anjum reyaz-ahmed. part i : authentication protocols kerberos protocol needham-schroder protocol ...
Post on 12-Jan-2016
231 Views
Preview:
TRANSCRIPT
Anjum Reyaz-Ahmed
Part I : Authentication ProtocolsKerberos ProtocolNeedham-Schroder Protocol
Part II: Current Literary Review“Elliptical Curve Cryptography How it Works" Sun Microsystems Laboratory 2005
“Security Challenges in Seamless Mobility – How to Handover The Keys”, WICON 2008
Part III: Future Research Initiatives
KerberosProvide authentication for a user that works
on a workstation.Uses secret key technology
Because public key technology still had patent projection.
Implements authentication by Needham & Schroeder.
On the market in versions 4 and 5.
[Chow and Johnson 1997]
KerberosKerberos consists of
Key Distribution Center (KDC) Runs on a physically secure node
Library of Subroutines Modifies known UNIX libraries such as telnet,
rlogin, …
[Chow and Johnson 1997]
Key Distribution CenterKDC:
Database of keys for all users
Invents and hands out keys for each transaction between clients.
Alice KDC Bob Alice wants BobKAlice{ KAB for
Bob }KBob{KAB for Alice}
[Chow and Johnson 1997]
Key Distribution CenterMessage from KDC to Bob has some
problems.Timing problem: Alice needs to wait to make
sure that Bob got the key.Change the protocol so that Alice receives a ticket to talk to Bob.
[Chow and Johnson 1997]
Key Distribution Center
Alice KDC Bob Alice wants
BobKAlice{Use KAB for Bob}
Ticket for Bob :=
KBob{Use KAB for Alice}
I’m Alice, my ticket is KBob{Use KAB for Alice}
[Chow and Johnson 1997]
Key Distribution CenterNeedham Schroeder:
Combines KDC operation with authentication.Uses nonces instead of timestamps to prevent
replay attacks. A (sequential / random) number used only once.
[Chow and Johnson 1997]
Needham Schroeder
Alice KDC BobN1, Alice, Bob
KAlice{N1, Bob, KAB, ticket to Bob}
KAB{N2-1, N3}
KAB{N3-1}
Ticket, KAB{N2}
Ticket = KBob{KAB, Alice}
[Chow and Johnson 1997]
Trudy waits until Alice makes a request to the KDC.Trudy now incorporates Bob.
Needham Schroeder
Alice KDC Bob Alice, Bob
Purpose of the nonce is the following scenario:
Assume that Trudy has stolen an old key of Bob’s and stolen the message where Alice previously has requested a key. Bob has in the meantime changed his key.
Trudy (KDC)Kalice{ Bob, KAB, ticket to Bob}
Trudy as Bob
Ticket = KBob{KAB, Alice}, …
Trudy impersonates the KDC and replays the old captured message, which looks like a normal message.
Trudy can now successfully authenticate herself to Alice as Bob.
But the nonces make all messages unique!
[Chow and Johnson 1997]
Message 2: KAlice{N1, Bob, KAB, ticket} with ticket = KBob{KAB,Alice}N1 prevents replay attacks.“Bob” to prevent Trudy from trying to play
Bob.Ticket does not have to be sent encrypted with
Alice’s key.
Needham Schroeder
[Chow and Johnson 1997]
Message 3: ticket, KAB{N2}Alice presents a challenge together with her
ticket.Bob decodes ticket to find KAB. He decodes the latter part of the message to
find the challenge.
Needham Schroeder
[Chow and Johnson 1997]
Message 4: KAB{N2-1,N3}Bob solves Alice’s challenge.Bob sends Alice his own challenge.
Your turn: What is the vulnerability if message 4 were to read: KAB{N2-1}, KAB{N3} ?
Needham Schroeder
Answer on next two slides.
Needham SchroederAnswer:
Trudy eavesdrops on an exchange and then splices her own messages to Bob:
[Chow and Johnson 1997]
Needham Schroeder
Alice BobTicket, KAB{N2}KAB{N2-1}, KAB{N3}
Trudy (later)Replays Ticket, KAB{N2}KAB{N2-1} KAB{N4}
Trudy (second connection)
Ticket, KAB{N4}KAB{N4-1} KAB{N5}
Trudy now resumes her first connection: KAB{N4-1} and is authenticated
[Chow and Johnson 1997]
Needham SchroederExpanded Needham Schroeder
Prevents replay attacks after Alice’s master key was stolen and Alice changed her master key.
