
Agenda

CS G513 / SS G513 Network Security. Agenda. Identification / Authentication Protocols Kerberos Zero Knowledge Protocols. Authentication in practice. Kerberos: Used for online mutual authentication of servers and clients. Uses trusted third parties (other servers).


Presentation Transcript


  1. CS G513 / SS G513 Network Security
  Agenda
  • Identification / Authentication Protocols
  • Kerberos
  • Zero Knowledge Protocols

  2. Authentication in practice
  • Kerberos:
    • Used for online mutual authentication of servers and clients.
    • Uses trusted third parties (other servers).
    • Distributed protocols.
    • Fairly robust and efficient in practice.
    • Has gone through multiple versions.
    • Reading: Kerberos articles (see website).
  Sundar B.

  3. Identification/Authentication Protocols
  • Objective: to corroborate the identity of the claimant.
  • Constraint: in the process, the claimant does not reveal to an attacker the secret it owns.
  • Password schemes
    • Fail this constraint if the password is sent in plaintext form.
    • Partially fail if the password is sent in ciphertext form: an adversary can replay the ciphertext.
  • Challenge-response protocols
    • Introduce time-variant parameters to prevent replay.
    • But what information, if any, is revealed in the process?
    • Chosen-plaintext attacks may reveal patterns.

  4. Zero Knowledge Protocols
  • The prover (claimant) demonstrates knowledge of a secret while revealing no information of use to the verifier.
  • Interactive proofs
    • Use a probabilistic notion of proof.
    • The prover's goal is to convince the verifier of the truth of an assertion by exchanging messages (proof by protocol).
  • Interactive proofs for identification
    • Can be formulated as proofs of knowledge of a secret, by answering queries which require knowledge of the secret.

  5. Interactive Proofs
  • Completeness: an interactive proof P is complete if, given an honest prover and an honest verifier, the proof (protocol) P succeeds with overwhelming probability.
  • Soundness: an interactive proof P is sound if there exists an expected polynomial-time algorithm M such that:
    • if a dishonest prover can, with non-negligible probability, successfully execute P,
    • then M can be used to extract from this prover knowledge which allows successful execution of subsequent protocol executions (with overwhelming probability).

  6. Zero Knowledge Protocols
  • A protocol which is a proof of knowledge has the ZK property if:
    • there exists an expected polynomial-time (simulator) algorithm which,
    • upon input of the assertions to be proven,
    • without interacting with the real prover,
    • can produce transcripts indistinguishable from those resulting from interaction with the real prover.
  • Transcript: the collection of messages resulting from a protocol execution.

  7. Zero Knowledge Protocols
  • The ZK property implies that a prover executing the protocol does not reveal any information about its secret knowledge even when interacting with a malicious verifier, i.e. participation does not increase the chances of subsequent impersonation.
  • Computational ZK vs. perfect ZK
    • A protocol is computationally ZK if an observer restricted to probabilistic polynomial-time tests cannot distinguish real from simulated transcripts.
    • For perfect ZK, the probability distributions must be identical.

  8. Zero Knowledge Protocols
  • Comparison with other (asymmetric) protocols
    • No degradation with usage: ZK protocols do not suffer degradation of security with repeated usage, and they resist chosen-text attacks.
    • Encryption may not be needed.
    • Impractical to prove ZK.
    • Inefficiency: overheads in computation and communication.
    • Assumptions similar to public-key protocols, e.g. intractability of factoring.

  9. Zero Knowledge Protocols
  • Fiat-Shamir identification protocol, one-time setup:
    • A trusted (central) server selects an RSA-like modulus n = pq but keeps the primes p and q secret.
    • Each claimant selects a secret s coprime to n, 1 ≤ s ≤ n-1, computes v = s^2 (mod n), and registers v as its public key with the server.

  10. Zero Knowledge Protocols
  • Fiat-Shamir identification protocol, messages (prover A, verifier B) per round:
    • A chooses a random r, 1 ≤ r ≤ n-1, and sends x = r^2 (mod n) to B.
    • B randomly selects a bit e (0 or 1) and sends e to A.
    • A computes y = r * s^e (mod n) and sends y to B.
    • B rejects the proof if y = 0; otherwise it accepts by verifying y^2 = x * v^e (mod n).

  11. Zero Knowledge Protocols – Fiat Shamir
  • Observation:
    • if A is impersonated by an adversary C,
    • then C has to guess e (as it cannot compute square roots mod n); probability of escaping detection 1/2.
  • Observation:
    • C can set x = r^2 / v (mod n) and then send y = r (for any r), which will work for e = 1;
    • again the probability of escaping detection is 1/2.
  • Solution:
    • To decrease the probability of cheating to 2^-t, iterate the protocol (t rounds).

  12. Zero Knowledge Protocols – Fiat Shamir
  • Information revealed:
    • e = 0: y = r (mod n), no information.
    • e = 1: y = rs (mod n), no information revealed, as r is random.
  • Relation between x and y:
    • indistinguishable from x = y^2 or x = y^2 / v (mod n).
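The Fiat-Shamir rounds of slides 9 to 12, together with the completeness, soundness and simulator notions of slides 5 to 7, as an added Python example; it is not part of the original slides. The modulus is built from two small constructed primes so the run is instant (a deployment would use an RSA-sized n whose factors only the trusted server knows), and the function names, the impersonator that guesses e in advance (the strategy slide 11 describes) and the transcript simulator are this example's own.

```python
import secrets
from math import gcd

# Constructed toy modulus: two small primes so the example runs instantly.
# A real deployment uses an RSA-sized n whose factors only the trusted server knows.
P, Q = 1009, 1013
N = P * Q


def setup(n=N):
    """One-time setup for a claimant: secret s coprime to n, public v = s^2 mod n."""
    while True:
        s = secrets.randbelow(n - 1) + 1          # 1 <= s <= n-1
        if gcd(s, n) == 1:
            return s, pow(s, 2, n)


def prover_commit(n=N):
    """Step 1: A picks a random r and sends x = r^2 mod n."""
    r = secrets.randbelow(n - 1) + 1
    return r, pow(r, 2, n)


def prover_respond(r, s, e, n=N):
    """Step 3: A answers challenge bit e with y = r * s^e mod n."""
    return (r * pow(s, e, n)) % n


def verify(x, e, y, v, n=N):
    """Step 4: B rejects y = 0, otherwise accepts iff y^2 = x * v^e mod n."""
    if y == 0:
        return False
    return pow(y, 2, n) == (x * pow(v, e, n)) % n


def honest_round(s, v, n=N):
    """One round between an honest prover (knows s) and an honest verifier.
    Completeness: this always returns True."""
    r, x = prover_commit(n)
    e = secrets.randbits(1)                       # Step 2: B's random challenge
    y = prover_respond(r, s, e, n)
    return verify(x, e, y, v, n)


def impersonator_round(v, n=N):
    """One round by an adversary C that knows only v and must guess e in advance:
    guess 0 -> commit x = r^2 and answer y = r (passes only if e = 0);
    guess 1 -> commit x = r^2 * v^-1 and answer y = r (passes only if e = 1).
    Either way C escapes detection with probability 1/2."""
    guess = secrets.randbits(1)
    r = secrets.randbelow(n - 1) + 1
    x = pow(r, 2, n)
    if guess == 1:
        x = (x * pow(v, -1, n)) % n               # pow(v, -1, n) is v's inverse mod n
    e = secrets.randbits(1)
    return verify(x, e, r, v, n)


def run_protocol(round_fn, t):
    """t independent rounds; the claimant is accepted only if every round passes,
    so an impersonator survives with probability 2^-t."""
    return all(round_fn() for _ in range(t))


def impersonator_pass_rate(v, trials, n=N):
    """Fraction of single rounds an impersonator survives (expected about 1/2)."""
    return sum(impersonator_round(v, n) for _ in range(trials)) / trials


def simulate_transcript(v, n=N):
    """ZK simulator: without s, choose e and y first and solve for x.
    Against an honest verifier the (x, e, y) triple has the same distribution
    as a real transcript, which is why the protocol leaks nothing about s."""
    e = secrets.randbits(1)
    y = secrets.randbelow(n - 1) + 1
    x = (pow(y, 2, n) * pow(pow(v, e, n), -1, n)) % n
    return x, e, y


if __name__ == "__main__":
    s, v = setup()
    print("honest prover, 20 rounds:", run_protocol(lambda: honest_round(s, v), 20))
    print("impersonator single-round pass rate:", impersonator_pass_rate(v, 2000))
    print("impersonator, 20 rounds:", run_protocol(lambda: impersonator_round(v), 20))
    print("simulated transcript verifies:", verify(*simulate_transcript(v), v))
```

`verify` is the only check B performs, and it accepts the simulated transcript just as readily as a real one; the difference is that the simulator fixed e before x, which a live verifier never allows.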

  13. Attacks & Defences on identification protocols
  • Replay: use challenge-response (nonces, embedded target id).
  • Interleaving: link all messages of a protocol run (e.g. use chained nonces).
  • Reflection: embed the id of the target in the challenge-response; use uni-directional keys; use different message formats (with integrity checks).
  • Chosen-text: use ZK; use confounders (random numbers).
  • Forced delay: combined use of random numbers with short response time-outs; timestamps.
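Three of the defences on slide 13 (a fresh nonce against replay, the target id embedded in the response, and uni-directional keys against reflection) in one constructed challenge-response exchange, as an added Python example that is not part of the original slides. The HMAC-based response format, the `Verifier` class and the demo keys are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed demo keys, one per direction (the "uni-directional keys" defence):
# the key A uses to prove itself to B is never the key B uses to prove itself to A.
KEY_A_TO_B = b"constructed-demo-key: A proves to B"
KEY_B_TO_A = b"constructed-demo-key: B proves to A"


def respond(key, claimant_id, target_id, nonce):
    """Response to a challenge: a MAC over a fixed message format that embeds the
    claimant id, the target (verifier) id and the verifier's fresh nonce."""
    msg = b"|".join([b"RESP", claimant_id, target_id, nonce])
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Issues nonces, accepts each one at most once, and checks the response
    against its own id and the key for the expected direction."""

    def __init__(self, my_id, key_from_claimant):
        self.my_id = my_id
        self.key = key_from_claimant
        self.outstanding = set()   # nonces issued and not yet answered
        self.consumed = set()      # nonces already used (answered or rejected)

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, claimant_id, nonce, tag):
        if nonce in self.consumed or nonce not in self.outstanding:
            return False                      # replay, or a nonce we never issued
        self.outstanding.discard(nonce)
        self.consumed.add(nonce)              # one answer per nonce, pass or fail
        expected = respond(self.key, claimant_id, self.my_id, nonce)
        return hmac.compare_digest(tag, expected)


def demo():
    """Constructed exchange: A proves itself to B, then a replayed response and
    a reflected response are presented to B and both are rejected."""
    A, B = b"A", b"B"
    verifier_b = Verifier(B, KEY_A_TO_B)

    # Legitimate run: A answers B's nonce with the A->B key and B's id embedded.
    nonce = verifier_b.challenge()
    tag = respond(KEY_A_TO_B, A, B, nonce)
    legit = verifier_b.check(A, nonce, tag)

    # Replay: the same (nonce, tag) presented again is rejected; the nonce is spent.
    replay = verifier_b.check(A, nonce, tag)

    # Reflection: B's fresh nonce is bounced back so that B itself, acting as a
    # claimant towards A, answers it. That answer carries the B->A key and A as
    # the target, so it cannot match what verifier_b expects from A.
    nonce2 = verifier_b.challenge()
    reflected = respond(KEY_B_TO_A, B, A, nonce2)
    reflection = verifier_b.check(A, nonce2, reflected)

    return {"legit": legit, "replay": replay, "reflection": reflection}


if __name__ == "__main__":
    print(demo())
```

Spending the nonce even on a failed check is deliberate: a verifier that only consumes nonces on success lets a rejected guess be retried against the same challenge.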
