Download presentation

Presentation is loading. Please wait.

Published byGisselle Sheerer Modified over 2 years ago

1
1 Lecture 10: Mediated Authentication simple algorithm Needham-Schroeder –simple –expanded Otway-Rees nonce types

2
2 Establishing Session Key problem (besides others): Bob will not know how to decrypt a message from Alice if message from KDC is late establishing connection KDC Bob is (somewhat) expensive Alice Bob KDC Alice, Bob K A {Bob, K AB } K B {Alice, K AB }

3
3 Establishing Session Key (variant) Problems: no authentication between Alice and Bob no freshness guarantee for K AB (what if Alice reuses the ticket?) Alice Bob KDC Alice, Bob K A {Bob, K AB }, ticket B where ticket B = K B {Alice, K AB } Alice, ticket B

4
4 Needham-Schroeder Protocol Outline Alice Bob KDC N 1, Alice, Bob K A {N 1, Bob, K AB, ticket B } where ticket B = K B {K AB, Alice} ticket B, K AB {N 2 } K AB {N 2 -1, N 3 } K AB {N 3 -1}

5
5 Needham-Schroeder Protocol Explained N 1 is –for KDC authentication –to ensure freshness of K AB attack (without nonce): Trudy stole K AB from Bob and records old KDCs reply to Alice; Trudy waits for a new request to KDC form Alice to talk to Bob and plays back old KDCs reply impersonating KDC Reply from KDC –strings Bob and Alice disallows Trudy tampering with messages and hijacking the conversation N 2, N 3 : for key confirmation and mutual authentication (minor) issue: –ticket is unnecessarily doubly encrypted in message from KDC

6
6 Needham-Schroeder: Reflection Attacks If message integrity is vulnerable (for example with ECB), reflection attack is possible Trudy Bob replay ticket B, K AB {N 2 } K AB {N 2 -1, N 3 } Trudy Bob ticket B, K AB {N 3 } K AB {N 3 -1, N 4 } K AB {N 3 -1} Trudy can separate K AB {N 2 -1} and K AB {N 3 } BTW, why are N2 and N3 encrypted at all in N-S?

7
7 Expanded Needham-Schroeder in standard N-S, Bob doesnt have freshness guarantee for K AB (i.e., cant detect replays) to fix – get a nonce form Bob Alice Bob KDC N 1, Alice, Bob, K B {N B } K A {N 1, Bob, K AB, ticket B } where ticket B = K B {K AB, Alice, N B } ticket B, K AB {N 2 } K AB {N 2 -1, N 3 } K AB {N 3 -1} hello K B {N B }

8
8 Otway-Rees Protocol Outline Alice Bob KDC N C, K A {N A, K AB }, K B {N B, K AB } K A {N A, N C, Alice, Bob} K B {N B, N C, Alice, Bob} N C, Alice, Bob, K A {N A, N C, Alice, Bob} K A {N A, K AB } K AB {anything recognizable}

9
9 Otway-Rees Protocol Explained N A, N B : Provides freshness guarantee for A & B, as well as authentication of KDC. N C : To bind Alice, Bob, and the session. having separate N A and N C is not necessary for security, though its good for functional separation of nonces and uniformity of KDC messages.

10
10 Nonce Types nonce: a quantity which any given user of a protocol uses only once (a quantity which is guaranteed fresh) nonce types: –sequence numbers need to keep state, what if Trudy can induce crashes (DoS attack?) –timestamps need synchronized clocks –random numbers freshness guarantee is only probabilistic but if number is large it is good enough unpredictable

11
11 Value of Unpredictability for Nonces recall the one one-way authentication alg –is there a problem if R is a sequence number? –what if Alice sends the plaintext challenge first and Alice replies with encrypted challenge? –what if timestamps are used for challenges? Alice Bob Im Alice K AB {R} R

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google