Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 474 Information Systems Security

Published bySophia Phlipot Modified over 9 years ago

Similar presentations

Presentation on theme: "CSC 474 Information Systems Security"— Presentation transcript:

1 CSC 474 Information Systems Security
Topic 3.3: Security Handshake Pitfalls CSC 474 Dr. Peng Ning

2 Authentication Handshakes
Secure communication almost always includes an initial authentication handshake. Authenticate each other Establish session keys This process is not trivial; flaws in this process undermines secure communication This topic is about typical flaws CSC 474 Dr. Peng Ning

3 Authentication with Shared Secret
I’m Alice Alice Bob A challenge R f(KAlice-Bob, R) Weaknesses Authentication is not mutual; Trudy can convince Alice that she is Bob Trudy can hijack the conversation after the initial exchange If the shared key is derived from a password, Trudy can mount an off-line password guessing attack Trudy may compromise Bob’s database and later impersonate Alice CSC 474 Dr. Peng Ning

4 Authentication with Shared Secret (Cont’d)
I’m Alice Alice Bob KAlice-Bob{R} R A variation Requires reversible cryptography Other variations are possible Weaknesses All the previous weaknesses remain Trudy doesn’t have to see R to mount off-line password guessing if R has certain patterns (e.g., concatenated with a timestamp) Trudy sends a message to Bob, pretending to be Alice CSC 474 Dr. Peng Ning

5 Authentication with Public Key
I’m Alice Alice Bob R SigAlice{R} Bob’s database is less risky Weaknesses Authentication is not mutual; Trudy can convince Alice that she is Bob Trudy can hijack the conversation after the initial exchange Trudy can trick Alice into signing something Use different private key for authentication CSC 474 Dr. Peng Ning

6 Authentication with Public Key (Cont’d)
Alice Bob I’m Alice {R}Alice R A variation CSC 474 Dr. Peng Ning

7 Mutual Authentication
Alice Bob I’m Alice R1 f(KAlice-Bob, R1) R2 f(KAlice-Bob, R2) Optimize Alice Bob I’m Alice, R2 R1, f(KAlice-Bob, R2) f(KAlice-Bob, R1) CSC 474 Dr. Peng Ning

8 Mutual Authentication (Cont’d)
Reflection attack Trudy Bob I’m Alice, R2 R1, f(KAlice-Bob, R2) f(KAlice-Bob, R1) Trudy Bob I’m Alice, R1 R3, f(KAlice-Bob, R1) CSC 474 Dr. Peng Ning

9 Reflection Attacks (Con’td)
Lesson: Don’t have Alice and Bob do exactly the same thing Different keys Totally different keys KAlice-Bob = KBob-Alice + 1 Different Challenges The initiator should be the first to prove its identity Assumption: initiator is more likely to be the bad guy CSC 474 Dr. Peng Ning

10 Mutual Authentication (Cont’d)
Password guessing Alice Bob I’m Alice, R2 R1, f(KAlice-Bob, R2) f(KAlice-Bob, R1) Countermeasure Alice Bob I’m Alice R1 f(KAlice-Bob, R1), R2 f(KAlice-Bob, R2) CSC 474 Dr. Peng Ning

11 Mutual Authentication (Cont’d)
Public keys Authentication of public keys is a critical issue Alice Bob I’m Alice, {R2}Bob R2, {R1}Alice R1 CSC 474 Dr. Peng Ning

12 Mutual Authentication (Cont’d)
Mutual authentication with timestamps Require synchronized clocks Alice and Bob have to encrypt different timestamps Alice Bob I’m Alice, f(KAlice-Bob, timestamp) f(KAlice-Bob, timestamp+1) CSC 474 Dr. Peng Ning

13 Integrity/Encryption for Data
Communication after mutual authentication should be cryptographically protected as well Require a session key established during mutual authentication CSC 474 Dr. Peng Ning

14 Establishment of Session Keys
Secret key based authentication Assume the following authentication happened. Can we use KAlice-Bob{R} as the session key? Can we use KAlice-Bob{R+1} as the session key? In general, modify KAlice-Bob and encrypt R. Use the result as the session key. No to both questions. In the second question, Trudy may impersonate Bob and use R+1 as a challenge. As a result, Trudy gets the session key. Alice Bob I’m Alice R KAlice-Bob{R} CSC 474 Dr. Peng Ning

15 Establishment of Session Keys (Cont’d)
Two-way public key based authentication Alice chooses a random number R, encrypts it with Bob’s public key Trudy may hijack the conversation Alice encrypts and signs R Trudy may save all the traffic, and decrypt all the encrypted traffic when she is able to compromise Bob Less severe threat CSC 474 Dr. Peng Ning

