Add to collection(s) Add to saved
  1. Arts & Humanities
  2. Communications

secure-channels

advertisement 
Last Class: The Problem
Private Message
Bob
Alice
Eavesdropping
Eve
Last Class: The Solution
Private Message
Private Message
Encryption
Decryption
Scrambled Message
Bob
Alice
Eavesdropping
Eve
Other Security Problems
– Are you who you say you are?
• Authentication
– How does Bob know that he’s really talking to Alice?
– How does Alice know the message was sent by Bob?
• Mutual authentication
– How does Alice know that the message she receives
hasn’t been tampered with?
• Message Integrity
– Are you authorized to do what you want to do?
• Authorization
Secure Channels
Given credit where it is due
• Most slides are from Prof. Kenneth Chiu at
SUNY Binghamton
• Some slides are from Scott Shenker and
Ion Stoica at University of California,
Berkeley and Ariel J. Frank at Bar-Ilan
University
• I have modified and added some slides
Authentication
• Can you have authentication without
message integrity?
– I know that Bob sent the message, but
someone may have tampered with it.
– I know that no one tampered with it, but I
don’t know whether or not it was really Bob
who sent it.
– Authentication & message integrity cannot do
without each other !
• Set-up phase precedes message exchange
• Session keys to ensure message integrity
Notation for Cryptography
Notation Description
KA, B
Secret key shared by A and B
K A
Public key of A
K A
Private key of A
Shared Secret Key Authentication
• Suppose Alice and Bob share a secret key
(KA, B). How can they setup a secure
channel over an insecure medium?
1.
2.
3.
4.
5.
Alice sends her identity to Bob.
Bob sends a challenge (random number).
Alice must encrypt and return.
Alice then sends a challenge to Bob.
Bob must encrypt and return.
An Optimization
• Authentication based on a shared secret key,
but using three instead of five messages.
Chuck…er…Alice
Attack Attempt
•
•
•
•
?
Chuck tries to pretend to be Alice.
He sends the initial message to Bob.
Bob responds with the encrypted challenge, but then his own challenge.
Chuck cannot properly respond to the challenge because he doesn’t have
the key.
Reflection Attack
• Lesson: never encrypt anything without knowing
who you are encrypting it for.
Key Distribution Centers
• If there are N parties using shared secret
keys, how many keys are needed?
• Alternative is to use a trusted KDC. It has
a shared key with every host.
Key Distribution Centers
• Disadvantage is that Bob has to get into the loop first.
Tickets
• Using a ticket and letting Alice set up a connection
to Bob.
• Vulnerable to replay attacks if Chuck gets hold on
KB,KDCold
Authentication using KDC
(Needham-Schroeder Protocol)
- Nonce: random number used only once to relate two messages
RA1,A,B
2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B))
3
KA,B(RA2), KB,KDC(A, KA,B)
4
KA,B(RA2-1, RB)
5
KA,B(RB-1)
Bob
1
KDC

Relate messages 1 and 2: use challenge response mechanism
RA1, RA2, RB: nonces
Alice

16
What if RA1 is Missing?
Assume Chuck intercepted
KA,KDC(B,KA,B, KB,KDCold(A,KA,B))
(replayed message)
3
KA,B(RA2), KB,KDCold(A, KA,B)
4
KA,B(RA2-1, RB)
5
KA,B(RB-1)
Here Chuck
gets KA,B !
Bob (KB,KDC)
2
A,B
Chuck (KB,KDCold)
1
KDC
- KA,KDC(B,KA,B, KB,KDCold(A,KA,B))
- Knows KB,KDCold
Alice

17
Authentication using KDC
(Needham-Schroeder Protocol)
RA1,A,B
2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B))
3
KA,B(RA2), KB,KDC(A, KA,B)
4
KA,B(RA2-1, RB)
5
KA,B(RB-1)
Bob
1
KDC
Why do we need to include B in message 2?
Alice

18
What if B is Missing from Message 2?
RA1,A,B
2
KA,KDC(RA1,KA,C, KC,KDC(A,KA,C))
3
KA,C(RA2), KC,KDC(A, KA,C)
4
KA,C(RA2-1, RB)
5
KA,C(RB-1)
RA1,A,C
Bob (KB,KDC)
Alice
1
KDC
Assume Chuck intercepts message 1
Chuck

