Network Security and Its Issues
Presenter: Prosanta Gope
Advisor: Prof. Tzonelih Hwang
Quantum Information and Network Security Lab, NCKU, 2015


Flash Back

Part 3 Protocols 2

Outline

- Network Security Basics
- Understanding the Purpose of Mutual Authentication
- Symmetric Key based Mutual Authentication
- Public Key based Mutual Authentication
- Understanding Secure Socket Layer (SSL)

Network Security Basics

Network Security Services

- Confidentiality
- Integrity
- Authentication
- Nonrepudiation
- Access Control
- Availability

Network Security Services

- Confidentiality: maintaining the privacy of data
- Integrity: detecting that the data is not tampered with
- Authentication: establishing proof of identity
- Nonrepudiation: ability to prove that the sender actually sent the data
- Access Control: access to information resources is regulated
- Availability: computer assets are available to authorized parties when needed

Something Well-known in Network Security World

Friends and enemies: Alice, Bob, Trudy

- Bob, Alice (lovers!) want to communicate “securely”
- Trudy (intruder) may intercept, delete, add messages

[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy is shown on the channel]

Protocol

- Human protocols: the rules followed in human interactions
  o Example: Asking a question in class
- Networking protocols: rules followed in networked communication systems
  o Examples: HTTP, FTP, etc.
- Security protocol: the (communication) rules followed in a security application
  o Examples: SSL, IPSec, Kerberos, etc.

Ideal Security Protocol

- Must satisfy security requirements
  o Requirements need to be precise
- Efficient
  o Small computational requirement
  o Small bandwidth usage, minimal delays…
- Robust
  o Works even if environment changes
- Easy to use & implement, flexible…
- Difficult to satisfy all of these!

Secure Entry to NSA

1. Insert badge into reader
2. Enter PIN
3. Correct PIN?
   Yes? Enter
   No? Get shot by security guard

ATM Machine Protocol

1. Insert ATM card
2. Enter PIN
3. Correct PIN?
   Yes? Conduct your transaction(s)
   No? Machine (eventually) eats card

Authentication Protocols

Authentication

- Alice must prove her identity to Bob
  o Alice and Bob can be humans or computers
- May also require Bob to prove he’s Bob (mutual authentication)
- Probably need to establish a session key
- May have other requirements, such as
  o Use public keys
  o Use symmetric keys
  o Use hash functions
  o Anonymity, etc., etc.

Simple Authentication

Alice -> Bob: “I’m Alice”
Bob -> Alice: Prove it
Alice -> Bob: My password is “frank”

- Simple and may be OK for standalone system
- But insecure for networked system
  o Subject to a replay attack (next 2 slides)
  o Also, Bob must know Alice’s password

Authentication Attack

Alice -> Bob: “I’m Alice”
Bob -> Alice: Prove it
Alice -> Bob: My password is “frank”

[Figure: Trudy is shown alongside the exchange]

Authentication Attack

Trudy -> Bob: “I’m Alice”
Bob -> Trudy: Prove it
Trudy -> Bob: My password is “frank”

- This is an example of a replay attack
- How can we prevent a replay?

Simple Authentication

Alice -> Bob: I’m Alice, my password is “frank”

- More efficient, but…
- … same problem as previous version

Better Authentication

Alice -> Bob: “I’m Alice”
Bob -> Alice: Prove it
Alice -> Bob: h(Alice’s password)

- Better since it hides Alice’s password
  o From both Bob and Trudy
- But still subject to replay

Challenge-Response

- To prevent replay, use challenge-response
  o Goal is to ensure “freshness”
- Suppose Bob wants to authenticate Alice
  o Challenge sent from Bob to Alice
- Challenge is chosen so that…
  o Replay is not possible
  o Only Alice can provide the correct response
  o Bob can verify the response

Nonce

- To ensure freshness, can employ a nonce
  o Nonce == number used once
- What to use for nonces?
  o That is, what is the challenge?
- What should Alice do with the nonce?
  o That is, how to compute the response?
- How can Bob verify the response?
- Should we rely on passwords or keys?

Challenge-Response

Alice -> Bob: “I’m Alice”
Bob -> Alice: Nonce
Alice -> Bob: h(Alice’s password, Nonce)

- Nonce is the challenge
- The hash is the response
- Nonce prevents replay, ensures freshness
- Password is something Alice knows
- Note: Bob must know Alice’s pwd to verify
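
The difference between the “Better Authentication” exchange and the nonce-based one, as an added example that is not part of the original slides. It assumes HMAC-SHA256 as the hash h; the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

PASSWORD = b"frank"  # Alice's password as given on the slides


def respond(password: bytes, nonce: bytes) -> bytes:
    # Alice's response h(password, Nonce); HMAC-SHA256 is the assumed h.
    return hmac.new(password, nonce, hashlib.sha256).digest()


class StaticHashBob:
    """'Better Authentication': Bob accepts h(password), with no challenge."""

    def __init__(self, password: bytes):
        self.expected = hashlib.sha256(password).digest()

    def verify(self, response: bytes) -> bool:
        return hmac.compare_digest(response, self.expected)


class NonceBob:
    """'Challenge-Response': Bob issues a fresh nonce for every attempt."""

    def __init__(self, password: bytes):
        self.password = password  # Bob must know the password to verify
        self.pending = None       # nonce currently awaiting a response

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, response: bytes) -> bool:
        nonce, self.pending = self.pending, None  # each nonce is used once
        if nonce is None:
            return False  # no outstanding challenge
        return hmac.compare_digest(response, respond(self.password, nonce))


def replay_without_nonce() -> bool:
    bob = StaticHashBob(PASSWORD)
    captured = hashlib.sha256(PASSWORD).digest()  # recorded from the wire
    genuine = bob.verify(captured)                # Alice's own login
    return genuine and bob.verify(captured)       # same bytes sent again


def replay_with_nonce() -> bool:
    bob = NonceBob(PASSWORD)
    captured = respond(PASSWORD, bob.challenge())  # recorded from the wire
    genuine = bob.verify(captured)                 # Alice's own login
    bob.challenge()                                # later attempt, new nonce
    return genuine and bob.verify(captured)        # stale response


if __name__ == "__main__":
    print("replay accepted, h(password):       ", replay_without_nonce())
    print("replay accepted, h(password, Nonce):", replay_with_nonce())
```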

Generic Challenge-Response

Alice -> Bob: “I’m Alice”
Bob -> Alice: Nonce
Alice -> Bob: Something that could only be from Alice (and Bob can verify)

- In practice, how to achieve this?
- Hashed password works, but…
- Encryption is better here (Why?)

Symmetric Key Notation

- Encrypt plaintext P with key K
  C = E(P,K)
- Decrypt ciphertext C with key K
  P = D(C,K)
- Here, we are concerned with attacks on protocols, not attacks on crypto
  o So, we assume crypto algorithms are secure

Authentication: Symmetric Key

- Alice and Bob share symmetric key K
- Key K known only to Alice and Bob
- Authenticate by proving knowledge of shared symmetric key
- How to accomplish this?
  o Cannot reveal key, must not allow replay (or other) attack, must be verifiable, …

Authentication with Symmetric Key

Alice (holds K) -> Bob (holds K): “I’m Alice”
Bob -> Alice: R
Alice -> Bob: E(R,K)

- Secure method for Bob to authenticate Alice
- Alice does not authenticate Bob
- So, can we achieve mutual authentication?

Mutual Authentication?

Alice (holds K) -> Bob (holds K): “I’m Alice”, R
Bob -> Alice: E(R,K)
Alice -> Bob: E(R,K)

- What’s wrong with this picture?
- “Alice” could be Trudy (or anybody else)!

Mutual Authentication

- Since we have a secure one-way authentication protocol…
- The obvious thing to do is to use the protocol twice
  o Once for Bob to authenticate Alice
  o Once for Alice to authenticate Bob
- This has got to work…

Mutual Authentication

Alice (holds K) -> Bob (holds K): “I’m Alice”, RA
Bob -> Alice: RB, E(RA, K)
Alice -> Bob: E(RB, K)

- This provides mutual authentication…
- …or does it? See the next slide

Mutual Authentication Attack

First connection (Trudy and Bob, who holds K):
1. Trudy -> Bob: “I’m Alice”, RA
2. Bob -> Trudy: RB, E(RA, K)

Second connection (Trudy and Bob, who holds K):
3. Trudy -> Bob: “I’m Alice”, RB
4. Bob -> Trudy: RC, E(RB, K)

Back on the first connection:
5. Trudy -> Bob: E(RB, K)

Let’s Resolve this Problem

Symmetric Key Mutual Authentication

Alice (holds K) -> Bob (holds K): “I’m Alice”, RA
Bob -> Alice: RB, E(“Bob”,RA,K)
Alice -> Bob: E(“Alice”,RB,K)

- Do these “insignificant” changes help?
- Yes!
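
Why binding the sender's name into the encrypted value helps, as an added example that is not part of the original slides: the same five attack steps are run against Bob with and without the name. HMAC-SHA256 is an assumed stand-in for E(..., K), which is enough here because Bob only recomputes and compares; the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

K = secrets.token_bytes(32)  # constructed long-term key shared by Alice and Bob


def E(*fields: bytes, key: bytes) -> bytes:
    # Assumed stand-in for E(..., K): HMAC-SHA256 over length-prefixed fields.
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


def proof(name: bytes, nonce: bytes, key: bytes, bind_names: bool) -> bytes:
    # bind_names=False: E(R, K), the protocol that the attack slide breaks.
    # bind_names=True:  E(name, R, K), the corrected protocol.
    return E(name, nonce, key=key) if bind_names else E(nonce, key=key)


class Bob:
    """Bob's side of the three-message protocol, one object per connection."""

    def __init__(self, key: bytes, bind_names: bool):
        self.key = key
        self.bind_names = bind_names
        self.rb = None

    def message2(self, ra: bytes):
        # Answer the initiator's challenge RA and issue Bob's own challenge RB.
        self.rb = secrets.token_bytes(16)
        return self.rb, proof(b"Bob", ra, self.key, self.bind_names)

    def message3(self, answer: bytes) -> bool:
        # Accept only a valid answer to the RB issued on this connection.
        if self.rb is None:
            return False
        want = proof(b"Alice", self.rb, self.key, self.bind_names)
        return hmac.compare_digest(answer, want)


def honest_run(bind_names: bool) -> bool:
    # Alice knows K: she checks Bob's proof, then answers his challenge.
    bob = Bob(K, bind_names)
    ra = secrets.token_bytes(16)
    rb, bob_proof = bob.message2(ra)
    if not hmac.compare_digest(bob_proof, proof(b"Bob", ra, K, bind_names)):
        return False
    return bob.message3(proof(b"Alice", rb, K, bind_names))


def reflection_run(bind_names: bool) -> bool:
    # The five steps of the attack slide. Every value sent to Bob here was
    # produced by Bob himself; the initiator never computes anything with K.
    first, second = Bob(K, bind_names), Bob(K, bind_names)
    rb, _ = first.message2(secrets.token_bytes(16))  # steps 1-2
    _, reflected = second.message2(rb)               # steps 3-4
    return first.message3(reflected)                 # step 5


if __name__ == "__main__":
    for bind in (False, True):
        print("names bound:", bind, "| honest run ok:", honest_run(bind),
              "| reflection accepted:", reflection_run(bind))
```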

Problem Statement

In a symmetric-key based authentication protocol, Alice and Bob need to have a shared secret key, and distributing keys among the participants is a tedious job.

Welcome to the World of Public-Key Crypto-System

Public Keys and Trust

Public Key: PA
Secret key: SA

Public Key: PB
Secret key: SB

- How are public keys stored?
- How to obtain the public key?
- How does Bob know, or ‘trust’, that PA is Alice’s public key?

Distribution of Public Keys

- Public announcement: users distribute public keys to recipients or broadcast to community at large
- Publicly available directory: can obtain greater security by registering keys with a public directory
- Distribution of public keys can also be achieved through a CA

Public Key Notation

- Encrypt M with Alice’s public key: {M}Alice
- Sign M with Alice’s private key: [M]Alice
- Anybody can use Alice’s public key
- Only Alice can use her private key

Public Key Authentication

Alice -> Bob: “I’m Alice”
Bob -> Alice: {R}Alice
Alice -> Bob: R

- Is this secure?
- Trudy can get Alice to decrypt anything!

Public Key Authentication

Alice -> Bob: “I’m Alice”
Bob -> Alice: R
Alice -> Bob: [R]Alice

- Is this secure?
- Trudy can get Alice to sign anything!

Public Keys

- Generally, a bad idea to use the same key pair for encryption and signing
- Instead, should have…
  o …one key pair for encryption/decryption…
  o …and a different key pair for signing/verifying signatures

Session Key

- Usually, a session key is required
  o I.e., a symmetric key for a particular session
  o Used for confidentiality and/or integrity
- How to authenticate and establish a session key (i.e., shared symmetric key)?
  o When authentication completed, want Alice and Bob to share a session key
  o Trudy cannot break the authentication…
  o …and Trudy cannot determine the session key

Authentication & Session Key

Alice -> Bob: “I’m Alice”, R
Bob -> Alice: {R,K}Alice
Alice -> Bob: {R+1,K}Bob

- Is this secure?
  o Alice is authenticated and session key is secure
  o Alice’s “nonce”, R, useless to authenticate Bob
  o The key K is acting as Bob’s nonce to Alice
- No mutual authentication

Public Key Authentication and Session Key

Alice -> Bob: “I’m Alice”, R
Bob -> Alice: [R,K]Bob
Alice -> Bob: [R+1,K]Alice

- Is this secure?
  o Mutual authentication (good), but…
  o … session key is not secret (very bad)

Public Key Authentication and Session Key

Alice -> Bob: “I’m Alice”, R
Bob -> Alice: {[R,K]Bob}Alice
Alice -> Bob: {[R+1,K]Alice}Bob

- Is this secure?
- Seems to be OK
- Mutual authentication and session key!

Public Key Authentication and Session Key

Alice -> Bob: “I’m Alice”, R
Bob -> Alice: [{R,K}Alice]Bob
Alice -> Bob: [{R+1,K}Bob]Alice

- Is this secure?
- Seems to be OK

Perfect Forward Secrecy

- Consider this “issue”…
  o Alice encrypts message with shared key K and sends ciphertext to Bob
  o Trudy records ciphertext and later attacks Alice’s (or Bob’s) computer to recover K
  o Then Trudy decrypts recorded messages
- Perfect forward secrecy (PFS): Trudy cannot later decrypt recorded ciphertext
  o Even if Trudy gets key K or other secret(s)
- Is PFS possible?

Naïve Session Key Protocol

Alice (holds K) and Bob (holds K) exchange:
E(KS, K)
E(messages, KS)

- Trudy could record E(KS, K)
- If Trudy later gets K then she can get KS
  o Then Trudy can decrypt recorded messages

Then How to Achieve Perfect Forward Secrecy (PFS)

With the Help of Diffie-Hellman Key-Agreement Protocol

Key Agreement: Diffie-Hellman Protocol

- Key agreement protocol, both A and B contribute to the key
- Setup: p prime and g generator of Zp*, p and g public
- A: pick random, secret a; compute and send g^a mod p
- B: pick random, secret b; compute and send g^b mod p
- A computes K = (g^b mod p)^a = g^ab mod p
- B computes K = (g^a mod p)^b = g^ab mod p

MIM in Diffie-Hellman

[Figure: messages g^a mod n, g^b mod n, and g^c mod n (shown twice)]

Alice computes g^ac mod n and Bob computes g^bc mod n !!!

Oh! No.. Can Anyone Help Me to Achieve PFS?

Perfect Forward Secrecy

Alice (K, a) -> Bob: E(g^a mod p, K)
Bob (K, b) -> Alice: E(g^b mod p, K)

- Session key KS = g^ab mod p
- Alice forgets a, Bob forgets b
- So-called Ephemeral Diffie-Hellman
- Neither Alice nor Bob can later recover KS
- Are there other ways to achieve PFS?
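
The naïve session key protocol and the ephemeral Diffie-Hellman exchange above, compared under a later compromise of K, as an added example that is not part of the original slides. It assumes a toy cipher for E and a toy-sized group so that it runs with the standard library only; the function names are hypothetical.

```python
import hashlib
import secrets

P = 2**127 - 1  # toy prime modulus: far too small for real use
G = 3           # toy base, not checked to be a generator of Zp*


def E(data: bytes, key: bytes) -> bytes:
    # Toy stand-in for the slides' E(plaintext, K): XOR with a SHA-256
    # counter keystream. XOR is its own inverse, so D is the same call.
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def enc_int(n: int) -> bytes:
    return n.to_bytes(16, "big")  # every value mod P fits in 16 bytes


def naive_session(k: bytes, message: bytes) -> list:
    # Naive protocol: the wire carries E(KS, K), then E(messages, KS).
    ks = secrets.token_bytes(16)
    return [E(ks, k), E(message, ks)]


def ephemeral_dh_session(k: bytes, message: bytes) -> list:
    # PFS slide: the wire carries E(g^a mod p, K) and E(g^b mod p, K).
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    ga, gb = pow(G, a, P), pow(G, b, P)
    ks = enc_int(pow(gb, a, P))          # Alice's view of KS = g^ab mod p
    assert ks == enc_int(pow(ga, b, P))  # Bob derives the same KS
    wire = [E(enc_int(ga), k), E(enc_int(gb), k), E(message, ks)]
    return wire  # a, b and KS are dropped on return: both sides "forget"


def recover_naive(wire: list, k: bytes) -> bytes:
    # Trudy recorded the wire and later obtained K: KS falls out directly.
    ks = E(wire[0], k)
    return E(wire[1], ks)


def recover_dh(wire: list, k: bytes) -> list:
    # With K, Trudy learns g^a and g^b only. KS = g^ab needs a or b, which
    # no longer exist, so the values she can form do not decrypt the message.
    ga = int.from_bytes(E(wire[0], k), "big")
    gb = int.from_bytes(E(wire[1], k), "big")
    candidates = [enc_int(ga), enc_int(gb), enc_int(ga * gb % P)]
    return [E(wire[2], c) for c in candidates]


if __name__ == "__main__":
    k = secrets.token_bytes(16)          # constructed long-term key K
    msg = b"constructed sample message"  # constructed plaintext
    print("naive protocol, message recovered:",
          recover_naive(naive_session(k, msg), k) == msg)
    print("ephemeral DH, message recovered:  ",
          msg in recover_dh(ephemeral_dh_session(k, msg), k))
```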

Mutual Authentication, Session Key and PFS

Alice -> Bob: “I’m Alice”, RA
Bob -> Alice: RB, [{RA, g^b mod p}Alice]Bob
Alice -> Bob: [{RB, g^a mod p}Bob]Alice

- Session key is SK = g^ab mod p
- Alice forgets a and Bob forgets b
- If Trudy later gets Bob’s and Alice’s secrets, she cannot recover session key SK

Three-Party Mutual Authentication and Key-Distribution Using Symmetric-Key Crypto System

Meet Our Participants

[Figure: the participants Trudy, Alice and Bob, with the label “Can be Treated as Server”]

Assumptions

[Figure: Trudy, Alice and Bob, with the labels Kat, Kbt, IDa, IDb and “? Share Key”]

[Figure: messages M1, M2, M3 and M4 exchanged with Trudy]

Alice:
Gen: Na
Nx = Na
Va = h(Na || Kat || IDa)
M1: {IDa, Nx, Va}

Bob:
Gen: Nb
Ny = Nb
Vb = h(Nb || Kbt || IDb)
M2: {IDb, Ny, Vb}

Trudy:
Check: ?Va, ?Vb
Gen: Kab
M3: {Kab || Na}
M4: {Kab || Nb}

Na = Nx, Nb = Ny

[Figure: messages M1, M2, M3 and M4 exchanged with Trudy]

Trudy:
Check: ?Va, ?Vb
Gen: Kab
M3: {Kab || Na}
M4: {Kab || Nb}

Alice:
Decrypt: M3
Check: ?Na
Get: Kab

Bob:
Decrypt: M4
Check: ?Nb
Get: Kab

Kab

Secure communication

Understanding SSL

[Figure labels: Early cryptography; Classical cryptography; Information Security (資安號); Privacy, Integrity, Authentication; Network Security Services; Authentication]

THANK YOU

I have questions…