1 / 52

David Evans cs.virginia/~evans

Lecture 13: Authentication and Cash.

covarrubias
Télécharger la présentation

David Evans cs.virginia/~evans

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 13: Authentication and Cash Cash is a problem. It’s annoying to carry, it spreads germs, and people can steal it from you. Checks and credit cards have reduced the amount of physical cash flowing through society, but the complete elimination of cash is virtually impossible. It’ll never happen; drug dealers and politicians would never stand for it. Checks and credit cards have an audit trail; you can’t hide to whom you gave money. Bruce Schneier, Applied Cryptography David Evans http://www.cs.virginia.edu/~evans CS588: Security and Privacy University of Virginia Computer Science

  2. Menu • Authentication • Digital Cash University of Virginia CS 588

  3. Eve Last Time Terminal Login: evans Password: ****** login sends <“evans”, “memodn”> shankly.cs.virginia.edu Trusted subsystem computes DES+25memodn (0, salt) and compares to stored value. University of Virginia CS 588

  4. Simplified SSH Protocol Terminal Login: evans Password: ****** shankly.cs.virginia.edu login sends EKUshankly<“evans”, “memodn”> Eve Can’t decrypt without KRshankly University of Virginia CS 588

  5. requests connection 1 KUS, KUt 2 Compares to stored KUS EKUS[EKUt [r]] || { IDEA | 3DES } 3 All traffic encrypted using r and selected algorithm. Can do regular login (or something more complicated). Actual SSH Protocol Server Client KUS - server’s public host key KUt – server’s public key, changes every hour r – 256-bit random number generated by client time University of Virginia CS 588

  6. Comparing to stored KUS • It better be stored securely • PuTTY stores it in windows registry (HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys) University of Virginia CS 588

  7. Default choice! Why Johnny Can’t Even Login SecureCRT University of Virginia CS 588

  8. ssh.com’s SSH University of Virginia CS 588

  9. ssh Error University of Virginia CS 588

  10. Jennifer Kahng’s TCC Thesis Project • People are stupid • Getting people to pay attention is difficult unless you really want to make them angry. (Security vs. convenience.) • Only two people (of > 700) emailed webmaster about potential security vulnerability.  31% clicked Continue 2%typed in “yes” University of Virginia CS 588

  11. Why Johnny (von Neumann) Can’t Even Login • A smart attacker just replaces the stored key in registry • An ActiveX control can do this trivially • No warning from SSH when you now connect to the host controlled by the attacker (have to spoof DNS or intercept connection, but this is easy) • No easy solution…see Question 4 from last year’s midterm University of Virginia CS 588

  12. Recap – Authentication Problems • Need to store the passwords somewhere – dangerous to rely on this being secure • Need to transmit password from user to host • Remaining problems: • User’s pick bad passwords • Even if everything is secure, can still watch victim type! • Only have to mess up once University of Virginia CS 588

  13. Solution – Don’t Reuse Passwords • One-time passwords • New users have to memorize a list of secure passwords and use one in turn for each login • Host generates the list using cryptographic random numbers and stores it securely • Users spend hours memorizing passwords...and better not forget one! University of Virginia CS 588

  14. Challenge Challenge-Response Terminal Login: evans EKUshankly[“evans”] Challenge: What’s the 15th word of the Jefferson Wheel Cipher Challenge? Response: of “of” University of Virginia CS 588

  15. Challenge-Response Terminal Login: evans EKUmamba[“evans”] Challenge x Challenge: 2357938523 Response: f(x) f(x) University of Virginia CS 588

  16. Challenge-Response Systems • Ask a question, see if the answer is right • Hard to make up questions only host and user can answer • Question: x? Answer: f(x). • What’s a good choice for f? • E (x, key known to both) • Still have to problem of storing the key • SecureID systems work like this • Don’t need to send challenge, its the time University of Virginia CS 588

  17. One-Time Use Passwords • Can we create a sequence of passwords the host can check without storing anything useful to an attacker on the host? Recall: Unix repeated use passwords Host stores: H(p) User provides: x Password is valid if H(x) = H(p) University of Virginia CS 588

  18. S-Key • Alice picks random number R • S-Key program generates H(R), H(H(R)), ... , H99(R). • Alice prints out these numbers and stores somewhere secure • Host stores H100(R). University of Virginia CS 588

  19. S/Key Login • Alice enters H99(R). • Host calculates H (H99(R)). • Compares to stored H100(R). • If they match, allows login • And replaces old value with H99(R). • Alice crosses off H99(R), enters H98(R) next time. • S/Key uses MD4 for H University of Virginia CS 588

