DOCSLIB.ORG

Wpa3, Owe, Dpp

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Wpa3, Owe, Dpp WLAN Security Enhancements: WPA3, OWE, DPP Hemant Chaskar @CHemantC Arista Networks Hemant Chaskar -- 1 -- Networks Agenda • OWE / Enhanced OpenTM • SAE / WPA3TM- Personal • 192-bit Security / WPA3TM- Enterprise • DPP / Easy ConnectTM Hemant Chaskar -- 2 -- Networks Diffie-Hellman Key Generation • Generates common secret between two parties • No pre-shared secret required • MITM cannot generate the common secret Whitfield Diffie • Based on public key cryptography • Used in SSH, TLS, IPSec and now in OWE, WPA3 and DPP Martin Hellman Hemant Chaskar -- 3 -- Networks Key Generation Steps Known Values: Generator g, Modulus p Random Priv Key: x Random Priv Key: y Compute Pub Key: gx Send gx Compute Pub Key: gy Send gy Common Secret Common Secret Impractical to compute s from gx & gy x y xy s = (gy)x = gxy s = (g ) = g Symmetric Keys Encryption, auth and integrity Symmetric Keys k = Hash (s, labels) protection of messages with k k = Hash (s, labels) Delete Delete x, s, k FS: Forward Secrecy y, s, k Recorded messages cannot be decrypted in future even if endpoint is compromised Hemant Chaskar -- 4 -- Networks Mathematical Schemes Finite Field Crypto (FFC) Elliptic Curve Crypto (ECC) Era Classical Modern Elliptic Curves: Math MODP Groups P-256 (secp256r1), P-384 (secp384r1) etc. Referred as DH ECDH IANA has assigned Group IDs to standard triplets of (scheme, g, p): RFCs 3526, 5114, 5903. Hemant Chaskar -- 5 -- Networks Public Key Sizes for High Quality Key Generation Group ID 15360 bits None 256 bits AES ID: 21 521 bits 192 bits AES 8192 bits ID: 18 ID: 20 384 bits 3072 bits ID: 15 128 bits AES ID: 19 256 bits 112 bits TDES 2048 bits ID: 14 Symmetric Key Size Key Symmetric 224 bits ID: 26 Public Key Size DH ECDH (For Private Key Size = 2 x Symmetric Key Size) • Ref: NIST Special Publication 800-57, Table 2 and RFC 3766. Hemant Chaskar -- 6 -- Networks OWE (Opportunistic Wireless Encryption) • Encryption for hitherto OPEN wireless links • Idea: Carry ECDH public keys in Association Req/Res to generate symmetric encryption key • OWE is defined in RFC 8110 • Enhanced OpenTM: Wi-Fi Alliance certification of OWE Hemant Chaskar -- 7 -- Networks OWE Message Flow Open Auth Req & Res ECDH priv/pub key pair Assoc Req [Group ID, client ECDH pub key] Group 19 (P-256 Curve) mandatory to support. Assoc Res [AP ECDH pub key] ECDH priv/pub key pair AKM Suite Selector 00-0F-AC:18 for OWE s = Common secret s = Common secret PMK = HMAC (s, labels) PMK = HMAC (s, labels) (256 bits master key) (256 bits master key) PTK = [KCK | KEK | TK] = EAPOL 4-way handshake PTK = [KCK | KEK | TK] = HMAC(PMK, MACs, Nonces) HMAC(PMK, MACs, Nonces) Transport random GTK, IGTK CCMP with 128 bits TK & GTK BIP CMAC with 128 bits IGTK (Others optional) Hemant Chaskar -- 8 -- Networks OWE Packet Trace Assoc Req/Res AKM: 00-0F-AC:18 (Hex 12) ECDH Public Key Hemant Chaskar -- 9 -- Networks Enhanced Open Supplemental Requirements • Protected Management Frame (PMF) • PMK caching to avoid ECDH computation on reassociation • OWE Transition Mode Beacon #1 (shows up in client scan) Beacon #2 (used for OWE connection) BSSID: BSSID-OPEN BSSID: BSSID-OWE SSID: SSID-OPEN SSID: Length = 0 BSSID-OWE, SSID-OWE, BSSID-OPEN, SSID-OPEN, OTME: OTME: