Lec 9
Sheng Zhong
Password Authentication
Oldest(?) way to authenticate an entity. Each user has a password.
Host keeps a list of (user id, password).
Woo-Lam Authentication
Assume there is a trusted third party: Trent.
Alice shares a key KAT with Trent. Bob shares a key KBT with Trent. Alice wants to authenticate to Bob.
Woo-Lam Protocol
1. Alice → Bob: Alice
2. Bob → Alice: Nonce
3. Alice → Bob: {Nonce}KAT
4. Bob → Trent: {Alice, {Nonce}KAT}KBT
5. Trent → Bob: {Nonce}KBT
Bob: Decrypt the above ciphertext. If getting Nonce back, then accept. Otherwise, reject.
A Quick Fix
The main problem causing the parallel session attack is that messages from different sessions are not appropriately separated.
So each message should carry a session number. Accept a session only if the last message of this session is accepted. However, this fixed version is still subject to other attacks.
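The fixed Woo-Lam exchange described above (a session number in every message, and Bob accepting only when Trent's final message matches that session), as an added example that is not from the slides. It assumes a toy authenticated-encryption stand-in for the {M}K notation, a Python dictionary as Trent's key table, and the five message layouts shown on the protocol slide.

```python
import hashlib, hmac, json, os

def _ks(key, iv, n):
    return b"".join(hashlib.sha256(key + iv + bytes([i])).digest() for i in range(n // 32 + 1))

def enc(key, obj):
    """Toy authenticated encryption standing in for {M}K on the slides (an
    assumption of this example, not a real cipher): iv || keystream XOR json || HMAC tag."""
    pt, iv = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, "sha256").digest()

def dec(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, "sha256").digest()):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, iv, len(ct)))))

def trent(keys, m4):
    """Trent opens {Alice, {Nonce, sid}KAT, sid}KBT with KBT, then the inner
    ciphertext with the claimant's key, and replies {Nonce, sid}KBT."""
    req = dec(keys["Bob"], m4)
    inner = dec(keys[req["claimant"]], bytes.fromhex(req["inner"]))
    if inner["sid"] != req["sid"]:
        raise ValueError("inner and outer session numbers disagree")
    return enc(keys["Bob"], {"nonce": inner["nonce"], "sid": req["sid"]})

def bob_accepts(keys, bob_sessions, sid, m5):
    """Bob accepts session sid only if Trent's reply names sid and carries
    the nonce Bob issued for that very session (the slide's fix)."""
    try:
        got = dec(keys["Bob"], m5)
    except ValueError:
        return False
    return got["sid"] == sid and bob_sessions.get(sid) == got["nonce"]

def run_session(keys, bob_sessions, claimant, claimant_key, sid):
    """Messages 1-5 of one session. Returns (accepted, m5)."""
    nonce = os.urandom(16).hex()            # 1-2: claimant says "Alice", Bob sends Nonce
    bob_sessions[sid] = nonce
    m3 = enc(claimant_key, {"nonce": nonce, "sid": sid})                  # 3: {Nonce, sid}KAT
    m4 = enc(keys["Bob"], {"claimant": claimant, "inner": m3.hex(), "sid": sid})  # 4: to Trent
    try:
        m5 = trent(keys, m4)                                              # 5: {Nonce, sid}KBT
    except (KeyError, ValueError):
        return False, None                  # Trent cannot vouch for the claimant
    return bob_accepts(keys, bob_sessions, sid, m5), m5

KEYS = {"Alice": os.urandom(32), "Bob": os.urandom(32)}  # Trent's key table (constructed)
```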
IPSec
Internet security standard.
Established by Internet Engineering Task Force (IETF). Provides authentication (mandatory) and data confidentiality (optional) services. Very complex. Has many security problems.
Authentication Header
A header immediately following IP header in an IP packet. Includes Security Parameter Index (SPI).
Specifies the method used for authentication.
Data Confidentiality
Optional service provided by Encapsulating Security Payload (ESP).
Also includes SPI specifying the method used for confidentiality. Also includes sequence number. Optionally includes authentication data for integrity of ciphertext.
Variants of Phase 1
Four types of keys:
Pre-shared symmetric key. Public key for encryption (old style). Public key for encryption (new style). Public key for digital signature.
Two modes:
Main mode and aggressive mode.
So altogether 8 variants.
To prevent replay attacks, nonces are needed for the Diffie-Hellman key exchange. What signature scheme / pseudorandom function should be used?
Need to first agree on SAs.
Effect of Attack
R recognizes Malice as I.
This is a complete failure of mutual authentication. In addition, R holds resources for this session with Malice, which is potentially a denial-of-service attack.
Kerberos
(Mutual authentication and) key exchange protocol between client and server who do not know each other.
Based on Trusted Third Party (TTP). Proposed by Project Athena@MIT. Very popular, e.g., adopted by Windows.
Principals Involved
U: User; always using client computer C.
C: Client; the computer used by U.
S: Application Server, e.g., a database server C wants to access.
TGS: Ticket Granting Server; the server that grants a ticket for accessing S.
AS: Authentication Server; the server that grants a ticket for accessing TGS.
T(C, S) = {U, C, S, K_{C,S}, Time_start, Time_expire}_{K_{TGS,S}}
TKT(C) = {S, K_{C,S}, Time_start, Time_expire, Nonce2}_{K_{C,TGS}}
Summary of Kerberos
Evolved from the time-stamped version of Needham-Schroeder Protocol.
To establish mutual authentication and key agreement between C and S, C needs to first get a ticket from TGS. However, since the number of TGSs is large, C may not know all of them. So C needs to first get a ticket from AS so that it can contact the right TGS.