  20. S/Key > keyinit Adding evans: Reminder - Only use this method if you are directly connected. If you are using telnet or rlogin exit with no password and use keyinit -s. Enter secret password: test Again secret password: test ID evans s/key is 99 sh69506 H100(test) = sh69506 What do I need to enter to log in? University of Virginia CS 588

  21. S/Key > key -n 100 99 sh69506 Reminder - Do not use this program while logged in via telnet or rlogin. Enter secret password: test 0: KEEL FLED SUDS BOHR DUD SUP 1: TOW JOBS HOFF GIVE CHUB LAUD … 98: JEAN THEN WEAK ELAN SLOB GAS 99: MUG KNOB ACT ALOE REST TOO University of Virginia CS 588

  22. Digital Cash University of Virginia CS 588

  23. Properties of Physical Cash • Universally recognized as valuable • Easy to transfer • Anonymous • Big and Heavy • Average bank robbery takes $4552 • 500 US bills / pound • Bill Gates net worth would be 400 tons in $100 bills • Moderately difficult to counterfeit in small quantities • Extremely difficult to get away with counterfeiting large quantities (unless you are Iran or Syria) University of Virginia CS 588

  24. Real Cash • Why does it have value? • Nice pictures of dead presidents (< 1¢) • Because it is hard to print (< 5¢) • Because other people think it does • We trust our government not to print too much • People who forge it get sent to jail University of Virginia CS 588

  25. Counterfeiting • Secret Service siezed $209M in 1994 (of $380B circulated) • Nearly 2/3 of US cash is in foreign countries • Why did US bills change? • Iran and Syria probably print counterfeit US bills • They have a De la rue Giori (Switzerland) printing press, same as used for old US bills • 1992 report, led to currency redesign • Most foreign countries are smarter • Use of color • Obvious, well-known security features • Bigger bills for bigger denominations University of Virginia CS 588

  26. IOU Protocol (Lecture 11) M = “I, Alice, owe Bob $1000.” M EKRA[H(M)] Bob Alice knows KUA {KUA, KRA} M EKRA[H(M)] Bob can verify H(M) by decrypting, but cannot forge M, EKRA[H(M)] pair without knowing KRA. Judge knows KUA University of Virginia CS 588

  27. IOU Protocol • Universally recognized as valuable • Easy to transfer • Anonymous • Heavy • Moderately difficult to counterfeit in small quantities • Extremely difficult to get away with counterfeiting large quantities University of Virginia CS 588

  28. What is cash really? • IOU from a bank • Instead of generating, “I, Alice, owe Bob $1000”, let’s generate, “I, the Trustworthy Trust Bank, owe the bearer of this note $1000.” • Alice asks the bank for an IOU, and the bank deducts $1000 from her account. University of Virginia CS 588

  29. Bank IOU Protocol • Universally recognized as valuable • Easy to transfer • Anonymous • Heavy • Moderately difficult to counterfeit in small quantities • Extremely difficult to get away with counterfeiting large quantities University of Virginia CS 588

  30. Counterfeiting Bank IOUs • Assuming the hash and signature are secure • Alice gives Bob bank IOU for $1000 • Bob sends bank 100 copies of bank IOU • The bank has lost $99 000. • Bits are easy to copy! Hard to make something rare... University of Virginia CS 588

  31. Bank Identifiers • Bank adds a unique tag to each IOU it generates • When someone cashes an IOU, bank checks that that IOU has not already been cashed • Can’t tell if it was Alice or Bob who cheated • Alice loses her anonymity – the bank can tell where she spends her money University of Virginia CS 588

  32. Digital Cash, Protocol #1 • Alice prepares 100 money orders for $1000 each. • Puts each one in a different sealed envelope, with a piece of carbon paper. • Gives envelopes to bank. • Bank opens 99 envelopes and checks they contain money order for $1000. • Bank signs the remaining envelope without opening it (signature goes through carbon paper). University of Virginia CS 588

  33. Digital Cash, Protocol #1 cont. • Bank returns envelope to Alice and deducts $1000 from her account. • Alice opens envelope, and spends the money order. • Merchant checks the Bank’s signature. • Merchant deposits money order. • Bank verifies its signature and credits Merchant’s account. University of Virginia CS 588

  34. Digital Cash, Protocol #1 • Is it anonymous? • Can Alice cheat? • Make one of the money orders for $100000, 1% chance of picking right bill, 99% chance bank detects attempted fraud. • Better make the penalty for this high (e.g., jail) • Copy the signed money order and re-spend it. • Can Merchant cheat? • Copy the signed money order and re-deposit it. University of Virginia CS 588

