Security of Systems and Networks
November 19, Lecture 7: Authentication & Kerberos
Jaap van Ginkel
Authentication
SNE SSN
The problem illustrated
Thanks to Ton Verschuren
Terminology
• Identification: (“who are you?”)
• Authentication: (“prove it!”) (AUTHN)
• Authorization: (“these you can do”) (AUTHZ)
• Different levels of authentication:
– Weak (something you know)
– Strong (something you have and something you know)
– Biometrics (something you are)
Examples
• Something you Know
– Password
– Address/birthday combination
– PIN code
• Something you Have
– Key
– Bank card
– Driver’s license
– Letter
• Something you Are
– Fingerprint
– DNA profile
– Iris print
User name / Password
• Weak authentication
• User friendly
– Works everywhere
• Very common
• Alternatives difficult
• Extended life span
– Awareness
– Safe implementation
Common passwords (password, number of occurrences)
• 123456 (1375)
• Ficken (404)
• 12345 (367)
• Hallo (362)
• 123456789 (260)
• Schatz (253)
• 12345678 (215)
Chocolate passwords
• 2004 research at Liverpool Street Station
o 70% gave up their password for chocolate
o http://news.bbc.co.uk/2/hi/technology/3639679.stm
Alternatives
Passfaces
Passclicks
http://labs.mininova.org/passclicks/
But where do people click?
Certificate based
• Public Key Infrastructure
• X.509 certificates
• Open standard
• Can be used in strong authentication
• Complex for end user
• High cost
• Used for server side authentication
• Wide support
Smart cards
• Not many successful implementations
– Card reader
– Logistics
– Expensive
• Standardisation poor
USB Tokens
• Smartcard with reader
SecurID
• One time pad
• Pin code
• Easy to integrate
• Clock sync
One Time Pads
• Maurits van der Schee
WEBISO
• Web Initial Sign-on
• Framework and architecture
• Broad support
Athens
• British
• 1996
• Aimed at libraries
• Health sector
• Very successful
– Millions of users
• Migrated to Shibboleth / SAML 2.0
PAPI
• Spanish initiative
• In production
• Proven inter-organisational
• Reasonable support
• Moving to SAML
Pubcookie
• University of Washington
• Closely resembles A-Select
• Broad support
A-Select
• Dutch initiative
• SURFnet
• No open source
• Many platforms
• Strong authentication with Niegefoon and Niegebach
• DigiD
Shibboleth
• Scheveningen
• Lollapalooza
• Internet2 middleware initiative
• Good architecture
• Focus on privacy
Shibboleth
What is Shibboleth?
• Internet2/MACE project (open source)
• “inter-institutional” authorization for web resources
• Authorization with privacy
• User data remains local
• More control to user and home organization
• More control for publishers
Crossing the Jordan
• Pronunciation password
• War between Ephraimites and Gileadites
• Bible: Judges 12:1-15
• 42,000 were killed
Old and New
• Then they said to him: Say now Shibboleth; but he said Sibboleth, for he could not pronounce it right; then they seized him and slew him at the fords of the Jordan, and at that time forty-two thousand of Ephraim fell.
• …………
Under embargo until 17:00
……….
Shibboleth terminology
Components:
1. Shibboleth Indexical Reference Establisher (SHIRE)
2. Handle Service (HS)
3. Where Are You From (WAYF)
4. Authentication System (AS)
5. Shibboleth Attribute Requestor (SHAR)
6. Resource Manager (RM)

1. Security Assertion Markup Language (SAML)
2. Attribute Release Policies (ARP)
3. Attribute Acceptance Policies (AAP)

Shibboleth Architecture
Shibboleth: access to Science Direct
(Figure: numbered message sequence, translated from Dutch. Elsevier side: Science Direct with SHIRE, SHAR and Resource Manager. UvA side: Handle Service (HS), User DB and Attribute Authority (AA). The WAYF sits between them.)
• The user at UvA requests a resource from Science Direct (Elsevier).
• SHIRE: “I don’t know you; which organisation are you actually from?”
• WAYF: “Tell me where you come from.”
• WAYF: “OK, I’ll send the request to the Handle Service of your organisation.”
• HS: “I don’t know you; can you authenticate first?”
• Credentials are checked against the User DB.
• HS: “OK, now I know you. I forward your request with a handle.”
• SHIRE passes the handle to the SHAR.
• SHAR: “I don’t know this user’s attributes and request them.” (handle sent to the AA)
• AA: “OK, I pass on the attributes the user has given consent for.”
• Resource Manager: “OK, based on these attributes I grant access.”
Demo
• Thanks to SWITCH AAI
• Resource is
– kohala.switch.ch
• WAYF is
– wayf1.switch.ch
• Identity Provider is
– maunakea.switch.ch
• http://www.switch.ch/aai/demo/demo_live.html
A-Select
• Integration with Shibboleth
– Not yet in production
• Replacement for PubCookie
• Many authentication methods
TIQR
• Dutch initiative (SURFnet)
• OATH
o Initiative for Open Authentication
• OCRA
o OATH Challenge-Response Algorithm

OpenID
• OpenID provider (OP)
• OpenID relying party (RP)
• Microsoft, Google, Facebook, PayPal
Biometrics
Slides from the publisher
Something You Are
• Biometric
– “You are your key” (Schneier)
(Figure: Venn diagram of Are, Know and Have.)
• Examples
● Fingerprint
● Handwritten signature
● Facial recognition
● Speech recognition
● Gait (walking) recognition
● “Digital doggie” (odor recognition)
● Many more!
Why Biometrics?
• Biometrics seen as desirable replacement for passwords
• Cheap and reliable biometrics needed
• Today, a very active area of research
• Biometrics are used in security today
– Thumbprint mouse
– Palm print for secure entry
– Fingerprint to unlock car door, etc.
• But biometrics not too popular
– Has not lived up to its promise (yet?)
Ideal Biometric
• Universal: applies to (almost) everyone
– In reality, no biometric applies to everyone
• Distinguishing: distinguishes with certainty
– In reality, cannot hope for 100% certainty
• Permanent: physical characteristic being measured never changes
– In reality, want it to remain valid for a long time
• Collectable: easy to collect required data
– Depends on whether subjects are cooperative
• Safe, easy to use, etc., etc.
Biometric Modes
• Identification: Who goes there?
– Compare one to many
– Example: The FBI fingerprint database
• Authentication: Is that really you?
– Compare one to one
– Example: Thumbprint mouse
• Identification problem more difficult
– More “random” matches since more comparisons
• We are interested in authentication
Enrollment vs Recognition
• Enrollment phase
– Subject’s biometric info put into database
– Must carefully measure the required info
– OK if slow and repeated measurement needed
– Must be very precise for good recognition
– A weak point of many biometric schemes
• Recognition phase
– Biometric detection when used in practice
– Must be quick and simple
– But must be reasonably accurate
Cooperative Subjects
• We are assuming cooperative subjects
• In identification problem often have uncooperative subjects
• For example, facial recognition
– Proposed for use in Las Vegas casinos to detect known cheaters
– Also as way to detect terrorists in airports, etc.
– Probably do not have ideal enrollment conditions
– Subject will try to confuse recognition phase
• Cooperative subject makes it much easier!
– In authentication, subjects are cooperative
Biometric Errors
• Fraud rate versus insult rate
– Fraud: user A mis-authenticated as user B
– Insult: user A not authenticated as user A
• For any biometric, can decrease fraud or insult, but the other will increase
• For example
– 99% voiceprint match ⇒ low fraud, high insult
– 30% voiceprint match ⇒ high fraud, low insult
• Equal error rate: rate where fraud == insult
– The best measure for comparing biometrics
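The fraud/insult trade-off and the equal error rate, worked through as an added Python example (not from the lecture): constructed match scores for a hypothetical biometric are swept over every observed threshold, and the threshold where the two rates meet gives the EER. The score values, the 0..1 scale and the accept-if-score-at-or-above-threshold rule are assumptions.

```python
def error_rates(genuine, impostor, threshold):
    """Accept a comparison when its match score >= threshold.

    fraud  = impostor accepted as the claimed user (false accept rate)
    insult = genuine user rejected (false reject rate)
    """
    fraud = sum(s >= threshold for s in impostor) / len(impostor)
    insult = sum(s < threshold for s in genuine) / len(genuine)
    return fraud, insult


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold and pick the one where fraud and
    insult are closest; return (threshold, EER), EER being their mean at that point."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        fraud, insult = error_rates(genuine, impostor, t)
        gap = abs(fraud - insult)
        if best is None or gap < best[0]:
            best = (gap, t, (fraud + insult) / 2)
    return best[1], best[2]


# Constructed match scores (0 = no match, 1 = perfect match) for a hypothetical system:
# one genuine attempt per enrolled user and one impostor attempt per user.
GENUINE = [0.95, 0.92, 0.90, 0.88, 0.85, 0.83, 0.80, 0.75, 0.70, 0.60]
IMPOSTOR = [0.10, 0.20, 0.25, 0.30, 0.40, 0.50, 0.60, 0.70, 0.75, 0.85]

if __name__ == "__main__":
    # A strict threshold (0.99) gives no fraud but rejects everyone; a lax one (0.30)
    # rejects nobody but lets most impostors in, mirroring the voiceprint example above.
    for t in (0.30, 0.75, 0.99):
        print("threshold", t, "(fraud, insult) =", error_rates(GENUINE, IMPOSTOR, t))
    print("threshold at EER, EER =", equal_error_rate(GENUINE, IMPOSTOR))
```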
Fingerprint History
• 1823 Professor Johannes Evangelist Purkinje discussed 9 fingerprint patterns
• 1856 Sir William Herschel used fingerprints (in India) on contracts
• 1880 Dr. Henry Faulds article in Nature about fingerprints for ID
• 1883 Mark Twain’s Life on the Mississippi a murderer ID’ed by fingerprint
Fingerprint History
• 1888 Sir Francis Galton (cousin of Darwin) developed classification system
– His system of “minutia” is still in use today
– Also verified that fingerprints do not change
• Some countries require a number of points (i.e., minutia) to match in criminal cases
– In Britain, 15 points
– In US, no fixed number of points required
Fingerprint Comparison
(Figure: fingerprint images labelled loop (double), whorl and arch.)
• Examples of loops, whorls and arches
• Minutia extracted from these features
Fingerprint Biometric
• Capture image of fingerprint
• Enhance image
• Identify minutia
Fingerprint Biometric
• Extracted minutia are compared with user’s minutia stored in a database
• Is it a statistical match?
Hand Geometry
• Popular form of biometric
• Measures shape of hand
● Width of hand, fingers
● Length of fingers, etc.
• Human hands not unique
• Hand geometry sufficient for many situations
• Suitable for authentication
• Not useful for ID problem
Hand Geometry
• Advantages
– Quick
– 1 minute for enrollment
– 5 seconds for recognition
– Hands symmetric (use other hand backwards)
• Disadvantages
– Cannot use on very young or very old
– Relatively high equal error rate
Iris Patterns
• Iris pattern development is “chaotic”
• Little or no genetic influence
• Different even for identical twins
• Pattern is stable through lifetime
Iris Recognition: History
• 1936 suggested by Frank Burch
• 1980s James Bond films
• 1986 first patent appeared
• 1994 John Daugman patented best current approach
– Patent owned by Iridian Technologies
Iris Scan
• Scanner locates iris
• Take b/w photo
• Use polar coordinates…
• Find 2-D wavelet transform
• Get 256 byte iris code
Iris Scan Error Rate

distance   Fraud rate
0.29       1 in 1.3×10^10
0.30       1 in 1.5×10^9
0.31       1 in 1.8×10^8
0.32       1 in 2.6×10^7
0.33       1 in 4.0×10^6
0.34       1 in 6.9×10^5
0.35       1 in 1.3×10^5

(The original slide marks one of these rows as the equal error rate.)
Attack on Iris Scan
• Good photo of eye can be scanned
• And attacker can use photo of eye
• Afghan woman was authenticated by iris scan of old photo
● Story is here
• To prevent photo attack, scanner could use light to be sure it is a “live” iris
Equal Error Rate Comparison
• Equal error rate (EER): fraud == insult rate
• Fingerprint biometric has EER of about 5%
• Hand geometry has EER of about 10^-3
• In theory, iris scan has EER of about 10^-6
– But in practice, hard to achieve
– Enrollment phase must be extremely accurate
• Most biometrics much worse than fingerprint!
• Biometrics useful for authentication…
• But ID biometrics are almost useless today
Biometrics: The Bottom Line
• Biometrics are hard to forge
• But attacker could
– Steal Alice’s thumb
– Photocopy Bob’s fingerprint, eye, etc.
– Subvert software, database, “trusted path”, …
• Also, how to revoke a “broken” biometric?
• Biometrics are not foolproof!
• Biometric use is limited today
• That should change in the future…
Keep an eye on effectiveness
Zero Knowledge Proofs
Zero Knowledge Proof (ZKP)
• Alice wants to prove that she knows a secret without revealing any info about it
• Bob must verify that Alice knows secret
o Even though he gains no info about the secret
• Process is probabilistic
o Bob can verify that Alice knows the secret to an arbitrarily high probability
• An “interactive proof system”
Bob’s Cave
• Alice claims to know secret phrase to open path between R and S (“open sarsparilla”)
• Can she convince Bob that she knows the secret without revealing phrase?
(Figure: the cave, with points P, Q, R and S; the secret phrase opens the path between R and S.)
Bob’s Cave
• Bob: “Alice, come out on S side”
• Alice (quietly): “Open sarsparilla”
• If Alice does not know secret…
• …then Alice could come out from the correct side with probability 1/2
• If Bob repeats this n times, then Alice (who does not know secret) can only fool Bob with probability 1/2^n
(Figure: the cave, with points P, Q, R and S.)
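The cave protocol above, simulated as an added Python example (not from the lecture): an honest Alice who knows the phrase always comes out where Bob asks, while a cheating Alice can only emerge from the branch she entered, so she passes n rounds with probability 1/2^n. The class and function names, the shared random source and the trial counts are assumptions of this simulation.

```python
import random

SECRET = "open sarsparilla"  # the phrase that opens the path between R and S


class Alice:
    """Prover. An honest Alice knows the phrase; a cheating one does not."""

    def __init__(self, knows_secret, rng):
        self.phrase = SECRET if knows_secret else None
        self.rng = rng
        self.side = None

    def enter(self):
        # Alice walks in at P, past Q, and picks R or S while Bob cannot see her.
        self.side = self.rng.choice("RS")

    def come_out(self, side_asked):
        # If Bob asks for the other branch she needs the door, i.e. the secret phrase.
        if side_asked != self.side:
            if self.phrase != SECRET:
                return self.side  # stuck: she emerges from the branch she entered
            self.side = side_asked  # door opens, she crosses to the asked side
        return self.side


def bob_verifies(alice, rounds, rng):
    """Verifier. Each round Bob calls a random side; he accepts only if every round passes."""
    for _ in range(rounds):
        alice.enter()
        asked = rng.choice("RS")
        if alice.come_out(asked) != asked:
            return False
    return True


def cheat_bound(rounds):
    """Probability that a cheating Alice fools Bob: she must guess his side every round."""
    return 1 / 2 ** rounds


def estimate_cheat_success(rounds, trials, seed=1):
    """Monte-Carlo estimate of how often a cheating Alice passes `rounds` rounds."""
    rng = random.Random(seed)
    wins = sum(bob_verifies(Alice(False, rng), rounds, rng) for _ in range(trials))
    return wins / trials


def honest_always_passes(rounds, trials, seed=1):
    """Completeness check: an Alice who knows the phrase is never rejected."""
    rng = random.Random(seed)
    return all(bob_verifies(Alice(True, rng), rounds, rng) for _ in range(trials))


if __name__ == "__main__":
    for n in (1, 5, 10):
        print(n, "rounds: bound", cheat_bound(n), "observed", estimate_cheat_success(n, 4000))
    print("honest prover always accepted:", honest_always_passes(20, 50))
```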
Rainbow tables
Kerberos
• In Greek mythology, Kerberos is the 3-headed dog that guards the entrance to Hades
o “Wouldn’t it make more sense to guard the exit?”
• In security, Kerberos is an authentication system based on symmetric key crypto
o Originated at MIT
o Based on work by Needham and Schroeder
o Relies on a trusted third party (TTP)
Motivation for Kerberos
• Authentication using public keys
o N users ⇒ N key pairs
• Authentication using symmetric keys
o N users requires about N^2 keys
• Symmetric key case does not scale!
• Kerberos based on symmetric keys but only requires N keys for N users
o But must rely on TTP
o Advantage is that no PKI is required
Kerberos KDC
• Kerberos Key Distribution Center or KDC
o Acts as a TTP
o TTP must not be compromised!
o KDC shares symmetric key KA with Alice, key KB with Bob, key KC with Carol, etc.
o Master key KKDC known only to KDC
o KDC enables authentication and session keys
o Keys for confidentiality and integrity
o In practice, the crypto algorithm used is DES
Kerberos Tickets
• KDC issues a ticket containing info needed to access a network resource
• KDC also issues ticket-granting tickets or TGTs that are used to obtain tickets
• Each TGT contains
o Session key
o User’s ID
o Expiration time
• Every TGT is encrypted with KKDC
o TGT can only be read by the KDC
Kerberized Login
• Alice enters her password
• Alice’s workstation
o Derives KA from Alice’s password
o Uses KA to get TGT for Alice from the KDC
• Alice can then use her TGT (credentials) to securely access network resources
• Plus: Security is transparent to Alice
• Minus: KDC must be secure, since it’s trusted!
Kerberized Login
Alice
Alice’s
Alice wants
password
a TGT
E(SA,TGT,KA)
KDC
Key KA derived from Alice’s password
KDC creates session key SA
Workstation decrypts SA, TGT, forgets KA
TGT = E(“Alice”,SA, KKDC)
Computer
Page 71
Alice Requests Ticket to Bob
[Figure: Alice tells her computer “I want to talk to Bob”; the computer sends REQUEST to the KDC, the KDC answers with REPLY, and the computer tells Alice “Talk to Bob”]
• REQUEST = (TGT, authenticator) where authenticator = E(timestamp, SA)
• REPLY = E(“Bob”, KAB, ticket to Bob, SA)
• ticket to Bob = E(“Alice”, KAB, KB)
• KDC gets SA from TGT to verify timestamp
Page 72
Alice Uses Ticket to Bob
[Figure: Alice’s computer sends “ticket to Bob, authenticator” to Bob; Bob replies with E(timestamp + 1, KAB)]
• ticket to Bob = E(“Alice”, KAB, KB)
• authenticator = E(timestamp, KAB)
• Bob decrypts “ticket to Bob” to get KAB, which he then uses to verify timestamp
Page 73
Kerberos
• Session key SA used for authentication
• Can also be used for confidentiality/integrity
• Timestamps used for mutual authentication
• Recall that timestamps reduce number of messages
o Acts like a nonce that is known to both sides
o Note: time is a security-critical parameter!
Page 74
Kerberos Questions
• When Alice logs in, KDC sends E(SA, TGT, KA) where TGT = E(“Alice”, SA, KKDC)
• Q: Why is TGT encrypted with KA?
• A: Extra work and no added security!
• In Alice’s Kerberized login to Bob, why can Alice remain anonymous?
• Why is “ticket to Bob” sent to Alice?
• Where is replay prevention in Kerberos?
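The login, ticket request and ticket use of slides 70 to 72, with the replay question of slide 74 answered by a clock-skew check and a cache of already-seen authenticators, as an added Python example that is not part of the lecture. It assumes a toy encrypt-then-MAC construction in place of DES, KA = h(password) as on slide 76, and constructed keys and names.

```python
import hashlib, hmac, json, os, time
# Toy authenticated encryption standing in for E(...) (the slides' DES; modern Kerberos
# uses AES): SHA-256 keystream plus HMAC tag, so a wrong key is detected, not garbage.
def E(key, data):
    pt, nonce = json.dumps(data).encode(), os.urandom(16)
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def D(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad key or tampered message")
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)).decode())
K_KDC = os.urandom(32)                                   # master key KKDC, known only to the KDC
KEYS = {"Alice": hashlib.sha256(b"correct horse").digest(),  # KA = h(Alice's password), slide 76
        "Bob": os.urandom(32)}                           # KB (constructed)
SKEW, SEEN = 300, set()                                  # accepted clock skew (s); Bob's replay cache

def kdc_login(user):                                     # slide 70: KDC answers E(SA, TGT, KA)
    sa = os.urandom(32)                                  # session key SA
    tgt = E(K_KDC, {"user": user, "SA": sa.hex()})       # TGT = E("Alice", SA, KKDC)
    return E(KEYS[user], {"SA": sa.hex(), "TGT": tgt.hex()})

def kdc_ticket(tgt, authenticator, peer):                # slide 71: REQUEST = (TGT, authenticator)
    inner = D(K_KDC, tgt)                                # only the KDC can open the TGT
    sa = bytes.fromhex(inner["SA"])                      # KDC gets SA from the TGT...
    if abs(time.time() - D(sa, authenticator)["ts"]) > SKEW:  # ...to verify the timestamp
        raise ValueError("stale authenticator")
    kab = os.urandom(32)
    ticket = E(KEYS[peer], {"user": inner["user"], "KAB": kab.hex()})  # ticket to Bob
    return E(sa, {"peer": peer, "KAB": kab.hex(), "ticket": ticket.hex()})  # REPLY

def bob_accept(ticket, authenticator):                   # slide 72: Bob verifies the timestamp
    kab = bytes.fromhex(D(KEYS["Bob"], ticket)["KAB"])
    ts = D(kab, authenticator)["ts"]
    if abs(time.time() - ts) > SKEW or authenticator in SEEN:  # clock check + replay cache
        raise ValueError("stale or replayed authenticator")
    SEEN.add(authenticator)
    return E(kab, {"ts": ts + 1})                        # timestamp + 1 proves Bob holds KAB

def alice_session(password):                             # Alice's workstation, start to finish
    ka = hashlib.sha256(password.encode()).digest()
    login = D(ka, kdc_login("Alice")); del ka            # keep SA and TGT, forget KA
    sa, tgt = bytes.fromhex(login["SA"]), bytes.fromhex(login["TGT"])
    reply = D(sa, kdc_ticket(tgt, E(sa, {"ts": time.time()}), "Bob"))
    kab, ticket = bytes.fromhex(reply["KAB"]), bytes.fromhex(reply["ticket"])
    ts = time.time()
    return D(kab, bob_accept(ticket, E(kab, {"ts": ts})))["ts"] == ts + 1   # mutual auth done
```

A wrong password derives the wrong KA, so the KDC reply fails to decrypt at the workstation and the KDC itself never learns the password.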
Page 75
Kerberos Alternatives
• Could have Alice’s workstation remember password and use that for authentication
o Then no KDC required
o But hard to protect password on workstation
o Scaling problem
• Could have KDC remember session key instead of putting it in a TGT
o Then no need for TGTs
o But stateless KDC is big feature of Kerberos
Page 76
Kerberos Keys
• In Kerberos, KA = h(Alice’s password)
• Could instead generate random KA and
o Compute Kh = h(Alice’s password)
o And workstation stores E(KA, Kh)
• Then KA need not change (on workstation or KDC) when Alice changes her password
• But E(KA, Kh) subject to password guessing
• This alternative approach is often used in applications (but not in Kerberos)
Page 77
See MAMS presentation
Page 78
Rainbow tables
Page 79
Rainbow tables
Page 80
GSM Security
Page 81
Cell Phones
• First generation cell phones
o Analog, few standards
o Little or no security
o Susceptible to cloning
• Second generation cell phones: GSM
o Began in 1982 as Groupe Speciale Mobile
o Now, Global System for Mobile Communications
• Third generation?
o 3rd Generation Partnership Project (3GPP)
Page 82
GSM System Overview
[Figure: the Mobile talks over the air interface to a Base Station; the Base Station Controller and VLR form the Visited Network; a “land line” links it to the Home Network (HLR, AuC), which connects onward to the PSTN, Internet, etc.]
Page 83
GSM System Components
• Mobile phone
o Contains SIM (Subscriber Identity Module)
• SIM is the security module
o IMSI (International Mobile Subscriber ID)
o User key Ki (128 bits)
o Tamper resistant (smart card)
o PIN activated (usually not used)
[Figure: SIM card]
Page 84
GSM System Components
• Visited network: network where mobile is currently located
o Base station: one “cell”
o Base station controller: manages many cells
o VLR (Visitor Location Register): info on all visiting mobiles currently in the network
• Home network: “home” of the mobile
o HLR (Home Location Register): keeps track of most recent location of mobile
o AuC (Authentication Center): contains IMSI/Ki
Page 85
GSM Security Goals
• Primary design goals
o Make GSM as secure as ordinary telephone
o Prevent phone cloning
• Not designed to resist an active attack!
o At the time this seemed infeasible
o Today such an attack is very feasible…
• Designers considered biggest threats
o Insecure billing
o Corruption
o Other low-tech attacks
Page 86
GSM Security Features
• Anonymity
o Intercepted traffic does not identify user
o Not so important to phone company
• Authentication
o Necessary for proper billing
o Very important to phone company!
• Confidentiality
o Confidentiality of calls over the air interface
o Not important to phone company
o May be very important for marketing!
Page 87
GSM: Anonymity
• IMSI used to initially identify caller
• Then TMSI (Temporary Mobile Subscriber ID) used
• TMSI changed frequently
• TMSIs encrypted when sent
• Not a strong form of anonymity
• But probably sufficient for most uses
Page 88
GSM: Authentication
• Caller is authenticated to base station
• Authentication is not mutual
• Authentication via challenge-response
o Home network generates RAND and computes XRES = A3(RAND, Ki) where A3 is a hash
o Then (RAND, XRES) sent to base station
o Base station sends challenge RAND to mobile
o Mobile’s response is SRES = A3(RAND, Ki)
o Base station verifies SRES = XRES
• Note: Ki never leaves home network!
Page 89
GSM: Confidentiality
• Data encrypted with stream cipher
• Error rate estimated at about 1/1000
o Error rate too high for a block cipher
• Encryption key Kc
o Home network computes Kc = A8(RAND, Ki), where A8 is a hash
o Then Kc sent to base station with (RAND, XRES)
o Mobile computes Kc = A8(RAND, Ki)
o Keystream generated from A5(Kc)
• Note: Ki never leaves home network!
Page 90
GSM Security
• SRES and Kc must be uncorrelated
o Even though both are derived from RAND and Ki
• Must not be possible to deduce Ki from known RAND/SRES pairs (known plaintext attack)
• Must not be possible to deduce Ki from chosen RAND/SRES pairs (chosen plaintext attack)
o With possession of SIM, attacker can choose RANDs
[Figure: message flow between Mobile, Base Station and Home Network: 1. Mobile sends IMSI to Base Station; 2. Base Station forwards IMSI to Home Network; 3. Home Network returns (RAND, XRES, Kc) to Base Station; 4. Base Station sends RAND to Mobile; 5. Mobile answers SRES; 6. Traffic encrypted with Kc]
Page 91
GSM Insecurity (1)
• Hash used for A3/A8 is COMP128
o Broken by 160,000 chosen plaintexts
o With SIM, can get Ki in 2 to 10 hours
• Encryption between mobile and base station, but no encryption from base station to base station controller
o Often transmitted over microwave link
• Encryption algorithm A5/1
o Broken with 2 seconds of known plaintext
[Figure: Base Station, Base Station Controller and VLR, with the unencrypted link between base station and base station controller]
Page 92
GSM Insecurity (2)
• Attacks on SIM card
o Optical Fault Induction: can attack SIM with a flashbulb to recover Ki
o Partitioning Attacks: using timing and power consumption, can recover Ki with only 8 adaptively chosen “plaintexts”
• With possession of SIM, attacker can recover Ki in seconds
Page 93
GSM Insecurity (3)
• Fake base station exploits two flaws
o Encryption not automatic
o Base station not authenticated
[Figure: the Mobile exchanges RAND and SRES with a Fake Base Station and continues with no encryption; the Fake Base Station places the call to the destination through a real Base Station]
• Note: The bill goes to fake base station!
Page 94
GSM Insecurity (4)
• Denial of service is possible
o Jamming (always an issue in wireless)
• Base station can replay triple (RAND, XRES, Kc)
o One compromised triple gives attacker a key Kc that is valid forever
o No replay protection!
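The challenge-response and key-agreement flow of slides 88 to 90, plus the triple reuse of slide 94, as an added Python example that is not part of the lecture. A3, A8 and A5 are stand-ins (keyed SHA-256 with distinct labels), not COMP128 or A5/1, and the IMSI and keys are constructed.

```python
import hmac, os

# Stand-ins for the GSM algorithms (assumption: real GSM uses COMP128 for A3/A8 and the
# A5/1 stream cipher). Each is keyed SHA-256 with its own label, which is what makes
# SRES and Kc uncorrelated even though both come from (RAND, Ki), as slide 90 requires.
def A3(rand, ki): return hmac.new(ki, b"A3" + rand, "sha256").digest()[:4]   # 32-bit SRES/XRES
def A8(rand, ki): return hmac.new(ki, b"A8" + rand, "sha256").digest()[:8]   # 64-bit Kc
def A5(kc, frame, n): return hmac.new(kc, frame.to_bytes(4, "big"), "sha256").digest()[:n]

class AuC:                              # home network: holds IMSI -> Ki; Ki never leaves here
    def __init__(self, subscribers): self.db = dict(subscribers)
    def triple(self, imsi):
        rand, ki = os.urandom(16), self.db[imsi]
        return rand, A3(rand, ki), A8(rand, ki)           # (RAND, XRES, Kc)

class SIM:                              # tamper-resistant module holding IMSI and Ki
    def __init__(self, imsi, ki): self.imsi, self.ki, self.kc = imsi, ki, None
    def respond(self, rand):                              # challenge RAND arrives over the air
        self.kc = A8(rand, self.ki)                       # Kc stays in the SIM
        return A3(rand, self.ki)                          # SRES goes back to the base station

class BaseStation:                      # visited network: never sees Ki, only triples
    def __init__(self, auc): self.auc, self.cache = auc, {}
    def authenticate(self, sim, reuse_triple=False):
        if reuse_triple and sim.imsi in self.cache:       # slide 94: nothing forbids reusing a triple
            rand, xres, kc = self.cache[sim.imsi]
        else:
            rand, xres, kc = self.cache[sim.imsi] = self.auc.triple(sim.imsi)
        if not hmac.compare_digest(sim.respond(rand), xres):
            return None                                   # SRES != XRES: reject
        return kc                                         # Kc now shared with the mobile

def encrypt_frame(kc, frame, data):     # stream cipher: XOR with the A5 keystream for this frame
    return bytes(a ^ b for a, b in zip(data, A5(kc, frame, len(data))))

def demo():
    imsi, ki = "001010123456789", os.urandom(16)          # constructed IMSI, 128-bit Ki
    bs, sim = BaseStation(AuC({imsi: ki})), SIM(imsi, ki)
    kc1 = bs.authenticate(sim)
    ct = encrypt_frame(kc1, 42, b"hello")                 # base station encrypts frame 42
    plain = encrypt_frame(sim.kc, 42, ct)                 # mobile decrypts with its own Kc
    kc2 = bs.authenticate(sim, reuse_triple=True)         # replayed triple: same Kc again
    kc3 = bs.authenticate(sim)                            # fresh triple: new Kc
    clone = bs.authenticate(SIM(imsi, os.urandom(16)))    # right IMSI, wrong Ki: rejected
    return plain == b"hello", kc1 == kc2, kc1 != kc3, clone is None
```

The reused triple yields the same Kc a second time, which is the property 3GPP later removed (slide 96); a defender's fix is to issue each triple once and discard it.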
Page 95
GSM Conclusion
• Did GSM achieve its goals?
o Eliminate cloning? Yes
o Make air interface as secure as PSTN? Perhaps…
o But design goals were clearly too limited
• GSM insecurities: weak crypto, SIM issues, fake base station, replay, etc.
• PSTN insecurities: tapping, active attack, passive attack (e.g., cordless phones), etc.
• GSM a (modest) security success?
Page 96
3GPP: 3rd Generation Partnership Project
• 3G security built on GSM (in)security
• 3G fixes known GSM security problems
o Mutual authentication
o Integrity protect signaling (such as “start encryption” command)
o Keys (encryption/integrity) cannot be reused
o Triples cannot be replayed
o Strong encryption algorithm (KASUMI)
o Encryption extended to base station controller