Authentication Key Distributionkeldefra/teaching/fall2016/uci... · 2016-10-27 · Key Distribution...


Lecture 9

Authentication & Key Distribution

Where are we now?

• We "know" a bit of the following:
  • Conventional (symmetric) cryptography
  • Hash functions and MACs
  • Public key (asymmetric) cryptography
  • Encryption
  • Signatures
  • Identification (Fiat-Shamir) + Zero Knowledge

• And now what?
  • Protocols (more "complicated" beasts)
  • Authentication/Identification
  • Key Distribution

Secure Protocols

• A protocol is a set of rules for exchanging messages between 2 or more entities/parties

• A protocol has a number of rounds (>1) and a number of messages (>1)

1. Hello Bob!

2. Good day, Alice!

3. How are you?

Secure Protocols

• A message is a unit of information/data sent from one entity/party to another as part of a protocol

• A round is a basic unit of protocol time:
  1. Wake up because of:
     a) Alarm clock
     b) Initial start or
     c) Receive message(s) from other(s)
  2. Compute something
  3. Send message(s) to others
  4. Repeat steps 2-3, if needed
  5. Wait for message(s) or sleep until alarm clock

What's a Secure Protocol?

• When acting honestly, entities/parties (participants) achieve the stated goal of the protocol, e.g.:
  • A successfully authenticates to B, or B to A
  • A and B mutually authenticate each other
  • A and B exchange a fresh session key

• Adversary can defeat this goal
  • e.g., by successfully impersonating A in an authentication protocol with B

The Entities (2-Party Setting)

• Alice and Bob
  • want to mutually authenticate and/or share a key

• Eve, the adversary
  • passive or active

• More complex protocols may involve a Trusted Third Party (TTP)
  • 3rd party trusted by both Alice and Bob

Definitions

• Entity Authentication:
  • corroboration that an entity is the one claimed

• Unilateral Authentication:
  • entity authentication: providing one entity with assurance of the other's identity, but not vice versa

• Mutual Authentication:
  • entity authentication which provides both entities with assurance of each other's identity

Examples:
• Bank transactions, e.g., cash withdrawals
• Remote login
• File access
• P2P transaction

[Figure labels: Purpose; Peer or Server; TTP; Has user's secrets / Doesn't; Send secret or prove knowing it?]

Basis for Authentication

• Something you know (a PIN, or password)
• Something you have:
  • A secure token, e.g., that generates a one-time password
  • Key embedded in a "secure area" on a computer, in browser software, etc.
  • A smartcard (which may contain keys and can perform cryptographic operations on behalf of a user).

• Something you are (a biometric)

Concrete Scenarios

• PIN-, PW-, Biometric-based schemes

• Kerberos

• SecureID tokens

• Iris/retina scanners

• Thumbprint & hand/palm print

• Handwriting acceleration & pressure

• Public Key Identification Schemes:
  • Fiat-Shamir, etc.

• Authentication protocols
  • Conventional- and public key-based (covered later)

Human Failings

• Humans are notoriously unreliable
  • Human memory is very volatile storage

• What a human can remember:
  • PIN (no more than 6-8 digits)
  • Password (a word or a short phrase)

• Can a human do single-digit sums? Forget it…

Biometrics

• Accuracy:
  • False Acceptance Rate (False Positive)
  • False Rejection Rate (False Negative)

• Retinal scanner, fingerprint reader, handprint reader, voiceprint, keystroke timing, signature (shape or pressure), etc.

Fingerprints

• Vulnerability:
  • Dummy fingers and dead fingers
  • Lost fingers

• Suitability and stability:
  • Not for people with high probability of damaged fingerprints (e.g., eczema)
  • Not for kids who are still growing
  • Other noise sources: thermal and optical noise, temperature affecting skin condition…

Voice Recognition

• Single phrase:
  • Can use tape recorder to fake

• Stability:
  • Background noise
  • Colds, vocal cord damage/strain, laughing gas :-)
  • Use with public phones

Keystroke Timing

• Each person has a distinct typing timing and style
  • Hand/finger movements

• Suitability:
  • Best done for "local" authentication
  • Avoid network traffic delay

(Non-digital) Signatures

• Machines cannot (yet) match human experts in recognizing shapes of signatures

• Add information on acceleration and/or pressure
  • Signing on a special electronic tablet

SecureID/Secure Token

[Figure: token with labels "display" (89458920), "power", "Id-based key (inside)" and "Serial #" (895980390409982)]

TTP/Server: secure & knows all secrets!

Authentication (Protocols)

Protocol ap1.0: Alice says "I am Alice"

In an open network, Bob cannot "see" Alice, so Eve simply declares herself to be Alice

Authentication: Another Try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address

Eve can create a packet "spoofing" Alice's address

Authentication: Another Try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.

Playback attack: Eve records Alice's packet and later plays it back to Bob

[Figure: packet with Alice's IP addr, Alice's password and "I'm Alice"; reply with Alice's IP addr and "OK"; the same packet (Alice's IP addr, Alice's password, "I'm Alice") played back]

Authentication: Another Try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

Record and playback still works!

[Figure: packet with Alice's IP addr, encrypted password and "I'm Alice"; reply with Alice's IP addr and "OK"; the same packet (Alice's IP addr, encrypted password, "I'm Alice") played back]

Authentication: Yet Another Try

Goal: avoid playback attack

Nonce: number used once (R)

ap4.0: to prove Alice "live", Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key

[Figure: messages "I am Alice"; R; E(K,R)]

Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!

• K may be derived from Alice's password…
• This protocol works if Bob never authenticates to Alice using K

Authentication: ap5.0

ap4.0 requires shared symmetric key
• can we authenticate using public key?

ap5.0: nonces and public key cryptography

msg2 = R

msg3 = SIGN(SK_A, R)

Using PK_A, Bob verifies Alice's signature of R in msg3. Since R is fresh and only Alice can compute signatures using SK_A, Bob concludes that Alice is really there.

The Protocol (Nonces)

1. A → B: "Hi Bob, it's me, Alice"

2. B → A: R (challenge)

3. A → B: E(K, R||B) (response)

Why not simply send E(K,R) in last message?

The Protocol (what if?)

1. B → A (Eve): "Hi Alice, it's me Bob"

1. Eve → B: "Hi Bob, it's me, Alice"

2. B → A (Eve): R (challenge)

2. Eve → B: R

3. B → Eve: E(K,R)

3. Eve → B: E(K,R) (response)

The Protocol (Nonces)

1. A → B: "Hi Bob, it's me, Alice"

2. B → A: R

3. A → B: E(K_ab, R) or E(K, R||B)

• K_ab is only used in A → B direction and a different key (K_ba) is used in B → A direction
• Alternatively, can use the same K in both directions but include explicit direction identifier in msg
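The playback case (ap3.x versus ap4.0) and the "what if?" run above, simulated as an added example that is not part of the original slides. Assumptions: HMAC-SHA256 stands in for E(K, ·), and the names `Party`, `F`, `honest_run`, `replay_attack` and `reflection_attack` are hypothetical.

```python
import hashlib, hmac, secrets

def F(key, data):
    # Assumption: HMAC-SHA256 stands in for the slides' E(K, .)
    return hmac.new(key, data, hashlib.sha256).digest()

class Party:
    """One end of the nonce protocol. bind_id=True answers F(K, R||verifier)."""
    def __init__(self, name, key, bind_id):
        self.name, self.key, self.bind_id = name, key, bind_id
        self.pending = {}                    # claimed peer -> outstanding nonce R

    def challenge(self, peer):               # msg 2: fresh R for this run
        self.pending[peer] = secrets.token_bytes(16)
        return self.pending[peer]

    def respond(self, verifier, r):          # msg 3, sent when acting as prover
        return F(self.key, r + verifier.encode() if self.bind_id else r)

    def verify(self, peer, resp):            # check msg 3; each R is single-use
        r = self.pending.pop(peer, None)
        if r is None:
            return False
        want = F(self.key, r + self.name.encode() if self.bind_id else r)
        return hmac.compare_digest(want, resp)

def honest_run(bind_id):
    k = secrets.token_bytes(32)
    alice, bob = Party("Alice", k, bind_id), Party("Bob", k, bind_id)
    return bob.verify("Alice", alice.respond("Bob", bob.challenge("Alice")))

def replay_attack(bind_id):
    k = secrets.token_bytes(32)
    alice, bob = Party("Alice", k, bind_id), Party("Bob", k, bind_id)
    recorded = alice.respond("Bob", bob.challenge("Alice"))  # Eve records msg 3
    bob.verify("Alice", recorded)            # the honest run completes
    bob.challenge("Alice")                   # Eve's later run gets a new R
    return bob.verify("Alice", recorded)     # old response, new nonce

def reflection_attack(bind_id):
    k = secrets.token_bytes(32)              # Eve never learns k
    bob = Party("Bob", k, bind_id)
    r = bob.challenge("Alice")               # run 1: Eve claims to be Alice
    reflected = bob.respond("Alice", r)      # run 2: Bob answers his own R
    return bob.verify("Alice", reflected)    # run 1, msg 3

if __name__ == "__main__":
    for bind in (False, True):
        print(bind, honest_run(bind), replay_attack(bind), reflection_attack(bind))
```

The nonce alone stops the replay in both variants; only the variant that binds the verifier's name into the response rejects the reflected message.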

The Protocol (Seq. #s)

1. A → B: "Hi Bob, it's me, Alice"

2. B → A: S_b (challenge), increment S_b

3. A → B: E(K, S_b||B) (response)

■ No PRNG needed
■ Both A and B must remember S_b

Time-Stamps

Inclusion of date/time-stamp in message allows recipient to check for freshness (as long as time-stamp is protected by cryptographic means).

1. A → B: E(K, TIME_A || B)

Results in fewer messages in protocol

But requires synchronized clocks… (Similar to the SecureID scenario)
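A verifier for the one-message time-stamp protocol, as an added example that is not part of the original slides. Assumptions: HMAC-SHA256 stands in for E(K, ·), so TIME_A travels in the clear next to its tag; `SKEW`, `make_msg` and `Verifier` are hypothetical names; and the cache of already-seen messages goes beyond the slide, covering a replay inside the accepted clock window.

```python
import hashlib, hmac, struct

SKEW = 30  # seconds of clock difference the verifier tolerates (assumed value)

def F(key, data):
    # Assumption: HMAC-SHA256 stands in for the slides' E(K, .)
    return hmac.new(key, data, hashlib.sha256).digest()

def make_msg(key, now, verifier):
    """A -> B: TIME_A followed by F(K, TIME_A || B)."""
    ts = struct.pack(">Q", now)
    return ts + F(key, ts + verifier.encode())

class Verifier:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.seen = {}                       # accepted message -> its time-stamp

    def accept(self, msg, now):
        if len(msg) != 8 + 32:
            return "malformed"
        ts, tag = msg[:8], msg[8:]
        # The tag covers TIME_A and the intended verifier's name (the "|| B")
        if not hmac.compare_digest(tag, F(self.key, ts + self.name.encode())):
            return "bad tag"
        t = struct.unpack(">Q", ts)[0]
        if abs(now - t) > SKEW:              # too old, or the clocks disagree
            return "stale"
        # Entries older than the window can no longer pass the check above
        self.seen = {m: s for m, s in self.seen.items() if now - s <= SKEW}
        if msg in self.seen:                 # same message again inside the window
            return "replay"
        self.seen[msg] = t
        return "ok"

if __name__ == "__main__":
    key = b"k" * 32                          # constructed sample key
    bob = Verifier("Bob", key)
    msg = make_msg(key, 1000, "Bob")
    for clock in (1010, 1015, 1031):
        print(clock, bob.accept(msg, clock))
```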

Key Distribution and Management

• Conventional (Secret) key distribution

• Public key distribution

Trusted Intermediaries

Symmetric Key Problem:
• How do two entities establish shared secret key over a distance (i.e., over a network)?

Solution:
• Mutually trusted on-line key distribution center (KDC) acts as intermediary between entities

Public Key Problem:
• When Alice gets Bob's public key (from a web site, email, disk, bboard), how does she know it is really Bob's?

Solution:
• Trusted off-line certification authority (CA)

Key Distribution Center (KDC)

• Responsible for distributing keys to pairs of users (hosts, processes, applications)

• Each user must share a unique master key with the KDC
  • Use this key to communicate with KDC to get a temporary session key for establishing a secure "session" with another user/program/host/entity
  • Each master key is distributed (agreed upon) in some off-line fashion (in person, by snail-mail, etc.)

Key Distribution Center (KDC)

• Alice and Bob need to share a key
• KDC shares different master key with each registered user (many users)
• Alice and Bob know their own master keys: K_A and K_B for communicating with KDC

[Figure: KDC and users; key labels K_A, K_B, K_E, K_P, K_X, K_Y, K_Z]
