770 likes | 907 Views
CIS/TCOM 551 Computer and Network Security Slide Set 5. Carl A. Gunter Spring 2004. Protocols. Overview Entity Authentication Key Establishment. General Definition of “Protocol”.
E N D
CIS/TCOM 551Computer and Network SecuritySlide Set 5 Carl A. Gunter Spring 2004
Protocols • Overview • Entity Authentication • Key Establishment
General Definition of “Protocol” • A protocol is a multi-party algorithm, defined by a sequence of steps precisely specifying the actions required of two or more parties in order to achieve a specified objective.
Protocol Sample Threat • Common strategy. • Encrypt for confidentiality. • Sign for integrity. • Is it better to sign then encrypt? • Or is it better to encrypt then sign? • There is a pitfall.
Messages • P -> R : ER(M, DP(M)) • R decodes with DR • Verifies with EP: • EP(DP(M)) = M ? • P -> R : ER(M), DP(ER(M)) • R decodes with DR • Verifies with EP: • EP(DP(ER(M))) = ER(M) ?
Pitfall • Interception Scenario • P -> O (R) : ER(M), DP(ER(M)) • O -> R : ER(M), DO(ER(M)) • R might think that M came from O. • Is this really a problem? • To be safe: sign then encrypt.
Foundations of Authentication • Authentication is based on one or more of the following: • Something you know. • Something you have. • Something inherent about you.
Entity Authentication • Aims and Threats • Weak Security: Passwords • Strong Security: Challenge-Response
Typical Setup Identification Authentication Userid: Password: Claimant Verifier Terminology: identification will be used to refer to the combination of claimed identity and its authentication.
Aim • For honest parties, the claimant A is able to authenticate itself to the verifier B. That is, B will complete the protocol having accepted A’s identity.
Threats • Transferability: B cannot reuse an identification exchange with A to successfully impersonate A to a third party C. • Impersonation: The probability is negligible that a party C distinct from A can carry out the protocol in the role of A and cause B to accept it as having A’s identity.
Assumptions • A large number of previous authentications between A and B may have been observed. • The adversary C has participated in previous protocol executions with A and/or B. • Multiple instances of the protocol, possibly instantiated by C, may be run simultaneously.
Attacks Not Addressed • Identification affirms that communication with the expected party occurred at a given point in time. • Two active attacks are not addressed: • Usurpation: The session beginning with the identification is “usurped” by the attacker as a man-in-the-middle. • Grand Master Postal Attack Problem: A man-in-the-middle relays messages between two parties without changing them.
Unix Passwords • Humans need memorable keys, care must be taken to use these keys properly. • Password Security: A Case History, Robert Morris and Ken Thompson, CACM v22(1979), 594-597.
Make a File of Passwords • At first Unix was implemented with a password file holding the actual passwords of users. • This was vulnerable to many lapses • Copies were made by privileged users • Copies were made by bugs: classic example posted password file on daily message file • Physical access to backup was a vulnerability • Information from the password file needed to be replicated into many other files
First Approach • Encrypt the passwords and keep the encrypted version. • Take the password from the user, encrypt it, and compare with password file entry. • Problems • poor user selection of passwords • online dictionary attack • On a PDP-11/70 it was possible to compute the encryptions of all passwords using 6 lower-case letters in about 107 hours.
Heuristics for Guessing • The dictionary with the words spelled backwards • A list of first names (best obtained from some mailing list). Last names, street names, and city names also work well. • The above with initial upper-case letters. • All valid license plate numbers in your state. (About 5 hours work in 1979 for New Jersey.) • Room numbers, social security numbers, telephone numbers, and the like.
A Survey of 3,289 Passwords • With no constraints on choice of password, Morris and Thompson got the following results: • 15 were a single ASCII letter. • 72 were strings of two ASCII letters. • 464 were strings of three ASCII letters. • 47 were strings of four alphanumerics. • 706 were five letters, all upper-case or all lower-case. • 605 were six letters, all lower case.
Risk in Password Restrictions • An installation required users to accept a machine-selected password. • These were 8 characters long (lower case and digits) and generated from a pseudorandom number generator. • There were only 2**15 starting values (seeds). • Time to search strings of length 8 required 112 years (on machines of the time). • Time to check 2**15 seeds, not long!
Improvements to First Approach • Slower encryption: use password to create a key, then encrypt a constant using 25 iterations of the DES algorithm. • Enforce password rules. • “Mess up” DES: change algorithm so that stock hardware cannot be used.
Slowing Dictionary Attacks • “Salt” the passwords by adding random bits. • Makes dictionary attacks more expensive. • Decreases the likelihood that two identical passwords will appear as identical entries in the password file. • 12 bit salt results in 4,096 versions of each password.
Classic Unix Crypt – part 1 • Supplied by the user: a password P, truncated to 8 characters by the system. • Held by the system: a 77 bit value consisting of a 12 bit salt S and cryptographic hash derived as follows. • Pad password with zeros if necessary to get 56 bit key K.
Classic Unix Crypt – part 2 • Create a modified DES with expansion permutations (32 to 48 bits) determined by S. • Use K as a DES key to encrypt a 64 bit block of zeros, running the encryption 25 times. • This yields a 64 bit ciphertext. Add the 12 bit salt and represent this as 11 7-bit characters.
One Time Passwords • Shared lists. • Sequentially updated. • One-time password sequences based on a one-way function.
