1 / 34

Authentication

Authentication. Building Secure Protocols. Topics. The Authentication Problem Simple Device Authentication Attack and Countermeasures Cryptographic Hash Functions Message Authentication with Secure Hash Functions. Authentication Protocols.

ceana
Download Presentation

Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Authentication Building Secure Protocols

  2. Topics • The Authentication Problem • Simple Device Authentication • Attack and Countermeasures • Cryptographic Hash Functions • Message Authentication with Secure Hash Functions

  3. Authentication Protocols • The authentication problem is to remotely identify one entity, the “client” or “user” to another entity, the “server”. • The communications channel may be limited: voice only, or radio signals only • The client and server may have limited capabilities: compute power, battery life, etc

  4. Simple Client and Server • The Client is a device or token such as the one you hold in your hand and use to open your car or garage door. • The Server is the system that receives your device’s signal and opens the door. • The communications channel is infrared or radio signals.

  5. Simple Protocol • The simplest protocol is for the token to transmit its 16 bit serial number, which also acts as a password. • Method 1: Thief can try all possible passwords. Can usually open door after 215 tries which, at 10 per second, is about an hour. • Method 2: Devices called “grabbers” became available about 1995 which would record a signal and replay it at a later time.

  6. Countermeasures • Use longer passwords – 32 bits instead of 16 (this really happened and manufacturers proudly advertised increased security). Guessing impractical but grabbers still work. • Use different codes for open and close. Grabber must be used at proper time. • Additional vulnerability – serial number is known by others – original vendor, service people, etc.

  7. What is Really needed • The device needs to send something that can’t simply be recorded and played back. • Add a counter value, random number, or timestamp to guarantee freshness. • Problem with counters – the token and the dog • Problem with random numbers (nonce) – token and server must remember past codes – valet attack • Problem with timestamp – clock drift • Encrypt so that attacker cannot fabricate message

  8. General Setting and Notation • Many clients with devices (or tokens) needing access to a building or large parking garage. • Notation: to show that X is encrypted with key K write: {X}K or K{X} •  Standard protocol notation for token sending to the garage: T  G: T, KT{N}

  9. More Sophisticated Protocol • token sends to the garage: its name, T, followed by the encrypted value of its name concatenated with a nonce, N: T  G: T, KT{T, N} • The garage verifies the open request by deciphering the encrypted part and verifying the token name is the same as the plaintext name and that the nonce hasn’t been used before.

  10. T  G: T, KT{T, N} • This protocol is more secure. An attacker cannot simply replay an old message. He cannot fabricate a message even if he knows the token’s name and guesses a fresh nonce unless he knows KT. • Key management: The server needs to remember keys for many different tokens if it is a large garage. Assign a global master key to the garage KM. Key for each token is the token name or serial number encrypted with the global master key. KT = KM{T} This scheme is called key diversification and is widely used in smart cards.

  11. Challenge-Response Protocol • Because of the problems with nonces, the challenge-response protocol is often used to provide a high degree of security. • This requires an exchange of messages and receiving as well as more processing ability on the part of the token. •  The server (door or lock) sends a challenge consisting of a random number and the token computes a response by encrypting the challenge.

  12. Challenge-Response T  S: T S  T: N T  S: T, KT{ N} Note that the encryption used does not have to be invertible. A “one-way function” or cryptographic hash function can be used.

  13. Weaknesses in C-R • The C-R protocol is widely used. However, it is not unbreakable. • Example: the random numbers generated by the server are often predictable and cyclic. An attacker can eavesdrop on a C-R session and determine what the next challenge will be and prepare a (perhaps pre-recorded) response. • Note: most programming language library routines for random numbers produce predictable number streams. • Man-in-the-Middle attacks

  14. Man-in-the-Middle • A man-in-the-middle attack involves an attacker “between” two legitimate parties that are authenticating – perhaps using a CR protocol. • The attacker intercepts the messages and replays them in ways to trick the legitimate participants.

  15. Man-in-the-Middle Example Also known as the MIG-in-the-Middle as it was apparently used successfully in the war between South Africa and Angola in the late 1980s. Aircraft use IFF (Identify Friend or Foe) systems to prevent them from shooting down friendly aircraft. This system was developed in the 1940’s and initially used the C-R. S  T: N T  S: KT{T, N} Where T is the aircraft

  16. Air defense units on both sides could send and receive these signals. MIGs from Angola would wait at the border of South African air defense until South African bombers crossed into Angola on a bombing raid. The MIGs would then cross into South Africa and be met with a challenge from South African air defense units.

