Download presentation

Presentation is loading. Please wait.

Published byJagger Crummett Modified over 3 years ago

1
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz

2
Administrative stuff HW4 is out

3
One-way authentication If only the server has a known public key (e.g., SSL) –Server sends R –Client sends E pk (R, password, session-key) Insecure in general!!! –But secure if encryption scheme is chosen appropriately

4
Using session keys Generally, want to provide both secrecy and integrity for subsequent conversation –Use encrypt-then-MAC –Use sequence numbers to prevent replay attacks –Use a directionality bit –Periodically refresh the session key

5
Mediated authentication E.g., using KDC Simple protocol: –Alice requests to talk to Bob –KDC generates K AB and sends it to Alice and Bob, encrypted with their respective keys –Note: no authentication here, but impostor cant determine K AB

6
Improvement… Have KDC send to Alice the encryption of K AB under Bobs key –Reduces communication load on KDC –Resilient to message delays in network

7
Needham-Schroeder A KDC: N 1, Alice, Bob KDC A: K A (N 1, Bob, K AB, ticket), where ticket = K B (K AB, Alice) A B: ticket, K AB (N 2 ) B A: K AB (N 2 +1, N 3 ) A B: K AB (N 3 +1)

8
Analysis? N 1 assures Alice that she is talking to KDC –Prevents key-replay, in case Bob changes K B Important: authenticate Bob in message 2, and Alice in ticket Uses encryption to authenticate… –Leads to actual flaw if, e.g., ECB mode is used! Vulnerable if Alices key is compromised –Bobs ticket is always valid –Use timestamps, or request (encrypted) nonce from Bob at the very beginning of the protocol

9
Otway-Rees A B: N C, K A (N A, N C, Alice, Bob) B KDC: K A (…), K B (N B, N C, Alice, Bob) –KDC checks that N C is the same… KDC B: N C, K A (N A, K AB ), K B (N B, K AB ) B A: K A (…) A B: K AB (timestamp) –Note: KDC already authenticated Bob

10
Analysis? N C should be unpredictable, not just a nonce –Otherwise, can impersonate B to KDC Send first message: (next N C ), garbage B forwards to KDC along with encryption of the next N C Next time A initiates a conversation, replay previous message from B Still uses encryption for authentication… –Serious attack if ECB is used Replace K AB with N C

11
Kerberos (Will possibly discuss in more detail later) A KDC: N 1, Alice, Bob KDC A: K A (N 1, Bob, K AB, ticket), where ticket = K B (K AB, Alice, expiration time) A B: ticket, K AB (time) B A: K AB (time+1)

Similar presentations

OK

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google