network security and it’s issues presenter prosanta gope advisor prof. tzonelih hwang quantum...

Network Security and It’s Issues

Presenter

Prosanta Gope

AdvisorProf. Tzonelih

Hwang

Quantum Information and Network Security Lab, NCKU,2015

Flash Back

Part 3 Protocols 2

Outline

Network Security Basics. Understating the Purpose of Mutual

Authentication Symmetric Key based Mutual

Authentication. Public Key based Mutual Authentication. Understating Secure Socket Layer (SSL)

Network Security Basics

Network Security Services

Confidentiality Integrity Authentication Nonrepudiation Access Control Availability

Network Security Services Confidentiality

Maintaining the privacy of data Integrity

Detecting that the data is not tampered with Authentication

Establishing proof of identity Nonrepudiation

Ability to prove that the sender actually sent the data Access Control

Access to information resources are regulated Availability

Computer assets are available to authorized parties when needed

SERVICES

Something Well-known in Network Security World

Friends and enemies: Alice, Bob, Trudy

Bob, Alice (lovers!) want to communicate “securely” Trudy (intruder) may intercept, delete, add messages

securesender

securereceiver

channel data, control messages

data data

Alice Bob

Trudy

Protocol Human protocols the rules followed in

human interactionso Example: Asking a question in class

Networking protocols rules followed in networked communication systemso Examples: HTTP, FTP, etc.

Security protocol the (communication) rules followed in a security applicationo Examples: SSL, IPSec, Kerberos, etc.

Ideal Security Protocol Must satisfy security requirements

o Requirements need to be precise Efficient

o Small computational requiremento Small bandwidth usage, minimal delays…

Robusto Works even if environment changes

Easy to use & implement, flexible… Difficult to satisfy all of these!

Secure Entry to NSA

1. Insert badge into reader2. Enter PIN3. Correct PIN?

Yes? EnterNo? Get shot by security guard

ATM Machine Protocol

1. Insert ATM card2. Enter PIN3. Correct PIN?

Yes? Conduct your transaction(s)No? Machine (eventually) eats card

Authentication Protocols

Authentication

Alice must prove her identity to Bobo Alice and Bob can be humans or computers

May also require Bob to prove he’s Bob (mutual authentication)

Probably need to establish a session key May have other requirements, such as

o Use public keyso Use symmetric keyso Use hash functionso Anonymity, etc., etc.

Simple Authentication

Alice Bob

“I’m Alice”

Prove it

My password is “frank”

Simple and may be OK for standalone system But insecure for networked system

o Subject to a replay attack (next 2 slides)o Also, Bob must know Alice’s password

Authentication Attack

Alice Bob

“I’m Alice”

Prove it

My password is “frank”

Trudy

Authentication Attack

Bob

“I’m Alice”

Prove it

My password is “frank”Trudy

This is an example of a replay attack How can we prevent a replay?

Simple Authentication

Alice Bob

I’m Alice, my password is “frank”

More efficient, but… … same problem as previous version

Better Authentication

Alice Bob

“I’m Alice”

Prove it

h(Alice’s password)

Better since it hides Alice’s passwordo From both Bob and Trudy

But still subject to replay

Challenge-Response To prevent replay, use challenge-response

o Goal is to ensure “freshness”

Suppose Bob wants to authenticate Aliceo Challenge sent from Bob to Alice

Challenge is chosen so that… o Replay is not possible

o Only Alice can provide the correct response

o Bob can verify the response

Nonce To ensure freshness, can employ a nonce

o Nonce == number used once

What to use for nonces?o That is, what is the challenge?

What should Alice do with the nonce?o That is, how to compute the response?

How can Bob verify the response? Should we rely on passwords or keys?

Challenge-Response

Bob

“I’m Alice”

Nonce

h(Alice’s password, Nonce)

Nonce is the challenge The hash is the response Nonce prevents replay, ensures freshness Password is something Alice knows Note: Bob must know Alice’s pwd to verify

Alice

Generic Challenge-Response

Bob

“I’m Alice”

Nonce

Something that could only be

Alice from Alice (and Bob can verify)

In practice, how to achieve this? Hashed password works, but… Encryption is better here (Why?)