  17. MIG In The Middle Attack south african air defense = SAAD south african bomber = SAB Angolan air defense = AAD Angolan MIG = MIG SAAD  MIG: N MIG  AAD: N AAD  SAB: N SAB  AAD: KT{SAB, N} AAD  MIG: KT{SAB, N} MIG  SAAD: KT{SAB, N}

  18. Reflection Attack • In order for this attack to work, the two principals must be able and willing to identify themselves to each other. This attack works if the challenge system and response generator are not integrated or if the response generator does not check the name of the challenger. (Also if the token name is not included in the encryption part.) • Assume you have two airplanes, one from the red team and one from the blue team. The red aircraft wants to get close enough to shoot at the blue plane without the blue plane knowing it.

  19. Reflection Attack Red enters Blue’s airspace B  R: N Blue sends challenge R  B: N Red reflects challenge back to Blue B  R: K{N} Blue’s automatic IFF system responds without noticing that it just sent out that same challenge R  B: K{N} Red gives proper response to Blue, gets close and shoots him down

  20. Thwarting the Reflection Attack • Require an identifier to be included in the answer to a challenge. Blue plane #1 B  R: N Blue sends challenge R  B: N Red reflects challenge B  R: B1, K{N} Blue’s IFF responds R  B: B1, K{N} Red sends reflection attempt which is detected! • Connect the challenge and response generator logic.

  21. Manipulating the Message • Reflection and Man-in-the-middle attacks can be enhanced by the ability of the attacker to manipulate the message. • Recall the previous example: the blue plane requires a name (or other identifier) in the response message B  R: N Blue sends challenge R  B: N Red reflects challenge back to Blue B  R: B3, K{N} Blue’s IFF responds, includes its identifier, b3 R  B: B3, K{N} Red sends response, but Blue recognizes attack!!

  22. Manipulating the Message • Red responds by giving his planes the ability to manipulate the message B  R: N Blue sends challenge R  B: N Red reflects challenge back to Blue B  R: B3, K{N} Blue’s IFF responds, includes b3 R  B: B4, K{N} Red knows the first part of the message is the identifier and changes it!! Blue thinks Red is friendly and lets him get close.-----

  23. Countermeasure • Require the ID to be in the encrypted part - then Red cannot successfully manipulate the message unless he knows the encryption key (in which case he doesn’t need to reflect). B  R: N Blue sends challenge R  B: N Red reflects challenge back to Blue B  R: B3, K{B3, N} Blue’s IFF responds, includes b3 R  B: B4, K{B3, N} Red gives response, changing the unencrypted identifier, but Blue recognizes a reflection attack!!

  24. Subtle Uses for IFF • Radar is used extensively in weapons systems. Radar has limited range as the signal must travel from the source to the target and return. • In January 1944, Allied forces learned that the Germans were tracking British and American bombers at twice the normal radar range. The Germans were sending signals to interrogate the IFF systems of the bombers, so the bombers replied automatically. • Modern IFF systems authenticate the challenge with encryption and only respond to valid challenges.

  25. Cryptographic Hash Functions • Alternative to encryption when decryption is not needed. • Encryption software is slow and hardware is costly. • Message digest (signature or hash) is smaller than ciphertext. B  R: N Blue sends challenge R  B: N Red reflects challenge back to Blue B  R: B3, H{B3, N} Blue’s IFF responds, includes b3 R  B: B4, H{B3, N} Red gives response, Blue calculates H(B4,N) and compares to Red’s response.

  26. Secure HASH Functions • Purpose is to produce a “fingerprint”. • Properties of a HASH function H : • H can be applied to a block of data of any size • H produces a fixed length output • H(x) is easy to compute for any given x. • For any given h, it is computationally infeasible to find x such that H(x) = h • For any given block of data x, it is computationally infeasible to find y such that H(y) = H(x). • It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) where

  27. Simple Hash Function • Divide message into n-bit blocks (pad with zero if necessary). Hash code is n-bits.

  28. Authentication • Requirements - must be able to verify that: 1. Message came from apparent source or author, 2. Contents have not been altered, 3. Sometimes, it was sent at a certain time or sequence. • Protection against active attack (falsification of data and transactions)

  29. Approaches to Message Authentication • Authentication Using Conventional Encryption • Only the sender and receiver should share a key • Message Authentication with Encryption and Hash function (a and b) • An authentication tag is generated with hashing and appended to each message after encryption • Message Authentication with Hash function and Shared Secret Value (c )

  30. One-way HASH function

  31. One-way HASH function • Secret value is added before the hash and removed before transmission.

  32. Other Secure HASH functions

  33. HMAC • Use a MAC (message authentication code) derived from a cryptographic hash code, such as SHA-1. • Motivations: • Cryptographic hash functions executes faster in software than encryption algorithms such as DES • Library code for cryptographic hash functions is widely available • No export restrictions from the US

  34. For Further Reading • “Security Engineering, A Guide to Building Dependable Systems” by Ross Anderson, Wiley, 2001 • “Cryptography and Network Security, Principles and Practice” third edition, William Stallings, Prentice Hall • “Network Security, Private Communication in a Public World”, 2nd edition, Kaufman, Perlman, Speciner, Prentice Hall, 2002

More Related