AuthenticationOverview(NSchapter9) Context: • Largesetofprincipalsattachedtoanopenchannel(eg,Internet). ComputerandNetworkSecurity • Eachprincipalrepeatedly CMSC414 • attemptstoinitiateaconnection(i.e.,session)withaspecifiedprincipal • uponsuccessfulconnectionestablishment,exchangesmessages AUTHENTICATION • closestheconnection • waitsforanarbitrary(butbounded)time UdayaShankar [email protected] Authentication is about ensuring • WhenaprincipalAassumesitisconnectedtoaprincipalB, AisindeedexchangingmessageswithB,andnotsomeattackerC. • WhenprincipalAassumesconfidentiality/integrityofthemessageexchange, thisisindeedthecase. Principal can be a human or an executing computer program • Programscanuse high-quality secrets(eg,fromspaceof2 128 ) • Humanprincipalsarerestrictedto low-quality secrets(eg,spaceof2 32 ) andcannotdocryptographicoperations. • WhenwesayaprogramprincipalA assumesitisconnectedtoB, wemeanthatA’sprogram’svariablesindicatethatAisconnectedtoB.

3/27/2013shankar authenticationslide1 3/27/2013shankar authenticationslide2

Typicalauthenticationscenario TypesofAttacks principal computer Internet computer principal Anauthenticationprotocolmustidentifytheattacksitissupposedtohandle A nA nB B • networkattacker • endpointattacker [A,B,conn ] [nA,nB,[A,B,conn]] [A,B,conn ] • dictionaryattack connection • … [B,A,accpt ] [B,A,accpt ] [nB,n A, [B, A, accpt]] Anauthenticationmechanismcannotprotectagainstallattacks,eg, [A,B ,accpt ] • overrun(takeover)ahumanprincipal conversation datamsgs • overrunmemorywhileprogramprincipalisdoingloginauthentication disconnection disconnectmsgs Attackerscanspanmultipleclasses Goal: achieves following inspite of attacks • Connectionestablishment: Attackescansequentiallymountattacksofdifferentclasses • AauthenticatesB:[B,A,accpt]msgsentbyBinresponseto[A,B,conn] • Eg,recordencryptedconversation;muchlaterlearnsessionkey • BauthenticatesA:[A,B,accpt]...A...[B,A,conn] • Simultaneouslyestablishasharedsecret(sessionkey)forconversation • Conversation:encryption/MAC • Disconnection:AandBclosetheirconnectionandforgetanysessionkey

3/27/2013shankar authenticationslide3 3/27/2013shankar authenticationslide4 TypesofAttacks(contd) TypesofAttacks(contd) End-host based attacks (roughly in order of increasing difficulty) Network-based attacks (roughly in order of increasing difficulty) • PrincipalCsaysitisprincipalAonacomputern (eg,publicworkstation) • Sendingmessageswithwrongvaluesinfields: A • onlinedictionaryattack • spoofing:Catn sendsmessageswithsenderidas[A] c • Readdataonharddisk(orbackuptapes)ofn orA • changing“reject”to“accept” A • obtainoldkeys(encryptedorplaintext)passwordfiles, ⋅⋅⋅ • spoofing:Catn sendsmessageswithsenderaddr/idas[n ,A] c A • ⋅⋅⋅ • … obtaincurrentkeys(encryptedorplaintext)passwordfiles, • • Eavesdropping:observingmessagesinthechannel. offlinedictionaryattackonencryptedpasswords • • EasyinWLANsandLANs(becauseofbroadcastnature) Overruncomputern A • • Noteasyinwiredpointtopointlinks(butdoable) whileAisnotatn A • taprouterports whileAisatn A • compromiseroutecomputationalgorithm Readdatainmemoryofn AwhileAisexecuting(unlikely) • • Interceptingmessages,changingthem,resendingthem. Overruna(humanorprogram)principal • • RelativelyeasyinWLANsandLANs(becauseofbroadcastnature) mailclient,webbrowser • Noteasyinpointtopoint(butdoable)

3/27/2013shankar authenticationslide5 3/27/2013shankar authenticationslide6

TypesofAttacks(contd) Threetypesofauthentication • Password-based authentication Dictionary attacks (aka password-guessing attacks) • Authenticatingoneselfbyshowingasecretpasswordtotheremotepeer • Findingasecretbysearchingthroughaspaceofpossiblesecrets (andtothenetwork) • Doableonlyifthespaceissmallenough(givenreasonabletime/resources) • Always vulnerabletoeavesdroppingattack • Asecretfromasmallspaceissaidtobe low-quality • Always vulnerabletoonlinedictionaryattack • Asecretfromalargespaceissaidtobe high-quality Usuallyprotection:limitfrequencyofincorrectpasswordentries • Examples: • 128bitkeyfromadecentrandomnumbergeneratorishighquality • Address-based authentication • 20bitkeyfromadecentrandomnumbergeneratorislowquality • authenticatingoneselfbyusingaphysicallysecuredterminal/computer • Passwords,andkeysobtainedfromthem,arelowquality(typically) • Conceptuallysimilartopasswordbasedauthentication?? • Online dictionaryattack:needtointeractwithauthenticatorateveryguess • Offline dictionaryattack:interactswithauthenticatorjustonce • Cryptography-based authentication • authenticatingoneselfbyshowingevidenceofasecretkey totheremotepeer(andtothenetwork) butwithoutexposingthesecrettothepeer(ortothenetwork) • Note:secretkeycanbeobtainedfromapassword

3/27/2013shankar authenticationslide7 3/27/2013shankar authenticationslide8 Passwordbasedauthentication Passwordbasedauthentication(contd)

• Aauthenticatesitselfbysupplyingapassword. Approach 2: • Always vulnerabletoeavesdroppingattackandonlinedictionaryattack • Likeapproach1exceptB’spasswordfilehasentries(X,hash(pw X))foreachX Approach 1: B(passwdfilewith B(passwdfilewith A(passwdpw A) nA channel nB A(passwdpw A) nA channel nB [X,pw X]foreachX) [X,hash(pw X)]foreachX)

• enter[A,B,pw A] • enter[A,B,pw A]

• send[nA,n B,A,B,pw A] • send[nA,n B,A,B,pw A] • checkrcvd[A,pw A] • checkhash(rcvdpw A)against againstpasswdfile passwdfileentryforA • matchauthenticatesA; • matchauthenticatesA msgsfromn Auntillogout assumedtobefromA • Vulnerabletoeavesdroppingandtoonlinedictionaryattack(asbefore)

• Vulnerabletopasswordfileexposurebutrequires offline dictionaryattack • • Vulnerabletoeavesdroppingandtoonlinedictionaryattack Defense1:store(X,salt,hash(pw X,salt)) • Defenseagainstlatter:limitnumberofsuccessivefailedattempts • Defense2:store(X,encrypt K(pw X))whereKishighqualitykeymaintained onlyinB’smemoryandnotharddisk(i.e.,manuallyenteredwhenBis • Vulnerabletoexposureofpasswordfile(overrunofn BorB) activated).

