CMSC 414
Computer (and Network) Security
Lecture 20
Jonathan Katz

Diffie-Hellman key exchange
Secure against passive eavesdropping…
…but insecure against a man-in-the-middle attack
What if we add DH key exchange following a secure authentication protocol?

Authentication Protocols
(Chapter 11, KPS)

Overview
Handshake protocols provide authentication (typically mutual authentication)
Protocol design is subtle
– Small changes can make a protocol insecure!
– Historically, designed in an “ad-hoc” way, by checking protocol for known weaknesses
– Great example of where provable security helps!

Login only

Some simple protocols…
Example 1: Challenge-response using cryptographic key and a MAC
– What if we had used encryption instead (i.e., send a challenge and have the user encrypt it)?

Weaknesses?
No mutual authentication
No session-key generation
Off-line password guessing if entropy of key is small
Insecure against server compromise

Example 2
“Reverse” challenge-response
– I.e., send a ciphertext and have user decrypt it
– Mutual authentication (if decrypts “validly”)??

Weaknesses?
– Using encryption may be insecure
  • (Note that a MAC cannot, in general, be used)
– Vulnerable to password guessing just by false attempted login (not eavesdropping)
– Authentication of server assumes no replay…

Example 3
User sends time, MAC(time)
– What if she had used encryption?

Considerations?
– Requires (loosely) synchronized clocks
– Very efficient
– Must guard against replay…
– What if user has same key on multiple servers?
– Clock reset attacks; clock DoS attacks!

Public-key protocols
Ex 4: Public-key challenge-response
– No longer vulnerable to server compromise
– What if encryption used instead of signatures?
– Note that user can be “tricked” into signing something
  • Use separate keys!
  • Note problems that potentially arise when composing two secure protocols!
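
Example 3 above (user sends time, MAC(time)) with its listed considerations made concrete: a clock-skew window, a replay cache, and the server name bound into the MAC for the same-key-on-multiple-servers case. This is an added sketch, not code from the lecture; HMAC-SHA256, the 30-second window and all function and class names are assumptions.

```python
import hashlib
import hmac

MAX_SKEW = 30  # seconds of clock drift tolerated (assumed value)

def encode_fields(user: str, server: str, ts: int) -> bytes:
    # Length-prefix each field so field boundaries are unambiguous.
    parts = [user.encode(), server.encode(), str(ts).encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def make_login(key: bytes, user: str, server: str, now: int):
    """Client: returns (time, MAC_key(user, server, time))."""
    msg = encode_fields(user, server, now)
    return now, hmac.new(key, msg, hashlib.sha256).digest()

class Verifier:
    """Server side; the class and method names are hypothetical."""

    def __init__(self, name: str, keys: dict):
        self.name = name
        self.keys = keys   # user -> shared key
        self.seen = {}     # (user, timestamp) -> expiry time

    def verify(self, user: str, ts: int, tag: bytes, now: int) -> str:
        key = self.keys.get(user)
        if key is None:
            return "unknown-user"
        # Loosely synchronized clocks: accept only timestamps in the window.
        if abs(now - ts) > MAX_SKEW:
            return "stale"
        # The server's own name is part of the MAC input, so a tag made for
        # another server that shares this user's key does not verify here.
        msg = encode_fields(user, self.name, ts)
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"
        # Replay guard: remember accepted timestamps until they leave the window.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        if (user, ts) in self.seen:
            return "replay"
        self.seen[(user, ts)] = ts + MAX_SKEW
        return "ok"

def demo():
    key = b"constructed-demo-key"  # constructed sample key
    a = Verifier("serverA", {"alice": key})
    b = Verifier("serverB", {"alice": key})
    ts, tag = make_login(key, "alice", "serverA", 1000)
    return [a.verify("alice", ts, tag, 1005), a.verify("alice", ts, tag, 1006),
            b.verify("alice", ts, tag, 1005), a.verify("alice", ts, tag, 1100)]
```

The replay cache only covers the current window, so a server whose clock is set backwards would accept an old tag again once its cache entry has been purged; this is the clock-reset consideration listed under Example 3.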