300 likes | 321 Views
This lecture covers primary attacks and controls in network security, including impersonation, replay, interleaving, reflection, forced delay, and chosen plaintext attacks. It also discusses the risks of using keys for multiple purposes, key establishment protocols, and the Kerberos authentication system.
E N D
CSE331:Introduction to Networksand Security Lectures 26 & 27 Fall 2002
Announcements • Project 3 is due on Nov. 18th CSE331 Fall 2002
Primary Attacks • Impersonation. • Replay. • Interleaving. • Reflection. • Forced delay. • Chosen plaintext. CSE331 Fall 2002
Primary Controls • Replay: use of challenge-response techniques and embedding target identity in response. • Interleaving: link messages in a run with chained nonces. • Reflection: embed identifier of target party in challenge response, use asymmetric message formats, use uni-directional keys. CSE331 Fall 2002
Primary Controls, continued • Chosen text: embed self-chosen random numbers (“confounders”) in responses, use “zero knowledge” techniques. • Forced delays: use random numbers with short timeouts, use timestamps with other techniques. CSE331 Fall 2002
Multiple Use of Keys • There are risks in using keys for multiple purposes. • Using an RSA key for both entity authentication and signatures may allow a chosen-text attack. • B attacker/verifier, rB=H(M) for some message M. • B -> A: rB • A -> B: B, EA(rB) • B(A) -> C: M, EA(H(M)) B, pretending to be A CSE331 Fall 2002
Effective Control • Notice how the protocol described earlier foils this. Here’s the protocol: • B -> A: rB • A -> B: rA, B, SA(rA, rB, B) • Here’s what happens: • B -> A: rB • A -> B: rA, B, EA(rA, rB, B) • B(A) -> C: M, EA(rA, H(M), B) • C finds that EA(rA, H(M), B) EA(H(M)) and rejects the signature. CSE331 Fall 2002
Usurpation Attacks • Identification protocols provide assurances corroborating the identity of an entity only at a given instant in time. • Techniques to assure ongoing authenticity: • Periodic re-identification. • Tying identification to an ongoing integrity service. For example: key establishment and encryption. CSE331 Fall 2002
Key Establishment • Symmetric keys. • Point-to-Point. • Needham-Schroeder. • Kerberos. • Asymmetric keys. • X.509 key establishment. • Attack example. • Station To Station (STS) protocol. • Bellovin-Merritt protocol. CSE331 Fall 2002
Symmetric Keys • Key establishment using only symmetric keys requires use of pre-distribution keys to get things going. • These can be based on: • Point to point distribution, or • Key Distribution Center (KDC). CSE331 Fall 2002
Point-to-Point Session Key • Timestamp. • A -> B : E(K, (k, t, B)) • Nonce. • B -> A : r • A -> B : E(K, (k, r, B)) CSE331 Fall 2002 ISO/IEC 11770-2
Key Distribution Center CSE331 Fall 2002
Distribution Center Setup • A wishes to communicate with B. • T is a trusted third party that provides session keys. • T has a key KAT in common with A and a key KBT in common with B. • A authenticates T using a nonce rA and obtains a session key from T. • A authenticates to B and transports the session key securely. CSE331 Fall 2002
Needham-Schroeder • A -> T : A, B, rA • T -> A : E( KAT, (k, rA, B, E( KBT, (k, A)) )) A decrypts with KAT and checks rA and B. Holds k for future correspondence with B. • A -> B : E( KBT, (k, A)) B decrypts with KBT. • B -> A : E(k, rB) A decrypts with k. • A -> B : E(k, rB – 1) B checks rB-1. CSE331 Fall 2002
Attack Scenario 1 • A -> T : A, B, rA • T -> C (A) : E( KAT, (k, rA, B, E( KBT, (k, A)) )) C is unable to decrypt the message to A; passing it along unchanged does no harm. Any change will be detected by A. CSE331 Fall 2002
Attack Scenario 2 • A -> C (T) : A, B, rA • C (A) -> T : A, C, rA • T -> A : E( KAT, (k, rA, C, E( KCT, (k, A)) )) Rejected by A because C rather than B. CSE331 Fall 2002
