1 / 57

Chapter 5

Chapter 5. A Quantitative Analysis of Authentication Services. Security. Security can be divided into the following categories Authentication Confidentiality Data Integrity Availability (Denial of Service) Non-repudiation. Security Categories. Authentication

howard-camacho
Download Presentation

Chapter 5

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 5 A Quantitative Analysis of Authentication Services

  2. Security • Security can be divided into the following categories • Authentication • Confidentiality • Data Integrity • Availability (Denial of Service) • Non-repudiation

  3. Security Categories • Authentication • The process by which two parties involved in a dialogue are given a guarantee that they are indeed interacting with whom they think they are interacting • Server Authentication • You access the website of your favorite online bookstore • You want to make sure that you are indeed interacting with that site and not with an imposter • Client Authentication • An e-business site may also want to authenticate a business partner to make sure that an order is being placed by someone known and registered with the site

  4. Security Categories • Confidentiality • Protecting the contents of messages or data transmitted over the Internet from unauthorized people • Protect your credit card information when you buy over the Internet • Data Integrity • Preventing data from being modified by an attacker • Attacker modifies your credit card while being transmitted

  5. Security Categories • Availability (Denial of Service) • Guarantee that authentic users of an e-business site are given access to the site when they need it • Denial of Service (DoS) attack • Reduces the availability of the site • Attacker setup a program that continuously attempts to be authenticated by a site • Authentication fails • Precious resources wasted at the e-commerce site to deny access to the attacker • Possible to bring a system to its knees making it unavailable to valid users

  6. Security Categories • Non-repudiation • Prevents the sender of a message from denying having sent it • Online trading want to ensure that a customer will not be able to deny having requested to buy or sell securities • Cryptography can be used to support • Authentication • Confidentiality • Data integrity • Non-repudiation

  7. Cryptography • Cryptography • A technique by which data, called plaintext, is scrambled or encrypted in such a way that it becomes extremely difficult, expensive, and time consuming for an unauthorized person to unscramble or decrypt it • ciphertext • Scrambled text

  8. Cryptography • Encryption EncryptedMsg = Encrypt(Msg, Keye) • Decryption Msg = Decrypt(EncryptedMsg, Keyd) • Two classes of cryptographic algorithms • Symmetric algorithms • Public-key (PK)

  9. Cryptography – Symmetric Algorithms • Same key is used for encryption and decryption • Keye = Keyd • Secret key shared between sender and receiver • Anyone who discovers the secret key will be able to decrypt any messages encrypted with that key • Assume encryption and decryption algorithms are known to everyone • Examples • Data Encryption Standard (DES), triple-DES (TDES), IDEA, RC2, RC4, RC5

  10. A B plaintext cyphertext plaintext Encryption Decryption Hi Bob. Hi Bob. &#@s*;t Keye Keyd Keye = Keyd Cryptography– Symmetric Algorithms Symmetric Encryption and Decryption

  11. Cryptography– Public-key (PK) Algorithms • Uses two different keys for sending messages to a public body • A private key (Kpriv) • Known only to the receiver of the message • Used for decrypt message • A public key (Kpub) • Known to everybody • Associate to the receiver of the message • Used for encryption • Encryption EncryptedMsg = PKEncrypt(Msg, Keypub) • Decryption Msg = PKDecrypt(EncryptedMsg, Keypriv)

  12. A B plaintext cyphertext plaintext Encryption Decryption Hi Bob. Hi Bob. &#@s*;t B’s public key B’s private key Public Key Encryption and Decryption Cryptography– Public-key (PK) Algorithms

  13. Cryptography– Public-key (PK) Algorithms • RSA(see appendix) • The most common PK algorithm • An RSA operation, whether encryption or decryption, is essentially a modular exponentiation • Common way to choose exponent • Choose small public exponent (numbers 17 or 23) for the public key • Choose a large exponent for the private key • Makes encryption faster than decryption • Encryption time is a function of the size in bits of the modulus, also called key length • Longer keys provide significantly increased levels of security

  14. Cryptography– Public-key (PK) Algorithms • RSA • Time required to perform private and public operations on a 128-byte block as a function of the key length used in the operation

