Vitaly Shmatikov - PowerPoint PPT Presentation

About This Presentation
Title:

Vitaly Shmatikov

Description:

Secure sessions are one of the most important applications in network ... Evil Bob pretends. that he is Alice. Charlie. EncryptPublicKey(Charlie) ('Alice', NA) ... – PowerPoint PPT presentation

Number of Views:28
Avg rating:3.0/5.0
Slides: 12
Provided by: vita51
Learn more at: http://cs.uccs.edu
Category:

less

Transcript and Presenter's Notes

Title: Vitaly Shmatikov


1
Key Establishment Pitfalls
CS 378
  • Vitaly Shmatikov

2
Secure Sessions
  • Secure sessions are one of the most important
    applications in network security
  • Enable us to talk securely on an insecure network
  • Goal secure bi-directional communication channel
    between two parties
  • The channel must provide confidentiality
  • Third party cannot read messages on the channel
  • The channel must provide authentication
  • Each party must be sure who the other party is
  • Other desirable properies integrity, protection
    against denial of service, anonymity against
    eavesdroppers

3
Key Establishment Protocols
  • Common implementation of secure sessions
    establish a secret key known only to two parties
  • Can then use block ciphers for confidentiality,
    HMAC for authentication, and so on
  • Challenge how to establish a secret key using
    only public information
  • Even if the two parties share a long-term secret,
    a fresh key should be created for each session
  • Long-term secrets are valuable want to use them
    as sparingly as possible to limit exposure and
    the damage if the key is compromised

4
Key Establishment Techniques
  • Use a trusted key distribution center (KDC)
  • Every party shares a pairwise secret key with KDC
  • KDC creates a new random session key and then
    distributes it, encrypted under the pairwise keys
  • Example Kerberos
  • Use public-key cryptography
  • Diffie-Hellman authenticated with signatures
  • Example IKE (Internet Key Exchange)
  • One party creates a random key, sends it
    encrypted under the other partys public key
  • Example TLS (Transport Layer Security)

5
Private-Key Needham-Schroeder
Creates fresh random session key KAB
KDC (knows secret keys KAlice and KBob)
Fresh, random nonce
N1, Im Alice, wanna talk to Bob
EncryptKAlice(N1,Bob,KAB, EncryptKBob(KAB,Alice
))
ticket
ticket, EncryptKAB(N2)
Another nonce
EncryptKAB(N2-1, N3)
Yet another nonce
Alice
Bob
EncryptKAB(N3-1)
6
Weird Reflection Attack
  • Suppose symmetric encryption is in ECB mode
  • Bad idea in general

Bob
7
Otway-Rees Protocol
Creates fresh random session key KAB
KDC (knows secret keys KAlice and KBob)
EncryptKAlice(NA,NC,Alice,Bob)
?
EncryptKBob(NB,NC,Alice,Bob)
NC, EncryptKAlice(NA,KAB),
EncryptKBob(NB,KAB),
Bobs own nonce
?
This nonce is sent in the clear
This nonce is hidden from Bob
NC, Alice, Bob, EncryptKAlice(NA,NC,Alice,B
ob)
?
NC, EncryptKAlice(NA, KAB)
?
Alice
Bob
EncryptKAB(anything recognizable)
?
8
Brief Analysis of Otway-Rees
KDC (knows secret keys KAlice and KBob)
Match between these values is the only thing
that authenticates Bob to KDC
If NC is predictable, attacker can send a bogus
message to Bob and fool him into creating
EncryptKBob(NB,NC,Alice,Bob). When Alice
actually uses NC, attacker will be able to
impersonate Bob to KDC.
EncryptKAlice(NA,NC,Alice,Bob)
?
EncryptKBob(NB,NC,Alice,Bob)
NC, EncryptKAlice(NA,KAB),
EncryptKBob(NB,KAB),
?
NC, Alice, Bob, EncryptKAlice(NA,NC,Alice,B
ob)
?
NC, EncryptKAlice(NA, KAB)
?
Alice
Bob
EncryptKAB(anything recognizable)
?
  • Lesson randomness of nonces is essential

9
Public-Key Needham-Schroeder
Alices nonce
EncryptPublicKey(Bob)(Alice, NA)
Bobs nonce
EncryptPublicKey(Alice)(NA, NB)
EncryptPublicKey(Bob)(NB)
Bob
Alice
Create new key from NA and NB, e.g., NA?NB
  • Alices reasoning
  • The only person who could know NA
  • is the person who decrypted 1st message
  • Only Bob can decrypt message encrypted with
  • Bobs public key
  • Therefore, Bob is on the other end of the line
  • Bob is authenticated!
  • Bobs reasoning
  • The only way to learn NB is
  • to decrypt 2nd message
  • Only Alice can decrypt 2nd message
  • Therefore, Alice is on the other end
  • Alice is authenticated!

10
Attack on Needham-Schroeder
published by Gavin Lowe
Alice
Bob
11
Lessons of Needham-Schroeder
  • Yet another example of faulty reasoning
  • Alice is correct that Bob must have decrypted
    EncryptPublicKey(Bob)(Alice, NA), but this does
    not mean that EncryptPublicKey(Alice)(NA, NB)
    came from Bob
  • It is important to realize limitations of
    protocols
  • The attack requires that Alice willingly talk to
    attacker
  • Attacker uses a legitimate conversation with
    Alice to impersonate Alice to Charlie
  • Needham and Schroeder intended this protocol to
    be used by well-behaved workstations on an
    insecure network. In their setting, the protocol
    is correct!
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Vitaly Shmatikov" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!