Lecture 9: Cryptographic Authentication
• objectives and classification
• one-way
  – secret key
  – public key
• mutual
  – secret key
  – public key
• establishing session key

Authentication Objectives and Classification
• Objectives
  – Authentication (what was that again?)
    • one-way
    • mutual
  – Immunity from attacks
  – efficiency: minimum number of messages exchanged
  – bootstrapping a session: establishing a session key
• types of authentication
  – password authentication (authenticating humans or machines on their behalf)
    • what’s wrong with it?
  – cryptographic challenge-response
    • secret key
    • public key

Secret Key One-Way
Alice → Bob: I’m Alice
Bob → Alice: a challenge R
Alice → Bob: F(KAB,R)
problems
• one-way authentication,
  • who is not authenticated? why is that a problem?
  • connection hijacking possible
• dictionary attack possible if Trudy is eavesdropping (if KAB is derived from a password)
• Bob stores key in clear
  – what is possible if Bob’s machine is broken into?

Secret Key One-Way: Variant
Alice → Bob: I’m Alice
Bob → Alice: KAB{R}
Alice → Bob: R
advantages
• can be used for mutual authentication, how?
  – replay attack possible if R’s lifetime is not limited
problems
• requires reversible cryptography
• subject to dictionary attack, without eavesdropping, if R is recognizable

Secret Key One-Way: Timestamp Based
Alice → Bob: I’m Alice, KAB{timestamp}
• alternatively, with a hash function, send: I’m Alice, timestamp, H(KAB,timestamp)
advantages
• easy integration into password-sending systems
• efficient: single message, stateless (what does that mean?)
problems
• clocks need to be synchronized
• extra protection against replay needed
• if Alice uses the same password for multiple servers, Trudy can authenticate to a different server if she acts quickly
• clock protection needed at Bob

Public Key, One-Way
Alice → Bob: I’m Alice
Bob → Alice: R
Alice → Bob: [R]A
where []A is Alice’s signature. Can this be done with encryption?
problem
• Trudy can get Alice to sign/decrypt any text she chooses, how?
  – why is decryption useful?
solution
• don’t use the same key for authentication and other purposes
• give structure (formatting) (e.g. type field) to challenge so it cannot be mistaken for other things

Secret Keys: Mutual Authentication
simple solution: run one-way authentication twice in reverse directions
• can we save a message?
Alice → Bob: I’m Alice
Bob → Alice: R1
Alice → Bob: F(KAB,R1)
Alice → Bob: R2
Bob → Alice: F(KAB,R2)
problems with simple solution (to be explained next)
• reflection attack
• password guessing

Reflection Attack
Trudy opens two connections to Bob and reuses the results of the second connection to complete the first
1st connection
Trudy → Bob: I’m Alice, R1
Bob → Trudy: R2, F(KAB,R1)
Trudy → Bob: F(KAB,R2)
2nd connection
Trudy → Bob: I’m Alice, R2
Bob → Trudy: R3, F(KAB,R2)
solutions:
• use dissimilar keys for directions
• format challenges
• have initiator authenticate first (more next slide)

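The reflection weakness and the "format challenges" fix from the Reflection Attack slide, as an added example that is not part of the original lecture. It assumes F is HMAC-SHA256; the `Bob` class, the connection ids and the direction labels `A->B` / `B->A` are hypothetical names chosen for the demo.

```python
import hashlib
import hmac
import secrets

K_AB = secrets.token_bytes(32)  # constructed demo key standing in for KAB

def F(key, challenge, label=b""):
    # F(KAB, R) modelled as HMAC-SHA256 (assumption); a non-empty label
    # "formats" the challenge so each direction computes a different value.
    return hmac.new(key, label + challenge, hashlib.sha256).digest()

class Bob:
    """Hypothetical responder for the shortened three-message mutual exchange."""

    def __init__(self, key, directional):
        self.key = key
        self.directional = directional
        self.pending = {}  # connection id -> challenge Bob issued on it

    def hello(self, conn, peer_challenge):
        # Message 1 arrives; Bob answers the peer's challenge and issues his own.
        own = secrets.token_bytes(16)
        self.pending[conn] = own
        label = b"B->A" if self.directional else b""
        return own, F(self.key, peer_challenge, label)

    def finish(self, conn, response):
        # Message 3 arrives; Bob checks the answer to the challenge he issued.
        label = b"A->B" if self.directional else b""
        expected = F(self.key, self.pending.pop(conn), label)
        return hmac.compare_digest(expected, response)

def reflection_accepted(bob):
    # The slide's exchange, driven by a party that does not hold KAB.
    r2, _ = bob.hello(1, secrets.token_bytes(16))  # 1st connection: Bob issues R2
    _, reflected = bob.hello(2, r2)                # 2nd connection: Bob answers R2
    return bob.finish(1, reflected)                # answer replayed on the 1st

def alice_accepted(bob, key):
    # Honest run: Alice verifies Bob's answer before sending her own.
    label_in, label_out = (b"B->A", b"A->B") if bob.directional else (b"", b"")
    r1 = secrets.token_bytes(16)
    r2, answer = bob.hello(1, r1)
    if not hmac.compare_digest(answer, F(key, r1, label_in)):
        return False
    return bob.finish(1, F(key, r2, label_out))
```

With `directional=False` Bob accepts his own reflected answer; with `directional=True` the value he produces for `B->A` never matches what he expects for `A->B`, while the honest run still completes.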
Dictionary Attack Against Mutual Authentication
Trudy can obtain material for offline password guessing (no eavesdropping) by forcing Bob to encrypt her challenge
Solution against dictionary and reflection attacks:
Alice → Bob: I’m Alice
Bob → Alice: R1
Alice → Bob: F(KAB,R1), R2
Bob → Alice: F(KAB,R2)
password guessing is still possible if Trudy can impersonate Bob (considered harder)

Mutual Authentication: Public Keys
Alice → Bob: I’m Alice, [{R}B]A
• [] – signature, {} – encryption
• why does Alice sign R?
• (minor) problem,
  – assume R is going to be used as conversation key, if Trudy records the conversation and, after the conversation is over, overruns Bob (breaks into Bob’s computer and learns his secrets), she can decode the conversation
    • why won’t overrunning Alice help?
  – we already know the solution, what is it?

Establishing Session Key
secret keys
• knowing KAB and R, modify them in some way, e.g. (KAB+1){R}
  – why not KAB{R}?
  – KAB{R+1} ?
public keys
• send additional random nonces (a nonce is a number that is used only once) {R}A, {R}B and use them to derive a session key.