CS 494/594 CS 494/594 Computer and Network SecurityComputer and Network Security

Dr. Jinyuan (Stella) Sun

Dept. of Electrical Engineering and Computer Science

University of Tennessee

Fall 2010

1

Security Handshake PitfallsSecurity Handshake Pitfalls

• Login only

• Mutual authentication• Mutual authentication

• Integrity/encryption after authentication

• Nonce types

• Picking random numbers

2

Security Protocol Security Protocol

� An agreement between communication parties about the process and the format of security bootstrap, authentication, key establishment, encryption/hashing algorithm and parameter encryption/hashing algorithm and parameter negotiation, etc.

� Typically include:

- Authentication handshake

- Session key negotiation, algorithm/parameter negotiation

- Data encryption and/or integrity protection

3

Security Bootstrap Security Bootstrap

Shared secret:

� Password (for human users)

� Pre-shared key (between firewalls)

Ticket by KDC (among a large number of participates)� Ticket by KDC (among a large number of participates)

Public key:

� Manually configured

� Certificate by CA

4

Login Only: A Bad Idea Login Only: A Bad Idea

� Alice sends name and password in clear (across network) to Bob

� Bob verifies name and password and communication proceeds communication proceeds

5

Login Only: A Better Idea Using Login Only: A Better Idea Using Shared Secret (1)Shared Secret (1)

� f(K,R) can be K{R} or h(K,R)

� Authentication is one way: impersonation of Bob, offline password guessing, database reading

� How to encrypt subsequent conversation?

6

Login Only: A Better Idea Using Login Only: A Better Idea Using Shared Secret (2)Shared Secret (2)

� Problems: same as the previous one

� Requires reversible cryptography (hash will not work)

� If R is a recognizable number, this protocol does mutual authentication

� Can make R recognizable but with limited lifetime, e.g., timestamp. It however requires clock synchronization

7

Login Only: A Better Idea Using Login Only: A Better Idea Using Shared Secret (3)Shared Secret (3)

Advantages:

� It can be easily added to an existing protocol

� More efficient: it saves two message exchanges

� Bob is stateless

Problems:

� Replay attack (single server, multiple servers)

� Reset clock attack

8

Login Only: A Better Idea Using Login Only: A Better Idea Using Shared Secret (4)Shared Secret (4)

� Same as the previous one, but using a hash

� Why transmit timestamp in the clear?

9

Login Only: A Better Idea Using Login Only: A Better Idea Using PKC (1)PKC (1)

Implications:

� Compromise of Bob's database will not allow attacker to impersonate Alice

� Attacker may be able to trick Alice into signing anything

10

Login Only: A Better Idea Using Login Only: A Better Idea Using PKC (2)PKC (2)

Implications:

� Compromise of Bob's database will not allow attacker to impersonate Alice

� Attacker may be able to trick Alice into decrypting anything

11

Mutual Authentication (1)Mutual Authentication (1)

� Problem: inefficient

12

Mutual Authentication (2) Mutual Authentication (2) ––OptimizedOptimized

Implications:

� More efficient

� Subject to reflection attack: easy to obtain chosen plaintext

13

Reflection AttackReflection Attack� Trudy opens 1st session to Bob

� Trudy opens 2nd session to Bob in order to get information needed to complete 1st session

14

Reflection Attack (Cont’d)Reflection Attack (Cont’d)

Solution:

� Alice and Bob should not do exactly the same thing: different keys, different challenges

� Different keys: have Bob encrypt with KAlice-Bob and Alice � Different keys: have Bob encrypt with KAlice-Bob and Alice encrypt with KAlice-Bob+1, etc.

� Different challenges: initiator (Alice) sends odd R,

responder (Bob) sends even R, etc.

15

Mutual Authentication (3) Mutual Authentication (3) ––Less OptimizedLess Optimized

Implications:

� One "extra" message and Trudy cannot obtain chosen plaintext

Rule: the initiator should be the first to prove its identity (the assumption is that the initiator is more likely the bad guy)

16

Mutual Authentication (4)Mutual Authentication (4)

Implications:

� How to obtain public keys?

� Store Bob’s public key encrypted with Alice’s password

� Store Bob’s public key certificate signed by Alice

17

Mutual Authentication (5)Mutual Authentication (5)

Implications:

� Can be easily added to existing challenge/response protocols

� Alice and Bob must encrypt different things

� Clock synchronization: time is now security-critical

� Reflection attack

18

Integrity/Encryption After Integrity/Encryption After AuthenticationAuthentication

� How to establish a session key during authentication?

� By shared secret� By shared secret

� By two-way public key

� By one-way public key

19

Shared SecretShared Secret

After this authentication:

� Can we use K{R+1} as the shared session key?

� How about K XOR R, K{K+R}, K+R{R}, h{K|R}?

In general, a good session key is

� different for each session

� unguessable by attacker

20

Two Way Public KeyTwo Way Public Key

� Alice and Bob each has a public/private key pair

� How about Alice picks a random R, and sends {R}Bob to Bob

- Trudy can impersonate Alice

� How about Alice sends [{R}Bob]Alice to Bob

- Trudy can obtain R by overrunning Bob and decrypt old messages-Trudy can obtain R by overrunning Bob and decrypt old messages

� Alice sends Bob [{R1}Bob]Alice, Bob sends Alice [{R2}Bob]Alice, and the session key is R = R1 XOR R2

- Trudy needs to overrun both Alice and Bob

� Diffie-Hellman key establishment: Alice sends Bob [gR1 mod p]Alice, Bob sends Alice [gR2 mod p]Bob, and the session key is R = gR1R2 mod p

- Doesn’t help even if Trudy overruns both Alice and Bob

21

One Way Public KeyOne Way Public Key

� Only Server Bob has a public/private key pair, Client Alice won’t bother having keys and certificate: SSL

� Alice picks a random R, and sends {R}Bob to Bob

- Trudy can decrypt old messages by overrunning Bob-Trudy can decrypt old messages by overrunning Bob

� Diffie-Hellman key establishment: Alice sends Bob gR1 mod p, Bob sends Alice [gR2 mod p]Bob, and the session key is R = gR1R2 mod p

� Trudy can impersonate Alice in either case

22

Nonce TypesNonce Types� Nonce: a quantity used only once

- Large random number: unguessable, unpredictable, non-reuse w.h.p.,

makes the best nonce

-Timestamp: requires clock synchronization

- Sequence number: needs to maintain state- Sequence number: needs to maintain state

23

unpredictability is important

unpredictability is not required

Picking Random NumbersPicking Random Numbers

� Different applications require different types of random numbers

� A common approach for cryptographic operations: pseudorandom number generatorpseudorandom number generator

- seed value is critical

- common mistakes: seed is from a small space, hashing the current time when a random value is needed, divulging the seed value

24

Authentication Protocol ChecklistAuthentication Protocol Checklist

Authentication protocols protect against

� eavesdropping

� impersonationimpersonation

� database reading

� message modification

� combinations of the above

25

Reading AssignmentReading Assignment

• [Kaufman] Chapter 11

26