  15. Cryptography– Public-key (PK) Algorithms • Conclusions drawn from the table • Private key operations grows with k3, where k is the key length in bits • Public key operations grows with k2 • Public key operation time, even for a small 128-byte block, is of the same order of magnitude of a disk access time • Private key operation time varies from one to two orders of magnitude greater than a disk access time

  16. Cryptography– Public-key (PK) Algorithms • PK Conclusions • PK encryption cannot be efficiently used for bulk data transfer • Adv.: Not necessary to exchange a secret key before two parties can communicate through a secure channel • Key used for encryption is public • Disadv.: Symmetric cryptography is much faster than PK cryptography, but requires the exchange of a secret key • Current software implementation of RSA are a hundred times slower than DES • In hardware, DES is a thousand to ten thousand times faster than RSA

  17. Digital Signatures • PK encryption can be used for digitally signing an electronic document in a way that allows for later validation for authenticity • Suppose that A wants to send a message Msg to B

  18. Digital Signatures - Diagram message received from A message sent to B Site A Site B Hi Bob. Hi Bob. Hi Bob. Hi Bob. Internet encrypted MD encrypted MD Hash Function Hash Function kp08#%1ua$ kp08#%1ua$ MD r$(*1:<%aq*& =? Decryption Encryption r$(*1:<%aq*& r$(*1:<%aq*& messagedigest (MD)(128 bits) MD A’s publickey A’s private key

  19. Digital Signatures – Hash Function • MD = h(Msg) • For a hash function to be useful for digital signatures, it must have the following properties • Easy to compute h(Msg) • Very hard to obtain Msg given h(Msg) • Very hard to find another Msg’ such thath(Msg) = h(Msg’) • Example of hash functions • MD4, MD5, SHA, SHA-1

  20. Authentication Protocols - SSL • Authentication protocols try to use the best of both symmetric and PK algorithms • Use PK algorithms to exchange a secret key • Use symmetric cryptography for bulk secure data transfer • Secure Sockets Layer (SSL) • A protocol developed by Netscape • Offers authentication, confidentiality, non-repudiation of web servers and end-users • A session layer protocol runs on top of TCP

  21. Authentication Protocols - TLS • Transport Layer Security (TLS)(v. 1.2 is the latest) • Superseded SSL • IETF RFC(Internet Engineering Task Force—Request for Comment) • Contains minor changes with respect to SSL v3.0, TLS V1.0 • Decomposed into two protocols • TLS Handshake Protocol • TLS Record Protocol • each record can be optionally compressed, encrypted and packed with a message authentication code (MAC).

  22. Authentication Protocols - TLS • TLS Handshake Protocol • Responsible for the selection of • PK algorithm and key used for the transmission of a shared secret key • Bulk encryption algorithm and secret keys(MAC) to be used during the session by the Record Protocol • MAC (Message authentication code) used by the Record Protocol for message authentication.A MAC algorithm accepts as input a secret keyand an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message's integrity as well as its authenticity, by allowing verifiers to detect any change to the message content. • Compression algorithms to be used by the Record Protocol • TLS Record Protocol • Compresses data • Applies MAC (Message Authentication Code) to the messages • Encrypts data using symmetric encryption

  23. TLS and SSL Compatibility TLS v1.0 (also known as SSL v3.1) • Published by IETF in 1999 (RFC 2246). • based on SSL v3.0 and PCT and harmonizes both Netscape's and Microsoft's approaches. • not a 100% backward compatible with its predecessor. • using a different calculation of the master secret and key material, • using HMAC (key-hashed MAC) instead of MAC, • adding additional alert codes, • Server verification is necessary

  24. Authentication Protocols – TLS– Authentication with Certificates • Servers authenticate themselves to clients (not optional) • Present to the client a certificate signed by a trusted Certificate Authority (CA) • CA endorse the identity of the sites registered with them • Process of generating a certificate • Standard X.509 certificate • Digest of the server information • encrypted with the CA’s private key • Server information • Name • Issuer CA • Serial number • Validity • Public key

  25. Authentication Protocols – TLS– Authentication with Certificates X.509 Certificate Server Info Server Info encrypted MD Hash Function kp08#%1ua$ Encryption r$(*1:<%aq*& messagedigest (MD) CA’s private key Generation of a Server Certificate

