Alexander Potapov

Outline
• Authentication definition
• Protocol architectures
• Cryptographic properties
• Freshness
• Types of attack on protocols
• Two-way authentication protocol attack
• The Diffie-Hellman key exchange attack
• Authentication protocol using a KDC

Authentication definition

Authentication deals with the question of whether you are actually communicating with a specific process. Authorization is concerned with what that process is permitted to do.

Example: Scott's process sends a "Delete file" request to the server.
• Is this actually Scott's process (authentication)?
• Is Scott allowed to delete this file (authorization)?

Protocol architectures

Existing cryptographic keys:
• The principals already share a secret key.
• An off-line server is used: principals possess certified public keys.
• An on-line server is used: each principal shares a key with a trusted server.

Method of session key generation:
• A key transport protocol: one of the principals generates the key and this key is then transferred to all protocol users (Ks in this example).
• A key agreement protocol: the session key is a function of inputs by all protocol users.

Cryptographic properties

• Confidentiality: ensures that data is only available to those authorised to obtain it. Usually achieved through encryption/decryption.
• Data integrity: ensures that data has not been altered by unauthorised entities. Usually achieved by using hash functions in combination with encryption, or by using a message authentication code to create a separate check field.
• Data origin authentication: guarantees the origin of data. Normally achieved by the same mechanisms as data integrity.
• Non-repudiation: ensures that entities cannot deny sending data that they have committed to. Typically provided using a digital signature mechanism.

Freshness

The user of the session key should be able to verify that the key is new and not replayed from old sessions.

• Timestamps: on the recipient's side, if the message is within an acceptable window of the current time, then the message is regarded as fresh.
• Nonces (random challenges): the message is fresh because it cannot have been formed before the nonce was generated.
• Counters: the sender and recipient maintain a synchronized counter whose value is sent with the message and then incremented.
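The three freshness mechanisms above, written as recipient-side checks. This is an added example, not code from the slides; the key, the 30-second window, the use of HMAC-SHA256 and the cache of already accepted timestamped messages are assumptions made for illustration.

```python
import hmac, hashlib, secrets

KEY = b"constructed-demo-key"  # constructed shared key, for illustration only
WINDOW = 30                    # assumed acceptable clock window, in seconds

def tag(*fields):  # MAC binds the freshness value to the message body
    parts = [str(f).encode() for f in fields]
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

class Recipient:
    def __init__(self):
        # accepted timestamped MACs, outstanding nonces, next expected counter
        self.seen, self.pending, self.counter = set(), set(), 0

    def check_timestamp(self, body, ts, mac, now):
        ok = hmac.compare_digest(mac, tag("ts", body, ts))
        if not ok or abs(now - ts) > WINDOW or mac in self.seen:
            return False      # forged, stale, or replayed inside the window
        self.seen.add(mac)
        return True

    def new_nonce(self):
        self.pending.add(nonce := secrets.token_hex(16))
        return nonce

    def check_nonce(self, body, nonce, mac):
        ok = hmac.compare_digest(mac, tag("nonce", body, nonce))
        if not ok or nonce not in self.pending:
            return False      # forged, never issued, or already used once
        self.pending.discard(nonce)
        return True

    def check_counter(self, body, ctr, mac):
        ok = hmac.compare_digest(mac, tag("ctr", body, ctr))
        if not ok or ctr != self.counter:
            return False      # forged, or counter value already consumed
        self.counter += 1     # the sender increments in step
        return True

def replay_results(now=1_700_000_000):
    # Constructed messages: each one is delivered, then delivered again.
    r, body = Recipient(), "transfer 10"
    ts = (body, now - 5, tag("ts", body, now - 5))
    n = r.new_nonce()
    nm, cm = (body, n, tag("nonce", body, n)), (body, 0, tag("ctr", body, 0))
    return [r.check_timestamp(*ts, now), r.check_timestamp(*ts, now + 1),
            r.check_timestamp(body, now - 120, tag("ts", body, now - 120), now),
            r.check_nonce(*nm), r.check_nonce(*nm),
            r.check_counter(*cm), r.check_counter(*cm)]
```

Without the `seen` cache, the timestamp check alone would accept a copy of the same message for as long as it stays inside the window.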
Types of attack on protocols

• Eavesdropping: the adversary captures the information sent in the protocol.
• Modification: the adversary alters the information sent in the protocol.
• Replay: the adversary records information seen in the protocol and then sends it to the same, or a different, principal, possibly during a later protocol run.
• Preplay: the adversary engages in a run of the protocol prior to a run by the legitimate principals.
• Reflection: the adversary sends protocol messages back to the principal who sent them.
• Denial of service: the adversary prevents or hinders legitimate principals from completing the protocol.
• Typing attacks: the adversary replaces a protocol message field of one type with a message field of another type.
• Cryptanalysis: the adversary gains some useful leverage from the protocol to help in cryptanalysis.
• Certificate manipulation: the adversary chooses or modifies certificate information to attack one or more protocol runs.
• Protocol interaction: the adversary chooses a new protocol to interact with a known protocol.

Two-way authentication protocol attack

• A, B are the identities of Alice and Bob.
• Ri is the challenge, where the subscript identifies the challenger.
• Ki are keys, where i indicates the owner.

A second session is opened (message 3), supplying the RB taken from message 2. Bob encrypts it and sends back KAB(RB) in message 4.

• HMAC: hashed message authentication code.
• A data structure is hashed into the HMAC, for example using SHA-1.
• Based on the received information, Alice can compute the HMAC herself.

Both HMACs include values chosen by the sending party, something which Trudy cannot control.

The Diffie-Hellman key exchange attack

• n and g are two agreed large numbers.
• x and y are large (say, 512-bit) private numbers generated by both sides.

The trouble is, given only g^x mod n, it is hard to find x. All currently known algorithms simply take too long, even on massively parallel supercomputers.

Alice thinks she is talking to Bob, so she establishes a session key (with Trudy). So does Bob. Every message that Alice sends on the encrypted session is captured by Trudy, stored, modified if desired, and then (optionally) passed on to Bob. Similarly in the other direction.

Authentication protocol using a KDC

• KDC: key distribution center
• Ks: generated session key

By snooping on the network, Trudy copies message 2 and the money-transfer request that follows it. Later, she replays both of them to Bob.
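Returning to the two-way authentication protocol above, the sketch below puts the original challenge-response beside the HMAC variant and feeds both the reflected transcript from the text. It is an added example, not code from the slides; the field layout, the direction labels, the constructed key and the use of HMAC-SHA256 (also as a stand-in for the encryption KAB(R)) are assumptions.

```python
import hmac, hashlib, secrets

K_AB = b"constructed-shared-key"  # constructed key known only to Alice and Bob

def keyed(*parts):
    # HMAC-SHA256 over length-prefixed fields; also stands in for K_AB(R) below.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(K_AB, msg, hashlib.sha256).digest()

def weak_proof(direction, r_a, r_b):
    # Original scheme: transform the peer's challenge alone, nothing else bound.
    return keyed(r_a if direction == b"B->A" else r_b)

def hmac_proof(direction, r_a, r_b):
    # Hardened: both challenges, both identities and the direction are covered.
    return keyed(direction, r_a, r_b, b"A", b"B")

class Bob:
    def __init__(self, proof):
        self.proof = proof

    def open(self, r_a):
        # Messages 1-2: receive a challenge, return own challenge plus proof.
        r_b = secrets.token_bytes(16)
        return (r_a, r_b), r_b, self.proof(b"B->A", r_a, r_b)

    def finish(self, session, answer):
        # Final message: accept only the proof expected for this session.
        return hmac.compare_digest(answer, self.proof(b"A->B", *session))

def honest_run(proof):
    bob, r_a = Bob(proof), secrets.token_bytes(16)
    session, r_b, bob_mac = bob.open(r_a)
    bob_ok = hmac.compare_digest(bob_mac, proof(b"B->A", r_a, r_b))  # Alice checks Bob
    return bob_ok and bob.finish(session, proof(b"A->B", r_a, r_b))

def reflected_run(proof):
    # Transcript from the text, with no knowledge of K_AB on the initiating side.
    bob = Bob(proof)
    s1, r_b, _ = bob.open(secrets.token_bytes(16))  # session 1, messages 1-2
    _, _, answer = bob.open(r_b)                    # session 2, messages 3-4
    return bob.finish(s1, answer)                   # Bob's own output returned to him

if __name__ == "__main__":
    for name, proof in (("weak", weak_proof), ("hmac", hmac_proof)):
        print(name, honest_run(proof), reflected_run(proof))
```

Both variants complete an honest run; only the original one accepts the reflected transcript, because Bob's answer in the second session is exactly the value the first session is waiting for.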
• Messages 1/2: ticket request (RA assures that message 2 is fresh, and not a replay).
• Message 4: Bob sends it back to prove to Alice that she is talking to the real Bob.

References

• Colin Boyd, Anish Mathuria. Protocols for Authentication and Key Establishment.
• Andrew S. Tanenbaum. Computer Networks.