Authenticated Key Exchange I. Definitions I. MAP I. matching conversations II. oracles II. (I)KA II. AKEP2 III. AKEP2 Security I. Session Keys II. Perfect.


Authenticated Key Exchange
I. Definitions
   I. MAP
      I. matching conversations
      II. oracles
   II. (I)KA
II. AKEP2
III. AKEP2 Security
   I. Session Keys
   II. Perfect Forward Secrecy
IV. Adversary Attacks
Presented By: Ashley Bruno & Blayne White

Key Establishment Protocols
I. Cryptographic protocols that establish keys for use by other protocols
   I. examples: AKEP2, MAP1, Diffie-Hellman, Station-to-Station

Definitions I. Principal: a party wishing to establish shared keys II. Nonce: a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks

Definitions (cont'd) III. MAC (i.e. Message Authentication Code): the result of a hash function that combines a message with a key IV. Freshness: a key is fresh if it can be guaranteed to be new (Menezes, van Oorschot and Vanstone, 1997) (probably no longer fresh)

Oracles I. An I/O device that responds to every query with a random response chosen uniformly from its output domain. If given the same input query, the same output response is given.

Oracle Freshness
I. An oracle is fresh if:
   I. It has accepted a session key
   II. Its session key has not been given a Reveal query (oracle is “unopened”)
   III. There is no opened oracle with whom it has a matching conversation that has accepted the session key.

Mutual Entity Authentication
I. Provides assurance to both entities of the identity of the other entity involved
   I. If a pair of oracles has matching conversations, then both oracles accept.
   II. The probability of an oracle accepting when it does not have a matching conversation with another oracle is negligible.

Matching Conversations I. A conversation consists of all messages sent and received by an oracle. II. Matching Conversations occur when the conversations of both parties are the same when all messages are faithfully delivered from the sender oracle to the receiver oracle, with the exception of the last message, since the initiator cannot know if this last message was received by its partner.

(Implicit) Key Authentication I. Provides assurance that no entity other than a specifically identified entity can gain access to the key. II. Independent of the actual possession of such key by the second party, or knowledge of such actual possession by the first party

Perfect Forward Secrecy It is still desirable to design protocols where past sessions remain secure. Perfect forward secrecy: compromise of long-term keys does not compromise past session keys. “Forward secrecy” indicates that the secrecy of old keys is carried forward into the future.

Authenticated Key Exchange Protocol 2 I. A three-pass protocol II. Uses symmetric authentication III. Uses keyed hash functions instead of encryption IV. Does not rely on a trusted third party (TTP) V. Provides mutual entity authentication and (implicit) key authentication VI. Provides Perfect Forward Secrecy

AKEP2
I. A and B are principals
II. A and B share two long term symmetric keys: K, K'
III. each protocol run generates fresh nonces: n_a, n_b
IV. uses a keyed hash function (MAC): h_k and a keyed one-way function: h'_k'

AKEP2
A -> B: n_a
   A sends a challenge nonce to B.
B -> A: h_k(B, A, n_a, n_b), n_b
   B responds with h_k(B, A, n_a, n_b) and sends its own challenge nonce.
A -> B: h_k(A, n_b)
   A responds to the challenge nonce with h_k(A, n_b) to B.
● k is the shared key; k = h'_k'(n_b)
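The three passes above, run end to end with both principals, as an added example that is not part of the original slides. It assumes HMAC-SHA256 for both h and h', the MAC keyed with the long-term key K and the session key taken as h' under K' of n_b, 16-byte nonces and length-prefixed MAC fields; the class and function names are hypothetical.

```python
import hashlib, hmac, secrets

def h(key, *fields):
    # MAC h_K over length-prefixed fields, so field boundaries are unambiguous
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

class Principal:
    def __init__(self, name, peer, k, k_prime):
        self.name, self.peer, self.k, self.k_prime = name, peer, k, k_prime
        self.nonce = self.session_key = None   # session_key is set only on accept

    def _accept(self, n_b):
        # h'_{K'}(n_b); HMAC under K' stands in for the keyed one-way function
        self.session_key = hmac.new(self.k_prime, n_b, hashlib.sha256).digest()

    def challenge(self):                       # A, pass 1: n_a
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def respond(self, n_a):                    # B, pass 2: h_K(B, A, n_a, n_b), n_b
        self.nonce = secrets.token_bytes(16)
        return h(self.k, self.name, self.peer, n_a, self.nonce), self.nonce

    def confirm(self, tag, n_b):               # A checks pass 2, sends pass 3: h_K(A, n_b)
        if not hmac.compare_digest(tag, h(self.k, self.peer, self.name, self.nonce, n_b)):
            raise ValueError("pass 2 MAC does not cover this run's n_a")
        self._accept(n_b)
        return h(self.k, self.name, n_b)

    def finish(self, tag):                     # B checks pass 3
        if not hmac.compare_digest(tag, h(self.k, self.peer, self.nonce)):
            raise ValueError("pass 3 MAC does not cover this run's n_b")
        self._accept(self.nonce)

def honest_run(k, k_prime):
    a, b = Principal(b"A", b"B", k, k_prime), Principal(b"B", b"A", k, k_prime)
    tag2, n_b = b.respond(a.challenge())
    b.finish(a.confirm(tag2, n_b))
    return a, b, (tag2, n_b)

def replay_accepted(k, k_prime, old_pass2):
    # Replay a recorded pass 2 into a new run: the fresh n_a makes the MAC check fail
    a = Principal(b"A", b"B", k, k_prime)
    a.challenge()
    try:
        a.confirm(*old_pass2)
    except ValueError:
        pass
    return a.session_key is not None
```

Because each MAC covers the verifier's own nonce for the current run, a recorded pass 2 from an earlier run is rejected, which is the replay protection the nonce definition describes.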

AKEP2 Security I. The intent is to authenticate the principals involved and distribute a session key which will consist of a principal's private output II. At the end of a secure AKE any adversary should not be able to distinguish a fresh session key from a random element.

AKE Security: Session Keys
I. The compromise of one of these keys should have minimal consequences.
   I. It should not subvert subsequent authentication.
   II. It should not leak information about other session keys.

AKEP2 Security
I. Protocol II is secure if it is a secure mutual authentication protocol. This requires:
   a) That two oracles, in the absence of an active adversary, always accept
   b) The advantage of a probabilistic polynomial adversary is negligible.
II. The current security definitions give the adversary very strong abilities in corrupting the parties, but they limit his ability to utilize those powers.

Attacks allowed by current definitions I. Key-compromise impersonation: the adversary reveals a long-term secret key of a party and then impersonates others to this party. II. An adversary reveals the ephemeral secret key of a party who initiates an AKE session and impersonates the other participant of this session.

Attacks allowed (cont'd) III. Two honest parties execute matching sessions, while the adversary reveals ephemeral secret keys of both parties and tries to learn the session key. IV. Two honest parties execute matching sessions, while the adversary reveals long-term keys of both parties prior to the session execution and tries to learn the session key. However, all four of these attacks are not considered violations of protocol security!

Authenticated Key Exchange
I. M. Bellare and P. Rogaway. “Entity Authentication and Key Distribution.” Advances in Cryptology - Crypto 93 Proceedings, Lecture Notes in Computer Science Vol. 773, D. Stinson ed, Springer-Verlag,
II. Brian LaMacchia, Kristen Lauter, Anton Mityagin. “Stronger Security of Authenticated Key Exchange.”