Computer Science 654 Lecture 2 : Protocols - PowerPoint PPT Presentation

1 / 72
About This Presentation
Title:

Computer Science 654 Lecture 2 : Protocols

Description:

Title: Computer Science 654 Chapter 8: Multilateral Security Author: Wayne Patterson Last modified by: nsfuser Created Date: 2/2/2003 3:45:59 AM Document presentation ... – PowerPoint PPT presentation

Number of Views:221
Avg rating:3.0/5.0
Slides: 73
Provided by: WaynePa7
Category:

less

Transcript and Presenter's Notes

Title: Computer Science 654 Lecture 2 : Protocols


1
Computer Science 654Lecture 2 Protocols
  • Professor Wayne Patterson
  • Howard University
  • Spring 2009
  • (Stamp Chapter 9)

2
Protocol
  • Human protocols ? the rules followed in human
    interactions
  • Example Asking a question in class
  • Networking protocols ? rules followed in
    networked communication systems
  • Examples HTTP, FTP, etc.
  • Security protocol ? the (communication) rules
    followed in a security application
  • Examples SSL, IPSec, Kerberos, etc.

3
Protocols
  • Protocol flaws can be very subtle
  • Several well-known security protocols have
    serious flaws
  • Including IPSec, GSM and WEP
  • Common to find implementation errors
  • Such as IE implementation of SSL
  • Difficult to get protocols right

4
Ideal Security Protocol
  • Satisfies security requirements
  • Requirements must be precise
  • Efficient
  • Minimize computational requirement ? in
    particular, costly public key operations
  • Minimize delays/bandwidth
  • Not fragile
  • Must work when attacker tries to break it
  • Works even if environment changes
  • Easy to use and implement, flexible, etc.
  • Very difficult to satisfy all of these!

5
Simple Security Protocols
6
Secure Entry to NSA
  • Insert badge into reader
  • Enter PIN
  • Correct PIN?
  • Yes? Enter
  • No? Get shot by security guard

7
ATM Machine Protocol
  • Insert ATM card
  • Enter PIN
  • Correct PIN?
  • Yes? Conduct your transaction(s)
  • No? Machine eats card

8
Identify Friend or Foe (IFF)
Russian MIG
Angola
2. E(N,K)
SAAF Impala
1. N
Namibia
9
MIG in the Middle
3. N
SAAF Impala
4. E(N,K)
Angola
2. N
5. E(N,K)
6. E(N,K)
Russian MiG
1. N
Namibia
10
Authentication Protocols
11
Authentication
  • Alice must prove her identity to Bob
  • Alice and Bob can be humans or computers
  • May also require Bob to prove hes Bob (mutual
    authentication)
  • May also need to establish a session key
  • May have other requirements, such as
  • Use only public keys
  • Use only symmetric keys
  • Use only a hash function
  • Anonymity, plausible deniability, etc., etc.

12
Authentication
  • Authentication on a stand-alone computer is
    relatively simple
  • Secure path is the primary issue
  • Main concern is an attack on authentication
    software (we discuss software attacks later)
  • Authentication over a network is much more
    complex
  • Attacker can passively observe messages
  • Attacker can replay messages
  • Active attacks may be possible (insert, delete,
    change messages)

13
Simple Authentication
Im Alice
Prove it
My password is frank
Bob
Alice
  • Simple and may be OK for standalone system
  • But insecure for networked system
  • Subject to a replay attack (next 2 slides)
  • Bob must know Alices password

14
Authentication Attack
Im Alice
Prove it
My password is frank
Bob
Alice
Trudy
15
Authentication Attack
Im Alice
Prove it
My password is frank
Bob
Trudy
  • This is a replay attack
  • How can we prevent a replay?

16
Simple Authentication
Im Alice, My password is frank
Bob
Alice
  • More efficient
  • But same problem as previous version

17
Better Authentication
Im Alice
Prove it
h(Alices password)
Bob
Alice
  • Better since it hides Alices password
  • From both Bob and attackers
  • But still subject to replay

18
Challenge-Response
  • To prevent replay, challenge-response used
  • Suppose Bob wants to authenticate Alice
  • Challenge sent from Bob to Alice
  • Only Alice can provide the correct response
  • Challenge chosen so that replay is not possible
  • How to accomplish this?
  • Password is something only Alice should know
  • For freshness, a number used once or nonce

19
Challenge-Response
Im Alice
Nonce
h(Alices password, Nonce)
Bob
Alice
  • Nonce is the challenge
  • The hash is the response
  • Nonce prevents replay, insures freshness
  • Password is something Alice knows
  • Note that Bob must know Alices password

20
Challenge-Response
Im Alice
Nonce
Something that could only be
Bob
from Alice (and Bob can verify)
Alice
  • What can we use to achieve this?
  • Hashed pwd works, crypto might be better