OWE band, OWE channel OPEN band, OPEN channel AKM Suite = 00-0F-AC:18 OTME: OWE Transition Mode Element RSNE: MFPR = 1, MFPC = 1 RSNE: Robust Security Network Element Group, Pairwise, BIP Ciphers Hemant Chaskar -- 10 -- Networks OWE Security Forecast: Sunny, but Cold! Encryption better than not (e.g., for HTTP browsing). In TLS (e.g., HTTPS), sensitive traffic is encrypted e2e. • OWE can protect against one off situations, e.g., HTTPS cookies installed in browser without secure flag set later get sent in HTTP request. No protection from wireless MITM: • OWE does not provide AP authentication. • Honeypot / Evil Twin AP threat in public WiFi is not addressed by OWE. Hemant Chaskar -- 11 -- Networks SAE (Simultaneous Authentication of Equals) • Eliminates offline dictionary attack on WiFi passwords • SAE is specified in IEEE 802.11 Standard • Based on Dragonfly protocol (IRTF RFC 7664) • Dragonfly is based on SPEKE protocol, circa 1996 • These types of schemes are called PAKE • WPA3TM- Personal: Wi-Fi Alliance SAE certification SPEKE: Simple Password Exponential Key Exchange PAKE: Password Authenticated Key Exchange Hemant Chaskar -- 12 -- Networks Offline Dictionary Attack on WPA2-Personal Password PMK -- Begin 4-Way handshake -- [ANonce, …] PTK = [KCK | KEK | TK] = HMAC(PMK, MAC adrs, ANonce, SNonce) [SNonce, …, MIC Computed with KCK] Use Information from sniffed frames • Decrypt frames sniffed on air Guess Compute Compute MIC Y Password (past and future) Password PMK, PTK MIC Match? Cracked! • Unauthorized N access to Next Guess network Hemant Chaskar -- 13 -- Networks Offline Dictionary Attack: Root Cause Analysis • WPA2-Personal: Password converted to PMK via PBKDF2: • PMK = Hash(Password, SSID, counters)_4096 times (RFC 2898) PMK Entry Method Key Combinations 256 bits PMK (= PSK) directly entered 2256 8-character alphanumeric password 256 bits PMK 248 Dictionary words, short/weak passwords, social Even smaller engineering etc. search space • SAE: Ensures PMK combinations space of 2128 or more • Irrespective of size or quality of password Hemant Chaskar -- 14 -- Networks PMK Generation Analogy Wheel Size Readout PMK guess is over at least 2128 values [random (Sectors) Position spin on large wheel], independent of password. • Forward Secrecy: Impractical to decrypt sniffed traffic even if password is revealed. • Password Crack Resistance: Password guess indistinguishable as right or wrong. Password is for mutual authentication only [readout position]. Spin WPA2-Personal SAE ReadoutPosition Static Password Dependent Wheel Size (Sectors) Password Combinations 2128 or more Spin Password Actual Random (ECDH Private Key) Hemant Chaskar -- 15 -- Networks SAE = OWE + Password • g is derived as function of password (and MAC adrs). It is called PWE (PassWord Element). • p is still taken from standard set. ECDH parameters = g,g p Random: x Random: y x Compute: gx Send g Compute: gy Send gy Common Secret Common Secret x y Impractical to compute s from g & g x y xy s = (gy)x = gxy s = (g ) = g PMK = PMK = Hash (s, labels) -- Begin 4-Way handshake -- Hash (s, labels) Hemant Chaskar -- 16 -- Networks SAE Message Flow Password PWE Auth Commit [Group ID, client ECDH pub key] ECDH priv/pub key pair Password PWE Auth Algo Number = 3 ECDH priv/pub key pair Auth Commit [AP ECDH pub key] Group 