Part 3 ⎯ Protocols 1
Authentication Protocols

Protocol
❑ Human protocols ⎯ the rules followed in human interactions
  o Example: Asking a question in class
❑ Networking protocols ⎯ rules followed in networked communication systems
  o Examples: HTTP, FTP, etc.
❑ Security protocol ⎯ the (communication) rules followed in a security application
  o Examples: SSL, IPSec, Kerberos, etc.

Protocols
❑ Protocol flaws can be very subtle
❑ Several well-known security protocols have significant flaws
  o Including WEP, GSM, and IPSec
❑ Implementation errors can also occur
  o Recently, IE implementation of SSL
❑ Not easy to get protocols right…

Ideal Security Protocol
❑ Must satisfy security requirements
  o Requirements need to be precise
❑ Efficient
  o Minimize computational requirement
  o Minimize bandwidth usage, delays…
❑ Robust
  o Works when attacker tries to break it
  o Works if environment changes (slightly)
❑ Easy to implement, easy to use, flexible…
❑ Difficult to satisfy all of these!

Secure Entry to NSA
1. Insert badge into reader
2. Enter PIN
3. Correct PIN?
   Yes? Enter
   No? Get shot by security guard

ATM Machine Protocol
1. Insert ATM card
2. Enter PIN
3. Correct PIN?
   Yes? Conduct your transaction(s)
   No? Machine (eventually) eats card

Identify Friend or Foe (IFF)
[Figure: Namibia (holds K), Angola, SAAF Impala (holds K), Russian MiG]
1. N
2. E(N,K)

MiG in the Middle
[Figure: Namibia (holds K), Angola, SAAF Impala (holds K), Russian MiG]
1. N
2. N
3. N
4. E(N,K)
5. E(N,K)
6. E(N,K)

Authentication Protocols

Authentication
❑ Alice must prove her identity to Bob
  o Alice and Bob can be humans or computers
❑ May also require Bob to prove he’s Bob (mutual authentication)
❑ Probably need to establish a session key
❑ May have other requirements, such as
  o Public keys, symmetric keys, hash functions, …
  o Anonymity, plausible deniability, perfect forward secrecy, etc.

Authentication
❑ Authentication on a stand-alone computer is relatively simple
  o For example, hash a password with a salt
  o “Secure path,” attacks on authentication software, keystroke logging, etc., can be issues
❑ Authentication over a network is challenging
  o Attacker can passively observe messages
  o Attacker can replay messages
  o Active attacks possible (insert, delete, change)

Simple Authentication
Alice → Bob: “I’m Alice”
Bob → Alice: Prove it
Alice → Bob: My password is “frank”
❑ Simple and may be OK for standalone system
❑ But highly insecure for networked system
  o Subject to a replay attack (next 2 slides)
  o Also, Bob must know Alice’s password

Authentication Attack
[Figure: Alice and Bob exchange the messages below; Trudy is also shown]
Alice → Bob: “I’m Alice”
Bob → Alice: Prove it
Alice → Bob: My password is “frank”

Authentication Attack
Trudy → Bob: “I’m Alice”
Bob → Trudy: Prove it
Trudy → Bob: My password is “frank”
❑ This is an example of a replay attack
❑ How can we prevent a replay?

Simple Authentication
Alice → Bob: I’m Alice, my password is “frank”
❑ More efficient, but…
❑ … same problem as previous version

Better Authentication
Alice → Bob: “I’m Alice”
Bob → Alice: Prove it
Alice → Bob: h(Alice’s password)
❑ This approach hides Alice’s password
  o From both Bob and Trudy
❑ But still subject to replay attack

Challenge-Response
❑ To prevent replay, use challenge-response
  o Goal is to ensure “freshness”
❑ Suppose Bob wants to authenticate Alice
  o Challenge sent from Bob to Alice
❑ Challenge is chosen so that…
  o Replay is not possible
  o Only Alice can provide the correct response
  o Bob can verify the response

Nonce
❑ To ensure freshness, can employ a nonce
  o Nonce == number used once
❑ What to use for nonces?
  o That is, what is the challenge?
❑ What should Alice do with the nonce?
  o That is, how to compute the response?
❑ How can Bob verify the response?
❑ Should we use passwords or keys?

Challenge-Response
Alice → Bob: “I’m Alice”
Bob → Alice: Nonce
Alice → Bob: h(Alice’s password, Nonce)
❑ Nonce is the challenge
❑ The hash is the response
❑ Nonce prevents replay (ensures freshness)
❑ Password is something Alice knows
❑ Note: Bob must know Alice’s pwd to verify
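
The challenge-response exchange above, as an added example that is not part of the original slides. It assumes SHA-256 for h and a hypothetical Bob class that keeps one outstanding nonce per claimed identity; it contrasts a replayed response with the nonce-less h(password) variant shown earlier.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store (the slides' own example password).
PASSWORD_DB = {"Alice": "frank"}


def h(password: str, nonce: bytes) -> bytes:
    """The slides' h(password, Nonce), instantiated here with SHA-256 (assumption)."""
    return hashlib.sha256(password.encode() + b"|" + nonce).digest()


class Bob:
    """Hypothetical verifier: one fresh nonce per attempt, accepted at most once."""

    def __init__(self, password_db):
        self.password_db = password_db
        self.pending = {}  # claimed identity -> outstanding nonce

    def challenge(self, claimed_id: str) -> bytes:
        nonce = secrets.token_bytes(16)  # unpredictable and never reused
        self.pending[claimed_id] = nonce
        return nonce

    def verify(self, claimed_id: str, response: bytes) -> bool:
        # pop() makes the nonce single-use: every attempt needs a new challenge.
        nonce = self.pending.pop(claimed_id, None)
        if nonce is None or claimed_id not in self.password_db:
            return False
        expected = h(self.password_db[claimed_id], nonce)
        return hmac.compare_digest(expected, response)


def honest_login(bob: Bob):
    """Alice answers Bob's challenge. Returns (accepted, response seen on the wire)."""
    nonce = bob.challenge("Alice")
    response = h("frank", nonce)
    return bob.verify("Alice", response), response


def replay_login(bob: Bob, captured_response: bytes) -> bool:
    """Trudy claims to be Alice and resends a response she recorded earlier."""
    bob.challenge("Alice")  # Bob issues a fresh nonce the old response does not match
    return bob.verify("Alice", captured_response)


def static_hash_replay() -> bool:
    """The nonce-less 'Better Authentication' variant: the response is always
    h(password), so a recorded copy verifies again."""
    stored = hashlib.sha256(b"frank").digest()
    captured = hashlib.sha256(b"frank").digest()  # what Trudy recorded
    return hmac.compare_digest(stored, captured)


if __name__ == "__main__":
    bob = Bob(PASSWORD_DB)
    ok, wire = honest_login(bob)
    print("honest login accepted:", ok)
    print("replayed response accepted:", replay_login(bob, wire))
    print("replay of nonce-less hash accepted:", static_hash_replay())
```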

Generic Challenge-Response
Alice → Bob: “I’m Alice”
Bob → Alice: Nonce
Alice → Bob: Something that could only be from Alice, and Bob can verify
❑ In practice, how to achieve this?
❑ Hashed password works, but…
❑ …encryption is much better here (why?)

Symmetric Key Notation
❑ Encrypt plaintext P with key K
  C = E(P,K)
❑ Decrypt ciphertext C with key K
  P = D(C,K)
❑ Here, we are concerned with attacks on protocols, not attacks on cryptography
  o So, we assume crypto algorithms are secure

Authentication: Symmetric Key
❑ Alice and Bob share symmetric key K
❑ Key K known only to Alice and Bob
❑ Authenticate by proving knowledge of shared symmetric key
❑ How to accomplish this?
  o Cannot reveal key, must not allow replay (or other) attack, must be verifiable, …

Authenticate Alice Using Symmetric Key
Parties: Alice (holds K), Bob (holds K)
Alice → Bob: “I’m Alice”
Bob → Alice: R
Alice → Bob: E(R,K)
❑ Secure method for Bob to authenticate Alice
❑ But, Alice does not authenticate Bob
❑ So, can we achieve mutual authentication?

Mutual Authentication?
Parties: Alice (holds K), Bob (holds K)
Alice → Bob: “I’m Alice”, R
Bob → Alice: E(R,K)
Alice → Bob: E(R,K)
❑ What’s wrong with this picture?
❑ “Alice” could be Trudy (or anybody else)!

Mutual Authentication
❑ Since we have a secure one-way authentication protocol…
❑ The obvious thing to do is to use the protocol twice
  o Once for Bob to authenticate Alice
  o Once for Alice to authenticate Bob
❑ This has got to work…

Mutual Authentication
Parties: Alice (holds K), Bob (holds K)
Alice → Bob: “I’m Alice”, R_A
Bob → Alice: R_B, E(R_A, K)
Alice → Bob: E(R_B, K)
❑ This provides mutual authentication…
❑ …or does it? Subject to reflection attack
  o Next slide

Mutual Authentication Attack
First connection (Trudy and Bob, who holds K):
1. Trudy → Bob: “I’m Alice”, R_A
2. Bob → Trudy: R_B, E(R_A, K)
Second connection (Trudy and Bob, who holds K):
3. Trudy → Bob: “I’m Alice”, R_B
4. Bob → Trudy: R_C, E(R_B, K)
First connection, continued:
5. Trudy → Bob: E(R_B, K)

Mutual Authentication
❑ Our one-way authentication protocol is not secure for mutual authentication
  o Protocols are subtle!
  o In this case, “obvious” solution is not secure
❑ Also, if assumptions or environment change, protocol may not be secure
  o This is a common source of security failure
  o For example, Internet protocols

Symmetric Key Mutual Authentication
Parties: Alice (holds K), Bob (holds K)
Alice → Bob: “I’m Alice”, R_A
Bob → Alice: R_B, E(“Bob”,R_A,K)
Alice → Bob: E(“Alice”,R_B,K)
❑ Do these “insignificant” changes help?
❑ Yes!
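
Why binding the sender's name into the encrypted value defeats the reflection shown in "Mutual Authentication Attack", as an added example that is not part of the original slides. HMAC-SHA256 stands in for E(…, K) (Bob verifies by recomputing), and BobSession is a hypothetical class; Trudy's code never reads K.

```python
import hashlib
import hmac
import secrets

K = secrets.token_bytes(32)  # shared by Alice and Bob only


def E(*fields: bytes, key: bytes) -> bytes:
    """Stand-in for the slides' E(..., K): HMAC-SHA256 over length-prefixed fields."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class BobSession:
    """One connection to Bob (hypothetical class).
    bind_identity=False: the 'Mutual Authentication' protocol, E(R_A, K) / E(R_B, K).
    bind_identity=True:  the corrected protocol, E("Bob", R_A, K) / E("Alice", R_B, K).
    """

    def __init__(self, key: bytes, bind_identity: bool):
        self.key = key
        self.bind = bind_identity
        self.rb = None

    def msg1(self, claimed_id: str, ra: bytes):
        """Receive "I'm Alice", R_A; reply with R_B and Bob's proof over R_A."""
        self.rb = secrets.token_bytes(16)
        if self.bind:
            proof = E(b"Bob", ra, key=self.key)
        else:
            proof = E(ra, key=self.key)
        return self.rb, proof

    def msg3(self, response: bytes) -> bool:
        """Receive the peer's proof over R_B and check it."""
        if self.rb is None:
            return False
        if self.bind:
            expected = E(b"Alice", self.rb, key=self.key)
        else:
            expected = E(self.rb, key=self.key)
        return hmac.compare_digest(expected, response)


def reflection_attempt(bind_identity: bool) -> bool:
    """Trudy opens two connections and feeds Bob's own output back to him."""
    first = BobSession(K, bind_identity)
    rb, _ = first.msg1("Alice", secrets.token_bytes(16))  # messages 1 and 2
    second = BobSession(K, bind_identity)
    _, reflected = second.msg1("Alice", rb)               # messages 3 and 4
    return first.msg3(reflected)                          # message 5


def honest_run(bind_identity: bool) -> bool:
    """Alice, who holds K, checks Bob's proof and then answers his challenge."""
    bob = BobSession(K, bind_identity)
    ra = secrets.token_bytes(16)
    rb, proof = bob.msg1("Alice", ra)
    expected = E(b"Bob", ra, key=K) if bind_identity else E(ra, key=K)
    if not hmac.compare_digest(expected, proof):
        return False
    response = E(b"Alice", rb, key=K) if bind_identity else E(rb, key=K)
    return bob.msg3(response)


if __name__ == "__main__":
    print("reflection accepted without identity binding:", reflection_attempt(False))
    print("reflection accepted with identity binding:   ", reflection_attempt(True))
    print("honest Alice accepted (both variants):       ",
          honest_run(False) and honest_run(True))
```

With the names included, the value Bob produces in the second connection is E(“Bob”, R_B, K), which is not the E(“Alice”, R_B, K) the first connection is waiting for.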

Public Key Notation
❑ Encrypt M with Alice’s public key: {M}_Alice
❑ Sign M with Alice’s private key: [M]_Alice
❑ Then
  o [{M}_Alice]_Alice = M
  o {[M]_Alice}_Alice = M
❑ Anybody can use Alice’s public key
❑ Only Alice can use her private key

Public Key Authentication
Alice → Bob: “I’m Alice”
Bob → Alice: {R}_Alice
Alice → Bob: R
❑ Is this secure?
❑ Trudy can get Alice to decrypt anything!
  o Prevent this by having two key pairs

Public Key Authentication
Alice → Bob: “I’m Alice”
Bob → Alice: R
Alice → Bob: [R]_Alice
❑ Is this secure?
❑ Trudy can get Alice to sign anything!
  o Same as previous ⎯ should have two key pairs

Public Keys
❑ Generally, a bad idea to use the same key pair for encryption and signing
❑ Instead, should have…
  o …one key pair for encryption/decryption and signing/verifying signatures…
  o …and a different key pair for authentication

Session Key
❑ Usually, a session key is required
  o A symmetric key for current session
  o Used for confidentiality and/or integrity
❑ How to authenticate and establish a session key (i.e., shared symmetric key)?
  o When authentication completed, Alice and Bob share a session key
  o Trudy cannot break the authentication…
  o …and Trudy cannot determine the session key

Authentication & Session Key
Alice → Bob: “I’m Alice”, R
Bob → Alice: {R, K}_Alice
Alice → Bob: {R +1, K}_Bob
❑ Is this secure?
  o Alice is authenticated and session key is secure
  o Alice’s “nonce”, R, useless to authenticate Bob
  o The key K is acting as Bob’s nonce to Alice
❑ No mutual authentication

Public Key Authentication and Session Key
Alice → Bob: “I’m Alice”, R
Bob → Alice: [R, K]_Bob
Alice → Bob: [R +1, K]_Alice
❑ Is this secure?
  o Mutual authentication (good), but…
  o … session key is not protected (very bad)

Public Key Authentication and Session Key
Alice → Bob: “I’m Alice”, R
Bob → Alice: {[R, K]_Bob}_Alice
Alice → Bob: {[R +1, K]_Alice}_Bob
❑ Is this secure?
❑ No! It’s subject to subtle MiM attack
  o See the next slide…

Public Key Authentication and Session Key
Parties: Alice, Trudy, Bob
1. Alice → Trudy: “I’m Alice”, R
2. Trudy → Bob: “I’m Trudy”, R
3. Bob → Trudy: {[R, K]_Bob}_Trudy
4. Trudy → Alice: {[R, K]_Bob}_Alice
5. Alice → Trudy: {[R +1, K]_Alice}_Bob
6. Trudy ↔ Bob: time out
❑ Trudy can get [R, K]_Bob and K from 3.
❑ Alice uses this same key K
❑ And Alice thinks she’s talking to Bob

Public Key Authentication and Session Key
Alice → Bob: “I’m Alice”, R
Bob → Alice: [{R, K}_Alice]_Bob
Alice → Bob: [{R +1, K}_Bob]_Alice
❑ Is this secure?
❑ Seems to be OK
  o Anyone can see {R, K}_Alice and {R +1, K}_Bob

Public Key Authentication
❑ Sign and encrypt with nonce…
  o Insecure
❑ Encrypt and sign with nonce…
  o Secure
❑ Protocols can be subtle!

Perfect Forward Secrecy
❑ Consider this “issue”…
  o Alice encrypts message with shared key K and sends ciphertext to Bob
  o Trudy records ciphertext and later attacks Alice’s (or Bob’s) computer to recover K
  o Then Trudy decrypts recorded messages
❑ Perfect forward secrecy (PFS): Trudy cannot later decrypt recorded ciphertext
  o Even if Trudy gets key K or other secret(s)
❑ Is PFS possible?

Perfect Forward Secrecy
❑ Suppose Alice and Bob share key K
❑ For perfect forward secrecy, Alice and Bob cannot use K to encrypt
❑ Instead they must use a session key K_S and forget it after it’s used
❑ Can Alice and Bob agree on session key K_S in a way that provides PFS?

Naïve Session Key Protocol
Parties: Alice (holds K), Bob (holds K)
Alice → Bob: E(K_S, K)
Alice → Bob: E(messages, K_S)
❑ Trudy could record E(K_S, K)
❑ If Trudy later gets K then she can get K_S
  o Then Trudy can decrypt recorded messages
❑ No perfect forward secrecy in this case
Part 1 ⎯ Cryptography 121
Diffie-Hellman

Diffie-Hellman Key Exchange
❑ Invented by Williamson (GCHQ) and, independently, by D and H (Stanford)
❑ A “key exchange” algorithm
  o Used to establish a shared symmetric key
  o Not for encrypting or signing
❑ Based on discrete log problem
  o Given: g, p, and g^k mod p
  o Find: exponent k

Diffie-Hellman
❑ Let p be prime, let g be a generator
  o For any x ∈ {1,2,…,p-1} there is n s.t. x = g^n mod p
❑ Alice selects her private value a
❑ Bob selects his private value b
❑ Alice sends g^a mod p to Bob
❑ Bob sends g^b mod p to Alice
❑ Both compute shared secret, g^(ab) mod p
❑ Shared secret can be used as symmetric key

Diffie-Hellman
❑ Public: g and p
❑ Private: Alice’s exponent a, Bob’s exponent b
Alice → Bob: g^a mod p
Bob → Alice: g^b mod p
❑ Alice computes (g^b)^a = g^(ba) = g^(ab) mod p
❑ Bob computes (g^a)^b = g^(ab) mod p
❑ They can use K = g^(ab) mod p as symmetric key

Diffie-Hellman
❑ Suppose Bob and Alice use Diffie-Hellman to determine symmetric key K = g^(ab) mod p
❑ Trudy can see g^a mod p and g^b mod p
  o But… g^a g^b mod p = g^(a+b) mod p ≠ g^(ab) mod p
❑ If Trudy can find a or b, she gets K
❑ If Trudy can solve discrete log problem, she can find a or b

Diffie-Hellman
❑ Subject to man-in-the-middle (MiM) attack
Parties: Alice (a), Trudy (t), Bob (b)
Alice → Trudy: g^a mod p
Trudy → Bob: g^t mod p
Bob → Trudy: g^b mod p
Trudy → Alice: g^t mod p
❑ Trudy shares secret g^(at) mod p with Alice
❑ Trudy shares secret g^(bt) mod p with Bob
❑ Alice and Bob don’t know Trudy is MiM

Diffie-Hellman
❑ How to prevent MiM attack?
  o Encrypt DH exchange with symmetric key
  o Encrypt DH exchange with public key
  o Sign DH values with private key
  o Other?
❑ At this point, DH may look pointless…
  o …but it’s not (more on this later)
❑ You MUST be aware of MiM attack on Diffie-Hellman

Perfect Forward Secrecy
❑ We can use Diffie-Hellman for PFS
❑ Recall: public g and p
Parties: Alice (a), Bob (b)
Alice → Bob: g^a mod p
Bob → Alice: g^b mod p
❑ But Diffie-Hellman is subject to MiM
❑ How to get PFS and prevent MiM?

Perfect Forward Secrecy
Parties: Alice (holds K, a), Bob (holds K, b)
Alice → Bob: E(g^a mod p, K)
Bob → Alice: E(g^b mod p, K)
❑ Session key K_S = g^(ab) mod p
❑ Alice forgets a, Bob forgets b
❑ This is known as Ephemeral Diffie-Hellman
❑ Neither Alice nor Bob can later recover K_S
❑ Are there other ways to achieve PFS?
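
The naïve session key protocol next to the ephemeral Diffie-Hellman exchange above, as an added example that is not part of the original slides. It shows what a recorded transcript yields once the long-term key K leaks; the toy XOR cipher used for E, the 127-bit prime and g = 3 are assumptions chosen so the code runs with the standard library, not parameters fit for real use.

```python
import hashlib
import secrets

# Toy public Diffie-Hellman parameters (assumption: far too small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3


def E(data: bytes, key: bytes, label: bytes) -> bytes:
    """Toy stand-in for E(., K): XOR with a SHA-256 keystream bound to a label.
    XOR is its own inverse, so the same call decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def to_bytes(x: int) -> bytes:
    return x.to_bytes(16, "big")  # every value below P fits in 16 bytes


def naive_session(k: bytes, message: bytes) -> list:
    """Naive protocol: send E(K_S, K), then E(messages, K_S). Returns the transcript."""
    ks = secrets.token_bytes(16)
    return [E(ks, k, b"key"), E(message, ks, b"msg")]


def ephemeral_dh_session(k: bytes, message: bytes) -> list:
    """Ephemeral DH: send E(g^a mod p, K) and E(g^b mod p, K); K_S = g^(ab) mod p."""
    a = secrets.randbelow(P - 3) + 2  # Alice's one-time exponent
    b = secrets.randbelow(P - 3) + 2  # Bob's one-time exponent
    ga, gb = pow(G, a, P), pow(G, b, P)
    shared_alice = pow(gb, a, P)
    shared_bob = pow(ga, b, P)
    assert shared_alice == shared_bob  # both sides hold g^(ab) mod p
    ks = hashlib.sha256(to_bytes(shared_alice)).digest()
    transcript = [E(to_bytes(ga), k, b"A"), E(to_bytes(gb), k, b"B"),
                  E(message, ks, b"msg")]
    del a, b, shared_alice, shared_bob, ks  # "Alice forgets a, Bob forgets b"
    return transcript


def trudy_vs_naive(k: bytes, transcript: list) -> bytes:
    """Trudy holds the recording and later obtains K: K_S falls out directly."""
    ks = E(transcript[0], k, b"key")
    return E(transcript[1], ks, b"msg")


def trudy_vs_dh(k: bytes, transcript: list) -> list:
    """With K, Trudy recovers only g^a and g^b. She tries what she can build from
    them, including g^a * g^b = g^(a+b), which is not g^(ab)."""
    ga = int.from_bytes(E(transcript[0], k, b"A"), "big")
    gb = int.from_bytes(E(transcript[1], k, b"B"), "big")
    guesses = [ga, gb, (ga * gb) % P]
    return [E(transcript[2], hashlib.sha256(to_bytes(g)).digest(), b"msg")
            for g in guesses]


if __name__ == "__main__":
    K = secrets.token_bytes(16)
    msg = b"constructed sample message"
    print("naive protocol, after K leaks:", trudy_vs_naive(K, naive_session(K, msg)))
    print("ephemeral DH, message recovered:",
          msg in trudy_vs_dh(K, ephemeral_dh_session(K, msg)))
```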

Mutual Authentication, Session Key and PFS
Alice → Bob: “I’m Alice”, R_A
Bob → Alice: R_B, [R_A, g^b mod p]_Bob
Alice → Bob: [R_B, g^a mod p]_Alice
❑ Session key is K = g^(ab) mod p
❑ Alice forgets a and Bob forgets b
❑ If Trudy later gets Bob’s and Alice’s secrets, she cannot recover session key K