AuthenticationBuilding Secure Protocols

Topics

• The Authentication Problem

• Simple Device Authentication

• Attack and Countermeasures

• Cryptographic Hash Functions

• Message Authentication with Secure Hash Functions

Authentication Protocols

• The authentication problem is to remotely identify one entity, the “client” or “user” to another entity, the “server”.

• The communications channel may be limited: voice only, or radio signals only

• The client and server may have limited capabilities: compute power, battery life, etc

Simple Client and Server

• The Client is a device or token such as the one you hold in your hand and use to open your car or garage door.

• The Server is the system that receives your device’s signal and opens the door.

• The communications channel is infrared or radio signals.

Simple Protocol

• The simplest protocol is for the token to transmit its 16 bit serial number, which also acts as a password.

• Method 1: Thief can try all possible passwords. Can usually open door after 215 tries which, at 10 per second, is about an hour.

• Method 2: Devices called “grabbers” became available about 1995 which would record a signal and replay it at a later time.

Countermeasures

• Use longer passwords – 32 bits instead of 16 (this really happened and manufacturers proudly advertised increased security). Guessing impractical but grabbers still work.

• Use different codes for open and close. Grabber must be used at proper time.

• Additional vulnerability – serial number is known by others – original vendor, service people, etc.

What is Really needed

• The device needs to send something that can’t simply be recorded and played back.

• Add a counter value, random number, or timestamp to guarantee freshness.– Problem with counters – the token and the dog

– Problem with random numbers (nonce) – token and server must remember past codes – valet attack

– Problem with timestamp – clock drift

• Encrypt so that attacker cannot fabricate message

General Setting and Notation

• Many clients with devices (or tokens) needing access to a building or large parking garage.

• Notation: to show that X is encrypted with key K write: {X}K or K{X}

•  Standard protocol notation for token sending to the garage: T G: T, KT{N}

More Sophisticated Protocol

• token sends to the garage: its name, T, followed by the encrypted value of its name concatenated with a nonce, N:

T G: T, KT{T, N} • The garage verifies the open request by

deciphering the encrypted part and verifying the token name is the same as the plaintext name and that the nonce hasn’t been used before.

T G: T, KT{T, N}

• This protocol is more secure. An attacker cannot simply replay an old message. He cannot fabricate a message even if he knows the token’s name and guesses a fresh nonce unless he knows KT.

• Key management: The server needs to remember keys for many different tokens if it is a large garage. Assign a global master key to the garage KM. Key for each token is the token name or serial number encrypted with the global master key. KT = KM{T} This scheme is called key diversification and is widely used in smart cards.

Challenge-Response Protocol

• Because of the problems with nonces, the challenge-response protocol is often used to provide a high degree of security.

• This requires an exchange of messages and receiving as well as more processing ability on the part of the token.

•  The server (door or lock) sends a challenge consisting of a random number and the token computes a response by encrypting the challenge.

Challenge-Response

T S: T

S T: N

T S: T, KT{ N}

Note that the encryption used does not have to be invertible. A “one-way function” or cryptographic hash function can be used.

Weaknesses in C-R

• The C-R protocol is widely used. However, it is not unbreakable.

• Example: the random numbers generated by the server are often predictable and cyclic. An attacker can eavesdrop on a C-R session and determine what the next challenge will be and prepare a (perhaps pre-recorded) response.

• Note: most programming language library routines for random numbers produce predictable number streams.

• Man-in-the-Middle attacks

Man-in-the-Middle

• A man-in-the-middle attack involves an attacker “between” two legitimate parties that are authenticating – perhaps using a CR protocol.

• The attacker intercepts the messages and replays them in ways to trick the legitimate participants.

Man-in-the-Middle Example

Also known as the MIG-in-the-Middle as it was apparently used successfully in the war between South Africa and Angola in the late 1980s. Aircraft use IFF (Identify Friend or Foe) systems to prevent them from shooting down friendly aircraft. This system was developed in the 1940’s and initially used the C-R.

S T: N

T S: KT{T, N} Where T is the aircraft

• Air defense units on both sides could send and receive these signals. MIGs from Angola would wait at the border of South African air defense until South African bombers crossed into Angola on a bombing raid. The MIGs would then cross into South Africa and be met with a challenge from South African air defense units.

MIG In The Middle Attacksouth african air defense = SAADsouth african bomber = SABAngolan air defense = AADAngolan MIG = MIG SAAD MIG: NMIG AAD: NAAD SAB: N

SAB AAD: KT{SAB, N}

AAD MIG: KT{SAB, N}

MIG SAAD: KT{SAB, N}

Reflection Attack• In order for this attack to work, the two principals

must be able and willing to identify themselves to each other. This attack works if the challenge system and response generator are not integrated or if the response generator does not check the name of the challenger. (Also if the token name is not included in the encryption part.)

• Assume you have two airplanes, one from the red team and one from the blue team. The red aircraft wants to get close enough to shoot at the blue plane without the blue plane knowing it.

