chapter 9 simple authentication protocols

Chapter 9Simple Authentication ProtocolsSimple Security ProtocolAuthentication ProtocolsAuthentication and TCPZero Knowledge ProofsThe best Authentication Protocol?

Chapter 9 Simple Authentication protocols*

Chapter 9 Simple Authentication protocols

ProtocolsHuman protocols the rules followed in human interactionsExample: Asking a question in classNetworking protocols rules followed in networked communication systemsExamples: HTTP, FTP, etc.Security protocols the (communication) rules followed in a security applicationExamples: SSL, IPSec, Kerberos, etc. Chapter 9 Simple Authentication protocols*


ProtocolsProtocol flaws can be very subtleSeveral well-known security protocols have serious flawsIncluding IPSec, GSM and WEPCommon to find implementation errorsSuch as IE implementation of SSLDifficult to get protocols right Chapter 9 Simple Authentication protocols*


Ideal Security ProtocolSatisfies security requirementsRequirements must be preciseEfficientMinimize computational requirement in particular, costly public key operationsMinimize delays/bandwidthNot fragileMust work when attacker tries to break itWorks even if environment changesEasy to use and implement, flexible, etc.Very difficult to satisfy all of these! Chapter 9 Simple Authentication protocols*


Simple Security Protocols Chapter 9 Simple Authentication protocols*


Secure Entry to NSAInsert badge into readerEnter PINCorrect PIN?Yes? EnterNo? Get shot by security guard Chapter 9 Simple Authentication protocols*


ATM Machine ProtocolInsert ATM cardEnter PINCorrect PIN?Yes? Conduct your transaction(s)No? Machine eats card Chapter 9 Simple Authentication protocols*


Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocolsNamibiaAngola1. N2. E(N,K)SAAFImpalaRussianMIG*Military needs many specialized protocolsMany cases, it could recognize friends as enemies, or .


MIG in the Middle Chapter 9 Simple Authentication protocolsNamibiaAngola1. N2. N3. N4. E(N,K)5. E(N,K)6. E(N,K)SAAFImpalaRussianMiG*


Authentication Protocols Chapter 9 Simple Authentication protocols*


AuthenticationAlice must prove her identity to BobAlice and Bob can be humans or computersMay also require Bob to prove hes Bob (mutual authentication)May also need to establish a session keyMay have other requirements, such asUse only public keysUse only symmetric keysUse only a hash functionAnonymity, plausible deniability, etc., etc. Chapter 9 Simple Authentication protocols*


AuthenticationAuthentication on a stand-alone computer is relatively simpleSecure path is the primary issueMain concern is an attack on authentication software (we discuss software attacks later)Authentication over a network is much more complexAttacker can passively observe messagesAttacker can replay messagesActive attacks may be possible (insert, delete, change messages) Chapter 9 Simple Authentication protocols*


Simple AuthenticationSimple and may be OK for standalone systemBut insecure for networked systemSubject to a replay attack (next 2 slides)Bob must know Alices password Chapter 9 Simple Authentication protocolsAliceBobIm AliceProve itMy password is frank*


Authentication Attack Chapter 9 Simple Authentication protocolsAliceBobIm AliceProve itMy password is frankTrudy*


Authentication AttackThis is a replay attackHow can we prevent a replay? Chapter 9 Simple Authentication protocolsBobIm AliceProve itMy password is frankTrudy*


Simple AuthenticationMore efficientBut same problem as previous versionReplay attack Chapter 9 Simple Authentication protocolsAliceBobIm Alice, My password is frank*


Better AuthenticationBetter since it hides Alices passwordFrom both Bob and attackersBut still subject to replay Chapter 9 Simple Authentication protocolsAliceBobIm AliceProve ith(Alices password)*


Challenge-ResponseTo prevent replay, challenge-response usedSuppose Bob wants to authenticate AliceChallenge sent from Bob to AliceOnly Alice can provide the correct responseChallenge chosen so that replay is not possibleHow to accomplish this?Password is something only Alice should knowFor freshness, a number used once or nonce Chapter 9 Simple Authentication protocols*


Challenge-Response Chapter 9 Simple Authentication protocolsBobIm AliceNonceh(Alices password, Nonce) Nonce is the challenge The hash is the response Nonce prevents replay, insures freshness Password is something Alice knows Note that Bob must know Alices passwordAlice*


Challenge-ResponseWhat can we use to achieve this?Hashed pwd works, crypto might be betterWill be discussed for Symmetric key, Public key, and so on Chapter 9 Simple Authentication protocolsBobIm AliceNonceSomething that could only beAlicefrom Alice (and Bob can verify)*


