ece 454/cs594 computer and network security
DESCRIPTION
ECE 454/CS594 Computer and Network Security. Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011. Security Handshake Pitfalls. Login only Mutual authentication Integrity/encryption after authentication - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/1.jpg)
1
ECE454/CS594 Computer and Network Security
Dr. Jinyuan (Stella) SunDept. of Electrical Engineering and Computer ScienceUniversity of Tennessee Fall 2011
![Page 2: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/2.jpg)
2
Security Handshake Pitfalls• Login only• Mutual authentication• Integrity/encryption after authentication• Nonce types• Picking random numbers
![Page 3: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/3.jpg)
3
Security Protocol An agreement between communication
parties about the process and the format of security bootstrap, authentication, key establishment, encryption/hashing algorithm and parameter negotiation, etc.
Typically include:- Authentication handshake- Session key negotiation, algorithm/parameter negotiation- Data encryption and/or integrity protection
![Page 4: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/4.jpg)
4
Security Bootstrap Shared secret:Password (for human users)Pre-shared key (between firewalls)Ticket by KDC (among a large number of
participates)Public key:Manually configuredCertificate by CA
![Page 5: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/5.jpg)
5
Login Only: A Bad Idea Alice sends name and password in
clear (across network) to BobBob verifies name and password and
communication proceeds
![Page 6: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/6.jpg)
6
Login Only: A Better Idea Using Shared Secret (1)
f(K,R) can be K{R} or h(K,R) Authentication is one way: impersonation of Bob,
offline password guessing, database reading How to encrypt subsequent conversation?
![Page 7: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/7.jpg)
7
Login Only: A Better Idea Using Shared Secret (2)
Problems: same as the previous one Requires reversible cryptography (hash will not work) If R is a recognizable number, this protocol does
mutual authentication Can make R recognizable but with limited lifetime,
e.g., timestamp. It however requires clock synchronization
![Page 8: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/8.jpg)
8
Login Only: A Better Idea Using Shared Secret (3)
Advantages: It can be easily added to an existing protocol More efficient: it saves two message exchanges Bob is statelessProblems: Replay attack (single server, multiple servers) Reset clock attack
![Page 9: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/9.jpg)
9
Login Only: A Better Idea Using Shared Secret (4)
Same as the previous one, but using a hash Why transmit timestamp in the clear?
![Page 10: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/10.jpg)
10
Login Only: A Better Idea Using PKC (1)
Implications: Compromise of Bob's database will not allow attacker
to impersonate Alice Attacker may be able to trick Alice into signing
anything
![Page 11: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/11.jpg)
11
Login Only: A Better Idea Using PKC (2)
Implications: Compromise of Bob's database will not allow attacker
to impersonate Alice Attacker may be able to trick Alice into decrypting
anything
![Page 12: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/12.jpg)
12
Mutual Authentication (1)
Problem: inefficient
![Page 13: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/13.jpg)
13
Mutual Authentication (2) – Optimized
Implications: More efficient Subject to reflection attack: easy to obtain chosen
plaintext
![Page 14: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/14.jpg)
14
Reflection Attack Trudy opens 1st session to Bob Trudy opens 2nd session to Bob in order to get
information needed to complete 1st session
![Page 15: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/15.jpg)
15
Reflection Attack (Cont’d)Solution:Alice and Bob should not do exactly the same
thing: different keys, different challenges Different keys: have Bob encrypt with KAlice-Bob
and Alice encrypt with KAlice-Bob+1, etc. Different challenges: initiator (Alice) sends
odd R, responder (Bob) sends even R, etc.
![Page 16: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/16.jpg)
16
Mutual Authentication (3) – Less Optimized
Implications: One "extra" message and Trudy cannot obtain chosen
plaintext Rule: the initiator should be the first to prove its
identity (the assumption is that the initiator is more likely the bad guy)
![Page 17: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/17.jpg)
17
Mutual Authentication (4)
Implications: How to obtain public keys? Store Bob’s public key encrypted with Alice’s
password Store Bob’s public key certificate signed by Alice
![Page 18: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/18.jpg)
18
Mutual Authentication (5)
Implications: Can be easily added to existing challenge/response
protocols Alice and Bob must encrypt different things Clock synchronization: time is now security-critical Reflection attack
![Page 19: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/19.jpg)
19
Integrity/Encryption After AuthenticationHow to establish a session key during
authentication?By shared secretBy two-way public keyBy one-way public key
![Page 20: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/20.jpg)
20
Shared Secret
After this authentication: Can we use K{R+1} as the shared session key? How about K XOR R, K{K+R}, K+K{R}, h{K|R}?In general, a good session key is different for each session unguessable by attacker
![Page 21: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/21.jpg)
21
Two Way Public KeyAlice and Bob each has a public/private key pairHow about Alice picks a random R, and sends {R}Bob to
Bob- Trudy can impersonate Alice
How about Alice sends [{R}Bob]Alice to Bob- Trudy can obtain R by overrunning Bob and decrypt old messages
Alice sends Bob [{R1}Bob]Alice, Bob sends Alice [{R2}Bob]Alice, and the session key is R = R1 XOR R2
- Trudy needs to overrun both Alice and BobDiffie-Hellman key establishment: Alice sends Bob [gR1
mod p]Alice, Bob sends Alice [gR2 mod p]Bob, and the session key is R = gR1R2 mod p- Doesn’t help even if Trudy overruns both Alice and Bob
![Page 22: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/22.jpg)
22
One Way Public KeyOnly Server Bob has a public/private key pair,
Client Alice won’t bother having keys and certificate: SSL
Alice picks a random R, and sends {R}Bob to Bob- Trudy can decrypt old messages by overrunning Bob
Diffie-Hellman key establishment: Alice sends Bob gR1 mod p, Bob sends Alice [gR2 mod p]Bob, and the session key is R = gR1R2 mod p
Trudy can impersonate Alice in either case
![Page 23: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/23.jpg)
23
Nonce TypesNonce: a quantity used only once
- Large random number: unguessable, unpredictable, non-reuse w.h.p., makes the best nonce- Timestamp: requires clock synchronization- Sequence number: needs to maintain state
unpredictability is important
unpredictability is not required
![Page 24: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/24.jpg)
24
Picking Random NumbersDifferent applications require different types of
random numbersA common approach for cryptographic
operations: pseudorandom number generator- seed value is critical- common mistakes: seed is from a small space, hashing the current time when a random value is needed, divulging the seed value
![Page 25: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/25.jpg)
25
Authentication Protocol Checklist
Authentication protocols protect againsteavesdropping impersonationdatabase reading message modification combinations of the above
![Page 26: ECE 454/CS594 Computer and Network Security](https://reader035.vdocuments.mx/reader035/viewer/2022062411/5681668e550346895dda5eca/html5/thumbnails/26.jpg)
26
Reading Assignment• [Kaufman] Chapter 11