370 likes | 568 Views
Authentication of Kerberos and Wireless Communication. Kerberos AMPS IS-95 : A-Key GSM DECT Bluetooth 802.11b. Kerberos. Abbreviation of Kerberos and Two Simple Types of Authentication Dialogue. Abbreviation :. C = client TGS = ticket-granting server
E N D
Authentication of Kerberos andWireless Communication • Kerberos • AMPS • IS-95 : A-Key • GSM • DECT • Bluetooth • 802.11b
Abbreviation of Kerberos andTwo Simple Types of Authentication Dialogue Abbreviation : • C = client TGS = ticket-granting server • AS = authentication server IDtgs = identifier of TGS • V = server • IDC = identifier of user on C • IDV = identifier of V • PC = password of user on C • ADC = network address of C • KV = secret encryption key shared by AS and V A Simple Authentication Dialogue AS shared KV 1. Pc : plaintext 2. Replay attack 3: Pc : each time • C AS : IDC , PC , IDV • AS C : Ticket • C V : IDC , Ticket V C Ticket = Ekv [ IDC , ADC , IDV ] A More Secure Authentication Dialogue shared Ktgs lifetime : short(user) long(replay) • C AS : IDC , IDtgs • AS C : Ekc [Tickettgs] • C TGS : IDC , IDV , Tickettgs • TGS C : TicketV • C V : IDC , TicketV { Once per user logon session AS shared KV TGS { Once per type of service shared KC Once per service session V C Tickettgs = EKtgs [ IDC , ADC , IDtgs , TS1, Lifetime1] TicketV = EKv [ IDC , ADC , IDV , TS2, Lifetime2]
Overview of Kerberos K e r b e r o s S e r v e r A u t h e n t i c a t i o n S e r v e r T i c k e t G r a n t e d S e r v e r A S T G S 1 2 3 4 5 C l i e n t C S e r v e r D 6 1 I D c , I D t g s , T S 1 2 E k c [ K c , t g s , I D t g s , T S , L i f e t i m e , T i c k e t ] 2 2 t g s T i c k e t = E k [ K c , t g s , I D c , A D c , I D t g s , T S , L i f e t i m e ] t g s t g s 2 2 I D v , T i c k e t , A u t h e n t i c a t o r 3 t g s c 4 E k c , t g s [ K c , v , I D v , T S , T i c k e t v ] 4 T i c k e t = E [ K c , v , I D c , A D c , I D v , T S , L i f e t i m e ] v k v 4 4 A u t h e n t i c a t o r = E k c , t g s [ I D c , A D c , T S ] c 3 T i c k e t , A u t h e n t i c a t o r 5 v c E k c , [ T S ] 6 v 5 + 1 A u t h e n t i c a t o r = E k c , [ I D c , A D c , T S ] c v 5
How To Request for Service In Another Realm Kerberos Client 1. Request ticket for local TGS. AS Realm A 2. Ticket for local TGS. 3. Request ticket for remote TGS TGS 4. Ticket for remote TGS 7. Request for remote service 5. Request ticket for remote server. Kerberos 6. Ticket for remote server. AS Realm B TGS Server NOTE : If there are N realms then there must be N(N-1)/2 secure key exchanges so that each Kerberos realm can interoperate with all other Kerberos realms.
我國電子化政府公開金鑰基礎建設之整體架構 National Root 外國政府 PKI Root 外國企業 PKI Root PAA NNCA 經濟部 交通部 研考會 PCA PCA PCA CA1 CA2 CA3 PCA SCA CA11 CA21 CA22 CA31 CA32 PCA 使用者(含自然人, 法人) (設於台灣之外國政府PKI 所屬CA) 憑證授與(階層式) 交互憑證 PAA : Policy Approval Authority PCA : Policy Certificate Authority SCA : Subordinate Certificate Authority NNCA : National Network Certificate Authority
AMPS類比行動電話系統的安全與識別 • 手機識別碼 (Mobile Identification Number; MIN) : 34位元 手機號碼(10進位) 34位元手機識別碼 • 手機序號 (Serial Number) : 32位元 • (1) 唯一且不可變更 (2) 製造廠碼由FCC指配 製造廠碼(8) 保留備用碼(6) 製造序號碼序號(18) 31 24 23 18 17 0 甲機 MSC核對手機識別碼與手機序號對照表 Radio Path 建立呼叫時送出 手機識別碼+ 手機序號 手機 MSC 截收並解碼出 手機識別碼和手機序號 製造拷貝機 乙機
AMPS一號多機(拷貝機)現況及防治: IS-95 A-KEY認證功能 SSD Update Message (RANDSSD) A-Key A-Key RANDSSD RANDSSD SSD_Generation Procedure SSD_Generation Procedure Base Station Challenge Order (RANDBS) SSD_B_NEW SSD_B_NEW RANDBS SSD_A_NEW SSD_A_NEW Auth_Signature Procedure Auth_Signature Procedure Base Station Challenge Confirmation Order (RANDBS) ? AUTHBS = AUTHBS SSD Update Confirmation Order (success) SSD Update Rejection Order (failure) A-Key : 64 bits存在用戶手機永久安全識別記憶體及系統認證中心 SSD(Shared Secret Data) : SSD_A(64 bits) + SSD_B(64 bits), SSD_A :認證 / SSD_B :保密 CAVE(Cellular Authentication and Voice Encryption algorithm) 函數 :認證運算法則, 受美國的國際運輸及武器條例及輸出許可條例所管制
GSM數位行動電話系統的安全與識別(GSM Rec. 02.09) Radio Path Network Side MS (密語) HLR/ AUC VLR/ MSC MS SIM+ME BSS (明語) 安全與識別
+ Cryptographic Functions A3, A8 and A5in GSM Protocol • The components A3, A8, and A5. • A3: one-way function. • A8: one-way function. • A5: one-way encryption/decryption algorithm using Kc. • A5/1: Western Europe, A5/2: other countries (GSM MoU is attempting to establish • A5/2 as the global standard) SRES (32 bits) A3 Authentication RAND (128 bits) TDMA Frame No. (22 bits) Privacy Ki (128 bits) 114 bits A5/2 Ciphertext Data Stream (114 bits) A8 Kc(64 bits) • The repeated cycle of TDMA Frame No. is 3 hrs 28 min 53 sec 760 msec (Range: 0~2,715,647).
