Chapter – 8.5 Authentication And Key Distribution

1
Chapter 8.5 Authentication And Key
Distribution

• Anjum Reyaz-Ahmed

2
Outline

• Part I Authentication Protocols
• Kerberos Protocol
• Needham-Schroder Protocol
• Part II Current Literary Review
• Elliptical Curve Cryptography How it Works" Sun
  Microsystems Laboratory 2005
• Security Challenges in Seamless Mobility How
  to Handover The Keys, WICON 2008
• Part III Future Research Initiatives

3
Kerberos

• Provide authentication for a user that works on a
  workstation.
• Uses secret key technology
• Because public key technology still had patent
  projection.
• Implements authentication by Needham Schroeder.
• On the market in versions 4 and 5.

4
Kerberos

• Kerberos consists of
• Key Distribution Center (KDC)
• Runs on a physically secure node
• Library of Subroutines
• Modifies known UNIX libraries such as telnet,
  rlogin,

5
Key Distribution Center

• KDC
• Database of keys for all users
• Invents and hands out keys for each transaction
  between clients.

Alice KDC
Bob
Alice wants Bob
KAlice KAB for Bob
KBobKAB for Alice
6
Key Distribution Center

• Message from KDC to Bob has some problems.
• Timing problem Alice needs to wait to make sure
  that Bob got the key.
• Change the protocol so that Alice receives a
  ticket to talk to Bob.

7
Key Distribution Center
Alice KDC Bob
KAliceUse KAB for Bob Ticket for Bob
KBobUse KAB for Alice
Alice wants Bob
Im Alice, my ticket is KBobUse KAB for Alice
8
Key Distribution Center

• Needham Schroeder
• Combines KDC operation with authentication.
• Uses nonces instead of timestamps to prevent
  replay attacks.
• A (sequential / random) number used only once.

9
Needham Schroeder
Bob
N1, Alice, Bob
Alice
KDC
KAliceN1, Bob, KAB, ticket to Bob
Ticket, KABN2
KABN2-1, N3
KABN3-1
Ticket KBobKAB, Alice
10
Needham Schroeder
Bob
Alice, Bob
Alice
KDC
Trudy (KDC)
Trudy as Bob
Kalice Bob, KAB, ticket to Bob
Ticket KBobKAB, Alice,
Trudy can now successfully authenticate herself
to Alice as Bob.
Trudy impersonates the KDC and replays the old
captured message, which looks like a normal
message.
Trudy waits until Alice makes a request to the
KDC.
Trudy now incorporates Bob.
Purpose of the nonce is the following
scenario Assume that Trudy has stolen an old key
of Bobs and stolen the message where Alice
previously has requested a key. Bob has in the
meantime changed his key.
But the nonces make all messages unique!
11
Needham Schroeder

• Message 2 KAliceN1, Bob, KAB, ticket with
  ticket KBobKAB,Alice
• N1 prevents replay attacks.
• Bob to prevent Trudy from trying to play Bob.
• Ticket does not have to be sent encrypted with
  Alices key.

12
Needham Schroeder

• Message 3 ticket, KABN2
• Alice presents a challenge together with her
  ticket.
• Bob decodes ticket to find KAB.
• He decodes the latter part of the message to find
  the challenge.

13
Needham Schroeder

• Message 4 KABN2-1,N3
• Bob solves Alices challenge.
• Bob sends Alice his own challenge.
• Your turn What is the vulnerability if message 4
  were to read KABN2-1, KABN3 ?

Answer on next two slides.
14
Needham Schroeder

• Answer
• Trudy eavesdrops on an exchange and then splices
  her own messages to Bob

15
Needham Schroeder
Bob
Alice
Ticket, KABN2
KABN2-1, KABN3
Replays Ticket, KABN2
KABN2-1 KABN4
Trudy (later)
Trudy now resumes her first connection KABN4-1
and is authenticated
Ticket, KABN4
KABN4-1 KABN5
Trudy (second connection)
16
Needham Schroeder

• Expanded Needham Schroeder
• Prevents replay attacks after Alices master key
  was stolen and Alice changed her master key.