[Chow and Johnson 1997]
Needham SchroederVulnerability Scenario
Alice has a previous key JAlice that Trudy captured.
Alice has changed her key to KAlice.Trudy has captured a previous login request
from Alice to KDC:KDC sent
JAlice{N1,Bob,JAB,KBob{JAB,Alice}}
[Chow and Johnson 1997]
Needham SchroederVulnerability Scenario
Trudy has JAlice{N1,Bob,JAB,KBob{JAB,Alice}}Trudy calculates JAB and KBob{JAB,Alice} with
JAlice.Trudy now impersonates Alice to Bob. She
sends her round 3 message to Bob:N2, KBob{JAB,Alice}
She can complete the Needham Schroeder protocol with Bob.
Since the KDC no longer participates, informing the KDC of the change does not prevent Trudy from succeeding impersonating Alice to Bob.
[Chow and Johnson 1997]
Needham Schroeder Vulnerability Scenario
Trudy hasJAlice{N1,Bob,JAB,KBob{JAB,Alice}}, JAB.
KBob{JAB,Alice}.
Trudy to Bob: JAB{N2}, KBob{JAB,Alice}
Bob to Trudy: JAB{N2–1, N3}
Trudy to Bob: JAB{N3–1}
Trudy and Bob are mutually authenticated!
[Chow and Johnson 1997]
Needham SchroederSolution:
Prevent replays after long duration:Clock and date.Certificate from Bob.
Extended Needham Schroeder picks the latter.
[Chow and Johnson 1997]
Extended Needham SchroederAlice to Bob: I want to talk to you.Bob to Alice: KBob{NB}
Alice to KDC: N1, “Alice wants Bob”, KBob{NB}
KDC to Alice: KAlice{N1,“Bob”,KAB, KBob{KAB, “Alice”, NB}}
Alice to Bob: KBob{KAB, “Alice”, NB}, KAB{N2}
Bob to Alice: KAB{N2-1,N3}
Alice to Bob: KAB{N3-1}.NB prevents the previous attack. Bob can determine whether Alice is using the key that the KDC has.
[Chow and Johnson 1997]
Extended Needham SchroederAlice now needs to receive a certificate from
Bob before starting standard Needham Schroeder.
[Chow and Johnson 1997]
Otway ReesReplaces extended Needham SchroederUses only 5 messagesSpeed-up results from the “suspicious party”
(Bob) going to the KDC.
[Chow and Johnson 1997]
Otway ReesAlice to Bob: NC, Alice Bob KAlice{NA, NC, Alice, Bob}
Bob to KDC: KAlice{NA,NC, Alice, Bob}, KBob{NB, NC, Alice, Bob}
KDC to Bob NC, KAlice{NA,KAB}, KBob{NB,KAB}
Bob to Alice: KAlice{NA, KAB}
Alice to Bob: KAB{NC}
[Chow and Johnson 1997]
KerberosBased on Needham Schroeder, but uses time
instead of nonces.Approximate time is easy in distributed
systems.
[Chow and Johnson 1997]
KerberosKerberos Authentication Service:
Alice to KDC N1 “Alice wants Bob”KDC to Alice KAlice{N1, “Bob”, KAB, KBob{KAB, Alice, expir.
Time}}Alice to Bob KBob{KAB, “Alice”, expir. Time}, KAB{cur.
Time}Bob to Alice KAB{cur. Time +1}
[Chow and Johnson 1997]
KerberosKerberos Setup
Master key shared by KDC with each principal.When Alice logs into her machine, her station asks
the KDC for a session key for Alice. The KDC also gives her a Ticket Granting Ticket. (TGT)
Alice’s workstation retains only the session key and the TGT.
Alice’s workstation uses the TGT to receive other tickets from the Ticket Granting Service (TGS).
[Chow and Johnson 1997]
KerberosTwo entities:
Key distribution center. Authentication Server (AS)
Ticket granting server (TGS).Both need the same database, so they are
usually on the same machine.
[Chow and Johnson 1997]
Summary: Elliptical curve cryptosystem (ECC) operates over points on an elliptical curve
The best known algorithm to attack ECC runs more slowly than best known algorithm to other cryptosystems
ECC can offer equivalent security with subsequently smaller size keys.
[Chang & et al. 2005]
Public-key cryptosystem offering the highest security strength per bit. Uses smaller keys for equivalent security.
Results in faster computations and savings in memory, power and bandwidth (especially important in constrained environments).
Performance advantage increases as security needs increase over time
Endorsed/standardized by NIST, ANSI, IEEE, IETF.
