info0056 - securing computer · securing computer networks guy leduc chapter 1: principles of...
TRANSCRIPT
1
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 1
INFO0056 - Securing Computer Networks
Guy Leduc
Chapter 1:Principles of Network Security
Computer Networking: A Top Down Approach, 7th edition. Jim Kurose, Keith RossAddison-Wesley, April 2016.(Sections 8.1 to 8.4)
Also based on:
Computer Networks, 4th or 5th editionAndrew S. Tanenbaum Pearson Education, 2003 or 2011 (Sections 8.1 to 8.7)
Network Security - PRIVATE Communication in a PUBLIC World C. Kaufman, R. Pearlman, M. SpecinerPearson Education, 2002
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 2
Chapter 1: Principles of Network Security
Chapter goals: ❒ review several security issues❒ recall symmetric-key and public-key cryptography
principles❒ understand basic techniques to achieve security
services: ❍ confidentiality, message integrity, nonrepudiation,
session key generation, end-point authentication
2
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 3
Chapter 1 roadmap1.1 What is network security?1.2 Encryption1.3 Message integrity1.4 Digital Signatures1.5 Public-key Certification1.6 Session keys1.7 End-point authentication
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 4
Network Security❒ The field of network security is about:
❍ how bad guys can attack computer networks❍ how we can defend networks against attacks❍ how to design architectures that are immune to
attacks❒ Internet not originally designed with (much)
security in mind❍ original vision: “a group of mutually trusting users
attached to a transparent network” ☺❍ Internet protocol designers playing “catch-up”❍ Security considerations in all layers!
3
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 5
Bad guys can put malware into hosts via Internet❒ Malware can get in host from a virus, worm, or
Trojan horse
❒ Spyware malware can record keystrokes, web sites visited, upload info to collection site
❒ Infected host can be enrolled in a botnet, used for spam and DDoS attacks
❒ Malware is often self-replicating: from an infected host, seeks entry into other hosts
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 6
Digital pest❒ Trojan Horse
❍ Instructions, hidden inside an otherwise useful program, that do bad things. Usually this refers to malicious instructions installed at the time the program is written (≠ virus)
❒ Virus❍ A set of instructions that, when executed, insert copies of
itself into other programs (self-replication)❍ In particular, instructions in email messages that, when
executed, cause malicious code to be sent in email to other users
❒ Worm❍ A program that replicates itself by installing copies of
itself on other machines across a network
4
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 7
Digital pest
❒ Trapdoor❍ An undocumented entry point intentionally written into a
program (often for debugging purposes), which can be exploited as a security flaw
❒ Logic bomb❍ Malicious instructions that trigger on some event in the
future, such as a particular time occurring❒ Zombie
❍ Malicious instructions installed on a system that can be remotely triggered to carry out some attack with less traceability because the attack comes from another victim
❍ Often a large number of zombies are installed
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 8
Viruses❒ A virus can be installed in any program as follows:
❍ Replace any instruction, say the instruction at location x, by a jump to some free space in memory, say location y; then
❍ Write the virus program starting at location y; then❍ Place the instruction that was originally at location x at the
end of the virus program, followed by a jump to x+1
❒ Replication❍ Besides the delayed planned damage, the virus replicates
itself silently.❍ If it did not wait before damaging the infected system, it
would not spread as far!
5
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 9
Digital pest detection
❒ Tools exist to break down (disassemble) executable files into assembly code that can be analyzed by humans or programs❍ e.g. GHIDRA from NSA
❒ Open source code can help, but…
❒ Is it possible to always detect a digital pest in a program?
❍ One of the famous results in computer science is that it is impossible to be able to tell what an arbitrary program will do by looking at it!
❍ In fact it is impossible in general to discern any nontrivial property of a program by looking at it (e.g. if the program will halt)
❍ So, no hope, but known viruses or suspicious patterns can nevertheless be detected
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 10
People do not always realize they are running a program
❒ Modern Email clients often process the attachments❍ Which may be infected by a virus
❒ PostScript is a complete programming language❍ Displaying a ps file is running a program that could
contain a Trojan horse
6
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 11
Covert channels❒ A covert channel is a method for a Trojan horse to
circumvent the automatic confinement of information within a security perimeter❍ Assume the Trojan horse program has not enough privileges to
directly send confidential data outside the system
❒ Examples of covert channels:❍ Timing channel❍ Storage channel❍ Error channel
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 12
Timing channel❒ The Trojan horse program alternately loops and waits, in
cycles of, say one minute per bit (of the confidential data)❍ When the bit is 1: the program loops for one minute❍ When the bit is 0: the program waits for a minute
❒ Another program running on the same computer (but without access to the sensitive data) constantly tests the loading of the system!❍ Also possible from a distant computer, by testing the reaction time of
the infected system to some requests (possibly averaged over a minute)
Noisy channel?❍ Other processes running at the same time are adding noise to the
timing channel❍ But communication people can deal with noisy channels!
7
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 13
Other covert channels❒ The storage channel
❍ The Trojan horse program loads a (printer) queue to send a 1, and deletes its jobs to send a 0.
