1 / 30

CSE331: Introduction to Networks and Security

This lecture covers primary attacks and controls in network security, including impersonation, replay, interleaving, reflection, forced delay, and chosen plaintext attacks. It also discusses the risks of using keys for multiple purposes, key establishment protocols, and the Kerberos authentication system.

ggall
Télécharger la présentation

CSE331: Introduction to Networks and Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSE331:Introduction to Networksand Security Lectures 26 & 27 Fall 2002

  2. Announcements • Project 3 is due on Nov. 18th CSE331 Fall 2002

  3. Primary Attacks • Impersonation. • Replay. • Interleaving. • Reflection. • Forced delay. • Chosen plaintext. CSE331 Fall 2002

  4. Primary Controls • Replay: use of challenge-response techniques and embedding target identity in response. • Interleaving: link messages in a run with chained nonces. • Reflection: embed identifier of target party in challenge response, use asymmetric message formats, use uni-directional keys. CSE331 Fall 2002

  5. Primary Controls, continued • Chosen text: embed self-chosen random numbers (“confounders”) in responses, use “zero knowledge” techniques. • Forced delays: use random numbers with short timeouts, use timestamps with other techniques. CSE331 Fall 2002

  6. Multiple Use of Keys • There are risks in using keys for multiple purposes. • Using an RSA key for both entity authentication and signatures may allow a chosen-text attack. • B attacker/verifier, rB=H(M) for some message M. • B -> A: rB • A -> B: B, EA(rB) • B(A) -> C: M, EA(H(M)) B, pretending to be A CSE331 Fall 2002

  7. Effective Control • Notice how the protocol described earlier foils this. Here’s the protocol: • B -> A: rB • A -> B: rA, B, SA(rA, rB, B) • Here’s what happens: • B -> A: rB • A -> B: rA, B, EA(rA, rB, B) • B(A) -> C: M, EA(rA, H(M), B) • C finds that EA(rA, H(M), B)  EA(H(M)) and rejects the signature. CSE331 Fall 2002

  8. Usurpation Attacks • Identification protocols provide assurances corroborating the identity of an entity only at a given instant in time. • Techniques to assure ongoing authenticity: • Periodic re-identification. • Tying identification to an ongoing integrity service. For example: key establishment and encryption. CSE331 Fall 2002

  9. Key Establishment • Symmetric keys. • Point-to-Point. • Needham-Schroeder. • Kerberos. • Asymmetric keys. • X.509 key establishment. • Attack example. • Station To Station (STS) protocol. • Bellovin-Merritt protocol. CSE331 Fall 2002

  10. Symmetric Keys • Key establishment using only symmetric keys requires use of pre-distribution keys to get things going. • These can be based on: • Point to point distribution, or • Key Distribution Center (KDC). CSE331 Fall 2002

  11. Point-to-Point Session Key • Timestamp. • A -> B : E(K, (k, t, B)) • Nonce. • B -> A : r • A -> B : E(K, (k, r, B)) CSE331 Fall 2002 ISO/IEC 11770-2

  12. Key Distribution Center CSE331 Fall 2002

  13. Distribution Center Setup • A wishes to communicate with B. • T is a trusted third party that provides session keys. • T has a key KAT in common with A and a key KBT in common with B. • A authenticates T using a nonce rA and obtains a session key from T. • A authenticates to B and transports the session key securely. CSE331 Fall 2002

  14. Needham-Schroeder • A -> T : A, B, rA • T -> A : E( KAT, (k, rA, B, E( KBT, (k, A)) )) A decrypts with KAT and checks rA and B. Holds k for future correspondence with B. • A -> B : E( KBT, (k, A)) B decrypts with KBT. • B -> A : E(k, rB) A decrypts with k. • A -> B : E(k, rB – 1) B checks rB-1. CSE331 Fall 2002

  15. Attack Scenario 1 • A -> T : A, B, rA • T -> C (A) : E( KAT, (k, rA, B, E( KBT, (k, A)) )) C is unable to decrypt the message to A; passing it along unchanged does no harm. Any change will be detected by A. CSE331 Fall 2002

  16. Attack Scenario 2 • A -> C (T) : A, B, rA • C (A) -> T : A, C, rA • T -> A : E( KAT, (k, rA, C, E( KCT, (k, A)) )) Rejected by A because C rather than B. CSE331 Fall 2002

