Get documents about "Handshake Protocols
Document Sample
Handshake Protocols
COEN 350
Simple Protocol
Alice: Hi, I am Alice. My password is
“fiddlesticks”.
Bob: Welcome, Alice.
Simple Protocol
Vulnerable to sniffing and replay
attack.
Alice: Hi, I am Alice. My password is
“fiddlesticks”.
Bob: Welcome, Alice.
...
Mallory: Hi, I am Alice. My password
is “fiddlesticks”.
Bob: Welcome, Alice.
Shared Secret
Alice and Bob share a secret key K.
Alice: I am Alice.
Bob: Encrypt R.
Alice: EK(R)
Bob (calculates EK(R) as well.):
Welcome Alice.
Shared Secret
Vulnerable to DOS attack.
while(1) {
Mallory: I am Alice.
Bob: Encrypt R.
Mallory: X.
Bob (EK(R) != X): Access denied.
}
Shared Secret
Vulnerable to sniffing and replay
attack if R is not random or if R is
repeated.
Shared Secret, use of clock
Alice: I am Alice, EK(clock).
Bob calculates clock, compares with
his value: Welcome Alice.
Shared secret, use of clock
Man in the Middle + replay attack:
Mallory to Bob: KILL, KILL, KILL, KILL.
Alice: Hi, I’m Alice. EK(clock).
Mallory to Alice: KILL, KILL, KILL, KILL.
Mallory to Bob: Hi, I’m Alice. EK(clock).
Bob: Hi, Alice.
Public Key
Alice: “I’m Alice.”
Bob: “R”.
Alice: “EAlice(R)”.
Bob calculates “DAliceEAlice(R) == R: Hi
Alice.
Public Key
Alice: “I’m Alice.”
Bob creates random challenge R:
“EAlice(R)”.
Alice: “R”.
Bob checks R == R: Hi Alice.
Public Key: DOS attack
Trudy: “I’m Alice.”
Bob: “R”.
Trudy: “X”
Bob calculates “DAliceEAlice(X) != R:
Access Denied.
Bob spends much more time
computing than Trudy!
Mutual Authentication: Shared Secret
Alice: “I am Alice”
Bob: “RB”
Alice: EK(RB). RA.
Bob calculates EK(RB) himself: EK(RA).
Hi Alice.
Alice calculates EK(RA) herself: Hi
Bob.
Mutual Authentication with less
messages?
Alice: I am Alice. RA
Bob: RB. EK(RA).
Alice: Hi Bob. EK(RB).
Bob: Hi Alice.
Mutual Authentication with less steps is
vulnerable to the replay attack
Session 1 Trudy: I am Alice. RA.
Session 1 Bob: RB. EK(RA).
Session 2 Trudy: I am Alice. RB.
Session 2 Bob: RB’. EK(RB).
Session 1 Trudy: Hi Bob. EK(RB).
Session 1 Bob: Hi Alice.
Warning Signals
Requestor should authenticate
herself first.
Don’t have requestor and requestee
do exactly the same thing. (E.g.
use different key pairs.)
If you provide encryption service,
you set yourself up for a key
guessing attack.
Public Key: Simple Mutual
Authentication
Alice: “I am Alice. RA”
Bob: “EBob(RA). RB”
Alice DBobEBob (RA)=RA: Hello Bob.
EAlice(RB).
Bob: DAliceEAlice(RB) = RB: Hello Alice.
Key Distribution Centers
Maintains a shared secret for each
registered user.
To set-up a connection requires the
KDC to set up a session key.
Key Distribution Center
Original Algorithm
Alice to KDC: Alice wants Bob.
KDC to Alice: Here is your session
key.
KDC to Bob: Here is your session
key.
This needs to be modified.
Key Distribution Center:
Needham Schroeder Protocol
Alice to KDC: N1, Alice wants Bob.
KDC to Alice: KA(N1,KS,Bob,Ticket),
where Ticket=KB(KS,Alice).
Alice to Bob: Ticket, KS(N2).
Bob to Alice: KS(N2-1,N3).
Alice to Bob: K(N3-1).
N1, N2, N3 are nonces to prevent
replay attacks.
Key Distribution Center:
Needham Schroeder Protocol Variant
Alice to KDC: N1, Alice wants Bob.
KDC to Alice: KA(N1,KS,Bob,Ticket),
where Ticket=KB(KS,Alice).
Alice to Bob: Ticket, KS(N2).
Bob to Alice: KS(N2-1),KS(N3).
Alice to Bob: K(N3-1).
N1, N2, N3 are nonces to prevent
replay attacks.
Replay attack on modified NS
Alice to KDC: N1, Alice wants Bob.
KDC to Alice: KA(N1,KS,Bob,Ticket), where
Ticket=KB(KS,Alice).
Alice to Bob: Ticket, KS(N2).
Bob to Alice: KS(N2-1),KS(N3).
Alice to Bob: KS(N3-1).
Trudy as Alice to Bob: Ticket, KS(N2)
Bob to Alice, but intercepted by Trudy: KS(N2-1), KS(N4)
Trudy as Alice to Bob: Ticket, KS(N4).
Bob to Alice, but intercepted by Trudy. KS(N4-1), KS(N5).
Trudy as Alice to Bob: KS(N4-1).
Key Distribution Center
Assume that Alice’s key has become
compromised.
Trudy can now present herself as
Alice to Bob with an old ticket.
Tickets need to have an expiration
date!!!!!!!!!!!
Related docs