Here Chuck
gets KA,C !
19
Authentication using KDC
(Needham-Schroeder Protocol)
RA1,A,B
2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B))
3
KA,B(RA2), KB,KDC(A, KA,B)
4
KA,B(RA2-1, RB)
5
KA,B(RB-1)
Bob
1
KDC
Vulnerable to replay attacks if Chuck gets hold on KA,B
Alice

20
What if Chuck gets KA,B?
Assume Chuck intercepted
RA1,A,B
Chuck (KA,B)
2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B))
3
KA,B(RA2), KB,KDC(A, KA,B)
Bob
1
KDC
- KA,B(RA2), KB,KDC,(A,KA,B)
- Knows KA,B
Alice

(replayed message)
4
KA,B(RA2-1, RB)
5
KA,B(RB-1)
21
Defend Against leaking of KA,B
A
2
KB,KDC(RB1)
3
RA1,A,B, KB,KDC(RB1)
4 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B,RB1))
5
KA,B(RA2), KB,KDC(A, KA,B,RB1)
6
KA,B(RA2-1, RB2)
7
KA,B(RB2-1)
Bob
1
KDC

Message 5 (former 3) contains an encrypted nonce (KB,KDC(RB1)) provided
by Bob.
Chuck can no longer simply replay message 5 (former 3) to fool Bob,
cause message 5 is now related to message 2 by including nonce RB1.
Alice

22
Authentication Using Public-Key
Cryptography
KA+, KB+: public keys
?
KB+(A, RA)
2
KA+(RA, RB,KA,B)
3
KA,B(RB)
Bob
1
Alice

23
More on Secure Channels
• In addition to authentication, a secure
channel also requires that messages are
confidential, and that they maintain their
integrity.
More on Secure Channels
• For example: Alice needs to be sure that
Bob cannot change a received message
and claim it came from her. And Bob
needs to be sure that he can prove the
message was sent by/from Alice, just in
case she decides to deny ever having sent
it in the first place.
• Solution: Digital Signing.
?
Digital Signatures
• Digital signing a message using public-key
cryptography.
• This is implemented in the RSA technology.
• Note: the entire document is encrypted/signed this can sometimes be a costly overkill.
Message Digest (MD)
• Can provide data integrity and nonrepudiation
– Used to verify the authentication of a message
• Idea: compute a hash on the message and
send it along with the message
• Receiver can apply the same hash function
on the message and see whether the result
coincides with the received hash
Message Digest Operation
• Transformation contains complex operations
(see textbook)
Initial digest
(constant)
Message (padded)
512 bits 512 bits
Transformation
Transformation
..
.
Transformation
Message digest
512 bits
Digital Signature
• In practice someone cannot alter the message without modifying the
digest
– Digest operation very hard to invert
• Encrypt digest with sender’s private key
• KA-, KA+: private and public keys of A
Secure Replicated Servers

A client issues a request to a group of replicated servers

Servers can be subject to Byzantine failures

How does the client gets the correct answer?
30
Strawman Solution

Client gets replies from all servers…

… and take majority voting

Problem: client needs to authenticate each server
31
Solution: Secret Sharing

Secret sharing: none of processes know the entire secret

Intuition:
- Assume we want to tolerate c failures (some of them can by
Byzantine failures)
- Need to combine responses such that c+1 correct servers are
sufficient to get the correct response
32
(k,n)-threshold Signature Scheme

One public key K+

n shares of corresponding private keys, Ki-, 1 <= i <= n

Encrypted value v with each of private key shares, i.e.,
vi=Ki-(v)

A client can decrypt value v using K+ only if it knows at
least k values of vi
33
Example

Assume 5 replicated servers that tolerate 2 corrupted servers, i.e., we
need to adopt a (k,n)-threshold signature scheme where k=3 & n=5
34
Related documents
Homework 1
Homework 1
Solution
Solution
CMSC 414 Computer (and Network) Security
CMSC 414 Computer (and Network) Security
Lecture 9
Lecture 9
CNT Assignment Doc
CNT Assignment Doc
Lec9
Lec9
Network Authentication Standards:
Network Authentication Standards:
Problem Set 1
Problem Set 1
Download
advertisement