Symmetric Key Notation Encrypt plaintext P with key K

C = E(P,K) Decrypt ciphertext C with key K

P = D(C,K) Here, we are concerned with attacks on

protocols, not attacks on cryptoo So, we assume crypto algorithms are secure

Authentication: Symmetric Key Alice and Bob share symmetric key K Key K known only to Alice and Bob Authenticate by proving knowledge of

shared symmetric key How to accomplish this?

o Cannot reveal key, must not allow replay (or other) attack, must be verifiable, …

Authentication with Symmetric Key

Alice, K Bob, K

“I’m Alice”

E(R,K)

Secure method for Bob to authenticate Alice Alice does not authenticate Bob

So, can we achieve mutual authentication?

R

Mutual Authentication?

Alice, K Bob, K

“I’m Alice”, R

E(R,K)

E(R,K)

What’s wrong with this picture? “Alice” could be Trudy (or anybody else)!

Mutual Authentication Since we have a secure one-way

authentication protocol… The obvious thing to do is to use the

protocol twiceo Once for Bob to authenticate Aliceo Once for Alice to authenticate Bob

This has got to work…

Mutual Authentication

Alice, K Bob, K

“I’m Alice”, RA

RB, E(RA, K)

E(RB, K)

This provides mutual authentication… …or does it? See the next slide

Mutual Authentication Attack

Bob, K

1. “I’m Alice”, RA

2. RB, E(RA, K)

Trudy

Bob, K

3. “I’m Alice”, RB

4. RC, E(RB, K)

Trudy

5. E(RB, K)

Let’s Resolve this Problem

Symmetric Key Mutual Authentication

Alice, K Bob, K

“I’m Alice”, RA

RB, E(“Bob”,RA,K)

E(“Alice”,RB,K)

Do these “insignificant” changes help? Yes!

Problem Statement

In Symmetric Key based Authentication

Protocol Alice and Bob need to have a

Shared Secret Key, Where Distribution of

Keys among the Participants is a tedious

Job.

Welcome to the World of Public-Key Crypto-

System

35

Public Keys and Trust

Public Key: PA

Secret key: SA

Public Key: PB

Secret key: SB

How are public keys stored?

How to obtain the public key?

How does Bob know or ‘trusts’ that PA is Alice’s public key?

36

Distribution of Public Keys

Public announcement: users distribute public keys to recipients or broadcast to community at large

Publicly available directory: can obtain greater security by registering keys with a public directory

Public Key Can Also Achieve Through CA

Public Key Notation Encrypt M with Alice’s public key: {M}Alice

Sign M with Alice’s private key: [M]Alice

Anybody can use Alice’s public key Only Alice can use her private key

Public Key Authentication

Alice Bob

“I’m Alice”

{R}Alice

R

Is this secure? Trudy can get Alice to decrypt anything!

Public Key Authentication

Alice Bob

“I’m Alice”

R

[R]Alice

Is this secure? Trudy can get Alice to sign anything!

Public Keys Generally, a bad idea to use the same

key pair for encryption and signing Instead, should have…

o …one key pair for encryption/decryption…o …and a different key pair for

signing/verifying signatures

Session Key Usually, a session key is required

o I.e., a symmetric key for a particular sessiono Used for confidentiality and/or integrity

How to authenticate and establish a session key (i.e., shared symmetric key)?o When authentication completed, want Alice and

Bob to share a session keyo Trudy cannot break the authentication…o …and Trudy cannot determine the session key

Authentication & Session Key

Alice Bob

“I’m Alice”, R

{R,K}Alice

{R +1,K}Bob

Is this secure?o Alice is authenticated and session key is secureo Alice’s “nonce”, R, useless to authenticate Bobo The key K is acting as Bob’s nonce to Alice

No mutual authentication

Public Key Authentication and Session Key

Alice Bob

“I’m Alice”, R

[R,K]Bob

[R +1,K]Alice

Is this secure?o Mutual authentication (good), but…o … session key is not secret (very bad)

Public Key Authentication and Session Key

Alice Bob

“I’m Alice”, R

{[R,K]Bob}Alice

{[R +1,K]Alice}Bob

Is this secure? Seems to be OK Mutual authentication and session key!

