authentication (cvrcek/kib/lecture5.pdf)
Cryptography and Information Security (Kryptografie a informační zabezpečenost), © Daniel Cvrček, 2005
Authentication
Lecture 5
Three basic notions
• Authentication – a process of verifying identity (with a required assurance)
• Authorization – assigning privileges and specification of allowed activities
• Identification – recognition of an entity from a predefined set
User Authentication/Identification
• Authentication (verification) – the subject produces a statement about his/her identity – 1:1
• Identification (searching) – the subject does not produce any identity. The system goes through all records in the database to find a match and the relevant subject's identity – 1:n
Data and Message Authentication
• no cryptography used
– CRC codes (cyclic redundancy codes)
• with cryptography
– shared secret symmetric key
– getting the hash through an authenticated channel
– keyed hash / MAC (message authentication code)
– digital signature
Hashing and Data Authentication
• out-of-band communication
– data sent through an unsecured channel with high throughput (e.g. email)
– a hash is computed and the result passed on via a different channel (phone, business card, …)
– recipient re-computes the hash of the data and compares it with the received hash
[Figure: the document is sent by email; its hash is sent by phone to the recipient]
Digital Signature Algorithm
• there was a bid for a new Digital Signature Standard (DSS) in 1994 – DSA (Digital Signature Algorithm) won
– a modified ElGamal algorithm based on the discrete logarithm problem in Zp
• other algorithms are based on elliptic curves
Digital signature – key lengths
• RSA algorithm
– the authors published an example believed to be secure (uses 64 and 65 bit primes) in 1977
– this crypto system was broken in 1994
– end of 1999 – a 512b crypto system was broken (several hundred computers were used for a period of 4 months)
– currently used keys are computed modulo a 1024-2048 bit number
Digital signature – time complexity
• asymmetric algorithms are computationally hard – examples for a smart-card

Operation                     Modulus     Exponent    Time
RSA signature                 1024 bits   1024 bits   25.2 ms
RSA signature                 2048 bits   2048 bits   0.17 s
RSA verification              1024 bits   32 bits     2.8 ms
RSA verification              2048 bits   F_4         38 ms
RSA key generation            1024 bits   -           1.56 s
RSA key generation            2048 bits   -           14.4 s
EC DSA (GF(p)) signature      160 bits    -           24 ms
EC DSA (GF(p)) verification   160 bits    160 bits    50 ms
Data authentication - example
• authentication of EXE files in MS Windows
– why authenticate?
– we want and need to ensure data integrity
– we want to know the program author
– we may trust MS and want to be sure the code was not changed during distribution
Microsoft Authenticode
• How does it work?
– the EXE file is digitally signed
– the digital signature is verified
– if the verification succeeds => the program is started
– if the verification fails => the user is asked for a decision
Microsoft Authenticode
• still no 100% proof
• 2001 – an unknown attacker obtained 2 public key certificates for Microsoft signed by VeriSign (both companies are key players and do have adequate security procedures)
• the attacker managed to masquerade as a Microsoft employee and was issued a certificate signed by VeriSign
• any code signed with a key belonging to this certificate could be run in Windows OS without any warning
Cryptographic protocols
• Authentication protocols – assure a party of the identity of another party (the one it communicates with)
• Key establishment protocols – create a shared secret (typically a key)
• Authenticated key establishment protocols – create a shared secret with a party whose identity has been verified
Authentication protocols
• the authentication is
– one way
– mutual
– continuous
• who's authenticating whom
– Alice asks Bob to authenticate himself
– Bob authenticates himself without a request
Password
• Alice authenticates herself towards Bob by sending a password
• the password can be eavesdropped
• Bob (at the end of the protocol) knows Alice's password and can himself authenticate as Alice (e.g. towards Cyril)
[Figure: Alice → Bob: password]
Hashed password
• during authentication – the password is not sent in plaintext; a hash is sent instead
• eavesdropping the hash does not automatically reveal the password
• however, the hash itself can be used for masquerading
[Figure: Alice → Bob: hash of the password]
Challenge-response protocols
• the protocol consists of at least two messages (challenge and response)
– eavesdropping the challenge and/or the response does not allow an attacker to repeat the authentication
– Bob is able to verify Alice's identity without knowing her secret
[Figure: Bob → Alice: challenge (a binary string Nc); Alice → Bob: response (digitally signed Nc)]
Time-dependent variables - Nc
• random numbers – the numbers are unpredictable (random as well as pseudorandom). They ensure uniqueness and freshness. They are not easy to generate (true randomness requires specialised HW); usually they are generated in SW from a seed – labelled as r
• sequence numbers – a monotonic sequence of numbers (both sides must store the last value used). They uniquely identify messages and allow detection of replay attacks – labelled as n
• timestamps – both sides must keep their clocks synchronised. They provide uniqueness and time precision – labelled as t
Symmetric algorithms
• protocols based on symmetric algorithms (Alice and Bob share a symmetric key K)
• Standard ISO/IEC 9798-2
• One-way authentication (time stamp)
– A → B: EK(tA, "B")
• One-way authentication (random number)
– A ← B: rB
– A → B: EK(rB, "B")
• Two-way (mutual) authentication (random numbers)
– A ← B: rB
– A → B: EK(rA, rB, "B")
– A ← B: EK(rB, rA)
Symmetric algorithms
• protocols based on one-way keyed functions (Alice and Bob share a symmetric key K)
• Standard ISO/IEC 9798-4, SKID protocols
• Two-way authentication
– A ← B: rB
– A → B: rA, hK(rA, rB, "B")
– A ← B: hK(rB, rA, "A")
– hK is a MAC algorithm
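The challenge-response idea above and the ISO/IEC 9798-4 two-way exchange, worked through as an added example (not from the lecture). hK is instantiated with HMAC-SHA-256 and the key K is a constructed sample value; the last two functions show why Bob must remember the rB he actually sent and why the identity and argument order inside the MAC matter.

```python
import hmac, hashlib, secrets

K = bytes.fromhex("00112233445566778899aabbccddeeff")  # shared key K (constructed sample value)

def h_k(key, *fields):
    """Keyed one-way function hK (here HMAC-SHA-256); fields are length-prefixed so
    (rA, rB) and (rA||rB, b"") cannot produce the same MAC input."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        m.update(len(f).to_bytes(2, "big") + f)
    return m.digest()

def bob_challenge():
    """(1) A <- B: rB, a fresh random number."""
    return secrets.token_bytes(16)

def alice_respond(r_b, key=K):
    """(2) A -> B: rA, hK(rA, rB, "B")."""
    r_a = secrets.token_bytes(16)
    return r_a, h_k(key, r_a, r_b, b"B")

def bob_check_and_reply(r_b, r_a, tag, key=K):
    """Bob verifies (2) against the rB he sent; on success he sends (3) A <- B: hK(rB, rA, "A")."""
    if not hmac.compare_digest(h_k(key, r_a, r_b, b"B"), tag):
        return None
    return h_k(key, r_b, r_a, b"A")

def alice_check(r_a, r_b, tag, key=K):
    """Alice verifies (3): the MAC must cover her own fresh rA, so an old recorded reply fails."""
    return hmac.compare_digest(h_k(key, r_b, r_a, b"A"), tag)

def run_protocol(key=K):
    r_b = bob_challenge()
    r_a, tag2 = alice_respond(r_b, key)
    tag3 = bob_check_and_reply(r_b, r_a, tag2, key)
    return tag3 is not None and alice_check(r_a, r_b, tag3, key)

def replay_rejected(key=K):
    """An eavesdropper replays Alice's (rA, tag) from an earlier run; Bob's new rB makes it fail."""
    r_a, old_tag = alice_respond(bob_challenge(), key)
    return bob_check_and_reply(bob_challenge(), r_a, old_tag, key) is None

def reflection_rejected(key=K):
    """Bouncing Alice's own message (2) back to her as message (3) fails: the argument
    order and the identity inside the MAC differ between the two directions."""
    r_b = bob_challenge()
    r_a, tag2 = alice_respond(r_b, key)
    return not alice_check(r_a, r_b, tag2, key)
```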
Asymmetric algorithms
• based on decryption with private keys
• One-way authentication
– A ← B: h(r), "B", PA(r, "B")
– A → B: r
• h – hash function; PA – encryption under Alice's public key (only Alice can decrypt it with her private key)
• h(r) serves as a proof of knowledge of r without revealing r
Asymmetric algorithms
• based on digital signatures
• Standard ISO/IEC 9798-3
• One-way authentication (timestamp)
– A → B: certA, tA, "B", SA(tA, "B")
• One-way authentication (random number)
– A ← B: rB
– A → B: certA, rA, "B", SA(rA, rB, "B")
– rA prevents chosen plain-text attacks
• Two-way authentication (random numbers)
– A ← B: rB
– A → B: certA, rA, "B", SA(rA, rB, "B")
– A ← B: certB, "A", SB(rB, rA, "A")
Key Management
• Goal
– key transmission
– key agreement
– key update (parties share a long-term key K)
– authentication of one or both parties
• Number of parties
– two-party protocols
– protocols with a trusted third party
Kerberos
• Created as a part of the Athena project at MIT
• Symmetric cipher E
• 2 parties (A, B) and a trusted authentication server (labelled T)
• Goal:
– authentication of Alice towards Bob
– key K establishment (T generates/selects it)
– optionally distribution of a shared secret for Alice + Bob
• Each party shares a secret with server T (KAT, KBT)
Kerberos
• KDC (key distribution centre) – the centre shares a key with all clients and generates and distributes keys
• KTC (key translation centre) – the centre does not generate keys, it just translates (distributes) them
[Figure: Alice and Bob, each connected to the server (KDC)]
[Figure: messages (1)-(4) exchanged between A, B and T]
Kerberos
• Simplified protocol
– L – ticket lifetime
– Def.: ticketB = EKBT(k, "A", L), auth = Ek("A", TA)
– (1) A → T: "A", "B", nA
– (2) A ← T: ticketB, EKAT(k, nA, L, "B")
– (3) A → B: ticketB, auth
– (4) A ← B: Ek(TA)
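The four messages of the simplified protocol, as an added example that is not from the lecture. The cipher E is a toy stand-in built from SHA-256 and HMAC (the lecture's E is any symmetric cipher); the long-term keys, the lifetime L and the clock-skew tolerance are constructed values. Alice's check of nA and Bob's checks of L, of the identity in the authenticator and of TA are the steps that make the tickets hard to replay.

```python
import hmac, hashlib, json, secrets, time

def _stream(key, nonce, n):  # SHA-256(key||nonce||counter) keystream for the toy cipher
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]
def E(key, obj):  # toy stand-in for the lecture's E: stream XOR, then HMAC tag (encrypt-then-MAC)
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def D(key, blob):  # inverse of E; rejects a tampered blob or a wrong key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))
K_AT, K_BT = secrets.token_bytes(32), secrets.token_bytes(32)  # long-term keys shared with T
L = 300  # ticket lifetime in seconds (constructed value)

def step2_server(m1, now):  # (2) A <- T: ticketB, E_KAT(k, nA, L, "B"); m1 is (1) A -> T: "A", "B", nA
    k = secrets.token_hex(32)  # session key chosen by T
    ticket_b = E(K_BT, {"k": k, "A": m1["from"], "L": now + L})
    return ticket_b, E(K_AT, {"k": k, "nA": m1["nA"], "L": now + L, "B": m1["to"]})

def step3_alice(n_a, ticket_b, enc, now):  # (3) A -> B: ticketB, auth = E_k("A", TA)
    got = D(K_AT, enc)
    if got["nA"] != n_a or got["B"] != "B":  # nA ties T's reply to Alice's own request
        raise ValueError("reply from T does not match the request")
    k = bytes.fromhex(got["k"])
    return ticket_b, E(k, {"A": "A", "TA": now}), k

def step4_bob(ticket_b, auth, now, skew=60):  # (4) A <- B: E_k(TA)
    t = D(K_BT, ticket_b)  # only Bob (and T) can open the ticket
    if now > t["L"]:
        raise ValueError("ticket expired")
    k = bytes.fromhex(t["k"])
    a = D(k, auth)  # a valid authenticator proves the sender holds k
    if a["A"] != t["A"] or abs(now - a["TA"]) > skew:
        raise ValueError("authenticator does not match ticket or is stale")
    return E(k, {"TA": a["TA"]}), k

def run(delay=0):  # full exchange; delay = seconds Alice waits between (2) and (3)
    now = int(time.time())
    m1 = {"from": "A", "to": "B", "nA": secrets.token_hex(8)}  # (1)
    ticket_b, enc = step2_server(m1, now)
    ticket_b, auth, k_a = step3_alice(m1["nA"], ticket_b, enc, now + delay)
    try:
        reply, k_b = step4_bob(ticket_b, auth, now + delay)
    except ValueError:
        return False  # Bob rejected (e.g. expired ticket)
    return D(k_a, reply)["TA"] == now + delay and k_a == k_b
```

run() returns True for a fresh exchange and False when Alice presents the ticket after its lifetime L has passed.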
Diffie Hellman
• Diffie-Hellman key agreement protocol
– common prime p, generator α of Zp
– Alice chooses secret x, Bob chooses secret y
– A → B: α^x mod p
– A ← B: α^y mod p
– Alice and Bob share K = α^xy mod p