CSE331:Introduction to Networksand Security

Lectures 26 & 27

Fall 2002

CSE331 Fall 2002 2

Announcements

• Project 3 is due on Nov. 18th

CSE331 Fall 2002 3

Primary Attacks

• Impersonation.• Replay.• Interleaving.• Reflection.• Forced delay.• Chosen plaintext.

CSE331 Fall 2002 4

Primary Controls

• Replay: use of challenge-response techniques and embedding target identity in response.

• Interleaving: link messages in a run with chained nonces.

• Reflection: embed identifier of target party in challenge response, use asymmetric message formats, use uni-directional keys.

CSE331 Fall 2002 5

Primary Controls, continued

• Chosen text: embed self-chosen random numbers (“confounders”) in responses, use “zero knowledge” techniques.

• Forced delays: use random numbers with short timeouts, use timestamps with other techniques.

CSE331 Fall 2002 6

Multiple Use of Keys

• There are risks in using keys for multiple purposes.

• Using an RSA key for both entity authentication and signatures may allow a chosen-text attack.

• B attacker/verifier, rB=H(M) for some message M.– B -> A: rB– A -> B: B, EA(rB)– B(A) -> C: M, EA(H(M))

B, pretending to be A

CSE331 Fall 2002 7

Effective Control

• Notice how the protocol described earlier foils this. Here’s the protocol:– B -> A: rB

– A -> B: rA, B, SA(rA, rB, B)

• Here’s what happens:– B -> A: rB– A -> B: rA, B, EA(rA, rB, B)– B(A) -> C: M, EA(rA, H(M), B)– C finds that EA(rA, H(M), B) EA(H(M)) and

rejects the signature.

CSE331 Fall 2002 8

Usurpation Attacks

• Identification protocols provide assurances corroborating the identity of an entity only at a given instant in time.

• Techniques to assure ongoing authenticity:– Periodic re-identification.– Tying identification to an ongoing integrity service.

For example: key establishment and encryption.

CSE331 Fall 2002 9

Key Establishment

• Symmetric keys.– Point-to-Point.– Needham-Schroeder.– Kerberos.

• Asymmetric keys.– X.509 key establishment.– Attack example.– Station To Station (STS) protocol.– Bellovin-Merritt protocol.

CSE331 Fall 2002 10

Symmetric Keys

• Key establishment using only symmetric keys requires use of pre-distribution keys to get things going.

• These can be based on:– Point to point distribution, or– Key Distribution Center (KDC).

CSE331 Fall 2002 11

Point-to-Point

• Timestamp.– A -> B : E(K, (k, t, B))

• Nonce.– B -> A : r– A -> B : E(K, (k, r, B))

Session Key

ISO/IEC 11770-2

CSE331 Fall 2002 12

Key Distribution Center

CSE331 Fall 2002 13

Distribution Center Setup

• A wishes to communicate with B.• T is a trusted third party that provides session

keys.

• T has a key KAT in common with A and a key KBT in common with B.

• A authenticates T using a nonce rA and obtains a session key from T.

• A authenticates to B and transports the session key securely.

CSE331 Fall 2002 14

Needham-Schroeder

1. A -> T : A, B, rA

2. T -> A : E( KAT, (k, rA, B, E( KBT, (k, A)) ))

A decrypts with KAT and checks rA and B. Holds k for future correspondence with B.

3. A -> B : E( KBT, (k, A))

B decrypts with KBT.

4. B -> A : E(k, rB)A decrypts with k.

5. A -> B : E(k, rB – 1)B checks rB-1.

CSE331 Fall 2002 15

Attack Scenario 1

1. A -> T : A, B, rA

2. T -> C (A) : E( KAT, (k, rA, B, E( KBT, (k, A)) ))

C is unable to decrypt the message to A; passing it along unchanged does no harm. Any change will be detected by A.

CSE331 Fall 2002 16

Attack Scenario 2

1. A -> C (T) : A, B, rA

2. C (A) -> T : A, C, rA

3. T -> A : E( KAT, (k, rA, C, E( KCT, (k, A)) ))

Rejected by A because C rather than B.

CSE331 Fall 2002 17

Attack Scenario 3

1. A -> C (T) : A, B, rA

2. C -> T : C, B, rA

3. T -> C : E( KCT, (k, rA, B, E( KBT, (k, C)) ))

4. C (T) -> A : E( KCT, (k, rA, B, E( KBT, (k, C)) ))

A is unable to decrypt the message.

