CIS/TCOM 551Computer and Network SecuritySlide Set 5
Carl A. GunterSpring 2004
Protocols
Overview Entity Authentication Key Establishment
General Definition of “Protocol”
A protocol is a multi-party algorithm, defined by a sequence of steps precisely specifying the actions required of two or more parties in order to achieve a specified objective.
Arbitrated Protocols
Adjudicated Protocols
Self-Enforcing Protocols
Protocol Sample Threat
Common strategy. Encrypt for confidentiality. Sign for integrity.
Is it better to sign then encrypt? Or is it better to encrypt then sign? There is a pitfall.
Messages
P -> R : ER(M, DP(M)) R decodes with DR Verifies with EP:
EP(DP(M)) = M ?
P -> R : ER(M), DP(ER(M)) R decodes with DR Verifies with EP:
EP(DP(ER(M))) = ER(M) ?
Pitfall
Interception Scenario P -> O (R) : ER(M), DP(ER(M)) O -> R : ER(M), DO(ER(M))
R might think that M came from O. Is this really a problem? To be safe: sign then encrypt.
Foundations of Authentication
Authentication is based on one or more of the following: Something you know. Something you have. Something inherent about you.
Entity Authentication
Aims and Threats Weak Security: Passwords Strong Security: Challenge-Response
Typical Setup
Claimant Verifier
Userid:Password:
IdentificationAuthentication
Terminology: identification will be used to refer to thecombination of claimed identity and its authentication.
Aim
For honest parties, the claimant A is able to authenticate itself to the verifier B. That is, B will complete the protocol having accepted A’s identity.
Threats
Transferability: B cannot reuse an identification exchange with A to successfully impersonate A to a third party C.
Impersonation: The probability is negligible that a party C distinct from A can carry out the protocol in the role of A and cause B to accept it as having A’s identity.
Assumptions
A large number of previous authentications between A and B may have been observed.
The adversary C has participated in previous protocol executions with A and/or B.
Multiple instances of the protocol, possibly instantiated by C, may be run simultaneously.
Attacks Not Addressed
Identification affirms that communication with the expected party occurred at a given point in time.
Two active attacks are not addressed: Usurpation: The session beginning with
the identification is “usurped” by the attacker as a man-in-the-middle.
Grand Master Postal Attack Problem: A man-in-the-middle relays messages between two parties without changing them.
Unix Passwords
Humans need memorable keys, care must be taken to use these keys properly.
Password Security: A Case History, Robert Morris and Ken Thompson, CACM v22(1979), 594-597.
Make a File of Passwords At first Unix was implemented with a
password file holding the actual passwords of users.
This was vulnerable to many lapses Copies were made by privileged users Copies were made by bugs: classic
example posted password file on daily message file
Physical access to backup was a vulnerability
Information from the password file needed to be replicated into many other files
First Approach
Encrypt the passwords and keep the encrypted version.
Take the password from the user, encrypt it, and compare with password file entry.
Problems poor user selection of passwords online dictionary attack
On a PDP-11/70 it was possible to compute the encryptions of all passwords using 6 lower-case letters in about 107 hours.
Heuristics for Guessing
The dictionary with the words spelled backwards
A list of first names (best obtained from some mailing list). Last names, street names, and city names also work well.
The above with initial upper-case letters. All valid license plate numbers in your
state. (About 5 hours work in 1979 for New Jersey.)
Room numbers, social security numbers, telephone numbers, and the like.
A Survey of 3,289 Passwords
With no constraints on choice of password, Morris and Thompson got the following results: 15 were a single ASCII letter. 72 were strings of two ASCII letters. 464 were strings of three ASCII letters. 47 were strings of four alphanumerics. 706 were five letters, all upper-case or
all lower-case. 605 were six letters, all lower case.
Risk in Password Restrictions
An installation required users to accept a machine-selected password.
These were 8 characters long (lower case and digits) and generated from a pseudorandom number generator.
There were only 2**15 starting values (seeds).
Time to search strings of length 8 required 112 years (on machines of the time).
Time to check 2**15 seeds, not long!
Improvements to First Approach
Slower encryption: use password to create a key, then encrypt a constant using 25 iterations of the DES algorithm.
Enforce password rules. “Mess up” DES: change algorithm so
that stock hardware cannot be used.
Slowing Dictionary Attacks
“Salt” the passwords by adding random bits. Makes dictionary attacks more
expensive. Decreases the likelihood that two
identical passwords will appear as identical entries in the password file.
12 bit salt results in 4,096 versions of each password.
