Lectue 14 Potocols 1 Key Distiution Cente (KDC) o Tusted Thid Pty (TTP) KDC genetes R1 lice otins R1 Msg1: K () Msg2: K (R1 K (R1) ) Msg3: K (R1) o otins R1 nd knows to use s key fo communicting with lice lice nd o communicte using R1 s shot-tem (session) key fo encyption nd/ o dt integity Note: Msg2 is not tied to Msg1 Msg1 is possily old Msg2 is possily old nd so is Msg3 2 o nd lice don t uthenticte ech othe! 1
Typicl Key Distiution Scenio KDC (1) Request N 1 (2) E K [K s Request N 1 E K (K s )] (3) E K [K s ] (4) E Ks [N 2 ] (5) E Ks [f(n 2 )] Notes: Msg2 is tied to Msg1 Msg2 is fesh/new Msg3 is possily old * Msg1 is possily old (KDC doesn t uthenticte lice) o uthentictes lice o uthentictes KDC lice DOES NOT uthenticte o (ecll discussion in clss) 3 Pulic Key Distiution Genel schemes: Pulic nnouncement (e.g. in newsgoup o emil messge) Cn e foged Pulicly ville diectoy Cn e tmpeed with Pulic-key cetifictes (PKCs) issued y tusted off-line Cetifiction uthoities (Cs) 4 2
Cetifiction uthoities Cetifiction uthoity (C): inds pulic key to specific entity Ech entity (use host etc.) egistes its pulic key with C. o povides poof of identity to C. C cetes cetificte inding o to this pulic key. cetificte contining o s pulic key digitlly signed y C: C sys: this is o s pulic key o s pulic key o s identifying infomtion PK digitl signtue C pivte key SK C PK cetificte fo o s pulic key signed y C 5 Cetifiction uthoities When lice wnts to get o s pulic key: get o s cetificte (fom o o elsewhee). using C s pulic key veify the signtue on o s cetificte check fo expition check fo evoction (we ll tlk out this lte) extct o s pulic key PK digitl signtue PK o s pulic key C pulic key PK C 6 3
Cetificte Contins Seil nume (unique to issue) info out cetificte owne including lgoithm nd key vlue itself (not shown) info out cetificte issue vlid dtes digitl signtue y issue 7 ck to potocols 8 4
Needhm-Schoede Potocol (1978): 1 st distiuted secuity potocol 1.! T: N 2. T! : {N K {K } K } K 3.! : {K } K KDC 4.! : {N } K 1 2 lice 5.! : {N -1} K 3 4 5 o 9 Secuity? Denning-Scco ttck: suppose Eve ecoded n old session fo which session key K is known to he: 1. " T: N 2. T " : {N K {K } K } K 3. " : {K } K ----------------------------------------------------- t lte time: 1. E " : {K } K 2. " E: {N } K 3. E " : {N -1} K 10 5
Fixing the ttck o hs no guntees out the feshness of the messge in step 3. Eve exploits this to impesonte lice to o - old session keys e useful. Cn e fixed y dding timestmps: limits usefulness of old session keys Eve s ttck ecomes: 3: E! : {K T } K ttck is now thwted ecuse T is stle 11 PK-sed Needhm-Schoede potocol 1.{} 2.{PK } SKT KDC TTP 5.{PK } SKT 4.{} lice 3. [N ] PK 6. [N N ] PK o 7. [N ] PK CERT = Messge 2 CERT = Messge 5 PK : lice s pulic key PK : o s pulic key SK T : TTP s secet (pivte) key used fo signing Eveyone knows TTP s pulic key PK T 12 6
nothe ttck 1 2 4 5: Delivey of pulic key Does not guntee feshness of the pulic key How to solve it? Timestmp in messges 2 nd 5 o chllenges in messges 1&2 nd 4&5 Pulic Key Cetificte: ssign expition time/ dt to ech cetificte (messges 2 nd 5) 13 PK-sed Denning-Scco ttck 1. KDC TTP Cet ={PK } SK T Cet ={PK } SK T Cet C ={PK C C} SK T 2. Cet Cet lice 3. Cet Cet [ {K T } SK ] PK 4. Secue communiction with K o Thinks she is tlking to C Petends to e 3. Cet Cet C [ {K T } ] SK PK C 4. Secue communiction with K o 14 7
Lowe s ttck (Impesontion y inteleving) Oiginl 3. : [N ] PK 6. : [N N ] PK 7. : [N ] PK ttck E plys : 1.3. E: [N ] PKe 2.3. E : [N ] PK 2.6. E: [N N ] PK 1.6. E : [N N ] PK Fix 3. : [N ] PK 1.7. E: [N ] PKe 2.7. E : [N ] PK 6. : [ N N ] PK 7. : [N ] PK 15 PK-sed Needhm-Schoede potocol 1.{} 2.{PK } SKT KDC TTP 5.{PK } SKT 4.{} lice 3. [N ] PK 6. [N N ] PK o 7. [N ] PK 16 8
Reflection ttck nd fix Oiginl potocol 1. : 2. : { } K 3. : ttck 1. E : 2. E : : Stting new session 3. E : { } K : Reply to (2) 4. E : { } K : Reply to (1) 5. E : Solutions? Use 2 diffeent uni-diecionl keys k (!) nd k (!) Remove symmety (diection msg identifies) 17 Inteleving ttcks Potocol fo mutul uthentiction 1. : 2. : { } SK 3. : { } SK ttck 1. E : 2. E : { } SK 3. E : 4. E : { } SK 5. E : { } SK ttck due to symmetic messges (2) (3) 18 9
Lessons lened? Designing secue potocols is hd. Thee e mny documented filues in the litetue. Good potocols e ledy stnddized (e.g. ISO 9798 X.509 ) use them! The polem of veifying secuity gets much hde s potocols get moe complex (moe pties messges ounds) 19 If inteested in knowing moe ed the ppe: Pogmming Stn s Compute y ndeson nd Needhm ville t: http://www.cl.cm.c.uk/~j14/ppes/stn.pdf 20 10
Some Secue Potocol exmples 21 uthenticted Pulic-Key-sed Key Exchnge (Sttion-to-Sttion o STS Potocol) Choose ndom v Compute v K = ( y ) mod p SIG = { y y } lice lice y v = mod p CERT y SIG o CERT lice SIG lice o Choose ndom w Compute w K = ( y ) mod p w y = mod p SIG = { y y } o o 22 11
12 23 x.509 uthentiction & Key Distiution Potocols SK PK K othe t } ] [ {2 SK PK K othe t } ] [ {2 SK PK K othe t } ] [ {1 SK PK K othe t } ] [ {3 SK PK K othe t } ] [ {3 SK } {3 One-wy! Two-wy! Tee-wy "!