Public Key Authentication and Session Key

Alice Bob

“I’m Alice”, R

[{R,K}Alice]Bob

[{R +1,K}Bob]Alice

Is this secure? Seems to be OK

Perfect Forward Secrecy Consider this “issue”…

o Alice encrypts message with shared key K and sends ciphertext to Bob

o Trudy records ciphertext and later attacks Alice’s (or Bob’s) computer to recover K

o Then Trudy decrypts recorded messages

Perfect forward secrecy (PFS): Trudy cannot later decrypt recorded ciphertexto Even if Trudy gets key K or other secret(s)

Is PFS possible?

Naïve Session Key Protocol

Trudy could record E(KS, K) If Trudy later gets K then she can get KS

o Then Trudy can decrypt recorded messages

Alice, K Bob, K

E(KS, K)

E(messages, KS)

Then How to Achieve Perfect Forward Secrecy

(PFS)

With the Help of Diffie-Hellman Key-Agreement Protocol

Key Agreement: Diffie-Hellman Protocol

Key agreement protocol, both A and B contribute to the key Setup: p prime and g generator of Zp*, p and g public.

K = (gb mod p)a = gab mod p

ga mod p

gb mod p

K = (ga mod p)b = gab mod p

Pick random, secret aCompute and send ga mod p

Pick random, secret bCompute and send gb mod p

MIM in Diffie-Hellmanga mod n

gb mod n

gc mod n

gc mod n

Alice computes gac mod n and Bob computes gbc mod n !!!

Oh! No..Can Anyone Help Me to Achieve PFS?

Perfect Forward Secrecy

Session key KS = gab mod p Alice forgets a, Bob forgets b So-called Ephemeral Daffier-Hellman Neither Alice nor Bob can later recover KS

Are there other ways to achieve PFS?

Alice: K, a Bob: K, b

E(ga mod p, K)

E(gb mod p, K)

Mutual Authentication, Session Key and PFS

Alice Bob

“I’m Alice”, RA

RB, [{RA, gb mod p}Alice]Bob

[{RB, ga mod p}Bob]Alice

Session key is SK = gab mod p Alice forgets a and Bob forgets b If Trudy later gets Bob’s and Alice’s secrets,

she cannot recover session key SK

Three-Party Mutual Authentication

andKey-Distribution

UsingSymmetric-Key Crypto System

Part 3 Protocols 55

Meet Our Participants

Part 3 Protocols 56

Part 3 Protocols 57

Trudy

Alice Bob

Can be Treated as Server

Assumptions

Part 3 Protocols 58

Part 3 Protocols 59

Trudy

Alice Bob

𝑲 𝒂𝒕𝑲 𝒃𝒕

?Share Key𝑰𝑫𝒂

𝑰𝑫𝒃

TrudyM1

M2M

3M4

Gen:NaNx=Na Va=h(Na || Kat || IDa)M1:{IDa, Nx, Va}

Gen:NbNy=Nb Vb=h(Nb || Kbt || IDb)M2 :{IDb, Ny, Vb}

Check:?Va, ?VbGen: KabM3 :{Kab || Na}M4 :{Kab || Nb}

Na=Nx Nb=Ny

TrudyM1

M2M

3M4

Decrypt: M3Check: ? NaGet : Kab

Check:?Va, ?VbGen: KabM3 :{Kab || Na}M4 :{Kab || Nb}

Decrypt: M4Check: ? NbGet : Kab

Kab

Secure communication

Understanding SSL

Part 3 Protocols 63

64

古早密碼學

古典密碼學資安號

Privacy Integrity Authentication

Network Security Services

Authentication

THANK YOU

I have questions…