Classic Unix Crypt – part 1
Supplied by the user: a password P, truncated to 8 characters by the system.
Held by the system: a 77 bit value consisting of a 12 bit salt S and cryptographic hash derived as follows.
Pad password with zeros if necessary to get 56 bit key K.
Classic Unix Crypt – part 2
Create a modified DES with expansion permutations (32 to 48 bits) determined by S.
Use K as a DES key to encrypt a 64 bit block of zeros, running the encryption 25 times.
This yields a 64 bit ciphertext. Add the 12 bit salt and represent this as 11 7-bit characters.
One Time Passwords
Shared lists. Sequentially updated. One-time password sequences based
on a one-way function.
Hash-based 1-time Passwords
A claimant identifies itself to verifier B using a one-way hash function H.
One-time setup. A chooses a secret w. Fixes a constant t for the number of
times the verification can be done. A securely transfers H**t(w) to B.
Protocol messages. For the i’th identification where 1 <=i <= t: A -> B: A, i, H**(t-i)(w)
Hash-based 1-time Passwords
Protocol actions. For session i, claimant A does the following to identify itself: A computes w’ = H**(t-i)(w) and transmits
the value to B. B checks that i is the correct session (ie.
that the previous session was i-1) and checks to see if H(v) = w’ where v was the last value provided by A (as part of session i-1).
B saves w’ and i for use in the next session.
Challenge-Response
Background. Random numbers (nonces). Sequence numbers. Timestamps.
Symmetric keys. With timestamps or random numbers.
MAC’s. Asymmetric keys.
With encryption or signature.
Replay
Replay is the treat in which a transmission is observed by an eavesdropper who subsequently reuses it as part of a protocol, possibly to impersonate the original sender.
Example: monitor the first part of a telnet session to obtain a sequence of transmissions sufficient to get a log-in.
There are 3 general strategies for defeating replay attacks: nonces, timestamps, and sequence numbers.
Random Numbers
A random number is a number chosen unpredictably in a range.
In a challenge-response protocol they are used as follows. The verifier chooses a (new) random number
and provides it to the claimant. The claimant performs an operation on it
showing knowledge of a secret. This information is bound inseparably to the
random number and returned to the verifier for examination.
A timeout period is used to ensure “freshness”.
Sequence Numbers
Sequence numbers provide a sequential or monotonic counter on messages.
If a message is replayed and the original message was received, the replay will have an old or too-small sequence number and be discarded.
Cannot detect forced delay. Difficult to maintain when there are
system failures.
Time Stamps
The claimant sends a message with a timestamp.
The verifier checks that it falls within an acceptance window of time.
The last timestamp received is held, and identification requests with older timestamps are ignored.
Good only if clock synchronization is close enough for acceptance window.
Unilateral Symmetric Key
Unilateral authentication with timestamp generated by A. A -> B : E(K, (t, B))
Unilateral authentication with random number generated by B. B -> A : r A -> B : E(K, (r, B))
Mutual Symmetric Key
Using random numbers: B -> A: rB A -> B: E(K, (rA, rB, B)) B -> A: E(K, (rB, rA))
Mutual MAC Function
Let H be a hash function and K be a shared secret between A and B. B -> A: rB A -> B: rA, H(K, (rA, rB, B)) B -> A: H(K, (rB, rA, A))
Passkey Systems
F
S
PIN
A
Display
Claimant A Verifier B
e
y
ChallengeGenerator
Login Request
PasscodeGenerator
F
Secret Database
Compare
(challenge)
(response)
PIN
S
Unilateral Public Key Decryption
Encryption under A’s public key is EA: B -> A : H(r), B, EA(r, B) A -> B : r
The witness H(r) shows knowledge of r and prevents chosen plaintext attacks on EA.
Mutual Public Key Decryption
Let EA and EB be the encryption functions for the public keys of A and B respectively. A -> B: EB(rA, A) B -> A: EA(rA, rB) A -> B: rB
Unilateral Digital Signatures
Let SA and SB be the signature functions of A and B respectively.
Unilateral authentication with timestamps: A -> B: t, B, SA(t, B)
Unilateral authentication with random numbers: B -> A: rB A -> B: rA, B, SA(rA, rB, B) The rA prevents chosen plaintext
attacks.
Mutual Digital Signatures
Using random numbers. B -> A: rB A -> B: rA, B, SA(rA, rB, B) B -> A: A, SB(rB, rA, A)
Primary Attacks
Impersonation. Replay. Interleaving. Reflection. Forced delay. Chosen plaintext.
