outline more security protocols
play

Outline More Security Protocols Combining key distribution and - PDF document

Jan 12, 2023 •178 likes •297 views

Outline More Security Protocols Combining key distribution and authentication CS 239 Verifying security protocols Computer Security February 4, 2004 Lecture 7 Lecture 7 Page 1 Page 2 CS 239, Winter 2004 CS 239, Winter 2004

  1. Outline More Security Protocols • Combining key distribution and authentication CS 239 • Verifying security protocols Computer Security February 4, 2004 Lecture 7 Lecture 7 Page 1 Page 2 CS 239, Winter 2004 CS 239, Winter 2004 Combined Key Distribution and Needham-Schroeder Key Authentication Exchange • Usually the first requires the second • Uses symmetric cryptography –Not much good to be sure the key is • Requires a trusted authority a secret if you don’t know who –Who takes care of generating the you’re sharing it with new key • How can we achieve both goals? • More complicated than some protocols –In a single protocol we’ve seen –With relatively few messages Lecture 7 Lecture 7 Page 3 Page 4 CS 239, Winter 2004 CS 239, Winter 2004 Needham-Schroeder, Step 1 What’s the Point of R A ? K A K B • R A is nonce chosen by Alice for this invocation of the protocol R A Alice Bob –A random number –Not used as a key, so quality of Alice’s random number generator Alice,Bob,R A not too important • Helps defend against replay attacks Trent K A K B Lecture 7 Lecture 7 CS 239, Winter 2004 Page 5 CS 239, Winter 2004 Page 6 1

  2. Needham-Schroeder, Step 2 Needham-Schroeder, Step 3 E KB (K S ,Alice) Including R A prevents replay K A K A K B K B Including Bob prevents K S R A attacker from replacing Alice Alice So we’re done, right? K S Bob Bob Bob’s identity Wrong! Including the E KA (R A ,Bob,K S , encrypted message for Bob ensures E KB (K S ,Alice)) that message can’t Trent Trent be replaced K S What’s all this K A K B K A K B stuff for? Lecture 7 Lecture 7 Page 7 Page 8 CS 239, Winter 2004 CS 239, Winter 2004 Needham-Schroeder, Step 4 Needham-Schroeder, Step 5 E KS (R B ) K B E KS (R B -1) K B K A K A K S K S K S K S Alice R B Alice R B Bob Bob R B R B Now we’re done! R B -1 Trent Trent K A K B K A K B Lecture 7 Lecture 7 Page 9 Page 10 CS 239, Winter 2004 CS 239, Winter 2004 What’s All This Extra Stuff For? What’s All This Extra Stuff For? E KB (K S ,Alice) K A K A Alice knows she’s K B K B talking to Bob K S ? s r e Alice Alice b m u Bob Bob Trent said she was n m o d n a Can Mallory Can Mallory Trent said he was r e s o h t t Bob knows u o jump in later? jump in later? b a E KA (R A ,Bob,K S , t a h W he’s talking No, all later No, only Bob to Alice E KB (K S ,Alice)) messages will use could read the Trent K S , which Mallory Trent key package K S K A K B doesn’t know K A K B Trent created Lecture 7 Lecture 7 CS 239, Winter 2004 Page 11 CS 239, Winter 2004 Page 12 2

  3. Mallory Causes Problems Mallory Waits For His Chance E KA (Bob,K S , K B K A • Alice and Bob do something Mallory likes E KB (K S ,Alice)) • Mallory watches the messages they send to Alice do so Mallory Bob • Mallory wants to make them do it again • Can Mallory replay the conversation? – Let’s try it without the random numbers Alice,Bob Trent K A K B Lecture 7 Lecture 7 Page 13 Page 14 CS 239, Winter 2004 CS 239, Winter 2004 What Will Alice Do Now? The Protocol Continues E KB (K S ,Alice) K B K A • The message could only have been created by Trent K S K S Alice Mallory Bob • It properly indicates she wants to talk to Bob Mallory steps With no aside for a bit • It contains a perfectly plausible key random keys, • Alice will probably go ahead with the we’re done protocol Trent K A K B Lecture 7 Lecture 7 Page 15 Page 16 CS 239, Winter 2004 CS 239, Winter 2004 Mallory Steps Back Into the Picture So What’s the Problem E KS (Old message 1) E KS (Old message 2) K B K A • Alice and Bob agree K S is their key K S –They both know the key K S Alice Mallory Bob –Trent definitely created the key for Mallory can It’s using the them replay Alice and current key, so –Nobody else has the key Bob’s old Alice and Bob • But . . . conversation will accept it Trent K A K B Lecture 7 Lecture 7 CS 239, Winter 2004 Page 17 CS 239, Winter 2004 Page 18 3

