CSE543 - Introduction to Computer and Network Security Module: - PowerPoint PPT Presentation

�������฀฀���฀฀�������� ��������������฀�������� � � �������฀���฀��������฀��������฀������ ����������฀��฀��������฀�������฀���฀����������� ������������฀�����฀�����������฀����������฀����฀฀�� CSE543 - Introduction to Computer and Network Security Module: Authentication Professor Patrick McDaniel Fall 2008 CSE543 - Introduction to Computer and Network Security Page 1

Meet Alice and Bob …. • Alice and Bob are the canonical players in the cryptographic world. ‣ They represent the end points of some interaction ‣ Used to illustrate/define a security protocol • Other players occasionally join … ‣ Trent - trusted third party ‣ Mallory - malicious entity ‣ Eve - eavesdropper ‣ Ivan - an issuer (of some object) CSE543 - Introduction to Computer and Network Security Page 2

Some notation … • You will generally see protocols defined in terms of exchanges containing some notation like ‣ All players are identified by their first initial • E.g., Alice=A, Bob=B ‣ d is some data ‣ pw A is the password for A ‣ k AB is a symmetric key known to A and B ‣ K A+ ,K A- is a public/private key pair for entity A ‣ E( k , d ) is encryption of data d with key k ‣ H( d ) is the hash of data d ‣ Sig(K A- , d ) is the signature (using A’s private key) of data d ‣ “+” is used to refer to concatenation CSE543 - Introduction to Computer and Network Security Page 3

Some interesting things • … when communicating. ‣ Ensure the authenticity of a user ‣ Ensure the integrity of the data • Also called data authenticity ‣ Keep data confidential ‣ Guarantee non-repudation CSE543 - Introduction to Computer and Network Security Page 4

Basic (User) Authentication • Bob wants to authenticate Alice’s identity ‣ (is who she says she is) [pw A ] 1 Alice Bob 2 [Y/N] CSE543 - Introduction to Computer and Network Security Page 5

Hash User Authentication • Bob wants to authenticate Alice’s identity ‣ (is who she says she is) [h(pw A )] 1 Alice Bob 2 [Y/N] CSE543 - Introduction to Computer and Network Security Page 6

Challenge/Response User Authentication • Bob wants to authenticate Alice’s identity ‣ (is who she says she is) [c] 1 [h(c+pw A )] 2 Alice Bob 3 [Y/N] CSE543 - Introduction to Computer and Network Security Page 7

User Authentication vs. Data Integrity • User authentication proves a property about the communicating parties ‣ E.g., I know a password • Data integrity ensures that the data transmitted... ‣ Can be verified to be from an authenticated user ‣ Can be verified to determine whether it has been modified • Now, lets talk about the latter, data integrity CSE543 - Introduction to Computer and Network Security Page 8

Simple Data Integrity? • Alice wants to ensure any modification of the data in flight is detectable by Bob (integrity) [d,h(d)] 1 Alice Bob CSE543 - Introduction to Computer and Network Security Page 9

HMAC Integrity • Alice wants to ensure any modification of the data in flight is detectable by Bob (integrity) [d,hmac(k,d)] 1 Alice Bob CSE543 - Introduction to Computer and Network Security Page 10

Signature Integrity • Alice wants to ensure any modification of the data in flight is detectable by Bob (integrity) [d, Sig(K A - , d) ] 1 Alice Bob CSE543 - Introduction to Computer and Network Security Page 11

Data Integrity vs. Non-repudiation • If the integrity of the data is preserved, is it provably from that source? ‣ Hash integrity says what about non-repudiation? ‣ Signature integrity says what about non-repudiation? CSE543 - Introduction to Computer and Network Security Page 12

Confidentiality • Alice wants to ensure that the data is not exposed to anyone except the intended recipient (confidentiality) [E(k AB ,d ), hmac(k AB , d) ] 1 Alice Bob CSE543 - Introduction to Computer and Network Security Page 13

Question • If I already have an authenticated channel (e.g., the remote party’s public key), why don’t I simply make up a key and send it to them? CSE543 - Introduction to Computer and Network Security Page 14

Confidentiality • Alice wants to ensure that the data is not exposed to anyone except the intended recipient (confidentiality) • But, Alice and Bob have never met !!!! [E(k x ,d ), hmac(k x , d),E(K B + ,k x ) ] 1 Alice Bob • Alice randomly selects key k x to encrypt with CSE543 - Introduction to Computer and Network Security Page 15