❍ Easy to check the queue status and get the information
❒ The error channel❍ The Trojan horse program creates a file to send a 1, and
deletes it to send a 0❍ The external process tries to read the file: if different
error messages are reported when the file exists (but its access is not permitted) or does not exist, we have a channel
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 14
target
Denial of Service (DoS): attackers make resources (server, bandwidth) unavailable to legitimate traffic by overwhelming resource with bogus traffic
1. select target2. break into hosts around
the network
3. send packets to target from compromised hosts (botnet)
Bad guys can attack servers and network infrastructure
8
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 15
The bad guys can sniff packetsPacket sniffing:
❍ broadcast media (shared Ethernet, wireless)❍ promiscuous network interface reads/records all
packets (e.g., including passwords!) passing by
A
B
C
src:B dest:A payload
Wireshark software is a (free) packet-sniffer
Eavesdropping
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 16
The bad guys can use false source addresses❒ IP spoofing: send packet with false source address
Impersonation, masquerading
Allows Hijacking: “taking over” ongoing connection by removing sender or receiver, inserting himself in place
A
B
C
src:B dest:A payload
9
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 17
The bad guys can record and playback
❒ record-and-playback: sniff sensitive info (e.g., password), and use later❍ password holder is that user from system point of
view
A
B
C
src:B dest:A user: B; password: foo
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 18
Security servicesConfidentiality: only sender and intended receiver should “understand”
message contents❍ sender encrypts message❍ receiver decrypts message
Authentication: sender and receiver want to confirm identity of each other
Message integrity: sender and receiver want to ensure message not altered (in transit, or afterwards) without detection
Nonrepudiation: neither the sender nor the receiver of a message should be able to deny the transmission (nonrepudiation with proof of origin/delivery)
Access control: access to information resources may be controlled by or for the target system
Availability: services must be accessible and available to users when needed
10
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 19
Generic types of attacksInformation
sourceInformationdestination
Normal flow
InterceptionAttack on confidentiality
(could be only traffic analysis)
InterruptionAttack on availability
(DoS: Denial of Service)
ModificationAttack on integrity
FabricationAttack on authenticity
(masquerading, replay)
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 20
Friends and enemies: Alice, Bob, Trudy❒ well-known in network security world❒ Alice and Bob want to communicate “securely”❒ Trudy (intruder) may intercept, delete, add messages
securesender
securereceiver
channel data, control messages
data data
Alice Bob
Trudy
11
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 21
Who might Bob, Alice be?
❒ … well, real-life Bobs and Alices!❒ Web browser/server for electronic
transactions (e.g., on-line purchases)❒ on-line banking client/server❒ DNS servers❒ routers exchanging routing table updates❒ other examples?
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 22
Chapter 1 roadmap1.1 What is network security?1.2 Encryption
- Secret-key Cryptography- Public-key Cryptography
1.3 Message integrity1.4 Digital Signatures1.5 Public-key Certification1.6 Session keys1.7 End-point authentication
12
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 23
The language of cryptography
m plaintext messageKA(m) ciphertext, encrypted with key KAm = KB(KA(m))
plaintext plaintextciphertext
KA
encryptionalgorithm
decryption algorithm
Alice’s encryptionkey
Bob’s decryptionkey
KB
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 24
Simple encryption schemesubstitution cipher: substituting one thing for another
❍ monoalphabetic cipher: substitute one letter for another
plaintext: abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
plaintext: bob. i love you. aliceciphertext: nkn. s gktc wky. mgsbc
E.g.:
Q: How hard to break this simple cipher?
" brute force (how hard?)" other?
Key: the mapping from the set of 26 letters to the set of 26 letters
13
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 25
Polyalphabetic encryption
❒ A more sophisticated encryption approach❒ n monoalphabetic ciphers, M1,M2,…,Mn❒ Cycling pattern:
❍ e.g., n=4, M1,M3,M4,M3,M2; M1,M3,M4,M3,M2; ❒ For each new plaintext symbol, use
subsequent monoalphabetic pattern in cyclic pattern❍ dog: d from M1, o from M3, g from M4
❒ Key: the n ciphers and the cyclic pattern❍ Key need not be just n-bit pattern
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 26
Breaking an Encryption Scheme❒ Three basic attacks of increasing strength❒ Ciphertext Only
❍ Trudy has ciphertext that she can analyse❍ Trudy must recognize when she has succeeded❍ Possible only if there is some redundancy in the plaintext to make it
recognizable (e.g. the text is in English, or has some starting keyword)❒ Known Plaintext
❍ Trudy knows some (ciphertext, plaintext) pairs❍ Sometimes easier to break❍ E.g. a monoalphabetic cipher can be broken easily with a small amount of
known plaintext❒ Chosen Plaintext
❍ Trudy may have the opportunity to ask the system to encrypt some chosen plaintext
❍ E.g., “The quick brown fox jumps over the lazy dog” would break a monoalphabetic cipher
❍ Ditto if Trudy knows some plaintexts normally encrypted by the system. In this case, she would ask the system to encrypt them to see the resulting ciphertexts
14
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 27
Computational difficulty
❒ Breaking a cryptographic algorithm is possible by trying all possible keys (brute force)
❒ If computers get N times faster, is it better for the good guys or the bad guys?❍ Making a key log2(N) longer will make the bad guy’s job as
hard as it was before the advance in computer speed❍ However, it will be much easier for the good guys to encrypt:
basically his job is almost N times faster (not quite because the increase of the length of the key slows down the process a bit)
❒ So, the faster computers get, the better life gets for the good guys!
