
Page 1

SSL with New Client Authentication

Takuya Yahagi, S1090215
University of Aizu
Performance Evaluation Lab.

Page 2

Purpose

To evaluate the performance of SSL with client authentication from the point of view of waiting time and of the probability of finding a malicious user.

Page 3

Spoofing

Uses someone else's or a non-existent mail address to send phishing mail, spam and various kinds of virus mail.

Sender ID (1)

Problem: If the IP address is also forged, Sender ID can't prevent spoofing.

Figure: Sender ID check between Sender, Receiver and DNS; the domain (2) is resolved to an IP address (3).

Page 4

SSL

• Client hello (1)
  • Random value: used to create the common key
  • Cryptography algorithms list
• Server hello (2)
  • Random value: used to create the common key
  • Selected algorithm
• Server certificate (2)
  • Public key
• Server hello done (2)
• Client key exchange (3)
  • Premaster secret: used to create the common key
• Change cipher spec (3), (4): signal of encryption
• Finished (3), (4)

Problem: There is no client authentication.

Figure: handshake between Client and Server. (1) Client hello, Client certificate; (2) Server hello, Server certificate, Server hello done; (3) Client key exchange, Change cipher spec, Finished; (4) Change cipher spec, Finished.

Page 5

Feige-Fiat-Shamir Identification Protocol

• Prove identity via demonstration of knowledge of a secret without revealing even a single bit of the secret.

• A malicious person, Mallory, has a 50% chance of passing this trial without the secret number by guessing whether Bob will send c = 0 or c = 1.

Figure: protocol exchange between Alice and Bob. Alice holds the secret number s and an open value computed mod a large number; in each trial Alice selects a random number, calculates a value mod that large number and sends it; Bob selects c = 0 or 1 and sends it; Alice calculates her answer mod that number and sends it; Bob checks the answer mod that number.

Page 6

Waiting time of SSL and SSL with authentication

Figure: waiting time of SSL. Clients C1 to C5 arrive and are served one after another with service times S1 to S5 and waiting times W1 to W5. C: Client; W: Waiting time of SSL; S: Service time of SSL.

Figure: waiting time of SSL with authentication. Clients A1, A2, M1, A3, A4 arrive and are served with service times S1 to S5 and waiting times W1 to W5. A: Alice; M: Mallory; W: Waiting time of SSL with authentication; S: Service time of SSL with authentication.

Page 7

Waiting Time of SSL

Rate of incoming clients: $\lambda$
Average service time of SSL: $1/\mu$
Variance of service time of SSL: $\sigma^2$

Expectation of number of SSL clients:
$E[N_{SSL}] = \rho + \dfrac{\rho^2 + \lambda^2 \sigma^2}{2(1-\rho)}$, where $\rho = \lambda/\mu$.

Service time of SSL is always the same, so $\sigma^2 = 0$.

Expectation value of waiting time of SSL:
$E[Y_{SSL}] = E[N_{SSL}]/\lambda$.

Page 8

Waiting Time of SSL with Authentication (1)

$x$: Probability of finding Mallory per one trial
$n$: Number of trials

Expectation value and variance of Mallory's number of trials:
$E[T_M] = \dfrac{1 - (1-x)^n}{x}$,
$\mathrm{Var}[T_M] = \dfrac{(1-x) - (2n-1)\,x\,(1-x)^n - (1-x)^{2n}}{x^2}$.

Expectation value and variance of Alice's number of trials:
$E[T_A] = n$, $\mathrm{Var}[T_A] = 0$.

$s$: Service time of one trial
$s_{SSL}$: Service time of SSL

Expectation value and variance of Mallory's and Alice's service time of SSL with authentication:
$E[S_{M,auth}] = s\,E[T_M] + s_{SSL}$, $\mathrm{Var}[S_{M,auth}] = s^2\,\mathrm{Var}[T_M]$;
$E[S_{A,auth}] = s\,E[T_A] + s_{SSL} = n s + s_{SSL}$, $\mathrm{Var}[S_{A,auth}] = s^2\,\mathrm{Var}[T_A] = 0$.

Page 9

Waiting Time of SSL with Authentication (2)

Rate of incoming clients: $\lambda$
Average service time of SSL with authentication: $1/\mu_{auth}$
Variance of service time of SSL with authentication: $\sigma_{auth}^2$

Expectation of number of SSL with authentication clients:
$E[N_{auth}] = \rho_{auth} + \dfrac{\rho_{auth}^2 + \lambda^2 \sigma_{auth}^2}{2(1-\rho_{auth})}$, where $\rho_{auth} = \lambda/\mu_{auth}$.

Expectation value of waiting time of SSL with authentication:
$E[Y_{auth}] = E[N_{auth}]/\lambda$.
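A worked calculation of the two waiting times compared on pages 7 to 9, written here as an added example and not taken from the slides. It assumes the Pollaczek-Khinchine mean number in an M/G/1 queue, Little's law E[Y] = E[N]/λ, a per-trial detection probability x = 0.5 for Mallory, and that a fraction m of arriving clients are Mallory; every numeric value is constructed.

```python
"""Waiting time of plain SSL versus SSL with n-trial client authentication as an
M/G/1 queue. Assumed here, not from the slides: the Pollaczek-Khinchine mean
number in system, Little's law E[Y] = E[N]/lambda, and a fraction m of Mallory
clients; all numeric values are constructed."""


def trial_moments(x, n):
    """Mean and variance of T, the trials Mallory runs before being found,
    capped at n (truncated geometric, detection probability x per trial),
    enumerated directly and cross-checked against the closed form."""
    q = 1.0 - x
    probs = [x * q ** (k - 1) for k in range(1, n)] + [q ** (n - 1)]  # P(T = k)
    mean = sum(k * p for k, p in enumerate(probs, start=1))
    var = sum(k * k * p for k, p in enumerate(probs, start=1)) - mean ** 2
    assert abs(mean - (1 - q ** n) / x) < 1e-9
    assert abs(var - (q - (2 * n - 1) * x * q ** n - q ** (2 * n)) / x ** 2) < 1e-9
    return mean, var


def mg1_wait(lam, mean_s, var_s):
    """E[N] = rho + (rho^2 + lam^2 var)/(2(1 - rho)), then E[Y] = E[N]/lam."""
    rho = lam * mean_s
    if rho >= 1.0:
        raise ValueError("unstable queue: rho = %.3f >= 1" % rho)
    return (rho + (rho ** 2 + lam ** 2 * var_s) / (2.0 * (1.0 - rho))) / lam


def auth_service_moments(s_ssl, s, n, m, x=0.5):
    """Mean and variance of the service time when a fraction m of clients is
    Mallory: Alice always runs n trials, Mallory runs T trials (found w.p. x)."""
    t_mean, t_var = trial_moments(x, n)
    alice = s_ssl + n * s                          # deterministic service time
    mal_mean = s_ssl + s * t_mean
    mal_second = mal_mean ** 2 + s ** 2 * t_var    # E[S^2] for Mallory
    mean = (1 - m) * alice + m * mal_mean
    second = (1 - m) * alice ** 2 + m * mal_second
    return mean, second - mean ** 2


def compare(lam, s_ssl, s, n, m):
    """Return (waiting time of SSL, waiting time of SSL with authentication)."""
    plain = mg1_wait(lam, s_ssl, 0.0)              # SSL service time is constant
    mean, var = auth_service_moments(s_ssl, s, n, m)
    return plain, mg1_wait(lam, mean, var)


if __name__ == "__main__":
    for n in (5, 15, 20):                          # the n values of the plot
        print(n, compare(lam=0.5, s_ssl=1.0, s=0.02, n=n, m=0.1))
```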

Page 10

Waiting Time

Figure: waiting time (y axis from 0.2 to 1) against the x axis from 10 to 60, with one curve each for n = 20, n = 15, n = 5 and no auth.

Page 11

Probability of Miss

Figure: p(n) (y axis from 0.02 to 0.08) against n (x axis from 5 to 20).

Probability of missing Mallory in n trials:
$p(n) = \left(\dfrac{1}{2}\right)^n$.
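The identification trial of page 5 and the miss probability p(n) of page 11, as an added example that is not from the slides: it follows the textbook Feige-Fiat-Shamir round (commit x = r², challenge c, answer y = r·s^c, check y² = x·v^c mod N) and lets Mallory cheat by guessing c in advance. The modulus N, the secret s and all numbers are constructed toy values.

```python
"""Feige-Fiat-Shamir style identification: honest prover Alice versus cheating
prover Mallory, who must guess Bob's challenge bit in advance.
The modulus, the secret and every number here are constructed toy values."""
import random

N = 101 * 103               # constructed toy modulus p*q; real use needs large primes
S_ALICE = 123               # constructed secret number s, known only to Alice
V = S_ALICE * S_ALICE % N   # open (public) value v = s^2 mod N


def verify(x, c, y):
    """Bob's check: y^2 == x * v^c (mod N)."""
    return y * y % N == x * pow(V, c, N) % N


def alice_round(c, r):
    """Honest prover: commit x = r^2, answer y = r * s^c. Always verifies."""
    return verify(r * r % N, c, r * pow(S_ALICE, c, N) % N)


def cheat_round(guess, c, r):
    """Mallory has no s: she commits to x = r^2 / v^guess and answers y = r,
    which passes Bob's check exactly when his challenge c equals her guess."""
    return verify(r * r * pow(V, -guess, N) % N, c, r)


def session(n, rng, honest):
    """Run n trials; Bob accepts only if every trial verifies."""
    for _ in range(n):
        r, c = rng.randrange(1, N), rng.randrange(2)   # Bob selects c = 0 or 1
        ok = alice_round(c, r) if honest else cheat_round(rng.randrange(2), c, r)
        if not ok:
            return False                               # Mallory is found here
    return True


def miss_probability(n):
    """p(n) = (1/2)^n: the chance that Mallory passes all n trials."""
    return 0.5 ** n


def acceptance_rate(n, sessions, honest, seed=0):
    """Fraction of sessions Bob accepts; with honest=False this estimates p(n)."""
    rng = random.Random(seed)
    return sum(session(n, rng, honest) for _ in range(sessions)) / sessions


if __name__ == "__main__":
    for n in (1, 5, 10):
        print(n, miss_probability(n), acceptance_rate(n, 4000, honest=False))
```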

Page 12

Conclusion and Future Works

Using this authentication, a client can prove its identity more securely. This method is a solution to IP address spoofing.

However, the service time of the authentication and the probability of finding Mallory are not accurate values.