UNIVERZITA KOMENSKÉHO V BRATISLAVE FAKULTA MATEMATIKY, FYZIKY A INFORMATIKY
Transcription
UNIVERZITA KOMENSKÉHO V BRATISLAVE FAKULTA MATEMATIKY, FYZIKY A INFORMATIKY
UNIVERZITA KOMENSKÉHO V BRATISLAVE FAKULTA MATEMATIKY, FYZIKY A INFORMATIKY PRÍPRAVA ŠTÚDIA MATEMATIKY A INFORMATIKY NA FMFI UK V ANGLICKOM JAZYKU ITMS: 26140230008 DOPYTOVO – ORIENTOVANÝ PROJEKT Moderné vzdelávanie pre vedomostnú spoločnosť/Projekt je spolufinancovaný zo zdrojov EÚ Cryptographic protocols – introduction Martin Stanek Department of Computer Science Comenius University [email protected] Cryptology 1 (2014/15) Content Introduction Some protocols and basic notions Diffie-Hellman protocol Interlock protocol Dolev-Yao model Freshness – nonces and timestamps Some protocol failures Needham-Schroeder protocol Modified WMF protocol Cryptographic protocols – introduction 3 / 15 , Introduction I cryptographic protocols I authentication and key agreement (session-key) session-key I I I I less data for cryptanalyis logical separation of data from different sessions using symmetric constructions for confidentiality and authenticity I IPSec (IKE), TLS (handshake), SSH I prerequisite for secure communication I various proposals (requirements, capabilities, environment) other protocols (not today) I I voting, money, private information retrieval, multiparty computation, etc. Cryptographic protocols – introduction 4 / 15 , Diffie-Hellman protocol I I two principals A, B shared group G of prime order q with generator g I I I known to everyone (e.g. an attacker) goal: key agreement DH protocol: 1. A → B: g a , for random a ∈ Zq 2. B → A: g b , for random b ∈ Zq I I I A computes K = (g b ) a = g ab , and B computes K = (g a ) b = g ab the shared secret can be used to derive a symmetric key passive adversary: CDH problem g a , g b → g ab Cryptographic protocols – introduction 5 / 15 , MITM attack I active adversary in DH protocol I I 1. 2. 3. 4. I I I I can intercept and change messages man-in-the-middle attack (M is the attacker): A → M(B): g a M(A) → B: g x B → M(A): g b M(B) → A: g y A computes KA = g ay , B computes KB = g xb M can compute KA = (g a ) y = g ay as well as KB = (g b ) x = g bx M can “translate” messages between A and B (or create his/her own) Can M enforce KA = KB in the MITM attack? I If not, M should be there till the end or “simulate” a connection error. Cryptographic protocols – introduction 6 / 15 , Fixing DH protocol I authenticate messages in the protocol I additional assumptions – PKI (distribution of authentic public keys) Station-to-Station protocol: I 1. A → B: g a 2. B → A: g b , CertB , EK (SigB (g b , g a )) 3. A → B: CertA , EK (SigA (g a , g b )) I I I I I key agreement and authentication of participants the shared secret K = g ab SigU denotes signature produced by user U certificates contain public keys for verifying signatures E is symmetric encryption and “proves” the possession of K Cryptographic protocols – introduction 7 / 15 , Interlock protocol I I idea: let’s force the MITM attacker to be “active” in the communication scenarios (possible MITM attack): I I I I A/B wants to send a message mA /mB to B/A both encrypt their message and exchange halves of the ciphertexts (cA /cB ), and then the other halves: 1. 2. 3. 4. I after unauthenticated DH protocol after unauthenticated distribution of key using asymmetric encryption A → B: cA1 B → A: cB1 A → B: cA2 B → A: cB2 (first half of cA ) (first half of cB ) (second half of cA ) (second half of cB ) a half of the ciphertext should be useless for the recipient I e.g. even/odd bits, encryption combined with MAC, . . . Cryptographic protocols – introduction 8 / 15 , Interlock protocol (2) I assume MITM attacker M and keys KA and KB used for A ↔ M and M ↔ B communications, respectively I M can send the original message to A or B but not both example (sending mB to A) I 1. 2. 3. 4. 5. 6. 7. 8. I A → M(B): cA1 0 M(A) → B: cA1 B → M(A): cB1 0 M(A) → B: cA2 B → M(A): cB2 0 M(B) → A: cB1 A → M(B): cA2 0 M(B) → A: cB2 (first half of cA ) (first half of cA0 , for some made-up mA0 ) (first half of cB ) (second half of cA0 ) (second half of cB , M can decrypt mB ) (first half of cB0 , M encrypts mB with KA ) (second half of cA , M can decrypt mA ) (second half of cB0 , A decrypts mB ) Can we detect made-up messages? I phones – reading aloud the messages from interlock protocol or session-key checksum (voice synthesis ?) Cryptographic protocols – introduction 9 / 15 , Dolev-Yao model I the adversary in the network I eavesdrop, forge, replay, delete, replay (whatever (s)he wants) I very strong (but appropriate) model I protocol secure in DY model will be secure also in a weaker model sometimes weaker model is assumed in practice: I I I verification SMS sent to a mobile phone we will assume DY model in this and subsequent lectures Cryptographic protocols – introduction 10 / 15 , What is wrong with this protocol? I I A generates a session-key K and sends it encrypted and signed