3/27/2013shankar authenticationslide9 3/27/2013shankar authenticationslide10

Passwordbasedauthentication(contd) Addressbasedauthentication Handling situation where A may interact with many servers • Ausesonlyaspecialsetofcomputers • StoreA’spasswordineveryserverthatAmayaccess. • Aisauthenticatedbytheaddress(network,linklevel,etc)ofitscomputer. • Disadvantage:handlingchangestopassword. • Disadvantage:Allpasswordfilesneedtobeprotectedwell. • Validif • Accesstospecialcomputersiswellguarded • StoreA’spasswordinaspecial authentication node. • Networkisprotectedagainstspoofing/interceptionofmessages • ServerauthenticatesAbycheckingA’spasswordwithauthenticationnode (andpresumablyforgettingpasswordafterauthenticatingA). • Examples: • Disadvantage:performancebottleneck. • Unix:oswide/etc/hosts.equivfile,peruser.rhostsfile. • Advantage:singlenodetoprotect • VMS:PROXYdatabase • Earlymainframemachinesaccessedbydumbterminals. • Operatorconsoleonmanyworkstations(eg,singleusermodeinLinux) • Conceptuallylikepasswordbasedauthenticationexceptthat“password”is nowassociatedwithaphysicaldevice(eg,networkinterfacecard).

3/27/2013shankar authenticationslide11 3/27/2013shankar authenticationslide12 Cryptographicauthentication Using password to get high-quality secret (eg, public-key-crypto key) • AauthenticatesitselftoBbyperformingacryptographicoperationona from directory service quantitycomposedofapartsuppliedbyBandasecretsharedbyAandB. • Becauseoperationiscryptographic,thesecretisnotdisclosedby Usepasswordtodecryptahighqualitykeykeptinadirectoryservice. • eavesdropping. LetK AbeA’shighqualitykey. • LetK Apw bethelowquality)keyobtainedfromA’spassword(eg,byhashing)

Limitations if A is human • Directoryservicestoresenc(K A,K Apw )(ie,K AencryptedbyK Apw ). • Acanonlyrememberlowqualitysecret,ie,password. • Computern Agets[A,enc(K A,K Apw )]fromdirectoryservice,

• Acannotdocryptographicoperations. KApw fromA’spassword,anddecryptstogetK A • SoAinputspasswordintocomputernAwhichconvertspasswordtokey. Hencevulnerabletooverrunofn A. • Isthisvulnerabletoofflinedictionaryattack? • Guesscandidatepassword,saycpw. Transforming password to secret-key-crypto key • ObtaincandidatelowqualitykeycK (e.g.,byhashingcpw). • Obtainkeyby(say)hashingpassword(and,forAES,takingspecified128bits). Apw • ObtaincandidatehighqualitykeycK bydecryptingenc(K ,K withcK . • Notokforpublickeycrypto,wherekeyshaveconstraints. A A Apw ) A Hereisan(wacko?)approachtoobtainanRSAkey: ButcannotdecidewhethercK AiscorrectbecauseK Ahasnostructure. • Usepasswordasseedtospecifiedpseudorandomnumbergenerator, (Note:inRSA,encrypt[d],not[d,n]becauselatterhasstructure) andchoosefirsttwoprimesgenerated. • Butitisvulnerablewithabitmoreworkinsomecases,eg, IfAusesasessionkeyencryptedwithK A,usecK Atoobtaincandidate sessionkey,andcheckifitcandecryptconversation. IfA’ssignatureonadocumentproducedusingK Aisavailable, checkifcK Amatchesthesignature.

3/27/2013shankar authenticationslide13 3/27/2013shankar authenticationslide14

Protectingagainsteavesdroppingandserverpasswdfileexposure(spfe) Lamport’sHashScheme(NSChapter12) Easy with public key crypto • Onewayauthentication(BauthenticaesA);ie,assumesBisnotspoofed. • Ahasprivatekey. • Astorespassword. • BstoresA’spublickey(soexposingB’sdatabasedoesnodamage). • BstoresforA: • Authentication: • n:positiveinteger,initiallysay1000;numberofloginsremaining • BsendsarandomvaluetoA • nhpw:nfoldhashofpw;ie,hash n(pw) • AencryptsusingA’sprivatekeyandsendsback • BchecksreceivedvalueusingA’spublickey A (storespasswordpw) B (stores(A:n,nhpw)) send[A,B,conn] Handling spfe (but not eavesdropping) with hash/secret-key crypto • BstoreshashofA’spassword send[B,A,n] ← n−1 • Authentication: x hash (pw) • AsendspasswordtoB send[A,B,x] • Bcompareshashofrecievedpasswordwithstoredhash ifhash(x)=nhpwthenAauthenticated n ←n −1 Handling eavesdropping (but not spfe) with secret-key crypto nhpw ←x • AandBshareasecretK AB (eg,A’spassword). • Authentication: Whennbecomes1,needtoresetwithnewpwandn

• Asends[A,login]toB • BsendsrandomnumberRtoA Enhancement with salt: • ArespondswithKAB {R} //NOTE:"K AB {R}”shortfor“enc(R,K AB )” • Initially:Achoosessalt;Bstores[A,n,salt,hash n(pw|salt)] n−1 Handling both with secret-key crypto • Login:Brespondswith[n,salt];Arespondswithhash (pw|salt) • Lamport’shashscheme • Tousesamepwwithmanyservers:salt=randomnumber|serverid.

3/27/2013shankar authenticationslide15 3/27/2013shankar authenticationslide16 Lamport’shashscheme(contd) ScalingtonetworkofNprincipals Reset option 1: • Straightforwardapproach: • Achoosesnew[n,nhpw]andsendsittoBunencrypted. • Distinctkeyforeverypairofprincipals. • Adequateagainstanattackerthatcaneavesdrop,intercept,spoof? • Notscalable: • AdequategivenassumptionthatBtoAauthenticationisnotneeded? N2storagecostateachnode Ncostforaddingnewprincipal Reset option 2: • Asendsnew[n,nhpw]encryptedbyakeyobtainedviaDiffieHelman. • Usehierarchyoftrustedintermediaries • Isthisanybetterwrttotheattackers? • KDC (key distribution center) insecretkeycrypto

• CA (certification authority) inpublickeycrypto Small n attack: • CimpersonatesB’snetworkaddressandwaitsforAtologin • Crespondswithmsmallerthancurrentnandthusgetshash m(pw)fromA • CcannowimpersonateA(forn −mlogins) Lamport’s Hash without workstation • Insteadofjustpassword,Ahashash i(pw)fori=1,2, ⋅⋅⋅,n1writtendown • Ateachlogin,Auseslastentryandcrossesitout. • Notvulnerableto“smalln”attack. • Isthisanydifferentfromwritingdownahighqualitykey? SKEY :InternetdeployedversionofLamport’shash

3/27/2013shankar authenticationslide17 3/27/2013shankar authenticationslide18

KDC:singledomaincase KDC:singledomaincase(cont) • AdvantagesofKDC: • KDCisahostinnetwork; KDC servessharedsecretkeys • Addingnewprincipal:oneinteractionbetweenprincipalandKDC 1 • • Revocationofprincipal:deactivateprincipal’smasterkeyatKDC 2 EveryprincipalXindomainsharesa keyK XwithKDC(offline) • DisadvantagesofKDC: 3 • A B Z • WhenAwantstotalktoB, KDCcanimpersonateanyonetoanyone. itgetsaticketfromKDC KDCcompromisemakesthewholenetworkvulnerable. (onlinesteps1,2,3) • KDCfailuremeansnonewsessionscanbestarted. • KDCcanbeaperformancebottleneck. A KDC B • LasttwocanbealleviatebyhavingKDCreplicas,but send[A,KDC,B,conn] needtoprotectallreplicas generatesessionkeyK AB whenaprincipal’smasterkeyischanged,needtosyncreplicas generatetkt AB=[K B{A,B,K AB}]( ticket ) send[KDC,A,KA{A,B,K AB},tkt AB]

send[A,Y,B,conn,tkt AB] decrypttkt AB andgetK AB <authenticationbetweeenAandBusingK AB >