Symmetric Key NotationEncrypt plaintext P with key K C = E(P,K)Decrypt ciphertext C with key K P = D(C,K)Here, we are concerned with attacks on protocols, not directly on the cryptoWe assume that crypto algorithm is secure Chapter 9 Simple Authentication protocols*


Symmetric Key AuthenticationAlice and Bob share symmetric key KABKey KAB known only to Alice and BobAuthenticate by proving knowledge of shared symmetric keyHow to accomplish this?Must not reveal keyMust not allow replay attack Chapter 9 Simple Authentication protocols*


Authentication with Sym Key Chapter 9 Simple Authentication protocolsAlice, KABBob, KABIm AliceE(R,KAB)Secure method for Bob to authenticate AliceAlice does not authenticate BobCan we achieve mutual authentication?R*


Mutual Authentication?Whats wrong with this picture?Alice could be Trudy (or anybody else)! Chapter 9 Simple Authentication protocolsAliceBobIm Alice, RE(R,KAB)E(R,KAB)*


Mutual AuthenticationSince we have a secure one-way authentication protocolThe obvious thing to do is to use the protocol twiceOnce for Bob to authenticate AliceOnce for Alice to authenticate BobThis has to work Chapter 9 Simple Authentication protocols*


Mutual AuthenticationThis provides mutual authenticationIs it secure? See the next slide Chapter 9 Simple Authentication protocolsAliceBobIm Alice, RARB, E(RA,KAB)E(RB,KAB)*


Mutual Authentication Attack Chapter 9 Simple Authentication protocolsBob1. Im Alice, RA2. RB, E(RA,KAB)TrudyBob3. Im Alice, RB4. RC, E(RB,KAB)Trudy5. E(RB,KAB)*


Mutual AuthenticationOur one-way authentication protocol not secure for mutual authentication Protocols are subtle!The obvious thing may not be secureAlso, if assumptions or environment changes, protocol may not workThis is a common source of security failureFor example, Internet protocols Chapter 9 Simple Authentication protocols*


Sym Key Mutual AuthenticationDo these insignificant changes help?Yes! Chapter 9 Simple Authentication protocolsAliceBobIm Alice, RARB, E(Bob,RA,KAB)E(Alice,RB,KAB)*


Public Key NotationEncrypt M with Alices public key: {M}AliceSign M with Alices private key: [M]AliceThen [{M}Alice ]Alice = M {[M]Alice }Alice = M Anybody can do public key operations Only Alice can use her private key (sign) Chapter 9 Simple Authentication protocols*


Public Key AuthenticationIs this secure?Trudy can get Alice to decrypt anything!Should not use the key for encryptionMust have two key pairs Chapter 9 Simple Authentication protocolsAliceBobIm Alice{R}AliceR*


Public Key AuthenticationIs this secure?Trudy can get Alice to sign anything!Should not use the key for signMust have two key pairs Chapter 9 Simple Authentication protocolsAliceBobIm AliceR[R]Alice*


Public KeysNever use the same key pair for encryption and signingOne key pair for encryption/decryptionA different key pair for signing/verifying signatures Chapter 9 Simple Authentication protocols*


Session KeySession key: temporary key, used for a short time periodUsually, a session key is required in addition to authenticationLimit symmetric key for a particular sessionLimit damage if one session key compromisedCan we authenticate and establish a shared symmetric key?Key can be used for confidentialityKey can be used for integrity Chapter 9 Simple Authentication protocols*


Session KeyIn some cases, we may also require perfect forward secrecy (PFS)Discussed later Chapter 9 Simple Authentication protocols*


Is this secure?OK for key, but no mutual authenticationNote that K is acting as Bobs nonceAlice can not authenticate Bob Chapter 9 Simple Authentication protocols*Pub Key Authen and Sess KeyUsing Encryptions of Alice and Bob


Pub Key Authen and Sess KeyIs this secure?Mutual authentication but key is not secret! Chapter 9 Simple Authentication protocols*Using Signs of Alice and Bob


Pub Key Authen and Sess KeyIs this secure?Seems to be OKMutual authentication and session key! Chapter 9 Simple Authentication protocols*First Sign and encrypt


Is this secure?Seems to be OKThough anyone can see {R,K}Alice and {R +1,K}Bob Chapter 9 Simple Authentication protocols*Pub Key Authen and Sess KeyFirst encrypt and Sign


Perfect Forward SecrecyThe concernAlice encrypts message with shared key KAB and sends ciphertext to BobTrudy records ciphertext and later attacks Alices (or Bobs) computer to find KABThen Trudy decrypts recorded messagesPerfect forward secrecy (PFS): Trudy cannot later decrypt recorded ciphertextEven if Trudy gets key KAB or other secret(s)Is PFS possible? Chapter 9 Simple Authentication protocols*


