Security Handshake Pitfalls. Client Server Hello (K)

Slides:



Advertisements
Similar presentations
AUTHENTICATION AND KEY DISTRIBUTION
Advertisements

Lecture 10: Mediated Authentication
SCSC 455 Computer Security
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
CSC 474 Information Systems Security
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.
CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Lecture 11: Strong Passwords
Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
Week 4 - Wednesday.  What did we talk about last time?  RSA algorithm.
1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.
1 Kerberos n Part of project Athena (MIT). n Trusted 3rd party authentication scheme. n Assumes that hosts are not trustworthy. n Requires that each client.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
1 Authentication Protocols Rocky K. C. Chang 9 March 2007.
9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.
Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.
Chapter eight: Authentication Protocols 2013 Term 2.
@Yuan Xue CS 285 Network Security Key Distribution and Management Yuan Xue Fall 2012.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Fourth Edition by William Stallings Lecture slides by Lawrie Brown
The Secure Sockets Layer (SSL) Protocol
Outline The basic authentication problem
Cryptography Reference: Network Security
Cryptography Reference: Network Security
Secure Sockets Layer (SSL)
CS480 Cryptography and Information Security
PPP – Point to Point Protocol
Authentication Protocols
Tutorial on Creating Certificates SSH Kerberos
The TESLA Broadcast Authentication Protocol CS 218 Fall 2017
Public Key Cryptography
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
9.2 SECURE CHANNELS Medisetty Swathy.
Network Security – Kerberos
CS Introduction to Operating Systems
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
The Secure Sockets Layer (SSL) Protocol
Kerberos Part of project Athena (MIT).
KERBEROS.
CDK: Chapter 7 TvS: Chapter 9
Diffie/Hellman Key Exchange
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
AIT 682: Network and Systems Security
Presentation transcript:

Security Handshake Pitfalls

Client Server Hello (K)

Security Handshake Pitfalls Client Server Challenge R (K)

Security Handshake Pitfalls Client Server f(K, R) (K)

Security Handshake Pitfalls Client Server f(K, R) (K) Problems: 1. Authentication is not mutual - only Server authenticates Client Anyone can send the challenge R.

Security Handshake Pitfalls Client Server f(K, R) (K) Problems: 1. Authentication is not mutual - only Server authenticates Client Anyone can send the challenge R. 2. Connection can be hijacked – if the rest of the transaction is without cryptographic protection and attacker makes packets with Client addr

Security Handshake Pitfalls Client Server f(K, R) (K) Problems: 1. Authentication is not mutual - only Server authenticates Client Anyone can send the challenge R. 2. Connection can be hijacked – if the rest of the transaction is without cryptographic protection and attacker makes packets with Client addr 3. Off-line password guessing attack - if K is derived from password because both R and f(K,R) are observable.

Security Handshake Pitfalls Client Server f(K, R) (K) Problems: 1. Authentication is not mutual - only Server authenticates Client Anyone can send the challenge R. 2. Connection can be hijacked – if the rest of the transaction is without cryptographic protection and attacker makes packets with Client addr 3. Off-line password guessing attack - if K is derived from password because both R and f(K,R) are observable. 4. Someone reading the Server database may be able to impersonate Client later or to another server that the client uses

Security Handshake Pitfalls Client Server Hello (K)

Security Handshake Pitfalls Client Server K{R } (K)

Security Handshake Pitfalls Client Server R (K)

Security Handshake Pitfalls Client Server R (K) Concerns: 1. Requires reversible cryptography - no hash

Security Handshake Pitfalls Client Server R (K) Concerns: 1. Requires reversible cryptography - no hash 2. No need to eavesdrop if R is recognizable - Attacker says hello and gets back K{R}, if K derived from password can generate lots of Ks for a dictionary attack.

Security Handshake Pitfalls Client Server R (K) Concerns: 1. Requires reversible cryptography - no hash 2. No need to eavesdrop if R is recognizable - Attacker says hello and gets back K{R}, if K derived from password can generate lots of Ks for a dictionary attack. 3. If R is recognizable by Client, then protocol authenticates Server but only if life of R is short, otherwise K{R} can be replayed by attacker

Security Handshake Pitfalls Client Server Hello, K{time} (K)

Security Handshake Pitfalls Client Server Hello, K{time} (K) Advantage: 1. One direction, more efficient - is drop-in replacement for existing prot.