17
Needham Schroeder

• Vulnerability Scenario
• Alice has a previous key JAlice that Trudy
  captured.
• Alice has changed her key to KAlice.
• Trudy has captured a previous login request from
  Alice to KDC
• KDC sent JAliceN1,Bob,JAB,KBobJAB,Alice

18
Needham Schroeder

• Vulnerability Scenario
• Trudy has JAliceN1,Bob,JAB,KBobJAB,Alice
• Trudy calculates JAB and KBobJAB,Alice with
  JAlice.
• Trudy now impersonates Alice to Bob. She sends
  her round 3 message to Bob
• N2, KBobJAB,Alice
• She can complete the Needham Schroeder protocol
  with Bob.
• Since the KDC no longer participates, informing
  the KDC of the change does not prevent Trudy from
  succeeding impersonating Alice to Bob.

19
Needham Schroeder Vulnerability Scenario

• Trudy has
• JAliceN1,Bob,JAB,KBobJAB,Alice, JAB.
  KBobJAB,Alice.
• Trudy to Bob JABN2, KBobJAB,Alice
• Bob to Trudy JABN21, N3
• Trudy to Bob JABN31
• Trudy and Bob are mutually authenticated!

20
Needham Schroeder

• Solution
• Prevent replays after long duration
• Clock and date.
• Certificate from Bob.
• Extended Needham Schroeder picks the latter.

21
Extended Needham Schroeder

• Alice to Bob I want to talk to you.
• Bob to Alice KBobNB
• Alice to KDC N1, Alice wants Bob, KBobNB
• KDC to Alice KAliceN1,Bob,KAB, KBobKAB,
  Alice, NB
• Alice to Bob KBobKAB, Alice, NB, KABN2
• Bob to Alice KABN2-1,N3
• Alice to Bob KABN3-1.

NB prevents the previous attack. Bob can
determine whether Alice is using the key that the
KDC has.
22
Extended Needham Schroeder

• Alice now needs to receive a certificate from Bob
  before starting standard Needham Schroeder.

23
Otway Rees

• Replaces extended Needham Schroeder
• Uses only 5 messages
• Speed-up results from the suspicious party
  (Bob) going to the KDC.

24
Otway Rees

• Alice to Bob NC, Alice Bob KAliceNA, NC, Alice,
  Bob
• Bob to KDC KAliceNA,NC, Alice, Bob, KBobNB,
  NC, Alice, Bob
• KDC to Bob NC, KAliceNA,KAB, KBobNB,KAB
• Bob to Alice KAliceNA, KAB
• Alice to Bob KABNC

25
Kerberos

• Based on Needham Schroeder, but uses time instead
  of nonces.
• Approximate time is easy in distributed systems.

26
Kerberos

• Kerberos Authentication Service
• Alice to KDC N1 Alice wants Bob
• KDC to Alice KAliceN1, Bob, KAB, KBobKAB,
  Alice, expir. Time
• Alice to Bob KBobKAB, Alice, expir. Time,
  KABcur. Time
• Bob to Alice KABcur. Time 1

27
Kerberos

• Kerberos Setup
• Master key shared by KDC with each principal.
• When Alice logs into her machine, her station
  asks the KDC for a session key for Alice. The KDC
  also gives her a Ticket Granting Ticket. (TGT)
• Alices workstation retains only the session key
  and the TGT.
• Alices workstation uses the TGT to receive other
  tickets from the Ticket Granting Service (TGS).

28
Kerberos

• Two entities
• Key distribution center.
• Authentication Server (AS)
• Ticket granting server (TGS).
• Both need the same database, so they are usually
  on the same machine.

29
Part II Current Trends In Cryptography
30
Elliptical Curve Cryptography- How it
works-----Sheueling Chang, Hans Eberle, Vipul
Gupta, Nils Gura----Sun Microsystem 2005

• Summary
• Elliptical curve cryptosystem (ECC) operates over
  points on an elliptical curve
• The best known algorithm to attack ECC runs more
  slowly than best known algorithm to other
  cryptosystems
• ECC can offer equivalent security with
  subsequently smaller size keys.

31
Elliptical Curve Crytography

• Public-key cryptosystem offering the highest
  security strength per bit. Uses smaller keys for
  equivalent security.
• Results in faster computations and savings in
  memory, power and bandwidth (especially important
  in constrained environments).
• Performance advantage increases as security needs
  increase over time
• Endorsed/standardized by NIST, ANSI, IEEE, IETF.

