Authentication

1
Authentication

• Devices and Messages

2
Topics

• The Authentication Problem
• Simple device authentication
• Attack and Countermeasures
• Cryptographic Hash Functions
• Message authentication with secure hash functions

3
Authentication Protocols

• The authentication problem is to identify one
  entity, the client or user to another entity,
  the server.
• The communications channel may be limited voice
  only, or radio signals only
• The client and server may have limited
  capabilities compute power, battery life, etc

4
Simple Client and Server

• The Client is a device or token such as the one
  you hold in your hand and use to open your car or
  garage door.
• The Server is the system that receives your
  devices signal and opens the door.
• The communications channel is infrared or radio
  signals.

5
Simple Protocol

• The simplest protocol is for the token to
  transmit its 16 bit serial number, which also
  acts as a password.
• Method 1 Thief can try all possible passwords.
  Can usually open door after 215 tries which, at
  10 per second, is about an hour.
• Method 2 Devices called grabbers became
  available about 1995 which would record a signal
  and replay it at a later time.

6
Countermeasures

• Use longer passwords 32 bits instead of 16
  (this really happened and manufacturers proudly
  advertised increased security). Guessing
  impractical but grabbers still work.
• Use different codes for open and close. Grabber
  must be used at proper time.
• Additional vulnerability serial number is known
  by others original vendor, service people, etc.

7
What is Really needed

• The device needs to send something that cant
  simply be recorded and played back.
• Add a counter value, random number, or timestamp
  to guarantee freshness.
• Problem with counters the token and the dog
• Problem with random numbers (nonce) token and
  server must remember past codes valet attack
• Problem with timestamp clock drift
• Encrypt so that attacker cannot fabricate message

8
General Setting and Notation

• Many clients with devices (or tokens) needing
  access to a building or large parking garage.
• Notation to show that X is encrypted with key K
  write XK or KX
•  Standard protocol notation for token sending to
  the garage T ? G T, KTN

9
More Sophisticated Protocol

• token sends to the garage its name, T, followed
  by the encrypted value of its name concatenated
  with a nonce, N
• T ? G T, KTT, N
•  
• The garage verifies the open request by
  deciphering the encrypted part and verifying the
  token name is the same as the plaintext name and
  that the nonce hasnt been used before.

10
T ? G T, KTT, N

• This protocol is more secure. An attacker cannot
  simply replay an old message. He cannot
  fabricate a message even if he knows the tokens
  name and guesses a fresh nonce unless he knows
  KT.
• Key management The server needs to remember
  keys for many different tokens if it is a large
  garage. Assign a global master key to the garage
  KM. Key for each token is the token name or
  serial number encrypted with the global master
  key. KT KMT This scheme is called key
  diversification and is widely used in smart
  cards.

11
Challenge-Response Protocol

• Because of the problems with nonces, the
  challenge-response protocol is often used to
  provide a high degree of security.
• This requires an exchange of messages and
  receiving as well as more processing ability on
  the part of the token.
•  The server (door or lock) sends a challenge
  consisting of a random number and the token
  computes a response by encrypting the challenge.

12
Challenge-Response

• T ? S T
• S ? T N
• T ? S T, KT N
• Note that the encryption used does not have to
  be invertible. A one-way function or
  cryptographic hash function can be used.

13
Weaknesses in C-R

• The C-R protocol is widely used. However, it is
  not unbreakable.
• Example the random numbers generated by the
  server are often predictable and cyclic. An
  attacker can eavesdrop on a C-R session and
  determine what the next challenge will be and
  prepare a (perhaps pre-recorded) response.
• Note most programming language library routines
  for random numbers produce predictable number
  streams.

14
Man-in-the-Middle Attack

• Also known as the MIG-in-the-Middle as it was
  apparently used successfully in the war between
  South Africa and Angola in the late 1980s.
  Aircraft use IFF (Identify Friend or Foe) systems
  to prevent them from shooting down friendly
  aircraft. This system was developed in the
  1940s and initially used the C-R.
• S ? T N
• T ? S KTT, N Where T is the aircraft

15

• Air defense units on both sides could send and
  receive these signals. MIGs from Angola would
  wait at the border of South African air defense
  until South African bombers crossed into Angola
  on a bombing raid. The MIGs would then cross
  into South Africa and be met with a challenge
  from South African air defense units.

16
MIG In The Middle Attack

• south african air defense SAAD
• south african bomber SAB
• Angolan air defense AAD
• Angolan MIG MIG
•  
• SAAD ? MIG N
• MIG ? AAD N
• AAD ? SAB N
• SAB ? AAD KTSAB, N
• AAD ? MIG KTSAB, N
• MIG ? SAAD KTSAB, N

17
Reflection Attack

• In order for this attack to work, the two
  principals must be able and willing to identify
  themselves to each other. This attack works if
  the challenge system and response generator are
  not integrated or if the response generator does
  not check the name of the challenger. (Also if
  the token name is not included in the encryption
  part.)
• Assume you have two airplanes, one from the red
  team and one from the blue team. The red
  aircraft wants to get close enough to shoot at
  the blue plane without the blue plane knowing it.