  26. Authentication Protocols – TLS– Authentication with Certificates • Browser verifies server • Most browsers have a list of trusted CAs • Receives a server certification • Checks for the issuing CA on its list and retrieves the CA’s public key(online) • Use CA’s public key to decrypt the message digest in the certificate • Use same hash function to recreate the message digest from the server information • If the recreated digest matches the decrypted digest, the certification was signed by the CA and the server is authenticated

  27. Authentication Protocols – TLS– Authentication with Certificates X.509 server certificate Hash Function server info encrypted MD MD kp08#%1ua$ r$(*1:<%aq*& =? Decryption r$(*1:<%aq*& MD CA’s public key Verification of a Server Certificate

  28. Authentication Protocols – TLS– Description of TLS • Client server algorithm • A client wants to establish a secure connection with a server • Exchange of messages have to take place • Two session establishment methods • Full handshake • Session establishment using cached session states

  29. TLS-- optional

  30. Authentication Protocols – TLS– Description of TLS • If the client establishes a new session while its session state is cached at the server, TLS can skip the authentication and secret negotiation steps • The client sends the session ID of the session it wants to reuse • If the state of the that session is still cached at the server, it replies with a “Server Hello” message • With a session ID equal to the client session ID sent in the “Client Hello” message • New server random numbers (master secret remains unchanged) • Client and server generate new session keys from the cached state and the new random numbers • Session caching eliminates the use of PK during session establishment and cuts down the number of messages from four to three

  31. Authentication Protocols – TLS– Description of TLS • A secure TLS connection has to be established from scratch (full handshake) • 1  2  5  6  7 CSID for the Connection Establishment Phase of TLS

  32. Authentication Protocols – TLS– Description of TLS • A TLS session is setup by using the session state cached at the server from a recent session between the same client and the server CSID for the Connection Establishment Phase of TLS

  33. Authentication Protocols – TLS– Description of TLS 1 Client sends a “Client Hello” message to the server to indicate that it wants to start the handshake process • Message contains • Random number generated by the client (28 bytes) • Time measured at the client (4 bytes) • Session ID (from 0 to 32 bytes) • Set of cryptographic algorithms (cipher suites) (2 bytes) supported by the client for key exchange, for bulk encryption, and for message authentication • Compression method to be used (1 byte) • Protocol version (1 byte)

  34. Authentication Protocols – TLS– Description of TLS • 2 • Server receives the “Client Hello” message • Server sends a “Server Hello” message to the client • A X.509 server certificate (750 bytes) • A server random number (28 bytes) • A server session ID (0 to 32 bytes) different from the client session ID • Cipher suites supported by the server (2 bytes). The compression method supported by the server (1 byte)

  35. Authentication Protocols – TLS– Description of TLS • 5 • Client receives the “Server Hello” message • Client authenticates the server using its certificate • Client generates the symmetric key (session key) to be used for bulk encryption from the premaster secretand the client and server random numbers • Client sends the premaster secret to the server using a digital envelope* *To be discussed in Chapter 6

  36. Authentication Protocols – TLS– Description of TLS • 6 • Server receives the “Client Key Exchange Message” • Server decrypts the premaster secret using its private key • Server generates the key used for bulk data transmission from the premaster secret, the client and server random numbers Server encrypts a digest of all messages previously received from the client with the key for bulk encryption • Server sends the digest to the client in a 27 byte “Server Finished” message

  37. Authentication Protocols – TLS– Description of TLS • 3 • Client receives the “Server Hello” message • Client authenticates the server using its certificate • Client generates the symmetric key to be used for bulk encryption from the previouspremaster secretand the new client andserver random numbers(no digital envelope)

  38. Authentication Protocols – TLS– Description of TLS • 4 • Client sends a twenty-seven-byte “Client Finished” message to the server to indicate that it is done with the handshake

  39. Authentication Protocols – TLS– Description of TLS • Analysis of the CSID for TLS reveals • Authentication with TLS adds from 178 to 322 msec to the response time perceived by a user during the authentication phase • A full handshake adds two round trip times (RTTs) between the client and server to the network delay involved in fulfilling an HTTP request • Round trip time • Slow Internet: 161 msec • Fast Internet: 89 msec • Byte overhead of a TLS connection is almost 25% • 983(68+813+75+27) bytes for full handshake (assuming 32 bytes for client and server IDs) • 4K for average size of a page returned by an HTTP request • Slow modem connection • Effective transmission rates = 4K bytes/sec • Byte overhead incurs an additional 240 (=983/4096) msec to the latency