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 28
Types of Cryptography
❒ Crypto uses keys:❍ Algorithm is known to everyone❍ Only “keys” are secret
❒ Symmetric-key (or secret-key) cryptography❍ Involves the use of one secret key shared by the
sender and the receiver❒ Public-key cryptography
❍ Involves the use of two keys per entity: senders and receivers both have a private (secret) key and a public key
15
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 29
Chapter 1 roadmap1.1 What is network security?1.2 Encryption
- Secret-key (aka Symmetric-key) Cryptography- Public-key Cryptography
1.3 Message integrity1.4 Digital Signatures1.5 Public-key Certification1.6 Session keys1.7 End-point authentication
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 30
Symmetric-key cryptography
symmetric-key crypto: Bob and Alice share/know same (symmetric) key: K
❒ e.g., key is knowing substitution pattern in mono alphabetic substitution cipher
❒ Q: how do Bob and Alice agree on key value?
plaintextciphertext
KAB
encryptionalgorithm
decryption algorithm
AB
KAB
plaintextmessage, m
K (m)ABK (m)ABm = K ( ) AB
16
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 31
Two types of symmetric ciphers
❒ Stream ciphers❍ encrypt one bit at time
❒ Block ciphers❍ Break plaintext message in equal-size blocks❍ Encrypt each block as a unit
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 32
Stream Ciphers
❒ Combine each bit of keystream with bit of plaintext to get bit of ciphertext
❒ m(i) = ith bit of message❒ ks(i) = ith bit of keystream❒ c(i) = ith bit of ciphertext❒ c(i) = ks(i) ⊕ m(i) (⊕ = exclusive or)❒ m(i) = ks(i) ⊕ c(i)
keystreamgeneratorkey keystream
pseudo random
17
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 33
RC4 Stream Cipher
❒ RC4 is a popular stream cipher❍ Key can be from 1 to 256 bytes❍ Was used in WEP for 802.11 (WiFi)❍ Was frequently used in SSL/TLS❍ Extensively analyzed and considered good
• Until 2013…• Now considered as not sufficiently random • Statistical flaws in the keystream generated by the RC4
algorithm, which become apparent in SSL ciphertexts when the same plaintext is repeatedly encrypted at a fixed location across many SSL sessions
• Prohibited in TLS by IETF since 2015
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 34
Block ciphers
❒ Message to be encrypted is processed in blocks of k bits (e.g., 64-bit blocks).
❒ 1-to-1 mapping is used to map k-bit block of plaintext to k-bit block of ciphertext
Example with k=3:input output000 110001 111010 101011 100
input output100 011101 010110 000111 001
What is the ciphertext for 010110001111 ?
18
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 35
Block ciphers
❒ How many possible mappings are there for k=3?❍ How many 3-bit inputs?❍ How many permutations of the 3-bit inputs?❍ Answer: 40,320 ; not very many!
❒ In general, 2k! mappings; huge for k=64❒ Problem:
❍ Table approach requires table with 264 entries, each entry with 64 bits
❒ Table too big: instead use function that simulates a randomly permuted table
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 36
Block Cipher
❒ S1,…S8: permutation tables❍ 8-bit to 8-bit
mapping❒ one pass through:
one input bit affects eight output bits
64-bit input
S1
8bits
8 bits
8bits
8 bits
8bits
8 bits
8bits
8 bits
8bits
8 bits
8bits
8 bits
8bits
8 bits
8bits
8 bits
64-bit intermediate
64-bit output
loop for n rounds
S2 S3 S4 S6S5 S7 S8
❒ what is the key (assuming scrambler known)?❒ block ciphers: DES, 3DES, AES, …❒ used in SSL/TLS, IPsec, secure BGP, …
scrambler
From Network Security, by Kaufman et al. © Pearsons
19
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 37
Why rounds in prototype?
❒ If only a single round, then one bit of input affects at most 8 bits of output
❒ In 2nd round, the 8 affected bits get scattered and input into multiple substitution boxes
❒ How many rounds?❍ How many times do you need to shuffle cards?❍ Becomes less efficient as n increases
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 38
Encrypting a large message
❒ Why not just break message in 64-bit blocks, encrypt each block separately?❍ If same block of plaintext appears twice, will give
same ciphertext❒ How about:
❍ Generate random 64-bit number r(i) for each plaintext block m(i)
❍ Calculate c(i) = KS( m(i) ⊕ r(i) )❍ Transmit c(i), r(i), i=1,2,…❍ At receiver: m(i) = KS(c(i)) ⊕ r(i) ❍ Problem: inefficient, need to send c(i) and r(i) for all i
20
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 39
Cipher Block Chaining (CBC)
❒ CBC generates its own random numbers❍ Have encryption of current block depend on result of
previous block❍ c(i) = KS( m(i) ⊕ c(i-1) )❍ m(i) = KS(c(i)) ⊕ c(i-1)
❒ How do we encrypt first block?❍ Initialization vector (IV): random block = c(0)❍ IV does not have to be secret
❒ Change IV for each message (or session)❍ Guarantees that even if the same message is sent
repeatedly, the ciphertext will be completely different each time
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 40
Cipher Block Chaining (CBC)❒ cipher block: if input block
repeated, will produce same cipher text:
t=1 m(1) = “HTTP/1.1” blockcipher
c(1) = “k329aM02”
…
❒ cipher block chaining: XOR ith input block, m(i), with previous block of cipher text, c(i-1)
❍ c(0) transmitted to receiver in clear
❍ c(0) = Initialisation Vector (IV)
❍ what happens in “HTTP/1.1” scenario from above?
+m(i)
c(i)
t=17 m(17) = “HTTP/1.1” blockcipher
c(17) = “k329aM02”
blockcipher
c(i-1) XOR
c(i)=KS((m(i) ⊕ c(i-1))
Receiver computes m(i)=KS(c(i)) ⊕ c(i-1)
21
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 41
Symmetric-key crypto: DES
DES: Data Encryption Standard❒ US encryption standard [NIST 1993]❒ 56-bit symmetric key, 64-bit plaintext input❒ Block cipher with cipher block chaining❒ How secure is DES?
