Click here to load reader

November 18, 2003

  • View
    38

  • Download
    0

Embed Size (px)

DESCRIPTION

November 18, 2003. Certificates, Authentication Network Security Lecture 9. Cryptographic Key Infrastructure. Goal: bind identity to key Classical Crypto: Not possible as all keys are shared Public key Crypto: Bind identity to public key - PowerPoint PPT Presentation

Text of November 18, 2003

  • November 18, 2003

    Certificates, AuthenticationNetwork Security

    Lecture 9

  • Cryptographic Key InfrastructureGoal: bind identity to keyClassical Crypto: Not possible as all keys are sharedPublic key Crypto: Bind identity to public keyCrucial as people will use key to communicate with principal whose identity is bound to keyErroneous binding means no secrecy between principalsAssume principal identified by an acceptable name

  • CertificatesCreate token (message) containingIdentity of principal (here, Alice)Corresponding public keyTimestamp (when issued)Other information (perhaps identity of signer)signed by trusted authority (here, Cathy)CA = { eA || Alice || T } dC

    CA is As certificate

  • UseBob gets Alices certificateIf he knows Cathys public key, he can decipher the certificateWhen was certificate issued?Is the principal Alice?Now Bob has Alices public keyProblem: Bob needs Cathys public key to validate certificateMerkles tree, Signature chains

  • Merkles Tree SchemeKeep certificates in a fileChanging any certificate changes the fileUse crypto hash functions to detect this (data integrity)Define hashes recursivelyh is hash functionCi is certificate for iHash of file (h(1,4) in example) known to allh(1,4)h(1,2) h(3,4)h(1,1) h(2,2) h(3,3) h(4,4) C1 C2 C3 C4

  • Detailsf: DDD maps bit strings to bit stringsh: NND maps integers to bit stringsif i j, h(i, j) = f(Ci, Cj)if i < j,h(i, j) = f(h(i, (i+j)/2), h((i+j)/2+1, j))

  • ValidationTo validate C1:Compute h(1, 1)Obtain h(2, 2)Compute h(1, 2)Obtain h(3, 4)Compute h(1,4)Compare to known h(1, 4)Need to know hashes of children of nodes on path that are not computedh(1,4)h(1,2) h(3,4)h(1,1) h(2,2) h(3,3) h(4,4) C1 C2 C3 C4

  • ProblemFile must be available for validationOtherwise, cant recompute hash at root of treeIntermediate hashes would doNot practical in most circumstancesToo many certificates and usersUsers and certificates distributed over widely separated systems

  • Certificate Signature ChainsCreate certificateGenerate hash of certificateEncipher hash with issuers private keyValidateObtain issuers public keyDecipher enciphered hashRecompute hash from certificate and compareProblem: Validating the certificate of the issuer and getting issuers public key

  • X.509 ChainsKey certificate fields in X.509v3:VersionSerial number(unique)Signature algorithm identifier: hash algorithmIssuers name; uniquely identifies issuerInterval of validitySubjects name; uniquely identifies subjectSubjects public keySignature: Identifies algorithm used to sign the certificateSignature (enciphered hash)

  • X.509 Certificate ValidationObtain issuers public keyThe one for the particular signature algorithmDecipher signatureGives hash of certificateRecompute hash from certificate and compareIf they differ, theres a problemCheck interval of validityThis confirms that certificate is current

  • IssuersCertification Authority (CA): entity that issues certificatesMultiple issuers pose validation problemAlices CA is Cathy; Bobs CA is Don; how can Alice validate Bobs certificate?Have Cathy and Don cross-certifyEach issues certificate for the other

  • Validation and Cross-CertifyingCertificates:Cathyrepresents the certificate that C has generated for ADanCathyDanAlice validates Bobs certificateAlice obtains CathyAlice uses (known) public key of Cathy to validate CathyAlice uses Cathy to validate DanCathy Dan is a signature chainHow about Bob validating Alice?

  • PGP ChainsPretty Good Privacy:Widely used to provide privacy for electronic mailSign files digitallyOpenPGP certificates structured into packetsOne public key packetZero or more signature packetsPublic key packet:Version (3 or 4; 3 compatible with all versions of PGP, 4 not compatible with older versions of PGP)Creation timeValidity period (not present in version 3)Public key algorithm, associated parametersPublic key

  • OpenPGP Signature PacketVersion 3 signature packetVersion (3)Signature type (level of trust)Creation time (when next fields hashed)Signers key identifier (identifies key to encipher hash)Public key algorithm (used to encipher hash)Hash algorithmPart of signed hash (used for quick check)Signature (enciphered hash using signers private key)

