1 Authentication Protocols Rocky K. C. Chang 9 March 2007.

Slides:



Advertisements
Similar presentations
AUTHENTICATION AND KEY DISTRIBUTION
Advertisements

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication & Kerberos
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Computer Security Key Management
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
1 Key Management CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 1, 2004.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Authentication System
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
1 Authentication Protocols Celia Li Computer Science and Engineering York University.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Strong Password Protocols
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Network Security. Security Threats 8Intercept 8Interrupt 8Modification 8Fabrication.
Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,
Lecture 11: Strong Passwords
Chapter 3: Basic Protocols Dulal C. Kar. Key Exchange with Symmetric Cryptography Session key –A separate key for one particular communication session.
Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.
1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.
Digital Signatures, Message Digest and Authentication Week-9.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
Authentication Issues and Solutions CSCI 5857: Encoding and Encryption.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.
Computer and Network Security - Message Digests, Kerberos, PKI –
COEN 351 Authentication. Authentication is based on What you know Passwords, Pins, Answers to questions, … What you have (Physical) keys, tokens, smart-card.
User Authentication  fundamental security building block basis of access control & user accountability  is the process of verifying an identity claimed.
1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.
1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007.
1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.
9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.
Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.
Chapter eight: Authentication Protocols 2013 Term 2.
SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
1 Authentication Celia Li Computer Science and Engineering York University.
@Yuan Xue Authentication Protocol and System Yuan Xue.
پروتكلهاي احرازاصالت Authentication protocols
Presentation transcript:

1 Authentication Protocols Rocky K. C. Chang 9 March 2007

Rocky, K. C. Chang2

3 Outline  Authentication problems  Network-based authentication  Password-based authentication  Cryptographic authentication protocols (challenge and response) Secret key based Public key based  Needham-Schroeder public-key authentication protocol

Rocky, K. C. Chang4 The authentication problem  Authentication: The process of determining whether someone or something is, in fact, who or what it is declared to be. Binding of an identity to a subject.  Authentication protocols: Key establishment protocols, e.g., authenticated Diffie-Hellman. Entity authentication protocols, e.g., system login, which is the focus of this set of slides.

Rocky, K. C. Chang5 Information for authentication  What the entity knows (such as passwords or secret information)  What the entity has (such as a badge or card)  What the entity is (such as fingerprints or other biometrics)  Where the entity is (such as in front of a particular terminal)

Rocky, K. C. Chang6 The authentication process  The entire process consists of Obtaining the required authentication information (e.g., a hashed password) Analyzing the data (e.g., compare the received password with the stored password), and Determining if it is associated with the principal (e.g., confirmed if they are the same).

Rocky, K. C. Chang7 Classification of authentication problems  Authenticated subjects: humans vs machines  Authentication methods: address-based, password, or cryptographic.  Between two entities or with the help of at least a trusted third party  One-way vs mutual authentication

Rocky, K. C. Chang8 Address-based authentication  Assume that the identity of the source can be inferred from the (IP or MAC) address of the packet.  IP source address spoofing Receiving the response is generally tricky. Randomized source address selection  MAC source address spoofing Many people teach you how to do it. Detecting them in wireless networks

9 Password-based authentications

Rocky, K. C. Chang10 Basic password protocols  Authentication based on what the entity knows.  U sends her password to S. Vulnerability to eavesdropping, stolen password files, and easy-to-guess passwords  Protection of password files: In UNIX, one of 4,096 hash functions is used to a password into an 11-character string. A 2-character string identifying the hash function is prepended to the 11-character string.

Rocky, K. C. Chang11 Attacks on the basic protocol  On-line attack When the hash values are not available to an attacker. Defense: maximize the time to guess the password, exponential backoff, disconnection, disabling, and jailing.  Off-line attack (dictionary attack) Receive a copy of the hash value, and guess the password (at his leisure). Run through a list of likely possibilities, often a list of words from a dictionary Defense: append the password with a random string (salt) and hash the result. E.g.,  User IDSalt valuepassword hash  Alice13579hash(13579,password-alice)  Bob24680hash(24680,password-Bob)

Rocky, K. C. Chang12 Problems with passwords  One fundamental problem with passwords is that they are reusable. Attacker can reply a captured password. Force users to age their passwords?  An alternative is to authenticate in such a way that the transmitted password changes each time.  Let U and S agree on a secret function f. S sends a nonce N (the challenge) to U. U replies with f(N) (the response). S validates f(N) by computing it separately.  A nonce (timestamp, random number, etc) is a “ number used once ” ---non-repeating string freshly chosen by S.

Rocky, K. C. Chang13 One-time passwords  A one-time password is a password that is invalidated as soon as it is used.  The challenge-response mechanism uses one-time passwords.  The response is essentially the “password.” Every time the password is different (one-time password).  For example, U chooses an initial seed k, and the key generator computes h(k) = k 1, h(k 1 ) = k 2, …, h(k n-1 ) = k n, where h() is a one-way hash function. The passwords, in the order they are used, are p 1 = k n, p 2 = k n-1, …, p n = k 1.

