Alexander Potapov Authentication definition Protocol architectures Cryptographic properties Freshness Types of attack on protocols T woway authentication protocol attack The DiffieHellman key ID: 218110
Download Presentation The PPT/PDF document "Security of Authentication Protocols" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Security of Authentication Protocols
Alexander
PotapovSlide2
Authentication definitionProtocol architectures
Cryptographic properties
FreshnessTypes of attack on protocolsTwo-way authentication protocol attackThe Diffie-Hellman key exchange attackAuthentication protocol using a KDC
OutlineSlide3
Authentication
deals with
the question of whether you are actually communicating with a specific process. Authorization is concerned with what that process is permitted to do.Authentication definitionSlide4
Authentication
deals with
the question of whether you are actually communicating with a specific process. Authorization is concerned with what that process is permitted to do.Example:
Is
this actually Scott's process (
authentication
)?Is Scott allowed to delete this file (authorization)?
Authentication definition
Scott
Server
Delete file
RequestSlide5
Existing cryptographic keysMethod of session key generation
Protocol
architecturesSlide6
The principals already share a secret key
An off-line server is used. Principals possess certified public keys
An on-line server is used. Each principal shares a key with a trusted serverProtocol architectures: existing cryptographic keysSlide7
The principals already share a secret key
An off-line server is used. Principals possess certified public keys
An on-line server is used. Each principal shares a key with a trusted serverProtocol architectures: existing cryptographic keysSlide8
The principals already share a secret key
An off-line server is used. Principals possess certified public keys
An on-line server is used. Each principal shares a key with a trusted serverProtocol architectures: existing cryptographic keysSlide9
A key transport protocol
A key agreement protocol
Protocol architectures: method of session key generation
One of the principals
g
enerates the key and
this key is then transferred to all protocol users (K
s in this example)Slide10
A key transport protocol
A key agreement protocol
Protocol architectures: method of session key generation Session key is a function of inputs by all protocol usersSlide11
Confidentiality
Data integrity
Data origin authenticationNon-repudiationCryptographic properties
Ensures that data is only available to those
authorised
to obtain it.
Usually achieved through encryption/decryption.Slide12
Confidentiality
Data integrity
Data origin authenticationNon-repudiationCryptographic properties
Ensures that data has not been altered by
unauthorised
entities.
Usually achieved: Use of hash functions in combination with encryption
Use of message authentication code to create a
separate check field Slide13
Confidentiality
Data integrity
Data origin authenticationNon-repudiationCryptographic properties
Guarantees the origin of data.
Normally achieved by the same mechanisms like we
h
ave in data integrity.Slide14
Confidentiality
Data integrity
Data origin authenticationNon-repudiationCryptographic properties
Ensures that entities cannot deny sending data
that they have committed to.
Typically provided using a digital signature
mechanism.Slide15
Timestamps
Nonces
(random challenges)CountersFreshness
U
ser of the session key should be able to
verify that key is new and not replayed from
old sessions.On recipients side if message is within an acceptable window of the current time then the message is
regarded as fresh.Slide16
Timestamps
Nonces
(random challenges)CountersFreshness
U
ser of the session key should be able to
verify that key is new and not replayed from
old sessions.The message is fresh because the message cannot have been formed before the
nonce was generated. Slide17
Timestamps
Nonces
(random challenges)CountersFreshness
U
ser of the session key should be able to
verify that key is new and not replayed from
old sessions.The sender and recipient maintain a synchronized counter whose value is sent with the message and then incremented.Slide18
Eavesdropping
Modification
ReplayPreplayReflectionDenial of service
Typing attacks
Cryptanalysis
Certificate manipulation
Protocol interactionTypes of attack on protocols
The adversary captures
the information sent in the protocol
EavesdroppingSlide19
Eavesdropping
Modification
