Authentication Protocols - jaferian.comjaferian.com/nyit/3-key_exchange.pdf · Identify Friend or Foe (IFF) Namibia K Angola SAAF Impala K Russian MIG. Part 3 ⎯ Protocols 8 Identify

Part 3 ⎯ Protocols 1

Authentication Protocols


Protocol❑ Human protocols ⎯ the rules followed in

human interactions o Example: Asking a question in class

❑ Networking protocols ⎯ rules followed in networked communication systems o Examples: HTTP, FTP, etc.

❑ Security protocol ⎯ the (communication) rules followed in a security application o Examples: SSL, IPSec, Kerberos, etc.


Protocols❑ Protocol flaws can be very subtle ❑ Several well-known security protocols

have significant flaws o Including WEP, GSM, and IPSec

❑ Implementation errors can also occur o Recently, IE implementation of SSL

❑ Not easy to get protocols right…


Ideal Security Protocol❑ Must satisfy security requirements

o Requirements need to be precise ❑ Efficient

o Minimize computational requirement o Minimize bandwidth usage, delays…

❑ Robust o Works when attacker tries to break it o Works if environment changes (slightly)

❑ Easy to implement, easy to use, flexible… ❑ Difficult to satisfy all of these!


Secure Entry to NSA


Secure Entry to NSA1. Insert badge into reader


Secure Entry to NSA1. Insert badge into reader2. Enter PIN


Secure Entry to NSA1. Insert badge into reader2. Enter PIN3. Correct PIN?



Yes? Enter



Yes? Enter No? Get shot by security guard


ATM Machine Protocol


ATM Machine Protocol1. Insert ATM card


ATM Machine Protocol1. Insert ATM card2. Enter PIN


ATM Machine Protocol1. Insert ATM card2. Enter PIN3. Correct PIN?



Yes? Conduct your transaction(s)



Yes? Conduct your transaction(s) No? Machine (eventually) eats card


Identify Friend or Foe (IFF)

Namibia K

Angola

SAAF Impala

K

Russian MIG



Namibia K

Angola

1. N

SAAF Impala

K

Russian MIG



Namibia K

Angola

1. N

2. E(N,K)SAAF Impala

K

Russian MIG


MIG in the Middle

Namibia K

Angola

SAAF Impala

K

Russian MiG


MIG in the Middle

Namibia K

Angola

1. N

SAAF Impala

K

Russian MiG


MIG in the Middle

Namibia K

Angola

1. N

2. N

SAAF Impala

K

Russian MiG


MIG in the Middle

Namibia K

Angola

1. N

2. N

3. NSAAF Impala

K

Russian MiG


MIG in the Middle

Namibia K

Angola

1. N

2. N

3. N

4. E(N,K)SAAF Impala

K

Russian MiG


MIG in the Middle

Namibia K

Angola

1. N

2. N

3. N

4. E(N,K)

5. E(N,K)

SAAF Impala

K

Russian MiG


MIG in the Middle

Namibia K

Angola

1. N

2. N

3. N

4. E(N,K)

5. E(N,K)

6. E(N,K)

SAAF Impala

K

Russian MiG


Authentication Protocols


Authentication❑ Alice must prove her identity to Bob

o Alice and Bob can be humans or computers ❑ May also require Bob to prove he’s Bob (mutual

authentication) ❑ Probably need to establish a session key ❑ May have other requirements, such as

o Public keys, symmetric keys, hash functions, … o Anonymity, plausible deniability, perfect forward

secrecy, etc.


Authentication


Authentication❑ Authentication on a stand-alone computer is

relatively simple



relatively simpleo For example, hash a password with a salt



relatively simpleo For example, hash a password with a salto “Secure path,” attacks on authentication

software, keystroke logging, etc., can be issues




software, keystroke logging, etc., can be issues❑ Authentication over a network is challenging





o Attacker can passively observe messages





o Attacker can passively observe messageso Attacker can replay messages





o Attacker can passively observe messageso Attacker can replay messageso Active attacks possible (insert, delete, change)


Simple Authentication

Alice Bob



Alice Bob

“I’m Alice”



Alice Bob

“I’m Alice”

Prove it



Alice Bob

“I’m Alice”

Prove it

My password is “frank”



