
Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005

Authentication

Lecture 5


Three basic notions

• Authentication – a process of verifying identity (with a required assurance)

• Authorization – assigning privileges and specification of allowed activities

• Identification – recognition of an entity from a predefined set


User Authentication/Identification

• Authentication (verification) – subject produces a statement about his/her identity – 1:1

• Identification (searching) – subject does not produce any identity. The system goes through all records in the database to find a match and the relevant subject’s identity – 1:n


Data and Message Authentication

• no cryptography used

– CRC codes (cyclic redundancy codes)

• with cryptography

– shared secret symmetric key

– getting hash through an authenticated channel

– keyed hash / MAC (message authentication code)

– digital signature


Hashing and Data Authentication

• out-of-band communication

– data sent through an unsecured channel with high throughput (e.g. email)

– a hash is computed and the result passed on via a different channel (phone, business card, …)

– recipient re-computes hash of the data and compares with the received hash

[Figure: the document travels by email and the hash by phone to the recipient]


Digital Signature Algorithm

• there was a bid for a new Digital Signature Standard (DSS) in 1994 – DSA (Digital Signature Algorithm) won

– modified ElGamal algorithm based on the discrete logarithm problem in Z_p

• Other algorithms based on elliptic curves


Digital signature – key lengths

• RSA algorithm

– author published an example believed to be secure (uses 64 and 65 bit primes) in 1977

– this crypto system was broken in 1994

– end of 1999 – 512b crypto system was broken (several hundred computers were used for a period of 4 months)

– currently used are keys computed modulo a 1024-2048 bit number


Digital signature – time complexity

asymmetric algorithms are computationally hard – examples for a smart-card

| Operation | Modulus | Exponent | Time |
|---|---|---|---|
| RSA signature | 1024 bits | 1024 bits | 25,2 ms |
| RSA signature | 2048 bits | 2048 bits | 0,17 s |
| RSA verification | 1024 bits | 32 bits | 2,8 ms |
| RSA verification | 2048 bits | F_4 | 38 ms |
| RSA key generation | 1024 bits | | 1,56 s |
| RSA key generation | 2048 bits | | 14,4 s |
| EC DSA (GF(p)) signature | 160 bits | | 24 ms |
| EC DSA (GF(p)) verification | 160 bits | 160 bits | 50 ms |


Data authentication - example

• authentication of EXE files in MS Windows

– why authenticate?

– we want and need to ensure data integrity

– we want to know the program author

– we may believe MS and want to be sure the code was not changed during distribution


Microsoft Authenticode

• How does it work?

– EXE file is digitally signed

– the digital signature is verified

– if the verification succeeds => program is started

– if the verification fails => user is asked for the decision


Microsoft Authenticode

• still not 100% foolproof

• 2001 – an unknown attacker obtained 2 public key certificates for Microsoft signed by Verisign (both companies are key players and they do have adequate security procedures)

• an attacker managed to masquerade as a Microsoft employee and got issued a certificate signed by Verisign

• any code signed with a key belonging to this certificate could be run in Windows OS without any warning


Cryptographic protocols

• Authentication protocols – assure a party of the identity of another party (the one it communicates with)

• Key establishment protocols – create a shared secret (typically a key)

• Authenticated key establishment protocols – create a shared secret with a party whose identity has been verified


Authentication protocols

• the authentication is

– one way

– mutual

– continuous

• who’s authenticating whom

– Alice asks Bob to authenticate himself

– Bob authenticates himself without a request


Password

• Alice authenticates herself towards Bob by sending a password

• the password can be eavesdropped

• Bob (at the end of the protocol) knows Alice’s password and can himself authenticate as Alice (e.g. towards Cyril)

[Figure: the message "password"]


Hashed password

• during authentication – the password is not sent in plaintext but a hash is sent instead

• eavesdropping a hash does not reveal a password automatically

• however, the hash can be used for masquerading

[Figure: the message "password hash"]


Challenge-response protocols

• the protocol consists of at least two messages (challenge and response)

– eavesdropping the challenge and/or response does not allow an attacker to repeat the authentication

– Bob is able to verify Alice’s identity without knowing her secret

[Figure: Bob sends Alice the challenge (binary string Nc); Alice returns the response (digitally signed Nc)]


Time-dependent variables – Nc

• random numbers – numbers are unpredictable (random as well as pseudorandom). They ensure uniqueness and freshness. It is not easy to generate them (requires specialised HW); usually generated in SW from a seed – labelled as r

• sequence numbers – monotonic sequence of numbers (both sides must store the last value used). They uniquely identify messages and allow detection of replay attacks – labelled as n

• timestamps – both sides must keep their clocks synchronised. They provide uniqueness and time precision – labelled as t


Symmetric algorithms

• protocols based on symmetric algorithms (Alice and Bob share a symmetric key K)

• Standard ISO/IEC 9798-2

• One-way authentication (time stamp)

– A → B: E_K(t_A, "B")

• One-way authentication (random number)

– A ← B: r_B

– A → B: E_K(r_B, "B")

• Two-way (mutual) authentication (random numbers)

– A ← B: r_B

– A → B: E_K(r_A, r_B, "B")

– A ← B: E_K(r_B, r_A)


Symmetric algorithms

• protocols based on one-way keyed functions (Alice and Bob share a symmetric key K)

• Standard ISO/IEC 9798-4, SKID protocols

• Two-way authentication

– A ← B: r_B

– A → B: r_A, h_K(r_A, r_B, "B")

– A ← B: h_K(r_B, r_A, "A")

– h_K is a MAC algorithm
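The three-message exchange above, written out as an added example (not part of the original slides). HMAC-SHA256 is assumed for h_K, and the class and function names are hypothetical; the demo also resends a recorded message 2 against a fresh r_B to show why the random numbers matter.

```python
import hashlib, hmac, os

def h(key, *fields):
    """h_K(...): HMAC-SHA256 over length-prefixed fields (unambiguous boundaries)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        mac.update(len(f).to_bytes(4, "big") + f)
    return mac.digest()

class Party:
    def __init__(self, name, key):
        self.name, self.key, self.nonce = name, key, None

    def challenge(self):
        """Message 1 (B): a fresh random r_B."""
        self.nonce = os.urandom(16)
        return self.nonce

    def respond(self, r_b, peer):
        """Message 2 (A): r_A, h_K(r_A, r_B, "B")."""
        self.nonce = os.urandom(16)
        return self.nonce, h(self.key, self.nonce, r_b, peer)

    def check_and_confirm(self, r_a, tag, peer):
        """B verifies message 2; on success returns message 3, h_K(r_B, r_A, "A")."""
        r_b, self.nonce = self.nonce, None          # each challenge is single-use
        if r_b is None or not hmac.compare_digest(tag, h(self.key, r_a, r_b, self.name)):
            return None
        return h(self.key, r_b, r_a, peer)

    def check_confirm(self, r_b, tag):
        """A verifies message 3, which proves that B also knows K."""
        return hmac.compare_digest(tag, h(self.key, r_b, self.nonce, self.name))

def demo():
    k = os.urandom(32)                              # shared key K (constructed)
    alice, bob = Party(b"A", k), Party(b"B", k)
    r_b = bob.challenge()
    r_a, tag2 = alice.respond(r_b, b"B")
    tag3 = bob.check_and_confirm(r_a, tag2, b"A")
    mutual = tag3 is not None and alice.check_confirm(r_b, tag3)
    bob.challenge()                                 # later session: new r_B
    replayed = bob.check_and_confirm(r_a, tag2, b"A")   # recorded message 2 resent
    return mutual, replayed

if __name__ == "__main__":
    print(demo())
```
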


Asymmetric algorithms

• Based on decryption with private keys

• One-way authentication

– A ← B: h(r), "B", P_A(r, "B")

– A → B: r

• h – hash function

• h(r) serves as a proof of knowledge of r without revealing r


Asymmetric algorithms

• based on digital signature

• Standard ISO/IEC 9798-3

• One-way authentication (timestamp)

– A → B: cert_A, t_A, "B", S_A(t_A, "B")

• One-way authentication (random number)

– A ← B: r_B

– A → B: cert_A, r_A, "B", S_A(r_A, r_B, "B")

– r_A prevents chosen plain-text attacks

• Two-way authentication (random numbers)

– A ← B: r_B

– A → B: cert_A, r_A, "B", S_A(r_A, r_B, "B")

– A ← B: cert_B, "A", S_B(r_B, r_A, "A")


Key Management

• Goal

– key transmission

– key agreement

– key update (parties share a long-term key K)

– authentication of one or both parties

• Number of parties

– two-party protocols

– protocols with trusted third party


Kerberos

• Created as a part of the Athena project at MIT

• Symmetric cipher E

• 2 parties (A, B) and trusted authentication server (labelled T)

• Goal:

– authentication of Alice towards Bob

– key K establishment (T generates/selects)

– optionally distribution of a shared secret for Alice + Bob

• Each party shares a secret with server T (K_AT, K_BT)


Kerberos

• KDC (key distribution centre) – centre shares a key with all clients and generates and distributes keys

• KTC (key translation centre) – centre does not generate keys – just translates (distributes) them

[Figure: Alice, Bob and the Server (KDC)]


Kerberos

• Simplified protocol

[Figure: message flow (1)–(4) between A, B and T]

– L – ticket lifetime

– Def.: ticket_B = E_{K_BT}(k, "A", L), auth = E_k("A", T_A)

– (1) A → T: "A", "B", n_A

– (2) A ← T: ticket_B, E_{K_AT}(k, n_A, L, "B")

– (3) A → B: ticket_B, auth

– (4) A ← B: E_k(T_A)
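Messages (1)–(4) of the simplified protocol, traced in an added example that is not part of the original slides. Assumptions: the cipher E is replaced by a toy SHA-256 keystream with an HMAC tag (for illustration only), L is treated as an absolute expiry time, Bob accepts T_A within a 120-second window, and all function names are hypothetical.

```python
import hashlib, hmac, json, os, time

def _stream(key, iv, n):
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(key, fields):
    """Toy stand-in for the cipher E: SHA-256 keystream plus HMAC tag (illustration only)."""
    pt = json.dumps(fields).encode()
    iv = os.urandom(16)
    ct = iv + bytes(a ^ b for a, b in zip(pt, _stream(key, iv, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def D(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    iv, body = ct[:16], ct[16:]
    return json.loads(bytes(a ^ b for a, b in zip(body, _stream(key, iv, len(body)))))

def server_reply(keys, a, b, n_a, lifetime=300):
    """(2): T picks session key k; L is taken here as an absolute expiry time (assumption)."""
    k, L = os.urandom(32).hex(), time.time() + lifetime
    return E(keys[b], [k, a, L]), E(keys[a], [k, n_a, L, b])

def alice_auth(a, k_at, reply, n_a, b):
    """A checks her nonce and B's name in (2), then builds auth = E_k("A", T_A) for (3)."""
    k, n, L, peer = D(k_at, reply)
    if n != n_a or peer != b:
        raise ValueError("reply does not match the request")
    t_a = time.time()
    return k, t_a, E(bytes.fromhex(k), [a, t_a])

def bob_accept(k_bt, ticket_b, auth, skew=120):
    """B opens ticket_B, checks auth against it, and returns (4) = E_k(T_A)."""
    k, a, L = D(k_bt, ticket_b)
    name, t_a = D(bytes.fromhex(k), auth)
    if name != a or time.time() > L or abs(time.time() - t_a) > skew:
        raise ValueError("authenticator rejected")
    return a, k, E(bytes.fromhex(k), [t_a])

def run():
    keys = {"A": os.urandom(32), "B": os.urandom(32)}      # K_AT, K_BT (constructed)
    n_a = os.urandom(8).hex()                              # (1): "A", "B", n_A
    ticket_b, reply = server_reply(keys, "A", "B", n_a)
    k, t_a, auth = alice_auth("A", keys["A"], reply, n_a, "B")
    peer, k_bob, confirm = bob_accept(keys["B"], ticket_b, auth)
    return peer, k == k_bob, D(bytes.fromhex(k), confirm) == [t_a]
```

Alice never sees inside ticket_B: only Bob's key K_BT opens it, and the authenticator is what ties the ticket to a party that actually holds k.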


Diffie Hellman

• Diffie-Hellman key agreement protocol

– common prime p, generator α from Z_p

– Alice chooses secret x, Bob chooses secret y

– A → B: α^x mod p

– A ← B: α^y mod p

– Alice and Bob share K = α^(xy) mod p