CSE331: Introduction to Networks and Security Lectures 26 & 27 Fall 2002.
-
date post
19-Dec-2015 -
Category
Documents
-
view
216 -
download
0
Transcript of CSE331: Introduction to Networks and Security Lectures 26 & 27 Fall 2002.
CSE331 Fall 2002 3
Primary Attacks
• Impersonation.• Replay.• Interleaving.• Reflection.• Forced delay.• Chosen plaintext.
CSE331 Fall 2002 4
Primary Controls
• Replay: use of challenge-response techniques and embedding target identity in response.
• Interleaving: link messages in a run with chained nonces.
• Reflection: embed identifier of target party in challenge response, use asymmetric message formats, use uni-directional keys.
CSE331 Fall 2002 5
Primary Controls, continued
• Chosen text: embed self-chosen random numbers (“confounders”) in responses, use “zero knowledge” techniques.
• Forced delays: use random numbers with short timeouts, use timestamps with other techniques.
CSE331 Fall 2002 6
Multiple Use of Keys
• There are risks in using keys for multiple purposes.
• Using an RSA key for both entity authentication and signatures may allow a chosen-text attack.
• B attacker/verifier, rB=H(M) for some message M.– B -> A: rB– A -> B: B, EA(rB)– B(A) -> C: M, EA(H(M))
B, pretending to be A
CSE331 Fall 2002 7
Effective Control
• Notice how the protocol described earlier foils this. Here’s the protocol:– B -> A: rB
– A -> B: rA, B, SA(rA, rB, B)
• Here’s what happens:– B -> A: rB– A -> B: rA, B, EA(rA, rB, B)– B(A) -> C: M, EA(rA, H(M), B)– C finds that EA(rA, H(M), B) EA(H(M)) and
rejects the signature.
CSE331 Fall 2002 8
Usurpation Attacks
• Identification protocols provide assurances corroborating the identity of an entity only at a given instant in time.
• Techniques to assure ongoing authenticity:– Periodic re-identification.– Tying identification to an ongoing integrity service.
For example: key establishment and encryption.
CSE331 Fall 2002 9
Key Establishment
• Symmetric keys.– Point-to-Point.– Needham-Schroeder.– Kerberos.
• Asymmetric keys.– X.509 key establishment.– Attack example.– Station To Station (STS) protocol.– Bellovin-Merritt protocol.
CSE331 Fall 2002 10
Symmetric Keys
• Key establishment using only symmetric keys requires use of pre-distribution keys to get things going.
• These can be based on:– Point to point distribution, or– Key Distribution Center (KDC).
CSE331 Fall 2002 11
Point-to-Point
• Timestamp.– A -> B : E(K, (k, t, B))
• Nonce.– B -> A : r– A -> B : E(K, (k, r, B))
Session Key
ISO/IEC 11770-2
CSE331 Fall 2002 13
Distribution Center Setup
• A wishes to communicate with B.• T is a trusted third party that provides session
keys.
• T has a key KAT in common with A and a key KBT in common with B.
• A authenticates T using a nonce rA and obtains a session key from T.
• A authenticates to B and transports the session key securely.
CSE331 Fall 2002 14
Needham-Schroeder
1. A -> T : A, B, rA
2. T -> A : E( KAT, (k, rA, B, E( KBT, (k, A)) ))
A decrypts with KAT and checks rA and B. Holds k for future correspondence with B.
3. A -> B : E( KBT, (k, A))
B decrypts with KBT.
4. B -> A : E(k, rB)A decrypts with k.
5. A -> B : E(k, rB – 1)B checks rB-1.
CSE331 Fall 2002 15
Attack Scenario 1
1. A -> T : A, B, rA
2. T -> C (A) : E( KAT, (k, rA, B, E( KBT, (k, A)) ))
C is unable to decrypt the message to A; passing it along unchanged does no harm. Any change will be detected by A.
CSE331 Fall 2002 16
Attack Scenario 2
1. A -> C (T) : A, B, rA
2. C (A) -> T : A, C, rA
3. T -> A : E( KAT, (k, rA, C, E( KCT, (k, A)) ))
Rejected by A because C rather than B.