Alice Bob

“I’m Alice”

Prove it


❑ Simple and may be OK for standalone system



Alice Bob

“I’m Alice”

Prove it


❑ Simple and may be OK for standalone system❑ But highly insecure for networked system



Alice Bob

“I’m Alice”

Prove it



o Subject to a replay attack (next 2 slides)



Alice Bob

“I’m Alice”

Prove it



o Subject to a replay attack (next 2 slides)o Also, Bob must know Alice’s password


Authentication Attack

Alice Bob

Trudy



Alice Bob

Trudy



Alice Bob

“I’m Alice”

Trudy



Alice Bob

“I’m Alice”

Prove it

Trudy



Alice Bob

“I’m Alice”

Prove it


Trudy



BobTrudy



Bob

“I’m Alice”

Trudy



Bob

“I’m Alice”

Prove it

Trudy



Bob

“I’m Alice”

Prove it

My password is “frank”Trudy



Bob

“I’m Alice”

Prove it


❑ This is an example of a replay attack



Bob

“I’m Alice”

Prove it


❑ This is an example of a replay attack❑ How can we prevent a replay?



Alice Bob



Alice Bob

I’m Alice, my password is “frank”



Alice Bob


❑ More efficient, but…



Alice Bob


❑ More efficient, but…❑ … same problem as previous version


Better Authentication

Alice Bob



Alice Bob

“I’m Alice”



Alice Bob

“I’m Alice”

Prove it



Alice Bob

“I’m Alice”

Prove it

h(Alice’s password)



Alice Bob

“I’m Alice”

Prove it


❑ This approach hides Alice’s password o From both Bob and Trudy



Alice Bob

“I’m Alice”

Prove it


❑ This approach hides Alice’s password o From both Bob and Trudy

❑ But still subject to replay attack


Challenge-Response❑ To prevent replay, use challenge-response

o Goal is to ensure “freshness” ❑ Suppose Bob wants to authenticate Alice

o Challenge sent from Bob to Alice ❑ Challenge is chosen so that…

o Replay is not possible o Only Alice can provide the correct response o Bob can verify the response


Nonce


Nonce❑ To ensure freshness, can employ a nonce

o Nonce == number used once



o Nonce == number used once ❑ What to use for nonces?

o That is, what is the challenge?




o That is, what is the challenge?❑ What should Alice do with the nonce?

o That is, how to compute the response?





o That is, how to compute the response?❑ How can Bob verify the response?





o That is, how to compute the response?❑ How can Bob verify the response?❑ Should we use passwords or keys?


Challenge-Response

BobAlice


Challenge-Response

Bob

“I’m Alice”

Alice


Challenge-Response

Bob

“I’m Alice”

Nonce

Alice


Challenge-Response

Bob

“I’m Alice”

Nonce

h(Alice’s password, Nonce)Alice


Challenge-Response

Bob

“I’m Alice”

Nonce

h(Alice’s password, Nonce)

❑ Nonce is the challengeAlice


Challenge-Response

Bob

“I’m Alice”

Nonce


❑ Nonce is the challenge❑ The hash is the response

Alice


Challenge-Response

Bob

“I’m Alice”

Nonce


❑ Nonce is the challenge❑ The hash is the response❑ Nonce prevents replay (ensures freshness)

Alice


Challenge-Response

Bob

“I’m Alice”

Nonce


❑ Nonce is the challenge❑ The hash is the response❑ Nonce prevents replay (ensures freshness)❑ Password is something Alice knows

Alice


Challenge-Response

Bob

“I’m Alice”

Nonce


❑ Nonce is the challenge❑ The hash is the response❑ Nonce prevents replay (ensures freshness)❑ Password is something Alice knows❑ Note: Bob must know Alice’s pwd to verify

Alice


Generic Challenge-Response

BobAlice



Bob

“I’m Alice”

Alice



Bob

“I’m Alice”

Nonce

Alice



Bob

“I’m Alice”

Nonce

Something that could only beAlice from Alice, and Bob can verify



Bob

“I’m Alice”

Nonce


❑ In practice, how to achieve this?



