Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 9 Simple Authentication Protocols Simple Security Protocol Authentication Protocols Authentication and TCP Chapter 9 Simple Authentication protocols.

Published byMeagan Ferguson Modified over 9 years ago

Similar presentations

Presentation on theme: "Chapter 9 Simple Authentication Protocols Simple Security Protocol Authentication Protocols Authentication and TCP Chapter 9 Simple Authentication protocols."— Presentation transcript:

1

2 Chapter 9 Simple Authentication Protocols Simple Security Protocol Authentication Protocols Authentication and TCP Chapter 9 Simple Authentication protocols 1

3 Protocols Human protocols  the rules followed in human interactions Example: Asking a question in class Networking protocols  rules followed in networked communication systems Examples: HTTP, FTP, etc. Security protocols  the (communication) rules followed in a security application Examples: SSL, IPSec, Kerberos, etc. Chapter 9 Simple Authentication protocols 2

4 Protocols Protocol flaws can be very subtle Several well-known security protocols have serious flaws Including IPSec, GSM and WEP Common to find implementation errors Such as IE implementation of SSL Difficult to get protocols right… Chapter 9 Simple Authentication protocols 3

5 Ideal Security Protocol 1. Satisfies security requirements Requirements must be precise 2. Efficient Minimize computational requirement  in particular, costly public key operations Minimize delays/bandwidth 3. Not fragile Must work when attacker tries to break it Works even if environment changes 4.Easy to use and implement, flexible, etc. Very difficult to satisfy all of these! Chapter 9 Simple Authentication protocols 4

6 Simple Security Protocols Chapter 9 Simple Authentication protocols 5

7 Secure Entry to NSA 1.Insert badge into reader 2.Enter PIN 3.Correct PIN? Yes? Enter No? Get shot by security guard Chapter 9 Simple Authentication protocols 6

8 ATM Machine Protocol 1.Insert ATM card 2.Enter PIN 3.Correct PIN? Yes? Conduct your transaction(s) No? Machine eats card Chapter 9 Simple Authentication protocols 7

9 Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. E(N,K) SAAF Impala Russian MIG 8 Military needs many specialized protocols Many cases, it could recognize friends as enemies, or ….

10 MIG in the Middle Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. N 3. N 4. E(N,K) 5. E(N,K) 6. E(N,K) SAAF Impala Russian MiG 9

11 Authentication Protocols Chapter 9 Simple Authentication protocols 10

12 Authentication Alice must prove her identity to Bob Alice and Bob can be humans or computers May also require Bob to prove he’s Bob (mutual authentication) May also need to establish a session key May have other requirements, such as Use only public keys Use only symmetric keys Use only a hash function Anonymity, plausible deniability, etc., etc. Chapter 9 Simple Authentication protocols 11

13 Authentication Authentication on a stand-alone computer is relatively simple “Secure path” is the primary issue Main concern is an attack on authentication software (we discuss software attacks later) Authentication over a network is much more complex Attacker can passively observe messages Attacker can replay messages Active attacks may be possible (insert, delete, change messages) Chapter 9 Simple Authentication protocols 12

14 Simple Authentication Simple and may be OK for standalone system But insecure for networked system Subject to a replay attack (next 2 slides) Bob must know Alice’s password Chapter 9 Simple Authentication protocols Alice Bob “I’m Alice” Prove it My password is “frank” 13

15 Authentication Attack Chapter 9 Simple Authentication protocols Alice Bob “I’m Alice” Prove it My password is “frank” Trudy 14

16 Authentication Attack This is a replay attack How can we prevent a replay? Chapter 9 Simple Authentication protocols Bob “I’m Alice” Prove it My password is “frank” Trudy 15

17 Simple Authentication More efficient… But same problem as previous version Replay attack Chapter 9 Simple Authentication protocols Alice Bob I’m Alice, My password is “frank” 16

18 Better Authentication Better since it hides Alice’s password From both Bob and attackers But still subject to replay Chapter 9 Simple Authentication protocols Alice Bob “I’m Alice” Prove it h(Alice’s password) 17

