1 / 64

Security Protocols CS 136 Computer Security Peter Reiher October 14, 2010

Security Protocols CS 136 Computer Security Peter Reiher October 14, 2010. Outline. Designing secure protocols Basic protocols Key exchange Common security problems in protocols. Basics of Security Protocols. Assme (usually) that your encryption is sufficiently strong

lam
Download Presentation

Security Protocols CS 136 Computer Security Peter Reiher October 14, 2010

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security ProtocolsCS 136Computer Security Peter ReiherOctober 14, 2010

  2. Outline • Designing secure protocols • Basic protocols • Key exchange • Common security problems in protocols

  3. Basics of Security Protocols • Assme (usually) that your encryption is sufficiently strong • Given that, how do you design a message exchange to achieve a given result securely? • Not nearly as easy as you probably think

  4. Security Protocols • A series of steps involving two or more parties designed to accomplish a task with suitable security • Sequence is important • Cryptographic protocols use cryptography • Different protocols assume different levels of trust between participants

  5. Types of Security Protocols • Arbitrated protocols • Involving a trusted third party • Adjudicated protocols • Trusted third party, after the fact • Self-enforcing protocols • No trusted third party

  6. Alice Bob Participants in Security Protocols

  7. Eve Mallory And the Bad Guys And sometimes Alice or Bob might cheat Who only listens passively Who is actively malicious

  8. Trent Trusted Arbitrator A disinterested third party trusted by all legitimate participants Arbitrators often simplify protocols, but add overhead

  9. Key Exchange Protocols • Often we want a different encryption key for each communication session • How do we get those keys to the participants? • Securely • Quickly • Even if they’ve never communicated before

  10. Key Exchange With Symmetric Encryption and an Arbitrator • Alice and Bob want to talk securely with a new key • They both trust Trent • Assume Alice & Bob each share a key with Trent • How do Alice and Bob get a shared key?

  11. KA KB KA KB Step One Alice Bob Alice Requests Session Key for Bob Who knows what at this point? Trent

  12. KA KB KA KB Step Two Alice Bob EKA(KS), EKB(KS) Who knows what at this point? EKA(KS), EKB(KS) Trent KS

  13. EKB(KS) KA KB KA KB Step Three KS KS Alice Bob EKA(KS), EKB(KS) Who knows what at this point? Trent KS

  14. What Has the Protocol Achieved? • Alice and Bob both have a new session key • The session key was transmitted using keys known only to Alice and Bob • Both Alice and Bob know that Trent participated • But there are vulnerabilities

  15. Problems With the Protocol • What if the initial request was grabbed by Mallory? • Could he do something bad that ends up causing us problems? • Yes!

  16. The Man-in-the-Middle Attack • A class of attacks where an active attacker interposes himself secretly in a protocol • Allowing alteration of the effects of the protocol • Without necessarily attacking the encryption

  17. KA KB KM Mallory KA KB KM Applying the Man-in-the-Middle Attack Alice Bob More precisely, what do they think they know? Alice Requests Session Key for Mallory Who knows what at this point? Alice Requests Session Key for Bob Trent

  18. KA KB KM Mallory KA KB KM Trent Does His Job Alice Bob EKA(KS), EKM(KS) Trent

  19. EKM(KS) KA KM KB Mallory KA KM KB Alice Gets Ready to Talk to Bob KS Alice Bob KS EKM(KS) Mallory can now masquerade as Bob EKM(KS) Trent

  20. KA KM KB Mallory KA KM KB Really Getting in the Middle Alice KS1 Bob KS EKM(KS1), EKB(KS1) KS EKB(KS1) KS1 Mallory can also ask Trent for a key to talk to Bob Trent

  21. Mallory Mallory Plays Man-in-the-Middle Alice KS1 Bob KS KS Alice’s big secret KS1 EKS(Alice’s big secret) Bob’s big secret Alice’s big secret EKS1(Alice’s big secret) EKS1(Bob’s big secret) EKS(Alice’s big secret) EKS1(Bob’s big secret) EKS(Bob’s big secret) EKS(Bob’s big secret) Alice’s big secret Bob’s big secret Bob’s big secret

  22. Defeating the Man In the Middle • Problems: 1). Trent doesn’t really know what he’s supposed to do 2). Alice doesn’t verify he did the right thing • Minor changes can fix that 1). Encrypt request with KA 2). Include identity of other participant in response - EKA(KS, Bob)

  23. KA KM Mallory KA KM Applying the First Fix KB Alice Bob Mallory can’t read the request EKA(Alice Requests Session Key for Bob) And Mallory can’t forge or alter Alice’s request Trent KB

  24. But There’s Another Problem • A replay attack • Replay attacks occur when Mallory copies down a bunch of protocol messages • And then plays them again • In some cases, this can wreak havoc • Why does it here?

