Security handshake pitfalls - Computer Science

Transcription

Security handshake pitfalls - Computer Science
Security handshake pitfalls
How come nobody gets it right?
CS349 Cryptography
Department of Computer Science
Wellesley College
Getting it right
o
We mortals should never
need to design our own
cryptographic algorithms.
o
However, it may be the
case that we will need to
design security features
into protocols.
o
We had better
understand (at least some
of) what can go wrong.
Handshake pitfalls
18-2
1
Protocol 1. Login only
Many protocols were designed in an environment where
eavesdropping was not a concern.
I’m Alice, the password is fiddlesticks
Bob
Alice
o
Handshake pitfalls
18-3
Protocol 2a. Shared secret
a challenge R
Bob
Alice
I’m Alice
f(Kalice-Bob, R)
o
This is a big improvement over passwords in the clear. An
eavesdropper cannot impersonate Alice based on
overhearing the exchange.
o
However, the protocol is not without weakness.
Handshake pitfalls
18-4
2
Protocol 2b. Shared secret, second try*
KAlice-Bob{R}
Bob
Alice
I’m Alice
R
*An attempt at mutual authentication.
Handshake pitfalls
18-5
I’m Alice, KAlice-Bob{timestamp)
Bob
Alice
Protocol 2c.
Shared secret, attempt to abbreviate*
*Requires that Bob and Alice have reasonably synchronized clocks.
Handshake pitfalls
18-6
3
I’m Alice, timestamp, hash(KAlice-Bob,timestamp}
Bob
Alice
Protocol 2d.
Shared secret, a detail
Handshake pitfalls
18-7
Protocol 3a. One-way public key
o
Our protocols based on shared secrets all have one major
disadvantage. Our bad guy can impersonate Alice if she
can read Bob’s database.
o
Protocols based on public key technology can avoid this.
a challenge R
Bob
Alice
I’m Alice
[R]Alice
Handshake pitfalls
18-8
4
Protocol 3b. One-way public key*
[R]Alice
Bob
Alice
I’m Alice
R
*A minor variant, possible with reversible public key schemes that avoids
tricking Alice into signing away the farm.
Handshake pitfalls
18-9
How can we avoid getting into trouble?
o
The general rule is that
you should not use the
same key for two
different purposes unless
the designs for all uses of
the key are coordinated.
o
Part of the purpose of the
Public-key Cryptography
Standard is to impose
enough structure to
prevent this sort of
problem.
Handshake pitfalls
18-10
5
Protocol 4a. Mutual authentication
base on a shared secret*
I’m Alice
f(Kalice-Bob, R1)
R2
Bob
Alice
R1
f(Kalice-Bob, R2)
*We could just do an authentication exchange in each direction.
Handshake pitfalls
18-11
Protocol 4b. Optimized mutual
authentication based on shared secret
R1, f(Kalice-Bob, R2)
Bob
Alice
I’m Alice, R2
f(Kalice-Bob, R1)
Handshake pitfalls
18-12
6
Reflection attack
Bob
Trudy
I’m Alice, R2
R1, f(Kalice-Bob, R2)
“I can’t explain myself, I’m afraid sir,” said Alice, “because,
I’m not myself, you see.”
Alice in Wonderland
Handshake pitfalls
18-13
Trudy opens a second session to Bob*
R3, f(Kalice-Bob, R1)
Bob
Trudy
I’m Alice, R1
*Which she still cannot complete. However, . . .
Handshake pitfalls
18-14
7
Foiling reflection attacks
o
The general principle is
simple: Don’t have Alice
and Bob do exactly the
same thing.
o
For example, we could
have the key used to
authenticate Alice be
different from the key
used to authenticate Bob.
o
Alternatively, we could
insist that the challenge
from Alice look different
from the challenge from
Bob.
Handshake pitfalls
18-15
Protocol 4a does not suffer
from reflection attack
Moral of the story
The initiator should be the first to prove its identity.
. . . if you only spoke when you were spoken to, and the
other person always waited for you to begin, you see
nobody would ever say anything . . .
Alice (in Through the Looking Glass)
Handshake pitfalls
18-16
8
Password guessing
o
Optimized Protocol 4b suffers from an another security
weakness. Trudy can mount an off-line password-guessing
attack without needing to eavesdrop.
R1, f(Kalice-Bob, R2)
Bob
Alice
I’m Alice, R2
f(Kalice-Bob, R1)
Handshake pitfalls
18-17
Protocol 4c. Less optimized mutual
authentication base on shared secret
I’m Alice
f(Kalice-Bob, R1), R2
Bob
Alice
R1
f(Kalice-Bob, R2)
Handshake pitfalls
18-18
9
Protocol 5. Mutual authentication
using Timestamps
o
f(Kalice-Bob, timestamp+1)
Bob
Alice
I’m Alice, f(Kalice-Bob, timestamp)
The issues involving one-way authentication done with
timestamps apply here as well (time must not go
backwards, they must remember values used within the
clock skew, and so forth . . .)
Handshake pitfalls
18-19
Protocol 6. Mutual authentication
with public keys
R2, {R1}Alice
Bob
Alice
I’m Alice, {R2}Bob
R1
Handshake pitfalls 18-20
10
Key management
o
Techniques for the
distribution of public keys
fall into following
schemes:
o
Public announcement;
o
Publicly available
directory;
o
Public-key authority; or
o
Public-key certificates.
Handshake pitfalls
18-21
Public announcement of public keys
Handshake pitfalls 18-22
11
Publicly available directory
Handshake pitfalls 18-23
Public-key authority
Handshake pitfalls 18-24
12
Public-key certificates
Handshake pitfalls 18-25
13