  17. Attack Scenario 3 • A -> C (T) : A, B, rA • C -> T : C, B, rA • T -> C : E( KCT, (k, rA, B, E( KBT, (k, C)) )) • C (T) -> A : E( KCT, (k, rA, B, E( KBT, (k, C)) )) A is unable to decrypt the message. CSE331 Fall 2002

  18. Attack Scenario 4 • C -> T : C, B, rA • T -> C : E( KCT, (k, rA, B, E( KBT, (k, C)) )) • C (A) -> B : E( KBT, (k, C)) B will see that the purported origin (A) does not match the identity indicated by the distribution center. CSE331 Fall 2002

  19. Kerberos Setup • A,T,B, shared keys KAT, KBT as in distribution center. • Nonce rA generated by A. • Trusted synchronous clocks for generating a time t and checking expiration of a lifetime L. CSE331 Fall 2002

  20. Kerberos Messages • A -> T : A, B, rA • T -> A : E( KBT, (k, A, L)), E( KAT, (k, rA, L, B)) • A -> B : E( KBT, (k, A, L)), E( k, (A, t)) • B -> A : E(k, t) Ticket Authenticator CSE331 Fall 2002

  21. Kerberos Actions • A -> T : A, B, rA • T -> A : E( KBT, (k, A, L)), E( KAT, (k, rA, L, B)) Decrypt using KAT, check rA, B, and hold L for future reference. • A -> B : E( KBT, (k, A, L)), E( k, (A, t)) Decrypt the ticket using KBT to get the session key and lifetime. Use the session key to decrypt the authenticator. Check A, t, L. • B -> A : E(k, t) Check t. CSE331 Fall 2002

  22. Asymmetric Key Exchange • X.509 key establishment. • Impersonation case study. • STS. • Bellovin-Merritt protocol. CSE331 Fall 2002

  23. X.509 Key Establishment Setup • X.509 is part of the X.500 series of ISO/IEC standards. • certA and certB are certificates for the public keys of A and B. • A has encryption function EA and signature function SA. B has signature function SB. • rA and rB are nonces. • LA and LB are lifetimes (validity periods). CSE331 Fall 2002

  24. X.509 Key Est. Messages • Let DA = EB(k), rA, LA, A. • Let DB = rB, LB, rA, A • Two messages: • A -> B : certA, DA, SA(DA) Check that the nonce rA has not been seen, and is not expired according to LA. Remember it for its lifetime LA. • B -> A : certB, DB, SB(DB) Check the rA and A. Check that rB has not been seen and is not expired according to LB. CSE331 Fall 2002

  25. X.509 Variant • X.509 supports several variants on the previously-described protocol. • Let DA = EB(kA), rA, LA, A. • Let DB = EA(kB), rB, LB, rA, A • Two messages: • A -> B : certA, DA, SA(DA) • B -> A : certB, DB, SB(DB) Both A and B compute a session key f(kA, kB) as a function of subkeys supplied by A and B. CSE331 Fall 2002

  26. Impersonation Case Study CSE331 Fall 2002

  27. Protocol X • A -> T : A, B • T -> A : ST(EB, B) • A -> B : EB(kA, A) • B -> T : B, A • T -> B : ST(EA, A) • B -> A : EA(kA, kB) • Check kA. Calculate session key as f(kA,kB). • A -> B : EB(kB) • Check kB. Calculate session key as f(kA,kB). CSE331 Fall 2002

  28. Interleaving Attack on Protocol X • An interleaving attack on this protocol is possible. • An adversary C convinces: • A that he is talking to C using session key k = f(kA, kB). • B that his is talking to A using session key k. • C has access to the key k and can use it to decrypt the responses that B makes to A. CSE331 Fall 2002

  29. Compromise Scenario • B, C are taxpayers. A is the IRS. • A contacts C, (presumably) authenticates and sets up a session key k. C uses the interleaving attack with B. • B now thinks he is talking to the IRS. • C answers questions directed to him by the IRS. • Meanwhile C, pretending to be IRS, asks B for information about his income for the last 5 years. CSE331 Fall 2002

  30. What Went Wrong? • Entity authentication: determining who you are talking to. • Key establishment: settling on a shared session key. • Protocol X admits an interleaving attack that allows an adversary to exploit entity authentication and then step in to exploit key establishment. CSE331 Fall 2002

More Related