1

Authentication Protocols

Rocky K. C. Chang, 18 March 2011

2 Rocky, K. C. Chang

Secret keyfunctions

Hashfunctions

Secrecyservice

Authenticationservice

Messageintegrity service

Nonrepudiationservice

Public keyfunctions

3

Outline

Rocky, K. C. Chang

Authentication problems Network-based authentication Password-based authentication Cryptographic authentication protocols

(challenge and response) Secret key based Public key based

Needham-Schroeder public-key authentication protocol

4

The authentication problem

Rocky, K. C. Chang

Authentication: The process of determining whether someone or

something is, in fact, who or what it is declared to be.

Binding of an identity to a subject. Authentication protocols:

Key establishment protocols, e.g., authenticated Diffie-Hellman.

Entity authentication protocols, e.g., system login, which is the focus of this set of slides.

5

Information for authentication

Rocky, K. C. Chang

What the entity knows (such as passwords or secret information)

What the entity has (such as a badge or card) What the entity is (such as fingerprints or

other biometrics) Where the entity is (such as in front of a

particular terminal)

6

The authentication process

Rocky, K. C. Chang

The entire process consists of Obtaining the required authentication information

(e.g., a hashed password) Analyzing the data (e.g., compare the received

password with the stored password), and Determining if it is associated with the principal

(e.g., confirmed if they are the same).

7

Classification of authentication problems

Rocky, K. C. Chang

Authenticated subjects: humans vs machines Authentication methods: address-based,

password, or cryptographic. Between two entities or with the help of at

least a trusted third party One-way vs mutual authentication

8

Address-based authentication

Rocky, K. C. Chang

Assume that the identity of the source can be inferred from the (IP or MAC) address of the packet.

IP source address spoofing Receiving the response is generally tricky. Randomized source address selection

MAC source address spoofing Many people teach you how to do it. Detecting them in wireless networks

9

Password-based authentications

10

Basic password protocols

Rocky, K. C. Chang

Authentication based on what the entity knows.

U sends her password to S. Vulnerability to eavesdropping, stolen password

files, and easy-to-guess passwords Protection of password files:

In UNIX, one of 4,096 hash functions is used to hash a password into an 11-character string.

A 2-character string identifying the hash function is prepended to the 11-character string.

11

Attacks on the basic protocol

Rocky, K. C. Chang

On-line attack When the hash values are not available to an attacker. Defense: maximize the time to guess the password,

exponential backoff, disconnection, disabling, and jailing. Off-line attack (dictionary attack)

Receive a copy of the hash value, and guess the password (at his leisure).

Run through a list of likely possibilities, often a list of words from a dictionary

Defense: append the password with a random string (salt) and hash the result.

E.g., User ID Salt value password hash Alice 13579 hash(13579,password-alice) Bob 24680 hash(24680,password-Bob)

12

Problems with passwords

Rocky, K. C. Chang

One fundamental problem with passwords is that they are reusable. Attacker can reply a captured password. Force users to age their passwords?

An alternative is to authenticate in such a way that the transmitted password changes each time.

Let U and S agree on a secret function f. S sends a nonce N (the challenge) to U. U replies with f(N) (the response). S validates f(N) by computing it separately.

A nonce (timestamp, random number, etc) is a “number used once”---non-repeating string freshly chosen by S.

13

One-time passwords

Rocky, K. C. Chang

A one-time password is a password that is invalidated as soon as it is used.

The challenge-response mechanism uses one-time passwords.

The response is essentially the “password.” Every time the password is different (one-time password).

For example, U chooses an initial seed k, and the key generator

computes h(k) = k1, h(k1) = k2, …, h(kn-1) = kn, where h() is a one-way hash function.

The passwords, in the order they are used, are p1 = kn, p2 = kn-1, …, pn = k1.

14

Two-factor authentication

Rocky, K. C. Chang

Hardware support for challenge-response procedures: A token that responds to a challenge. A temporal based token: displays a different

number, e.g., every 60 seconds. Two-factor authentication

Authentication based on at least two authentication factors.

E.g., the token value (what the entity has) and a password (what the entity knows)

15

Secret key based authentication

16

A simple, one-way authentication

Rocky, K. C. Chang

N

S

EK(N,S)Verify

AliceI am Alice

EK(N,S)

Assume that S is authentic. The server and Alice share a secret key k, and N is

a nonce. The nonce is to deduce that Alice is live. The inclusion of S’s identity ensures that Alice has the

knowledge of S as her entity peer.

17

A simple, mutual authentication protocol Mutual authentication 2 x one-way

authentication. Alice and Bob share a secret key k.

I am AliceAlice

(initiator)

EK(NB) Verify EK(NB)

Bob(responder)

NB

EK(NA)Verify EK(NA)

NA

Rocky, K. C. Chang

18

Reduced to a 3-way protocol Besides the reduction in the number of

messages, what else is different?

I am Alice, NA

EK(NB) Verify EK(NB)

NB, EK(NA)Verify EK(NA)

Alice(initiator)

Bob(responder)

Rocky, K. C. Chang

19

A reflection attack by Eve Assume that Eve can open multiple simultaneous

sessions with Bob.

