Security Protocols CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

1
Security ProtocolsCS 236On-Line MS
ProgramNetworks and Systems Security Peter
Reiher

2
Outline

• Designing secure protocols
• Basic protocols
• Key exchange
• Common security problems in protocols

3
Basics of Security Protocols

• Work from the assumption (usually) that your
  encryption is sufficiently strong
• Given that, how do you design a message exchange
  to achieve a given result securely?
• Not nearly as easy as you probably think

4
Security Protocols

• A series of steps involving two or more parties
  designed to accomplish a task with suitable
  security
• Sequence is important
• Cryptographic protocols use cryptography
• Different protocols assume different levels of
  trust between participants

5
Types of Security Protocols

• Arbitrated protocols
• Involving a trusted third party
• Adjudicated protocols
• Trusted third party, after the fact
• Self-enforcing protocols
• No trusted third party

6
Participants in Security Protocols

7
And the Bad Guys

And sometimes Alice or Bob might cheat
Who only listens passively
Who is actively malicious
8
Trusted Arbitrator

A disinterested third party trusted by all
legitimate participants
Arbitrators often simplify protocols, but add
overhead
9
Key Exchange Protocols

• Often we want a different encryption key for each
  communication session
• How do we get those keys to the participants?
• Securely
• Quickly
• Even if theyve never communicated before

10
Key Exchange With Symmetric Encryption and an
Arbitrator

• Alice and Bob want to talk securely with a new
  key
• They both trust Trent
• Assume Alice Bob each share a key with Trent
• How do Alice and Bob get a shared key?

11
Step One

Alice
Bob
Alice Requests Session Key for Bob
Who knows what at this point?
Trent
12
Step Two

Alice
Bob
EKA(KS), EKB(KS)
Who knows what at this point?
EKA(KS), EKB(KS)
Trent
KS
13
Step Three
KS
KS

Alice
Bob
EKA(KS), EKB(KS)
Who knows what at this point?
Trent
KS
14
What Has the Protocol Achieved?

• Alice and Bob both have a new session key
• The session key was transmitted using keys known
  only to Alice and Bob
• Both Alice and Bob know that Trent participated
• But there are vulnerabilities

15
Problems With the Protocol

• What if the initial request was grabbed by
  Mallory?
• Could he do something bad that ends up causing us
  problems?
• Yes!

16
The Man-in-the-Middle Attack

• A class of attacks where an active attacker
  interposes himself secretly in a protocol
• Allowing alteration of the effects of the
  protocol
• Without necessarily attacking the encryption

17
Applying the Man-in-the-Middle Attack

Alice
Bob
Alice Requests Session Key for Mallory
More precisely, what do they think they know?
Who knows what at this point?
Alice Requests Session Key for Bob
Trent
18
Trent Does His Job

Alice
Bob
EKA(KS), EKM(KS)
Trent
19
Alice Gets Ready to Talk to Bob
KS

Alice
Bob
KS
EKM(KS)
Mallory can now masquerade as Bob
EKM(KS)
Trent
20
Really Getting in the Middle

Alice
KS1
Bob
KS
EKM(KS1), EKB(KS1)
KS
EKB(KS1)
KS1
Mallory can also ask Trent for a key to talk to
Bob
Trent
21
Mallory Plays Man-in-the-Middle

Alice
KS1
Bob
KS
KS
Alices big secret
KS1
EKS(Alices big secret)
Bobs big secret
Alices big secret
EKS1(Alices big secret)
EKS(Alices big secret)
EKS1(Bobs big secret)
EKS1(Bobs big secret)
EKS(Bobs big secret)
Alices big secret
Bobs big secret
Bobs big secret
22
Defeating the Man In the Middle

• Problems
• 1). Trent doesnt really know what hes supposed
  to do
• 2). Alice doesnt verify he did the right thing
• Minor changes can fix that
• 1). Encrypt request with KA
• 2). Include identity of other participant in
  response - EKA(KS, Bob)

23
Applying the First Fix
KB

Alice
Bob
Mallory cant read the request
EKA(Alice Requests Session Key for Bob)
And Mallory cant forge or alter Alices request
Trent
KB
24
But Theres Another Problem

• A replay attack
• Replay attacks occur when Mallory copies down a
  bunch of protocol messages
• And then plays them again
• In some cases, this can wreak havoc
• Why does it here?

25
Step One

Alice
Alice Requests Session Key for Bob
Bob
Alice Requests Session Key for Bob
Trent
26
Step Two

Alice
Alice Requests Session Key for Bob
Bob
EKA(KS), EKB(KS)
EKA(KS), EKB(KS)
Trent
KS
27
Step Three
KS
KS

Alice
Alice Requests Session Key for Bob
Bob
EKA(KS), EKB(KS)
EKA(KS), EKB(KS)
EKB(KS)
What can Mallory do with his saved messages?
Trent
KS
28
Mallory Waits for His Opportunity

Alice Requests Session Key for Bob
EKA(KS), EKB(KS)
EKB(KS)
29
What Will Happen Next?
KS
KS

Alice Requests Session Key for Bob
KS
EKA(KS), EKB(KS)
Whats so bad about that?
EKB(KS)
What if Mallory has cracked KS?
30
Key Exchange With Public Key Cryptography

• With no trusted arbitrator
• Alice sends Bob her public key
• Bob sends Alice his public key
• Alice generates a session key and sends it to Bob
  encrypted with his public key, signed with her
  private key
• Bob decrypts Alices message with his private key
• Encrypt session with shared session key

31
Basic Key Exchange Using PK

KEA , KDA
KEB , KDB
Bob
Alice
EKDB(KS)
KS
KS
Bob verifies the message came from Alice
Bob extracts the key from the message
32
Man-in-the-Middle With Public Keys

KEA , KDA
KEM , KDM
KEB , KDB
Alice
Bob
Now Mallory can pose as Alice to Bob
33
And Bob Sends His Public Key

KEA , KDA
KEM , KDM
KEB , KDB
Alice
Bob
Now Mallory can pose as Bob to Alice
34
Alice Chooses a Session Key

KEA , KDA
KEM , KDM
KEB , KDB
KS
KS
Alice
Bob
KS
Bob and Alice are sharing a session key
Unfortunately, theyre also sharing it with
Mallory