csc 474 -- network securitydiscovery.csc.ncsu.edu/.../slides/t06.3_protocolpitfalls.ppt.pdf · csc...

11

CSC 474 Dr. Peng Ning 1

Computer Science

CSC 474 -- Network Security

Topic 6.3 Authentication Protocols

CSC 474 Dr. Peng Ning 2Computer Science

Outline

I. Attacks on authentication protocolsII. Preliminaries (KDCs and nonces)III. One-way authenticationIV. Two-way (mutual) authenticationV. Authentication + key negotiationVI. Authentication using KDCsVII. Security “Checklist”


Computer Science

Attacks onAuthentication Protocols

22


Authentication Protocols

• Secure communication almost always beginswith a “handshake”, i.e., participants…– establish who they are talking with, and…– negotiate shared session keys

• Lots of protocols available– many of them aren’t secure!– vulnerabilities / weaknesses are surprisingly subtle

• How can you tell if a protocol is secure?


What Can Attackers Do?

• Attacks involving messages– eavesdrop on communications– delete, forge, or modify messages– replay messages previously intercepted– modify message delivery sequence– send a message spliced together from pieces of

other messages– delay message delivery

• Compromise hosts or servers


Sessions and Channels

• A session is an exchange of messagesprotected by a single authentication– attackers may be able to hijack sessions, i.e., take

them over after authentication has occurred• A channel is a conversation opened between

two parties– attackers can open multiple simultaneous channels

to the target

33


Desired Protocol Properties

• Robust against attacks• Efficient

– minimum number of messages– minimum number of keys– important?

• Should minimize the amount of trust which isassumed / relied upon


Taxonomy of Protocols (For This Lecture)

Is message integrity +confidentiality for the

session desired?yes to next page…

no, only authenticationis needed

Is mutual authenticationdesired?

no, only one-wayauthentication needed

yes

How is authenticationaccomplished?

secret-keycrypto

passwordpublic keycrypto

A. B. C.

Is a KDC required?

No, notavailable

Yes,available

D. I.


secret-keycrypto

public keycrypto

E.


Taxonomy… (cont’d)


F. G. H.

secret-keycrypto

one-waypublic keycrypto

bi-directionalpublic keycrypto

…from previous page

44


Lectures <--> Text• The correspondence between Figure labels in Textbook, and Protocol

labels in lecture, is:• Textbook Lecture• 11-1 B• 11-2 variation on B• 11-4 another variation on B• 11-5 C• 11-7 D• 11-8 Optimized version of D• 11-13 variation on D• 11-14 F• 11-16 I basic idea• 11-17 I in practice• 11-18 Needham Schroeder• 11-19 Expanded Needham Schroeder• 11-20 Otway-Rees


Computer Science

Preliminaries


Trusted Key Servers

• How do a large number of users authenticateeach other?– inefficient / impractical for every pair of users to

negotiate a secret key or share passwords• Alternative: everybody shares a key with (and

authenticates to) a single trusted intermediary(third party)

• Assumes there is a way to negotiate a key withthe intermediary

55


Trusted… (cont’d)

• Shared keys between the Key DistributionCenter (KDC) and users

KDCA

BC D

EKA-KDC

KB-KDC

KC-KDCKD-KDC

KE-KDC


(Simplified) Example of Use

• Alice wishes to communicate securely with Bob;Alice has previously negotiated KA-KDC with theKDC, Bob has negotiated KB-KDC

1. Alice requests from the KDC a session key to usewith Bob

2. KDC generates session key KS, sends to Alice,encrypted with KA-KDC

3. KDC also sends KS to Bob, encrypted withKB-KDC

• Alice and Bob can then communicate using KS


Assessment

• Simplifies mutual authentication / keynegotiation, but…– secure against attacks?– robust to failures?– efficient?