Security Handshake Pitfalls Client Server Hello, K{time} (K) Advantage: 1. One direction, more efficient - is drop-in replacement for cleartext prot. 2. The server does not need to keep volatile state (such as R)

Security Handshake Pitfalls Client Server Hello, K{time} (K) Advantage: 1. One direction, more efficient - is drop-in replacement for cleartext prot. 2. The server does not need to keep volatile state (such as R) Problems: 1. Attacker can use K{time} to impersonate Client - within acc clock skew

Security Handshake Pitfalls Client Server Hello, K{time} (K) Advantage: 1. One direction, more efficient - is drop-in replacement for cleartext prot. 2. The server does not need to keep volatile state (such as R) Problems: 1. Attacker can use K{time} to impersonate Client - within acc clock skew But can be foiled if Server remembers all timestamps sent.

Security Handshake Pitfalls Client Server Hello, K{time} (K) Advantage: 1. One direction, more efficient - is drop-in replacement for cleartext prot. 2. The server does not need to keep volatile state (such as R) Problems: 1. Attacker can use K{time} to impersonate Client - within acc clock skew But can be foiled if Server remembers all timestamps sent. 2. If multiple Servers, same K, K{time} on one can work on others

Security Handshake Pitfalls Client Server Hello, K{time} (K) Advantage: 1. One direction, more efficient - is drop-in replacement for cleartext prot. 2. The server does not need to keep volatile state (such as R) Problems: 1. Attacker can use K{time} to impersonate Client - within acc clock skew But can be foiled if Server remembers all timestamps sent. 2. If multiple Servers, same K, K{time} on one can work on others Can be foiled by sending K{time | server}

Security Handshake Pitfalls Client Server Hello, K{time} (K) Advantage: 1. One direction, more efficient - is drop-in replacement for cleartext prot. 2. The server does not need to keep volatile state (such as R) Problems: 1. Attacker can use K{time} to impersonate Client - within acc clock skew But can be foiled if Server remembers all timestamps sent. 2. If multiple Servers, same K, K{time} on one can work on others Can be foiled by sending K{time | server} 3. Vulnerable to attacker setting time back on Server!!

Security Handshake Pitfalls Client Server Hello, K{time} (K) Problems: 4. Setting time requires a security handshake - better make it chllng/resp (that is, not depending on time) or else there is a problem if clocks of machines are too far apart – the negotiation will fail.

Security Handshake Pitfalls Client Server Hello, time, hash{K,time} (K)

Security Handshake Pitfalls Client Server Hello, time, hash{K,time} (K) Advantage: 1. Otherwise, if time not sent, for Server to check hash, must try lots of different acceptable times before one matches the hash

Security Handshake Pitfalls Client Server Hello (K c, S c ) (K s, S s )

Security Handshake Pitfalls Client Server Challenge R (K c, S c ) (K s, S s )

Security Handshake Pitfalls Client Server signed[R] S c (K c, S c ) (K s, S s ) Advantage: Like secret-key protocol except Server database not vulnerable to peeking

Security Handshake Pitfalls Client Server signed[R] S c (K c, S c ) (K s, S s ) Advantage: Like secret-key protocol except Server database not vulnerable to peeking Problem: Can trick someone into signing something. Wait for Client to say Hello, send back something you want client to sign, get the signed item - use it.

Security Handshake Pitfalls Client Server Hello (K c, S c ) (K s, S s )

Security Handshake Pitfalls Client Server encrypt{R} K c (K c, S c ) (K s, S s )

Security Handshake Pitfalls Client Server R (K c, S c ) (K s, S s ) Concerns: 1. Some public key systems can only do signatures, not reversible encryption

Security Handshake Pitfalls Client Server R (K c, S c ) (K s, S s ) Concerns: 1. Some public key systems can only do signatures, not reversible encryption 2. Attacker can get an encrypted message sent to client, impersonate Server, send the message to Client who decrypts it. Gets back the decrypted message.

