Computer Science 654 Lecture 2 : Protocols - PowerPoint PPT Presentation

1 / 72

About This Presentation

Title:

Computer Science 654 Lecture 2 : Protocols

Description:

Title: Computer Science 654 Chapter 8: Multilateral Security Author: Wayne Patterson Last modified by: nsfuser Created Date: 2/2/2003 3:45:59 AM Document presentation ... – PowerPoint PPT presentation

Number of Views:203

Avg rating:3.0/5.0

Slides: 73

Provided by: WaynePa7

Category:

more less

Transcript and Presenter's Notes

Title: Computer Science 654 Lecture 2 : Protocols

1
Computer Science 654Lecture 2 Protocols

Professor Wayne Patterson
Howard University
Spring 2009
(Stamp Chapter 9)

2
Protocol

Human protocols ? the rules followed in human
interactions
Example Asking a question in class
Networking protocols ? rules followed in
networked communication systems
Examples HTTP, FTP, etc.
Security protocol ? the (communication) rules
followed in a security application
Examples SSL, IPSec, Kerberos, etc.

3
Protocols

Protocol flaws can be very subtle
Several well-known security protocols have
serious flaws
Including IPSec, GSM and WEP
Common to find implementation errors
Such as IE implementation of SSL
Difficult to get protocols right

4
Ideal Security Protocol

Satisfies security requirements
Requirements must be precise
Efficient
Minimize computational requirement ? in
particular, costly public key operations
Minimize delays/bandwidth
Not fragile
Must work when attacker tries to break it
Works even if environment changes
Easy to use and implement, flexible, etc.
Very difficult to satisfy all of these!

5
Simple Security Protocols
6
Secure Entry to NSA

Insert badge into reader
Enter PIN
Correct PIN?
Yes? Enter
No? Get shot by security guard

7
ATM Machine Protocol

Insert ATM card
Enter PIN
Correct PIN?
Yes? Conduct your transaction(s)
No? Machine eats card

8
Identify Friend or Foe (IFF)
Russian MIG
Angola
2. E(N,K)
SAAF Impala
1. N
Namibia
9
MIG in the Middle
3. N
SAAF Impala
4. E(N,K)
Angola
2. N
5. E(N,K)
6. E(N,K)
Russian MiG
1. N
Namibia
10
Authentication Protocols
11
Authentication

Alice must prove her identity to Bob
Alice and Bob can be humans or computers
May also require Bob to prove hes Bob (mutual
authentication)
May also need to establish a session key
May have other requirements, such as
Use only public keys
Use only symmetric keys
Use only a hash function
Anonymity, plausible deniability, etc., etc.

12
Authentication

Authentication on a stand-alone computer is
relatively simple
Secure path is the primary issue
Main concern is an attack on authentication
software (we discuss software attacks later)
Authentication over a network is much more
complex
Attacker can passively observe messages
Attacker can replay messages
Active attacks may be possible (insert, delete,
change messages)

13
Simple Authentication
Im Alice
Prove it
My password is frank
Bob
Alice

Simple and may be OK for standalone system
But insecure for networked system
Subject to a replay attack (next 2 slides)
Bob must know Alices password

14
Authentication Attack
Im Alice
Prove it
My password is frank
Bob
Alice
Trudy
15
Authentication Attack
Im Alice
Prove it
My password is frank
Bob
Trudy

This is a replay attack
How can we prevent a replay?

16
Simple Authentication
Im Alice, My password is frank
Bob
Alice

More efficient
But same problem as previous version

17
Better Authentication
Im Alice
Prove it
h(Alices password)
Bob
Alice

Better since it hides Alices password
From both Bob and attackers
But still subject to replay

18
Challenge-Response

To prevent replay, challenge-response used
Suppose Bob wants to authenticate Alice
Challenge sent from Bob to Alice
Only Alice can provide the correct response
Challenge chosen so that replay is not possible
How to accomplish this?
Password is something only Alice should know
For freshness, a number used once or nonce