❍ DES Challenge: 56-bit-key-encrypted phrase decrypted (brute force) in less than a day
❍ No known good analytic attack❒ Making DES more secure:
❍ 3DES: encrypt 3 times with 3 different keys
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 42
Symmetric-key crypto: DES
(Feistel Network)initial permutation 16 identical “rounds” of
function application, each using different 48 bits of key
final permutation
DES operation
“keyed” function f instead of permutation tables
22
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 43
AES: Advanced Encryption Standard
❒ “new” (Nov. 2001) symmetric-key NIST standard, replacing DES
❒ processes data in 128 bit blocks❒ 128, 192, or 256 bit keys❒ brute force decryption (try each key) taking 1
sec on DES, takes 149 trillion years for AES
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 44
Chapter 1 roadmap1.1 What is network security?1.2 Encryption
- Secret-key Cryptography- Public-key Cryptography
1.3 Message integrity1.4 Digital Signatures1.5 Public-key Certification1.6 Session keys1.7 End-point authentication
23
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 45
Public-key cryptography
symmetric-key crypto❒ Requires sender,
receiver know shared secret key
❒ Not easy to agree on key in first place (particularly if never “met”)
❒ In the late 60’s, most researchers thought a better system was impossible
public-key cryptography❒ radically different approach
[Diffie-Hellman76, RSA78]❍ But real inventors are
J. Ellis, C. Cocks and M. Williamson (between 1969 and 1975, at British IA, declassified in 1997)
❒ sender, receiver do not share secret key
❒ public encryption key known to all
❒ private decryption key known only to receiver
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 46
Challenge: Establishing a shared key: Diffie-Hellman Key Exchange (1976)
(shared secret)
YB
YA
Two strangers can establish a shared key in broad daylight, even with an intruder carefully recording every message
Note: this scheme is vulnerable to man-in-the-middle attack (see later)
Some conditions on p and g
24
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 47
Public-key cryptography
plaintextmessage, m
ciphertextencryptionalgorithm
decryption algorithm
Bob’s public key
plaintextmessageK (m)B
+
K B+
Bob’s privatekey
KB-
m = K (K (m))B+
B-
Note: Anyone can send KB(m) to B!+
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 48
Public key encryption algorithms
need KB( ) and KB( ) such that. .
given public key KB , it should be “impossible” to compute private key KB
Requirements:
1
2
RSA: Rivest, Shamir, Adleman algorithmRelies on “impossibility” to factorize big numbers
+ -
KB(KB(m)) = m - +
+-
25
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 49
RSA: another important property
The following property will be very useful later:
KB (KB (m)) = m - +
KB (KB (m)) + -=
use public key first, followed by
private key
use private key first, followed by
public key
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 50
Chapter 1 roadmap1.1 What is network security?1.2 Encryption1.3 Message integrity
- Message digest- Message Authentication Code (MAC)
1.4 Digital Signatures1.5 Public-key Certification1.6 Session keys1.7 End-point authentication
26
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 51
Message Integrity
❒ Allows communicating parties to verify that received messages are authentic❍ Content of message has not been altered❍ Source of message is who/what you think it is
❒ Will also be useful to verify that❍ Message has not been replayed❍ Sequence of messages is maintained
❒ Let’s first talk about message digest
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 52
Message Digests
❒ Deterministic function H( ) that takes as input an arbitrary length message and outputs a fixed-length string: “message digest”
❒ Note that H( ) is a many-to-1 function
❒ H( ) is often called a “hash function”
❒ Desirable properties of a cryptographic hash function:❍ Easy to calculate❍ Irreversibility: Can’t determine m
from H(m)❍ Collision resistance:
Computationally difficult to produce m and m’ such that H(m) = H(m’)
❍ A small change in m should change H(m) extensively
large message
m
H: HashFunction H(m)
27
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 53
Internet checksum: poor message digestInternet checksum has some properties of hash function:➼ produces fixed length digest (16-bit sum) of input➼ is many-to-one❒ But given message with given hash value, it is easy to find
another message with same hash value.❒ Example: Simplified checksum: add 4-byte chunks at a time:
I O U 10 0 . 99 B O B
49 4F 55 3130 30 2E 3939 42 D2 42
message ASCII format
B2 C1 D2 AC
I O U 90 0 . 19 B O B
49 4F 55 3930 30 2E 3139 42 D2 42
message ASCII format
B2 C1 D2 ACdifferent messagesbut identical checksums!
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 54
Length of a Hash
❒ The hash should be at least 128-bit long, preferably more❒ Would take trying approx 2128 possible messages before
finding one that maps to a given hash
❒ But beware of the Birthday attack: ❍ 365 days in a year, N people picked at random❍ Let (<< 365)❍ The odds are 50% that two have the same birthday
❒ So, for a 128-bit hash, it would take only trying 1.18 x 264 (<<<<< 2128) possible messages before finding two that map to a same hash with probability 50%
€
N =1.18 × 365 ≈ 23
28
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 55
Hash Function Algorithms❒ MD5 hash function widely used (RFC 1321)
❍ computes 128-bit message digest in 4-step process.❍ recent (2005) attacks on MD5
❒ SHA-1 is also used❍ US standard [NIST, FIPS PUB 180-1]❍ 160-bit message digest
❒ Even better: SHA-2❍ 256-bit digest for SHA-256❍ 512-bit digest for SHA-512
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 56
Chapter 1 roadmap1.1 What is network security?1.2 Encryption1.3 Message integrity
- Message digest- Message Authentication Code (MAC)
1.4 Digital Signatures1.5 Public-key Certification1.6 Session keys1.7 End-point authentication
29
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 57
Message Authentication Code (MAC)m
essa
ge
H( )
s
mes
sage
mes
sage
s
H( )
compare
s = shared secret
❒ Concatenate m and s, and then hash the result❍ Notation: MDm = H(s || m) ; send m || MDm
❒ Also called “keyed hash”❒ No encryption !❒ Verifies message integrity❒ Verifies authenticity of message (built by secret owner)
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 58
HMAC
1. Concatenates secret to front of message 2. Hashes concatenated message3. Concatenates the secret to front of digest4. Hashes the combination again
❒ Popular MAC standard, RFC 2104❒ Can be used with various hash functions❒ Addresses some subtle security flaws
30
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 59
Protection against playback
❒ Some measures must be taken to prevent active intruders from playing back old messages
❒ Simple solution: timestamp❍ Include a timestamp in every message, and ensure integrity of
message❍ The receiver stores all messages received during the last T units❍ If a received message has a timestamp < Now - T, it is discarded:
old message❍ If it has a timestamp in [Now - T, Now] it is compared to the
previously received messages❒ Need to store many messages!