Rocky, K. C. Chang14 Two-factor authentication  Hardware support for challenge-response procedures: A token that responds to a challenge. A temporal based token: displays a different number, e.g., every 60 seconds.  Two-factor authentication Authentication based on at least two authentication factors. E.g., the token value (what the entity has) and a password (what the entity knows)

15 Secret key based authentication

Rocky, K. C. Chang16 A simple, one-way authentication  Assume that S is authentic.  The server and Alice share a secret key k, and N is a nonce. The nonce is to deduce that Alice is live. The inclusion of S’s identity ensures that Alice has the knowledge of S as her entity peer.

Rocky, K. C. Chang17 A simple, mutual authentication protocol  Mutual authentication  2 x one-way authentication.  Alice and Bob share a secret key k.

Rocky, K. C. Chang18 Reduced to a 3-way protocol  Besides the reduction in the number of messages, what else is different?

Rocky, K. C. Chang19 A reflection attack by Eve  Assume that Eve can open multiple simultaneous sessions with Bob.

Rocky, K. C. Chang20 The key problems and solutions  The same key is used by the initiator and responder. Have them use different keys (maintain a pair of secret keys between two parties).  Improve the protocol resistance to attacks involving parallel sessions.  Have the initiator and responder draw from different sets of nonce.  Have the initiator to prove who she is before the responder’s.

Rocky, K. C. Chang21 Will the original 5-way protocol be subject to the reflection attack?

Rocky, K. C. Chang22 Will the original 5-way protocol be subject to the reflection attack?

Rocky, K. C. Chang23 Another solution  The main problem is that the encrypted elements in the second and three messages are the same. Have the responder influence on what she encrypts or hashes. A possible solution:

24 Public key based authentication

Rocky, K. C. Chang25 Public-key authentication  It is very difficult to build a provably secure authentication protocol based on symmetric cryptographic primitives.  It is not feasible to use secret-key authentication without a trusted third party.  The secret key has to be placed in both parties.

Rocky, K. C. Chang26 A simple, one-way authentication  Alice signs the challenge from S, and N S, N A are nonces picked by S and Alice, respectively.  It is important that Alice influences what she signs.

Rocky, K. C. Chang27 A simple, mutual authentication  Each side authenticates the other side by requesting for a correct digital signature.  Another implementation can have the challenger to encrypt a nonce.

Rocky, K. C. Chang28 A pitfall in this simple C-R protocol  Eve can impersonate Alice by having Alice’s help in signing Bob’s nonce.

Rocky, K. C. Chang29 The main problem is  The challenged party (Alice) has no influence on what she will sign. As a general principle, it is better if both parties have some influence over the quantity signed. Otherwise, the challenger can abuse this protocol to get a signature on any quantity she chooses.

Rocky, K. C. Chang30 An improved protocol  The signer includes her nonce into the message that she is going to sign.

Rocky, K. C. Chang31 Needham-Schroeder public-key authentication protocol  Kerberos is based on the improved Needham- Schroeder public-key authentication protocol.  The original protocol had security flaws.  Assume that both A and B have a pair of public and private keys. Denote A's public key by K a and the private key by K -1 a, and similarly for B.  We also write {m} K for message m encrypted with key K. Moreover N a and N b are nonces generated by A and B, respectively.  We have a trusted key server S.

Rocky, K. C. Chang32 The original protocol was a. A  S: A, B b. S  A: {K b, B} K -1 s c. A  B: {N a, A} K b d. B  S: B, A e. S  B: {K a, A} K -1 s f. B  A: {N a, N b } K a g. A  B: {N b } K b

Rocky, K. C. Chang33 Eve can impersonate Alice by i. (1) A  E: {N a, A} K e (A establishes a normal session with E.) ii. (1’) E  B: {N a, A} K b (E attempts to impersonate A when establishing a session with B.) iii. (2’) B  E: {N a, N b } K a (B's response to A intercepted by E.) iv. (2) E  A: {N a, N b } K a (E forwards B's response to A.) v. (3) A  E: {N b } K e (A's response to E) vi. (3’) E  B: {N b } K b (E's response to B, therefore successfully impersonating A)

Rocky, K. C. Chang34 A simple fix  Include B's identity in the response message. That is, the message (f) becomes B  A: {B, N a, N b } K a.  Therefore, the message (iii) in the attack becomes B  E: {B, N a, N b } K a.  In this case E cannot replay the message and send it to A, because A expects B's identity in the message.

Rocky, K. C. Chang35 Conclusions  Designing a secure and efficient authentication protocol turned out to be more difficult than people thought.  We have discussed the basic protocols based on password, secret-key, and public-key. We have not addressed the system with a trusted third party yet.  The result of authentication may also include an agreement of a secret key, i.e., authenticated key exchange (to be addressed later).

Rocky, K. C. Chang36 Acknowledgments  The notes are prepared mostly based on C. Kaufman, R. Perlman and M. Speciner, Network Security: Private Communication in a Public World, Second Edition, Prentice Hall PTR, Various articles

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.