19
Challenge-Response
Im Alice
Nonce
h(Alices password, Nonce)
Bob
Alice

Nonce is the challenge
The hash is the response
Nonce prevents replay, insures freshness
Password is something Alice knows
Note that Bob must know Alices password

20
Challenge-Response
Im Alice
Nonce
Something that could only be
Bob
from Alice (and Bob can verify)
Alice

What can we use to achieve this?
Hashed pwd works, crypto might be better

21
Symmetric Key Notation

Encrypt plaintext P with key K
C E(P,K)
Decrypt ciphertext C with key K
P D(C,K)
Here, we are concerned with attacks on protocols,
not directly on the crypto
We assume that crypto algorithm is secure

22
Symmetric Key Authentication

Alice and Bob share symmetric key KAB
Key KAB known only to Alice and Bob
Authenticate by proving knowledge of shared
symmetric key
How to accomplish this?
Must not reveal key
Must not allow replay attack

23
Authentication with Symmetric Key
Im Alice
R
E(R,KAB)
Bob, KAB
Alice, KAB

Secure method for Bob to authenticate Alice

Alice does not authenticate Bob

Can we achieve mutual authentication?

24
Mutual Authentication?
Im Alice, R
E(R,KAB)
E(R,KAB)
Alice
Bob

Whats wrong with this picture?
Alice could be Trudy (or anybody else)!

25
Mutual Authentication

Since we have a secure one-way authentication
protocol
The obvious thing to do is to use the protocol
twice
Once for Bob to authenticate Alice
Once for Alice to authenticate Bob
This has to work

26
Mutual Authentication
Im Alice, RA
RB, E(RA,KAB)
E(RB,KAB)
Bob
Alice

This provides mutual authentication
or does it? See the next slide

27
Mutual Authentication Attack
1. Im Alice, RA
2. RB, E(RA,KAB)
5. E(RB,KAB)
Bob
Trudy
3. Im Alice, RB
4. RC, E(RB,KAB)
Bob
Trudy
28
Mutual Authentication

Our one-way authentication protocol not secure
for mutual authentication
Protocols are subtle!
The obvious thing may not be secure
Also, if assumptions or environment changes,
protocol may not work
This is a common source of security failure
For example, Internet protocols

29
Symmetric Key Mutual Authentication
Im Alice, RA
RB, E(Bob,RA,KAB)
E(Alice,RB,KAB)
Bob
Alice

Do these insignificant changes help?
Yes!

30
Public Key Notation

Encrypt M with Alices public key MAlice
Sign M with Alices private key MAlice
Then
MAlice Alice M
MAlice Alice M
Anybody can do public key operations
Only Alice can use her private key (sign)

31
Public Key Authentication
Im Alice
RAlice
R
Bob
Alice

Is this secure?
Trudy can get Alice to decrypt anything!
Must have two key pairs

32
Public Key Authentication
Im Alice
R
RAlice
Bob
Alice

Is this secure?
Trudy can get Alice to sign anything!
Must have two key pairs

33
Public Keys

Never use the same key pair for encryption and
signing
One key pair for encryption/decryption
A different key pair for signing/verifying
signatures

34
Session Key

Usually, a session key is required
Symmetric key for a particular session
Can we authenticate and establish a shared
symmetric key?
Key can be used for confidentiality
Key can be used for integrity
In some cases, we may also require perfect
forward secrecy (PFS)
Discussed later

35
Authentication Session Key
Im Alice, R
R,KAlice
R 1,KBob
Bob
Alice

Is this secure?
OK for key, but no mutual authentication
Note that K is acting as Bobs nonce

36
Public Key Authentication and Session Key
Im Alice, R
R,KBob
R 1,KAlice
Bob
Alice

Is this secure?
Mutual authentication but key is not secret!

37
Public Key Authentication and Session Key
Im Alice, R
R,KBobAlice
R 1,KAliceBob
Bob
Alice

Is this secure?
Seems to be OK
Mutual authentication and session key!