  4. How Do the Random Numbers Why Bob Also Needs a Random Help? Number K B K A E KB (K S ,Alice) • Alice’s random number assures her that the reply from Trent is fresh K S Alice Mallory Bob • But why does Bob need another Let’s say Alice But Mallory random number? doesn’t want to wants Bob to talk to Bob think Alice wants to talk Trent K A K B Lecture 7 Lecture 7 Page 19 Page 20 CS 239, Winter 2004 CS 239, Winter 2004 So What? So, Everything’s Fine, Right? K B E KS (Old message 1) • Not if any key K S ever gets divulged K S • Once K S is divulged, Mallory can forge Mallory Bob Alice’s response to Bob’s challenge Mallory can now play back an old message from Alice to Bob • And convince Bob that he’s talking to And Bob will have no reason to be Alice when he’s really talking to suspicious Mallory Bob’s random number exchange assured him that Alice really wanted to talk Lecture 7 Lecture 7 Page 21 Page 22 CS 239, Winter 2004 CS 239, Winter 2004 Mallory Cracks an Old Key Timestamps in Security Protocols E KS ( R B ) • One method of handling this kind of K B K S E KB (K S ,Alice) E KS (R B - 1) problem is timestamps R B K S • Proper use of timestamps can limit the Mallory Bob time during which an exposed key is R B - 1 Mallory enlists 10,000 computers belonging dangerous to 10,000 grandmothers to crack K S • But timestamps have their own Unfortunately, Mallory knows K S problems So Mallory can answer Bob’s challenge Lecture 7 Lecture 7 CS 239, Winter 2004 Page 23 CS 239, Winter 2004 Page 24 4

  5. Using Timestamps in the Using Timestamps to Defeat Needham-Schroeder Protocol Mallory K B E KB (K S ,Alice,T X ) • The trusted authority includes K S K S timestamps in his encrypted messages Mallory Bob T X to Alice and Bob T X << T now E KB (K S ,Alice,T X ) • Based on a global clock T now Now Bob checks T X against his clock • When Alice or Bob decrypts, if the timestamp is too old, abort the protocol So Bob, fearing replay, discards K S And Mallory’s attack is foiled Lecture 7 Lecture 7 Page 25 Page 26 CS 239, Winter 2004 CS 239, Winter 2004 Problems With Using The Suppress-Replay Attack Timestamps • Assume two participants in a security • They require a globally synchronized protocol set of clocks – Using timestamps to avoid replay problems –Hard to obtain, often • If the sender’s clock is ahead of the –Attacks on clocks become important receiver’s, attacker can intercept message • They leave a window of vulnerability – And replay later, when receiver’s clock still allows it Lecture 7 Lecture 7 Page 27 Page 28 CS 239, Winter 2004 CS 239, Winter 2004 Neuman-Stubblebine Protocol, Handling Clock Problems Step 1 R A K A Alice, R A K B 1). Rely on clocks that are fairly synchronized and hard to tamper R A Alice Bob –Perhaps GPS signals What does Bob 2). Make all comparisons against the know? same clock Someone –So no two clocks need to be claiming to be synchronized Trent Alice wants to K A K B talk securely Lecture 7 Lecture 7 CS 239, Winter 2004 Page 29 CS 239, Winter 2004 Page 30 5

