handshake protocols
DESCRIPTION
Handshake Protocols. COEN 350. Threat Model. Passive Sniffing Malicious Mallory can read messages between Alice and Bob. Spoofing Malicious Mallory can create messages that seem to come from either Alice or Bob. Standard Attack Modes: Breaking Cryptography Man-in-the-Middle - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/1.jpg)
Handshake Protocols
COEN 350
![Page 2: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/2.jpg)
Threat Model Passive Sniffing
Malicious Mallory can read messages between Alice and Bob.
Spoofing Malicious Mallory can create messages that
seem to come from either Alice or Bob. Standard Attack Modes:
Breaking Cryptography Man-in-the-Middle Replay Attacks Reflection Attack (Open several connections)
![Page 3: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/3.jpg)
Simple Password Protocol
Alice: Hi, I am Alice. My password is “fiddlesticks”.
Bob: Welcome, Alice.
Vulnerable to sniffing and replay attack:Mallory sniffs the exchange.Mallory: Hi, I am Alice. My password is
“fiddlesticks”.Bob: Welcome, Alice.
![Page 4: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/4.jpg)
Shared Secret
Alice and Bob share a secret key K.Alice: I am Alice.Bob: Encrypt random number R.Alice: EK(R)
Bob (calculates EK(R) as well.):
Welcome Alice.
![Page 5: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/5.jpg)
Shared Secret
Vulnerable to DOS attack.while(1) {
Mallory: I am Alice.
Bob: Encrypt R.
Mallory: X.
Bob (EK(R) != X): Access denied.
}
![Page 6: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/6.jpg)
Shared Secret
Vulnerable to sniffing and replay attack if R is not random or if R is repeated.
![Page 7: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/7.jpg)
Shared Secret
Use of Clock:Alice: I am Alice, EK(clock).Bob calculates clock, compares with his
value: Welcome Alice.
Problems with clock accuracy:Demand tight accuracy: drifting clocks can be bad.Otherwise: replay attack.
![Page 8: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/8.jpg)
Shared secret, use of clockSniffing + replay attack:
Mallory to Bob: KILL, KILL, KILL, KILL. (Bob cannot receive messages because his message buffer is
filled up.)
Alice: Hi, I’m Alice. EK(clock).Mallory to Alice: KILL, KILL, KILL, KILL.(Alice cannot receive messages because her message buffer
is filled up.)
Mallory to Bob: Hi, I’m Alice. EK(clock).Bob: Hi, Alice.
![Page 9: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/9.jpg)
Shared secret, use of clock
Alice Bob
Mallory
Hi, I’m Alice, EK(clock)
KILLKILL
Hi, I’m Alice, EK(clock)
![Page 10: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/10.jpg)
Public Key
Alice: “I’m Alice.”Bob: “R”.Alice: “EAlice(R)”.
Bob calculates “DAliceEAlice(R) == R”: Hi Alice.
![Page 11: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/11.jpg)
Public Key
Alice: “I’m Alice.”Bob creates random challenge R:
“EAlice(R)”.
Alice: “R”.Bob checks “R == R”: Hi Alice.
![Page 12: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/12.jpg)
Public Key: DOS attack
Trudy: “I’m Alice.”Bob: “R”.Trudy: “X”Bob calculates “DAliceEAlice(X) != R:
Access Denied.
Bob spends much more time computing than Trudy!
![Page 13: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/13.jpg)
Mutual Authentication: Shared Secret
Alice: “I am Alice”Bob: “RB”
Alice: EK(RB). RA.
Bob calculates EK(RB) himself: EK(RA). Hi Alice.
Alice calculates EK(RA) herself: Hi Bob.
![Page 14: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/14.jpg)
Mutual Authentication with less messages?
Alice: I am Alice. RA
Bob: RB. EK(RA).
Alice: Hi Bob. EK(RB).
Bob: Hi Alice.
![Page 15: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/15.jpg)
Mutual Authentication with less steps is vulnerable to the reflection attack
Session 1 Trudy: I am Alice. RA.
Session 1 Bob: RB. EK(RA).
Session 2 Trudy: I am Alice. RB.
Session 2 Bob: RB’. EK(RB).
Session 1 Trudy: Hi Bob. EK(RB).
Session 1 Bob: Hi Alice.
![Page 16: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/16.jpg)
Warning Signals
Requestor should authenticate herself first.
Don’t have requestor and requestee do exactly the same thing. (E.g. use different key pairs.)
If you provide encryption service, you set yourself up for a key guessing attack.
![Page 17: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/17.jpg)
Public Key: Simple Mutual Authentication
Alice: “I am Alice. RA”
Bob: “EBob(RA). RB”
Alice DBobEBob (RA)=RA: Hello Bob. EAlice(RB).
Bob: DAliceEAlice(RB) = RB: Hello Alice.
![Page 18: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/18.jpg)
Key Distribution Centers
Maintains a shared secret for each registered user.
To set-up a connection requires the KDC to set up a session key.
![Page 19: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/19.jpg)
Key Distribution CenterOriginal Algorithm
Alice to KDC: Alice wants Bob. KDC to Alice: Here is your session
key. KDC to Bob: Here is your session
key.
This needs to be modified.
![Page 20: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/20.jpg)
Key Distribution Center:Needham Schroeder ProtocolAlice to KDC: N1, Alice wants Bob.KDC to Alice: KA(N1,KS,Bob,Ticket),
where Ticket=KB(KS,Alice).
Alice to Bob: Ticket, KS(N2).
Bob to Alice: KS(N2-1,N3).
Alice to Bob: KS(N3-1).
N1, N2, N3 are nonces to prevent replay attacks.
![Page 21: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/21.jpg)
Key Distribution Center:Needham Schroeder Protocol Variant
Alice to KDC: N1, Alice wants Bob.KDC to Alice: KA(N1,KS,Bob,Ticket),
where Ticket=KB(KS,Alice).
Alice to Bob: Ticket, KS(N2).
Bob to Alice: KS(N2-1),KS(N3).Alice to Bob: K(N3-1).
N1, N2, N3 are nonces to prevent replay attacks.
![Page 22: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/22.jpg)
Replay attack on modified NSAlice to KDC: N1, Alice wants Bob.KDC to Alice: KA(N1,KS,Bob,Ticket), where
Ticket=KB(KS,Alice).
Alice to Bob: Ticket, KS(N2).
Bob to Alice: KS(N2-1),KS(N3).
Alice to Bob: KS(N3-1).
Trudy as Alice to Bob: Ticket, KS(N2)
Bob to Alice, but intercepted by Trudy: KS(N2-1), KS(N4)
Trudy as Alice to Bob: Ticket, KS(N4).
Bob to Alice, but intercepted by Trudy. KS(N4-1), KS(N5).
Trudy as Alice to Bob: KS(N4-1).
![Page 23: Handshake Protocols](https://reader035.vdocuments.site/reader035/viewer/2022062217/56813bc2550346895da4ed43/html5/thumbnails/23.jpg)
Key Distribution Center
Assume that Alice’s key has become compromised.
Trudy can now present herself as Alice to Bob with an old ticket.
Tickets need to have an expiration date!!!!!!!!!!!