Lecture 6.2: Protocols - Authentication and Key Exchange II
CS 436/636/736 Spring 2012
Nitesh Saxena

Course Admin
• HW2 solution emailed
• Grading ongoing
• Exam study topics emailed
Protocols: Authentication and Key Exchange

Course Admin
• Mid-Term Exam
  • On March 08
  • In class, from 11am-12:15pm
  • Covers lectures up to Feb 23
  • In-class review on Mar 06 (Tuesday)
  • Strictly closed-book (no cheat-sheets are allowed)
  • A sample exam will be provided as we near the exam date

Outline of Today’s lecture
• Today we try to put everything together
  • Encryption (public-key/private-key)
  • MACs
  • Signing
  • Key-Distribution
• Secure protocols (for secure communication)
  • Authentication
    • We studied it somewhat while talking about key distribution
  • (Authenticated-) Key Exchange
• Designing secure protocols is hard – we’ll only be able to learn the basics today
• We’ll use the board extensively today – be prepared to take notes

MAC-based Authentication
• A -> B: A, r_A
• B -> A: r_B, HMAC_K(r_B, r_A, A)
• A -> B: HMAC_K(r_A, r_B, B)
• Faster than enc-based protocols (computationally)

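The three flows above as runnable code. This is an added example, not part of the original slides; HMAC-SHA256, 16-byte nonces, the length-prefixed field encoding and all function names are assumptions. It also shows that B's own tag from message 2 cannot be reflected back as message 3, because the two MAC inputs differ in field order and identity.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.digest()

def b_respond(key: bytes, id_a: bytes, r_a: bytes):
    """Message 2, B -> A: r_B, HMAC_K(r_B, r_A, A)."""
    r_b = secrets.token_bytes(16)
    return r_b, mac(key, r_b, r_a, id_a)

def a_finish(key: bytes, id_a: bytes, id_b: bytes, r_a: bytes, r_b: bytes, tag2: bytes):
    """A verifies message 2; on success returns message 3, HMAC_K(r_A, r_B, B)."""
    if not hmac.compare_digest(tag2, mac(key, r_b, r_a, id_a)):
        return None  # B did not prove knowledge of K for this r_A
    return mac(key, r_a, r_b, id_b)

def b_verify(key: bytes, id_b: bytes, r_a: bytes, r_b: bytes, tag3) -> bool:
    """B accepts A only if message 3 covers both nonces and B's own name."""
    return tag3 is not None and hmac.compare_digest(tag3, mac(key, r_a, r_b, id_b))

def handshake(key_a: bytes, key_b: bytes, reflect: bool = False) -> bool:
    """Run the three flows; reflect=True replays B's own tag as message 3."""
    id_a, id_b = b"A", b"B"
    r_a = secrets.token_bytes(16)                 # message 1: A, r_A
    r_b, tag2 = b_respond(key_b, id_a, r_a)       # message 2
    tag3 = tag2 if reflect else a_finish(key_a, id_a, id_b, r_a, r_b, tag2)
    return b_verify(key_b, id_b, r_a, r_b, tag3)  # message 3

if __name__ == "__main__":
    k = secrets.token_bytes(32)                   # constructed shared key
    print("same key:      ", handshake(k, k))
    print("different keys:", handshake(k, secrets.token_bytes(32)))
    print("reflected tag: ", handshake(k, k, reflect=True))
```
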
Public-key based authentication (Needham-Schroeder (NS) pk-based)
• Assuming public keys are distributed through CA(s)
• A -> B: Enc_pkb(r_A, A)
• B -> A: Enc_pka(r_A, r_B)
• A -> B: Enc_pkb(r_B)

Attack and fix on PK-based NS protocol
• Attack:
• Fix:
  • A -> B: Enc_pkb(r_A, A)
  • B -> A: Enc_pka(r_A, r_B, B)
  • A -> B: Enc_pkb(r_B)

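What the extra identity B in message 2 lets the initiator check, as a symbolic model. This is an added example, not part of the original slides; encryption is modelled as a tagged tuple rather than real cryptography, and the third party C and all function names are assumptions. A starts a run with C, and the message 2 that comes back was actually built by B.

```python
import secrets

def enc(owner: str, *payload):
    """Symbolic public-key encryption: only `owner` can open the result."""
    return ("enc", owner, payload)

def dec(me: str, ct):
    _, owner, payload = ct
    if owner != me:
        raise PermissionError(f"{me} cannot decrypt a message for {owner}")
    return payload

def responder_msg2(me: str, msg1, fixed: bool):
    """Responder opens message 1 and answers the identity claimed inside it."""
    r_init, claimed = dec(me, msg1)
    r_resp = secrets.token_hex(8)
    body = (r_init, r_resp, me) if fixed else (r_init, r_resp)
    return enc(claimed, *body)

def initiator_accepts(me: str, peer: str, r_init: str, msg2, fixed: bool) -> bool:
    """Initiator's check on message 2; the fix adds the peer-identity comparison."""
    body = dec(me, msg2)
    if body[0] != r_init:
        return False
    return body[2] == peer if fixed else True

def run(fixed: bool, forwarded: bool) -> bool:
    """A starts a run with C. If forwarded, C re-encrypts message 1 to B,
    so the message 2 that reaches A was built by B, not by C."""
    r_a = secrets.token_hex(8)
    msg1 = enc("C", r_a, "A")                  # A -> C: Enc_pkc(r_A, A)
    if forwarded:
        msg1 = enc("B", *dec("C", msg1))       # C -> B: Enc_pkb(r_A, A)
        msg2 = responder_msg2("B", msg1, fixed)
    else:
        msg2 = responder_msg2("C", msg1, fixed)
    return initiator_accepts("A", "C", r_a, msg2, fixed)

if __name__ == "__main__":
    print("original, forwarded run accepted:", run(fixed=False, forwarded=True))
    print("fixed,    forwarded run accepted:", run(fixed=True, forwarded=True))
    print("fixed,    direct run accepted:   ", run(fixed=True, forwarded=False))
```

In the original protocol A accepts the forwarded run and would go on to send Enc_pkc(r_B), handing B's nonce to C; with the fix A sees B's name where it expected C and stops.
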
Signature-based authentication (assuming public keys are distributed through CA)
A auth B
• A -> B: Hi Bob, this is Alice!
• B -> A: r (a challenge)
• A -> B: Sig_SKa(r, B) (response)
A auth B, B auth A (run two copies; piggyback common flows)
• A -> B: A, r_A (could sign this too)
• B -> A: r_B, Sig_SKb(r_B, r_A, A)
• A -> B: Sig_SKa(r_A, r_B, B)

Authenticated Key Exchange (AKE)
• Public-key operations are costly
• Why not
  • use public-key mutual authentication protocols to exchange a symmetric key
  • use this symmetric key with a symmetric encryption to secure subsequent communication

Security Notion for AKE
• Launch protocol between any pair
• Reveal all session keys except one
• Try to distinguish the key of the unrevealed session from random
• This captures: the compromise of other sessions should not lead to the compromise of any other session

• A -> B: A, r_A, Enc_PKb(K) (must sign this too??)
• B -> A: r_B, Sig_SKb(r_B, r_A, A)
• A -> B: Sig_SKa(r_A, r_B, B)
• A and B output K as the authenticated key
• Such a protocol can be instantiated using RSA encryption/signing
• The way SSL/SSH establishes a key
  • But, generally only the server authenticates to the client, not vice versa

X.509: One-Way Authentication
• 1 message (A->B) used to establish
  • the identity of A and that message is from A
  • message was intended for B
  • integrity & originality of message
Message 1, A -> B: A{ta, ra, B, sgnData, KUb[Kab]}
ta = timestamp, ra = nonce, B = identity, sgnData = signed with A’s private key

X.509: Two-Way Authentication
• 2 messages (A->B, B->A) which also establishes in addition:
  • the identity of B and that reply is from B
  • that reply is intended for A
  • integrity & originality of reply
Message 1, A -> B: A{ta, ra, B, sgnData, KUb[Kab]}
Message 2, B -> A: B{tb, rb, A, sgnData, KUa[Kba]}

X.509: Three-Way Authentication
• 3 messages (A->B, B->A, A->B) which enables above authentication without the need for synchronized clocks
Message 1, A -> B: A{ta, ra, B, sgnData, KUb[Kab]}
Message 2, B -> A: B{tb, rb, A, sgnData, KUa[Kab]}
Message 3, A -> B: A{rb}

Discrete Logarithm Assumption
• p, q primes such that q | p-1
• g’ is a generator of Z_p*
• g is an element of order q and generates a group G_q of order q; g = g’^((p-1)/q)
• x in Z_q, y = g^x mod p
• Given (p, q, g, y), it is computationally hard to compute x
  • No polynomial time algorithm known
  • p should be 1024 bits and q 160 bits
• x becomes the private key and y becomes the public key

Example of DL-based system
• Let’s construct an example
• KeyGen:
  • p = 11, q = 2 or 5; let’s say q = 5
  • 2 is a generator of Z_11*
  • g = 2^2 = 4
  • x = 2; y = 4^2 mod 11 = 5

Diffie-Hellman (DH) Key Exchange
• A -> B: K_a = g^a mod p
• B -> A: K_b = g^b mod p
• A outputs K_ab = K_b^a
• B outputs K_ba = K_a^b
• Note K_ab = K_ba = g^ab mod p

Security of DH key exchange
• No authentication of either party
• Secure only against a passive adversary
  • Under the computational Diffie-Hellman assumption
  • Given (g, g^a, g^b), hard to compute g^ab
• Not secure against an active attacker
  • Man-in-the-middle attack…

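The toy group from the KeyGen slide (p = 11, q = 5, g = 4) carried through a DH exchange, first untouched and then with both public values replaced in transit. This is an added example, not part of the original slides; the exponents a = 2, b = 3, m = 4 and the function names are constructed for illustration. It shows why the exchange needs authentication: each endpoint still computes a valid-looking key, and nothing in the DH arithmetic reveals that the two keys differ.

```python
P, Q = 11, 5                      # the page's toy primes, q | p - 1
G = pow(2, (P - 1) // Q, P)       # g = g'^((p-1)/q) with g' = 2, so g = 4

def public(x: int) -> int:
    """y = g^x mod p for a private exponent x in 1..q-1."""
    if not 0 < x < Q:
        raise ValueError("private exponent must be in 1..q-1")
    return pow(G, x, P)

def agree(priv: int, peer_pub: int) -> int:
    """Shared value: (peer's public value)^priv mod p."""
    return pow(peer_pub, priv, P)

def exchange(a: int, b: int, m=None):
    """Return (A's key, B's key, keys held by an in-path party).
    With m set, both public values are replaced in transit by g^m."""
    k_a, k_b = public(a), public(b)
    if m is None:
        return agree(a, k_b), agree(b, k_a), ()
    k_m = public(m)
    return agree(a, k_m), agree(b, k_m), (agree(m, k_a), agree(m, k_b))

if __name__ == "__main__":
    print("KeyGen x=2 -> y =", public(2))
    print("untouched exchange:", exchange(2, 3))
    print("values replaced:   ", exchange(2, 3, m=4))
```
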
Authenticated DH Key Exchange
• A -> B: K_a = g^a mod p
• B -> A: Cert_b, K_b = g^b mod p, Enc_Kba[Sig_SKb(K_b, K_a)]
• A -> B: Cert_a, Enc_Kab[Sig_SKa(K_a, K_b)]
• A outputs K_ab = K_b^a
• B outputs K_ba = K_a^b

Summary
• Designing secure protocols is not easy
  • Becomes harder in a concurrent setting, where there are multiple parties, executing multiple instances of the protocols simultaneously
  • Becomes even harder as the number of parties increases; n-party or group setting
• Use the protocols that are well-studied and standardized
• While designing a protocol, consider
  • Reflection attacks
  • Replay attacks
  • Eliminating any symmetry in the messages

Further Reading
• HAC – chapter 10
• Stallings – Chapter 15