Security Handshake Pitfalls Slide 1 Login with Shared Secret: - - PDF document

handshake 1

Security Handshake Pitfalls

Slide 1

Login with Shared Secret: Variant 1

B:

• ff-line password attack

Slide 2

November 9, 2000

handshake 2

Login with Shared Secret: Variant 2

B:

Slide 3

Login with Shared Secret: One Way

A:

use MD instead of encryption ➠ include timestamp in the clear Slide 4

November 9, 2000

handshake 3

One-Way Public Key

A: hi; B:

A: hi; B:

Slide 5

Lamport’s Hash

Authentication:

Slide 6

November 9, 2000

handshake 4

Lamport’s Hash, Salted

Slide 7

Lamport’s Hash – Small

pencil-and-paper Slide 8

November 9, 2000

handshake 5

S/KEY and OTP

– Lamport with alphanumeric salt – hash: MD4, MD5, SHA1 – challenge: otp-md5

– 64-bit hash: MD5(pw

– use either 16 hex digits or six words (1 to 4 letters, 11 bits) for key – race condition: finish before legitimate user Slide 9

Mutual Authentication: Shared Secret (simplified)

I’m Alice,

Slide 10

November 9, 2000

handshake 6

Mutual Authentication – Reflection attack

I’m Alice,

Second login by Trudy:

I’m Alice,

Fixes:

using A’s key

Slide 11

Mutual Authentication: Public Keys

I’m Alice,

variant: sign instead of encrypt

Slide 12

November 9, 2000

handshake 7

Mutual Authentication: Timestamps (Shared Secret)

I’m Alice,

Slide 13

Session Keys

– shared secrets – public keys – Bob knows Alice’s public key, Alice knows private key – Alice knows password, Bob knows

Slide 14

November 9, 2000

handshake 8

Session Key: Shared Secret

I’m Alice

• K

Slide 15

Session Key: Two-Way Public Key

A:

• R2

Diffie-Hellman with signing ➠ no bucket-brigade attack Slide 16

November 9, 2000

handshake 9

Privacy and Integrity

Slide 17

Mediated Authentication

A wants B KDC

Slide 18

November 9, 2000

handshake 10

Needham-Schroeder

1.

2.

ticket =

3.

4.

• 1;

5.

• 1g ➠ A proves knowledge of

Slide 19

Needham-Schroeder: Reflection Attack

• 1;

Slide 20

November 9, 2000

handshake 11

Needham-Schroeder: Limit Compromise

1.

2.

Slide 21

Otway-Rees

• 1. nonce

• 2. KDC checks if

• 3. give ticket; ensures that KDC and Bob are legit
• 4. B hands (unreadable to B) ticket to A
• 5. A proves knowledge of

Slide 22

November 9, 2000

handshake 12

Kerberos V4

Slide 23

Bellovin-Merritt

• K is just session key

Slide 24

November 9, 2000

handshake 13

Bellovin-Merritt, with Hash

• K

Slide 25

Avoiding Password Guessing

• 1. send to anyone ➠ active attack
• 2. prove knowledge of Alice’s secret
• 3. encrypt (2) via session key
• 4. encrypt (2) with secret or public key for Bob
• 5. use Bellovin-Merritt, then (1) or (2)

Slide 26

November 9, 2000

handshake 14

Nonce Types

Slide 27

Nonce Types: Sequence Numbers

I’m Alice

Slide 28

November 9, 2000

handshake 15

Random Numbers

needed for:

random: unpredictable ( ) or unguessable pseudorandom: deterministic algorithm

Slide 29

Slide 30

November 9, 2000

handshake 16

Generating Random Numbers

• 1. hash of seed
• 2. hash of (previous output

Slide 31

Performance

Computation: bytes hashed, private key

Delay: message exchanges Cacheability: for repeated authentication Slide 32

November 9, 2000