Chapter 6
Chapter 6
Identification
Xiang-Yang Li
Tradeoff between
false rejection (type I error)
false acceptance (type II error)
Authentication
Xiang-Yang Li
Mechanisms
MAC: message authentication code
Hash functions, security in hash functions
Hash and MAC algorithms
MD5, SHA, RIPEMD-160, HMAC
Digital signatures
“I am Alice”
Failure scenario??
in a network,
Bob can not “see”
Alice, so Trudy simply
“I am Alice” declares
herself to be Alice
Alice’s
IP address “I am Alice”
Failure scenario??
Alice’s Alice’s
“I’m Alice”
IP addr password
Alice’s Alice’s
“I’m Alice”
IP addr password
playback attack: Trudy
Alice’s records Alice’s packet
OK
IP addr and later
plays it back to Bob
Alice’s Alice’s
“I’m Alice”
IP addr password
Alice’s encrypted
“I’m Alice”
IP addr password
Alice’s encrypted
IP addr password
“I’m Alice” record
and
Alice’s
OK playback
IP addr
still works!
Alice’s encrypted
“I’m Alice”
IP addr password
“I am Alice”
R
KA-B(R) Alice is live, and
only Alice knows
key to encrypt
nonce, so it must
drawbacks? be Alice!
Cryptography and Network Security 22
Authentication: ap5.0
ap4.0 requires shared symmetric key
can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
“I am Alice”
Bob computes
R + -
- KA(KA (R)) = R
K A (R) and knows only Alice
could have the private
“send me your public key”
+ key, that encrypted R
KA such that
+ -
K (K (R)) = R
A A
I am Alice I am Alice
R -
K (R)
T
R - Send me your public key
K (R) +
A K
T
Send me your public key
+
K
A +
K (m)
Trudy gets T
- +
+ m = K (K (m))
K (m)
A sends T T Alice
m to
- + encrypted with
m = K (K (m))
A A Alice’s public key
Cryptography and Network Security 24
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as
Alice (to Bob) and as Bob (to Alice)
Difficult to detect:
Bob receives everything that Alice sends, and vice
versa. (e.g., so Bob, Alice can meet one week later and
recall conversation)
problem is that Trudy receives all messages as well!
26
Problems with Password
Authentication
The host’s list of (user id, password) may
be revealed to adversary.
This list becomes an attractive target of attack.
The password may be eavesdropped in
transmission.
27
No Password Storage in Clear
We can address the first problem using
one-way hash function.
Host stores H(password) instead of password.
Verifying password is still easy for host.
Adversary can’t figure out password even if he sees
H(password).
28
Lamport’s Hash Chain
We can address the second problem using a
hash chain.
Let H() be a one-way hash function.
Host keeps a list of (user id, Hn(password)).
When user needs to login for the ith time, he sends the
host h=Hn-i(password).
The host checks Hi(h)= Hn(password).
29
Security of Lamport’s Hash Chain
Suppose the adversary can see all
communications and all storage of host.
So he sees Hn-1(password), Hn-2(password), …, Hn-(i-
1)(password) in the i-1 previous sessions.
30
Vulnerability of Lamport’s Hash
Chain
The above “security analysis” assumes that
adversary can’t find password from
H(password) since H() is one-way.
Unfortunately, normally this is not true.
Most human memorizable passwords belong to a very
small space: a few letters and digits with special
meanings.
So exhaustive search in this space is efficient.
The most important part of the attack is construction of
the space; usually we build it based on a dictionary.
This is called “dictionary attack”.
31
Entity Authentication without
Shared Secret
Password-based authentication needs both
parties to share a secret—the password.
Can Alice authenticates to Bob who does
not share any secret with her?
Without further assumption this is impossible.
Who is “Alice” anyway? What is the definition of
Alice?
With further assumption (e.g., trusted third party) this is
possible.
32
Woo-Lam Authentication
Assume there is a trusted third party:
Trent.
Alice shares a key KAT with Trent.
Bob shares a key KBT with Trent.
Alice wants to authenticate to Bob.
Woo and Lam proposed a protocol.
This protocol is flawed.
There are many fixes, but most fixed versions are also
flawed.
33
Woo-Lam Protocol
Alice →Bob: Alice
Bob → Alice: Nonce.
Alice →Bob: {Nonce}KAT
Bob →Trent: {Alice, {Nonce}KAT}KBT
Trent →Bob: {Nonce}KBT
Bob: Decrypt the above ciphertext. If
getting Nonce back, then accept.
Otherwise, reject.
34
Idea behind Woo-Lam Protocol
(1)
Why did they think this is secure?
If Bob finally gets Nonce through decryption, then in
5th step Trent sends Bob {Nonce}KBT.
This implies Trent gets Nonce when he decrypts the
message received in 4th step.
This further implies in 4th step the inner-layer key used
to encrypt Nonce corresponds to Alice.
In the 3rd step, Nonce is encrypted using KAT.
35
Idea behind Woo-Lam Protocol
(2)
Since only Alice and Trent know KAT, the
message in the 3rd step must be sent by
Alice.
So this is indeed Alice.
36
Error in the Idea
Look at the 2nd part of the idea:
“This implies Trent gets Nonce when he decrypts the
message received in 4th step.”
In the 4th step of which session?
This is not clear; actually not necessary this session.
When there are more than one sessions in parallel, the
protocol is broken.
37
Parallel Session Attack (1)
Malice impersonates Alice →Bob: (Session
1) Alice
Malice →Bob: (Session 2) Malice
Bob → Alice (intercepted by Malice):
Nonce1.
Bob → Malice: Nonce2.
Malice impersonates Alice →Bob:
{Nonce2}KMT
Malice →Bob: {Nonce1}KMT Note Malice
exchanges the
nonces of two
sessions 38
Parallel Session Attack (2)
Bob →Trent: {Alice, {Nonce2}KMT}KBT
Bob →Trent: {Malice, {Nonce1}KMT}KBT
Trent →Bob: Garbage
Trent →Bob: {Nonce1}KBT
Bob: Reject session 2 for Malice. Accept
session 1 for “Alice” (Who is actually
Malice).
Actually Bob should reject session 1; but he identifies
session using the nonce, which has been switched.
39
A Quick Fix
The main problem causing the parallel
session attack is that messages from
different sessions are not appropriately
separated.
So each message should carry a session number.
Accept a session only if the last message of this session
is accepted.
However, this fixed version is still subject to other
attacks.
40
MESSAGE
AUTHENTICATION CODE
Requirements of MAC
Size of MAC: n
Size of key: k
Need 2n computations of MAC and n/k pairs of Mi and
MACi
countermeasures include
use of sequence numbers (generally impractical)
timestamps (needs synchronized clocks)
challenge/response (using unique nonce)