Outline CPSC 418/MATH 318 Introduction to Cryptography Recap: - PowerPoint PPT Presentation

Outline CPSC 418/MATH 318 Introduction to Cryptography Recap: Authentication 1 Cryptography in Practice: Entity Authentication, SSH Entity Authentication 2 Kerberos 5 Renate Scheidler Station-to-Station protocol Department of Mathematics & Statistics Department of Computer Science University of Calgary A Real-Life Application: SSH 3 Week 12 The End 4 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 1 / 30 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 2 / 30 Recap: Authentication Recap: Authentication Authentication Session Key Authentication via KDCs What needs to be authenticated? How is the authentication achieved? Users register with the KDC in advance: Every user shares a master key with the KDC Messages Master keys are the only long-term keys MACs or hashing with encryption (data integrity) If Alice wishes to communicate cryptographically with Bob, she requests a Data Origin session key from the KDC: Digital signatures (also provide non-repudiation) KDC generates session key K Keys KDC sends K to Alice, encrypted with the master key shared with Key Distribution Centres (KDCs) for symmetric session keys Alice Public Key Infrastructurex (PKIs) or peer authentication for KDC sends K to Bob, encrypted with the master key shared with Bob asymmetric keys Trusted authority for private keys in identity based based crypto K is destroyed at the end of the session Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 3 / 30 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 4 / 30

Recap: Authentication Recap: Authentication Session Key Authentication via PKIs Other Key Authentication Mechanisms Each user registers with a certification authority who issues a signed public key certificate : Data part: user id, public key, validity time stamp, status flag, Peer authentication of Public Keys: algorithm info, CA signature verification info, . . . Multiple signatures by different peers are attached to public keys Signature part: digital signature of the CA over the data part Used, for example, in PGP via key rings with a framework of trust vouching for the authenticity of the certificate quantification Other users’ certificates can be obtained and verified off-line (without interaction with the CA) ID based cryptography PKI handles all key management: No need for public key authentication (your ID is your key) user registration and certificate authentication, issuance, distribution Trusted authority generates and holds all private keys use and life time of keys’ revocation and destruction of keys storage, recovery and archival of keys all technical, administrative and policy aspects Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 5 / 30 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 6 / 30 Entity Authentication Entity Authentication Entity Authentication Authentication Protocols and Nonces Definition 1 (Authentication protocol) We’ve covered data origin authentication via digital signatures and the frameworks of KDCs or PKIs for key authentication. A sequence of one or more information exchanges used to convince parties of each others’ identity. We still need protocols for ensuring entity authentication within these frameworks. Authentication may be one-way or mutual. Key issues: Confidentiality (e.g. to protect session keys) Timeliness (freshness) — to prevent replay attacks where a signed message is copied and later resent Ensured via time stamps or nonces Definition 2 (Nonce) A number or bit string that is used only once (usually in a particular message or protocol). Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 7 / 30 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 8 / 30

Entity Authentication Entity Authentication Standardized Authentication Protocols Authenticated Session Key Distribution Via KDC Notation: A , B — identities of users A and B , respectively Needham-Schroeder 1978 M — identity of a masquerader (impersonator) Original KDC session key distribution protocol (basis of Kerberos 1 T — identity of a trusted authority — authenticated session key produced by the protocol session key distribution) K K XY — key shared by entities X and Y Utilizes a challenge-response mechanism and symmetric encryption E K XY — symmetric encryption using key K XY (no public key) TS X — time stamp generated by entity X T plays the role of the KDC — nonce generated by entity X N X cert X — public key certificate of entity X sig X — public key signature generated by entity X “ X → Y : m ” means that user X sends message m to user Y 1 In Ancient Greek mythology, Kerberos is three-headed dog who guards the gates of Hell and prevents dead souls from returning to the world of the living. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 9 / 30 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 10 / 30 Entity Authentication Entity Authentication Needham-Schroeder Protocol Replay Attack on Needham-Schroeder Suppose M has compromised a previous session key K ′ and has recorded message 3 from a previous run: Protocol: 1 A → B : E K BT ( K ′ , A ) . 1 A → T : A , B , N A 2 T → A : E K AT � � K , B , N A , E K BT ( K , A ) Denning, Sacco (1981) — M impersonates A as follows: 3 A → B : E K BT ( K , A ) 1 M → B : E K BT ( K ′ , A ) (replay of old, valid message) 4 B → A : E K ( N B ) 2 B → M : E K ′ ( N B ) 5 A → B : E K ( N B − 1) 3 M → B : E K ′ ( N B − 1) Steps 1,2,3: session key distribution Result: Steps 4,5: mutual authentication of A and B B accepts K ′ as a valid session key shared with A M can continue to impersonate A successfully. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 11 / 30 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 12 / 30

Entity Authentication Entity Authentication Denning’s & Sacco’s Proposed Fix Fix — Combination of Nonces and Expiration Times Let time B denote the expiration time for K (determined by B ) Uses a time stamp TS T generated by T instead of A ’s nonce N A : 1 A → B : A , N A 1 A → T : A , B 2 B → T : B , N B , E K BT ( A , N A , time B ) 2 T → A : E K AT ( K , B , TS T , E K BT ( K , A , TS T )) 3 T → A : E K AT ( B , N A , K , time B ) , E K BT ( A , K , time B ) , N B 3 A → B : E K BT ( K , A , TS T ) 4 A → B : E K BT ( A , K , time B ) , E K ( N B ) 4 B → A : E K ( N B ) 5 A → B : E K ( N B − 1) Nonces N A and N B assure both A and B of session timeliness Only B needs to check time B , so no clock synchronization needed Good news: replaying message 3 will no longer work, because B will In Message 3, the block E K BT ( A , K , time B ) serves as a ticket that A can reject the message if the current time differs greatly from TS T . use to re-authenticate with B without interaction with T during the time Bad news: a suppress-replay attack is possible if B ’s clock is not limit specified by time B : tamper-proof. M proceeds as follows: 1 A → B : E K BT ( A , K , time B ) , N ′ A Sets B ’s clock behind and suppress Message 3 2 B → A : N ′ B , E K ( N ′ A ) Sends Message 3 when B ’s clock corresponds to TS T . 3 A → B : E K ( N ′ B ) Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 13 / 30 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 14 / 30 Entity Authentication Kerberos 5 Entity Authentication Kerberos 5 Kerberos 5 Kerberos (cont’d) Kerberos is a protocol for authenticated session key distribution via a trusted authority (KDC). In message 3, E K ( A , T A ) serves as an authenticator of A to B as only Utilizes a challenge-response mechanism and symmetric encryption A could have extracted K from E K AT ( K , TS T , time , B , t ) Simplified version presented here (all non-crypto stuff omitted) T plays the role of the KDC; K is the session key with validity period Similarly, timely decryption of E K ( T A + 1) in message 4 provides time ; both are generated by T limited authentication of B to A as only B could have extracted K from the ticket = E K BT ( K , TS T , time , A ). Protocol: However, the IDs and encrypted keys should be properly 1 A → T : A , B authenticated with MACs. 2 T → A : E K AT ( K , TS T , time , B , t ) where t = E K BT ( K , TS T , time , A ) 3 A → B : t , E K ( A , T A ) As before, t in message 2 serves as a ticket for A to re-authenticate 4 B → A : E K ( T A + 1) to B . Steps 1, 2, 3: session key distribution. Steps 3 and 4: mutual key confirmation – both parties encrypt and decrypt with K . Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 15 / 30 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 12 16 / 30