Lecture 6.2: Protocols - Authentication and Key Exchange II

CS 436/636/736 Spring 2012

Nitesh Saxena


Course Admin

• HW2 solution emailed
• Grading ongoing
• Exam study topics emailed

04/21/23 Protocols: Authentication and Key Exchange


Course Admin

• Mid-Term Exam
– On March 08
– In class, from 11am-12:15pm
• Covers lectures up to Feb 23
• In-class review on Mar 06 (Tuesday)
• Strictly closed-book (no cheat-sheets are allowed)
• A sample exam will be provided as we near the exam date


Outline of Today’s lecture

• Today we try to put everything together
– Encryption (public-key/private-key)
– MACs
– Signing
– Key-Distribution
• Secure protocols (for secure communication)
– Authentication
  • We studied it somewhat while talking about key distribution
– (Authenticated-) Key Exchange
• Designing secure protocols is hard – we’ll only be able to learn the basics today
• We’ll use the board extensively today – be prepared to take notes


MAC-based Authentication

1. A -> B: A, r_A
2. B -> A: r_B, HMAC_K(r_B, r_A, A)
3. A -> B: HMAC_K(r_A, r_B, B)

• Faster than enc-based protocols (computationally)
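
An added example, not part of the original slides: the three-message MAC-based exchange above, run end to end with Python's standard `hmac` module. The `Party` class, the helper names and the length-prefixed field encoding are assumptions of this sketch; it also checks that B rejects its own step-2 tag when it is echoed back as step 3, which is what the differing nonce order and identity field provide.

```python
import hashlib, hmac, secrets

def tag(key, *fields):
    """HMAC-SHA256 over length-prefixed fields so boundaries are unambiguous."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Party:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.nonce = self.peer_nonce = None

    def start(self):
        """Step 1 (initiator): send own identity and a fresh nonce r_A."""
        self.nonce = secrets.token_bytes(16)
        return self.name, self.nonce

    def respond(self, peer_name, r_peer):
        """Step 2 (responder): send r_B and HMAC_K(r_B, r_A, A)."""
        self.nonce, self.peer_nonce = secrets.token_bytes(16), r_peer
        return self.nonce, tag(self.key, self.nonce, r_peer, peer_name)

    def finish(self, peer_name, r_peer, peer_tag):
        """Step 3 (initiator): check B's tag, then send HMAC_K(r_A, r_B, B)."""
        expected = tag(self.key, r_peer, self.nonce, self.name)
        if not hmac.compare_digest(expected, peer_tag):
            return None  # B did not prove knowledge of K
        return tag(self.key, self.nonce, r_peer, peer_name)

    def accept(self, final_tag):
        """Responder's check of step 3: expects HMAC_K(r_A, r_B, B)."""
        expected = tag(self.key, self.peer_nonce, self.nonce, self.name)
        return hmac.compare_digest(expected, final_tag)

def handshake(a, b):
    """Run all three steps; True only if both sides accept."""
    name_a, r_a = a.start()
    r_b, tag_b = b.respond(name_a, r_a)
    tag_a = a.finish(b.name, r_b, tag_b)
    return tag_a is not None and b.accept(tag_a)

def echoed_tag_rejected(a, b):
    """B's own step-2 tag, echoed back as step 3, must fail verification."""
    name_a, r_a = a.start()
    r_b, tag_b = b.respond(name_a, r_a)
    return not b.accept(tag_b)

K = secrets.token_bytes(32)  # constructed shared key for the demo
print(handshake(Party(b"A", K), Party(b"B", K)))
```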


Public-key based authentication (Needham-Schroeder (NS) pk-based)

• Assuming public keys are distributed through CA(s)

1. A -> B: Enc_pkb(r_A, A)
2. B -> A: Enc_pka(r_A, r_B)
3. A -> B: Enc_pkb(r_B)


Attack and fix on PK-based NS protocol

• Attack:

• Fix:

1. A -> B: Enc_pkb(r_A, A)
2. B -> A: Enc_pka(r_A, r_B, B)
3. A -> B: Enc_pkb(r_B)


Signature-based authentication (assuming public keys are distributed through CA)

A auth B
• A -> B: Hi Bob, this is Alice!
• B -> A: r (a challenge)
• A -> B: Sig_SKa(r, B) (response)

A auth B, B auth A (run two copies; piggyback common flows)
• A -> B: A, r_A (could sign this too)
• B -> A: r_B, Sig_SKb(r_B, r_A, A)
• A -> B: Sig_SKa(r_A, r_B, B)


Authenticated Key Exchange (AKE)

• Public-key operations are costly
• Why not
1. use public-key mutual authentication protocols to exchange a symmetric key
2. use this symmetric key with a symmetric encryption to secure subsequent communication


Security Notion for AKE

• Launch protocol between any pair
• Reveal all session keys except one
• Try to distinguish the key of the unrevealed session from random
• This captures: the compromise of other sessions should not lead to the compromise of any other session


1. A -> B: A, r_A, Enc_PKb(K) (must sign this too??)
2. B -> A: r_B, Sig_SKb(r_B, r_A, A)
3. A -> B: Sig_SKa(r_A, r_B, B)
4. A and B output K as the authenticated key

• Such a protocol can be instantiated using RSA encryption/signing
– The way SSL/SSH establishes key
• But, generally only the server authenticates to the client, not vice versa


X.509: One-Way Authentication

• 1 message (A->B) used to establish
– the identity of A and that message is from A
– message was intended for B
– integrity & originality of message


1. A -> B: A{ta, ra, B, sgnData, KUb[Kab]}

ta = timestamp, ra = nonce, B = identity, sgnData = signed with A’s private key


X.509: Two-Way Authentication

• 2 messages (A->B, B->A) which also establishes in addition:
– the identity of B and that reply is from B
– that reply is intended for A
– integrity & originality of reply


1. A -> B: A{ta, ra, B, sgnData, KUb[Kab]}
2. B -> A: B{tb, rb, A, sgnData, KUa[Kba]}


X.509: Three-Way Authentication

• 3 messages (A->B, B->A, A->B) which enables above authentication without the need for synchronized clocks


1. A -> B: A{ta, ra, B, sgnData, KUb[Kab]}
2. B -> A: B{tb, rb, A, sgnData, KUa[Kab]}
3. A -> B: A{rb}


Discrete Logarithm Assumption

• p, q primes such that q | p-1
• g’ be the generator of Z_p*
• g is an element of order q and generates a group G_q of order q; g = g’^((p-1)/q)
• x in Z_q, y = g^x mod p
• Given (p, q, g, y), it is computationally hard to compute x
– No polynomial time algorithm known
– p should be 1024-bits and q be 160-bits
• x becomes the private key and y becomes the public key


Example of DL-based system

• Let’s construct an example
• KeyGen:
– p = 11, q = 2 or 5; let’s say q = 5
– 2 is a generator of Z_11*
– g = 2^2 = 4
– x = 2; y = 4^2 mod 11 = 5


Diffie-Hellman (DH) Key Exchange

1. A -> B: Ka = g^a mod p
2. B -> A: Kb = g^b mod p
3. A outputs Kab = Kb^a
4. B outputs Kba = Ka^b

• Note Kab = Kba = g^(ab) mod p
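
An added example, not part of the original slides: the DL-based key generation and the DH exchange above, using the toy parameters from the example slide (p = 11, q = 5, g’ = 2). The function names are assumptions of this sketch, and `valid_public` goes beyond the slides by having the receiver check that the peer's value lies in the order-q subgroup before using it.

```python
import secrets

def subgroup_generator(p, q, g_prime):
    """g = g'^((p-1)/q) mod p; for prime q, g != 1 and g^q = 1 mean order q."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    g = pow(g_prime, (p - 1) // q, p)
    if g == 1 or pow(g, q, p) != 1:
        raise ValueError("g does not have order q")
    return g

def keygen(p, q, g, x=None):
    """Private key x in [1, q-1]; public key y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def valid_public(p, q, y):
    """Receiver-side check (an addition to the slides): y lies in the
    order-q subgroup generated by g and is not the identity element."""
    return 1 < y < p and pow(y, q, p) == 1

def dh_shared(p, q, own_private, peer_public):
    """Kab = Kb^a mod p, computed only after validating the peer value."""
    if not valid_public(p, q, peer_public):
        raise ValueError("peer value is outside the order-q subgroup")
    return pow(peer_public, own_private, p)

def slide_example():
    """Toy parameters from the slides: p = 11, q = 5, g' = 2, x = 2."""
    p, q = 11, 5
    g = subgroup_generator(p, q, 2)
    _, y = keygen(p, q, g, x=2)
    a, ka = keygen(p, q, g)          # A's ephemeral pair
    b, kb = keygen(p, q, g)          # B's ephemeral pair
    return g, y, dh_shared(p, q, a, kb), dh_shared(p, q, b, ka)

if __name__ == "__main__":
    print(slide_example())
```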


Security of DH key exchange

• No authentication of either party
• Secure only against a passive adversary
– Under the computational Diffie-Hellman assumption
  • Given (g, g^a, g^b), hard to compute g^(ab)
• Not secure against an active attacker
– Man-in-the-middle attack…


Authenticated DH Key Exchange

1. A -> B: Ka = g^a mod p
2. B -> A: Cert_b, Kb = g^b mod p, Enc_Kba[Sig_SKb(Kb, Ka)]
3. A -> B: Cert_a, Enc_Kab[Sig_SKa(Ka, Kb)]
4. A outputs Kab = Kb^a
5. B outputs Kba = Ka^b


Summary

• Designing secure protocols is not easy
– Becomes harder in a concurrent setting, where there are multiple parties, executing multiple instances of the protocols simultaneously
– Becomes even harder as the number of parties increases; n-party or group setting
• Use the protocols that are well-studied and standardized
• While designing a protocol, consider
– Reflection attacks
– Replay attacks
– Eliminating any symmetry in the messages


Further Reading

• HAC – chapter 10
• Stallings – Chapter 15
