Dr. Indrajit Ray, INRIA SMIS & Colorado State University Cryptography & Authentication Tutorial, October 9 2009 – 1 / 156
Cryptography & Authentication
Dr. Indrajit Ray
INRIA SMIS
Colorado State University
Email: [email protected]
August 19, 2012
Overview of Presentation
Basic Cryptography
Secret Key Cryptography
Public Key Cryptography
Message Digests
Key Distribution & Management
Authentication
Biometrics Based Authentication
Password Based Authentication
Replay and Interception Attacks
One Time Passwords
Mutual Authentication
Secret Key Based Mediated Authentication
Certificate Based Authentication Protocols
Basic Cryptography
Cryptography
● Provides a tool for
✦ secrecy
✦ integrity
✦ authentication
✦ non-repudiation
● In the face of
✦ passive and
✦ active attacks
● Not intended to solve inference problem
Attacks
● Passive attacks
✦ observe but do not modify information
✦ threat for confidentiality
● Active attacks
✦ delete, add, modify and replay information
✦ threat for confidentiality, integrity, authentication and non-repudiation
Terminology
● Encryption - the process of coding information such that the meaning is concealed
✦ encode / encipher are synonyms
● Decryption - the process of transforming encrypted information back to the original form
✦ decode / decipher are synonyms
● Cryptosystem - a system for encryption and decryption
Terminology
● Plaintext - information in its original form (also called cleartext)
● Ciphertext - information in the encrypted form
● Cipher - an algorithm for transforming an intelligible message into one that is unintelligible
● Key - some critical information used by the cipher, together with the plaintext, to generate the ciphertext
Cryptographic Technologies
● Secret-key cryptosystem
✦ Also known as single key / shared key / symmetric key cryptosystem
✦ Same key used for encryption and decryption
● Public-key cryptosystem
✦ Also known as two key / asymmetric key cryptosystem
✦ Different keys used for encryption and decryption
✦ Strong mathematical relation exists between the two keys
Cryptanalysis
● How to compromise cryptographic mechanisms
✦ benevolent intention: to judge the strength of cryptographic techniques and improve upon them
✦ malevolent intention: to breach security
Cryptanalysis
● Cryptanalyst is assumed to know the encryption and decryption algorithms
● Objective of the cryptanalyst is to discover the key
✦ Real objective may be to discover the plaintext message M, but
■ this is generally assumed to be equivalent to discovering the key
■ it is more rewarding for the cryptanalyst to discover the key
Attack Models for Cryptanalysis
● Ciphertext only or Known ciphertext
● Plaintext only or Known plaintext
● Chosen plaintext
● Chosen ciphertext
Ciphertext Only
● Cryptanalyst assumed to have access to a subset of ciphertexts
● Attack is successful if corresponding plaintexts can be deduced
✦ Any information about underlying plaintext is also considered success
✦ For example, whether it is information about salary.
● Must be able to guess when we have plaintext
✦ Sometimes the statistics of the ciphertext provide insight and can lead to a break
Known Plaintext
● Cryptanalyst knows (or suspects) some plaintext-ciphertext pairs
✦ We have some, or even a large, amount of matching plaintext and ciphertext. The goal is to extract the key.
● Knowledge of text properties can be used to simplify attack
✦ For example, if plaintext is known to be ASCII, as well as ciphertext, then only 28 keys can produce the result
Chosen Plaintext
● Cryptanalyst has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts.
✦ Feasible when attacker has access to the encryption hardware or software
✦ Can use knowledge of algorithm structure to attack
✦ Batch chosen plaintext: Cryptanalyst chooses all the plaintexts before any of them are encrypted.
✦ Adaptive chosen plaintext: Cryptanalyst makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions
Chosen Ciphertext
● Cryptanalyst knows some plaintext-ciphertext pairs for ciphertext of the cryptanalyst’s choice
● Cryptanalyst submits arbitrary encrypted messages to be deciphered and sees the resulting plaintext
● Feasible when attacker has access to the decryption hardware or software
General Attack Techniques
● Brute Force (also called Exhaustive search)
✦ Try to decipher ciphertext under every possible key until readable messages are produced.
✦ Given enough time all cryptosystems can be broken by brute-force.
✦ Question remains “What is readable?”
● Divide and Conquer to make brute-force easier
✦ Isolate small components or aspects so they can be solved separately
General Attack Techniques
● Dictionary
✦ Form a list of the most likely keys, then try those keys one-by-one (a way to improve brute force)
● Codebook
✦ Develop or collect a lookup table of transformations. Each plaintext has one or more ciphertexts in the table
✦ Match a plaintext-ciphertext pair against the codebook
General Attack Techniques
● Birthday Attacks
✦ Use the birthday paradox; the idea is that it is much easier to find two values which match than it is to find a match to some particular value
✦ Typically birthday attacks are used to break message digest algorithms
● Replay Attacks
✦ Record and save some ciphertext blocks or messages (especially if the content is known) then resend those blocks when useful
✦ Very common technique to bypass authentication protocols (More later)
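The gap the birthday bullet describes (any matching pair versus a match to one particular value) is what fixes how long a message digest has to be. The sketch below is an added example, not part of the original slides; the 16-bit truncated SHA-256 tag, the message names and the helper functions are constructed for illustration.

```python
import hashlib


def tag(msg: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256(msg): a deliberately short digest."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def find_any_collision(bits: int):
    """Birthday search: any two distinct messages that share a tag."""
    seen = {}
    n = 0
    while True:                      # ends within 2**bits + 1 tries (pigeonhole)
        msg = b"doc-%d" % n
        t = tag(msg, bits)
        if t in seen:
            return seen[t], msg, n + 1
        seen[t] = msg
        n += 1


def find_match_for(target: bytes, bits: int, limit: int):
    """Search for a message matching the tag of one particular message."""
    want = tag(target, bits)
    for n in range(limit):
        msg = b"try-%d" % n
        if tag(msg, bits) == want:
            return msg, n + 1
    return None, limit


def expected_work(bits: int) -> dict:
    """Average number of tries for each search against a `bits`-bit digest."""
    return {
        "any_pair": 1.25 * 2 ** (bits / 2),   # about sqrt(pi/2 * 2**bits)
        "particular": 2.0 ** bits,
    }


if __name__ == "__main__":
    a, b, pair_tries = find_any_collision(16)
    m, match_tries = find_match_for(b"target", 16, 2_000_000)
    print("any matching pair:", a, b, "after", pair_tries, "tries")
    print("match to one value:", m, "after", match_tries, "tries")
    for bits in (64, 128, 256):
        print(bits, "bit digest:", expected_work(bits))
```

A digest of n bits therefore gives only about n/2 bits of resistance against finding some colliding pair, which is why digest lengths are chosen at twice the intended security level.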
General Attack Techniques
● Differential Cryptanalysis
✦ Find a statistical correlation between key values and cipher transformations (typically the XOR of text pairs); then use sufficient defined plaintext to develop the key
✦ Typically used against a symmetric key cryptosystem that is iterative in structure
● Algebraic Coding
✦ From the cipher design, develop equations for the key in terms of known / chosen plaintext, then solve those equations
General Attack Techniques
● Related Key: Specify a change in any particular key bit, or some other relationship between keys, and observe the effect on the ciphertext, especially patterns of non-randomness
✦ 10 round AES-256 has been broken this way within practical complexity
● Timing: Measure the duration of ciphering operations and use that to reveal information about the algorithm, key or data
● Fault Analysis: Induce random faults into the ciphering system and use those to expose the key
General Attack Techniques
● Man-in-the-middle: Subvert the routing capabilities of a network and pose as the other side to each end of the communications
✦ Has been used to break Double DES
✦ Diffie-Hellman is susceptible to this kind of attack
● Use pitfalls in protocol design (More in the discussion)
● Use bugs in crypto implementation
Strength of Encryption
● There is no theory which guarantees strength for any conventional cipher
● Ciphers traditionally are considered strong when they have been used for a long time with “nobody” knowing how to break them
● While cryptanalysis can prove “weakness” for a given level of effort, cryptanalysis cannot prove that there is no simpler attack
Security of Ciphers
● Two fundamentally different ways ciphers may be secure
✦ Unconditional security
■ No matter how much computer power is available, the cipher cannot be broken
✦ Computational security
■ Given limited computing resources (e.g. time needed for calculations is greater than age of universe), the cipher cannot be broken
Secret Key Cryptography
Model of Secret Key Cryptosystem
[Figure: model of a secret-key cryptosystem. The Source encrypts message M with key K1, C = E[M, K1]; C travels over the Insecure Communications Channel, where the Cryptanalyst sees it; the Destination decrypts C with key K2, M = D[C, K2]. A Key Source ("Generates Random Key", "Provides Or Produces Key") supplies K1 and K2 over a Secure Key Channel.]
Block Ciphers vs. Stream Ciphers (1)
[Figure: block cipher. The plaintext is split into 64 / 128 bit blocks P1, P2, ..., Pn-1, Pn. Each plaintext block Pi is encrypted with the key to give ciphertext block Ci; each ciphertext block Ci is decrypted with the key to give back plaintext block Pi.]
Block Cipher vs. Stream Ciphers (2)
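[Figure: stream cipher. On the sending side the key drives a pseudorandom byte generator (key stream generator) whose output is combined (+) with the plaintext byte stream to give the ciphertext byte stream. On the receiving side the same key drives a pseudorandom byte generator whose output is combined (+) with the ciphertext byte stream to give the plaintext byte stream.]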
Modes of Operation for Block Ciphers
● 4 modes of operation
✦ ECB - Electronic Code Book
✦ CBC - Cipher Block Chaining
✦ CFB - Cipher Feedback
✦ OFB - Output Feedback
Electronic Code Book Mode
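[Figure: ECB mode. A 64 bit data block is encrypted (E) with the 56 bit key; the result is decrypted (D) with the 56 bit key to give back the 64 bit data block.]
● Ok for small messages
● Identical data blocks will be identically encrypted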
Cipher Block Chaining
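[Figure: CBC mode. Encryption: the 64 bit data block is combined (+) with the 64 bit previous ciphertext block and encrypted (E) with the 56 bit key. Decryption: the ciphertext block is decrypted (D) with the 56 bit key and combined (+) with the 64 bit previous ciphertext block to give the 64 bit data block.]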
Cipher Block Chaining
● CBC seeks to make each ciphertext block a function of
✦ the key and
✦ all previous plaintext blocks
● Needs an Initialization Vector (IV) to serve as the first feedback block
Cipher Block Chaining
● IV need not be secret or random
● Integrity of IV is important, otherwise first data block can be arbitrarily changed
● IV should be changed from message to message, or first block of every message should be distinct
✦ otherwise the first blocks will be encrypted identically
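The ECB and CBC properties listed on the last four slides can be checked directly. The following is an added example, not part of the original slides; the toy 64-bit Feistel cipher (built on keyed BLAKE2b) stands in for DES, and the key, IVs and message are constructed sample values.

```python
import hashlib

BLOCK = 8  # 64-bit data blocks, as on the slides


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Toy round function (keyed BLAKE2b), an assumption standing in for DES rounds.
    return hashlib.blake2b(half + bytes([rnd]), key=key, digest_size=4).digest()


def E(block: bytes, key: bytes) -> bytes:
    """Toy 64-bit block cipher (4-round Feistel). Illustrative only, not secure."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, xor(left, _f(right, key, rnd))
    return left + right


def D(block: bytes, key: bytes) -> bytes:
    """Inverse of E: undo the Feistel rounds in reverse order."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(left, key, rnd)), left
    return left + right


def split(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("whole blocks only; padding is out of scope here")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    return b"".join(E(b, key) for b in split(pt))


def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv                 # the IV is the first feedback block
    for b in split(pt):
        prev = E(xor(b, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in split(ct):
        out.append(xor(D(c, key), prev))
        prev = c
    return b"".join(out)


# Constructed sample data: a 56-bit key, two IVs, and a message whose
# first two blocks are identical.
KEY = b"56bitky"
IV_A = bytes.fromhex("0001020304050607")
IV_B = bytes.fromhex("1011121314151617")
MSG = b"PAY 0100PAY 0100TO ALICE"


def ecb_repeats_visible() -> bool:
    ct = split(ecb_encrypt(MSG, KEY))
    return ct[0] == ct[1]              # identical blocks encrypt identically


def cbc_repeats_visible() -> bool:
    ct = split(cbc_encrypt(MSG, KEY, IV_A))
    return ct[0] == ct[1]              # chaining hides the repetition


def first_block_equal(iv1: bytes, iv2: bytes) -> bool:
    # Same key and same first plaintext block: does ciphertext block 1 repeat?
    return cbc_encrypt(MSG, KEY, iv1)[:BLOCK] == cbc_encrypt(MSG, KEY, iv2)[:BLOCK]


def decrypt_with_modified_iv() -> bytes:
    # The ciphertext is untouched; only the unprotected IV changes in transit.
    # Decryption XORs the IV into block 1, so the change lands exactly there.
    ct = cbc_encrypt(MSG, KEY, IV_A)
    delta = xor(b"PAY 0100", b"PAY 9900")
    return cbc_decrypt(ct, KEY, xor(IV_A, delta))


if __name__ == "__main__":
    print("ECB shows repeated blocks:", ecb_repeats_visible())
    print("CBC shows repeated blocks:", cbc_repeats_visible())
    print("same IV, same first block:", first_block_equal(IV_A, IV_A))
    print("new IV, same first block: ", first_block_equal(IV_A, IV_B))
    print("decrypted after IV change:", decrypt_with_modified_iv())
```

The last function is the reason the IV needs integrity protection even though it need not be secret: sending it under a message authentication code computed over the IV and the ciphertext closes that gap.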
Cipher Feedback
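[Figure: CFB mode. Labels, for the sending and the receiving side: a register of 8, 8-bit blocks with a left shift; the 56 bit key; E / D; the leftmost 8 bits of the output; a combiner (+); the 8-bit plaintext; the 8-bit ciphertext passed between the two sides.]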
Cipher Feedback
● Intended for character-by-character transmission, among other things
● Operates at 1/8th the speed of CBC or ECB
● We can have k-bit feedback, in general
● Needs a 64-bit Initialization Vector to initialize the shift register
● An error in one 8-bit incoming ciphertext will be extended to the next eight 8-bit decrypted ciphertexts
Output Feedback
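[Figure: OFB mode. Labels, for the sending and the receiving side: a register of 8, 8-bit blocks with a left shift; the 56 bit key; E / D; the leftmost 8 bits of the output; a combiner (+); the 8-bit plaintext; the 8-bit ciphertext passed between the two sides.]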
Output Feedback
● Similar to CFB except that the key stream generated as input to exclusive OR is independent of plaintext
✦ Error is not extended
● OFB is intended for use with speech or video (due to lack of error extension)
● ANSI and ISO only allow 64 bit feedback in OFB
✦ otherwise average cycle of repetition in key stream is 2^31
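The different error behaviour of CFB and OFB can be seen by flipping one ciphertext bit and decrypting. This is an added example, not part of the original slides; it uses the 8-bit feedback and 64-bit register shown in the figures, a keyed BLAKE2b call as a stand-in for the block cipher's encrypt direction, and constructed key, IV and message values.

```python
import hashlib

REG = 8  # shift register of 8 8-bit units (64 bits), as in the figures


def E(block: bytes, key: bytes) -> bytes:
    # Stand-in for the block cipher's encrypt direction (keyed BLAKE2b, an
    # assumption). CFB and OFB only ever use the encrypt direction.
    return hashlib.blake2b(block, key=key, digest_size=REG).digest()


def cfb8(data: bytes, key: bytes, iv: bytes, decrypt: bool = False) -> bytes:
    reg, out = iv, bytearray()
    for byte in data:
        res = byte ^ E(reg, key)[0]           # leftmost 8 bits of E(register)
        out.append(res)
        fed_back = byte if decrypt else res   # always the ciphertext byte
        reg = reg[1:] + bytes([fed_back])     # left shift by 8 bits
    return bytes(out)


def ofb8(data: bytes, key: bytes, iv: bytes) -> bytes:
    # Encryption and decryption are the same operation in OFB.
    reg, out = iv, bytearray()
    for byte in data:
        ks = E(reg, key)[0]
        out.append(byte ^ ks)
        reg = reg[1:] + bytes([ks])           # feedback is the key stream itself
    return bytes(out)


# Constructed sample values.
KEY = b"56bitky"
IV = bytes.fromhex("0001020304050607")
MSG = b"character-by-character transmission"


def damaged_positions(mode: str, flip_at: int = 5) -> list:
    """Flip one bit of ciphertext byte `flip_at`; list the plaintext bytes that change."""
    if mode == "cfb":
        ct = bytearray(cfb8(MSG, KEY, IV))
        ct[flip_at] ^= 0x01
        pt = cfb8(bytes(ct), KEY, IV, decrypt=True)
    elif mode == "ofb":
        ct = bytearray(ofb8(MSG, KEY, IV))
        ct[flip_at] ^= 0x01
        pt = ofb8(bytes(ct), KEY, IV)
    else:
        raise ValueError("mode must be 'cfb' or 'ofb'")
    return [i for i, (a, b) in enumerate(zip(MSG, pt)) if a != b]


if __name__ == "__main__":
    # CFB: the flipped byte plus the following bytes while it sits in the register.
    print("CFB damaged bytes:", damaged_positions("cfb"))
    # OFB: only the flipped byte, because the key stream ignores the ciphertext.
    print("OFB damaged bytes:", damaged_positions("ofb"))
```

In both modes the flipped ciphertext bit flips the same plaintext bit, so neither mode detects modification on its own.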
Public Key Cryptography
Public Key Cryptosystem
● Traditional secret key cryptography uses a single key shared by both sender and receiver
✦ Problem – How to share the key?
● Does not protect sender from the receiver forging a message & claiming that message is sent by sender, the two parties being equal
● Solution - public key / asymmetric key cryptosystem
Public Key Cryptosystem
● Public-key (or two-key or asymmetric key) cryptography involves the use of two keys:
✦ a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
✦ a private-key, known only to the recipient, used to decrypt messages, and create signatures
Public Key Cryptosystems
● Three important classes of public-key algorithms:
✦ Public-Key Distribution Schemes (PKDS) - used to securely exchange a single piece of information that is then used as a session key for a secret-key scheme
✦ Public Key Schemes (PKS) - used for encryption, where the public-key encrypts and the private-key decrypts messages
✦ Signature Schemes - used to create a digital signature, where the private-key creates and the public-key verifies signatures
Public Key Cryptography
● Any public-key scheme can be used as a PKDS, just by selecting a message which is the required session key
● Many public-key schemes are also signature schemes (provided encryption & decryption can be done in either order)
Public Key Cryptosystem
[Figure: model of a public-key cryptosystem. Alice (Source) encrypts message M with Bob’s Public Key, C = E[M, KE]; C travels over the Insecure Communications Channel, where the Cryptanalyst sees it; Bob (Destination) decrypts C with Bob’s Private Key, M = D[C, KD]. Bob's Key Source generates the key pair and provides Bob’s Public Key KE to Alice over a Reliable Key Channel.]
Properties of Public/Private Keys
● Public / Private key pairs, (KE, KD), are easy to generate (a polynomial time (P-time) problem)
● D[E[M, KE], KD] = M
● D[E[M, KD], KE] = M
● KE ≠ KD
● D[E[M, KE], K′] = M → KD = K′
Properties of Public/Private Keys
● The keys KE and KD are mathematically related
● A plaintext encrypted with KE can be decrypted only with KD and vice versa
✦ Does not matter which one you choose to call publickey / private key
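The key-pair properties above, and the PKDS and signature uses from the earlier slides, can be exercised with a small public-key scheme. This is an added example, not part of the original slides; it assumes textbook RSA without padding (the slides name no algorithm at this point) and two small Mersenne primes, so it shows the algebra only and offers no security.

```python
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Return (KE, KD) = ((e, n), (d, n)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo (p-1)(q-1)")
    return (e, n), (pow(e, -1, phi), n)


def apply_key(m: int, key) -> int:
    """E[., K] and D[., K] are the same operation here: m^exp mod n."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)


# Toy primes 2^31 - 1 and 2^61 - 1 (constructed for the example): a modulus
# this small is factored instantly, so KD is NOT infeasible to compute here.
BOB_KE, BOB_KD = make_keypair(2**31 - 1, 2**61 - 1)


def transport_session_key(session_key: bytes) -> bytes:
    """PKDS use: the 'message' is a session key for a secret-key scheme."""
    c = apply_key(int.from_bytes(session_key, "big"), BOB_KE)   # Alice encrypts
    m = apply_key(c, BOB_KD)                                    # Bob decrypts
    return m.to_bytes(len(session_key), "big")


def digest_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes) -> int:
    """Signature use: the private key creates the signature."""
    return apply_key(digest_int(message, BOB_KD[1]), BOB_KD)


def verify(message: bytes, signature: int) -> bool:
    """The public key verifies it (the two operations applied in the other order)."""
    return apply_key(signature, BOB_KE) == digest_int(message, BOB_KE[1])


if __name__ == "__main__":
    m = 0x1122334455667788
    print("D[E[M, KE], KD] == M:", apply_key(apply_key(m, BOB_KE), BOB_KD) == m)
    print("D[E[M, KD], KE] == M:", apply_key(apply_key(m, BOB_KD), BOB_KE) == m)
    print("KE != KD:", BOB_KE != BOB_KD)
    print("session key recovered:", transport_session_key(b"56bitky"))
    sig = sign(b"pay Bob 10")
    print("signature verifies:", verify(b"pay Bob 10", sig))
    print("altered message verifies:", verify(b"pay Bob 99", sig))
```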
Property of the Keys
● Knowing the public-key and public description of the cipher, it is
✦ Computationally infeasible to compute the private key ($K_D$) (an NP-time problem)
✦ Thus the public-key may be distributed to anyone wishing to communicate securely with its owner
■ Although proper distribution of the public-key is a non-trivial problem - the key distribution problem
Privacy For Small Payload (One Way)
● Look up the recipient’s public key
● Encrypt the payload with the recipient’s public key and send on an unprotected network
● The recipient will receive and decrypt the message with their private key
Privacy For Small Payload (Two Way)
● Look up the recipient’s public key
● Encrypt the following with the recipient’s public key and send on an unprotected network
✦ The payload
✦ Your public key¹
● The recipient will receive and decrypt the message and your public key with their private key and encrypt their response with your public key
● When you receive the response, decrypt it with your private key
¹ Could have recipient look up originator’s public key
Privacy For A Session
● Look up the recipient’s public key
● Encrypt the following with the recipient’s public key and send on an unprotected network:
✦ Your public key
✦ Your part of a session key
● The recipient will decrypt the message, combine your session key part with their session key part, and encrypt this with your public key
● When you receive the response, decrypt it with your private key and begin the private key session
Digital Signatures
[Figure: digital signature. Alice (message source) applies D to M with Alice’s private key, $C = D[M, K_D]$, and sends C over a reliable communications channel. Bob (message destination) applies E to C with Alice’s public key, $M = E[C, K_E]$. Alice’s key source generates Alice’s private key and provides Alice’s public key over a reliable key channel.]
Signature and Non Repudiation
● A signature is a non-repudiable proof assuming that a one-to-one mapping can be established between a public key and its owner
● In general non-repudiation requires a notarized signature, involving a third party, that vouches for the one-to-one mapping between a public key and its owner
● In large systems this can involve hierarchies of notarization
Signature and Encryption
[Figure: signature and encryption. Alice applies D with Alice’s private key (signed plaintext), then E with Bob’s public key (encrypted). Bob applies D with Bob’s private key, then E with Alice’s public key.]
Signature and Encryption
● We can do the encryption first followed by the signature
✦ From Bob’s perspective both provide the same functionality
✦ Signature later (that is signature on the clear) has the advantage that the signature can be verified by parties other than Bob
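The key identities and the sign-then-encrypt flow from the slides above, worked through with textbook RSA as an added example (not from the original tutorial). The choice of RSA, the tiny primes and all function names are assumptions made for illustration; there is no padding or hashing, so this shows the algebra only.

```python
"""Textbook RSA over tiny constructed primes: illustrates the algebra only."""


def make_keypair(p, q, e):
    """Return (K_E, K_D) = ((e, n), (d, n)) for distinct primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def apply_key(value, key):
    """E[value, K] and D[value, K] are the same operation: value^k mod n."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must lie in [0, n)")
    return pow(value, exponent, n)


# Constructed keys. Bob's modulus is larger than Alice's so that a value
# signed under Alice's key always fits under Bob's key.
ALICE_KE, ALICE_KD = make_keypair(61, 53, 17)  # n = 3233
BOB_KE, BOB_KD = make_keypair(89, 97, 5)       # n = 8633


def key_properties_hold(m):
    """Check the slide's identities for Alice's key pair on message m."""
    return (
        apply_key(apply_key(m, ALICE_KE), ALICE_KD) == m      # D[E[M, KE], KD] = M
        and apply_key(apply_key(m, ALICE_KD), ALICE_KE) == m  # D[E[M, KD], KE] = M
        and ALICE_KE != ALICE_KD                              # KE != KD
    )


def alice_sign_then_encrypt(m):
    """Alice: D with her private key, then E with Bob's public key."""
    signed = apply_key(m, ALICE_KD)        # signature on the clear
    encrypted = apply_key(signed, BOB_KE)  # only Bob can remove this layer
    return signed, encrypted


def bob_decrypt_then_verify(encrypted):
    """Bob: D with his private key, then E with Alice's public key."""
    signed = apply_key(encrypted, BOB_KD)
    return signed, apply_key(signed, ALICE_KE)


def third_party_verify(m, signed):
    """Anyone holding Alice's public key can check a signature on the clear."""
    return apply_key(signed % ALICE_KE[1], ALICE_KE) == m


if __name__ == "__main__":
    message = 1234  # constructed sample message, must be below Alice's modulus
    print("key identities hold:", key_properties_hold(message))
    signed, encrypted = alice_sign_then_encrypt(message)
    recovered_signature, recovered = bob_decrypt_then_verify(encrypted)
    print("Bob recovers M:", recovered == message)
    # Bob can hand (M, signature) to a third party, who needs no private key.
    print("third party accepts:", third_party_verify(message, recovered_signature))
    print("third party rejects altered signature:",
          not third_party_verify(message, recovered_signature + 1))
```
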
Special Signature Schemes
● Relax one or more of the following characteristics of regular signature schemes
✦ Signer knows the contents of the message signed
✦ Anyone with knowledge of public key of signer can verify correctness of signature without consent or input from signer
✦ Security of signature scheme is based on certain complexity theoretic assumptions
Blind Signature
● Allows a subject to get a message signed by another party without revealing any information about the message to the other party
● Usage in
✦ Digital timestamping
✦ Anonymous access control
✦ Digital cash
Group Signature
● Allows a member of a group to sign a message such that the verifier can confirm that it came from the group, but does not know which individual in the group signed the message
✦ In case of disputes identity of signer can be discovered by a designated group authority that has some additional information
One Time Signature
● Allows the signature of only a single message using a given piece of private (and public) information
✦ Schemes that require new key pairs for each message signed are not susceptible to key compromise
✦ Generally quite fast
✦ Schemes tend to be unwieldy when used to authenticate multiple messages because additional data needs to be generated to both sign and verify each new message
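A one-time signature in working form, as an added example that is not part of the original tutorial. The slide names no particular scheme; Lamport's hash-based construction over SHA-256 is used here as one instance, and the class and function names are assumptions.

```python
import hashlib
import secrets

BITS = 256  # one key slot per bit of the SHA-256 message digest


def H(data):
    return hashlib.sha256(data).digest()


def message_bits(message):
    """The 256 bits of SHA-256(message), most significant bit first."""
    digest = H(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def generate_keypair():
    """Private key: 256 pairs of random values. Public key: their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32))
               for _ in range(BITS)]
    public = [(H(zero), H(one)) for zero, one in private]
    return private, public


class OneTimeSigner:
    """Holds one key pair and refuses to sign a second message with it."""

    def __init__(self):
        self._private, self.public = generate_keypair()

    def sign(self, message):
        if self._private is None:
            raise RuntimeError("key already used; generate a new key pair")
        # Reveal, for each digest bit, the private value selected by that bit.
        signature = [self._private[i][bit]
                     for i, bit in enumerate(message_bits(message))]
        # A second signature would reveal more private values and let an
        # observer assemble signatures for other digests, so erase the key.
        self._private = None
        return signature


def verify(message, signature, public):
    """Hash each revealed value and compare with the matching public slot."""
    if len(signature) != BITS:
        return False
    return all(H(signature[i]) == public[i][bit]
               for i, bit in enumerate(message_bits(message)))


def sizes_in_bytes(signature, public):
    """Shows the 'unwieldy' side: per-message data that must be handled."""
    return {
        "signature": sum(len(part) for part in signature),
        "public_key": sum(len(a) + len(b) for a, b in public),
    }


if __name__ == "__main__":
    signer = OneTimeSigner()
    message = b"constructed sample message"
    signature = signer.sign(message)
    print("valid:", verify(message, signature, signer.public))
    print("altered message rejected:",
          not verify(b"altered message", signature, signer.public))
    print(sizes_in_bytes(signature, signer.public))
```

Signing and verifying cost only hash evaluations, which is the "generally quite fast" point; the 8 KiB signature and 16 KiB public key per message are the cost the last bullet describes.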
Message Digests
Message Digests
● Motivation
✦ Public-key technology is very slow
■ Cannot sign big messages
✦ Signed message is at least as long as original message, often longer
● Message digests are one way hash values of original messages; each concisely represents the message from which it was computed
Message Digests
[Figure: message digest as a one-way function, labelled “Easy to Compute” in one direction and “Hard to Compute” in the other.]
Properties of Cryptographic Hash Functions
● The hash function $H(x)$ is relatively easy to compute for any given $x$
● $H(x)$ is one-way
✦ “hard to invert”, that is given a hash value $h$, it is computationally infeasible to find some input $x$ such that $H(x) = h$
● H(x) is collision-free
Weakly Collision Free
● Given a message $M$, it is computationally infeasible to find a message $M' \neq M$ such that $H(M) = H(M')$
✦ Given $M$, $m = H(M)$, try messages at random to find $M'$ with $H(M') = m$
✦ $2^k$ trials on an average for messages of size $k$ bits
Strongly Collision Free
● It is computationally infeasible to find any two messages $M$ and $M'$ such that $H(M) = H(M')$
✦ Try pairs of messages at random to find $M$ and $M'$ such that $H(M') = H(M)$
✦ $2^{k/2}$ trials on an average
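The gap between the two trial counts can be measured on a deliberately shortened hash. This is an added example, not from the original tutorial; it takes k as the digest length in bits, truncates SHA-256 to k bits so the searches finish quickly, and all names are assumptions.

```python
import hashlib


def digest_k(message, k):
    """Deliberately weak hash: the first k bits of SHA-256, as an integer."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - k)


def find_second_preimage(original, k, label="trial"):
    """Weak collision search: given M, find M' != M with H(M') = H(M)."""
    target = digest_k(original, k)
    trials = 0
    while True:
        candidate = f"{label}:{trials}".encode()
        trials += 1
        if candidate != original and digest_k(candidate, k) == target:
            return candidate, trials


def find_collision(k, label="trial"):
    """Strong collision search: find any M != M' with H(M) = H(M')."""
    seen = {}  # digest -> first message that produced it
    trials = 0
    while True:
        candidate = f"{label}:{trials}".encode()
        trials += 1
        h = digest_k(candidate, k)
        if h in seen:
            return seen[h], candidate, trials
        seen[h] = candidate


def average_trials(k, runs):
    """Mean number of hash evaluations for each search over `runs` attempts."""
    second_total, collision_total = 0, 0
    for run in range(runs):
        original = f"original message {run}".encode()  # constructed input
        second_total += find_second_preimage(original, k, f"second-{run}")[1]
        collision_total += find_collision(k, f"collide-{run}")[2]
    return {
        "second_preimage": second_total / runs,
        "collision": collision_total / runs,
    }


if __name__ == "__main__":
    k = 16
    result = average_trials(k, runs=5)
    print(f"k = {k}: 2^k = {2 ** k}, 2^(k/2) = {2 ** (k // 2)}")
    print(f"mean trials, weak collision (second preimage): "
          f"{result['second_preimage']:.0f}")
    print(f"mean trials, strong collision: {result['collision']:.0f}")
```

The measured means land on the order of $2^k$ and $2^{k/2}$ respectively, which is why a digest must be about twice as long as the work factor it is meant to provide against collisions.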
Current Generation Algorithms
● MD5 (Message Digest 5)
✦ 128 bit message digest proposed by Rivest of RSA
✦ simple, compact and fast
● SHA (Secure Hash Algorithm)
✦ 160 bit message digest similar to MD5
✦ slightly slower than MD5 but more secure
Keyed Message Digest
● Secret-key technique to provide efficient
✦ Authentication
✦ Integrity
● Does not provide Non-repudiation
● Also known as Message Authentication Codes (MAC)
Message Authentication Code
● It is an authentication tag (also called a checksum) derived by applying an authentication scheme, together with a secret key, to a message digest
● MACs are computed and verified with the same key, so that they can only be verified by the intended recipient
✦ This is unlike digital signatures
● Many different types of MACs – most popular are
✦ hash function-based
✦ block cipher-based
Hash Based MACs
● Often called HMAC (example: HMAC-MD5, HMAC-SHA)
● Use a key or keys in conjunction with a hash function to produce a checksum that is appended to the message
● $\mathrm{HMAC}_K(M) = H(K \oplus \mathit{opad} \,\|\, H(K \oplus \mathit{ipad} \,\|\, M))$
✦ $H$ is any message digest function
✦ $M$ message
✦ $K$ secret key
✦ opad, ipad: fixed outer and inner padding
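The HMAC formula above, computed step by step and checked against Python's standard `hmac` module, as an added example that is not part of the original tutorial. The key preparation (zero-padding to the hash block size, hashing over-long keys) and the pad bytes 0x36 and 0x5C follow RFC 2104; the function names and the SHA-256 default are assumptions.

```python
import hashlib
import hmac


def hmac_from_formula(key, message, hash_name="sha256"):
    """HMAC_K(M) = H(K xor opad || H(K xor ipad || M)), per RFC 2104."""
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()  # shorten over-long keys
    key = key.ljust(block_size, b"\x00")            # pad K to one hash block
    inner_key = bytes(b ^ 0x36 for b in key)        # K xor ipad
    outer_key = bytes(b ^ 0x5C for b in key)        # K xor opad
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def tag_message(key, message, hash_name="sha256"):
    """Append the checksum to the message, as the slide describes."""
    return message + hmac_from_formula(key, message, hash_name)


def verify_tagged(key, tagged, hash_name="sha256"):
    """Return the message if its tag verifies under key, otherwise None."""
    size = hashlib.new(hash_name).digest_size
    if len(tagged) < size:
        return None
    message, tag = tagged[:-size], tagged[-size:]
    expected = hmac_from_formula(key, message, hash_name)
    # Constant-time comparison, so the check does not leak how many
    # leading bytes of a forged tag were correct.
    return message if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    key = b"constructed shared secret"
    message = b"transfer 10 to Bob"
    tagged = tag_message(key, message)
    print("matches stdlib:",
          hmac_from_formula(key, message)
          == hmac.new(key, message, "sha256").digest())
    print("verifies:", verify_tagged(key, tagged) == message)
    altered = b"transfer 99 to Bob" + tagged[len(message):]
    print("altered message rejected:", verify_tagged(key, altered) is None)
    print("wrong key rejected:", verify_tagged(b"other key", tagged) is None)
```

Because sender and receiver hold the same key, either could have produced the tag, which is why a MAC gives authentication and integrity but not non-repudiation.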
Block Cipher-based MACs
● Encrypt the message blocks using a symmetric block cipher in Cipher Block Chaining mode and output the final block in the ciphertext as the checksum
● DES based MACs are 64 bit and not considered strong anymore
Key Distribution & Management
Public-Key Certificates
● Reliable distribution of public-keys
● Public-key encryption
✦ Sender needs public key of receiver
● Public-key digital signatures
✦ Receiver needs public key of sender
● Public-key key agreement
✦ Both need each other’s public keys
Public-Key Certificates
● Public key should be linked with subject’s ID
✦ Allows verification of the claim that a specific public key does indeed belong to a specific subject
● Trusted authority must certify the authenticity of public keys
● Achieved by means of certificates
✦ In its simplest form contain a public key and a name
✦ Most widely accepted format defined by the ITU-T X.509 standard
X.509 Certificate
● Version
● Serial Number
● Signature Algorithm
● Issuer
● Validity
● Subject
● Subject Public Key Info
● Signature
X.509 Certificate
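● Version: 1
● Serial Number: 1234567891011121314
● Signature Algorithm: RSA + MD5, 512
● Issuer: C=US, S=CO, O=CSU, OU=CS
● Validity: 01/01/2002 - 01/10/2002
● Subject: C=US, S=CO, O=CSU, OU=CS, CN=Indrajit Ray
● Subject Public Key Info: RSA, 1024, xxxxxxxxxxxxxxxxxxxxxxxxxx
● Signature: yyyyyyyyyyy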
Certificate Revocation
● Certificates may need to be revoked
✦ Key specified in certificate may have been compromised
✦ Subject specified may no longer have the authority to use the key
✦ Certifying authority’s key is compromised
● Achieved by means of Certificate Revocation Lists (CRLs) stored at CRL repositories – usually the certifying authority itself
CRL Format
● Signature Algorithm
● Issuer
● Last Update
● Next Update
● Revoked Certificates
✦ Serial Number, Revocation Date
✦ Serial Number, Revocation Date
● Signature
CRL Distribution
● Pull Model
✦ Verifier downloads the CRL from the certifying authority as needed
● Push Model
✦ Certifying authority sends the CRL to verifiers at regular intervals
● Hybrid Model
✦ CRL is “pushed” to several intermediate repositories from which the verifier “pulls” the CRL as needed
Certificate Trust
● How to acquire public key of the issuer to verify signature?
● Whether or not to trust certificates signed by the issuer for this subject?
Public Key Infrastructure
● Protocols, services and standards for managing public keys
✦ Key registration: issuing a new certificate for a public key
✦ Certificate revocation: canceling a previously issued certificate
✦ Key selection: obtaining a subject’s public key
✦ Trust evaluation: determining whether a certificate is valid and what operations it authorizes
● Several PKI initiatives underway, most based on X.509 certificates
Internet Key Exchange (IKE) Protocol
● Uses Diffie-Hellman Key exchange to share a session secret
● Uses session secret to derive keys
Diffie-Hellman Key Exchange
● Alice and Bob want to exchange a secret key over an insecure channel
● System wide constants
✦ $p$ a very large prime number (∼ 200 digit)
✦ $\alpha$ a small integer
● Alice chooses a random secret number $x_a$
● Bob chooses a random secret number $x_b$
Diffie-Hellman Key Exchange
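Alice
● Step 1: Chooses random $x_a$
● Step 2: Sends $y_A = \alpha^{x_a} \bmod p$
● Step 3: Computes $K_{AB} = (y_B)^{x_a} \bmod p = \alpha^{x_a x_b} \bmod p$
Bob
● Step 1: Chooses random $x_b$
● Step 2: Sends $y_B = \alpha^{x_b} \bmod p$
● Step 3: Computes $K_{AB} = (y_A)^{x_b} \bmod p = \alpha^{x_a x_b} \bmod p$
Shared Key: $K_{AB}$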
DH Man-in-the-Middle Attack
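Alice
● Step 1: Chooses random $x_a$
● Step 2: Sends $y_{AC} = \alpha^{x_a} \bmod p$
● Step 3: Computes $K_{AC} = (y_{CA})^{x_a} \bmod p = \alpha^{x_c x_a} \bmod p$
Bob
● Step 1: Chooses random $x_b$
● Step 2: Sends $y_{BC} = \alpha^{x_b} \bmod p$
● Step 3: Computes $K_{BC} = (y_{CB})^{x_b} \bmod p = \alpha^{x_c x_b} \bmod p$
Cryptanalyst Charlie
● Step 1: Chooses random $x_c$
● Step 2: Sends $y_{CA} = \alpha^{x_c} \bmod p$
● Step 2: Sends $y_{CB} = \alpha^{x_c} \bmod p$
● Charlie computes
✦ $K_{AC} = (y_{AC})^{x_c} \bmod p = \alpha^{x_a x_c} \bmod p$
✦ $K_{BC} = (y_{BC})^{x_c} \bmod p = \alpha^{x_b x_c} \bmod p$
Shared Keys: $K_{AC}$, $K_{BC}$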
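The two Diffie-Hellman slides and the interception case above, simulated inside one process as an added example (not from the original tutorial). The 39-digit prime stands in for the roughly 200 digit prime the slide calls for; the dictionary keys and the fingerprint comparison used to show how the substitution becomes visible are assumptions.

```python
import hashlib
import secrets

# Constructed toy parameters: far smaller than the slide's ~200 digit prime.
P = 2 ** 127 - 1  # a 39-digit Mersenne prime
ALPHA = 3         # small integer base


def choose_secret():
    """Random secret exponent in [2, P - 2]."""
    return secrets.randbelow(P - 3) + 2


def public_value(x):
    return pow(ALPHA, x, P)       # y = alpha^x mod p


def shared_key(y_peer, x_own):
    return pow(y_peer, x_own, P)  # K = (y_peer)^x_own mod p


def fingerprint(key):
    """Short digest of a key, for comparison over an authentic channel."""
    return hashlib.sha256(key.to_bytes(16, "big")).hexdigest()[:16]


def honest_exchange():
    """Steps 1 to 3 with nobody in the middle."""
    xa, xb = choose_secret(), choose_secret()
    ya, yb = public_value(xa), public_value(xb)
    return {"alice": shared_key(yb, xa), "bob": shared_key(ya, xb)}


def intercepted_exchange():
    """Charlie's public value replaces the peer's value in both directions."""
    xa, xb, xc = choose_secret(), choose_secret(), choose_secret()
    y_ac, y_bc = public_value(xa), public_value(xb)  # values Charlie receives
    y_ca = y_cb = public_value(xc)                   # values Alice and Bob receive
    return {
        "alice": shared_key(y_ca, xa),               # K_AC as Alice computes it
        "bob": shared_key(y_cb, xb),                 # K_BC as Bob computes it
        "charlie_with_alice": shared_key(y_ac, xc),  # K_AC as Charlie computes it
        "charlie_with_bob": shared_key(y_bc, xc),    # K_BC as Charlie computes it
    }


def keys_confirmed(alice_key, bob_key):
    """Key confirmation: both ends compare fingerprints of what they derived."""
    return fingerprint(alice_key) == fingerprint(bob_key)


if __name__ == "__main__":
    honest = honest_exchange()
    print("honest run, same K_AB:", honest["alice"] == honest["bob"])
    print("honest run, confirmation passes:",
          keys_confirmed(honest["alice"], honest["bob"]))

    tapped = intercepted_exchange()
    print("Charlie holds Alice's key:",
          tapped["alice"] == tapped["charlie_with_alice"])
    print("Charlie holds Bob's key:",
          tapped["bob"] == tapped["charlie_with_bob"])
    print("confirmation fails:",
          not keys_confirmed(tapped["alice"], tapped["bob"]))
```

Nothing in the exchanged values tells Alice or Bob whose exponent they came from, so the exchange needs its public values authenticated, or the derived keys confirmed over a channel the interceptor cannot alter.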
Authentication
Authentication in DBMSs
● DBMSs, in general, rely on underlying OS to provide authentication services
● If OS provides different types of authentication services, DBMS can specify what type of authentication service to use
● DBMS can also specify whether authentication needs to be done at the client side or at the server side
Entity Authentication
● Allows one party – the verifier – to gain assurance that the identity of another – the claimant – is as declared
✦ Prevents impersonation
✦ Enables authorization
✦ Allows accountability
● Typically, the claimant reveals knowledge of some secret $S$ to the verifier
● Strong Authentication – Claimant reveals knowledge of $S$ to the verifier without revealing $S$ to the verifier.
Message Authentication
● Allows the receiver of a message to gain assurance that
✦ The incoming message has not been tampered with in transit
✦ The incoming message did indeed originate from the sender who claimed to have sent it
● Provided by digital signatures
● Provides no timeliness guarantee with respect to when message was created
● Authenticated key establishment is essentially message authentication where the message is the key
Identification vs. Authentication
● Identification (Who are you?)
✦ Associating an identity with an individual, process or request
✦ Confirmed by matching characteristics to a database containing records of people and characteristics
● Authentication (Are you who you claim to be?)
✦ Verifying a claimed identity
✦ Confirmed by comparing characteristics to those previously recorded for that same entity
Basis of Authentication
● Something inherent to a human individual (Biometrics)
✦ Fingerprints, retinal patterns, hand geometries, signature dynamics, dynamic keyboarding characteristics
● Something known
✦ Standard passwords, personal identification numbers, secret key whose knowledge is demonstrated in a challenge-response protocol
● Something possessed
✦ A physical key, a passport, a token, a smart card
Biometrics Based Authentication
Biometric Authentication Model
Attacks on Biometrics
● Attack the database
● Attack the network – Replay
● Attack the sensor or other part of the trusted computing base
● Attack the registration process
✦ Dummy finger
✦ Contact lenses
✦ Disguises
● Collusion
Security Considerations
● Biometrics are not secrets and are therefore susceptible to modified or spoofed measurements
● There is no recourse for revoking a compromised identifier
● Threatens individual right to anonymity
✦ Cultural concerns
✦ Religious concerns
✦ Violates civil liberties
Types of Biometrics
● Physiological
✦ Fingerprints
✦ Retinal patterns
✦ Face
✦ Hand geometry
✦ DNA (not yet used for authentication)
● Behavioral
✦ Keystroke dynamics
✦ Voice
Fingerprints for Biometric Authentication
● Very low false acceptance rate
✦ Typically 95–98% accurate
✦ Accuracy varies depending on gender, racial characteristics
● Relatively high false rejection rate
✦ Chemical residues may cause rejection
● Easy to use
● Fast, small storage requirement
● People handling rough materials, children require updating the database
Retinal Patterns for Biometric Authentication
● Extremely low false acceptance rate
✦ Ethnicity and eye color can affect accuracy
● High rejection rate
● Fast, very small storage needed
● Very stable biometric
✦ Affected by certain diseases like blindness and cataract
Facial Features for Biometric Authentication
● Still evolving technology; about 80% accurate
● Perspective, lighting, pose etc. affect authentication
● Comparatively larger space and computation overhead than fingerprints or retinal patterns
Other Biometrics
● Keystroke timing for typing a password
✦ Requires no special hardware
✦ Can be used for generating secrets for other password based schemes
✦ Affected by network properties
✦ Timing can be used to make guessing passwords easier
● Hand geometry, hand vein patterns
● Voice recognition
✦ Ambient noise can affect authentication
Password Based Authentication
Passwords
● Commonly used method
● For each user, system stores in a password file < User name, F(password) >, where F is some transformation
✦ F(password) is easy to compute
✦ From F(password), the original password is difficult (ideally) to compute
● When a user enters the password, system computes F(password)
✦ A match provides proof of identity
Simple Password Scheme
[Figure: simple password scheme. Labels: claimant, terminal, verifier; id, p', f, q', message, q, compare, authentication OK or not]
Choice of Passwords
● Suppose passwords can be from 1 to 8 characters in length
✦ Lower case English alphabets used
● Possible choices for passwords = $26^1 + 26^2 + \dots + 26^8 = 1.5 \times 10^{12}$
● At the rate of 1 password per millisecond, it will take about 150 years to test all passwords
Probable Passwords
● In a Bell Labs study (Morris & Thompson 1979), 3,289 passwords were examined
✦ 15 single ASCII characters
✦ 72 two ASCII characters
✦ 464 three ASCII characters
✦ 477 four alphanumeric characters
✦ 706 five letters (all lower or all upper case)
✦ 605 six letters all lower case
✦ 492 weak passwords (dictionary words spelled backwards, first names, last names etc.)
● Summary: 2831 passwords (86%) were weak, that is, they were too easily predictable or too short
Dictionary Attacks on Passwords
● The statistics haven’t changed much in later studies
● To improve upon the expected probability of success of an exhaustive search, an attacker may search the space of all possible passwords in order of decreasing probability
Dictionary Attack on Simple Password Scheme
● Attacker constructs a table mapping values of q to values of p, ensuring especially that the table contains the most likely expected values for p
● Passively monitor large numbers of authentication attempts
✦ Can obtain with high degree of probability some passwords for some user
Dictionary Attack (Case 1)
● Create a dictionary of common words and names and their simple transformations
✦ For example: indrajit −→ jndaitr
● Use these to guess the password
Dictionary Attack (Case 2 – known F)
Improved Password Scheme (#2)
[Figure: improved password scheme #2. Labels: claimant, terminal, verifier; id, p', f, q', message, q, compare, authentication OK or not]
Attack on Scheme #2
● Now we have stored password q = F(p, id)
● It is still possible to prepare the table of q values for password values, but now only for one particular id.
● Suffers from verifier compromise
✦ Attacker gets the < id, q > pair and generates an authentication message request on the wire.
Improved Scheme #3
[Figure: improved scheme #3. Labels: claimant, terminal, verifier; id, p', message, f, q', id, q, compare, authentication OK or not]
Scheme #3 ≡ UNIX Password
● Designed by Bob Morris and Ken Thompson to encrypt passwords in Unix
● Uses an extended DES algorithm for the password function F
● User password and salt are used as encryption key to encrypt
● Process is repeated 25 times
✦ The ith encrypted block is used as the plaintext for the (i + 1)th round
Unix Crypt Algorithm
[Figure: Unix crypt algorithm. Labels: user password; truncate to 8 ASCII characters, pad with 0s if necessary; 56 bit key; data; modified DES; 12 bit user salt initially taken from the system clock; input I1; next input Ii, 2 ≤ i; output Oi; O25; repack 76 bits into eleven 7-bit characters; encrypted password]
Password Salt
● Salt is used to make dictionary attack a bit more difficult
● Salt is a 12 bit number between 0 and 4095
● It is derived from the system clock and the process identifier
● Rather than computing F(password), compute F(password + salt); both salt and F(password + salt) are stored in the table
● With salt the same password can result in 4096 different values stored in the table.
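An added example (not from the original slides) comparing the unsalted F(password) file with the salted F(password + salt) file: a table precomputed once matches every unsalted entry that uses a listed password, but no salted entry. SHA-256 stands in for the DES-based F, random salts stand in for the clock-derived ones, and all user names, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_BITS = 12  # the slides' salt: a 12 bit number between 0 and 4095

# Constructed sample data: two users happen to choose the same weak password.
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "x7#Lq2pz"}
CANDIDATES = ["password", "sunshine", "letmein"]  # constructed guess list


def F(password: str, salt: Optional[int] = None) -> str:
    """Stand-in one-way transformation (assumption: SHA-256, not modified DES)."""
    material = password.encode()
    if salt is not None:
        material += salt.to_bytes(2, "big")  # F(password + salt)
    return hashlib.sha256(material).hexdigest()


def enroll_unsalted(users):
    """Unsalted password file: id -> F(password)."""
    return {uid: F(pw) for uid, pw in users.items()}


def enroll_salted(users, salts=None):
    """Salted password file: id -> (salt, F(password + salt)).

    Salts are random here (assumption); pass `salts` to fix them for a test.
    """
    table = {}
    for uid, pw in users.items():
        salt = salts[uid] if salts else secrets.randbelow(1 << SALT_BITS)
        table[uid] = (salt, F(pw, salt))
    return table


def verify_salted(table, uid, attempt):
    """Verifier check: recompute F with the stored salt and compare."""
    if uid not in table:
        return False
    salt, q = table[uid]
    return hmac.compare_digest(F(attempt, salt), q)


def precompute(candidates):
    """One table F(candidate) -> candidate, built without knowing any salt."""
    return {F(c): c for c in candidates}


def exposed_by_table(stored_values, table):
    """Audit helper: ids whose stored value appears in the precomputed table."""
    return sorted(uid for uid, q in stored_values.items() if q in table)


def table_entries_needed(candidates, salted):
    """Entries a precomputed table needs to cover every candidate (and salt)."""
    return len(candidates) * ((1 << SALT_BITS) if salted else 1)


if __name__ == "__main__":
    table = precompute(CANDIDATES)
    unsalted = enroll_unsalted(USERS)
    salted = enroll_salted(USERS)
    print("unsalted entries matched:", exposed_by_table(unsalted, table))
    print("salted entries matched:  ",
          exposed_by_table({u: q for u, (_, q) in salted.items()}, table))
    print("table size without/with salt:",
          table_entries_needed(CANDIDATES, False),
          table_entries_needed(CANDIDATES, True))
```

The unsalted file also reveals that alice and bob share a password, because their stored values are identical; with distinct salts they are not.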
Attack on Scheme #3
● Password in the clear on the network
✦ Vulnerable to eavesdropping
■ Serious concern on any network
✦ Also susceptible to replay attacks
■ Attacker eavesdrops on the communication channel and intercepts a legitimate authentication exchange
■ Attacker later replays the authentication exchange
■ Serious on interconnected networks
Improved Password Scheme #4
[Figure: improved password scheme #4. Labels: claimant, terminal, verifier; id, p', f, q', g, r', message, id, r, compare, authentication OK or not]
Replay and Interception Attacks
Replay on a Different Verifier
Reflection Attack
Man-in-the-Middle Attack
Replay on the Same Verifier
Improved Scheme 4
[Figure: improved scheme 4. Labels: claimant, terminal, verifier; id, p', f, q', nrv, g, r', message, id, q, nrv, g, r, compare, authentication OK or not]
One Time Passwords
One Time Passwords
● Use a password exactly once
● Such schemes are safe from passive adversaries who eavesdrop and later attempt impersonation.
● Variations include
✦ Shared lists of one time passwords
✦ Sequentially updated one time passwords
✦ One time password sequences based on one-way functions
Shared Lists of One Time Passwords
● User and system use a sequence of n secret passwords – each valid for a single authentication
● Drawback – maintenance of shared list
✦ Have to use passwords in exact sequence
✦ Otherwise system has to check password against all remaining unused passwords
✦ Not widely used
Sequentially Updated One Time Passwords
● Initially only a single secret is shared
● During authentication, user creates and transmits a new password using the current password
✦ New password typically encrypted under a key derived from current password
● New password transmitted in current session, forms the password for the next session
● Method becomes difficult if communication failure occurs
One Time Password Sequences
● User does not send a new password every time; instead user and system compute next passwords locally
● Use one-way functions to compute passwords
● Improvement on Sequentially Updated One Time Passwords Scheme
✦ More efficient with respect to bandwidth
Lamport’s One-Time Password Scheme
● Uses one-way hash function
● Relies on the fact that it is easier to compute the hash of a particular value than to compute the original value from the hashed value
✦ That is, $H(x)$ is easy to compute given $x$
✦ $H^{-1}(x)$ is difficult to compute given $H(x)$
Lamport’s Scheme (continued)
● Notation: $H^t(x) = H(H^{t-1}(x))$
● User A begins with a secret $w$ and a one-way function $H$
● A constant $t$ is fixed – for example $t = 100$ or $1000$
✦ $t$ defines the number of identifications allowed
✦ The system has to be restarted thereafter with a new $w$
● A transfers (the initial shared secret) $w_0 = H^t(w)$ to the system; system initializes its counter for A to $i_A = 1$
Lamport’s Scheme (continued)
● System stores (User name A, $H^t(w)$)
● The $i$th identification message, $1 \le i \le t$, is as follows:
A → system : A, $i$, $w_i$ $(= H^{t-i}(w))$
✦ $H^{t-i}(w) = H(H^{t-i-1}(w))$
● A computes $H^{t-1}(w)$ the first time
● If authentication is correct, system replaces $H^t(w)$ by $H^{t-1}(w)$ and sets $i_A \leftarrow i_A + 1$
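An added example (not part of the original slides) of Lamport's exchange as described above: the system keeps only the last accepted value and the counter i_A, and accepts w_i when hashing it once reproduces the stored value. SHA-256 as H, the small t, and the class and function names are assumptions made for illustration.

```python
import hashlib
import hmac


def H(x: bytes) -> bytes:
    """One-way function H (assumption: SHA-256)."""
    return hashlib.sha256(x).digest()


def H_iter(x: bytes, n: int) -> bytes:
    """H^n(x): apply H n times, with H^0(x) = x."""
    for _ in range(n):
        x = H(x)
    return x


class LamportUser:
    """Claimant A: holds the secret w and derives w_i = H^(t-i)(w)."""

    def __init__(self, name: str, w: bytes, t: int):
        self.name, self._w, self.t = name, w, t

    def initial_value(self) -> bytes:
        return H_iter(self._w, self.t)            # w_0 = H^t(w), sent at setup

    def message(self, i: int):
        if not 1 <= i <= self.t:
            raise ValueError("chain exhausted: restart with a new w")
        return (self.name, i, H_iter(self._w, self.t - i))


class LamportSystem:
    """Verifier: stores (user, last accepted value, counter i_A)."""

    def __init__(self, t: int):
        self.t = t
        self.users = {}

    def register(self, user: str, w0: bytes) -> None:
        self.users[user] = {"stored": w0, "i": 1}

    def authenticate(self, user: str, i: int, w_i: bytes) -> bool:
        rec = self.users.get(user)
        if rec is None or i != rec["i"] or i > self.t:
            return False                          # wrong counter or chain used up
        if not hmac.compare_digest(H(w_i), rec["stored"]):
            return False                          # H(w_i) must equal stored value
        rec["stored"] = w_i                       # replace H^(t-i+1)(w) by H^(t-i)(w)
        rec["i"] += 1                             # i_A <- i_A + 1
        return True


def demo():
    t = 5                                         # constructed; small for the demo
    user = LamportUser("A", b"constructed secret w", t)
    system = LamportSystem(t)
    system.register("A", user.initial_value())
    first = user.message(1)
    out = {"login_1": system.authenticate(*first)}
    # An eavesdropper resends the captured message, unchanged and relabelled.
    out["replay_same_i"] = system.authenticate(*first)
    out["replay_as_i_2"] = system.authenticate("A", 2, first[2])
    out["logins_2_to_t"] = [system.authenticate(*user.message(i))
                            for i in range(2, t + 1)]
    out["after_t"] = system.authenticate("A", t + 1, b"anything")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A captured w_i only lets an observer compute values further up the chain, which the system has already retired; the next expected value requires inverting H.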
Lamport’s Scheme (continued)
Time Synchronized Schemes
[Figure: hand held authenticator. Labels: secret key, time, f(S,t), one time password]
Time Synchronized Scheme
● A hand-held authenticator is used
✦ It contains an internal clock, a secret key and a display
✦ Display outputs a function (DES / one-way function) of the current time and the key
✦ Current time is in minutes, rather than seconds, so the value changes about once per minute
Time Synchronized Scheme (continued)
● User supplies the user-id and the display value
● System uses the secret key, the one-way function and its clock to calculate the expected output – login is valid if values match
● Clocks need to be synchronized
Challenge Response Schemes
● A non-repeating challenge from the system is used instead of the clock
[Figure: challenge-response exchange. Labels: workstation, network, verifier; user ID, challenge, response]
Non Repeating Values
● Ensures that an attempt to replay an earlier authentication exchange will be detected
● Potential sources:
✦ Sequence numbers – claimant and verifier agree upon policy to generate sequence numbers
✦ Time stamps – clocks need to be synchronized to at least within a window
Non Repeating Values (continued)
● Time stamps
✦ To guarantee uniqueness, verifier needs to buffer copies of all messages received within window
● Random value (or nonce) sent previously from the verifier
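An added example (not from the original slides) covering both the time synchronized scheme and the non repeating values above: the verifier accepts f(S, t) only inside a clock window and buffers what it accepted so a replay inside that window is caught, and a verifier-issued nonce is consumed on first use. HMAC-SHA256 as f, the one-minute window, the key and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

WINDOW_MINUTES = 1  # assumption: tolerate clock drift of +/- one minute


def f(secret: bytes, value: bytes) -> str:
    """Keyed one-way function (assumption: HMAC-SHA256 in place of DES)."""
    return hmac.new(secret, value, hashlib.sha256).hexdigest()


def token_for_minute(secret: bytes, minute: int) -> str:
    """What the hand-held authenticator displays: f(S, t), t in minutes."""
    return f(secret, minute.to_bytes(8, "big"))


class Verifier:
    def __init__(self, secrets_by_user):
        self.keys = dict(secrets_by_user)
        self.seen = set()     # (user, minute) pairs already accepted in the window
        self.pending = {}     # user -> outstanding nonce

    def check_time_token(self, user, token, now_minute):
        key = self.keys.get(user)
        if key is None:
            return False
        # Buffer only what can still be replayed: drop entries outside the window.
        self.seen = {(u, m) for (u, m) in self.seen
                     if abs(now_minute - m) <= WINDOW_MINUTES}
        lo, hi = now_minute - WINDOW_MINUTES, now_minute + WINDOW_MINUTES
        for m in range(lo, hi + 1):
            if hmac.compare_digest(token_for_minute(key, m), token):
                if (user, m) in self.seen:
                    return False              # same value replayed inside window
                self.seen.add((user, m))
                return True
        return False                          # stale, future or forged value

    def challenge(self, user):
        nonce = secrets.token_bytes(16)       # random value sent by the verifier
        self.pending[user] = nonce
        return nonce

    def check_response(self, user, response):
        nonce = self.pending.pop(user, None)  # consumed whether or not it matches
        key = self.keys.get(user)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(f(key, nonce), response)


def demo():
    key = b"constructed shared secret S"
    v = Verifier({"A": key})
    now = 1000                                # constructed clock value, in minutes
    tok = token_for_minute(key, now)
    out = {"fresh": v.check_time_token("A", tok, now)}
    out["replay_same_minute"] = v.check_time_token("A", tok, now)
    out["replay_next_minute"] = v.check_time_token("A", tok, now + 1)
    out["replay_outside_window"] = v.check_time_token("A", tok, now + 2)
    # Claimant clock one minute behind the verifier's clock.
    out["slow_clock"] = v.check_time_token(
        "A", token_for_minute(key, now + 2), now + 3)
    nonce = v.challenge("A")
    resp = f(key, nonce)
    out["response"] = v.check_response("A", resp)
    out["replayed_response"] = v.check_response("A", resp)
    v.challenge("A")
    out["old_response_new_nonce"] = v.check_response("A", resp)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Widening the window tolerates more clock drift but enlarges the buffer the verifier must keep; the nonce variant needs no clock and no buffer beyond the one outstanding challenge.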
Improved Password Scheme #6
[Figure: improved password scheme #6. Labels: claimant, terminal, verifier; id, p', f, q', nrv, g, r', response message, id, q, nrv, g, r, compare, authentication OK or not]
Hand Held Password Generator
[Figure: hand held password generator. Labels: A (user); user PIN entered; token; password generator with A, PIN, S; secret key; A (login request); challenge generator; e (challenge); f(PIN,S,e); y (response); system; comparison (=); yes: accept; no: reject]
Mutual Authentication
● Problem – How to share key
✦ This is more critical than in the case of secret key based encryption schemes because authentication is a more fundamental issue
● Solution – Mediated Authentication
✦ Secret key based – Needham-Schroeder and Kerberos
✦ Public key based – X.509
Secret Key Based Mediated Authentication
Needham-Schroeder Protocol
Message 1: Alice → TP: A, B, N_A
Message 2: TP → Alice: {N_A, B, K_AB, {K_AB, A}K_BS}K_AS
Message 3: Alice → Bob: {K_AB, A}K_BS
Message 4: Bob → Alice: {N_B}K_AB
Message 5: Alice → Bob: {N_B - 1}K_AB
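The five messages above, run end to end with each party's checks. This is an added example, not code from the tutorial; seal, unseal and run_exchange are hypothetical names, and the secret-key encryption {...}K is replaced by a toy construction (SHAKE-256 keystream plus HMAC tag) that stands in for a real cipher only so the block runs with the standard library.

```python
import hashlib, hmac, json, secrets

def seal(key, obj):
    """{obj}key: toy authenticated encryption (SHAKE-256 keystream + HMAC tag)."""
    pt = json.dumps(obj).encode()
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + iv).digest(len(pt))))
    return iv + hmac.new(key, iv + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    iv, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    ks = hashlib.shake_256(key + iv).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def run_exchange():
    # Long-term keys each party shares with the trusted party TP (constructed).
    K_AS, K_BS = secrets.token_bytes(32), secrets.token_bytes(32)

    # Message 1: Alice -> TP: A, B, N_A
    N_A = secrets.randbits(64)
    a, b, n_a = ("A", "B", N_A)       # as received by TP

    # Message 2: TP -> Alice: {N_A, B, K_AB, {K_AB, A}K_BS}K_AS
    K_AB = secrets.token_hex(32)
    m2 = seal(K_AS, [n_a, b, K_AB, seal(K_BS, [K_AB, a]).hex()])

    # Alice checks that her nonce and intended peer came back before using K_AB.
    nonce, peer, k_alice, m3 = unseal(K_AS, m2)
    if nonce != N_A or peer != "B":
        raise ValueError("message 2 is not a fresh reply to message 1")

    # Message 3: Alice -> Bob: {K_AB, A}K_BS (Alice cannot read or alter it).
    k_bob, initiator = unseal(K_BS, bytes.fromhex(m3))

    # Message 4: Bob -> Alice: {N_B}K_AB
    N_B = secrets.randbits(64)
    m4 = seal(bytes.fromhex(k_bob), N_B)

    # Message 5: Alice -> Bob: {N_B - 1}K_AB
    m5 = seal(bytes.fromhex(k_alice), unseal(bytes.fromhex(k_alice), m4) - 1)

    # Bob accepts only if the reply decrypts under K_AB to N_B - 1.
    return unseal(bytes.fromhex(k_bob), m5) == N_B - 1, initiator
```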
Kerberos – Improved Needham-Schroeder
● Designed as part of Project Athena at MIT
● Provides the means of authenticating workstation users (clients) to server and sharing a session key
● Uses the ticket approach
✦ Client authenticates itself to an authentication server
✦ Authentication Server gives ticket to client
✦ Client uses ticket to get authenticated
Notation
Symbol used    What it means
c              client principal
s              server principal
KDC            Kerberos server
TGS            Ticket granting server
K_x            private key of x
K_c,s          session key for c & s
{info}K_x      string info encrypted in K_x
T_c,s          ticket for c to use s
A_c            authenticator for c
addr           client's IP address
Notation (continued)
Message in network                 Structure of message
T_c,s – ticket for c to use s      {s, c, addr, timestamp, lifetime, K_c,s}
A_c – authenticator for c          {c, addr, timestamp}
Kerberos Protocol
[Figure: Kerberos protocol message flow among Client, KDC, TGS and Server, with arrows numbered 1 to 5.]
MS Windows Authentication
● Based on Kerberos V5
✦ 128 bit RC4-HMAC
✦ 56 bit DES-CBC-CRC
✦ 56 bit DES-CBC-MD5
● Has extensions for using public-key certificates
Windows SSPI Architecture
Certificate Based Authentication Protocols
X.509 – Directory Authentication Service
● Part of CCITT X.500 directory services
● Defines framework for authentication services
● Directory may store public-key certificates
● Uses public-key cryptography and digital signatures
● Algorithms not standardised but RSA is recommended
● Does not require physically secured on-line servers – Advantage over Kerberos
Symbols Used
● E_x{}: indicates encryption of a sequence of data values under the public key of party x
● S_x{}: indicates a sequence of data values together with a signature over those values, using the private key of party x
● ts_xy: a current time-stamp generated by party x to assist party y in detecting replayed messages (may contain both generation and expiry date/time for the message conveying it)
● nrv_xy: a non-repeating value sent by party x to assist party y in detecting replayed messages
● key_xy: a secret key generated by x to be used in protecting subsequent communications between x and y
X.509 Authentication Exchange
[Figure: X.509 authentication exchange between Alice and Bob (Message 1, Message 2, Optional Message 3), with the X.509 Server handling public-key certificate distribution.]
X.509 Authentication Exchange
Message 1:
A, S_A{ts_AB, nrv_AB, B, E_B{key_AB}}
● The field E_B{key_AB} is optional
● B verifies A's signature, checks that the identifier B in the message is correct, checks that the time-stamp is current and (optionally if an effective non-repeating value procedure is in use) checks the non-repeating value as protection against replay
X.509 Authentication Exchange
Message 2:
S_B{ts_BA, nrv_BA, A, nrv_AB, E_A{key_BA}}
● The field E_A{key_BA} is optional
● A performs the corresponding set of actions
Optional Message 3: The first two messages are identical except that the time-stamps are not conveyed. The third message is
S_A{B, nrv_BA}
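The three-message variant (no time-stamps, optional key fields omitted), showing how the echoed non-repeating values reject a replayed Message 3 even though its signature is valid. This is an added example, not code from the tutorial or from the X.509 standard; the function names are hypothetical, the signature S_x{} is unpadded textbook RSA over constructed demo primes, and both public keys are assumed to have been obtained already from certificates.

```python
import hashlib, json, secrets

E = 65537  # public exponent

def keypair(p, q):
    """Textbook RSA from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(fields, n):
    return int.from_bytes(hashlib.sha256(json.dumps(fields).encode()).digest(), "big") % n

def sign(n, d, fields):
    """S_x{fields}: the data values together with a signature over them."""
    return {"fields": fields, "sig": pow(digest(fields, n), d, n)}

def open_signed(n, signed):
    if pow(signed["sig"], E, n) != digest(signed["fields"], n):
        raise ValueError("signature does not verify")
    return signed["fields"]

# Constructed demo keys built from Mersenne primes; unusable outside this demo.
A_N, A_D = keypair(2**89 - 1, 2**127 - 1)
B_N, B_D = keypair(2**61 - 1, 2**107 - 1)

def three_way(replayed_m3=None):
    # Message 1: A, S_A{nrv_AB, B}
    nrv_ab = secrets.token_hex(16)
    m1 = ("A", sign(A_N, A_D, [nrv_ab, "B"]))
    # Bob verifies A's signature and that he is the named recipient.
    seen_nrv_ab, recipient = open_signed(A_N, m1[1])
    if recipient != "B":
        raise ValueError("message 1 names another recipient")
    # Message 2: S_B{nrv_BA, A, nrv_AB}
    nrv_ba = secrets.token_hex(16)
    m2 = sign(B_N, B_D, [nrv_ba, "A", seen_nrv_ab])
    # Alice verifies B's signature, her own identifier and her echoed nrv.
    seen_nrv_ba, recipient, echoed = open_signed(B_N, m2)
    if recipient != "A" or echoed != nrv_ab:
        raise ValueError("message 2 is not a reply to this run")
    # Message 3: S_A{B, nrv_BA}
    m3 = sign(A_N, A_D, ["B", seen_nrv_ba])
    # Bob accepts only a validly signed message 3 that echoes this run's nrv_BA.
    recipient, echoed = open_signed(A_N, replayed_m3 or m3)
    return recipient == "B" and echoed == nrv_ba, m3
```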
LOCKOut Fortezza Authentication Protocol
● Fortezza is a PCMCIA card developed by the NSA to provide general purpose cryptographic capabilities
✦ Has built in implementation for SHA and DSS among other features
✦ Tamper evident
● Computes hash functions and digital signatures for authentication
LOCKOut Fortezza Authentication
Bibliography