66


A Hierarchy of KDCs

• For an Internet, not practical to have a single KDC– instead, imagine one KDC per domain

• To communicate securely with user in your owndomain, just contact your domain’s KDC

• To talk with user in another domain, your KDCneeds to contact the other domain’s KDC– KDCs must be able to authenticate each other and

communicate securely– details omitted (for now)


Hierarchy… (cont’d)

KDC-1A

BC

KA-K1

KB-K1

KC-K1

Domain 1D

E

KD-K2

KE-K2

KDC-2

Domain 2


Use of Keys vs. Passwords

• Even when we talk about using keys (secret orpublic/private), the user doesn’t typicallymemorize those; just too long!

• Keys are often protected by or generated froma password or a passphrase– so, still vulnerable to password attacks!– (good application for electronic tokens?)

77


Keys vs. Passwords… (cont’d)

• The verifier has to store keys as well– so, compromising the server may compromise user

keys or passwords• Not a problem if public key crypto is used

– but PK crypto requires an infrastructure for storingand obtaining public keys (certificates, etc.)


Key Guessing Attack

• AssumeTrudy knows f, can guess what KAlice-

Bob is– not that unlikely if key is derived from a password

• Solutions?

Trudy Bob

I’m Alice, RAlice

RBob, f(KAlice-Bob,RAlice)


Replay Attacks

• An attacker can record a message between twoother parties, replay it for one of them later– if original message was authenticated, the replayed

message is also authenticated• Detecting replayed messages: add a nonce to

each message– a non-repeating (unique) message identifier

• Choices: sequence numbers, random numbers,and timestamps

88


Sequence Number Nonces

• Just generate a sequential number, incremented foreach successive message

• If a message with duplicate sequence number is seen,it is rejected

• Also provides message sequencing (messages onlyaccepted in a particular order)

• Requires keeping track (maintaining state) of the lastsequence number– loss of synchronization possible between sender and

receiver?

000001 … 000002 … 000003 … 000004 …


Random Number Nonces

• Just generate a random number for eachsuccessive message– receiver cannot predict what the next number will

be; is that useful?

• If a message with duplicate random number isseen, it is rejected– how many previous values do you have to store,

and for how long?• Not useful for message sequencing

8179344 … 0502961 … 7936085 … 4419532 …


Timestamp Nonces

• Just read the time from a system clock andassociate with each message– timestamp has to be precise enough to generate a

different value for each message sent

• If a message with duplicate timestamp is seen,it is rejected– how many timestamps have to be remembered?

10:03:01.56 … 10:03:01.57 … 10:41:19.21 … 10:42:57.98 …

99


Timestamps… (cont’d)

• Provides additional information (time of messagetransmission)– message can be rejected if it is too old– out of order messages can be rejected

• This requires clock synchronization between senderand receiver– synchronization is non-trivial, and can be a target of attack

• Best choice: combination of the above, i.e.,random number + one of sequence number ortimestamp


Computer Science

One Way Authentication(w/o Session Key Negotiation)


session desired? yesto next page…

no


noHow is authentication

accomplished?

secret-keycrypto

password public keycrypto


secret-keycrypto

Is a KDC required?

No, notavailable

Yes,available

yespublic keycrypto

A. B. C. D. I.

E.


Authentication Only?

• Simplest starting point for discussion ofprotocols

• Of limited value– cannot do encryption or authentication of data

traffic– session hijacking possible after the authentication

step– are there applications?

1010


One-Way Authentication

• Typically: client (supplicant) authenticatesitself to server (verifier) in order to receiveservices– client does not require server to authenticate?– how do you know what server you are contacting

then?– applications?


Method : Use Password

• We just talked about this one in the last lecture• Advantages?• Drawbacks / limitations?

A


Method : Using Shared Secrets

• The function f can be a keyed hash, or encryption; howdoes this authenticate Alice?

• RBob is a challenge from the verifier– has to be remembered by Bob (stateful protocol)

• Better than using passwords?• Problems if RBob reused? if predictable?

B

Alice Bob

I’m Alice

RBob

f(KAlice-Bob,RBob)

1111


A Variation on

• How does this authenticate Alice?• f cannot be hashing for this version; only encryption

works– why is that?

