Chapter 9 Simple Authentication Protocols Simple Security Protocol Authentication Protocols...

Click here to load reader

  • date post

    31-Dec-2015
  • Category

    Documents

  • view

    229
  • download

    5

Embed Size (px)

Transcript of Chapter 9 Simple Authentication Protocols Simple Security Protocol Authentication Protocols...

  • Chapter 9Simple Authentication ProtocolsSimple Security ProtocolAuthentication ProtocolsAuthentication and TCPZero Knowledge ProofsThe best Authentication Protocol?

    Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • ProtocolsHuman protocols the rules followed in human interactionsExample: Asking a question in classNetworking protocols rules followed in networked communication systemsExamples: HTTP, FTP, etc.Security protocols the (communication) rules followed in a security applicationExamples: SSL, IPSec, Kerberos, etc. Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • ProtocolsProtocol flaws can be very subtleSeveral well-known security protocols have serious flawsIncluding IPSec, GSM and WEPCommon to find implementation errorsSuch as IE implementation of SSLDifficult to get protocols right Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • Ideal Security ProtocolSatisfies security requirementsRequirements must be preciseEfficientMinimize computational requirement in particular, costly public key operationsMinimize delays/bandwidthNot fragileMust work when attacker tries to break itWorks even if environment changesEasy to use and implement, flexible, etc.Very difficult to satisfy all of these! Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • Simple Security Protocols Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • Secure Entry to NSAInsert badge into readerEnter PINCorrect PIN?Yes? EnterNo? Get shot by security guard Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • ATM Machine ProtocolInsert ATM cardEnter PINCorrect PIN?Yes? Conduct your transaction(s)No? Machine eats card Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocolsNamibiaAngola1. N2. E(N,K)SAAFImpalaRussianMIG*Military needs many specialized protocolsMany cases, it could recognize friends as enemies, or .

    Chapter 9 Simple Authentication protocols

  • MIG in the Middle Chapter 9 Simple Authentication protocolsNamibiaAngola1. N2. N3. N4. E(N,K)5. E(N,K)6. E(N,K)SAAFImpalaRussianMiG*

    Chapter 9 Simple Authentication protocols

  • Authentication Protocols Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • AuthenticationAlice must prove her identity to BobAlice and Bob can be humans or computersMay also require Bob to prove hes Bob (mutual authentication)May also need to establish a session keyMay have other requirements, such asUse only public keysUse only symmetric keysUse only a hash functionAnonymity, plausible deniability, etc., etc. Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • AuthenticationAuthentication on a stand-alone computer is relatively simpleSecure path is the primary issueMain concern is an attack on authentication software (we discuss software attacks later)Authentication over a network is much more complexAttacker can passively observe messagesAttacker can replay messagesActive attacks may be possible (insert, delete, change messages) Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • Simple AuthenticationSimple and may be OK for standalone systemBut insecure for networked systemSubject to a replay attack (next 2 slides)Bob must know Alices password Chapter 9 Simple Authentication protocolsAliceBobIm AliceProve itMy password is frank*

    Chapter 9 Simple Authentication protocols

  • Authentication Attack Chapter 9 Simple Authentication protocolsAliceBobIm AliceProve itMy password is frankTrudy*

    Chapter 9 Simple Authentication protocols

  • Authentication AttackThis is a replay attackHow can we prevent a replay? Chapter 9 Simple Authentication protocolsBobIm AliceProve itMy password is frankTrudy*

    Chapter 9 Simple Authentication protocols

  • Simple AuthenticationMore efficientBut same problem as previous versionReplay attack Chapter 9 Simple Authentication protocolsAliceBobIm Alice, My password is frank*

    Chapter 9 Simple Authentication protocols

  • Better AuthenticationBetter since it hides Alices passwordFrom both Bob and attackersBut still subject to replay Chapter 9 Simple Authentication protocolsAliceBobIm AliceProve ith(Alices password)*

    Chapter 9 Simple Authentication protocols

  • Challenge-ResponseTo prevent replay, challenge-response usedSuppose Bob wants to authenticate AliceChallenge sent from Bob to AliceOnly Alice can provide the correct responseChallenge chosen so that replay is not possibleHow to accomplish this?Password is something only Alice should knowFor freshness, a number used once or nonce Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • Challenge-Response Chapter 9 Simple Authentication protocolsBobIm AliceNonceh(Alices password, Nonce) Nonce is the challenge The hash is the response Nonce prevents replay, insures freshness Password is something Alice knows Note that Bob must know Alices passwordAlice*