Ki 1 IMSI 1 Ki 2 IMSI 2 .... A3 ? = SRES SRES SIM Card A8 A5 A5 GSM數位行動電話系統的安全與識別詳細步驟 HLR/ AUC VLR/ MSC MS SIM+ME TMSI IMSI RAND RAND AUC RAND Gen. A3 } (RAND,SRES,Kc ) . . (RAND,SRES,Kc ) 5 A8 RAND Ki AUC Database SRES RAND 識別 Ki 加/解密 Kc Kc 密語 明語 明語
Mobile Equipment(ME) Identity Procedure in GSM System VLR/ MSC MS SIM+ME EIR TMSI IMEI Request IMEI IMEI Access/Barring
? = RES RES Eavesdropping and Unauthorized Use are Impossible with DECT : Privacy and Authentication Radio Path VLR HLR FP PP Network Side ID K K • easy • security problem • VLR : A11, A12 RS RS, RAND_F RS, RAND_F, RES, KS RAND_F • similar as GSM • VLR does not • know K • VLR : No need of • A11 and A12 RES A12 Authentication RS, KS KS • VLR choose • RAND_F • RS and KS can • be reused • VLR : A12 • Traffic between HLR • and VLR can be reduced Privacy Ciphertext A11 Encryption Key
Generation of Bluetooth Initialization Key L=Length (PIN) L’=Length (PIN’)
IEEE 802.11b SecurityWired Equivalent Privacy (WEP) Encryption
Integrity Check Value (ICV) Secret Key Plaintext Key Sequence Seed RC4 || IV ICV’ Integrity Algorithm Ciphertext ICV-ICV’? Message WEP Decryption C RC4(IV,k) =( P RC4(IV,k) ) RC4(IV,k) = P = <M,c(M)> Check c(M)
Authentication of 802.11b There are two types of authentication 1. Open system authentication. This is the default authentication service that does not has any authentication. 2. Shared key authentication. This involves a shared secret key to authenticate the station to the AP(access point).
Shared key authentication • The challenge text(128bytes) is generated by using the WEP pseudo-random number generator(PRNG) with the shared secret and a random initialization vector(IV).
Security Flaws The risks of keystream reuse If C1= P1RC4(IV,k) and C2= P2RC4(IV,k) then C1 C2 = ( P1RC4(IV,k)) ( P2RC4(IV,k)) = P1 P2 • The WEP standard recommends(but does not require) that the IV be changed after every packet.
Reuse Initialization Vector • The IV field used bye WEP is only 24 bits wide, nearly guaranteeing that the same IV will be reused for multiple messages. packet size 2000-byte at average 5Mbps bandwidth ( ( (2000 8)/(5 106)) 224)/3600=14 hours • PCMCIA cards that they tested reset the IV to 0 each time it’s re-initialized, and the IV is incremented by one for each packet.
Decryption Dictionaries • Some access points transmit broadcast messages in plaintext and encrypted form when access control is disabled. • The attacker can build a table of the keystream corresponding to each IV. • It does not matter if 40 bits or 104 bits shared secret key use as the attack centers on the IV collision.
Message Modification • The WEP checksum is a linear function of the message. • may be chosen arbitrarily bye the attacker • A(B) : <IV, C> • (A)B : <IV, C’> • C’= C < ,c()> = RC4(IV,k) <M, c(M)> < ,c()> = RC4(IV,k) <M , c(M) c()> = RC4(IV,k) <M , c(M )> = RC4(IV,k) <M’, c(M’)> M’=M
Message Injection • It is possible to reuse old IV values without triggering any alarms at the receiver. • That is, if attacker ever learns the complete plaintext P of any given ciphertext packet C, he can recover keystream used to encrypt the packet. P C = P (PRC4(IV,k))= RC4(IV,k) (A)B : <IV,C’> where C’= <M’, c(M’) > RC4(IV,k)
Authentication Spoofing • The message injection attack can be used to defeat the shared-key authentication mechanism used by WEP. • The attacker learns both the plaintext challenge sent by the access point and the encrypted version sent by the mobile station.