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 60
Protection against playback (2)
❒ Improvement❍ Every message contains an additional nonce
• A nonce is a "random" number used once per interval of (at least) duration T
❍ It suffices to store the received nonces (together with the message source) during T, not the complete messages
31
Protection against reordering
❒ Add sequence numbers in successive messages
❒ Ensure integrity of messages
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 2-61
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 62
Chapter 1 roadmap1.1 What is network security?1.2 Encryption
- Secret-key Cryptography- Public-key Cryptography
1.3 Message integrity1.4 Digital Signatures1.5 Public-key Certification1.6 Session keys1.7 End-point authentication
32
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 63
Digital Signatures
Cryptographic technique analogous to hand-written signatures
❒ sender (Bob) digitally signs document, establishing he is document owner/creator
❒ goal is similar to that of a MAC, except now use cryptography
❒ verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 64
Digital signatures
❒ A signature has a triple purpose:❍ Integrity: the message has not been altered during transit❍ Authenticity: the receiver can verify the claimed identity of the
message creator❍ Nonrepudiation of origin: the creator cannot later repudiate the
contents of the message, the receiver cannot possibly have concocted the message himself
❒ Did MACs provide these 3 services?
❒ Two digital signature schemes:❍ Secret-key signatures❍ Public-key signatures
33
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 65
Secret-key signatures
❒ A wants to send a signed plaintext P to B❒ KA-T (resp. KB-T) is a secret key shared by A (resp. B) and T❒ KT is a secret known by T only❒ B has KT (A,B, t, P) as a proof of origin with reference time t❒ Problems:
❍ Vulnerable to replay attack (solutions exist: see next slides)❍ Everyone must trust T
• Does everyone trust a government, a bank, a lawyer, …?• T can impersonate anyone to anyone!
❍ Performance concern: T must transcode every message❍ T is a single-point of failure❍ If T is compromised, all the network resources are vulnerable
TrusteeT
A, KA-T (B, P) KB-T (A, P, KT (A, B, t, P))
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 66
Secret-key signatures (2)❒ Add nonce (R) and timestamp (t) to detect replays
TrusteeT
A, KA-T (B, R, t, P) KB-T (A, R, t, P, KT (A, B, t, P))
34
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 67
Signing a hash of P is enough
KB-T (A, R, t, P, KT (A, B, t, H(P)))A, KA-T (B, R, t, P)
Why?
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 68
Public-key Signatures
Simple digital signature for message m:❒ Bob “signs” m by encrypting with his private key KB,
creating “signed” message, KB(m)
❒ Anyone knowing Bob’s public key can verify signature (decrypt)
- -
Dear Alice Oh, how I have missed you. I think of you all the time! …(blah blah blah)
Bob
Bob’s message, m
public key encryption algorithm
Bob’s private key
K B -
Bob’s message, m, signed
(encrypted) with his private key
K B - (m)
35
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 69
large message
mH: hashfunction H(m)
digitalsignature(encrypt)
Bob’s private
key K B-
+
Bob sends digitally signed message:
Alice verifies signature and integrity of digitally signed message:
KB(H(m))-
encrypted msg digest
KB(H(m))-
encrypted msg digest
large message
m
H: hashfunction
H(m)
digitalsignature(decrypt)
H(m)
Bob’s public
key K B+
equal ?
Again: Signing a Hash is enough
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 70
Digital Signatures (more)❒ suppose Alice receives msg m, digital signature KB(m)❒ Alice verifies m signed by Bob by applying Bob’s public
key KB to KB(m) then checks KB(KB(m) ) = m❒ if KB(KB(m) ) = m, whoever signed m must have used
Bob’s private key
+ +
-
-
- -
+
Alice thus verifies that:➼ Bob signed m➼ No one else signed m➼ Bob signed m and not m’
Non-repudiation:# Alice can take m, and signature KB(m) to court and prove
that Bob signed m
-
36
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 71
Encryption and Signature Combined in Public-Key Cryptography
PAlice's
private keyKA
Alice'spublic key
KA
PBob'spublic key
KB
Bob'sprivate key
KB
KA (P) KA (P)KB (KA (P))
+-+- - -
- +
Sign Encrypt Decrypt Checksignature
In practice, signature is applied to H(P).Also possible to reverse signature and encryption order.