CSE331 Fall 2002 18

Attack Scenario 4

1. C -> T : C, B, rA

2. T -> C : E( KCT, (k, rA, B, E( KBT, (k, C)) ))

3. C (A) -> B : E( KBT, (k, C))

B will see that the purported origin (A) does not match the identity indicated by the distribution center.

CSE331 Fall 2002 19

Kerberos Setup

• A,T,B, shared keys KAT, KBT as in distribution center.

• Nonce rA generated by A.• Trusted synchronous clocks for generating a

time t and checking expiration of a lifetime L.

CSE331 Fall 2002 20

Kerberos Messages

1. A -> T : A, B, rA

2. T -> A : E( KBT, (k, A, L)), E( KAT, (k, rA, L, B))

3. A -> B : E( KBT, (k, A, L)), E( k, (A, t))

4. B -> A : E(k, t)

Ticket

Authenticator

CSE331 Fall 2002 21

Kerberos Actions

1. A -> T : A, B, rA

2. T -> A : E( KBT, (k, A, L)), E( KAT, (k, rA, L, B))

Decrypt using KAT, check rA, B, and hold L for future reference.

3. A -> B : E( KBT, (k, A, L)), E( k, (A, t))

Decrypt the ticket using KBT to get the session key and lifetime. Use the session key to decrypt the authenticator. Check A, t, L.

4. B -> A : E(k, t)Check t.

CSE331 Fall 2002 22

Asymmetric Key Exchange

• X.509 key establishment.• Impersonation case study.• STS.• Bellovin-Merritt protocol.

CSE331 Fall 2002 23

X.509 Key Establishment Setup

• X.509 is part of the X.500 series of ISO/IEC standards.

• certA and certB are certificates for the public keys of A and B.

• A has encryption function EA and signature function SA. B has signature function SB.

• rA and rB are nonces.• LA and LB are lifetimes (validity periods).

CSE331 Fall 2002 24

X.509 Key Est. Messages

• Let DA = EB(k), rA, LA, A.• Let DB = rB, LB, rA, A• Two messages:

1. A -> B : certA, DA, SA(DA)Check that the nonce rA has not been seen, and is not expired according to LA. Remember it for its lifetime LA.

2. B -> A : certB, DB, SB(DB)Check the rA and A. Check that rB has not been seen and is not expired according to LB.

CSE331 Fall 2002 25

X.509 Variant

• X.509 supports several variants on the previously-described protocol.

• Let DA = EB(kA), rA, LA, A.• Let DB = EA(kB), rB, LB, rA, A• Two messages:

1. A -> B : certA, DA, SA(DA)

2. B -> A : certB, DB, SB(DB)Both A and B compute a session key f(kA, kB) as a function of subkeys supplied by A and B.

CSE331 Fall 2002 26

Impersonation Case Study

CSE331 Fall 2002 27

Protocol X

1. A -> T : A, B

2. T -> A : ST(EB, B)

3. A -> B : EB(kA, A)

4. B -> T : B, A

5. T -> B : ST(EA, A)

6. B -> A : EA(kA, kB)– Check kA. Calculate session key as f(kA,kB).

7. A -> B : EB(kB)– Check kB. Calculate session key as f(kA,kB).

CSE331 Fall 2002 28

Interleaving Attack on Protocol X

• An interleaving attack on this protocol is possible.

• An adversary C convinces:– A that he is talking to C using session key

k = f(kA, kB).– B that his is talking to A using session key k.

• C has access to the key k and can use it to decrypt the responses that B makes to A.

CSE331 Fall 2002 29

Compromise Scenario

• B, C are taxpayers. A is the IRS.• A contacts C, (presumably) authenticates and

sets up a session key k. C uses the interleaving attack with B.

• B now thinks he is talking to the IRS.• C answers questions directed to him by the

IRS.• Meanwhile C, pretending to be IRS, asks B

for information about his income for the last 5 years.

CSE331 Fall 2002 30

What Went Wrong?

• Entity authentication: determining who you are talking to.

• Key establishment: settling on a shared session key.

• Protocol X admits an interleaving attack that allows an adversary to exploit entity authentication and then step in to exploit key establishment.