16 Two-Way Public Key Based Authentication (Cont’d)
A better approach Alice chooses and encrypts R1 with Bob’s public key Bob chooses and encrypts R2 with Alice’s public key Session key is R1R2 Trudy will have to compromise both Alice and Bob An even better approach Alice and Bob estatlish the session key with Diffie-Hellman key exchange Alice and Bob signs the quantity they send Trudy can’t learn anything about the session key even if she compromises both Alice and Bob CSC 474 Dr. Peng Ning

17 Establishment of Session Keys (Cont’d)
One-way public key based authentication It’s only necessary to authenticate the service Example: SSL Encrypt R with Bob’s public key Diffie-Hellman key exchange Bob signs the D-H public key CSC 474 Dr. Peng Ning

18 Mediated Authentication (With KDC)
KDC operation (in principle) Alice Bob KDC Generate KAB Alice wants Bob KBob{KAB} KAlice{KAB} Some concerns Trudy may claim to be Alice and talk to KDC Trudy cannot get anything useful Messages encrypted by Alice may get to Bob before KDC’s message It may be difficult for KDC to connect to Bob CSC 474 Dr. Peng Ning

19 Mediated Authentication (With KDC)
KDC operation (in practice) Alice Bob KDC Generate KAB Alice wants Bob KBob{KAB} KAlice{KAB}, KBob{KAB} ticket Must be followed by a mutual authentication exchange To confirm that Alice and Bob have the same key CSC 474 Dr. Peng Ning

20 Needham-Schroeder Protocol
Classic protocol for authentication with KDC Many others have been modeled after it (e.g., Kerberos) Nonce: A number that is used only once Deal with replay attacks Alice Bob KDC Generate KAB N1, Alice wants Bob ticket to Bob, KAB{N2} KAlice{N1, “Bob”, KAB, ticket to Bob}, where ticket to Bob = KBob{KAB, Alice} KAB{N21, N3} KAB{N31} CSC 474 Dr. Peng Ning

21 Needham-Schroeder Protocol (Cont’d)
A vulnerability When Trudy gets a previous key used by Alice, Trudy may reuse a previous ticket issued to Bob for Alice Essential reason The ticket to Bob stays valid even if Alice changes her key CSC 474 Dr. Peng Ning

22 Expanded Needham-Schroeder Protocol
Alice Bob KDC Generate KAB; extract NB N1, Alice wants Bob, KBob{NB} ticket to Bob, KAB{N2} KAlice{N1, “Bob”, KAB, ticket to Bob}, where ticket to Bob = KBob{KAB, Alice, NB} KAB{N21, N3} KAB{N31} I want to talk to you KBob{NB} The additional two messages assure Bob that the initiator has talked to KDC since Bob generates NB CSC 474 Dr. Peng Ning

23 Otway-Rees Protocol Only has five messages
NC, “Alice”, “Bob”, KAlice{NA, NC, “Alice”, “Bob”} Alice Bob Generate KAB Extract NB KAlice{NA, NC, “Alice”, “Bob”}, KBob{NB, NC, “Alice”, “Bob”} KDC NC, KAlice{NA, KAB}, KBob{NB, KAB} KAlice{NA, KAB} KAB{anything recognizable} Only has five messages KDC checks if NC matches in both cipher-texts Make sure that Bob is really Bob CSC 474 Dr. Peng Ning

Download ppt "CSC 474 Information Systems Security"

Similar presentations

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.2: IPsec.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.2: IPsec.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.1 Malicious Logic.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.1 Malicious Logic.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.4 Public Key Infrastructure (PKI) Acknowledgment: Slides revised from.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.4 Public Key Infrastructure (PKI) Acknowledgment: Slides revised from.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 3.1 Overview of Authentication.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 3.1 Overview of Authentication.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.6 Kerberos.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.6 Kerberos.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Lecture 10: Mediated Authentication

Lecture 10: Mediated Authentication
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
COS 461 Fall 1997 Todays Lecture u intro to security in networking –confidentiality –integrity –authentication –authorization u orientation for assignment.

COS 461 Fall 1997 Todays Lecture u intro to security in networking –confidentiality –integrity –authentication –authorization u orientation for assignment.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.5 Transport Layer Security.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.5 Transport Layer Security.
CNS2010handout 12 :: crypto protocols1 ELEC5616 computer and network security matt barrie

CNS2010handout 12 :: crypto protocols1 ELEC5616 computer and network security matt barrie
Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.

Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Similar presentations

Ads by Google