CSE331 26 27

CSE331:
Introduction to Networks
and Security
Lectures 26 & 27
Fall 2002
Announcements
• Project 3 is due on Nov. 18th
CSE331 Fall 2002
Primary Attacks
• Impersonation.
• Replay.
• Interleaving.
• Reflection.
• Forced delay.
• Chosen plaintext.
Primary Controls
• Replay: use of challenge-response
techniques and embedding target identity in
response.
• Interleaving: link messages in a run with
chained nonces.
• Reflection: embed identifier of target party in
challenge response, use asymmetric
message formats, use uni-directional keys.
Primary Controls, continued
• Chosen text: embed self-chosen random
numbers (“confounders”) in responses, use
“zero knowledge” techniques.
• Forced delays: use random numbers with
short timeouts, use timestamps with other
techniques.
Multiple Use of Keys
• There are risks in using keys for multiple
purposes.
• Using an RSA key for both entity
authentication and signatures may allow a
chosen-text attack.
• B is the attacker acting as verifier, with rB = H(M) for some
message M.
– B -> A: rB
– A -> B: B, EA(rB)
– B(A) -> C: M, EA(H(M))   (B, pretending to be A)
Effective Control
• Notice how the protocol described earlier foils
this. Here’s the protocol:
– B -> A: rB
– A -> B: rA, B, SA(rA, rB, B)
• Here’s what happens:
– B -> A: rB
– A -> B: rA, B, EA(rA, rB, B)
– B(A) -> C: M, EA(rA, H(M), B)
– C finds that EA(rA, H(M), B) ≠ EA(H(M)) and
rejects the signature.
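
The chosen-text risk from the Multiple Use of Keys slide and the control above, as an added example that is not part of the lecture. Textbook RSA with a constructed toy key stands in for A's key; the function names and the length-prefixed hashing of (rA, rB, B) are assumptions.

```python
import hashlib

# Toy textbook RSA key for A (constructed: two Mersenne primes, no padding).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def h(*parts: bytes) -> int:
    """Hash length-prefixed fields to an integer below N."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(digest.digest(), "big") % N

def a_private_op(x: int) -> int:
    """A applies its private key to x (written EA(x) on the slides)."""
    return pow(x, D, N)

def c_verifies_signature(message: bytes, sig: int) -> bool:
    """C accepts sig as A's signature on message iff sig^E == H(message)."""
    return pow(sig, E, N) == h(message)

def naive_response(r_b: int) -> int:
    """Weak protocol: A applies its key directly to the verifier's challenge."""
    return a_private_op(r_b)

def structured_response(r_a: bytes, r_b: int, target: bytes) -> int:
    """Control: A signs (rA, rB, B), so the signed value is never rB alone."""
    return a_private_op(h(r_a, r_b.to_bytes(32, "big"), target))

M = b"constructed message M chosen by B"
R_B = h(M)                       # verifier B sets its challenge to H(M)
FORGED = naive_response(R_B)     # doubles as a valid signature on M
SAFE = structured_response(b"\x01" * 16, R_B, b"B")  # constructed rA

if __name__ == "__main__":
    print("naive response verifies as signature on M:",
          c_verifies_signature(M, FORGED))
    print("structured response verifies as signature on M:",
          c_verifies_signature(M, SAFE))
```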
Usurpation Attacks
• Identification protocols provide assurances
corroborating the identity of an entity only at a
given instant in time.
• Techniques to assure ongoing authenticity:
– Periodic re-identification.
– Tying identification to an ongoing integrity service.
For example: key establishment and encryption.
Key Establishment
• Symmetric keys.
– Point-to-Point.
– Needham-Schroeder.
– Kerberos.
• Asymmetric keys.
– X.509 key establishment.
– Attack example.
– Station To Station (STS) protocol.
– Bellovin-Merritt protocol.
Symmetric Keys
• Key establishment using only symmetric keys
requires use of pre-distribution keys to get
things going.
• These can be based on:
– Point to point distribution, or
– Key Distribution Center (KDC).
Point-to-Point
• Timestamp.
– A -> B : E(K, (k, t, B))   (k: session key)
• Nonce.
– B -> A : r
– A -> B : E(K, (k, r, B))
ISO/IEC 11770-2
Key Distribution Center
Distribution Center Setup
• A wishes to communicate with B.
• T is a trusted third party that provides session
keys.
• T has a key KAT in common with A and a key
KBT in common with B.
• A authenticates T using a nonce rA and
obtains a session key from T.
• A authenticates to B and transports the
session key securely.
Needham-Schroeder
1. A -> T : A, B, rA
2. T -> A : E( KAT, (k, rA, B, E( KBT, (k, A)) ))
A decrypts with KAT and checks rA and B. Holds
k for future correspondence with B.
3. A -> B : E( KBT, (k, A))
B decrypts with KBT.
4. B -> A : E(k, rB)
A decrypts with k.
5. A -> B : E(k, rB – 1)
B checks rB-1.
Attack Scenario 1
1. A -> T : A, B, rA
2. T -> C (A) : E( KAT, (k, rA, B, E( KBT, (k, A)) ))
C is unable to decrypt the message to A;
passing it along unchanged does no harm. Any
change will be detected by A.
Attack Scenario 2
1. A -> C (T) : A, B, rA
2. C (A) -> T : A, C, rA
3. T -> A : E( KAT, (k, rA, C, E( KCT, (k, A)) ))
Rejected by A because C rather than B.
Attack Scenario 3
1. A -> C (T) : A, B, rA
2. C -> T : C, B, rA
3. T -> C : E( KCT, (k, rA, B, E( KBT, (k, C)) ))
4. C (T) -> A : E( KCT, (k, rA, B, E( KBT, (k, C)) ))
A is unable to decrypt the message.
Attack Scenario 4
1. C -> T : C, B, rA
2. T -> C : E( KCT, (k, rA, B, E( KBT, (k, C)) ))
3. C (A) -> B : E( KBT, (k, C))
B will see that the purported origin (A) does not
match the identity indicated by the distribution
center.
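
The checks that reject attack scenarios 2, 3 and 4, run against an honest exchange, as an added example that is not part of the lecture. `seal`/`unseal` are a toy stand-in for E(K, ...), and all names, field labels and keys are constructed assumptions.

```python
import hashlib, hmac, json, os

def seal(key: bytes, fields: dict) -> str:
    """Toy stand-in for E(K, ...): SHAKE keystream XOR plus an HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(fields).encode()
    ks = hashlib.shake_256(key + nonce).digest(len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return (nonce + hmac.digest(key, nonce + ct, "sha256") + ct).hex()

def unseal(key: bytes, blob: str) -> dict:
    raw = bytes.fromhex(blob)
    nonce, tag, ct = raw[:16], raw[16:48], raw[48:]
    if not hmac.compare_digest(tag, hmac.digest(key, nonce + ct, "sha256")):
        raise ValueError("cannot decrypt: wrong key or altered message")
    ks = hashlib.shake_256(key + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def t_reply(keys: dict, src: str, dst: str, r: str) -> str:
    """Step 2: T answers the request (src, dst, r) with a fresh key k."""
    k = os.urandom(16).hex()
    ticket = seal(keys[dst], {"k": k, "from": src})
    return seal(keys[src], {"k": k, "r": r, "peer": dst, "ticket": ticket})

def a_checks(k_at: bytes, reply: str, r_a: str, wanted: str) -> None:
    """A after step 2: reply opens under KAT, carries rA, names B."""
    msg = unseal(k_at, reply)
    if (msg["r"], msg["peer"]) != (r_a, wanted):
        raise ValueError("nonce or peer does not match the request")

def b_checks(k_bt: bytes, ticket: str, claimed: str) -> None:
    """B after step 3: the ticket from T must name the claimed sender."""
    if unseal(k_bt, ticket)["from"] != claimed:
        raise ValueError("ticket was issued to a different party")

def verdict(check, *args) -> str:
    try:
        return check(*args) or "accepted"   # checks return None on success
    except ValueError as err:
        return "rejected: %s" % err

def scenarios() -> dict:
    keys, r_a = {n: os.urandom(16) for n in "ABC"}, os.urandom(8).hex()
    to_c = t_reply(keys, "C", "B", r_a)           # T's reply to C's own request
    c_ticket = unseal(keys["C"], to_c)["ticket"]  # E(KBT, (k, C))
    return {
        "honest": verdict(a_checks, keys["A"], t_reply(keys, "A", "B", r_a), r_a, "B"),
        "2": verdict(a_checks, keys["A"], t_reply(keys, "A", "C", r_a), r_a, "B"),
        "3": verdict(a_checks, keys["A"], to_c, r_a, "B"),
        "4": verdict(b_checks, keys["B"], c_ticket, "A"),
    }
```

Calling `scenarios()` returns one verdict per case: the honest run is accepted and each attack scenario is rejected at the check the slides name.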
Kerberos Setup
• A,T,B, shared keys KAT, KBT as in distribution
center.
• Nonce rA generated by A.
• Trusted synchronous clocks for generating a
time t and checking expiration of a lifetime L.
Kerberos Messages
1. A -> T : A, B, rA
2. T -> A : E( KBT, (k, A, L)), E( KAT, (k, rA, L, B))
3. A -> B : E( KBT, (k, A, L)), E( k, (A, t))
4. B -> A : E(k, t)
Ticket: E( KBT, (k, A, L)). Authenticator: E( k, (A, t)).
Kerberos Actions
1. A -> T : A, B, rA
2. T -> A : E( KBT, (k, A, L)), E( KAT, (k, rA, L, B))
Decrypt using KAT, check rA, B, and hold L for
future reference.
3. A -> B : E( KBT, (k, A, L)), E( k, (A, t))
Decrypt the ticket using KBT to get the session
key and lifetime. Use the session key to decrypt
the authenticator. Check A, t, L.
4. B -> A : E(k, t)
Check t.
Asymmetric Key Exchange
• X.509 key establishment.
• Impersonation case study.
• STS.
• Bellovin-Merritt protocol.
X.509 Key Establishment Setup
• X.509 is part of the X.500 series of ISO/IEC
standards.
• certA and certB are certificates for the public
keys of A and B.
• A has encryption function EA and signature
function SA. B has signature function SB.
• rA and rB are nonces.
• LA and LB are lifetimes (validity periods).
X.509 Key Est. Messages
• Let DA = EB(k), rA, LA, A.
• Let DB = rB, LB, rA, A
• Two messages:
1. A -> B : certA, DA, SA(DA)
Check that the nonce rA has not been seen, and is not
expired according to LA. Remember it for its lifetime
LA.
2. B -> A : certB, DB, SB(DB)
Check the rA and A. Check that rB has not been seen
and is not expired according to LB.
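
B's message-1 nonce check as an added example that is not part of the lecture: a cache that remembers rA only until LA passes, which suffices because a later replay fails the expiry test. Treating LA as an absolute expiry time, the class and method names, and the sample values are assumptions; certificate and signature checks are assumed done beforehand.

```python
import heapq

class NonceCache:
    """B's memory of nonces seen in message 1, kept only until L_A passes."""

    def __init__(self):
        self._seen = set()   # (sender, nonce) pairs still within lifetime
        self._expiry = []    # min-heap of (expires_at, sender, nonce)

    def _purge(self, now: float) -> None:
        # Forget nonces whose lifetime has ended; memory stays bounded.
        while self._expiry and self._expiry[0][0] <= now:
            _, sender, nonce = heapq.heappop(self._expiry)
            self._seen.discard((sender, nonce))

    def check(self, sender: str, nonce: str, expires_at: float, now: float) -> str:
        """Return 'fresh', 'replay' or 'expired' for a verified message 1."""
        self._purge(now)
        if expires_at <= now:
            return "expired"
        if (sender, nonce) in self._seen:
            return "replay"
        self._seen.add((sender, nonce))
        heapq.heappush(self._expiry, (expires_at, sender, nonce))
        return "fresh"

    def __len__(self) -> int:
        return len(self._seen)

def demo() -> list:
    cache = NonceCache()
    msg = ("A", "rA-constructed", 160.0)    # sender, nonce rA, end of lifetime LA
    return [cache.check(*msg, now=100.0),   # first delivery
            cache.check(*msg, now=130.0),   # replay inside the lifetime
            cache.check(*msg, now=200.0),   # replay after LA has passed
            len(cache)]                     # the entry was dropped at expiry

if __name__ == "__main__":
    print(demo())
```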
X.509 Variant
• X.509 supports several variants on the
previously-described protocol.
• Let DA = EB(kA), rA, LA, A.
• Let DB = EA(kB), rB, LB, rA, A
• Two messages:
1. A -> B : certA, DA, SA(DA)
2. B -> A : certB, DB, SB(DB)
Both A and B compute a session key f(kA, kB) as a
function of subkeys supplied by A and B.
Impersonation Case Study
Protocol X
1. A -> T : A, B
2. T -> A : ST(EB, B)
3. A -> B : EB(kA, A)
4. B -> T : B, A
5. T -> B : ST(EA, A)
6. B -> A : EA(kA, kB)
– Check kA. Calculate session key as f(kA,kB).
7. A -> B : EB(kB)
– Check kB. Calculate session key as f(kA,kB).
Interleaving Attack on Protocol X
• An interleaving attack on this protocol is
possible.
• An adversary C convinces:
– A that he is talking to C using session key
k = f(kA, kB).
– B that he is talking to A using session key k.
• C has access to the key k and can use it to
decrypt the responses that B makes to A.
Compromise Scenario
• B, C are taxpayers. A is the IRS.
• A contacts C, (presumably) authenticates and
sets up a session key k. C uses the
interleaving attack with B.
• B now thinks he is talking to the IRS.
• C answers questions directed to him by the
IRS.
• Meanwhile C, pretending to be IRS, asks B
for information about his income for the last 5
years.
What Went Wrong?
• Entity authentication: determining who you
are talking to.
• Key establishment: settling on a shared
session key.
• Protocol X admits an interleaving attack that
allows an adversary to exploit entity
authentication and then step in to exploit key
establishment.