Unit 7
Transcript of Unit 7
Prof. Chintan Patel Information Security
CE Department. Unit - 7
MEFGI , RAJKOT
• Digital Signature
• Authentication Protocols
• Digital Signature standards
• Application Authentication Technique.
Kerberos
X.509 Directory
• Authentication Services
• Active Directory services
• We have looked at message authentication, but it does not address issues of lack of trust
• digital signatures provide the ability to:
verify author, date & time of signature
authenticate message contents
be verified by third parties to resolve disputes
• hence digital signatures include the authentication function with additional capabilities
Alice can deny sending a message M to Bob since
Bob can also produce MACs for different
messages.
Bob can produce a MAC for another message M’
and can claim that it came from Alice.
[Fig 13.2 Simplified Depiction of Essential Elements of Digital Signature Process. Labels: Alice, Bob, key generation, private key, public key]
• Goldwasser, Micali and Rivest also defined what counts as success in breaking a signature scheme:
Total break:
Attacker finds the signer’s private key.
Universal forgery:
Attacker finds an efficient signing algorithm that provides an equivalent way of constructing signatures on arbitrary messages.
Selective forgery:
Attacker forges a signature for a particular message chosen by him.
Existential forgery:
Attacker can forge a signature for at least one message. However, he does not have control over the message (so he cannot do much harm to the signer).
• must depend on the message signed
• must use information unique to the sender, to prevent both forgery and denial
• must be relatively easy to produce
• must be relatively easy to recognize & verify
• must be computationally infeasible to forge
with a new message for an existing digital signature
with a fraudulent digital signature for a given message
• must be practical to save the digital signature in storage
• Direct Digital Signature :
Involves only the source and the destination.
Assumes that the destination knows the public key of the sender.
Generated by either
Encrypting the entire message using the sender’s private key, or
Encrypting the generated hash code using the sender’s private key.
Weakness : The sender can later deny sending a particular message by claiming that the private key was lost or stolen and someone else forged his signature.
• Message transmission in Arbitrated Digital Signature :
Every signed message from sender X to receiver Y goes first to an arbiter A.
A validates the signed message.
A then dates it and sends it to Y with an indication that it has been verified to the satisfaction of the arbiter.
Solves the source repudiation problem of the direct digital signature.
• Need : All parties must have a great deal of trust that the arbitration mechanism is working properly.
• Mutual Authentication Protocol
The two communicating parties themselves establish each other’s identity and authenticate the key exchange protocol.
• Problems in Authenticated Key Exchange :
(1) Confidentiality (2) Timeliness
• Confidentiality : Information must be communicated in encrypted format, which requires the prior existence of a secret or public key.
• Timeliness : Important because of the threat of message replays.
• Simple replay : The opponent copies a message and replays it later.
• Repetition that can be logged : The opponent can replay a timestamped message within the valid time window.
• Repetition that cannot be detected : The original message does not arrive at the destination; only the replay arrives.
• Backward replay without modification : A replay back to the message sender. Possible when symmetric key encryption is used.
• Can we use sequence numbers to cope with replay attacks?
Yes, but generally not used.
• Two general approaches
(1) Timestamp
Requires synchronized clocks.
Cannot work with connection-oriented protocols.
Requires a fault-tolerant clock synchronization protocol.
Temporary loss of synchronization leads to a successful attack.
(2) Challenge and Response
A sends a challenge or nonce to B. B responds to the nonce.
Unsuitable for connectionless protocols.
Handshaking overhead is increased.
• Key distribution technique : The technique of delivering a key to two parties who wish to exchange data.
• Why do we need it?
Frequent key exchange is needed to limit the amount of data loss.
Chapter 7, William Stallings, 4th Edition
• 1) A can select a key and physically deliver it to B.
• 2) A third party can select the key and physically deliver it to A and B.
Options 1 and 2 are difficult in a distributed wide-area network.
• 3) If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key.
One success by an attacker will reveal all further keys.
• 4) If A and B each have an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.
The KDC is responsible for distributing keys to pairs of users based on need.
• Uses two levels of key
• 1) Session key : Communication between end systems is encrypted using a temporary key, often referred to as a session key.
Used for a particular period of time or for one logical connection.
• 2) Master key : Session keys are transmitted in encrypted form using master keys, which are shared by the KDC and the end user.
• A wishes to establish a logical connection with B and requires a one-time session key to protect the data transmitted over the connection.
• A has a master key, Ka, known only to itself and the KDC; the same holds for B with Kb.
• (1) A requests a session key from the KDC with a message that includes the identities of A and B and a unique identifier N1 for this transaction. N1 can be any random number but must differ in each request.
• (2) The KDC responds with a message encrypted using Ka. The message includes:
The one-time session key Ks.
The original message with N1, to enable A to match the response with its request.
A message encrypted using Kb, which has Ks and the identifier of A.
• (3) A stores Ks for use in the upcoming session and forwards to B the part meant for B: A sends Ks and the ID of A, encrypted with Kb, to B.
With the ID of A, B knows that the other party is A, and that this information originated from the KDC, because only the KDC knows Kb apart from B itself.
• (4) B sends N2 encrypted with Ks.
• (5) A responds with f(N2) encrypted with Ks.
TO STOP REPLAY
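The five steps above, traced end to end as an added Python example (not part of the original slides). `seal`/`open_` are a toy SHA-256 keystream plus HMAC construction standing in for E(K, ·), and f(N2) = N2 + 1 is an assumed choice of f.

```python
import hashlib, hmac, json, secrets

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Toy stand-in for E(K, .): keystream XOR plus an HMAC tag. Not for real use."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()

def open_(key, blob):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Master keys Ka and Kb, each shared only between the KDC and one end user.
MASTER = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}

def kdc_respond(id_a, id_b, n1):
    """Step 2: E(Ka, [Ks || IDb || N1 || E(Kb, [Ks || IDa])])."""
    ks = secrets.token_hex(32)
    for_b = seal(MASTER[id_b], {"ks": ks, "id_a": id_a})
    return seal(MASTER[id_a], {"ks": ks, "id_b": id_b, "n1": n1, "for_b": for_b})

def f(n):  # assumed transformation agreed by A and B
    return n + 1

def run_exchange(ka, kb):
    n1 = secrets.randbits(64)                      # step 1: A -> KDC: IDa, IDb, N1
    reply = open_(ka, kdc_respond("A", "B", n1))   # step 2: only the holder of Ka can read it
    if reply["n1"] != n1 or reply["id_b"] != "B":
        raise ValueError("stale or redirected KDC reply")
    ks_a = bytes.fromhex(reply["ks"])
    got = open_(kb, reply["for_b"])                # step 3: B opens E(Kb, [Ks || IDa])
    ks_b, peer = bytes.fromhex(got["ks"]), got["id_a"]
    n2 = secrets.randbits(64)
    challenge = seal(ks_b, {"n2": n2})             # step 4: B -> A: E(Ks, N2)
    answer = seal(ks_a, {"fn2": f(open_(ks_a, challenge)["n2"])})  # step 5: E(Ks, f(N2))
    if open_(ks_b, answer)["fn2"] != f(n2):
        raise ValueError("handshake failed: step 3 may have been replayed")
    return peer, ks_a == ks_b
```

Someone who replays an old step-3 message without knowing Ks cannot produce the step-5 answer, which is why steps 4 and 5 exist.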
• In a very large network, a local KDC communicates with a global KDC.
• The lifetime of a session key depends on the protocol used, either connection-oriented or connectionless.
• (1) A issues a request to B for a session key and includes N1.
• (2) B responds with a message encrypted using the shared master key, which includes the session key selected by B, the identifier of B, f(N1) and N2.
• (3) Using the new session key, A returns f(N2) to B.
• GATE Que. :
• (1) How many session keys and master keys are needed in centralized key distribution if there are N entities?
Answer : N master keys and [N(N-1)]/2 session keys at any one time.
• (2) How many master keys are used in decentralized key distribution?
• Answer : N-1 master keys at any one time.
• Example of a one-way application : E-mail
• It is not necessary for the sender and receiver to be online at the same time.
• SMTP need not have access to the plain text.
• Authentication : The recipient wants some assurance that the message is from the alleged sender.
• (1) Symmetric approach
• (2) Public key encryption approach
• This scheme requires the sender to issue a request to the intended recipient and await a response that includes the session key.
• No need to worry about replay
1. A → KDC : IDa||IDb||N1
2. KDC → A : E(Ka,[Ks||IDb||N1||E(Kb,[Ks||IDa])])
3. A → B : E(Kb,[Ks||IDa])||E(Ks,M)
• Potential delay in the e-mail process : a timestamp is not that useful.
• The sender should know the recipient’s public key : confidentiality
• The receiver knows the sender’s public key : authentication
• If confidentiality is important :
A → B : E(PUb,Ks) || E(Ks,M)
• If authentication is important :
A → B : M||E(PRa,H(M))
• Message confidentiality plus signature
A → B : E(PUb,[M||E(PRa,H(M))])
• DSS makes use of SHA algorithms to present a new digital signature technique called the Digital Signature Algorithm.
• Proposed in 1991, revised in 1993 and after that in 1996.
• DSS uses an algorithm that is designed to provide only the digital signature function, unlike RSA, which is used for encryption as well as key exchange.
• Two approaches to Digital signature
Authentication Applications:
Kerberos, X.509 and Certificates
Outline
Introduction to KERBEROS
How Kerberos works?
Comparison between version 4 and 5
Certificates
X.509 Directory Authentication Service
Conclusion
Introduction to Kerberos
An authentication service developed for Project
Athena at MIT
Provides
– strong security on physically insecure network
– a centralized authentication server which authenticates
Users to servers
Servers to users
Relies on conventional encryption rather than public-key encryption
Why Kerberos is needed ?
Problem: Workstations cannot be trusted to identify
their users correctly in an open distributed environment
3 Threats:
– Pretending to be another user from the workstation
– Sending request from the impersonated
workstation
– Replay attack to gain service or disrupt operations
Why Kerberos is needed ? Cont.
Solution:
– Building elaborate authentication protocols
at each server
– A centralized authentication server
(Kerberos)
Requirements for KERBEROS
Secure: – An opponent does not find it to be the weak link
Reliable: – The system should be able to back up another
Transparent: – A user should not be aware of authentication
Scalable: – The system supports a large number of clients and servers
Versions of KERBEROS
Two versions are in common use
– Version 4 is most widely used version
– Version 4 uses DES
– Version 5 corrects some of the security
deficiencies of Version 4
– Version 5 has been issued as a draft
Internet Standard (RFC 1510)
Kerberos Version 4: Dialog 1- Simple
Ticket=Ekv[IDc,ADc,IDv]
kv=Secret Key between AS and
V (Server)
Pc=password of client
More secure Authentication Dialogue
Target :
– Minimize the number of times the user needs to enter the password.
For a single logon session, the workstation can store the mail server ticket after it is received and use it on behalf of the user for multiple accesses to the mail server.
– The user would need a new ticket for every different service.
– “TICKET GRANTING SERVER”
“In plain text transmission of message [1], an opponent can capture the password and use any service accessible to the victim”
Ticket Granting Server (TGS)
Issues tickets to users who have been authorized to the AS.
The user first requests a ticket-granting ticket (Tickettgs) from the AS. The client saves the ticket.
Each time, for every new service from the same server, the client applies that ticket. The TGS then gives a ticket for the particular service.
The client saves the ticket for each particular service for next-time use.
Kerberos Version 4 : Dialog 2-More Secure
4-TicketV
Once per user
logon session
Once per type of
service
ticketTGS=EKtgs[IDc,ADc,
IDtgs,TS1,LifeTime1 ]
Kerberos Version 4 : Dialog 2- More Secure Cont.
5- TicketV+ IDc
Once per service session
TicketV=EKv[IDc,ADc,IDv,Ts2,Lifetime2]
Kerberos: The Version 4 Authentication Dialog
1- IDc + IDtgs +TS1
2- EKc [Kc.tgs,IDtgs,Ts2,
Lifetime2,TicketTGS]
KERBEROS
Once per user logon session
ticketTGS=EKtgs [Kc.tgs,
IDc,ADc,IDtgs,TS2,
LifeTime2 ]
Kerberos: The Version 4 Authentication Dialog Cont.
KERBEROS
3- TicketTGS + AuthenticatorC +
IDv
4-EKc.tgs[ Kc.v,IDv,Ts4,Ticketv]
Once per type of service
ticketTGS=EKtgs [Kc.tgs,IDc,ADc,IDtgs, TS2,
LifeTime2 ]
AuthenticatorC=EKc.tgs[IDc,ADc,TS3]
ticketV=EKV[Kc.v,IDc,ADc,IDv, TS4,
LifeTime4 ]
Kerberos: The Version 4 Authentication Dialog Cont.
5- TicketV+ AuthenticatorC
Once per service session
TicketV=EKv [Kc.v, IDc, ADc, IDv, TS4, Lifetime4]
AuthenticatorC=EKc.v [IDc,ADc,TS5]
6- EKc.v[TS5+1]
Tickets:
Contains information which must be
considered private to the user
Allows user to use a service or to access TGS
Reusable for a period of particular time
Used for distribution of keys securely
Authenticators
Proves the client’s identity
Proves that user knows the session key
Prevents replay attack
Used only once and has a very short life time
One authenticator is typically built per
session of use of a service
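An added example, not part of the original slides: the checks server V applies to messages 5 and 6 once TicketV and AuthenticatorC have been decrypted. The class and field names, the 300-second skew window and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_SKEW = 300  # seconds of clock skew tolerated (assumed value)

@dataclass(frozen=True)
class Ticket:          # TicketV = EKv[Kc.v, IDc, ADc, IDv, TS4, Lifetime4], decrypted
    session_key: bytes
    id_c: str
    ad_c: str
    id_v: str
    ts: int
    lifetime: int

@dataclass(frozen=True)
class Authenticator:   # AuthenticatorC = EKc.v[IDc, ADc, TS5], decrypted
    id_c: str
    ad_c: str
    ts: int

class ServiceV:
    def __init__(self, name):
        self.name = name
        self.seen = {}  # replay cache: (IDc, TS5) -> time after which the entry is dropped

    def accept(self, ticket, auth, peer_addr, now):
        """Return (True, TS5 + 1) for message 6, or (False, reason)."""
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        if ticket.id_v != self.name:
            return False, "ticket issued for another service"
        if not (ticket.ts - MAX_SKEW <= now <= ticket.ts + ticket.lifetime):
            return False, "ticket expired or not yet valid"
        if (auth.id_c, auth.ad_c) != (ticket.id_c, ticket.ad_c):
            return False, "authenticator does not match ticket"
        if peer_addr != ticket.ad_c:
            return False, "request came from a different address"
        if abs(now - auth.ts) > MAX_SKEW:
            return False, "authenticator too old (outside clock-skew window)"
        if (auth.id_c, auth.ts) in self.seen:
            return False, "authenticator replayed"
        self.seen[(auth.id_c, auth.ts)] = auth.ts + MAX_SKEW
        return True, auth.ts + 1

def demo():
    # Constructed sample values, not taken from the slides.
    v = ServiceV("mail")
    t = Ticket(b"k" * 16, "alice", "10.0.0.5", "mail", ts=1000, lifetime=3600)
    a = Authenticator("alice", "10.0.0.5", ts=1010)
    return [v.accept(t, a, "10.0.0.5", now=1012),
            v.accept(t, a, "10.0.0.5", now=1015),   # same authenticator presented again
            v.accept(t, Authenticator("alice", "10.0.0.5", 1016), "10.0.0.9", now=1020),
            v.accept(t, Authenticator("alice", "10.0.0.5", 1020), "10.0.0.5", now=1400)]
```

The ticket stays reusable for its whole lifetime, while each authenticator is accepted once and only inside the skew window, which matches the two lists above.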
Kerberos Realms
A single administrative domain includes:
– a Kerberos server
– a number of clients, all registered with server
– application servers, sharing keys with server
What will happen when users in one realm
need access to service from other realms?:
– Kerberos provide inter-realm authentication
Inter-realm Authentication:
Kerberos server in each realm shares a
secret key with other realms.
It requires
– Kerberos server in one realm should trust the one
in other realm to authenticate its users
– The second also trusts the Kerberos server in the
first realm
Problem: N*(N-1)/2 secure key exchange
Request for Service in another realm:
5-Request ticket for remote server
6-Ticket for remote server
4-Ticket for remote TGS
7-request for remote service
KERBEROS Version 5 versus Version4
Environmental shortcomings of Version 4:
– Encryption system dependence: DES
– Internet protocol dependence(IP Protocol)
– Ticket lifetime(Maximum = 21 hours)
– Authentication forwarding
– No fixed byte ordering
– Inter-realm authentication (more Kerberos-to-Kerberos relationships)
KERBEROS Version 5 versus Version4
Technical deficiencies of Version 4:
– Double encryption
– Session Keys
– Password attack(Trial and Error)
– Version 5 provides a pre-authentication mechanism to protect the password somehow.
New Elements in Kerberos Version 5
Realm – Indicates realm of the user
Options
Times
– From: the desired start time for the ticket
– Till: the requested expiration time
– Rtime: requested renew-till time
Nonce – A random value to assure the response is fresh
Kerberos Version 5 Message Exchange:1
To obtain ticket-granting ticket:
(1) C → AS : Options || IDc || Realmc || IDtgs || Times || Nonce1
(2) AS → C : Realmc || IDc || Ticket tgs || EKc [ Kc,tgs || IDtgs || Times || Nonce1 || Realm tgs ]
Ticket tgs = EKtgs [ Flags || Kc,tgs || Realm c || IDc || ADc || Times ]
Kerberos Version 5 Message Exchange:2
To obtain service-granting ticket :
(3) C → TGS : Options || IDv || Times || Nonce2 || Ticket tgs || Authenticator c
(4) TGS → C : Realmc || IDc || Ticket v || EK c,tgs [ Kc,v || Times || Nonce2 || IDv || Realm v ]
Ticket tgs = EKtgs [ Flags || Kc,tgs || Realm c || IDc || ADc || Times ]
Ticket v : EK v [ Kc,v || Realmc || IDc || ADc || Times ]
Authenticator c : EK c,tgs [ IDc || Realmc || TS1 ]
Kerberos Version 5 Message Exchange:3
To obtain service
(5) C → S : Options || Ticket v || Authenticator c
(6) S → C : EK c,v [ TS2 || Subkey || Seq# ]
Ticket v : EK v [ Flags || Kc,v || Realmc || IDc || ADc || Times ]
Authenticator c : EK c,v [ IDc || Realmc || TS2 || Subkey || Seq# ]
Kerberos : Strengths
User's passwords are never sent across the network, encrypted or in plain text
Secret keys are only passed across the network in encrypted form
Client and server systems mutually authenticate
It limits the duration of their users' authentication.
Authentications are reusable and durable
Kerberos has been examined carefully for accuracy by many of the top programmers, cryptologists and security experts in the industry
Directory : A server or distributed set of servers that
maintains a database of information about users.
A mapping from username to network address
X.509 is based on use of public-key cryptography
and digital signatures.
The heart of the X.509 scheme is the public key certificate
associated with each user.
Certificates are created by a CA (Certification Authority) and
placed in the directory.
Certificate:
Electronic counterparts to driver licenses,
passports
Verifies authenticity of the public key
Prevents impersonation
Enables individuals and organizations to
secure business and personal transactions
What a certificate includes:
Version :
– Version 1 : Default
– Version 2 : If unique identifier is present
– Version 3: more than one extension.
Unique Serial Number
Signature Algorithm Identifier
Issuer name: X.500 name of CA that created and signed.
Period of validity:
– First and last date on which the certification is valid
Subject name :Name of user to whom this certificate refers
Subject’s public key information : Public key + algorithm + parameter
Issuer Unique identifier
Subject unique identifier
Extension : extra fields
Signature : Hash code encrypted with private key of CA.
Certificate Authorities:
Trusted entity which issues and manages certificates
for a population of public-private key-pair holders.
A digital certificate is issued by a CA and is signed
with CA’s private key.
Who are the Certificate Authorities?
VeriSign
GTE CyberTrust
Entrust
IBM
CertCo
USPS / Cylink
Certificate Issuance Process:
Generate public/private key pair
Sends public key to CA
Proves identity to CA - verify
CA signs and issues certificate
CA e-mails certificate or Requestor retrieves certificate from secure websites
Requestor uses certificate to demonstrate legitimacy of their public key
Types of Digital Certificates
E-Mail Certificates
Browser Certificates
Server (SSL) Certificates
Software Signing Certificates
Potential security holes:
Was the user really identified?
Security of the private key
Can the Certificate Authority be trusted?
Names are not unique
X.509 Directory Authentication Service
CCITT recommendation defining a directory
service
Defines a framework for the authentication
services
The X.500 directory serving as a repository
of public-key certificates
Defines alternative authentication protocols
X.509 Certificate format
Version
Serial number
Signature algorithm identifier: Algorithm, Parameters
Issuer
Period of validity: Not before, Not after
Subject
Subject’s public key: Algorithm, Parameter, Key
Signature
Authentication Procedures:
Three alternative authentication procedures:
– One-Way Authentication
– Two-Way Authentication
– Three-Way Authentication
All use public-key signatures
One-Way Authentication:
1 message ( A->B) used to establish
– the identity of A and that message is from A
– message was intended for B
– integrity & originality of message
A B
1- A {ta,ra,B,sgnData,KUb[Kab]}
ta = timestamp, ra = nonce, B = identity
sgnData = signed with A’s private key
Two-Way Authentication
2 messages (A->B, B->A) which also
establishes in addition:
– the identity of B and that reply is from B
– that reply is intended for A
– integrity & originality of reply
A B
1-A {ta,ra,B,sgnData,KUb[Kab]}
2-B {tb,rb,A,sgnData,KUa[Kab]}
Three-Way Authentication
3 messages (A->B, B->A, A->B) which
enables above authentication without
synchronized clocks
A B
1- A {ta,ra,B,sgnData,KUb[Kab]}
2 -B {tb,rb,A,sgnData,KUa[Kab]}
3- A{rb}
One way : Ex., One-Way SSL Authentication,
S/MIME or PGP Message Authentication.
Two way : Two-Way SSL Authentication,
SET Protocol.
Three way :Way SSL Authentication and
Key-Session Generation and Agreement
Conclusion
Kerberos is an authentication service using
conventional encryption
A certificate is proof of identity
X.509 defines alternative authentication
protocols
THANKS AND Have a Nice Day!!!