3/27/2013shankar authenticationslide19 3/27/2013shankar authenticationslide20 KDCsformultidomaincase KDCsformultidomaincase(contd) Case 1: Aindomain(withKDCX)wantstotalktoBindomain(withKDCY), Case 2: KDCschainfromsourcetodestination andXandYshareakey,sayKXY. • Inalargeinternetworkwithmanydomains, A X(KDCofD 1) Y(KDCofD2) B unlikelythateverytwodomainswillhaveasharedkey. send[A,X,conntoBinD 2] • ButifthereisasequenceofdomainsD 1,D 2, ⋅⋅⋅,D Nsuchthat generatesessionkeyK AY foreveryi,KDCofD iandKDCofD i+1 haveasharedkey generatetkt AY=[K XY{A,X,K AY}] send[X,A,K {A,Y,K },tkt ] thenAofD 1cansecurelyobtainasessionkeytotalktoBofD N: A AY AY • LetX ibetheKDCofD i • AtalkstoX 1andgets[sessionkey,ticket AX2 ]totalktoX 2 send[A,Y,conntoBinD 2,tkt AY] • AtalkstoX 2andgets[sessionkey,ticket AX3 ]totalktoX 3 generatesessionkeyK AB • andsoonuntil generatetkt AB=[K BY{A,B,K AB}] • AtalkstoX Nandgets[sessionkey,ticket AB]totalktoB send[Y,A,KAY{A,B,K AB},tkt AB] • ⋅⋅⋅ send[A,B,K AB{A,B,conn},tkt AB] HowdoesAgetthesequenceX 1,X 2, ,X N. • Statichierarchywithadditionallinks(perhapscached)forefficiency. • GoodifAalsopassesalongthesequenceofdomainstobetraversed,sothat BcanseewhetherittrustseveryKDConthechain.

3/27/2013shankar authenticationslide21 3/27/2013shankar authenticationslide22

CA:singledomaincase CA:singledomaincase(contd) • Eachprincipalhasapublickeypair. CA • CAisahostbutneednotbenetworked; RemembersitsownprivatekeyandCA’spublickey. generatescertificates(signedpublickeys) • CAgenerates certificate (signedpublickey)foreachprincipalX: andCRLs(certificaterevocations) • [(serialno,X,pubkey X,expdate), privkey {(serialno,X,pubkey ,expdate)}]. • Onlinedirectoryserver(DS)periodicallygets CA X DS • Certificatesarepubliclydisseminated(e.g.,atdirectoryservices). certificatesandCRLsfromCA 3 4 • DSservescertificatesandCRLstoanyone • AauthenticatesBasfollows(ignoringcertificaterevocation): 1 A B Z (onlinesteps3,4) • ObtaincertificateforBfromanywhere,typicallyfromB. 2 • Ifcertificatenotexpiredandsignatureverifies(usingCA’spublickey), • EveryprincipalXindomain thenAhasB’spublickey. generatesapublickeypair • AsendschallengeandexpectschallengeencryptedbyB’sprivatekey, getsitspublickeysignedbyCA(certificate) afterwhichAandBsettleonasessionkey. getsCA’spublickey (alloffline) • Advantages • WhenAwantstotalktoB, • CAdoesnotneedtobeonlineornetworked,socanbemoresecure. AshowsBitscertificateandCRL • CAcrashdoesnotstopnewsessionsfromstartinguntilexpirationdate. BshowssimilardocumentstoA • Certificatesneednotbesecured(exceptfordeletionofcertificates). (onlinesteps1,2) • CompromisedCAcannotdecryptconversations(unlikeKDC).Butitcan servefalsepublickeysandthusimpersonateanyprincipal.

3/27/2013shankar authenticationslide23 3/27/2013shankar authenticationslide24 CA:handlingrevocation CAsformultidomaincase • CertificaterevocationismorecomplexthaninKDC. Case 1: AindomainwithCAXwantstotalktoBindomainwithCAY, • CAperiodically(eg,hourly)issuesCRL(CertificateRevocationList) andXandYhavecertificatesforeachother. • signed{issuetime,listofcertificatesrevokedatissuetime} A X directory service Y directory service B • AauthenticatesB(inpresenceofCRL)byobtaining(typicallyfromB) • GetsfromX’sdirectoryserviceacertificateforYsignedbyX; • acertificateforBthathasnotexpired(asabove),and AcanverifycertificatebecauseAhasX’spublickey; • aCRLthatdoesnothaveBandwasissuedsufficientlyrecently,eg, soAnowhasY’spublickey. atthestartofthecurrentperiod. • AsendsachallengeandawaitschallengeencryptedbyB’sprivatekey, • GetsfromY’sdirectoryserviceacertificateforBsignedbyY; afterwhichAandBsettleonasessionkey. AcanverifycertificatebecauseAnowhasY’spublickey; soAnowhasB’spublickey • X.509formatforcertificateandCRL • Certificate= • AcannowsendmessgestoBencryptedwithB’spublickey [username,userpublickey,expirationtime,serialnumber, CA’ssignatureonentirecontentsofcertificate] • CRL=[issuetime,listofserialnumersofunexpiredrevokedcertificates]

3/27/2013shankar authenticationslide25 3/27/2013shankar authenticationslide26

CAsformultidomaincase(contd) Sessionkeys Case 2: CA chain from source to destination Sessionkeys • Protectthedataexchangeafteraconnectionisestablished • Inalargeinternetworkwithmanydomains,unlikelythattheCAsofeverytwo • Shouldbedifferentfromlongtermsharedkeyusedforauthentication domainswillhaveacertificateforeachother. • solongtermkeydoesnot“wearout”(offlinecryptoattack) • Shouldbeuniqueforeachsession • • ButifthereisasequenceofdomainsD 1,D 2, ⋅⋅⋅,D Nsuchthat Ifcompromised,onlyaffectsdatasentinthatsession. • foreveryi,directoryservicesofD iandD i+1 havecertificatesforeachother Canbegiventorelativelyuntrustedsoftware signedbytheirCA’s • Sessionkeyshouldbeforgottenaftersessionends thenAofD 1cansecurelyobtainthepublickeyofBofD 2byiterating: • LetX ibetheCAofD i Delegation or authentication forwarding • • AgetscertificateforX 2signedbyX 1 IfA,whenloggedintoB,wantstoaccessC(eg,printer), • AgetscertificateforX 3signedbyX 2 thenBneedstoauthenticateitselfasAtoC. • andsoonuntil • AcanlogintoCexplicitly(toomuchtrouble) • • AgetscertificateforX NsignedbyX N1 AcangiveBitspassword(toorisky) • • AgetscertificateforBsignedbyX N AcangiveBaticket(called delegation or authentication forwarding )with typesofaccessallowedbyB(eg,A’sprintqueue) expirytime(typicallyshort)

3/27/2013shankar authenticationslide27 3/27/2013shankar authenticationslide28 Establishingsessionkeywithsecretkeyauthentication(NSCh12) Establishingsessionkeywithpublickeyauthentication(NSCh12) • ConsiderAandBwithsharedkeyK AB . • AchoosesrandomRassessionkeyandsends{R} BtoB. Duringauthentication,AandBhaveexchangedchallenges,eg: Attack: CspoofsA(afterauthentication)andchooseitsownR 1assessionkey. • R (inonewayauth) 1 SoimportanttohaveRbepartofauthentication. • R1,R 2(intwowayauth) • AchoosesRassessionkeyandsends[{R} ] • B A SessionkeycanbeR 1and/orR 2encryptedbyaspecfiedfunctiongofKAB ,eg, HereCcannotinjectspuriousR assessionkey • g(K )){R }or(g(K )){R ⊕R } 1 AB 1 AB 1 2 IfClaterobtainsB’sprivatekey,CcanextractRanddecrypt • g(K )isK +1,K −1, −K ,etc Attack: AB AB AB AB conversation.