Perfect Forward SecrecyFor perfect forward secrecy, Alice and Bob cannot use KAB to encryptInstead they must use a session key KS and forget it after its usedProblem: How can Alice and Bob agree on session key KS and insure PFS? Chapter 9 Simple Authentication protocols*


Nave Session Key ProtocolTrudy could also record E(KS,KAB)If Trudy gets KAB, she gets KS Chapter 9 Simple Authentication protocolsAlice, KABBob, KABE(KS, KAB)E(messages, KS)*


Perfect Forward SecrecyCan use Diffie-Hellman for PFSRecall Diffie-Hellman: public g and p Chapter 9 Simple Authentication protocolsBut Diffie-Hellman is subject to MiMHow to get PFS and prevent MiM?Alice, aBob, bga mod pgb mod p*


Perfect Forward SecrecySession key KS = gab mod pAlice forgets a, Bob forgets bEphemeral() Diffie-HellmanNot even Alice and Bob can later recover KSOther ways to do PFS? Chapter 9 Simple Authentication protocolsAlice, aBob, bE(ga mod p, KAB)E(gb mod p, KAB)*


Mutual Authen, Sess Key & PFS Chapter 9 Simple Authentication protocolsAliceBobIm Alice, RARB, [{RA, gb mod p}Alice]Bob[{RB, ga mod p}Bob]AliceSession key is K = gab mod pAlice forgets a and Bob forgets bIf Trudy later gets Bobs and Alices secrets, she cannot recover session key K*


TimestampsA timestamp T is the current timeTimestamps used in many security protocols (Kerberos, for example)Timestamps reduce number of messagesLike a nonce that both sides know in advanceBut, use of timestamps implies that time is a security-critical parameterClocks never exactly the same, so must allow for clock skew( ) risk of replayHow much clock skew is enough? Chapter 9 Simple Authentication protocols*


Pub Key Authen with Timestamp T Chapter 9 Simple Authentication protocolsBobIm Alice, {[T,K]Alice}Bob{[T +1,K]Bob}AliceAliceIs this secure?Seems to be OK*


Chapter 9 Simple Authentication protocolsBobIm Alice, [{T,K}Bob]Alice[{T +1,K}Alice]BobAliceIs this secure?Trudy can use Alices public key to find{T,K}Bob and then*Pub Key Authen with Timestamp T


Chapter 9 Simple Authentication protocolsBobIm Trudy, [{T,K}Bob]Trudy[{T +1,K}Trudy]BobTrudyTrudy obtains Alice-Bob session key KNote: Trudy must act within clock skew*Pub Key Authen with Timestamp T


Pub Key Authen with Timestamp T Chapter 9 Simple Authentication protocolsBobIm Alice, [{T,K}Bob]Alice[{T +1}Alice]BobAliceIs this encrypt and sign secure?Yes, seems to beDoes sign and encrypt also work here?*


Public Key AuthenticationSign and encrypt with nonceSecureEncrypt and sign with nonceSecureSign and encrypt with timestampSecureEncrypt and sign with timestampInsecureProtocols can be subtle! Chapter 9 Simple Authentication protocols*


Authentication and TCP Chapter 9 Simple Authentication protocols*


TCP-based AuthenticationTCP not intended for use as an authentication protocolBut IP address in TCP connection often used for authenticationOne mode of IPSec uses IP address for authenticationThis can cause problems Chapter 9 Simple Authentication protocols*


TCP 3-way Handshake Chapter 9 Simple Authentication protocolsAliceBobSYN, SEQ aSYN, ACK a+1, SEQ bACK b+1, data Recall the TCP three way handshake Initial SEQ number must be random Why? See the next slide*


TCP Authentication Attack Chapter 9 Simple Authentication protocolsAliceBobTrudy1. SYN, SEQ = t (as Trudy)2. SYN, ACK = t+1, SEQ = b13. SYN, SEQ = t (as Alice)4. SYN, ACK = t+1, SEQ = b25. ACK = b2+1, data5.5.5.5.*


TCP Authentication Attack Chapter 9 Simple Authentication protocolsRandom SEQ numbersInitial SEQ numbersMac OS X If initial SEQ numbers not very random possible to guess initial SEQ number and previous attack will succeed*


TCP Authentication AttackTrudy cannot see what Bob sends, but she can send packets to server Bob, while posing as AliceTrudy must prevent Alice from receiving Bobs packets (or else connection will terminate)If password (or other authentication) required, this attack failsIf TCP connection is relied on for authentication, then attack succeedsBad idea to rely on TCP for authentication Chapter 9 Simple Authentication protocols*


