Protocols: Symmetric Key Establishment, Kerberos. Nicolas T. Courtois - University College London
Multi-Party Protocols Nicolas T. Courtois, January 2009
Protocols. A security protocol is a sequence of communications that two or more principals undertake to securely achieve an objective. Principals: people, organizations, governments, computers, USB devices, smart cards, concurrently running processes, etc.
Securely? Need for a formal definition: • Objectives of the attacker (a certain game the attacker must win). • Resources. • Access. However carefully designed, protocols have subtle flaws that get found 20 years later: attacks of types the designer neither intended nor imagined.
What If? Many protocols have the following properties: • if all participants are honest, they work; • if participants are honest but curious, they learn nothing; • if one participant cheats, it will be detected, but it is not always possible to know who cheated; • it is usually possible to disturb the protocol (denial of service), and not always possible to know whose fault it was.
Overall Goal: The protocol will either securely succeed or abort. • Moreover, if all participants are honest, including honest but curious, the protocol should always succeed.
The Dolev-Yao Model. Defines an attacker for all cryptographic protocols.
The Dolev-Yao Model. Attacker = the Network. • The attacker can read, modify, copy, delay and create his own messages. • In other words, the attacker has totally compromised the ambient medium of communication (the network). ========== our minimum standard ==========
Dynamic Authentication
Symmetric Key Unilateral Auth. with a Nonce. A and B share a key K. (1) B → A: random_B. (2) A → B: A, MAC_K(random_B, B).
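The two-message exchange above, as an added example that is not part of the slides: A and B share a key K, the MAC is HMAC-SHA256, and the verifier keeps a table of nonces it has issued so that each challenge can be answered only once. The class and function names are my own; the length-prefixed field encoding inside the MAC is an assumption about how MAC_K(random_B, B) is computed, chosen so that field boundaries cannot be shifted.

```python
import hashlib
import hmac
import os

def mac(key: bytes, *fields: bytes) -> bytes:
    """MAC_K(field_1, ..., field_n) as HMAC-SHA256 over length-prefixed fields,
    so that (b"ab", b"c") and (b"a", b"bc") can never produce the same tag."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.digest()

class Prover:
    """A: given random_B, answers with (A, MAC_K(random_B, B))."""
    def __init__(self, name: bytes, key: bytes):
        self.name, self.key = name, key
    def respond(self, nonce: bytes, verifier_name: bytes):
        # The verifier's identity goes under the MAC: a tag made for B is
        # worthless as an answer to a challenge from anyone else.
        return self.name, mac(self.key, nonce, verifier_name)

class Verifier:
    """B: issues a fresh random_B and accepts each one at most once."""
    def __init__(self, name: bytes, key: bytes):
        self.name, self.key = name, key
        self.outstanding = set()
    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce
    def verify(self, nonce: bytes, claimed_name: bytes, tag: bytes) -> bool:
        if nonce not in self.outstanding:      # never issued, or already answered
            return False
        self.outstanding.discard(nonce)        # one answer per challenge
        # claimed_name would select the key in a multi-user setting; with a
        # single shared K it is the MAC check that authenticates A.
        return hmac.compare_digest(tag, mac(self.key, nonce, self.name))

def run_unilateral(prover: Prover, verifier: Verifier) -> bool:
    nonce = verifier.challenge()                        # (1) B -> A: random_B
    name, tag = prover.respond(nonce, verifier.name)    # (2) A -> B: A, MAC_K(random_B, B)
    return verifier.verify(nonce, name, tag)

def replay_is_rejected(prover: Prover, verifier: Verifier) -> bool:
    """Attacker records a valid message (2) and resends it: the nonce is spent."""
    nonce = verifier.challenge()
    name, tag = prover.respond(nonce, verifier.name)
    return verifier.verify(nonce, name, tag) and not verifier.verify(nonce, name, tag)

def wrong_identity_is_rejected(prover: Prover, verifier: Verifier) -> bool:
    """A tag that A computed for some other verifier C does not satisfy B."""
    nonce = verifier.challenge()
    name, tag = prover.respond(nonce, b"C")
    return not verifier.verify(nonce, name, tag)
```

Leaving B out of the MAC would let an attacker who can talk to A as a verifier turn A into an oracle for answering B's challenges; binding the intended verifier's name is what stops that, and the spent-nonce table is what stops replay of a recorded reply.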
PK Versions
Public Key - Based Schemes. Here there are more possibilities than with time-based authentication. Two approaches exist. Alice has her private key SK(A). Two methods to demonstrate knowledge of this key: • sign a message chosen by Bob; • decrypt a message encrypted by Bob with Alice's public key. The message should contain a random value, + the ID of the receiver, + maybe some long padding…
PK-Unilateral with PK Encryption. A holds SK(A); B holds PK(A). (1) B → A: h(r_B), B, E_PK(A)(r_B, B). (2) A → B: r_B. A decrypts, checks that the result hashes to h(r_B) and names B as the receiver, and only then reveals r_B.
Same with PKI. A holds SK(A) and a certificate cert_A; B obtains PK(A) from the certificate. (1) A → B: cert_A. (2) B → A: h(r_B), B, E_PK(A)(r_B, B). (3) A → B: r_B.
PK-Unilateral with Dig. Sign. (1) B → A: r_B. (2) A → B: cert_A, r_A, S_SK(A)(r_A, r_B, B).
Uni-directional vs. Mutual Authentication. Uni-directional: one side makes a statement and supplies an [interactive] proof. Mutual: statement1, [interactive] proof1 in one direction; then statement2, [interactive] proof2 in the other direction (in the symmetric case, both under the shared key K).
Key Establishment
The Need. Secure messaging: encrypt all exchanges (commands and data) between Alice and Bob. Key establishment is almost always needed, even if Alice and Bob already share a key: there is a need for a session key (a short-term key).
Why Short Term Keys? Need for a session key (a short-term key): • limit key exposure; • in many systems (e.g. GSM) session keys are pre-computed in advance by a more secure part of the system (!); • a bank card's master key is never used with data chosen by the user (foils DPA); • keys should be fresh, to prevent replay of the messages from the last session => total session independence; • cryptanalysis: the security of symmetric crypto degrades with usage, => limit the amount of data the attacker can get hold of; • better to re-establish keys when needed; • avoid expensive storage of too many keys locally; • in the PK case it is in fact impractical to use PK crypto to encrypt large quantities of data (far too slow), so a symmetric key is always needed: • one method to get it is key establishment, studied later here; • the second method is called hybrid encryption, e.g. in PGP / GnuPG.
Key Establishment? Three types, we study only two: • symmetric crypto + TTP. Application: Kerberos, enterprise networks. • public key crypto + authentic[ated] channel. Application: SSL/TLS, e-commerce.
Key Derivation
Symmetric Key Derivation. Again needed even if the key is already shared. Key diversification = key derivation, very widely used in the industry: long-term shared key K + IV / data → Encrypt_K or Hash → short-lived session key.
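The "Hash" branch of the diagram above, as an added example that is not from the slides: a counter-mode KDF built on HMAC-SHA256, used once for key diversification (one long-term key per card from an issuer master key) and once for session keys (fresh per transaction from the card key plus a nonce and counter). The function names, the labels `card`/`enc`/`mac` and the choice of HMAC-SHA256 are my own; the slide does not fix a construction.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes, data: bytes, n: int = 16) -> bytes:
    """Counter-mode KDF on HMAC-SHA256 (the "Hash" box of the diagram).
    label separates purposes so that the same (key, data) yields unrelated
    keys for encryption and for MACing; data is the IV / diversification input."""
    out, counter = b"", 1
    while len(out) < n:
        block = counter.to_bytes(4, "big") + label + b"\x00" + data
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:n]

def diversify(master: bytes, card_id: bytes) -> bytes:
    """Issuer side: a per-card long-term key from the issuer master key.
    A terminal (or its HSM) holding the master recomputes it from card_id, so
    no per-card key has to be stored or distributed, and a key extracted from
    one card says nothing about the master or about other cards."""
    return kdf(master, b"card", card_id)

def session_keys(card_key: bytes, terminal_nonce: bytes, counter: int):
    """Per-transaction keys from the card key, a terminal nonce and the card's
    transaction counter: every session gets its own pair, so traffic recorded
    in one session cannot be replayed into the next, and the long-term card
    key is never applied directly to attacker-chosen data."""
    ctx = terminal_nonce + counter.to_bytes(4, "big")
    return kdf(card_key, b"enc", ctx), kdf(card_key, b"mac", ctx)
```

The card computes `session_keys` from the key it stores; the terminal reaches the same values from the master key and the card's identifier, which is what makes the scheme work without a per-card key database.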
Symmetric Key Establishment. No shared key. Requires a Trusted Third Party = TTP, • which is also a sort of "symmetric key infrastructure" (as opposed to a PKI). Example: Needham-Schroeder Symmetric Key Establishment Protocol, • the basis of the Kerberos protocol. Applications: the domain server in Windows 2000 and later, • the security part of the Microsoft Active Directory system.
Symmetric Needham-Schroeder Key Exchange Protocol with TTP
Needham-Schroeder - Summary. There are two Needham-Schroeder protocols 1,2. Very different. Beware of confusion! • Symmetric key establishment N-S: broken by [Denning and Sacco 1981] (an attacker who recovers an old session key can replay the matching old ticket); • fixed by Denning and Sacco and in Kerberos v4/5 by adding timestamps, • and by [Needham-Schroeder 1987] by adding an extra nonce and extra messages. • VERY WIDELY used: Unix, Windows… • Asymmetric mutual authentication N-S: attack found by [Lowe 1995], after as many as 17 years…
Symmetric Needham-Schroeder [78]. 3 goals: mutual authentication and key establishment. T = Trusted Third Party; A and T share a key K_AT, B and T share K_BT. 1) key retrieval: (1) A → T: A, B, r_A. (2) T → A: {r_A, B, k, {k, A}_KBT}_KAT (so T knows k…). (3) A → B: {k, A}_KBT (the ticket). 2) key confirmation: (4) B → A: {r_B}_k. (5) A → B: {r_B - 1}_k.
Kerberos
Kerberos. A protocol for enterprise networks: authentication + secure channels. Developed at MIT. • Fixed in Version 5 = RFC 1510 (since superseded by RFC 4120). Very widely used [Microsoft, Unix, Cisco, Apple].
The n² problem and Securing Public Networks. • If we have n users, we need n(n-1)/2 ≈ n²/2 keys * key size! • How to distribute these keys? Wish list: a combination of public key techniques and AES… But can this be solved with secret key techniques alone?
Kerberos Goals. • user → server authentication • + secure channels • works in enterprise networks • typically uses port 88 on machines • on Windows, Unix and Mac • supports Single Sign On • uses secret key cryptography only. • Initially used only DES; 3DES was added later (and AES, in RFC 3962).
Outline
Name-Based Authentication. Two principals know each other by names in the central database, e.g. ncourtois.root@UCL.AC.UK, and they are authenticated as such.
Key Notion: Ticket. Tickets are like one-time passwords. • They are encrypted and can be decrypted by the intended recipient only. • They can encapsulate other encrypted quantities (or tickets). • They are valid for a limited time: the bail expires eventually. • Replay attacks are possible, so use must be timely: tickets carry timestamps and expire. • Possible policy: check whether the same ticket was used twice and deny access. Hassle from false alarms + reissue of new tickets.
Simplified Kerberos = Symmetric N-S with Timestamps. 3 goals: mutual authentication and key establishment. T = Trusted Third Party; A and T share a key K_AT, B and T share K_BT; L = lifetime. 1) key retrieval: (1) A → T: A, B. (2) T → A: {t_T, L, k, B, {t_T, L, k, A}_KBT}_KAT. (3) A → B: {t_T, L, k, A}_KBT (the service ticket), {A, t_A}_k (the authenticator). 2) key confirmation: (4) B → A: {t_A + 1}_k.
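Both protocols, as one added example that is not from the slides: the plain symmetric Needham-Schroeder run from the earlier slide, the Denning-Sacco replay against it, and the timestamped variant above with the checks a Kerberos responder makes (ticket lifetime, authenticator within clock skew, replay cache). The `{...}_key` notation is implemented by a TOY authenticated cipher (HMAC-SHA256 keystream plus an HMAC tag), chosen only so the example runs without third-party libraries; a real implementation would use AES-GCM or the Kerberos encryption types. The class names, the lifetime L = 300, the skew window of 120 and the explicit `now` clock argument are my own; messages are JSON objects with keys and tickets carried as hex.

```python
import hashlib
import hmac
import json
import os

SKEW = 120   # assumed clock-skew tolerance in seconds

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def enc(key, obj):
    """{obj}_key: JSON-encode, XOR with the keystream, tag = HMAC(key, nonce||ct). TOY."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class TTP:
    def __init__(self, keys):
        self.keys = keys                      # name -> long-term key shared with T
    def ns(self, A, B, rA):                   # N-S (2): {rA, B, k, {k, A}_KBT}_KAT
        k = os.urandom(16).hex()
        ticket = enc(self.keys[B], {"k": k, "A": A})
        return enc(self.keys[A], {"rA": rA, "B": B, "k": k, "ticket": ticket.hex()})
    def kerb(self, A, B, now, L=300):         # Kerberos (2): {tT, L, k, B, {tT, L, k, A}_KBT}_KAT
        k = os.urandom(16).hex()
        ticket = enc(self.keys[B], {"tT": now, "L": L, "k": k, "A": A})
        return enc(self.keys[A], {"tT": now, "L": L, "k": k, "B": B, "ticket": ticket.hex()})

class BobNS:
    """Plain N-S responder: any ticket under K_BT is accepted, however old."""
    def __init__(self, key):
        self.key = key
    def step3(self, ticket):                  # receives (3), sends (4) {rB}_k
        t = dec(self.key, ticket)
        self.k, self.rB = bytes.fromhex(t["k"]), int.from_bytes(os.urandom(8), "big")
        return enc(self.k, {"rB": self.rB})
    def step5(self, msg):                     # checks (5) {rB - 1}_k
        return dec(self.k, msg)["rB"] == self.rB - 1

def ns_run(A, B, KAT, ttp, bob):
    rA = os.urandom(8).hex()
    m2 = dec(KAT, ttp.ns(A, B, rA))           # (1) A -> T: A, B, rA ; (2) T -> A
    if m2["rA"] != rA or m2["B"] != B:
        raise ValueError("stale or misdirected reply from T")
    k, ticket = bytes.fromhex(m2["k"]), bytes.fromhex(m2["ticket"])
    rB = dec(k, bob.step3(ticket))["rB"]      # (3) A -> B: ticket ; (4) B -> A: {rB}_k
    return bob.step5(enc(k, {"rB": rB - 1})), k, ticket   # (5) A -> B: {rB - 1}_k

def denning_sacco(bob, old_k, old_ticket):
    """Attacker who later recovered an old session key k replays the matching old
    ticket; nothing in (3)-(5) lets Bob tell that k is stale, so he accepts."""
    rB = dec(old_k, bob.step3(old_ticket))["rB"]
    return bob.step5(enc(old_k, {"rB": rB - 1}))

class BobKerb:
    """Kerberos-style responder: lifetime, clock skew and a replay cache."""
    def __init__(self, key):
        self.key, self.seen = key, set()
    def step3(self, ticket, authenticator, now):
        t = dec(self.key, ticket)
        if now > t["tT"] + t["L"]:
            raise ValueError("ticket expired")
        k = bytes.fromhex(t["k"])
        a = dec(k, authenticator)             # {A, tA}_k: proves A holds k, and recently
        if a["A"] != t["A"] or abs(now - a["tA"]) > SKEW:
            raise ValueError("bad authenticator")
        if (a["A"], a["tA"]) in self.seen:    # same authenticator seen inside the skew window
            raise ValueError("authenticator replayed")
        self.seen.add((a["A"], a["tA"]))
        return enc(k, {"tA": a["tA"] + 1})    # (4) B -> A: {tA + 1}_k

def kerb_run(A, B, KAT, ttp, bob, now):
    m2 = dec(KAT, ttp.kerb(A, B, now))        # (1) A -> T: A, B ; (2) T -> A
    if m2["B"] != B or abs(now - m2["tT"]) > SKEW:
        raise ValueError("stale reply from T")
    k, ticket = bytes.fromhex(m2["k"]), bytes.fromhex(m2["ticket"])
    auth = enc(k, {"A": A, "tA": now})
    ok = dec(k, bob.step3(ticket, auth, now))["tA"] == now + 1   # (3), (4)
    return ok, ticket, auth

def kerb_reject_reason(bob, ticket, auth, now):
    """'' if Bob accepts the (ticket, authenticator) pair, otherwise why he refused."""
    try:
        bob.step3(ticket, auth, now)
        return ""
    except ValueError as e:
        return str(e)
```

In the N-S run, Bob's only check on the ticket is that it decrypts under K_BT, which is exactly what the Denning-Sacco replay exploits. In the Kerberos-style run the ticket carries t_T and L, so an old ticket dies on its own after the lifetime, and within the lifetime the authenticator's t_A plus the replay cache catch a resent copy; the cost is the clock synchronisation the later slide complains about.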
Real Kerberos. Two types of these tickets, at two different levels: • Master Ticket = Ticket Granting Ticket: allows requesting many individual tickets. • Service Ticket, presented together with an Authenticator: allows access to one service, at one moment, for a limited time.
Keys In Kerberos. Highest level: long-term secret keys K_AT, one for each of: • users • services • servers • workstations. Important question: does the workstation store the key K_AT? If it did, the key could be copied to clone it. No: user keys are typically derived from passwords by hashing, • and can either be stored permanently in the Active Directory database, or re-created each time the user logs on to the domain from his workstation.
Kerberos Authentication Server = AS, e.g. a domain controller, e.g. MS Active Directory. Ticket Granting Service = TGS, can be a different server as well. Once per type of service (ftp, telnet, http, etc.), an encrypted Service Ticket conveys a session key and is presented with an authenticator: • the client is authenticated by the ticket, • the server is authenticated [optional], • an encrypted channel is created.
Kerberos Is Not Perfect. • Requires trusting the TTP. • Security requires tight clock synchronization, frequently relaxed for convenience. • Password-changing methods vary between implementations. • Key length: apparently single DES 56-bit keys still widely used… (DES in Kerberos was later formally deprecated by RFC 6649.)
Quiz • What is a session key? • Why is it needed if two principals already share a key? • Recall 5 types of dynamic authentication. • What is the purpose of the Needham-Schroeder protocol in a Windows 2000 domain?