  40. Authentication Protocols – TLS– Example – Assumptions • Timings in (msec) for Client Operations During TLS Handshake • Timings in (msec) for Server Operations During TLS Handshake

  41. Authentication Protocols – TLS– Example – Assumptions • Several clients are connected to the server through a high-speed LAN • Clients continuously request files that are 16,384 bytes long • Server • Average CPU time involved in accessing a file is 0.002sec when no processing involved for establishing secure connections • Average disk time to retrieve a file is 0.010sec • Encryption/Decryption and Message Digest (MD) Generation/Verification Rates (in Mbps)

  42. Authentication Protocols – TLS– Example 1 • Investigate the impact on server throughput, measured in requests/sec, due to the use of TLS • Assume all requests involve a full handshake • No session reuse • Algorithm for data encryption (symmetric) • RC4 • Message authentication by TLS’ Record Protocol • MD5 • Consider four cases • Insecure connections • Secure connections using TLS for key sizes of • 512 bits • 768 bits • 1024 bits for the PK cryptography used in the Handshake Protocol

  43. Authentication Protocols – TLS– Example 1 • Evaluate the server throughput as a function of load, measured by the number of clients actively sending requests to the server • Computing the service demands: The sum of total time spent by a request at • Client • Network • Server CPU • Server disk

  44. Authentication Protocols – TLS– Example 1 • Time spent at client • Handshake phase • File retrieval phase • Decryption • Verification • Example: 1024-bit key for PK algorithm Service demand at client= Handshake* + Decryption** + Verification**= = 0.01405 sec *Overhead of TLS. Slide 40; ** slide 41, 140,000,000 is the RC4 decryption speed, 180,000,000 is the MD5 verification speed, *** 16484 is file size

  45. Authentication Protocols – TLS– Example 1 • Time spent at server CPU • CPU time excluding TLS-related processing • Handshake phase • File retrieval phase • Decryption • Verification • Example: 1024-bit key for PK algorithmService demand at server CPU= File Accessing time*+ Handshake** + Decryption + Verification== 0.05169 sec *accessing a file is 0.002 sec; ** also slide 40—handshake for server is slow!

  46. Authentication Protocols – TLS– Example 1 Service Demands (in msec) for RC4 and MD5 * See calculations in last two slides Where is the bottleneck?

  47. Authentication Protocols – TLS– Example 1 • Throughput curves obtained with the help of queuing network models such as the ones discussed in chapters 8 & 9 • Closed queuing network • Throughput increases almost linearly at the beginning as the load increases and saturates at its maximum • Maximum throughput • Limited by the bottleneck resource • Inverse of the maximum service demand(identify the bottleneckresource—the largest value in a column in slide 46) • Insecure connection = 1/0.01 = 100 requests/sec(disk time only!) • Key size of 512 = 1/13.894 = 72.0 requests/sec • Key size of 768 = 1/27.424 = 36.4 requests/sec • Key size of 1024 = 1/51.654 = 19.3 requests/sec • Maximum throughput for 1024-bit keys is 20% of the throughput one obtained without the use of cryptography

  48. Authentication Protocols – TLS– Example 2 • Assume • 40% requests are for insecure documents • 60% requests are for secure documents • What is the maximum server throughput assuming 1024-bit keys, RC4 and MD5 for data transfer phase? • New CPU demand= 0.4 x 0.002 (slide 41)+ 0.6 x 0.051694 (slide 45)= 0.0318 sec • New CPU demand is still higher than the disk(0.01 sec, slide 46) • CPU is still the bottleneck • Maximum server throughput= 1 / 0.0318 = 31.43 requests/sec • 62% higher than the maximum throughput for the case when all requests require the establishment of TLS session

  49. Authentication Protocols – TLS– Example 2 • Generalize this analysis for any value Fs of the faction of secure connections • Upper bound on the server throughput X,

  50. Authentication Protocols – TLS– Example 2 • Low value of Fs • Bottleneck is the disk • Throughput is bounded at 100 requests/sec • High value of Fs • More requests use the TLS protocol • Bottleneck is the CPU • Maximum throughput drops in a nonlinear way with the fraction of secure connections Maximum Throughput (in requests/sec) vs. Fraction of Secure Connections Fs

More Related