I am Alice, NE

Verify EK(NB)

NB, EK(NE)

Eve(initiator)

Bob(responder)

I am Alice, NB

NBB, EK(NB)

EK(NB)

Starting another session

Going back to the first session

Rocky, K. C. Chang

20

The key problems and solutions

Rocky, K. C. Chang

The same key is used by the initiator and responder. Have them use different keys (maintain a pair of secret

keys between two parties). Improve the protocol resistance to attacks

involving parallel sessions. Have the initiator and responder draw from

different sets of nonce. Have the initiator to prove who she is before the

responder’s.

21

Will the original 5-way protocol be subject to the reflection attack?

Rocky, K. C. Chang

I am AliceAlice

(initiator)

EK(NB) Verify EK(NB)

Bob(responder)

NB

EK(NA)Verify EK(NA)

NA

22

Will the original 5-way protocol be subject to the reflection attack?

Rocky, K. C. Chang

23

Another solution The main problem is that the encrypted elements

in the second and three messages are the same. Have the responder influence on what she encrypts or

hashes. A possible solution:

I am Alice, NA

HMAC(K, NA, NB) Verify HMAC

NB, HMAC(K, NA, NB, “Alice”, “Bob”)Verify HMAC

Alice(initiator)

Bob(responder)

Rocky, K. C. Chang

24

Public key based authentication

25

Public-key authentication

Rocky, K. C. Chang

It is very difficult to build a provably secure authentication protocol based on symmetric cryptographic primitives.

It is not feasible to use secret-key authentication without a trusted third party.

The secret key has to be placed in both parties.

26

A simple, one-way authentication Alice signs the challenge from S, and NS, NA are

nonces picked by S and Alice, respectively. It is important that Alice influences what she

signs.I am AliceS

NS

Alice

NS, NA, S, Alice, [NS, NA, S]AliceVerify [NS, NA, S]Alice

Rocky, K. C. Chang

27

A simple, mutual authentication Each side authenticates the other side by

requesting for a correct digital signature. Another implementation can have the challenger

to encrypt a nonce.

I am Alice, NAAlice

NB, [NA]BobVerify [NA]Bob

Bob

[NB]Alice Verify [NB]Alice

Rocky, K. C. Chang

28

A pitfall in this simple C-R protocol Eve can impersonate Alice by having Alice’s help

in signing Bob’s nonce.

I am Alice, NEAlice

NB, [NE]Bob

Bob

Verify [NB]Alice

I am Bob, NB

NA, [NB]Alice

[NB]Alice

Eve

Rocky, K. C. Chang

29

The main problem is

Rocky, K. C. Chang

The challenged party (Alice) has no influence on what she will sign. As a general principle, it is better if both parties

have some influence over the quantity signed. Otherwise, the challenger can abuse this protocol

to get a signature on any quantity she chooses.

30

An improved protocol The signer includes her nonce into the message

that she is going to sign.

I am Alice, NAAlice

NB, NA, Alice, [NB, NA, Alice]BobVerify

[NB, NA, Alice]Bob

Bob

NB, NA, Bob, [NB, NA, Bob]AliceVerify

[NB, NA, Bob]Alice

Rocky, K. C. Chang

31

Needham-Schroeder public-key authentication protocol

Rocky, K. C. Chang

Kerberos is based on the improved Needham-Schroeder public-key authentication protocol.

The original protocol had security flaws. Assume that both A and B have a pair of public

and private keys. Denote A's public key by Ka and the private key by K-1

a, and similarly for B.

We also write {m}K for message m encrypted with key K. Moreover Na and Nb are nonces generated by A and B, respectively.

We have a trusted key server S.

32

The original protocol was

Rocky, K. C. Chang

a. A S: A, Bb. S A: {Kb, B}K-1s

c. A B: {Na, A}Kb

d. B S: B, Ae. S B: {Ka, A}K-1s

f. B A: {Na, Nb}Ka

g. A B: {Nb}Kb

33

Eve can impersonate Alice by

Rocky, K. C. Chang

i. (1) A E: {Na, A}Ke (A establishes a normal session with E.)

ii. (1’) E B: {Na, A}Kb (E attempts to impersonate A when establishing a session with B.)

iii. (2’) B E: {Na, Nb}Ka (B's response to A intercepted by E.)

iv. (2) E A: {Na, Nb}Ka (E forwards B's response to A.)

v. (3) A E: {Nb}Ke (A's response to E)vi. (3’) E B: {Nb}Kb (E's response to B, therefore

successfully impersonating A)

34

A simple fix

Rocky, K. C. Chang

Include B's identity in the response message. That is, the message (f) becomes B A: {B, Na, Nb}Ka.

Therefore, the message (iii) in the attack becomes B E: {B, Na, Nb}Ka.

In this case E cannot replay the message and send it to A, because A expects B's identity in the message.

35

Conclusions

Rocky, K. C. Chang

Designing a secure and efficient authentication protocol turned out to be more difficult than people thought.

We have discussed the basic protocols based on password, secret-key, and public-key. We have not addressed the system with a trusted third

party yet. The result of authentication may also include an

agreement of a secret key, i.e., authenticated key exchange (to be addressed later).

36

Acknowledgments

Rocky, K. C. Chang

The notes are prepared mostly based on C. Kaufman, R. Perlman and M. Speciner, Network

Security: Private Communication in a Public World, Second Edition, Prentice Hall PTR, 2002.

Various articles