21
Symmetric Key Notation
  • Encrypt plaintext P with key K
  • C E(P,K)
  • Decrypt ciphertext C with key K
  • P D(C,K)
  • Here, we are concerned with attacks on protocols,
    not directly on the crypto
  • We assume that crypto algorithm is secure

22
Symmetric Key Authentication
  • Alice and Bob share symmetric key KAB
  • Key KAB known only to Alice and Bob
  • Authenticate by proving knowledge of shared
    symmetric key
  • How to accomplish this?
  • Must not reveal key
  • Must not allow replay attack

23
Authentication with Symmetric Key
Im Alice
R
E(R,KAB)
Bob, KAB
Alice, KAB
  • Secure method for Bob to authenticate Alice
  • Alice does not authenticate Bob
  • Can we achieve mutual authentication?

24
Mutual Authentication?
Im Alice, R
E(R,KAB)
E(R,KAB)
Alice
Bob
  • Whats wrong with this picture?
  • Alice could be Trudy (or anybody else)!

25
Mutual Authentication
  • Since we have a secure one-way authentication
    protocol
  • The obvious thing to do is to use the protocol
    twice
  • Once for Bob to authenticate Alice
  • Once for Alice to authenticate Bob
  • This has to work

26
Mutual Authentication
Im Alice, RA
RB, E(RA,KAB)
E(RB,KAB)
Bob
Alice
  • This provides mutual authentication
  • or does it? See the next slide

27
Mutual Authentication Attack
1. Im Alice, RA
2. RB, E(RA,KAB)
5. E(RB,KAB)
Bob
Trudy
3. Im Alice, RB
4. RC, E(RB,KAB)
Bob
Trudy
28
Mutual Authentication
  • Our one-way authentication protocol not secure
    for mutual authentication
  • Protocols are subtle!
  • The obvious thing may not be secure
  • Also, if assumptions or environment changes,
    protocol may not work
  • This is a common source of security failure
  • For example, Internet protocols

29
Symmetric Key Mutual Authentication
Im Alice, RA
RB, E(Bob,RA,KAB)
E(Alice,RB,KAB)
Bob
Alice
  • Do these insignificant changes help?
  • Yes!

30
Public Key Notation
  • Encrypt M with Alices public key MAlice
  • Sign M with Alices private key MAlice
  • Then
  • MAlice Alice M
  • MAlice Alice M
  • Anybody can do public key operations
  • Only Alice can use her private key (sign)

31
Public Key Authentication
Im Alice
RAlice
R
Bob
Alice
  • Is this secure?
  • Trudy can get Alice to decrypt anything!
  • Must have two key pairs

32
Public Key Authentication
Im Alice
R
RAlice
Bob
Alice
  • Is this secure?
  • Trudy can get Alice to sign anything!
  • Must have two key pairs

33
Public Keys
  • Never use the same key pair for encryption and
    signing
  • One key pair for encryption/decryption
  • A different key pair for signing/verifying
    signatures

34
Session Key
  • Usually, a session key is required
  • Symmetric key for a particular session
  • Can we authenticate and establish a shared
    symmetric key?
  • Key can be used for confidentiality
  • Key can be used for integrity
  • In some cases, we may also require perfect
    forward secrecy (PFS)
  • Discussed later

35
Authentication Session Key
Im Alice, R
R,KAlice
R 1,KBob
Bob
Alice
  • Is this secure?
  • OK for key, but no mutual authentication
  • Note that K is acting as Bobs nonce

36
Public Key Authentication and Session Key
Im Alice, R
R,KBob
R 1,KAlice
Bob
Alice
  • Is this secure?
  • Mutual authentication but key is not secret!

37
Public Key Authentication and Session Key
Im Alice, R
R,KBobAlice
R 1,KAliceBob
Bob
Alice
  • Is this secure?
  • Seems to be OK
  • Mutual authentication and session key!

38
Public Key Authentication and Session Key
Im Alice, R
R,KAliceBob
R 1,KBobAlice
Bob
Alice
  • Is this secure?
  • Seems to be OK
  • Anyone can see R,KAlice and R 1,KBob

39
Perfect Forward Secrecy
  • The concern
  • Alice encrypts message with shared key KAB and
    sends ciphertext to Bob
  • Trudy records ciphertext and later attacks
    Alices (or Bobs) computer to find KAB
  • Then Trudy decrypts recorded messages
  • Perfect forward secrecy (PFS) Trudy cannot later
    decrypt recorded ciphertext
  • Even if Trudy gets key KAB or other secret(s)
  • Is PFS possible?

40
Perfect Forward Secrecy
  • Suppose Alice and Bob share key KAB
  • For perfect forward secrecy, Alice and Bob cannot
    use KAB to encrypt
  • Instead they must use a session key KS and forget
    it after its used
  • Problem How can Alice and Bob agree on session
    key KS and ensure PFS?

