Security of Authentication Protocols - PowerPoint Presentation

Download presentation
Security of Authentication Protocols
Security of Authentication Protocols

Embed / Share - Security of Authentication Protocols


Presentation on theme: "Security of Authentication Protocols"— Presentation transcript


Slide1

Security of Authentication Protocols

Alexander

PotapovSlide2

Authentication definitionProtocol architectures

Cryptographic properties

FreshnessTypes of attack on protocolsTwo-way authentication protocol attackThe Diffie-Hellman key exchange attackAuthentication protocol using a KDC

OutlineSlide3

Authentication

deals with

the question of whether you are actually communicating with a specific process. Authorization is concerned with what that process is permitted to do.Authentication definitionSlide4

Authentication

deals with

the question of whether you are actually communicating with a specific process. Authorization is concerned with what that process is permitted to do.Example:

Is

this actually Scott's process (

authentication

)?Is Scott allowed to delete this file (authorization)?

Authentication definition

Scott

Server

Delete file

RequestSlide5

Existing cryptographic keysMethod of session key generation

Protocol

architecturesSlide6

The principals already share a secret key

An off-line server is used. Principals possess certified public keys

An on-line server is used. Each principal shares a key with a trusted serverProtocol architectures: existing cryptographic keysSlide7

The principals already share a secret key

An off-line server is used. Principals possess certified public keys

An on-line server is used. Each principal shares a key with a trusted serverProtocol architectures: existing cryptographic keysSlide8

The principals already share a secret key

An off-line server is used. Principals possess certified public keys

An on-line server is used. Each principal shares a key with a trusted serverProtocol architectures: existing cryptographic keysSlide9

A key transport protocol

A key agreement protocol

Protocol architectures: method of session key generation

One of the principals

g

enerates the key and

this key is then transferred to all protocol users (K

s in this example)Slide10

A key transport protocol

A key agreement protocol

Protocol architectures: method of session key generation Session key is a function of inputs by all protocol usersSlide11

Confidentiality

Data integrity

Data origin authenticationNon-repudiationCryptographic properties

Ensures that data is only available to those

authorised

to obtain it.

Usually achieved through encryption/decryption.Slide12

Confidentiality

Data integrity

Data origin authenticationNon-repudiationCryptographic properties

Ensures that data has not been altered by

unauthorised

entities.

Usually achieved: Use of hash functions in combination with encryption

Use of message authentication code to create a

separate check field Slide13

Confidentiality

Data integrity

Data origin authenticationNon-repudiationCryptographic properties

Guarantees the origin of data.

Normally achieved by the same mechanisms like we

h

ave in data integrity.Slide14

Confidentiality

Data integrity

Data origin authenticationNon-repudiationCryptographic properties

Ensures that entities cannot deny sending data

that they have committed to.

Typically provided using a digital signature

mechanism.Slide15

Timestamps

Nonces

(random challenges)CountersFreshness

U

ser of the session key should be able to

verify that key is new and not replayed from

old sessions.On recipients side if message is within an acceptable window of the current time then the message is

regarded as fresh.Slide16

Timestamps

Nonces

(random challenges)CountersFreshness

U

ser of the session key should be able to

verify that key is new and not replayed from

old sessions.The message is fresh because the message cannot have been formed before the

nonce was generated. Slide17

Timestamps

Nonces

(random challenges)CountersFreshness

U

ser of the session key should be able to

verify that key is new and not replayed from

old sessions.The sender and recipient maintain a synchronized counter whose value is sent with the message and then incremented.Slide18

