Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 6.2: Protocols - Authentication and Key Exchange II

Published byΣήθι Καζαντζής Modified over 4 years ago

Similar presentations

Presentation on theme: "Lecture 6.2: Protocols - Authentication and Key Exchange II"— Presentation transcript:

1 Lecture 6.2: Protocols - Authentication and Key Exchange II
CS 436/636/736 Spring 2012 Nitesh Saxena

2 Protocols: Authentication and Key Exchange
Course Admin Mid-Term Grading Will be done over the break  Scores will be posted online and graded exams distribute post-break Will the solution set too Any questions regarding the exam Perhaps we can quickly review? 12/10/2019 Protocols: Authentication and Key Exchange

3 Course Admin HW3 will be posted after the Spring break
12/10/2019 Course Admin HW3 will be posted after the Spring break Due in days as usual

4 Outline of Today’s lecture
Today we try to put everything together Encryption (public-key/private-key) MACs Signing Key-Distribution Secure protocols (for secure communication) Authentication We studied it somewhat while talking about key distribution (Authenticated-) Key Exchange Designing secure protocols is hard – we’ll only be able to learn the basics today We’ll use the board extensively today – be prepared to take notes 12/10/2019 Protocols: Authentication and Key Exchange

5 MAC-based Authentication
A  B: A, rA B  A: rB, HMACK(rB, rA, A) A  B: HMACK(rA, rB,B) Faster than enc-based protocols (computationally) 12/10/2019 Protocols: Authentication and Key Exchange

6 Public-key based authentication (Needham-Shroeder (NS) pk-based)
Assuming public keys are distributed through CA(s) A  B: Encpkb(rA, A) B  A: Encpka(rA, rB) A  B: Encpkb(rB) 12/10/2019 Protocols: Authentication and Key Exchange

7 Attack and fix on PK-based NS protocol
A  B: Encpkb(rA, A) B  A: Encpka(rA, rB,B) A  B: Encpkb(rB) bLowe’s attack A initiates a legitimate session with E E decrypts and forwards the same message encrypted with B’s key B’s message is simply fwded to A Finally, E auths B as A 12/10/2019 Protocols: Authentication and Key Exchange

8 Protocols: Authentication and Key Exchange
Signature-based authentication (assuming public keys are distributed through CA) A auth B A  B: Hi Bob, this is Alice! B  A: r (a challenge) A  B: SigSKa(r,B) (response) A auth B, B auth A (run two copies; piggyback common flows) A  B: A, rA (could sign this too) B  A: rB, SigSKb(rB, rA, A) A  B: SigSKa(rA,rB,B) Why the destination identifier in each message (as in the standard protocol)? Why not the source identifier? See HAC An attack similar to Lowe’s attack can be launched 12/10/2019 Protocols: Authentication and Key Exchange

9 Authenticated Key Exchange (AKE)
Public-key operations are costly Why not use public-key mutual authentication protocols to exchange a symmetric key use this symmetric key with a symmetric encryption to secure subsequent communication Parties share a key K, why do they need to establish new SESSION Keys? 12/10/2019 Protocols: Authentication and Key Exchange

10 Security Notion for AKE
Launch protocol between any pair Reveal all session key except one Try to distinguish the key of the unrevealed session from random This captures: the compromise of other sessions should not lead to the compromise of any other session 12/10/2019 Protocols: Authentication and Key Exchange

11 Protocols: Authentication and Key Exchange
AKE Protocol A  B: A, rA, EncPKb(K) (must sign this too??) B  A: rB, SigSKb(rB, rA, A) A  B: SigSKa(rA, rB, B) A and B output K as the authenticated key Such a protocol can be instantiated using RSA encryption/signing The way SSL/SSH establishes key But, generally only the server authenticates to the client, not vice versa 12/10/2019 Protocols: Authentication and Key Exchange

12 X.509: One-Way Authentication
1 message ( A->B) used to establish the identity of A and that message is from A message was intended for B integrity & originality of message A B 1-A {ta,ra,B,sgnData,KUb[Kab]} Ta-timestamp rA=nonce B =identity sgnData=signed with A’s private key 12/10/2019 Protocols: Authentication and Key Exchange

13 X.509: Two-Way Authentication
2 messages (A->B, B->A) which also establishes in addition: the identity of B and that reply is from B that reply is intended for A integrity & originality of reply A 1-A {ta,ra,B,sgnData,KUb[Kab]} B 2-B {tb,rb,A,sgnData,KUa[Kba]} 12/10/2019 Protocols: Authentication and Key Exchange