19 Challenge-Response To prevent replay, challenge-response used Suppose Bob wants to authenticate Alice Challenge sent from Bob to Alice Only Alice can provide the correct response Challenge chosen so that replay is not possible How to accomplish this? Password is something only Alice should know… For freshness, a “number used once” or nonce Chapter 9 Simple Authentication protocols 18

20 Challenge-Response Chapter 9 Simple Authentication protocols Bob “I’m Alice” Nonce h(Alice’s password, Nonce) Nonce is the challenge The hash is the response Nonce prevents replay, insures freshness Password is something Alice knows Note that Bob must know Alice’s password Alice 19

21 Challenge-Response What can we use to achieve this? Hashed pwd works, crypto might be better Will be discussed for Symmetric key, Public key, and so on Chapter 9 Simple Authentication protocols Bob “I’m Alice” Nonce Something that could only be Alice from Alice (and Bob can verify) 20

22 Symmetric Key Notation Encrypt plaintext P with key K C = E(P,K) Decrypt ciphertext C with key K P = D(C,K) Here, we are concerned with attacks on protocols, not directly on the crypto We assume that crypto algorithm is secure Chapter 9 Simple Authentication protocols 21

23 Symmetric Key Authentication Alice and Bob share symmetric key K AB Key K AB known only to Alice and Bob Authenticate by proving knowledge of shared symmetric key How to accomplish this? Must not reveal key Must not allow replay attack Chapter 9 Simple Authentication protocols 22

24 Authentication with Sym Key Chapter 9 Simple Authentication protocols Alice, K AB Bob, K AB “I’m Alice” E(R,K AB ) Secure method for Bob to authenticate Alice Alice does not authenticate Bob Can we achieve mutual authentication? R 23

25 Mutual Authentication? What’s wrong with this picture? “Alice” could be Trudy (or anybody else)! Chapter 9 Simple Authentication protocols Alice Bob “I’m Alice”, R E(R,K AB ) 24

26 Mutual Authentication Since we have a secure one-way authentication protocol… The obvious thing to do is to use the protocol twice Once for Bob to authenticate Alice Once for Alice to authenticate Bob This has to work… Chapter 9 Simple Authentication protocols 25

27 Mutual Authentication This provides mutual authentication Is it secure? See the next slide… Chapter 9 Simple Authentication protocols Alice Bob “I’m Alice”, R A R B, E(R A,K AB ) E(R B,K AB ) 26

28 Mutual Authentication Attack Chapter 9 Simple Authentication protocols Bob 1. “I’m Alice”, R A 2. R B, E(R A,K AB ) Trudy Bob 3. “I’m Alice”, R B 4. R C, E(R B,K AB ) Trudy 5. E(R B,K AB ) 27

29 Mutual Authentication Our one-way authentication protocol not secure for mutual authentication Protocols are subtle! The “obvious” thing may not be secure Also, if assumptions or environment changes, protocol may not work This is a common source of security failure For example, Internet protocols Chapter 9 Simple Authentication protocols 28

30 Sym Key Mutual Authentication Do these “insignificant” changes help? Yes! Chapter 9 Simple Authentication protocols Alice Bob “I’m Alice”, R A R B, E(“Bob”,R A,K AB ) E(“Alice”,R B,K AB ) 29

31 Public Key Notation Encrypt M with Alice’s public key: {M} Alice Sign M with Alice’s private key: [M] Alice Then [{M} Alice ] Alice = M {[M] Alice } Alice = M Anybody can do public key operations Only Alice can use her private key (sign) Chapter 9 Simple Authentication protocols 30

32 Public Key Authentication Is this secure? Trudy can get Alice to decrypt anything! Should not use the key for encryption Must have two key pairs Chapter 9 Simple Authentication protocols Alice Bob “I’m Alice” {R} Alice R 31