  25. KA KB Mallory KA KB Step One Alice EKA(Alice Requests Session Key for Bob) Bob EKA(Alice Requests Session Key for Bob) Trent

  26. KA KB Mallory KA KB Step Two Alice EKA(Alice Requests Session Key for Bob) Bob EKA(KS), EKB(KS) EKA(KS), EKB(KS) Trent KS

  27. EKB(KS) KA KB Mallory KA KB Step Three KS KS Alice EKA(Alice Requests Session Key for Bob) Bob EKA(KS), EKB(KS) EKA(KS), EKB(KS) EKB(KS) What can Mallory do with his saved messages? Trent KS

  28. EKA(KS), EKB(KS) KA KB Mallory KA KB Mallory Waits for His Opportunity EKA(Alice Requests Session Key for Bob) EKA(KS), EKB(KS) EKA(Alice Requests Session Key for Bob) EKB(KS)

  29. EKB(KS) KA KB Mallory KA KB What Will Happen Next? KS KS EKA(Alice Requests Session Key for Bob) KS EKA(KS), EKB(KS) What’s so bad about that? EKB(KS) What if Mallory has cracked KS?

  30. Key Exchange With Public Key Cryptography • With no trusted arbitrator • Alice sends Bob her public key • Bob sends Alice his public key • Alice generates a session key and sends it to Bob encrypted with his public key, signed with her private key • Bob decrypts Alice’s message with his private key • Encrypt session with shared session key

  31. Alice’s PK is KDA Bob’s PK is KDB EKEA(EKDB(KS)) Basic Key Exchange Using PK KEA , KDA KEB , KDB Bob Alice EKDB(KS) KS KS Bob verifies the message came from Alice Bob extracts the key from the message

  32. Mallory Alice’s PK is KDM Alice’s PK is KDA Man-in-the-Middle With Public Keys KEA , KDA KEM , KDM KEB , KDB Alice Bob Now Mallory can pose as Alice to Bob

  33. Mallory Bob’s PK is KDB Bob’s PK is KDM And Bob Sends His Public Key KEA , KDA KEM , KDM KEB , KDB Alice Bob Now Mallory can pose as Bob to Alice

  34. EKEA (EKDM(KS)) Mallory EKEM (EKDB(KS)) Alice Chooses a Session Key KEA , KDA KEM , KDM KEB , KDB KS KS Alice KS Bob Bob and Alice are sharing a session key Unfortunately, they’re also sharing it with Mallory

  35. Combined Key Distribution and Authentication • Usually the first requires the second • Not much good to be sure the key is a secret if you don’t know who you’re sharing it with • How can we achieve both goals? • In a single protocol • With relatively few messages

  36. Needham-Schroeder Key Exchange • Uses symmetric cryptography • Requires a trusted authority • Who takes care of generating the new key • More complicated than some protocols we’ve seen

  37. Alice,Bob,RA Needham-Schroeder, Step 1 KA KB RA Alice Bob Trent KA KB

  38. What’s the Point of RA? • RA is random number chosen by Alice for this invocation of the protocol • Not used as a key, so quality of Alice’s random number generator not too important • Helps defend against replay attacks • This kind of random number is sometimes called a nonce

  39. Including RA prevents replay Including Bob prevents attacker from replacing Bob’s identity Including the encrypted message for Bob ensures Bob’s message can’t be replaced EKA(RA,Bob,KS, EKB(KS,Alice)) What’s all this stuff for? Needham-Schroeder, Step 2 KA KB RA Alice Bob Trent RA KS KA KB

  40. EKB(KS,Alice) Needham-Schroeder, Step 3 KA KB KS Alice So we’re done, right? Bob KS Wrong! Trent KA KB

  41. EKS(RB) Needham-Schroeder, Step 4 KB KA KS KS Alice Bob RB RB Trent KA KB

  42. EKS(RB-1) Needham-Schroeder, Step 5 KB KA KS KS Alice Bob RB RB Now we’re done! RB-1 Trent KA KB

  43. Alice knows she’s talking to Bob Trent said she was EKA(RA,Bob,KS, EKB(KS,Alice)) No, only Bob could read the key package Trent created What’s All This Extra Stuff For? KA KB Alice Bob Can Mallory jump in later? Trent KS KA KB

  44. EKB(KS,Alice) Trent said he was Bob knows he’s talking to Alice What’s All This Extra Stuff For? KA KB KS Alice Bob Can Mallory jump in later? What about those random numbers? No, all later messages will use KS, which Mallory doesn’t know Trent KA KB

  45. Mallory Causes Problems • Alice and Bob do something Mallory likes • Mallory watches the messages they send to do so • Mallory wants to make them do it again • Can Mallory replay the conversation? • Let’s try it without the random numbers

  46. EKA(Bob,KS, EKB(KS,Alice)) Alice,Bob Mallory Waits For His Chance KB KA Alice Bob Mallory Trent KA KB

  47. What Will Alice Do Now? • The message could only have been created by Trent • It properly indicates she wants to talk to Bob • It contains a perfectly plausible key • Alice will probably go ahead with the protocol

  48. EKB(KS,Alice) Mallory The Protocol Continues KB KA KS KS Alice Bob Mallory steps aside for a bit With no random keys, we’re done Trent KA KB

  49. So What’s the Problem? • Alice and Bob agree KS is their key • They both know the key • Trent definitely created the key for them • Nobody else has the key • But . . .

  50. EKS(Old message 1) Mallory EKS(Old message 2) Mallory Steps Back Into the Picture KB KA KS KS Alice Bob Mallory can replay Alice and Bob’s old conversation It’s using the current key, so Alice and Bob will accept it Trent KA KB

More Related