Cryptographic%20Authentication%20Protocols

1
Cryptographic Authentication Protocols

• CS 470
• Introduction to Applied Cryptography
• Instructor Ali Aydin Selcuk

2
Cryptographic Authentication

• Password authentication subject to eavesdropping
• Alternative Cryptographic challenge-response
• Symmetric key
• Public key

3
Symmetric Key Challenge-Response
An example protocol
Im Alice
a challenge R
Alice
Bob
F(KAB,R)
4

• Limitations
• Authentication not mutual (login only)
• Subject to connection hijacking (login only)
• Subject to off-line password guessing (if K is
  derived from password)
• Bobs database has keys in the clear

5
Symmetric Key Challenge-Response
A one-message protocol
Im Alice, KABtimestamp
Alice
Bob
6

• Easy integration into password-sending systems
• More efficient Single message, stateless
• Care needed against replays
• Care needed if key is common across servers
• Clock has to be protected as well
• Alternatively, with a hash function, send,
• Im Alice, timestamp, H(KAB,timestamp)

7
Public Key Challenge-Response
By signature
Im Alice
R
Alice
Bob
RA
8
Public Key Challenge-Response
By decryption
Im Alice
RA
Alice
Bob
R
9

• Problem Bob (or Trudy) can get Alice to
  sign/decrypt any text he chooses.
• Solutions
• Never use the same key for different purposes
  (e.g., for login and signature)
• Have formatted challenges

10
Mutual Authentication

• Both Alice and Bob authenticate each other
• An example protocol

Im Alice
R1
F(KAB,R1)
Alice
Bob
R2
F(KAB,R2)
11
Some saving
Im Alice, R2
R1, F(KAB,R2)
Alice
Bob
F(KAB,R1)
12
Reflection attack
Im Alice, R2
R1, F(KAB,R2)
Trudy
Bob
F(KAB,R1)
Im Alice, R1
Trudy
Bob
R3, F(KAB,R1)
13

• Solutions
• Different keys for Alice and Bob
• Formatted challenges, different for Alice and Bob
• Principle Initiator should be the first to prove
  its identity

14

• Another weakness Trudy can do dictionary attack
  against KAB acting as Alice, without
  eavesdropping.
• Solution against both problems
• (Dictionary attack still possible if Trudy can
  impersonate Bob.)

Im Alice
R1
Alice
Bob
F(KAB,R1), R2
F(KAB,R2)
15

• Mutual authentication with PKC
• Problem How can the public/private keys be
  remembered by ordinary users?
• They can be stored in an electronic token (USB),
  or can be retrieved from a server with
  password-based authentication encryption.

Im Alice, R2B
R2, R1A
Alice
Bob
R1
16
Session Key Establishment

• A session key is needed to authenticate/encrypt
  the rest of the session.
• The session key must be
• different for each session
• unguessable by an eavesdropper
• not KABx for some x predictable/extractable by
  an attacker
• Good if both sides contribute
• avoids replays (freshness guarantee)
• works if either side has a good random number
  generator

17
Nonces

• Nonce Something created for one particular
  occasion
• Nonce types
• Random numbers
• Timestamps
• Sequence numbers
• Random nonces needed for unpredictability
• Obtaining random nonces from timestamps
  encryption with a secret key.

18
Protocol Performance Comparison

• Computational Complexity(to minimize CPU time,
  power consumption)
• Number of private-key operations
• public-key
• bytes encrypted with secret
  key
• bytes hashed
• Communication Complexity
• Number of message rounds
• Bandwidth consumption