Protocol Analysis
CSCE 522 - Farkas 2
Cryptographic ProtocolsTwo or more partiesCommunication over insecure networkCryptography used to achieve goal
Exchange secret keysVerify identity (authentication)Secure transaction processing
CSCE 522 - Farkas 3
Emerging Properties of Protocols
Greater interoperation Negotiation of policy Greater complexity Group-oriented protocols Emerging security threats
CSCE 522 - Farkas 4
ProtocolsGood protocol characteristics:Established in advanceMutually subscribedUnambiguousComplete
CSCE 522 - Farkas 5
Symmetric-Key Distribution: Symmetric-Key Distribution: Symmetric-Key TechniquesSymmetric-Key Techniques
(repeat from lecture on 05/13/2014)Symmetric-Key without ServerSymmetric-Key with Server
CSCE 522 - Farkas 6
Symmetric-Key Distribution without ServerChange encryption key E(Knew,K), where Knew is
the session key, K is the master key
Encryption Decryption
New key New keyCiphertext C
Sender RecipientK
Originator
(O,R,IO) E([(IO,R,KOR,E((KOR,O), KR)], KO)
E((KOR,O), KR)
Server
CSCE 522 - FarkasCSCE 522 - Farkas 7
Symmetric-Key Distribution with Server
Recipient
Decrypts with KO
Knows KOR
Does not know E((KOR,O), KR)
Decrypts with KR
Knows KOR
Knows KO and KR
CSCE 522 - Farkas 8
Symmetric-Key Distribution: Symmetric-Key Distribution: Public-Key TechniquesPublic-Key Techniques
Simple secret key distribution – insecure Secret key distribution with confidentiality
and authenticationDiffie-Hellman Key Exchange
CSCE 522 - Farkas 9
Simple secret key distribution
Sender Recipient
1. KE-S ||ID-S
2. E KE-S(Ksession)
Vulnerable to active attack!HOW?
Public key of S
Secret Session key
CSCE 522 - Farkas 10
With confidentiality and authentication
Sender Recipient
1. E KE-R[N1||ID-S]
2. E KE-S[N1||N2]
3. E KE-R[N2]
4. E KE-R E KD-S(Ksession)
Assume: KE-R and KE-S are known in advanceNonce
Question: Why do we need reliable distribution of public keys?
CSCE 522 - Farkas 11
Diffie-Hellman Key Exchange
Proposed in 1976 First public key algorithm Allows group of users to agree on secret key over
insecure channel Cannot be used to encrypt and decrypt messages
CSCE 522 - Farkas 12
Diffie-Hellman Key Exchange
Protocol for A and B want to agree on shared secret key: A and B agree on two large numbers n and g, such that
1<g<n A chooses random x and computes X=gx mod n and sends
X to B B chooses random y and computes Y=gy mod n and sends
Y to A A computes Yx mod n = gyx mod n B computer Xy mod n = gyx mod n Secret key: gyx mod n
CSCE 522 - Farkas 13
Diffie-Hellman Key Exchange
Requires no prior communication between A and B
Security depends on difficulty of computing x given X=gx mod n
Choices for g and n are critical: both n and (n-1)/2 should be prime, n should be large
Susceptible to intruder in the middle attack (active intruder)
CSCE 522 - Farkas 14
Intruder in the Middle Attack
Bob AliceEveHi Alice, I’m Bob.
Hi Bob, I’m Alice. Hi Bob, I’m Alice.
Hi Alice, I’m Bob.
Intruder and BobUses Diffie-HellmanTo agree on key K.
Intruder and AliceUses Diffie-HellmanTo agree on key K’.
Question: the attacker may want to have K and K’ be the same, Why?
CSCE 522 - Farkas 15
Public-Key DistributionPublic-Key DistributionWithout server
Broadcasting - insecure Publicly available directory
With trusted serverPublic key distribution centerCertificates
CSCE 522 - Farkas 16
Public announcement
John Smith
KE-J.S.
KE-J.S.
KE-J.S.
KE-J.S.
KE-J.S.
KE-J.S.
Question: What are the vulnerabilities of this approach?
CSCE 522 - Farkas 17
Publicly available directory
PublicKeyDirectory
John Smith Mary Rose
KE-J.S. KE-M.R..
Better but notgood enough Directory could Be compromised
CSCE 522 - Farkas 18
Public-key authority
Public-Key Authority
Sender Recipient
1. Request || Time1
2. EKD-Auth[KE-R||Request||Time1]
3. EKE-R(ID-S||N1)
4. Request || Time2
5. EKD-Auth[KE-S||Request||Time2]
6. EKE-S(N1||N2)
7. EKE-R(N2)
Question1: What should the Authority, the Sender and the Recipient know before communication?
