Slide titles: Nov 4, 2003; Issues; Notation; Session, Interchange Keys; Benefits; Key Exchange Algorithms; Classical Key Exchange; Simple Key Exchange Protocol; Problems; Needham-Schroeder; Argument: Alice talking to Bob; Argument: Bob talking to Alice; Problem with Needham-Schroeder; Solution: Denning-Sacco Modification; Needham-Schroeder with Denning-Sacco Modification; Otway-Rees Protocol; The Protocol; Slide 18; Slide 19; Replay Attack; Public Key Key Exchange; Problem and Solution; Notes; Man-in-the-Middle Attack; Key Generation; What is “Random”?; What is “Pseudorandom”?; Best Pseudorandom Numbers; Digital Signature; Common Error; Classical Digital Signatures; Public Key Digital Signatures; RSA Digital Signatures; Attack #1; Attack #2: Bob’s Revenge; El Gamal Digital Signature; Example; Attack; Kerberos; Overview; Ticket; Authenticator; Protocol; Analysis; Slide 45; Project; Project Topics (not limited to these only!); Project Schedule

Introduction to Computer Security
Lecture 8: Key Management
Nov 4, 2003
Courtesy of Professors Chris Clifton & Matt Bishop
INFSCI 2935: Introduction to Computer Security

Issues
- Authentication and distribution of keys
  - Session key
  - Key exchange protocols
- Mechanisms to bind an identity to a key
- Generation, maintenance and revoking of keys

Notation
- X → Y : { Z || W } kX,Y
  - X sends Y the message produced by concatenating Z and W enciphered by key kX,Y, which is shared by users X and Y
- A → T : { Z } kA || { W } kA,T
  - A sends T a message consisting of the concatenation of Z enciphered using kA, A’s key, and W enciphered using kA,T, the key shared by A and T
- r1, r2 nonces (nonrepeating random numbers)

Session, Interchange Keys
- Alice wants to send a message m to Bob
  - Assume public key encryption
  - Alice generates a random cryptographic key ks and uses it to encipher m
    - To be used for this message only
    - Called a session key
  - She enciphers ks with Bob’s public key kB
    - kB enciphers all session keys Alice uses to communicate with Bob
    - Called an interchange key
  - Alice sends { m } ks { ks } kB

Benefits
- Limits amount of traffic enciphered with single key
  - Standard practice, to decrease the amount of traffic an attacker can obtain
- Makes replay attack less effective
- Prevents some attacks
  - Example: Alice will send Bob message that is either “BUY” or “SELL”. Eve computes possible ciphertexts {“BUY”} kB and {“SELL”} kB. Eve intercepts enciphered message, compares, and gets plaintext at once

Key Exchange Algorithms
- Goal: Alice, Bob use a shared key to communicate secretly
- Criteria
  - Key cannot be sent in clear
    - Attacker can listen in
    - Key can be sent enciphered, or derived from exchanged data plus data not known to an eavesdropper
  - Alice, Bob may trust third party
  - All cryptosystems, protocols publicly known
    - Only secret data is the keys, ancillary information known only to Alice and Bob needed to derive keys
    - Anything transmitted is assumed known to attacker

Classical Key Exchange
- How do Alice, Bob begin?
  - Alice can’t send it to Bob in the clear!
- Assume trusted third party, Cathy
  - Alice and Cathy share secret key kA
  - Bob and Cathy share secret key kB
- Use this to exchange shared key ks

Simple Key Exchange Protocol
1. Alice → Cathy: { request for session key to Bob } kA
2. Alice ← Cathy: { ks } kA , { ks } kB
3. Alice → Bob: { ks } kB
4. Alice → Bob: { m } ks
[Figure label: Eve]

Problems
- How does Bob know he is talking to Alice?
  - Replay attack: Eve records message from Alice to Bob, later replays it; Bob may think he’s talking to Alice, but he isn’t
  - Session key reuse: Eve replays message from Alice to Bob, so Bob re-uses session key
- Protocols must provide authentication and defense against replay

Needham-Schroeder
1. Alice → Cathy: Alice || Bob || r1
2. Alice ← Cathy: { Alice || Bob || r1 || ks , { Alice || ks } kB } kA
3. Alice → Bob: { Alice || ks } kB
4. Alice ← Bob: { r2 } ks
5. Alice → Bob: { r2 – 1 } ks

Argument: Alice talking to Bob
- Second message
  - Enciphered using key only she, Cathy know
    - So Cathy enciphered it
  - Response to first message
    - As r1 in it matches r1 in first message
- Third message
  - Alice knows only Bob can read it
    - As only Bob can derive session key from message
  - Any messages enciphered with that key are from Bob

Argument: Bob talking to Alice
- Third message
  - Enciphered using key only he, Cathy know
    - So Cathy enciphered it
  - Names Alice, session key
    - Cathy provided session key, says Alice is other party
- Fourth message
  - Uses session key to determine if it is replay from Eve
    - If not, Alice will respond correctly in fifth message
    - If so, Eve can’t decipher r2 and so can’t respond, or responds incorrectly

Problem with Needham-Schroeder
- Assumption: all keys are secret
- Question: suppose Eve can obtain session key. How does that affect protocol?
  - In what follows, Eve knows ks
1. Eve → Bob: { Alice || ks } kB [Replay]
2. Eve ← Bob: { r3 } ks [Eve intercepts]
3. Eve → Bob: { r3 – 1 }
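
The Needham-Schroeder exchange above as a runnable model, added here as an illustration and not taken from the lecture. It shows what Bob's check in messages 3 to 5 does and does not establish. The names enc, dec, cathy, Bob, alice_run and answer are hypothetical, and the cipher is a toy encrypt-then-MAC built from SHA-256, standing in for { ... } k.

```python
import hashlib, hmac, json, os

def _xor(key, nonce, data):  # SHA-256 counter keystream, toy stand-in for a cipher
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def enc(key, obj):  # { obj } key as toy encrypt-then-MAC (illustration only)
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):  # plaintext object, or None if blob was not made with key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return json.loads(_xor(key, nonce, ct)) if hmac.compare_digest(tag, good) else None

kA, kB = os.urandom(32), os.urandom(32)  # keys Alice and Bob each share with Cathy

def cathy(a, b, r1):  # message 2: { a || b || r1 || ks , { a || ks } kB } kA
    ks = os.urandom(32).hex()
    return enc(kA, [a, b, r1, ks, enc(kB, [a, ks]).hex()])

class Bob:
    def challenge(self, ticket):  # message 3 in, message 4 ({ r2 } ks) out
        self.peer, ks = dec(kB, ticket) or (None, "")
        self.ks, self.r2 = bytes.fromhex(ks), int.from_bytes(os.urandom(8), "big")
        return enc(self.ks, self.r2)

    def accepts(self, msg5):  # message 5 must be { r2 - 1 } ks
        return self.peer is not None and dec(self.ks, msg5) == self.r2 - 1

def alice_run():  # messages 1-2 as Alice; returns (ks, ticket) after checking r1
    r1 = os.urandom(8).hex()
    a, b, r1_back, ks, ticket = dec(kA, cathy("Alice", "Bob", r1))
    if (b, r1_back) != ("Bob", r1):
        raise ValueError("message 2 does not answer this request")
    return bytes.fromhex(ks), bytes.fromhex(ticket)

def answer(bob, ticket, key):  # deliver ticket, answer Bob's challenge using key
    r = dec(key, bob.challenge(ticket))
    return r is not None and bob.accepts(enc(key, r - 1))

if __name__ == "__main__":
    ks, ticket = alice_run()
    print("fresh run accepted:          ", answer(Bob(), ticket, ks))
    print("old ticket, ks not known:    ", answer(Bob(), ticket, os.urandom(32)))
    print("old ticket, old ks disclosed:", answer(Bob(), ticket, ks))
```

The first and third calls are identical from Bob's side: nothing in { Alice || ks } kB tells him when Cathy issued it, so the r2 challenge only proves that the sender holds ks, not that ks is fresh.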



Pitt IS 2935 - Key Management