19 support must s = Common Secret s = Common Secret [PMK,CK] = HMAC(s, labels) Auth Confirm [HMAC of CK and labels1] [PMK,CK] = HMAC(s, labels) Auth Confirm [HMAC of CK and labels2] Client authenticated to AP AP authenticated to client Assoc Req/Res [AKM: 00-0F-AC:8] EAPOL 4-way handshake PTK = [KCK | KEK | TK] PTK = [KCK | KEK | TK] CCMP with 128 bits TK & GTK GTK, IGTK BIP CMAC with 128 bits IGTK (Others optional) Hemant Chaskar -- 17 -- Networks SAE Packet Trace (Auth Commit) Auth Handshake Auth Algo = 3 Auth Commit containing ECDH public key (FFE) Hemant Chaskar -- 18 -- Networks SAE Packet Trace (Auth Confirm) Auth Handshake Auth Algo = 3 Auth Confirm containing HMAC hash of (CK,labels1) Hemant Chaskar -- 19 -- Networks WPA3-Personal Supplemental Requirements • Protected Management Frame (PMF) • PMK caching to avoid ECDH computation on reassociation • Anti-clogging tokens: • Throttle Auth Commit flood from client with varying MAC addresses to prevent DoS on AP • Fast Transition (FT) not required for certification • Though SAE in 802.11 standard supports FT (AKM: 00-0F-AC:9) Hemant Chaskar -- 20 -- Networks What About Online Dictionary Attack? Online Dictionary Attack: Preventive Measures: Try pwd1 • Limit attempt rate by Try pwd2 introducing delay after failed attempts Try pwdN • Alert on multiple authentication failures • SAE does not prevent this attack. • Don’t use passwords like welcome123, abcd123, • With SAE though, password guest123 etc., which could cracking still does not result in traffic be the top attempt choices decryption, i.e., FS is achieved. Hemant Chaskar -- 21 -- Networks WPA3TM - Enterprise • Use at least 192-bit security strength across the protocol • 802.1x TLS, 4-way handshake, pairwise/group/BIP ciphers • N-bit security means bruteforcing requires searching 2N key values AES Key Key Space Some Comparable Orders of Magnitude 128 bits 2128 Number of water drops in earth’s oceans ~ 285 192 bits 2192 Number of atoms in sun ~ 2188 256 bits 2256 Number of atoms in known universe ~ 2257 • For public key crypto, we need private key size = 2 x N Hemant Chaskar -- 22 -- Networks 802.1x EAP-TLS 192-bit Security TLS_ECDHE_ECDSA_WITH_ AES_256_GCM_SHA384; [Server ECDSA static pub key]in x509 cert with P-384 [Server ECDH pub key]Sig by server ECDSA static priv key ECDHE_ECDSA with both being keys from P-384 curve (Group 20) [Client ECDSA static pub key]in x509 cert [Client ECDH pub key]Sig by client ECDSA static priv key ECDHE_ECDSA with both being keys from P-384 curve (Group 20) TLS tunnel with encryption and integrity protection Symmetric key gen with HMAC-SHA-384 AES-GCM with 256 bits key PMK PMK transport outside of WPA3 scope: Use IPSec, RadSec etc. 4-way handshake AKM #12: KCK 192 bits, KEK 256 bits Encrypted wireless link Ciphers #09 & #12: GCMP and BIP GMAC with 256 bits key Hemant Chaskar -- 23 -- Networks Summary of Ciphers for WPA3TM - Enterprise TLS Cipher RFC Static Keys Ephe. Keys Encryption Symmetric Key Gen TLS_ECDHE_ECDSA_WITH_ 8422 ECC
Load more

Recommended publications
  • Topic 3: One-Time Pad and Perfect Secrecy
    Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy CS555 Spring 2012/Topic 3 1 Outline and Readings • Outline • One-time pad • Perfect secrecy • Limitation of perfect secrecy • Usages of one-time pad • Readings: • Katz and Lindell: Chapter 2 CS555 Spring 2012/Topic 3 2 One-Time Pad • Fix the vulnerability of the Vigenere cipher by using very long keys • Key is a random string that is at least as long as the plaintext • Encryption is similar to shift cipher • Invented by Vernam in the 1920s CS555 Spring 2012/Topic 3 3 One-Time Pad Let Zm ={0,1,…,m-1} be the alphabet. Plaintext space = Ciphtertext space = Key space = n (Zm) The key is chosen uniformly randomly Plaintext X = (x1 x2 … xn) Key K = (k1 k2 … kn) Ciphertext Y = (y1 y2 … yn) ek(X) = (x1+k1 x2+k2 … xn+kn) mod m dk(Y) = (y1-k1 y2-k2 … yn-kn) mod m CS555 Spring 2012/Topic 3 4 The Binary Version of One-Time Pad Plaintext space = Ciphtertext space = Keyspace = {0,1}n Key is chosen randomly For example: • Plaintext is 11011011 • Key is 01101001 • Then ciphertext is 10110010 CS555 Spring 2012/Topic 3 5 Bit Operators • Bit AND 0 0 = 0 0 1 = 0 1 0 = 0 1 1 = 1 • Bit OR 0 0 = 0 0 1 = 1 1 0 = 1 1 1 = 1 • Addition mod 2 (also known as Bit XOR) 0 0 = 0 0 1 = 1 1 0 = 1 1 1 = 0 • Can we use operators other than Bit XOR for binary version of One-Time Pad? CS555 Spring 2012/Topic 3 6 How Good is One-Time Pad? • Intuitively, it is secure … – The key is random, so the ciphertext is completely random • How to formalize the confidentiality requirement? – Want to say “certain thing” is not learnable by the adversary (who sees the ciphertext).
    [Show full text]
  • Applications of SKREM-Like Symmetric Key Ciphers
    Applications of SKREM-like symmetric key ciphers Mircea-Adrian Digulescu1;2 February 2021 1Individual Researcher, Worldwide 2Formerly: Department of Computer Science, Faculty of Mathematics and Computer Science, University of Bucharest, Romania [email protected], [email protected], [email protected] Abstract In a prior paper we introduced a new symmetric key encryption scheme called Short Key Random Encryption Machine (SKREM), for which we claimed excellent security guarantees. In this paper we present and briey discuss some of its applications outside conventional data encryption. These are Secure Coin Flipping, Cryptographic Hashing, Zero-Leaked-Knowledge Authentication and Autho- rization and a Digital Signature scheme which can be employed on a block-chain. We also briey recap SKREM-like ciphers and the assumptions on which their security are based. The above appli- cations are novel because they do not involve public key cryptography. Furthermore, the security of SKREM-like ciphers is not based on hardness of some algebraic operations, thus not opening them up to specic quantum computing attacks. Keywords: Symmetric Key Encryption, Provable Security, One Time Pad, Zero Knowledge, Cryptographic Commit Protocol, Secure Coin Flipping, Authentication, Authorization, Cryptographic Hash, Digital Signature, Chaos Machine 1 Introduction So far, most encryption schemes able to serve Secure Coin Flipping, Zero-Knowledge Authentication and Digital Signatures, have relied on public key cryptography, which in turn relies on the hardness of prime factorization or some algebraic operation in general. Prime Factorization, in turn, has been shown to be vulnerable to attacks by a quantum computer (see [1]). In [2] we introduced a novel symmetric key encryption scheme, which does not rely on hardness of algebraic operations for its security guarantees.
