1 / 30

Key Management

Key Management. Shared Key Exchange Problem. How do Alice and Bob exchange a shared secret? Offline Doesn’t scale Using public key cryptography (possible) Using specially crafted messages ( Diffie Hellman) Using a trusted third party (KDC) Secrets should never be sent in clear

dore
Download Presentation

Key Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Key Management

  2. Shared Key Exchange Problem • How do Alice and Bob exchange a shared secret? • Offline • Doesn’t scale • Using public key cryptography (possible) • Using specially crafted messages (Diffie Hellman) • Using a trusted third party (KDC) • Secrets should never be sent in clear • We should prevent replay attacks • We should prevent reuse of old keys

  3. Diffie Hellman Key Exchange • Exchange a secret with someone you never met while shouting in a room full of people • Alice and Bob agree on g and large n • Alice chooses random a, sends • Bob chooses random b, sends • Alice takes Bob’s message and calculates • Bob does the same; now they both know shared secret

  4. KDC Based Key Distribution • Building up to Needham Schroeder/Kerberos • User sends req. to KDC (key distrib. center) • KDC generates a shared key: Kc,s • Keys KKDC,C andKKDC,S are preconfigured • No keys ever traverse net in the clear • Why are identities in tickets? • 1. C, S • 3. EKKDC,S{C, Kc,s} C KDC S ticket • 2. EKKDC,C{S, Kc,s}

  5. KDC Based Key Distribution • KDC does not have to talk both to C and S • Messages 2 or 3 can be replayed by M • Force C and S to use same secret for a long time • Cause S to have an old ticket, break comm. w C • ticketS = EKKDC,S{C, Kc,s} • 1. C, S C KDC S • 2. EKKDC,C{S, Kc,s}, ticketS • 3. ticketS

  6. Needham-Shroeder Key Exchange • Use nonces to prevent replay attacks • ticketS = EKKDC,S{C, Kc,s} • 1. N1, C, S C S KDC • 2. EKKDC,C{N1, S, Kc,s,ticketS} • 3. EKC,S{N2}, ticketS • 4. EKC,S{N2-1, N3} • 5. EKC,S{N3-1}

  7. Whys … • Why N1? • Why N2? • Why N3? • Why encrypt ticketS

  8. Problem • What happens if attacker gets session key? • Can reuse old session key to answer challenge-response, generate new requests, etc • Need timestamps to ensure freshness = tickets expire after some time

  9. Public Key Exchange Problem • How do we verify an identity: • Alice sends to Bob her public key Pub(A) • Bob sends to Alice his public key Pub(B) • How do we ensure that those keys really belong to Alice and Bob?Need a trusted third party

  10. Man-in-the-Middle Attack On Key Exchange • Alice sends to Bob her public key Pub(A) • Mallory captures this and sends to Bob Pub(M) • Bob sends to Alice his public key Pub(B) • Mallory captures this and sends to Alice Pub(M) • Now Alice and Bob correspond through Mallory who can read/change all their messages

  11. Public Key Exchange • Public key is public but … • How does either side know who and what the key is for? • Does this solve key distribution problem? • No – while confidentiality is not required, integrity is • Still need trusted third party • Digital certificates – certificate authority (CA) signs identity+public key tuple with its private key • Problem is finding a CA that both client and server trust

  12. Digital Certificates • Everyone has Trent’s public key • Trent signs both Alice’s and Bob’s public keys – he generates public-key certificate • When they receive keys, verify the signature • Mallory cannot impersonate Alice or Bob because her key is signed as Mallory’s • Certificate usually contains more than the public key • Name, network address, organization • Trent is known as Certificate Authority (CA)

  13. Certificate-Based Key Exchange • Authentication steps • Alice provides nonce, or a timestamp is used instead, along with her certificate. • Bob selects session key and sends it to Alice with nonce, encrypted with Alice’s public key, and signed with Bob’s private key. He sends his certificate too • Alice validates certificate – it is really Bob’s key inside • Alice checks signature and nonce – Bob really generated the message and it is fresh

  14. PGP • Pretty Good Privacy • “Web of Trust” • Public key, identity association is signed by many entities • Receiver hopefully can locate several signatures that he can trust • Like an endorsement scheme

