Multiprotocol Attacks and the Public Key Infrastructure* Jim Alves-Foss Center for Secure and Dependable Software University of Idaho


1 Multiprotocol Attacks and the Public Key Infrastructure*
Jim Alves-Foss
Center for Secure and Dependable Software, University of Idaho
http://www.cs.uidaho.edu
*Supported in part by NSA Grant MDA 904-1-0108

October 6, 1998, Multiprotocol Attacks, Jim Alves-Foss

2 What are Multiprotocol Attacks?
- Multiprotocol Attack
  - Interleaves messages from two separate protocols to attack one of them.
  - The attacked protocol is subverted using either:
    - An incidental collision with another protocol.
    - A deliberately tailored protocol.
  - An attacker may successfully masquerade as client A to server B using protocol P, even if A does not support P.

3 Why the Public-Key Infrastructure
- Attacks in this work are specific to public-key protocols.
  - Work for a shared, certified key.
  - Work for newly generated, self-certified keys.
  - Work for fully signed messages, or signed hashes of messages.
  - Work against public-key usage for privacy.
- May not work against all private-key protocols.

4 Cryptographic Protocol Notation
- Encryption
  - {…}K_AB - Using private key shared between A and B
  - {…}K_A - Using the public part of A’s public key
  - {…}K_A^-1 - Using the private part of A’s public key
- Other Techniques
  - H(…) - Hashing
  - R_A - random value generated by A (for use as a nonce or part of a Diffie-Hellman key-distribution)

5 A “Secure” Protocol
“Protocol 1 - mutual authentication”
[Message-sequence diagram; labels A, B. Messages, in order of appearance: R_A; {A, R_B, R_A}K_B^-1; {B, R_B}K_A^-1]
Adapted from: Blake-Wilson and Menezes. “Entity Authentication and Authenticated Key Transport Protocols Employing Asymmetric Techniques”. In Proc. Security Protocols, 1997 (LNCS 1361), pp. 137-158.

6 Simple Tailoring of a Protocol
“Protocol 2 - one-way authentication”
[Message-sequence diagram; labels M, A, B. Messages, in order of appearance: R_B; {B, R_B}K_A^-1]
Adapted from: Kelsey, Schneier and Wagner. “Protocol Interactions and the Chosen Protocol Attack”. In Proc. Security Protocols, 1997 (LNCS 1361), pp. 91-104.

7 Attack Against B in Protocol 1
[Message-sequence diagram; labels M, A, B, E_A, E_B. Messages, in order of appearance: R_B; {B, R_B}K_A^-1; R_A; {A, R_B, R_A}K_B^-1; {B, R_B}K_A^-1]

8 A Portion of a “Secure” Protocol
“Protocol 3 - Portion of a Key Distribution Protocol”
[Message-sequence diagram; labels A, B. Messages, in order of appearance: {B, M_1, M_2, M_3, K_AB, M_4, R_B}K_A; {A, B, R_B}K_AB]

9 Simple Tailoring of a Protocol
“Protocol 4 - Tailored Decoding Protocol”
[Message-sequence diagram; labels A, E. Messages, in order of appearance: {B, M_1, M_2, M_3, R_B1, M_4, R_B2}K_A; {A, E, R_B1, R_B2}K_E]

10 Attack Against B in Protocol 3
[Message-sequence diagram; labels A, B, E, E_A. Messages, in order of appearance: {B, M_1, M_2, M_3, K_AB, M_4, R_B}K_A; {A, B, R_B}K_AB; {E, M_1, M_2, M_3, R_B1, M_4, R_B2}K_A; {A, E, R_B1, R_B2}K_E]

11 Protection Against Tailored Protocol Attacks
- Why do the attacks occur?
  1. Keys (even certified keys) may be shared between multiple protocols.
  2. Tailored (or chosen) protocol is installed on a victim’s machine.

12 Protection Against Tailored Protocol Attacks
- How do we stop the attacks?
- Kelsey et al.:
  - Limit the scope of the key
  - Uniquely identify each application, protocol, version and protocol step
  - All protocols should have a fixed unique identifier in a fixed position in the message
  - Tie the unique identifier to encryption
  - Include support in smartcards

13 Protection Against Tailored Protocol Attacks
- Do these work?
  - For smartcards they may, but not for general computers.
  - Requirements that insist on a unique identifier assume that protocols follow the rules; a tailored protocol need not follow the rules.
  - Without these identifiers, we cannot limit key usage to a particular protocol.

14 Solution
- What is the solution?
  - We must limit key usage to protected/trusted subsystems.
  - The subsystems must only allow encryption by certified applications (those that follow the rules).
  - Operating system security must be in place to protect subsystems and stored keys.

15 Challenges
- Enhance PKI certificates to include protocol limitations
- Develop specific guidelines for protocol message content identifiers
- Enforce guidelines, limitations, and trust model in key management and crypto packages for protocols
- Establish protocol certification authority
- Prevent user apps from accessing certified keys

16 Suggested Protocol Architecture
- Develop a protocol message specification language.
- The protocol developer obtains certification of protocol message set, and releases to application developers
- Protocol application submits certification to crypto library to establish protocol
- Subsequent calls to crypto library specify protocol and message identifiers; crypto library performs operation ONLY if message format matches specification
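
An added example, not from the slides or the author's code: a sketch of the crypto-library gate described on slide 16, which signs only messages matching a registered specification and binds the protocol and step identifiers into the signed bytes, so the {B, R_B} message that Protocol 1 and Protocol 2 share no longer verifies across protocols. The protocol names, field names, key and nonce are constructed, and HMAC-SHA256 stands in for the private-key operation {…}K_A^-1, so the verifier here holds the same key.

```python
import hashlib
import hmac

# Constructed specs: (protocol, step) -> required fields, in signing order.
# Protocol 1 step 3 and Protocol 2 step 2 on the slides both sign {B, R_B}.
CERTIFIED_SPECS = {
    ("P1-mutual-auth", 3): ("peer", "peer_nonce"),
    ("P2-one-way-auth", 2): ("peer", "peer_nonce"),
}

def encode(fields):
    """Length-prefix each field so boundaries cannot be shifted."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

class GuardedSigner:
    """Keeps A's key private to the library; signs only certified formats."""

    def __init__(self, key, specs):
        self._key, self._specs = key, dict(specs)

    def _tag(self, data):
        # HMAC-SHA256 stands in for the private-key operation {...}K_A^-1.
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def sign_unbound(self, fields):
        """What the slides attack: signed bytes that name no protocol."""
        return self._tag(encode(fields))

    def sign(self, protocol, step, message):
        spec = self._specs.get((protocol, step))
        if spec is None or set(message) != set(spec):
            raise PermissionError("not a certified message format")
        header = [protocol.encode(), str(step).encode()]
        return self._tag(encode(header + [message[name] for name in spec]))

    def verify(self, protocol, step, message, tag):
        try:
            return hmac.compare_digest(self.sign(protocol, step, message), tag)
        except PermissionError:
            return False

def demo():
    a = GuardedSigner(b"constructed-demo-key-for-A", CERTIFIED_SPECS)
    msg = {"peer": b"B", "peer_nonce": bytes(range(16))}  # constructed R_B
    raw = [msg["peer"], msg["peer_nonce"]]
    # Unbound: A's Protocol 2 reply doubles as Protocol 1's final message.
    unbound_collides = a.sign_unbound(raw) == a.sign_unbound(list(raw))
    # Bound: the same reply, obtained through Protocol 2, fails in Protocol 1.
    p2_tag = a.sign("P2-one-way-auth", 2, msg)
    return (unbound_collides,
            a.verify("P1-mutual-auth", 3, msg, p2_tag),
            a.verify("P2-one-way-auth", 2, msg, p2_tag))
```

`demo()` returns whether the unbound signatures collide, whether a Protocol 2 signature is accepted as Protocol 1 step 3, and whether it is accepted in its own protocol.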

