SMUCSE 5349/73491 Authentication Protocols
SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric key encryption, hash functions, MACs) to design secure protocols (providing security services) over an un-trusted network?
SMUCSE 5349/73493 Types of Authentication Peer entity authentication –Prevent masquerading –Ensure freshness Data origin authentication –Claims of data origin –Prevention of forgery We are dealing with Entity Authentication
SMUCSE 5349/73494 Definitions Entity authentication: –Corroboration that an entity is the one claimed at a particular point in time. Unilateral authentication: –Provides one entity with assurance of the other’s identity but not vice versa. Mutual authentication: –Provides both entities with assurance of each other’s identity
SMUCSE 5349/73495 Simple Challenge-Response AP 1.A B:N a 2.B A:{ N a } kab nOne way protocol using shared secret key
SMUCSE 5349/73496 Mutual Authentication Using Needham-Schroeder (shared key) M1 A -> S A, B, N a M2 S -> A E Kas {N a, B, K ab, E Kbs {K ab, A} } M3 A -> B E Kbs {K ab, A} M4 B -> A E Kab {N b } M5 A-> B E Kab {N b -1} –N a is a random value chosen by A, N b random chosen by B
SMUCSE 5349/73497 NS – Public Key KDC has well known public key B’s public received from KDC Challenge – response as before –We saw this in last class
SMUCSE 5349/73498 Attacks on AP Crypto system –We have seen many of them Protocol –Replay –Oracle session –Parallel session
SMUCSE 5349/73499
SMUCSE 5349/734910
SMUCSE 5349/ Fix for Replay Attack Use time stamps –Needs securely synchronised clocks to prevent replay – not trivial –Drift window –Log of recent messages within the window –Logical time stamps?
SMUCSE 5349/ Digital Signature Algorithms
SMUCSE 5349/ Need for DS No complete trust between the sender and the receiver Properties: –Able to verify the author, time –Authenticate the content at time of signature –Signature verifiable by a third party Direct and arbitrated
SMUCSE 5349/ Use of RSA When using RSA for both encryption and authentication: –Use the senders private key to sign the message –Use the recipients public key to encrypt the message RSA can be used without increasing message size More commonly use a hash function to create a digest which is then signed –Send this signed digest separate
SMUCSE 5349/ DSA (Digital Signature Algorithm) US Federal Govt. approved signature scheme – used with SHA hash algorithm Designed by NIST & NSA in early 90's DSA is the algorithm, DSS is the standard DSA is a variant on the ElGamal and Schnorr algorithms –Creates a 320 bit signature –Security again rests on difficulty of computing discrete logarithms –Has been quite widely accepted
SMUCSE 5349/ Keyed Hash Functions All the above signature schemes involve public key methods –Cost and size overheads Have a need for a private key signature scheme –Use a fast hash function Include a key along with the message: –KeyedHash = Hash(Key|Message) –KeyedHash = Hash(Key1|Hash(Key2|Message))
SMUCSE 5349/ HMAC Use a keyed hash function HMAC K = Hash((K+ XOR opad)||Hash((K+ XOR ipad)||M)) –where K+ is the key padded out to size –opad, ipad are specified padding values Security is directly related to the security of the underlying hash Any of MD5, SHA-1, RIPEMD-160 hash algorithms can be used
SMUCSE 5349/ Kerberos
SMUCSE 5349/ Kerberos Trusted 3rd party authentication scheme. Assumes that hosts are not trustworthy. Requires that each client (each request for service) prove its identity. Does not require user to enter password every time a service is requested Part of project Athena (MIT)
SMUCSE 5349/ Kerberos Design User must identify itself once at the beginning of a session Every user has a password. Every service has a password. The only entity that knows all the passwords is the Authentication Server Passwords are never sent across the network in clear-text (or stored in memory)
SMUCSE 5349/ ServerServer ServerServer ServerServer ServerServer KerberosDatabase Ticket Granting Server Server Ticket Granting Server Server Authentication Authentication WorkstationWorkstation
SMUCSE 5349/ Components Encryption Current Kerberos implementations (v4) use DES, although Kerberos V5 has hooks so that other algorithms can be used Tickets Each request for a service requires a ticket. A ticket provides a single client with access to a single server Tickets are dispensed by the “Ticket Granting Server” (TGS), which has knowledge of all the encryption keys Tickets are meaningless to clients, they simply use them to gain access to servers.
SMUCSE 5349/ Components - Tickets (cont’d) The TGS seals (encrypts) each ticket with the secret encryption key of the server. Sealed tickets can be sent safely over a network - only the server can make sense out of it. Each ticket has a limited lifetime (a few hours) Ticket Contents Client name (user login name) Server name Client Host network address Session Key for Client/Server Ticket lifetime Creation of timestamp
SMUCSE 5349/ Components - Session Key Random number that is specific to a session. Session Key is used to seal client requests to server Session Key can be used to seal responses (application specific usage)
SMUCSE 5349/ Authenticators Authenticators prove a client’s identity. Includes: –Client user name. –Client network address. –Timestamp. Authenticators are sealed with a session key.
SMUCSE 5349/ Bootstrap Each time a client wants to contact a server, it must first ask the 3rd party (TGS) for a ticket and session key. In order to request a ticket from the TGS, the client must already have a TG ticket and a session key for communicating with the TGS
SMUCSE 5349/ Authentication Server The client sends a plaintext request to the AS asking for a ticket it can use to talk to the TGS. Request: –login name –TGS name Since this request contains only well-known names, it does not need to be sealed.
SMUCSE 5349/ Authentication Server The AS finds the keys corresponding to the login name and the TGS name. The AS creates a ticket: –login name –TGS name –client network address –TGS session key The AS seals the ticket with the TGS secret key.
SMUCSE 5349/ Authentication Server Response The AS also creates a random session key for the client and the TGS to use. The session key and the sealed ticket are sealed with the user (login name) secret key. TGS session key Ticket: login name TGS name net address TGS session key Sealed with user key Sealed with TGS key
SMUCSE 5349/ Accessing the TGS The client decrypts the message using the user’s password as the secret key. The client now has a session key and ticket that can be used to contact the TGS. The client cannot see inside the ticket, since the client does not know the TGS secret key.
SMUCSE 5349/ When a client wants to start using a server (service), the client must first obtain a ticket. The client composes a request to send to the TGS: Accessing a Server TGS Ticket Authenticator Server Name sealed with TGS key sealed with session key
SMUCSE 5349/ TGS response The TGS decrypts the ticket using its secret key. Inside is the TGS session key. The TGS decrypts the Authenticator using the session key. The TGS check to make sure login names, client addresses and TGS server name are all OK. TGS makes sure the Authenticator is recent.
SMUCSE 5349/ TGS Response Once everything checks out - the TGS: Builds a ticket for the client and requested server. The ticket is sealed with the server key. Creates a session key Seals the entire message with the TGS session key and sends it to the client.
SMUCSE 5349/ Client Accesses Server The client now decrypts the TGS response using the TGS session key. The client now has a session key for use with the new server, and a ticket to use with that server. The client can contact the new server using the same format used to access the TGS.
SMUCSE 5349/ Requirements Secure Reliable Transparent Scalable
SMUCSE 5349/ Problems Single point of failure –Denial-of-service attack Traffic Reliability will compromise security