CSC 474 -- Network Security · discovery.csc.ncsu.edu/.../slides/t06.3_protocolpitfalls.ppt.pdf
CSC 474 Dr. Peng Ning 1
Computer Science
CSC 474 -- Network Security
Topic 6.3 Authentication Protocols
Outline
I. Attacks on authentication protocols
II. Preliminaries (KDCs and nonces)
III. One-way authentication
IV. Two-way (mutual) authentication
V. Authentication + key negotiation
VI. Authentication using KDCs
VII. Security “Checklist”
Attacks on Authentication Protocols
Authentication Protocols
• Secure communication almost always begins with a “handshake”, i.e., participants…
– establish who they are talking with, and…
– negotiate shared session keys
• Lots of protocols available
– many of them aren’t secure!
– vulnerabilities / weaknesses are surprisingly subtle
• How can you tell if a protocol is secure?
What Can Attackers Do?
• Attacks involving messages
– eavesdrop on communications
– delete, forge, or modify messages
– replay messages previously intercepted
– modify message delivery sequence
– send a message spliced together from pieces of other messages
– delay message delivery
• Compromise hosts or servers
Sessions and Channels
• A session is an exchange of messages protected by a single authentication
– attackers may be able to hijack sessions, i.e., take them over after authentication has occurred
• A channel is a conversation opened between two parties
– attackers can open multiple simultaneous channels to the target
Desired Protocol Properties
• Robust against attacks
• Efficient
– minimum number of messages
– minimum number of keys
– important?
• Should minimize the amount of trust which is assumed / relied upon
Taxonomy of Protocols (For This Lecture)
• Is message integrity + confidentiality for the session desired?
– yes: to next page…
– no, only authentication is needed: Is mutual authentication desired?
    – no, only one-way authentication needed: How is authentication accomplished?
        – password: A.
        – secret-key crypto: B.
        – public key crypto: C.
    – yes: Is a KDC required?
        – Yes, available: I.
        – No, not available: How is authentication accomplished?
            – secret-key crypto: D.
            – public key crypto: E.
Taxonomy… (cont’d)
…from previous page
• How is authentication accomplished?
– secret-key crypto: F.
– one-way public key crypto: G.
– bi-directional public key crypto: H.
Lectures <--> Text
• The correspondence between Figure labels in Textbook, and Protocol labels in lecture, is:
• Textbook: Lecture
• 11-1: B
• 11-2: variation on B
• 11-4: another variation on B
• 11-5: C
• 11-7: D
• 11-8: Optimized version of D
• 11-13: variation on D
• 11-14: F
• 11-16: I basic idea
• 11-17: I in practice
• 11-18: Needham Schroeder
• 11-19: Expanded Needham Schroeder
• 11-20: Otway-Rees
Preliminaries
Trusted Key Servers
• How do a large number of users authenticate each other?
– inefficient / impractical for every pair of users to negotiate a secret key or share passwords
• Alternative: everybody shares a key with (and authenticates to) a single trusted intermediary (third party)
• Assumes there is a way to negotiate a key with the intermediary
Trusted… (cont’d)
• Shared keys between the Key Distribution Center (KDC) and users
[Figure: the KDC shares one key with each of the users A, B, C, D, E: KA-KDC, KB-KDC, KC-KDC, KD-KDC, KE-KDC]
(Simplified) Example of Use
• Alice wishes to communicate securely with Bob; Alice has previously negotiated KA-KDC with the KDC, Bob has negotiated KB-KDC
1. Alice requests from the KDC a session key to use with Bob
2. KDC generates session key KS, sends to Alice, encrypted with KA-KDC
3. KDC also sends KS to Bob, encrypted with KB-KDC
• Alice and Bob can then communicate using KS
Assessment
• Simplifies mutual authentication / key negotiation, but…
– secure against attacks?
– robust to failures?
– efficient?
A Hierarchy of KDCs
• For an Internet, not practical to have a single KDC
– instead, imagine one KDC per domain
• To communicate securely with user in your own domain, just contact your domain’s KDC
• To talk with user in another domain, your KDC needs to contact the other domain’s KDC
– KDCs must be able to authenticate each other and communicate securely
– details omitted (for now)
Hierarchy… (cont’d)
[Figure: Domain 1: KDC-1 shares keys KA-K1, KB-K1, KC-K1 with users A, B, C. Domain 2: KDC-2 shares keys KD-K2, KE-K2 with users D, E.]
Use of Keys vs. Passwords
• Even when we talk about using keys (secret or public/private), the user doesn’t typically memorize those; just too long!
• Keys are often protected by or generated from a password or a passphrase
– so, still vulnerable to password attacks!
– (good application for electronic tokens?)
Keys vs. Passwords… (cont’d)
• The verifier has to store keys as well
– so, compromising the server may compromise user keys or passwords
• Not a problem if public key crypto is used
– but PK crypto requires an infrastructure for storing and obtaining public keys (certificates, etc.)
Key Guessing Attack
• Assume Trudy knows f, can guess what KAlice-Bob is
– not that unlikely if key is derived from a password
• Solutions?
Trudy → Bob: I’m Alice, RAlice
Bob → Trudy: RBob, f(KAlice-Bob,RAlice)
Replay Attacks
• An attacker can record a message between two other parties, replay it for one of them later
– if original message was authenticated, the replayed message is also authenticated
• Detecting replayed messages: add a nonce to each message
– a non-repeating (unique) message identifier
• Choices: sequence numbers, random numbers, and timestamps
Sequence Number Nonces
• Just generate a sequential number, incremented for each successive message
• If a message with duplicate sequence number is seen, it is rejected
• Also provides message sequencing (messages only accepted in a particular order)
• Requires keeping track (maintaining state) of the last sequence number
– loss of synchronization possible between sender and receiver?
000001 … 000002 … 000003 … 000004 …
Random Number Nonces
• Just generate a random number for each successive message
– receiver cannot predict what the next number will be; is that useful?
• If a message with duplicate random number is seen, it is rejected
– how many previous values do you have to store, and for how long?
• Not useful for message sequencing
8179344 … 0502961 … 7936085 … 4419532 …
Timestamp Nonces
• Just read the time from a system clock and associate with each message
– timestamp has to be precise enough to generate a different value for each message sent
• If a message with duplicate timestamp is seen, it is rejected
– how many timestamps have to be remembered?
10:03:01.56 … 10:03:01.57 … 10:41:19.21 … 10:42:57.98 …
Timestamps… (cont’d)
• Provides additional information (time of message transmission)
– message can be rejected if it is too old
– out of order messages can be rejected
• This requires clock synchronization between sender and receiver
– synchronization is non-trivial, and can be a target of attack
• Best choice: combination of the above, i.e., random number + one of sequence number or timestamp
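An added example (not part of the original slides) of the "random number + timestamp" combination: the receiver rejects stale messages by timestamp and duplicates by nonce, so it only has to remember nonces for the length of the acceptance window. The message layout, the 30-second window and the use of HMAC-SHA256 are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import struct

MAX_SKEW = 30.0  # assumed acceptance window in seconds (delay + clock skew)
HEADER = 8 + 16  # timestamp (big-endian double) + random nonce
TAG = 32         # HMAC-SHA256 output


def make_message(key: bytes, payload: bytes, now: float) -> bytes:
    """Sender side: timestamp | random nonce | payload | HMAC over all three."""
    body = struct.pack(">d", now) + secrets.token_bytes(16) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ReplayGuard:
    """Receiver side: remembers only nonces that are still inside the window."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # nonce -> timestamp carried by the accepted message

    def accept(self, message: bytes, now: float) -> str:
        if len(message) < HEADER + TAG:
            return "malformed"
        body, tag = message[:-TAG], message[-TAG:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"  # forged or modified in transit
        (sent_at,) = struct.unpack(">d", body[:8])
        nonce = body[8:HEADER]
        if abs(now - sent_at) > MAX_SKEW:
            return "stale"  # too old, or the clocks disagree too much
        # Older nonces can be dropped: replaying them is already rejected as stale.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = sent_at
        return "ok"


def demo() -> list:
    key = secrets.token_bytes(32)  # constructed shared key
    guard = ReplayGuard(key)
    t0 = 1_000_000.0               # constructed clock reading
    m1 = make_message(key, b"transfer 10", t0)
    m2 = make_message(key, b"transfer 10", t0)  # same payload, fresh nonce
    tampered = m1[:HEADER] + b"transfer 99" + m1[-TAG:]
    m3 = make_message(key, b"balance", t0 + 40)
    return [
        guard.accept(m1, t0 + 1),        # first delivery
        guard.accept(m1, t0 + 2),        # recorded and sent again
        guard.accept(m2, t0 + 2),        # legitimate repeat of the request
        guard.accept(tampered, t0 + 2),  # payload changed, old tag
        guard.accept(m1, t0 + 31),       # replay after the window
        guard.accept(m3, t0 + 40),       # new message; old nonces pruned
        len(guard.seen),
    ]


if __name__ == "__main__":
    print(demo())
```

The stored-nonce set stays bounded by the message rate times the window, which is the answer this combination gives to "how many previous values do you have to store, and for how long?".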
One Way Authentication (w/o Session Key Negotiation)
[Figure: the taxonomy decision tree from the “Taxonomy of Protocols (For This Lecture)” slide, repeated]
Authentication Only?
• Simplest starting point for discussion of protocols
• Of limited value
– cannot do encryption or authentication of data traffic
– session hijacking possible after the authentication step
– are there applications?
One-Way Authentication
• Typically: client (supplicant) authenticates itself to server (verifier) in order to receive services
– client does not require server to authenticate?
– how do you know what server you are contacting then?
– applications?
Method A: Use Password
• We just talked about this one in the last lecture
• Advantages?
• Drawbacks / limitations?
Method B: Using Shared Secrets
• The function f can be a keyed hash, or encryption; how does this authenticate Alice?
• RBob is a challenge from the verifier
– has to be remembered by Bob (stateful protocol)
• Better than using passwords?
• Problems if RBob reused? if predictable?
Alice → Bob: I’m Alice
Bob → Alice: RBob
Alice → Bob: f(KAlice-Bob,RBob)
A Variation on B
• How does this authenticate Alice?
• f cannot be hashing for this version; only encryption works
– why is that?
• Does this authenticate Bob as well as Alice? If so, any conditions?
Alice → Bob: I’m Alice
Bob → Alice: KAlice-Bob{RBob}
Alice → Bob: RBob
Another Variation on B
• Authenticate both? f = hashing? encryption?
• Timestamp = nonce; Alice chooses, cannot reuse, requires synchronization
• If KAlice-S is used by Alice to authenticate to multiple servers, any problems with that?
Alice → Bob: I’m Alice, timestamp, f(KAlice-Bob,timestamp)
Method C: Using Public Key Crypto
• Advantages over A and B?
• Authenticate Bob?
• Can attacker reuse Alice’s messages with other servers? Any other harm Trudy can do?
• Can RBob be reused? Other requirements?
Alice → Bob: I’m Alice
Bob → Alice: RBob
Alice → Bob: SigAlice{RBob}
[Trudy is also shown in the figure]
Mutual Authentication (w/o Session Key Negotiation)
[Figure: the taxonomy decision tree from the “Taxonomy of Protocols (For This Lecture)” slide, repeated]
Method D: Using a Shared Secret
• Does this authenticate Bob as well as Alice?
– who authenticates first, and does it matter?
• Can f be either hashing or encrypting?
• Threat of replaying messages to other servers?
Alice → Bob: I’m Alice
Bob → Alice: RBob
Alice → Bob: f(KAlice-Bob,RBob)
Alice → Bob: RAlice
Bob → Alice: f(KAlice-Bob,RAlice)
Method D… (cont’d)
• An optimized (fewer messages) version of this protocol:
Alice → Bob: I’m Alice, RAlice
Bob → Alice: RBob, f(KAlice-Bob,RAlice)
Alice → Bob: f(KAlice-Bob,RBob)
Who authenticates first, and does it matter?
It Matters: The Reflection Attack!
• Attacker opens two simultaneous channels
Channel 1:
Trudy → Bob: I’m Alice, RAlice
Bob → Trudy: RBob1, f(KAlice-Bob,RAlice)
Trudy → Bob: f(KAlice-Bob,RBob1)
Channel 2:
Trudy → Bob: I’m Alice, RBob1
Bob → Trudy: RBob2, f(KAlice-Bob,RBob1)
Reflection… (cont’d)
• Lesson: Don’t have Alice and Bob do exactly the same thing! Examples…
– Alice uses a slightly different key than Bob (e.g., adds 1 to the shared key, or complements lsb)
– Alice includes her name with her nonce, Bob includes his name with his nonce
• If initiator must prove her identity first, the reflection attack is not possible
– e.g., unoptimized method D
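An added in-process model (not part of the original slides) of optimized method D, run once with a symmetric response function and once with the "include the name" fix from the lesson above, to show why the second form makes a reflected value useless. Using HMAC-SHA256 as f, the class and function names, and the channel numbering are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets


def f_plain(key: bytes, sender: bytes, challenge: bytes) -> bytes:
    """Symmetric form: both sides compute f(K, R); the sender name is ignored."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def f_named(key: bytes, sender: bytes, challenge: bytes) -> bytes:
    """Fixed form: the sender's name is bound into the response."""
    return hmac.new(key, sender + b"|" + challenge, hashlib.sha256).digest()


class Bob:
    """Responder in optimized method D; one object serves many channels."""

    def __init__(self, key: bytes, f):
        self.key, self.f = key, f
        self.pending = {}  # channel id -> RBob still waiting for an answer

    def hello(self, channel: int, r_alice: bytes):
        """Message 1 in, message 2 out: (RBob, f(K, RAlice))."""
        r_bob = secrets.token_bytes(16)
        self.pending[channel] = r_bob
        return r_bob, self.f(self.key, b"Bob", r_alice)

    def finish(self, channel: int, response: bytes) -> bool:
        """Message 3: accept only Alice's answer to this channel's RBob."""
        r_bob = self.pending.pop(channel, None)
        if r_bob is None:
            return False
        expected = self.f(self.key, b"Alice", r_bob)
        return hmac.compare_digest(response, expected)


def honest_login(f) -> bool:
    """Alice holds K, checks Bob's proof, then answers his challenge."""
    key = secrets.token_bytes(32)  # constructed shared key
    bob = Bob(key, f)
    r_alice = secrets.token_bytes(16)
    r_bob, proof = bob.hello(1, r_alice)
    if not hmac.compare_digest(proof, f(key, b"Bob", r_alice)):
        return False
    return bob.finish(1, f(key, b"Alice", r_bob))


def reflected_login(f) -> bool:
    """The two-channel run from the slide, by a party that does not hold K."""
    bob = Bob(secrets.token_bytes(32), f)
    r_bob1, _ = bob.hello(1, secrets.token_bytes(16))  # channel 1, message 1
    _, answer = bob.hello(2, r_bob1)                   # channel 2 reflects RBob1
    return bob.finish(1, answer)                       # channel 1, message 3


if __name__ == "__main__":
    print(honest_login(f_plain), reflected_login(f_plain))  # True True
    print(honest_login(f_named), reflected_login(f_named))  # True False
```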
Key Guessing Attack
• Assume Trudy knows f, can guess what KAlice-Bob is
– not that unlikely if key is derived from a password
• Solutions?
Trudy → Bob: I’m Alice, RAlice
Bob → Trudy: RBob, f(KAlice-Bob,RAlice)
A Variation on D
• Super-optimized; one message each direction! Who authenticates first?
– stateless, but synchronized clocks needed
• Why does Bob’s response have to be a variation of Alice’s challenge? What variations work?
• Can A.’s messages be replayed to other servers?
Alice → Bob: I’m Alice, timestamp, f(KAlice-Bob,timestamp)
Bob → Alice: f(KAlice-Bob,timestamp+1)
Method E: Mut. Auth. w. Pub. Key
• Advantages?
• Who authenticates first? Reflection attack possible?
• Why doesn’t Bob’s response have to be a variation of the challenge RAlice? Problems if it is?
Alice → Bob: I’m Alice, KBob{RAlice}
Bob → Alice: RAlice, KAlice{RBob}
Alice → Bob: RBob
Variations on Method E
• Differences? Advantages over E?
• Trick Bob into signing arbitrary values?
#1
Alice → Bob: I’m Alice, KBob{RAlice}, SigAlice{RAlice}
Bob → Alice: RAlice
#2
Alice → Bob: I’m Alice, RAlice
Bob → Alice: SigBob{RAlice}, RBob
Alice → Bob: SigAlice{RBob}
Authentication Including Session Key Negotiation
• Is message integrity + confidentiality for the session desired?
– no
– yes: How is authentication accomplished?
    – one-way secret-key crypto: F.
    – one-way public key crypto: G.
    – mutual public key crypto: H.
Session Keys
• Usually, communication after authentication should be cryptographically protected as well
• Session keys are negotiated and used just for the duration of one session
• If “permanent” public keys, or shared secret keys, are available, why bother with session keys?
F: 1-Way Auth+Sess’n Key (Symm.)
Alice → Bob: I’m Alice
Bob → Alice: RBob
Alice → Bob: KAlice-Bob{RBob}
• Who is authenticated?
• Possible session keys
– RBob? KAlice-Bob{RBob}? KAlice-Bob{RBob+1}?
• Other choices; better?
– KAlice-Bob{f(RBob)}, where f() is “unguessable”?
– (KAlice-Bob+1){RBob}?
G: 1-Way Auth+Session Key (PubKey)
• Who is authenticated? How?
• Session key choice: RAlice; Problems?
• Another choice (not shown): use D-H to negotiate a key, and Bob signs his messages
[Figure: messages exchanged between Alice and Bob: KBob{RAlice}; I’m Bob; SigBob{KBob{RAlice}}]
H: 2-Way Auth+Sess’n Key (PubKey)
• How does this authenticate Alice and Bob?
• Session key possibilities (problems?)
– RAlice? KBob{RAlice}? KAlice{RAlice}?
– what if response from Bob is KAlice{RAlice} instead?
Alice → Bob: I’m Alice, KBob{RAlice}, SigAlice{KBob{RAlice}}
Bob → Alice: RAlice
Method H, version 2
• How does this authenticate both? Why aren’t signatures needed?
• Session key: RAlice ⊕ RBob; Problems?
Alice → Bob: I’m Alice, KBob{RAlice}
Bob → Alice: KAlice{RAlice}, KAlice{RBob}
Alice → Bob: KBob{RBob}
Method H, version 3
• (not shown) Alice and Bob negotiate a session key using D-H (and all messages are signed)
– problems?
Authentication Using KDCs
[Figure: the taxonomy decision tree from the “Taxonomy of Protocols (For This Lecture)” slide, repeated]
I: Mediated Authentication
BASIC IDEA
• Use of KDC eliminates need of communicating parties to know or trust each other
To establish a shared session key KAB:
Alice → KDC: I’m Alice, and I want to speak securely with Bob
KDC → Alice: KAlice-KDC{KAB}
KDC → Bob: KBob-KDC{KAB}
Use of KDC reduces need of communicating parties to know or trust each other
In addition to this, a separate “handshake” between Alice and Bob required for mutual authentication (not shown above)
I… (cont’d)
• A problem with this basic approach: the KDC may be slow, or may have difficulty contacting Bob
– why would this happen?
• Result: messages encrypted by Alice may get to Bob before the KDC’s message to Bob arrives
– what should Bob do with these messages?
Solution
I: IN PRACTICE
• KBob-KDC{KAB} is a ticket given by KDC to Alice to present later to Bob directly herself
Use of KDC eliminates need of communicating parties to know or trust each other
Alice → KDC: I’m Alice, and I want to speak securely with Bob
KDC → Alice: KAlice-KDC{KAB} + KBob-KDC{KAB}
Alice → Bob: I’m Alice, let’s use… KBob-KDC{KAB}
The Needham-Schroeder Protocol
• An influential protocol (many systems, including Kerberos, have been modeled after it)
#1 Alice → KDC: Alice wants to speak with Bob, NAlice1
#2 KDC → Alice: KAlice-KDC{NAlice1, Bob, KAB, KBob-KDC{KAB,Alice}}
#3 Alice → Bob: KBob-KDC{KAB,Alice}, KAB{NAlice2}
#4 Bob → Alice: KAB{NAlice2+1, NBob}
#5 Alice → Bob: KAB{NBob+1}
How is Bob authenticated? How is Alice authenticated? How is KDC authenticated? What are the N’s used for? Why N+1 needed?
Needham-Schroeder … (cont’d)
• A problem: if Trudy can somehow obtain an old KAlice-KDC, she can reuse an old ticket granted by the KDC to masquerade as Alice to Bob
• Solutions to this problem (following slides)
1. use timestamps with messages
2. use nonces with messages
3. modify who contacts the KDC
Solution #1: Use Timestamps
• Ignore the ticket if timestamp T is too old
– requires Bob and KDC to have more or less synchronized clocks
#1 Alice → KDC: Alice wants to speak with Bob, NAlice1
#2 KDC → Alice: KAlice-KDC{NAlice1,Bob,KAB, KBob-KDC{KAB,Alice},T}
#3 Alice → Bob: KBob-KDC{KAB,Alice,T}, KAB{NAlice2}
#4 Bob → Alice: KAB{NAlice2+1, NBob}
#5 Alice → Bob: KAB{NBob+1}
Solution #2: Use Nonces (“Expanded N-S”)
• Two Tickets: B-->A-->KDC, and KDC-->A-->B
• How does this help?
#-1 Alice → Bob: Hi, this is Alice, I want to speak with you
#0 Bob → Alice: KBob-KDC{NBob1}
#1 Alice → KDC: Alice wants to speak with Bob, NAlice1, KBob-KDC{NBob1}
#2 KDC → Alice: KAlice-KDC{NAlice1,Bob,KAB, KBob-KDC{KAB,Alice,NBob1}}
#3 Alice → Bob: KBob-KDC{KAB,Alice,NBob1}, KAB{NAlice2}
#4 Bob → Alice: KAB{NAlice2+1, NBob2}
#5 Alice → Bob: KAB{NBob2+1}
Solution #3: Bob Contacts KDC (Otway-Rees Protocol)
• Who is authenticated, and how?
• How does this help?
Alice → Bob: I’m Alice, NAlice1, Bob, KAlice-KDC{NAlice2,NAlice1,Alice,Bob}
Bob → KDC: KBob-KDC{NBob,NAlice1,Alice,Bob}, KAlice-KDC{NAlice2,NAlice1,Alice,Bob}
KDC → Bob: KAlice-KDC{NAlice2,KAB}, KBob-KDC{NBob,KAB}
Bob → Alice: KAlice-KDC{NAlice2,KAB}
Alice → Bob: KAB{anything recognizable}
Security Protocol “Checklist”
Some Things to Worry About
• Password attack possible?
• Database attack possible?
• Is the server required to be stateful?
• Is PKI required?
• Can messages be reused / replayed?
• Can you trick someone into encrypting or signing something arbitrary?
Scenarios
• Possible assumptions:
1. Trudy can passively eavesdrop on a conversation
2. Trudy can initiate a conversation, and masquerade as Alice
3. Trudy can intercept (and interfere with) attempts to communicate with Bob
4. Trudy can read Alice’s or Bob’s key database
5. Trudy can play “man-in-the-middle”
1. If Trudy Can Eavesdrop…
• then design the protocol so she will not be able to do the following…
– Learn info that allows her to masquerade as either party?
– Learn info that will make an off-line dictionary attack easy?
– Learn the contents of encrypted messages?
2. If Trudy Can Initiate a Conversation as Alice…
– Learn info that allows her to masquerade as Bob to Alice?
– Learn info that will make an off-line dictionary attack easy?
– Learn info that enables her to masquerade as Alice (either later, or now, on another connection)?
– Trick Bob into signing an arbitrary message?
3. If Trudy Can Intercept Connections to Bob…
– Learn info that will allow her to masquerade as Bob at a later time?
– Learn info that will make an off-line dictionary attack easy?
– Trick Alice into signing an arbitrary message?
– Learn info that allows her to masquerade as Bob to Alice, or as Alice to Bob?
4. If Trudy Can Read Alice’s or Bob’s Database…
– Decrypt old (previously-eavesdropped) conversations?
– Masquerade as the other party, to the owner of the database?
5. If Trudy Can Be a Man-in-the-Middle…
– Learn info that will make an off-line dictionary attack easy?
– Modify, duplicate, reorder, or replay the messages without being detected?
– Hijack the conversation?
– Decrypt encrypted messages?
Summary
1. KDCs are necessary to scale authentication to large systems
2. Nonces prevent replay attacks
3. Many styles of authentication protocols; they all have subtle vulnerabilities
4. “Know thy enemy” (understand their capabilities and goals)
5. Use protocol standard correctly; rolling your own is very hard to do right