Exercise: After each message, show what the recipient of the message can do and what the Recipient know.
CSCE 522 - Farkas 19
Public-key certificates
Certificate Authority
Sender Recipient
KE-S
C-S=EKD-CAuth[Time1,ID-S,KE-S]
1. C-S
2. C-R
KE-R
CR=EKD-CAuth[Time2,ID-R,KE-R]
CSCE 522 - Farkas 20
Certificates
Guarantees the validity of the informationEstablishing trustPublic key and user identity are bound
together, then signed by someone trustedNeed: digital signature
CSCE 522 - Farkas 21
Digital SignatureNeed the same effect as a real signature
Un-forgeableAuthenticNon-alterableNot reusable
CSCE 522 - Farkas 22
Digital signature
Direct digital signature: public-key cryptography based
Arbitrated digital signature:Conventional encryption:
Arbiter sees messageArbiter does not see message
Public-key basedArbiter does not see message
CSCE 522 - Farkas 23
Digital Signatures in RSA
Sender Recipient
Insecure channel
Plaintext PlaintextSigned plaintext
Encryption Alg.
Decryption Alg.
S’s public keyS’s private key(need reliable channel)
Sign Verify
Protocol Analysis Exercise 1.
Assume that Jane and Paul want to efficiently send very large files to each other. They also want to provide integrity verification, third-party message authentication (i.e., a third party can verify who the originator of the message is), and limit the scope of a compromise (i.e., providing forward secrecy). You can assume that Jane and Paul have public and secret key encryption capabilities, can generate a hash function, and they have a shared secret key K0
established before the communication. They do not have access to a mutually trusted server, and no other keys but K0 are known at the beginning of the communication. Propose a security protocol to establish necessary keys and show how Jane can send a file to Paul.
CSCE 522 - FarkasLecture 8-9
Exercise 2.
Message authentication and key agreement
Alice wants to establish a secure communication with Bob. They agree to user the Yahalom protocol for mutual authentication and key agreement. The protocol uses symmetric key encryption only. Alice has a secret key shared with a trusted third party Server, KA and, similarly, Bob has a secret-key shared with Server, KB. NA and NB are nonces generated by Alice and Bob, respectively. E(M, K) indicates encryption of message M with key K, “||” means concatenation of messages. Explain after each protocol step what the recipient of the message knows based on the message and the properties of the encryption and what he/she is capable of doing. For example,
CSCE 522 - FarkasLecture 8-9
Exercise 2.
Message1: Alice Server:IDA || E(“request for session key to Bob”, KA)
Server:• The server sees that that claimed sender of the message is Alice.
• The server can decrypt the message using KA that is shared between Alice and the Server. The message must have been sent by Alice because KA is only known by Alice and the server.
• The server knows that Alice is requesting a session key to be used by Alice and Bob.
• The server can generate a session key KS to be used by Alice and Bob and send the key to …
CSCE 522 - FarkasLecture 8-9
Exercise 2.
Message1: Alice Bob: IDA || NA
Bob knows/can do
Message2: Bob Server: IDB || E[(IDB || NA || NB), KB]
Server knows/can do
Message3: Server Alice: E[(IDB || KS || NA || NB), KA] || E[(IDA || KS), KB]
Alice knows/can do
Message4: Alice Bob: E[(IDA || KS), KB] || E(NB, KS)]
Bob knows/can do
CSCE 522 - FarkasLecture 8-9
Exercise 3.
Secure communication
Consider the following protocol. Ann wants to send a message M securely to Bob but there is no shared secret key between Ann and Bob, Ann does not even know Bob’s public key. However, using the properties of RSA (in particular the commutative property), Ann proposes the following protocol, where E(M, K) indicates encryption/decryption of message M with key K, “||” means concatenation of messages, Kpub
A means the public key of A, KprivA
means private key of A.
CSCE 522 - FarkasLecture 8-9
Exercise 3.
Message1: Ann Bob: IDA || E(M, KpubA)
Message 2: Bob Ann: IDB || E[(E(M, KpubA)), Kpub
B)
Message3: Ann Bob: IDA || E(M, KpubB)
Show a man-in-the-middle attack against the above protocol.
CSCE 522 - FarkasLecture 8-9
CSCE 522 - Farkas 30Lecture 8-9
Next class
Review for Test 1