41
Naïve Session Key Protocol
E(KS, KAB)
E(messages, KS)
Bob, KAB
Alice, KAB
  • Trudy could also record E(KS,KAB)
  • If Trudy gets KAB, she gets KS

42
Perfect Forward Secrecy
  • Can use Diffie-Hellman for PFS
  • Recall Diffie-Hellman public g and p

ga mod p
gb mod p
Alice, a
Bob, b
  • But Diffie-Hellman is subject to MiM
  • How to get PFS and prevent MiM?

43
Diffie-Hellman
  • Subject to man-in-the-middle (MiM) attack

ga mod p
gt mod p
gb mod p
gt mod p
Bob, b
Trudy, t
Alice, a
  • Trudy shares secret gat mod p with Alice
  • Trudy shares secret gbt mod p with Bob
  • Alice and Bob dont know Trudy exists!

44
Diffie-Hellman
  • How to prevent MiM attack?
  • Encrypt DH exchange with symmetric key
  • Encrypt DH exchange with public key
  • Sign DH values with private key
  • Other?
  • You MUST be aware of MiM attack on Diffie-Hellman

45
Perfect Forward Secrecy
E(ga mod p, KAB)
E(gb mod p, KAB)
Alice, a
Bob, b
  • Session key KS gab mod p
  • Alice forgets a, Bob forgets b
  • Ephemeral Diffie-Hellman
  • Not even Alice and Bob can later recover KS
  • Other ways to do PFS?

46
Mutual Authentication, Session Key and PFS
Im Alice, RA
RB, RA, gb mod pAliceBob
RB, ga mod pBobAlice
Bob
Alice
  • Session key is K gab mod p
  • Alice forgets a and Bob forgets b
  • If Trudy later gets Bobs and Alices secrets,
    she cannot recover session key K

47
Timestamps
  • A timestamp T is the current time
  • Timestamps used in many security protocols
    (Kerberos, for example)
  • Timestamps reduce number of messages
  • Like a nonce that both sides know in advance
  • But, use of timestamps implies that time is a
    security-critical parameter
  • Clocks never exactly the same, so must allow for
    clock skew ? risk of replay
  • How much clock skew is enough?

48
Public Key Authentication with Timestamp T
Im Alice, T,KAliceBob
T 1,KBobAlice
Bob
Alice
  • Is this secure?
  • Seems to be OK

49
Public Key Authentication with Timestamp T
Im Alice, T,KBobAlice
T 1,KAliceBob
Alice
Bob
  • Is this secure?
  • Trudy can use Alices public key to find
  • T,KBob and then

50
Public Key Authentication with Timestamp T
Im Trudy, T,KBobTrudy
T 1,KTrudyBob
Bob
Trudy
  • Trudy obtains Alice-Bob session key K
  • Note Trudy must act within clock skew

51
Public Key Authentication
  • Sign and encrypt with nonce
  • Secure
  • Encrypt and sign with nonce
  • Secure
  • Sign and encrypt with timestamp
  • Secure
  • Encrypt and sign with timestamp
  • Insecure
  • Protocols can be subtle!

52
Public Key Authentication with Timestamp T
Im Alice, T,KBobAlice
T 1AliceBob
Bob
Alice
  • Is this encrypt and sign secure?
  • Yes, seems to be
  • Does sign and encrypt also work here?

53
Authentication and TCP
54
TCP-based Authentication
  • TCP not intended for use as an authentication
    protocol
  • But IP address in TCP connection often used for
    authentication
  • One mode of IPSec uses IP address for
    authentication
  • This can cause problems

55
TCP 3-way Handshake
SYN, SEQ a
SYN, ACK a1, SEQ b
ACK b1, data
Bob
Alice
  • Recall the TCP three way handshake
  • Initial SEQ number must be random
  • Why? See the next slide

56
TCP Authentication Attack
1. SYN, SEQ t (as Trudy)
2. SYN, ACK t1, SEQ b1
3. SYN, SEQ t (as Alice)
5. ACK b21, data
Bob
Trudy
5.
5.
4. SYN, ACK t1, SEQ b2
5.
Alice
5.
57
TCP Authentication Attack
Initial SEQ numbers Mac OS X
Random SEQ numbers
  • If initial SEQ numbers not very random
  • possible to guess initial SEQ number
  • and previous attack will succeed

58
TCP Authentication Attack
  • Trudy cannot see what Bob sends, but she can send
    packets to server Bob, while posing as Alice
  • Trudy must prevent Alice from receiving Bobs
    packets (or else connection will terminate)
  • If password (or other authentication) required,
    this attack fails
  • If TCP connection is relied on for
    authentication, then attack succeeds
  • Bad idea to rely on TCP for authentication

59
Zero Knowledge Proofs
60
Zero Knowledge Proof (ZKP)
  • Alice wants to prove that she knows a secret
    without revealing any info about it
  • Bob must verify that Alice knows secret
  • Even though he gains no info about the secret
  • Process is probabilistic
  • Bob can verify that Alice knows the secret to an
    arbitrarily high probability
  • An interactive proof system

61
Bobs Cave
  • Alice claims to know secret phrase to open path
    between R and S (open sarsparilla)
  • Can she convince Bob that she knows the secret
    without revealing phrase?