33 Public Key Authentication Is this secure? Trudy can get Alice to sign anything! Should not use the key for sign Must have two key pairs Chapter 9 Simple Authentication protocols Alice Bob “I’m Alice” R [R] Alice 32

34 Public Keys Never use the same key pair for encryption and signing One key pair for encryption/decryption A different key pair for signing/verifying signatures Chapter 9 Simple Authentication protocols 33

35 Session Key Session key: temporary key, used for a short time period Usually, a session key is required in addition to authentication Limit symmetric key for a particular session Limit damage if one session key compromised Can we authenticate and establish a shared symmetric key? Key can be used for confidentiality Key can be used for integrity Chapter 9 Simple Authentication protocols 34

36 Session Key In some cases, we may also require perfect forward secrecy (PFS) Discussed later… Chapter 9 Simple Authentication protocols 35

37 Is this secure? OK for key, but no mutual authentication Note that K is acting as Bob’s nonce Alice can not authenticate Bob Chapter 9 Simple Authentication protocols “I’m Alice”, R {R,K} Alice {R +1,K} Bob Alice Bob 36 Pub Key Authen and Sess Key Using Encryptions of Alice and Bob

38 Pub Key Authen and Sess Key Is this secure? Mutual authentication but key is not secret! Chapter 9 Simple Authentication protocols Alice Bob “I’m Alice”, R [R,K] Bob [R +1,K] Alice 37 Using Signs of Alice and Bob

39 Pub Key Authen and Sess Key Is this secure? Seems to be OK Mutual authentication and session key! Chapter 9 Simple Authentication protocols Alice Bob “I’m Alice”, R {[R,K] Bob } Alice {[R +1,K] Alice } Bob 38 First Sign and encrypt

40 Is this secure? Seems to be OK Though anyone can see {R,K} Alice and {R +1,K} Bob Chapter 9 Simple Authentication protocols Alice Bob “I’m Alice”, R [{R,K} Alice ] Bob [{R +1,K} Bob ] Alice 39 Pub Key Authen and Sess Key First encrypt and Sign

41 Perfect Forward Secrecy The concern… Alice encrypts message with shared key K AB and sends ciphertext to Bob Trudy records ciphertext and later attacks Alice’s (or Bob’s) computer to find K AB Then Trudy decrypts recorded messages Perfect forward secrecy (PFS): Trudy cannot later decrypt recorded ciphertext Even if Trudy gets key K AB or other secret(s) Is PFS possible? Chapter 9 Simple Authentication protocols 40

42 Perfect Forward Secrecy For perfect forward secrecy, Alice and Bob cannot use K AB to encrypt Instead they must use a session key K S and forget it after it’s used Problem: How can Alice and Bob agree on session key K S and insure PFS? Chapter 9 Simple Authentication protocols 41

43 Naïve Session Key Protocol Trudy could also record E(K S,K AB ) If Trudy gets K AB, she gets K S Chapter 9 Simple Authentication protocols Alice, K AB Bob, K AB E(K S, K AB ) E(messages, K S ) 42

44 Perfect Forward Secrecy Can use Diffie-Hellman for PFS Recall Diffie-Hellman: public g and p Chapter 9 Simple Authentication protocols But Diffie-Hellman is subject to MiM How to get PFS and prevent MiM? Alice, a Bob, b g a mod p g b mod p 43

45 Perfect Forward Secrecy Session key K S = g ab mod p Alice forgets a, Bob forgets b Ephemeral ( 일회성 ) Diffie-Hellman Not even Alice and Bob can later recover K S Other ways to do PFS? Chapter 9 Simple Authentication protocols Alice, a Bob, b E(g a mod p, K AB ) E(g b mod p, K AB ) 44

46 Mutual Authen, Sess Key & PFS Chapter 9 Simple Authentication protocols AliceBob “I’m Alice”, R A R B, [{R A, g b mod p} Alice ] Bob [{R B, g a mod p} Bob ] Alice Session key is K = g ab mod p Alice forgets a and Bob forgets b If Trudy later gets Bob’s and Alice’s secrets, she cannot recover session key K 45

