Authentication Protocols - jaferian.comjaferian.com/nyit/3-key_exchange.pdf · Identify Friend or Foe (IFF) Namibia K Angola SAAF Impala K Russian MIG. Part 3 ⎯ Protocols 8 Identify

Part 3 ⎯ Protocols 1

Authentication Protocols

Protocol❑ Human protocols ⎯ the rules followed in

human interactions o Example: Asking a question in class

❑ Networking protocols ⎯ rules followed in networked communication systems o Examples: HTTP, FTP, etc.

❑ Security protocol ⎯ the (communication) rules followed in a security application o Examples: SSL, IPSec, Kerberos, etc.

Protocols❑ Protocol flaws can be very subtle ❑ Several well-known security protocols

have significant flaws o Including WEP, GSM, and IPSec

❑ Implementation errors can also occur o Recently, IE implementation of SSL

❑ Not easy to get protocols right…

Ideal Security Protocol❑ Must satisfy security requirements

o Requirements need to be precise ❑ Efficient

o Minimize computational requirement o Minimize bandwidth usage, delays…

❑ Robust o Works when attacker tries to break it o Works if environment changes (slightly)

❑ Easy to implement, easy to use, flexible… ❑ Difficult to satisfy all of these!

Secure Entry to NSA

Secure Entry to NSA1. Insert badge into reader

Secure Entry to NSA1. Insert badge into reader2. Enter PIN

Secure Entry to NSA1. Insert badge into reader2. Enter PIN3. Correct PIN?

Yes? Enter

Yes? Enter No? Get shot by security guard

ATM Machine Protocol

ATM Machine Protocol1. Insert ATM card

ATM Machine Protocol1. Insert ATM card2. Enter PIN

ATM Machine Protocol1. Insert ATM card2. Enter PIN3. Correct PIN?

Yes? Conduct your transaction(s)

Yes? Conduct your transaction(s) No? Machine (eventually) eats card

Identify Friend or Foe (IFF)

Namibia K

Angola

SAAF Impala

Russian MIG

Namibia K

Angola

SAAF Impala

Russian MIG

Namibia K

Angola

2. E(N,K)SAAF Impala

Russian MIG

MIG in the Middle

Namibia K

Angola

SAAF Impala

Russian MiG

MIG in the Middle

Namibia K

Angola

SAAF Impala

Russian MiG

MIG in the Middle

Namibia K

Angola

SAAF Impala

Russian MiG

MIG in the Middle

Namibia K

Angola

3. NSAAF Impala

Russian MiG

MIG in the Middle

Namibia K

Angola

4. E(N,K)SAAF Impala

Russian MiG

MIG in the Middle

Namibia K

Angola

4. E(N,K)

5. E(N,K)

SAAF Impala

Russian MiG

MIG in the Middle

Namibia K

Angola

4. E(N,K)

5. E(N,K)

6. E(N,K)

SAAF Impala

Russian MiG

Authentication Protocols

Authentication❑ Alice must prove her identity to Bob

o Alice and Bob can be humans or computers ❑ May also require Bob to prove he’s Bob (mutual

authentication) ❑ Probably need to establish a session key ❑ May have other requirements, such as

o Public keys, symmetric keys, hash functions, … o Anonymity, plausible deniability, perfect forward

secrecy, etc.

Authentication

Authentication❑ Authentication on a stand-alone computer is

relatively simple

relatively simpleo For example, hash a password with a salt

relatively simpleo For example, hash a password with a salto “Secure path,” attacks on authentication

software, keystroke logging, etc., can be issues

software, keystroke logging, etc., can be issues❑ Authentication over a network is challenging

o Attacker can passively observe messages

o Attacker can passively observe messageso Attacker can replay messages

o Attacker can passively observe messageso Attacker can replay messageso Active attacks possible (insert, delete, change)

Simple Authentication

Alice Bob

“I’m Alice”

Alice Bob

“I’m Alice”

Prove it

Alice Bob

“I’m Alice”

Prove it

My password is “frank”

Alice Bob

“I’m Alice”

Prove it

❑ Simple and may be OK for standalone system

Alice Bob

“I’m Alice”