Attack :ifCobtainsK later,Ccandecrypt(recorded)conversation. AB • ⊕ ApicksR 1,BpicksR 2,theyexchange{R 1}Band{R 2}A,setR 1 R2assessionkey. • Sessionkeyshouldnotbeg(R 1)org(R 1,R 2)encryptedbyK AB ,eg,K AB {g(R 1)}. Attack: HereChastooverrunbothAandBtoobtainsessionkey. Otherwise,laterCcanimpersonateB,sendg(R 1)asachallengetoA, • getbackK AB {g(R 1)},anddecryptearlierconversationbetweenAandB. SessionkeycanbeobtainedbyDiffieHellmanafter/duringauthentication Defense:includesenderidinchallenges. (theDiffieHellmanexchangemessagesareencryptedorsigned). ThenevenifCoverrunsAandB,itstillcannotdecryptconversation. • SessionkeycanobtainedbyDiffieHellmanafter/duringauthentication (theDiffieHellmanexchangemessagesareencryptedbyK AB ). ThenevenifCobtainsK AB later,itstillcannotdecryptconversation.

3/27/2013shankar authenticationslide29 3/27/2013shankar authenticationslide30

AuthenticationofPeople(KPS10) AuthenticationofPeople(contd)

Constraints when authenticating human: Good password, ie, random 128-bit, not feasible • Canonlyremember low-quality secret • 20randomdigits (eg,10letter“pronounceable”password). • − − • Cannotperformcryptographicoperations. 11randomchars(from09,a z,A Z,coupleofpunctuationmarks) • Computergeneratedrandompronounceablepassword • Caseinsensitive:4.5bitsofrandomnesspercharacter Human authentication based on one or more of • • Whatyouknow:password Everythirdcharacteravowel,6vowels:2.5bitsofrandomnesspervowel • • Whatyouhave:authenticationtokens,eg, Requires16characters • • physicalkeys,ATMcard Humangeneratedpasswords • • Whatyouare:biometricfeatures,eg, About2bitsofrandomnesspercharacter • • fingerprint,voicerecognition,retinascan Sorequireabout32characterpassword • Ifpasswordistoogood,userswriteitdown Password limitations • Eavesdropping Workable approach • • Onlinedictionaryattack “passphrase”withintentionalmisspelling,punctuationmarks, • defense:limitnumberofattemptsafterwhichusermusttalktoadmin symbols(eg,$forS),oddcapitalization,etc. problem:vandalcaneasilylockupaccounts(denialofservice) • defense:limitspeedofattempts • Exposureofpasswordfileonserver • Doingofflinedictionaryattackifpasswordfileishashed. • Exposingpasswordsinemail,scriptfiles,etc.

3/27/2013shankar authenticationslide31 3/27/2013shankar authenticationslide32 AuthenticationofPeople(contd) AuthenticationofPeople(contd) Login Trojan Horse to capture passwords Authentication tokens :physicaldevicethatapersoncarriesaround: • Leaveprogramrunningonpublicterminalthatimitatesloginprompt • getspasswordfromnaiveuserandattemptstoexitinconspicuously Magnetic strip cards eg,exitwith“loginfailed”message • Creditcards,debitcards,idcards,moneycard,etc betteryet:runsvirtualOSfordurationofusersession • Canholdhighqualitysecretandotherdata(usuallyreadonly) • Ifcardhaspictureorsignature,thenalsoservesasbiometriccheckbyhuman. • DefensesbyOS/hardware: • Havespecialpromptsymbolatanyinputfieldbynonloginprogram Smart card (embedded CPU and memory) • Allowonlyloginscreentofillentiredisplay • canholdhighqualitysecret • Nonmappablekeytointerruptanyrunningprogram • memorycanbepasswordprotected eg,altctrldel(butoftenOSallowsremappingofthis) • candocryptographicoperations(challenge/response) • Displaynumberofunsuccessfulloginattemptssincelastsuccessfullogin. • Any defense fails given a sufficiently naive user Advantages, disadvantages, features • Tokenscanbelostorstolen(unlessitisattached/embeddedinuser) • Sousuallyneedstobeaugmentedwithpassword Initial distribution of passwords needs to be secure • Whentokenislost,needanoverridethatisusuallynotmuchless convenientthantheoverridefor“Iforgotmypassword” • Requirescustomhardware(keyslot,cardreader,etc)oneveryaccessdevice Passwords can also be used for non-login purposes (protecting individual files) • exceptioniscryptographiccalculator(orreaderlesssmartcard)

3/27/2013shankar authenticationslide33 3/27/2013shankar authenticationslide34

AuthenticationofPeople(contd) AuthenticationofPeople(contd) Cryptographic calculator (or readerless smart card) Biometric authentication devices • Retinalscanner • Smartcardthatdoesnotrequirespecialhardware . • scansbloodvesselsinbackofyoureye • Hasdisplayandkeyboardforhumaninteraction • expensiveand“psychologicallythreatening”(lookintolaserdevice) • Userenterspasswordtounlockdevice • Irisscanner • Userenterschallengeintodeviceandreadscryptographicresponse • Lessintrusivethanretinalscanner(canusecameraseveralfeetaway). • Timebasedalternative • Fingerprintreader • Userenterspasswordtounlockdevice • devicesavailablebutautomationhasnotbeensuccessfulformanyyears • Carddisplaysencryptionofcurrenttime,whichuserentersas • Facerecognition authenticationinformation. • notintrusivebutnotveryaccurate;susceptibletofalsenegatives • Authenticatingcomputerchecksthatresultisvalid • Handprintreaders Needstocheckforallpossiblecurrenttimeswithinallowedclockdrift. • Morefalsepositivesthanfingerprintreaders,butcheaper/fewerproblems • Advantages: • Voiceprints Saveshalfthetyping • Cheapandcanbeasaccurateasfingerprinting Workswithpassword“formfactor”authenticationprotocols • Canbedefeatedwithtaperecording • Falsenegatives(voicechangeduetoillness) • Keystroketiming • Falsenegatives(injury) • Signature • Notaccuratebasedonlyonstaticsignature • Accurateifalsobasedontiminginfo

3/27/2013shankar authenticationslide35 3/27/2013shankar authenticationslide36 SecurityHandshakePitfalls(NSchapter11) OneWayAuthentication AssumeAinitiatesconnectiontoB. Solution 1.1: one-way auth, secret-key (K AB ) A B Canclassifytheauthenticationprotocolsalongfollowingfeatures: send[A,B,conn] sendchallenge[B,A,R] • Onewayauthentication: sendresponse[A,B,f{K ,R}] • BauthenticatesA(eg,login)or AB • AauthenticatesB(serverBwithpublickey,clientAw/opublickey) Note • Mutualauthentication: • Responsef{K AB ,R}isakeyedhashofRorRencryptedwithK AB • BauthenticatesAand AauthenticatesB • ChallengeRmustbenew (a nonce )sothatf{K AB ,R}hasnotbeensentbefore • SecretkeycryptovsPublickeycrypto (byAorbyB)andhencehasnotbeenseenbyattacker. • IfchallengeRisobtainedfromaclockoracounterand ifBmayhavereceivedpastmsgsmtowhichitsentf{K AB ,m}responses (eg,anotherauthenticationprotocolwithAusingKAB ) then • BmustensurethatchallengeRisnotamongthesemsgs,or • responseshouldalsoindicatethesender(eg,f{K AB ,A,R}) • TheseproblemsarenotthereifRisobtainedfromarandomnumber generator. Question:Wouldtheseattacks,ifsuccessful,yieldsessionkey?