ReplayPreplayReflectionDenial of service
Typing attacks
Cryptanalysis
Certificate manipulation
Protocol interactionTypes of attack on protocols
The adversary alters
the information sent in the protocol
ModificationSlide20
Eavesdropping
Modification
ReplayPreplayReflectionDenial of service
Typing attacks
Cryptanalysis
Certificate manipulation
Protocol interactionTypes of attack on protocols
The adversary records
information seen in the protocol and then sends it to the same, or
a different, principal, possibly during a later p
rotocol run
ReplaySlide21
Eavesdropping
Modification
ReplayPreplayReflectionDenial of service
Typing attacks
Cryptanalysis
Certificate manipulation
Protocol interactionTypes of attack on protocols
The adversary engages
in a run of the protocolprior to a run by the
legitimate principals
Pr
eplaySlide22
Eavesdropping
Modification
ReplayPreplayReflectionDenial of service
Typing attacks
Cryptanalysis
Certificate manipulation
Protocol interactionTypes of attack on protocols
The adversary sends
protocol message backto the principal who sent
them
ReflectionSlide23
Eavesdropping
Modification
ReplayPreplayReflectionDenial of service
Typing attacks
Cryptanalysis
Certificate manipulation
Protocol interactionTypes of attack on protocols
The adversary prevents
or hinders legitimate principals from completing
the protocol
Denial of serviceSlide24
Eavesdropping
Modification
ReplayPreplayReflectionDenial of service
Typing attacks
Cryptanalysis
Certificate manipulation
Protocol interactionTypes of attack on protocols
The adversary replaces
a protocol message fieldof one type with a
message field of anothertype
Typing attacksSlide25
Eavesdropping
Modification
ReplayPreplayReflectionDenial of service
Typing attacks
Cryptanalysis
Certificate manipulation
Protocol interactionTypes of attack on protocols
The adversary gains
some useful leverage from the protocol to help in cryptanalysis
CryptanalysisSlide26
Eavesdropping
Modification
ReplayPreplayReflectionDenial of service
Typing attacks
Cryptanalysis
Certificate manipulation
Protocol interactionTypes of attack on protocols
The adversary chooses
or modifies certificateinformation to attack
one or more protocolruns
Certificate manipulationSlide27
Eavesdropping
Modification
ReplayPreplayReflectionDenial of service
Typing attacks
Cryptanalysis
Certificate manipulation
Protocol interactionTypes of attack on protocols
The adversary chooses
a new protocol to interact with a known protocol
Protocol interactionSlide28
Two-way
authentication protocol
A, B
are the identities of Alice and Bob.
R
i
- the challenge, where the subscript identifies the challenger.Ki - are keys, where i indicates the owner.Slide29
Two-way authentication
protocol
: reflection attack
Second
session
is opened (message 3),
supplying the RB taken from message 2. Bob encrypts it and sends back KAB (RB) in message 4. Slide30
Two-way authentication protocol
: solution of the problem
Both HMACs include values chosen by the sending party, something which Trudy cannot control.
HMAC
–
hashed message authentication c
ode Data structured is hashed into the HMAC,
for example using SHA-1. Based on received information, Alice can compute the HMAC herself.Slide31
The Diffie-Hellman key exchange
n
and g are two agreed large numbersx
and
y
are
large (say, 512-bit) private numbers generated by both sidesThe trouble is, given only g mod n, it is hard to find x. All currently-known algorithms simply take too long, even on massively parallel supercomputers.
xSlide32
The Diffie-Hellman key
exchange
: man-in-the-middle attackAlice thinks she is talking to
Bob
so she establishes a session
key
(with Trudy). So does Bob. Every message that Alice sends on the encrypted session is captured by Trudy, stored, modified if desired, and then (optionally) passed on to Bob
. Similarly, in the
other direction.Slide33
Authentication Using a Key Distribution
Center:
replay attackKDC -
Key distribution center
K
s
- generated session keyBy snooping on the network, Trudy copies message 2 and the money-transfer request that follows it. Later, she replays both of
them to Bob.Slide34
Authentication Using a Key Distribution Center
:
Needham-Schroeder authentication protocol
½ messages – ticket request (R
A
assures that
message 2 is fresh, and not a replay)Message 4 - Bob sends back it to prove to Alice that she is talking to the real BobSlide35
Reference
Protocols for authentication
and key establishment
Colin Boyd, Anish Mathuria
Computer networks
Andrew S. Tanenbaum