Real Systems Security • The reality of the security is that 90% of the frequently used protocols use some variant of these constructs. ‣ So, get to know them … they are your friends ‣ We will see them (and a few more) over the semester • They also apply to systems construction ‣ Protocols need not necessarily be online ‣ Think about how you would use these constructs to secure files on a disk drive (integrity, authenticity, confidentiality) ‣ We will add some other tools, but these are the basics CSE543 - Introduction to Computer and Network Security Page 16

Kerberos • History: from UNIX to Networks (late 80s) ‣ Solves: password eavesdropping ‣ Online authentication • Variant of Needham-Schroeder protocol ‣ Easy application integration API ‣ First single sign-on system (SSO) ‣ Genesis: rsh, rcp • authentication via assertion • Most widely used (non-web) centralized password system in existence (and lately only ..) • Now: part of Windows 2K/XP/Vista network authentication ‣ Old Windows authentication was a cruel joke. CSE543 - Introduction to Computer and Network Security Page 17

An aside … • Authentication ‣ Assessing identity of users ‣ By using credentials … • Authorization ‣ Determining if users have the right to perform requested action (e.g., write a file, query a database, etc.) • Kerberos authenticates users, but does not perform any authorization functions … ‣ … beyond identify user as part of Realm ‣ Typically done by application. • Q: Do you use any “ Kerberized ” programs? ‣ How do you know? CSE543 - Introduction to Computer and Network Security Page 18

The setup … • The players ‣ Principal - person being authenticated ‣ Service (verifier) - entity requiring authentication (e.g, AFS) ‣ Key Distribution Center (KDC) • Trusted third party for key distribution • Each principal and service has a Kerberos password known to KDC, which is munged to make a password ke, e.g., k A ‣ Ticket granting server • Server granting transient authentication • The objectives CSE543 - Introduction to Computer and Network Security Page 19

The protocol • A two-phase process 1. User authentication/obtain session key (and ticket granting ticket) key from Key Distribution Center 2. Authenticate Service/obtain session key for communication with service • Setup ‣ Every user and service get certified and assigns password CSE543 - Introduction to Computer and Network Security Page 20

A Kerberos Ticket • A kerberos ticket is a token that … ‣ Alice is the only on that can open it ‣ Contains a session key for Alice/Bob (K AB ) ‣ Contains inside it a token that can only be opened by Bob • Bob’s Ticket contains ‣ Alice’s identity Ticket (K AB ) ‣ The session key (K AB ) Ticket (K AB ) “Locked” by K B “Locked” by K A • Q: What if issuing service is not trusted? CSE543 - Introduction to Computer and Network Security Page 21

The protocol (obtaining a TGT) • Time exp - time of expiration • n - nonce (random, one-use value: e.g., timestamp) [A,TGS,Time exp ,n] 1 Alice KDC 2 E(k A ,[k A,TGS ,TGS,Time exp ,n]),E(K TGS ,[A, k A,TGS , Time exp ],) TGT CSE543 - Introduction to Computer and Network Security Page 22

The protocol (performing authentication) [B,Time exp ,n,E(k A,TGS ,[B,Time exp ,n])], E(K TGS ,[A,k A,TGS , Time exp ])] 1 TGS Alice 2 E(k A,TGS ,[k A,B ,B,Time exp ,n]), 3 E(k B ,[A,k A,B ,Time exp ])] E(k A,B ,[A,Time exp ,n]), E(k B ,[A,k A,B ,Time exp ])] Bob Authenticator CSE543 - Introduction to Computer and Network Security Page 23

Cross-Realm Kerberos • Extend philosophy to more servers ‣ Obtain ticket from TGS for foreign Realm ‣ Supply to TGS of foreign Realm ‣ Rinse and repeat as necessary Ohio St. Michigan Penn St. Pitt Purdue • “There is no problem so hard in computer science that it cannot be solved by another layer of indirection.” ‣ David Wheeler, Cambridge University (circa 1950) CSE543 - Introduction to Computer and Network Security Page 24

Kerberos Reality • V4 was supposed to be replaced by V5 ‣ But wasn’t because interface was ugly, complicated, and encoding was infuriating • Assumes trusted path between user and Kerberos • Widely used in UNIX domains • Robust and stable implementation • Problem : trust ain’t transitive, so not so good for large collections of autonomous enterprises CSE543 - Introduction to Computer and Network Security Page 25

Assignment #2 • A password protecting file processor. CSE543 - Introduction to Computer and Network Security Page 26