Attack Scenario 3 • A -> C (T) : A, B, rA • C -> T : C, B, rA • T -> C : E( KCT, (k, rA, B, E( KBT, (k, C)) )) • C (T) -> A : E( KCT, (k, rA, B, E( KBT, (k, C)) )) A is unable to decrypt the message. CSE331 Fall 2002
Attack Scenario 4 • C -> T : C, B, rA • T -> C : E( KCT, (k, rA, B, E( KBT, (k, C)) )) • C (A) -> B : E( KBT, (k, C)) B will see that the purported origin (A) does not match the identity indicated by the distribution center. CSE331 Fall 2002
Kerberos Setup • A,T,B, shared keys KAT, KBT as in distribution center. • Nonce rA generated by A. • Trusted synchronous clocks for generating a time t and checking expiration of a lifetime L. CSE331 Fall 2002
Kerberos Messages • A -> T : A, B, rA • T -> A : E( KBT, (k, A, L)), E( KAT, (k, rA, L, B)) • A -> B : E( KBT, (k, A, L)), E( k, (A, t)) • B -> A : E(k, t) Ticket Authenticator CSE331 Fall 2002
Kerberos Actions • A -> T : A, B, rA • T -> A : E( KBT, (k, A, L)), E( KAT, (k, rA, L, B)) Decrypt using KAT, check rA, B, and hold L for future reference. • A -> B : E( KBT, (k, A, L)), E( k, (A, t)) Decrypt the ticket using KBT to get the session key and lifetime. Use the session key to decrypt the authenticator. Check A, t, L. • B -> A : E(k, t) Check t. CSE331 Fall 2002
Asymmetric Key Exchange • X.509 key establishment. • Impersonation case study. • STS. • Bellovin-Merritt protocol. CSE331 Fall 2002
X.509 Key Establishment Setup • X.509 is part of the X.500 series of ISO/IEC standards. • certA and certB are certificates for the public keys of A and B. • A has encryption function EA and signature function SA. B has signature function SB. • rA and rB are nonces. • LA and LB are lifetimes (validity periods). CSE331 Fall 2002
X.509 Key Est. Messages • Let DA = EB(k), rA, LA, A. • Let DB = rB, LB, rA, A • Two messages: • A -> B : certA, DA, SA(DA) Check that the nonce rA has not been seen, and is not expired according to LA. Remember it for its lifetime LA. • B -> A : certB, DB, SB(DB) Check the rA and A. Check that rB has not been seen and is not expired according to LB. CSE331 Fall 2002
X.509 Variant • X.509 supports several variants on the previously-described protocol. • Let DA = EB(kA), rA, LA, A. • Let DB = EA(kB), rB, LB, rA, A • Two messages: • A -> B : certA, DA, SA(DA) • B -> A : certB, DB, SB(DB) Both A and B compute a session key f(kA, kB) as a function of subkeys supplied by A and B. CSE331 Fall 2002
Impersonation Case Study CSE331 Fall 2002
Protocol X • A -> T : A, B • T -> A : ST(EB, B) • A -> B : EB(kA, A) • B -> T : B, A • T -> B : ST(EA, A) • B -> A : EA(kA, kB) • Check kA. Calculate session key as f(kA,kB). • A -> B : EB(kB) • Check kB. Calculate session key as f(kA,kB). CSE331 Fall 2002
Interleaving Attack on Protocol X • An interleaving attack on this protocol is possible. • An adversary C convinces: • A that he is talking to C using session key k = f(kA, kB). • B that his is talking to A using session key k. • C has access to the key k and can use it to decrypt the responses that B makes to A. CSE331 Fall 2002
Compromise Scenario • B, C are taxpayers. A is the IRS. • A contacts C, (presumably) authenticates and sets up a session key k. C uses the interleaving attack with B. • B now thinks he is talking to the IRS. • C answers questions directed to him by the IRS. • Meanwhile C, pretending to be IRS, asks B for information about his income for the last 5 years. CSE331 Fall 2002
What Went Wrong? • Entity authentication: determining who you are talking to. • Key establishment: settling on a shared session key. • Protocol X admits an interleaving attack that allows an adversary to exploit entity authentication and then step in to exploit key establishment. CSE331 Fall 2002