• Does this authenticate Bob as well as Alice? If so, anyconditions?

B

Alice Bob

I’m Alice

RBob

KAlice-Bob{RBob}


Another Variation on !

• Authenticate both? f = hashing? encryption?• Timestamp = nonce; Alice chooses, cannot

reuse, requires synchronization• If KAlice-S is used by Alice to authenticate to

multiple servers, any problems with that?

B

Alice Bob

I’m Alice, timestamp, f(KAlice-Bob,timestamp)


Method : Using Public Key Crypto

• Advantages over and ?• Authenticate Bob?• Can attacker reuse Alice’s messages with other

servers? Any other harm Trudy can do?• Can RBob be reused? Other requirements?

C

A B

Alice Bob

I’m Alice

RBob

SigAlice{Rbob}Trudy

1212


Computer Science

Mutual Authentication(w/o Session Key Negotiation)


session desired?yes

to next page…

no


no


secret-keycrypto



secret-keycrypto

Is a KDC required?

No, notavailable

Yes,available

yes public keycrypto

A. B. C. D. I.

E.


Method : Using a Shared Secret

• Does this authenticate Bob as well as Alice?– who authenticates first, and does it matter?

• Can f be either hashing or encrypting?• Threat of replaying messages to other servers?

D

Alice Bob

I’m AliceRBob

f(KAlice-Bob,RBob)

RAlice

f(KAlice-Bob,RAlice)


Method … (cont’d)

• An optimized (fewer messages) version of thisprotocol:

D

Alice Bobf(KAlice-Bob,RBob)

I’m Alice, RAlice

Rbob, f(KAlice-Bob,RAlice)

Who authenticates first, and does it matter?

1313


It Matters: The Reflection Attack!

• Attacker opens two simultaneous channels

Trudy Bob

I’m Alice, RAlice

f(KAlice-Bob,RBob1)

RBob1, f(KAlice-Bob,RAlice)

Trudy Bob

I’m Alice, RBob1

RBob2, f(KAlice-Bob,RBob1)


Reflection… (cont’d)

• Lesson: Don’t have Alice and Bob do exactlythe same thing! Examples…– Alice uses a slightly different key than Bob (e.g.,

adds 1 to the shared key, or complements lsb)– Alice includes her name with her nonce, Bob

includes his name with his nonce• If initiator must prove her identity first, the

reflection attack is not possible– e.g., unoptimized method D


Key Guessing Attack

• AssumeTrudy knows f, can guess what KAlice-

Bob is– not that unlikely if key is derived from a password

• Solutions?

Trudy Bob

I’m Alice, RAlice

RBob, f(KAlice-Bob,RAlice)

1414


A Variation on

• Super-optimized; one message each direction! Whoauthenticates first?– stateless, but synchronized clocks needed

• Why does Bob’s response have to be a variation ofAlice’s challenge? What variations work?

• Can A.’s messages be replayed to other servers?

D

Alice Bob

I’m Alice, timestamp, f(KAlice-Bob,timestamp)

f(KAlice-Bob,timestamp+1)


Method : Mut. Auth. w. Pub.Key

• Advantages?• Who authenticates first? Reflection attack possible?• Why doesn’t Bob’s response have to be a variation of

the challenge RAlice? Problems if it is?

E

Alice Bob

I’m Alice, KBob{RAlice}

RAlice, KAlice{RBob}

RBob


Variations on Method

• Differences? Advantages over ?• Trick Bob into signing arbitrary values?

E

Alice Bob

I’m Alice, KBob{RAlice}, SigAlice{RAlice}

RAlice

Alice Bob

I’m Alice, RAlice

SigBob{RAlice},RBob

SigAlice{RBob}

#1

#2

E

1515


Computer Science

Authentication Including Session KeyNegotiation


session desired?

yes

no


F. G. H.

one-waysecret-keycrypto

one-waypublic keycrypto

mutualpublic keycrypto


Session Keys

• Usually, communication after authenticationshould be cryptographically protected as well

• Session keys are negotiated and used just forthe duration of one session

• If “permanent” public keys, or shared secretkeys, are available, why bother with sessionkeys?


