CMSC 414 Computer and Network Security Lecture 17

Slides: 12
Provided by: jka9
Learn more at: https://www.cs.umd.edu

Transcript and Presenter's Notes


1
CMSC 414 Computer and Network Security Lecture 17
  • Jonathan Katz

2
Diffie-Hellman key exchange
  • Secure against passive eavesdropping
  • but insecure against a man-in-the-middle attack

3
Adding key exchange
  • Not sufficient to simply add on key
    establishment before/after authentication
  • Splicing attack
  • Need authenticated key exchange

4
Authentication Protocols (Chapter 11, KPS)

5
Overview
  • Protocol design is subtle
  • Small changes can make a protocol insecure!
  • Historically, designed in an ad-hoc way, by
    checking protocol for known weaknesses
  • Great example of where provable security helps!

6
Example
  • Reverse challenge-response
  • I.e., send a ciphertext and have user decrypt it
  • Mutual authentication (if decrypts validly)??
  • Weaknesses?
  • Uses encryption for authentication
  • (Note that a MAC cannot, in general, be used)
  • Vulnerable to dictionary attack just by false
    attempted login (not eavesdropping)
  • Authentication of server assumes no replay

7
Example
  • User sends time, MAC_K(time)
  • What if she had used encryption, or a hash?
  • What about just sending MAC_K(time)?
  • Considerations?
  • Requires (loosely) synchronized clocks
  • Must guard against replay
  • What if user has same key on multiple servers?
  • Clock reset attacks; clock DoS attacks!
  • No mutual authentication

8
Adding mutual authentication
  • Double challenge-response (symmetric key) in 4
    rounds
  • Variant in which user sends nonce first?
  • Insecure (reflection attack)
  • Also vulnerable to off-line password guessing
    without eavesdropping
  • To improve security, make protocol asymmetric
  • No such attack on original protocol
  • Security principle: let the initiator prove its
    identity first

9
Using timestamps?
  • User sends time, MAC_K(time); server responds with
    MAC_K(time+1)
  • What if they used encryption?
  • Vulnerabilities?
  • Symmetric protocol

10
Establishing a session key
  • Double challenge-response: compute session key as
    F_K(R2)
  • Secure against passive attacks if F is a
    pseudorandom permutation
  • Active attacks? And how to fix it
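
The nonce-first variant from slide 8 and the session-key derivation from slide 10, as an added Python example that is not part of the lecture: HMAC-SHA256 stands in for the keyed function F_K, and the Server, reflection_attack and honest_run names are this example's own. It shows why the same keyed function in both directions fails to a reflection, and that role-tagging the responses (the "make the protocol asymmetric" fix) closes that gap while the session key stays F_K(R2).

```python
import hashlib
import hmac
import os

# Constructed demo key; plays the role of the key K shared by user and server.
DEMO_KEY = os.urandom(32)


def f(key: bytes, tag: bytes, r: bytes) -> bytes:
    """The keyed function F_K of the slides; HMAC-SHA256 is assumed as the PRF."""
    return hmac.new(key, tag + r, hashlib.sha256).digest()


class Server:
    """Responder in the nonce-first (3-round) double challenge-response.

    asymmetric=False: both directions answer a challenge R with F_K(R).
    asymmetric=True:  answers are role-tagged, so a server's answer to R
                      is never a valid client's answer to the same R.
    """

    def __init__(self, key: bytes, asymmetric: bool):
        self.key, self.asymmetric = key, asymmetric
        self.pending = {}  # session id -> challenge R2 we are waiting on

    def tag(self, role: bytes) -> bytes:
        return role if self.asymmetric else b""

    def round2(self, sid: str, r1: bytes):
        """Message 2: answer the initiator's R1 and send our own challenge R2."""
        r2 = os.urandom(16)
        self.pending[sid] = r2
        return f(self.key, self.tag(b"server"), r1), r2

    def round3(self, sid: str, response: bytes) -> bool:
        """Message 3: accept the initiator iff it answered R2 correctly."""
        r2 = self.pending.pop(sid)
        return hmac.compare_digest(response, f(self.key, self.tag(b"client"), r2))


def reflection_attack(server: Server) -> bool:
    """Keyless party opens a second session and feeds R2 back as its challenge."""
    _, r2 = server.round2("s1", os.urandom(16))  # session 1: must answer R2
    reflected, _ = server.round2("s2", r2)       # session 2: server answers R2
    return server.round3("s1", reflected)        # True means the server was fooled


def honest_run(server: Server, key: bytes):
    """Legitimate user completes the protocol; session key F_K(R2) per slide 10."""
    r1 = os.urandom(16)
    answer1, r2 = server.round2("h", r1)
    server_ok = hmac.compare_digest(answer1, f(key, server.tag(b"server"), r1))
    user_ok = server.round3("h", f(key, server.tag(b"client"), r2))
    # Separate tag: the session key must differ from any value the server hands out.
    return server_ok and user_ok, f(key, b"session", r2)
```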

11
Public-key based
  • Include E_pk(session-key) in protocol?
  • Encrypt session-key and sign the result?
  • No forward secrecy
  • Potentially vulnerable to replay attacks
  • User sends E(R1), server sends E(R2); session key
    is R1R2
  • Reasonable