2. Topics
• In a confidential communication the authenticity needs to
be carefully established for:
• The two partners
– Before sending any confidential information one needs to be
sure to whom it sends that information: authentication
protocols
• The messages received by each partner
– One needs to be sure that the message received has not been
modified –it coincides with the sent message: message
authentication
– If the two partners do not quite trust each other, they need to
make sure that the sender cannot later deny having sent the
message and the receiver cannot have devised the message
himself: digital signatures
3. I. Authentication protocols
• Such protocols enable communicating parties to satisfy themselves
mutually about each other’s identity and possibly, to exchange session keys
• Two central problems here: confidentiality and timeliness
– Essential identification information and the session keys must be communicated
in encrypted form
– Because of the threat of replay, timeliness is essential here
• Replays could allow the attacker to get a session key or to impersonate another party
• At minimum, the attacker could disrupt operations by presenting parties with messages
that appear genuine but are not –aims at a denial of service attack
• Two approaches are generally used to defend replay attacks
– Timestamps: A accepts a message as fresh only if it contains a timestamp that,
in A’s judgment, is close enough to A’s knowledge of current time –clocks need
to be synchronized
– Challenge/response: A, expecting a fresh message from B, first sends B a
random number (challenge) and requires that the subsequent message
(response) received from B contains that random number or some agree-upon
transformation on it (this is also called hand-shaking sometimes
4. Authentication protocols and
setting up secret keys
A Direct authentication
1.Based on a shared secret master key
2.Based on a public-key system
3.Diffie-Hellman
B. Mediated authentication
1.Based on key distribution centers
2.Kerberos
5. A1. Authentication based on a
shared secret key
• Assume here that A and B already share a secret key –this is called
sometimes the master key MK because the two will only use this
rarely, whenever they need to authenticate each other and establish
a session key
– Master keys will only be used to establish session keys
– Concentrate here on how to establish session keys
• Protocol
– A issues a requests to B for a session key and includes a nonce N1
– B responds with a message encrypted using the shared master key –
include there the session key he selects, A’s id, a value f(N1) and
another nonce N2
• At this point, A is sure of B’s identity: only he knows the master key; B is not
sure of anything yet
• Using the new session key, A return f(N2) to B
• B is sure of A’s identity: only A can read the message he sent, including the
session key
6.
7. A2. A general scheme of public-key authentication
(and distribution of secret keys)
• Assume here that A and B
know each other’s public key
• N1 and N2 in the scheme are
random numbers –they ensure
the authenticity of A and B
(because only they can decrypt
the messages and read N1
and N2)
• After Step 2, A is sure of B’s
identity: right response to its
challenge
• After Step 3, B is sure of A’s
identity: right response to its
challenge
8. A3. A concrete scheme: Diffie-Hellman key
exchange
• This is the first ever published public-key algorithm –used in a number of
commercial products
• Elegant idea: establish a secret key based on each other’s public keys
• Protocol
– Alice and Bob need to agree on two large numbers n,g, where n is prime, (n-1)/2
is also prime and some extra conditions are satisfied by g (to defeat math
attacks) –these numbers may be public so Alice could generate this on her own
– Alice picks a large (say, 512-bit) number x and B picks another one, say y
– Alice initiates the key exchange protocol by sending Bob a message containing
(n,g,g^xmod n)
– Bob sends Alice a message containing g^ymod n
– Alice raises the number Bob sent her to the x-th power mod n to get the secret
key: (g^ymod n)^ x mod n=g^xy mod n
– Bob raises the number Alice sent to the y-thpower modulo n to get the secret
key: (g^x mod n)^y mod n= g^xy mod n
9.
10. B1. Authentication using key distribution
centers (KDC)
Authentication using key distribution centers
(KDC)
• Setting up a shared key was fairly involved
with the previous approaches and perhaps
not quite worth doing
• Each user has to maintain a secret key
(perhaps on some plastic card) for each of
his friends –this may be a problem for
popular people
• Different approach: have a trusted key
distribution center (KDC)
– Each user maintains one single secret key –
the one to communicate with KDC
– Authentication and all communications go
through KDC
– Alice picks Ks and tells KDC that she wants
to talk to Bob using Ks–A uses secret key KA
used only to communicate with KDC
– KDC decrypts the message and sends Ks to
Bob together with Alice’s id –KDC uses key
KB used only to communicate with B
– Authentication here is for free –key KA is
only known to A and KDC
11. Replay attack to the KDC-based protocol
• Say Eve manages to get a job with Alice and after doing the job, she asks
Alice to pay her by bank transfer.