  35. Digital Cash, Protocol #2 • Idea: prevent double-spending by giving each money order a unique ID. • Problem: how do we provide unique IDs without losing anonymity? • Solution: let Alice generate the unique IDs, and keep them secret from bank. University of Virginia CS 588

  36. Digital Cash, Protocol #2 • Alice prepares 100 money orders for $1000 each, adds a long, unique random ID to each note. • Puts each one in a different sealed envelope, with a piece of carbon paper. • Gives envelopes to bank. • Bank opens 99 envelopes and checks they contain money order for $1000. • Bank signs the remaining envelope without opening it. University of Virginia CS 588

  37. Digital Cash, Protocol #2 cont. • Bank returns envelope to Alice and deducts $1000 from her account. • Alice opens envelope, and spends the money order. • Merchant checks the Bank’s signature. • Merchant deposits money order. • Bank verifies its signature, checks that the unique random ID has not already been spent, credits Merchant’s account, and records the unique random ID. University of Virginia CS 588

  38. Digital Cash, Protocol #2 • Is it anonymous? • Can Alice cheat? • Can Merchant cheat? • Can bank catch cheaters? University of Virginia CS 588

  39. Mimicking Carbon Paper • How does bank sign the envelope without knowing what it contains? • Normal signatures Alice sends bank M Bank sends Alice, SM = EKRBank (M) Alice shows SM to Bob who decrypts with banks public key. University of Virginia CS 588

  40. Blind Signatures • Alice picks random k between 1 and n. • Sends bank t = mke mod n. (e from Bank’s public key). • Bank signs t using private key d. Sends Alice: td = (mkemod n)d mod n = (mke)dmod n  mdkedmod n = (mke)dmod n  mdkedmod n What do we know about kedmod n? University of Virginia CS 588

  41. Blind Signatures • Alice gets td mdkmod n • Alice divides by k to get sm mdk/ k  md mod n. • Hence: bank can sign money orders without opening them! University of Virginia CS 588

  42. Digital Cash Protocol #2 • Instead of envelopes, Alice blinds each money order using a different randomly selected ki. • The bank asks for any 99 of the ki’s. The bank unblinds the messages (by dividing) and checks they are valid. • The bank signs the other money order. • Still haven’t solved the catching cheaters problem! University of Virginia CS 588

  43. Anonymity for Non-Cheaters • Spend a bill once – maintain anonymity • Spend a bill twice – lose anonymity • Have we seen anything like this? University of Virginia CS 588

  44. Digital Cash • Alice prepares n money orders each containing: Amount Uniqueness String: X Identity Strings: I1 = (h(I1L), h(I1R)) ... In = (h(InL), h(InR)) Each In pair reveals Alice’s identity (name, address, etc.). I = IiL IiR. h is a secure, one-way hash function. University of Virginia CS 588

  45. Digital Cash, cont. • Alice blinds (multiplies by random k) all n money orders and sends them to bank. • Bank asks for any n-1 of the random kis and all its corresponding identity strings. • Bank checks money orders. If okay, signs the remaining blinded money order, and deducts amount from Alice’s account. University of Virginia CS 588

  46. Digital Cash, cont. • Alice unblinds the signed note, and spends it with a Merchant. • Merchant asks Alice to randomly reveal either IiL or IiR for each i. (Merchant chooses n-bit selector string.) • Alice sends Merchant corresponding IiL’s or IiR’s. • Merchant uses h to confirm Alice didn’t cheat. University of Virginia CS 588

  47. Digital Cash, cont. • Merchant takes money order and identity string halves to bank. • Bank verifies its signature, and checks uniqueness string. If it has not been previously deposited, bank credits Merchant and records uniqueness string and identity string halves. University of Virginia CS 588

  48. Digital Cash, cont. • If it has been previously deposited, bank looks up previous identity string halves. Finds one where both L and R halves are known, and calculates I. Arrests Alice. • If there are no i’s, where different halves are known, arrest Merchant. University of Virginia CS 588

  49. Digital Cash Protocol • Universally recognized as valuable • Easy to transfer • Anonymous • Heavy • Moderately difficult to counterfeit in small quantities • Extremely difficult to get away with counterfeiting large quantities (unless you are Iran or Syria) University of Virginia CS 588

  50. Digital Cash Summary • Preserves anonymity of non-cheating spenders (assuming large bank and standard denominations) • Doesn’t preserve anonymity of Merchants • Requires a trusted off-line bank • Expensive – lots of computation for one transaction • Other schemes (Millicent, CyberCoin, NetBill, etc.) proposed for smaller transactions University of Virginia CS 588

More Related