Download presentation

Presentation is loading. Please wait.

Published byGunnar Slaughter Modified about 1 year ago

1
CS470, A.SelcukNeedham-Schroeder1 Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk

2
CS470, A.SelcukNeedham-Schroeder2 Key Establishment and Authentication with KDC A simple protocol: Problem: Potential delayed key delivery to Bob. (besides others) Alice Bob KDC Alice, Bob K A {Bob, K AB } K B {Alice, K AB }

3
CS470, A.SelcukNeedham-Schroeder3 Another simple protocol: Problems: No freshness guarantee for K AB Alice & Bob need to authenticate Alice Bob KDC Alice, Bob K A {Bob, K AB }, ticket B where ticket B = K B {Alice, K AB } Alice, ticket B

4
CS470, A.SelcukNeedham-Schroeder4 Needham-Schroeder Protocol Alice Bob KDC N 1, Alice, Bob K A {N 1, Bob, K AB, ticket B } where ticket B = K B {K AB, Alice} ticket B, K AB {N 2 } K AB {N 2 -1, N 3 } K AB {N 3 -1}

5
CS470, A.SelcukNeedham-Schroeder5 Needham-Schroeder Protocol N 1 : for authenticating KDC & freshness of K AB. Ticket is double-encrypted. (unnecessary) N 2, N 3 : for key confirmation, mutual authentication Why are the challenges N2, N3 encrypted? Problem: Bob doesn’t have freshness guarantee for K AB (i.e., can’t detect replays).

6
CS470, A.SelcukNeedham-Schroeder6 Messages should be integrity protected. Otherwise, cut-and-paste reflection attacks possible: Trudy Bob replay ticket B, K AB {N 2 } K AB {N 2 -1, N 3 } Trudy Bob ticket B, K AB {N 3 } K AB {N 3 -1, N 4 } K AB {N 3 -1}

7
CS470, A.SelcukNeedham-Schroeder7 Expanded Needham-Schroeder Protocol Alice Bob KDC N 1, Alice, Bob, K B {N B } K A {N 1, Bob, K AB, ticket B } where ticket B = K B {K AB, Alice, N B } ticket B, K AB {N 2 } K AB {N 2 -1, N 3 } K AB {N 3 -1} hello K B {N B }

8
CS470, A.SelcukNeedham-Schroeder8 Otway-Rees Protocol Alice Bob KDC N C, K A {N A, K AB }, K B {N B, K AB } K A {N A, N C, “Alice”, “Bob”} K B {N B, N C, “Alice”, “Bob”} N C, “Alice”, “Bob”, K A {N A, N C, “Alice”, “Bob”} K A {N A, K AB } K AB {anything recognizable}

9
CS470, A.SelcukNeedham-Schroeder9 Otway-Rees Protocol N A, N B : Provides freshness guarantee for A & B, as well as authentication of KDC. N C : Binds Alice, Bob, and the session. Also authenticates Bob. Having separate N A & N C is redundant for security, though it’s good for functional separation of nonces and uniformity of KDC messages.

10
CS470, A.SelcukNeedham-Schroeder10 Basic Kerboros Protocol Alice Bob KDC N 1, Alice, Bob K A {N 1, Bob, K AB, ticket B } where ticket B = K B {K AB, Alice, expiration time} ticket B, K AB {T} K AB {T+1} T: timestamp

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google