
Security II



Presentation Transcript


  1. Security II CSE 5306 Lecture Quiz due at 5 PM on 28 July 2014

  2. Authentication • Authentication and message integrity work together. • Alice and Bob submit their user names and passwords to a trusted agent, who provides a secure channel. • Every message is encrypted and decrypted using the agent’s session key, which dissolves when the session is over. • Without 1 above, they cannot be sure of who they are talking to. • Without 2 above, they cannot trust that their channel is under their full control.

  3. Authentication Based on a Shared Key • Alice and Bob can authenticate each other, even on an insecure channel. • See upper left: 1) Alice says, “I’m Alice,” 2) Bob asks, “Can you encrypt this random number?” 3) “Done,” she says, 4) “And can you encrypt this one?” 5) “Done,” he says. • Are three messages (center) just as effective? • No, they are vulnerable to reflection attack (right): 1) Cathy says, “I’m Alice, and can you encrypt this random number?” 2) Bob says, “I’m Bob, here is your encrypted number, and here is another for you to encrypt for me.” 3) Cathy opens a new channel saying, “I’m Alice, and can you encrypt this random number (which she just received from Bob)?” 4) Bob carelessly encrypts his own number, and 5) she returns it to him in the first session, which is still open.
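The two handshakes from this slide, simulated in one process to show why the order of the challenges matters. This is an added example, not part of the lecture; the class and function names are hypothetical, and HMAC-SHA256 stands in for "encrypt the random number with the shared key".

```python
import hashlib
import hmac
import secrets

def respond(key, challenge):
    # Stand-in for "encrypt the random number with the shared key" (HMAC used here).
    return hmac.new(key, challenge, hashlib.sha256).digest()

class ThreeMessageBob:
    """Answers the initiator's challenge in message 2, before she has proven anything."""
    def __init__(self, key):
        self.key, self.pending = key, {}

    def hello(self, sid, challenge):            # msg 1 in: identity + R_A
        self.pending[sid] = secrets.token_bytes(16)
        return self.pending[sid], respond(self.key, challenge)  # msg 2 out: R_B, K(R_A)

    def finish(self, sid, answer):              # msg 3 in: K(R_B)
        return hmac.compare_digest(answer, respond(self.key, self.pending.pop(sid)))

class FiveMessageBob:
    """Answers a challenge only after the initiator has answered his."""
    def __init__(self, key):
        self.key, self.pending, self.proven = key, {}, set()

    def hello(self, sid):                       # msg 1 in: identity only
        self.pending[sid] = secrets.token_bytes(16)
        return self.pending[sid]                # msg 2 out: R_B

    def finish(self, sid, answer):              # msg 3 in: K(R_B)
        ok = hmac.compare_digest(answer, respond(self.key, self.pending.pop(sid)))
        if ok:
            self.proven.add(sid)
        return ok

    def challenge(self, sid, r_a):              # msg 4 in: R_A
        return respond(self.key, r_a) if sid in self.proven else None  # msg 5 out

def reflect_three(bob):
    """Cathy (no key) hands Bob's own challenge back to him in a second session."""
    r_b, _ = bob.hello(1, secrets.token_bytes(16))
    _, answer = bob.hello(2, r_b)               # Bob computes K(R_B) himself
    return bob.finish(1, answer)                # accepted in session 1

def reflect_five(bob):
    r_b = bob.hello(1)
    bob.hello(2)
    answer = bob.challenge(2, r_b)              # refused: session 2 is unproven
    return answer is not None and bob.finish(1, answer)

def legit_five(bob, key):
    r_b, r_a = bob.hello(7), secrets.token_bytes(16)
    return bob.finish(7, respond(key, r_b)) and bob.challenge(7, r_a) == respond(key, r_a)
```

`reflect_three` succeeds without the key because the responder acts as an oracle for its own challenge; `FiveMessageBob` removes the oracle by refusing message 4 on any session that has not passed message 3.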

  4. Authentication Using a Key Distribution Center • A key distribution center (KDC) gives session-length secret keys to authenticated (e.g., via user name and password) user pairs, making n(n-1)/2 permanent keys between all pairs of n hosts unnecessary. • Above-left figure: 1) Alice inserts her key into the KDC, which delivers the session keys she requested to both 3) her and 4) Bob. • Or Alice may ask for both keys (center), so that she can deliver Bob’s ticket just in time for their session. • In the Needham-Schroeder authentication protocol (right), 1) Alice identifies herself and Bob, and she challenges the KDC to send her a ticket, along with Bob’s and her session keys. Alice’s challenge (called a “nonce,” short for “used only once”) is repeated in the KDC’s reply to show that its message is a direct response to hers. (Chatty Cathy cannot falsely authenticate herself by replaying Alice’s old message; its old nonce doesn’t match the new nonce in Alice’s request.) 2) The KDC’s reply includes Bob’s identity, so that Alice can verify that Cathy did not intercept the message and substitute her identity for Bob’s. 3) Starting to set up their secure channel, Alice sends Bob the KDC’s ticket, which he decrypts to find their shared session key and her random number decryption challenge inside. 4) Bob encrypts and returns her random number minus one, along with a challenge of his own.
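The four Needham-Schroeder messages described on this slide, with the two checks Alice makes on the KDC's reply (nonce and peer identity). This is an added example, not part of the lecture; all function names and message field names are hypothetical, and `seal`/`unseal` are a toy authenticated cipher standing in for encryption under a shared key.

```python
import hashlib
import hmac
import json
import secrets

def seal(key: bytes, obj) -> bytes:
    # Toy authenticated encryption standing in for K(...): SHAKE keystream + HMAC tag.
    data, iv = json.dumps(obj).encode(), secrets.token_bytes(16)
    ks = hashlib.shake_256(key + iv).digest(len(data))
    body = iv + bytes(a ^ b for a, b in zip(data, ks))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    ks = hashlib.shake_256(key + body[:16]).digest(len(body) - 16)
    return json.loads(bytes(a ^ b for a, b in zip(body[16:], ks)))

def kdc_reply(keys, alice, bob, nonce):
    # Message 2: K_A(nonce, Bob, K_AB, ticket), where ticket = K_B(Alice, K_AB).
    k_ab = secrets.token_hex(16)
    ticket = seal(keys[bob], {"from": alice, "key": k_ab}).hex()
    return seal(keys[alice], {"nonce": nonce, "peer": bob, "key": k_ab, "ticket": ticket})

def alice_accept(k_a, reply, nonce, peer):
    msg = unseal(k_a, reply)
    if msg["nonce"] != nonce:
        raise ValueError("stale reply: nonce does not match this request")
    if msg["peer"] != peer:
        raise ValueError("reply names a different peer")
    return bytes.fromhex(msg["key"]), bytes.fromhex(msg["ticket"])

def bob_answer(k_b, ticket, challenge):
    # Messages 3-4: Bob opens the ticket, then returns K_AB(R_A2 - 1, R_B).
    t = unseal(k_b, ticket)
    k_ab = bytes.fromhex(t["key"])
    r_a2 = unseal(k_ab, challenge)["r"]
    return t["from"], seal(k_ab, {"r_minus_1": r_a2 - 1, "r_b": secrets.randbits(64)})

def run(keys, old_reply=None):
    nonce = secrets.token_hex(8)                       # R_A1 in message 1
    reply = old_reply or kdc_reply(keys, "alice", "bob", nonce)
    k_ab, ticket = alice_accept(keys["alice"], reply, nonce, "bob")
    r_a2 = secrets.randbits(64)
    who, answer = bob_answer(keys["bob"], ticket, seal(k_ab, {"r": r_a2}))
    return who == "alice" and unseal(k_ab, answer)["r_minus_1"] == r_a2 - 1
```

Passing a recorded reply as `old_reply` makes `alice_accept` raise, because the nonce inside it belongs to an earlier request.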

  5. R U O K ? • Why are authentication and message integrity inseparable? • Even if I can be sure that it is you who sent me a contractual offer, I also want assurances that no one modified it along the way. • Even if our communication channel is completely trustworthy, I also want to know that you are the one who is accepting my offer. • Both a and b above. • Actually they are separable.

  6. R U O K ? 2. Why is the five-message shared secret key authentication protocol safe from reflection attack? • Bob’s challenge (to demonstrate use of their secret key) follows Alice’s challenge. • Bob was smart enough not to encrypt his own random number in the five-message protocol. • The initiator (trusted Alice or an intruder) must demonstrate her authenticity before the responder (Bob) is asked to demonstrate his. • It was impossible to open a second session in the five-message protocol. • Actually the five-message authentication protocol has the same fatal vulnerability as the three-message authentication protocol.

  7. R U O K ? 3. What is the major advantage of a key distribution center? • It provides the used-only-once (“nonce”) tickets that foil hackers. • It simplifies secure communications by concentrating security concerns in one tightly-controlled agency. • It automatically issues session-length secret keys to authenticated user pairs, making n(n-1)/2 permanent keys between all pairs of n hosts unnecessary. • All of the above. • None of the above.

  8. Authentication Using Public-Key Cryptography • The above-left figure shows Needham-Schroeder upgraded for safety against one more attack: Bob and Alice exchange one more RB1 nonce to assure each is speaking to the other and not with Cathy. • Compare it with the much simpler public key authentication (right), which does not require a KDC: • Alice uses Bob’s public key to encrypt her identity and a challenge. • Bob uses his private key to decrypt both, and he uses Alice’s public key to encrypt a) his identity, b) his challenge to her and c) a session key. • Alice responds to Bob’s challenge, as he did to hers.

  9. Message Integrity and Confidentiality • A secure channel ensures message… • confidentiality (interception) by encryption, whether… • DES • RSA • or MD5 • and integrity (modification) by… • digital signatures • or session keys.

  10. Digital Signatures • Tying Alice’s signature to an emailed contract 1) protects Alice from Bob changing its terms, and 2) protects Bob from Alice denying she sent it. • To sign the contract, Alice encrypts it with her private RSA key. • The whole world can decrypt it with her public key, to see that only she could have signed it. Of course, only Bob could see it, if she encrypted it again with Bob’s public key.

  11. Digital Signatures (continued) • Problems with public-key signatures arise when… • Fickle Alice claims her private key was stolen. • Alice changes her private key, invalidating all prior signatures. • The message is long, making RSA run forever. • Alice can encrypt a tiny hash-coded message digest of the contract with her private key. • Bob can compare the decrypted CRC with one he calculates to assure that the signature is good.
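Signing a digest instead of the whole contract, as this slide describes, written out as an added example that is not part of the lecture. The key is a toy built from two Mersenne primes and the RSA operation is unpadded, both assumptions made to keep the example in the standard library; deployed signatures use much larger keys and a padded scheme such as RSA-PSS.

```python
import hashlib

# Toy RSA key (constructed for this example; far too small for real use).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # Alice's public key
D = pow(E, -1, (P - 1) * (Q - 1))        # Alice's private exponent

def digest(message: bytes) -> int:
    # Fixed-size message digest, reduced into the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    # Alice applies her private key to the digest only, so the cost of the
    # RSA step does not grow with the length of the contract.
    return pow(digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    # Bob applies Alice's public key to the signature and compares the result
    # with the digest he computes himself from the message he received.
    return pow(signature, E, N) == digest(message)
```

Any change to the contract changes the digest Bob computes, so the comparison in `verify` fails even though the signature itself is untouched.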

  12. R U O K ? 4. If it is so simple and straightforward, why doesn’t everyone use public key cryptosystems? • IT managers enjoy controlling things, like the centralized key distribution centers. • RSA requires that every party pair in the distributed system own two permanent keys. • RSA’s big math runs verrry slowly. • All of the above. • None of the above.

  13. R U O K ? 5. What must every secure channel provide? • Guarantees of message integrity and confidentiality. • Encryption and digital signatures. • Interception and modification. • All of the above. • None of the above.

  14. R U O K ? 6. What assurances arise from Alice digitally signing her emailed contract with Bob? a. Alice is protected from Bob surreptitiously changing its terms. b. Bob is protected from Alice denying she sent it. c. The whole world can help enforce those protections, if Alice doesn’t use Bob’s public key to encrypt the email again. d. All of the above. e. None of the above.

  15. R U O K ? 7. A very simple example of a message digest is the cyclic redundancy check (CRC), which assures files against unintended changes. How does it work? a. Exclusive-OR a given binary polynomial divisor (e.g., x³+x+1 = 1011) with the message bit stream. b. Shift the result one bit to the left. c. Repeat a and b on the resulting bit stream. d. All of the above. e. None of the above. [http://en.wikipedia.org/wiki/Cyclic_redundancy_check]

  16. Session Keys • So as not to wear out (i.e., overexpose) our “permanent” authentication keys, we derive from them secure channel “session keys.” • Replay attacks are thwarted when session keys are discarded at the end of each session. • Authentication keys are expensive; session keys are cheap to make and replace. • If Alice must share something slightly personal (e.g., her forthcoming wedding date) with Chatty Cathy, Alice may prefer to encrypt it with a cheap session key, instead of sharing her and Bob’s permanent secret key.

  17. Confidential Group Communication • There are three ways to ensure confidentiality in group communications: • All could share the same secret key. • All members must be trustworthy--can we know all members of a group that well? • A single secret key is more vulnerable to attack when shared among a group than between two individuals. • A key distribution center could issue a secret session key to every pair of individuals in the group. • N group members would require N(N-1)/2 keys prior to every meeting. • When others suspect a member is leaking information, they can stop communicating with her. • Every group member could publish her public RSA key. • When untrustworthy members drop out of the group, the confidentiality of the others’ keys is not compromised. • Every broadcast message would require N encryptions. • RSA keys take a lot of time (and big math) to make.

  18. Secure Replicated Servers • If only a minority of a group of servers is corrupted, how can a client discover the group’s trustworthy majority response? • Each of the five servers above produces a response, r, and its digital signature, K-(md(r)); i.e., a message digest of r encrypted with the server’s private RSA key. • The client applies Reiter’s (May, 1994) decryption function, D, to produce a message digest of three server signatures at a time. • The client also applies Reiter’s hash function, H, to each of the five servers’ responses in turn. • If one of those H(ri) = D(K-(md(ra)), K-(md(rb)), K-(md(rc))), then those three servers’ responses can be trusted. • Reiter and Birman’s “(m,n)-threshold scheme” became more replication transparent in November, 1994, when all of the servers did the client’s work. [http://www.cs.unc.edu/~reiter/papers/1994/TOPLAS.pdf]

  19. R U O K ? 8. Why are permanent shared keys more “expensive” to make and replace than temporary session keys? • The permanent keys are typically communicated out-of-band via double-wrapped snail mail or secure land-line telephone. • Permanent keys should be communicated only once and used as seldom as possible to minimize their wear and tear (exposure). • A key distribution center automatically exchanges any number of temporary session keys for your trusted password, which you change regularly. • All of the above. • None of the above.

  20. R U O K ? 9. Which of the three options is best for securing group confidentiality? • Using a single secret key, because trust is relatively fault tolerant; e.g., family secrets. • Distributing N(N-1)/2 session keys, because all of the details are handled automatically. • Using RSA public-key encryption, because its great expense is levied only once. • All of the above. • None of the above.

  21. R U O K ? 10. Tanenbaum fails to describe Reiter’s D and H functions in sufficient detail that we can independently verify their performance. Can you extract those details from Reiter’s cited paper? • Yes, each is a copy of MD5 (see pp.395-6). • No, as Tanenbaum notes at the beginning of §9.2.4, “…incorporating security into distributed systems is not trivial.” (Reiter’s 24pp paper is obscure.)

  22. Kerberos, v.5 • MIT’s Kerberos helps a client build a trusting relationship (secure channel) with any one server in a distributed computing system. • Its authentication server (AS) accepts the user’s login (1 & 2 above left) and provides a ticket (3 & 4). • Its ticket granting service (TGS) accepts AS & TGS’ shared key (5 & 6), and provides a session key (7). • Naming the user’s conversation partner, the ticket (6) includes a timestamp to thwart replay attacks. (Secure sign-on complete.) • The user passes TGS’ (honored everywhere) ticket to her partner’s server (1 right), which opens their secure channel (2).

  23. General Issues in Access Control • Authorized users also need access rights to use a server’s various resources; i.e., invoke its subjects (methods) on state-machine objects. • A reference monitor enforces the user’s rights to create, rename, manage or delete objects. • The reference monitor must be tamper proof.

  24. Access Control Matrix • Right-click on a Windows file to see if you have read-only or read-write access to it. Every object has an Access Control List (ACL, upper figure). • The alternative user “capabilities” list (lower figure) is like pilot certifications; e.g., private, multi-engine, commercial, jet, Boeing 777, F35. The grantor’s digital signature protects it against changes by its user.

  25. Protection Domains • A protection domain tree simplifies numerous, sparse access control matrices by assigning similar individuals to groups that have rights. • Every node of the tree is labeled with an (object, access right) pair, which describes increasingly restrictive rights for everyone below that node. • Individuals carry digitally signed certificates listing their group memberships. • A department head may play the role of project manager, which assigns her to many groups. • The tree may be more efficiently organized by objects, when objects are many and user groups are few.

  26. R U O K ? 11. How does Kerberos use the user’s password in authentication? a. The Authentication Server (AS) hashes the user’s password into a 56-bit digest, which it substitutes as their secret session key, until AS can generate the key that they will share. b. The user’s password passes to TGS, which logs it for future reference.

  27. R U O K ? 12. How do we make a reference monitor tamper proof? • The reference monitor grants the right to change itself to particular authorized. • Only the server’s creator-administrator can change the reference monitor’s list of users’ rights. • Potential hackers cannot even get access to the server, because they are not authorized. • All of the above. • None of the above.

  28. R U O K ? 13. Contrast an ACL with a capabilities list. • The ACL is a list of operations on objects (resources) that the server’s administrator permits the authorized user to perform. • The capabilities list is a ticket to use resources even where the ticket holder is unknown. • The server’s administrator uses an ACL to grant rights to one server’s resources, but a trusted third party can grant global rights to capability ticket holders. • All of the above. • None of the above.

  29. R U O K ? 14. Describe the protection domain tree that controls access to the MATLAB tools installed on the Windows machines in ERB124. • The ERB124 door locks out unauthorized users of its Macintoshes and Windows machines. • Each Windows machine’s login procedure welcomes only UTA students, faculty and staff. • Each machine’s ACL allows MATLAB access to every user. • All of the above. • None of the above.
