Lecture 6.2: Protocols - Authentication and Key Exchange II
CS 436/636/736 Spring 2012
Nitesh Saxena
Course Admin
• HW2 solution emailed
• Grading ongoing
• Exam study topics emailed
04/22/23 Protocols: Authentication and Key Exchange 2
Course Admin
• Mid-Term Exam
  – On March 08
  – In class, from 11am-12:15pm
• Covers lectures up to Feb 23
• In-class review on Mar 06 (Tuesday)
• Strictly closed-book (no cheat-sheets are allowed)
• A sample exam will be provided as we near the exam date
Outline of Today’s lecture
• Today we try to put everything together
  – Encryption (public-key/private-key)
  – MACs
  – Signing
  – Key-Distribution
• Secure protocols (for secure communication)
  – Authentication
    • We studied it somewhat while talking about key distribution
  – (Authenticated-) Key Exchange
• Designing secure protocols is hard – we’ll only be able to learn the basics today
• We’ll use the board extensively today – be prepared to take notes
MAC-based Authentication
1. A -> B: A, rA
2. B -> A: rB, HMAC_K(rB, rA, A)
3. A -> B: HMAC_K(rA, rB, B)
• Faster than enc-based protocols (computationally)
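The three flows above, written out as an added Python example (not part of the original slides). HMAC-SHA256, 16-byte nonces, the length-prefixed field encoding and all function names are assumptions made here; the last function shows why message 2 and message 3 differ in nonce order and identity.

```python
import hashlib
import hmac
import secrets

def tag(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields (prefixing avoids ambiguous splits)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        mac.update(len(f).to_bytes(2, "big") + f)
    return mac.digest()

def responder_reply(key, claimed_id, r_a):
    """Message 2: B picks rB and binds (rB, rA, A) under K."""
    r_b = secrets.token_bytes(16)
    return r_b, tag(key, r_b, r_a, claimed_id)

def initiator_finish(key, id_a, id_b, r_a, r_b, mac2):
    """A checks message 2; on success returns the message-3 tag, else None."""
    if not hmac.compare_digest(mac2, tag(key, r_b, r_a, id_a)):
        return None
    return tag(key, r_a, r_b, id_b)

def responder_verify(key, id_b, r_a, r_b, mac3):
    """B checks message 3, which must name B and use the reversed nonce order."""
    return mac3 is not None and hmac.compare_digest(mac3, tag(key, r_a, r_b, id_b))

def run(key_a, key_b, id_a=b"A", id_b=b"B"):
    """One full run; returns (A accepts B, B accepts A)."""
    r_a = secrets.token_bytes(16)                    # message 1: A, rA
    r_b, mac2 = responder_reply(key_b, id_a, r_a)    # message 2
    mac3 = initiator_finish(key_a, id_a, id_b, r_a, r_b, mac2)
    return mac3 is not None, responder_verify(key_b, id_b, r_a, r_b, mac3)

def reflected_tag_accepted(key, id_a=b"A", id_b=b"B"):
    """Feed B's own message-2 tag back to B as message 3; it must be rejected."""
    r_a = secrets.token_bytes(16)
    r_b, mac2 = responder_reply(key, id_a, r_a)
    return responder_verify(key, id_b, r_a, r_b, mac2)
```
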
Public-key based authentication (Needham-Schroeder (NS) pk-based)
• Assuming public keys are distributed through CA(s)
1. A -> B: Enc_pkb(rA, A)
2. B -> A: Enc_pka(rA, rB)
3. A -> B: Enc_pkb(rB)
Attack and fix on PK-based NS protocol
• Attack:
• Fix:
1. A -> B: Enc_pkb(rA, A)
2. B -> A: Enc_pka(rA, rB, B)
3. A -> B: Enc_pkb(rB)
Signature-based authentication (assuming public keys are distributed through CA)
A auth B
• A -> B: Hi Bob, this is Alice!
• B -> A: r (a challenge)
• A -> B: Sig_SKa(r, B) (response)
A auth B, B auth A (run two copies; piggyback common flows)
• A -> B: A, rA (could sign this too)
• B -> A: rB, Sig_SKb(rB, rA, A)
• A -> B: Sig_SKa(rA, rB, B)
Authenticated Key Exchange (AKE)
• Public-key operations are costly
• Why not
1. use public-key mutual authentication protocols to exchange a symmetric key
2. use this symmetric key with a symmetric encryption to secure subsequent communication
Security Notion for AKE
• Launch protocol between any pair
• Reveal all session keys except one
• Try to distinguish the key of the unrevealed session from random
• This captures: the compromise of other sessions should not lead to the compromise of any other session
1. A -> B: A, rA, Enc_PKb(K) (must sign this too??)
2. B -> A: rB, Sig_SKb(rB, rA, A)
3. A -> B: Sig_SKa(rA, rB, B)
4. A and B output K as the authenticated key
• Such a protocol can be instantiated using RSA encryption/signing
  – The way SSL/SSH establishes key
• But, generally only the server authenticates to the client, not vice versa
X.509: One-Way Authentication
• 1 message (A->B) used to establish
  – the identity of A and that message is from A
  – message was intended for B
  – integrity & originality of message
A B
1-A {ta,ra,B,sgnData,KUb[Kab]}
ta = timestamp, ra = nonce, B = identity, sgnData = signed with A’s private key
X.509: Two-Way Authentication
• 2 messages (A->B, B->A) which also establishes in addition:
  – the identity of B and that reply is from B
  – that reply is intended for A
  – integrity & originality of reply
A B
1-A {ta,ra,B,sgnData,KUb[Kab]}
2-B {tb,rb,A,sgnData,KUa[Kba]}
X.509: Three-Way Authentication
• 3 messages (A->B, B->A, A->B) which enables above authentication without the need for synchronized clocks
A B
1-A {ta,ra,B,sgnData,KUb[Kab]}
2-B {tb,rb,A,sgnData,KUa[Kab]}
3-A {rb}
Discrete Logarithm Assumption
• p, q primes such that q | p-1
• g’ be the generator of Z_p*
• g is an element of order q and generates a group G_q of order q; g = g’^((p-1)/q)
• x in Z_q, y = g^x mod p
• Given (p, q, g, y), it is computationally hard to compute x
  – No polynomial time algorithm known
  – p should be 1024-bits and q be 160-bits
• x becomes the private key and y becomes the public key
Example of DL-based system
• Let’s construct an example
• KeyGen:
  – p = 11, q = 2 or 5; let’s say q = 5
  – 2 is a generator of Z_11*
  – g = 2^2 = 4
  – x = 2; y = 4^2 mod 11 = 5
Diffie-Hellman (DH) Key Exchange
1. A -> B: Ka = g^a mod p
2. B -> A: Kb = g^b mod p
3. A outputs Kab = Kb^a
4. B outputs Kba = Ka^b
• Note Kab = Kba = g^(ab) mod p
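The DL key generation and the DH exchange from the last three slides, as an added Python example (not part of the original slides) using the toy parameters p = 11, q = 5, g' = 2 given above. The function names and the subgroup-membership check on the received value are additions made here; the exchange is still unauthenticated.

```python
import secrets

def subgroup_generator(p, q, g_prime):
    """g = g'^((p-1)/q) mod p; for prime q this has order q whenever g != 1."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p-1")
    g = pow(g_prime, (p - 1) // q, p)
    if g == 1:
        raise ValueError("g' maps to the identity; pick another g'")
    return g

def keygen(p, q, g, x=None):
    """Private x in Z_q (non-zero here so that y != 1), public y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def in_subgroup(p, q, y):
    """Added check: a received value must lie in G_q and must not be 1."""
    return 1 < y < p and pow(y, q, p) == 1

def dh_shared(p, q, own_private, peer_public):
    """Kab = Kb^a mod p, computed only after validating the peer's value."""
    if not in_subgroup(p, q, peer_public):
        raise ValueError("peer value is outside the order-q subgroup")
    return pow(peer_public, own_private, p)

def demo():
    """Slide example (g = 4, y = 5), then one DH run with fresh exponents."""
    p, q = 11, 5                       # toy parameters from the slides
    g = subgroup_generator(p, q, 2)    # 2^2 mod 11
    _, y = keygen(p, q, g, x=2)        # 4^2 mod 11
    a, ka = keygen(p, q, g)            # A sends Ka = g^a mod p
    b, kb = keygen(p, q, g)            # B sends Kb = g^b mod p
    return g, y, dh_shared(p, q, a, kb), dh_shared(p, q, b, ka)

if __name__ == "__main__":
    print(demo())
```
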
Security of DH key exchange
• No authentication of either party
• Secure only against a passive adversary
  – Under the computational Diffie-Hellman assumption
    • Given (g, g^a, g^b), hard to compute g^(ab)
• Not secure against an active attacker
  – Man-in-the-middle attack…
Authenticated DH Key Exchange
1. A -> B: Ka = g^a mod p
2. B -> A: Cert_b, Kb = g^b mod p, Enc_Kba[Sig_SKb(Kb, Ka)]
3. A -> B: Cert_a, Enc_Kab[Sig_SKa(Ka, Kb)]
4. A outputs Kab = Kb^a
5. B outputs Kba = Ka^b
Summary
• Designing secure protocols is not easy
  – Becomes harder in a concurrent setting, where there are multiple parties, executing multiple instances of the protocols simultaneously
  – Becomes even harder as the number of parties increases; n-party or group setting
• Use the protocols that are well-studied and standardized
• While designing a protocol, consider
  – Reflection attacks
  – Replay attacks
  – Eliminating any symmetry in the messages
Further Reading
• HAC – Chapter 10
• Stallings – Chapter 15