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 72
Chapter 1 roadmap1.1 What is network security?1.2 Encryption1.3 Message integrity1.4 Digital Signatures1.5 Public-key Certification1.6 Session keys1.7 End-point authentication
37
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 73
Public-key certification
❒ Motivation: Trudy plays pizza prank on Bob❍ Trudy creates e-mail order:
Dear Pizza Store, Please deliver to me four pepperoni pizzas. Thank you, Bob
❍ Trudy signs order with her private key❍ Trudy sends order to Pizza Store❍ Trudy sends to Pizza Store her public key, but
says it’s Bob’s public key❍ Pizza Store verifies signature; then delivers four
pizzas to Bob❍ Bob doesn’t even like Pepperoni
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 74
Public Key Certificationpublic key problem:❒ When Alice obtains Bob’s public key (from web site, e-mail, USB
stick), how does she know it is Bob’s public key, not Trudy’s?❒ Distributing public keys is easier than distributing secret keys but
some care is needed❒ Even though they are public, they cannot just be exchanged by
partners over the network or put in a public (even protected) database❍ The trouble with this approach is that it is subject to the bucket-
brigade (or man-in-the-middle) attack❍ Trudy can always intercept any request sent to the database and
send back her own public key instead❍ This would allow Trudy to decrypt messages encrypted with that
public key (but in fact intended for someone else)solution:❒ trusted certification authority (CA)
38
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 75
Certification Authorities❒ Certification Authority (CA): binds public key to particular
entity, E❒ E (person, router, server, …) registers its public key with CA
❍ E provides “proof of identity” to CA❍ CA creates certificate binding E to its public key❍ certificate containing E’s public key digitally signed by CA:
CA says “This is E’s public key.”
Bob’s public
key K B+
B: Bob’s identifying
information
digitalsignature(encrypt)
CA private
key K CA-
K B+
certificate for Bob’s public key,
signed by CA
KCA(B,KB) +-
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 76
Certification Authorities❒ when Alice wants Bob’s public key:
❍ gets Bob’s certificate (from Bob or elsewhere)❍ apply CA’s public key to Bob’s certificate, get
Bob’s public key
Bob’s public
key K B+
digitalsignature(decrypt)
CA’s public
key K CA+
K B+ KCA(B,KB) +-
39
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 77
A certificate contains:❒ Serial number (unique to issuer)❒ info about certificate owner, including algorithm and
key value itself (not shown)❒ info about
certificate issuer
❒ valid dates❒ digital
signature by issuer
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 78
How peers work with CA
CA’s own certificate signed by CA
0. Bob generates public/private key pair
1. Bob fetches CA’s certificate
2. Bob transmitsits public key
3. Bob’s certificate signed by CA
4. Bob fetchesits certificate
40
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 79
How to scale CA?A root CA can delegate authentication to lower CA
self-signed root CA own certificate
lower CA certificate signed by root CA
Bob certificate signed by lower CA
root CA
lower CA
© From Computer Networking, by Kurose&Ross 1: Principles of Network Security 80
How to check a certificate?
• Check CA’s signature❍ CA’s certificate needed
• Check black list = CRL (Certificate Revocation List)❍ connect to CA to get the CRL
• CRL ❍ List of revoked certificates signed by CA❍ Stored on CA or directory service❍ No requirement on devices to ensure CRL is current
41
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 81
PKCS standards
❒ PKCS = Public Key Cryptography Standard❒ A set of standards (PKCS#1 to #15) for the encoding
of information that will be signed or encrypted through RSA
❒ Encoding of ❍ RSA public key❍ RSA private key❍ RSA signature❍ Short RSA-encrypted message (typically a secret key)❍ Short RSA-signed message (typically a message digest)
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 82
Certificates: summary❒ Primary standard X.509 (RFC 2459) or PKCS#6
(S/MIME, SSL, …)❒ Certificate contains:
❍ Issuer name❍ Entity name, address, domain name, etc.❍ Entity’s public key❍ Digital signature (signed with issuer’s private key)
❒ Public-Key Infrastructure (PKI)❍ Certificates and certification authorities❍ Often considered “heavy”
42
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 83
Chapter 1 roadmap1.1 What is network security?1.2 Encryption1.3 Message integrity1.4 Digital Signatures1.5 Public-key Certification1.6 Session keys1.7 End-point authentication
Why symmetric session keys?❒ Public-key crypto is computationally more
intensive than symmetric-key crypto❒ Public/private key pairs are usually long-term
keys❒ It’s more efficient and more secure to use a
short-term symmetric session keys for encrypting data, and renew them often
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 2-84
43
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 85
Using a Key Distribution Centre (KDC)❒ Assume:
❍ There is a trusted KDC❍ Each user has only one (long-term) secret key shared with that
trusted KDC❍ KS is a (secret) session key picked up by Alice
❒ KA-KDC (resp. KB-KDC) is a secret key shared by A (resp. B) and KDC
KDC
“I am Alice. I want to use this session key to talk to Bob”, KA-KDC (B, KS)
KB-KDC (“She is Alice. Shewants to use this session key
to talk to you”, KS)
Relies on quality of Alice’s random generatorAs is, it is also subject to the replay attack
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 86
Better: let the KDC issue the session key
❒ Steps 1-2: Alice asks the KDC a session key to talk to Bob❍ Message 2 is encrypted using Alice’s secret key❍ Alice extracts the session key KS ❍ KS is also encrypted with Bob's secret key KB-KDC (A, KS), the so-called ticket.