Prove it

❑ Simple and may be OK for standalone system❑ But highly insecure for networked system

Alice Bob

“I’m Alice”

Prove it

o Subject to a replay attack (next 2 slides)

Alice Bob

“I’m Alice”

Prove it

o Subject to a replay attack (next 2 slides)o Also, Bob must know Alice’s password

Authentication Attack

Alice Bob

“I’m Alice”

Alice Bob

“I’m Alice”

Prove it

Alice Bob

“I’m Alice”

Prove it

BobTrudy

“I’m Alice”

Prove it

“I’m Alice”

Prove it

My password is “frank”Trudy

“I’m Alice”

Prove it

❑ This is an example of a replay attack

“I’m Alice”

Prove it

❑ This is an example of a replay attack❑ How can we prevent a replay?

Alice Bob

I’m Alice, my password is “frank”

Alice Bob

❑ More efficient, but…

Alice Bob

❑ More efficient, but…❑ … same problem as previous version

Better Authentication

Alice Bob

“I’m Alice”

Alice Bob

“I’m Alice”

Prove it

Alice Bob

“I’m Alice”

Prove it

h(Alice’s password)

Alice Bob

“I’m Alice”

Prove it

❑ This approach hides Alice’s password o From both Bob and Trudy

Alice Bob

“I’m Alice”

Prove it

❑ This approach hides Alice’s password o From both Bob and Trudy

❑ But still subject to replay attack

Challenge-Response❑ To prevent replay, use challenge-response

o Goal is to ensure “freshness” ❑ Suppose Bob wants to authenticate Alice

o Challenge sent from Bob to Alice ❑ Challenge is chosen so that…

o Replay is not possible o Only Alice can provide the correct response o Bob can verify the response

Nonce❑ To ensure freshness, can employ a nonce

o Nonce == number used once

o Nonce == number used once ❑ What to use for nonces?

o That is, what is the challenge?

o That is, what is the challenge?❑ What should Alice do with the nonce?

o That is, how to compute the response?

o That is, how to compute the response?❑ How can Bob verify the response?

o That is, how to compute the response?❑ How can Bob verify the response?❑ Should we use passwords or keys?

Challenge-Response

BobAlice

Challenge-Response

“I’m Alice”

Challenge-Response

“I’m Alice”

Challenge-Response

“I’m Alice”

h(Alice’s password, Nonce)Alice

Challenge-Response

“I’m Alice”

h(Alice’s password, Nonce)

❑ Nonce is the challengeAlice

Challenge-Response

“I’m Alice”

❑ Nonce is the challenge❑ The hash is the response

Challenge-Response

“I’m Alice”

❑ Nonce is the challenge❑ The hash is the response❑ Nonce prevents replay (ensures freshness)

Challenge-Response

“I’m Alice”

❑ Nonce is the challenge❑ The hash is the response❑ Nonce prevents replay (ensures freshness)❑ Password is something Alice knows

Challenge-Response

“I’m Alice”

❑ Nonce is the challenge❑ The hash is the response❑ Nonce prevents replay (ensures freshness)❑ Password is something Alice knows❑ Note: Bob must know Alice’s pwd to verify

Generic Challenge-Response

BobAlice

“I’m Alice”

Something that could only beAlice from Alice, and Bob can verify

“I’m Alice”

❑ In practice, how to achieve this?

“I’m Alice”

❑ In practice, how to achieve this?❑ Hashed password works, but…

“I’m Alice”

❑ In practice, how to achieve this?❑ Hashed password works, but…❑ …encryption is much better here (why?)