Security Handshake Pitfalls Client Server R (K c, S c ) (K s, S s ) Concerns: 1. Some public key systems can only do signatures, not reversible encryption 2. Attacker can get an encrypted message sent to client, impersonate Server, send the message to Client who decrypts it. Gets back the decrypted message. Never use the same key for signing and encryption/decryption

Security Handshake Pitfalls Client Server R (K c, S c ) (K s, S s ) Concerns: 1. Some public key systems can only do signatures, not reversible encryption 2. Attacker can get an encrypted message sent to client, impersonate Server, send the message to Client who decrypts it. Gets back the decrypted message. Never use the same key for signing and encryption/decryption Observe: several secure independent systems may be insecure when put together (attacker may use one protocol to break another).

Security Handshake Pitfalls Client Server Hello, R c Mutual Authentication: (K)

Security Handshake Pitfalls Client Server R s, f(K, R c ) Mutual Authentication: (K)

Security Handshake Pitfalls Client Server f(K,R s ) Mutual Authentication: (K)

Security Handshake Pitfalls Imposter Server Hello, R i Reflection Attack: Attacker wants to impersonate Client to Server. Attacker sends Hello and a challenge. (K)

Security Handshake Pitfalls Imposter Server R s, f(K, R i ) Reflection Attack: Attacker wants to impersonate Client to Server. Attacker sends Hello and a challenge. Attacker gets back f(K, R i ) (who cares) and R s. (K)

Security Handshake Pitfalls Imposter Server R s, f(K, R i ) Reflection Attack: Attacker wants to impersonate Client to Server. Attacker sends Hello and a challenge. Attacker gets back f(K, R i ) (who cares) and R s. Attacker opens second connection to Server using R s. (K) Hello, R s

Security Handshake Pitfalls Imposter Server R s, f(K, R i ) Reflection Attack: Attacker wants to impersonate Client to Server. Attacker sends Hello and a challenge. Attacker gets back f(K, R i ) (who cares) and R s. Attacker opens second connection to Server using R s. Attacker gets back R s encrypted. (K) R p, f(K, R s )

Security Handshake Pitfalls Imposter Server f(K, R s ) Reflection Attack: Attacker wants to impersonate Client to Server. Attacker sends Hello and a challenge. Attacker gets back f(K, R i ) (who cares) and R s. Attacker opens second connection to Server using R s. Attacker gets back R s encrypted. Attacker abandons second connection and sends back f(K, R s ) to complete. (K) R p, f(K, R s )

Security Handshake Pitfalls Imposter Server f(K, R s ) Reflection Attack, how to foil it: 1. Instead of the same key K, use different keys K s, K c K s may be almost K c (say times -1 or 1 different etc.) 2. Insist the challenge from the Client is different from that of the Server (K) R p, f(K, R s )

Security Handshake Pitfalls Imposter Server f(K, R s ) Reflection Attack, how to foil it: 1. Instead of the same key K, use different keys K s, K c K s may be almost K c (say times -1 or 1 different etc.) 2. Insist the challenge from the Client is different from that of the Server Also, off-line password guessing attack vulnerability: Attacker sends message to Server claiming to be Client and enclosing a challenge R, Server returns the challenge encrypted f(K, R), this gives the attacker ability to check passwords (K) R p, f(K, R s )

Security Handshake Pitfalls Client Server Hello Reflection Attack can't succeed with this protocol: (K)

Security Handshake Pitfalls Client Server RsRs Reflection Attack can't succeed with this protocol: (K)

Security Handshake Pitfalls Client Server f(K,R s ) Reflection Attack can't succeed with this protocol: (K)

Security Handshake Pitfalls Client Server RcRc Reflection Attack can't succeed with this protocol: (K)

Security Handshake Pitfalls Client Server f(K,R c ) Reflection Attack can't succeed with this protocol: Reason: Initiator always is first to prove its identity!! (K)

Security Handshake Pitfalls Client Server Hello, encrypt{R c } K s Public key mutual authentication: (K c, S c ) (K s, S s )

