CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

Slides:

Advertisements

Similar presentations

AUTHENTICATION AND KEY DISTRIBUTION

Advertisements

COEN 350 Kerberos.

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Lecture 10: Mediated Authentication

A less formal view of the Kerberos protocol J.-F. Pâris.

Chapter 10 Real world security protocols

Chapter 14 – Authentication Applications

Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

CSC 474 Information Systems Security

Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

CS470, A.SelcukNeedham-Schroeder1 Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor:

1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.

The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.

COEN 350 Kerberos. Provide authentication for a user that works on a workstation. Uses secret key technology Because public key technology still had patent.

1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.

Authentication & Kerberos

CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.

Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.

KerberSim CMPT 495 Fall 2004 Jerry Frederick. Project Goals Become familiar with Kerberos flow Create a simple Kerberos simulation.

CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

IT 221: Introduction to Information Security Principles Lecture 6:Digital Signatures and Authentication Protocols For Educational Purposes Only Revised:

1 Lecture 14: Real-Time Communication Security real-time communication – two parties interact in real time (as opposed to delayed communication like )

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

Chapter 3: Basic Protocols Dulal C. Kar. Key Exchange with Symmetric Cryptography Session key –A separate key for one particular communication session.

Network Security Lecture 23 Presented by: Dr. Munam Ali Shah.

Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.

Security protocols and their verification Mark Ryan University of Birmingham Midlands Graduate School University of Birmingham April 2005 Steve Kremer.

Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.

Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

Lecture 13 Page 1 Advanced Network Security Authentication and Authorization in Local Networks Advanced Network Security Peter Reiher August, 2014.

Digital Signatures, Message Digest and Authentication Week-9.

1 Needham-Schroeder A --> S: A,B, N A S --> A: {N A,B,K AB,{K AB,A} KBS } KAS A --> B:{K AB,A} KBS B --> A:{N B } KAB A --> B:{N B -1} KAB.

Lecture 5.2: Key Distribution: Private Key Setting CS 436/636/736 Spring 2012 Nitesh Saxena.

Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.

Lecture 5.1: Message Authentication Codes, and Key Distribution

Csci5233 Computer Security1 Bishop: Chapter 10 Key Management.

User Authentication  fundamental security building block basis of access control & user accountability  is the process of verifying an identity claimed.

1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.

Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.

Pertemuan #8 Key Management Kuliah Pengaman Jaringan.

Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.

1 Cryptography CSS 329 Lecture 12: Kerberos. 2 Lecture Outline Kerberos - Overview - V4 - V5.

CMSC 414 Computer and Network Security Lecture 15

Message Security, User Authentication, and Key Management

AIT 682: Network and Systems Security

Presentation transcript:

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz

Administrative stuff HW4 is out

One-way authentication If only the server has a known public key (e.g., SSL) –Server sends R –Client sends E pk (R, password, session-key) Insecure in general!!! –But secure if encryption scheme is chosen appropriately

Using session keys Generally, want to provide both secrecy and integrity for subsequent conversation –Use encrypt-then-MAC –Use sequence numbers to prevent replay attacks –Use a directionality bit –Periodically refresh the session key

Mediated authentication E.g., using KDC Simple protocol: –Alice requests to talk to Bob –KDC generates K AB and sends it to Alice and Bob, encrypted with their respective keys –Note: no authentication here, but impostor cant determine K AB

Improvement… Have KDC send to Alice the encryption of K AB under Bobs key –Reduces communication load on KDC –Resilient to message delays in network

Needham-Schroeder A KDC: N 1, Alice, Bob KDC A: K A (N 1, Bob, K AB, ticket), where ticket = K B (K AB, Alice) A B: ticket, K AB (N 2 ) B A: K AB (N 2 +1, N 3 ) A B: K AB (N 3 +1)

Analysis? N 1 assures Alice that she is talking to KDC –Prevents key-replay, in case Bob changes K B Important: authenticate Bob in message 2, and Alice in ticket Uses encryption to authenticate… –Leads to actual flaw if, e.g., ECB mode is used! Vulnerable if Alices key is compromised –Bobs ticket is always valid –Use timestamps, or request (encrypted) nonce from Bob at the very beginning of the protocol

Otway-Rees A B: N C, K A (N A, N C, Alice, Bob) B KDC: K A (…), K B (N B, N C, Alice, Bob) –KDC checks that N C is the same… KDC B: N C, K A (N A, K AB ), K B (N B, K AB ) B A: K A (…) A B: K AB (timestamp) –Note: KDC already authenticated Bob

Analysis? N C should be unpredictable, not just a nonce –Otherwise, can impersonate B to KDC Send first message: (next N C ), garbage B forwards to KDC along with encryption of the next N C Next time A initiates a conversation, replay previous message from B Still uses encryption for authentication… –Serious attack if ECB is used Replace K AB with N C

Kerberos (Will possibly discuss in more detail later) A KDC: N 1, Alice, Bob KDC A: K A (N 1, Bob, K AB, ticket), where ticket = K B (K AB, Alice, expiration time) A B: ticket, K AB (time) B A: K AB (time+1)