3/27/2013shankar authenticationslide37 3/27/2013shankar authenticationslide38

Solution 1.2: one-way auth, secret-key (K ) Some vulnerabilities: AB A B

send[A,B,conn] sendchallenge[B,A,K {R}] • IfK isderivedfrompassword,aneavesdroppercandoofflinedictionary AB AB send[A,B,R] attack. Note • IfattackergetsB’spasswordfile,itcanimpersonateA • Requireschallengetobereversable(ie,encryption,notkeyedhash). • ProtectingpasswordfileisharderifBisreplicated • Rshouldnotonlybeanoncebutunpredictable(ie,randomlygenerated). orAusessamepasswordondifferentservers. • Eg,ifRisobtainedfromacounter,anattackercanimpersonateA becauseitwouldknowthatthenextchallengegeneratedbyBisR+1. Vulnerabilities: asinsolution1.1plusthefollowing: • IfK AB derivedfrompasswordandRhasstructure,then aspoofer(w/oeavesdropping)cangetK AB {R}anddoofflinedictionaryattack. • Note:Risrandomlygeneratedandneednothavestructure. Feature IfAandBhaveclocksthatarewithinDsecondsofeachother andRhasatimestamp(inadditiontotherandomnumber), thenthisalsoauthenticatesBtoAinthefollowingsense: • AassuredthatK AB {R}messagewasoriginallysentbyBwithinlastDseconds • AnotassuredthatK AB {R}wassentinresponsetoits[A,B,conn]msg • Canbefixedbyincludinganoncein[A,B,conn]andinR.

3/27/2013shankar authenticationslide39 3/27/2013shankar authenticationslide40 Solution 1.3: one-way auth, secret-key (K ), timestamp-based AB Solution 1.4: one-way auth, public-key (open challenge, signed response)

AssumingAandBhaveclocksthatarewithinDsecondsofeachother. A B send[A,B,conn] A B sendchallenge[B,A,R] send[A,B,conn,K AB {ts}] send[A,B,[R] ] Bdecrypts,checksthattswithinD A //[R] AisRencryptedwithA’sprivatekey Note Note • Singletransmissionsuffices,nohandshakeneeded • B’spwfilecontainsA’spublickey;canbereadable(butnotmodifiable) • Bdoesnotneedtomaintainstateperactiveconnection Vulnerable • NeedtoensurethatRhasdistinctstructurethatisnotusedforsigning • ReplayattackwithinclockskewD messages • defense:BrememberstssentbyAwithinlastDseconds(requiresstate) • ReplayattackifK AB usedwithmultipleservers • defense:includeserveridalongwithts MaynotbedoableifserversarereplicasofB(withsameexternalid) • B’sclockbeingsetback Ifencryptionisreplacedbykeyedhash,Bhasmuchmorework • BhastogetkeyedhashofeverypossiblevalueinDandcompare. • CanovercomebyAincludingunencryptedtsinconnmsg.(Isthisassecure?)

3/27/2013shankar authenticationslide41 3/27/2013shankar authenticationslide42

Mutual(twoway)Authentication(AinitiatesconnectiontoB) Solution 1.5: one-way auth, public-key (encrypted challenge, open response) Solution 2.1: two-way auth, secret key (K AB ) A B send[A,B,conn] A B sendchallenge[B,A,{R} A] 1 send[A,B,conn] 2 sendchallenge[B,A,R1] ({R} AisRencryptedwithA’spublickey) 3 sendresponse[A,B,f{K AB ,R 1}] send[A,B,R] 4 sendchallenge[A,B,R ] 2 5 sendresponse[B,A,f{K ,R }] Note AB 2 • B’spwfilecontainsA’spublickey;canbereadable(butnotmodifiable) Note • NeedtoensurethatRhasdistinctstructurethatisnotusedforsending • Consistsoftwo2wayhandshakes confidentialmessagestoA • Messages3and4canbecombinedintoonemessage • VulnerabletoB’spasswdfilebeingread • WhyisoktosendresponseRintheopen,insteadofsay{R} B • IfK AB obtainedfrompasswd,vulnerabletoofflinedictionaryattack • byattackerwhocaneavesdrop • byattackerwhocanimpersonateB ImpersonatingserverBisharderthanimpersonatingclientA (assumingserverisalwaysconnectedwhereasclientismomentary) • InterchangingorderofR 1andR 2introducesfurthervulnerability(below)

3/27/2013shankar authenticationslide43 3/27/2013shankar authenticationslide44 Solution 2.2: solution 2.1 with R 1-R2 order interchanged Solution 2.2 vulnerable to reflection attack A B C B 1 send[A,B,conn,R 2] 1 send[A,B,conn,R 2] 2 send[B,A,R ,f{K ,R }] 2 send[B,A,R1,f{K AB ,R 2}] 1 AB 2 3 send[A,B,f{K ,R }] AB 1 1’ send[A,B,conn,R ] 1 2’ send[B,A,S1,f{K AB ,R 1}] Note • Reducessolution2.1toone3wayhandshake 3 send[A,B,f{K AB ,R 1}] • Asusual,vulnerabletoB’spasswdfilebeingread ChassuccessfullyimpersonatedAtoB • UsualofflinedictionaryattackifCeavesdrops andK AB obtainedfrompasswd Possible defenses:

• IfCcanspoofA,thenCcandoofflinedictionaryattack • BremembersR 1anddoesnotacceptit(difficultwithreplicatedservers) (withouteavesdropping) • Rhasstructureindicatingsenderofchallenge(butthenofflinedictionary attack) • Usedifferentkeysforeachdirection: • KAB (forA B)andKBA (forAB) • KBA canbepredictablyrelatedtoK AB [eg,K AB +1,KAB –1,–KAB ,orK AB ⊕(F0F0...F0) 16 ] Thumb-rule: Initiator should be first to authenticate itself

3/27/2013shankar authenticationslide45 3/27/2013shankar authenticationslide46

Solution 2.4: two-way auth, public keys Solution 2.3: two-way auth, secret key, timestamps

A B A B 1 send[A,B,conn,{R 2}B] 1 send[A,B,conn,f(K AB ,ts)] 2 send[B,A,R2,{R 1}A] 2 send[B,A,f(K ,ts+1)] AB 3 send[A,B,R 1] Note Note • One2wayhandshakesuffices • Moreruggedthansecretkey:notvulnerabletooverruningB. • Msg1assuresBthatmsgwasgeneratedbyAandsentwithinclockskew • IsitnecessarytoencryptresponseR 1? • “ts+1”canbereplacedbyanypredicatablefunctionofts • HumanAhastoobtainitsprivatekeyandB’spublickey(alreadydiscussed): • responseshouldincludestructureindicatingsender • DirectoryservicesuppliesA’sprivatekeyencryptedbyA’spwd (todefendagainstreplayattack),or • BsuppliesB’spublickeysignedbyA’sprivatekey • Bmustremembertimestampvaluestsandts+1 • etc (todefendagainstreplayattack) ______ Solution 2.5: two-way auth, public keys, variant of solution 2.4

A B 1 send[A,B,conn,R 2] 2 send[B,A,[R 2]B,R 1] 3 send[A,B,[R 1]A]