Security Handshake Pitfalls Client Server R c, encrypt{R s } K c Public key mutual authentication: (K c, S c ) (K s, S s )

Security Handshake Pitfalls Client Server RsRs Public key mutual authentication: (K c, S c ) (K s, S s )

Security Handshake Pitfalls Client Server RsRs Public key mutual authentication: Variant: R s and R c are signed by their respective parties (K c, S c ) (K s, S s )

Security Handshake Pitfalls Client Server RsRs Public key mutual authentication: Variant: R s and R c are signed by their respective parties How does the client's workstation retrieve the client's private key when all the client knows is a password – usually keys cannot be recovered from passwords? Use a directory service - 1. Client's key is encrypted with Client's password 2. Certificate for Server's public key, signed with Client's private key (K c, S c ) (K s, S s )

Security Handshake Pitfalls Client Server Establish a session key (secret key system): After authentication R and K{R} is known by Client and Server Can't use K{R} as session key - someone may have seen it Can't use K{R+1} as session key - Attacker seeing transmission using session key K{R+1} impersonates Server's network address to Client and sends R+1 as the challenge to Client. Client responds with K{R+1}. So attacker can decrypt previous transmission. (K) hello R K{R}

Security Handshake Pitfalls Client Server R Establish a session key (secret key system): After authentication R and K{R} is known by Client and Server Can't use K{R} as session key - someone may have seen it Can't use K{R+1} as session key - Attacker seeing transmission using session key K{R+1} impersonates Server's network address to Client and sends R+1 as the challenge to Client. Client responds with K{R+1}. So attacker can decrypt previous transmission. Session key should not be an encrypted value which can be predicted or extracted later. (K) hello K{R}

Security Handshake Pitfalls Client Server (K c, S c ) (K s, S s ) g, p, [g a mod p] S c, [g b mod p] S s Establish a session key (public key system): Authenticate with Diffie-Hellman exchange, RSA signing. Use g ab mod p as the session key. Attempt to get root access on either machine does not reveal the a and b needed to generate session key to decrypt recorded messages - they were never recorded and the session key was tossed. If session key had been sent across, it could have been recorded and decrypted after getting root access. If session keys get sent across without being signed, attacker can send an R while impersonating Client's network address. Establish a session key (public key system): Authenticate with Diffie-Hellman exchange, RSA signing Use g ab mod p as the session key Attempt to get root access on either machine does not reveal the a and b needed to generate session key to decrypt recorded messages - they were never recorded and the session key was tossed. If session key had been sent across, it could have been recorded and decrypted after getting

Security Handshake Pitfalls Client A KDC KDC operation, in principle (K a ) (K s ) Client B (K b ) Request B Makes K AB K a {K AB } K b {K AB }

Security Handshake Pitfalls Client A KDC Needham-Schroeder authentication and session key (secret key system): Client A sends a nonce N a and request to connect to B to the KDC (K a ) (K s ) Client B (K b ) N a, Req B

Security Handshake Pitfalls Client A KDC Needham-Schroeder authentication and session key (secret key system): Client A sends a nonce N a and request to connect to B to the KDC KDC makes a session key K ab for the connection (K a ) (K s ) Client B (K b ) K ab, N a

Security Handshake Pitfalls Client A KDC Needham-Schroeder authentication and session key (secret key system): Client A sends a nonce N a and request to connect to B to the KDC KDC makes a session key K ab for the connection KDC encrypts N a, B, a ticket T with key K a and sends all to A. To make T the KDC encrypts the session key and A with with K b. (K a ) (K s ) Client B (K b ) K ab, N a K a {N a, B, K ab, T} T=K b {K ab, A}

Security Handshake Pitfalls Client A KDC Needham-Schroeder authentication and session key (secret key system): Client A sends a nonce N a and request to connect to B to the KDC KDC makes a session key K ab for the connection KDC encrypts N a, B, a ticket T with key K a and sends all to A. To make T the KDC encrypts the session key and A with with K b. Client A encrypts a nonce N b with the session key K ab, sends with ticket to B (K a ) (K s ) Client B (K b ) T, K ab {N b }