: 1-Way Auth+Sess’n Key (Symm.)F

Alice Bob

I’m Alice

RBob

KAlice-Bob{RBob}

• Who is authenticated?• Possible session keys

– RBob? KAlice-Bob{RBob}? KAlice-Bob{RBob +1}?• Other choices; better?

– KAlice-Bob{f(RBob)}, where f() is “unguessable”?– (KAlice-Bob+1){RBob}?

1616


: 1-Way Auth+Session Key (PubKey)

• Who is authenticated? How?• Session key choice: RAlice ; Problems?• Another choice (not shown): use D-H to

negotiate a key, and Bob signs his messages

G

Alice BobKBob{RAlice}

I’m Bob

SigBob{KBob{RAlice}}


: 2-Way Auth+Sess’n Key (PubKey)

• How does this authenticate Alice and Bob?• Session key possibilities (problems?)

– RAlice? KBob{RAlice}? KAlice{RAlice}?– what if response from Bob is KAlice{RAlice} instead?

H

Alice Bob

I’m Alice, KBob{RAlice}, SigAlice{KBob{RAlice}}

RAlice


Method , version 2

• How does this authenticate both? Why aren’tsignatures needed?

• Session key: RAlice ⊕ RBob ; Problems?

H

Alice Bob

I’m Alice, KBob{RAlice}

KAlice{RAlice}, KAlice{RBob}

KBob{RBob}

1717


Method version 3

• (not shown) Alice and Bob negotiate a sessionkey using D-H (and all messages are signed)– problems?

H


Computer Science

Authentication Using KDCsIs message integrity +confidentiality for the

session desired?yes

to next page…

no


no


secret-keycrypto



secret-keycrypto

Is a KDC required?

No, notavailable

Yes,available

yes public keycrypto

A. B. C. D. I.

E.


: Mediated Authentication

• Use of KDC eliminates need ofcommunicating parties to know or trust eachother

To establish a shared session key KAB :

I

Alice Bob

I’m Alice, and I want to speaksecurely with Bob

KAlice-KDC{KAB} KDCKBob-KDC{KAB}

BASIC IDEA

Use of KDC reduces need of communicating parties toknow or trust each other

In addition to this, a separate “handshake” between Aliceand Bob required for mutual authentication (not shownabove)

1818


… (cont’d)

• A problem with this basic approach: the KDCmay be slow, or may have difficulty contactingBob– why would this happen?

• Result: messages encrypted by Alice may getto Bob before the KDC’s message to Bobarrives– what should Bob do with these messages?

I


Solution

• is a ticket given by KDC toAlice to present later to Bob directly herself

I

Use of KDC eliminates need of communicatingparties to know or trust each other

Alice Bob

I’m Alice, and I want to speaksecurely with Bob

KDC

IN PRACTICE

KAlice-KDC{KAB} + KBob-KDC{KAB}

I’m Alice, let’s use… KBob-KDC{KAB}

KBob-KDC{KAB}


The Needham-Schroeder Protocol

• An influential protocol (many systems, includingKerberos, have been modeled after it)

Alice

Bob

#1 Alice wants to speak with Bob, NAlice1

KDCKBob-KDC{KAB,Alice}#2 KAlice-KDC{NAlice1, Bob, KAB , }

KBob-KDC{KAB,Alice}#3 , KAB{NAlice2}

#4 KAB{NAlice2+1, NBob}

#5 KAB{NBob +1}

How is Bob authenticated? How is Alice authenticated? How is KDCauthenticated? What are the N’s used for? Why N+1 needed?