Eavesdropping

Modification

ReplayPreplayReflectionDenial of service

Typing attacks

Cryptanalysis

Certificate manipulation

Protocol interactionTypes of attack on protocols

The adversary captures

the information sent in the protocol

EavesdroppingSlide19

Eavesdropping

Modification

ReplayPreplayReflectionDenial of service

Typing attacks

Cryptanalysis

Certificate manipulation

Protocol interactionTypes of attack on protocols

The adversary alters

the information sent in the protocol

ModificationSlide20

Eavesdropping

Modification

ReplayPreplayReflectionDenial of service

Typing attacks

Cryptanalysis

Certificate manipulation

Protocol interactionTypes of attack on protocols

The adversary records

information seen in the protocol and then sends it to the same, or

a different, principal, possibly during a later p

rotocol run

ReplaySlide21

Eavesdropping

Modification

ReplayPreplayReflectionDenial of service

Typing attacks

Cryptanalysis

Certificate manipulation

Protocol interactionTypes of attack on protocols

The adversary engages

in a run of the protocolprior to a run by the

legitimate principals

Pr

eplaySlide22

Eavesdropping

Modification

ReplayPreplayReflectionDenial of service

Typing attacks

Cryptanalysis

Certificate manipulation

Protocol interactionTypes of attack on protocols

The adversary sends

protocol message backto the principal who sent

them

ReflectionSlide23

Eavesdropping

Modification

ReplayPreplayReflectionDenial of service

Typing attacks

Cryptanalysis

Certificate manipulation

Protocol interactionTypes of attack on protocols

The adversary prevents

or hinders legitimate principals from completing

the protocol

Denial of serviceSlide24

Eavesdropping

Modification

ReplayPreplayReflectionDenial of service

Typing attacks

Cryptanalysis

Certificate manipulation

Protocol interactionTypes of attack on protocols

The adversary replaces

a protocol message fieldof one type with a

message field of anothertype

Typing attacksSlide25

Eavesdropping

Modification

ReplayPreplayReflectionDenial of service

Typing attacks

Cryptanalysis

Certificate manipulation

Protocol interactionTypes of attack on protocols

The adversary gains

some useful leverage from the protocol to help in cryptanalysis

CryptanalysisSlide26

Eavesdropping

Modification

ReplayPreplayReflectionDenial of service

Typing attacks

Cryptanalysis

Certificate manipulation

Protocol interactionTypes of attack on protocols

The adversary chooses

or modifies certificateinformation to attack

one or more protocolruns

Certificate manipulationSlide27

Eavesdropping

Modification

ReplayPreplayReflectionDenial of service

Typing attacks

Cryptanalysis

Certificate manipulation

Protocol interactionTypes of attack on protocols

The adversary chooses

a new protocol to interact with a known protocol

Protocol interactionSlide28

Two-way

authentication protocol

A, B

are the identities of Alice and Bob.

R

i

- the challenge, where the subscript identifies the challenger.Ki - are keys, where i indicates the owner.Slide29

Two-way authentication

protocol

: reflection attack

Second

session

is opened (message 3),

supplying the RB taken from message 2. Bob encrypts it and sends back KAB (RB) in message 4. Slide30

Two-way authentication protocol

: solution of the problem

Both HMACs include values chosen by the sending party, something which Trudy cannot control.

HMAC

hashed message authentication c

ode Data structured is hashed into the HMAC,

for example using SHA-1. Based on received information, Alice can compute the HMAC herself.Slide31

The Diffie-Hellman key exchange

n

and g are two agreed large numbersx

and

y

are

large (say, 512-bit) private numbers generated by both sidesThe trouble is, given only g mod n, it is hard to find x. All currently-known algorithms simply take too long, even on massively parallel supercomputers.

xSlide32

The Diffie-Hellman key

exchange

: man-in-the-middle attackAlice thinks she is talking to

Bob

so she establishes a session

key

(with Trudy). So does Bob. Every message that Alice sends on the encrypted session is captured by Trudy, stored, modified if desired, and then (optionally) passed on to Bob

. Similarly, in the

other direction.Slide33

Authentication Using a Key Distribution

Center:

replay attackKDC -

Key distribution center

K

s

- generated session keyBy snooping on the network, Trudy copies message 2 and the money-transfer request that follows it. Later, she replays both of

them to Bob.Slide34

Authentication Using a Key Distribution Center

:

Needham-Schroeder authentication protocol

½ messages – ticket request (R

A

assures that

message 2 is fresh, and not a replay)Message 4 - Bob sends back it to prove to Alice that she is talking to the real BobSlide35

Reference

Protocols for authentication

and key establishment

Colin Boyd, Anish Mathuria

Computer networks

Andrew S. Tanenbaum

By: calandra-battersby
Views: 97
Type: Public

Security of Authentication Protocols - Description


Alexander Potapov Authentication definition Protocol architectures Cryptographic properties Freshness Types of attack on protocols T woway authentication protocol attack The DiffieHellman key ID: 218110 Download Presentation

Related Documents