Thoughts on KeySec John Viega

Slides:

Advertisements

Similar presentations

EAP STATE Machine Proposal

Advertisements

Secure Pre-Shared Key Authentication for IKE

Internet Protocol Security (IP Sec)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

A Survey of Key Management for Secure Group Communications Celia Li.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.

What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.

IPsec – IKE CS 470 Introduction to Applied Cryptography

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE

CSE331: Introduction to Networks and Security Lecture 24 Fall 2002.

More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.

Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),

Wireless and Security CSCI 5857: Encoding and Encryption.

Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.

NECP: the Network Element Control Protocol IETF WREC Working Group November 11, 1999.

1 Lecture 14: Real-Time Communication Security real-time communication – two parties interact in real time (as opposed to delayed communication like )

EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.

Initial Keying for KeySec John Viega, Russ Housley

Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba

IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.

Lecture 13 Page 1 Advanced Network Security Authentication and Authorization in Local Networks Advanced Network Security Peter Reiher August, 2014.

SSL/TLS How to send your credit card number securely over the internet.

Digital Signatures, Message Digest and Authentication Week-9.

14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.

SARVAJANIK COLLEGE OF ENGINEERING & TECHNOLOGY. Secure Sockets Layer (SSL) Protocol Presented By Shivangi Modi Presented By Shivangi ModiCo-M(Shift-1)En.No

Kerberos By Robert Smithers. History of Kerberos Kerberos was created at MIT, and was named after the 3 headed guard dog of Hades in Greek mythology Cerberus.

IPSec VPN: How does it really work? Yasushi Kono (ComputerLinks Frankfurt)

EAP Keying Framework Draft-aboba-pppext-key-problem-06.txt EAP WG IETF 56 San Francisco, CA Bernard Aboba.

ICOS BOF EAP Applicability Bernard Aboba IETF 62, Minneapolis, MN.

Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.

SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.

Lecture 5.1: Message Authentication Codes, and Key Distribution

CSE 8343 State Machines for Extensible Authentication Protocol Peer and Authenticator.

SSL(HandShake) Protocol By J.STEPHY GRAFF IIM.SC(C.S)

Doc.: IEEE /303 Submission May 2001 Simon Blake-Wilson, CerticomSlide 1 EAP-TLS Alternative for Security Simon Blake-Wilson Certicom.

Wireless Network Security CSIS 5857: Encoding and Encryption.

Nov. 9, 2004IETF61 PANA WG PANA Specification Last Call Issues Yoshihiro Ohba, Alper Yegin, Basavaraj Patil, D. Forsberg, Hannes Tschofenig.

Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. E(N,K) SAAF Impala Russian MIG 1 Military needs many specialized.

IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.

1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.

Fall 2006CS 395: Computer Security1 Key Management.

August 2, 2005IETF63 EAP WG AAA-Key Derivation with Lower-Layer Parameter Binding (draft-ohba-eap-aaakey-binding-01.txt) Yoshihiro Ohba (Toshiba) Mayumi.

@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.

Protocol Coexistence Issue in MSA Subsequent Authentication

BGP Validation Russ White Rule11.us.

CSE 486/586, Spring 2014 CSE 486/586 Distributed Systems Paxos Steve Ko Computer Sciences and Engineering University at Buffalo.

Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

PRESENTATION ON SECURE SOCKET LAYER (SSL) BY: ARZOO THAKUR M.E. C.S.E (REGULAR) BATCH

PANA Discussion and Open Issues (draft-ietf-pana-pana-01.txt)

PANA Issues and Resolutions

Password Management Limit login attempts Encrypt your passwords

Providing Secure Storage on the Internet

Diffie/Hellman Key Exchange

Presentation transcript:

Thoughts on KeySec John Viega

Review of phases In Orlando, seemed to agree on.af phases: –Discovery (insecure) –Authentication –Authorization –Key Management

Authentication issues Where does the cipher suite get negotiated? –… along with any other options Have to be very careful with message design in authentication phase Authorization phase: no real handle on req’s –To what degree are we specifying this, or is it for vendors? Proposed solution: –Carefully design into authentication protocol.