Symmetric Key Notation❑ Encrypt plaintext P with key K C = E(P,K) ❑ Decrypt ciphertext C with key K P = D(C,K) ❑ Here, we are concerned with attacks on

protocols, not attacks on cryptography o So, we assume crypto algorithms are secure

Authentication: Symmetric Key❑ Alice and Bob share symmetric key K❑ Key K known only to Alice and Bob ❑ Authenticate by proving knowledge of

shared symmetric key ❑ How to accomplish this?

o Cannot reveal key, must not allow replay (or other) attack, must be verifiable, …

Authenticate Alice Using Symmetric Key

Alice, K Bob, K

“I’m Alice”

Alice, K Bob, K

“I’m Alice”

Alice, K Bob, K

“I’m Alice”

E(R,K)

Alice, K Bob, K

“I’m Alice”

E(R,K)

❑ Secure method for Bob to authenticate Alice

Alice, K Bob, K

“I’m Alice”

E(R,K)

❑ Secure method for Bob to authenticate Alice❑ But, Alice does not authenticate Bob

Alice, K Bob, K

“I’m Alice”

E(R,K)

❑ Secure method for Bob to authenticate Alice❑ But, Alice does not authenticate Bob❑ So, can we achieve mutual authentication?

Mutual Authentication?

Alice, K Bob, K

“I’m Alice”, R

Alice, K Bob, K

E(R,K)

Alice, K Bob, K

E(R,K)

Alice, K Bob, K

E(R,K)

❑ What’s wrong with this picture?

Alice, K Bob, K

E(R,K)

❑ What’s wrong with this picture?❑ “Alice” could be Trudy (or anybody else)!

Mutual Authentication❑ Since we have a secure one-way

authentication protocol… ❑ The obvious thing to do is to use the

protocol twice o Once for Bob to authenticate Alice o Once for Alice to authenticate Bob

❑ This has got to work…

Mutual Authentication

Alice, K Bob, K

“I’m Alice”, RA

Alice, K Bob, K

RB, E(RA, K)

Alice, K Bob, K

RB, E(RA, K)

E(RB, K)

Alice, K Bob, K

RB, E(RA, K)

E(RB, K)

❑ This provides mutual authentication…

Alice, K Bob, K

RB, E(RA, K)

E(RB, K)

❑ This provides mutual authentication…❑ …or does it? Subject to reflection attack

o Next slide

Mutual Authentication Attack

Bob, KTrudy

Bob, K

1. “I’m Alice”, RA

Bob, K

2. RB, E(RA, K)

Bob, K

2. RB, E(RA, K)

Bob, KTrudy

Bob, K

2. RB, E(RA, K)

Bob, K

3. “I’m Alice”, RB

Bob, K

2. RB, E(RA, K)

Bob, K

4. RC, E(RB, K)

Bob, K

2. RB, E(RA, K)

Bob, K

4. RC, E(RB, K)

5. E(RB, K)

Mutual Authentication❑ Our one-way authentication protocol is

not secure for mutual authentication o Protocols are subtle! o In this case, “obvious” solution is not secure

❑ Also, if assumptions or environment change, protocol may not be secure o This is a common source of security failure o For example, Internet protocols

Symmetric Key Mutual Authentication

Alice, K Bob, K

RB, E(“Bob”,RA,K)

Alice, K Bob, K

E(“Alice”,RB,K)

Alice, K Bob, K

E(“Alice”,RB,K)

❑ Do these “insignificant” changes help?

Alice, K Bob, K

E(“Alice”,RB,K)

❑ Do these “insignificant” changes help?❑ Yes!

Public Key Notation❑ Encrypt M with Alice’s public key: {M}Alice ❑ Sign M with Alice’s private key: [M]Alice ❑ Then

o [{M}Alice ]Alice = M o {[M]Alice }Alice = M

❑ Anybody can use Alice’s public key ❑ Only Alice can use her private key

Public Key Authentication

Alice Bob

“I’m Alice”

Alice Bob

“I’m Alice”

{R}Alice

Alice Bob

“I’m Alice”

{R}Alice

Alice Bob

“I’m Alice”

{R}Alice

❑ Is this secure?

Alice Bob

“I’m Alice”

{R}Alice

❑ Is this secure?❑ Trudy can get Alice to decrypt anything!

Prevent this by having two key pairs

Alice Bob

“I’m Alice”

Alice Bob

“I’m Alice”

Alice Bob

“I’m Alice”

[R]Alice

Alice Bob

“I’m Alice”

[R]Alice

❑ Is this secure?