Bob

“I’m Alice”

Nonce


❑ In practice, how to achieve this?❑ Hashed password works, but…



Bob

“I’m Alice”

Nonce


❑ In practice, how to achieve this?❑ Hashed password works, but…❑ …encryption is much better here (why?)


Symmetric Key Notation❑ Encrypt plaintext P with key K C = E(P,K) ❑ Decrypt ciphertext C with key K P = D(C,K) ❑ Here, we are concerned with attacks on

protocols, not attacks on cryptography o So, we assume crypto algorithms are secure


Authentication: Symmetric Key❑ Alice and Bob share symmetric key K❑ Key K known only to Alice and Bob ❑ Authenticate by proving knowledge of

shared symmetric key ❑ How to accomplish this?

o Cannot reveal key, must not allow replay (or other) attack, must be verifiable, …


Authenticate Alice Using Symmetric Key

Alice, K Bob, K



Alice, K Bob, K

“I’m Alice”



Alice, K Bob, K

“I’m Alice”

R



Alice, K Bob, K

“I’m Alice”

E(R,K)

R



Alice, K Bob, K

“I’m Alice”

E(R,K)

❑ Secure method for Bob to authenticate Alice

R



Alice, K Bob, K

“I’m Alice”

E(R,K)

❑ Secure method for Bob to authenticate Alice❑ But, Alice does not authenticate Bob

R



Alice, K Bob, K

“I’m Alice”

E(R,K)

❑ Secure method for Bob to authenticate Alice❑ But, Alice does not authenticate Bob❑ So, can we achieve mutual authentication?

R


Mutual Authentication?

Alice, K Bob, K



Alice, K Bob, K

“I’m Alice”, R



Alice, K Bob, K


E(R,K)



Alice, K Bob, K


E(R,K)

E(R,K)



Alice, K Bob, K


E(R,K)

E(R,K)

❑ What’s wrong with this picture?



Alice, K Bob, K


E(R,K)

E(R,K)

❑ What’s wrong with this picture?❑ “Alice” could be Trudy (or anybody else)!


Mutual Authentication❑ Since we have a secure one-way

authentication protocol… ❑ The obvious thing to do is to use the

protocol twice o Once for Bob to authenticate Alice o Once for Alice to authenticate Bob

❑ This has got to work…


Mutual Authentication

Alice, K Bob, K



Alice, K Bob, K

“I’m Alice”, RA



Alice, K Bob, K


RB, E(RA, K)



Alice, K Bob, K


RB, E(RA, K)

E(RB, K)



Alice, K Bob, K


RB, E(RA, K)

E(RB, K)

❑ This provides mutual authentication…



Alice, K Bob, K


RB, E(RA, K)

E(RB, K)

❑ This provides mutual authentication…❑ …or does it? Subject to reflection attack

o Next slide


Mutual Authentication Attack

Bob, KTrudy



Bob, K

1. “I’m Alice”, RA

Trudy



Bob, K


2. RB, E(RA, K)

Trudy



Bob, K


2. RB, E(RA, K)

Trudy

Bob, KTrudy



Bob, K


2. RB, E(RA, K)

Trudy

Bob, K

3. “I’m Alice”, RB

Trudy



Bob, K


2. RB, E(RA, K)

Trudy

Bob, K


4. RC, E(RB, K)

Trudy



Bob, K


2. RB, E(RA, K)

Trudy

Bob, K


4. RC, E(RB, K)

Trudy

5. E(RB, K)


Mutual Authentication❑ Our one-way authentication protocol is

not secure for mutual authentication o Protocols are subtle! o In this case, “obvious” solution is not secure

❑ Also, if assumptions or environment change, protocol may not be secure o This is a common source of security failure o For example, Internet protocols


Symmetric Key Mutual Authentication

Alice, K Bob, K



Alice, K Bob, K




Alice, K Bob, K


RB, E(“Bob”,RA,K)



Alice, K Bob, K



E(“Alice”,RB,K)



Alice, K Bob, K



E(“Alice”,RB,K)

❑ Do these “insignificant” changes help?



Alice, K Bob, K



E(“Alice”,RB,K)

❑ Do these “insignificant” changes help?❑ Yes!


