1 / 10

Security Handshake Pitfalls, II

Security Handshake Pitfalls, II. CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk. Key Establishment and Authentication with KDC. A simple protocol: Problem: Potential delayed key delivery to Bob. (besides others). Alice, Bob. K B {Alice, K AB }. KDC.

Download Presentation

Security Handshake Pitfalls, II

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security Handshake Pitfalls, II CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk Security Handshake Pitfalls, II

  2. Key Establishment and Authentication with KDC A simple protocol: Problem: Potential delayed key delivery to Bob. (besides others) Alice, Bob KB{Alice, KAB} KDC KA{Bob, KAB} Alice Bob Security Handshake Pitfalls, II

  3. Another simple protocol: Problems: • No freshness guarantee for KAB • Alice & Bob need to authenticate Alice, Bob KA{Bob, KAB}, ticketB where ticketB= KB{Alice, KAB} KDC Alice Bob Alice, ticketB Security Handshake Pitfalls, II

  4. Needham-Schroeder Protocol N1, Alice, Bob KA{N1, Bob, KAB, ticketB} where ticketB= KB{KAB, Alice} KDC ticketB, KAB{N2} Bob Alice KAB{N2-1, N3} KAB{N3-1} Security Handshake Pitfalls, II

  5. Needham-Schroeder Protocol • N1: for authenticating KDC& freshness of KAB. • Ticket is double-encrypted. (unnecessary) • N2, N3: for key confirmation, mutual authentication • Why are the challenges N2, N3 encrypted? • Problem: Bob doesn’t have freshness guarantee for KAB (i.e., can’t detect replays). Security Handshake Pitfalls, II

  6. Messages should be integrity protected. Otherwise, cut-and-paste reflection attacks possible: replay ticketB, KAB{N2} KAB{N2-1, N3} Trudy Bob KAB{N3-1} ticketB, KAB{N3} Trudy Bob KAB{N3-1, N4} Security Handshake Pitfalls, II

  7. Expanded Needham-Schroeder Protocol hello KB{NB} N1, Alice, Bob, KB{NB} KA{N1, Bob, KAB, ticketB} where ticketB= KB{KAB, Alice, NB} KDC Alice Bob ticketB, KAB{N2} KAB{N2-1, N3} KAB{N3-1} Security Handshake Pitfalls, II

  8. Otway-Rees Protocol NC, “Alice”, “Bob”, KA{NA, NC, “Alice”, “Bob”} KA{NA, NC, “Alice”, “Bob”} KB{NB, NC, “Alice”, “Bob”} KDC NC, KA{NA, KAB}, KB{NB, KAB} Bob Alice KA{NA, KAB} KAB{anything recognizable} Security Handshake Pitfalls, II

  9. Otway-Rees Protocol • NA, NB: Provides freshness guarantee for A & B, as well as authentication of KDC. • NC: Binds Alice, Bob, and the session. Also authenticates Bob. • Having separate NA & NC is redundant for security,though it’s good for functional separation of nonces and uniformity of KDC messages. Security Handshake Pitfalls, II

  10. Basic Kerboros Protocol N1, Alice, Bob KA{N1, Bob, KAB, ticketB} where ticketB= KB{KAB, Alice, expiration time} KDC Bob Alice ticketB, KAB{T} KAB{T+1} Security Handshake Pitfalls, II

More Related