1 / 71

Chapter 9 Simple Authentication Protocols

Chapter 9 Simple Authentication Protocols. Simple Security Protocol Authentication Protocols Authentication and TCP Zero Knowledge Proofs The best Authentication Protocol?. Protocols. Human protocols  the rules followed in human interactions Example: Asking a question in class

lavi
Télécharger la présentation

Chapter 9 Simple Authentication Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 9Simple Authentication Protocols Simple Security Protocol Authentication Protocols Authentication and TCP Zero Knowledge Proofs The best Authentication Protocol? Chapter 9 Simple Authentication protocols

  2. Protocols • Human protocols the rules followed in human interactions • Example: Asking a question in class • Networking protocols  rules followed in networked communication systems • Examples: HTTP, FTP, etc. • Security protocols  the (communication) rules followed in a security application • Examples: SSL, IPSec, Kerberos, etc. Chapter 9 Simple Authentication protocols

  3. Protocols • Protocol flaws can be very subtle • Several well-known security protocols have serious flaws • Including IPSec, GSM and WEP • Common to find implementation errors • Such as IE implementation of SSL • Difficult to get protocols right… Chapter 9 Simple Authentication protocols

  4. Ideal Security Protocol • Satisfies security requirements • Requirements must be precise • Efficient • Minimize computational requirement  in particular, costly public key operations • Minimize delays/bandwidth • Not fragile • Must work when attacker tries to break it • Works even if environment changes • Easy to use and implement, flexible, etc. • Very difficult to satisfy all of these! Chapter 9 Simple Authentication protocols

  5. Simple Security Protocols Chapter 9 Simple Authentication protocols

  6. Secure Entry to NSA • Insert badge into reader • Enter PIN • Correct PIN? Yes?Enter No? Get shot by security guard Chapter 9 Simple Authentication protocols

  7. ATM Machine Protocol • Insert ATM card • Enter PIN • Correct PIN? Yes? Conduct your transaction(s) No? Machine eats card Chapter 9 Simple Authentication protocols

  8. Identify Friend or Foe (IFF) • Military needs many specialized protocols • Many cases, it could recognize friends as enemies, or …. Russian MIG Angola 2. E(N,K) Namibia SAAF Impala 1. N Chapter 9 Simple Authentication protocols

  9. MIG in the Middle Angola 3. N SAAF Impala 4. E(N,K) 2. N 5. E(N,K) Namibia 6. E(N,K) Russian MiG 1. N Chapter 9 Simple Authentication protocols

  10. Authentication Protocols Chapter 9 Simple Authentication protocols

  11. Authentication • Alice must prove her identity to Bob • Alice and Bob can be humans or computers • May also require Bob to prove he’s Bob (mutual authentication) • May also need to establish a session key • May have other requirements, such as • Use only public keys • Use only symmetric keys • Use only a hash function • Anonymity, plausible deniability, etc., etc. Chapter 9 Simple Authentication protocols

  12. Authentication • Authentication on a stand-alone computer is relatively simple • “Secure path” is the primary issue • Main concern is an attack on authentication software (we discuss software attacks later) • Authentication over a network is much more complex • Attacker can passively observe messages • Attacker can replay messages • Active attacks may be possible (insert, delete, change messages) Chapter 9 Simple Authentication protocols

  13. Simple Authentication • Simple and may be OK for standalone system • But insecure for networked system • Subject to a replay attack (next 2 slides) • Bob must know Alice’s password “I’m Alice” Prove it My password is “frank” Bob Alice Chapter 9 Simple Authentication protocols

  14. Authentication Attack “I’m Alice” Prove it My password is “frank” Bob Alice Trudy Chapter 9 Simple Authentication protocols

  15. Authentication Attack • This is a replay attack • How can we prevent a replay? “I’m Alice” Prove it My password is “frank” Trudy Bob Chapter 9 Simple Authentication protocols

  16. Simple Authentication • More efficient… • But same problem as previous version • Replay attack I’m Alice, My password is “frank” Bob Alice Chapter 9 Simple Authentication protocols

  17. Better Authentication • Better since it hides Alice’s password • From both Bob and attackers • But still subject to replay “I’m Alice” Prove it h(Alice’s password) Bob Alice Chapter 9 Simple Authentication protocols

  18. Challenge-Response • To prevent replay, challenge-response used • Suppose Bob wants to authenticate Alice • Challenge sent from Bob to Alice • Only Alice can provide the correct response • Challenge chosen so that replay is not possible • How to accomplish this? • Password is something only Alice should know… • For freshness, a “number used once” or nonce Chapter 9 Simple Authentication protocols