Public Key Notation❑ Encrypt M with Alice’s public key: {M}Alice ❑ Sign M with Alice’s private key: [M]Alice ❑ Then

o [{M}Alice ]Alice = M o {[M]Alice }Alice = M

❑ Anybody can use Alice’s public key ❑ Only Alice can use her private key


Public Key Authentication

Alice Bob



Alice Bob

“I’m Alice”



Alice Bob

“I’m Alice”

{R}Alice



Alice Bob

“I’m Alice”

{R}Alice

R



Alice Bob

“I’m Alice”

{R}Alice

R

❑ Is this secure?



Alice Bob

“I’m Alice”

{R}Alice

R

❑ Is this secure?❑ Trudy can get Alice to decrypt anything!

Prevent this by having two key pairs



Alice Bob



Alice Bob

“I’m Alice”



Alice Bob

“I’m Alice”

R



Alice Bob

“I’m Alice”

R

[R]Alice



Alice Bob

“I’m Alice”

R

[R]Alice

❑ Is this secure?



Alice Bob

“I’m Alice”

R

[R]Alice

❑ Is this secure?❑ Trudy can get Alice to sign anything!

o Same a previous ⎯ should have two key pairs


Public Keys❑ Generally, a bad idea to use the same

key pair for encryption and signing ❑ Instead, should have…

o …one key pair for encryption/decryption and signing/verifying signatures…

o …and a different key pair for authentication


Session Key❑ Usually, a session key is required

o A symmetric key for current session o Used for confidentiality and/or integrity

❑ How to authenticate and establish a session key (i.e., shared symmetric key)? o When authentication completed, Alice and Bob

share a session key o Trudy cannot break the authentication… o …and Trudy cannot determine the session key


Authentication & Session Key

Alice Bob



Alice Bob




Alice Bob


{R, K}Alice



Alice Bob


{R, K}Alice

{R +1, K}Bob



Alice Bob


{R, K}Alice

{R +1, K}Bob

❑ Is this secure?



Alice Bob


{R, K}Alice

{R +1, K}Bob

❑ Is this secure?o Alice is authenticated and session key is secure



Alice Bob


{R, K}Alice

{R +1, K}Bob

❑ Is this secure?o Alice is authenticated and session key is secureo Alice’s “nonce”, R, useless to authenticate Bob



Alice Bob


{R, K}Alice

{R +1, K}Bob

❑ Is this secure?o Alice is authenticated and session key is secureo Alice’s “nonce”, R, useless to authenticate Bobo The key K is acting as Bob’s nonce to Alice



Alice Bob


{R, K}Alice

{R +1, K}Bob

❑ Is this secure?o Alice is authenticated and session key is secureo Alice’s “nonce”, R, useless to authenticate Bobo The key K is acting as Bob’s nonce to Alice

❑ No mutual authentication


Public Key Authentication and Session Key

Alice Bob



Alice Bob




Alice Bob


[R, K]Bob



Alice Bob


[R, K]Bob

[R +1, K]Alice



Alice Bob


[R, K]Bob

[R +1, K]Alice

❑ Is this secure?



Alice Bob


[R, K]Bob

[R +1, K]Alice

❑ Is this secure?o Mutual authentication (good), but…



Alice Bob


[R, K]Bob

[R +1, K]Alice

❑ Is this secure?o Mutual authentication (good), but…o … session key is not protected (very bad)



Alice Bob



Alice Bob




Alice Bob


{[R, K]Bob}Alice



Alice Bob


{[R, K]Bob}Alice

{[R +1, K]Alice}Bob



Alice Bob


{[R, K]Bob}Alice

{[R +1, K]Alice}Bob

❑ Is this secure?



Alice Bob


{[R, K]Bob}Alice

{[R +1, K]Alice}Bob

❑ Is this secure?❑ No! It’s subject to subtle MiM attack

o See the next slide…



Alice BobTrudy



Alice Bob

1. “I’m Alice”, R

Trudy



Alice Bob


Trudy

2. “I’m Trudy”, R



Alice Bob


Trudy


3. {[R, K]Bob}Trudy



Alice Bob


4. {[R, K]Bob}Alice

Trudy


3. {[R, K]Bob}Trudy



Alice Bob


4. {[R, K]Bob}Alice

5. {[R +1, K]Alice}BobTrudy


3. {[R, K]Bob}Trudy



Alice Bob


4. {[R, K]Bob}Alice

5. {[R +1, K]Alice}BobTrudy


3. {[R, K]Bob}Trudy

6. time out



Alice Bob


4. {[R, K]Bob}Alice

5. {[R +1, K]Alice}Bob

❑ Trudy can get [R, K]Bob and K from 3.

