Cryptography & Authentication - Colorado State University

Dr. Indrajit Ray, INRIA SMIS & Colorado State University Cryptography & Authentication Tutorial, October 9 2009 – 1 / 156 Cryptography & Authentication Dr. Indrajit Ray INRIA SMIS Colorado State University Email: [email protected] August 19, 2012

Transcript of Cryptography & Authentication - Colorado State University

Page 1: Cryptography & Authentication - Colorado State University

Dr. Indrajit Ray, INRIA SMIS & Colorado State University Cryptography & Authentication Tutorial, October 9 2009 – 1 / 156

Cryptography & Authentication

Dr. Indrajit Ray
INRIA SMIS
Colorado State University
Email: [email protected]

August 19, 2012

Page 2: Cryptography & Authentication - Colorado State University

Overview of Presentation

Basic Cryptography

Secret Key Cryptography

Public Key Cryptography

Message Digests

Key Distribution & Management

Authentication

Biometrics Based Authentication

Password Based Authentication

Replay and Interception Attacks

One Time Passwords

Mutual Authentication

Secret Key Based Mediated Authentication

Certificate Based Authentication Protocols

Page 3: Cryptography & Authentication - Colorado State University

Basic Cryptography

Page 4: Cryptography & Authentication - Colorado State University

Cryptography

● Provides a tool for
  ✦ secrecy
  ✦ integrity
  ✦ authentication
  ✦ non-repudiation
● In the face of
  ✦ passive and
  ✦ active attacks
● Not intended to solve inference problem

Page 5: Cryptography & Authentication - Colorado State University

Attacks

● Passive attacks
  ✦ observe but do not modify information
  ✦ threat for confidentiality
● Active attacks
  ✦ delete, add, modify and replay information
  ✦ threat for confidentiality, integrity, authentication and non-repudiation

Page 6: Cryptography & Authentication - Colorado State University

Terminology

● Encryption - the process of coding information such that the meaning is concealed
  ✦ encode / encipher are synonyms
● Decryption - the process of transforming encrypted information back to the original form
  ✦ decode / decipher are synonyms
● Cryptosystem - a system for encryption and decryption

Page 7: Cryptography & Authentication - Colorado State University

Terminology

● Plaintext - information in its original form (also called cleartext)
● Ciphertext - information in the encrypted form
● Cipher - an algorithm for transforming an intelligible message into one that is unintelligible
● Key - some critical information used by the cipher, together with the plaintext to generate the ciphertext

Page 8: Cryptography & Authentication - Colorado State University

Cryptographic Technologies

● Secret-key cryptosystem
  ✦ Also known as single key / shared key / symmetric key cryptosystem
  ✦ Same key used for encryption and decryption
● Public-key cryptosystem
  ✦ Also known as two key / asymmetric key cryptosystem
  ✦ Different keys used for encryption and decryption
  ✦ Strong mathematical relation exists between the two keys

Page 9: Cryptography & Authentication - Colorado State University

Cryptanalysis

● How to compromise cryptographic mechanisms
  ✦ benevolent intention: to judge the strength of cryptographic techniques and improve upon them
  ✦ malevolent intention: to breach security

Page 10: Cryptography & Authentication - Colorado State University

Cryptanalysis

● Cryptanalyst is assumed to know the encryption and decryption algorithms
● Objective of the cryptanalyst is to discover the key
  ✦ Real objective may be to discover the plaintext message M, but
    ■ this is generally assumed to be equivalent to discovering the key
    ■ it is more rewarding for the cryptanalyst to discover the key

Page 11: Cryptography & Authentication - Colorado State University

Attack Models for Cryptanalysis

● Ciphertext only or Known ciphertext
● Plaintext only or Known plaintext
● Chosen plaintext
● Chosen ciphertext

Page 12: Cryptography & Authentication - Colorado State University

Ciphertext Only

● Cryptanalyst assumed to have access to a subset of ciphertexts
● Attack is successful if corresponding plaintexts can be deduced
  ✦ Any information about underlying plaintext is also considered success
  ✦ For example, whether it is information about salary
● Must be able to guess when we have plaintext
  ✦ Sometimes the statistics of the ciphertext provide insight and can lead to a break

Page 13: Cryptography & Authentication - Colorado State University

Known Plaintext

● Cryptanalyst knows (or suspects) some plaintext-ciphertext pairs
  ✦ We have some, or even a large, amount of matching plaintext and ciphertext. The goal is to extract the key.
● Knowledge of text properties can be used to simplify attack
  ✦ For example, if plaintext is known to be ASCII, as well as ciphertext, then only 28 keys can produce the result

Page 14: Cryptography & Authentication - Colorado State University

Chosen Plaintext

● Cryptanalyst has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts.
  ✦ Feasible when attacker has access to the encryption hardware or software
  ✦ Can use knowledge of algorithm structure to attack
  ✦ Batch chosen plaintext: Cryptanalyst chooses all the plaintexts before any of them are encrypted.
  ✦ Adaptive chosen plaintext: Cryptanalyst makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions

Page 15: Cryptography & Authentication - Colorado State University

Chosen Ciphertext

● Cryptanalyst knows some plaintext-ciphertext pairs for ciphertext of the cryptanalyst’s choice
● Cryptanalyst submits arbitrary encrypted messages to be deciphered and sees the resulting plaintext
● Feasible when attacker has access to the decryption hardware or software

Page 16: Cryptography & Authentication - Colorado State University

General Attack Techniques

● Brute Force (also called Exhaustive search)
  ✦ Try to decipher ciphertext under every possible key until readable messages are produced.
  ✦ Given enough time all cryptosystems can be broken by brute-force.
  ✦ Question remains “What is readable?”
● Divide and Conquer to make brute-force easier
  ✦ Isolate small components or aspects so they can be solved separately

Page 17: Cryptography & Authentication - Colorado State University

General Attack Techniques

● Dictionary
  ✦ Form a list of the most likely keys, then try those keys one-by-one (a way to improve brute force)
● Codebook
  ✦ Develop or collect a lookup table of transformations. Each plaintext has one or more ciphertexts in the table
  ✦ Match a plaintext-ciphertext pair against the codebook

Page 18: Cryptography & Authentication - Colorado State University

General Attack Techniques

● Birthday Attacks
  ✦ Use the birthday paradox; the idea is that it is much easier to find two values which match than it is to find a match to some particular value
  ✦ Typically birthday attacks are used to break message digest algorithms
● Replay Attacks
  ✦ Record and save some ciphertext blocks or messages (especially if the content is known) then resend those blocks when useful
  ✦ Very common technique to bypass authentication protocols (More later)
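
The birthday-paradox bullet above, worked through as an added Python example (not part of the original slides). It assumes a toy digest made by truncating SHA-256 to a few bits so the searches finish quickly; the message strings are constructed. It shows why an n-bit digest offers only about n/2 bits of collision resistance.

```python
import hashlib
import math


def truncated_digest(msg: bytes, bits: int) -> int:
    """Toy digest (assumption of this example): the top `bits` bits of SHA-256."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def find_any_collision(bits: int):
    """Birthday search: hash distinct messages until ANY two digests match."""
    seen = {}
    n = 0
    while True:
        msg = b"msg-%d" % n            # constructed, all distinct
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, n + 1  # the colliding pair and the work spent
        seen[d] = msg
        n += 1


def find_match_for(target: bytes, bits: int, limit: int):
    """Search for another message whose digest matches ONE particular value."""
    want = truncated_digest(target, bits)
    for n in range(limit):
        msg = b"try-%d" % n            # constructed candidates
        if truncated_digest(msg, bits) == want:
            return msg, n + 1
    return None, limit


def collision_probability(trials: int, bits: int) -> float:
    """Approximation 1 - exp(-k(k-1)/2N) for k trials into N = 2**bits digests."""
    return 1.0 - math.exp(-trials * (trials - 1) / (2.0 * 2 ** bits))


def trials_for_half(bits: int) -> int:
    """Trials for a collision with probability about 1/2: sqrt(2 ln2 * N)."""
    return math.ceil(math.sqrt(2 * math.log(2) * 2 ** bits))


if __name__ == "__main__":
    bits = 16
    a, b, work = find_any_collision(bits)
    print("any-two match  :", a, b, "after", work, "hashes")
    m, work = find_match_for(b"target message", bits, 2 ** 20)
    print("match to target:", m, "after", work, "hashes")
    print("50% collision point for", bits, "bits:", trials_for_half(bits))
    print("50% collision point for 128 bits: about 2^%.1f"
          % math.log2(trials_for_half(128)))
```

With a 16-bit digest the any-two search needs on the order of 2^8 hashes, while matching one particular digest needs on the order of 2^16.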

Page 19: Cryptography & Authentication - Colorado State University

General Attack Techniques

● Differential Cryptanalysis
  ✦ Find a statistical correlation between key values and cipher transformations (typically the XOR of text pairs); then use sufficient defined plaintext to develop the key
  ✦ Typically used against symmetric key cryptosystems that are iterative in structure
● Algebraic Coding
  ✦ From the cipher design, develop equations for the key in terms of known / chosen plaintext, then solve those equations

Page 20: Cryptography & Authentication - Colorado State University

General Attack Techniques

● Related Key: Specify a change in any particular key bit, or some other relationship between keys, and observe the effect on the ciphertext, especially patterns of non-randomness
  ✦ 10 round AES-256 has been broken this way within practical complexity
● Timing: Measure the duration of ciphering operations and use that to reveal information about the algorithm, key or data
● Fault Analysis: Induce random faults into the ciphering system and use those to expose the key

Page 21: Cryptography & Authentication - Colorado State University

General Attack Techniques

● Man-in-the-middle: Subvert the routing capabilities of a network and pose as the other side to each end of the communications
  ✦ Has been used to break Double DES
  ✦ Diffie-Hellman is susceptible to this kind of attack
● Use pitfalls in protocol design (More in the discussion)
● Use bugs in crypto implementation

Page 22: Cryptography & Authentication - Colorado State University

Strength of Encryption

● There is no theory which guarantees strength for any conventional cipher
● Ciphers traditionally are considered strong when they have been used for a long time with “nobody” knowing how to break them
● While cryptanalysis can prove “weakness” for a given level of effort, cryptanalysis cannot prove that there is no simpler attack

Page 23: Cryptography & Authentication - Colorado State University

Security of Ciphers

● Two fundamentally different ways ciphers may be secure
  ✦ Unconditional security
    ■ No matter how much computer power is available, the cipher cannot be broken
  ✦ Computational security
    ■ Given limited computing resources (e.g. time needed for calculations is greater than age of universe), the cipher cannot be broken

Page 24: Cryptography & Authentication - Colorado State University

Secret Key Cryptography

Page 25: Cryptography & Authentication - Colorado State University

Model of Secret Key Cryptosystem

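[Figure: model of a secret key cryptosystem. The message source encrypts message M with key K1, C = E[M, K1], and sends C over an insecure communications channel, which the cryptanalyst can reach. The message destination decrypts C with key K2, M = D[C, K2]. A key source generates a random key and provides or produces the keys K1 and K2, delivered over a secure key channel.]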

Page 26: Cryptography & Authentication - Colorado State University

Block Ciphers vs. Stream Ciphers (1)

[Figure: block cipher. The plaintext is split into 64 / 128 bit blocks P1, P2, ..., Pn-1, Pn. Each plaintext block Pi is encrypted under the key to a ciphertext block Ci, and each ciphertext block Ci is decrypted under the key back to the plaintext block Pi.]

Page 27: Cryptography & Authentication - Colorado State University

Block Cipher vs. Stream Ciphers (2)

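[Figure: stream cipher. On the sending side, a pseudorandom byte generator (key stream generator) driven by the key is combined (+) with the plaintext byte stream to give the ciphertext byte stream. On the receiving side, the same generator driven by the same key is combined (+) with the ciphertext byte stream to give the plaintext byte stream.]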

Page 28: Cryptography & Authentication - Colorado State University

Modes of Operation for Block Ciphers

● 4 modes of operation
  ✦ ECB - Electronic Code Book
  ✦ CBC - Cipher Block Chaining
  ✦ CFB - Cipher Feedback
  ✦ OFB - Output Feedback

Page 29: Cryptography & Authentication - Colorado State University

Electronic Code Book Mode

[Figure: ECB mode. A 64 bit data block is encrypted (E) under a 56 bit key; the result is decrypted (D) under the 56 bit key to a 64 bit data block.]

● Ok for small messages
● Identical data blocks will be identically encrypted

Page 30: Cryptography & Authentication - Colorado State University

Cipher Block Chaining

[Figure: CBC mode, encryption (E) and decryption (D) sides. Labels on each side: 56 bit key; 64 bit data block; + (exclusive OR) with the 64 bit previous ciphertext block; ciphertext block.]

Page 31: Cryptography & Authentication - Colorado State University

Cipher Block Chaining

● CBC seeks to make each ciphertext block a function of
  ✦ the key and
  ✦ all previous plaintext blocks
● Needs an Initialization Vector (IV) to serve as the first feedback block

Page 32: Cryptography & Authentication - Colorado State University

Cipher Block Chaining

● IV need not be secret or random
● Integrity of IV is important, otherwise first data block can be arbitrarily changed
● IV should be changed from message to message, or first block of every message should be distinct
  ✦ otherwise the first blocks will be encrypted identically

Page 33: Cryptography & Authentication - Colorado State University

Cipher Feedback

[Figure: Cipher Feedback mode, encryption (E) and decryption (D) sides. Labels on each side: shift register of 8, 8-bit blocks with left shift; 56 bit key; leftmost 8 bits; + (exclusive OR); 8-bit plaintext; 8-bit ciphertext.]

Page 34: Cryptography & Authentication - Colorado State University

Cipher Feedback

● Intended for character-by-character transmission, among other things
● Operates at 1/8th the speed of CBC or ECB
● We can have k-bit feedback, in general
● Needs a 64-bit Initialization Vector to initialize the shift register
● An error in one 8-bit incoming ciphertext will be extended to the next 8 8-bit decrypted ciphertexts

Page 35: Cryptography & Authentication - Colorado State University

Output Feedback

[Figure: Output Feedback mode, encryption (E) and decryption (D) sides. Labels on each side: shift register of 8, 8-bit blocks with left shift; 56 bit key; leftmost 8 bits; + (exclusive OR); 8-bit plaintext; 8-bit ciphertext.]

Page 36: Cryptography & Authentication - Colorado State University

Output Feedback

● Similar to CFB except that the key stream generated as input to exclusive OR is independent of plaintext
  ✦ Error is not extended
● OFB is intended for use with speech or video (due to lack of error extension)
● ANSI and ISO only allow 64 bit feedback in OFB
  ✦ otherwise average cycle of repetition in key stream is 2^31
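
The error behaviour described for CFB and OFB on the preceding slides, as an added Python example that is not part of the original tutorial. It assumes 8-bit feedback with a 64-bit shift register, as in the diagrams, and uses a truncated keyed SHA-256 as a stand-in for the block encryption E (both modes only call E in the forward direction); key, IV and message are constructed.

```python
import hashlib

KEY = b"demo-key"                              # constructed sample key
IV = bytes.fromhex("0123456789abcdef")         # constructed 64-bit IV
MSG = b"character-by-character transmission"   # constructed sample plaintext


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the 64-bit block encryption on the slides (not DES, not secure)."""
    return hashlib.sha256(key + block).digest()[:8]


def cfb8(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """8-bit CFB: the CIPHERTEXT byte is shifted into the 64-bit register."""
    reg, out = iv, bytearray()
    for byte in data:
        result = byte ^ E(key, reg)[0]        # leftmost 8 bits of E(register)
        out.append(result)
        fed_back = byte if decrypt else result
        reg = reg[1:] + bytes([fed_back])     # left shift by 8 bits
    return bytes(out)


def ofb8(key: bytes, iv: bytes, data: bytes) -> bytes:
    """8-bit OFB: the KEY STREAM byte is shifted in, independent of the data.

    The same function encrypts and decrypts. 8-bit feedback mirrors the slide
    diagram; the slides note that ANSI and ISO only allow 64 bit feedback.
    """
    reg, out = iv, bytearray()
    for byte in data:
        k = E(key, reg)[0]
        out.append(byte ^ k)
        reg = reg[1:] + bytes([k])
    return bytes(out)


def flip_bit(data: bytes, pos: int) -> bytes:
    """Simulate a single-bit transmission error in ciphertext byte `pos`."""
    return data[:pos] + bytes([data[pos] ^ 0x01]) + data[pos + 1:]


def error_extent(mode: str, pos: int = 5) -> list:
    """Positions of plaintext bytes that decrypt wrongly after one damaged byte."""
    if mode == "cfb":
        damaged = flip_bit(cfb8(KEY, IV, MSG), pos)
        recovered = cfb8(KEY, IV, damaged, decrypt=True)
    elif mode == "ofb":
        damaged = flip_bit(ofb8(KEY, IV, MSG), pos)
        recovered = ofb8(KEY, IV, damaged)
    else:
        raise ValueError("mode must be 'cfb' or 'ofb'")
    return [i for i, (a, b) in enumerate(zip(MSG, recovered)) if a != b]


if __name__ == "__main__":
    print("CFB damaged plaintext positions:", error_extent("cfb"))
    print("OFB damaged plaintext positions:", error_extent("ofb"))
```

In CFB the damaged byte stays in the shift register for eight further steps, so the damage can reach positions 5 through 13 and then stops; in OFB only position 5 is affected.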

Page 37: Cryptography & Authentication - Colorado State University

Public Key Cryptography

Page 38: Cryptography & Authentication - Colorado State University

Public Key Cryptosystem

● Traditional secret key cryptography uses a single key shared by both sender and receiver
  ✦ Problem – How to share the key?
● Does not protect sender from the receiver forging a message & claiming that message is sent by sender, the two parties being equal
● Solution - public key / asymmetric key cryptosystem

Page 39: Cryptography & Authentication - Colorado State University

Public Key Cryptosystem

● Public-key (or two-key or asymmetric key) cryptography involves the use of two keys:
  ✦ a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
  ✦ a private-key, known only to the recipient, used to decrypt messages, and create signatures

Page 40: Cryptography & Authentication - Colorado State University

Public Key Cryptosystems


● Three important classes of public-key algorithms:

✦ Public-Key Distribution Schemes (PKDS) - used to securely exchange a single piece of information that is then used as a session key for a secret-key scheme

✦ Public Key Schemes (PKS) - used for encryption, where the public-key encrypts and the private-key decrypts messages

✦ Signature Schemes - used to create a digital signature, where the private-key creates and the public-key verifies signatures

Page 41: Cryptography & Authentication - Colorado State University

Public Key Cryptography


● Any public-key scheme can be used as a PKDS, just by selecting a message which is the required session key

● Many public-key schemes are also signature schemes (provided encryption & decryption can be done in either order)

Page 42: Cryptography & Authentication - Colorado State University

Public Key Cryptosystem


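[Figure: public-key encryption. Bob's key source generates a key pair: Bob's private key $K_D$ stays with Bob, and Bob's public key $K_E$ is provided to Alice over a reliable key channel. Alice, the message source, encrypts $M$ with Bob's public key, $C = E[M, K_E]$, and sends $C$ over the insecure communications channel, where the cryptanalyst can observe it. Bob, the message destination, decrypts $C$ with his private key, $M = D[C, K_D]$.]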

Page 43: Cryptography & Authentication - Colorado State University

Properties of Public/Private Keys


● Public / Private key pairs, $(K_E, K_D)$, are easy to generate (a polynomial time (P-time) problem)

● $D[E[M, K_E], K_D] = M$

● $D[E[M, K_D], K_E] = M$

● $K_E \neq K_D$

● $D[E[M, K_E], K'] = M \rightarrow K_D = K'$

Page 44: Cryptography & Authentication - Colorado State University

Properties of Public/Private Keys


● The keys $K_E$ and $K_D$ are mathematically related

● A plaintext encrypted with $K_E$ can be decrypted only with $K_D$ and vice versa

✦ Does not matter which one you choose to call public key / private key

Page 45: Cryptography & Authentication - Colorado State University

Property of the Keys


● Knowing the public-key and public description of the cipher, it is

✦ Computationally infeasible to compute the private key ($K_D$) (an NP-time problem)

✦ Thus the public-key may be distributed to anyone wishing to communicate securely with its owner

■ Although proper distribution of the public-key is a non-trivial problem - the key distribution problem

Page 46: Cryptography & Authentication - Colorado State University

Privacy For Small Payload (One Way)


● Look up the recipient’s public key

● Encrypt the payload with the recipient’s public key and send on an unprotected network

● The recipient will receive and decrypt the message with their private key

Page 47: Cryptography & Authentication - Colorado State University

Privacy For Small Payload (Two Way)


● Look up the recipient’s public key

● Encrypt the following with the recipient’s public key and send on an unprotected network

✦ The payload

✦ Your public key [1]

● The recipient will receive and decrypt the message and your public key with their private key and encrypt their response with your public key

● When you receive the response, decrypt it with your private key

[1] Could have recipient look up originator’s public key

Page 48: Cryptography & Authentication - Colorado State University

Privacy For A Session


● Look up the recipient’s public key

● Encrypt the following with the recipient’s public key and send on an unprotected network:

✦ Your public key

✦ Your part of a session key

● The recipient will decrypt the message, combine your session key part with their session key part, and encrypt this with your public key

● When you receive the response, decrypt it with your private key and begin the private key session

Page 49: Cryptography & Authentication - Colorado State University

Digital Signatures


[Figure: digital signature. Alice's key source generates Alice's private key $K_D$ and provides Alice's public key $K_E$ to Bob over a reliable key channel. Alice, the message source, decrypts $M$ with her private key, $C = D[M, K_D]$, and sends $C$ over the reliable communications channel. Bob, the message destination, encrypts $C$ with Alice's public key, $M = E[C, K_E]$.]

Page 50: Cryptography & Authentication - Colorado State University

Signature and Non Repudiation


● A signature is a non repudiable proof assuming that a one-to-one mapping can be established between a public key and its owner

● In general non-repudiation requires a notarized signature, involving a third party, that vouches for the one-to-one mapping between a public key and its owner

● In large systems this can involve hierarchies of notarization

Page 51: Cryptography & Authentication - Colorado State University

Signature and Encryption


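[Figure: signature and encryption. Alice applies D with Alice's private key to the plaintext (signed), then E with Bob's public key (encrypted). The encrypted, signed plaintext travels from Alice to Bob. Bob applies D with Bob's private key, then E with Alice's public key.]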

Page 52: Cryptography & Authentication - Colorado State University

Signature and Encryption


● We can do the encryption first followed by the signature

✦ From Bob’s perspective both provide the same functionality

✦ Signature later (that is signature on the clear) has the advantage that the signature can be verified by parties other than Bob
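
The key properties from the "Properties of Public/Private Keys" slides and the sign-then-encrypt pipeline from the "Signature and Encryption" slides can be checked with small numbers. This is an added example, not from the slides: it assumes textbook RSA with tiny constructed primes as the concrete cipher (no padding or hashing, so it is unsafe for real use), and all function and key names are hypothetical.

```python
# Added illustration: textbook RSA stands in for the generic E[.] / D[.] of the
# slides (an assumption). Tiny primes, no padding: never use this for real data.

def make_keypair(p, q, e=17):
    """Return (K_E, K_D), each an (exponent, modulus) pair, for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+); raises if gcd(e, phi) != 1
    return (e, n), (d, n)


def apply_key(x, key):
    """E[x, K] and D[x, K] are the same operation here: x**k mod n."""
    k, n = key
    if not 0 <= x < n:
        raise ValueError("value does not fit under this modulus")
    return pow(x, k, n)


# Constructed key pairs. Alice's modulus is smaller than Bob's so that her
# signed value always fits under Bob's modulus when it is encrypted for him.
ALICE_KE, ALICE_KD = make_keypair(61, 53)  # n = 3233
BOB_KE, BOB_KD = make_keypair(89, 97)      # n = 8633


def sign_then_encrypt(m, signer_kd, recipient_ke):
    """Alice's side of the figure: D with her private key, then E with Bob's public key."""
    signed = apply_key(m, signer_kd)
    return apply_key(signed, recipient_ke)


def decrypt_then_verify(c, recipient_kd, signer_ke):
    """Bob's side: D with his private key, then E with Alice's public key.

    Returns (signed, m). Bob keeps `signed`: it is the signature on the clear
    message and can be shown to a third party.
    """
    signed = apply_key(c, recipient_kd)
    return signed, apply_key(signed, signer_ke)


def third_party_verify(signed, claimed_m, signer_ke):
    """Anyone holding only Alice's public key can confirm she signed claimed_m."""
    return apply_key(signed, signer_ke) == claimed_m


if __name__ == "__main__":
    m = 65  # constructed sample message, must be smaller than Alice's modulus
    print("D[E[M,KE],KD] =", apply_key(apply_key(m, ALICE_KE), ALICE_KD))
    print("D[E[M,KD],KE] =", apply_key(apply_key(m, ALICE_KD), ALICE_KE))
    c = sign_then_encrypt(m, ALICE_KD, BOB_KE)
    signed, recovered = decrypt_then_verify(c, BOB_KD, ALICE_KE)
    print("Bob recovers", recovered, "third party accepts:",
          third_party_verify(signed, recovered, ALICE_KE))
```

The modulus ordering matters: if the signer's modulus were larger than the recipient's, `apply_key` would raise because the signed value may not fit in one encryption block.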

Page 53: Cryptography & Authentication - Colorado State University

Special Signature Schemes


● Relax one or more of the following characteristics of regular signature schemes

✦ Signer knows the contents of the message signed

✦ Anyone with knowledge of public key of signer can verify correctness of signature without consent or input from signer

✦ Security of signature scheme is based on certain complexity theoretic assumptions

Page 54: Cryptography & Authentication - Colorado State University

Blind Signature


● Allows a subject to get a message signed by another party without revealing any information about the message to the other party

● Usage in

✦ Digital timestamping

✦ Anonymous access control

✦ Digital cash

Page 55: Cryptography & Authentication - Colorado State University

Group Signature


● Allows a member of a group to sign a message such that the verifier can confirm that it came from the group, but does not know which individual in the group signed the message

✦ In case of disputes identity of signer can be discovered by a designated group authority that has some additional information

Page 56: Cryptography & Authentication - Colorado State University

One Time Signature


● Allows the signature of only a single message using a given piece of private (and public) information

✦ Schemes that require new key pairs for each message signed are not susceptible to key compromise

✦ Generally quite fast

✦ Schemes tend to be unwieldy when used to authenticate multiple messages because additional data needs to be generated to both sign and verify each new message

Page 57: Cryptography & Authentication - Colorado State University

Message Digests


Page 58: Cryptography & Authentication - Colorado State University

Message Digests


● Motivation

✦ Public-key technology is very slow

■ Cannot sign big messages

✦ Signed message is at least as long as original message, often longer

● Message digests are one-way hash values of original messages; each concisely represents the message from which it was computed

Page 59: Cryptography & Authentication - Colorado State University

Message Digests


[Figure: one-way hash function. Labels: "Easy to Compute" and "Hard to Compute".]

Page 60: Cryptography & Authentication - Colorado State University

Properties of Cryptographic Hash Functions


● The hash function H(x) is relatively easy to compute for any given x

● H(x) is one-way

✦ “hard to invert”, that is given a hash value h, it is computationally infeasible to find some input x such that H(x) = h

● H(x) is collision-free

Page 61: Cryptography & Authentication - Colorado State University

Weakly Collision Free


● Given a message $M$, it is computationally infeasible to find a message $M' \neq M$ such that $H(M) = H(M')$

✦ Given $M$, $m = H(M)$, try messages at random to find $M'$ with $H(M') = m$

✦ $2^k$ trials on an average for messages of size $k$ bits

Page 62: Cryptography & Authentication - Colorado State University

Strongly Collision Free


● It is computationally infeasible to find any two messages $M$ and $M'$ such that $H(M) = H(M')$

✦ Try pairs of messages at random to find $M$ and $M'$ such that $H(M') = H(M)$

✦ $2^{k/2}$ trials on an average
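
The gap between the two search costs on the "Weakly Collision Free" and "Strongly Collision Free" slides can be measured when the digest is cut down to k = 16 bits. This is an added example, not from the slides: the truncated SHA-256 digest `H`, the counter-based candidate messages and the target message are constructed for the demonstration.

```python
import hashlib


def H(msg: bytes, k_bits: int) -> int:
    """SHA-256 truncated to its top k_bits bits: a deliberately weak digest."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - k_bits)


def candidate(i: int) -> bytes:
    """i-th trial message. A counter keeps runs repeatable; the digest of each
    candidate still behaves like a random k-bit value."""
    return b"msg-%d" % i


def find_second_preimage(target: bytes, k_bits: int, limit: int = 1 << 24):
    """Weak collision search: given M, look for M' != M with H(M') = H(M).

    Each trial matches with probability 2**-k_bits, so about 2**k_bits trials
    are expected. Returns (M', trials) or (None, limit).
    """
    m = H(target, k_bits)
    for trials in range(1, limit + 1):
        cand = candidate(trials)
        if cand != target and H(cand, k_bits) == m:
            return cand, trials
    return None, limit


def find_collision(k_bits: int, limit: int = 1 << 24):
    """Strong collision search: look for ANY pair M, M' with equal digests.

    Every new digest is compared against all earlier ones (via the dict), so a
    match is expected after roughly 2**(k_bits/2) trials (birthday effect).
    Returns (M, M', trials) or (None, None, limit).
    """
    seen = {}
    for trials in range(1, limit + 1):
        cand = candidate(trials)
        h = H(cand, k_bits)
        if h in seen:
            return seen[h], cand, trials
        seen[h] = cand
    return None, None, limit


if __name__ == "__main__":
    K = 16
    target = b"pay Bob 10"  # constructed sample message
    m1, m2, t_pair = find_collision(K)
    m_prime, t_second = find_second_preimage(target, K)
    print(f"k = {K}: 2^(k/2) = {2 ** (K // 2)}, 2^k = {2 ** K}")
    print(f"any colliding pair : {m1!r} / {m2!r} after {t_pair} trials")
    print(f"second preimage    : {m_prime!r} after {t_second} trials")
```

Each extra digest bit doubles the second-preimage work but only multiplies the collision work by about 1.4, which is why digest length is chosen against the $2^{k/2}$ figure.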

Page 63: Cryptography & Authentication - Colorado State University

Current Generation Algorithms


● MD5 (Message Digest 5)

✦ 128 bit message digest proposed by Rivest of RSA

✦ simple, compact and fast

● SHA (Secure Hash Algorithm)

✦ 160 bit message digest similar to MD5

✦ slightly slower than MD5 but more secure

Page 64: Cryptography & Authentication - Colorado State University

Keyed Message Digest


● Secret-key technique to provide efficient

✦ Authentication

✦ Integrity

● Does not provide Non-repudiation

● Also known as Message Authentication Codes (MAC)

Page 65: Cryptography & Authentication - Colorado State University

Message Authentication Code


● It is an authentication tag (also called a checksum) derived by applying an authentication scheme, together with a secret key, to a message digest

● MACs are computed and verified with the same key, so that they can only be verified by the intended recipient

✦ This is unlike digital signatures

● Many different types of MACs – most popular are

✦ hash function-based

✦ block cipher-based

Page 66: Cryptography & Authentication - Colorado State University

Hash Based MACs


● Often called HMAC (example: HMAC-MD5, HMAC-SHA)

● Use a key or keys in conjunction with a hash function to produce a checksum that is appended to the message

● $\mathrm{HMAC}_K(M) = H((K \oplus \mathit{opad}) \,\|\, H((K \oplus \mathit{ipad}) \,\|\, M))$

✦ $H$ is any message digest function

✦ $M$ message

✦ $K$ secret key

✦ $\mathit{opad}$, $\mathit{ipad}$: fixed outer and inner padding
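
The HMAC formula above, written out step by step and checked against Python's standard `hmac` module, together with the append-and-verify flow the slide describes. This is an added example, not from the slides: the padding bytes 0x36 and 0x5C and the key-length handling follow RFC 2104, and the helper names `protect` and `check` are hypothetical.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # fixed inner and outer padding bytes (RFC 2104)


def hmac_from_formula(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = H((K xor opad) || H((K xor ipad) || M))."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block = hashlib.new(hash_name).block_size  # 64 bytes for SHA-1 and SHA-256
    if len(key) > block:       # over-long keys are hashed down first
        key = H(key)
    key = key.ljust(block, b"\x00")  # then zero-padded to one hash block
    inner = H(bytes(b ^ IPAD for b in key) + msg)
    return H(bytes(b ^ OPAD for b in key) + inner)


def protect(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """Sender: append the checksum to the message."""
    return msg + hmac_from_formula(key, msg, hash_name)


def check(key: bytes, blob: bytes, hash_name: str = "sha256") -> bytes:
    """Receiver: split off the tag, recompute it with the same key, compare.

    Returns the message, or raises ValueError if the tag does not match.
    """
    size = hashlib.new(hash_name).digest_size
    if len(blob) < size:
        raise ValueError("too short to carry a tag")
    msg, tag = blob[:-size], blob[-size:]
    expected = hmac_from_formula(key, msg, hash_name)
    # Constant-time comparison: do not leak how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC check failed")
    return msg


if __name__ == "__main__":
    key = b"constructed shared key"   # sample values, constructed
    msg = b"transfer 10 to Bob"
    blob = protect(key, msg)
    print("tag      :", blob[len(msg):].hex())
    print("verified :", check(key, blob))
    try:
        check(key, b"transfer 99 to Bob" + blob[len(msg):])
    except ValueError as err:
        print("tampered :", err)
```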

Page 67: Cryptography & Authentication - Colorado State University

Block Cipher-based MACs


● Encrypt the message blocks using a symmetric block cipher in Cipher Block Chaining mode and output the final block in the ciphertext as the checksum

● DES based MACs are 64 bit and not considered strong anymore

Page 68: Cryptography & Authentication - Colorado State University

Key Distribution & Management


Page 69: Cryptography & Authentication - Colorado State University

Public-Key Certificates


● Reliable distribution of public-keys

● Public-key encryption

✦ Sender needs public key of receiver

● Public-key digital signatures

✦ Receiver needs public key of sender

● Public-key key agreement

✦ Both need each other’s public keys

Page 70: Cryptography & Authentication - Colorado State University

Public-Key Certificates


● Public key should be linked with subject’s ID

✦ Allows verification of the claim that a specific public key does indeed belong to a specific subject

● Trusted authority must certify the authenticity of public keys

● Achieved by means of certificates

✦ In its simplest form contain a public key and a name

✦ Most widely accepted format defined by the ITU-T X.509 standard

Page 71: Cryptography & Authentication - Colorado State University

X.509 Certificate


[Figure: X.509 certificate fields]

Version
Serial Number
Signature Algorithm
Issuer
Validity
Subject
Subject Public Key Info
Signature

Page 72: Cryptography & Authentication - Colorado State University

X.509 Certificate


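[Figure: example X.509 certificate]

Version: 1
Serial Number: 1234567891011121314
Signature Algorithm: RSA + MD5, 512
Issuer: C=US, S=CO, O=CSU, OU=CS
Validity: 01/01/2002 - 01/10/2002
Subject: C=US, S=CO, O=CSU, OU=CS, CN=Indrajit Ray
Subject Public Key Info: RSA, 1024, xxxxxxxxxxxxxxxxxxxxxxxxxx
Signature: yyyyyyyyyyy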

Page 73: Cryptography & Authentication - Colorado State University

Certificate Revocation


● Certificates may need to be revoked

✦ Key specified in certificate may have been compromised

✦ Subject specified may no longer have the authority to use the key

✦ Certifying authority’s key is compromised

● Achieved by means of Certificate Revocation Lists (CRLs) stored at CRL repositories – usually the certifying authority itself

Page 74: Cryptography & Authentication - Colorado State University

CRL Format


[Figure: CRL format]

Signature Algorithm
Issuer
Last Update
Next Update
Revoked Certificates (one entry per revoked certificate; two entries shown):
  Serial Number, Revocation Date
  Serial Number, Revocation Date
Signature

Page 75: Cryptography & Authentication - Colorado State University

CRL Distribution


● Pull Model

✦ Verifier downloads the CRL from the certifying authority as needed

● Push Model

✦ Certifying authority sends the CRL to verifiers at regular intervals

● Hybrid Model

✦ CRL is “pushed” to several intermediate repositories from which the verifier “pulls” the CRL as needed
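
A pull-model verifier built on the certificate and CRL fields from the preceding slides: it reuses a cached CRL until its Next Update time, pulls a fresh one after that, and rejects when no current CRL is available. This is an added example, not from the slides: class and function names are hypothetical, signature checks on the certificate and CRL are assumed to have been done already, the CRL dates are constructed, and the sample validity "01/01/2002 - 01/10/2002" is read as 1 to 10 January 2002 (an assumption).

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Certificate:
    serial: int
    issuer: str
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    issuer: str
    last_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)  # serial number -> revocation date


class PullVerifier:
    """Pull model: download the CRL from the repository only as needed."""

    def __init__(self, fetch_crl):
        self.fetch_crl = fetch_crl  # callable(issuer) -> CRL, stands in for the repository
        self.cache = {}
        self.downloads = 0

    def _current_crl(self, issuer, now):
        crl = self.cache.get(issuer)
        if crl is None or now >= crl.next_update:  # nothing cached, or cache expired
            crl = self.fetch_crl(issuer)
            self.downloads += 1
            self.cache[issuer] = crl
        return crl

    def check(self, cert, now):
        if not cert.not_before <= now <= cert.not_after:
            return "reject: outside validity period"
        crl = self._current_crl(cert.issuer, now)
        # Fail closed: a CRL from another issuer, or one past its Next Update,
        # says nothing reliable about this certificate.
        if crl.issuer != cert.issuer or not crl.last_update <= now < crl.next_update:
            return "reject: no current CRL available"
        if cert.serial in crl.revoked:
            return "reject: revoked"
        return "accept"


def demo():
    """Constructed scenario around the sample certificate shown on the slide."""
    issuer = "C=US, S=CO, O=CSU, OU=CS"
    cert = Certificate(1234567891011121314, issuer, issuer + ", CN=Indrajit Ray",
                       datetime(2002, 1, 1), datetime(2002, 1, 10))
    repo = {issuer: CRL(issuer, datetime(2002, 1, 2), datetime(2002, 1, 4))}
    verifier = PullVerifier(lambda name: repo[name])
    results = [verifier.check(cert, datetime(2002, 1, 3)),       # first pull
               verifier.check(cert, datetime(2002, 1, 3, 12))]   # served from cache
    # The authority revokes the certificate and publishes a new CRL.
    repo[issuer] = CRL(issuer, datetime(2002, 1, 6), datetime(2002, 1, 8),
                       {cert.serial: datetime(2002, 1, 5)})
    results.append(verifier.check(cert, datetime(2002, 1, 7)))   # cache expired, pull again
    results.append(verifier.check(cert, datetime(2002, 1, 11)))  # certificate expired
    return results, verifier.downloads


if __name__ == "__main__":
    print(demo())
```

A revocation only takes effect at a verifier once its cached CRL passes Next Update, so that interval bounds how long a revoked certificate can still be accepted.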

Page 76: Cryptography & Authentication - Colorado State University

Certificate Trust


● How to acquire public key of the issuer to verify signature?

● Whether or not to trust certificates signed by the issuer for this subject?

Page 77: Cryptography & Authentication - Colorado State University

Public Key Infrastructure


● Protocols, services and standards for managing public keys

✦ Key registration: issuing a new certificate for a public key

✦ Certificate revocation: canceling a previously issued certificate

✦ Key selection: obtaining a subject’s public key

✦ Trust evaluation: determining whether a certificate is valid and what operations it authorizes

● Several PKI initiatives underway, most based on X.509 certificates

Page 78: Cryptography & Authentication - Colorado State University

Internet Key Exchange (IKE) Protocol


● Uses Diffie-Hellman Key exchange to share a session secret

● Uses session secret to derive keys

Page 79: Cryptography & Authentication - Colorado State University

Diffie-Hellman Key Exchange


● Alice and Bob want to exchange a secret key over an insecure channel
● System wide constants
✦ $p$: a very large prime number (∼ 200 digits)
✦ $\alpha$: a small integer
● Alice chooses a random secret number $x_a$
● Bob chooses a random secret number $x_b$

Page 80: Cryptography & Authentication - Colorado State University

Diffie-Hellman Key Exchange

Alice
Step 1: Chooses random $x_a$
Step 2: Sends $y_A = \alpha^{x_a} \bmod p$
Step 3: Computes $K_{AB} = (y_B)^{x_a} \bmod p = \alpha^{x_a x_b} \bmod p$

Bob
Step 1: Chooses random $x_b$
Step 2: Sends $y_B = \alpha^{x_b} \bmod p$
Step 3: Computes $K_{AB} = (y_A)^{x_b} \bmod p = \alpha^{x_a x_b} \bmod p$

Shared Key: $K_{AB}$

Page 81: Cryptography & Authentication - Colorado State University

DH Man-in-the-Middle Attack

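Alice
Step 1: Chooses random $x_a$
Step 2: Sends $y_{AC} = \alpha^{x_a} \bmod p$
Step 3: Computes $K_{AC} = (y_{CA})^{x_a} \bmod p = \alpha^{x_c x_a} \bmod p$

Bob
Step 1: Chooses random $x_b$
Step 2: Sends $y_{BC} = \alpha^{x_b} \bmod p$
Step 3: Computes $K_{BC} = (y_{CB})^{x_b} \bmod p = \alpha^{x_c x_b} \bmod p$

Cryptanalyst Charlie
Step 1: Chooses random $x_c$
Step 2: Sends $y_{CA} = \alpha^{x_c} \bmod p$
Step 2: Sends $y_{CB} = \alpha^{x_c} \bmod p$

Charlie computes
$K_{AC} = (y_{AC})^{x_c} \bmod p = \alpha^{x_a x_c} \bmod p$
$K_{BC} = (y_{BC})^{x_c} \bmod p = \alpha^{x_b x_c} \bmod p$

Shared Keys: $K_{AC}$, $K_{BC}$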
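The two exchanges above as an added Python example (not part of the original tutorial), followed by a receiver-side check that rejects substituted public values. The demo prime, the pre-established long-term key `auth_key`, the use of HMAC-SHA256 and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo parameters: p is the Mersenne prime 2**127 - 1 and alpha = 3.
# Far too small for real use; the slides call for a ~200 digit prime.
P = 2**127 - 1
ALPHA = 3


def keypair():
    """Steps 1-2: pick a random secret x and compute y = alpha^x mod p."""
    x = secrets.randbelow(P - 3) + 2          # x in [2, p-2]
    return x, pow(ALPHA, x, P)


def shared_key(their_y, my_x):
    """Step 3: K = (y_other)^x mod p."""
    return pow(their_y, my_x, P)


def honest_exchange():
    """Plain Diffie-Hellman: both sides end with the same K_AB."""
    xa, ya = keypair()
    xb, yb = keypair()
    return shared_key(yb, xa), shared_key(ya, xb)


def substituted_exchange():
    """The MITM slide: both parties receive Charlie's value instead of the peer's."""
    xa, y_ac = keypair()
    xb, y_bc = keypair()
    xc, y_c = keypair()
    return {
        "K_AC_alice": shared_key(y_c, xa),     # Alice believes this is K_AB
        "K_BC_bob": shared_key(y_c, xb),       # Bob believes this is K_AB
        "K_AC_charlie": shared_key(y_ac, xc),
        "K_BC_charlie": shared_key(y_bc, xc),
    }


def tag(auth_key, sender, y):
    """Bind a public value to its sender with HMAC-SHA256 under a long-term key."""
    msg = sender.encode() + b"|" + y.to_bytes(16, "big")
    return hmac.new(auth_key, msg, hashlib.sha256).digest()


def accept(auth_key, sender, y, received_tag):
    """Receiver-side check: value in range and tag valid for the claimed sender."""
    in_range = 1 < y < P - 1
    return in_range and hmac.compare_digest(tag(auth_key, sender, y), received_tag)


def authenticated_exchange(auth_key, substitute=False):
    """Return both parties' keys, or None if either side rejects the peer value."""
    xa, ya = keypair()
    xb, yb = keypair()
    msg_from_alice = (ya, tag(auth_key, "alice", ya))
    msg_from_bob = (yb, tag(auth_key, "bob", yb))
    if substitute:
        # An in-path party swaps the public values but cannot recompute the
        # tags without auth_key, so the original tags no longer match.
        _, y_c = keypair()
        msg_from_alice = (y_c, msg_from_alice[1])
        msg_from_bob = (y_c, msg_from_bob[1])
    if not accept(auth_key, "bob", *msg_from_bob):        # Alice's check
        return None
    if not accept(auth_key, "alice", *msg_from_alice):    # Bob's check
        return None
    return shared_key(msg_from_bob[0], xa), shared_key(msg_from_alice[0], xb)
```

The plain exchange fails silently under substitution because nothing ties $y_A$ or $y_B$ to its sender; once each value carries a tag the other side can verify, the swapped value is rejected before any key is derived.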

Page 82: Cryptography & Authentication - Colorado State University

Authentication

Page 83: Cryptography & Authentication - Colorado State University

Authentication in DBMSs

● DBMSs, in general, rely on the underlying OS to provide authentication services
● If the OS provides different types of authentication services, the DBMS can specify what type of authentication service to use
● The DBMS can also specify whether authentication needs to be done at the client side or at the server side

Page 84: Cryptography & Authentication - Colorado State University

Entity Authentication

● Allows one party – the verifier – to gain assurance that the identity of another – the claimant – is as declared
✦ Prevents impersonation
✦ Enables authorization
✦ Allows accountability
● Typically, the claimant reveals knowledge of some secret S to the verifier
● Strong Authentication – Claimant reveals knowledge of S to the verifier without revealing S to the verifier.

Page 85: Cryptography & Authentication - Colorado State University

Message Authentication

● Allows the receiver of a message to gain assurance that

✦ The incoming message has not been tampered with in transit
✦ The incoming message did indeed originate from the sender who claimed to have sent it
● Provided by digital signatures
● Provides no timeliness guarantee with respect to when message was created
● Authenticated key establishment is essentially message authentication where the message is the key

Page 86: Cryptography & Authentication - Colorado State University

Identification vs. Authentication

● Identification (Who are you?)
✦ Associating an identity with an individual, process or request
✦ Confirmed by matching characteristics to a database containing records of people and characteristics
● Authentication (Are you who you claim to be?)
✦ Verifying a claimed identity
✦ Confirmed by comparing characteristics to those previously recorded for that same entity

Page 87: Cryptography & Authentication - Colorado State University

Basis of Authentication

● Something inherent to a human individual (Biometrics)

✦ Fingerprints, retinal patterns, hand geometries, signature dynamics, dynamic keyboarding characteristics
● Something known
✦ Standard passwords, personal identification numbers, secret key whose knowledge is demonstrated in a challenge-response protocol

● Something possessed

✦ A physical key, a passport, a token, a smart card

Page 88: Cryptography & Authentication - Colorado State University

Biometrics Based Authentication

Page 89: Cryptography & Authentication - Colorado State University

Biometric Authentication Model

Page 90: Cryptography & Authentication - Colorado State University

Attacks on Biometrics

● Attack the database
● Attack the network – Replay
● Attack the sensor or other part of the trusted computing base
● Attack the registration process
✦ Dummy finger
✦ Contact lenses
✦ Disguises
● Collusion

Page 91: Cryptography & Authentication - Colorado State University

Security Considerations

● Biometrics are not secrets and are therefore susceptible to modified or spoofed measurements
● There is no recourse for revoking a compromised identifier
● Threatens individual right to anonymity
✦ Cultural concerns
✦ Religious concerns
✦ Violates civil liberties

Page 92: Cryptography & Authentication - Colorado State University

Types of Biometrics

● Physiological

✦ Fingerprints
✦ Retinal patterns
✦ Face
✦ Hand geometry
✦ DNA (not yet used for authentication)
● Behavioral
✦ Keystroke dynamics
✦ Voice

Page 93: Cryptography & Authentication - Colorado State University

Fingerprints for Biometric Authentication

● Very low false acceptance rate

✦ Typically 95–98% accurate
✦ Accuracy varies depending on gender, racial characteristics
● Relatively high false rejection rate
✦ Chemical residues may cause rejection
● Easy to use
● Fast, small storage requirement
● People handling rough materials, children require updating the database

Page 94: Cryptography & Authentication - Colorado State University

Retinal Patterns for Biometric Authentication

● Extremely low false acceptance rate

✦ Ethnicity and eye color can affect accuracy

● High rejection rate
● Fast, very small storage needed
● Very stable biometric
✦ Affected by certain diseases like blindness and cataract

Page 95: Cryptography & Authentication - Colorado State University

Facial Features for Biometric Authentication

● Still evolving technology; about 80% accurate
● Perspective, lighting, pose etc. affect authentication
● Comparatively larger space and computation overhead than fingerprints or retinal patterns

Page 96: Cryptography & Authentication - Colorado State University

Other Biometrics

● Keystroke timing for typing a password

✦ Requires no special hardware
✦ Can be used for generating secrets for other password based schemes
✦ Affected by network properties
✦ Timing can be used to make guessing passwords easier
● Hand geometry, hand vein patterns
● Voice recognition
✦ Ambient noise can affect authentication

Page 97: Cryptography & Authentication - Colorado State University

Password Based Authentication

Page 98: Cryptography & Authentication - Colorado State University

Passwords

● Commonly used method
● For each user, system stores in a password file < User name, F(password) >, where F is some transformation
✦ F(password) is easy to compute
✦ From F(password), the original password is difficult (ideally) to compute
● When a user enters the password, system computes F(password)
✦ A match provides proof of identity

Page 99: Cryptography & Authentication - Colorado State University

Simple Password Scheme

[Figure: simple password scheme. Labels: CLAIMANT TERMINAL, VERIFIER, Message, id, p', f, q', q, compare, Authentication OK or not]

Page 100: Cryptography & Authentication - Colorado State University

Choice of Passwords

● Suppose passwords can be from 1 to 8 characters in length
✦ Lower case English alphabets used
● Possible choices for passwords = $26^1 + 26^2 + \dots + 26^8 = 1.5 \times 10^{12}$
● At the rate of 1 password per millisecond, it will take about 150 years to test all passwords

Page 101: Cryptography & Authentication - Colorado State University

Probable Passwords

● In a Bell Labs study (Morris & Thompson 1979), 3,289 passwords were examined
✦ 15 single ASCII characters
✦ 72 two ASCII characters
✦ 464 three ASCII characters
✦ 477 four alphanumeric characters
✦ 706 five letters (all lower or all upper case)
✦ 605 six letters all lower case
✦ 492 weak passwords (dictionary words spelled backwards, first names, last names etc.)
● Summary: 2831 passwords (86%) were weak, that is, they were too easily predictable, or were too short

Page 102: Cryptography & Authentication - Colorado State University

Dictionary Attacks on Passwords

● The statistics haven’t changed much in later studies
● To improve upon the expected probability of success of an exhaustive search, an attacker may search the space of all possible passwords in order of decreasing probability

Page 103: Cryptography & Authentication - Colorado State University

Dictionary Attack on Simple Password Scheme

● Attacker constructs a table mapping values of q to values of p, ensuring, especially, that the table contains the most likely expected values for p
● Passively monitor large numbers of authentication attempts
✦ Can obtain with high degree of probability some passwords for some user

Page 104: Cryptography & Authentication - Colorado State University

Dictionary Attack (Case 1)

● Create a dictionary of common words and names and their simple transformations

✦ For example: indrajit −→ jndaitr

● Use these to guess the password

Page 105: Cryptography & Authentication - Colorado State University

Dictionary Attack (Case 2 – known F)

Page 106: Cryptography & Authentication - Colorado State University

Improved Password Scheme (#2)

[Figure: improved password scheme #2. Labels: CLAIMANT TERMINAL, VERIFIER, Message, id, p', f, q', q, compare, Authentication OK or not]

Page 107: Cryptography & Authentication - Colorado State University

Attack on Scheme #2

● Now we have stored password q = F(p, id)
● It is still possible to prepare the table of q values for password values but now only for one particular id.
● Suffers from verifier compromise
✦ Attacker gets the < id, q > pair and generates an authentication message request on the wire.

Page 108: Cryptography & Authentication - Colorado State University

Improved Scheme #3

[Figure: improved scheme #3. Labels: CLAIMANT TERMINAL, VERIFIER, Message, id, p', f, q', q, compare, Authentication OK or not]

Page 109: Cryptography & Authentication - Colorado State University

Scheme #3 ≡ UNIX Password

● Designed by Bob Morris and Ken Thompson to encrypt passwords in Unix
● Uses an extended DES algorithm for the password function F
● User password and salt are used as encryption key to encrypt
● Process is repeated 25 times
✦ ith encrypted block used as the plaintext for the (i + 1)th round

Page 110: Cryptography & Authentication - Colorado State University

Unix Crypt Algorithm

[Figure: Unix crypt algorithm. Labels: user password; truncate to 8 ASCII characters, pad with 0s if necessary; 56 bit key; data; Modified DES; 12 bit user salt initially taken from the system clock; I_1; next input I_i, 2 ≤ i; output O_i; O_25; repack 76 bits into eleven 7-bit characters; encrypted password]

Page 111: Cryptography & Authentication - Colorado State University

Password Salt

● Salt is used to make dictionary attack a bit more difficult
● Salt is a 12 bit number between 0 and 4095
● It is derived from the system clock and the process identifier
● Rather than computing F(password), compute F(password + salt); both salt and F(password + salt) are stored in the table
● With salt the same password can result in 4096 different values stored in the table.
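The three storage schemes above (q = F(p), q = F(p, id), and salted F) compared from the verifier's side, as an added Python example that is not part of the original tutorial. SHA-256 and PBKDF2-HMAC-SHA256 stand in for F (the slides use modified DES), and the accounts, guess list and function names are constructed for the illustration.

```python
import hashlib
import hmac
import os


def f_plain(password: str) -> bytes:
    """Scheme 1: q = F(p). SHA-256 stands in for F (assumption)."""
    return hashlib.sha256(password.encode()).digest()


def f_with_id(password: str, user_id: str) -> bytes:
    """Scheme 2: q = F(p, id)."""
    return hashlib.sha256(user_id.encode() + b"\x00" + password.encode()).digest()


def f_salted(password: str, salt: bytes, rounds: int = 50_000) -> bytes:
    """Scheme 3 idea with current primitives: iterated, salted F."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


# Constructed sample accounts; two users share one common password.
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "qx7!Vd-rumble-41"}
COMMON_GUESSES = ["password", "sunshine", "letmein"]


def build_files():
    """Return the password file as each scheme would store it."""
    plain = {u: f_plain(p) for u, p in USERS.items()}
    by_id = {u: f_with_id(p, u) for u, p in USERS.items()}
    salted = {}
    for u, p in USERS.items():
        salt = os.urandom(16)                 # per-user random salt
        salted[u] = (salt, f_salted(p, salt))
    return plain, by_id, salted


def exposed_accounts(stored_values: dict, table: set) -> list:
    """Accounts whose stored value appears in one precomputed table of F(guess)."""
    return sorted(u for u, q in stored_values.items() if q in table)


def verify(user: str, password: str, salted_file: dict) -> bool:
    """Login check against the salted file, with a constant-time comparison."""
    salt, q = salted_file[user]
    return hmac.compare_digest(q, f_salted(password, salt))


def salt12_variants(password: str) -> int:
    """Distinct stored values for one password over every 12 bit salt."""
    return len({f_salted(password, s.to_bytes(2, "big"), rounds=1)
                for s in range(4096)})
```

A single table of F(guess) exposes every account that uses a listed password under scheme 1, but matches nothing once the id or a salt is mixed in: the table would have to be rebuilt per id or per salt value.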

Page 112: Cryptography & Authentication - Colorado State University

Attack on Scheme #3

● Password in the clear on the network
✦ Vulnerable to eavesdropping
■ Serious concern on any network
✦ Also susceptible to replay attacks
■ Attacker eavesdrops on the communication channel and intercepts a legitimate authentication exchange
■ Attacker later replays the authentication exchange
■ Serious on interconnected networks

Page 113: Cryptography & Authentication - Colorado State University

Improved Password Scheme #4

[Figure: improved password scheme #4. Labels: CLAIMANT TERMINAL, VERIFIER, Message, id, p', f, q', g, r, r', compare, Authentication OK or not]

Page 114: Cryptography & Authentication - Colorado State University

Replay and Interception Attacks

Page 115: Cryptography & Authentication - Colorado State University

Replay on a Different Verifier

Page 116: Cryptography & Authentication - Colorado State University

Reflection Attack

Page 117: Cryptography & Authentication - Colorado State University

Man-in-the-Middle Attack

Page 118: Cryptography & Authentication - Colorado State University

Replay on the Same Verifier

Page 119: Cryptography & Authentication - Colorado State University

Improved Scheme 4

[Figure: improved scheme 4. Labels: CLAIMANT TERMINAL, VERIFIER, Message, id, p', f, q', q, nrv, g, r, r', compare, Authentication OK or not]
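Why a fixed authentication message can be replayed and a nonce-bound response cannot, as an added Python example that is not part of the original tutorial. It assumes that nrv in the figure denotes a nonce chosen by the verifier (a reading of the figure labels, not stated on the slide); SHA-256 and HMAC-SHA256 stand in for f and g, and the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def f(password: str, user_id: str) -> bytes:
    """q = f(p, id): the value the verifier stores (SHA-256 stands in for f)."""
    return hashlib.sha256(user_id.encode() + b"\x00" + password.encode()).digest()


def g(q: bytes, nonce: bytes) -> bytes:
    """r = g(q, nrv): response bound to one nonce (HMAC-SHA256 stands in for g)."""
    return hmac.new(q, nonce, hashlib.sha256).digest()


class StaticVerifier:
    """Fixed authentication message: the same bytes are valid on every login."""

    def __init__(self):
        self.db = {}

    def enroll(self, user_id, password):
        self.db[user_id] = f(password, user_id)

    def check(self, user_id, message):
        q = self.db.get(user_id)
        return q is not None and hmac.compare_digest(q, message)


class NonceVerifier:
    """Issues a fresh nonce per attempt and accepts each nonce at most once."""

    def __init__(self):
        self.db = {}
        self.pending = {}

    def enroll(self, user_id, password):
        self.db[user_id] = f(password, user_id)

    def challenge(self, user_id) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[user_id] = nonce
        return nonce

    def check(self, user_id, r):
        nonce = self.pending.pop(user_id, None)   # single use: removed on first check
        q = self.db.get(user_id)
        if nonce is None or q is None:
            return False
        return hmac.compare_digest(g(q, nonce), r)


def claimant_response(user_id, password, nonce):
    """Claimant terminal: q' = f(p', id), then r = g(q', nrv)."""
    return g(f(password, user_id), nonce)


def replay_demo():
    """Run one legitimate login per scheme, then resubmit the recorded message."""
    uid, pw = "alice", "constructed-passphrase-1"   # constructed sample account
    static = StaticVerifier()
    static.enroll(uid, pw)
    recorded = f(pw, uid)                            # message seen on the wire
    result = {"static_login": static.check(uid, recorded),
              "static_replay": static.check(uid, recorded)}

    nv = NonceVerifier()
    nv.enroll(uid, pw)
    r = claimant_response(uid, pw, nv.challenge(uid))
    result["nonce_login"] = nv.check(uid, r)
    result["nonce_replay_same_session"] = nv.check(uid, r)
    nv.challenge(uid)                                # verifier issues a new nonce
    result["nonce_replay_new_challenge"] = nv.check(uid, r)
    return result
```

In this sketch q is still password-equivalent: anyone who reads the verifier's table can compute g(q, nrv), which is the verifier-compromise weakness listed under Attack on Scheme #2.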

Page 120: Cryptography & Authentication - Colorado State University

One Time Passwords

Page 121: Cryptography & Authentication - Colorado State University

One Time Passwords

● Use a password exactly once
● Such schemes are safe from passive adversaries who eavesdrop and later attempt impersonation.
● Variations include
  ✦ Shared lists of one time passwords
  ✦ Sequentially updated one time passwords
  ✦ One time password sequences based on one-way functions

Page 122: Cryptography & Authentication - Colorado State University

Shared Lists of One Time Passwords


● User and system use a sequence of n secret passwords – each valid for a single authentication
● Drawback – maintenance of shared list
  ✦ Have to use passwords in exact sequence
  ✦ Otherwise system has to check password against all remaining unused passwords
  ✦ Not widely used

Page 123: Cryptography & Authentication - Colorado State University

Sequentially Updated One Time Passwords


● Initially only a single secret is shared
● During authentication, user creates and transmits a new password using the current password
  ✦ New password typically encrypted under a key derived from current password
● New password transmitted in current session, forms the password for the next session
● Method becomes difficult if communication failure occurs

Page 124: Cryptography & Authentication - Colorado State University

One Time Password Sequences


● User does not send new password every time; instead user and system compute next passwords locally
● Use one-way functions to compute passwords
● Improvement on Sequentially Updated One Time Passwords Scheme
  ✦ More efficient with respect to bandwidth

Page 125: Cryptography & Authentication - Colorado State University

Lamport’s One-Time Password Scheme


● Uses one-way hash function
● Relies on the fact that it is easier to compute the hash of a particular value than to compute the original value from the hashed value
  ✦ That is, $H(x)$ is easy to compute given $x$
  ✦ $H^{-1}(x)$ is difficult to compute given $H(x)$

Page 126: Cryptography & Authentication - Colorado State University

Lamport’s Scheme (continued)


● Notation: $H^t(x) = H(H^{t-1}(x))$
● User A begins with a secret $w$ and a one-way function $H$
● A constant $t$ is fixed – for example $t = 100$ or $1000$
  ✦ $t$ defines the number of identifications allowed
  ✦ The system has to be restarted thereafter with a new $w$
● A transfers (the initial shared secret) $w_0 = H^t(w)$ to the system; system initializes its counter for A to $i_A = 1$

Page 127: Cryptography & Authentication - Colorado State University

Lamport’s Scheme (continued)


● System stores (User name A, $H^t(w)$)
● The $i$th identification message, $1 \le i \le t$, is as follows:

A → system : $A, i, w_i \; (= H^{t-i}(w))$

  ✦ $H^{t-i}(w) = H(H^{t-i-1}(w))$
● A computes $H^{t-1}(w)$ the first time
● If authentication is correct, system replaces $H^t(w)$ by $H^{t-1}(w)$ and sets $i_A \leftarrow i_A + 1$
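Lamport's scheme from the slides above, carried through for every identification i = 1..t and for a replayed message. This is an added example, not part of the original tutorial; SHA-256 as H and the names Claimant, System and demo are assumptions of the example.

```python
import hashlib
import hmac


def H(x: bytes) -> bytes:
    """One-way function H (SHA-256 is this example's choice, not the slides')."""
    return hashlib.sha256(x).digest()


def H_pow(x: bytes, n: int) -> bytes:
    """H^n(x): apply H to x n times; H^0(x) = x."""
    for _ in range(n):
        x = H(x)
    return x


class Claimant:
    """User A: keeps the secret w and derives w_i = H^(t-i)(w) on demand."""

    def __init__(self, name: str, w: bytes, t: int):
        self.name, self.w, self.t = name, w, t
        self.i = 1  # index of the next identification, 1 <= i <= t

    def initial_value(self) -> bytes:
        return H_pow(self.w, self.t)  # w_0 = H^t(w), handed over at setup

    def message(self):
        if self.i > self.t:
            raise RuntimeError("chain used up: restart with a new w")
        return self.name, self.i, H_pow(self.w, self.t - self.i)

    def accepted(self) -> None:
        self.i += 1  # advance only once the system has confirmed the login


class System:
    """Verifier: stores (name, last accepted value, i_A), never w itself."""

    def __init__(self):
        self.table = {}

    def enroll(self, name: str, w0: bytes) -> None:
        self.table[name] = [w0, 1]

    def verify(self, name: str, i: int, w_i: bytes) -> bool:
        entry = self.table.get(name)
        if entry is None or i != entry[1]:
            return False  # unknown user, or counter out of step
        if not hmac.compare_digest(H(w_i), entry[0]):
            return False  # H(w_i) must equal the stored w_(i-1)
        entry[0], entry[1] = w_i, i + 1  # replace stored value, i_A <- i_A + 1
        return True


def demo():
    """Run t = 3 logins, then replay the first one; returns the outcomes."""
    a = Claimant("A", b"constructed secret w", t=3)
    system = System()
    system.enroll("A", a.initial_value())
    outcomes, captured = [], None
    for _ in range(3):
        msg = a.message()
        captured = captured or msg             # eavesdropper records login 1
        outcomes.append(system.verify(*msg))
        a.accepted()
    outcomes.append(system.verify(*captured))  # replay of login 1 is rejected
    return outcomes


if __name__ == "__main__":
    print(demo())
```

With this indexing the t-th message carries $w_t = H^0(w) = w$ itself, which is why the system has to be restarted with a new $w$ after t identifications.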

Page 128: Cryptography & Authentication - Colorado State University

Lamport’s Scheme (continued)


Page 129: Cryptography & Authentication - Colorado State University

Time Synchronized Schemes


[Figure: Hand Held Authenticator. Labels: Secret Key, Time, f(S,t), One Time Password.]

Page 130: Cryptography & Authentication - Colorado State University

Time Synchronized Scheme


● A hand-held authenticator is used
  ✦ It contains an internal clock, a secret key and a display
  ✦ Display outputs a function (DES / one-way function) of the current time and the key
  ✦ Current time is in minutes, rather than seconds, so the value changes about once per minute

Page 131: Cryptography & Authentication - Colorado State University

Time Synchronized Scheme (continued)


● User supplies the user-id and the display value
● System uses the secret key, the one-way function and its clock to calculate the expected output – login is valid if values match
● Clocks need to be synchronized
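The time synchronized scheme above as a runnable sketch, showing what the synchronization requirement means on the verifier side: a token whose clock runs slow and a display value replayed within the same minute. This is an added example, not the tutorial's code; HMAC-SHA256 as f, the one-step drift allowance, the per-user record of the last accepted step and all names are assumptions of the example.

```python
import hashlib
import hmac
import struct

STEP = 60   # seconds per time step: "current time is in minutes"
DRIFT = 1   # clock drift tolerated, in steps (assumption of this example)


def f(secret: bytes, step: int, digits: int = 6) -> str:
    """f(S, t): display value for time step t under secret key S."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class Authenticator:
    """Hand-held token: secret key plus its own, possibly drifting, clock."""

    def __init__(self, secret: bytes, clock_offset: int = 0):
        self.secret, self.clock_offset = secret, clock_offset

    def display(self, true_time: int) -> str:
        return f(self.secret, (true_time + self.clock_offset) // STEP)


class System:
    """Verifier: recomputes f(S, t) from its own clock and compares."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.last_step = {}  # user-id -> newest time step already accepted

    def login(self, user: str, value: str, now: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        current = now // STEP
        for step in range(current - DRIFT, current + DRIFT + 1):
            if step <= self.last_step.get(user, -1):
                continue  # this step's value was already used once
            if hmac.compare_digest(f(secret, step).encode(), value.encode()):
                self.last_step[user] = step
                return True
        return False


def demo():
    """Constructed timeline; returns the outcome of four login attempts."""
    secret = b"constructed shared key S"
    system = System({"alice": secret})
    token = Authenticator(secret, clock_offset=-50)  # token runs 50 s slow
    t0 = 1_000_000 * STEP
    v1 = token.display(t0 + 55)
    v2 = token.display(t0 + 130)  # token is one step behind the system here
    return [
        system.login("alice", v1, t0 + 55),    # accepted
        system.login("alice", v1, t0 + 58),    # same value replayed: rejected
        system.login("alice", v2, t0 + 130),   # accepted within the drift window
        system.login("alice", v2, t0 + 600),   # stale value: rejected
    ]


if __name__ == "__main__":
    print(demo())
```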

Page 132: Cryptography & Authentication - Colorado State University

Challenge Response Schemes


● A non-repeating challenge from the system is used instead of the clock

[Figure: Workstation and Verifier communicating over the Network. Messages shown: User ID, Challenge, Response.]

Page 133: Cryptography & Authentication - Colorado State University

Non Repeating Values


● Ensures that an attempt to replay an earlier authentication exchange will be detected
● Potential sources:
  ✦ Sequence numbers – claimant and verifier agree upon policy to generate sequence numbers
  ✦ Time stamps – clocks need to be synchronized to at least within a window

Page 134: Cryptography & Authentication - Colorado State University

Non Repeating Values (continued)


● Time stamps
  ✦ To guarantee uniqueness, verifier needs to buffer copies of all messages received within window
● Random value (or nonce) sent previously from the verifier

Page 135: Cryptography & Authentication - Colorado State University

Improved Password Scheme #6


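[Figure: Improved Password Scheme #6, block diagram of the exchange between CLAIMANT TERMINAL and VERIFIER. Recoverable labels: id, p', f, r', nrv, g, q', Message, Response, r, q, compare, Authentication OK or not.]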

Page 136: Cryptography & Authentication - Colorado State University

Hand Held Password Generator


[Figure: Hand Held Password Generator. Recoverable labels: A (user), User PIN entered, Token / Password Generator A (PIN, S), Secret Key, f(PIN,S,e), System, challenge generator, f(PIN,S,e), =, yes, no, Accept, Reject. Messages: A (login request), e (challenge), y (response).]

Page 137: Cryptography & Authentication - Colorado State University

Mutual Authentication


Page 138: Cryptography & Authentication - Colorado State University

Mutual Authentication


Page 139: Cryptography & Authentication - Colorado State University

Mutual Authentication


● Problem – How to share key
  ✦ This is more critical than in the case of secret key based encryption schemes because authentication is a more fundamental issue
● Solution – Mediated Authentication
  ✦ Secret key based – Needham-Schroeder and Kerberos
  ✦ Public key based – X.509

Page 140: Cryptography & Authentication - Colorado State University

Secret Key Based Mediated Authentication


Page 141: Cryptography & Authentication - Colorado State University

Needham-Schroeder Protocol


Message 1: Alice → TP: $A, B, N_A$

Message 2: TP → Alice: $\{N_A, B, K_{AB}, \{K_{AB}, A\}_{K_{BS}}\}_{K_{AS}}$

Message 3: Alice → Bob: $\{K_{AB}, A\}_{K_{BS}}$

Message 4: Bob → Alice: $\{N_B\}_{K_{AB}}$

Message 5: Alice → Bob: $\{N_B - 1\}_{K_{AB}}$

Page 142: Cryptography & Authentication - Colorado State University

Kerberos – Improved Needham-Schroeder


● Designed as part of Project Athena at MIT
● Provides the means of authenticating workstation users (clients) to server and sharing a session key
● Uses the ticket approach
  ✦ Client authenticates itself to an authentication server
  ✦ Authentication Server gives ticket to client
  ✦ Client uses ticket to get authenticated

Page 143: Cryptography & Authentication - Colorado State University

Notation


Symbol used          What it means
c                    client principal
s                    server principal
KDC                  Kerberos server
TGS                  Ticket granting server
$K_x$                private key of x
$K_{c,s}$            session key for c & s
$\{info\}_{K_x}$     string info encrypted in $K_x$
$T_{c,s}$            ticket for c to use s
$A_c$                authenticator for c
addr                 client's IP address

Page 144: Cryptography & Authentication - Colorado State University

Notation (continued)


Message in network                       Structure of message
$T_{c,s}$ – ticket for c to use s        $\{s, c, addr, timestamp, lifetime, K_{c,s}\}$
$A_c$ – authenticator for c              $\{c, addr, timestamp\}$

Page 145: Cryptography & Authentication - Colorado State University

Kerberos Protocol


[Figure: Kerberos protocol message flow between Client, KDC, TGS and Server, with the messages numbered 1 to 5.]

Page 146: Cryptography & Authentication - Colorado State University

MS Windows Authentication


● Based on Kerberos V5
  ✦ 128 bit RC4-HMAC
  ✦ 56 bit DES-CBC-CRC
  ✦ 56 bit DES-CBC-MD5
● Has extensions for using public-key certificates

Page 147: Cryptography & Authentication - Colorado State University

Windows SSPI Architecture


Page 148: Cryptography & Authentication - Colorado State University

Certificate Based Authentication Protocols


Page 149: Cryptography & Authentication - Colorado State University

X.509 – Directory Authentication Service


● Part of CCITT X.500 directory services
● Defines framework for authentication services
● Directory may store public-key certificates
● Uses public-key cryptography and digital signatures
● Algorithms not standardised but RSA is recommended
● Does not require physically secured on-line servers – Advantage over Kerberos

Page 150: Cryptography & Authentication - Colorado State University

Symbols Used


● $E_x\{\}$: indicates encryption of a sequence of data values under the public key of party $x$
● $S_x\{\}$: indicates a sequence of data values together with a signature over those values, using the private key of party $x$
● $ts_{xy}$: a current time-stamp generated by party $x$ to assist party $y$ in detecting replayed messages (may contain both generation and expiry date/time for the message conveying it)
● $nrv_{xy}$: a non-repeating value sent by party $x$ to assist party $y$ in detecting replayed messages
● $key_{xy}$: a secret key generated by $x$ to be used in protecting subsequent communications between $x$ and $y$

Page 151: Cryptography & Authentication - Colorado State University

X.509 Authentication Exchange


[Figure: X.509 authentication exchange. Labels: Alice, Bob, Message 1, Message 2, Optional Message 3, X.509 Server, Public-key certificate distribution.]

Page 152: Cryptography & Authentication - Colorado State University

X.509 Authentication Exchange


Message 1:

$A, S_A\{ts_{AB}, nrv_{AB}, B, E_B\{key_{AB}\}\}$

● The field $E_B\{key_{AB}\}$ is optional
● B verifies A's signature, checks that the identifier B in the message is correct, checks that the time-stamp is current and (optionally if an effective non-repeating value procedure is in use) checks the non-repeating value as protection against replay
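The checks B applies to Message 1, combined with the time-stamp window and buffer from the Non Repeating Values slides, as an added example that is not part of the original tutorial. An HMAC under a constructed per-sender key stands in for A's public-key signature so the code runs with the standard library alone; the 120 second window, the JSON encoding and all names are assumptions of the example.

```python
import hashlib
import hmac
import json

WINDOW = 120  # seconds a time-stamp counts as "current" (assumed value)


def sign(key: bytes, fields: dict) -> str:
    """Stand-in for S_A{...}: HMAC-SHA256 over the canonical JSON of the fields."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def message1(sender: str, recipient: str, key: bytes, ts: int, nrv: str) -> dict:
    """A, S_A{ts_AB, nrv_AB, B} without the optional E_B{key_AB} field."""
    fields = {"ts": ts, "nrv": nrv, "to": recipient}
    return {"from": sender, "fields": fields, "sig": sign(key, fields)}


class Recipient:
    """Party B: runs the checks and buffers nrv values seen inside the window."""

    def __init__(self, name: str, peer_keys: dict, window: int = WINDOW):
        self.name, self.peer_keys, self.window = name, peer_keys, window
        self.seen = {}  # (sender, nrv) -> last moment the time-stamp is current

    def check(self, msg: dict, now: int) -> str:
        # Older entries can be dropped: the time-stamp check rejects them anyway.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        key = self.peer_keys.get(msg.get("from"))
        fields = msg.get("fields")
        if key is None or not isinstance(fields, dict):
            return "unknown sender"
        sig = str(msg.get("sig")).encode()
        if not hmac.compare_digest(sign(key, fields).encode(), sig):
            return "bad signature"
        if fields.get("to") != self.name:
            return "wrong recipient"
        ts = fields.get("ts")
        if not isinstance(ts, int) or abs(now - ts) > self.window:
            return "stale time-stamp"
        tag = (msg["from"], str(fields.get("nrv")))
        if tag in self.seen:
            return "replay"
        self.seen[tag] = ts + self.window
        return "ok"


def demo():
    """Constructed messages; returns B's verdicts and the final buffer size."""
    key_a = b"constructed key for A"
    bob = Recipient("B", {"A": key_a})
    m = message1("A", "B", key_a, ts=1000, nrv="n-0001")
    to_c = message1("A", "C", key_a, ts=1000, nrv="n-0002")
    forged = dict(m, fields=dict(m["fields"], nrv="n-0003"))
    return [
        bob.check(m, now=1010),       # first delivery
        bob.check(m, now=1050),       # same message inside the window
        bob.check(to_c, now=1050),    # signed by A but addressed to C
        bob.check(forged, now=1050),  # nrv changed after signing
        bob.check(m, now=1121),       # same message after the window
        len(bob.seen),                # buffer has been emptied again
    ]


if __name__ == "__main__":
    print(demo())
```

The buffer only has to hold values whose time-stamp is still inside the window, which is what keeps the nrv check bounded in memory.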

Page 153: Cryptography & Authentication - Colorado State University

X.509 Authentication Exchange


Message 2:

$S_B\{ts_{BA}, nrv_{BA}, A, nrv_{AB}, E_A\{key_{BA}\}\}$

● The field $E_A\{key_{BA}\}$ is optional
● A performs the corresponding set of actions

Optional Message 3: The first two messages are identical except that the time-stamps are not conveyed. The third message is

$S_A\{B, nrv_{BA}\}$

Page 154: Cryptography & Authentication - Colorado State University

LOCKOut Fortezza Authentication Protocol


● Fortezza is a PCMCIA card developed by the NSA to provide general purpose cryptographic capabilities
  ✦ Has built in implementation for SHA and DSS among other features
  ✦ Tamper evident
● Computes hash functions and digital signatures for authentication

Page 155: Cryptography & Authentication - Colorado State University

LOCKOut Fortezza Authentication


Page 156: Cryptography & Authentication - Colorado State University

Bibliography
