Purpose Notation Protocol is a sequence of message between participants Write A − → B : M if Alice sends Bob the message M Key exchange protocols ensure that both parties have same In the literature encryption of M with key K often written as { M } K symmetric key Will write N A , N B for nonce (number used once, mostly a random Usually requires trusted third party, often called Trent. number) chosen by Alice and Bob respectively Will write S A , S B , S T for timestmaps chosen by Alice, Bob and Trent respectively Eike Ritter Cryptography 2013/14 123 Eike Ritter Cryptography 2013/14 124 Wide-Mouth Frog Needham-Schroeder Simple key exchange protocol using timestamps to synchronise In this protocol key generation done by Trent clocks Timestamps used to protect against replay attacks Write E A , E B for encryption with a key Trent shares with Alice and Write E K for encryption with session key Bob respectively Protocol works as follows: Protocol works as follows: A − → T : A � B � N A A − → T : A � E A ( S A � K � B ) T − → A : E A ( N A � K � B � E B ( K � A )) T − → B : E B ( S T � K � A ) A − → B : E B ( K � A ) B − → A : E K ( N B ) On receiving packet, Trent checks whether timestamp is recent A − → B : E K ( N B − 1) Bob trusts Alice to produce a meaningful key (very strong assumption) Eike Ritter Cryptography 2013/14 125 Eike Ritter Cryptography 2013/14 126
Replay Attack Kerberos Uses timestamps instead of nonces to prevent replay attacks Write L for the lifetime of the session key K Have replay attack Protocol works as follows: Assume Mallory captures one run of the protocol between Alice, A − → T : A � B Trent and Bob, and learns key K T − → A : E A ( S T � L � K � B � E B ( S T � L � K � A )) Can now replay the message E B ( K || A ) to Bob, who will accept it A − → B : E B ( S T � L � K � A ) � E K ( A � S A ) ⇒ Mallory can fool Bob into hinking he is communicating with B − → A : E K ( S A + 1) Alice Provides secure key exchange but relies heavily on timestamps and lifetime L as indicators of freshness Eike Ritter Cryptography 2013/14 127 Eike Ritter Cryptography 2013/14 128 WPA2 EAP Used for connecting clients to a network via access point 8: Unblock WEP and WPA had security problems, mainly due to the usage of 7: Challenge Reply the RC4 cipher 4: Challenge 3: Send Identity WPA2 was introduced to overcome these issues. Have 1 AES in Counter Mode (CTR) for encryption, 2 CBC-MAC based on AES to guarantee message integrity, 3 a unique 48 bit packet number (PN), 0: Establish Link 4 Extensible Authentication Protocol (EAP) for client 1: Request Identity authentication. 2: Send Identity 5: Challenge 6: challenge Reply Eike Ritter Cryptography 2013/14 129 Eike Ritter Cryptography 2013/14 130
Packet format MAC PN0 Res Res Ext Key PN2. . . PN5 Data Payload MIC Header PN1 IV ID 16bit 8bit 5bit 1bit 2bit 32bit 64bit MAC Header here stands for Medium Access Control address, which is unique to every ethernet device. MIC is the actual message integrity code computed from Data plus MAC Header using CBC-MAC. PN0–PN5 are the 6 bytes of the package number PN. Res are reserved areas (for possible future extensions,e.g., to other variants of AES). Ext IV indicates whether PN2–PN5 are present. Key ID stores the index of the key, within the default key table, which holds different keys for pairwise or group communication. Eike Ritter Cryptography 2013/14 131
Recommend
More recommend