• Alice establishes a secret key with the banker Bob and then sends Bob a
message requesting money to be transferred to Eve’s account
• Eve however is back to her old business, snooping on the network–
she copies message 2 in the protocol and the request for money
that follows
• Later Eve replays both messages to Bob –Bob will think that Alice
has hired again Eve and pays Eve the money
• Eve is able to do many iterations of the procedure –replay attack
• Solution 1: include a timestamp with the message –any old message
will be discarded
• Problem: clocks are not always exactly synchronized so there will be a
period when the message is still valid
12. Authentication using Kerberos
• Kerberos is an authentication protocol used in many systems, including
Windows 2000, using the KDC-based approach
– Kerberos was the name of a multi head dog in Greek mythology that used to
guard the entrance to Hades
• Designed at MIT to allow workstation users to access network resources
securely
– As such, it relies on the assumption that all clocks are fairly well synchronized
• Kerberos v4 is the most widely used version –the one we discuss here
• Includes three servers that communicate with Alice (at the workstation)
– Authentication server (AS) –verifies the user during login
• It shares a secret password with each user (plays the role of the KDC)
– Ticket-granting server (TGS) –issues “proof of identity tickets”
• Tickets will be used by the user to perform various jobs
– Bob the server –actually does the work Alice needs to do, based on the identity
ticket
• Based on the identity ticket will grant Alice the right she is entitled to
13. Authentication using Kerberos
1. A sits down at an arbitrary public workstation
and types her name
– Workstation sends her name to the AS in plaintext
2. AS sends back a session key KS and a ticket
KTGS(A,KS) for TGS –both encrypted with A’s
secret key
– At this point the workstation asks for A’s password
• Password is used to generate the secret key and decrypt
the message, obtaining the ticket for TGS
15. Authentication using Kerberos
• A tells the workstation she needs to contact the file server Bob
3. Workstation sends a message to TGS asking for a ticket to use Bob
– Key element here is the ticket for TGS received from AS –this proves to TGS
that the sender is really A
4. TGS creates and sends back a session key KAB for A to use with B
– TGS sends a message encrypted with KS so that A can read and get KAB
– TGS also includes a message intended only for Bob, sending A’s identity and
the key KAB
• If Eve replays message 3 she will be foiled by the timestamp t
– Even if she replays the message quickly she will only get a copy of message 4
that she cannot read
5 Alice can now communicate with Bob using KAB
6. Bob confirms he has received the request and is ready to do the work
16. II. Digital signatures
• Having a sort of digital signature replacing hand written signatures is
essential in the cyber-world
• This is crucial between two parties who do not trust each other and need
protection from each other’s later false claims
• Requirements for a digital signature
– Must authenticate the content of the message at the time of the signature
– Must authenticate the author, date, and time of the signature
– Receiver can verify the claimed identity of the sender
– Sender cannot later repudiate the content of the message
– Receiver cannot possibly have concocted the message himself
– Can be verified by third-parties to resolve disputes
• Examples:
– The bank needs to verify the identity of the client placing a transfer order
– The client cannot deny later having sent that order
– It is impossible for the bank to create transfer orders and claim they actually
came from the client
17. Digital signatures
• Computational requirements
– Must be a bit pattern depending on the message being signed
– Signature must use some information unique to the sender to
prevent forgery and denial
– Computationally easy to produce a signature
– Computationally easy to recognize and verify the signature
– Computationally infeasible to forge a digital signature
• Practical to retain a copy of the digital signature in
storage
18. Two general schemes for digital
signatures
• Arbitrated digital signatures
• Every signed message from A to B goes to an
arbiter BB (Big Brother) that everybody trusts
• BB checks the signature and the timestamp,
origin, content, etc.
• BB dates the message and sends it to B with an
indication that it has been verified and it is
legitimate
19. Arbitrated digital signatures
• E.g., every user shares a secret key
with the arbiter
– A sends to BB in an encrypted form the plaintext
P together with B’s id, a timestamp and a random
number RA
– BB decrypts the message and thus makes sure it
comes from A; it also checks the timestamp to
protect against replays
– BB then sends B the message P, A’s id, the
timestamp and the random number RA; he also
sends a message encrypted with his own private
key (that nobody knows) containing A’s id,
timestamp t and the plaintext P (or a hash)
– B cannot check the signature but trusts it
because it comes from BB –he knows that because
the entire communication was encrypted with KB
– B will not accept old messages or messages
containing the same RA to protect against replay
– In case of dispute, B will show the signature he
got from BB (only BB may have produced it) and
BB will decrypt it
20. Direct digital signatures
• This involves only the communicating parties
and it is based on public keys
• The sender knows the public key of the
receiver
• Digital signature: encrypt the entire message
(or just a hash code of the message) with the
sender’s private key
• If confidentiality is required: apply the
receiver’s public key or encrypt using a shared
secret key
21. DS
• Weaknesses:
– The scheme only works as long as KRA remains secret: if it is
disclosed (or A discloses it herself), then the argument of the
judge does not hold: anybody can produce the signature
• Attack: to deny the signature right after signing, simply claim that
the private key has been lost–similar to claims of credit card misuse
• If A changes her public-private keys (she can do that
often) the judge will apply the wrong public key to check
the signature
– Attack: to deny the signature change your public-private key
pair–this should not work if a PKI is used because they may
keep trace of old public keys
• A should protect her private key even after she
changes the key