Raw Slides (Pdf)
Total Page:16
File Type:pdf, Size:1020Kb
2550 Intro to cybersecurity L5: Distributed Authentication abhi shelat/Ran Cohen Agenda • The problem of distributed authentication • The Needham-Schroeder protocol • Kerberos protocol • Oauth So far: authenticating to a server Mallory Alice Bob Gen pw pw Authenticating to an organization Mallory Alice Gen pw pw Authenticating to an organization Mallory Alice Gen pw pw Distributed authentication • Organizations have many entities (users/services) • Secure communication over insecure channels • Password-based authentication • Passwords are never transmitted (except for the setup phase) • Enable mutual authentication Basic tool: symmetric encryption Alice Bob 푚 푚 Eve Basic tool: symmetric encryption • Gen: generates secret key 푘 • Enc: given 푘 and 푚 output a ciphertext 푐 Denote 퐸푛푐푘 푚 , 퐸푘 푚 , 푚 푘 • Dec: given 푘 and 푐 output a message 푚 • Security (informal): Whatever Eve can learn on 푚 given 푐 can be learned without 푐 • Examples: – DES (Data Encryption Standard) – AES (Advanced Encryption Standard) 푚 Authentication from Encryption • Alice and Bob share a key • They communicate over an insecure channel • Alice wants to prove her identity to Bob • Eve’s goal: impersonate Alice Alice Bob 푘퐴퐵 푘퐴퐵 Eve Attempt #1 Alice Bob I am Alice 푘퐴퐵 푘퐴퐵 I am Alice Eve Attempt #2: use the key Alice Bob I am Alice 푘퐴퐵 푘퐴퐵 푘퐴퐵 I am Alice 푘퐴퐵 Replay attack Eve Attempt #3: use nonce Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 − 1 푘퐴퐵 푘퐴퐵 푘퐴퐵 푘퐴퐵 Nonce: a random number for a one-time use Eve Attempt #3: use nonce Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 − 1 푘퐴퐵 푘퐴퐵 I am Alice 푘 푘퐴퐵 퐴퐵 푁푎2 푘퐴퐵 푁푎2 − 1 푘퐴퐵 푁푎2 − 1 푘퐴퐵 Pay Bob 500$ 푘퐴퐵 Pay Eve 500$ Eve 푘퐴퐵 Man in the Middle attack Attempt #4 Alice I am Alice Bob 푁푎 푘퐴퐵 푁푎 − 1, Pay Eve 500$ 푘퐴퐵 푘퐴퐵 푘퐴퐵 Eve Key establishment • The protocol worked because Alice and Bob shared a key • How do parties agree on a key? – Run a key agreement protocol (later in the semester) – Use a trusted third party (this lecture) • Key distribution center (KDC): – Shares a key with each entity – Single point of failure – Reasonable assumption for organizations – Not useful for open environments (e.g. the Internet) Naïve solution • KDC generates a key for each pair 푛 푛−1 • Number of keys 푛 푛 − 1 , number of key pairs = 푛 2 2 • Drawbacks: – Quadratic number of keys – Adding new users is complex • May be useful for static small networks 푘퐴퐵 푘 퐴퐵 푘퐵퐶 푘 퐴퐶 푘퐵퐷 푘퐴퐷 KDC 푘 푘퐴퐷 퐴퐶 푘 푘퐵퐷 퐵퐶 푘 푘퐶퐷 퐶퐷 Desire: solution with linear keys • KDC shares a key with each user • Number of keys 2푛 • Number of key pairs 푛 • These are long-term keys • Alice and Bob establish a fresh session key 푘 푘퐴푆 퐵푆 푘퐴푆 KDC 푘퐵푆 푘퐶푆 푘 푘 퐷푆 퐷푆 푘퐶푆 Needham-Schroeder Protocol (1978) 푘퐴퐵, 퐴 푘퐵푆 푁푏 푘퐴퐵 푘 푘퐴푆 퐵푆 푁푏 − 1 푘퐴퐵 푘퐴퐵 푘퐴퐵 퐴, 퐵, 푁푎 Why do we need 푁푏? 푁푎, 푘퐴퐵, 푘퐴퐵, 퐴 푘퐵푆 푘퐴푆 KDC 푘퐴푆 푘퐵푆 Why do we need 푁푎? Is Needham-Schroeder secure? Can Mallory impersonate Alice to KDC? Mallory 푘퐴푆 푁푎, 푘퐴퐵, 푘퐴퐵, 퐴 푘퐵푆 푘퐴푆 퐴, 퐵, 푁푎 KDC 푘퐴푆 푘퐵푆 Is Needham-Schroeder secure? 푘 푘퐴푆 Can Mallory impersonate 퐵푆 Alice to Bob? KDC 푘퐴푆 푘퐵푆 Mallory Needham-Schroeder replay attack 푘퐴퐵, 퐴 푘퐵푆 푁푏 푘퐴퐵 푘 푘퐴푆 퐵푆 푁푏 − 1 푘퐴퐵 푘 푘 퐴퐵 퐴퐵 푁 ′ 퐴, 퐵, 푁푎 푏 푘퐴퐵 푘퐴퐵, 퐴 푘퐵푆 푁푎, 푘퐴퐵, 퐵, 푘퐴퐵, 퐴 푘퐵푆 푘퐴푆 KDC 푘퐴푆 푘퐵푆 푁푏′ − 1 푘퐴퐵 1) Mallory observes 1st instance 2) Suppose Mallory breaks into Alice, Mallory obtains (old) 푘퐴퐵 푘 푘 푘 , 퐴 3) Alice updates 퐴푆 and erases 퐴퐵 퐴퐵 푘퐵푆 푘퐴퐵 Fixed Needham-Schroeder 푘퐴퐵, 퐴, 푻 푘퐵푆 푁푏 푘퐴퐵 푘 푘퐴푆 퐵푆 푁푏 − 1 푘퐴퐵 푘퐴퐵 푘퐴퐵 퐴, 퐵, 푁푎 Use time stamps 푁푎, 푘퐴퐵, 푘퐴퐵, 퐴, 푻 푘퐵푆 푘퐴푆 KDC 푘퐴푆 푘퐵푆 Kerberos • Developed in MIT in the ‘80s • Based on Needham-Schroeder – Versions 1-3 not published – Version 4 not secure – Version 5 published in 1993 • Widely used nowadays: – The basis of Microsoft’s active directory – Many Unix versions Kerberos KDC AC (Authentication server) Get TGT (ticketing granting ticket) Once per login session TGT (Ticketing granting server) Get ticket for a service pw Once per service 푘퐵푆 Mutual authentication Kerberos • Passwords are not sent over the network • Alice’s key 푘퐴푆 is a hash of her password • Kerberos weaknesses: – KDC is a single point of failure – DoS the KDC and the network ceases to function – Compromise the KDC leads to network-wide compromise – Time synchronization is a very hard problem Access delegation (valet key) “Single Sign on” Same problem as before pw pw Internet Alice pw pw pw pw pw OAuth “I want to use your service” Some resource Alice pw on the internet Identity Provider pw Recap • Distributed authentication • The Needham-Schroeder protocol • Kerberos protocol • Oauth.