1919


Needham-Schroeder … (cont’d)

• A problem: if Trudy can somehow obtain anoldKAlice-KDC , she can reuse an old ticket grantedby the KDC to masquerade as Alice to Bob

• Solutions to this problem (following slides)1. use timestamps with messages2. use nonces with messages3. modify who contacts the KDC


Solution #1: Use Timestamps

• Ignore the ticket if timestamp T is too old– requires Bob and KDC to have more or less

synchronized clocks

Alice

Bob

#1 Alice wants to speak with Bob, NAlice1

KDC

#4 KAB{NAlice2+1, NBob}

#5 KAB{NBob +1}

KBob-KDC{KAB,Alice},T#2 KAlice-KDC{NAlice1,Bob,KAB , }

KBob-KDC{KAB,Alice,T}#3 , KAB{NAlice2}


Solution #2:Use Nonces (“Expanded N-S”)

• Two Tickets: B-->A-->KDC, and KDC-->A-->B• How does this help?

Alice BobKDCKBob-KDC{KAB,Alice,NBob1}#2 Kalice-KDC{NAlice1,Bob,KAB , }

KBob-KDC{KAB,Alice,NBob1}#3 , KAB{NAlice2}

#4 KAB{NAlice2+1, NBob2}

#5 KAB{NBob2 +1}

# -1 Hi, this is Alice, I want to speak with you

#0 KBob-KDC{NBob1}

#1 Alice wants to speak with Bob, NAlice1, KBob-KDC{NBob1}

2020


Solution #3: Bob Contacts KDC (Otway-ReesProtocol)

• Who is authenticated, and how?• How does this help?

Alice BobKDC

I’m Alice, NAlice1, Bob, KAlice-KDC{NAlice2,NAlice1,Alice,Bob}

KAlice-KDC{NAlice2,KAB} , KBob-KDC{NBob,KAB}

KAB{anything recognizable}

KBob-KDC{NBob,NAlice1,Alice,Bob}KAlice-KDC{NAlice2,NAlice1,Alice,Bob}

KAlice-KDC{NAlice2,KAB}


Computer Science

Security Protocol “Checklist”


Some Things to Worry About

• Password attack possible?• Database attack possible?• Is the server required to be stateful?• Is PKI required?• Can messages be reused / replayed?• Can you trick someone into encrypting or

signing something arbitrary?

2121


Scenarios

• Possible assumptions:1. Trudy can passively eavesdrop on a conversation2. Trudy can initiate a conversation, and masquerade

as Alice3. Trudy can intercept (and interfere with) attempts

to communicate with Bob4. Trudy can read Alice’s or Bob’s key database5. Trudy can play “man-in-the-middle”


1. If Trudy Can Eavesdrop…

• then design the protocol so she will not be able to dothe following…

?Learn info that allows her tomasquerade as either party

?Learn info that will make an off-linedictionary attack easy

?Learn the contents of encryptedmessages


2. If Trudy Can Initiate a Conversation asAlice…

?Learn info that allows her to masquerade as Bobto Alice

?Learn info that will make an off-line dictionaryattack easy

?Learn info that enables her to masquerade asAlice (either later, or now, on anotherconnection)

?Trick Bob into signing an arbitrary message

2222


3. If Trudy Can Intercept Connections toBob…

?Learn info that will allow her to masqueradeas Bob at a later time

?Learn info that will make an off-linedictionary attack easy

?Trick Alice into signing an arbitrarymessage

?Learn info that allows her to masquerade asBob to Alice, or as Alice to Bob


4. If Trudy Can Read Alice’s or Bob’sDatabase…

?Decrypt old (previously-eavesdropped)conversations

?Masquerade as the other party, to the ownerof the database


5. If Trudy Can Be a Man-in-the-Middle…

?Learn info that will make an off-line dictionaryattack easy

?Modify, duplicate, reorder, or replay themessages without being detected

?Hijack the conversation

?Decrypt encrypted messages

2323


Summary

1. KDCs are necessary to scale authentication tolarge systems

2. Nonces prevent replay attacks3. Many styles of authentication protocols; they

all have subtle vulnerabilities4. “Know thy enemy” (understand their

capabilities and goals)5. Use protocol standard correctly; rolling your

own is very hard to do right

csc 474 -- network securitydiscovery.csc.ncsu.edu/.../slides/t06.3_protocolpitfalls.ppt.pdf · csc...

Documents