Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls."— Presentation transcript:

1 slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls

2 slide 2 Secure Sessions uSecure sessions are one of the most important applications in network security Enable us to talk securely on an insecure network uGoal: secure bi-directional communication channel between two parties The channel must provide confidentiality –Third party cannot read messages on the channel The channel must provide authentication –Each party must be sure who the other party is Other desirable properies: integrity, protection against denial of service, anonymity against eavesdroppers

3 slide 3 Key Establishment Protocols uCommon implementation of secure sessions: establish a secret key known only to two parties Can then use block ciphers for confidentiality, HMAC for authentication, and so on uChallenge: how to establish a secret key using only public information uEven if the two parties share a long-term secret, a fresh key should be created for each session Long-term secrets are valuable; want to use them as sparingly as possible to limit exposure and the damage if the key is compromised

4 slide 4 Key Establishment Techniques uUse a trusted key distribution center (KDC) Every party shares a pairwise secret key with KDC KDC creates a new random session key and then distributes it, encrypted under the pairwise keys –Example: Kerberos uUse public-key cryptography Diffie-Hellman authenticated with signatures –Example: IKE (Internet Key Exchange) One party creates a random key, sends it encrypted under the other party’s public key –Example: TLS (Transport Layer Security)

5 slide 5 Private-Key Needham-Schroeder AliceBob KDC (knows secret keys K Alice and K Bob ) N 1, “I’m Alice, wanna talk to Bob” Creates fresh random session key K AB Encrypt K Alice (N 1,“Bob”,K AB, Encrypt K Bob (K AB,“Alice”)) ticket ticket, Encrypt K AB (N 2 ) Encrypt K AB (N 2 -1, N 3 ) Encrypt K AB (N 3 -1) Fresh, random nonce Another nonce Yet another nonce

6 slide 6 Weird Reflection Attack Bob Encrypt K AB (N 2 -1, N 3 ) uSuppose symmetric encryption is in ECB mode… Bad idea in general Can’t decrypt, but in ECB mode can extract Encrypt K AB (N 3 ) Open a new session with Bob… Alice’s ticket, Encrypt K AB (N 3 ) Encrypt K AB (N 3 -1, N 4 ) Extract Encrypt K AB (N 3 -1) Now successfully authenticate in first session… Encrypt K AB (N 3 -1) Alice’s ticket, Encrypt K AB (N 2 ) Replay an old message from Alice

7 slide 7 Otway-Rees Protocol AliceBob KDC (knows secret keys K Alice and K Bob ) Creates fresh random session key K AB N C, “Alice”, “Bob”, Encrypt K Alice (N A,N C,“Alice”,“Bob”) N C, Encrypt K Alice (N A, K AB ) Encrypt K AB (anything recognizable) This nonce is sent in the clearThis nonce is hidden from Bob Encrypt K Alice (N A,N C,“Alice”,“Bob”) Encrypt K Bob (N B,N C,“Alice”,“Bob”) Bob’s own nonce N C, Encrypt K Alice (N A,K AB ), Encrypt K Bob (N B,K AB ),     

8 slide 8 Brief Analysis of Otway-Rees AliceBob KDC (knows secret keys K Alice and K Bob ) N C, “Alice”, “Bob”, Encrypt K Alice (N A,N C,“Alice”,“Bob”) N C, Encrypt K Alice (N A, K AB ) Encrypt K AB (anything recognizable) Encrypt K Alice (N A,N C,“Alice”,“Bob”) Encrypt K Bob (N B,N C,“Alice”,“Bob”) N C, Encrypt K Alice (N A,K AB ), Encrypt K Bob (N B,K AB ),      Match between these values is the only thing that authenticates Bob to KDC If N C is predictable, attacker can send a bogus message to Bob and fool him into creating Encrypt K Bob (N B,N C,“Alice”,“Bob”). When Alice actually uses N C, attacker will be able to impersonate Bob to KDC. uLesson: randomness of nonces is essential

9 slide 9 Public-Key Needham-Schroeder Alice Bob Encrypt PublicKey(Bob) (“Alice”, N A ) Encrypt PublicKey(Alice) (N A, N B ) Encrypt PublicKey(Bob) (N B ) Alice’s nonce Bob’s nonce Create new key from N A and N B, e.g., N A  N B Alice’s reasoning: The only person who could know N A is the person who decrypted 1 st message Only Bob can decrypt message encrypted with Bob’s public key Therefore, Bob is on the other end of the line Bob is authenticated! Bob’s reasoning: The only way to learn N B is to decrypt 2 nd message Only Alice can decrypt 2 nd message Therefore, Alice is on the other end Alice is authenticated!

10 slide 10 Encrypt PublicKey(Bob) (“Alice”, N A ) Evil Bob tricks honest Alice into revealing Charlie’s secret N c Charlie is convinced that he is talking to Alice! [published by Gavin Lowe] Attack on Needham-Schroeder Alice Bob Bob can’t decrypt this message, but he can replay it to Alice Encrypt PublicKey(Alice) (N A, N C ) Evil Bob pretends that he is Alice Charlie Encrypt PublicKey(Charlie) (“Alice”, N A ) Encrypt PublicKey(Alice) (N A, N C ) Encrypt PublicKey(Bob) (N C )

11 slide 11 Lessons of Needham-Schroeder uYet another example of faulty reasoning Alice is correct that Bob must have decrypted Encrypt PublicKey(Bob) (“Alice”, N A ), but this does not mean that Encrypt PublicKey(Alice) (N A, N B ) came from Bob uIt is important to realize limitations of protocols The attack requires that Alice willingly talk to attacker –Attacker uses a legitimate conversation with Alice to impersonate Alice to Charlie Needham and Schroeder intended this protocol to be used by well-behaved workstations on an insecure network. In their setting, the protocol is correct!

Download ppt "Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls."

Similar presentations

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Lecture 10: Mediated Authentication

Lecture 10: Mediated Authentication
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
CSC 474 Information Systems Security

CSC 474 Information Systems Security
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
CS470, A.SelcukNeedham-Schroeder1 Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukNeedham-Schroeder1 Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor:
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Similar presentations

Ads by Google