Quartz 4

compSec {postMidterm} Lecture18

6 min read

compSec {postMidterm} Lecture18

Download compSec {postMidterm} Lecture18.pdf | View on GitHub

View on GitHub | Download Local

Extracted Content (for search)

Click to view slide text

CS 4173/5173 COMPUTER SECURITY Authentication Protocols

AUTHENTICATION HANDSHAKES • Secure communication almost always includes an initial authentication handshake. ‒ Authenticate each other

• Based on cryptographic primitives

‒ Establish session keys ‒ This process is not trivial; flaws in this process undermine secure communication • Cryptographic primitives being secure is not equivalent to the design based on them being secure.

2

SECURITY ANALYSIS • All communications are based on the public channel • Ensure MUTUAL authentication ‒ Alice proves to Bob that she is indeed Alice

• If a third party Eve impersonates Alice, will she succeed?

‒ and Bob proves to Alice that he is indeed Bob

• If a third party Eve impersonates Bob, will she succeed?

• Ensure there is no other type of attacks • Alice and Bob must share a common secret, but they need to prove to each other that they hold the same secret without disclosing it in the public channel

3

AUTHENTICATION WITH SHARED SECRET Alice

I’m Alice A challenge R

Bob

H(KAlice-Bob, R)

• Assumptions:

‒ Shared key: KAlice-Bob ‒ R is a random number

• Questions:

‒ Can Alice prove to Bob that she is indeed Alice? ‒ Can Bob prove that he is indeed Bob? 4

AUTHENTICATION WITH SHARED SECRET (CONT’D) Alice

I’m Alice KAlice-Bob{R}

Bob

R

• Questions:

‒ Can Alice prove to Bob that she is indeed Alice? ‒ Can Bob prove that he is indeed Bob?

5

AUTHENTICATION WITH PUBLIC KEY Alice

I’m Alice R

Bob

SigAlice{R}

• Alice and Bob know each other’s public key • Questions:

‒ Can Alice prove to Bob that she is indeed Alice? ‒ Can Bob prove that he is indeed Bob?

6

AUTHENTICATION WITH PUBLIC KEY (CONT’D)

Alice

I’m Alice KAlice-P{R}

Bob

R

• Questions:

‒ Can Alice prove to Bob that she is indeed Alice? ‒ Can Bob prove that he is indeed Bob?

7

MUTUAL AUTHENTICATION Alice

I’m Alice R1

Bob

H(KAlice-Bob, R1) R2 H(KAlice-Bob, R2)

Optimize Alice

I’m Alice, R2 R1, H(KAlice-Bob, R2)

Bob

H(KAlice-Bob, R1) 8

MUTUAL AUTHENTICATION (CONT’D) • Reflection attack

Step 1:

Trudy Step 3:

Step 2:

Trudy

I’m Alice, R2 R1, H(KAlice-Bob, R2)

Bob

H(KAlice-Bob, R1)

I’m Alice, R1 R3, H(KAlice-Bob, R1)

Bob

9

REFLECTION ATTACKS (CON’TD) • Lesson: Don’t have Alice and Bob do exactly the same thing ‒ Different keys

• Totally different keys • KAlice-Bob = KBob-Alice + 1

‒ Different Challenges: Alice and Bob’s challenges cannot be the same ‒ The initiator should be the first to prove its identity • Assumption: initiator is more likely to be the bad guy

10

MUTUAL AUTHENTICATION (CONT’D) Alice

I’m Alice, R2 R1, H(KAlice-Bob, R2)

Bob

H(KAlice-Bob, R1)

Countermeasure: Alice proves herself first Alice

I’m Alice R1

Bob

H(KAlice-Bob, R1), R2 H(KAlice-Bob, R2) 11

MUTUAL AUTHENTICATION (CONT’D) • Public keys

‒ Authentication of public keys is a critical issue Alice

I’m Alice, KBob-P{R2} R2, KAlice-P{R1}

Bob

R1

• Question:

‒ Vulnerability to reflection? ‒ Any bad design?

12

BETTER DESIGN • Provide mutual authentication • Make two parties do different things • Challenge the initiators first • Avoid reflection attacks • Avoid message decryption

13

EXERCISE • In a three-message authentication protocol, Alice initiates contact with Bob. Assume that Alice and Bob share a key KAlice-Bob. The protocol works as follows, where R1 and R2 are random numbers generated by Alice and Bob, respectively. Is it mutual authentication?

I’m Alice, KAlice-Bob (R1)

Alice

I’m Bob, KAlice-Bob {R1+R2} KAlice-Bob{R2}

Bob

14

INTEGRITY/ENCRYPTION FOR DATA • Communication after mutual authentication should be cryptographically protected as well

‒ Require a session key established during mutual authentication

15

ESTABLISHMENT OF SESSION KEYS • Secret key based authentication

‒ Assume the following authentication happened. ‒ Can we use KAlice-Bob{R} as the session key? ‒ Can we use KAlice-Bob{R+1} as the session key? ‒ Can we use KAlice-Bob+1{R} as the session key? ‒ In general, modify KAlice-Bob and encrypt R. Use the result as the session key.

Alice

I’m Alice R

Bob

KAlice-Bob{R} 16

ESTABLISHMENT OF SESSION KEYS • Public key based authentication ‒ RSA based key negotiation Alice Generate random number R1

Public key: Ka,p Private key: Ka,i

  1. get R2
  2. get symmetric key as K = H(R1⊕R2),

Send R1 encrypted using Kb,p

Send R2 encrypted using Ka,p

Bob

Public key: Kb,p Private key: Kb,i

  1. Get R1,
  2. Generate random number R2,
  3. get key as K = H(R1⊕R2), 17

ESTABLISHMENT OF SESSION KEYS • Public key based authentication ‒ Diffie-Hellman negotiation

Alice

• Alice and Bob signs the quantity they send Generate random number SA

Public key: Ka,p Private key: Ka,i

Compute TBSA mod p = gSASB mod p

Compute, sign and send TA

Generate random number SB

= gSA mod p

Compute, sign and send TB = gSB mod p

Bob

Public key: Kb,p Private key: Kb,i

Compute TASB mod p = gSASB mod p 18

TWO-WAY PUBLIC KEY BASED AUTHENTICATION • Approach I

‒ Alice chooses and encrypts R1 with Bob’s public key ‒ Bob chooses and encrypts R2 with Alice’s public key ‒ Session key is H(R1⊕R2) ‒ Trudy will have to compromise both Alice and Bob

• Approach II

‒ Alice and Bob establish the session key with Diffie-Hellman key exchange ‒ Alice and Bob signs the quantity they send

19

SUMMARY • Design a perfect authentication protocol requires non-trivial efforts ‒ Can be based on symmetric or public key systems

• Some guidelines to check a protocol:

‒ The initiators should authenticate themselves first ‒ Need asymmetric challenge-response, be aware of reflection attacks • Make two parties do different things

‒ Provide mutual authentication ‒ Avoid message decryption

• Design based on public key:

‒ RSA key negotiation ‒ Diffie-Hellman with authentication 20

REAL-WORLD EXAMPLE

Fake GSM base station! Why? Reading materials, not required in homeworks/exams

21

GSM - AUTHENTICATION SIM

mobile network Ki

AC (Authentication 128 bit Center)

RAND

Step1: RAND

128 bit A3

128 bit

SRES* =? SRES

128 bit A3

A3: a hash function

SRES* 32 bit MSC (mobile switching center)

Ki

RAND

SIM SRES

Step2: SRES 32 bit

32 bit

SRES

It is mutual authentication? Why? Reading materials, not required in homeworks/exams

22

Graph View