  19. Challenge-Response “I’m Alice” Nonce h(Alice’s password, Nonce) Bob Alice • Nonce is the challenge • The hash is the response • Nonce prevents replay, insures freshness • Password is something Alice knows • Note that Bob must know Alice’s password Chapter 9 Simple Authentication protocols

  20. Challenge-Response • What can we use to achieve this? • Hashed pwd works, crypto might be better • Will be discussed for Symmetric key, Public key, and so on “I’m Alice” Nonce Something that could only be Bob from Alice (and Bob can verify) Alice Chapter 9 Simple Authentication protocols

  21. Symmetric Key Notation • Encrypt plaintext P with key K C = E(P,K) • Decrypt ciphertext C with key K P = D(C,K) • Here, we are concerned with attacks on protocols, not directly on the crypto • We assume that crypto algorithm is secure Chapter 9 Simple Authentication protocols

  22. Symmetric Key Authentication • Alice and Bob share symmetric key KAB • Key KAB known only to Alice and Bob • Authenticate by proving knowledge of shared symmetric key • How to accomplish this? • Must not reveal key • Must not allow replay attack Chapter 9 Simple Authentication protocols

  23. Authentication with Sym Key “I’m Alice” R E(R,KAB) Bob, KAB Alice, KAB • Secure method for Bob to authenticate Alice • Alice does not authenticate Bob • Can we achieve mutual authentication? Chapter 9 Simple Authentication protocols

  24. Mutual Authentication? • What’s wrong with this picture? • “Alice” could be Trudy (or anybody else)! “I’m Alice”, R E(R,KAB) E(R,KAB) Alice Bob Chapter 9 Simple Authentication protocols

  25. Mutual Authentication • Since we have a secure one-way authentication protocol… • The obvious thing to do is to use the protocol twice • Once for Bob to authenticate Alice • Once for Alice to authenticate Bob • This has to work… Chapter 9 Simple Authentication protocols

  26. Mutual Authentication • This provides mutual authentication • Is it secure? See the next slide… “I’m Alice”, RA RB, E(RA,KAB) E(RB,KAB) Bob Alice Chapter 9 Simple Authentication protocols

  27. Mutual Authentication Attack 1. “I’m Alice”, RA 2. RB, E(RA,KAB) 5. E(RB,KAB) Bob Trudy 3. “I’m Alice”, RB 4. RC, E(RB,KAB) Bob Trudy Chapter 9 Simple Authentication protocols

  28. Mutual Authentication • Our one-way authentication protocol not secure for mutual authentication • Protocols are subtle! • The “obvious” thing may not be secure • Also, if assumptions or environment changes, protocol may not work • This is a common source of security failure • For example, Internet protocols Chapter 9 Simple Authentication protocols

  29. Sym Key Mutual Authentication • Do these “insignificant” changes help? • Yes! “I’m Alice”, RA RB, E(“Bob”,RA,KAB) E(“Alice”,RB,KAB) Bob Alice Chapter 9 Simple Authentication protocols

  30. Public Key Notation • Encrypt M with Alice’s public key: {M}Alice • Sign M with Alice’s private key: [M]Alice • Then • [{M}Alice ]Alice = M • {[M]Alice }Alice = M • Anybody can do public key operations • Only Alice can use her private key (sign) Chapter 9 Simple Authentication protocols

  31. Public Key Authentication • Is this secure? • Trudy can get Alice to decrypt anything! • Should not use the key for encryption • Must have two key pairs “I’m Alice” {R}Alice R Bob Alice Chapter 9 Simple Authentication protocols

  32. Public Key Authentication • Is this secure? • Trudy can get Alice to sign anything! • Should not use the key for sign • Must have two key pairs “I’m Alice” R [R]Alice Bob Alice Chapter 9 Simple Authentication protocols

  33. Public Keys • Never use the same key pair for encryption and signing • One key pair for encryption/decryption • A different key pair for signing/verifying signatures Chapter 9 Simple Authentication protocols

  34. Session Key • Session key: temporary key, used for a short time period • Usually, a session key is required in addition to authentication • Limit symmetric key for a particular session • Limit damage if one session key compromised • Can we authenticate and establish a shared symmetric key? • Key can be used for confidentiality • Key can be used for integrity Chapter 9 Simple Authentication protocols

  35. Session Key • In some cases, we may also require perfect forward secrecy (PFS) • Discussed later… Chapter 9 Simple Authentication protocols

  36. Pub Key Authen and Sess Key • Using Encryptions of Alice and Bob • Is this secure? • OK for key, but no mutual authentication • Note that K is acting as Bob’s nonce • Alice can not authenticate Bob “I’m Alice”, R {R,K}Alice {R +1,K}Bob Alice Bob Chapter 9 Simple Authentication protocols

