Professional Documents
Culture Documents
Z08 Lecture 1 - 2
Z08 Lecture 1 - 2
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
DS DCN
Lecture Objectives
u u u u Define authentication Identify types of protocols needed Identify threats Examine classic protocols based on SKC and identify weaknesses
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
1-2
Page 1
1
DS DCN
Authentication
u Assurance that messages are from claimed originator u Generally implies that original message has not been tampered with - message integrity u Does not necessarily imply secrecy Mutual authentication: Two parties satisfy themselves of each others identity usually for long term (session or transaction) interaction u One-way Authentication: One party is authenticated, eg. your login to Unix u
1-3
Z08
DS DCN
Cryptography
u Use cryptography to achieve these functions u Need keys to be distributed u Key distribution different for PKC and SKC u Need Key Distribution Protocols u Need PKC and SKC protocols u Also, need message oriented (single-ended) protocols and stream oriented (two-way) protocols
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
1-4
Page 2
2
DS DCN
Two-way SKC
Two-way PKC
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
1-5
DS DCN
Notation
A, B U, V E S Kx Ks {Data}K Principals - good guys eg. Alice, Bob Domains - organisations eg. UCL, IBM Eavesdropper - bad guys, eg. Eve Security server/service Personal key of x Session key Data encrypted with key K
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
1-6
Page 3
3
DS DCN
Z08
DS DCN
Z08
Page 4
4
DS DCN
Z08
DS DCN
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
1 - 10
Page 5
5
DS DCN
Two-Way Authentication
Protocol is broadly of form below Ka, Kb are Personal Keys Ks is the Session Key
1 2 Authentication Server - S
Ka
Kb
Ka
Client - A Ks 3 4
Server - B Ks
Kb
Z08
1 - 11
DS DCN
u A, B are parties involved u S is Authentication Server u Ka, Kb are personal keys of A, B known only to owner and S u I is nonce used once only u Ks is conversation key or session key generated by S u , indicates message composition or concatenation
Authentication with SKC 1. 2. 3. 4. 5. 6. A->S: S->A: A->B: B->A: A->B: A<->B: A, B, Ia1 {Ia1, B, Ks, {Ks, A}Kb }Ka {Ks, A}Kb {Ib}Ks {f(Ib)}Ks {Data}Ks
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
1 - 12
Page 6
6
DS DCN
Z08
DS DCN
Authentication with Secret Keys 1. A->Su: A, B, Ia1 {Ks, B, A, Ia1}Ksas {{Ks, A}Kb, Ia1, A}Ksas {Ia1, B, Ks, {Ks, A}Kb }Ka {Ks, A}Kb {Ib}Ks {f(Ib)}Ks
u As before, plus: u Su, Sv are Authentication Servers u Ka, Kb are secret keys of A, B known only to owner & Su, Sv resp. u Ksas is conversation key between authentication servers
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
1 - 14
Page 7
7
DS DCN
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
1 - 15
DS DCN
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
1 - 16
Page 8
8
DS DCN
u A, B are parties involved u S is Authentication Server u Ka, Kb are personal keys of A, B known only to owner and S u T is timestamp u Ks is conversation key or session key generated by S u , indicates message composition or concatenation
Authentication with SKC 1. A->S: 2. S->A: 3. A->B: 4. B->A: 5. A->B: 6. A<->B: A, B {T, B, Ks, {Ks, A, T}Kb }Ka {Ks, A, T}Kb {Ib}Ks {f(Ib)}Ks {Data}Ks
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
1 - 17
DS DCN
Z08
u Provided Bs personal key not compromised, only replay of message 3 is possible and timestamp thwarts this attack
1 - 18
Page 9
9
DS DCN
Z08
DS DCN
Z08
u A, B are parties involved u S is Authentication Server u Ka, Kb are personal keys of A, B known only to owner and S u Tb is time limit for session key u Ia, Ib are nonces u Ks is conversation key or session key generated by S u , indicates message composition or concatenation
Authentication with SKC 1. A->B: 2. B->S: 3. S->A: A, Ia B, Ib, {A, Ia, Tb}Kb {B, Ia, Ks, Tb}Ka, {A, Ks, Tb}Kb, Ib 4. A->B: 5. A<->B: {A, Ks, Tb}Kb, {Ib}Ks {Data}Ks
1 - 20
Page 10
10
DS DCN
Z08
DS DCN
u Can avoid repeated KDC exchanges by use of ticket within validity period u Tb is relative to Bs clock so no clock sync. issue Z08
Creation of new session 1. A->B: 2. B->A: 3. A->B: 4. A<->B: {A, Ks, Tb}Kb, Ia Ib, {Ia}Ks {Ib}Ks {Data}Ks
1 - 22
Page 11
11
DS DCN
Single-ended Authentication
u In some applications parties are not necessarily available simultaneously, e.g. e-mail u Ideally, we would like to have mutual authentication so that A knows only B can read message and B knows that it could only have come from A u If not possible to have 2-way dialogue, assurances may be weaker u Note: this is not strictly one-way authentication
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
1 - 23
DS DCN
u Single-ended system, e.g. email u As before, plus: u TS is senders timestamp u Sn is serial number of message fragment u Recipient must check for possible replays (via max. clock asynchrony and estimated delivery delay)
Authentication with Secret Keys 1. A->S: 2. S->A: 3. A->B: A, B, Ia1 {Ia1, B, Ks, {Ks, A}Kb }Ka {Ks, A}Kb, {TS,S1, Mess1}Ks, {S2,Mess2}Ks, ..
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
1 - 24
Page 12
12
DS DCN
E-mail Protocols
u This can form the basis of secure e-mail protocols u However, e-mail is often distributed by the originator to several recipients so there are additional threats and additional service requirements u What might they be? u See Pretty Good Privacy (PGP) and Privacy Enhanced Mail (PEM) for more details
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
1 - 25
DS DCN
Further Reading
u W Stallings, Cryptography and Network Security: Principles and Practice, 2ed, Prentice Hall, 1999, 0-13869017-0 o Key Distribution: pp 141-149 o Authentication: pp 303-311 o Pretty Good Privacy: pp 356-374 C Pfleeger, Security in Computing, 2ed, Prentice Hall, 1997, 0-13-185794-0 o Privacy Enhanced Mail: pp 422-426
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
1 - 26
Page 13
13
DS DCN
Further Reading - 2
u R Needham & M Schroeder, Using Encryption for Authentication in Large Networks of Computers, CACM, Dec 1978 D Denning, Cryptography and Data Security, AddisonWesley, 1982 B Neuman & S Stubblebine, A Note on the use of Timestamps as Nonces, ACM Operating Systems Review, 1993
Z08
MSc in Data Communications Networks and Distributed Systems, UCL
1 - 27
Page 14
14