Lecture 11
Protocols (Continued)
Chapters 9 and 11 in KPS
Key Distribution Center (KDC) or Trusted Third Party (TTP)

  Msg1: A → KDC: KA(A, B)            KDC generates fresh K
  Msg2: KDC → A: KA(K, KB(A, K))     Alice obtains K
  Msg3: A → B:   KB(A, K)            Bob obtains K and knows to use it as a key for communicating with Alice

  K(X) = Encryption of X with key K

• Alice and Bob communicate using K as a short-term (session) key for encryption and/or data integrity
• Note:
  • Msg2 is not tied to Msg1
  • Msg1 is possibly old
  • Msg2 is possibly old and so is Msg3
  • Bob and Alice don’t authenticate each other!
A Typical Key Distribution Scenario

  (1) A → KDC: Request, B, N1
  (2) KDC → A: EKa[Ks, Request, N1, EKb(Ks, A)]
  (3) A → B:   EKb[Ks, A]
  (4) B → A:   EKs[A, N2]
  (5) A → B:   EKs[f(N2)]

  EK[X] = Encryption of X with K

Notes:
• Msg2 is tied to Msg1
• Msg2 is fresh/new
• Msg3 is possibly old *
• Msg1 is possibly old (KDC doesn’t authenticate Alice)
• Bob authenticates Alice
• Bob authenticates KDC
• Alice DOES NOT authenticate Bob
Public Key Distribution

General schemes:
• Public announcement (e.g., in a newsgroup or email message)
  • Can be forged
• Publicly available directory
  • Can be tampered with
• Public-key certificates (PKCs) issued by trusted off-line Certification Authorities (CAs)
Certification Authorities

• Certification authority (CA): binds public key to a specific entity
• Each entity (user, host, etc.) registers its public key with CA.
  • Bob provides “proof of identity” to CA.
  • CA creates certificate binding Bob to this public key.
  • Certificate containing Bob’s public key digitally signed by CA:
    CA says: “this is Bob’s public key”

  Bob’s public key PKB + Bob’s identifying information
      → digital signature (with CA private key SKCA)
      → certificate for Bob’s public key, signed by CA
• When Alice wants to get Bob’s public key:
  • Get Bob’s certificate (from Bob or elsewhere)
  • Using CA’s public key verify the signature on Bob’s certificate
  • Check for expiration
  • Check for revocation (we’ll talk about this later)
  • Extract Bob’s public key

  Certificate for Bob’s public key, signed by the Certification Authority (CA)
      → verify digital signature (with CA public key PKCA)
      → Bob’s public key PKB
A Certificate Contains

• Serial number (unique to issuer)
• Info about certificate owner, including algorithm and key value itself (not shown)
• Info about certificate issuer
• Valid dates
• Digital signature by issuer
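As an added example (not code from the lecture or from KPS), the following Go program uses the standard library's crypto/x509 to play both roles from these slides: the CA issues Bob a certificate carrying the fields listed above (serial number, owner, issuer, validity dates, issuer signature), and Alice verifies the CA's signature with PKCA, checks the validity dates, checks the name and only then extracts PKB. The names "Example CA" and "Bob", the serial numbers, the validity periods and the ECDSA P-256 key type are choices made here; the revocation check from the slide is noted but not implemented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI holds what the demonstration needs: the CA certificate (its public key
// PKCA is what everyone trusts), Bob's certificate and Bob's private key.
type PKI struct {
	CACert  *x509.Certificate
	BobCert *x509.Certificate
	BobKey  *ecdsa.PrivateKey
}

// issue has the signer's key sign a certificate built from tmpl for pub.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// setupPKI plays the CA: generate SKCA/PKCA, self-sign the CA certificate, then
// bind Bob's registered public key to his name for one year from 'issued'.
func setupPKI(issued time.Time) (*PKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // unique per issuer (constructed value)
		Subject:               pkix.Name{CommonName: "Example CA"},
		NotBefore:             issued,
		NotAfter:              issued.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	bobKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // Bob's own key pair
	if err != nil {
		return nil, err
	}
	bobTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Bob"}, // owner info; issuer info is copied from caCert
		NotBefore:    issued,
		NotAfter:     issued.AddDate(1, 0, 0), // valid dates
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	bobCert, err := issue(bobTmpl, caCert, &bobKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &PKI{CACert: caCert, BobCert: bobCert, BobKey: bobKey}, nil
}

// aliceGetKey is Alice's side of the slide: verify the CA's signature with PKCA,
// check the validity dates against 'now', check the name, then extract PKB.
// Revocation (CRL/OCSP) is a separate check that is not performed here.
func aliceGetKey(caCert, cert *x509.Certificate, name string, now time.Time) (*ecdsa.PublicKey, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate rejected: %w", err)
	}
	if cert.Subject.CommonName != name {
		return nil, errors.New("certificate belongs to someone else")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("unexpected key type")
	}
	return pub, nil
}

func main() {
	issued := time.Now()
	pki, err := setupPKI(issued)
	if err != nil {
		panic(err)
	}
	if pub, err := aliceGetKey(pki.CACert, pki.BobCert, "Bob", issued.Add(time.Hour)); err == nil {
		fmt.Println("got Bob's key:", pub.Equal(&pki.BobKey.PublicKey))
	}
	_, err = aliceGetKey(pki.CACert, pki.BobCert, "Bob", issued.AddDate(2, 0, 0))
	fmt.Println("two years later:", err)
}
```

The expiration check is done by passing the verifier's clock in VerifyOptions.CurrentTime rather than comparing dates by hand, so the same code path also rejects a certificate presented before its NotBefore date. A certificate for the same key signed by some other CA fails the signature check because only the intended CA's certificate is in the root pool.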
A Sample Certificate (1/2)

A Sample Certificate (2/2)
Back to Protocols
Needham-Schroeder Protocol (1978): First Distributed Security Protocol

  1. A → T: A, B, NA
  2. T → A: {NA, B, K, {K, A}KB}KA
  3. A → B: {K, A}KB
  4. B → A: {NB}K
  5. A → B: {NB-1}K

  T = KDC
  {X}K = Encryption of X with key K
Security?

Denning-Sacco Attack: suppose Eve recorded an old protocol session for which she somehow knows the session key K':

  1. A → T: A, B, NA
  2. T → A: {NA, B, K', {K', A}KB}KA
  3. A → B: {K', A}KB

At a later time:

  3. E → B: {K', A}KB
  4. B → E: {NB}K'
  5. E → B: {NB-1}K'
Fixing the Attack

• Bob has no guarantees about freshness of the message in step 3.
• Eve exploits this to impersonate Alice to Bob - old session keys are useful.
• Can be fixed by adding timestamps:
  • Limits usefulness of old session keys
  • Eve’s attack becomes:
      3. E → B: {K', T', A}KB
    The attack is now thwarted because T' is stale.
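The following Go program is an added example, not code from the lecture or from KPS. It implements messages 1 to 3 of the Needham-Schroeder exchange (the same shape as the KDC exchanges on the earlier slides) with AES-256-GCM standing in for the slide's abstract {X}K, and adds the Denning-Sacco timestamp T to Bob's ticket so that Bob can check it. Everything not on the slides is an assumption made here: JSON-encoded message fields, 32-byte keys, a 5-minute freshness window, and a fixed clock value so that the replay an hour later is reproducible.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Ticket is {K, A, T}KB: the part of message 2 that Alice forwards as message 3.
// Issued is the Denning-Sacco timestamp T; the 1978 protocol has no such field.
type Ticket struct {
	Key    []byte
	Client string
	Issued time.Time
}

// Msg2 is {NA, B, K, ticket}KA.
type Msg2 struct {
	Nonce, Key, Ticket []byte
	Peer               string
}

// randomBytes draws from crypto/rand, which does not fail on supported platforms.
func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// seal stands in for the slide's {X}K: the JSON-encoded struct v under AES-256-GCM, nonce prepended.
func seal(key []byte, v any) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block)
	nonce := randomBytes(aead.NonceSize())
	pt, _ := json.Marshal(v) // cannot fail for the structs used here
	return aead.Seal(nonce, nonce, pt, nil)
}

// open reverses seal into v; a wrong key or a modified ciphertext fails GCM authentication.
func open(key, sealed []byte, v any) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	aead, _ := cipher.NewGCM(block)
	if len(sealed) < aead.NonceSize() {
		return errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
	if err != nil {
		return err
	}
	return json.Unmarshal(pt, v)
}

// kdcRespond is T's answer to message 1 (A, B, NA): a fresh K plus Bob's ticket.
func kdcRespond(kA, kB []byte, a, b string, nA []byte, now time.Time) []byte {
	k := randomBytes(32)
	ticket := seal(kB, Ticket{Key: k, Client: a, Issued: now})
	return seal(kA, Msg2{Nonce: nA, Peer: b, Key: k, Ticket: ticket})
}

// aliceAccept ties message 2 to message 1: it must echo NA and name the peer
// Alice asked for, so an old or redirected reply cannot be slipped in.
func aliceAccept(kA, nA []byte, b string, msg2 []byte) (Msg2, error) {
	var m Msg2
	if err := open(kA, msg2, &m); err != nil {
		return m, err
	}
	if !bytes.Equal(m.Nonce, nA) || m.Peer != b {
		return m, errors.New("message 2 does not answer message 1")
	}
	return m, nil
}

// bobAccept opens message 3. With checkAge=false it behaves like the original
// protocol and accepts any ticket that decrypts under KB, however old it is.
func bobAccept(kB, ticket []byte, now time.Time, checkAge bool, maxAge time.Duration) (Ticket, error) {
	var t Ticket
	if err := open(kB, ticket, &t); err != nil {
		return t, err
	}
	if age := now.Sub(t.Issued); checkAge && (age > maxAge || age < -maxAge) {
		return t, fmt.Errorf("stale ticket for %s issued %s", t.Client, t.Issued.Format(time.RFC3339))
	}
	return t, nil
}

// replayScenario runs an honest session at t0, then lets Eve, who recorded
// message 3 (and, as on the slide, knows that old K), replay it an hour later.
func replayScenario(checkAge bool) (honestOK, replayAccepted bool) {
	kA, kB := randomBytes(32), randomBytes(32)
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock value
	nA := randomBytes(16)
	m, err := aliceAccept(kA, nA, "Bob", kdcRespond(kA, kB, "Alice", "Bob", nA, t0))
	if err != nil {
		return false, false
	}
	tk, err := bobAccept(kB, m.Ticket, t0, checkAge, 5*time.Minute)
	honestOK = err == nil && bytes.Equal(tk.Key, m.Key) && tk.Client == "Alice"
	_, err = bobAccept(kB, m.Ticket, t0.Add(time.Hour), checkAge, 5*time.Minute)
	return honestOK, err == nil
}

func main() {
	fmt.Println(replayScenario(false)) // true true: the 1978 protocol accepts the hour-old ticket
	fmt.Println(replayScenario(true))  // true false: the timestamp check rejects it
}
```

Run as is, the first line shows the 1978 behaviour (the replayed ticket is accepted, and since Eve knows that K' she could also answer Bob's challenge in step 4) and the second the fixed behaviour. The window check is two-sided so that a ticket dated in the future is rejected as well; in practice the window has to cover the clock skew between Bob and the KDC.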
PK-based Needham-Schroeder Protocol

  1. A → TTP: {A, B}
  2. TTP → A: {PKb, B}SKT
  3. A → B:   [Na, A]PKb
  4. B → TTP: {B, A}
  5. TTP → B: {PKa, A}SKT
  6. B → A:   [Na, Nb]PKa
  7. A → B:   [Nb]PKb

• TTP (KDC) issues CERTB = Message 2, CERTA = Message 5
• PKA: Alice’s public key, PKB: Bob’s public key
• SKT: TTP’s secret (private) key used for signing
• Everyone knows TTP’s public key PKT
• [X]K = Encryption of X with key K
Another Attack

• 1, 2, 4, 5: Delivery of public key
• Does not guarantee freshness of the public key

How to solve it?
• Timestamp in messages 2 and 5, or challenges in messages 1&2 and 4&5
• Public Key Certificate: assign expiration time/date to each certificate (messages 2 and 5)
PK-based Denning-Sacco Attack

  CertA = {PKA, A}SKT,  CertB = {PKB, B}SKT,  CertC = {PKC, C}SKT  (issued by TTP/KDC)

  Original run:
  1. A → TTP: A, B
  2. TTP → A: CertA, CertB
  3. A → B:   CertA, CertB, [ {KAB, TA}SKA ]PKB
  4. Secure communication with KAB

  Bob impersonates Alice to C (C thinks she is talking to A):
  3'. B → C: CertA, CertC, [ {KAB, TA}SKA ]PKC
  4'. Secure communication with KAB
Lowe’s Attack (Impersonation by Interleaving)

Original:
  3. A → B: [Na, A]PKb
  6. B → A: [Na, Nb]PKa
  7. A → B: [Nb]PKb

Attack (E ‘plays’ A):
  1.3. A → E: [Na, A]PKe
  2.3. E → B: [Na, A]PKb
  2.6. B → E: [Na, Nb]PKa
  1.6. E → A: [Na, Nb]PKa
  1.7. A → E: [Nb]PKe
  2.7. E → B: [Nb]PKb

Fix:
  3. A → B: [Na, A]PKb
  6. B → A: [B, Na, Nb]PKa
  7. A → B: [Nb]PKb
Fixed PK-based Needham-Schroeder Protocol

  1. A → TTP: {A, B}
  2. TTP → A: {PKb, B}SKT
  3. A → B:   [Na, A]PKb
  4. B → TTP: {B, A}
  5. TTP → B: {PKa, A}SKT
  6. B → A:   [B, Na, Nb]PKa
  7. A → B:   [Nb]PKb
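Added example, not part of the lecture: a symbolic model in Go of messages 3, 6 and 7 of the original and fixed protocols, in the style that protocol analysis tools use (a box marked [..]PKx can only be opened by x; no real cipher is involved). runLowe replays the six-step interleaving from the Lowe’s Attack slide. Without the fix Bob finishes believing he shares Nb with A; with the fix Alice compares the name in message 6 ("B") against the party she is talking to ("E") and aborts, so Bob never receives message 7. The names A, B, E, Na and Nb are the slide's; the types and function names are mine.

```go
package main

import "fmt"

// Box models public-key encryption [X]PK symbolically: only the principal
// named in For can open it. No real cipher is used here.
type Box struct {
	For  string
	Body Payload
}

// Payload is the plaintext of messages 3, 6 and 7.
type Payload struct {
	Nonces []string // [Na], [Na, Nb] or [Nb]
	Name   string   // "A" in message 3; "B" in message 6 only with Lowe's fix
}

func (b Box) open(by string) (Payload, bool) {
	if b.For != by {
		return Payload{}, false
	}
	return b.Body, true
}

// Alice is the initiator; peer is who she believes she is talking to.
type Alice struct{ peer, na string }

// msg3 is [Na, A]PK(peer).
func (a *Alice) msg3() Box {
	return Box{For: a.peer, Body: Payload{Nonces: []string{a.na}, Name: "A"}}
}

// msg7 checks message 6 and answers [Nb]PK(peer); ok=false means Alice aborts.
func (a *Alice) msg7(m Box, fixed bool) (Box, bool) {
	p, ok := m.open("A")
	if !ok || len(p.Nonces) != 2 || p.Nonces[0] != a.na {
		return Box{}, false
	}
	if fixed && p.Name != a.peer { // the fix: message 6 must name the responder
		return Box{}, false
	}
	return Box{For: a.peer, Body: Payload{Nonces: []string{p.Nonces[1]}}}, true
}

// Bob is the responder; claimed is the name carried in message 3.
type Bob struct{ claimed, nb string }

// msg6 answers message 3 with [Na, Nb]PK(claimed), plus "B" in the fixed version.
func (b *Bob) msg6(m Box, fixed bool) (Box, bool) {
	p, ok := m.open("B")
	if !ok || len(p.Nonces) != 1 {
		return Box{}, false
	}
	b.claimed = p.Name
	out := Payload{Nonces: []string{p.Nonces[0], b.nb}}
	if fixed {
		out.Name = "B"
	}
	return Box{For: b.claimed, Body: out}, true
}

// accept checks message 7; on success Bob believes he has authenticated 'claimed'.
func (b *Bob) accept(m Box) (string, bool) {
	p, ok := m.open("B")
	if !ok || len(p.Nonces) != 1 || p.Nonces[0] != b.nb {
		return "", false
	}
	return b.claimed, true
}

// runHonest is a plain A ↔ B run, to show that the fix does not break the protocol.
func runHonest(fixed bool) (bobBelieves string, aliceAborted bool) {
	alice, bob := &Alice{peer: "B", na: "Na"}, &Bob{nb: "Nb"}
	m6, _ := bob.msg6(alice.msg3(), fixed)
	m7, ok := alice.msg7(m6, fixed)
	if !ok {
		return "", true
	}
	who, _ := bob.accept(m7)
	return who, false
}

// runLowe interleaves the two sessions from the slide: Alice talks to E and
// E replays her messages to Bob.
func runLowe(fixed bool) (bobBelieves string, aliceAborted bool) {
	alice, bob := &Alice{peer: "E", na: "Na"}, &Bob{nb: "Nb"}
	p, _ := alice.msg3().open("E")                    // 1.3 A → E: [Na, A]PKe, which E can open
	m26, _ := bob.msg6(Box{For: "B", Body: p}, fixed) // 2.3 E → B: [Na, A]PKb; 2.6 B → E: [Na, Nb]PKa
	m17, ok := alice.msg7(m26, fixed)                 // 1.6 E → A: forwarded unopened; 1.7 A → E: [Nb]PKe
	if !ok {
		return "", true
	}
	p, _ = m17.open("E")
	who, ok := bob.accept(Box{For: "B", Body: p}) // 2.7 E → B: [Nb]PKb
	if !ok {
		return "", false
	}
	return who, false
}

func main() {
	for _, fixed := range []bool{false, true} {
		who, aborted := runLowe(fixed)
		fmt.Printf("fixed=%v: Bob believes he talked to %q; Alice aborted: %v\n", fixed, who, aborted)
	}
}
```

The model deliberately leaves out what does not matter for the attack (certificates, the TTP, real encryption) so that the single check that closes the interleaving, the name comparison in msg7, is the only difference between the two runs.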
Reflection Attack and a Fix

• Original Protocol
  1. A → B: rA
  2. B → A: {rA, rB}K
  3. A → B: rB

• Attack
  1. A → E: rA
  2. E → A: rA           : Starting a new session
  3. A → E: {rA, rA'}K   : Reply to (2)
  4. E → A: {rA, rA'}K   : Reply to (1)
  5. A → E: rA'

• Solutions?
  1. Use 2 different uni-directional keys k'' (A→B) and k' (B→A)
  2. Remove symmetry (direction, msg identifiers)
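Added example (not from the lecture) in Go, for solution 1 on this slide. The responder's reply {rA, rB}K is represented by an HMAC-SHA256 tag over (rA, rB), a choice made here because the attack turns on which key authenticates which direction, not on confidentiality. reflectionAttack replays Eve's steps against Alice alone: with one shared key Alice accepts her own reflected answer as Bob's, with separate A→B and B→A keys (k'' and k' on the slide) the tag she produced as responder does not verify under the key she expects as initiator.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// tag authenticates the fields of message 2 under key; it stands in for the
// slide's {rA, rB}K, since only integrity matters for this attack.
func tag(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// nonce draws 16 random bytes from crypto/rand, which does not fail on supported platforms.
func nonce() []byte {
	r := make([]byte, 16)
	rand.Read(r)
	return r
}

// respond is step 2 as run by the responder: a fresh rB bound to the challenge
// it received, under the key for its own sending direction.
func respond(sendKey, challenge []byte) (rB, t []byte) {
	rB = nonce()
	return rB, tag(sendKey, challenge, rB)
}

// verify is the initiator's check on step 2, using the key for the direction
// peer → initiator (the same key as sendKey when only one key is shared).
func verify(recvKey, myChallenge, rB, t []byte) bool {
	return hmac.Equal(t, tag(recvKey, myChallenge, rB))
}

// reflectionAttack plays Eve against Alice alone; Bob never takes part.
// keyAB and keyBA are the keys Alice uses for A→B and B→A traffic. It returns
// true if Alice accepts her own reflected answer as if it came from Bob.
func reflectionAttack(keyAB, keyBA []byte) bool {
	rA := nonce()                // 1. A → E(B): rA
	//                              2. E → A: rA          (Eve opens a second session with Alice's own challenge)
	rA2, t := respond(keyAB, rA) // 3. A → E: {rA, rA'}K  (Alice answers as responder, A→B direction)
	//                              4. E → A: {rA, rA'}K  (Eve replays it as Bob's answer in session 1)
	return verify(keyBA, rA, rA2, t)
}

func main() {
	shared := nonce()
	fmt.Println("one shared key, reflection accepted:", reflectionAttack(shared, shared))
	kAB, kBA := nonce(), nonce()
	fmt.Println("two directional keys, reflection accepted:", reflectionAttack(kAB, kBA))
}
```

Solution 2 on the slide can be expressed in the same code by feeding a direction label such as "B→A" into tag as a further part: the reflected tag then carries the wrong label and fails verification even when a single key is shared.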
Interleaving Attacks

• Protocol for Mutual Authentication
  1. A → B: A, rA
  2. B → A: rB, {rB, rA, A}SKB
  3. A → B: rA', {rA', rB, B}SKA

• Attack
  1. E → B: A, rA
  2. B → E: rB, {rB, rA, A}SKB
  3. E → A: B, rB
  4. A → E: rA', {rA', rB, B}SKA
  5. E → B: rA', {rA', rB, B}SKA

• Attack due to symmetric messages (2), (3)
Lessons learned?

• Designing secure protocols is hard. There are many documented failures in the literature.
• Good protocols are already standardized (e.g., ISO 9798, X.509, …) – use them!
  • In other words, don’t invent your own!
• The problem of verifying (proving) protocol security gets much harder as protocols get more complex: more parties, messages and rounds.
If interested to learn further, read this paper:
“Programming Satan’s Computer” by R. Anderson and R. Needham
available at: http://www.cl.cam.ac.uk/~rja14/Papers/satan.pdf
Secure Protocol Examples
Authenticated Public-Key-based Key Exchange (Station-to-Station or STS Protocol)

(Diagram: Alice chooses random v and computes; Bob chooses random w and computes.)
X.509 Authentication & Key Distribution Protocols

• One-message:   A → B
• Two-message:   A → B
• Three-message: A ←→ B