Computer Security Lecture 25

1
Computer SecurityLecture 25

• Phillip G. Bradford
• Department of Computer Science
• The University of Alabama

2
Outline

• More Kerberos
• Starting Auctions
• Potential exam problems

3
Objectives

• Understanding some of Kerberos
• E-Auction Issues
• Exam-type problems

4
Credits

• Kerberos discussion
• See William Stallings Cryptography and Network
  Security, 3rd edition, 2002.
• H. Nurmi and A. Salomaa (1993) Cryptographic
  Protocols for Vickrey Auctions, Group Decision
  and Negotiation, Vol. 2, 363-373.

5
Announcements

• Tom Cormen, Dartmouth College
• Parallel Out-of-Core Sorting The Third Way
• Friday _at_ 11am in East Eng. 119

6
Kerberos

• Client/Server Model
• How might we suggest securing the C/S model?
• Three key threats
• Physically log into a secure work station
• Steal impersonate network address
• Replay Attacks
• RFC 1510

7
Kerberos

• Why the KDC Model?
• Avoid complex tracking for C/S model
• Symmetric (private key) crypto
• Why might this be?
• Authentication Server (AS)
• Distributed authentication of valid users
• Shares a unique secret key with each server

8
Kerberos (AS)

• AS has central database with ids keys
• Suppose we have n servers
• Key shared with each server total of n keys
• Assume the n keys are physically given to each
  server
• Issues?

9
Authentication Server Example

• All Transactions Could Use Pair Keys
• Client ? AS
• IDclient Passwordclient IDserver
• AS ? C
• Ticket EK(s)IDclient, C_NetAddr,IDserver
• C_NetAddr client network address
• Client ? Server
• IDclient Ticket

10
Authentication Server Example

• AS checks Clients password Server access in
  Database
• Ticket EK(s)IDclient, C_NetAddr,IDserver
• Is encrypted using the symmetric key shared by
• AS and Server!
• The Client does not know K(s) !
• Why?
• Cant change Ticket

11
Authentication Server Example

• Why does the Client send Server
• IDclient Ticket ?
• The server can unencrypt the Ticket verify it
  is from the correct client
• Also, C_NetAddress in Ticket
• Prevents replay attack Mallory listens copies
  Ticket sent from AS to Client
• Prevents another client (at a different network
  address) from using the same Ticket to
  misrepresent themselves

12
How Safe is C_NetAddress ?

• Name Servers physical security
• How do Domain Name Servers (DNS) work?
• Tables of domain-names with their IP addresses
• Why?
• Names as property Fees for such protection
• Keep security of Domain names IP addresses
• Physical Logical Protection

13
The Costs of TicketsThe Costs of Not Having Tix

• Lots of Tickets can be costly
• In Bandwidth generation cost
• Those 100 print-jobs/day
• Take a heavily used server
• TGS Ticket Granting Server
• TGT Ticket Granting Ticket
• More general solution

14
More Robust Flexible Authentication

• To begin a Session (logging in)
• Client ? AS
• IDclient IDtgs
• AS ? Client
• Ek(c)Tickettgs
• Service Type Initiation
• Client ? TGS
• IDclient IDserver Tickettgs

15
More Robust Flexible Authentication

• Service Type, Cont.
• TGS ? Client
• Ticketserver
• Each Server Session
• Client ? Server
• IDclient Ticketserver
• Each ticket (Tickettgs,Ticketserver) now has
• A time-stamp
• A lifetime

16
More Robust Flexible Authentication

• Do these transmissions need to be secure?
• No passwords transmitted across the network

17
Trade-offs

• Short lifetimes lots of re-authentication
• Long lifetimes more chance of attacks working
• Grabbing an illicit TGS
• Help prove TGS must demonstrate ticket holder
  actually issued the ticket
• Protecting against this

18
Other issues

• Faking a server

19
E-Auction Objectives

• Get students interested in applications of
  Computer Security to E-Auctions
• Learn a little about the application domain on
  the Internet
• Present a very interesting protocol by A.-C. Yao
• Changes the identity question to less information
  of the indices of the items

20
E-AuctionsNurmi Salomaa

• Public key encryption eA and eB
• Private key encryption dA and dB
• Main commutativity assumption
• dB(eA(m)) eA(dB(m)) m
• Vickrey Auctions and bidding our Utility
• Secrecy is important to participants

21
E-AuctionsNurmi Salomaa

• Protocol 1 Standard Secure Transfer
• Alice has m, computes dA(m)
• Alice computes eB(dA(m)) and send to Bob
• Bob computes dB(eB(dA(m))) dA(m)
• Bob finally computes eA(dA(m)) m

22
A.C. Yaos Millionaires Protocol

• Let a be Alices Bid
• Let b be Bobs Bid

23
A.C. Yaos Millionaires Protocol Used in
Protocol 3 of Nurmi Salomaa

• Assume the range of inputs is in
• 1,,100 Bobs Bid is b
• Bob privately computes random x
• Lets k eA(x) and sends (k b) to Alice
• Alice privately computes
• yi dA(k - b i) for all i in 1,,100

24
A.C. Yaos Millionaires Protocol

• Alice for all i in 1,,100 find a prime q so
  that zi zj gt 2
• and zi lt q-1
• Where zi yi mod q and be sure q is smaller than
  x pre-agreed
• Alice sends Bob the sequence
• z1, , za, za1 1, , z1001, q

25
A.C. Yaos Millionaires Protocol

• Bob determines which of
• If Zb x mod q, then b lt a
• If Zb ! x mod q, then b gt a
• Bob tells Alice his conclusion, then the loosing
  bidder sends the winner their private key for
  verification

26
Schneiers Example

• Use RSA
• Bobs
• Public key lt7,55gt
• Private Key lt23,55gt
• Suppose all possible values are 1,2,3,4
• Bobs secret value j 2
• Alices secret value i 4

27
Schneiers Example

• Bobs 4 numbers
• y1 de(151) 26
• y2 de(151) 18
• y3 de(151) 2
• y4 de(151) 39
• Transformation choose p 31
• z1 26 mod 31 26
• z2 18 mod 31 18
• z3 2 mod 31 2
• z4 39 mod 31 8

28
Schneiers Example

• Bob sends Alice
• lt26, 18, 21, 81, 31gt
• Alice checks if 81 9 is congruent to y mod 31
• If 39 mod 31 9, then i gt j
• Else j lt i