38
Public Key Authentication and Session Key
Im Alice, R
R,KAliceBob
R 1,KBobAlice
Bob
Alice

Is this secure?
Seems to be OK
Anyone can see R,KAlice and R 1,KBob

39
Perfect Forward Secrecy

The concern
Alice encrypts message with shared key KAB and
sends ciphertext to Bob
Trudy records ciphertext and later attacks
Alices (or Bobs) computer to find KAB
Then Trudy decrypts recorded messages
Perfect forward secrecy (PFS) Trudy cannot later
decrypt recorded ciphertext
Even if Trudy gets key KAB or other secret(s)
Is PFS possible?

40
Perfect Forward Secrecy

Suppose Alice and Bob share key KAB
For perfect forward secrecy, Alice and Bob cannot
use KAB to encrypt
Instead they must use a session key KS and forget
it after its used
Problem How can Alice and Bob agree on session
key KS and ensure PFS?

41
Naïve Session Key Protocol
E(KS, KAB)
E(messages, KS)
Bob, KAB
Alice, KAB

Trudy could also record E(KS,KAB)
If Trudy gets KAB, she gets KS

42
Perfect Forward Secrecy

Can use Diffie-Hellman for PFS
Recall Diffie-Hellman public g and p

ga mod p
gb mod p
Alice, a
Bob, b

But Diffie-Hellman is subject to MiM
How to get PFS and prevent MiM?

43
Diffie-Hellman

Subject to man-in-the-middle (MiM) attack

ga mod p
gt mod p
gb mod p
gt mod p
Bob, b
Trudy, t
Alice, a

Trudy shares secret gat mod p with Alice
Trudy shares secret gbt mod p with Bob
Alice and Bob dont know Trudy exists!

44
Diffie-Hellman

How to prevent MiM attack?
Encrypt DH exchange with symmetric key
Encrypt DH exchange with public key
Sign DH values with private key
Other?
You MUST be aware of MiM attack on Diffie-Hellman

45
Perfect Forward Secrecy
E(ga mod p, KAB)
E(gb mod p, KAB)
Alice, a
Bob, b

Session key KS gab mod p
Alice forgets a, Bob forgets b
Ephemeral Diffie-Hellman
Not even Alice and Bob can later recover KS
Other ways to do PFS?

46
Mutual Authentication, Session Key and PFS
Im Alice, RA
RB, RA, gb mod pAliceBob
RB, ga mod pBobAlice
Bob
Alice

Session key is K gab mod p
Alice forgets a and Bob forgets b
If Trudy later gets Bobs and Alices secrets,
she cannot recover session key K

47
Timestamps

A timestamp T is the current time
Timestamps used in many security protocols
(Kerberos, for example)
Timestamps reduce number of messages
Like a nonce that both sides know in advance
But, use of timestamps implies that time is a
security-critical parameter
Clocks never exactly the same, so must allow for
clock skew ? risk of replay
How much clock skew is enough?

48
Public Key Authentication with Timestamp T
Im Alice, T,KAliceBob
T 1,KBobAlice
Bob
Alice

Is this secure?
Seems to be OK

49
Public Key Authentication with Timestamp T
Im Alice, T,KBobAlice
T 1,KAliceBob
Alice
Bob

Is this secure?
Trudy can use Alices public key to find
T,KBob and then

50
Public Key Authentication with Timestamp T
Im Trudy, T,KBobTrudy
T 1,KTrudyBob
Bob
Trudy

Trudy obtains Alice-Bob session key K
Note Trudy must act within clock skew

51
Public Key Authentication

Sign and encrypt with nonce
Secure
Encrypt and sign with nonce
Secure
Sign and encrypt with timestamp
Secure
Encrypt and sign with timestamp
Insecure
Protocols can be subtle!

52
Public Key Authentication with Timestamp T
Im Alice, T,KBobAlice
T 1AliceBob
Bob
Alice

Is this encrypt and sign secure?
Yes, seems to be
Does sign and encrypt also work here?