3/27/2013shankar authenticationslide47 3/27/2013shankar authenticationslide48 Extensionsfordynamiccontex AuthenticationwithKDCmediator Dynamiccontext: A KDC B • usersjoinandleavedomains send[A,KDC,conntoB] • usersdonotsharepreassignedkeys generatesessionkeyK AB • usersrelyonKDCs/CAs/directoryservices generatetkt AB =[K B{A,B,K AB }] • userschangepasswords send[KDC,A,KA{K AB },tkt AB ] • replicatedKDCs • etc send[A,B,conn,tkt AB ] <AandBdomutualauthenticationusingK AB > Newattacksbecomerelevant: (examplefollows) • attackerwithanold passwordofauser(tryingtoimpersonateuser) • others? send[B,A,R1] send[A,B,R2,K AB {R 1}] Newsituationshavetobehandled: send[B,A,KAB {R 2}] • userApresentsuserBaticketissuedunderoldpasswordofB • userAcontactsaKDCthatstillhasanoldpasswordofA <AandBuseK AB (orderivative,eg,(K AB +1){R 1⊕R2}assessionkeydata> • etc Note: • EvenifCisspoofingA,CcannotgetaccesstoK AB . • IsauthenticationbetweenAandKDCneeded(oristhatalreadydoneabove)? • EvenifCisspoofingKDC,CcannotgiveaKAB thatBwillaccept.

3/27/2013shankar authenticationslide49 3/27/2013shankar authenticationslide50

NeedhamSchroederProtocol NeedhamSchroeder(cont) • NonceN 1usedtoassureAthatmsg2isresponsebyKDCtomsg1 BelowN1,N2,N3arenonces. IfN 1notpresent,CwithanoldpasswordofBcanimpersonateBtoA: • Crecordsaboveexchange(refertothemasold msgs1,2,3,4,5) A KDC B • CstealsK B;Bchangeskey 1 send[A,KDC,connB,N 1] • Cdecryptstkt AB andgetK AB • CwaitsuntilAinitiatesconnectiontoB generatesessionkeyK AB • CinterceptsA’snewmsg1,respondswitholdmsg2(=K A{B,K AB ,tkt AB }) generatetkt AB =[K B{A,B,K AB }] 2 • Arespondswithnewmsg2(=[tkt AB ,K AB {newN 2}]toB send[KDC,A,KA{N 1,B,K AB ,tkt AB }] • Cintercepts,respondswithK AB {newN 2–1}(CknowsK AB ) 3 send[A,B,tkt AB ,K AB {N 2}] • 4 send[B,A,KAB {N 2−1,N 3}] Msg2:idBencryptedbyK AensuresthatCcannotreplayoldKDCreplytoC (i.e.,KDCreplytorequestbyCtotalktoB) 5 send[A,B,KAB {N 3−1}] • Msg2:noneedtodoublyencrypttkt AB <useK AB (orderivative,eg,(K AB +1){N2⊕N3}assessionkeydata>

3/27/2013shankar authenticationslide51 3/27/2013shankar authenticationslide52 NeedhamSchroeder(cont) NeedhamSchroeder(cont) • IfEBCisused(insteadofCBC)andeachnoncefitsinanencryptionblock, Vulnerability if N 1 sequential thenCcanimpersonateAtoBwithreflectionattack • Ceavesdropsandgetsmsgs3and4 1.AttackerCoverhearsN 1=nduringnormalsessionbetweenAandB • LaterCreplaysmsg3 A KDC B • BreplieswithK AB {N 2 −1,N 4}whereN 4 ≠N 3 1send[A,KDC,connB,N 1=n] • CneedstogetK AB {N 4−1},whichitdoesasfollows: generatesessionkeyK AB Creplaysmsg3withK AB {N 4}replacingK AB {N 2}andgetsK AB {N 4−1}fromB generateticketT AB =[K B{A,B,K AB }]

ReplacingEBCwithCBCmakesattacknotpossible 2 send[KDC,A,KA{N 1,B,K AB ,T AB }] − (butthenthereisnoneedforN 3 1;canjustuseN 3) 3send[A,B,T AB ,K AB {N 2}] 4 send[B,A,KAB {N 2−1,N 3}]

5send[A,B,KAB {N 3−1}] <AandBexchangedata,close>

3/27/2013shankar authenticationslide53 3/27/2013shankar authenticationslide54

Needham-Schroeder vulnerability if N 1 sequential (cont) Needham-Schroeder vulnerable to old password exposure 2.AttackerClearnsK B,spoofsAtoKDCwithN 1=n+1asfollows IfCgetsA’smasterkey(sayK A)andAchangesit(tosayJ A), CcanstillimpersonateAtoB(becauseBnevertalkstoKDC). attacker C KDC B

6send[A,KDC,connB,N 1=n+1] A KDC B 1send[A,KDC,B,N 1] generatesessionkeyJ AB generatesessionkeyK generateticketS AB =[K B{A,B,J AB }] AB generatetkt =[K {A,B,K }] 7 send[KDC,A,KA{N 1,B,J AB ,S AB }](rcvdbyC) AB B AB 2 send[KDC,A,K {N ,B,J ,tkt }] A 1 AB AB 3.CstealsK B.Bchangesitskey. 3send[A,B,tkt AB ,K AB {N 2}] CwaitsforAtoconnecttoB,thenimpersonatesKDCandthenB 4 send[B,A,KAB {N 2−1,N 3}]

5send[A,B,KAB {N 3−1}] A attacker C B

8 send[A,KDC,connB,N 1 =n+1](interceptedbyC) Crecordsabove.ThenCobtainsK A.ThenAchangesmasterkeytoJ A( ≠K A).

9 send[KDC,A,KA{N 1,B,J AB ,S AB }](replaymsg7) C B 10 send[A,B,S AB ,J AB {L 2}](interceptedbyC) send[A,B,tkt AB ,K AB {M 2}] CdecryptsS AB (encryptedusing(old)K B) send[B,A,KAB {M 2−1,M 3}] andobtainsJ AB send[A,B,K {M −1}] <CcannowcompletetheauthenticationandimpersonateB> AB 3

3/27/2013shankar authenticationslide55 3/27/2013shankar authenticationslide56 Needham-Schroeder vulnerable to old password exposure (cont) ExpandedNeedhamSchroeder:requirestwoadditionalmessages Fix: BsendsanonceencryptedbyK BinresponsetoA’sconnectionrequest, andlooksforthenonceintheticket. A KDC B 1a send[A,B,conn] SeveralwaystoincludesuchaBKDCinteraction: 1b send[B,A,KB{N B}] A KDC B A KDC B A KDC B 1 send[A,KDC,connB,N 1,K B{N B}]

KB{N A} generatesessionkeyK AB KB{N A} KB{N A} generatetkt AB =[K B{A,B,K AB ,N B}] 2 send[KDC,A,KA{N 1,B,K AB ,tkt AB }]

3 send[A,B,tkt AB ,K AB {N 2}]

4 send[B,A,KAB {N 2−1,N 3}](asbefore)

Expanded Otway Rees: Notgood: 5 send[A,B,KAB {N 3−1}](asbefore) NeedhamSchroeder: ▪ requiresKDCto ▪ 5messages <AandBestablishdatasessionkey(eg,(K +1){N ⊕N }> ▪ 7msgs matchupmessages AB 2 3

