Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS470, A.SelcukNeedham-Schroeder1 Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor:

Published byGunnar Slaughter Modified over 9 years ago

Similar presentations

Presentation on theme: "CS470, A.SelcukNeedham-Schroeder1 Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor:"— Presentation transcript:

1 CS470, A.SelcukNeedham-Schroeder1 Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk

2 CS470, A.SelcukNeedham-Schroeder2 Key Establishment and Authentication with KDC A simple protocol: Problem: Potential delayed key delivery to Bob. (besides others) Alice Bob KDC Alice, Bob K A {Bob, K AB } K B {Alice, K AB }

3 CS470, A.SelcukNeedham-Schroeder3 Another simple protocol: Problems: No freshness guarantee for K AB Alice & Bob need to authenticate Alice Bob KDC Alice, Bob K A {Bob, K AB }, ticket B where ticket B = K B {Alice, K AB } Alice, ticket B

4 CS470, A.SelcukNeedham-Schroeder4 Needham-Schroeder Protocol Alice Bob KDC N 1, Alice, Bob K A {N 1, Bob, K AB, ticket B } where ticket B = K B {K AB, Alice} ticket B, K AB {N 2 } K AB {N 2 -1, N 3 } K AB {N 3 -1}

5 CS470, A.SelcukNeedham-Schroeder5 Needham-Schroeder Protocol N 1 : for authenticating KDC & freshness of K AB. Ticket is double-encrypted. (unnecessary) N 2, N 3 : for key confirmation, mutual authentication Why are the challenges N2, N3 encrypted? Problem: Bob doesn’t have freshness guarantee for K AB (i.e., can’t detect replays).

6 CS470, A.SelcukNeedham-Schroeder6 Messages should be integrity protected. Otherwise, cut-and-paste reflection attacks possible: Trudy Bob replay ticket B, K AB {N 2 } K AB {N 2 -1, N 3 } Trudy Bob ticket B, K AB {N 3 } K AB {N 3 -1, N 4 } K AB {N 3 -1}

7 CS470, A.SelcukNeedham-Schroeder7 Expanded Needham-Schroeder Protocol Alice Bob KDC N 1, Alice, Bob, K B {N B } K A {N 1, Bob, K AB, ticket B } where ticket B = K B {K AB, Alice, N B } ticket B, K AB {N 2 } K AB {N 2 -1, N 3 } K AB {N 3 -1} hello K B {N B }

8 CS470, A.SelcukNeedham-Schroeder8 Otway-Rees Protocol Alice Bob KDC N C, K A {N A, K AB }, K B {N B, K AB } K A {N A, N C, “Alice”, “Bob”} K B {N B, N C, “Alice”, “Bob”} N C, “Alice”, “Bob”, K A {N A, N C, “Alice”, “Bob”} K A {N A, K AB } K AB {anything recognizable}

9 CS470, A.SelcukNeedham-Schroeder9 Otway-Rees Protocol N A, N B : Provides freshness guarantee for A & B, as well as authentication of KDC. N C : Binds Alice, Bob, and the session. Also authenticates Bob. Having separate N A & N C is redundant for security, though it’s good for functional separation of nonces and uniformity of KDC messages.

10 CS470, A.SelcukNeedham-Schroeder10 Basic Kerboros Protocol Alice Bob KDC N 1, Alice, Bob K A {N 1, Bob, K AB, ticket B } where ticket B = K B {K AB, Alice, expiration time} ticket B, K AB {T} K AB {T+1} T: timestamp

Download ppt "CS470, A.SelcukNeedham-Schroeder1 Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor:"

Similar presentations

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Lecture 10: Mediated Authentication

Lecture 10: Mediated Authentication
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.

Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
CSC 474 Information Systems Security

CSC 474 Information Systems Security
Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.

Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.

1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Computer Science&Technology School of Shandong University Instructor: Hou Mengbo Email: houmb AT sdu.edu.cn Office: Information Security Research Group.

Computer Science&Technology School of Shandong University Instructor: Hou Mengbo houmb AT sdu.edu.cn Office: Information Security Research Group.
IPsec – IKE CS 470 Introduction to Applied Cryptography

IPsec – IKE CS 470 Introduction to Applied Cryptography
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

Similar presentations

Ads by Google