1 / 32

Authentication Protocol

Authentication Protocol. Yuan Xue. Authentication Basics. Terms Authentication vs. integrity Message authentication = data integrity Source authentication non-repudiation Authentication is the process of reliably verifying the identity of someone (or something)

sarah-jacobs
Télécharger la présentation

Authentication Protocol

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Authentication Protocol Yuan Xue

  2. Authentication Basics • Terms • Authentication vs. integrity • Message authentication = data integrity • Source authentication • non-repudiation • Authentication is the process of reliably verifying the identity of someone (or something) • A computer authenticates another computer • A computer is authenticates a person • User’s secret must be remembered by the user • Secure communication • Initial authentication handsake  Integrity protection and/or encryption of the data key

  3. Authentication Approaches • Password-based • Address-based • Cryptographic • Other approaches Basic Guideline • What you know • What you have • Who you are

  4. Password-Based Authentication • Authentication based on what you know • Pro • Easy to use • Con • Insecure: Eavesdropping • Solution combine with cryptography-based • Storing user passwords • Password can not be stored in cleartext • Store hashes of the password • Store encrypted version • Password guessing • Online vs. offline I’m Alice, my passwd is 123456 Bob Alice

  5. Address-based Authentication • Authentication based on where you are • Infer the identity of the source based on the network address • Example • IEEE Xexplore/ACM DL • Unix rtools • Pro • Easy to use • Transparent to end user

  6. Address-based Authentication • UNIX Berkeley rtools • Computer B has a list of network addresses of “equivalent machines” • If A is listed, then any account on A is equivalent to the same account name on B • Computer B has a list of <address, remote account, local account> • E.g. <A, Alice, Bob>, then request from A with name Alice will be authorized with account Bob

  7. Address-based Authentication • In UNIX, hosts.equiv and .rhosts files list hosts and users that are trusted by the local host when a connection is made using the rshd service • A global file /etc/hosts.equiv contains trusted remote hosts. • In each user’s home directory, a per-user .rhosts file contains host-user pairs.

  8. Address-based Authentication • File format • hostname [username] • + anyhost/user • Example hosts.equiv entries ( Local computer A ) • + +  • Allows any user from any host to connect to A • B +  • Allows any user from the remote hosts B to connect to A. • + Alice  • Allows the user Alice to connect to A from any remote host. • Example .rhosts entries • In these examples, the .rhosts file is in the home directory of the user Alice on computer A. • + +  • Allows any user from any host to connect to this host (A) as the user Alice. • B Bob  • Allows the user Bob from the remote host B to connect to A as the user Alice. • Example of how the hosts.equiv and the .rhosts file combine • Rule: the most restrictive combination of the entries applies • hosts.equiv file with <+ Alice> • .rhosts in the home directory of the user Alice with the following entry: B + • In this case, these entries combine to mean that only the user Alice from the remote host B can connect to A as Alice.

  9. Address-based Authentication • Entry <+ +>  severe security hazards • It allows any user on any machine to connect to the local host as the same user name. • If it is specified in the /etc/hosts.equiv file, it allows any user on any machine to connect to the local host as any user. • If A trusts B and B is hacked, then the attacker could gain access to A. • Network address impersonation (address spoofing) • Ingress filtering

  10. Cryptographic Authentication • For connection-oriented communication, overall process involves authentication + secure communication (connection) • Based on prior knowledge/ownership of master key • Dependably verify the knowledge/ownership of key • Distribution of session keys • integrity protection and/or encryption of the data using session keys authentication

  11. Cryptographic Authentication • For connection-less communication, overall process involves authentication + data transmission • Based on prior knowledge/ownership of key • Generation of data encryption keys • integrity protection and/or encryption of the data using data encryption keys • One time authentication • E.g., prove driver’s identify to a secured gate.

  12. Cryptographic Authentication • Basic idea • Alice proves her identity to Bob by performing a cryptographic operation on a quantity (challenge) Bob supplies. • The cryptographic operation performed by Alice is based on Alice’s key. • Cryptographic operations include • Symmetric key encryption, asymmetric key encryption, hash operations.

  13. Cryptographic Authentication • Approaches • Symmetric-key based • Distributed (communication peers share a master key) • KDC-based (communication peers share master keys with KDC) • Asymmetric-key based • Two types of authentication • One-way authentication (login only) • Mutual authentication

  14. Authentication using Symmetric-Key(Distributed One-Way Authentication) • Priori: Alice and Bob share a master key • Result: Alice proves her identity to Bob • E(KAB, R) • H(KAB||R) I’m Alice R Alice Bob F(KAB, R) • Weakness: • 1.Offline-password guessing attack • 2. If the database at Bob is hacked, attacker could impersonate Alice

  15. Authentication using Symmetric-Key(Distributed One-Way Authentication) • Priori: Alice and Bob share a master key • Result: Alice proves her identity to Bob; Bob can also prove his identify, if R is a timestamp. • Limit: • Requires reversible cryptography • Vulnerability to dictionary attack I’m Alice E(KAB, R) Alice Bob R

  16. Authentication using Symmetric-Key(Distributed Mutual Authentication) • E(KAB, R) • H(KAB||R) • Limitation • Too many messages • Could we reduce them? I’m Alice R1 Alice Bob F(KAB, R1) R2 F(KAB, R2)

  17. I’m Alice, R2 I’m Alice R1, F(KAB, R2) Alice Bob R1 Alice Bob F(KAB, R1) F(KAB, R1) R2 F(KAB, R2) Authentication using Symmetric-Key(Distributed Mutual Authentication) Simplify Any Problem?