Security Handshake Pitfalls Client A KDC Needham-Schroeder authentication and session key (secret key system): Client A sends a nonce N a and request to connect to B to the KDC KDC makes a session key K ab for the connection KDC encrypts N a, B, a ticket T with key K a and sends all to A. To make T the KDC encrypts the session key and A with with K b. Client A encrypts a nonce N b with the session key K ab, sends with ticket to B Client B subtracts 1 from nonce, make new nonce, encrypts with session key sends encrypted message to Client A. (K a ) (K s ) Client B (K b ) K ab {N b -1,N c }

Security Handshake Pitfalls Client A KDC Needham-Schroeder authentication and session key (secret key system): Client A sends a nonce N a and request to connect to B to the KDC KDC makes a session key K ab for the connection KDC encrypts N a, B, a ticket T with key K a and sends all to A. To make T the KDC encrypts the session key and A with with K b. Client A encrypts a nonce N b with the session key K ab, sends with ticket to B Client B subtracts 1 from nonce, make new nonce, encrypts with session key sends encrypted message to Client A. Client A subtracts 1 from nonce, encrypts with session key, sends to Client B (K a ) (K s ) Client B (K b ) K ab {N c -1}

Security Handshake Pitfalls Client A KDC Needham-Schroeder: What is going on? Nonce N a protects against: attacker, having stolen previous K b and message from Client A requesting it, waits for Client A to request a session key from the KDC and immediately plays back KDC's reply to Client A, and gets the session key encrypted with Client B's old K b, which it knows, so it can impersonate Client B to Client A. (K a ) (K s ) Client B (K b ) N a, Req B K a {N a, B, K ab, T} T=K b {K ab, A} Attacker need not know key of Client A

Security Handshake Pitfalls Client A KDC Needham-Schroeder: What is going on? With the identity of Client B inserted, attacker id substitution is detected by A Nonce is returned to check authenticity of KDC Double encryption of session key (K b for ticket, then K a on the ticket) is not considered necessary (K a ) (K s ) Client B (K b ) K a {N a, B, K ab, T} T=K b {K ab, A}

Security Handshake Pitfalls Client A KDC Needham-Schroeder: What is going on? Client A knows that only someone with Client B's key K b can decrypt and get the session key. With session key, Client B decrypts N b. (K a ) (K s ) Client B (K b ) T, K ab {N b }

Security Handshake Pitfalls Client A KDC Needham-Schroeder: Vulnerability If attacker finds out Client A's key K a, then attacker can impersonate itself to the KDC. But if Client A changes K a, then we require attacker not to be able to impersonate. But the ticket to Client B remains valid after a such a change. Attacker can save K a {N a, B, K ab, K b {K ab, A}} until it knows the old K a key, then decrypt to get K b {K ab, A} and send that to Client B to convince it that it is connecting with Client A using K ab. (K a ) (K s ) Client B (K b )

Security Handshake Pitfalls Client A KDC Needham-Schroeder: Vulnerability If attacker finds out Client A's key K a, then attacker can impersonate itself to the KDC. But if Client A changes K a, then we require attacker not to be able to impersonate. But the ticket to Client B remains valid after a such a change. Attacker can save K a {N a, B, K ab, K b {K ab, A}} until it knows the old K a key, then decrypt to get K b {K ab, A} and send that to Client B to convince it that it is connecting with Client A using K ab Fixed by Client A connecting to Client B requesting an encrypted nonce and using that nonce throughout the exchange. (K a ) (K s ) Client B (K b )

Security Handshake Pitfalls Client A KDC Otway-Rees: (K a ) (K s ) Client B (K b ) N c, A, B, K a {N a, N c, A, B}

Security Handshake Pitfalls Client A KDC Otway-Rees: If N c is not the same in both messages, KDC will stop the transaction. (K a ) (K s ) Client B (K b ) K a {N a, N c, A, B}, K b {N b, N c, A, B}

Security Handshake Pitfalls Client A KDC Otway-Rees: (K a ) (K s ) Client B (K b ) K ab

