Authentication Protocols by liamei12345


									  A Survey of Authentication
Protocol Literature: Version 1.0
              Written by
     John Clark and Jeremy Jacob

            Presented by
           Brian Sierawski
• Background
• Cryptography
• Forms of Attack
• Term: Users, hosts, processes referred to as
• Goal: Want to be sure that a received
  message has been created recently by the
  principal who claims to have sent it
• Background
• Cryptography
• Forms of Attack
• Cryptography is fundamental to
• Cryptographic algorithm converts plaintext
  to unintelligible ciphertext
• Encryption depends on key
• E(K : M) denotes M encrypted with key K
• Principals are capital letters A, B, S for
  server, Z for attacker
• Z(A) denotes Z acting as A
• Na refers to a number generated by A
• E.g. A → B : A, E(Kab : Na)
  – A sends B an identifier with an encrypted nonce
  Symmetric Key Cryptography
• The encryption key K and decryption key
  K^-1 are easily obtainable from each other
• Anyone in possession of the key may read
  or create ciphertexts => key must be a shared
  secret between principals
• Kab denotes key for communication
  between principals A and B
  Symmetric Key Cryptography
• Classical Cryptography
  – Substitution cipher: substitutes a ciphertext
    character for a plaintext character
  – Transposition cipher: shuffles plaintext
• Modern Cryptography
  – Block cipher
  – Stream cipher
              Block Cipher
• Encrypts a block of 64 or 128 bits at a time
• DES encrypts with a 56-bit key (at insistence of NSA),
  which is insufficient against modern-day attacks
• Other block ciphers: MADRYGA,
     Modes of Block Ciphers
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback Mode (CFB)
   Electronic Code Book (ECB)
• Simplest mode
• Consecutive blocks of plaintext are
  encrypted => identical blocks of plaintext
  are always encrypted in the same way
• Problem 1: Analyst may be able to build up
  a codebook of plaintext-ciphertext pairs
• Problem 2: Possible to replace an encrypted
  block with another
  Cipher Block Chaining (CBC)
• Block i of plaintext is XORed with block
  i-1 of ciphertext, then encrypted
• Choosing different initial block I will create
  different ciphertexts
• Problem: Should initial block be sent in
  clear or encrypted?
  Cipher Feedback mode (CFB)
• Useful to transmit data less than block size
• Process:
  –   Shift register initialized
  –   Contents encrypted as a block
  –   Leftmost byte XORed with plaintext data
  –   Ciphertext pushed on right end of register
               Stream Ciphers
• Encrypt one bit of plaintext at a time
• Generate bit stream and XOR successive
  bits with successive bits of plaintext
[Figure: stream cipher diagram with labels Key, Internal State, Output Function, Ki, Pi, Ci]
Symmetric Key Without Trusted
         Third Party
• ISO One-pass Symmetric Key Unilateral
  Authentication Protocol
  – A → B : Text2, E(Kab : [Ta | Na], B, Text1)
• Text2 identifies sender
• Timestamp or nonce prevent replay attacks
• B’s identity included as sole receiver
  Symmetric Key With Trusted
         Third Party
• Eg. Needham Schroeder Symmetric Key
  –   (1) A → S : A, B, Na
  –   (2) S → A : E(Kas:Na, B, Kab, E(Kbs:Kab, A))
  –   (3) A → B : E(Kbs:Kab, A)
  –   (4) B → A : E(Kab:Nb)
  –   (5) A → B : E(Kab:Nb - 1)
• Problem: Freshness Attacks
     Public Key Cryptography
• No shared secret, each principal A is
  associated with key pair (Ka, Ka^-1)
• Only public key revealed
• Encryption with Ka^-1 and decryption with
  Ka guarantees authenticity.
• 1024 bit key recommended
     Public Key Cryptography
• Problem: RSA is 100x slower than DES
• => Exchanging symmetric keys through
  public key cryptography good idea!
• Typically a trusted server S called
  certification authority stores public keys
  and distributes them under Ks^-1
• Background
• Cryptography
• Forms of Attack
          Freshness Attack
• Occurs when a message is recorded and
• Needham Schroeder protocol weak
  – (3) A → B : E(Kbs:Kab, A)
  – Old key K’ab may have been compromised
                 Type Flaws
• Arises when recipient accepts a message as
  valid but imposes different interpretation
• Otway-Rees protocol
  –   (1) A → B : M,A,B,E(Kas:Na,M,A,B)
  –   (2) B → S : M,A,B,E(Kas:Na,M,A,B),E(Kbs:Nb,M,A,B)
  –   (3) S → B : M,E(Kas:Na,Kab),E(Kbs:Nb,Kab)
  –   (4) B → A : M,E(Kas:Na,Kab)
• Attack
  – (1) A → Z(B) : M,A,B,E(Kas:Na,M,A,B)
  – (4) Z(B) → A : M,E(Kas:Na,M,A,B)
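
The Otway-Rees type flaw above, as an added example (not from the original slides): encryption is modeled symbolically, and the field sizes, the sample values for M, A and B, and the one-byte message tag are assumptions. It shows that A's nonce-and-length check accepts the public string M,A,B as Kab, and that a message-number tag inside the encryption rejects it even though the lengths still match.

```python
import os

def E(key, data):
    # Symbolic encryption: only a holder of `key` can open the box.
    return ("enc", key, data)

def D(key, box):
    return box[2] if box[0] == "enc" and box[1] == key else None

NONCE, KEY = 8, 16  # field sizes in bytes (assumed for this example)

def accept_msg4_untyped(kas, na, box):
    """A's check for message (4): decrypt, compare the nonce, take the rest as Kab."""
    pt = D(kas, box)
    if pt is None or len(pt) != NONCE + KEY or pt[:NONCE] != na:
        return None
    return pt[NONCE:]

def accept_msg4_typed(kas, na, box):
    """Hardened check: the plaintext must start with a tag naming message (4)."""
    pt = D(kas, box)
    if pt is None or len(pt) != 1 + NONCE + KEY:
        return None
    if pt[:1] != b"\x04" or pt[1:1 + NONCE] != na:
        return None
    return pt[1 + NONCE:]

def run(typed):
    """Replay the encrypted part of message (1) to A as if it were message (4)."""
    kas, na = os.urandom(16), os.urandom(NONCE)
    # Constructed sample fields: 4 + 6 + 6 bytes, the same length as a key.
    m, a, b = b"M001", b"alice\x00", b"bob\x00\x00\x00"
    tag1 = b"\x01" if typed else b""          # message (1) carries tag 1
    msg1_box = E(kas, tag1 + na + m + a + b)  # sent by A, seen by everyone
    accept = accept_msg4_typed if typed else accept_msg4_untyped
    return accept(kas, na, msg1_box), m + a + b

if __name__ == "__main__":
    key, public = run(False)
    print("untyped check accepted key:", key, "which equals public M,A,B:", key == public)
    print("typed check result:", run(True)[0])
```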
        Parallel Session Attacks
• Occurs when two or more protocol runs are
  executed concurrently and messages from
  one are used to form messages in another
  – (1) A → B : E(Kab : Na)
  – (2) B → A : E(Kab : Na + 1)
• Attack
  –   (1.1) A → Z(B) : E(Kab : Na)
  –   (2.1) Z(B) → A : E(Kab : Na)
  –   (2.2) A → Z(B) : E(Kab : Na + 1)
  –   (1.2) Z(B) → A : E(Kab : Na + 1)
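
The parallel session run above, as an added example (not from the original slides): encryption is modeled symbolically and the Principal class is hypothetical. Naming the responder inside the encrypted reply is one common countermeasure, assumed here and not taken from the slides; with it, A's own reflected answer no longer passes as B's.

```python
import secrets

def E(key, *fields):
    # Symbolic encryption: only a holder of `key` can open the box.
    return ("enc", key, fields)

def D(key, box):
    return box[2] if box[1] == key else None

class Principal:
    def __init__(self, name, peer, kab, bind_identity):
        self.name, self.peer, self.kab = name, peer, kab
        self.bind = bind_identity      # True: reply names its sender
        self.pending = None            # nonce of the run this principal started

    def start(self):                   # message (1): E(Kab : Na)
        self.pending = secrets.randbelow(2**32)
        return E(self.kab, self.pending)

    def respond(self, challenge):      # message (2): E(Kab : N + 1)
        fields = D(self.kab, challenge)
        if fields is None:
            return None
        if self.bind:
            return E(self.kab, fields[0] + 1, self.name)
        return E(self.kab, fields[0] + 1)

    def finish(self, reply):           # initiator's check of message (2)
        fields = D(self.kab, reply) if reply else None
        if fields is None or fields[0] != self.pending + 1:
            return False
        if self.bind and fields[1:] != (self.peer,):
            return False               # reply was not produced by the peer
        return True

def reflection(bind_identity):
    """B never takes part; A's own responder role answers A's challenge."""
    a = Principal("A", "B", secrets.token_bytes(16), bind_identity)
    c1 = a.start()                     # (1.1) A -> Z(B)
    r = a.respond(c1)                  # (2.1), (2.2): c1 reflected to A, A answers
    return a.finish(r)                 # (1.2) Z(B) -> A

if __name__ == "__main__":
    print("A accepts without identity binding:", reflection(False))
    print("A accepts with identity binding:   ", reflection(True))
```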
    Implementation Dependent
• Stream Ciphers (Needham Schroeder)
  – (4) B → A : E(Kab : Nb)
  – (5) A → B : E(Kab : Nb - 1)
  – If Nb is odd, Nb - 1 has good chance of being
    formed by flipping last cipher bit
  – Changing Identity
     • Same attack on A → B : E(Kbs : Kab, A)
     • A can masquerade as C
    Implementation Dependent
• Cipher Block Chaining
  – Cut and Paste
         P1 P2 P3 P4 P5            P’1 P’2 P’3 P’4

     C0 C1 C2 C3 C4 C5        C’0 C’1 C’2 C’3 C’4

                 C0 C1 C2 C3 C’2 C’3 C’4

                     P1 P2 P3 X P’3 P’4

  – Random gibberish X may be expected
  Implementation Dependent
– Initialization Attacks
   • Given ciphertext C0C1 and known P1
   • Decryption alg: P1 = C0 ⊕ dk(C1)
   • Desired block value W = W ⊕ P1 ⊕ P1
   • W = W ⊕ P1 ⊕ (C0 ⊕ dk(C1))
   • W = C’0 ⊕ dk(C1) where C’0 = W ⊕ P1 ⊕ C0
   • Without knowing the key, P1 has now been easily
     replaced with W
   • In Needham Schroeder the first block is the nonce!
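
The initialization attack above carried through in code, as an added example (not from the original slides). The block cipher is a toy Feistel construction built here as a stand-in for a real one, the sample blocks are constructed, and the encrypt-then-MAC check is an assumed countermeasure the slides do not name.

```python
import hashlib, hmac, os

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):            # round function of the toy Feistel cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def ek(key, block):                # toy 16-byte block cipher, not secure
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def dk(key, block):                # inverse of ek
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, c0, plain_blocks):
    out = [c0]
    for p in plain_blocks:
        out.append(ek(key, xor(p, out[-1])))
    return out                     # [C0, C1, ..., Cn]

def cbc_decrypt(key, c):
    return [xor(c[i - 1], dk(key, c[i])) for i in range(1, len(c))]

def replace_first_block(c0, p1, w):
    return xor(xor(w, p1), c0)     # C'0 = W xor P1 xor C0, computed without the key

def tag(mac_key, c):
    return hmac.new(mac_key, b"".join(c), hashlib.sha256).digest()

def open_checked(enc_key, mac_key, c, t):
    # Encrypt-then-MAC: verify the tag over C0..Cn before decrypting anything.
    if not hmac.compare_digest(t, tag(mac_key, c)):
        return None
    return cbc_decrypt(enc_key, c)

def demo():
    k, mk = os.urandom(16), os.urandom(16)
    # Constructed 16-byte blocks: P1 plays the nonce, W is the substituted value.
    p1, p2, w = b"NONCE-0000000001", b"rest of message.", b"NONCE-9999999999"
    c = cbc_encrypt(k, os.urandom(16), [p1, p2])
    t = tag(mk, c)
    forged = [replace_first_block(c[0], p1, w)] + c[1:]
    return cbc_decrypt(k, forged), open_checked(k, mk, forged, t), open_checked(k, mk, c, t)
```

demo() returns the plaintext a receiver gets from the modified ciphertext when nothing is checked, then the result of the checked path for the modified and for the original ciphertext.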
              Binding Attack
• A simple public key distribution
  – (1) C → AS : C, S, Nc
  – (2) AS → C : AS, E(Kas^-1 : AS, C, Nc, Ks)
• Leads to the following problem
  –   (1.1) C → Z(AS) : C, S, Nc
  –   (2.1) Z(C) → AS : C, Z, Nc
  –   (2.2) AS → Z(C) : AS, E(Kas^-1 : AS, C, Nc, Kz)
  –   (1.2) Z(AS) → C : AS, E(Kas^-1 : AS, C, Nc, Kz)
• Even though protocols have few messages,
  construction is complex
• The whole system is important
• Need tool support for rigorous development
  and analysis of protocols