to B one way authentication and key distribution 1. A → B: EB (A, B, K ), SigA (EB (A, B, K )) I I I the problem: replay attack I I I assumptions: A knows the public key of B (for asymmetric encryption), B knows the public key of A (for signature verification) B verifies the signature and decrypts K after compromising K (e.g. it leaks) the attacker can replay the message B is tricked into using K as a good key for communication with A Exercise: What other problems can you find in the protocol when we omit the IDs of participants? Cryptographic protocols – introduction 11 / 15 , What is wrong with this protocol? I I A generates a session-key K and sends it encrypted and signed to B one way authentication and key distribution 1. A → B: EB (A, B, K ), SigA (EB (A, B, K )) I I I the problem: replay attack I I I assumptions: A knows the public key of B (for asymmetric encryption), B knows the public key of A (for signature verification) B verifies the signature and decrypts K after compromising K (e.g. it leaks) the attacker can replay the message B is tricked into using K as a good key for communication with A Exercise: What other problems can you find in the protocol when we omit the IDs of participants? Cryptographic protocols – introduction 11 / 15 , What is wrong with this protocol? I I A generates a session-key K and sends it encrypted and signed to B one way authentication and key distribution 1. A → B: EB (A, B, K ), SigA (EB (A, B, K )) I I I the problem: replay attack I I I assumptions: A knows the public key of B (for asymmetric encryption), B knows the public key of A (for signature verification) B verifies the signature and decrypts K after compromising K (e.g. it leaks) the attacker can replay the message B is tricked into using K as a good key for communication with A Exercise: What other problems can you find in the protocol when we omit the IDs of participants? Cryptographic protocols – introduction 11 / 15 , Freshness of messages I I prevention of replay attacks: nonces and timestamps nonce I I I I I I usually sufficiently long random string/number (i.e. unpredictable); (sometimes “unique” is sufficient) used just for a particular instance of the protocol unlikely to be present in some previous instances of the protocol usually the confidentiality not needed examples: SSL/TLS, IKEv2 timestamp I I I I sufficiently precise time information included into a message somewhat synchronized clocks required clock manipulation should be prevented example: Kerberos Cryptographic protocols – introduction 12 / 15 , Needham-Schroeder protocol I uses trusted third party – server S I S shares symmetric keys with participants (KU with participant U) I participants A and B I goals: authentication and distribution of the session-key KAB I assumptions: NA /NB nonces generated by A/B, the protocol: I 1. 2. 3. 4. 5. A → S: A, B, NA S → A: {NA , KAB , B, {KAB , A}KB }KA A → B: {KAB , A}KB B → A: {NB }KAB A → B: {NB − 1}KAB I positives: S involved only once, stateless, . . . I insecure! Cryptographic protocols – introduction 13 / 15 , Needham-Schroeder protocol I uses trusted third party – server S I S shares symmetric keys with participants (KU with participant U) I participants A and B I goals: authentication and distribution of the session-key KAB I assumptions: NA /NB nonces generated by A/B, the protocol: I 1. 2. 3. 4. 5. A → S: A, B, NA S → A: {NA , KAB , B, {KAB , A}KB }KA A → B: {KAB , A}KB B → A: {NB }KAB A → B: {NB − 1}KAB I positives: S involved only once, stateless, . . . I insecure! Cryptographic protocols – introduction 13 / 15 , Attacking Needham-Schroeder protocol I attack found by Denning and Sacco I weakness: B cannot verify the freshness of KAB I the attacker can force B to accept a compromised KAB (by cryptanalysis or by leak) the attack (M knows KAB and thus (s)he can finish the protocol): I 3. M(A) → B: {KAB , A}KB 4. B → M(A): {NB0 }KAB 5. M(A) → B: {NB0 − 1}KAB I (replay of old message) How to fix the protocol? I e.g. A requests NB from B at the beginning Cryptographic protocols – introduction 14 / 15 , Modified Wide Mouth Frog protocol I participants A and B, trusted third party (server S) I timestamps (TU generated by U) I S shares symmetric keys with participants I goals: one-way authentication and distribution of the session-key K the protocol I 1. A → S: A, {TA , B, K }KA 2. S → B: {TS , A, B, K }KB I Original WMF: 1. A → S: A, {TA , B, K }KA 2. S → B: {TS , A, K }KB I Can you find a weakness? Cryptographic protocols – introduction 15 / 15 , Modified Wide Mouth Frog protocol I participants A and B, trusted third party (server S) I timestamps (TU generated by U) I S shares symmetric keys with participants I goals: one-way authentication and distribution of the session-key K the protocol I 1. A → S: A, {TA , B, K }KA 2. S → B: {TS , A, B, K }KB I Original WMF: 1. A → S: A, {TA , B, K }KA 2. S → B: {TS , A, K }KB I Can you find a weakness? Cryptographic protocols – introduction 15 / 15 ,