Alice Bob

“I’m Alice”

[R]Alice

❑ Is this secure?❑ Trudy can get Alice to sign anything!

o Same a previous ⎯ should have two key pairs

Public Keys❑ Generally, a bad idea to use the same

key pair for encryption and signing ❑ Instead, should have…

o …one key pair for encryption/decryption and signing/verifying signatures…

o …and a different key pair for authentication

Session Key❑ Usually, a session key is required

o A symmetric key for current session o Used for confidentiality and/or integrity

❑ How to authenticate and establish a session key (i.e., shared symmetric key)? o When authentication completed, Alice and Bob

share a session key o Trudy cannot break the authentication… o …and Trudy cannot determine the session key

Authentication & Session Key

Alice Bob

{R, K}Alice

Alice Bob

{R, K}Alice

{R +1, K}Bob

Alice Bob

{R, K}Alice

{R +1, K}Bob

❑ Is this secure?

Alice Bob

{R, K}Alice

{R +1, K}Bob

❑ Is this secure?o Alice is authenticated and session key is secure

Alice Bob

{R, K}Alice

{R +1, K}Bob

❑ Is this secure?o Alice is authenticated and session key is secureo Alice’s “nonce”, R, useless to authenticate Bob

Alice Bob

{R, K}Alice

{R +1, K}Bob

❑ Is this secure?o Alice is authenticated and session key is secureo Alice’s “nonce”, R, useless to authenticate Bobo The key K is acting as Bob’s nonce to Alice

Alice Bob

{R, K}Alice

{R +1, K}Bob

❑ Is this secure?o Alice is authenticated and session key is secureo Alice’s “nonce”, R, useless to authenticate Bobo The key K is acting as Bob’s nonce to Alice

❑ No mutual authentication

Public Key Authentication and Session Key

Alice Bob

[R, K]Bob

Alice Bob

[R, K]Bob

[R +1, K]Alice

Alice Bob

[R, K]Bob

[R +1, K]Alice

❑ Is this secure?

Alice Bob

[R, K]Bob

[R +1, K]Alice

❑ Is this secure?o Mutual authentication (good), but…

Alice Bob

[R, K]Bob

[R +1, K]Alice

❑ Is this secure?o Mutual authentication (good), but…o … session key is not protected (very bad)

Alice Bob

{[R, K]Bob}Alice

Alice Bob

{[R, K]Bob}Alice

{[R +1, K]Alice}Bob

Alice Bob

{[R, K]Bob}Alice

{[R +1, K]Alice}Bob

❑ Is this secure?

Alice Bob

{[R, K]Bob}Alice

{[R +1, K]Alice}Bob

❑ Is this secure?❑ No! It’s subject to subtle MiM attack

o See the next slide…

Alice BobTrudy

Alice Bob

1. “I’m Alice”, R

Alice Bob

2. “I’m Trudy”, R

Alice Bob

3. {[R, K]Bob}Trudy

Alice Bob

4. {[R, K]Bob}Alice

3. {[R, K]Bob}Trudy

Alice Bob

4. {[R, K]Bob}Alice

5. {[R +1, K]Alice}BobTrudy

3. {[R, K]Bob}Trudy

Alice Bob

4. {[R, K]Bob}Alice

5. {[R +1, K]Alice}BobTrudy

3. {[R, K]Bob}Trudy

6. time out

Alice Bob

4. {[R, K]Bob}Alice

5. {[R +1, K]Alice}Bob

❑ Trudy can get [R, K]Bob and K from 3.

3. {[R, K]Bob}Trudy

6. time out

Alice Bob

4. {[R, K]Bob}Alice

❑ Trudy can get [R, K]Bob and K from 3.❑ Alice uses this same key K

3. {[R, K]Bob}Trudy

6. time out

Alice Bob

4. {[R, K]Bob}Alice

❑ Trudy can get [R, K]Bob and K from 3.❑ Alice uses this same key K ❑ And Alice thinks she’s talking to Bob

3. {[R, K]Bob}Trudy

6. time out

Alice Bob

[{R, K}Alice]Bob

Alice Bob

[{R, K}Alice]Bob

[{R +1, K}Bob]Alice

Alice Bob

[{R, K}Alice]Bob

[{R +1, K}Bob]Alice

❑ Is this secure?

