Nov 1, 2005IssuesNotationSession, Interchange KeysBenefitsKey Exchange AlgorithmsClassical Key ExchangeSimple Key Exchange ProtocolProblemsNeedham-SchroederArgument: Alice talking to BobArgument: Bob talking to AliceProblem with Needham-SchroederSolution: Denning-Sacco ModificationNeedham-Schroeder with Denning-Sacco ModificationOtway-Rees ProtocolThe ProtocolSlide 18Slide 19Replay AttackKerberosSlide 22OverviewTicketAuthenticatorProtocolAnalysisSlide 28Public Key Key ExchangeProblem and SolutionNotesMan-in-the-Middle AttackKey GenerationWhat is “Random”?What is “Pseudorandom”?Best Pseudorandom NumbersCryptographic Key InfrastructureCertificatesUseMerkle’s Tree SchemeDetailsValidationProblemCertificate Signature ChainsX.509 ChainsX.509 Certificate ValidationIssuersValidation and Cross-CertifyingPGP ChainsOpenPGP Signature PacketSigningValidating CertificatesStream and Block CipherDigital SignatureCommon ErrorClassical Digital SignaturesPublic Key Digital Signatures (RSA)RSA Digital SignaturesAttack #1Attack #2: Bob’s RevengeEl Gamal Digital SignatureExampleAttack1IS2150/TEL2810: Introduction to Computer SecurityNov 1, 2005Nov 1, 2005Introduction to Introduction to Computer SecurityComputer SecurityLecture 8Lecture 8Key ManagementKey ManagementIS2150/TEL2810: Introduction to Computer Security 2IssuesIssuesAuthentication and distribution of keysAuthentication and distribution of keysSession keyKey exchange protocolsKerberosMechanisms to bind an identity to a keyMechanisms to bind an identity to a keyGeneration, maintenance and revoking of Generation, maintenance and revoking of keyskeysIS2150/TEL2810: Introduction to Computer Security 3NotationNotationXX YY : { : { ZZ || || WW } } kkXX,,YYX sends Y the message produced by concatenating Z and W enciphered by key kX,Y, which is shared by users X and YAA TT : { : { ZZ } } kkAA || { || { WW } } kkAA,,TTA sends T a message consisting of the concatenation of Z enciphered using kA, A’s key, and W enciphered using kA,T, the key shared by A and Trr11, , rr22 nonces (nonrepeating random numbers) nonces (nonrepeating random numbers)IS2150/TEL2810: Introduction to Computer Security 4Session, Interchange KeysSession, Interchange KeysAlice wants to send a message Alice wants to send a message mm to Bob to BobAssume public key encryptionAlice generates a random cryptographic key ks and uses it to encipher mTo be used for this message onlyCalled a session keyShe enciphers ks with Bob’s public key kBkB enciphers all session keys Alice uses to communicate with BobCalled an interchange keyAlice sends { m } ks { ks } kBIS2150/TEL2810: Introduction to Computer Security 5BenefitsBenefitsLimits amount of traffic enciphered with single keyLimits amount of traffic enciphered with single keyStandard practice, to decrease the amount of traffic an attacker can obtainMakes replay attack less effectiveMakes replay attack less effectivePrevents some attacksPrevents some attacksExample: Alice will send Bob message that is either “BUY” or “SELL”. Eve computes possible ciphertexts {“BUY”} kB and {“SELL”} kB. Eve intercepts enciphered message, compares, and gets plaintext at onceIS2150/TEL2810: Introduction to Computer Security 6Key Exchange AlgorithmsKey Exchange AlgorithmsGoal: Alice, Bob use a shared key to Goal: Alice, Bob use a shared key to communicate secretlycommunicate secretlyCriteriaCriteriaKey cannot be sent in clearAttacker can listen inKey can be sent enciphered, or derived from exchanged data plus data not known to an eavesdropperAlice, Bob may trust third partyAll cryptosystems, protocols publicly knownOnly secret data is the keys, ancillary information known only to Alice and Bob needed to derive keysAnything transmitted is assumed known to attackerIS2150/TEL2810: Introduction to Computer Security 7Classical Key ExchangeClassical Key ExchangeHow do Alice, Bob begin? How do Alice, Bob begin? Alice can’t send it to Bob in the clear!Assume trusted third party, CathyAssume trusted third party, CathyAlice and Cathy share secret key kABob and Cathy share secret key kBUse this to exchange shared key Use this to exchange shared key kkssIS2150/TEL2810: Introduction to Computer Security 8Simple Key Exchange ProtocolSimple Key Exchange ProtocolAliceCathy{ request for session key to Bob } kAAliceCathy{ ks }kA , { ks }kBAliceBob{ ks } kBAliceBob{m}ksEveIS2150/TEL2810: Introduction to Computer Security 9ProblemsProblemsHow does Bob know he is talking to Alice?How does Bob know he is talking to Alice?Replay attack: Eve records message from Alice to Bob, later replays it; Bob may think he’s talking to Alice, but he isn’tSession key reuse: Eve replays message from Alice to Bob, so Bob re-uses session keyProtocols must provide authentication and Protocols must provide authentication and defense against replaydefense against replayIS2150/TEL2810: Introduction to Computer Security 10Needham-SchroederNeedham-SchroederAlice CathyAlice || Bob || r1Alice Cathy{ Alice || Bob || r1 || ks , { Alice || ks } kB } kAAlice Bob{ Alice || ks } kBAlice Bob{ r2 } ksAlice Bob{ r2 – 1 } ksIS2150/TEL2810: Introduction to Computer Security 11Argument: Alice talking to BobArgument: Alice talking to BobSecond messageSecond messageEnciphered using key only she, Cathy knowSo Cathy enciphered itResponse to first messageAs r1 in it matches r1 in first messageThird messageThird messageAlice knows only Bob can read itAs only Bob can derive session key from messageAny messages enciphered with that key are from BobIS2150/TEL2810: Introduction to Computer Security 12Argument: Bob talking to AliceArgument: Bob talking to AliceThird messageThird messageEnciphered using key only he, Cathy knowSo Cathy enciphered itNames Alice, session keyCathy provided session key, says Alice is other partyFourth messageFourth messageUses session key to determine if it is replay from EveIf not, Alice will respond correctly in fifth messageIf so, Eve can’t decipher r2 and so can’t respond, or responds incorrectlyIS2150/TEL2810: Introduction to Computer Security 13Problem withProblem withNeedham-Schroeder Needham-Schroeder Assumption: all keys are secretAssumption: all keys are secretQuestion: suppose Eve can obtain session key. Question: suppose Eve can
View Full Document