Primary Controls
Replay: use of challenge-response techniques and embedding target identity in response.
Interleaving: link messages in a run with chained nonces.
Reflection: embed identifier of target party in challenge response, use asymmetric message formats, use uni-directional keys.
Primary Controls, continued
Chosen text: embed self-chosen random numbers (“confounders”) in responses, use “zero knowledge” techniques.
Forced delays: use random numbers with short timeouts, use timestamps with other techniques.
Multiple Use of Keys
There are risks in using keys for multiple purposes.
Using an RSA key for both entity authentication and signatures may allow a chosen-text attack.
B attacker/verifier, rB=H(M) for some message M. B -> A: rB A -> B: B, SA(rB) B(A) -> C: M, SA(H(M))
B, pretending to be A
Effective Control
Notice how the protocol described earlier foils this. Here’s the protocol: B -> A: rB A -> B: rA, B, SA(rA, rB, B)
Here’s what happens: B -> A: rB A -> B: rA, B, SA(rA, rB, B) B(A) -> C: M, SA(rA, H(M), B) C finds that SA(rA, H(M), B) SA(H(M))
and rejects the signature.
Usurpation Attacks
Identification protocols provide assurances corroborating the identity of an entity only at a given instant in time.
Techniques to assure ongoing authenticity: Periodic re-identification. Tying identification to an ongoing
integrity service. For example: key establishment and encryption.
Key Establishment
Symmetric keys. Point-to-Point. Needham-Schroeder. Kerberos.
Asymmetric keys. X.509 key establishment. Attack example. Station To Station (STS) protocol. Bellovin-Merritt protocol.
Symmetric Keys
Key establishment using only symmetric keys requires use of pre-distribution keys to get things going.
These can be based on: Point to point distribution, or Key Distribution Center (KDC).
Point-to-Point
Timestamp. A -> B : E(K, (k, t, B))
Nonce. B -> A : r A -> B : E(K, (k, r, B))
Session Key
ISO/IEC 11770-2
Key Distribution Center
Distribution Center Setup
A wishes to communicate with B. T is a trusted third party that
provides session keys. T has a key KAT in common with A
and a key KBT in common with B. A authenticates T using a nonce rA
and obtains a session key from T. A authenticates to B and transports
the session key securely.
Needham-Schroeder
1. A -> T : A, B, rA2. T -> A : E( KAT, (k, rA, B, E( KBT, (k, A)) ))
A decrypts with KAT and checks rA and B. Holds k for future correspondence with B.
3. A -> B : E( KBT, (k, A))B decrypts with KBT.
4. B -> A : E(k, rB)A decrypts with k.
5. A -> B : E(k, rB – 1)B checks rB-1.
Attack Scenario 1
1. A -> T : A, B, rA2. T -> C (A) : E( KAT, (k, rA, B, E( KBT,
(k, A)) ))C is unable to decrypt the message to A; passing it along unchanged does no harm. Any change will be detected by A.
Attack Scenario 2
1. A -> C (T) : A, B, rA2. C (A) -> T : A, C, rA3. T -> A : E( KAT, (k, rA, C, E( KCT, (k,
A)) ))Rejected by A because C rather than B.
Attack Scenario 3
1. A -> C (T) : A, B, rA2. C -> T : C, B, rA3. T -> C : E( KCT, (k, rA, B, E( KBT, (k,
C)) ))4. C (T) -> A : E( KCT, (k, rA, B, E( KBT,
(k, C)) ))A is unable to decrypt the message.
Attack Scenario 4
1. C -> T : C, B, rA2. T -> C : E( KCT, (k, rA, B, E( KBT, (k,
C)) ))3. C (A) -> B : E( KBT, (k, C))
B will see that the purported origin (A) does not match the identity indicated by the distribution center.
Kerberos Setup
A,T,B, shared keys KAT, KBT as in distribution center.
Nonce rA generated by A. Trusted synchronous clocks for
generating a time t and checking expiration of a lifetime L.
Kerberos Messages
1. A -> T : A, B, rA2. T -> A : E( KBT, (k, A, L)), E( KAT, (k,
rA, L, B))3. A -> B : E( KBT, (k, A, L)), E( k, (A,
t))4. B -> A : E(k, t)
Ticket
Authenticator
Kerberos Actions
1. A -> T : A, B, rA2. T -> A : E( KBT, (k, A, L)), E( KAT, (k, rA,
L, B))Decrypt using KAT, check rA, B, and hold L for future reference.