Reflection Attack Red enters Blue’s airspace

B R: N Blue sends challenge

R B: N Red reflects challenge back to Blue

B R: K{N} Blue’s automatic IFF system responds without noticing that it just sent out that same challenge

R B: K{N} Red gives proper response to Blue, gets close and shoots him down

Thwarting the Reflection Attack

• Require an identifier to be included in the answer to a challenge. Blue plane #1

B R: N Blue sends challenge R B: N Red reflects challenge B R: B1, K{N} Blue’s IFF responds R B: B1, K{N} Red sends reflection attempt

which is detected!• Connect the challenge and response generator

logic.

Manipulating the Message

• Reflection and Man-in-the-middle attacks can be enhanced by the ability of the attacker to manipulate the message.

• Recall the previous example: the blue plane requires a name (or other identifier) in the response message

B R: N Blue sends challenge

R B: N Red reflects challenge back to Blue

B R: B3, K{N} Blue’s IFF responds, includes its identifier, b3

R B: B3, K{N} Red sends response, but Blue recognizes attack!!

Manipulating the Message

• Red responds by giving his planes the ability to manipulate the message

B R: N Blue sends challenge

R B: N Red reflects challenge back to Blue

B R: B3, K{N} Blue’s IFF responds, includes b3

R B: B4, K{N} Red knows the first part of the message is the identifier and changes it!! Blue thinks Red is friendly and lets him get close.-----

Countermeasure

• Require the ID to be in the encrypted part - then Red cannot successfully manipulate the message unless he knows the encryption key (in which case he doesn’t need to reflect).

B R: N Blue sends challenge

R B: N Red reflects challenge back to Blue

B R: B3, K{B3, N} Blue’s IFF responds, includes b3

R B: B4, K{B3, N} Red gives response, changing the unencrypted identifier, but Blue recognizes a reflection attack!!

Subtle Uses for IFF• Radar is used extensively in weapons systems.

Radar has limited range as the signal must travel from the source to the target and return.

• In January 1944, Allied forces learned that the Germans were tracking British and American bombers at twice the normal radar range. The Germans were sending signals to interrogate the IFF systems of the bombers, so the bombers replied automatically.

• Modern IFF systems authenticate the challenge with encryption and only respond to valid challenges.

Cryptographic Hash Functions

• Alternative to encryption when decryption is not needed.

• Encryption software is slow and hardware is costly.• Message digest (signature or hash) is smaller than

ciphertext.

B R: N Blue sends challenge

R B: N Red reflects challenge back to Blue

B R: B3, H{B3, N} Blue’s IFF responds, includes b3

R B: B4, H{B3, N} Red gives response, Blue calculates H(B4,N) and compares to Red’s response.

Secure HASH Functions• Purpose is to produce a “fingerprint”.• Properties of a HASH function H :

1. H can be applied to a block of data of any size2. H produces a fixed length output3. H(x) is easy to compute for any given x.4. For any given h, it is computationally infeasible to

find x such that H(x) = h5. For any given block of data x, it is computationally

infeasible to find y such that H(y) = H(x).6. It is computationally infeasible to find any pair (x, y)

such that H(x) = H(y) where xy

Simple Hash Function

• Divide message into n-bit blocks (pad with zero if necessary). Hash code is n-bits.

Authentication

• Requirements - must be able to verify that:1. Message came from apparent

source or author,2. Contents have not been altered,3. Sometimes, it was sent at a certain time or sequence.

• Protection against active attack (falsification of data and transactions)

Approaches to Message Authentication

• Authentication Using Conventional Encryption– Only the sender and receiver should share a key

• Message Authentication with Encryption and Hash function (a and b)– An authentication tag is generated with hashing and

appended to each message after encryption

• Message Authentication with Hash function and Shared Secret Value (c )

One-way HASH functionOne-way HASH function

One-way HASH function

• Secret value is added before the hash and removed before transmission.

Other Secure HASH functionsSHA-1 MD5 RIPEMD-

160

Digest length 160 bits 128 bits 160 bits

Basic unit of processing

512 bits 512 bits 512 bits

Number of steps 80 (4 rounds of 20)

64 (4 rounds of 16)

160 (5 paired rounds of 16)

Maximum message size

264-1 bits

HMAC

• Use a MAC (message authentication code) derived from a cryptographic hash code, such as SHA-1.

• Motivations:– Cryptographic hash functions executes faster in

software than encryption algorithms such as DES

– Library code for cryptographic hash functions is widely available

– No export restrictions from the US

For Further Reading

• “Security Engineering, A Guide to Building Dependable Systems” by Ross Anderson, Wiley, 2001

• “Cryptography and Network Security, Principles and Practice” third edition, William Stallings, Prentice Hall

• “Network Security, Private Communication in a Public World”, 2nd edition, Kaufman, Perlman, Speciner, Prentice Hall, 2002