Hash-based 1-time Passwords • A claimant identifies itself to verifier B using a one-way hash function H. • One-time setup. • A chooses a secret w. • Fixes a constant t for the number of times the verification can be done. • A securely transfers H**t(w) to B. • Protocol messages. For the i’th identification where 1 <=i <= t: • A -> B: A, i, H**(t-i)(w)
Hash-based 1-time Passwords • Protocol actions. For session i, claimant A does the following to identify itself: • A computes w’ = H**(t-i)(w) and transmits the value to B. • B checks that i is the correct session (ie. that the previous session was i-1) and checks to see if H(v) = w’ where v was the last value provided by A (as part of session i-1). • B saves w’ and i for use in the next session.
Challenge-Response • Background. • Random numbers (nonces). • Sequence numbers. • Timestamps. • Symmetric keys. • With timestamps or random numbers. • MAC’s. • Asymmetric keys. • With encryption or signature.
Replay • Replay is the treat in which a transmission is observed by an eavesdropper who subsequently reuses it as part of a protocol, possibly to impersonate the original sender. • Example: monitor the first part of a telnet session to obtain a sequence of transmissions sufficient to get a log-in. • There are 3 general strategies for defeating replay attacks: nonces, timestamps, and sequence numbers.
Random Numbers • A random number is a number chosen unpredictably in a range. • In a challenge-response protocol they are used as follows. • The verifier chooses a (new) random number and provides it to the claimant. • The claimant performs an operation on it showing knowledge of a secret. • This information is bound inseparably to the random number and returned to the verifier for examination. • A timeout period is used to ensure “freshness”.
Sequence Numbers • Sequence numbers provide a sequential or monotonic counter on messages. • If a message is replayed and the original message was received, the replay will have an old or too-small sequence number and be discarded. • Cannot detect forced delay. • Difficult to maintain when there are system failures.
Time Stamps • The claimant sends a message with a timestamp. • The verifier checks that it falls within an acceptance window of time. • The last timestamp received is held, and identification requests with older timestamps are ignored. • Good only if clock synchronization is close enough for acceptance window.
Unilateral Symmetric Key • Unilateral authentication with timestamp generated by A. • A -> B : E(K, (t, B)) • Unilateral authentication with random number generated by B. • B -> A : r • A -> B : E(K, (r, B))
Mutual Symmetric Key • Using random numbers: • B -> A: rB • A -> B: E(K, (rA, rB, B)) • B -> A: E(K, (rB, rA))
Mutual MAC Function • Let H be a hash function and K be a shared secret between A and B. • B -> A: rB • A -> B: rA, H(K, (rA, rB, B)) • B -> A: H(K, (rB, rA, A))
Passkey Systems Claimant A Verifier B Secret Database Login Request Passcode Generator PIN A S S e Challenge Generator F PIN F (challenge) y Compare Display (response)
Unilateral Public Key Decryption • Encryption under A’s public key is EA: • B -> A : H(r), B, EA(r, B) • A -> B : r • The witness H(r) shows knowledge of r and prevents chosen plaintext attacks on EA.
Mutual Public Key Decryption • Let EA and EB be the encryption functions for the public keys of A and B respectively. • A -> B: EB(rA, A) • B -> A: EA(rA, rB) • A -> B: rB
Unilateral Digital Signatures • Let SA and SB be the signature functions of A and B respectively. • Unilateral authentication with timestamps: • A -> B: t, B, SA(t, B) • Unilateral authentication with random numbers: • B -> A: rB • A -> B: rA, B, SA(rA, rB, B) • The rA prevents chosen plaintext attacks.
Mutual Digital Signatures • Using random numbers. • B -> A: rB • A -> B: rA, B, SA(rA, rB, B) • B -> A: A, SB(rB, rA, A)
Primary Attacks • Impersonation. • Replay. • Interleaving. • Reflection. • Forced delay. • Chosen plaintext.
Primary Controls • Replay: use of challenge-response techniques and embedding target identity in response. • Interleaving: link messages in a run with chained nonces. • Reflection: embed identifier of target party in challenge response, use asymmetric message formats, use uni-directional keys.
Primary Controls, continued • Chosen text: embed self-chosen random numbers (“confounders”) in responses, use “zero knowledge” techniques. • Forced delays: use random numbers with short timeouts, use timestamps with other techniques.
Multiple Use of Keys • There are risks in using keys for multiple purposes. • Using an RSA key for both entity authentication and signatures may allow a chosen-text attack. • B attacker/verifier, rB=H(M) for some message M. • B -> A: rB • A -> B: B, SA(rB) • B(A) -> C: M, SA(H(M)) B, pretending to be A
Effective Control • Notice how the protocol described earlier foils this. Here’s the protocol: • B -> A: rB • A -> B: rA, B, SA(rA, rB, B) • Here’s what happens: • B -> A: rB • A -> B: rA, B, SA(rA, rB, B) • B(A) -> C: M, SA(rA, H(M), B) • C finds that SA(rA, H(M), B) SA(H(M)) and rejects the signature.
Usurpation Attacks • Identification protocols provide assurances corroborating the identity of an entity only at a given instant in time. • Techniques to assure ongoing authenticity: • Periodic re-identification. • Tying identification to an ongoing integrity service. For example: key establishment and encryption.
Key Establishment • Symmetric keys. • Point-to-Point. • Needham-Schroeder. • Kerberos. • Asymmetric keys. • X.509 key establishment. • Attack example. • Station To Station (STS) protocol. • Bellovin-Merritt protocol.
Symmetric Keys • Key establishment using only symmetric keys requires use of pre-distribution keys to get things going. • These can be based on: • Point to point distribution, or • Key Distribution Center (KDC).