3/27/2013shankar authenticationslide57 3/27/2013shankar authenticationslide58

OtwayReesauthenticationprotocol Otway-Rees nonce N C must be unpredictable, o/w C can impersonate B to A. SupposeN issequentialandequals007inoneattempt.Cdoesfollowing: Doesmutualauthenticationandhandlesticketinvalidationin5messages C C KDC B A KDC B 1 send[A,B,N C=008,grbge] 1 generatenoncesN AandN C send[B,KDC,grbge,K B{N B,N C=008,A,B}] send[A,B,N C,K A{N A,NC,A,B}] 2 (C records this) generatenonceN B KDCrejectsmessage2 2 send[B,KDC,KA{N A,N C,A,B}, K B{N B,N C,A,B}] Later A attempts to connect to B ⋅⋅⋅ ⋅⋅⋅ ifN CsameinK A{ }andK B{ } A KDC C generatesessionkeyK AB 3 send[A,B,N C=008,K A{N A,NC=008,A,B}] 3 send[KDC,B,N C,KA{N A,KAB },K B{N B,KAB }] Cinterceptsthismsg3 4 send[B,A,K {N ,K }] 4 A A AB send[B,KDC,msg3K Afield,msg2KBfield] 5 send[A,B,K {“hello”}] acceptsmsg4(sinceitsN ’smatch) AB 5 C send[KDC,B,N C,K A{N A,KAB },K B{N B,KAB }] Cinterceptsmsg5 <AandBestablishdatasessionkey> send[B,A,K {N ,K }] A A AB 6 send[A,B,K {“hello”}] Note: AB • Msg3assuresBthatrequest1wasbyA AtthispointChasimpersonatedBtoA. • Msg4assuresAthatsenderisB IfAusesadatasessionkeyobtainedfromK AB ,Cwon’tsucceed (buto/wCcanimpersonateBtoAduringthedataexchange).

3/27/2013shankar authenticationslide59 3/27/2013shankar authenticationslide60 Nonce types: Example 2: using sequential nonce when unpredictable nonce is needed • Largerandomnumber:bestnonce • cryptooperationsarethebestwaytogeneratethem A B • Timestamp:notasgood send[A,B,conn]

• clocksmusthaveadequatesynchronizationandresolution send[B,A,R1]

• mustrecoverfromcrashes send[A,B,KAB {R 1}] • Sequencenumbers • requiresnonvolatilestorage C lies in wait for A to initiate to B • WhenAinitiatestoB, Example 1: using seq number nonce when unpredictable nonce is needed CinterceptsandsendschallengeR 1+1toAandgetsK AB {R 1+1}. • ThenCinitiatesconnectiontoBimpersonatingA. A B • BsendschallengeR !+1,forwhichCnowhasthecorrectresponse. send[A,B,conn] Worse than man-in-middle: AdoesnothavetobeactiveforCtodoattack. sendchallenge[B,A,KAB {R 1}] send[A,B,R 1] Example 3: where sequence number nonce is adequate Asends(A,B,conn);

If R 1 is sequential, C can impersonate A to B as follows BsendschallengeK AB {R} Asendsresponse(K AB +1){R}. C B ______ send[A,B,conn] send[B,A,KAB {R 2}]whereR 2=R 1+1 send[A,B,R 1+1]

3/27/2013shankar authenticationslide61 3/27/2013shankar authenticationslide62

StrongPasswordProtocols(NSchapter12) EKEbasic,SPEKEbasic,PDMbasic • Basicstrongpasswordprotocols(EKE,SPEKE,PDM) • ProtocolsuseDiffieHellman(DH) • UseDiffieHellman • Mutualauthentication • HumanAwithpasswordachieveshighqualityauthenticationwithB • Strongkeyprotectionagainsteavesdropping inspiteofeavesdropper • NoprotectionagainstattackerreadingB’sdb: • NoprotectionagainstreadingofB’sdb • attackergetsthekeyobtainedfromA’spassword (noneedforofflinedictionaryattack) • Augmentedstrongpasswordprotocols(EKE,SPEKE,PDM) • Sameasbasicprotocolsexceptalsoprovide lowqualityprotectionagainstreadingofB’sdb • CanbeusedbyhumanAtoobtainahighqualitykey(includingprivatekey)

3/27/2013shankar authenticationslide63 3/27/2013shankar authenticationslide64 EKEbasic EKEbasic(cont)

• DHencryptedwithpasswordderivedkeytosharehighqualitykey Todefendagainstofflinedictionaryattack,needtoensurethat • Usesharedhighqualitykeytodotwowayauthentication gamodp(andg bmodp)hasnostructure: • Strongprotectionagainsteavesdropping;noneagainstBdbreading • gamodpislessthanp A haspasswordpw B has(A,W)whereW=hash(pw) • Ifencryptionblocksizeexceeds log 2p ,extrabitsmusthaverandompad. publicDHparameters:gandp • Requireptobeslightlymorethanapowerof2. chooserna Ifpisslightlylessthanapowerof2,theng amodphasstructure: ← a TA g modp • Msb=1impliesmostofthebitstotherightofmsbarezeros send[A,B,W{T A}] • Eachincorrectcandidatepwhas50%chanceofviolatingstructure choosernb Canquicklynarrowdowntospaceofcandidatepasswords. ← b TB g modp IsthisreallyaEKEissue,ratherthanaDHissue? choosechallengeC 1 send[B,A,W{TB,C1}] b KB←(TA) modp a KA←(TB) modp generatechallengeC 2 send[A,B,K A{C 1,C2}] send[B,A,K{C 2}] ab AandBnowsharestrongkeyK A=K B=g modp

3/27/2013shankar authenticationslide65 3/27/2013shankar authenticationslide66

SPEKEbasic PDMbasic SameasEKEexceptthatWtakestheplaceofg. • LikeEKEbutg=2andprimepisobtainedfrompassword(p=f p(pw)) A B storespasswordpw stores(A,W)whereW=hash(pw) • Todefendagainstofflinedictionary,require publicp(prime) • ptobeasafeprime,i.e.,(p −1)/2isalsoaprime chooserna • pmod24=11 a TA←W modp • etc send[A,B,T A] choosernb b TB←W modp send[B,A,T B] b KB←(TA) modp a KA←(TB) modp ab AandBnowsharestrongkeyK A=K B=W modp <twowayauthenticationusingsharedkeyK>

Note: Wmustbeperfectsquaremodp,o/wW amodp/W bmodphavestructure • Otherwise,W amodp(orW bmodp)maynotbeaperfectsquare • Eliminates50%ofcandidatepasswords. ButnotasbadasEKEbecausethispruningoccursonlyonce.

3/27/2013shankar authenticationslide67 3/27/2013shankar authenticationslide68 EKEaugmented,SPEKEaugmented,PDMaugmented,SRP EKEaugmented • Mutualauthentication • PublicDHparametersgandp • Strongkeyprotectionagainsteavesdropping • WeakkeyprotectionagainstattackerreadingB’sdb: • Ahaspasswordpw • attackercangetA’spwbyofflinedictionaryattack • twokeys,WandW’,obtainedfrompw(eg,usingdifferenthashes) • Bhas[A:W’,T ’(=gW modp)](soW’isopenbutnotW) A • AandBdoDHencryptedbyW’toestablishsessionkeyg ab modp: EKEaugmentedisdescribednext;othersaresimilar. a • A:randoma; TA=g modp; W’{T A}toB b • B:randomb; TB=g modp; W’{T B}toA a b ab • KA=(T B) modp = KB=(T A) modp = g modp • AandBalsoindependentlygenerateDHkeyg Wb modpforauthentication: W • A:KA’ ←(T B) modp b • B:K B’ ←(T A’) modp

