Computer Science CSC/ECE 574 Computer and Network Security Topic 6.2 Authentication Protocols CSC/ECE 574 Dr. Peng Ning 1 Computer Science CSC/ECE 574 Dr. Peng Ning 2 Authentication Handshakes • Secure communication almost always includes an initial authentication handshake. – Authenticate each other – Establish session keys – This process is not trivial; flaws in this process undermine secure communication Computer Science CSC/ECE 574 Dr. Peng Ning 3 Authentication with Shared Secret • Weaknesses – Authentication is not mutual; Trudy can convince Alice that she is Bob – Trudy can hijack the conversation after the initial exchange – If the shared key is derived from a password, Trudy can mount an off-line password guessing attack – Trudy may compromise Bob’s database and later impersonate Alice Alice Bob I’m Alice A challenge R f(KAlice-Bob, R)Computer Science CSC/ECE 574 Dr. Peng Ning 4 Authentication with Shared Secret (Cont’d) • A variation – Requires reversible cryptography – Other variations are possible • Weaknesses – All the previous weaknesses remain – Trudy doesn’t have to see R to mount off-line password guessing if R has certain patterns (e.g., concatenated with a timestamp) • Trudy sends a message to Bob, pretending to be Alice Alice Bob I’m Alice R KAlice-Bob{R} Computer Science CSC/ECE 574 Dr. Peng Ning 5 Authentication with Public Key • Bob’s database is less risky • Weaknesses – Authentication is not mutual; Trudy can convince Alice that she is Bob – Trudy can hijack the conversation after the initial exchange – Trudy can trick Alice into signing something • Use different private key for authentication Alice Bob I’m Alice R SigAlice{R} Computer Science CSC/ECE 574 Dr. Peng Ning 6 Authentication with Public Key (Cont’d) A variation Alice Bob I’m Alice {R}Alice RComputer Science CSC/ECE 574 Dr. Peng Ning 7 Mutual Authentication Alice Bob I’m Alice R1 f(KAlice-Bob, R1) R2 f(KAlice-Bob, R2) Alice Bob I’m Alice, R2 R1, f(KAlice-Bob, R2) f(KAlice-Bob, R1) Optimize Computer Science CSC/ECE 574 Dr. Peng Ning 8 Trudy Bob I’m Alice, R2 R1, f(KAlice-Bob, R2) Mutual Authentication (Cont’d) • Reflection attack f(KAlice-Bob, R1) Trudy Bob I’m Alice, R1 R3, f(KAlice-Bob, R1) Computer Science CSC/ECE 574 Dr. Peng Ning 9 Reflection Attacks (Con’td) • Lesson: Don’t have Alice and Bob do exactly the same thing – Different keys • Totally different keys • KAlice-Bob = KBob-Alice + 1 – Different Challenges – The initiator should be the first to prove its identity • Assumption: initiator is more likely to be the bad guyComputer Science CSC/ECE 574 Dr. Peng Ning 10 Mutual Authentication (Cont’d) • Password guessing Alice Bob I’m Alice, R2 R1, f(KAlice-Bob, R2) f(KAlice-Bob, R1) Alice Bob I’m Alice R1 f(KAlice-Bob, R1), R2 f(KAlice-Bob, R2) Countermeasure Computer Science CSC/ECE 574 Dr. Peng Ning 11 Mutual Authentication (Cont’d) • Public keys – Authentication of public keys is a critical issue Alice Bob I’m Alice, {R2}Bob R2, {R1}Alice R1 Computer Science CSC/ECE 574 Dr. Peng Ning 12 Mutual Authentication (Cont’d) • Mutual authentication with timestamps – Require synchronized clocks – Alice and Bob have to encrypt different timestamps Alice Bob I’m Alice, f(KAlice-Bob, timestamp) f(KAlice-Bob, timestamp+1)Computer Science CSC/ECE 574 Dr. Peng Ning 13 Integrity/Encryption for Data • Communication after mutual authentication should be cryptographically protected as well – Require a session key established during mutual authentication Computer Science CSC/ECE 574 Dr. Peng Ning 14 Establishment of Session Keys • Secret key based authentication – Assume the following authentication happened. – Can we use KAlice-Bob{R} as the session key? – Can we use KAlice-Bob{R+1} as the session key? – In general, modify KAlice-Bob and encrypt R. Use the result as the session key. Alice Bob I’m Alice R KAlice-Bob{R} Computer Science CSC/ECE 574 Dr. Peng Ning 15 Establishment of Session Keys (Cont’d) • Two-way public key based authentication – Alice chooses a random number R, encrypts it with Bob’s public key • Trudy may hijack the conversation – Alice encrypts and signs R • Trudy may save all the traffic, and decrypt all the encrypted traffic when she is able to compromise Bob • Less severe threatComputer Science CSC/ECE 574 Dr. Peng Ning 16 Two-Way Public Key Based Authentication (Cont’d) • A better approach – Alice chooses and encrypts R1 with Bob’s public key – Bob chooses and encrypts R2 with Alice’s public key – Session key is R1⊕R2 – Trudy will have to compromise both Alice and Bob • An even better approach – Alice and Bob estatlish the session key with Diffie-Hellman key exchange – Alice and Bob signs the quantity they send – Trudy can’t learn anything about the session key even if she compromises both Alice and Bob Computer Science CSC/ECE 574 Dr. Peng Ning 17 Establishment of Session Keys (Cont’d) • One-way public key based authentication – It’s only necessary to authenticate the server • Example: SSL – Encrypt R with Bob’s public key – Diffie-Hellman key exchange • Bob signs the D-H public key Computer Science CSC/ECE 574 Dr. Peng Ning 18 Mediated Authentication (With KDC) • Some concerns – Trudy may claim to be Alice and talk to KDC • Trudy cannot get anything useful – Messages encrypted by Alice may get to Bob before KDC’s message – It may be difficult for KDC to connect to Bob Alice Bob KDC Generate KAB Alice wants Bob KBob{KAB} KAlice{KAB} KDC operation (in principle)Computer Science CSC/ECE 574 Dr. Peng Ning 19 Mediated Authentication (With KDC) • Must be followed by a mutual authentication exchange – To confirm that Alice and Bob have the same key KDC operation (in practice) Alice Bob KDC Generate KAB Alice wants Bob KBob{KAB} KAlice{KAB}, KBob{KAB} ticket Computer Science CSC/ECE 574 Dr. Peng Ning 20 Needham-Schroeder Protocol • Classic protocol for authentication with KDC – Many others have been modeled after it (e.g., Kerberos) • Nonce: A number that is used only once – Deal with replay