Alice Bob

[{R, K}Alice]Bob

[{R +1, K}Bob]Alice

❑ Is this secure?❑ Seems to be OK

o Anyone can see {R, K}Alice and {R +1, K}Bob

Public Key Authentication❑ Sign and encrypt with nonce…

o Insecure

o Insecure❑ Encrypt and sign with nonce…

o Secure

o Secure❑ Protocols can be subtle!

Perfect Forward Secrecy

Perfect Forward Secrecy❑ Consider this “issue”…

o Alice encrypts message with shared key K and sends ciphertext to Bob

o Trudy records ciphertext and later attacks Alice’s (or Bob’s) computer to recover K

o Then Trudy decrypts recorded messages

o Then Trudy decrypts recorded messages❑ Perfect forward secrecy (PFS): Trudy

cannot later decrypt recorded ciphertext o Even if Trudy gets key K or other secret(s)

o Then Trudy decrypts recorded messages❑ Perfect forward secrecy (PFS): Trudy

cannot later decrypt recorded ciphertext o Even if Trudy gets key K or other secret(s)

❑ Is PFS possible?

Perfect Forward Secrecy❑ Suppose Alice and Bob share key K ❑ For perfect forward secrecy, Alice and Bob

cannot use K to encrypt ❑ Instead they must use a session key KS and

forget it after it’s used ❑ Can Alice and Bob agree on session key KS in

a way that provides PFS?

Naïve Session Key Protocol

Alice, K Bob, K

E(KS, K)

Alice, K Bob, K

E(KS, K)

E(messages, KS)

❑ Trudy could record E(KS, K)

Alice, K Bob, K

E(KS, K)

E(messages, KS)

❑ Trudy could record E(KS, K)❑ If Trudy later gets K then she can get KS

o Then Trudy can decrypt recorded messages

Alice, K Bob, K

E(KS, K)

E(messages, KS)

❑ Trudy could record E(KS, K)❑ If Trudy later gets K then she can get KS

o Then Trudy can decrypt recorded messages❑ No perfect forward secrecy in this case

Alice, K Bob, K

E(KS, K)

E(messages, KS)

Part 1 ⎯ Cryptography 121

Diffie-Hellman

Diffie-Hellman Key Exchange❑ Invented by Williamson (GCHQ) and,

independently, by D and H (Stanford) ❑ A “key exchange” algorithm

o Used to establish a shared symmetric key o Not for encrypting or signing

❑ Based on discrete log problem o Given: g, p, and gk mod p o Find: exponent k

Diffie-Hellman❑ Let p be prime, let g be a generator

o For any x ∈ {1,2,…,p-1} there is n s.t. x = gn mod p ❑ Alice selects her private value a ❑ Bob selects his private value b ❑ Alice sends ga mod p to Bob ❑ Bob sends gb mod p to Alice ❑ Both compute shared secret, gab mod p❑ Shared secret can be used as symmetric key

Diffie-Hellman❑ Public: g and p ❑ Private: Alice’s exponent a, Bob’s exponent b

Alice, a Bob, b

ga mod p

Alice, a Bob, b

ga mod p

gb mod p

Alice, a Bob, b

ga mod p

gb mod p

❑ Alice computes (gb)a = gba = gab mod p ❑ Bob computes (ga)b = gab mod p❑ They can use K = gab mod p as symmetric key

Diffie-Hellman❑ Suppose Bob and Alice use Diffie-Hellman

to determine symmetric key K = gab mod p ❑ Trudy can see ga mod p and gb mod p

o But… ga gb mod p = ga+b mod p ≠ gab mod p ❑ If Trudy can find a or b, she gets K❑ If Trudy can solve discrete log problem,

she can find a or b

Diffie-Hellman❑ Subject to man-in-the-middle (MiM) attack

Alice, a Bob, bTrudy, t

Alice, a Bob, b

ga mod p

Trudy, t

Alice, a Bob, b

ga mod p

Trudy, t

gt mod p

Alice, a Bob, b

ga mod p

gb mod p

Trudy, t

gt mod p

Alice, a Bob, b

ga mod p

gb mod p

Trudy, t

gt mod p

Alice, a Bob, b

ga mod p

gb mod p

Trudy, t

gt mod p

❑ Trudy shares secret gat mod p with Alice ❑ Trudy shares secret gbt mod p with Bob ❑ Alice and Bob don’t know Trudy is MiM

Diffie-Hellman❑ How to prevent MiM attack?

o Encrypt DH exchange with symmetric key o Encrypt DH exchange with public key o Sign DH values with private key o Other?