[Chang & et al. 2005]
How it worksHow it works
[Chang & et al. 2005]
Parameters: Elliptic curve, base point G
Scalar point multiplication: Q = kP, e.g. 9P = 2(2(2P)) + PHard problem: Given kP (public-key) & P, find k (private-key). EC Discrete Logarithm Problem – no known subexponential solutions.
Large keys are a big problem for small devices
Algorithm Time(s) Data Bytes Code Bytes
ECC secp160r1 0.81 282 3682
RSA 1024(priv) 10.99 930 6292
RSA 1024 (pub) 0.43 542 1072
ECC secp224r1 2.19 422 4812
RSA-2048 (priv) 83.26 1853 7736
RSA-2048 (pub**) 1.94 1332 2854[Chang & et al. 2005]
The Internet today is ...a global marketplace for goods and services enabled by security mechanisms that ensure authentication, confidentiality and integrity predominantly secured by the SSL protocol using a combination of symmetric- and public-key cryptographybut ...many new devices connecting to the Internet have limited capabilities (e.g. sensors, appliances)new applications (e.g. patient monitoring, building automation) will increase the number of transactions requiring security the future will demand higher levels of security (e.g. 128-bit AES, 2048-bit RSA)
[Chang & et al. 2005]
The security of ECC relies on the difficulty of solving the EllipticCurve Discrete Logarithm Problem (ECDLP), i.e. finding k, given Pand Q = kP. The problem is computationally intractable for largevalues of k.
Public- Key System Mathematical Problem
Best Known method for solving
Integer factorization e.g. RSA
Given a number n find its prime factors
Number field Sieve:(Sub-exponential)
Discrete logarithm e.g. DH, DSA
Given a prime n and number g and h find
x such that h = gx
mod n
Number field sieve(Sub-exponential)
Elliptic curve Discrete logarithm e.g. ECDH, ECDSA
Given an elliptic curve and points P and Q find k such
that Q = kP
Pollard-rho algorithm sqrt(n) (Fully exponential)
Key ExchangeEach node has a CPU and communication
controller running independentlyTime Triggered Communication Protocol
ECC can offer equivalent security with substantially smaller key sizes. For example, a 160-bit ECC key provides the same level of security as a 1024-bit RSA key and 224-bit ECC is equivalent to 2048-bit RSA.Smaller keys result in faster computations, lower power consumption, as well as memory and bandwidth savings.While these characteristics make ECC especially appealing for small embedded devices , they can also alleviate the computational burden on secure web servers.
[Chang & et al. 2005]
Synopsis
Key management challenges for seamless handover across heterogeneous wireless networks.
[Hoeper et al. 2008]
Handovers
Key DistributorKey DistributorThe authentication server of the serving networkthe lowest common key holder in serving and target
networkthe lowest key holder in the serving network with access to
target network via a short cut
Discussion on various security aspects of key management and seamless mobility in heterogeneous networks.
Show that Handover security and performance depends on the
method used to derive the HO key hierarchy the network position of the entity acting as key distributor the protocol used to distribute HO keys
Present three HO key distribution protocols: a push protocol and two variant of pull protocols.
Passwords are the weakest link in any systemWe need new methods of authenticating users
Password 2.0?Password 2.0?
If your mobile phone is your future authenticator, how do you authenticate to your mobile phone?One possibility is based on MIT’s “beeper-based” signature concept (R. Rivest, A. Lysyanskaya)
“Beeper” that you wear — maybe a belly button ring? — sends low-power signal to your phone
Fresh signal required for phone to generate digital signatures — otherwise phone won’t sign
Beeper can authenticate you to your phone, and/or you and your phone to the network
Users will authenticate based on what they know — and what they’re able to do — in new and sophisticated waysLife questions” are quite common already for password reset, as well as account enrollmentHuman-computer interfaces offer new possibilities for authentication, e.g., PassfaceTM
References:References:1. Randy Chow & Theodore Johnson . “Distributed Operating Systems &
Algorithms”. pp 156-163 Addison-Wesley 1997
2. Sheueling Chang, Hans Eberle, Vipul Gupta & Nils Gura. “Elliptical Curve Cryptography- How it works”. Sun Microsystem http://research.sun.com/projects/crypto/ , 2005
3. Katrin Hoeper, Lidong Chen, Antonio Izquierdo & Nada Golmie. “Security Challenges in Seamless Mobility – How to Handover the Keys”. WICON IEEE, 2008
Thank you!!
top related