Berkeley COMPSCI 161 - Authentication Protocols


CS 161: Authentication Protocols
27 September 2006
© 2006 Doug Tygar

Zero knowledge review
- Goal: authenticate without leaking any information
- What you need to know about Rabin signatures:
  - Squares mod pq have four square roots: r, -r, s, -s
  - If we add together r and s and take the greatest common divisor with pq, we get p or q
  - GCD(pq, r + s) = p or q

Leaky protocols
- Many protocols leak information
- For example, consider the following authentication protocol:
    A → B: Prove you are Bob: sign message M
    B → A: Sign(M)_B
- Now Alice has some information she didn't have before: she has Sign(M)_B
- Perfect for what kind of attack?

Zero knowledge protocol
- Idea: interactive proof
- At the end of the proof, A is convinced B knows a proof of fact F
- But A has no information about that proof

How to prove identity using zero knowledge
- B publishes b^2 mod pq
- B → A: r^2 mod pq (random r)
- A flips coin
- A → B: coin flip
- If heads: B → A: r mod pq; A verifies (r mod pq)^2 = r^2 mod pq
- If tails: B → A: rb mod pq; A verifies (rb mod pq)^2 = r^2 b^2 mod pq

Comments
1. This is an easy to perform protocol
2. After each round, convinced with 50% probability
   - If B knows both rb and r mod pq, he knows rb/r mod pq
   - Fake B will be caught 50% of the time
3. A learns nothing (if she does, she could just generate pairs (r, r^2) on her own, or (rb, (rb)^2))

Authentication
- Alice and Bob love each other, but they live far apart
- We've learned how they can encrypt their messages
- How can they make sure they are talking to each other?
- This is the question of authentication

Types of authentication
- End user → End user (Alice, Bob)
- End user → Local computer (login)
- End user → Remote computer (web site login)
- Computer → Computer (DRM)
- Local computer → End user (fake ATM check)
- Remote computer → End user (phishing check)

More types of authentication
- Software authentication: tougher
- Still under active development; we may talk about it at the end of class
- Trusted computing

Authentication is complicated
- It is surprisingly hard to get authentication right
- Most first, second, third attempts get it wrong
- Ph.D. level courses on authentication don't cover all
- This lecture will talk about the basics

Encrypting digital content
- Goal: prevent people from copying digital content
- Contemporary high definition TV sets accept HDMI with HDCP (high definition copy protection)
- Handshake to authenticate recipient enforces copy protection
- Older HD TVs don't accept HDCP
- Rules say HDCP cannot be converted to analogue

HDCP strippers
- SPATZ TECH (I am not making this up)
- Makes DVI/HDMI equivalent repeater
- Called DVI Magic
- Strips HDCP

HDCP strippers (continued)
- MPAA could revoke SPATZ TECH's key
- Then SPATZ TECH could no longer authenticate
- Revocation list is contained in every HD broadcast, every HD DVD
- Equipment suddenly stops working

Public key authentication is tricky
    A → B: {random message}_B
    B → A: random message
- What's wrong with this?

Ultimate public key authentication
- We learned zero knowledge authentication
- But it is patented, slow
- What if we want something more streamlined?

Original Needham-Schroeder (Kerberos)
- We need a trusted server S
- Alice shares symmetric key a with S
- Bob shares symmetric key b with S
    A → S: {I want Bob}_a
    S → A: {Use temp key t, send to Bob this ticket: {This is Alice using temporary key t}_b}_a
    A → B: {This is Alice using temporary key t}_b
    A → B: {I love you}_t

Problems with original N-S
- Needham-Schroeder reigned supreme for many years
- But then people noticed a problem
- Replay attack:
    Bad Guy → B: {This is Alice using temporary key t}_b
    Bad Guy → B: {I love you}_t

Solution: nonces
- One needs to add nonces, such as a timestamp TS
    A → S: {I want Bob, TS}_a
    S → A: {Use temp key t, send to Bob this ticket, TS: {This is Alice using temporary key t, TS}_b}_a
    A → B: {This is Alice using temporary key t, TS}_b
    A → B: {I love you, TS}_t

Problems with revised N-S
- Requires a trusted third party
- Requires real time access to trusted third party

Authentication still a problem
- Most attacks we see today are authentication attacks, often on passwords
- Phishing
- Spyware password stealing
- Bogus web sites
- We need better solutions
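The zero-knowledge identification rounds and the Rabin square-root fact from the slides, as an added Python example that is not part of the lecture. The toy primes and every function name are assumptions made for illustration; fake_prover is the slides' "Fake B", who can only prepare for one coin outcome.

```python
import math, secrets

P, Q = 1000003, 1000033        # constructed toy primes; real moduli are far larger
N = P * Q
COINS = ("heads", "tails")

def verify(pub, commit, coin, answer):
    """Alice's check: answer^2 == r^2 (heads) or r^2 * b^2 (tails), mod pq."""
    expected = commit if coin == "heads" else (commit * pub) % N
    return pow(answer, 2, N) == expected

def honest_prover(b):
    """Bob knows b: he sends r^2 and can answer either coin flip."""
    r = secrets.randbelow(N - 2) + 2
    return pow(r, 2, N), {"heads": r, "tails": (r * b) % N}

def fake_prover(pub, guess):
    """No b: the transcript is valid only if Alice's coin equals `guess`.
    Alice can build the same pairs herself, so a transcript teaches her nothing."""
    y = secrets.randbelow(N - 2) + 2
    if guess == "heads":
        return pow(y, 2, N), y
    return (pow(y, 2, N) * pow(pub, -1, N)) % N, y

def authenticate(b, pub, rounds=20):
    """Alice accepts only if every round verifies; honest Bob always passes."""
    for _ in range(rounds):
        commit, answers = honest_prover(b)     # B -> A: r^2 mod pq
        coin = secrets.choice(COINS)           # A -> B: coin flip
        if not verify(pub, commit, coin, answers[coin]):
            return False
    return True

def fake_pass_rate(pub, trials=2000):
    """Fraction of single rounds a prover without b survives (about 0.5)."""
    passed = 0
    for _ in range(trials):
        guess, coin = secrets.choice(COINS), secrets.choice(COINS)
        commit, answer = fake_prover(pub, guess)
        passed += verify(pub, commit, coin, answer)
    return passed / trials

def other_root(r):
    """CRT (needs p and q): the root s with s = r mod p and s = -r mod q."""
    return (r % P * Q * pow(Q, -1, P) + (-r) % Q * P * pow(P, -1, Q)) % N

def factor_from_roots(r, s):
    """Rabin fact from the slides: gcd(pq, r + s) is p or q when s != +-r."""
    return math.gcd(N, r + s)
```

A prover without b survives k rounds with probability 2^-k, which is why Alice repeats the round (20 times in authenticate).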
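Bob's side of the Needham-Schroeder exchange, with and without the timestamp check from the "Solution: nonces" slide, as an added Python example that is not part of the lecture. It models only the A → B leg; seal/unseal are a toy stand-in for encryption under a shared key, and all function names, the 30-second window and the timestamps are assumptions.

```python
import hashlib, hmac, json, secrets

def seal(key, obj):
    """Toy authenticated encryption (SHAKE keystream + HMAC), stand-in for {..}_key."""
    plain = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plain))
    body = nonce + bytes(p ^ s for p, s in zip(plain, stream))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    nonce, ct = body[:16], body[16:]
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return json.loads(bytes(c ^ s for c, s in zip(ct, stream)))

def server_ticket(b, now=None):
    """S picks temp key t and builds {This is Alice using temporary key t [, TS]}_b."""
    t = secrets.token_hex(16)
    claim = {"from": "Alice", "t": t}
    if now is not None:
        claim["ts"] = now
    return t, seal(b, claim)

def alice_send(t, text, ts=None):
    """A -> B: {text [, TS]}_t"""
    return seal(bytes.fromhex(t), {"text": text, "ts": ts})

def bob_receive(b, ticket, message, now=None, window=30):
    """Bob opens the ticket with b, then the message with t.
    now=None is the original protocol: no freshness check at all."""
    claim = unseal(b, ticket)
    msg = unseal(bytes.fromhex(claim["t"]), message)
    if now is not None:            # revised protocol: both parts need a fresh TS
        for ts in (claim.get("ts"), msg.get("ts")):
            if ts is None or abs(now - ts) > window:
                return None        # stale or missing timestamp: treat as a replay
    return f'{claim["from"]}: {msg["text"]}'
```

A replay that arrives inside the window still passes this check, so the timestamp bounds how long a captured ticket stays useful rather than making each ticket single-use.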