3. A -> B : E( KBT, (k, A, L)), E( k, (A, t))Decrypt the ticket using KBT to get the session key and lifetime. Use the session key to decrypt the authenticator. Check A, t, L.
4. B -> A : E(k, t)Check t.
Asymmetric Key Exchange
X.509 key establishment. Impersonation case study. STS. Bellovin-Merritt protocol.
X.509 Key Establishment Setup
X.509 is part of the X.500 series of ISO/IEC standards.
certA and certB are certificates for the public keys of A and B.
A has encryption function EA and signature function SA. B has signature function SB.
rA and rB are nonces. LA and LB are lifetimes (validity
periods).
X.509 Key Est. Messages
Let DA = EB(k), rA, LA, A. Let DB = rB, LB, rA, A Two messages:
1. A -> B : certA, DA, SA(DA)Check that the nonce rA has not been seen, and is not expired according to LA. Remember it for its lifetime LA.
2. B -> A : certB, DB, SB(DB)Check the rA and A. Check that rB has not been seen and is not expired according to LB.
X.509 Variant
X.509 supports several variants on the previously-described protocol.
Let DA = EB(kA), rA, LA, A. Let DB = EA(kB), rB, LB, rA, A Two messages:
1. A -> B : certA, DA, SA(DA)2. B -> A : certB, DB, SB(DB)
Both A and B compute a session key f(kA, kB) as a function of subkeys supplied by A and B.
Impersonation Case Study
Protocol X
1. A -> T : A, B2. T -> A : ST(EB, B)3. A -> B : EB(kA, A)4. B -> T : B, A5. T -> B : ST(EA, A)6. B -> A : EA(kA, kB)
Check kA. Calculate session key as f(kA,kB).
7. A -> B : EB(kB) Check kB. Calculate session key as f(kA,kB).
Interleaving Attack on Protocol X
An interleaving attack on this protocol is possible.
An adversary C convinces: A that he is talking to C using session
key k = f(kA, kB). B that his is talking to A using session
key k. C has access to the key k and can
use it to decrypt the responses that B makes to A.
Compromise Scenario
B, C are taxpayers. A is the IRS. A contacts C, (presumably)
authenticates and sets up a session key k. C uses the interleaving attack with B.
B now thinks he is talking to the IRS. C answers questions directed to him
by the IRS. Meanwhile C, pretending to be IRS,
asks B for information about his income for the last 5 years.
What Went Wrong?
Entity authentication: determining who you are talking to.
Key establishment: settling on a shared session key.
Protocol X admits an interleaving attack that allows an adversary to exploit entity authentication and then step in to exploit key establishment.
Station-To-Station Protocol
Provides key confirmation and mutual authentication without revealing the identities of the participants to other parties.
Based on: Diffie-Hellman. Digital signatures using public key pairs. Symmetric encryption.
Station-To-Station Setup
q prime with primitive root where 1< < q-1. q and are agreed upon by A and B.
XA is the private key of A where 1 <= XA < q. The public key of A is YA = **XA mod q.
XB is the private key of B where 1 <= XB < q. The public key of B is YB = **XB mod q.
k = **(XA * XB) is the session key.
STS Messages
1. A -> B : YACalculate k.
2. B –> A : YB, E(k, SB(YB, YA))Calculate k, use it to decrypt the signature, check the signature using the verification function of B and known values YB, YA.
3. A -> B : E(k, SA(YA, YB))Decrypt the signature and check it using the verification function of A.
Passwords as Keys
Humans are not good at remembering 56 bit keys.
Solution: use passwords as keys. Setup: P is a password known to both
A and B. EA is a public key for A. Simple protocol:
A -> B : E(P, K) B -> A : E(K, “Terminal type:”)
Simple Protocol Vulnerability
Use a dictionary attack on the password.
This protocol enables an offline attack.
Let P* be a word in a dictionary of likely passwords.
Compute: D(P*, E(P,K)) = K* D(K*, E(K, “Terminal type:”)) = S If S makes sense, then P* = P.
Countermeasure
The server supplies the session key, encrypted under the public key of A.
Guessing P only reveals EA(K), which is not useful in attacking the last message.
1. A -> B : E(P, EA)2. B -> A : E(P, EA(K))3. B -> A : E(K, “Terminal type:”)
Bellovin-Merritt Protocol
A -> B : A, E(P, EA) B -> A : E(P, EA(K)) A -> B : E(K, rA) B -> A : E(K, (rA, rB)) A -> B : E(K, rB)