  6. Neuman-Stubblebine Protocol, Neuman-Stubblebine Protocol, Step 2 Step 3 R A K A K A Bob,R A , K S ,T B K B K B R A Bob,R B , R B R A R B E KA (Bob,R A ,K S ,T B ), Alice Alice Bob Bob T B T B E KB (Alice,R A ,T B ) E KB (Alice,K S ,T B ),R B Alice knows: 1. Bob heard Trent knows Bob her message thinks Alice wants K S to talk to him 2. Trent created Trent Trent But does she a new key Alice,R A ,T B Alice,R A ,T B K A K B K A K B really? Lecture 7 Lecture 7 Page 31 Page 32 CS 239, Winter 2004 CS 239, Winter 2004 Neuman-Stubblebine Protocol, What Has the Protocol K B Step 4 Achieved? K S K A • Alice and Bob share a key E KB (Alice,K S ,T B ), E KS (R B ) R B • They know the key was generated by Alice Bob Trent E KB (Alice,K S ,T B ),R B K S R B • Alice knows this key matches her T B R B guarantees Alice recent request for a key Bob checks knows K S • Bob knows this key matches Alice’s R B and T B T B T B guarantees it’s a recent request and Bob’s agreement Trent fresh session K A K B Lecture 7 Lecture 7 Page 33 Page 34 CS 239, Winter 2004 CS 239, Winter 2004 What Has the Timestamp Done What Else Can You Do With For Bob and Alice? Security Protocols? • Bob knows that the whole agreement is • Secret splitting and secret sharing timely • Fair coin flips and other games • Since the only timestamp originated • Simultaneous contract signing with his clock, no danger of suppress- • Secure elections replay attacks • Zero knowledge proofs off-line • Lots of other neat stuff Lecture 7 Lecture 7 CS 239, Winter 2004 Page 35 CS 239, Winter 2004 Page 36 6

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery cryptosystems Computer Security Designing secure protocols February 10, 2003 Basic protocols Key exchange Lecture 8 Lecture 8 Page 1 Page

148 views • 10 slides
Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security

Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security

Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security Protocols Application layer security (email) PGP, S/MIME Transport layer security Bart Preneel SSL / TLS June 2003 Network layer

571 views • 19 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography and system mechanisms meet They allow trust to be taken from where it exists to where it s needed But they are

941 views • 67 slides
Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols 01 Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief introduction to security protocols; Model checking of security protocols, particularly using the process

1.28k views • 110 slides
Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to

Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to

Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to Computer Security Announcements intermission Day 17: Crypto protocols and S protocols SSH Stephen McCamant University of Minnesota, Computer

338 views • 7 slides
Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of

Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of

Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols Key exchange protocols Combined

989 views • 73 slides
Outline More crypto protocols CSci 5271 Introduction to Computer Security Announcements

Outline More crypto protocols CSci 5271 Introduction to Computer Security Announcements

Outline More crypto protocols CSci 5271 Introduction to Computer Security Announcements intermission More crypto protocols and failures Stephen McCamant More causes of crypto failure University of Minnesota, Computer Science &amp;

430 views • 4 slides
Outline More crypto protocols CSci 5271 Introduction to Computer Security Announcements

Outline More crypto protocols CSci 5271 Introduction to Computer Security Announcements

Outline More crypto protocols CSci 5271 Introduction to Computer Security Announcements intermission More crypto protocols and failures Stephen McCamant More causes of crypto failure University of Minnesota, Computer Science &amp;

329 views • 5 slides
Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval, Steve Kremer, Itsaka Rakotonirina Inria Nancy Grand-Est Security protocols TLS Wifi @ PASS E-voting E-passport 2 24 Security protocols

830 views • 69 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides originally by Ross Anderson Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography

1.47k views • 118 slides
Outline Cryptographic protocols, contd More causes of crypto failure CSci 5271 Key

Outline Cryptographic protocols, contd More causes of crypto failure CSci 5271 Key

Outline Cryptographic protocols, contd More causes of crypto failure CSci 5271 Key distribution and PKI Introduction to Computer Security HW1 debrief Day 17: PKI and S protocols Stephen McCamant SSH University of Minnesota,

460 views • 11 slides
Lecture Outline Protocols for detecting manipulation How to think about

Lecture Outline Protocols for detecting manipulation How to think about

Lecture Outline Protocols for detecting manipulation How to think about architecture In general systems terms For security implications Tussles in architectures that affect multiple stakeholders Ethane: the