This can only be decrypted by Bob and is bound to Alice❍ B is present in message 2 in case B would have been replaced in 1❍ Message 1 doesn’t need encryption, unless privacy is a concern❍ Freshness is guaranteed by the presence of the nonce R
❒ Step 3: Alice sends the ticket to Bob
2: KA-KDC (R, B, KS , KB-KDC(A, KS))
3: KB-KDC(A, KS)
1: A, B, R
Here, Ks is chosen by KDC and distributed to A and B (via A)
44
1: Principles of Network Security 87
And without KDC?❒ Assume Alice and Bob have public/private key pairs❒ Idea: use public key crypto to exchange the symmetric
session key:
Session key randomly generated by Alice: KS❒ Bob can check Alice’s signature❒ Bob can extract KS
❒ Once both have KS, they use symmetric-key crypto❒ Asymmetrical scheme: relies on quality of Alice’s random
generator
KA(KB(A, KS))+-
I’m Alice and I want to use this session key KS to talk to you
Back to Diffie-Hellman (DH)❒ With DH the shared key is built from one’s own
private value and the other side’s public value (no exchange of KS at all, and symmetrical)
1: Principles of Network Security 2-88
YB
YA
Some conditions on p and g
45
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 89
Security hole in Diffie-Hellman
YA YB
YT YT
Shared key between A and T
Shared key between B and T
❒ This basic (so-called Anonymous) Diffie-Hellman scheme is subject to a man-in-the-middle (or bucket brigade) attack, in which a third party (Trudy, T) impersonates B while communicating with A, and impersonates A while communicating with B
Solution 1: Fixed Diffie-Hellman❒ The public values were not authenticated in DH❒ So, let’s use certified DH public values
❒ (A,YA) and (B,YB) are certified by a CA❍ Similar to public-key certification
❒ MIM attack impossible. Why?❒ Problem: A and B will always generate the same KS
as long as they keep the same (X,Y) pairs1: Principles of Network Security 2-90
KCA(A,YA)-
KCA(B,YB)-
46
Solution 2: Ephemeral DH❒ Let Alice and Bob certify their own public values
❒ They can change their (X,Y) pairs at any time❒ No CA certification needed
❍ Except once for the certified RSA long-term keys
1: Principles of Network Security 2-91
KA(A,YA)-
KB(B,YB)-
Solution 3: DH without signatures❒ Let Alice and Bob encrypt their own public values
❒ Note: Y values are not public any more, but they are not authenticated!❍ Trudy could easily forge the two messages
❒ Interestingly this scheme turns out to resist the MIM attack. Why?
1: Principles of Network Security 2-92
KB(A,YA)+
KA(B,YB)+
47
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 93
Chapter 1 roadmap1.1 What is network security?1.2 Encryption1.3 Message integrity1.4 Digital Signatures1.5 Public-key Certification1.6 Session keys1.7 End point authentication
- Naïve approaches- Secret-key authentication- Public-key authentication
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 94
End-Point Authentication
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap1.0: Alice says “I am Alice”
Failure scenario?“I am Alice”
48
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 95
End-Point Authentication
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap1.0: Alice says “I am Alice”
in a network,Bob cannot “see” Alice,
so Trudy simply declares
herself to be Alice“I am Alice”
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 96
End-Point Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packetcontaining her source IP address
Failure scenario?
“I am Alice”Alice’s IP address
49
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 97
End-Point Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packetcontaining her source IP address
Trudy can createa packet “spoofing”
Alice’s address“I am Alice”Alice’s
IP address
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 98
End-Point Authentication: another try
Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.
Failure scenario?
“I’m Alice”Alice’s IP addr
Alice’s password
OKAlice’s IP addr
50
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 99
End-Point Authentication: another try
Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.
playback attack: Trudy records Alice’s packet
and laterplays it back to Bob
“I’m Alice”Alice’s IP addr
Alice’s password
OKAlice’s IP addr
“I’m Alice”Alice’s IP addr
Alice’s password
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 100
End-Point Authentication: yet another try
Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it,
assuming Alice and Bob share a secret key
Failure scenario?
“I’m Alice”Alice’s IP addr
encrypted password
OKAlice’s IP addr
51
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 101
End-Point Authentication: yet another try
Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.
recordand
playbackstill works!
“I’m Alice”Alice’s IP addr
encryptedpassword
OKAlice’s IP addr
“I’m Alice”Alice’s IP addr
encryptedpassword
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 102
Chapter 1 roadmap1.1 What is network security?1.2 Encryption
- Secret-key Cryptography- Public-key Cryptography
1.3 Message integrity- Message digest- Message Authentication Code (MAC)
1.4 Digital Signatures1.5 Public-key Certification1.6 End-point authentication
- Naïve approaches- Secret-key authentication- Public-key authentication
52
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 103
End-Point Authentication with a secret key
Goal: avoid playback attack
Failures, drawbacks?
Nonce: number (R) used only once-in-a-lifetimeap4.0: to prove Alice “live”, Bob sends Alice nonce R. Alice must return R, encrypted with shared secret key
“I am Alice”
R
K (R)A-BAlice is live, and only Alice knows
key to encrypt nonce, so it must
be Alice!
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 104
A variant with a MAC
Goal: replace secret key cryptography by cryptographic hash(no export problem)
Failures, drawbacks?
ap4.1: to prove Alice “live”, Bob sends Alice nonce, R. Alice must return a MAC based on R and the shared secret key
“I am Alice”
R
H(R||KA-B)Alice is live, and only Alice knows
key to concatenate to nonce, so it must be Alice!
53
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 105
Bidirectional authenticationap4.2: run 2 separate authentications in //
“I am Alice”
“I am Bob”, RB
RA
H(RB||KA-B)
H(RA||KA-B)
Failures, drawbacks?
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 106
Reflection attack in bidirectional authenticationCombining two robust unidirectional protocols does not always result in a robust bidirectional protocol!
“I am Alice”
“I am Bob”, RB
RB
H(RB||KA-B)
H(RB||KA-B)
Postpone reply.Replay MAC!
Take RA = RB
Solution?