    Chapter 9 Simple Authentication protocols

  • Challenge-ResponseWhat can we use to achieve this?Hashed pwd works, crypto might be betterWill be discussed for Symmetric key, Public key, and so on Chapter 9 Simple Authentication protocolsBobIm AliceNonceSomething that could only beAlicefrom Alice (and Bob can verify)*

    Chapter 9 Simple Authentication protocols

  • Symmetric Key NotationEncrypt plaintext P with key K C = E(P,K)Decrypt ciphertext C with key K P = D(C,K)Here, we are concerned with attacks on protocols, not directly on the cryptoWe assume that crypto algorithm is secure Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • Symmetric Key AuthenticationAlice and Bob share symmetric key KABKey KAB known only to Alice and BobAuthenticate by proving knowledge of shared symmetric keyHow to accomplish this?Must not reveal keyMust not allow replay attack Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • Authentication with Sym Key Chapter 9 Simple Authentication protocolsAlice, KABBob, KABIm AliceE(R,KAB)Secure method for Bob to authenticate AliceAlice does not authenticate BobCan we achieve mutual authentication?R*

    Chapter 9 Simple Authentication protocols

  • Mutual Authentication?Whats wrong with this picture?Alice could be Trudy (or anybody else)! Chapter 9 Simple Authentication protocolsAliceBobIm Alice, RE(R,KAB)E(R,KAB)*

    Chapter 9 Simple Authentication protocols

  • Mutual AuthenticationSince we have a secure one-way authentication protocolThe obvious thing to do is to use the protocol twiceOnce for Bob to authenticate AliceOnce for Alice to authenticate BobThis has to work Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • Mutual AuthenticationThis provides mutual authenticationIs it secure? See the next slide Chapter 9 Simple Authentication protocolsAliceBobIm Alice, RARB, E(RA,KAB)E(RB,KAB)*

    Chapter 9 Simple Authentication protocols

  • Mutual Authentication Attack Chapter 9 Simple Authentication protocolsBob1. Im Alice, RA2. RB, E(RA,KAB)TrudyBob3. Im Alice, RB4. RC, E(RB,KAB)Trudy5. E(RB,KAB)*

    Chapter 9 Simple Authentication protocols

  • Mutual AuthenticationOur one-way authentication protocol not secure for mutual authentication Protocols are subtle!The obvious thing may not be secureAlso, if assumptions or environment changes, protocol may not workThis is a common source of security failureFor example, Internet protocols Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • Sym Key Mutual AuthenticationDo these insignificant changes help?Yes! Chapter 9 Simple Authentication protocolsAliceBobIm Alice, RARB, E(Bob,RA,KAB)E(Alice,RB,KAB)*

    Chapter 9 Simple Authentication protocols

  • Public Key NotationEncrypt M with Alices public key: {M}AliceSign M with Alices private key: [M]AliceThen [{M}Alice ]Alice = M {[M]Alice }Alice = M Anybody can do public key operations Only Alice can use her private key (sign) Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • Public Key AuthenticationIs this secure?Trudy can get Alice to decrypt anything!Should not use the key for encryptionMust have two key pairs Chapter 9 Simple Authentication protocolsAliceBobIm Alice{R}AliceR*

    Chapter 9 Simple Authentication protocols

  • Public Key AuthenticationIs this secure?Trudy can get Alice to sign anything!Should not use the key for signMust have two key pairs Chapter 9 Simple Authentication protocolsAliceBobIm AliceR[R]Alice*

    Chapter 9 Simple Authentication protocols

  • Public KeysNever use the same key pair for encryption and signingOne key pair for encryption/decryptionA different key pair for signing/verifying signatures Chapter 9 Simple Authentication protocols*

    Chapter 9 Simple Authentication protocols

  • Session KeySession key: temporary key, used for a short time periodUsually, a session key is required in addition to authenticationLimit symmetric key for a particular sessionLimit damage if one session key compromisedCan we authenticate and establish a shared symmetric key