636 views • 37 slides
Detecting and Resolving Type Flaws in Security Protocols Michael Banks Department of Computer

Detecting and Resolving Type Flaws in Security Protocols Michael Banks Department of Computer

Detecting and Resolving Type Flaws in Security Protocols Michael Banks Department of Computer Science, University of York 26th February 2009 Outline 1 Security Protocols 2 Type Flaws: Attacks and Defences 3 Detecting and Resolving Potential

391 views • 25 slides
Distributed Systems Rik Sarkar James Cheney Security Protocols &amp; Case Studies March 17,

Distributed Systems Rik Sarkar James Cheney Security Protocols &amp; Case Studies March 17,

Distributed Systems Rik Sarkar James Cheney Security Protocols &amp; Case Studies March 17, 2014 Recap &amp; outline Security is hard Cryptography is not security No &quot;security through obscurity&quot; Today:

924 views • 39 slides
Privacy October 2006 Overview I. Definition II. Basic Privacy Principles III. Privacy Issues

Privacy October 2006 Overview I. Definition II. Basic Privacy Principles III. Privacy Issues

Simone Fischer-Hbner Privacy October 2006 Overview I. Definition II. Basic Privacy Principles III. Privacy Issues (LBS, RFID,...) IV. European Privacy Legislation/ Directives I. Definition Warren &amp; Brandeis 1890 The right to

694 views • 30 slides
Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors Presented by the Office of Housing Counseling and The Office of the Chief Information Officer Privacy Program August 12, 2014 1 Protecting

590 views • 43 slides
Security and Privacy in the Cloud Mayer Brown LLP: Cybersecurity and Data Privacy / Technology

Security and Privacy in the Cloud Mayer Brown LLP: Cybersecurity and Data Privacy / Technology

Security and Privacy in the Cloud Mayer Brown LLP: Cybersecurity and Data Privacy / Technology Transactions Practice Groups November 14, 2017 Linda Rhodes Joe Pennell Brad Peterson Partner Partner Partner 202-263-3382 312-701-8354

313 views • 29 slides
Cruft Update IETF 62 Thesis There s cruft out there Procedure Create a list of all RFCs

Cruft Update IETF 62 Thesis There s cruft out there Procedure Create a list of all RFCs

Cruft Update IETF 62 Thesis There s cruft out there Procedure Create a list of all RFCs below 2000 that were Proposed Standards as of November Create a mailing list to discuss and remove documents from the list Remove RFCs from list

439 views • 7 slides
Ho How t to m mak ake your ur Zoo oom m cl class s secur cure and p d pri rivate We

Ho How t to m mak ake your ur Zoo oom m cl class s secur cure and p d pri rivate We

Ho How t to m mak ake your ur Zoo oom m cl class s secur cure and p d pri rivate We will begin shortly. Please answer the brief poll question. Ron Owston, PhD Research Associate, Contact North Professor Emeritus, York University

326 views • 28 slides
Welcome Introduction to Health Impact Assessment Webinar How to Interact Today with ZOOM

Welcome Introduction to Health Impact Assessment Webinar How to Interact Today with ZOOM

Welcome Introduction to Health Impact Assessment Webinar How to Interact Today with ZOOM Webinar Thi his s webin inar ar is s being ng reco corded ded There are many cool interactive functions for todays presentation! 4 4 butt

525 views • 37 slides
The Conversation Project Conversation Sabbath 2018 September 12, 2018 Rosemary Lloyd Naomi

The Conversation Project Conversation Sabbath 2018 September 12, 2018 Rosemary Lloyd Naomi

The Conversation Project Conversation Sabbath 2018 September 12, 2018 Rosemary Lloyd Naomi Fedna 2 WebEx Quick Reference Welcome to todays session! Please use Chat to All Participants for questions Raise your hand For technology

611 views • 20 slides
Zoom tech tips Click on microphone button to mute or unmute yourself Click on camera to start

Zoom tech tips Click on microphone button to mute or unmute yourself Click on camera to start

Zoom tech tips Click on microphone button to mute or unmute yourself Click on camera to start your video Click on participants and chat Rename yourself by ho hoverin ing over er you our r nam name an and cli clickin ing the the ren

330 views • 7 slides

More recommend