CSE331 Fall 2002 17
Attack Scenario 3
1. A -> C (T) : A, B, rA
2. C -> T : C, B, rA
3. T -> C : E( KCT, (k, rA, B, E( KBT, (k, C)) ))
4. C (T) -> A : E( KCT, (k, rA, B, E( KBT, (k, C)) ))
A is unable to decrypt the message.
CSE331 Fall 2002 18
Attack Scenario 4
1. C -> T : C, B, rA
2. T -> C : E( KCT, (k, rA, B, E( KBT, (k, C)) ))
3. C (A) -> B : E( KBT, (k, C))
B will see that the purported origin (A) does not match the identity indicated by the distribution center.
CSE331 Fall 2002 19
Kerberos Setup
• A,T,B, shared keys KAT, KBT as in distribution center.
• Nonce rA generated by A.• Trusted synchronous clocks for generating a
time t and checking expiration of a lifetime L.
CSE331 Fall 2002 20
Kerberos Messages
1. A -> T : A, B, rA
2. T -> A : E( KBT, (k, A, L)), E( KAT, (k, rA, L, B))
3. A -> B : E( KBT, (k, A, L)), E( k, (A, t))
4. B -> A : E(k, t)
Ticket
Authenticator
CSE331 Fall 2002 21
Kerberos Actions
1. A -> T : A, B, rA
2. T -> A : E( KBT, (k, A, L)), E( KAT, (k, rA, L, B))
Decrypt using KAT, check rA, B, and hold L for future reference.
3. A -> B : E( KBT, (k, A, L)), E( k, (A, t))
Decrypt the ticket using KBT to get the session key and lifetime. Use the session key to decrypt the authenticator. Check A, t, L.
4. B -> A : E(k, t)Check t.
CSE331 Fall 2002 22
Asymmetric Key Exchange
• X.509 key establishment.• Impersonation case study.• STS.• Bellovin-Merritt protocol.
CSE331 Fall 2002 23
X.509 Key Establishment Setup
• X.509 is part of the X.500 series of ISO/IEC standards.
• certA and certB are certificates for the public keys of A and B.
• A has encryption function EA and signature function SA. B has signature function SB.
• rA and rB are nonces.• LA and LB are lifetimes (validity periods).
CSE331 Fall 2002 24
X.509 Key Est. Messages
• Let DA = EB(k), rA, LA, A.• Let DB = rB, LB, rA, A• Two messages:
1. A -> B : certA, DA, SA(DA)Check that the nonce rA has not been seen, and is not expired according to LA. Remember it for its lifetime LA.
2. B -> A : certB, DB, SB(DB)Check the rA and A. Check that rB has not been seen and is not expired according to LB.
CSE331 Fall 2002 25
X.509 Variant
• X.509 supports several variants on the previously-described protocol.
• Let DA = EB(kA), rA, LA, A.• Let DB = EA(kB), rB, LB, rA, A• Two messages:
1. A -> B : certA, DA, SA(DA)
2. B -> A : certB, DB, SB(DB)Both A and B compute a session key f(kA, kB) as a function of subkeys supplied by A and B.
CSE331 Fall 2002 27
Protocol X
1. A -> T : A, B
2. T -> A : ST(EB, B)
3. A -> B : EB(kA, A)
4. B -> T : B, A
5. T -> B : ST(EA, A)
6. B -> A : EA(kA, kB)– Check kA. Calculate session key as f(kA,kB).
7. A -> B : EB(kB)– Check kB. Calculate session key as f(kA,kB).
CSE331 Fall 2002 28
Interleaving Attack on Protocol X
• An interleaving attack on this protocol is possible.
• An adversary C convinces:– A that he is talking to C using session key
k = f(kA, kB).– B that his is talking to A using session key k.
• C has access to the key k and can use it to decrypt the responses that B makes to A.
CSE331 Fall 2002 29
Compromise Scenario
• B, C are taxpayers. A is the IRS.• A contacts C, (presumably) authenticates and
sets up a session key k. C uses the interleaving attack with B.
• B now thinks he is talking to the IRS.• C answers questions directed to him by the
IRS.• Meanwhile C, pretending to be IRS, asks B
for information about his income for the last 5 years.
CSE331 Fall 2002 30
What Went Wrong?
• Entity authentication: determining who you are talking to.
• Key establishment: settling on a shared session key.
• Protocol X admits an interleaving attack that allows an adversary to exploit entity authentication and then step in to exploit key establishment.