Intro To Secure Comm.Exercise 3

Problem

The following scenario is suggested for establishing session keys Alice and Bob share a secret (key phrase/password) Alice generates Session key K and send EP(K) to Bob

Bob receives EP(K), deciphers and uses K as the new session key.

What are the threats to the model? Is this solution secure against an eavesdropper?

Solution

The solution is problematic when a password is used.

Passwords are susceptible to dictionary attack.

The eavesdropper may discover p and thus the session key k (and may discover any other session keys)

Suggest a better protocol

Solution Alice Generates pubA and privA. Alice sends EP(pubA) to Bob Bob deciphers and sends to Alice PubA(k) Alice sends to Bob Ek(challengeA) Bob responds Ek(challengeA||challengeB) Alice responds (challengeB) What cryptographic method is E?

Solution

The cryptographic method is a MAC Why not simply use an encryption

method?

Problem

Some designs attempt to provide message authentication by sending the encryption of the message concatenated with its hash (or simply with an error detection code).

Namely, they send Encrypt(Message||Hash(Message)),and hope that in so doing, they achieve encryption and authentication together.

Show that this design is insecure (an attacker can modify a message and it would still be considered authentic).

Hint: this is easy to show, when using one-time-pad or OFB mode encryption.

Solution

Assuming OTP is used and ADV knows some information about the message.

ADV knows the algorithm, so knows which hash function is used.

Knowing so, he can figure out the key encrypting the message (known plain text).

Since he knows the message and hash of the message, he can figure out the key encrypting the hash.

ADV can now calculate new message and new hash for the message and replace them.

Solution

ADV’s playout: km=mcm (revealing the key of m)

kh(m)=h(m) ch(m)

Forge: m’km||h(m’)kh(m)

This is a poor MAC because it isn’t even immune to KMA.

Problem

Often CAs are single entities which provideuser registraion/identification certificate creation

What may be the problems associated with that model?

Solution

CA may be single point of failure CA may not be able to supply the demand CA may be easier to corrupt/perform DOS

Alice(subject)

CA(issuer)

RegistrationAuthority

(RA)

Ali

ce p

rove

s h

er id

enti

tyA

nd

pro

vid

es Pub A

Alice, PubA, MACk(Alice,PubA)

CertA=SignCA(Alice,PubA)

Cer

t A

k(shared key)

Registration Authority

CA combines two functions: Validate identity of source of public key Sign public key with attributes (identity, others)

CA secret key required only to sign cert Identify by separate

registration authority Exercise: motivate by

analyzing threat!

RA – Registration Authority Also called LRA – Local RA Goal: Off-load some work of CA to LRAs Support all or some of:

IdentificationUser key generation/distribution

passwords/shared secrets and/or public/private keys

Interface to CAKey/certificate management

Revocation initiation Key recovery

CA – Certification Authority

Issuer/Signer of the certificate Binds public key w/ identity+attributes

Enterprise CA Individual as CA (PGP)

Web of trust “Global” or “Universal” CAs

VeriSign, Equifax, Entrust, CyberTrust, Identrus, …

Trust is the key word

Problem

Define the threats to the above modelWhat type of threats/ADV can harm the

solution?

Solution

External Attackers Operators Viruses controlling CA pc’s

Alice(subject)

Alic

e p

rove

s h

er id

enti

tyA

nd

pro

vid

es PA

Alice, PA

Sign(PrivCA,(Alice,PA))

Sign

(Pri

v CA,(

Ali

ce,P

A))

Secure Hardware

Operator

Enter PINor smartcard

Problem

What may be the problem of the secured hardware box?

Solution

Lack of UI at the hardware Trojan may send bogus certificates than

what the operator approved Hardware only certifies one certificate per

smartcard (good thing) but wrong certificate may still be used.

A better solution

Integrate UI with secure hardware Secure log to go over issues/suspected

certificates What if found a “corrupted” certificate?

May revoke it by publishing CRL