54
3-way bidirectional authentication
1: Principles of Network Security 2-107
“I am Alice”, RA
“I am Bob”, RB, H(RA||KA-B)
H(RB||KA-B)
ap4.3: combine the 2 authentications in 3 messages
Trudy cannot impersonate Alice: he has to choose his nonce first.Trudy cannot impersonate Bob: he has to send his MAC first.
Take RB ≠ RA
3-way bidirectional authentication
1: Principles of Network Security 2-108
“I am Alice”, RA
“I am Bob”, RB, KA-B(RA)
KA-B(RB)
ap4.4: with encryption
Take RB ≠ RA
55
3-way bidirectional authentication
1: Principles of Network Security 2-109
“I am Alice”, RA
“I am Bob”, KA-B(RB,RA)
KA-B(RB)
ap4.5: with RB also encrypted in message 2 (salt)
Take RB ≠ RA
And there are many other variants …
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 110
Combining Key Distribution and Secret-Key Authentication: Needham-Shroeder
❒ Steps 1-2: Alice asks the KDC a session key KS to talk to Bob❒ Steps 3-5: Double authentication between Alice and Bob using KS
❒ The Kerberos system is a variant of this scheme
2: KA-KDC (R, B, KS , KB-KDC(A, KS))
3: KB-KDC(A, KS), RA
1: A, B, R
4: KS(RA), RB
5: KS(RB)
56
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 111
Chapter 1 roadmap1.1 What is network security?1.2 Encryption
- Secret-key Cryptography- Public-key Cryptography
1.3 Message integrity- Message digest- Message Authentication Code (MAC)
1.4 Digital Signatures1.5 Public-key Certification1.6 End-point authentication
- Naïve approaches- Secret-key authentication- Public-key authentication
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 112
Authentication with public key techniques: ap5.0ap4.* require shared symmetric key Can we authenticate using public key techniques?ap5.0: use nonce, public key cryptography
“I am Alice”R
Bob computes
K (R)A-
“send me your public key”
K A+
(K (R)) = RA-K A
+
and knows only Alice could have the private key, that encrypted R
such that(K (R)) = RA
-K A+
57
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 113
ap5.0: security holeMan (woman) in the middle attack: Trudy poses as
Alice (to Bob) and as Bob (to Alice)
“I am Alice” “I am Alice”R
TK (R)-
Send me your public key
TK +A
K (R)-
Send me your public key
AK +
TK (m)+
Tm = K (K (m))+
T-
Trudy gets
sends m to Alice encrypted with
Alice’s public key
AK (m)+
Am = K (K (m))+
A-
R
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 114
ap5.0: security holeMan (woman) in the middle attack: Trudy poses as
Alice (to Bob) and as Bob (to Alice)
Difficult to detect:" Bob receives everything that Alice sends, and vice
versa. (e.g., so Bob, Alice can meet one week later and recall conversation)
" Problem is that Trudy receives all messages as well!
58
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 115
Authentication with public key techniques: ap5.1ap5.1: use certified public keys
“I am Alice”R
Bob computes
K (R)A-
“send me your certified public key”
(K (R)) = RA-K A
+
and knows only Alice could have the private key, that encrypted R
such that(K (R)) = RA
-K A+KCA(A, KA)
+-
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 116
Authentication using Public-Key Cryptography: ap5.2 Needham-Schroeder
We limit the description to the authentication part, omitting the exchanges of certified public keys
This protocol designed in 1978 was in all the textbooksIn 1995, it was proved incorrect
“I am Alice”, KB(RA)+
“I am Bob”, KA(RA, RB)+
KB(RB)+
Bob extractsRA= KB(KB(RA))+-
Only Bob could get RA, so
it must be Bob.Alice extracts RB
Only Alice could get RB, so
it must be Alice.
Here encryption is used instead of signatures
59
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 117
Security hole in ap5.2
“I am Alice”, KT(RA)+
KT(RB)+
“I am Alice”, KB(RA)+
“I am Trudy”, KA(RA, RB)+
KB(RB)+The end result of this interchange is that:- Alice believes she has established a session with Trudy (thinking Trudy is e.g. a
server, but Trudy will just redirect traffic to Bob who will actually provide the service)
- Bob believes he has authenticated Alice and will provide the service to herLater on:- Trudy will send the bill to Alice who will pay (Trudy is her provider)- Bob will send the bill to Alice who will refuse (Alice never asked any service to
Bob
“I am Bob”, KA(RA, RB)+
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 118
Authentication using Public-Key Cryptography: ap5.3 Needham-Schroeder
❒ Corrected protocol: add originator in encrypted part
Moral of the story: designing a correct authentication protocol is much harder than it looks!
“I am Alice”, KB(A, RA)+
“I am Bob”, KA(B, RA, RB)+
KB(A, RB)+
Bob extractsRA= KB(KB(RA))+-
Only Bob could get RA, so
it must be Bob.Alice extracts RB
Only Alice could get RB, so
it must be Alice.
60
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 119
Advantages of CAs over KDCs
❒ The CA is the public key equivalent to the KDC
❒ The CA does not need to be on-line❍ If the CA crashes, the network is not disabled
❒ Certificates are not security-sensitive❒ A compromised CA cannot decrypt conversations
❍ But a compromised CA can fool Alice into accepting an incorrect public key for Bob, and then the CA can impersonate Bob to Alice
© From Computer Networking, by Kurose&Ross1: Principles of Network Security 120
Principles of Network Security (summary)Basic techniques (symmetric-key and public-key):
❍ confidentiality❍ message integrity (MAC)❍ nonrepudiation (signatures)❍ session key generation❍ end-point authentication
Next we’ll see how to use them to secure protocols:❍ SMTP, DNS, TCP (TLS/SSL), IP (IPsec), WiFi, Ethernet
switching, routing, …