18
Reflection Attack

• Red enters Blues airspace
• B ? R N Blue sends challenge
• R ? B N Red reflects challenge back to Blue
• B ? R KN Blues automatic IFF system
  responds without noticing that it just sent out
  that same challenge
• R ? B KN Red gives proper response to Blue,
  gets close and shoots him down

19
Thwarting the Reflection Attack

• Require an identifier to be included in the
  answer to a challenge. Blue plane 1
• B ? R N Blue sends challenge
• R ? B N Red reflects challenge
• B ? R B1, KN Blues IFF responds
• R ? B B1, KN Red sees reflection
  attempt
• Connect the challenge and response generator
  logic.

20
Subtle Uses for IFF

• Radar is used extensively in weapons systems.
  Radar has limited range as the signal must travel
  from the source to the target and return.
• In January 1944, Allied forces learned that the
  Germans were tracking British and American
  bombers at twice the normal radar range. The
  Germans were sending signals to interrogate the
  IFF systems of the bombers, so the bombers
  replied automatically.
• Modern IFF systems authenticate the challenge
  with encryption and only respond to valid
  challenges.

21
Manipulating the Message

• Reflection and Man-in-the-middle attacks can be
  enhanced by the ability of the attacker to
  manipulate the message.
• Recall the previous example the blue plane
  requires a name (or other identifier) in the
  response message

B ? R N Blue sends challenge R ? B N Red
reflects challenge back to Blue B ? R B3,
KN Blues IFF responds, includes its
identifier, b3 R ? B B3, KN Red sends
response, but Blue recognizes attack!!
22
Manipulating the Message

• Red responds by giving his planes the ability to
  manipulate the message
• B ? R N Blue sends challenge
• R ? B N Red reflects challenge back to Blue
• B ? R B3, KN Blues IFF responds, includes
  b3
• R ? B B4, KN Red knows the first part of
  the message is the identifier and changes it!!
  Blue thinks Red is friendly and lets him get
  close.-----

23
Countermeasure

• Require the ID to be in the encrypted part - then
  Red cannot successfully manipulate the message
  unless he knows the encryption key (in which case
  he doesnt need to reflect).
• B ? R N Blue sends challenge
• R ? B N Red reflects challenge back to Blue
• B ? R B3, KB3, N Blues IFF responds,
  includes b3
• R ? B B4, KB3, N Red gives response,
  changing the unencrypted identifier, but Blue
  recognizes a reflection attack!!

24
Cryptographic Hash Functions

• Alternative to encryption when decryption is not
  needed.
• Encryption software is slow and hardware is
  costly.
• Message digest (signature or hash) is smaller
  than ciphertext.
• B ? R N Blue sends challenge
• R ? B N Red reflects challenge back to Blue
• B ? R B3, HB3, N Blues IFF responds,
  includes b3
• R ? B B4, HB3, N Red gives response, Blue
  calculates H(B4,N) and compares to Reds response.

25
Secure HASH Functions

• Purpose is to produce a fingerprint.
• Properties of a HASH function H
• H can be applied to a block of data at any size
• H produces a fixed length output
• H(x) is easy to compute for any given x.
• For any given block x, it is computationally
  infeasible to find x such that H(x) h
• For any given block x, it is computationally
  infeasible to find with H(y)
  H(x).
• It is computationally infeasible to find any pair
  (x, y) such that H(x) H(y)

26
Simple Hash Function

• Divide message into n-bit blocks (pad with zero
  if necessary). Hash code is n-bits.

27
Authentication

• Requirements - must be able to verify that
• 1. Message came from apparent source or
  author,
• 2. Contents have not been altered,
• 3. Sometimes, it was sent at a certain time or
  sequence.
• Protection against active attack (falsification
  of data and transactions)

28
Approaches to Message Authentication

• Authentication Using Conventional Encryption
• Only the sender and receiver should share a key
• Message Authentication with Encryption and Hash
  function (a and b)
• An authentication tag is generated with hashing
  and appended to each message after encryption
• Message Authentication with Hash function and
  Shared Secret Value (c )

29
One-way HASH function
30
One-way HASH function

• Secret value is added before the hash and removed
  before transmission.

31
Other Secure HASH functions
32
HMAC

• Use a MAC (message authentication code) derived
  from a cryptographic hash code, such as SHA-1.
• Motivations
• Cryptographic hash functions executes faster in
  software than encryptoin algorithms such as DES
• Library code for cryptographic hash functions is
  widely available
• No export restrictions from the US

33
For Further Reading

• Security Engineering, A Guide to Building
  Dependable Systems by Ross Anderson, Wiley, 2001
• Cryptography and Network Security, Principles
  and Practice third edition, William Stallings,
  Prentice Hall
• Network Security, Private Communication in a
  Public World, 2nd edition, Kaufman, Perlman,
  Speciner, Prentice Hall, 2002