❑ At this point, DH may look pointless… o …but it’s not (more on this later)

❑ You MUST be aware of MiM attack on Diffie-Hellman

Perfect Forward Secrecy❑ We can use Diffie-Hellman for PFS ❑ Recall: public g and p

Alice, a Bob, b

ga mod p

Alice, a Bob, b

ga mod p

gb mod p

❑ But Diffie-Hellman is subject to MiMAlice, a Bob, b

ga mod p

gb mod p

❑ But Diffie-Hellman is subject to MiM❑ How to get PFS and prevent MiM?

Alice, a Bob, b

ga mod p

gb mod p

Alice: K, a Bob: K, b

E(ga mod p, K)

E(gb mod p, K)

❑ Session key KS = gab mod p

E(ga mod p, K)

E(gb mod p, K)

❑ Session key KS = gab mod p❑ Alice forgets a, Bob forgets b

E(ga mod p, K)

E(gb mod p, K)

❑ Session key KS = gab mod p❑ Alice forgets a, Bob forgets b❑ This is known as Ephemeral Diffie-Hellman

E(ga mod p, K)

E(gb mod p, K)

❑ Session key KS = gab mod p❑ Alice forgets a, Bob forgets b❑ This is known as Ephemeral Diffie-Hellman❑ Neither Alice nor Bob can later recover KS

E(ga mod p, K)

E(gb mod p, K)

❑ Session key KS = gab mod p❑ Alice forgets a, Bob forgets b❑ This is known as Ephemeral Diffie-Hellman❑ Neither Alice nor Bob can later recover KS❑ Are there other ways to achieve PFS?

E(ga mod p, K)

E(gb mod p, K)

Mutual Authentication, Session Key and PFS

Alice Bob

RB, [RA, gb mod p]Bob

Alice Bob

[RB, ga mod p]Alice

Alice Bob

[RB, ga mod p]Alice

❑ Session key is K = gab mod p

Alice Bob

[RB, ga mod p]Alice

❑ Session key is K = gab mod p❑ Alice forgets a and Bob forgets b

Alice Bob

[RB, ga mod p]Alice

❑ Session key is K = gab mod p❑ Alice forgets a and Bob forgets b❑ If Trudy later gets Bob’s and Alice’s secrets,

she cannot recover session key K

Authentication Protocols - jaferian.comjaferian.com/nyit/3-key_exchange.pdf · Identify Friend or Foe (IFF) Namibia K Angola SAAF Impala K Russian MIG. Part 3 ⎯ Protocols 8 Identify

Documents

Cleaning Protocols and Equipment - APIC MT€¦ · Identify...

SAAF Chemical Media and...

Transportation Protocols: UDP, TCP & RTP Transportation...

PUNJAB SAAF PANI...

FZ275 LGR Integration on SAAF - Rooivalk

Child Protection Decision-Making: The Safeguarding Children....

The SAAF Museum · The SAAF Museum Operators of the North.....

Transall-SAAF,R-RTyneEngine -...

Computer Network protocols. Objectives Identify the...

2014 Webinar Series€¦ · Identify protocols for the risk...

Opening Reception Donald Saaf Michael Stasiuk Jan ter...

Network Protocols 1. Protocols are rules and procedures for....

and value of IEC activities under Swachh Bharat Mission...

Transall-SAAF,R-RTyneFuelSys.pdR...1.pdf · Title:...

North American Mustang in RAF, RAAF,SAAF, RNZAF, RCAF &...

Data Link Protocols Asynchronous Protocols Synchronous...