3/27/2013shankar authenticationslide69 3/27/2013shankar authenticationslide70

EKEaugmented(cont) Obtainingcredential(eg,privatekey)fromnetwork W Ahaspw,W,W’ Bhas[A,W’,T A’(=g modp)]

chooserna; • Earlier:directoryservicehasprivKey AencryptedbykeyfromA’spassword a • TA←g modp Canalsobesolvedusingstrongpasswordprotocols send[A,B,W’{T A}]

extractT AfromW’{T A}usingW’ EKE-based protocol for obtaining credential: choosernb; • PublicDHparametersgandp b TB←g modp • Astorespasswordpw b KB←(T A) modp • WandW’aretwokeysobtainedfrompassword b KB’ ←(T A’) modp • Bstores(A,W,Y),whereY=W’{privatekeyofA}

H ←hash(KB,K B’) send[B,A,W’{T B},H] A B

extractT BfromW’{T B}usingW’ a KA←(T B) modp chooserna W KA’ ←(T B) modp computeW=hash(pw) a verifyH=hash(K A,K A’)toauthenticateB send[A,B,W{g modp}] H’ ←hash’(K A,K A’),wherehash’isanotherhashfunction choosernb send[A,B,H’] send[B,A,g bmodp,(g ab modp){Y}] computeg ab modp verifyH’=hash’(K B,K B’)toauthenticateA decrypt(g ab modp){Y}togetprivatekey AandBaremutuallyauthenticatedandsharestrongkeyK=g ab modp

3/27/2013shankar authenticationslide71 3/27/2013shankar authenticationslide72 Moreonauthentication(rtcommsec)(NSchapter16) PFS/escrowfoilageusuallyachievedwithauthenticatedDiffieHellman

Long-term secret of a principal: Masterkeyorprivatehalfofapublickeypair. Examplebasedonpublicsignaturekeys(below,[x] AdenotesxsignedbyA): A (DHparamsg,p;pubsignkeyofB) B (DHparamsg,p;pubsignkeyofA) Key escrow: generatea • a Principal’slongtermsecretheldbyanescrowagent(eg,lawenforcement). TA←g modp • Principalusuallyhasseparatepublickeypairsforencryptionandforsigning. send[A,B,[A,T A]A] Signaturekeyusuallynotescrowed. receivemsg • (o/wprincipalcandenyasignedmessage) verifysignatureon[A,T A] generateb Perfect forward security (PFS) b TB←g modp • AsessionhasPFSifanattackerwhoeavesdropsandlaterlearnslongterm K ←(T )bmodp//sessionkey secretsofparticipantsstillcannotobtainsessionkey. B A send[B,A,[B,T B]B] receivemessage Escrow-foilage K ←(T )amodp//sessionkey=K • Asessionhasescrowfoilageifescrowagentcannotobtainsessionkeyby A B B send[A,B,H(K )]//H:hash eavesdropping. A receivemessage • Ofcourse,escrowagentcanalwaysimpersonateparticipantordomanin ifH(K )=H(K )thenAauthenticted middleattack. A B send[A,B,H(1,K B)] receivemessage ifH(1,K B)=H(1,K A)thenBauthenticated

3/27/2013shankar authenticationslide73 3/27/2013shankar authenticationslide74

Protectionagainstdenialofserviceattack Example:usingastatelesscookie A B (hassecretS,notsharedwithanybody) • Typically,whenaserverreceivesa(potential)connectionrequest,itstartsto send[A,B,conn] maintainstateforthatclient(eg,clientid,challenge). • receivemsg Anattackercanoverwhelmsuchaserverbyfloodingitwithconnection ← requests. c hash(A'sipaddress,S)//c:statelesscookie send[B,A,c] • Solution: forgetc • serveraskspotentialclientdosomeworkbeforestoringstatefortheclient. receivemessage • Theworkrequestiscalleda stateless cookie. send[A,B,conn,c] (Nottobeconfusedwithwebbrowsercookies.) receivemessage ifc ≠hash(A’sipaddr,S)thenabort elsecontinuewithauthenticationhandshake • TheabovecookiejustrequiredAtosenditback. • Amoreseverecookiec:randomstringtowhichtheclienthastoreturn[x,c], wherexisanbitnumberthathashestoc • ncanbevariedtoinflictmore/lesswork.

3/27/2013shankar authenticationslide75 3/27/2013shankar authenticationslide76 Endpointidhiding ReusingDHkeyacrosssessions Hidetheidsofthecommunicatingprincipalsfromeavesdroppers,spoofers,etc. • Goal:amortizecostofcomputingDHkey • Approach:definesessionkeyasfunctionofDHkeyandarandomnonce. Below,AandBareprincipals,andn Aandn BaretheirrespectiveInternetids. A (DHparamsg,p;pubsignkeyofB) B (DHparamsg,p;pubsignkeyofA) First session (compute DH key) generatea A (DHparamsg,p;pubsignkeyofB) B (DHparamsg,p;pubsignkeyofA) T ←gamodp A generatea send[n A,n B,T A] T ←gamodp receivemsg A send[A,B,[T A]A] generateb receivemsg ← b TB g modp generateb,N 1 ← b b KB (T A) modp//sessionkey TB←g modp b send[n B,n A,T B] KB←(T A) modp//DHkey receivemessage send[B,A,[T B]B,N 1] ← K ←(T )amodp//sessionkey sessionkeyS B1 hash(N 1,K B) A B receivemessage send[n A,n B,K A{A,B,[T A]A}] ← a receivemessage KA (T B) modp//DHkey sessionkeyS A1 ←hash(N 1,K B) send[n B,n A,K B{B,A,[T B]B}]

• Eavesdroppercannotseeendpointids(AandB) <sessionkeyS A1 =S B1 > • SpooferofB(moreprecisely,ofn B)canlearnendpointids. closesession • Samecanbedonewithsecretkey,sayL,insteadofpublickey: do not forget T A, K A and T B, K B • useL{T A}andL{T B}insteadof[TA]Aand[TB]Brespectively

3/27/2013shankar authenticationslide77 3/27/2013shankar authenticationslide78

ReusingDHkeyacrosssessions(cont) Plausibledeniability Later session (reusing DH key) • PrincipalAhasplausibledeniabilityinasessionifnobodycanprovethatA A(hasTA,TB,K Afrombefore) B (hasT A,T B,K Bfrombefore) participatedinthesession(eventhoughAandBmayhaveauthenticatedeach otherinthesession). startnewsession • Plausibledeniabilitycomesforfreewithsecretkey(anyoneparticipantcan send[A,B,[T ] ]//reuseT A A A cookuptheentiresession) generateN //reuseT andK 2 B B • Notpossiblewithpublickeyunlesskeyisescrowed(eg,useencryptionpublic ← sessionkeyS B2 hash(N 2,K B) keyratherthansignaturepublickey). send[B,A,[T B]B,N 2] receivemessage T hasnotchanged,soreuseT andK ______ B A A sessionkeyS A2 ←hash(N 2,K A) Negotiatingcryptoparameters <sessionkeyS A2=S B2 > closesession • InABsessioninitiation,AsendscryptooptionsandBrespondswithcrypto accepted. • Havingcryptoparametersnegotiatedallowssameprotocoltoupgradeto • Above,BauthenticatesAbutnotviceversa(ie,attackercanreplayBmsgs). bettercryptoalgorithmswhentheybecomeavailable. • EasytofixsothatAauthenticatesBalso. • Becausecryptooptionsarenegotiatedbeforeauthentication,needto reconfirmafterauthentication(byreiteratingthenegotiationmessages). WhatislostbyreusingDHparameters?

3/27/2013shankar authenticationslide79 3/27/2013shankar authenticationslide80