  • SigningSingle certificate may have multiple signaturesNotion of trust embedded in each signatureRange from untrusted to ultimate trustSigner defines meaning of trust level (no standards!)All version 4 keys signed by subjectCalled self-signing

  • Validating CertificatesAlice needs to validate Bobs OpenPGP certDoes not know Fred, Giselle, or EllenAlice gets Giselles certKnows Henry slightly, but his signature is at casual level of trustAlice gets Ellens certKnows Jack, so uses his cert to validate Ellens, then hers to validate BobsBobFredGiselleEllenIreneHenryJackArrows show signaturesSelf signatures not shown

  • Authentication and Identity

  • What is Authentication?Authentication: Binding identity and external entity to subjectHow do we do it?Entity knows something (secret)Passwords, id numbersEntity has somethingBadge, smart cardEntity is something Biometrics: fingerprints or retinal characteristicsEntity is in someplaceSource IP, restricted area terminal

  • Authentication System:Formal DefinitionA: Set of authentication informationused by entities to prove their identities (e.g., password)C: Set of complementary informationused by system to validate authentication information (e.g., hash of a password or the password itself)F: Set of complementation functions (to generate C)f : A CGenerate appropriate c C given a AL: set of authentication functionsl: A C { true, false }verify identityS: set of selection functionsGenerate/alter A and C e.g., commands to change password

  • Authentication System: PasswordsExample: plaintext passwordsA = C = alphabet*f returns argument: f(a) returns al is string equivalence: l(a, b) is true if a = b

    Complementation FunctionNull (return the argument as above)requires that c be protected; i.e. password file needs to be protectedOne-way hash function such thatComplementary information c = f(a) easy to computef-1(c) difficult to compute

  • PasswordsExample: Original Unix A password is up to eight characters each character could be one of 127 possible characters; A contains approx. 6.9 x 1016 passwordsPassword is hashed using one of 4096 functions into a 11 character string2 characters pre-pended to indicate the hash function usedC contains passwords of size 13 characters, each character from an alphabet of 64 charactersApproximately 3.0 x 1023 stringsStored in file /etc/passwd (all can read)

  • Authentication SystemGoal of (A, C, F, L, S)For all a A, c f(a) C (f, l), f F, l L in the system such thatl(a, f(a)) truel(a, c) false (with high probability)ApproachesHide enough information so that one of a, c or f cannot be foundMake C readable only to root (use shadow password files)Make F unknownPrevent access to the authentication functions Lroot cannot log in over the network (L exist but fails)

  • Attacks on PasswordsDictionary attack: Trial and error guessingType 1: attacker knows A, f, cGuess g and compute f(g) for each f in FType 2: attacker knows A, ll returns True for guess gDifficulty based on |A|, TimeProbability P of breaking in time TG be the number of guesses that can be tested in one time unitP TG/|A|Assumptions: time constant; all passwords are equally likely

  • Password SelectionRandomDepends on the quality of random number generator; size of legal passwords8 characters: humans can remember only oneWill need to write somewherePronounceable nonsenseBased on unit of sound (phoneme)Helgoret vs pxnftrEasier to rememberUser selection (proactive selection)Controls on allowableReasonably good: At least 1 digit, 1 letter, 1 punctuation, 1 control characterObscure poem verse

  • Password SelectionReusable Passwords susceptible to dictionary attack (type 1)Salting can be used to increase effort neededmakes the choice of complementation function a function of randomly selected dataRandom data is different for different userAuthentication function is chosen on the basis of the saltMany Unix systems: A salt is randomly chosen from 0..4095Complementation function depends on the salt

  • Password SelectionPassword agingChange password after some time: based on expected time to guess a passwordDisallow change to previous n passwordsFundamental problem is reusabilityReplay attack is easySolution: Authenticate in such a way that the transmitted password changes each time

  • Authentication Systems: Challenge-ResponsePass algorithmauthenticator sends message msubject responds with f(m)f is a secret encryption functionIn practice: key known only to subjectExample: ask for second input based on some algorithm

  • Authentication Systems: Challenge-ResponseOne-time password: invalidated after usef changes after useChallenge is the number of authentication attemptResponse is the one-time passwordS/Key uses a hash function (MD4/MD5)User chooses an initial seed kKey generator calculatesk1 = h(k), k2 = h(k1) , kn = h(kn-1)Passwords used in the orderp1 = kn, p2 = kn-1, , pn =k1 Suppose p1 = kn is intercepted; the next password is p2 = kn-1Since h(kn-1) = kn, the attacker needs to know h to determine the next password

  • Authentication Systems: BiometricsUsed for human subject identification based on physical characteristics that are tough to copyFingerprint (optical scanning)Cameras needed (bulky)VoiceSpeaker-verification (identity) or speaker-recognition (info content)Iris/retina patterns (unique fo

Search related