AleksandrPotapovSlides

Alexander Potapov








Authentication definition
Protocol architectures
Cryptographic properties
Freshness
Types of attack on protocols
Two-way authentication protocol attack
The Diffie-Hellman key exchange attack
Authentication protocol using a KDC


Authentication deals with the question of whether
you are actually communicating with a specific
process.
Authorization is concerned with what that process
is permitted to do.


Example: Scott sends the server a request to delete a file. The server has to answer two questions:
Is this actually Scott's process (authentication)?
Is Scott allowed to delete this file (authorization)?


Existing cryptographic keys
• The principals already share a secret key
• An off-line server is used. Principals possess certified public keys
• An on-line server is used. Each principal shares a key with a trusted server

Method of session key generation
• A key transport protocol: one of the principals generates the key and this key is then transferred to all protocol users (Ks in this example)
• A key agreement protocol: the session key is a function of inputs by all protocol users




Confidentiality
Ensures that data is only available to those authorised to obtain it.
Usually achieved through encryption/decryption.

Data integrity
Ensures that data has not been altered by unauthorised entities.
Usually achieved by:
• Use of hash functions in combination with encryption
• Use of a message authentication code to create a separate check field

Data origin authentication
Guarantees the origin of data.
Normally achieved by the same mechanisms as data integrity.

Non-repudiation
Ensures that entities cannot deny sending data that they have committed to.
Typically provided using a digital signature mechanism.

A user of the session key should be able to verify that the key is new and not replayed from old sessions.

Timestamps
On the recipient's side, if the message is within an acceptable window of the current time, then the message is regarded as fresh.

Nonces (random challenges)
The message is fresh because the message cannot have been formed before the nonce was generated.

Counters
The sender and recipient maintain a synchronized counter whose value is sent with the message and then incremented.
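
The three freshness mechanisms above as receiver-side checks, in an added Python example that is not part of the original slides. The key, the 30-second window, the MAC layout and all names are assumptions; each message is delivered more than once to show which replays are rejected.

```python
import hashlib
import hmac
import os

KEY = b"constructed-demo-key"  # constructed shared key (assumption)
WINDOW = 30                    # assumed acceptance window, in seconds

def tag(kind: bytes, msg: bytes, fresh: bytes) -> bytes:
    """MAC binding a message to its freshness value (length-prefixed fields)."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in (kind, msg, fresh))
    return hmac.new(KEY, data, hashlib.sha256).digest()

class Receiver:
    def __init__(self):
        self.pending = set()  # nonces this receiver issued and has not seen used
        self.counter = 0      # counter value expected in the next message

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def check_timestamp(self, msg, ts: int, mac, now: int) -> bool:
        good = hmac.compare_digest(mac, tag(b"ts", msg, str(ts).encode()))
        return good and abs(now - ts) <= WINDOW

    def check_nonce(self, msg, nonce, mac) -> bool:
        good = hmac.compare_digest(mac, tag(b"nonce", msg, nonce))
        if good and nonce in self.pending:
            self.pending.discard(nonce)  # single use: a replay finds it gone
            return True
        return False

    def check_counter(self, msg, ctr: int, mac) -> bool:
        good = hmac.compare_digest(mac, tag(b"ctr", msg, str(ctr).encode()))
        if good and ctr == self.counter:
            self.counter += 1            # incremented after each accepted use
            return True
        return False

def replay_results() -> dict:
    """Deliver each message more than once; later deliveries are replays."""
    rx, msg = Receiver(), b"transfer 10"
    n, ts_mac = rx.challenge(), tag(b"ts", msg, b"100")
    return {
        "nonce": [rx.check_nonce(msg, n, tag(b"nonce", msg, n)) for _ in range(2)],
        "counter": [rx.check_counter(msg, 0, tag(b"ctr", msg, b"0")) for _ in range(2)],
        "timestamp": [rx.check_timestamp(msg, 100, ts_mac, t) for t in (105, 120, 200)],
    }
```

The timestamp check on its own still accepts a copy replayed inside the window (the delivery at time 120); closing that gap takes a cache of recently seen messages or one of the other two mechanisms.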










Eavesdropping: The adversary captures the information sent in the protocol.
Modification: The adversary alters the information sent in the protocol.
Replay: The adversary records information seen in the protocol and then sends it to the same, or a different, principal, possibly during a later protocol run.
Preplay: The adversary engages in a run of the protocol prior to a run by the legitimate principals.
Reflection: The adversary sends protocol messages back to the principal who sent them.
Denial of service: The adversary prevents or hinders legitimate principals from completing the protocol.
Typing attacks: The adversary replaces a protocol message field of one type with a message field of another type.
Cryptanalysis: The adversary gains some useful leverage from the protocol to help in cryptanalysis.
Certificate manipulation: The adversary chooses or modifies certificate information to attack one or more protocol runs.
Protocol interaction: The adversary chooses a new protocol to interact with a known protocol.

A, B are the identities of Alice and Bob.
Ri is the challenge, where the subscript identifies the challenger.
Ki are keys, where i indicates the owner.
A second session is opened (message 3), supplying the RB taken from message 2.
Bob encrypts it and sends back KAB(RB) in message 4.
• HMAC – hashed message authentication code
• A data structure is hashed into the HMAC, for example using SHA-1.
• Based on the received information, Alice can compute the HMAC herself.
Both HMACs include values chosen by the sending party, something which Trudy cannot control.
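
The reflection problem and the HMAC fix described above, side by side, in an added Python example that is not part of the original slides. The HMAC field layout (both nonces in each proof, the identities A and B in Bob's), the class and function names and the key are assumptions, and HMAC-SHA-256 stands in both for K_AB(R) and for the SHA-1 HMAC the slide mentions.

```python
import hashlib
import hmac
import os

K_AB = b"constructed-shared-key"  # constructed demo key held by Alice and Bob

def keyed(*fields: bytes) -> bytes:
    """Keyed function over length-prefixed fields; stands in for K_AB(...)."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(K_AB, data, hashlib.sha256).digest()

class ShortBob:
    """Challenge-response as in the attack: Bob transforms any R under K_AB."""
    def open_session(self, claimed: bytes, r_peer: bytes):
        self.r_b = os.urandom(16)
        return self.r_b, keyed(r_peer)               # R_B, K_AB(R_peer)

    def finish(self, proof: bytes) -> bool:
        return hmac.compare_digest(proof, keyed(self.r_b))

class HmacBob:
    """HMAC variant (assumed layout): proofs cover both nonces; Bob's adds A, B."""
    def open_session(self, claimed: bytes, r_peer: bytes):
        self.r_a, self.r_b = r_peer, os.urandom(16)
        return self.r_b, keyed(self.r_a, self.r_b, claimed, b"B")

    def finish(self, proof: bytes) -> bool:
        return hmac.compare_digest(proof, keyed(self.r_a, self.r_b))

def reflection_accepted(bob_cls) -> bool:
    """Feed Bob's output from a second session back into the first one.

    The caller never uses K_AB; True means Bob authenticated it anyway.
    """
    first, second = bob_cls(), bob_cls()
    r_b, _ = first.open_session(b"A", os.urandom(16))  # messages 1 and 2
    _, echoed = second.open_session(b"A", r_b)         # messages 3 and 4
    return first.finish(echoed)                        # message 5
```

`reflection_accepted(ShortBob)` is True and `reflection_accepted(HmacBob)` is False: in the HMAC variant nothing Bob emits has the form he expects back, because his own proof always contains a nonce he chose for that session plus the identities.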
n and g are two agreed large numbers.
x and y are large (say, 512-bit) private numbers generated by both sides.
The trouble is, given only g^x mod n, it is hard to find x. All currently known algorithms simply take too long, even on massively parallel supercomputers.
Alice thinks she is talking to Bob, so she establishes a session key (with Trudy). So does Bob.
Every message that Alice sends on the encrypted session is captured by Trudy, stored, modified if desired, and then (optionally) passed on to Bob. Similarly in the other direction.
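
The exchange and the interception described above, in an added Python example that is not part of the original slides. The group (n = 2^127 - 1, g = 3), the names and the fingerprint comparison are assumptions; the comparison presumes a channel Trudy cannot alter, which plain Diffie-Hellman does not provide.

```python
import hashlib
import secrets

# Constructed demo group (assumption): n = 2^127 - 1 (a Mersenne prime), g = 3.
# Far smaller than the sizes the slide mentions; chosen only to keep runs fast.
N = 2**127 - 1
G = 3

class Party:
    def __init__(self):
        self.secret = secrets.randbelow(N - 3) + 2   # private x (or y, or z)
        self.public = pow(G, self.secret, N)         # g^x mod n, sent in the clear

    def session_key(self, peer_public: int) -> bytes:
        shared = pow(peer_public, self.secret, N)    # (g^y)^x mod n = g^xy mod n
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def run(intercepted: bool):
    """One exchange; returns (Alice's key, Bob's key, keys a third party holds)."""
    alice, bob = Party(), Party()
    if not intercepted:
        return alice.session_key(bob.public), bob.session_key(alice.public), set()
    trudy = Party()  # her g^z mod n replaces the public value in both directions
    held = {trudy.session_key(alice.public), trudy.session_key(bob.public)}
    return alice.session_key(trudy.public), bob.session_key(trudy.public), held

def key_confirmation(k_a: bytes, k_b: bytes) -> bool:
    """Compare short key fingerprints over a channel Trudy cannot alter.

    That authenticated channel is the assumption here; without it the
    public values themselves have to be signed or otherwise authenticated.
    """
    fp_a = hashlib.sha256(b"fingerprint" + k_a).hexdigest()[:16]
    fp_b = hashlib.sha256(b"fingerprint" + k_b).hexdigest()[:16]
    return fp_a == fp_b
```

In the intercepted run Alice and Bob end up with two different keys, both known to Trudy, and the fingerprint comparison fails; in the clean run the keys are identical and no third party holds them.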
KDC - Key distribution center
Ks - generated session key
By snooping on the network, Trudy copies message 2 and the money-transfer request that follows it. Later, she replays both of them to Bob.
Messages 1 and 2 – ticket request (RA assures that message 2 is fresh, and not a replay)
Message 4 - Bob sends it back to prove to Alice that she is talking to the real Bob
Colin Boyd, Anish Mathuria. Protocols for authentication and key establishment.
Andrew S. Tanenbaum. Computer networks.