CS470, A.SelcukNeedham-Schroeder1 Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor:

Slides:

Advertisements

Similar presentations

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

Advertisements

Lecture 10: Mediated Authentication

Chapter 10 Real world security protocols

Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

CSC 474 Information Systems Security

Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Computer Science&Technology School of Shandong University Instructor: Hou Mengbo houmb AT sdu.edu.cn Office: Information Security Research Group.

IPsec – IKE CS 470 Introduction to Applied Cryptography

CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

CS470, A.SelcukKerberos1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 Chapter 30 Message Security, User Authentication, and Key Management.

Security & Authentication (continued) CS-4513 D-term Security and Authentication (continued) CS-4513 Distributed Computing Systems (Slides include.

Introduction to Computer and Network Security Iliano Cervesato 9 September 2008 – Cryptographic Protocols.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.

Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.

CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.

Authentication Advanced Software Engineering (CSE870) Instructor: Dr. B. Cheng Contact info: chengb at cse dot msu dot edu Eduardo Diaz Dan Fiedler Andres.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

Security and Authentication CS-4513, D-Term Security and Authentication (continued) CS-4513 D-Term 2007 (Slides include materials from Operating.

Key Distribution CS 470 Introduction to Applied Cryptography

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

1 ECE453 – Introduction to Computer Networks Lecture 19 – Network Security (II)

Network Security Chapter Computer Networks, Fifth Edition by Andrew Tanenbaum and David Wetherall, © Pearson Education-Prentice Hall, 2011.

Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.

Security protocols and their verification Mark Ryan University of Birmingham Midlands Graduate School University of Birmingham April 2005 Steve Kremer.

1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.

McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 Chapter 30 Message Security, User Authentication, and Key Management.

Digital Signatures, Message Digest and Authentication Week-9.

1 Needham-Schroeder A --> S: A,B, N A S --> A: {N A,B,K AB,{K AB,A} KBS } KAS A --> B:{K AB,A} KBS B --> A:{N B } KAB A --> B:{N B -1} KAB.

Cryptography: Digital Signatures Message Digests Authentication

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.

1 Number Theory and Advanced Cryptography 9. Authentication Protocols Chih-Hung Wang Sept Part I: Introduction to Number Theory Part II: Advanced.

Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. E(N,K) SAAF Impala Russian MIG 1 Military needs many specialized.

1 Authentication Protocols Rocky K. C. Chang 9 March 2007.

Part 1  Cryptography 1 Integrity Part 1  Cryptography 2 Data Integrity  Integrity  detect unauthorized writing (i.e., modification of data)  Example:

Security. Cryptography (1) Intruders and eavesdroppers in communication.

Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.

@Yuan Xue CS 285 Network Security Key Distribution and Management Yuan Xue Fall 2012.

Pertemuan #8 Key Management Kuliah Pengaman Jaringan.

1 Cryptography CSS 329 Lecture 12: Kerberos. 2 Lecture Outline Kerberos - Overview - V4 - V5.

- Richard Bhuleskar “At the end of the day, the goals are simple: safety and security” – Jodi Rell.

Security Handshake Pitfalls. Client Server Hello (K)

CS480 Cryptography and Information Security

Handshake Protocols COEN 150.

9.2 SECURE CHANNELS Medisetty Swathy.

Protocol ap1.0: Alice says “I am Alice”

AIT 682: Network and Systems Security

Presentation transcript:

CS470, A.SelcukNeedham-Schroeder1 Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk

CS470, A.SelcukNeedham-Schroeder2 Key Establishment and Authentication with KDC A simple protocol: Problem: Potential delayed key delivery to Bob. (besides others) Alice Bob KDC Alice, Bob K A {Bob, K AB } K B {Alice, K AB }

CS470, A.SelcukNeedham-Schroeder3 Another simple protocol: Problems: No freshness guarantee for K AB Alice & Bob need to authenticate Alice Bob KDC Alice, Bob K A {Bob, K AB }, ticket B where ticket B = K B {Alice, K AB } Alice, ticket B

CS470, A.SelcukNeedham-Schroeder4 Needham-Schroeder Protocol Alice Bob KDC N 1, Alice, Bob K A {N 1, Bob, K AB, ticket B } where ticket B = K B {K AB, Alice} ticket B, K AB {N 2 } K AB {N 2 -1, N 3 } K AB {N 3 -1}

CS470, A.SelcukNeedham-Schroeder5 Needham-Schroeder Protocol N 1 : for authenticating KDC & freshness of K AB. Ticket is double-encrypted. (unnecessary) N 2, N 3 : for key confirmation, mutual authentication Why are the challenges N2, N3 encrypted? Problem: Bob doesn’t have freshness guarantee for K AB (i.e., can’t detect replays).

CS470, A.SelcukNeedham-Schroeder6 Messages should be integrity protected. Otherwise, cut-and-paste reflection attacks possible: Trudy Bob replay ticket B, K AB {N 2 } K AB {N 2 -1, N 3 } Trudy Bob ticket B, K AB {N 3 } K AB {N 3 -1, N 4 } K AB {N 3 -1}

CS470, A.SelcukNeedham-Schroeder7 Expanded Needham-Schroeder Protocol Alice Bob KDC N 1, Alice, Bob, K B {N B } K A {N 1, Bob, K AB, ticket B } where ticket B = K B {K AB, Alice, N B } ticket B, K AB {N 2 } K AB {N 2 -1, N 3 } K AB {N 3 -1} hello K B {N B }

CS470, A.SelcukNeedham-Schroeder8 Otway-Rees Protocol Alice Bob KDC N C, K A {N A, K AB }, K B {N B, K AB } K A {N A, N C, “Alice”, “Bob”} K B {N B, N C, “Alice”, “Bob”} N C, “Alice”, “Bob”, K A {N A, N C, “Alice”, “Bob”} K A {N A, K AB } K AB {anything recognizable}

CS470, A.SelcukNeedham-Schroeder9 Otway-Rees Protocol N A, N B : Provides freshness guarantee for A & B, as well as authentication of KDC. N C : Binds Alice, Bob, and the session. Also authenticates Bob. Having separate N A & N C is redundant for security, though it’s good for functional separation of nonces and uniformity of KDC messages.

CS470, A.SelcukNeedham-Schroeder10 Basic Kerboros Protocol Alice Bob KDC N 1, Alice, Bob K A {N 1, Bob, K AB, ticket B } where ticket B = K B {K AB, Alice, expiration time} ticket B, K AB {T} K AB {T+1} T: timestamp