Authentication issues What are the semantics for cipher suite negotiation? –If we both support A and B, and prefer different algorithms, who wins? The initiator? Once we’ve authenticated a single time: –We almost certainly want fast reconnects –Can someone change algorithms on a fast reconnect? I think this should be possible. Should fast reconnects occur even if the box was out of commission for 2 months (e.g., being repaired)

Fast reconnects Initial authentication decisions usually made with help of some authority (e.g., PKI, Radius server) Authority’s endorsement is good for some period of validity Once mutual identities are established, two parties generally share a symmetric key We can keep using this key until it’s lifetime ends, and can leverage it to choose a replacement before that happens

Authentication issues When *shouldn’t* we use a fast reconnect? Authorization can still occur after a fast reconnect. Only time we can’t do a fast reconnect is when bootstrapping a connection for the first time In the two-party case, we can leave it unspecified –SNMP, enter into console, or whatever the vendor likes –This way, very lightweight and easier to make robust Central management is an issue here

We should not use EAP Even w/o methods, EAP is large and complex –Will implementations really be robust? –How often will there be a failure? –Is this a DoS risk? –No one could ever put this in hardware EAP is designed for a different environment –Designed for dial-up to modem pool –Popular methods fail on shared media (prone to misuse) –Even today, the slant is customer interfacing –“customer interfacing” vs. infrastructure ports

More EAP issues “pass-through” model is not ideal –EAP effectively has both parties auth to AAA server –Hardware should directly auth with HELP from AAA Does not support dual pass-through (switch- to-switch case) –Realistic, but will generally both backend to same server –No support for trusted third parties, either! It makes key management decisions for us –An artifact of an ad hoc design –Ensuring conformance will add complexity

AAA servers Do we care about specifying pass-through? Let a vendor worry about it if they really want it Trusted-third party model is more useful “TTP, I am A and I want to connect to B. Give me a key for it.” B doesn’t even need to talk to the TTP to determine the key A got, just A’s identity

Some authentication recommendations Keep it simple –No EAP –No pluggable methods –Leverage the mandatory cipher suite We should only support “fast reconnect” authentication It may be useful to support a TTP protocol for centralized management

Towards a protocol Many ways to do fast reconnects –Just pick up the old connection where you left off –Use the old key to create a new key, and replace the old key –Use one key long-term, just to generate transient keys Third solution makes key management much, much easier

Preliminaries A and B share S (long-term secret) A and B each maintain two counters –Last key ID set by A, last key ID set by B (nonces) A can say, “if this is successful, I’d like to change our long-term key” –Necessary but hopefully rare key-lifetime issue –Call additional information O –What else should go in here? Cipher suite?

Partial protocol A sends identities of A& B, key ID and GCM(A&B, O) A increments key ID B validates the MAC B ensures key ID of A is higher than the previous (successful) key ID of A B uses specified key to generate authentication output –Key for authorization discussion –Key for use in.ae B Beginning authorization signals valid authentication. Might need to finish cipher-suite negotiation here.

Issues What happens if an attacker doesn’t allow B to respond? –A will eventually run out of nonces –Fall-back to a challenge-response protocol If nonce is too low, B assumes it is randomly chosen (though it could be a replay) B chooses his own random nonce of a particular form B GCM-encrypts a new key and the nonce value it had stored. It authenticates A’s original packet as well. A validates the packet then tries to connect with new key. On failure, A discards new key. On success, A discards old key. B keeps old key until he is sure he and A agree on keys. What happens in race condition? –Highest MAC address wins

Key Management, etc. Time to rekey? –Redo the fast authentication protocol Need to choose a new random key? –Reserve a low key ID that B will reject (e.g., zero) –Use a trusted third party –Have it be part of the “other” data