P
Q
R
S
62
Bobs Cave
  • Bob Alice come out on S side

P
  • Alice (quietly) Open sarsparilla

Q
  • If Alice does not know secret

R
S
  • then Alice could come out from the correct side
    with probability 1/2
  • If Bob repeats this n times, then Alice (who does
    not know secret) can only fool Bob with
    probability 1/2n

63
Fiat-Shamir Protocol
  • Cave-based protocols are inconvenient
  • Can we achieve same effect without a cave?
  • It is known that finding square roots modulo N is
    difficult (like factoring)
  • Suppose N pq, where p and q prime
  • Alice has a secret S
  • N and v S2 mod N are public, S is secret
  • Alice must convince Bob that she knows S without
    revealing any information about S

64
Fiat-Shamir
x r2 mod N
e ? 0,1
y r?Se mod N
Alice secret S random r
Bob
  • Public Modulus N and v S2 mod N
  • Alice selects random r
  • Bob chooses e ? 0,1
  • Bob verifies that y2 r2?S2e r2?(S2)e x?ve
    mod N

65
Fiat-Shamir e 1
x r2 mod N
e 1
y r?S mod N
Alice secret S random r
Bob
  • Public Modulus N and v S2 mod N
  • Alice selects random r
  • Suppose Bob chooses e 1
  • Bob must verify that y2 x?v mod N
  • Alice must know S in this case

66
Fiat-Shamir e 0
x r2 mod N
e 0
y r mod N
Alice secret S random r
Bob
  • Public Modulus N and v S2 mod N
  • Alice selects random r
  • Suppose Bob chooses e 0
  • Bob must verify that y2 x mod N
  • Alice does not need to know S in this case!

67
Fiat-Shamir
  • Public modulus N and v S2 mod N
  • Secret Alice knows S
  • Alice selects random r and commits to r by
    sending x r2 mod N to Bob
  • Bob sends challenge e ? 0,1 to Alice
  • Alice responds with y r?Se mod N
  • Bob checks that y2 x?ve mod N
  • Does this prove response is from Alice?

68
Does Fiat-Shamir Work?
  • The math works since
  • Public v S2
  • Alice to Bob x r2 and y r?Se
  • Bob verifies y2 x?ve mod N
  • Can Trudy convince Bob she is Alice?
  • If Trudy expects e 0, she can send x r2 in
    msg 1 and y r in msg 3 (i.e., follow protocol)
  • If Trudy expects Bob to send e 1, she can send
    x r2?v?1 in msg 1 and y r in msg 3
  • If Bob chooses e ? 0,1 at random, Trudy can
    only fool Bob with probability 1/2

69
Fiat-Shamir Facts
  • Trudy can fool Bob with prob 1/2, but
  • after n iterations, the probability that Trudy
    can fool Bob is only 1/2n
  • Just like Bobs cave!
  • Bobs e ? 0,1 must be unpredictable
  • Alice must use new r each iteration or else
  • If e 0, Alice sends r in message 3
  • If e 1, Alice sends r?S in message 3
  • Anyone can find S given both r and r?S

70
Fiat-Shamir Zero Knowledge?
  • Zero knowledge means that Bob learns nothing
    about the secret S
  • Public v S2 mod N
  • Bob sees r2 mod N in message 1
  • Bob sees r?S mod N in message 3 (if e 1)
  • If Bob can find r from r2 mod N, he gets S
  • But that requires modular square root
  • If Bob can find modular square roots, he can get
    S from public v
  • The protocol does not help Bob to find S

71
ZKP in the Real World
  • Public key certificates identify users
  • No anonymity if certificates transmitted
  • ZKP offers a way to authenticate without
    revealing identities
  • ZKP supported in Microsofts Next Generation
    Secure Computing Base (NGSCB)
  • ZKP used to authenticate software without
    revealing machine identifying data
  • ZKP not just fun and games for mathematicians!

72
Best Authentication Protocol?
  • What is best depends on many factors
  • The sensitivity of the application
  • The delay that is tolerable
  • The cost (computation) that is tolerable
  • What crypto is supported
  • Public key, symmetric key, hash functions
  • Is mutual authentication required?
  • Is a session key required?
  • Is PFS a concern?
  • Is anonymity a concern?, etc.
Write a Comment
User Comments (0)
About PowerShow.com