    [Show full text]
  • NIST SP 800-56: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Superseded)
    ARCHIVED PUBLICATION The attached publication, NIST Special Publication 800-56 (dated July 2005), has been superseded and is provided here only for historical purposes. For the most current revision of this publication, see: http://csrc.nist.gov/publications/PubsSPs.html#800-56A. NIST Special Publication 800-56 Recommendation for Pair-Wise July 2005 Key Establishment Schemes Using Discrete Logarithm Cryptography Elaine Barker, Don Johnson, and Miles Smid C O M P U T E R S E C U R I T Y NIST SP 800-56: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography DRAFT July 2005 DRAFT Abstract This Recommendation specifies key establishment schemes using discrete logarithm cryptography, based on standards developed by the Accredited Standards Committee (ASC) X9, Inc.: ANS X9.42 (Agreement of Symmetric Keys Using Discrete Logarithm Cryptography) and ANS X9.63 (Key Agreement and Key Transport Using Elliptic Curve Cryptography). Worked examples are provided in Appendix D. KEY WORDS: assurances; Diffie-Hellman; elliptic curve cryptography; finite field cryptography; key agreement; key confirmation; key derivation; key establishment; key management; MQV. 2 NIST SP 800-56: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography DRAFT July 2005 DRAFT Acknowledgements The National Institute of Standards and Technology (NIST) gratefully acknowledges and appreciates contributions by Rich Davis, Mike Hopper and Laurie Law from the National Security Agency concerning the many security
    [Show full text]
  • Public Key Infrastructure (PKI)
    Public Key Infrastructure Public Key Infrastructure (PKI) Neil F. Johnson [email protected] http://ise.gmu.edu/~csis Assumptions • Understanding of – Fundamentals of Public Key Cryptosystems – Hash codes for message digests and integrity check – Digital Signatures Copyright 1999, Neil F. Johnson 1 Public Key Infrastructure Overview • Public Key Cryptosystems – Quick review – Cryptography – Digital Signatures – Key Management Issues • Certificates – Certificates Information – Certificate Authority – Track Issuing a Certificate • Putting it all together – PKI applications – Pretty Good Privacy (PGP) – Privacy Enhanced Mail (PEM) Public Key Cryptosystems – Quick Review • Key distribution problem of secret key systems – You must share the secret key with another party before you can initiate communication – If you want to communicate with n parties, you require n different keys • Public Key cryptosystems solve the key distribution problem in secret key systems (provided a reliable channel for communication of public keys can be implemented) • Security is based on the unfeasibility of computing B’s private key given the knowledge of – B’s public key, – chosen plaintext, and – maybe chosen ciphertext Copyright 1999, Neil F. Johnson 2 Public Key Infrastructure Key Distribution (n)(n-1) 2 Bob Bob Alice 1 Alice 2 Chris Chris 7 5 8 9 Ellie 3 Ellie 6 David 4 David Secret Key Distribution Directory of Public Keys (certificates) Public Key Cryptosystem INSECURE CHANNEL Plaintext Ciphertext Plaintext Encryption Decryption Algorithm Algorithm Bob’s PUBLIC
    [Show full text]
  • Introduction, Overview, One Time Pad
    University of Illinois, Urbana Champaign LECTURE CS 598DK Special Topics in Cryptography Instructor: Dakshita Khurana Scribe: Joshua Reynolds, Amit Agarwal Date: August 28, 2019 1 Introduction, Overview, One Time Pad 1.1 Introduction This introductory lecture introduces some fundamental goals of cryptography and defines the basic requirement for a useful private key (symmetric) encryption scheme. A basic problem in Cryptography is that of encryption. The encryption problem is that two parties wish to communicate a message without an eavesdropper being able to learn their secret, or even any information about that secret. This problem can be solved with private key (symmetric) encryption under the assumption that both parties already have a shared secret key. This problem can also be solved with public key (asymmetric) key encryption under various other assumptions. These primitives are among the building blocks of more complicated cryptography sys- tems and a useful medium to explore the assumptions made in cryptographic systems. Encryption, in particular, is important because it allows us to communicate secrets safely through an untrusted medium like the Internet. Focusing first on private key encryption, we define the property of correctness. The second necessary property of encryption is security and is covered in part 2 of these lecture notes. 1.2 Notation This set of scribe notes will use the following notation and definitions: • A set will be denoted by a capital letter { M is the set of all possible messages { K is the set of all possible keys { C is the set of all possible ciphertexts • Set subtraction will use the /operator and jSj means the cardinality of set S • An item from a set will be denoted by a lower case letter { m is a message in plaintext (not encrypted) { ct is a ciphertext (encrypted message) { sk is a secret key used as an input in symmetric encryption and decryption • A statistical method of sampling from a set will be denoted with an arrow combined with a description of how the selection is done.