32
How it works

• Parameters Elliptic curve, base point G
• Scalar point multiplication Q kP, e.g. 9P
  2(2(2P)) P
• Hard problem Given kP (public-key) P, find k
  (private-key). EC Discrete Logarithm Problem no
  known subexponential solutions.

33
ECC ON Small Devices

• Large keys are a big problem for small devices

34
Securing the Next Generation Internet

• The Internet today is ...
• a global marketplace for goods and services
• enabled by security mechanisms that ensure
  authentication, confidentiality and integrity
• predominantly secured by the SSL protocol using
  a combination of symmetric- and public-key
  cryptography
• but ...
• many new devices connecting to the Internet have
  limited capabilities (e.g. sensors, appliances)
• new applications (e.g. patient monitoring,
  building automation) will increase the number of
  transactions requiring security
• the future will demand higher levels of security
  (e.g. 128-bit AES, 2048-bit RSA)

35
What makes ECC hard to crack?

• The security of ECC relies on the difficulty of
  solving the Elliptic
• Curve Discrete Logarithm Problem (ECDLP), i.e.
  finding k, given P
• and Q kP. The problem is computationally
  intractable for large
• values of k.

36
Key Exchange

• Each node has a CPU and communication controller
  running independently
• Time Triggered Communication Protocol

37
Summary

• ECC can offer equivalent security with
  substantially smaller key sizes.
• For example, a 160-bit ECC key provides the same
  level of security as a 1024-bit RSA key and
  224-bit ECC is equivalent to 2048-bit RSA.
• Smaller keys result in faster computations, lower
  power consumption, as well as memory and
  bandwidth savings.
• While these characteristics make ECC especially
  appealing for small embedded devices , they can
  also alleviate the computational burden on secure
  web servers.

38
Security Challenges in Seamless Mobility How to
"Handover" the keys? --- K Hooper, L Chen, A
Izquierdo, N Golmie --- WICON 2008

• Synopsis
• Key management challenges for seamless handover
  across heterogeneous wireless networks.

39
Handovers
40
Key Distributor

• The authentication server of the serving network
• the lowest common key holder in serving and
  target network
• the lowest key holder in the serving network with
  access to target network via a short cut

41
Summary

• Discussion on various security aspects of key
  management and seamless mobility in heterogeneous
  networks.
• Show that Handover security and performance
  depends on the
• method used to derive the HO key hierarchy
• the network position of the entity acting as
  key distributor
• the protocol used to distribute HO keys
• Present three HO key distribution protocols a
  push protocol and two variant of pull protocols.

42
Future of User Authentication

• Passwords are the weakest link in any system
• We need new methods of authenticating users
• Password 2.0?

43
Belly-Button Ring Identifiers

• If your mobile phone is your future
  authenticator, how do you authenticate to your
  mobile phone?
• One possibility is based on MITs beeper-based
  signature concept (R. Rivest, A. Lysyanskaya)
• Beeper that you wear maybe a belly button
  ring? sends low-power signal to your phone
• Fresh signal required for phone to generate
  digital signatures otherwise phone wont sign
• Beeper can authenticate you to your phone, and/or
  you and your phone to the network

44
Knowledge-Based Authentication

• Users will authenticate based on what they know
  and what theyre able to do in new and
  sophisticated ways
• Life questions are quite common already for
  password reset, as well as account enrollment
• Human-computer interfaces offer new possibilities
  for authentication, e.g., PassfaceTM

45
References

• Randy Chow Theodore Johnson . Distributed
  Operating Systems Algorithms. pp 156-163
  Addison-Wesley 1997
• Sheueling Chang, Hans Eberle, Vipul Gupta Nils
  Gura. Elliptical Curve Cryptography- How it
  works. Sun Microsystem http//research.sun.com/p
  rojects/crypto/ , 2005
• Katrin Hoeper, Lidong Chen, Antonio Izquierdo
  Nada Golmie. Security Challenges in Seamless
  Mobility How to Handover the Keys. WICON
  IEEE, 2008

46

• Thank you!!