Raw Slides (Pdf)

2550 Intro to cybersecurity

L5: Distributed Authentication

abhi shelat/Ran Cohen Agenda

• The problem of distributed authentication

• The Needham-Schroeder protocol • Kerberos protocol

• Oauth So far: authenticating to a server

Mallory

Alice Bob

Gen pw pw Authenticating to an organization

Mallory

Alice

Gen pw pw Authenticating to an organization

Mallory

Alice

Gen pw pw Distributed authentication

• Organizations have many entities (users/services) • Secure communication over insecure channels • Password-based authentication • Passwords are never transmitted (except for the setup phase) • Enable mutual authentication Basic tool: symmetric encryption

Alice Bob

푚 푚

Eve Basic tool: symmetric encryption

• Gen: generates secret key 푘 • Enc: given 푘 and 푚 output a ciphertext 푐 Denote 퐸푛푐푘 푚 , 퐸푘 푚 , 푚 푘 • Dec: given 푘 and 푐 output a message 푚 • Security (informal): Whatever Eve can learn on 푚 given 푐 can be learned without 푐 • Examples: – DES (Data Encryption Standard) – AES (Advanced Encryption Standard) 푚 Authentication from Encryption

• Alice and Bob share a key • They communicate over an insecure channel • Alice wants to prove her identity to Bob • Eve’s goal: impersonate Alice

Alice Bob

푘퐴퐵 푘퐴퐵

Eve Attempt #1

Alice Bob I am Alice

푘퐴퐵 푘퐴퐵

I am Alice

Eve Attempt #2: use the key

Alice Bob I am Alice 푘퐴퐵

푘퐴퐵 푘퐴퐵

I am Alice 푘퐴퐵 Replay attack

Eve Attempt #3: use nonce

Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 − 1 푘퐴퐵 푘퐴퐵

푘퐴퐵 푘퐴퐵

Nonce: a random number for a one-time use Eve Attempt #3: use nonce

Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 − 1 푘퐴퐵 푘퐴퐵 I am Alice 푘 푘퐴퐵 퐴퐵 푁푎2 푘퐴퐵

푁푎2 − 1 푘퐴퐵

푁푎2 − 1 푘퐴퐵 Pay Bob 500$ 푘퐴퐵 Pay Eve 500$ Eve 푘퐴퐵 Man in the Middle attack Attempt #4

Alice I am Alice Bob 푁푎 푘퐴퐵

푁푎 − 1, Pay Eve 500$ 푘퐴퐵

푘퐴퐵 푘퐴퐵

Eve Key establishment

• The protocol worked because Alice and Bob shared a key • How do parties agree on a key? – Run a key agreement protocol (later in the semester) – Use a trusted third party (this lecture) • Key distribution center (KDC): – Shares a key with each entity – Single point of failure – Reasonable assumption for organizations – Not useful for open environments (e.g. the Internet) Naïve solution

• KDC generates a key for each pair 푛 푛−1 • Number of keys 푛 푛 − 1 , number of key pairs = 푛 2 2 • Drawbacks: – Quadratic number of keys – Adding new users is complex • May be useful for static small networks

푘퐴퐵 푘 퐴퐵 푘퐵퐶 푘 퐴퐶 푘퐵퐷 푘퐴퐷 KDC 푘 푘퐴퐷 퐴퐶 푘 푘퐵퐷 퐵퐶 푘 푘퐶퐷 퐶퐷 Desire: solution with linear keys

• KDC shares a key with each user • Number of keys 2푛 • Number of key pairs 푛 • These are long-term keys • Alice and Bob establish a fresh session key

푘 푘퐴푆 퐵푆

푘퐴푆 KDC 푘퐵푆 푘퐶푆 푘 푘 퐷푆 퐷푆 푘퐶푆 Needham-Schroeder Protocol (1978)

푘퐴퐵, 퐴 푘퐵푆

푁푏 푘퐴퐵 푘 푘퐴푆 퐵푆 푁푏 − 1 푘퐴퐵

푘퐴퐵 푘퐴퐵 퐴, 퐵, 푁푎

Why do we need 푁푏?

푁푎, 푘퐴퐵, 푘퐴퐵, 퐴 푘퐵푆 푘퐴푆 KDC 푘퐴푆 푘퐵푆

Why do we need 푁푎? Is Needham-Schroeder secure?

Can Mallory impersonate Alice to KDC? Mallory

푘퐴푆

푁푎, 푘퐴퐵, 푘퐴퐵, 퐴 푘퐵푆 푘퐴푆

퐴, 퐵, 푁푎

KDC 푘퐴푆 푘퐵푆 Is Needham-Schroeder secure?

푘 푘퐴푆 Can Mallory impersonate 퐵푆 Alice to Bob?

KDC 푘퐴푆 푘퐵푆

Mallory Needham-Schroeder replay attack

푘퐴퐵, 퐴 푘퐵푆

푁푏 푘퐴퐵 푘 푘퐴푆 퐵푆 푁푏 − 1 푘퐴퐵 푘 푘 퐴퐵 퐴퐵 푁 ′ 퐴, 퐵, 푁푎 푏 푘퐴퐵

푘퐴퐵, 퐴 푘퐵푆

푁푎, 푘퐴퐵, 퐵, 푘퐴퐵, 퐴 푘퐵푆 푘퐴푆 KDC 푘퐴푆 푘퐵푆 푁푏′ − 1 푘퐴퐵 1) Mallory observes 1st instance 2) Suppose Mallory breaks into Alice, Mallory obtains (old) 푘퐴퐵 푘 푘 푘 , 퐴 3) Alice updates 퐴푆 and erases 퐴퐵 퐴퐵 푘퐵푆 푘퐴퐵 Fixed Needham-Schroeder

푘퐴퐵, 퐴, 푻 푘퐵푆

푁푏 푘퐴퐵 푘 푘퐴푆 퐵푆 푁푏 − 1 푘퐴퐵

푘퐴퐵 푘퐴퐵 퐴, 퐵, 푁푎 Use time stamps

푁푎, 푘퐴퐵, 푘퐴퐵, 퐴, 푻 푘퐵푆 푘퐴푆 KDC 푘퐴푆 푘퐵푆 Kerberos

• Developed in MIT in the ‘80s • Based on Needham-Schroeder – Versions 1-3 not published – Version 4 not secure – Version 5 published in 1993 • Widely used nowadays: – The basis of Microsoft’s active directory – Many Unix versions Kerberos

KDC AC (Authentication server) Get TGT (ticketing granting ticket) Once per login session TGT (Ticketing granting server)

Get ticket for a service pw Once per service

푘퐵푆 Mutual authentication Kerberos

• Passwords are not sent over the network

• Alice’s key 푘퐴푆 is a hash of her password

• Kerberos weaknesses: – KDC is a single point of failure – DoS the KDC and the network ceases to function – Compromise the KDC leads to network-wide compromise – Time synchronization is a very hard problem Access delegation (valet key) “Single Sign on” Same problem as before

pw pw Internet Alice pw pw pw

pw OAuth

“I want to use your service” Some resource Alice pw on the internet

Identity Provider

pw Recap

• Distributed authentication

• The Needham-Schroeder protocol • Kerberos protocol

• Oauth