    [Show full text]
  • Solutions Problem 1. the Ipsec Architecture Documents States That
    Homework 5 - Solutions Problem 1. The IPSec architecture documents states that when two transport mode SA are bundled to allow both AH and ESP protocols on the same end-to-end flow, only one ordering of security protocols seems appropriate: performing the ESP protocol before performing the AH protocol. Why is this approach recommended rather than authentication before encryption? Solution This order of processing facilitates rapid detection and rejection of replayed or bogus packets by the receiver, prior to decrypting the packet, hence potentially reducing the impact of denial of service attacks. It also allows for the possibility of parallel processing of packets at the receiver, i.e., decryption can take place in parallel with authentication. Problem 2. Consider the following threats to web security and describe how each is countered by a particular feature of IPSec. a. Brute force cryptoanalitic attack. An exhaustive search of the key space for a conventional encryption algorithm. b. Known plaintext dictionary. Many messages will have predictable plaintext such as HTTP DET command. An attacker can construct a dictionary containing every possible encryption of the known plaintext message. When an encrypted message is intercepted, the attacker takes the portion containing the encrypted known plaintext and looks up the ciphertext in the dictionary. The ciphertext should match against an entry that was encrypted with the same secret key. This attack is especially effective against small key sizes (e.g. 40-bit keys). c. Replay attack. Earlier SSL handshake messages are replayed. d. Man in the middle. An attacker interposes during key exchange, acting as the client to the server and a server to the client.
    [Show full text]
  • Analysing and Patching SPEKE in ISO/IEC
    1 Analysing and Patching SPEKE in ISO/IEC Feng Hao, Roberto Metere, Siamak F. Shahandashti and Changyu Dong Abstract—Simple Password Exponential Key Exchange reported. Over the years, SPEKE has been used in several (SPEKE) is a well-known Password Authenticated Key Ex- commercial applications: for example, the secure messaging change (PAKE) protocol that has been used in Blackberry on Blackberry phones [11] and Entrust’s TruePass end-to- phones for secure messaging and Entrust’s TruePass end-to- end web products. It has also been included into international end web products [16]. SPEKE has also been included into standards such as ISO/IEC 11770-4 and IEEE P1363.2. In the international standards such as IEEE P1363.2 [22] and this paper, we analyse the SPEKE protocol as specified in the ISO/IEC 11770-4 [24]. ISO/IEC and IEEE standards. We identify that the protocol is Given the wide usage of SPEKE in practical applications vulnerable to two new attacks: an impersonation attack that and its inclusion in standards, we believe a thorough allows an attacker to impersonate a user without knowing the password by launching two parallel sessions with the victim, analysis of SPEKE is both necessary and important. In and a key-malleability attack that allows a man-in-the-middle this paper, we revisit SPEKE and its variants specified in (MITM) to manipulate the session key without being detected the original paper [25], the IEEE 1363.2 [22] and ISO/IEC by the end users. Both attacks have been acknowledged by 11770-4 [23] standards.
