Title: Security Protocols CS 236 On-Line MS Program Networks and Systems Security Peter Reiher
Slide 1: Security Protocols
CS 236 On-Line MS Program, Networks and Systems Security, Peter Reiher
Slide 2: Outline
- Designing secure protocols
- Basic protocols
- Key exchange
- Common security problems in protocols
Slide 3: Basics of Security Protocols
- Work from the assumption (usually) that your encryption is sufficiently strong
- Given that, how do you design a message exchange to achieve a given result securely?
- Not nearly as easy as you probably think
Slide 4: Security Protocols
- A series of steps involving two or more parties designed to accomplish a task with suitable security
- Sequence is important
- Cryptographic protocols use cryptography
- Different protocols assume different levels of trust between participants
Slide 5: Types of Security Protocols
- Arbitrated protocols
  - Involving a trusted third party
- Adjudicated protocols
  - Trusted third party, after the fact
- Self-enforcing protocols
  - No trusted third party
Slide 6: Participants in Security Protocols
Slide 7: And the Bad Guys
[Diagram] One attacker who only listens passively; another who is actively malicious. And sometimes Alice or Bob might cheat.
Slide 8: Trusted Arbitrator
A disinterested third party trusted by all legitimate participants.
Arbitrators often simplify protocols, but add overhead.
Slide 9: Key Exchange Protocols
- Often we want a different encryption key for each communication session
- How do we get those keys to the participants?
  - Securely
  - Quickly
  - Even if they've never communicated before
Slide 10: Key Exchange With Symmetric Encryption and an Arbitrator
- Alice and Bob want to talk securely with a new key
- They both trust Trent
- Assume Alice and Bob each share a key with Trent
- How do Alice and Bob get a shared key?
Slide 11: Step One
[Diagram: Alice, Bob, Trent] Alice sends Trent the request "Alice Requests Session Key for Bob". Who knows what at this point?
Slide 12: Step Two
[Diagram] Trent generates KS and sends Alice EKA(KS), EKB(KS). Who knows what at this point?
Slide 13: Step Three
[Diagram] Alice decrypts KS and forwards EKB(KS) to Bob; Alice, Bob and Trent now all hold KS. Who knows what at this point?
Slide 14: What Has the Protocol Achieved?
- Alice and Bob both have a new session key
- The session key was transmitted using keys known only to Alice and Bob
- Both Alice and Bob know that Trent participated
- But there are vulnerabilities
Slide 15: Problems With the Protocol
- What if the initial request was grabbed by Mallory?
- Could he do something bad that ends up causing us problems?
- Yes!
Slide 16: The Man-in-the-Middle Attack
- A class of attacks where an active attacker interposes himself secretly in a protocol
  - Allowing alteration of the effects of the protocol
  - Without necessarily attacking the encryption
Slide 17: Applying the Man-in-the-Middle Attack
[Diagram] Alice sends "Alice Requests Session Key for Bob"; Mallory intercepts it and passes "Alice Requests Session Key for Mallory" on to Trent. Who knows what at this point? More precisely, what do they think they know?
Slide 18: Trent Does His Job
[Diagram] Trent answers the altered request with EKA(KS), EKM(KS).
Slide 19: Alice Gets Ready to Talk to Bob
[Diagram] Alice decrypts KS and forwards EKM(KS) toward Bob; Mallory intercepts it and decrypts KS. Mallory can now masquerade as Bob.
Slide 20: Really Getting in the Middle
[Diagram] Mallory can also ask Trent for a key to talk to Bob: Trent returns EKM(KS1), EKB(KS1), and Mallory forwards EKB(KS1) to Bob. Now Alice and Mallory share KS, and Mallory and Bob share KS1.
Slide 21: Mallory Plays Man-in-the-Middle
[Diagram] Alice sends EKS(Alice's big secret); Mallory decrypts it with KS and re-encrypts it as EKS1(Alice's big secret) for Bob. Bob replies with EKS1(Bob's big secret); Mallory decrypts it with KS1 and re-encrypts it as EKS(Bob's big secret) for Alice. Alice and Bob each learn the other's secret, and Mallory learns both.
Slide 22: Defeating the Man in the Middle
- Problems
  - 1) Trent doesn't really know what he's supposed to do
  - 2) Alice doesn't verify he did the right thing
- Minor changes can fix that
  - 1) Encrypt request with KA
  - 2) Include identity of other participant in response: EKA(KS, Bob)
Slide 23: Applying the First Fix
[Diagram] Alice sends Trent EKA(Alice Requests Session Key for Bob). Mallory can't read the request, and Mallory can't forge or alter Alice's request.
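As an added illustration that is not part of the slides, the following Python models the exchange of slides 11 through 23 symbolically: Trent's response with and without the second fix, and the check Alice makes on the named peer. Encryption is modelled as a tagged tuple rather than real cryptography, and the key names are constructed.

```python
import secrets

def enc(key, *payload):
    """Symbolic E_key(payload): only dec() with the same key opens it (no real crypto)."""
    return ("enc", key, payload)

def dec(key, msg):
    tag, k, payload = msg
    if tag != "enc" or k != key:
        raise ValueError("cannot decrypt: wrong key")
    return payload

def opens(key, msg):
    try:
        dec(key, msg)
        return True
    except ValueError:
        return False

class Trent:
    """Arbitrator holding one long-term key per principal (slide 10)."""
    def __init__(self, keys):
        self.keys = keys

    def issue(self, requester, peer, name_peer):
        ks = "KS-" + secrets.token_hex(4)            # fresh session key
        if name_peer:                                 # slide 22, fix 2: EKA(KS, Bob)
            return enc(self.keys[requester], ks, peer), enc(self.keys[peer], ks)
        return enc(self.keys[requester], ks), enc(self.keys[peer], ks)   # slide 12

def run(name_peer, mallory_rewrites_request):
    """Returns (key Alice accepts or None, who besides Alice can open the second half)."""
    keys = {"Alice": "KA", "Bob": "KB", "Mallory": "KM"}   # constructed long-term keys
    trent = Trent(keys)
    # Slide 11: the request travels in the clear, so Mallory can alter it (slide 17).
    peer = "Mallory" if mallory_rewrites_request else "Bob"
    for_alice, for_peer = trent.issue("Alice", peer, name_peer)
    payload = dec("KA", for_alice)
    if name_peer and payload[1] != "Bob":
        return None, []          # Alice's check: the response names the wrong party
    # Without that check Alice forwards for_peer; see whose long-term key opens it.
    holders = [n for n, k in keys.items() if n != "Alice" and opens(k, for_peer)]
    return payload[0], holders
```

Running `run(False, True)` reproduces slide 19 (Mallory, not Bob, ends up holding KS), while `run(True, True)` shows Alice rejecting the response once the peer's identity is included.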
Slide 24: But There's Another Problem
- A replay attack
- Replay attacks occur when Mallory copies down a bunch of protocol messages
  - And then plays them again
- In some cases, this can wreak havoc
- Why does it here?
Slide 25: Step One
[Diagram] Alice sends Trent "Alice Requests Session Key for Bob"; Mallory records a copy.
Slide 26: Step Two
[Diagram] Trent generates KS and sends Alice EKA(KS), EKB(KS); Mallory records a copy.
Slide 27: Step Three
[Diagram] Alice decrypts KS and forwards EKB(KS) to Bob; Mallory records a copy. Alice, Bob and Trent now all hold KS. What can Mallory do with his saved messages?
Slide 28: Mallory Waits for His Opportunity
[Diagram] Mallory holds the saved messages: "Alice Requests Session Key for Bob", EKA(KS), EKB(KS), and EKB(KS).
Slide 29: What Will Happen Next?
[Diagram] Mallory replays the saved messages, so Alice and Bob end up holding the old KS again. What's so bad about that? What if Mallory has cracked KS?
Slide 30: Key Exchange With Public Key Cryptography
- With no trusted arbitrator
- Alice sends Bob her public key
- Bob sends Alice his public key
- Alice generates a session key and sends it to Bob encrypted with his public key, signed with her private key
- Bob decrypts Alice's message with his private key
- Encrypt session with shared session key
Slide 31: Basic Key Exchange Using PK
[Diagram] Alice holds (KEA, KDA) and Bob holds (KEB, KDB). Alice sends Bob EKDB(KS). Bob verifies the message came from Alice and extracts the key from the message; both now hold KS.
Slide 32: Man-in-the-Middle With Public Keys
[Diagram] Alice (KEA, KDA) sends her public key toward Bob (KEB, KDB); Mallory (KEM, KDM) intercepts it and sends Bob his own public key instead. Now Mallory can pose as Alice to Bob.
Slide 33: And Bob Sends His Public Key
[Diagram] Bob (KEB, KDB) sends his public key toward Alice (KEA, KDA); Mallory (KEM, KDM) intercepts it and sends Alice his own public key instead. Now Mallory can pose as Bob to Alice.
Slide 34: Alice Chooses a Session Key
[Diagram] Alice sends KS encrypted under the key she believes is Bob's; Mallory decrypts it and re-encrypts KS for Bob. Bob and Alice are sharing a session key. Unfortunately, they're also sharing it with Mallory.