Trudy


3. {[R, K]Bob}Trudy

6. time out



Alice Bob


4. {[R, K]Bob}Alice


❑ Trudy can get [R, K]Bob and K from 3.❑ Alice uses this same key K

Trudy


3. {[R, K]Bob}Trudy

6. time out



Alice Bob


4. {[R, K]Bob}Alice


❑ Trudy can get [R, K]Bob and K from 3.❑ Alice uses this same key K ❑ And Alice thinks she’s talking to Bob

Trudy


3. {[R, K]Bob}Trudy

6. time out



Alice Bob



Alice Bob




Alice Bob


[{R, K}Alice]Bob



Alice Bob


[{R, K}Alice]Bob

[{R +1, K}Bob]Alice



Alice Bob


[{R, K}Alice]Bob

[{R +1, K}Bob]Alice

❑ Is this secure?



Alice Bob


[{R, K}Alice]Bob

[{R +1, K}Bob]Alice

❑ Is this secure?❑ Seems to be OK

o Anyone can see {R, K}Alice and {R +1, K}Bob




Public Key Authentication❑ Sign and encrypt with nonce…



o Insecure



o Insecure❑ Encrypt and sign with nonce…




o Secure




o Secure❑ Protocols can be subtle!


Perfect Forward Secrecy


Perfect Forward Secrecy❑ Consider this “issue”…

o Alice encrypts message with shared key K and sends ciphertext to Bob

o Trudy records ciphertext and later attacks Alice’s (or Bob’s) computer to recover K

o Then Trudy decrypts recorded messages





o Then Trudy decrypts recorded messages❑ Perfect forward secrecy (PFS): Trudy

cannot later decrypt recorded ciphertext o Even if Trudy gets key K or other secret(s)





o Then Trudy decrypts recorded messages❑ Perfect forward secrecy (PFS): Trudy

cannot later decrypt recorded ciphertext o Even if Trudy gets key K or other secret(s)

❑ Is PFS possible?


Perfect Forward Secrecy❑ Suppose Alice and Bob share key K ❑ For perfect forward secrecy, Alice and Bob

cannot use K to encrypt ❑ Instead they must use a session key KS and

forget it after it’s used ❑ Can Alice and Bob agree on session key KS in

a way that provides PFS?


Naïve Session Key Protocol

Alice, K Bob, K



Alice, K Bob, K

E(KS, K)



Alice, K Bob, K

E(KS, K)

E(messages, KS)



❑ Trudy could record E(KS, K)

Alice, K Bob, K

E(KS, K)

E(messages, KS)



❑ Trudy could record E(KS, K)❑ If Trudy later gets K then she can get KS

o Then Trudy can decrypt recorded messages

Alice, K Bob, K

E(KS, K)

E(messages, KS)



❑ Trudy could record E(KS, K)❑ If Trudy later gets K then she can get KS

o Then Trudy can decrypt recorded messages❑ No perfect forward secrecy in this case

Alice, K Bob, K

E(KS, K)

E(messages, KS)

Part 1 ⎯ Cryptography 121

Diffie-Hellman


Diffie-Hellman Key Exchange❑ Invented by Williamson (GCHQ) and,

independently, by D and H (Stanford) ❑ A “key exchange” algorithm

o Used to establish a shared symmetric key o Not for encrypting or signing

❑ Based on discrete log problem o Given: g, p, and gk mod p o Find: exponent k


Diffie-Hellman❑ Let p be prime, let g be a generator

o For any x ∈ {1,2,…,p-1} there is n s.t. x = gn mod p ❑ Alice selects her private value a ❑ Bob selects his private value b ❑ Alice sends ga mod p to Bob ❑ Bob sends gb mod p to Alice ❑ Both compute shared secret, gab mod p❑ Shared secret can be used as symmetric key