47 Timestamps A timestamp T is the current time Timestamps used in many security protocols (Kerberos, for example) Timestamps reduce number of messages Like a nonce that both sides know in advance But, use of timestamps implies that time is a security-critical parameter Clocks never exactly the same, so must allow for clock skew ( 시간 오차 )  risk of replay How much clock skew is enough? Chapter 9 Simple Authentication protocols 46

48 Pub Key Authen with Timestamp T Chapter 9 Simple Authentication protocols Bob “I’m Alice”, {[T,K] Alice } Bob {[T +1,K] Bob } Alice Alice Is this secure? Seems to be OK 47

49 Chapter 9 Simple Authentication protocols Bob “I’m Alice”, [{T,K} Bob ] Alice [{T +1,K} Alice ] Bob Alice Is this secure? Trudy can use Alice’s public key to find {T,K} Bob and then… 48 Pub Key Authen with Timestamp T

50 Chapter 9 Simple Authentication protocols Bob “I’m Trudy”, [{T,K} Bob ] Trudy [{T +1,K} Trudy ] Bob Trudy Trudy obtains Alice-Bob session key K Note: Trudy must act within clock skew 49 Pub Key Authen with Timestamp T

51 Chapter 9 Simple Authentication protocols Bob “I’m Alice”, [{T,K} Bob ] Alice [{T +1} Alice ] Bob Alice Is this “encrypt and sign” secure? Yes, seems to be Does “sign and encrypt” also work here? 50

52 Public Key Authentication Sign and encrypt with nonce… Secure Encrypt and sign with nonce… Secure Sign and encrypt with timestamp… Secure Encrypt and sign with timestamp… Insecure Protocols can be subtle! Chapter 9 Simple Authentication protocols 51

53 Authentication and TCP Chapter 9 Simple Authentication protocols 52

54 TCP-based Authentication TCP not intended for use as an authentication protocol But IP address in TCP connection often used for authentication One mode of IPSec uses IP address for authentication This can cause problems Chapter 9 Simple Authentication protocols 53

55 TCP 3-way Handshake Chapter 9 Simple Authentication protocols Alice Bob SYN, SEQ a SYN, ACK a+1, SEQ b ACK b+1, data Recall the TCP three way handshake Initial SEQ number must be random Why? See the next slide… 54

56 TCP Authentication Attack Chapter 9 Simple Authentication protocols Alice Bob Trudy 1. SYN, SEQ = t (as Trudy) 2. SYN, ACK = t+1, SEQ = b 1 3. SYN, SEQ = t (as Alice) 4. SYN, ACK = t+1, SEQ = b 2 5. ACK = b 2 +1, data 5. 55

57 TCP Authentication Attack Chapter 9 Simple Authentication protocols Random SEQ numbers Initial SEQ numbers Mac OS X If initial SEQ numbers not very random… …possible to guess initial SEQ number… …and previous attack will succeed 56

58 TCP Authentication Attack Trudy cannot see what Bob sends, but she can send packets to server Bob, while posing as Alice Trudy must prevent Alice from receiving Bob’s packets (or else connection will terminate) If password (or other authentication) required, this attack fails If TCP connection is relied on for authentication, then attack succeeds Bad idea to rely on TCP for authentication Chapter 9 Simple Authentication protocols 57

Download ppt "Chapter 9 Simple Authentication Protocols Simple Security Protocol Authentication Protocols Authentication and TCP Chapter 9 Simple Authentication protocols."

Similar presentations

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.

Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
More on AuthenticationCS-4513 D-term 20081 More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Part 3  Protocols 1 Protocols Part 3  Protocols 2 Protocol  Human protocols  the rules followed in human interactions o Example: Asking a question.

Part 3  Protocols 1 Protocols Part 3  Protocols 2 Protocol  Human protocols  the rules followed in human interactions o Example: Asking a question.
CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.

Similar presentations

Ads by Google