Authentication of Kerberos and Wireless Communication

• Kerberos
• AMPS
• IS-95 : A-Key
• GSM
• DECT
• Bluetooth
• 802.11b


Kerberos

Abbreviations of Kerberos and Two Simple Types of Authentication Dialogue

Abbreviations:

• C = client
• AS = authentication server
• TGS = ticket-granting server
• V = server
• IDC = identifier of user on C
• IDV = identifier of V
• IDtgs = identifier of TGS
• PC = password of user on C
• ADC = network address of C
• KV = secret encryption key shared by AS and V

A Simple Authentication Dialogue

C → AS : IDC , PC , IDV
AS → C : Ticket
C → V : IDC , Ticket

Ticket = EKv [ IDC , ADC , IDV ]

[Diagram: C, AS and V; AS and V share KV.]

A More Secure Authentication Dialogue

1. PC : plaintext
2. Replay attack
3. PC : each time

Once per user logon session:
C → AS : IDC , IDtgs
AS → C : EKc [ Tickettgs ]

Once per type of service:
C → TGS : IDC , IDV , Tickettgs
TGS → C : TicketV

Once per service session:
C → V : IDC , TicketV

Tickettgs = EKtgs [ IDC , ADC , IDtgs , TS1 , Lifetime1 ]
TicketV = EKv [ IDC , ADC , IDV , TS2 , Lifetime2 ]

Lifetime : short (user) / long (replay)

[Diagram: C, AS, TGS and V, with the shared keys KC, Ktgs and KV.]

Overview of Kerberos

[Diagram: the Kerberos server (Authentication Server, AS, and Ticket-Granting Server, TGS), Client C and Server D, with message flows numbered 1 to 6.]

1. IDc , IDtgs , TS1

2. Ekc [ Kc,tgs , IDtgs , TS2 , Lifetime2 , Tickettgs ]
   Tickettgs = Ektgs [ Kc,tgs , IDc , ADc , IDtgs , TS2 , Lifetime2 ]

3. IDv , Tickettgs , Authenticatorc
   Authenticatorc = Ekc,tgs [ IDc , ADc , TS3 ]

4. Ekc,tgs [ Kc,v , IDv , TS4 , Ticketv ]
   Ticketv = Ekv [ Kc,v , IDc , ADc , IDv , TS4 , Lifetime4 ]

5. Ticketv , Authenticatorc
   Authenticatorc = Ekc,v [ IDc , ADc , TS5 ]

6. Ekc,v [ TS5 + 1 ]
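The checks server V can make on message 5 before answering with message 6, as an added example that is not part of the original slides. `E`/`D` are a stand-in for E_K[...] built from SHA-256 and HMAC rather than the cipher Kerberos uses; the 300-second skew window, the replay cache `seen` and all sample values are assumptions.

```python
import hashlib
import hmac
import json

def _ks(key: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(key: bytes, fields: dict) -> bytes:
    """Stand-in for E_K[...] (assumption: hash keystream + HMAC tag, not Kerberos' cipher)."""
    pt = json.dumps(fields).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, len(pt))))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct

def D(key: bytes, blob: bytes) -> dict:
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, len(ct)))))

def verify_message5(kv, idv, ticket, authenticator, src_addr, now, seen, skew=300):
    """Server V's checks on message 5; returns message 6, E_Kc,v[TS5 + 1]."""
    t = D(kv, ticket)                          # only the TGS and V know Kv
    kcv = bytes.fromhex(t["Kc,v"])
    a = D(kcv, authenticator)                  # proves the sender holds Kc,v
    if t["IDv"] != idv:
        raise ValueError("ticket issued for another server")
    if not t["TS4"] <= now <= t["TS4"] + t["Lifetime4"]:
        raise ValueError("ticket outside its lifetime")
    if (a["IDc"], a["ADc"]) != (t["IDc"], t["ADc"]) or a["ADc"] != src_addr:
        raise ValueError("authenticator does not match ticket or sender address")
    if abs(now - a["TS5"]) > skew:
        raise ValueError("stale authenticator")
    if (a["IDc"], a["TS5"]) in seen:
        raise ValueError("replayed authenticator")
    seen.add((a["IDc"], a["TS5"]))
    return E(kcv, {"TS5+1": a["TS5"] + 1})

# Constructed sample values (not from the page).
KV, KCV = b"server-v-long-term-key", b"session-key-c-v"
TICKET = E(KV, {"Kc,v": KCV.hex(), "IDc": "alice", "ADc": "10.0.0.5",
                "IDv": "fileserver", "TS4": 1000, "Lifetime4": 600})
AUTH = E(KCV, {"IDc": "alice", "ADc": "10.0.0.5", "TS5": 1010})
```

A second presentation of the same authenticator is rejected by the replay cache, and a captured ticket is useless after TS4 + Lifetime4.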

How to Request Service in Another Realm

[Diagram: Realm A and Realm B, each with a Kerberos server (AS and TGS); the figure also shows the client and the server.]

1. Request ticket for local TGS.

2. Ticket for local TGS.

3. Request ticket for remote TGS.

4. Ticket for remote TGS.

5. Request ticket for remote server.

6. Ticket for remote server.

7. Request for remote service.

NOTE : If there are N realms then there must be N(N-1)/2 secure key exchanges so that each Kerberos realm can interoperate with all other Kerberos realms.

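Overall Architecture of Our Country's E-Government Public Key Infrastructure

[Diagram: a certificate hierarchy with the National Root at the top, then CA1, CA2 and CA3, then CA11, CA21, CA22, CA31 and CA32, and the users (including natural persons and legal entities) at the bottom. Agency labels: Research, Development and Evaluation Commission; Ministry of Economic Affairs; Ministry of Transportation and Communications. Two kinds of link are shown: certificate issuance (hierarchical) and cross-certification. Cross-certified parties shown: a foreign government PKI root (PAA, PCA, SCA), a foreign enterprise PKI root (PCA), a CA belonging to a foreign government PKI and located in Taiwan, and the NNCA.]

• PAA : Policy Approval Authority
• PCA : Policy Certificate Authority
• SCA : Subordinate Certificate Authority
• NNCA : National Network Certificate Authority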

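Security and Identification in the AMPS Analog Mobile Phone System

• Mobile Identification Number (MIN) : 34 bits

• Handset serial number (Serial Number) : 32 bits
  (1) unique and cannot be changed
  (2) manufacturer code assigned by the FCC

Phone number (decimal) : 34-bit Mobile Identification Number

Serial number layout:

• bits 31 to 24 : manufacturer code (8)
• bits 23 to 18 : reserved (6)
• bits 17 to 0 : manufacturing serial number (18)

[Diagram: handset and MSC connected over the radio path; the figure labels two handsets, Handset A and Handset B.]

• At call setup the handset sends its Mobile Identification Number + serial number.
• The MSC checks them against its table of Mobile Identification Numbers and serial numbers.
• The Mobile Identification Number and serial number can be intercepted and decoded, and a cloned handset produced.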

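AMPS One Number on Multiple Handsets (Cloned Handsets), Current Situation and Countermeasure : IS-95 A-Key Authentication

[Diagram: both sides run the SSD_Generation Procedure on RANDSSD and A-Key, giving SSD_A_NEW and SSD_B_NEW, and the Auth_Signature Procedure on SSD_A_NEW and RANDBS; the two results are compared (AUTHBS = AUTHBS?).]

Messages exchanged:

• SSD Update Message (RANDSSD)
• Base Station Challenge Order (RANDBS)
• Base Station Challenge Confirmation Order (RANDBS)
• SSD Update Confirmation Order (success) / SSD Update Rejection Order (failure)

• A-Key : 64 bits, stored in the subscriber handset's permanent security and identification memory and in the system's authentication center.
• SSD (Shared Secret Data) : SSD_A (64 bits) + SSD_B (64 bits). SSD_A : authentication / SSD_B : privacy.
• CAVE (Cellular Authentication and Voice Encryption algorithm) function : the authentication algorithm, controlled under the U.S. International Traffic in Arms Regulations and export licensing regulations.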

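Security and Identification in the GSM Digital Mobile Phone System (GSM Rec. 02.09)

[Diagram: the network side (HLR/AUC, VLR/MSC, BSS) and the MS (SIM + ME), separated by the radio path. Security and identification are shown between the network side and the MS; segments of the path are labelled (ciphertext) and (plaintext).]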

Cryptographic Functions A3, A8 and A5 in GSM Protocol

The components A3, A8, and A5:

• A3 : one-way function.

• A8 : one-way function.

• A5 : one-way encryption/decryption algorithm using Kc. A5/1: Western Europe, A5/2: other countries (GSM MoU is attempting to establish A5/2 as the global standard).

[Diagram: Authentication: A3 takes Ki (128 bits) and RAND (128 bits) and outputs SRES (32 bits). Privacy: A8 takes Ki and RAND and outputs Kc (64 bits); A5/2 takes Kc and the TDMA Frame No. (22 bits), and its output is combined (+) with the data stream (114 bits) to give the ciphertext (114 bits).]

• The repeated cycle of TDMA Frame No. is 3 hrs 28 min 53 sec 760 msec (Range: 0~2,715,647).

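Security and Identification in the GSM Digital Mobile Phone System : Detailed Steps

[Diagram: HLR/AUC, VLR/MSC and MS (SIM + ME); the MS is identified by TMSI / IMSI.

• AUC database : one Ki per IMSI (IMSI 1 : Ki 1, IMSI 2 : Ki 2, ...).
• Identification : the AUC RAND generator produces RAND; A3 and A8 applied to RAND and Ki give the triplets (RAND, SRES, Kc) held by the VLR/MSC (the figure marks a group of 5). RAND is sent to the MS, where the SIM card applies A3 and A8 to RAND and Ki; the SRES returned by the MS is compared with the stored one (?= SRES).
• Encryption / decryption : on each side A5 with Kc converts between plaintext and ciphertext.]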

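Mobile Equipment (ME) Identity Procedure in GSM System

[Diagram: EIR, VLR/MSC and MS (SIM + ME). The MS is known by its TMSI; the VLR/MSC sends an IMEI Request to the MS, the MS returns its IMEI, the IMEI is passed to the EIR, and the result is Access/Barring.]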

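Eavesdropping and Unauthorized Use are Impossible with DECT : Privacy and Authentication

[Diagram: the PP and, on the network side, FP, VLR and HLR, with the radio path between PP and FP. The PP sends its ID; RS and RAND_F are sent to the PP, which returns RES. Authentication: A11 takes K and RS and outputs KS; A12 takes KS and RAND_F and outputs RES, which is compared with the received value (?= RES). Privacy: the encryption key is used to produce the ciphertext.]

Three options are shown for what is passed between HLR and VLR.

K:

• easy
• security problem
• VLR : A11, A12

RS, RAND_F, RES, KS:

• similar to GSM
• VLR does not know K
• VLR : no need of A11 and A12

RS, KS:

• VLR chooses RAND_F
• RS and KS can be reused
• VLR : A12
• Traffic between HLR and VLR can be reduced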

Security Scheme of Bluetooth

[Diagram: flow of the security procedures between Unit A and Unit B, in three phases: Unit A First Startup / Unit B First Startup, Unit – Unit First Handshake, and Unit – Unit following handshakes.]

1. Generation of Unit Key (Unit A and Unit B)
2. Generation of Initialization Key
3. Authentication (Kinit)
4. Link Key Exchange
5. Authentication (KAB)
6. Generation of Encryption Key
7. Encrypted communication


Generation of Bluetooth Unit Key

Unit A : E21 ( BD_ADDRA , RANDA ) → KA
Unit B : E21 ( BD_ADDRB , RANDB ) → KB

This happens only the first time a unit is used (i.e. turned on), and the unit key is then saved into its non-volatile memory.


Generation of Bluetooth Initialization Key

A → B : IN_RAND

Unit A : E22 ( PIN , L , IN_RAND ) → Kinit
Unit B : E22 ( PIN’ , L’ , IN_RAND ) → K’init

Unit A sends a random number IN_RAND to unit B, for both to generate the initialization key. Success of this step depends on PIN’ = PIN.


L = Length (PIN), L’ = Length (PIN’)

Authentication of Bluetooth

[Diagram: Unit A sends AU_RAND to Unit B; B returns SRES’, which A compares with its own SRES.]

Unit A : E1 ( BD_ADDRB , Klink , AU_RAND ) → SRES , ACO
Unit B : E1 ( BD_ADDRB , K’link , AU_RAND ) → SRES’ , ACO’

Klink could be either Kinit or KAB, i.e. the temporary initialization key or the effective link key between A and B. Success of this step depends on K’link = Klink.


Link Key Exchange (Unit Key)

[Diagram: Unit A combines KA with Kinit to form K and sends K to Unit B; B combines K with Kinit to recover KA, which becomes KAB (KA = KAB).]

This step happens only when one of the two units is going to provide its own unit key as the link key between A and B. When a more secure authentication is required, the link key will be built upon both A's and B's unit keys (Combination Key). After the link key has been exchanged, the initialization key is discarded and a new authentication procedure (using the new semi-permanent link key) is required. The new link key will also be the base on which to build the encryption key.


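Link Key Exchange (Combination Key)

[Diagram: Unit A and Unit B exchange LK_RANDA and LK_RANDB.]

Unit A :
E21 ( BD_ADDRA , LK_RANDA ) → LK_KA
E21 ( BD_ADDRB , LK_RANDB ) → LK_KB
LK_KA and LK_KB are combined into KAB

Unit B :
E21 ( BD_ADDRB , LK_RANDB ) → LK_KB
E21 ( BD_ADDRA , LK_RANDA ) → LK_KA
LK_KA and LK_KB are combined into KAB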


Generation of Bluetooth Encryption Key

A → B : EN_RANDA

Unit A : E3 ( EN_RANDA , Klink , COF ) → KC ; RED ( KC ) → KC’
Unit B : E3 ( EN_RANDA , Klink , COF ) → K’C ; RED ( K’C ) → K’C’

The encryption key KC is generated from the link key and a random number produced by A. If necessary, a length-reduced key KC’ is generated.


Encrypted Communication of Bluetooth

Unit A : E0 ( BD_ADDRA , clockA , KC’ ) → Kcipher
Unit B : E0 ( BD_ADDRA , clockA , K’C’ ) → K’cipher

[Diagram: on each side the cipher stream (Kcipher at A, K’cipher at B) is combined with data A-B and data B-A; the resulting data passes between A and B.]


Unit Key Stealing

[Diagram, two panels with units A, B and C.]

(a) The AB and AC link keys are both A's unit key: KAC = KAB.

(b) B pretends to be C by simply using C's address.


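IEEE 802.11b Security : Wired Equivalent Privacy (WEP)

Encryption

[Diagram: the IV concatenated (||) with the secret key forms the seed of RC4, which produces the key sequence. The integrity algorithm computes the Integrity Check Value (ICV) of the message; message and ICV form the plaintext, which is combined with the key sequence to give the ciphertext, sent together with the IV.]

WEP Decryption

C ⊕ RC4(IV,k)
= ( P ⊕ RC4(IV,k) ) ⊕ RC4(IV,k)
= P
= <M, c(M)>

Check c(M): the integrity algorithm recomputes ICV’ from the decrypted message and compares it with ICV (ICV = ICV’?).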

Authentication of 802.11b

There are two types of authentication:

1. Open system authentication. This is the default authentication service, which does not perform any authentication.

2. Shared key authentication. This uses a shared secret key to authenticate the station to the AP (access point).

Shared key authentication

The challenge text (128 bytes) is generated by using the WEP pseudo-random number generator (PRNG) with the shared secret and a random initialization vector (IV).

Security Flaws

The risks of keystream reuse

If C1 = P1 ⊕ RC4(IV,k)
and C2 = P2 ⊕ RC4(IV,k)
then
C1 ⊕ C2 = ( P1 ⊕ RC4(IV,k) ) ⊕ ( P2 ⊕ RC4(IV,k) )
= P1 ⊕ P2

The WEP standard recommends (but does not require) that the IV be changed after every packet.

Reuse of the Initialization Vector

• The IV field used by WEP is only 24 bits wide, nearly guaranteeing that the same IV will be reused for multiple messages.

With a packet size of 2000 bytes at an average bandwidth of 5 Mbps:

( ( (2000 × 8) / (5 × 10^6) ) × 2^24 ) / 3600 = 14 hours

• The PCMCIA cards that they tested reset the IV to 0 each time the card is re-initialized, and the IV is incremented by one for each packet.

Decryption Dictionaries

• Some access points transmit broadcast messages in plaintext and encrypted form when access control is disabled.

• The attacker can build a table of the keystream corresponding to each IV.

It does not matter whether a 40-bit or a 104-bit shared secret key is used, as the attack centers on the IV collision.

Message Modification

The WEP checksum is a linear function of the message. Δ may be chosen arbitrarily by the attacker.

• A → (B) : <IV, C>
• (A) → B : <IV, C’>
• C’ = C ⊕ <Δ, c(Δ)>
  = RC4(IV,k) ⊕ <M, c(M)> ⊕ <Δ, c(Δ)>
  = RC4(IV,k) ⊕ <M ⊕ Δ, c(M) ⊕ c(Δ)>
  = RC4(IV,k) ⊕ <M ⊕ Δ, c(M ⊕ Δ)>
  = RC4(IV,k) ⊕ <M’, c(M’)>
  where M’ = M ⊕ Δ

Message Injection

It is possible to reuse old IV values without triggering any alarms at the receiver.

• That is, if an attacker ever learns the complete plaintext P of any given ciphertext packet C, he can recover the keystream used to encrypt the packet.

P ⊕ C = P ⊕ ( P ⊕ RC4(IV,k) ) = RC4(IV,k)

(A) → B : <IV, C’>

where C’ = <M’, c(M’)> ⊕ RC4(IV,k)
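The three identities above (keystream reuse, message modification and message injection) checked on constructed data, as an added example that is not part of the original slides. It shows why the receiver's ICV check and IV handling give no protection: the names `delta`, `modify` and `demo`, the IV, the key and the messages are all assumptions made for the illustration.

```python
import struct
import zlib

def rc4(seed: bytes, n: int) -> bytes:
    """n bytes of RC4 keystream; WEP seeds RC4 with IV || k."""
    s, j = list(range(256)), 0
    for i in range(256):                               # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                                 # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def c(m: bytes) -> bytes:
    """WEP checksum c(M): CRC-32 of the message, 4 bytes little-endian."""
    return struct.pack("<I", zlib.crc32(m))

def encrypt(iv: bytes, k: bytes, m: bytes) -> bytes:
    p = m + c(m)                                       # P = <M, c(M)>
    return xor(p, rc4(iv + k, len(p)))                 # C = P xor RC4(IV,k)

def decrypt(iv: bytes, k: bytes, ct: bytes):
    p = xor(ct, rc4(iv + k, len(ct)))
    m, icv = p[:-4], p[-4:]
    return m if c(m) == icv else None                  # None: ICV mismatch

def modify(ct: bytes, delta: bytes) -> bytes:
    """C' = C xor <delta, c(delta)> without k. zlib's CRC-32 is affine, so
    the checksum patch also needs the CRC of an all-zero string."""
    return xor(ct, delta + xor(c(delta), c(bytes(len(delta)))))

IV, K = b"\x00\x00\x01", b"\x0a\x0b\x0c\x0d\x0e"       # constructed: 24-bit IV, 40-bit key
M1, M2, M3 = b"PAY ALICE 0100", b"HELLO WORLD 42", b"PAY ALICE 9100"

def demo():
    c1, c2 = encrypt(IV, K, M1), encrypt(IV, K, M2)    # same IV used twice
    reuse_leaks = xor(c1, c2)[:14] == xor(M1, M2)      # C1 xor C2 = P1 xor P2
    altered = decrypt(IV, K, modify(c1, xor(M1, M3)))  # ICV check still passes
    keystream = xor(c1, M1 + c(M1))                    # P xor C = RC4(IV,k)
    injected = decrypt(IV, K, xor(M2 + c(M2), keystream))
    return reuse_leaks, altered, keystream == rc4(IV + K, 18), injected
```

A keyed message authentication code in place of the CRC, together with a per-packet IV that the receiver refuses to accept twice, removes all three results.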

Authentication Spoofing

• The message injection attack can be used to defeat the shared-key authentication mechanism used by WEP.

• The attacker learns both the plaintext challenge sent by the access point and the encrypted version sent by the mobile station.