  37. Pub Key Authen and Sess Key • Using Signs of Alice and Bob • Is this secure? • Mutual authentication but key is not secret! “I’m Alice”, R [R,K]Bob [R +1,K]Alice Bob Alice Chapter 9 Simple Authentication protocols

  38. Pub Key Authen and Sess Key • First Sign and encrypt • Is this secure? • Seems to be OK • Mutual authentication and session key! “I’m Alice”, R {[R,K]Bob}Alice {[R +1,K]Alice}Bob Bob Alice Chapter 9 Simple Authentication protocols

  39. Pub Key Authen and Sess Key • First encrypt and Sign • Is this secure? • Seems to be OK • Though anyone can see {R,K}Alice and {R +1,K}Bob “I’m Alice”, R [{R,K}Alice]Bob [{R +1,K}Bob]Alice Bob Alice Chapter 9 Simple Authentication protocols

  40. Perfect Forward Secrecy • The concern… • Alice encrypts message with shared key KAB and sends ciphertext to Bob • Trudy records ciphertext and later attacks Alice’s (or Bob’s) computer to find KAB • Then Trudy decrypts recorded messages • Perfect forward secrecy (PFS): • Trudy cannot later decrypt recorded ciphertext • Even if Trudy gets key KAB or other secret(s) • Is PFS possible? Chapter 9 Simple Authentication protocols

  41. Perfect Forward Secrecy • For perfect forward secrecy, Alice and Bob cannot use KAB to encrypt • Instead they must use a session key KS and forget it after it’s used • Problem: How can Alice and Bob agree on session key KS and insure PFS? Chapter 9 Simple Authentication protocols

  42. Naïve Session Key Protocol • Trudy could also record E(KS,KAB) • If Trudy gets KAB, she gets KS E(KS, KAB) E(messages, KS) Bob, KAB Alice, KAB Chapter 9 Simple Authentication protocols

  43. Perfect Forward Secrecy • Can use Diffie-Hellman for PFS • Recall Diffie-Hellman: public g and p ga mod p gb mod p Alice, a Bob, b • But Diffie-Hellman is subject to MiM • How to get PFS and prevent MiM? Chapter 9 Simple Authentication protocols

  44. Perfect Forward Secrecy • Session key KS = gab mod p • Alice forgets a, Bob forgets b • Ephemeral(일회성) Diffie-Hellman • Not even Alice and Bob can later recover KS • Other ways to do PFS? E(ga mod p, KAB) E(gb mod p, KAB) Alice, a Bob, b Chapter 9 Simple Authentication protocols

  45. Mutual Authen, Sess Key & PFS “I’m Alice”, RA RB, [{RA, gb mod p}Alice]Bob [{RB, ga mod p}Bob]Alice Alice Bob • Session key is K = gab mod p • Alice forgets a and Bob forgets b • If Trudy later gets Bob’s and Alice’s secrets, she cannot recover session key K Chapter 9 Simple Authentication protocols

  46. Timestamps • A timestamp Tis the current time • Timestamps used in many security protocols (Kerberos, for example) • Timestamps reduce number of messages • Like a nonce that both sides know in advance • But, use of timestamps implies that time is a security-critical parameter • Clocks never exactly the same, so must allow for clock skew(시간 오차)  risk of replay • How much clock skew is enough? Chapter 9 Simple Authentication protocols

  47. Pub Key Authen with Timestamp T “I’m Alice”, {[T,K]Alice}Bob {[T +1,K]Bob}Alice Bob Alice • Is this secure? • Seems to be OK Chapter 9 Simple Authentication protocols

  48. Pub Key Authen with Timestamp T “I’m Alice”, [{T,K}Bob]Alice [{T +1,K}Alice]Bob Alice Bob • Is this secure? • Trudy can use Alice’s public key to find • {T,K}Bob and then… Chapter 9 Simple Authentication protocols

  49. Pub Key Authen with Timestamp T “I’m Trudy”, [{T,K}Bob]Trudy [{T +1,K}Trudy]Bob Bob Trudy • Trudy obtains Alice-Bob session key K • Note:Trudy must act within clock skew Chapter 9 Simple Authentication protocols

  50. Pub Key Authen with Timestamp T “I’m Alice”, [{T,K}Bob]Alice [{T +1}Alice]Bob Bob Alice • Is this “encrypt and sign” secure? • Yes, seems to be • Does “sign and encrypt” also work here? Chapter 9 Simple Authentication protocols

More Related