14 X.509: Three-Way Authentication
3 messages (A->B, B->A, A->B) which enables above authentication without the need for synchronized clocks 1- A {ta,ra,B,sgnData,KUb[Kab]} A B 2 -B {tb,rb,A,sgnData,KUa[Kab]} 3- A{rb} 12/10/2019 Protocols: Authentication and Key Exchange

15 Discrete Logarithm Assumption
p, q primes such that q|p-1 g’ be the generator of Zp* g is an element of order q and generates a group Gq of order q; g = g’(p-1)/q x in Zq, y = gx mod p Given (p, q, g, y), it is computationally hard to compute x No polynomial time algorithm known p should be 1024-bits and q be 160-bits x becomes the private key and y becomes the public key Explain the math involved, in choosing the parameters. 12/10/2019 Protocols: Authentication and Key Exchange

16 Example of DL-based system
Let’s construct an example KeyGen: p = 11, q = 2 or 5; let’s say q = 5 2 is a generator of Z11* g = 22 = 4 x = 2; y = 42 mod 11 = 5 12/10/2019 Protocols: Authentication and Key Exchange

17 Diffie-Hellman (DH) Key Exchange
A  B: Ka = ga mod p B  A: Kb = gb mod p A outputs Kab = Kba B outputs Kba = Kab Note Kab = Kba = gab mod p 12/10/2019 Protocols: Authentication and Key Exchange

18 Security of DH key exchange
No authentication of either party Secure only against a passive adversary Under the computational Diffie-Hellman assumption Given (g, ga,gb), hard to compute gab Not secure against an active attacker Man-in-the-middle attack… 12/10/2019 Protocols: Authentication and Key Exchange

19 Authenticated DH Key Exchange
A  B: Ka = ga mod p B  A: Certb, Kb = gb mod p EncKba[SigSKb(Kb, Ka )] A  B: Certa, EncKab[SigSKa(Ka,Kb)] A outputs Kab = Kba B outputs Kba = Kab 12/10/2019 Protocols: Authentication and Key Exchange

20 Protocols: Authentication and Key Exchange
Summary Designing secure protocols is not easy Becomes harder in a concurrent setting, where there are multiple parties, executing multiple instances of the protocols simultaneously Becomes even harder as the number of parties increase; n-party or group setting Use the protocols that are well-studied and standardized While designing a protocol, consider Reflection attacks Replay attacks Eliminating any symmetry in the messages 12/10/2019 Protocols: Authentication and Key Exchange

21 Protocols: Authentication and Key Exchange
12/10/2019 Further Reading HAC – chapter 10 Stallings – Chapter 15 12/10/2019 Protocols: Authentication and Key Exchange

Download ppt "Lecture 6.2: Protocols - Authentication and Key Exchange II"

Similar presentations

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
1 Intro To Encryption Exercise 11. 2 Problem Alice and Bob wish to play the game Paper, Rock and Scissors. What may be the problems with the game? The.

1 Intro To Encryption Exercise Problem Alice and Bob wish to play the game Paper, Rock and Scissors. What may be the problems with the game? The.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena.

Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena.
1 Lecture 9 Public Key Cryptography Public Key Algorithms CIS 4362 - CIS 5357 Network Security.

1 Lecture 9 Public Key Cryptography Public Key Algorithms CIS CIS 5357 Network Security.
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Lecture 6.2: Protocols - Authentication and Key Exchange II CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 6.2: Protocols - Authentication and Key Exchange II CS 436/636/736 Spring 2012 Nitesh Saxena.
Lecture 4.2: Hash Functions: Design* CS 436/636/736 Spring 2012 Nitesh Saxena * some slides borrowed from Gene Tsudik.

Lecture 4.2: Hash Functions: Design* CS 436/636/736 Spring 2012 Nitesh Saxena * some slides borrowed from Gene Tsudik.
Lecture 6.1: Protocols - Authentication and Key Exchange I CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 6.1: Protocols - Authentication and Key Exchange I CS 436/636/736 Spring 2012 Nitesh Saxena.
Lecture 5: Protocols - Authentication and Key Exchange CS 436/636/736 Spring 2015 Nitesh Saxena.

Lecture 5: Protocols - Authentication and Key Exchange CS 436/636/736 Spring 2015 Nitesh Saxena.

Similar presentations

Ads by Google