Zero Knowledge Proofs Chapter 9 Simple Authentication protocols*


Zero Knowledge Proof (ZKP)Alice wants to prove that she knows a secret without revealing any info about itBob must verify that Alice knows secretEven though he gains no info about the secretProcess is probabilisticBob can verify that Alice knows the secret to an arbitrarily high probabilityAn interactive proof system Chapter 9 Simple Authentication protocols*


Bobs CaveAlice claims to know secret phrase to open path between R and S (open sasparilla)Can she convince Bob that she knows the secret without revealing phrase? Chapter 9 Simple Authentication protocolsPQRS*


Bobs CaveBob: Alice come out on S side Chapter 9 Simple Authentication protocolsAlice (quietly): Open sasparillaApse Alice does not know secretWithout knowing secret, Alice could come out from the correct side with probability If Bob repeats this n times, then Alice can only fool Bob with probability 1/2n

PQRS*


Fiat-Shamir ProtocolCave-based protocols are inconvenientCan we achieve same effect without a cave?It is known that finding square roots modulo N is difficult (like factoring)Suppose N = pq, where p and q primeAlice has a secret SN and v = S2 mod N are public, S is secretAlice must convince Bob that she knows S without revealing any information about S Chapter 9 Simple Authentication protocols*


Fiat-ShamirPublic: Modulus N and v = S2 mod NAlice selects random rBob chooses e {0,1} Bob verifies that y2 = r2S2e = r2(S2)e = xve mod N Chapter 9 Simple Authentication protocolsAliceBobx = r2 mod Ne {0,1}y = rSe mod N*secret Srandom r


Fiat-Shamir: e = 1Public: Modulus N and v = S2 mod NAlice selects random rSuppose Bob chooses e =1 Bob must verify that y2 = xv mod NAlice must know S in this case Chapter 9 Simple Authentication protocolsAliceBobx = r2 mod Ne = 1 y = rS mod N*Secret SRandom r


Fiat-Shamir: e = 0Public: Modulus N and v = S2 mod NAlice selects random rSuppose Bob chooses e = 0Bob must verify that y2 = x mod N Alice does not need to know S in this case! Chapter 9 Simple Authentication protocolsAliceBobx = r2 mod Ne = 0 y = r mod N*Secret SRandom r


Fiat-ShamirPublic: modulus N and v = S2 mod NSecret: Alice knows SAlice selects random r and commits to r by sending x = r2 mod N to BobBob sends challenge e {0,1} to AliceAlice responds with y = rSe mod NBob checks that y2 = xve mod N Does this prove response is from Alice? Chapter 9 Simple Authentication protocols*


Does Fiat-Shamir Work?The math works sincePublic: v = S2Alice to Bob: x = r2 and y = rSeBob verifies y2 = xve mod N Can Trudy convince Bob she is Alice?If Trudy expects e = 0, she can send x = r2 in msg 1 and y = r in msg 3 (i.e., follow protocol)If Trudy expects Bob to send e = 1, she can send x = r2v1 in msg 1 and y = r in msg 3If Bob chooses e {0,1} at random, Trudy can fool Bob with probability 1/2 Chapter 9 Simple Authentication protocols*


Fiat-Shamir FactsTrudy can fool Bob with prob 1/2, butAfter n iterations, the probability that Trudy can fool Bob is only 1/2nJust like Bobs cave!Bobs e {0,1} must be unpredictableAlice must use new r each iteration or elseIf e = 0, Alice sends r in message 3If e = 1, Alice sends rS in message 3Anyone can find S given both r and rS Chapter 9 Simple Authentication protocols*


Fiat-Shamir Zero Knowledge?Zero knowledge means that Bob learns nothing about the secret SPublic: v = S2 mod NBob sees r2 mod N in message 1Bob sees rS mod N in message 3 (if e = 1)If Bob can find r from r2 mod N, he gets SBut that requires modular square rootIf Bob can find modular square roots, he can get S from public vThe protocol does not help Bob to find S Chapter 9 Simple Authentication protocols*


ZKP in the Real WorldPublic keys identify usersNo anonymity if public keys transmittedZKP offers a way to authenticate without revealing identitiesZKP supported in Microsofts Next Generation Secure Computing Base (NGSCB)ZKP used to authenticate software without revealing machine identifying dataZKP not just fun and games for mathematicians! Chapter 9 Simple Authentication protocols*


Best Authentication Protocol?What is best depends on many factorsThe sensitivity of the applicationThe delay that is tolerableThe cost that is tolerableWhat crypto is supportedPublic key, symmetric key, hash functionsIs mutual authentication required?Is a session key required?Is PFS a concern?Is anonymity a concern?, etc. Chapter 9 Simple Authentication protocols*


*Subtle: *

chapter 9 simple authentication protocols

Documents

authentication software

protocols right chapter

middle chapter

security guard chapter

foe iff chapter

machine eats card chapter

security applicationexamples

communication rules