  15. SSH • User keys installed on server out of band • User logs in with a password • Copies her public key onto server • Weak assurance of server keys • User machine remembers server keys on first contact • Checks if this is still the same host on subsequent contact • But no check on first contact

  16. Recovery From Stolen Private Keys • Revocation lists (CRL’s) • Long lists • Hard to propagate • Lifetime / Expiration • Short life allows assurance of validity at time of issue • Real time validation • Receiver of a certificate asks the CA who signed it if corresponding private key was compromised • Can cache replies

  17. Authentication andIdentity Management

  18. Basis for Authentication • Ideally • Who you are • Practically • Something you know (e.g., password) • Something you have (e.g., badge) • Something about you (e.g., fingerprint)

  19. Password Authentication • Alice inputs her password, computer verifies this against list of passwords • If computer is broken into, hackers can learn everybody’s passwords • Use one-way functions, store the result for every valid password • Perform one-way function on input, compare result against the list

  20. Password Authentication • Hackers can compile a list of frequently used passwords, apply one-way function to each and store them in a table – dictionary attack • Host adds random salt to password, applies one-way function to that and stores result and salt value • Randomly generated, unique and long enough

  21. Password Authentication • Someone sniffing on the network can learn the password • Lamport hash or S-KEY – time-varying password • To set-up the system, Alice enters random number R • Host calculates x0=h(R), x1=h(h(R)), x2=h(h(h(R))),..., x100 • Alice keeps this list, host sets her password to x101 • Alice logs on with x100, host verifies h(x100)=x101, resets password to x100 • Next time Alice logs on with x99

  22. Password Authentication • Someone sniffing on the network can learn the password • Host keeps a file of every user’s public key • Users keep their private keys • When Alice attempts to log on, host sends her a random number R • Alice encrypts R with her private key and sends to host • Host can now verify her identity by decrypting the message and retrieving R

  23. Passport • Goal is single sign-on • Solves problem of weak or repeated user/pass combinations • Implemented via redirections • Users authenticate themselves to a common server, which gives them tickets • Similar flavor to Kerberos but different environment – many organizations • Widely deployed by Microsoft • Designed to use existing technologies in servers/browsers (HTTP redirect, SSL, cookies, Javascript)

  24. David P. Kormann and Aviel D. Rubin, Risks of the Passport Single Signon Protocol, Computer Networks, Elsevier Science Press, volume 33, pages 51-58, 2000. How Passport Works • Client (browser), merchant (Web server), Passport login server • Passport server maintains authentication info for client • Gives merchant access when permitted by client • Divides client data into profile (address) and wallet (credit card)

  25. How Passport Works David P. Kormann and Aviel D. Rubin, Risks of the Passport Single Signon Protocol, Computer Networks, Elsevier Science Press, volume 33, pages 51-58, 2000. SSL Token = 3DES encrypted authentication infousing key merchant shares with passport server Also set cookie at browser (passport)

  26. How Cookies Work • Placed into browser cache by servers to store state about this particular user • Contain any information that server wants to remember about the user as name/value pairs • May contain expiration time • May persist across browser instances • Returned to server in clear on new access • Only those cookies created for the server’s domain are sent to the server • May not be created by this server • Usually used for persistent sign in, shopping cart, user preferences

  27. Cookies for Authentication • User logs in using her user/pass • Server sets a cookie with some info – username, password, session ID … • Any future accesses return this info to the server who uses it for authentication (equivalent to user/pass) • Once user signs out the cookie is deleted and the session closed at the server • Problems • Cookies can be sniffed, remain on the browser because user did not sign out, be stolen by cross-site scripting or via DNS poisoning • Solutions: • Send cookies over SSL, use timed cookies, secure code, bind cookies to IP address of the client, encrypt cookies … Learn more at: http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf

  28. Something You Have • Cards • Mag stripe (= password) • Smart card, USB key • Time-varying password • Issues • How to validate • How to read (i.e. infrastructure)

  29. Something About You • Biometrics • Measures some physical attribute • Iris scan • Fingerprint • Picture • Voice • Issues • How to prevent spoofing • What if spoofing is possible? No way to obtain new credentials

  30. Multi-factor Authentication • Require at least two of the classes we mentioned, e.g. • Smart card plus PIN • RSA SecurID plus password • Biometric and password

More Related