    [Show full text]
  • Why Passwords Stink White Paper | Why Passwords Stink
    WHITE PAPER WHY PASSWORDS STINK WHITE PAPER | WHY PASSWORDS STINK 01 INTRODUCTION 02 PASSWORDS ARE FUNDAMENTALLY INSECURE 03 THE PROBLEM WITH PASSWORDS IS THAT THEY CONTENTS ARE “SHARED SECRETS” 04 CURRENT ALTERNATIVES AREN’T THE ANSWER 05 A SOLUTION TO THE PASSWORD ISSUE 06 INTRODUCING BEYOND IDENTITY 07 CONCLUSION 02 WHITE PAPER | WHY PASSWORDS STINK There are hundreds of billions of passwords in the world today, with more being created every day. In fact, the average business user maintains an astounding average of 191 passwords.1 Unfortunately, these passwords represent a fundamentally weak link in most organizations because INTRODUCTION they will always be insecure. This white paper examines why that is, investigates some alternative solutions, and introduces a new method of authentication using asymmetric keys and certificates to eliminate passwords altogether. 01 1 https://www.securitymagazine.com/articles/88475-average-business-user-has-191-passwords 03 WHITE PAPER | WHY PASSWORDS STINK Let’s face it: Passwords stink! For employees and customers, they cause friction and frustration when logging in – Who can remember the 16-character combination of letters, symbols, and digits that are indicative of strong passwords, much less come up with them in the first place? When PASSWORDS ARE a password gets lost or stolen (and they invariably do), it places a burden on the help desk. In fact, 20-50% of help FUNDAMENTALLY desk calls are for password resets, with the average call costing the organization $70.2 INSECURE For CISOs, passwords represent corporate assets that can be targeted by bad actors. And that’s a problem because they often transit networks in the clear, are stored in databases that can be and often are hacked, are shared 02 among colleagues, and are reused across multiple apps – making them easy targets for malware, phishing attacks, and other credential-stealing schemes.
    [Show full text]
  • TCP/IP Network Security
    An Intro to Network Crypto Jim Binkley- [email protected] 1 Crypto outline ◆ overview ◆ symmetric crypto (DES ... encryption) ◆ hash/MAC/message digest algorithms ◆ asymmetric crypto (public key technology) ◆ DH - how to start a secure connection ◆ KDC - a little bit on shared secret servers ◆ signatures - authentication with asymmetric keys ◆ certificates - signed public keys ◆ a little bit on authentication 2 overview ◆ there are MANY crypto algorithms and MANY academic network secure protocols ◆ how they are used in network protocols is another matter ◆ traditional IETF RFC said under security considerations (at end of doc) – “not considered here” (another F. Flub) ◆ new IETF POV: must consider here 3 symmetric encryption ◆ both sides know OUT OF BAND shared secret (password, bit string) ◆ encrypt(key, plaintext) -> cybercrud(encrypted) ◆ decrypt(key, cybercrud) -> plaintext ◆ encode/decode use same key (symmetric) – shared secret on both sides ◆ algorithms include: DES, 3DES, IDEA(128), BLOWFISH, SKIPJACK, new AES ◆ ssh uses 128 bit keyed IDEA ◆ DES key 56 bits - 0xdeadbeefdeadbeef 4 DES-CBC ◆ Cipher Block Chaining Mode ◆ DES processes one 64 bit block of data at a time (key is 64 bits (8 bits not important)) ◆ CBC is used so that e.g., two 64 bit blocks in a row that are the same, do NOT produce two 64 encrypted blocks that are the same ◆ C(n) = Ek [C(n-1) xor Plaintext(n)] ◆ requires known IV or initialization vector 5 pros/cons ◆ pros – faster than asymmetric ◆ cons – shared secrets do not scale in general to many users » more people
    [Show full text]
  • Walking the Bifrost: an Operator's Guide to Heimdal & Kerberos on Macos
    Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS Cody Thomas Objective By The Sea 3.0 March 2020 WHO AM I? Cody Thomas - @its_a_feature_ ● Operator / Instructor at SpecterOps ● Open Source Developer ○ Apfell – Red Team C2 Framework ○ Bifrost – Kerberos Manipulation ○ Orchard – Open Directory Access ○ GitHub: https://github.com/its-a-feature OVERVIEW ● Brief intro to Kerberos ○ What is it / How does it work / Why do we care? ● Attacking Active Directory Kerberos from macOS ○ Credential Storage / Theft ○ Common Attacks ● Other Kerberos details on macOS ○ LKDC KERBEROS INTRODUCTION A brief overview KERBEROS 101 ● What is Kerberos? ○ Authentication mechanism invented by MIT in 1980s ○ Designed for use on insecure networks ○ Uses math and cryptography to provide strong guarantees ○ Based on a client/server model - stateless ○ Uses ASN.1/DER encoding of data ○ Scoped to ‘realms’ of authentication ● Many implementations ○ Traditional MIT (with plugins) ○ Windows ○ macOS KERBEROS 101 – AUTH STEPS 1. Client and Key Distribution Center (KDC) have shared secret ○ Think of the KDC like an all-knowing PKI management server 2. Client makes a request to the Authentication Server (AS) to be authenticated with the shared secret – i.e. an AS-REQ ○ AS forwards request to the KDC, typically these are the same machine 3. AS responds with a ticket to the krbtgt SPN and encrypts a portion with the krbtgt hash. This ticket is called a Ticket Granting Ticket (TGT). This is an AS-REP. ○ The TGT proves you are who you say you are to the KDC because of the encrypted portion ○ Think of this like a new username/password combination KERBEROS 101 – AUTH STEPS 4.
    [Show full text]
  • On the (Non)Universality of the One-Time Pad
    On the (non)Universality of the One-Time Pad Yevgeniy Dodis Joel Spencer Department of Computer Science Department of Computer Science New York University New York University Email: [email protected] Email: [email protected] Abstract 1 Imperfect Random Sources Randomization is vital in cryptography: secret keys Randomization has proved to be extremely useful and should be randomly generated and most cryptographic fundamental in many areas of computer science, such as primitives (e.g., encryption) must be probabilistic. As a approximation algorithms, counting problems, distributed common abstraction, it is assumed that there is a source of computing, primality testing, as well as cryptographic pro- truly random bits available to all the participants of the sys- tocols (which is the topic of this paper). The common ab- tem. While convenient, this assumption is often highly un- straction used to introduce randomness into computation realistic, and cryptographic systems have to be built based is that the underlying algorithm has access to a stream of on imperfect sources of randomness. Remarkably, this fun- completely unbiased and independent random bits. This ab- damental problem has received little or no attention so far, straction allows one to use randomness in a clean way, sep- despite the fact that a related question of simulating prob- arating out the issue of actually generating such “strong” abilistic (BPP) algorithms with imperfect random sources random bits. Unfortunately, in reality we do not have has a long and rich history. sources that emit perfectly uniform and independent ran- In this work we initiate the quantitative study concerning dom bits.
    [Show full text]
  • Security Policy Trapeze Networks
    MX-200R-GS/MX-216R-GS Mobility Exchange WLAN Controllers Security Policy Trapeze Networks August 14, 2009 Copyright Trapeze Networks 2007. May be reproduced only in its original entirety [without revision]. Security Policy TABLE OF CONTENTS 1. MODULE OVERVIEW .........................................................................................................................................3 2. SECURITY LEVEL................................................................................................................................................4 3. MODES OF OPERATION.....................................................................................................................................5 4. PORTS AND INTERFACES .................................................................................................................................5 5. IDENTIFICATION AND AUTHENTICATION POLICY................................................................................6 6. ACCESS CONTROL POLICY..............................................................................................................................7 ROLES AND SERVICES................................................................................................................................................7 DEFINITION OF CRITICAL SECURITY PARAMETERS (CSPS)........................................................................................7 DEFINITION OF CSPS MODES OF ACCESS ..................................................................................................................8
    [Show full text]