Lecture 6.2: Protocols - Authentication and Key Exchange II
CS 436/636/736 Spring 2012
Nitesh Saxena
Course Admin
• HW2 solution emailed
• Grading ongoing
• Exam study topics emailed
04/22/23 Protocols: Authentication and Key Exchange 2
Course Admin
• Mid-Term Exam
  – On March 08
  – In class, from 11am-12:15pm
• Covers lectures up to Feb 23
• In-class review on Mar 06 (Tuesday)
• Strictly closed-book (no cheat-sheets are allowed)
• A sample exam will be provided as we near the exam date
Outline of Today’s lecture
• Today we try to put everything together
  – Encryption (public-key/private-key)
  – MACs
  – Signing
  – Key-Distribution
• Secure protocols (for secure communication)
  – Authentication
    • We studied it somewhat while talking about key distribution
  – (Authenticated-) Key Exchange
• Designing secure protocols is hard – we’ll only be able to learn the basics today
• We’ll use the board extensively today – be prepared to take notes
MAC-based Authentication
1. A -> B: A, rA
2. B -> A: rB, HMAC_K(rB, rA, A)
3. A -> B: HMAC_K(rA, rB, B)
• Faster than enc-based protocols (computationally)
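The three flows above, run end to end with both parties' checks (an added example, not part of the original slides). The Party class, the 16-byte nonces, HMAC-SHA256 and the length-prefixed field encoding are assumptions made for illustration; the last function shows why the two tags differ in field order and identity.

```python
import hashlib
import hmac
import secrets

def tag(key, *fields):
    # Length-prefix each field so the MAC input parses one way only.
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

class Party:  # hypothetical helper, one instance per protocol run
    def __init__(self, name, key):
        self.name, self.key = name, key

    def start(self):
        # Step 1 (initiator): A -> B: A, rA
        self.nonce = secrets.token_bytes(16)
        return self.name, self.nonce

    def respond(self, peer, r_peer):
        # Step 2 (responder): B -> A: rB, HMAC_K(rB, rA, A)
        self.peer, self.r_peer = peer, r_peer
        self.nonce = secrets.token_bytes(16)
        return self.nonce, tag(self.key, self.nonce, r_peer, peer)

    def finish(self, peer, r_peer, mac):
        # Initiator checks step 2, then sends step 3: HMAC_K(rA, rB, B)
        expected = tag(self.key, r_peer, self.nonce, self.name)
        if not hmac.compare_digest(mac, expected):
            raise ValueError("responder failed authentication")
        return tag(self.key, self.nonce, r_peer, peer)

    def accept(self, mac):
        # Responder checks step 3 against its own view of (rA, rB, B).
        expected = tag(self.key, self.r_peer, self.nonce, self.name)
        return hmac.compare_digest(mac, expected)

def run_handshake(key_a, key_b):
    a, b = Party(b"A", key_a), Party(b"B", key_b)
    name_a, r_a = a.start()
    r_b, mac_b = b.respond(name_a, r_a)
    return b.accept(a.finish(b"B", r_b, mac_b))

def reflection_rejected(key):
    # Someone without K claims to be A and echoes B's own step-2 tag as step 3.
    b = Party(b"B", key)
    r_b, mac_b = b.respond(b"A", secrets.token_bytes(16))
    return not b.accept(mac_b)
```

Because step 2 covers (rB, rA, A) and step 3 covers (rA, rB, B), a tag produced in one direction never verifies in the other.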
Public-key based authentication (Needham-Schroeder (NS) pk-based)
• Assuming public keys are distributed through CA(s)
1. A -> B: Enc_pkb(rA, A)
2. B -> A: Enc_pka(rA, rB)
3. A -> B: Enc_pkb(rB)
Attack and fix on PK-based NS protocol
• Attack:
• Fix:
1. A -> B: Enc_pkb(rA, A)
2. B -> A: Enc_pka(rA, rB, B)
3. A -> B: Enc_pkb(rB)
Signature-based authentication (assuming public keys are distributed through CA)
A auth B
• A -> B: Hi Bob, this is Alice!
• B -> A: r (a challenge)
• A -> B: Sig_SKa(r, B) (response)
A auth B, B auth A (run two copies; piggyback common flows)
• A -> B: A, rA (could sign this too)
• B -> A: rB, Sig_SKb(rB, rA, A)
• A -> B: Sig_SKa(rA, rB, B)
Authenticated Key Exchange (AKE)
• Public-key operations are costly
• Why not
  1. use public-key mutual authentication protocols to exchange a symmetric key
  2. use this symmetric key with a symmetric encryption to secure subsequent communication
Security Notion for AKE
• Launch protocol between any pair
• Reveal all session keys except one
• Try to distinguish the key of the unrevealed session from random
• This captures: the compromise of other sessions should not lead to the compromise of any other session
1. A -> B: A, rA, Enc_PKb(K) (must sign this too??)
2. B -> A: rB, Sig_SKb(rB, rA, A)
3. A -> B: Sig_SKa(rA, rB, B)
4. A and B output K as the authenticated key
• Such a protocol can be instantiated using RSA encryption/signing
  – The way SSL/SSH establishes a key
• But, generally only the server authenticates to the client, not vice versa
X.509: One-Way Authentication
• 1 message (A->B) used to establish
  – the identity of A and that message is from A
  – message was intended for B
  – integrity & originality of message
1. A -> B: A{ta, ra, B, sgnData, KUb[Kab]}
ta = timestamp, ra = nonce, B = identity, sgnData = signed with A’s private key
X.509: Two-Way Authentication
• 2 messages (A->B, B->A) which also establishes in addition:
  – the identity of B and that reply is from B
  – that reply is intended for A
  – integrity & originality of reply
1. A -> B: A{ta, ra, B, sgnData, KUb[Kab]}
2. B -> A: B{tb, rb, A, sgnData, KUa[Kba]}
X.509: Three-Way Authentication
• 3 messages (A->B, B->A, A->B) which enables above authentication without the need for synchronized clocks
1. A -> B: A{ta, ra, B, sgnData, KUb[Kab]}
2. B -> A: B{tb, rb, A, sgnData, KUa[Kab]}
3. A -> B: A{rb}
Discrete Logarithm Assumption
• p, q primes such that q | (p-1)
• g’ be the generator of Z_p*
• g is an element of order q and generates a group G_q of order q; g = g’^((p-1)/q)
• x in Z_q, y = g^x mod p
• Given (p, q, g, y), it is computationally hard to compute x
  – No polynomial time algorithm known
  – p should be 1024-bits and q be 160-bits
• x becomes the private key and y becomes the public key
Example of DL-based system
• Let’s construct an example
• KeyGen:
  – p = 11, q = 2 or 5; let’s say q = 5
  – 2 is a generator of Z_11*
  – g = 2^2 = 4
  – x = 2; y = 4^2 mod 11 = 5
Diffie-Hellman (DH) Key Exchange
1. A -> B: Ka = g^a mod p
2. B -> A: Kb = g^b mod p
3. A outputs Kab = Kb^a
4. B outputs Kba = Ka^b
• Note Kab = Kba = g^(ab) mod p
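The DL key generation and the DH exchange above, run on the slide's toy group p = 11, q = 5, g = 4 (an added example, not part of the original slides). All function names are assumptions made for illustration; the subgroup check on received values and the exhaustive search go beyond the slides, the latter to show why the toy sizes give no security and p and q must be large.

```python
import secrets

def is_valid_group(p, q, g):
    # q must divide p-1; for prime q, g != 1 and g^q = 1 mean g has order exactly q.
    return (p - 1) % q == 0 and g != 1 and pow(g, q, p) == 1

def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1   # private exponent in [1, q-1]
    return x, pow(g, x, p)             # (private x, public y = g^x mod p)

def check_public(p, q, y):
    # Accept only non-identity elements of the order-q subgroup G_q.
    return 1 < y < p and pow(y, q, p) == 1

def dh_shared(p, q, own_private, peer_public):
    if not check_public(p, q, peer_public):
        raise ValueError("peer value is not in the order-q subgroup")
    return pow(peer_public, own_private, p)

def brute_force_log(p, q, g, y):
    # Exhaustive search over Z_q: feasible only because q is tiny here.
    for x in range(q):
        if pow(g, x, p) == y:
            return x
    return None

# Toy parameters from the slides (constructed for illustration, not secure).
P, Q = 11, 5
G = pow(2, (P - 1) // Q, P)   # g = g'^((p-1)/q) = 2^2 = 4

def demo():
    a, ka = keygen(P, Q, G)          # A sends Ka = g^a mod p
    b, kb = keygen(P, Q, G)          # B sends Kb = g^b mod p
    kab = dh_shared(P, Q, a, kb)     # A computes Kb^a
    kba = dh_shared(P, Q, b, ka)     # B computes Ka^b
    return kab, kba, pow(G, a * b, P)
```

Nothing here authenticates either party, so the exchange is exactly as exposed to an active attacker as the plain DH protocol on the slide.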
Security of DH key exchange
• No authentication of either party
• Secure only against a passive adversary
  – Under the computational Diffie-Hellman assumption
    • Given (g, g^a, g^b), hard to compute g^(ab)
• Not secure against an active attacker
  – Man-in-the-middle attack…
Authenticated DH Key Exchange
1. A -> B: Ka = g^a mod p
2. B -> A: Cert_b, Kb = g^b mod p, Enc_Kba[Sig_SKb(Kb, Ka)]
3. A -> B: Cert_a, Enc_Kab[Sig_SKa(Ka, Kb)]
4. A outputs Kab = Kb^a
5. B outputs Kba = Ka^b
Summary
• Designing secure protocols is not easy
  – Becomes harder in a concurrent setting, where there are multiple parties, executing multiple instances of the protocols simultaneously
  – Becomes even harder as the number of parties increases; n-party or group setting
• Use the protocols that are well-studied and standardized
• While designing a protocol, consider
  – Reflection attacks
  – Replay attacks
  – Eliminating any symmetry in the messages
Further Reading
• HAC – Chapter 10
• Stallings – Chapter 15