  18. Reflection Attack I’m Alice, R2 Reflection attack • A way of attacking a challenge-response authentication system which uses the same protocol in both directions. • The basic idea is to trick the target into providing the answer to its own challenge. R1, F(KAB, R2) Alice Bob F(KAB, R1) Flawed protocol design I’m Alice, R2 R1, F(KAB, R2) Cathy Bob I’m Alice, R1 Cathy Bob R3, F(KAB, R1) F(KAB, R1) This is what’s going to happen

  19. Reflection Attack -- Solutions Principle: • Don’t have Alice and Bob do exactly the same thing • Different key/protocol along the two directions • The responder sends its identifier within the response, so if it receives a response that has its identifier in it, it can reject it. • Have the initiator prove its identity first • Initiating party to first respond to challenges before the target party responds to its challenges. I’m Alice, F(KAB, R2) F(KAB, f(R2)||R1) Alice Bob F(KAB, F(R1))

  20. Authentication using Symmetric-Key(KDC-based Authentication) • Basic idea • KDC and A can establish a trust relationship using KA • KDC and B can establish a trust relationship using KB • KDC needs to provide A and B a shared secret based on their master keys so that they could use to authenticate each other • Once A and B has a a shared secret (KS), the procedure used in distributed symmetric-key-based authentication can be used to perform mutual authentication. • Step 1 • KDC provides A and B a shared secret KS • Step 2 • A and B perform mutual authentication using KS

  21. Both are vulnerable to replay attack Step 1 KDC E[KB, Ks||IDA] • Similar to Secret Key Distribution • Important Issue • Replay attack • Solution • Use of nonce • Use of timestamp IDA||IDB||N1 E[KA, Ks||IDB||N1||ticket] B A E[KB, Ks||IDA] Needham-Schroeder KDC E[KB, Ks||IDA||T2] IDA||IDB||T1 E[KA, Ks||IDB||T1||ticket] B A E[KB, Ks||IDA ||T2] Kerberos

  22. Step 2 KDC E[KB, Ks||IDA||T2] • Combine two one-way distributed authentication procedure IDA||IDB||T1 E[KA, Ks||IDB||T1||ticket] E[KB, Ks||IDA ||T2], E[Ks, N2] A B E[Ks, f(N2), N3] E[Ks, f(N3)]

  23. Authentication using Asymmetric-Key(One-way Authentication) • Priori: Bob has Alice’s public key • Result: Alice proves her identity to Bob I’m Alice Alice Bob R • E(KRA, R) • DS(KRA,R) F(KRA, R) I’m Alice E(KUA, R) Alice Bob R

  24. Authentication using Asymmetric-Key(One-way Authentication) • Serious Security Issue • Cathy wants to impersonate Alice, she wants to have a Alice’s signature of quantity R • She can wait for Alice to authenticate herself to Bob I’m Alice Alice Bob R Cathy F(KRA, R) • Solution: • Should not use the same key for different purposes • R has some structure • Refer to PKCS standard

  25. Authentication using Asymmetric-Key(Mutual Authentication) I’m Alice E(KUB, R2) Alice Bob E(KUA, R1), R2 R1

  26. Kerberos • An Authentication Service • Based on client-server model (user and server provider) • Mutual authentication support: between user and server • Key assumption • The server can not rely on the client host to authenticate user • Basics • Based on KDC-based symmetric key • Based on Needham-Schroeder protocol • Use “ticket” to distribute the key • Use “authenticator" to prove the identity of a user • Main entities • Authentication Server (AS) • Ticket Granting Server (TGS)

  27. Authentication vs. Key Distribution • Cryptographic Authentication • Based on prior knowledge/ownership of key • Dependably verify the knowledge of key • Distribution of session keys (for connection-oriented communication) • Key Distribution • Prior knowledge/ownership of master keys • Distribution of session keys after verification of master keys • Symmetric key • A, B share a master key with KDC • A and B share a master key • Asymmetric key • A and B both have a pair of public and private keys • The public keys of A and B are reliably distributed to each other

  28. Authentication Summary • Security in communication • An initial authentication handsake • Distribution of session keys • Then integrity protection and/or encryption of the data • Types • One-way • Mutual • Approaches • Symmetric key (KDC, distributed), Asymmetric key • Authentication Service • Kerberos (composed Needham-Schroeder protocol) • Attacks to Authentication • Replay Attack • Reflection Attack

  29. Misc • How to retrieve the key • Computer • Person: password  key • Doing a hash of the password • Using the password to encrypt/decrypt a key which is stored in a computer/dir service • Timestamp vs. Nonce • Timestamp • needs synchronized system • Use fewer messages • Nonce • Challenge-response  more messages • Challenge (N) can be encrypted, response encrypts a function of N (f(N)) mutual authentication

  30. Authentication Checklist • Eavesdrop • Replay • Impersonate Alice/Bob • Address Spoof • Read Alice/Bob’s database • Modify the messages between Alice/Bob

More Related