
A Survey of Authentication Protocol Literature: Version 1.0
Written by John Clark and Jeremy Jacob
Presented by Brian Sierawski

Overview
Background
Cryptography
Forms of Attack

Background
Term: Users, hosts, processes referred to as principals
Goal: Want to be sure that a received message has been created recently by the principal who claims to have sent it

Cryptography
Cryptography is fundamental to authentication
Cryptographic algorithm converts plaintext to unintelligible ciphertext
Encryption depends on key

Notation
E(K : M) denotes M encrypted with key K
Principals are capital letters: A, B, S for server, Z for attacker
Z(A) denotes Z acting as A
Na refers to a number generated by A
E.g. A → B : A, E(Kab : Na)
A sends B an identifier with an encrypted nonce

Symmetric Key Cryptography


The encryption key K and decryption key K⁻¹ are easily obtainable from each other
Anyone in possession of the key may read or create ciphertexts => key must be shared secret between principals
Kab denotes key for communication between principals A and B

Symmetric Key Cryptography


Classical Cryptography
Substitution cipher: substitutes a ciphertext character for a plaintext character
Transposition cipher: shuffles plaintext characters

Modern Cryptography
Block cipher
Stream cipher

Block Cipher
Encrypts a block of 64 or 128 bits at a time
DES encrypts 56 bits (at insistence of NSA), which is insufficient against modern-day attacks
Other block ciphers: MADRYGA, NEWDES, FEAL-N, RC2, RC4, IDEA

Modes of Block Ciphers


Electronic Code Book (ECB)
Cipher Block Chaining (CBC)
Cipher Feedback Mode (CFB)

Electronic Code Book (ECB)


Simplest mode
Consecutive blocks of plaintext are encrypted => identical blocks of plaintext are always encrypted in the same way
Problem 1: Analyst may be able to build up a codebook of plaintext-ciphertext pairs
Problem 2: Possible to replace an encrypted block with another

Cipher Block Chaining (CBC)


Block i of plaintext is XORed with block i - 1 of ciphertext, then encrypted
Choosing different initial block I will create different ciphertexts
Problem: Should initial block be sent in clear or encrypted?

Cipher Feedback mode (CFB)


Useful to transmit data less than block size
Process:
Shift register initialized
Contents encrypted as a block
Leftmost byte XORed with plaintext data
Ciphertext pushed on right end of register

Stream Ciphers
Encrypt one bit of plaintext at a time
Generate bit stream and XOR successive bits with successive bits of plaintext
[Figure: stream cipher with internal state, key, next-state function and output function; keystream bit Ki, plaintext bit Pi, ciphertext bit Ci]

Symmetric Key Without Trusted Third Party


ISO One-pass Symmetric Key Unilateral Authentication Protocol
A → B : Text2, E(Kab : [Ta | Na], B, Text1)

Text2 identifies sender
Timestamp or nonce prevents replay attacks
B's identity included as sole receiver

Symmetric Key With Trusted Third Party


E.g. Needham Schroeder Symmetric Key Authentication:
(1) A → S : A, B, Na
(2) S → A : E(Kas : Na, B, Kab, E(Kbs : Kab, A))
(3) A → B : E(Kbs : Kab, A)
(4) B → A : E(Kab : Nb)
(5) A → B : E(Kab : Nb - 1)

Problem: Freshness Attacks

Public Key Cryptography


No shared secret, each principal A is associated with key pair (Ka, Ka⁻¹)
Only public key revealed
Encryption with Ka⁻¹ and decryption with Ka guarantees authenticity
1024 bit key recommended

Public Key Cryptography


Problem: RSA is 100x slower than DES => Exchanging symmetric keys through public key cryptography good idea!
Typically a trusted server S called certification authority stores public keys and distributes them under Ks⁻¹

Freshness Attack
Occurs when a message is recorded and replayed
Needham Schroeder protocol weak
(3) A → B : E(Kbs : Kab, A)
Old key Kab may have been compromised

Type Flaws
Arises when recipient accepts a message as valid but imposes different interpretation
Otway-Rees protocol
(1) A → B : M, A, B, E(Kas : Na, M, A, B)
(2) B → S : M, A, B, E(Kas : Na, M, A, B), E(Kbs : Nb, M, A, B)
(3) S → B : M, E(Kas : Na, Kab), E(Kbs : Nb, Kab)
(4) B → A : M, E(Kas : Na, Kab)

Attack
(1) A → Z(B) : M, A, B, E(Kas : Na, M, A, B)
(4) Z(B) → A : M, E(Kas : Na, M, A, B)

Parallel Session Attacks


Occurs when two or more protocol runs are executed concurrently and messages from one are used to form messages in another
(1) A → B : E(Kab : Na)
(2) B → A : E(Kab : Na + 1)

Attack
(1.1) A → Z(B) : E(Kab : Na)
(2.1) Z(B) → A : E(Kab : Na)
(2.2) A → Z(B) : E(Kab : Na + 1)
(1.2) Z(B) → A : E(Kab : Na + 1)
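
The parallel session run above, as an added example in a symbolic model (not part of the original slides). The Enc term, the PrincipalA class and the sender tag used as a countermeasure are assumptions made for illustration; Z(B) never holds Kab and only forwards A's own terms.

```python
from collections import namedtuple
import itertools

Enc = namedtuple("Enc", "key body")   # symbolic E(key : body), opaque without the key
_nonces = itertools.count(1000, 7)    # constructed nonce source

class PrincipalA:
    """A both issues challenges and answers challenges that claim to come from B."""
    def __init__(self, kab, tagged):
        self.kab, self.tagged, self.pending = kab, tagged, None

    def challenge(self):               # (1) A -> B : E(Kab : Na)
        self.pending = next(_nonces)
        return Enc(self.kab, ("A", self.pending) if self.tagged else self.pending)

    def respond(self, msg):            # A answering what it takes to be B's message (1)
        if msg.key != self.kab:
            return None
        if not self.tagged:
            return Enc(self.kab, msg.body + 1)
        sender, n = msg.body
        return None if sender == "A" else Enc(self.kab, ("A", n + 1))

    def accept(self, msg):             # A checking (2) B -> A : E(Kab : Na + 1)
        if msg is None or msg.key != self.kab or self.pending is None:
            return False
        if not self.tagged:
            return msg.body == self.pending + 1
        sender, n = msg.body
        return sender == "B" and n == self.pending + 1

def reflected_run(a):
    """Z(B) holds no key and only hands A's own terms back to A."""
    m11 = a.challenge()                # (1.1) A -> Z(B)
    m22 = a.respond(m11)               # (2.1) Z(B) -> A, then (2.2) A -> Z(B)
    return a.accept(m22)               # (1.2) Z(B) -> A

def honest_run(a):
    """The real B opens the challenge with Kab and answers it."""
    m1 = a.challenge()
    n = m1.body[1] if a.tagged else m1.body
    return a.accept(Enc(a.kab, ("B", n + 1) if a.tagged else n + 1))
```

With tagged=False the reflected run is accepted even though B never took part; with tagged=True A refuses its own challenge and only a reply tagged by B passes.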

Implementation Dependent Attacks


Stream Ciphers (Needham Schroeder)
(4) B → A : E(Kab : Nb)
(5) A → B : E(Kab : Nb - 1)
If Nb is odd, Nb - 1 has good chance of being formed by flipping last cipher bit
Changing Identity
Same attack on A → B : E(Kbs : Kab, A)
A can masquerade as C

Implementation Dependent Attacks


Cipher Block Chaining
Cut and Paste
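[Figure: two CBC-encrypted messages and a spliced ciphertext]
Plaintext P1 P2 P3 P4 P5, ciphertext C0 C1 C2 C3 C4 C5
Plaintext P1 P2 P3 P4, ciphertext C0 C1 C2 C3 C4
Spliced ciphertext C0 C1 C2 C3 C2 C3 C4 decrypts to P1 P2 P3 X P3 P4

Random gibberish X may be expected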

Implementation Dependent Attacks


Initialization Attacks
Given ciphertext C0C1 and known P1
Decryption alg: P1 = C0 ⊕ dk(C1)
Desired block value W = W ⊕ P1 ⊕ P1
W = W ⊕ P1 ⊕ (C0 ⊕ dk(C1))
W = C0' ⊕ dk(C1) where C0' = W ⊕ P1 ⊕ C0
Without knowing the key, P1 has now been easily replaced with W
In Needham Schroeder the first block is the nonce!
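
The initialization attack above worked through in code, next to an encrypt-then-MAC check that detects the altered C0. This is an added example, not part of the original slides: the 4-round Feistel cipher is a toy stand-in for a real block cipher, and the keys, C0 and plaintext blocks are constructed sample values.

```python
import hashlib, hmac
BS = 16  # block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # round function of the toy cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]

def ek(key, block):  # toy 4-round Feistel cipher, a stand-in for a real block cipher
    l, r = block[:BS // 2], block[BS // 2:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def dk(key, block):  # inverse of ek
    l, r = block[:BS // 2], block[BS // 2:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, c0, blocks):
    cts = [c0]
    for p in blocks:
        cts.append(ek(key, _xor(p, cts[-1])))
    return cts  # [C0, C1, ...]

def cbc_decrypt(key, cts):  # P_i = C_(i-1) xor dk(C_i)
    return [_xor(cts[i - 1], dk(key, cts[i])) for i in range(1, len(cts))]

def replace_first_block(cts, p1, w):  # C0' = W xor P1 xor C0, no key needed
    return [_xor(_xor(w, p1), cts[0])] + cts[1:]

def seal(enc_key, mac_key, c0, blocks):  # encrypt-then-MAC over C0..Cn
    cts = cbc_encrypt(enc_key, c0, blocks)
    return cts, hmac.new(mac_key, b"".join(cts), hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, cts, tag):  # returns None if any block was altered
    good = hmac.new(mac_key, b"".join(cts), hashlib.sha256).digest()
    return cbc_decrypt(enc_key, cts) if hmac.compare_digest(tag, good) else None

# Constructed sample data: fixed keys, C0 and plaintext blocks for a repeatable run.
ENC_KEY, MAC_KEY, C0 = b"k" * 16, b"m" * 16, bytes(range(16))
P1, P2, W = b"NONCE-0000000001", b"KEY-MATERIAL-001", b"NONCE-9999999999"

if __name__ == "__main__":
    cts, tag = seal(ENC_KEY, MAC_KEY, C0, [P1, P2])
    forged = replace_first_block(cts, P1, W)
    # Plain CBC yields W as block 1; the MAC check rejects the same ciphertext.
    print(cbc_decrypt(ENC_KEY, forged)[0], open_sealed(ENC_KEY, MAC_KEY, forged, tag))
```

Only the first plaintext block changes, so nothing in the decrypted output signals the edit unless integrity is checked over C0 as well as the later blocks.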

Binding Attack
A simple public key distribution
(1) C → AS : C, S, Nc
(2) AS → C : AS, E(Kas⁻¹ : AS, C, Nc, Ks)

Leads to the following problem


(1.1) C → Z(AS) : C, S, Nc
(2.1) Z(C) → AS : C, Z, Nc
(2.2) AS → Z(C) : AS, E(Kas⁻¹ : AS, C, Nc, Kz)
(1.2) Z(AS) → C : AS, E(Kas⁻¹ : AS, C, Nc, Kz)
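
The binding problem above, as an added symbolic example (not part of the original slides): the signed reply never names the principal whose key it carries, so C cannot tell Kz from Ks. The Signed term, the key directory and the bind_name variant, which adds the requested name to the signed body, are assumptions made for illustration.

```python
from collections import namedtuple

Signed = namedtuple("Signed", "signer body")   # symbolic E(Kas^-1 : body)

KEYS = {"S": "Ks", "Z": "Kz"}   # constructed public-key directory held by AS

def as_reply(request, bind_name):
    """AS answers (C, X, Nc) with a signed statement carrying X's public key."""
    client, wanted, nonce = request
    if bind_name:   # hardened body: AS, C, X, Nc, Kx
        body = ("AS", client, wanted, nonce, KEYS[wanted])
    else:           # body from the slide: AS, C, Nc, Kx
        body = ("AS", client, nonce, KEYS[wanted])
    return ("AS", Signed("AS", body))

def client_accepts(reply, client, wanted, nonce, bind_name):
    """C's checks on message (2); returns the key C will use for `wanted`, or None."""
    _, cert = reply
    if cert.signer != "AS":
        return None
    if bind_name:
        signer, c, name, n, key = cert.body
        ok = (signer, c, name, n) == ("AS", client, wanted, nonce)
    else:
        signer, c, n, key = cert.body
        ok = (signer, c, n) == ("AS", client, nonce)
    return key if ok else None

def run_with_substitution(bind_name):
    """Z rewrites the requested name in transit and relays AS's signed reply."""
    nonce = 4242                                   # constructed Nc
    request = ("C", "S", nonce)                    # (1.1) C -> Z(AS)
    rewritten = ("C", "Z", request[2])             # (2.1) Z(C) -> AS
    reply = as_reply(rewritten, bind_name)         # (2.2) AS -> Z(C)
    return client_accepts(reply, "C", "S", nonce, bind_name)   # (1.2) Z(AS) -> C
```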

Conclusions
Even though protocols have few messages, construction is complex
The whole system is important
Need tool support for rigorous development and analysis of protocols
