
CIS/TCOM 551 Computer and Network Security Slide Set 5

CIS/TCOM 551 Computer and Network Security Slide Set 5. Carl A. Gunter Spring 2004. Protocols. Overview Entity Authentication Key Establishment. General Definition of “Protocol”.


Presentation Transcript


  1. CIS/TCOM 551 Computer and Network Security, Slide Set 5. Carl A. Gunter, Spring 2004

  2. Protocols • Overview • Entity Authentication • Key Establishment

  3. General Definition of “Protocol” • A protocol is a multi-party algorithm, defined by a sequence of steps precisely specifying the actions required of two or more parties in order to achieve a specified objective.

  4. Arbitrated Protocols

  5. Adjudicated Protocols

  6. Self-Enforcing Protocols

  7. Protocol Sample Threat • Common strategy. • Encrypt for confidentiality. • Sign for integrity. • Is it better to sign then encrypt? • Or is it better to encrypt then sign? • There is a pitfall.

  8. Messages
  • Sign then encrypt: P -> R : ER(M, DP(M))
  • R decodes with DR and verifies with EP: EP(DP(M)) = M ?
  • Encrypt then sign: P -> R : ER(M), DP(ER(M))
  • R decodes with DR and verifies with EP: EP(DP(ER(M))) = ER(M) ?

  9. Pitfall
  • Interception scenario (O intercepts the message intended for R):
  • P -> O (R) : ER(M), DP(ER(M))
  • O -> R : ER(M), DO(ER(M))
  • R might think that M came from O.
  • Is this really a problem?
  • To be safe: sign then encrypt.

  10. Foundations of Authentication • Authentication is based on one or more of the following: • Something you know. • Something you have. • Something inherent about you.

  11. Entity Authentication • Aims and Threats • Weak Security: Passwords • Strong Security: Challenge-Response

  12. Typical Setup (figure: claimant sends Userid (identification) and Password (authentication) to verifier) • Terminology: identification will be used to refer to the combination of claimed identity and its authentication.

  13. Aim • For honest parties, the claimant A is able to authenticate itself to the verifier B. That is, B will complete the protocol having accepted A’s identity.

  14. Threats • Transferability: B cannot reuse an identification exchange with A to successfully impersonate A to a third party C. • Impersonation: The probability is negligible that a party C distinct from A can carry out the protocol in the role of A and cause B to accept it as having A’s identity.

  15. Assumptions • A large number of previous authentications between A and B may have been observed. • The adversary C has participated in previous protocol executions with A and/or B. • Multiple instances of the protocol, possibly instantiated by C, may be run simultaneously.

  16. Attacks Not Addressed • Identification affirms that communication with the expected party occurred at a given point in time. • Two active attacks are not addressed: • Usurpation: The session beginning with the identification is “usurped” by the attacker as a man-in-the-middle. • Grand Master Postal Attack Problem: A man-in-the-middle relays messages between two parties without changing them.

  17. Unix Passwords • Humans need memorable keys, so care must be taken to use these keys properly. • Password Security: A Case History, Robert Morris and Ken Thompson, CACM v22 (1979), 594-597.

  18. Make a File of Passwords • At first Unix was implemented with a password file holding the actual passwords of users. • This was vulnerable to many lapses • Copies were made by privileged users • Copies were made by bugs: classic example posted password file on daily message file • Physical access to backup was a vulnerability • Information from the password file needed to be replicated into many other files

  19. First Approach • Encrypt the passwords and keep the encrypted version. • Take the password from the user, encrypt it, and compare with password file entry. • Problems • poor user selection of passwords • online dictionary attack • On a PDP-11/70 it was possible to compute the encryptions of all passwords using 6 lower-case letters in about 107 hours.

  20. Heuristics for Guessing • The dictionary with the words spelled backwards • A list of first names (best obtained from some mailing list). Last names, street names, and city names also work well. • The above with initial upper-case letters. • All valid license plate numbers in your state. (About 5 hours work in 1979 for New Jersey.) • Room numbers, social security numbers, telephone numbers, and the like.

  21. A Survey of 3,289 Passwords • With no constraints on choice of password, Morris and Thompson got the following results: • 15 were a single ASCII letter. • 72 were strings of two ASCII letters. • 464 were strings of three ASCII letters. • 47 were strings of four alphanumerics. • 706 were five letters, all upper-case or all lower-case. • 605 were six letters, all lower case.

  22. Risk in Password Restrictions • An installation required users to accept a machine-selected password. • These were 8 characters long (lower case and digits) and generated from a pseudorandom number generator. • There were only 2**15 starting values (seeds). • Time to search strings of length 8 required 112 years (on machines of the time). • Time to check 2**15 seeds, not long!

  23. Improvements to First Approach • Slower encryption: use password to create a key, then encrypt a constant using 25 iterations of the DES algorithm. • Enforce password rules. • “Mess up” DES: change algorithm so that stock hardware cannot be used.

  24. Slowing Dictionary Attacks • “Salt” the passwords by adding random bits. • Makes dictionary attacks more expensive. • Decreases the likelihood that two identical passwords will appear as identical entries in the password file. • 12 bit salt results in 4,096 versions of each password.

  25. Classic Unix Crypt – part 1 • Supplied by the user: a password P, truncated to 8 characters by the system. • Held by the system: a 77 bit value consisting of a 12 bit salt S and cryptographic hash derived as follows. • Pad password with zeros if necessary to get 56 bit key K.

  26. Classic Unix Crypt – part 2 • Create a modified DES with expansion permutations (32 to 48 bits) determined by S. • Use K as a DES key to encrypt a 64 bit block of zeros, running the encryption 25 times. • This yields a 64 bit ciphertext. Add the 12 bit salt and represent this as 11 7-bit characters.
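The following is an added example (not code from the slides) of the construction slides 24 to 26 describe: a per-user random salt stored beside a deliberately slow one-way transformation of the password, with verification done by recomputing rather than decrypting. It substitutes PBKDF2-HMAC-SHA256 with 100,000 rounds for the 25 iterations of modified DES and a 16-byte salt for the 12-bit salt; those parameters, and the `salt$hash` entry format, are assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (not the 1979 crypt(3) parameters): the round count plays
# the role of the 25 DES iterations, the salt length the role of the 12-bit salt.
ROUNDS = 100_000
SALT_BYTES = 16


def make_entry(password: str, salt: Optional[bytes] = None) -> str:
    """Build a password-file entry 'salt$hash' (both hex).

    A fresh random salt is drawn unless one is supplied, so two users with the
    same password normally get different entries.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, entry: str) -> bool:
    """Check a login attempt: recompute with the stored salt, compare in constant time."""
    salt_hex, stored_hex = entry.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ROUNDS
    )
    return hmac.compare_digest(digest.hex(), stored_hex)


if __name__ == "__main__":
    entry = make_entry("correct horse battery")   # constructed sample password
    print(entry)
    print(verify("correct horse battery", entry), verify("wrong", entry))
```

Because the salt is stored in the clear, the verifier needs nothing secret to check a password; what the salt buys is that a precomputed table of hashes has to be rebuilt once per salt value, which is the "4,096 versions of each password" point of slide 24.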

  27. One Time Passwords • Shared lists. • Sequentially updated. • One-time password sequences based on a one-way function.

  28. Hash-based 1-time Passwords • A claimant identifies itself to verifier B using a one-way hash function H. • One-time setup: • A chooses a secret w. • Fixes a constant t for the number of times the verification can be done. • A securely transfers H**t(w) to B. • Protocol messages. For the i’th identification where 1 <= i <= t: • A -> B: A, i, H**(t-i)(w)

  29. Hash-based 1-time Passwords • Protocol actions. For session i, claimant A does the following to identify itself: • A computes w’ = H**(t-i)(w) and transmits the value to B. • B checks that i is the correct session (i.e. that the previous session was i-1) and checks to see if H(v) = w’ where v was the last value provided by A (as part of session i-1). • B saves w’ and i for use in the next session.

  30. Challenge-Response • Background. • Random numbers (nonces). • Sequence numbers. • Timestamps. • Symmetric keys. • With timestamps or random numbers. • MACs. • Asymmetric keys. • With encryption or signature.

  31. Replay • Replay is the threat in which a transmission is observed by an eavesdropper who subsequently reuses it as part of a protocol, possibly to impersonate the original sender. • Example: monitor the first part of a telnet session to obtain a sequence of transmissions sufficient to get a log-in. • There are 3 general strategies for defeating replay attacks: nonces, timestamps, and sequence numbers.

  32. Random Numbers • A random number is a number chosen unpredictably in a range. • In a challenge-response protocol they are used as follows. • The verifier chooses a (new) random number and provides it to the claimant. • The claimant performs an operation on it showing knowledge of a secret. • This information is bound inseparably to the random number and returned to the verifier for examination. • A timeout period is used to ensure “freshness”.

  33. Sequence Numbers • Sequence numbers provide a sequential or monotonic counter on messages. • If a message is replayed and the original message was received, the replay will have an old or too-small sequence number and be discarded. • Cannot detect forced delay. • Difficult to maintain when there are system failures.

  34. Time Stamps • The claimant sends a message with a timestamp. • The verifier checks that it falls within an acceptance window of time. • The last timestamp received is held, and identification requests with older timestamps are ignored. • Good only if clock synchronization is close enough for acceptance window.

  35. Unilateral Symmetric Key
  • Unilateral authentication with timestamp generated by A:
  • A -> B : E(K, (t, B))
  • Unilateral authentication with random number generated by B:
  • B -> A : r
  • A -> B : E(K, (r, B))
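An added example (not from the slides) of the timestamp-based unilateral authentication of slides 34 and 35, showing the verifier-side checks slide 34 lists: an acceptance window around B's clock, a record of the last timestamp accepted so that older or repeated messages are ignored, and the target identity B bound into the message. The slide writes the message as E(K, (t, B)); this example binds (t, B) with an HMAC tag under K instead of encrypting, which, together with the window size and the constructed key, is an assumption of the example.

```python
import hashlib
import hmac
import struct

ACCEPT_WINDOW = 30   # seconds either side of the verifier's clock (example parameter)


def _bind(key: bytes, t: int, target: str) -> bytes:
    # Integrity binding of (t, B) under the shared key K.  An HMAC tag over the
    # same fields stands in for the slide's E(K, (t, B)); this is an assumption.
    return hmac.new(key, struct.pack(">q", t) + target.encode(), hashlib.sha256).digest()


def make_auth_message(key: bytes, t: int, target: str) -> tuple:
    """A -> B : (t, B, tag).  t is A's clock reading in Unix seconds."""
    return (t, target, _bind(key, t, target))


class TimestampVerifier:
    """B's state: shared key, acceptance window and the last timestamp accepted."""

    def __init__(self, name: str, key: bytes, window: int = ACCEPT_WINDOW):
        self.name, self.key, self.window = name, key, window
        self.last_t = None

    def accept(self, message: tuple, now: int) -> bool:
        t, target, tag = message
        # 1. The tag must be valid under K for exactly these fields.
        if not hmac.compare_digest(tag, _bind(self.key, t, target)):
            return False
        # 2. The message must name this verifier, so it cannot be reused against C.
        if target != self.name:
            return False
        # 3. Freshness: inside the acceptance window around B's clock.
        if abs(now - t) > self.window:
            return False
        # 4. Replay: not older than, or equal to, the last accepted timestamp.
        if self.last_t is not None and t <= self.last_t:
            return False
        self.last_t = t
        return True


if __name__ == "__main__":
    K = b"constructed shared key K"
    b = TimestampVerifier("B", K)
    m = make_auth_message(K, 1000, "B")
    print(b.accept(m, 1005), b.accept(m, 1006))   # fresh, then replayed
```

The order of the checks matters for robustness rather than correctness: the tag is verified first so that an unauthenticated message cannot influence B's replay state, and `last_t` is only updated once every check has passed.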

  36. Mutual Symmetric Key
  • Using random numbers:
  • B -> A: rB
  • A -> B: E(K, (rA, rB, B))
  • B -> A: E(K, (rB, rA))

  37. Mutual MAC Function
  • Let H be a hash function and K be a shared secret between A and B.
  • B -> A: rB
  • A -> B: rA, H(K, (rA, rB, B))
  • B -> A: H(K, (rB, rA, A))
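An added example (not from the slides) of the three-message mutual MAC protocol of slide 37, with both parties' messages and the controls slide 44 names: the two nonces are chained through both tags, and the target identity is embedded in each response. HMAC-SHA256 as H(K, ·), the length-prefixed encoding of the tuple, and the `Party` class are assumptions of the example.

```python
import hashlib
import hmac
import os


def mac(key: bytes, *parts: bytes) -> bytes:
    """H(K, (parts...)): HMAC over a length-prefixed encoding of the tuple.

    Length prefixes keep (rA, rB, B) from colliding with a different split of
    the same bytes (an encoding choice of this example).
    """
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


class Party:
    """One principal holding the shared key K; can act as claimant or verifier."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name.encode(), key

    # Message 1 (B as verifier): B -> A: rB
    def challenge(self) -> bytes:
        self.rB = os.urandom(16)
        return self.rB

    # Message 2 (A as claimant): A -> B: rA, H(K, (rA, rB, B))
    def respond(self, rB: bytes, target: str) -> tuple:
        self.rA, self.rB_seen = os.urandom(16), rB
        return self.rA, mac(self.key, self.rA, rB, target.encode())

    # B checks message 2; on success returns message 3: H(K, (rB, rA, A))
    def verify_response(self, rA: bytes, tag: bytes, claimant: str):
        expected = mac(self.key, rA, self.rB, self.name)   # target must be B itself
        if not hmac.compare_digest(tag, expected):
            return None
        return mac(self.key, self.rB, rA, claimant.encode())

    # A checks message 3 against its own nonce, the challenge it saw, and its name.
    def verify_final(self, tag: bytes) -> bool:
        expected = mac(self.key, self.rB_seen, self.rA, self.name)
        return hmac.compare_digest(tag, expected)


def run_mutual(a: Party, b: Party) -> bool:
    """Run the full exchange between claimant a and verifier b."""
    rB = b.challenge()
    rA, tag1 = a.respond(rB, target="B")
    tag2 = b.verify_response(rA, tag1, claimant="A")
    if tag2 is None:
        return False
    return a.verify_final(tag2)


if __name__ == "__main__":
    K = b"constructed shared key"   # constructed sample key
    print(run_mutual(Party("A", K), Party("B", K)))
```

The identity field is what defeats reflection: if B's own challenge rB is played back to a second instance of B, that instance answers with a tag over (rX, rB, A), which the first instance, expecting (rX, rB, B), rejects. Because rA is chosen by A and included in the tag, no response is ever a MAC over a value B alone selected, which is the "confounder" control of slide 45.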

  38. Passkey Systems (figure: claimant A with a passcode generator holding a PIN and secret S; verifier B with a secret database and challenge generator; flow: login request, challenge e, displayed response y = F(PIN, challenge), compare)

  39. Unilateral Public Key Decryption
  • Encryption under A’s public key is EA:
  • B -> A : H(r), B, EA(r, B)
  • A -> B : r
  • The witness H(r) shows knowledge of r and prevents chosen plaintext attacks on EA.

  40. Mutual Public Key Decryption
  • Let EA and EB be the encryption functions for the public keys of A and B respectively.
  • A -> B: EB(rA, A)
  • B -> A: EA(rA, rB)
  • A -> B: rB

  41. Unilateral Digital Signatures
  • Let SA and SB be the signature functions of A and B respectively.
  • Unilateral authentication with timestamps:
  • A -> B: t, B, SA(t, B)
  • Unilateral authentication with random numbers:
  • B -> A: rB
  • A -> B: rA, B, SA(rA, rB, B)
  • The rA prevents chosen plaintext attacks.

  42. Mutual Digital Signatures
  • Using random numbers:
  • B -> A: rB
  • A -> B: rA, B, SA(rA, rB, B)
  • B -> A: A, SB(rB, rA, A)

  43. Primary Attacks • Impersonation. • Replay. • Interleaving. • Reflection. • Forced delay. • Chosen plaintext.

  44. Primary Controls • Replay: use of challenge-response techniques and embedding target identity in response. • Interleaving: link messages in a run with chained nonces. • Reflection: embed identifier of target party in challenge response, use asymmetric message formats, use uni-directional keys.

  45. Primary Controls, continued • Chosen text: embed self-chosen random numbers (“confounders”) in responses, use “zero knowledge” techniques. • Forced delays: use random numbers with short timeouts, use timestamps with other techniques.

  46. Multiple Use of Keys
  • There are risks in using keys for multiple purposes.
  • Using an RSA key for both entity authentication and signatures may allow a chosen-text attack.
  • B is attacker/verifier and chooses rB = H(M) for some message M.
  • B -> A: rB
  • A -> B: B, SA(rB)
  • B(A) -> C: M, SA(H(M)) (B, pretending to be A)

  47. Effective Control
  • Notice how the protocol described earlier foils this. Here’s the protocol:
  • B -> A: rB
  • A -> B: rA, B, SA(rA, rB, B)
  • Here’s what happens:
  • B -> A: rB
  • A -> B: rA, B, SA(rA, rB, B)
  • B(A) -> C: M, SA(rA, H(M), B)
  • C finds that SA(rA, H(M), B) ≠ SA(H(M)) and rejects the signature.

  48. Usurpation Attacks • Identification protocols provide assurances corroborating the identity of an entity only at a given instant in time. • Techniques to assure ongoing authenticity: • Periodic re-identification. • Tying identification to an ongoing integrity service. For example: key establishment and encryption.

  49. Key Establishment • Symmetric keys. • Point-to-Point. • Needham-Schroeder. • Kerberos. • Asymmetric keys. • X.509 key establishment. • Attack example. • Station To Station (STS) protocol. • Bellovin-Merritt protocol.

  50. Symmetric Keys • Key establishment using only symmetric keys requires use of pre-distribution keys to get things going. • These can be based on: • Point to point distribution, or • Key Distribution Center (KDC).
