Authentication Overview (NS chapter 9) - PowerPoint PPT Presentation

Computer and Network Security
CMSC 414

  • AUTHENTICATION
  • Udaya Shankar

shankar@cs.umd.edu

3/27/2013 shankar
authentication slide 1

Authentication Overview (NS chapter 9)

  • Large set of principals attached to an open channel (eg, Internet).
  • Each principal repeatedly
    • attempts to initiate a connection (i.e., session) with a specified principal
    • upon successful connection establishment, exchanges messages
    • closes the connection
    • waits for an arbitrary (but bounded) time
  • When a principal A assumes it is connected to a principal B, A is indeed exchanging messages with B, and not some attacker C.
  • When principal A assumes confidentiality/integrity of the message exchange, this is indeed the case.
  • Programs can use secrets (eg, from space of 2^128)
  • Human principals are restricted to secrets (eg, space of 2^32) and cannot do cryptographic operations.
  • When we say a program principal A is connected to B, we mean that A's program's variables indicate that A is connected to B.

Typical authentication scenario

  • Connection establishment:
    • A authenticates B: [B,A,accpt] msg sent by B in response to [A,B,conn]
    • B authenticates A: [A,B,accpt] ... A ... [B,A,conn]
    • Simultaneously establish a shared secret (session key) for conversation
  • Conversation: encryption/MAC
  • Disconnection: A and B close their connection and forget any session key

(Figure: principal A on computer nA and principal B on computer nB, connected across the Internet. Connection phase: [A,B,conn] travels as [nA,nB,[A,B,conn]] and [B,A,accpt] as [nB,nA,[B,A,accpt]]; conversation phase: data msgs; disconnection phase: disconnect msgs.)

Types of Attacks

  • An authentication protocol must identify the attacks it is supposed to handle
    • network attacker
    • end-point attacker
    • dictionary attack
  • An authentication mechanism cannot protect against all attacks, eg,
    • overrun (take over) a human principal
    • overrun memory while program principal is doing login authentication
  • Attackers can span multiple classes
  • Attackers can sequentially mount attacks of different classes
    • Eg, record encrypted conversation; much later learn session key

Types of Attacks (contd)

  • Network attacker
  • Sending messages with wrong values in fields:
    • spoofing: C at nC sends messages with sender id as [A]
    • changing "reject" to "accept"
    • spoofing: C at nC sends messages with sender addr/id as [nA,A]
  • Eavesdropping: observing messages in the channel.
    • Easy in WLANs and LANs (because of broadcast nature)
    • Not easy in wired point-to-point links (but doable): tap router ports, compromise route computation algorithm
  • Intercepting messages, changing them, resending them.
    • Relatively easy in WLANs and LANs (because of broadcast nature)
    • Not easy in point-to-point (but doable)

Types of Attacks (contd)

  • End-point attacker
  • Principal C says it is principal A on a computer nA (eg, public workstation)
    • online dictionary attack
  • Read data on hard disk (or back-up tapes) of nA or A
    • obtain old keys (encrypted or plaintext), password files, ...
    • obtain current keys (encrypted or plaintext), password files, ...
    • offline dictionary attack on encrypted passwords
  • Overrun computer nA
    • while A is not at nA
    • while A is at nA
  • Read data in memory of nA while A is executing (unlikely)
  • Overrun a (human or program) principal
    • mail client, web browser

Types of Attacks (contd)

  • Dictionary attack
  • Finding a secret by searching through a space of possible secrets
  • Doable only if the space is small enough (given reasonable time/resources)
  • A secret from a small space is said to be low-quality
  • A secret from a large space is said to be high-quality
  • Examples:
    • 128-bit key from a decent random number generator is high-quality
    • 20-bit key from a decent random number generator is low-quality
    • Passwords, and keys obtained from them, are low-quality (typically)
  • Online dictionary attack: need to interact with authenticator at every guess
  • Offline dictionary attack: interacts with authenticator just once

Three types of authentication

  • Authenticating oneself by showing a secret password to the remote peer (and to the network)
    • Always vulnerable to eavesdropping attack
    • Always vulnerable to online dictionary attack. Usual protection: limit frequency of incorrect password entries
  • Authenticating oneself by using a physically-secured terminal/computer
    • Conceptually similar to password-based authentication??
  • Authenticating oneself by showing evidence of a secret key to the remote peer (and to the network) but without exposing the secret to the peer (or to the network)
    • Note: secret key can be obtained from a password

Password-based authentication

  • A authenticates itself by supplying a password.
  • Always vulnerable to eavesdropping attack and online dictionary attack
  • Approach 1: A (passwd pwA) at nA; channel; B (passwd file with [X,pwX] for each X) at nB
    • A: enter [A,B,pwA]
    • nA: send [nA,nB,A,B,pwA]
    • B: check rcvd [A,pwA] against passwd file
    • match authenticates A; msgs from nA until logout assumed to be from A
  • Vulnerable to eavesdropping and to online dictionary attack
    • Defense against latter: limit number of successive failed attempts
  • Vulnerable to exposure of password file (overrun of nB or B)

Password-based authentication (contd)

  • Approach 2: Like approach 1 except B's password file has entries (X, hash(pwX)) for each X
  • A (passwd pwA) at nA; channel; B (passwd file with [X,hash(pwX)] for each X) at nB
    • A: enter [A,B,pwA]
    • nA: send [nA,nB,A,B,pwA]
    • B: check hash(rcvd pwA) against passwd file entry for A
    • match authenticates A
  • Vulnerable to eavesdropping and to on-line dictionary attack (as before)
  • Vulnerable to password file exposure but requires dictionary attack
    • Defense 1: store (X, salt, hash(pwX, salt))
    • Defense 2: store (X, encryptK(pwX)) where K is high-quality key maintained only in B's memory and not hard disk (i.e., manually entered when B is activated).
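
The following is an added example, not code from the slides: B's password file in the "defense 1" format (X, salt, hash(pwX, salt)) together with the "limit number of successive failed attempts" defense against online dictionary attacks from the two preceding slides. PBKDF2-HMAC-SHA256 as the salted hash, the iteration count, the lockout threshold and all class/function names are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # PBKDF2 work factor (assumed; the slides only say "hash")


def salted_hash(password: str, salt: bytes) -> bytes:
    """hash(pwX, salt) of defense 1, realised here as PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordFile:
    """B's password file: X -> (salt, hash(pwX, salt)), plus a per-user counter of
    successive failed attempts (the online dictionary attack defense)."""

    def __init__(self, max_failures: int = 5):
        self.entries = {}          # X -> (salt, hash)
        self.failures = {}         # X -> successive failed attempts
        self.max_failures = max_failures

    def enroll(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)            # fresh random salt per user
        self.entries[user] = (salt, salted_hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        """Check the received [A, pwA] against the file. Once a user has exceeded
        max_failures in a row, every attempt fails until reset_failures()."""
        if user not in self.entries:
            return False
        if self.failures.get(user, 0) >= self.max_failures:
            return False                           # locked: too many failures
        salt, stored = self.entries[user]
        ok = hmac.compare_digest(salted_hash(password, salt), stored)
        self.failures[user] = 0 if ok else self.failures.get(user, 0) + 1
        return ok

    def reset_failures(self, user: str) -> None:
        """Admin override after a lockout."""
        self.failures[user] = 0


def salt_separates_equal_passwords(password: str) -> bool:
    """Approach 2 stores hash(pwX) only, so two users with the same password have
    identical entries and one precomputed dictionary serves both. With a per-user
    salt (defense 1) the two stored hashes differ."""
    pf = PasswordFile()
    pf.enroll("alice", password)
    pf.enroll("bob", password)
    return pf.entries["alice"][1] != pf.entries["bob"][1]


if __name__ == "__main__":
    pf = PasswordFile(max_failures=3)
    pf.enroll("A", "correct horse battery")     # constructed sample password
    print(pf.verify("A", "correct horse battery"), pf.verify("A", "guess"))
    print(salt_separates_equal_passwords("hunter2"))
```

The lockout counter is deliberately per user and resets on success; the slide on authentication of people notes the trade-off (a vandal can lock accounts), which is why a rate limit is the usual alternative.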

Password-based authentication (contd)

  • Store A's password in every server that A may access.
    • Disadvantage: handling changes to password.
    • Disadvantage: All password files need to be protected well.
  • Store A's password in a special authentication node
    • Server authenticates A by checking A's password with authentication node (and presumably forgetting password after authenticating A).
    • Disadvantage: performance bottleneck.
    • Advantage: single node to protect

Address-based authentication

  • A uses only a special set of computers
  • A is authenticated by the address (network, link level, etc) of its computer.
  • Valid if
    • Access to special computers is well-guarded
    • Network is protected against spoofing/interception of messages
  • Examples:
    • Unix: os-wide /etc/hosts.equiv file, per-user .rhosts file.
    • VMS: PROXY database
    • Early main-frame machines accessed by dumb terminals.
    • Operator console on many workstations (eg, single-user mode in Linux)
  • Conceptually like password-based authentication except that "password" is now associated with a physical device (eg, network interface card).

Cryptographic authentication

  • A authenticates itself to B by performing a cryptographic operation on a quantity composed of a part supplied by B and a secret shared by A and B.
  • Because operation is cryptographic, the secret is not disclosed by eavesdropping.
  • If A is a human principal:
    • A can only remember low-quality secret, ie, password.
    • A cannot do cryptographic operations.
    • So A inputs password into computer nA which converts password to key. Hence vulnerable to overrun of nA.
  • Obtaining a key from a password:
    • Obtain key by (say) hashing password (and, for AES, taking specified 128 bits).
    • Not ok for public key crypto, where keys have constraints. Here is an (wacko?) approach to obtain an RSA key: use password as seed to specified pseudo-random number generator, and choose first two primes generated.

Cryptographic authentication (contd)

  • Use password to decrypt a high-quality key kept in a directory service.
    • Let KA be A's high-quality key.
    • Let KApw be the low-quality key obtained from A's password (eg, by hashing)
    • Directory service stores enc(KA,KApw) (ie, KA encrypted by KApw).
    • Computer nA gets [A,enc(KA,KApw)] from directory service, KApw from A's password, and decrypts to get KA
  • Is this vulnerable to offline dictionary attack?
    • Guess candidate password, say cpw.
    • Obtain candidate low-quality key cKApw (e.g., by hashing cpw).
    • Obtain candidate high-quality key cKA by decrypting enc(KA,KApw) with cKApw.
    • But cannot decide whether cKA is correct because KA has no structure. (Note: in RSA, encrypt [d], not [d,n] because latter has structure)
  • But it is vulnerable with a bit more work in some cases, eg,
    • If A uses a session key encrypted with KA, use cKA to obtain candidate session key, and check if it can decrypt conversation.
    • If A's signature on a document produced using KA is available, check if cKA matches the signature.

Protecting against eavesdropping and server passwd file exposure (spfe)

  • Public-key approach:
    • A has private key.
    • B stores A's public key (so exposing B's database does no damage).
    • Authentication: B sends a random value to A; A encrypts using A's private key and sends back; B checks received value using A's public key
  • Hashed-password approach:
    • B stores hash of A's password
    • Authentication: A sends password to B; B compares hash of received password with stored hash
  • Shared-secret challenge/response approach:
    • A and B share a secret KAB (eg, A's password).
    • Authentication: A sends [A,login] to B; B sends random number R to A; A responds with KAB{R}
    • // NOTE: "KAB{R}" short for "enc(R,KAB)"
  • Lamport's hash scheme

Lamport's Hash Scheme (NS Chapter 12)

  • One-way authentication (B authenticates A); ie, assumes B is not spoofed.
  • A stores password.
  • B stores for A:
    • n: positive integer, initially say 1000; number of logins remaining
    • nhpw: n-fold hash of pw; ie, hash^n(pw)
  • Login (A stores password pw; B stores (A: n, nhpw)):
    • A: send [A,B,conn]
    • B: send [B,A,n]
    • A: x ← hash^(n−1)(pw); send [A,B,x]
    • B: if hash(x) = nhpw then A authenticated; n ← n−1; nhpw ← x
    • When n becomes 1, need to reset with new pw and n
  • With salt:
    • Initially: A chooses salt; B stores [A,n,salt,hash^n(pw|salt)]
    • Login: B responds with [n,salt]; A responds with hash^(n−1)(pw|salt)
    • To use same pw with many servers: salt = random number | server id.

Lamport's hash scheme (contd)

  • Resetting n and pw, option 1:
    • A chooses new [n,nhpw] and sends it to B unencrypted.
    • Adequate against an attacker that can eavesdrop, intercept, spoof?
    • Adequate given assumption that B-to-A authentication is not needed?
  • Resetting n and pw, option 2:
    • A sends new [n,nhpw] encrypted by a key obtained via Diffie-Hellman.
    • Is this any better wrt the attackers?
  • "Small n" attack:
    • C impersonates B's network address and waits for A to login
    • C responds with m smaller than current n and thus gets hash^m(pw) from A
    • C can now impersonate A (for n−m logins)
  • Variant with hashes written down:
    • Instead of just password, A has hash^i(pw) for i = 1,2,...,n−1 written down
    • At each login, A uses last entry and crosses it out.
    • Not vulnerable to "small n" attack.
    • Is this any different from writing down a high-quality key?
  • S/KEY: Internet-deployed version of Lamport's hash
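
The following is an added example, not code from the slides: Lamport's hash scheme with salt as on the two preceding slides (B stores n, salt and hash^n(pw|salt); A answers with hash^(n−1)(pw|salt); B checks hash(x) = nhpw and decrements n). The client additionally keeps the n it expects and refuses any other challenge; that check is an assumption added here as a defense against the "small n" attack, not part of the slides. SHA-256 as the hash, the byte layout of pw|salt and all names are assumptions.

```python
import hashlib


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def hash_n(pw: bytes, salt: bytes, n: int) -> bytes:
    """hash^n(pw|salt): the hash applied n times to pw|salt."""
    x = pw + b"|" + salt
    for _ in range(n):
        x = h(x)
    return x


class Server:
    """B: stores (A: n, salt, nhpw) and checks hash(x) = nhpw at each login."""

    def __init__(self):
        self.table = {}

    def register(self, user: str, salt: bytes, n: int, nhpw: bytes) -> None:
        self.table[user] = [n, salt, nhpw]

    def challenge(self, user: str):
        n, salt, _ = self.table[user]
        return n, salt                              # sent as [B, A, n, salt]

    def check(self, user: str, x: bytes) -> bool:
        n, salt, nhpw = self.table[user]
        if n <= 1:
            return False                            # must reset with new pw and n
        if h(x) != nhpw:
            return False
        self.table[user] = [n - 1, salt, x]         # n <- n-1, nhpw <- x
        return True


class Client:
    """A: stores pw and (added small-n defense, an assumption) the n it expects next."""

    def __init__(self, user: str, pw: bytes, rand: bytes, n: int, server_id: bytes):
        self.user, self.pw = user, pw
        self.salt = rand + b"|" + server_id         # salt = random number | server id
        self.expected_n = n

    def enroll(self, server: Server) -> None:
        server.register(self.user, self.salt, self.expected_n,
                        hash_n(self.pw, self.salt, self.expected_n))

    def respond(self, n: int, salt: bytes) -> bytes:
        if n != self.expected_n or salt != self.salt:
            raise ValueError("unexpected n or salt: refusing (possible small-n attack)")
        self.expected_n -= 1
        return hash_n(self.pw, self.salt, n - 1)    # x = hash^(n-1)(pw|salt)


def login(client: Client, server: Server) -> bool:
    """One login: B's challenge, A's response, B's check and state update."""
    n, salt = server.challenge(client.user)
    return server.check(client.user, client.respond(n, salt))


if __name__ == "__main__":
    srv, cl = Server(), Client("A", b"pw", b"r4nd", 1000, b"B")   # constructed values
    cl.enroll(srv)
    print(login(cl, srv), login(cl, srv), srv.table["A"][0])
```

Because the client only ever releases hash^(n−1) for the exact n it expects, a spoofed B offering a smaller m gets nothing; the cost is that A and B must stay in step, which is the same bookkeeping problem the written-down-list variant on the slide solves by crossing entries out.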

Scaling to network of N principals

  • Straightforward approach:
    • Distinct key for every pair of principals.
    • Not scalable: N^2 storage cost at each node; N cost for adding new principal
  • Use hierarchy of trusted intermediaries
    • KDC (Key Distribution Center) in secret-key crypto
    • CA (Certification Authority) in public-key crypto

KDC: single-domain case

(Figure: KDC and principals A, B, ..., Z; online steps 1, 2, 3.)

  • Step 1, A → KDC: send [A,KDC,B,conn]
  • Step 2, KDC: generate session key KAB; generate tktAB = [KB{A,B,KAB}]; send [KDC,A,KA{A,B,KAB},tktAB]
  • Step 3, A → B: send [A,B,conn,tktAB]
  • B: decrypt tktAB and get KAB
  • <--- authentication between A and B using KAB --->
  • KDC is a host in network; serves shared-secret keys
  • Every principal X in domain shares a key KX with KDC (off-line)
  • When A wants to talk to B, it gets a ticket from KDC (online steps 1, 2, 3)

KDC: single-domain case (cont)

  • Advantages of KDC:
    • Adding new principal: one interaction between principal and KDC
    • Revocation of principal: deactivate principal's master key at KDC
  • Disadvantages of KDC:
    • KDC can impersonate anyone to anyone. KDC compromise makes the whole network vulnerable.
    • KDC failure means no new sessions can be started.
    • KDC can be a performance bottleneck.
    • Last two can be alleviated by having KDC replicas, but need to protect all replicas, and when a principal's master key is changed, need to sync replicas

KDCs for multi-domain case

  • A in domain D1 (with KDC X) wants to talk to B in domain D2 (with KDC Y), and X and Y share a key, say KX-Y.
  • A → X: send [A,X,conn to B in D2]
  • X (KDC of D1): generate session key KA-Y; generate tktA-Y = [KX-Y{A,X,KA-Y}]; send [X,A,KA{A,Y,KA-Y},tktA-Y]
  • A → Y: send [A,Y,conn to B in D2,tktA-Y]
  • Y (KDC of D2): generate session key KA-B; generate tktA-B = [KB-Y{A,B,KA-B}]; send [Y,A,KA-Y{A,B,KA-B},tktA-B]
  • A → B: send [A,B,KA-B{A,B,conn},tktA-B]

KDCs for multi-domain case (contd)

  • KDCs chain from source to destination
  • In a large internetwork with many domains, unlikely that every two domains will have a shared key.
  • But if there is a sequence of domains D1, D2, ..., DN such that for every i, KDC of Di and KDC of Di+1 have a shared key, then A of D1 can securely obtain a session key to talk to B of DN:
    • Let Xi be the KDC of Di
    • A talks to X1 and gets [session-key, ticketA-X2] to talk to X2
    • A talks to X2 and gets [session-key, ticketA-X3] to talk to X3
    • and so on until
    • A talks to XN and gets [session-key, ticketA-B] to talk to B
  • How does A get the sequence X1, X2, ..., XN?
    • Static hierarchy with additional links (perhaps cached) for efficiency.
  • Good if A also passes along the sequence of domains to be traversed, so that B can see whether it trusts every KDC on the chain.

CA: single-domain case

(Figure: CA, directory server DS, and principals A, B, ..., Z; online steps 1, 2 between principals, steps 3, 4 with DS.)

  • CA is a host but need not be networked; generates certificates (signed public keys) and CRLs (certificate revocations)
  • Online directory server (DS) periodically gets certificates and CRLs from CA
  • DS serves certificates and CRLs to anyone (online steps 3, 4)
  • Every principal X in domain: generates a public-key pair; gets its public key signed by CA (certificate); gets CA's public key (all off-line)
  • When A wants to talk to B, A shows B its certificate and CRL; B shows similar documents to A (online steps 1, 2)

CA: single-domain case (contd)

  • Each principal has a public-key pair. Remembers its own private key and CA's public key.
  • CA generates (signed public key) for each principal X: [(serial no, X, pubkeyX, expdate), privkeyCA{(serial no, X, pubkeyX, expdate)}].
  • Certificates are publicly disseminated (e.g., at directory services).
  • A authenticates B as follows (ignoring certificate revocation):
    • Obtain certificate for B from anywhere, typically from B.
    • If certificate not expired and signature verifies (using CA's public key), then A has B's public key.
    • A sends challenge and expects challenge encrypted by B's private key, after which A and B settle on a session key.
  • Advantages
    • CA does not need to be online or networked, so can be more secure.
    • CA crash does not stop new sessions from starting until expiration date.
    • Certificates need not be secured (except for deletion of certificates).
    • Compromised CA cannot decrypt conversations (unlike KDC). But it can serve false public keys and thus impersonate any principal.

CA: handling revocation

  • Certificate revocation is more complex than in KDC.
  • CA periodically (eg, hourly) issues CRL (Certificate Revocation List): signed{issue time, list of certificates revoked at issue time}
  • A authenticates B (in presence of CRL) by obtaining (typically from B)
    • a certificate for B that has not expired (as above), and
    • a CRL that does not have B and was issued sufficiently recently, eg, at the start of the current period.
    • A sends a challenge and awaits challenge encrypted by B's private key, after which A and B settle on a session key.
  • X.509 format for certificate and CRL
    • Certificate = [user name, user public key, expiration time, serial number, CA's signature on entire contents of certificate]
    • CRL = [issue time, list of serial numbers of unexpired revoked certificates]

CAs for multi-domain case

  • A in domain with CA X wants to talk to B in domain with CA Y, and X and Y have certificates for each other.
  • A proceeds as follows:
    • Gets from X's directory service a certificate for Y signed by X; A can verify certificate because A has X's public key; so A now has Y's public key.
    • Gets from Y's directory service a certificate for B signed by Y; A can verify certificate because A now has Y's public key; so A now has B's public key
    • A can now send messages to B encrypted with B's public key

CAs for multi-domain case (contd)

  • In a large internetwork with many domains, unlikely that the CAs of every two domains will have a certificate for each other.
  • But if there is a sequence of domains D1, D2, ..., DN such that for every i, directory services of Di and Di+1 have certificates for each other signed by their CAs, then A of D1 can securely obtain the public key of B of DN by iterating:
    • Let Xi be the CA of Di
    • A gets certificate for X2 signed by X1
    • A gets certificate for X3 signed by X2
    • and so on until
    • A gets certificate for XN signed by XN−1
    • A gets certificate for B signed by XN
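
The following is an added example, not code from the slides: the checks A performs on each certificate from the single-domain and revocation slides (signature under the issuer's key, expiry, a recent CRL signed by the same issuer that does not list the serial number), iterated along a chain X1 → X2 → B as on the multi-domain slide above. Textbook RSA with fixed Mersenne primes stands in for the CA signature; those parameters are a constructed toy, far too small for real use, and all field and function names are assumptions.

```python
import hashlib


# --- toy RSA signature (constructed; fixed primes, not for real use) ---
def make_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)                      # (public, private)


def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


def encode(fields) -> bytes:
    return repr(fields).encode()               # stable serialisation of the signed tuple


# --- certificate and CRL in the form given on the slides ---
def make_cert(issuer_priv, serial, name, pubkey, expdate):
    body = (serial, name, pubkey, expdate)
    return {"body": body, "sig": sign(issuer_priv, encode(body))}


def make_crl(issuer_priv, issue_time, revoked_serials):
    body = (issue_time, tuple(sorted(revoked_serials)))
    return {"body": body, "sig": sign(issuer_priv, encode(body))}


def check_cert(cert, issuer_pub, crl, now, crl_max_age):
    """A's checks: issuer signature verifies, not expired, CRL signed by the same
    issuer and recent enough, serial not revoked. Returns subject pubkey or None."""
    serial, _name, pubkey, expdate = cert["body"]
    if not verify(issuer_pub, encode(cert["body"]), cert["sig"]):
        return None
    if expdate <= now:
        return None
    issue_time, revoked = crl["body"]
    if not verify(issuer_pub, encode(crl["body"]), crl["sig"]):
        return None
    if now - issue_time > crl_max_age or serial in revoked:
        return None
    return pubkey


def walk_chain(trusted_pub, chain, now, crl_max_age=3600):
    """chain = [(cert for X2 signed by X1, X1's CRL), ..., (cert for B signed by XN, XN's CRL)].
    The key verified at each step becomes the issuer key for the next step."""
    key = trusted_pub
    for cert, crl in chain:
        key = check_cert(cert, key, crl, now, crl_max_age)
        if key is None:
            return None
    return key


def build_scenario(now=1_000_000):
    """Two domains: X1 (A's CA), X2 (B's CA) and principal B. Returns X1's public key
    (what A holds off-line), the chain A collects, B's real public key, X2's private key."""
    x1_pub, x1_priv = make_keypair(2**31 - 1, 2**61 - 1)
    x2_pub, x2_priv = make_keypair(2**89 - 1, 2**107 - 1)
    b_pub, _b_priv = make_keypair(2**127 - 1, 2**521 - 1)
    chain = [(make_cert(x1_priv, 11, "X2", x2_pub, now + 86400), make_crl(x1_priv, now - 60, [])),
             (make_cert(x2_priv, 42, "B", b_pub, now + 86400), make_crl(x2_priv, now - 60, []))]
    return x1_pub, chain, b_pub, x2_priv


if __name__ == "__main__":
    x1_pub, chain, b_pub, _ = build_scenario()
    print(walk_chain(x1_pub, chain, 1_000_000) == b_pub)
```

Note that only X1's public key is trusted a priori; every other key, including X2's, is accepted solely because the previous step verified it, which is exactly why a false certificate served by a compromised CA anywhere on the chain would go undetected by these checks.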

Session keys

  • Session keys
    • Protect the data exchange after a connection is established
    • Should be different from long-term shared key used for authentication, so long-term key does not "wear out" (offline crypto attack)
    • Should be unique for each session
    • If compromised, only affects data sent in that session.
    • Can be given to relatively untrusted software
    • Session key should be forgotten after session ends
  • If A, when logged into B, wants to access C (eg, printer), then B needs to authenticate itself as A to C.
    • A can log into C explicitly (too much trouble)
    • A can give B its password (too risky)
    • A can give B a ticket (called ... or ...) with types of access allowed by B (eg, A's print queue) and expiry time (typically short)

Establishing session key with secret-key authentication (NS Ch 12)

  • Consider A and B with shared key KAB. During authentication, A and B have exchanged challenges, eg:
    • R1 (in one-way auth)
    • R1, R2 (in two-way auth)
  • Session key can be R1 and/or R2 encrypted by a specified function g of KAB, eg, (g(KAB)){R1} or (g(KAB)){R1⊕R2}
    • g(KAB) is KAB+1, KAB−1, −KAB, etc
    • Weakness: if C obtains KAB later, C can decrypt (recorded) conversation.
  • Session key should not be g(R1) or g(R1,R2) encrypted by KAB, eg, KAB{g(R1)}. Otherwise, later C can impersonate B, send g(R1) as a challenge to A, get back KAB{g(R1)}, and decrypt earlier conversation between A and B. Defense: include sender id in challenges.
  • Session key can be obtained by Diffie-Hellman after/during authentication (the Diffie-Hellman exchange messages are encrypted by KAB). Then even if C obtains KAB later, it still cannot decrypt conversation.

Establishing session key with public-key authentication (NS Ch 12)

  • A chooses random R as session key and sends {R}B to B. C spoofs A (after authentication) and chooses its own R1 as session-key. So important to have R be part of authentication.
  • A chooses R as session key and sends [{R}B]A. Here C cannot inject spurious R1 as session-key. If C later obtains B's private key, C can extract R and decrypt conversation.
  • A picks R1, B picks R2, they exchange {R1}B and {R2}A, set R1⊕R2 as session key. Here C has to overrun both A and B to obtain session key.
  • Session key can be obtained by Diffie-Hellman after/during authentication (the Diffie-Hellman exchange messages are encrypted or signed). Then even if C overruns A and B, it still cannot decrypt conversation.
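
The following is an added example, not code from the slides: the two session-key constructions of the secret-key slide above. First, the session key derived from the exchanged challenges as (g(KAB)){R1⊕R2} with g(KAB) = KAB+1; second, a Diffie-Hellman exchange carried inside the authenticated channel, where each DH value is authenticated under KAB so that C without KAB cannot substitute its own, and the session key depends on the DH secret rather than on KAB. HMAC-SHA256 as the "encryption under g(KAB)", a MAC rather than encryption on the DH messages, the toy group (modulus 2^127−1, generator 5) and all names are assumptions.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16


def g(kab: bytes) -> bytes:
    """g(KAB) = KAB + 1, computed on KAB as a 128-bit integer (one of the slide's choices)."""
    return ((int.from_bytes(kab, "big") + 1) % (1 << 128)).to_bytes(KEY_LEN, "big")


def prf(key: bytes, data: bytes) -> bytes:
    """Stands in for 'data encrypted under key' (assumption: HMAC-SHA256, truncated)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:KEY_LEN]


def session_key_from_challenges(kab: bytes, r1: bytes, r2: bytes) -> bytes:
    """(g(KAB)){R1 xor R2}: the challenges are the data, KAB+1 is the key."""
    xored = bytes(a ^ b for a, b in zip(r1, r2))
    return prf(g(kab), xored)


# --- Diffie-Hellman inside the KAB-authenticated channel ---
P = (1 << 127) - 1        # toy modulus (constructed; real use needs a standard group)
G = 5


def dh_message(kab: bytes, sender: str, private: int):
    """[sender, g^private mod p, MAC under KAB over sender and value]."""
    public = pow(G, private, P)
    mac = hmac.new(kab, f"{sender}|{public}".encode(), hashlib.sha256).digest()
    return sender, public, mac


def dh_accept(kab: bytes, msg, my_private: int) -> bytes:
    """Reject a DH value that is not authenticated under KAB; otherwise derive the key
    from the shared secret alone, so later loss of KAB does not reveal it."""
    sender, public, mac = msg
    expect = hmac.new(kab, f"{sender}|{public}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expect):
        raise ValueError("DH message not authenticated under KAB")
    shared = pow(public, my_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()[:KEY_LEN]


def dh_session(kab: bytes):
    """Both sides run the exchange; returns the key each side computed."""
    a_priv = secrets.randbelow(P - 2) + 1
    b_priv = secrets.randbelow(P - 2) + 1
    key_at_a = dh_accept(kab, dh_message(kab, "B", b_priv), a_priv)
    key_at_b = dh_accept(kab, dh_message(kab, "A", a_priv), b_priv)
    return key_at_a, key_at_b


if __name__ == "__main__":
    kab = bytes(range(16))                      # constructed shared key
    r1, r2 = secrets.token_bytes(16), secrets.token_bytes(16)
    print(session_key_from_challenges(kab, r1, r2).hex())
    ka, kb = dh_session(kab)
    print(ka == kb)
```

The contrast the slide draws is visible in the code: session_key_from_challenges is a deterministic function of KAB and the recorded challenges, so anyone who later learns KAB recomputes it, while dh_accept produces a key from a private exponent that never crosses the channel.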

Authentication of People (KPS 10)

  • Can only remember secret (eg, 10 letter "pronounceable" password).
  • Cannot perform cryptographic operations.
  • Three approaches:
    • What you know: password
    • What you have: authentication tokens, eg, physical keys, ATM card
    • What you are: biometric features, eg, fingerprint, voice recognition, retina scan
  • Attacks on passwords:
    • Eavesdropping
    • Online dictionary attack
      • defense: limit number of attempts after which user must talk to admin; problem: vandal can easily lock up accounts (denial-of-service)
      • defense: limit speed of attempts
    • Exposure of password file on server; doing offline dictionary attack if password file is hashed.
    • Exposing passwords in email, script files, etc.

Authentication of People (contd)

  • Password randomness:
    • 20 random digits
    • 11 random chars (from 0-9, a−z, A−Z, couple of punctuation marks)
    • Computer-generated random pronounceable password
      • Case insensitive: 4.5 bits of randomness per character
      • Every third character a vowel, 6 vowels: 2.5 bits of randomness per vowel
      • Requires 16 characters
    • Human-generated passwords
      • About 2 bits of randomness per character
      • So require about 32 character password
      • If password is too good, users write it down
  • Alternative: "pass-phrase" with intentional misspelling, punctuation marks, symbols (eg, $ for S), odd capitalization, etc.

Authentication of People (contd)

  • Fake login prompt:
    • Leave program running on public terminal that imitates login prompt
    • gets password from naive user and attempts to exit inconspicuously, eg, exit with "login failed" message; better yet: runs virtual OS for duration of user session
  • Defenses by OS/hardware:
    • Have special prompt symbol at any input field by non-login program
    • Allow only login screen to fill entire display
    • Non-mappable key to interrupt any running program, eg, alt-ctrl-del (but often OS allows remapping of this)
    • Display number of unsuccessful login attempts since last successful login.

Authentication of People (contd)

  • Authentication token: physical device that a person carries around:
  • Cards: credit cards, debit cards, id cards, money card, etc
    • Can hold high-quality secret and other data (usually read-only)
    • If card has picture or signature, then also serves as biometric check by human.
  • Smart cards:
    • can hold high-quality secret
    • memory can be password protected
    • can do cryptographic operations (challenge/response)
  • Problems with tokens:
    • Tokens can be lost or stolen (unless it is attached/embedded in user)
    • So usually needs to be augmented with password
    • When token is lost, need an override that is usually not much less convenient than the override for "I forgot my password"
    • Requires custom hardware (key slot, card reader, etc) on every access device; exception is cryptographic calculator (or readerless smart card)

Authentication of People (contd)

  • Cryptographic calculator (readerless smart card):
    • Smart card that does not require special hardware.
    • Has display and keyboard for human interaction
    • User enters password to unlock device
    • User enters challenge into device and reads cryptographic response
  • Time-based alternative
    • User enters password to unlock device
    • Card displays encryption of current time, which user enters as authentication information.
    • Authenticating computer checks that result is valid. Needs to check for all possible current times within allowed clock drift.
    • Advantages: saves half the typing; works with password "form-factor" authentication protocols

Authentication of People (contd)

  • Biometrics:
    • Retinal scanner: scans blood vessels in back of your eye; expensive and "psychologically threatening" (look into laser device)
    • Iris scanner: less intrusive than retinal scanner (can use camera several feet away).
    • Fingerprint reader: devices available but automation has not been successful for many years
    • Face recognition: not intrusive but not very accurate; susceptible to false negatives
    • Handprint readers: more false positives than fingerprint readers, but cheaper/fewer problems
    • Voiceprints: cheap and can be as accurate as fingerprinting; can be defeated with tape recording; false negatives (voice change due to illness)
    • Keystroke timing: false negatives (injury)
    • Signature: not accurate based only on static signature; accurate if also based on timing info

Security Handshake Pitfalls (NS chapter 11)

  • Assume A initiates connection to B.
  • Can classify the authentication protocols along following features:
    • One-way authentication: B authenticates A (eg, login) or A authenticates B (server B with public key, client A w/o public key)
    • Mutual authentication: B authenticates A and A authenticates B
    • Secret-key crypto vs public-key crypto

One-Way Authentication

  • Solution 1.1 (secret key KAB):
    • A → B: send [A,B,conn]
    • B → A: send challenge [B,A,R]
    • A → B: send response [A,B,f{KAB,R}]
  • Response f{KAB,R} is a keyed-hash of R or R encrypted with KAB
  • Challenge R must be new (a) so that f{KAB,R} has not been sent before (by A or by B) and hence has not been seen by attacker.
  • If challenge R is obtained from a clock or a counter and if B may have received past msgs m to which it sent f{KAB,m} responses (eg, another authentication protocol with A using KAB) then
    • B must ensure that challenge R is not among these msgs, or
    • response should also indicate the sender (eg, f{KAB,A,R})
  • These problems are not there if R is obtained from a random number generator.
  • Question: Would these attacks, if successful, yield session key?

Solution 1.1 (contd)

  • If KAB is derived from password, an eavesdropper can do offline dictionary attack.
  • If attacker gets B's password file, it can impersonate A
  • Protecting password file is harder if B is replicated or A uses same password on different servers.

Solution 1.2 (secret key KAB)

  • A → B: send [A,B,conn]
  • B → A: send challenge [B,A,KAB{R}]
  • A → B: send [A,B,R]
  • Requires challenge to be reversible (ie, encryption, not keyed-hash).
  • R should not only be a nonce but unpredictable (ie, randomly generated). Eg, if R is obtained from a counter, an attacker can impersonate A because it would know that the next challenge generated by B is R+1.
  • Weaknesses: as in solution 1.1 plus the following:
    • If KAB derived from password and R has structure, then a spoofer (w/o eavesdropping) can get KAB{R} and do offline dictionary attack.
    • Note: R is randomly generated and need not have structure.
  • If A and B have clocks that are within D seconds of each other and R has a timestamp (in addition to the random number), then this also authenticates B to A in the following sense:
    • A assured that KAB{R} message was originally sent by B within last D seconds
    • A not assured that KAB{R} was sent in response to its [A,B,conn] msg
    • Can be fixed by including a nonce in [A,B,conn] and in R.

Solution 1.3 (secret key KAB, timestamp)

  • Assuming A and B have clocks that are within D seconds of each other.
  • A → B: send [A,B,conn,KAB{ts}]
  • B decrypts, checks that ts within D
  • Single transmission suffices, no handshake needed
  • B does not need to maintain state per active connection
  • Weaknesses:
    • Replay attack within clock skew D; defense: B remembers ts sent by A within last D seconds (requires state)
    • Replay attack if KAB used with multiple servers; defense: include server id along with ts. May not be doable if servers are replicas of B (with same external id)
    • B's clock being set back
    • If encryption is replaced by keyed-hash, B has much more work: B has to get keyed-hash of every possible value in D and compare. Can overcome by A including unencrypted ts in conn msg. (Is this as secure?)
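
The following is an added example, not code from the slides: solution 1.3 above with f as a keyed hash and the defenses the slide lists applied on B's side: B accepts a ts only within the clock skew D, remembers the (A, ts) pairs accepted within the last D seconds so a replay inside the window is refused, and binds the server id into f so the same KAB used with another server yields nothing replayable. Because f is a keyed hash rather than encryption, B tries every ts in the window, as the slide notes; the same windowed check over a time slot is what the authenticating computer does for the time-based cryptographic calculator on the authentication-of-people slides. The value of D, HMAC-SHA256 as f and all names are assumptions.

```python
import hashlib
import hmac

D = 30   # allowed clock skew in seconds (assumed)


def mac_ts(kab: bytes, server_id: str, ts: int) -> bytes:
    """f(KAB, server id, ts): keyed hash with the server id bound in."""
    return hmac.new(kab, f"{server_id}|{ts}".encode(), hashlib.sha256).digest()


def conn_msg(a: str, b: str, kab: bytes, ts: int):
    """[A, B, conn, f(KAB, B, ts)] as sent by A whose clock reads ts."""
    return (a, b, "conn", mac_ts(kab, b, ts))


class Server:
    """B: holds the shared keys and the (A, ts) values accepted within the last D seconds."""

    def __init__(self, server_id: str, keys: dict, skew: int = D):
        self.id, self.keys, self.skew = server_id, keys, skew
        self.seen = set()

    def accept(self, msg, now: int) -> bool:
        sender, dest, _conn, mac = msg
        if dest != self.id or sender not in self.keys:
            return False
        # forget values that have left the window; they cannot verify any more anyway
        self.seen = {(s, t) for (s, t) in self.seen if now - t <= self.skew}
        key = self.keys[sender]
        for ts in range(now - self.skew, now + self.skew + 1):   # every ts within D
            if hmac.compare_digest(mac_ts(key, self.id, ts), mac):
                if (sender, ts) in self.seen:
                    return False                                # replay within D
                self.seen.add((sender, ts))
                return True
        return False                                            # outside D or wrong key


if __name__ == "__main__":
    kab = b"k" * 16                                             # constructed shared key
    b = Server("B", {"A": kab})
    m = conn_msg("A", "B", kab, 1000)
    print(b.accept(m, 1010), b.accept(m, 1011), b.accept(m, 1100))
```

The replay cache is what the slide means by "requires state": it is bounded by D, because anything older cannot match the window, but it does not survive the "clock set back" case or the replicated-servers case, where a second replica with the same external id has its own empty cache.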

Solution 1.4 (public key: A signs challenge)

  • A → B: send [A,B,conn]
  • B → A: send challenge [B,A,R]
  • A → B: send [A,B,[R]A] // [R]A is R encrypted with A's private key
  • B's pw file contains A's public key; can be readable (but not modifiable)
  • Need to ensure that R has distinct structure that is not used for signing messages

Solution 1.5 (public key: B encrypts challenge)

  • A → B: send [A,B,conn]
  • B → A: send challenge [B,A,{R}A] ({R}A is R encrypted with A's public key)
  • A → B: send [A,B,R]
  • B's pw file contains A's public key; can be readable (but not modifiable)
  • Need to ensure that R has distinct structure that is not used for sending confidential messages to A
  • Why is it ok to send response R in the open, instead of say {R}B?

Mutual (two-way) Authentication (A initiates connection to B)

  • Solution 2.1 (secret key KAB):
    • 1. A → B: send [A,B,conn]
    • 2. B → A: send challenge [B,A,R1]
    • 3. A → B: send response [A,B,f{KAB,R1}]
    • 4. A → B: send challenge [A,B,R2]
    • 5. B → A: send response [B,A,f{KAB,R2}]
  • Consists of two 2-way handshakes
  • Messages 3 and 4 can be combined into one message
  • Vulnerable to B's passwd file being read
  • If KAB obtained from passwd, vulnerable to offline dictionary attack
    • by attacker who can eavesdrop
    • by attacker who can impersonate B. Impersonating server B is harder than impersonating client A (assuming server is always connected whereas client is momentary)
  • Interchanging order of R1 and R2 introduces further vulnerability (below)

Solution 2.2 (solution 2.1 as one 3-way handshake)

  • 1. A → B: send [A,B,conn,R2]
  • 2. B → A: send [B,A,R1,f{KAB,R2}]
  • 3. A → B: send [A,B,f{KAB,R1}]
  • Reduces solution 2.1 to one 3-way handshake
  • As usual, vulnerable to B's passwd file being read
  • Usual offline dictionary attack if C eavesdrops and KAB obtained from passwd
  • If C can spoof A, then C can do offline dictionary attack (without eavesdropping)

Solution 2.2 (contd): reflection attack

  • 1. C (as A) → B: send [A,B,conn,R2]
  • 2. B → C: send [B,A,R1,f{KAB,R2}]
  • 1'. C (as A) → B, on a second connection: send [A,B,conn,R1]
  • 2'. B → C: send [B,A,S1,f{KAB,R1}]
  • 3. C (as A) → B, on the first connection: send [A,B,f{KAB,R1}]
  • C has successfully impersonated A to B
  • Defenses:
    • B remembers R1 and does not accept it (difficult with replicated servers)
    • R has structure indicating sender of challenge (but then offline dictionary attack)
    • Use different keys for each direction: KAB (for A→B) and KBA (for B→A); KBA can be predictably related to KAB [eg, KAB+1, KAB−1, −KAB, or KAB⊕(F0F0...F0)16]
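
The following is an added example, not code from the slides: the keyed-hash response of solution 1.1 and the 3-message handshake of solution 2.2 above, with two of the defenses the slides list applied together: the response binds the responder's id (f{KAB,A,R} style) and each direction uses its own key, KBA being derived from KAB. It also shows why the value C obtains from B over a second connection is then useless as A's message 3. HMAC-SHA256 as f, a keyed-hash derivation for KBA in place of the slide's KAB+1 family, and all names are assumptions.

```python
import hashlib
import hmac
import secrets


def direction_key(kab: bytes, responder: str) -> bytes:
    """KAB for responses by A, KBA (predictably related to KAB) for responses by B."""
    return hmac.new(kab, b"dir:" + responder.encode(), hashlib.sha256).digest()


def f(kab: bytes, responder: str, r: bytes) -> bytes:
    """f{K, responder, R}: keyed hash that binds the responder id to the challenge."""
    return hmac.new(direction_key(kab, responder),
                    responder.encode() + b"|" + r, hashlib.sha256).digest()


def check(kab: bytes, responder: str, r: bytes, response: bytes) -> bool:
    """The verifier recomputes f for the claimed responder and compares in constant time."""
    return hmac.compare_digest(f(kab, responder, r), response)


def handshake(kab: bytes):
    """Solution 2.2: 1 [A,B,conn,R2]; 2 [B,A,R1,f{R2}]; 3 [A,B,f{R1}].
    Returns (A authenticated B, B authenticated A)."""
    r2 = secrets.token_bytes(16)                 # msg 1, A -> B: A's challenge
    r1 = secrets.token_bytes(16)                 # B's challenge
    resp_b = f(kab, "B", r2)                     # msg 2, B -> A
    a_ok = check(kab, "B", r2, resp_b)           # A checks B's response to R2
    resp_a = f(kab, "A", r1)                     # msg 3, A -> B
    b_ok = check(kab, "A", r1, resp_a)           # B checks A's response to R1
    return a_ok, b_ok


def reflected_value_rejected(kab: bytes) -> bool:
    """The two-connection sequence on the slide: C is challenged with R1 and, on a
    second connection, gets B to answer R1. Under the defenses above that answer is
    B's value for R1, so B's check of it as A's msg 3 fails."""
    r1 = secrets.token_bytes(16)
    obtained_from_b = f(kab, "B", r1)
    return not check(kab, "A", r1, obtained_from_b)


if __name__ == "__main__":
    kab = bytes(range(16))                       # constructed shared key
    print(handshake(kab), reflected_value_rejected(kab))
```

Either defense alone is enough to make the two values differ; applying both means that even if one were dropped (say KBA = KAB for a legacy peer), the responder id still separates the two directions.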

Solution 2.3 (secret key KAB, timestamp)

  • 1. A → B: send [A,B,conn,f(KAB,ts)]
  • 2. B → A: send [B,A,f(KAB,ts+1)]
  • Note
    • One 2-way handshake suffices
    • Msg 1 assures B that msg was generated by A and sent within clock skew
    • "ts+1" can be replaced by any predictable function of ts
    • response should include structure indicating sender (to defend against replay attack), or
    • B must remember timestamp values ts and ts+1 (to defend against replay attack)

Solution 2.4 (public key)

  • 1. A → B: send [A,B,conn,{R2}B]
  • 2. B → A: send [B,A,R2,{R1}A]
  • 3. A → B: send [A,B,R1]
  • More rugged than secret-key: not vulnerable to overrunning B.
  • Is it necessary to encrypt response R1?
  • Human A has to obtain its private key and B's public key (already discussed):
    • Directory service supplies A's private key encrypted by A's pwd
    • B supplies B's public key signed by A's private key
    • etc

Solution 2.5 (signature variant of 2.4)

  • 1. A → B: send [A,B,conn,R2]
  • 2. B → A: send [B,A,[R2]B,R1]
  • 3. A → B: send [A,B,[R1]A]

Extensions for dynamic context

  • Dynamic context:
    • users join and leave domains
    • users do not share pre-assigned keys
    • users rely on KDCs/CAs/directory services
    • users change passwords
    • replicated KDCs
    • etc
  • New attacks become relevant:
    • attacker with an old password of a user (trying to impersonate user)
    • others?
  • New situations have to be handled:
    • user A presents user B a ticket issued under old password of B
    • user A contacts a KDC that still has an old password of A
    • etc

Authentication with KDC mediator

  • A → KDC: send [A,KDC,conn to B]
  • KDC: generate session key KAB; generate tktAB = [KB{A,B,KAB}]; send [KDC,A,KA{KAB},tktAB]
  • A → B: send [A,B,conn,tktAB]
  • <--- A and B do mutual authentication using KAB ---> (example follows)
    • B → A: send [B,A,R1]
    • A → B: send [A,B,R2,KAB{R1}]
    • B → A: send [B,A,KAB{R2}]
  • <--- A and B use KAB (or derivative, eg, (KAB+1){R1⊕R2}) as session key data --->
  • Note:
    • Even if C is spoofing A, C cannot get access to KAB.
    • Is authentication between A and KDC needed (or is that already done above)?
    • Even if C is spoofing KDC, C cannot give a KAB that B will accept.

Needham-Schroeder Protocol

  • Below N1, N2, N3 are nonces.
  • 1. A → KDC: send [A,KDC,conn B,N1]
  • 2. KDC: generate session key KAB; generate tktAB = [KB{A,B,KAB}]; send [KDC,A,KA{N1,B,KAB,tktAB}]
  • 3. A → B: send [A,B,tktAB,KAB{N2}]
  • 4. B → A: send [B,A,KAB{N2−1,N3}]
  • 5. A → B: send [A,B,KAB{N3−1}]
  • <--- use KAB (or derivative, eg, (KAB+1){N2⊕N3}) as session key data --->

Needham-Schroeder (cont)

  • Nonce N1 used to assure A that msg 2 is response by KDC to msg 1.
    If N1 not present, C with an old password of B can impersonate B to A:
    • C records above exchange (refer to them as old msgs 1, 2, 3, 4, 5)
    • C steals KB; B changes key
    • C decrypts tktAB and gets KAB
    • C waits until A initiates connection to B
    • C intercepts A's new msg 1, responds with old msg 2 (= KA{B, KAB, tktAB})
    • A responds with new msg 3 (= [tktAB, KAB{new N2}]) to B
    • C intercepts, responds with KAB{new N2 − 1} (C knows KAB)
  • Msg 2: id B encrypted by KA ensures that C cannot replay old KDC reply to C
    (i.e., KDC reply to request by C to talk to B)
  • Msg 2: no need to doubly encrypt tktAB
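The following is an added Python simulation of msgs 1-5 of the protocol on the preceding slides; it is not code from the slides or the textbook. A toy authenticated cipher (SHA-256 keystream plus HMAC tag, constructed here only) stands in for the K{...} notation, and the KDC and Principal classes, the JSON field names and the 64-bit nonces are this example's own choices. It shows the N1 and B-id checks inside KA{...} doing their job: A refuses a KDC reply that answers an earlier request, which is exactly the check whose absence the replay of old msg 2 relies on.

```python
"""Needham-Schroeder with a KDC (slide 52), simulated at message level.
The toy cipher stands in for the slide's K{...}: SHA-256 keystream plus an HMAC tag,
constructed for this simulation only and not a real cipher."""
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]


def enc(key: bytes, obj: dict) -> bytes:
    """K{obj}: encrypt a JSON-serialisable dict under key and append an integrity tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(x ^ y for x, y in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def dec(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(x ^ y for x, y in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self, master_keys: dict):
        self.keys = master_keys                     # {principal name: master key}

    def msg2(self, a: str, b: str, n1: int) -> bytes:
        """Msg 2 = KA{N1, B, KAB, tktAB} with tktAB = KB{A, B, KAB}."""
        kab = secrets.token_bytes(32)
        tkt = enc(self.keys[b], {"a": a, "b": b, "kab": kab.hex()})
        return enc(self.keys[a], {"n1": n1, "b": b, "kab": kab.hex(), "tkt": tkt.hex()})


class Principal:
    def __init__(self, name: str, master_key: bytes):
        self.name, self.key = name, master_key

    # initiator (A) side
    def msg1(self, peer: str) -> tuple:
        self.peer, self.n1 = peer, secrets.randbits(64)
        return (self.name, "KDC", "conn", peer, self.n1)

    def on_msg2(self, blob: bytes) -> tuple:
        d = dec(self.key, blob)
        # N1 ties this reply to the outstanding request, so an old KDC reply fails here;
        # the B id inside KA{...} stops a reply that was issued for another peer.
        if d["n1"] != self.n1 or d["b"] != self.peer:
            raise ValueError("KDC reply does not match outstanding request")
        self.kab, self.n2 = bytes.fromhex(d["kab"]), secrets.randbits(64)
        return bytes.fromhex(d["tkt"]), enc(self.kab, {"n2": self.n2})      # msg 3

    def on_msg4(self, blob: bytes) -> bytes:
        d = dec(self.kab, blob)
        if d["n2-1"] != self.n2 - 1:
            raise ValueError("peer failed the N2 challenge")
        return enc(self.kab, {"n3-1": d["n3"] - 1})                          # msg 5

    # responder (B) side
    def on_msg3(self, tkt: bytes, challenge: bytes) -> bytes:
        t = dec(self.key, tkt)                      # only B's master key opens the ticket
        if t["b"] != self.name:
            raise ValueError("ticket not issued for this principal")
        self.kab, self.n3 = bytes.fromhex(t["kab"]), secrets.randbits(64)
        n2 = dec(self.kab, challenge)["n2"]
        return enc(self.kab, {"n2-1": n2 - 1, "n3": self.n3})                # msg 4

    def on_msg5(self, blob: bytes) -> bool:
        return dec(self.kab, blob)["n3-1"] == self.n3 - 1


def run_session(kdc: KDC, a: Principal, b: Principal) -> bool:
    """Msgs 1-5 in order; True when both ends are authenticated and hold the same KAB."""
    _, _, _, peer, n1 = a.msg1(b.name)
    tkt, challenge = a.on_msg2(kdc.msg2(a.name, peer, n1))
    msg5 = a.on_msg4(b.on_msg3(tkt, challenge))
    return b.on_msg5(msg5) and a.kab == b.kab


def stale_kdc_reply_rejected(kdc: KDC, a: Principal, b: Principal) -> bool:
    """A KDC reply captured for an earlier request is fed to A's later request;
    the N1 check must refuse it (the slide-53 scenario assumes N1 is absent)."""
    _, _, _, peer, n1 = a.msg1(b.name)
    old_msg2 = kdc.msg2(a.name, peer, n1)
    a.msg1(b.name)                                  # new request, fresh N1
    try:
        a.on_msg2(old_msg2)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    keys = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}
    kdc, alice, bob = KDC(keys), Principal("A", keys["A"]), Principal("B", keys["B"])
    print("session ok:", run_session(kdc, alice, bob))
    print("stale KDC reply rejected:", stale_kdc_reply_rejected(kdc, alice, bob))
```

Note that the simulation does not model the old-KB case at all: once B has changed its key, a ticket made under the old KB no longer decrypts at B, so the only place the old material is useful is against A, and that is the path the N1 check closes.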

Needham-Schroeder (cont)

  • If ECB is used (instead of CBC) and each nonce fits in an encryption block,
    then C can impersonate A to B with a reflection attack:
    • C eavesdrops and gets msgs 3 and 4
    • Later C replays msg 3
    • B replies with KAB{N2−1, N4} where N4 ≠ N3
    • C needs to get KAB{N4−1}, which it does as follows:
      C replays msg 3 with KAB{N4} replacing KAB{N2} and gets KAB{N4−1} from B
  • Replacing ECB with CBC makes attack not possible
    (but then there is no need for N3−1; can just use N3)
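The slide's precondition is that msg 4 under ECB is two independent ciphertext blocks, the second of which is a ready-made KAB{N4}. The added Python below (not from the slides) makes that concrete with a toy four-round Feistel block cipher, constructed here only, and asks the same question of ECB and of CBC: is the second block of KAB{N2−1, N4} something B would accept as a one-block challenge KAB{N4}? The CBC result assumes the IV is fixed or derived by the receiver rather than carried in the message under the sender's control.

```python
"""Block-cipher mode and the slide-54 reflection: toy Feistel cipher in ECB vs CBC."""
import hashlib

BLOCK = 16                       # one 128-bit block; a nonce is one block, as on the slide


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    """Four-round Feistel network over 8-byte halves; constructed for illustration only."""
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


def ecb_encrypt(key: bytes, blocks: list) -> list:
    """ECB: every block is encrypted on its own, so blocks can be cut out and reused."""
    return [block_encrypt(key, b) for b in blocks]


def cbc_encrypt(key: bytes, iv: bytes, blocks: list) -> list:
    """CBC: each block is XORed with the previous ciphertext block before encryption."""
    out, prev = [], iv
    for b in blocks:
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return out


def nonce_block(n: int) -> bytes:
    return n.to_bytes(BLOCK, "big")


def ecb_reply_exposes_challenge(key: bytes, n2: int, n4: int) -> bool:
    """Msg 4 = KAB{N2-1, N4} under ECB. Its second ciphertext block is exactly what
    KAB{N4} looks like as a msg-3 challenge, so B's answer to a replay of it would
    be KAB{N4-1}: the condition the slide's reflection relies on."""
    msg4 = ecb_encrypt(key, [nonce_block(n2 - 1), nonce_block(n4)])
    challenge_n4 = ecb_encrypt(key, [nonce_block(n4)])[0]
    return msg4[1] == challenge_n4


def cbc_reply_exposes_challenge(key: bytes, iv: bytes, n2: int, n4: int) -> bool:
    """Same question under CBC with a receiver-fixed IV: block 2 is E(N4 xor c1), and
    decrypting it as a one-block message gives N4 xor c1 xor IV rather than N4."""
    msg4 = cbc_encrypt(key, iv, [nonce_block(n2 - 1), nonce_block(n4)])
    challenge_n4 = cbc_encrypt(key, iv, [nonce_block(n4)])[0]
    decrypted_as_challenge = _xor(block_decrypt(key, msg4[1]), iv)
    return msg4[1] == challenge_n4 or decrypted_as_challenge == nonce_block(n4)


if __name__ == "__main__":
    k, iv = b"\x01" * 16, bytes(BLOCK)
    print("ECB leaks a usable KAB{N4}:", ecb_reply_exposes_challenge(k, 5, 9))
    print("CBC leaks a usable KAB{N4}:", cbc_reply_exposes_challenge(k, iv, 5, 9))
```

If the IV travels in the clear and the receiver uses whatever IV it is given, the pair (c1, c2) cut from msg 4 decrypts under IV = c1 to N4, so the mode change alone is not the fix; the message also needs an integrity check or an IV the receiver controls.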


Needham-Schroeder (cont)

  • 1. Attacker C overhears N1 = n during normal session between A and B

  1  A:    send [A, KDC, conn B, N1 = n]
  2  KDC:  generate session key KAB
           generate ticket TAB = KB{A, B, KAB}
           send [KDC, A, KA{N1, B, KAB, TAB}]
  3  A:    send [A, B, TAB, KAB{N2}]
  4  B:    send [B, A, KAB{N2−1, N3}]
  5  A:    send [A, B, KAB{N3−1}]
  <------------ A and B exchange data, close ------------>

Needham-Schroeder (cont)

  • 2. Attacker C learns KB, spoofs A to KDC with N1 = n+1 as follows

  6  C (as A):  send [A, KDC, conn B, N1 = n+1]
  7  KDC:       generate session key JAB
                generate ticket SAB = KB{A, B, JAB}
                send [KDC, A, KA{N1, B, JAB, SAB}]  (rcvd by C)

  • 3. C steals KB. B changes its key.
    C waits for A to connect to B, then impersonates KDC and then B

  8   A:           send [A, KDC, conn B, N1 = n+1]  (intercepted by C)
  9   C (as KDC):  send [KDC, A, KA{N1, B, JAB, SAB}]  (replay msg 7)
  10  A:           send [A, B, SAB, JAB{L2}]  (intercepted by C)
      C decrypts SAB (encrypted using (old) KB) and obtains JAB
  <------ C can now complete the authentication and impersonate B ------>

Needham-Schroeder (cont)

  • If C gets A's master key (say KA) and A changes it (to say JA),
    C can still impersonate A to B (because B never talks to KDC).

  1  A:    send [A, KDC, B, N1]
  2  KDC:  generate session key KAB
           generate tktAB = KB{A, B, KAB}
           send [KDC, A, KA{N1, B, KAB, tktAB}]
  3  A:    send [A, B, tktAB, KAB{N2}]
  4  B:    send [B, A, KAB{N2−1, N3}]
  5  A:    send [A, B, KAB{N3−1}]

  • C records above. Then C obtains KA. Then A changes master key to JA (≠ KA).

  C (as A):  send [A, B, tktAB, KAB{M2}]
  B:         send [B, A, KAB{M2−1, M3}]
  C (as A):  send [A, B, KAB{M3−1}]


Needham-Schroeder (cont)

  • B sends a nonce encrypted by KB in response to A's connection request,
    and looks for the nonce in the ticket.
  • Several ways to include such a B-KDC interaction:

  [Figure: three message-flow diagrams between A, KDC and B, each carrying KB{NA}]

    • Expanded Needham-Schroeder: 7 msgs
    • Otway-Rees: 5 messages
    • Not good: requires KDC to match up messages
Expanded Needham-Schroeder: requires two additional messages

  1a  A:    send [A, B, conn]
  1b  B:    send [B, A, KB{NB}]
  1   A:    send [A, KDC, conn B, N1, KB{NB}]
  2   KDC:  generate session key KAB
            generate tktAB = KB{A, B, KAB, NB}
            send [KDC, A, KA{N1, B, KAB, tktAB}]
  3   A:    send [A, B, tktAB, KAB{N2}]
  4   B:    send [B, A, KAB{N2−1, N3}]  (as before)
  5   A:    send [A, B, KAB{N3−1}]  (as before)
  <------ A and B establish data session key (eg, (KAB+1){N2 ⊕ N3}) ------>

Otway-Rees authentication protocol

Does mutual authentication and handles ticket invalidation in 5 messages

  1  A:    generate nonces NA and NC
           send [A, B, NC, KA{NA, NC, A, B}]
  2  B:    generate nonce NB
           send [B, KDC, KA{NA, NC, A, B}, KB{NB, NC, A, B}]
  3  KDC:  if NC same in KA{···} and KB{···}:
             generate session key KAB
             send [KDC, B, NC, KA{NA, KAB}, KB{NB, KAB}]
  4  B:    send [B, A, KA{NA, KAB}]
  5  A:    send [A, B, KAB{"hello"}]
  <------ A and B establish data session key ------>

  • Msg 3 assures B that request 1 was by A
  • Msg 4 assures A that sender is B

Otway-Rees (cont)

  • Suppose NC is sequential and equals 007 in one attempt. C does the following:

  1  C (as A):  send [A, B, NC=008, garbage]
  2  B:         send [B, KDC, garbage, KB{NB, NC=008, A, B}]
     KDC rejects message 2
  3  A:         send [A, B, NC=008, KA{NA, NC=008, A, B}]   (A's next genuine request)
  4  C (as B):  intercepts this msg 3
                send [B, KDC, msg 3 KA field, msg 2 KB field]
  5  KDC:       accepts msg 4 (since its NC's match)
                send [KDC, B, NC, KA{NA, KAB}, KB{NB, KAB}]
     C (as B):  intercepts msg 5
                send [B, A, KA{NA, KAB}]
  6  A:         send [A, B, KAB{"hello"}]

  At this point C has impersonated B to A.
  If A uses a data session key obtained from KAB, C won't succeed
  (but o/w C can impersonate B to A during the data exchange).

Nonces

  • Large random number: best nonce
    • crypto operations are the best way to generate them
  • Timestamp: not as good
    • clocks must have adequate synchronization and resolution
    • must recover from crashes
  • Sequence numbers
    • requires non-volatile storage

  Protocol:
  A:  send [A, B, conn]
  B:  send challenge [B, A, KAB{R1}]
  A:  send [A, B, R1]

  Attack if challenges are sequential:
  C (as A):  send [A, B, conn]
  B:         send [B, A, KAB{R2}] where R2 = R1+1
  C (as A):  send [A, B, R1+1]

Nonces (cont)

  Protocol:
  A:  send [A, B, conn]
  B:  send [B, A, R1]
  A:  send [A, B, KAB{R1}]

  • When A initiates to B,
    C intercepts and sends challenge R1+1 to A and gets KAB{R1+1}.
  • Then C initiates connection to B impersonating A.
  • B sends challenge R1+1, for which C now has the correct response.
  • A does not have to be active for C to do attack.

  Another protocol:
  A sends (A, B, conn); B sends challenge KAB{R}; A sends response (KAB+1){R}.
  _______________________________________________

Strong Password Protocols (NS chapter 12)

  • Basic strong password protocols (EKE, SPEKE, PDM)
    • Use Diffie-Hellman
    • Human A with password achieves high-quality authentication with B
      in spite of eavesdropper
    • No protection against reading of B's db
  • Augmented strong password protocols (EKE, SPEKE, PDM)
    • Same as basic protocols except also provide
      low-quality protection against reading of B's db
    • Can be used by human A to obtain a high-quality key (including private key)

EKE basic, SPEKE basic, PDM basic

  • Protocols use Diffie-Hellman (DH)
  • Mutual authentication
  • Strong key protection against eavesdropping
  • No protection against attacker reading B's db:
    • attacker gets the key obtained from A's password
      (no need for offline dictionary attack)


EKE basic

  • DH encrypted with password-derived key to share high-quality key
  • Use shared high-quality key to do two-way authentication
  • Strong protection against eavesdropping; none against B db reading

  A: has password pw                     B: has (A, W) where W = hash(pw)
  public DH parameters: g and p

  A:  choose random a
      TA ← g^a mod p
      send [A, B, W{TA}]
  B:  choose random b
      TB ← g^b mod p
      choose challenge C1
      send [B, A, W{TB, C1}]
      KB ← (TA)^b mod p
  A:  KA ← (TB)^a mod p
      generate challenge C2
      send [A, B, KA{C1, C2}]
  B:  send [B, A, K{C2}]

  A and B now share strong key KA = KB = g^ab mod p

EKE basic (cont)

  • To defend against offline dictionary attack, need to ensure that
    g^a mod p (and g^b mod p) has no structure:
    • g^a mod p is less than p
    • If encryption block size exceeds log2 p, extra bits must have random pad.
    • Require p to be slightly more than a power of 2.
      If p is slightly less than a power of 2, then g^a mod p has structure:
      • Msb = 1 implies most of the bits to the right of msb are zeros
      • Each incorrect candidate pw has 50% chance of violating structure
      • Can quickly narrow down to space of candidate passwords.
  • Is this really an EKE issue, rather than a DH issue?

SPEKE basic

Same as EKE except that W takes the place of g.

  A: stores password pw                  B: stores (A, W) where W = hash(pw)
  public p (prime)

  A:  choose random a
      TA ← W^a mod p
      send [A, B, TA]
  B:  choose random b
      TB ← W^b mod p
      send [B, A, TB]
      KB ← (TA)^b mod p
  A:  KA ← (TB)^a mod p

  A and B now share strong key KA = KB = W^ab mod p
  <------ two-way authentication using shared key K ------>

  • W must be perfect square mod p, o/w W^a mod p / W^b mod p have structure:
    • Otherwise, W^a mod p (or W^b mod p) may not be a perfect square
    • Eliminates 50% of candidate passwords.
      But not as bad as EKE because this pruning occurs only once.

PDM basic

  • Like EKE but g = 2 and prime p is obtained from password (p = fp(pw))
  • To defend against offline dictionary, require
    • p to be a safe prime, i.e., (p−1)/2 is also a prime
    • p mod 24 = 11
    • etc

EKE augmented, SPEKE augmented, PDM augmented, SRP

  • Mutual authentication
  • Strong-key protection against eavesdropping
  • Weak-key protection against attacker reading B's db:
    • attacker can get A's pw by offline dictionary attack
  • EKE augmented is described next; others are similar.

EKE augmented

  • Public DH parameters g and p
  • A has password pw
    • two keys, W and W', obtained from pw (eg, using different hashes)
  • B has [A: W', TA' (= g^W mod p)]  (so W' is open but not W)
  • A and B do DH encrypted by W' to establish session key g^ab mod p:
    • A: random a;  TA = g^a mod p;  W'{TA} to B
    • B: random b;  TB = g^b mod p;  W'{TB} to A
    • KA = (TB)^a mod p = KB = (TA)^b mod p = g^ab mod p
  • A and B also independently generate DH key g^Wb mod p for authentication:
    • A: KA' ← (TB)^W mod p
    • B: KB' ← (TA')^b mod p

EKE augmented (cont)

  A: has pw, W, W'                       B: has [A, W', TA' (= g^W mod p)]

  A:  choose random a;  TA ← g^a mod p
      send [A, B, W'{TA}]
  B:  extract TA from W'{TA} using W'
      choose random b;  TB ← g^b mod p
      KB ← (TA)^b mod p
      KB' ← (TA')^b mod p
      H ← hash(KB, KB')
      send [B, A, W'{TB}, H]
  A:  extract TB from W'{TB} using W'
      KA ← (TB)^a mod p
      KA' ← (TB)^W mod p
      verify H = hash(KA, KA') to authenticate B
      H' ← hash'(KA, KA'), where hash' is another hash function
      send [A, B, H']
  B:  verify H' = hash'(KB, KB') to authenticate A

  A and B are mutually authenticated and share strong key K = g^ab mod p
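The exchange on the two EKE-augmented slides above, as an added Python simulation that is not from the slides or the textbook. It runs both sides with Python integers in a toy DH group (a 127-bit Mersenne prime, constructed here and far too small for real use), derives W and W' from the password with two domain-separated SHA-256 calls, and uses an XOR mask derived from W' to stand in for the W'{...} encryption; hash and hash' are SHA-256 under different tags. The record B keeps holds W' and TA' = g^W mod p but never W, as on slide 71, and the function reports which side authenticated which.

```python
"""EKE augmented (slides 71-72), simulated with Python integers and hashlib."""
import hashlib
import hmac
import secrets

# Toy DH group, constructed for the simulation only: far too small for real use.
P = 2**127 - 1      # Mersenne prime
G = 3


def derive_keys(pw: str):
    """W and W' from the password via two different hashes (slide 71).
    W is used as a DH exponent, W' as a symmetric key."""
    w = int.from_bytes(hashlib.sha256(b"W|" + pw.encode()).digest(), "big") % (P - 2) + 2
    w_prime = hashlib.sha256(b"W'|" + pw.encode()).digest()
    return w, w_prime


def pw_encrypt(w_prime: bytes, label: bytes, x: int) -> int:
    """W'{x}: XOR x with a 128-bit mask derived from W' and a direction label.
    Stands in for the slide's symmetric encryption; XOR is its own inverse."""
    mask = int.from_bytes(hashlib.shake_256(w_prime + label).digest(16), "big")
    return x ^ mask


def enroll(pw: str) -> dict:
    """What B stores for A: [A: W', TA' = g^W mod p]. W itself is never stored."""
    w, w_prime = derive_keys(pw)
    return {"w_prime": w_prime, "ta_prime": pow(G, w, P)}


def _hash(tag: bytes, k: int, k_prime: int) -> bytes:
    """hash(K, K') and hash'(K, K') are SHA-256 under different tags."""
    return hashlib.sha256(tag + k.to_bytes(16, "big") + k_prime.to_bytes(16, "big")).digest()


def run_eke_augmented(pw_typed: str, record: dict):
    """One run of the slide-72 exchange.
    Returns (B authenticated to A, A authenticated to B, shared key or None)."""
    # A: has pw, W, W'
    w, w_prime_a = derive_keys(pw_typed)
    a = secrets.randbelow(P - 2) + 1
    ta = pow(G, a, P)
    msg1 = pw_encrypt(w_prime_a, b"A->B", ta)                    # send [A, B, W'{TA}]
    # B: has [A, W', TA']
    w_prime_b, ta_prime = record["w_prime"], record["ta_prime"]
    ta_seen = pw_encrypt(w_prime_b, b"A->B", msg1)               # extract TA using W'
    b = secrets.randbelow(P - 2) + 1
    tb = pow(G, b, P)
    kb = pow(ta_seen, b, P)                                      # KB  = TA^b
    kb_prime = pow(ta_prime, b, P)                               # KB' = TA'^b = g^(Wb)
    h = _hash(b"H", kb, kb_prime)
    msg2 = (pw_encrypt(w_prime_b, b"B->A", tb), h)               # send [B, A, W'{TB}, H]
    # A
    tb_seen = pw_encrypt(w_prime_a, b"B->A", msg2[0])            # extract TB using W'
    ka = pow(tb_seen, a, P)                                      # KA  = TB^a
    ka_prime = pow(tb_seen, w, P)                                # KA' = TB^W = g^(Wb)
    b_authenticated = hmac.compare_digest(msg2[1], _hash(b"H", ka, ka_prime))
    if not b_authenticated:
        return False, False, None                                # A aborts here
    msg3 = _hash(b"H'", ka, ka_prime)                            # send [A, B, H']
    # B
    a_authenticated = hmac.compare_digest(msg3, _hash(b"H'", kb, kb_prime))
    return b_authenticated, a_authenticated, (ka if a_authenticated and ka == kb else None)


if __name__ == "__main__":
    rec = enroll("correct horse battery staple")
    print("right password:", run_eke_augmented("correct horse battery staple", rec)[:2])
    print("wrong password:", run_eke_augmented("wrong password", rec)[:2])
```

Because B's record contains W' and g^W mod p, anyone who reads it can still test candidate passwords offline against those two values, which is the weak-key limitation listed on the preceding overview slide; what the record does not give away is a value that lets the reader impersonate A without that search.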

Obtaining credential (eg, private key) from network

  • Earlier: directory service has privKeyA encrypted by key from A's password
  • Can also be solved using strong password protocols

  • Public DH parameters g and p
  • A stores password pw
  • W and W' are two keys obtained from password
  • B stores (A, W, Y), where Y = W'{private key of A}

  A:  choose random a
      compute W = hash(pw)
      send [A, B, W{g^a mod p}]
  B:  choose random b
      send [B, A, g^b mod p, (g^ab mod p){Y}]
  A:  compute g^ab mod p
      decrypt (g^ab mod p){Y} to get private key


More on authentication (real-time comm sec) (NS chapter 16)

  • Long-term secret: master key or private half of a public key pair.
  • Escrow: principal's long-term secret held by an escrow agent (eg, law enforcement).
    • Principal usually has separate public key pairs for encryption and for signing.
      Signature key usually not escrowed (o/w principal can deny a signed message)
  • Perfect forward secrecy (PFS): a session has PFS if an attacker who eavesdrops and
    later learns long-term secrets of participants still cannot obtain session key.
  • Escrow-foilage: a session has escrow-foilage if escrow agent cannot obtain session
    key by eavesdropping.
    • Of course, escrow agent can always impersonate participant or do man-in-middle attack.

PFS / escrow-foilage usually achieved with authenticated Diffie-Hellman

Example based on public signature keys (below, [x]A denotes x signed by A):

  A: (DH params g, p; pub sign key of B)   B: (DH params g, p; pub sign key of A)

  A:  generate a
      TA ← g^a mod p
      send [A, B, [A, TA]A]
  B:  receive msg
      verify signature on [A, TA]
      generate b
      TB ← g^b mod p
      KB ← (TA)^b mod p            // session key
      send [B, A, [B, TB]B]
  A:  receive message
      KA ← (TB)^a mod p            // session key = KB
      send [A, B, H(KA)]           // H: hash
  B:  receive message
      if H(KA) = H(KB) then A authenticated
      send [B, A, H(1, KB)]
  A:  receive message
      if H(1, KB) = H(1, KA) then B authenticated

Protection against denial-of-service attack

  • Typically, when a server receives a (potential) connection request, it starts to
    maintain state for that client (eg, client id, challenge).
  • An attacker can overwhelm such a server by flooding it with connection requests.
  • Solution:
    • server asks potential client to do some work before storing state for the client.
    • The work request is called a cookie
      (Not to be confused with web browser cookies.)

Example: using a stateless cookie

  B: (has secret S, not shared with anybody)

  A:  send [A, B, conn]
  B:  receive msg
      c ← hash(A's ip address, S)      // c: stateless cookie
      send [B, A, c]
      forget c
  A:  receive message
      send [A, B, conn, c]
  B:  receive message
      if c ≠ hash(A's ip addr, S) then abort
      else continue with authentication handshake

  • The above cookie just required A to send it back.
  • A more severe cookie c: random string to which the client has to return [x, c],
    where x is an n-bit number that hashes to c
    • n can be varied to inflict more/less work.
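Both cookies from the two DoS slides above, as an added Python example that is not from the slides: the stateless cookie is a keyed hash of the client address under B's secret S (an HMAC rather than a plain hash, so that c cannot be computed without S), and the "more severe" cookie is the n-bit preimage puzzle. The slides do not say how a stateless B recognises a puzzle it issued once it has forgotten x; the choice made here is to send, alongside c, an HMAC of the client address and c under S, so the server can verify both without keeping state. Sample addresses and the server secret are constructed values.

```python
"""Stateless cookie and client puzzle from the two DoS slides, as an added example."""
import hashlib
import hmac
import secrets


def make_cookie(server_secret: bytes, client_ip: str) -> bytes:
    """c = hash(A's ip address, S), as a keyed hash so that c cannot be forged without S."""
    return hmac.new(server_secret, client_ip.encode(), hashlib.sha256).digest()


def check_cookie(server_secret: bytes, client_ip: str, c: bytes) -> bool:
    """B recomputes the cookie from the source address and compares; no per-client state."""
    return hmac.compare_digest(make_cookie(server_secret, client_ip), c)


def _h(x: int) -> bytes:
    return hashlib.sha256(x.to_bytes(8, "big")).digest()


def issue_puzzle(server_secret: bytes, client_ip: str, n_bits: int) -> tuple:
    """The 'more severe' cookie: B picks a random n-bit x, sends c = hash(x) and forgets x.
    To stay stateless, B also sends t = HMAC(S, ip || c) so it can later recognise its
    own puzzle (this binding is the example's assumption, not stated on the slide)."""
    x = secrets.randbits(n_bits)
    c = _h(x)
    t = hmac.new(server_secret, client_ip.encode() + c, hashlib.sha256).digest()
    return c, t


def solve_puzzle(c: bytes, n_bits: int) -> int:
    """Client work: brute-force the n-bit x with hash(x) = c, about 2^n hashes."""
    for x in range(1 << n_bits):
        if _h(x) == c:
            return x
    raise ValueError("no n-bit preimage: wrong n or corrupted puzzle")


def check_puzzle(server_secret: bytes, client_ip: str, x: int,
                 c: bytes, t: bytes, n_bits: int) -> bool:
    """B accepts [x, c] only if c is a puzzle it issued to this address and x solves it."""
    expected_t = hmac.new(server_secret, client_ip.encode() + c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_t, t):
        return False
    return 0 <= x < (1 << n_bits) and _h(x) == c


if __name__ == "__main__":
    S = secrets.token_bytes(32)                   # B's secret, shared with nobody
    ip = "192.0.2.10"                             # constructed client address
    c, t = issue_puzzle(S, ip, 16)
    x = solve_puzzle(c, 16)                       # the client's 2^16-hash effort
    print("cookie ok:", check_cookie(S, ip, make_cookie(S, ip)))
    print("puzzle ok:", check_puzzle(S, ip, x, c, t, 16))
```

A solved puzzle stays valid for as long as S is unchanged, so a deployment would rotate S or fold a coarse timestamp into the HMAC input to bound how long a captured [x, c, t] can be replayed from the same address.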

End-point id hiding

Hide the ids of the communicating principals from eavesdroppers, spoofers, etc.
Below, A and B are principals, and nA and nB are their respective Internet ids.

  A: (DH params g, p; pub sign key of B)   B: (DH params g, p; pub sign key of A)

  A:  generate a
      TA ← g^a mod p
      send [nA, nB, TA]
  B:  receive msg
      generate b
      TB ← g^b mod p
      KB ← (TA)^b mod p            // session key
      send [nB, nA, TB]
  A:  receive message
      KA ← (TB)^a mod p            // session key
      send [nA, nB, KA{A, B, [TA]A}]
  B:  receive message
      send [nB, nA, KB{B, A, [TB]B}]

  • Eavesdropper cannot see end-point ids (A and B)
  • Spoofer of B (more precisely, of nB) can learn end-point ids.
  • Same can be done with secret key, say L, instead of public key:
    • use L{TA} and L{TB} instead of [TA]A and [TB]B respectively

Reusing DH key across sessions

  • Goal: amortize cost of computing DH key
  • Approach: define session key as function of DH key and a random nonce.

  First session:
  A: (DH params g, p; pub sign key of B)   B: (DH params g, p; pub sign key of A)

  A:  generate a
      TA ← g^a mod p
      send [A, B, [TA]A]
  B:  receive msg
      generate b, N1
      TB ← g^b mod p
      KB ← (TA)^b mod p            // DH key
      send [B, A, [TB]B, N1]
      session key SB1 ← hash(N1, KB)
  A:  receive message
      KA ← (TB)^a mod p            // DH key
      session key SA1 ← hash(N1, KA)
  <------------ session key SA1 = SB1 ------------>
  close session

Reusing DH key across sessions (cont)

  Second session:
  A: (has TA, TB, KA from before)          B: (has TA, TB, KB from before)

  A:  start new session
      send [A, B, [TA]A]             // reuse TA
  B:  generate N2                    // reuse TB and KB
      session key SB2 ← hash(N2, KB)
      send [B, A, [TB]B, N2]
  A:  receive message
      TB has not changed, so reuse TA and KA
      session key SA2 ← hash(N2, KA)
  <------------ session key SA2 = SB2 ------------>
  close session

  • Above, B authenticates A but not vice versa (ie, attacker can replay B msgs).
  • Easy to fix so that A authenticates B also.
  • What is lost by reusing DH parameters?

Plausible deniability

  • Principal A has plausible deniability in a session if nobody can prove that A
    participated in the session (even though A and B may have authenticated each
    other in the session).
  • Plausible deniability comes for free with secret key (any one participant can
    cook up the entire session)
  • Not possible with public key unless key is escrowed (eg, use encryption public
    key rather than signature public key).

________________________________________________________________

Negotiating crypto parameters

  • In A-B session initiation, A sends crypto options and B responds with crypto
    accepted.
  • Having crypto parameters negotiated allows same protocol to upgrade to
    better crypto algorithms when they become available.
  • Because crypto options are negotiated before authentication, need to
    reconfirm after authentication (by reiterating the negotiation messages).