Security Handshake Pitfalls Client A KDC Otway-Rees: Client B is reassured that it is talking to KDC since its nonce was extracted using K b and sent back encrypted. (K a ) (K s ) Client B (K b ) K ab N c, K a {N a, K ab }, K b {N b, K ab }

Security Handshake Pitfalls Client A KDC Otway-Rees: This message reassures Client A that both the KDC and Client B are OK because it can check its nonce, which it had encrypted with other things, and to get it back means the KDC used K a and the KDC validated Client B. (K a ) (K s ) Client B (K b ) K ab K a {N a, K ab }

Security Handshake Pitfalls Client A KDC Otway-Rees: Client A proves identity to Client B by showing it knows K ab. (K a ) (K s ) Client B (K b ) K ab K ab {anything recognizable}

Security Handshake Pitfalls Nonce types: Random number - will probably never be reused Timestamp - requires synchronized clocks Sequence number - requires non volatile memory (system crash?)

Security Handshake Pitfalls Protocol Checklist: Eavesdropping: attacker should not be able to do any of the following learn the contents of messages between connecting parties learn information enabling impersonation in a future exchange learn anything that permits off-line password-guessing

Security Handshake Pitfalls Protocol Checklist: Eavesdropping: attacker should not be able to do any of the following learn the contents of messages between connecting parties learn information enabling impersonation in a future exchange learn anything that permits off-line password-guessing Impersonation of Originator: attacker should not be able to do any of these: convince other party it is the real originator learn information that would enable impersonator to do an off-line password-guessing attack against Client or Server's secret information learn information that would enable impersonation of Client in the future learn information that would enable impersonation of Server to Client trick Server into signing or decrypting something

Security Handshake Pitfalls Protocol Checklist: Eavesdropping: attacker should not be able to do any of the following learn the contents of messages between connecting parties learn information enabling impersonation in a future exchange learn anything that permits off-line password-guessing Impersonation of Originator: attacker should not be able to do any of these: convince other party it is the real originator learn information that would enable impersonator to do an off-line password-guessing attack against Client or Server's secret information learn information that would enable impersonation of Client in the future learn information that would enable impersonation of Server to Client trick Server into signing or decrypting something Pounce - attacker gets part way through authentication but should not: convince Client the attacker is the Server learn info enabling an off-line password-guessing attack learn info enabling impersonation of Server in future or Client to Server trick Client into signing or decrypting something

Security Handshake Pitfalls Protocol Checklist: Read Client Database: Bad news! Then attacker can convince Server it is the Client. Attacker can do off-line password guessing attack against Server's secret (if it is derived from a password) since Client must have enough info to know if party really is the Server. But: Attacker should not be able to impersonate the Server to the Client Attacker should not be able to decrypt recorded messages between S and C

Security Handshake Pitfalls Protocol Checklist: Read Client Database: Bad news! Then attacker can convince Server it is the Client. Attacker can do off-line password guessing attack against Server's secret (if it is derived from a password) since Client must have enough info to know if party really is the Server. But: Attacker should not be able to impersonate the Server to the Client Attacker should not be able to decrypt recorded messages between S and C Read Server Database: Bad News!! Then attacker can convince Client that it is the Server. Attacker can do off-line password-guessing attack against Client's secret. But: Attacker should not be able to impersonate the Client to the Server Attacker should not be able to decrypt recorded messages between S and C

Security Handshake Pitfalls Protocol Checklist: Read Client Database: Bad news! Then attacker can convince Server it is the Client. Attacker can do off-line password guessing attack against Server's secret (if it is derived from a password) since Client must have enough info to know if party really is the Server. But: Attacker should not be able to impersonate the Server to the Client Attacker should not be able to decrypt recorded messages between S and C Read Server Database: Bad News!! Then attacker can convince Client that it is the Server. Attacker can do off-line password-guessing attack against Client's secret. But: Attacker should not be able to impersonate the Client to the Server Attacker should not be able to decrypt recorded messages between S and C Sit on net and modify messages – Attacker should not be able to: do an off-line password-guessing attack on anybody's secret information read any messages hijack a conversation without the other side knowing this cause messages between Client and Server to be misinterpreted

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.