Diffie-Hellman❑ Public: g and p ❑ Private: Alice’s exponent a, Bob’s exponent b

Alice, a Bob, b



Alice, a Bob, b

ga mod p



Alice, a Bob, b

ga mod p

gb mod p



Alice, a Bob, b

ga mod p

gb mod p

❑ Alice computes (gb)a = gba = gab mod p ❑ Bob computes (ga)b = gab mod p❑ They can use K = gab mod p as symmetric key


Diffie-Hellman❑ Suppose Bob and Alice use Diffie-Hellman

to determine symmetric key K = gab mod p ❑ Trudy can see ga mod p and gb mod p

o But… ga gb mod p = ga+b mod p ≠ gab mod p ❑ If Trudy can find a or b, she gets K❑ If Trudy can solve discrete log problem,

she can find a or b


Diffie-Hellman❑ Subject to man-in-the-middle (MiM) attack

Alice, a Bob, bTrudy, t



Alice, a Bob, b

ga mod p

Trudy, t



Alice, a Bob, b

ga mod p

Trudy, t

gt mod p



Alice, a Bob, b

ga mod p

gb mod p

Trudy, t

gt mod p



Alice, a Bob, b

ga mod p

gb mod p

Trudy, t

gt mod p

gt mod p



Alice, a Bob, b

ga mod p

gb mod p

Trudy, t

gt mod p

gt mod p

❑ Trudy shares secret gat mod p with Alice ❑ Trudy shares secret gbt mod p with Bob ❑ Alice and Bob don’t know Trudy is MiM


Diffie-Hellman❑ How to prevent MiM attack?

o Encrypt DH exchange with symmetric key o Encrypt DH exchange with public key o Sign DH values with private key o Other?

❑ At this point, DH may look pointless… o …but it’s not (more on this later)

❑ You MUST be aware of MiM attack on Diffie-Hellman


Perfect Forward Secrecy❑ We can use Diffie-Hellman for PFS ❑ Recall: public g and p

Alice, a Bob, b



Alice, a Bob, b

ga mod p



Alice, a Bob, b

ga mod p

gb mod p



❑ But Diffie-Hellman is subject to MiMAlice, a Bob, b

ga mod p

gb mod p



❑ But Diffie-Hellman is subject to MiM❑ How to get PFS and prevent MiM?

Alice, a Bob, b

ga mod p

gb mod p



Alice: K, a Bob: K, b




E(ga mod p, K)




E(ga mod p, K)

E(gb mod p, K)



❑ Session key KS = gab mod p


E(ga mod p, K)

E(gb mod p, K)



❑ Session key KS = gab mod p❑ Alice forgets a, Bob forgets b


E(ga mod p, K)

E(gb mod p, K)



❑ Session key KS = gab mod p❑ Alice forgets a, Bob forgets b❑ This is known as Ephemeral Diffie-Hellman


E(ga mod p, K)

E(gb mod p, K)



❑ Session key KS = gab mod p❑ Alice forgets a, Bob forgets b❑ This is known as Ephemeral Diffie-Hellman❑ Neither Alice nor Bob can later recover KS


E(ga mod p, K)

E(gb mod p, K)



❑ Session key KS = gab mod p❑ Alice forgets a, Bob forgets b❑ This is known as Ephemeral Diffie-Hellman❑ Neither Alice nor Bob can later recover KS❑ Are there other ways to achieve PFS?


E(ga mod p, K)

E(gb mod p, K)


Mutual Authentication, Session Key and PFS

Alice Bob



Alice Bob




Alice Bob


RB, [RA, gb mod p]Bob



Alice Bob



[RB, ga mod p]Alice



Alice Bob



[RB, ga mod p]Alice

❑ Session key is K = gab mod p



Alice Bob



[RB, ga mod p]Alice

❑ Session key is K = gab mod p❑ Alice forgets a and Bob forgets b



Alice Bob



[RB, ga mod p]Alice

❑ Session key is K = gab mod p❑ Alice forgets a and Bob forgets b❑ If Trudy later gets Bob’s and Alice’s secrets,

she cannot recover session key K

Authentication Protocols - jaferian.comjaferian.com/nyit/3-key_exchange.pdf · Identify Friend or Foe (IFF) Namibia K Angola SAAF Impala K Russian MIG. Part 3 ⎯ Protocols 8 Identify

Documents