53
Authentication and TCP
54
TCP-based Authentication

TCP not intended for use as an authentication
protocol
But IP address in TCP connection often used for
authentication
One mode of IPSec uses IP address for
authentication
This can cause problems

55
TCP 3-way Handshake
SYN, SEQ a
SYN, ACK a1, SEQ b
ACK b1, data
Bob
Alice

Recall the TCP three way handshake
Initial SEQ number must be random
Why? See the next slide

56
TCP Authentication Attack
1. SYN, SEQ t (as Trudy)
2. SYN, ACK t1, SEQ b1
3. SYN, SEQ t (as Alice)
5. ACK b21, data
Bob
Trudy
5.
5.
4. SYN, ACK t1, SEQ b2
5.
Alice
5.
57
TCP Authentication Attack
Initial SEQ numbers Mac OS X
Random SEQ numbers

If initial SEQ numbers not very random
possible to guess initial SEQ number
and previous attack will succeed

58
TCP Authentication Attack

Trudy cannot see what Bob sends, but she can send
packets to server Bob, while posing as Alice
Trudy must prevent Alice from receiving Bobs
packets (or else connection will terminate)
If password (or other authentication) required,
this attack fails
If TCP connection is relied on for
authentication, then attack succeeds
Bad idea to rely on TCP for authentication

59
Zero Knowledge Proofs
60
Zero Knowledge Proof (ZKP)

Alice wants to prove that she knows a secret
without revealing any info about it
Bob must verify that Alice knows secret
Even though he gains no info about the secret
Process is probabilistic
Bob can verify that Alice knows the secret to an
arbitrarily high probability
An interactive proof system

61
Bobs Cave

Alice claims to know secret phrase to open path
between R and S (open sarsparilla)
Can she convince Bob that she knows the secret
without revealing phrase?

P
Q
R
S
62
Bobs Cave

Bob Alice come out on S side

Alice (quietly) Open sarsparilla

If Alice does not know secret

R
S

then Alice could come out from the correct side
with probability 1/2

If Bob repeats this n times, then Alice (who does
not know secret) can only fool Bob with
probability 1/2n

63
Fiat-Shamir Protocol

Cave-based protocols are inconvenient
Can we achieve same effect without a cave?
It is known that finding square roots modulo N is
difficult (like factoring)
Suppose N pq, where p and q prime
Alice has a secret S
N and v S2 mod N are public, S is secret
Alice must convince Bob that she knows S without
revealing any information about S

64
Fiat-Shamir
x r2 mod N
e ? 0,1
y r?Se mod N
Alice secret S random r
Bob

Public Modulus N and v S2 mod N
Alice selects random r
Bob chooses e ? 0,1
Bob verifies that y2 r2?S2e r2?(S2)e x?ve
mod N

65
Fiat-Shamir e 1
x r2 mod N
e 1
y r?S mod N
Alice secret S random r
Bob

Public Modulus N and v S2 mod N
Alice selects random r
Suppose Bob chooses e 1
Bob must verify that y2 x?v mod N
Alice must know S in this case

66
Fiat-Shamir e 0
x r2 mod N
e 0
y r mod N
Alice secret S random r
Bob

Public Modulus N and v S2 mod N
Alice selects random r
Suppose Bob chooses e 0
Bob must verify that y2 x mod N
Alice does not need to know S in this case!

67
Fiat-Shamir

Public modulus N and v S2 mod N
Secret Alice knows S
Alice selects random r and commits to r by
sending x r2 mod N to Bob
Bob sends challenge e ? 0,1 to Alice
Alice responds with y r?Se mod N
Bob checks that y2 x?ve mod N
Does this prove response is from Alice?

68
Does Fiat-Shamir Work?

The math works since
Public v S2
Alice to Bob x r2 and y r?Se
Bob verifies y2 x?ve mod N
Can Trudy convince Bob she is Alice?
If Trudy expects e 0, she can send x r2 in
msg 1 and y r in msg 3 (i.e., follow protocol)
If Trudy expects Bob to send e 1, she can send
x r2?v?1 in msg 1 and y r in msg 3
If Bob chooses e ? 0,1 at random, Trudy can
only fool Bob with probability 1/2

69
Fiat-Shamir Facts