Authentication Protocols

					  A Survey of Authentication
Protocol Literature: Version 1.0
              Written by
     John Clark and Jeremy Jacob

            Presented by
           Brian Sierawski
               Overview
• Background
• Cryptography
• Forms of Attack
               Background
• Term: Users, hosts, processes referred to as
  principals
• Goal: Want to be sure that a received
  message has been created recently by the
  principal who claims to have sent it
               Overview
• Background
• Cryptography
• Forms of Attack
             Cryptography
• Cryptography is fundamental to
  authentication
• Cryptographic algorithm converts plaintext
  to unintelligible ciphertext
• Encryption depends on key
                  Notation
• E(K : M) denotes M encrypted with key K
• Principals are capital letters A, B, S for
  server, Z for attacker
• Z(A) denotes Z acting as A
• Na refers to a number generated by A
• E.g. A → B : A, E(Kab : Na)
  – A sends B an identifier with an encrypted nonce
  Symmetric Key Cryptography
• The encryption key K and decryption key
  K⁻¹ are easily obtainable from each other
• Anyone in possession of the key may read
  or create ciphertexts => key must be a shared
  secret between principals
• Kab denotes key for communication
  between principals A and B
  Symmetric Key Cryptography
• Classical Cryptography
  – Substitution cipher: substitutes a ciphertext
    character for a plaintext character
  – Transposition cipher: shuffles plaintext
    characters
• Modern Cryptography
  – Block cipher
  – Stream cipher
              Block Cipher
• Encrypts a block of 64 or 128 bits at a time
• DES encrypts 56 bits (at the insistence of the NSA),
  which is insufficient against modern-day attacks
• Other block ciphers: MADRYGA,
  NEWDES, FEAL-N, RC2, RC4, IDEA
     Modes of Block Ciphers
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback Mode (CFB)
   Electronic Code Book (ECB)
• Simplest mode
• Consecutive blocks of plaintext are
  encrypted => identical blocks of plaintext
  are always encrypted in the same way
• Problem 1: Analyst may be able to build up
  a codebook of plaintext-ciphertext pairs
• Problem 2: Possible to replace an encrypted
  block with another
  Cipher Block Chaining (CBC)
• Block i of plaintext is XORed with block
  i − 1 of ciphertext, then encrypted
• Choosing a different initial block I will create
  different ciphertexts
• Problem: Should initial block be sent in
  clear or encrypted?
  Cipher Feedback mode (CFB)
• Useful to transmit data less than block size
• Process:
  –   Shift register initialized
  –   Contents encrypted as a block
  –   Leftmost byte XORed with plaintext data
  –   Ciphertext pushed on right end of register
               Stream Ciphers
• Encrypt one bit of plaintext at a time
• Generate bit stream and XOR successive
  bits with successive bits of plaintext
  [Figure: stream cipher block diagram. Labels: Key, Internal State, Next-State Function, Output Function, keystream bit Ki, plaintext bit Pi, ciphertext bit Ci]
Symmetric Key Without Trusted
         Third Party
• ISO One-pass Symmetric Key Unilateral
  Authentication Protocol
  – A → B : Text2, E(Kab : [Ta | Na], B, Text1)
• Text2 identifies sender
• Timestamp or nonce prevents replay attacks
• B’s identity included as sole receiver
  Symmetric Key With Trusted
         Third Party
• E.g. Needham Schroeder Symmetric Key
  Authentication:
  –   (1) A → S : A, B, Na
  –   (2) S → A : E(Kas:Na, B, Kab, E(Kbs:Kab, A))
  –   (3) A → B : E(Kbs:Kab, A)
  –   (4) B → A : E(Kab:Nb)
  –   (5) A → B : E(Kab:Nb - 1)
• Problem: Freshness Attacks
     Public Key Cryptography
• No shared secret, each principal A is
  associated with key pair (Ka, Ka⁻¹)
• Only public key revealed
• Encryption with Ka⁻¹ and decryption with
  Ka guarantees authenticity.
• 1024 bit key recommended
     Public Key Cryptography
• Problem: RSA is 100x slower than DES
• => Exchanging symmetric keys through
  public key cryptography is a good idea!
• Typically a trusted server S called a
  certification authority stores public keys
  and distributes them under Ks⁻¹
               Overview
• Background
• Cryptography
• Forms of Attack
          Freshness Attack
• Occurs when a message is recorded and
  replayed
• Needham Schroeder protocol weak
  – (3) A → B : E(Kbs:Kab, A)
  – Old key K’ab may have been compromised
                 Type Flaws
• Arises when recipient accepts a message as
  valid but imposes different interpretation
• Otway-Rees protocol
  –   (1) A → B : M,A,B,E(Kas:Na,M,A,B)
  –   (2) B → S : M,A,B,E(Kas:Na,M,A,B),E(Kbs:Nb,M,A,B)
  –   (3) S → B : M,E(Kas:Na,Kab),E(Kbs:Nb,Kab)
  –   (4) B → A : M,E(Kas:Na,Kab)
• Attack
  – (1) A → Z(B) : M,A,B,E(Kas:Na,M,A,B)
  – (4) Z(B) → A : M,E(Kas:Na,M,A,B)
        Parallel Session Attacks
• Occurs when two or more protocol runs are
  executed concurrently and messages from
  one are used to form messages in another
  – (1) A → B : E(Kab : Na)
  – (2) B → A : E(Kab : Na + 1)
• Attack
  –   (1.1) A → Z(B) : E(Kab : Na)
  –   (2.1) Z(B) → A : E(Kab : Na)
  –   (2.2) A → Z(B) : E(Kab : Na + 1)
  –   (1.2) Z(B) → A : E(Kab : Na + 1)
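
The reflection above, replayed in a symbolic model as an added example (not from the survey or the slides): A answers its own challenge unless each message names its sender and receiver. The `Principal` class, the `bind_identity` switch and the nonce values are assumptions made for illustration.

```python
# Added example: symbolic model, encryption is an opaque record that only
# key holders open. Principal, bind_identity and the nonce values are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Enc:
    key: str
    body: tuple

class Principal:
    def __init__(self, name, key, bind_identity):
        self.name, self.key, self.bind = name, key, bind_identity
        self.nonce = 100

    def challenge(self, peer):
        """Message (1): E(K : N), optionally bound to (sender, receiver)."""
        self.nonce += 1
        body = (self.name, peer, self.nonce) if self.bind else (self.nonce,)
        return Enc(self.key, body)

    def respond(self, msg):
        """Message (2): answer a challenge with E(K : N + 1)."""
        if msg.key != self.key:
            return None
        if not self.bind:
            return Enc(self.key, (msg.body[0] + 1,))
        sender, receiver, n = msg.body
        if receiver != self.name or sender == self.name:
            return None  # not addressed to me, or my own challenge reflected
        return Enc(self.key, (self.name, sender, n + 1))

    def accept(self, reply, peer):
        """Initiator check: is this E(K : N + 1) from the expected peer?"""
        if reply is None or reply.key != self.key:
            return False
        n = self.nonce + 1
        return reply.body == ((peer, self.name, n) if self.bind else (n,))

def reflection_succeeds(bind_identity):
    """Z(B) holds no key; it only feeds A's own messages back to A."""
    a = Principal("A", "Kab", bind_identity)
    m11 = a.challenge("B")     # (1.1) A -> Z(B)
    m22 = a.respond(m11)       # (2.1) Z(B) -> A, answered by A as (2.2)
    return a.accept(m22, "B")  # (1.2) Z(B) -> A

def honest_run_succeeds(bind_identity):
    a, b = (Principal(n, "Kab", bind_identity) for n in "AB")
    return a.accept(b.respond(a.challenge("B")), "B")
```

With the identities bound into the encrypted body, the honest A/B run still completes while the reflected message is rejected.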
    Implementation Dependent
            Attacks
• Stream Ciphers (Needham Schroeder)
  – (4) B → A : E(Kab : Nb)
  – (5) A → B : E(Kab : Nb - 1)
  – If Nb is odd, Nb - 1 has good chance of being
    formed by flipping last cipher bit
  – Changing Identity
     • Same attack on A → B : E(Kbs : Kab, A)
     • A can masquerade as C
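
An added example (not from the slides) of the Nb − 1 forgery: under an XOR stream cipher, flipping the last ciphertext bit of message (4) yields a valid message (5) when Nb is odd, and a MAC over the ciphertext rejects the change. It assumes a toy SHA-256 counter keystream that restarts for each message; the function names and the encrypt-then-MAC fix are illustrative.

```python
import hashlib, hmac

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (assumption): SHA-256 in counter mode, restarted per message."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def stream_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))

stream_decrypt = stream_encrypt  # XOR with the same keystream is its own inverse

def flip_last_bit(ct: bytes) -> bytes:
    """Ciphertext-only change: no key is involved."""
    return ct[:-1] + bytes([ct[-1] ^ 1])

def forged_reply_accepted(kab: bytes, nb: int) -> bool:
    msg4 = stream_encrypt(kab, nb.to_bytes(8, "big"))  # (4) B -> A : E(Kab : Nb)
    msg5 = flip_last_bit(msg4)                         # candidate (5), built without Kab
    return int.from_bytes(stream_decrypt(kab, msg5), "big") == nb - 1

def seal(enc_key: bytes, mac_key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers every ciphertext bit."""
    ct = stream_encrypt(enc_key, data)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None  # modified in transit
    return stream_decrypt(enc_key, ct)
```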
    Implementation Dependent
            Attacks
• Cipher Block Chaining
  – Cut and Paste
     • Plaintexts:  P1 P2 P3 P4 P5  and  P’1 P’2 P’3 P’4
     • Ciphertexts:  C0 C1 C2 C3 C4 C5  and  C’0 C’1 C’2 C’3 C’4
     • Spliced ciphertext:  C0 C1 C2 C3 C’2 C’3 C’4
     • Decrypts to:  P1 P2 P3 X P’3 P’4
  – Random gibberish X may be expected
  Implementation Dependent
          Attacks
– Initialization Attacks
   • Given ciphertext C0C1 and known P1
   • Decryption alg: P1 = C0 ⊕ dk(C1)
   • Desired block value W = W ⊕ P1 ⊕ P1
   • W = W ⊕ P1 ⊕ (C0 ⊕ dk(C1))
   • W = C’0 ⊕ dk(C1) where C’0 = W ⊕ P1 ⊕ C0
   • Without knowing the key, P1 has now been easily
     replaced with W
   • In Needham Schroeder the first block is the nonce!
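
The cut-and-paste and initialization attacks above, worked through as an added example (not code from the slides). It assumes a toy 8-byte Feistel cipher built from SHA-256 as a stand-in for ek/dk and constructed plaintext blocks; all function names are illustrative.

```python
# Added example. ek/dk here are a toy 8-byte Feistel cipher built from SHA-256
# (an assumption standing in for a real block cipher); the data is constructed.
import hashlib

BS = 8  # toy block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]

def ek(key, block):
    l, r = block[:BS // 2], block[BS // 2:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def dk(key, block):
    l, r = block[:BS // 2], block[BS // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, blocks):
    out = [iv]                                  # C0 is the initial block
    for p in blocks:
        out.append(ek(key, xor(p, out[-1])))    # Ci = ek(Pi xor Ci-1)
    return out

def cbc_decrypt(key, cts):
    return [xor(cts[i - 1], dk(key, cts[i])) for i in range(1, len(cts))]

def splice(c, c2):
    """Cut and paste: C0 C1 C2 C3 C'2 C'3 C'4, no key needed."""
    return c[:4] + c2[2:]

def rewrite_first_block(cts, known_p1, w):
    """Initialization attack: C'0 = W xor P1 xor C0, no key needed."""
    return [xor(xor(w, known_p1), cts[0])] + cts[1:]

def demo(key=b"constructed-key"):
    p = [b"block-P%d" % i for i in range(1, 6)]
    q = [b"block-Q%d" % i for i in range(1, 5)]
    c = cbc_encrypt(key, b"\x00" * BS, p)
    c2 = cbc_encrypt(key, b"\x11" * BS, q)
    spliced = cbc_decrypt(key, splice(c, c2))
    forged = cbc_decrypt(key, rewrite_first_block(c, p[0], b"block-W!"))
    return p, q, spliced, forged
```

Both modified ciphertexts decrypt without error under CBC alone, which is why the initial block and the ciphertext need an integrity check such as a MAC.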
              Binding Attack
• A simple public key distribution
  – (1) C → AS : C, S, Nc
  – (2) AS → C : AS, E(Kas⁻¹ : AS, C, Nc, Ks)
• Leads to the following problem
  –   (1.1) C → Z(AS) : C, S, Nc
  –   (2.1) Z(C) → AS : C, Z, Nc
  –   (2.2) AS → Z(C) : AS, E(Kas⁻¹ : AS, C, Nc, Kz)
  –   (1.2) Z(AS) → C : AS, E(Kas⁻¹ : AS, C, Nc, Kz)
              Conclusions
• Even though protocols have few messages,
  construction is complex
• The whole system is important
• Need tool support for rigorous development
  and analysis of protocols

				