Last Class: The Problem

Bob Alice

Eve

Private Message

Eavesdropping

Last Class: The Solution

Bob Alice

Eve

Scrambled Message

Eavesdropping

Encryption Decryption

Private Message Private Message

Other Security Problems

– Are you who you say you are?• Authentication

– How does Bob know that he’s really talking to Alice?– How does Alice know the message was sent by Bob?

• Mutual authentication

– How does Alice know that the message she receives hasn’t been tampered with?

• Message Integrity

– Are you authorized to do what you want to do?• Authorization

Secure Channels

Given credit where it is due

• Most slides are from Prof. Kenneth Chiu at SUNY Binghamton

• Some slides are from Scott Shenker and Ion Stoica at University of California, Berkeley and Ariel J. Frank at Bar-Ilan University

• I have modified and added some slides

Authentication• Can you have authentication without

message integrity?– I know that Bob sent the message, but someone

may have tampered with it.– I know that no one tampered with it, but I don’t

know whether or not it was really Bob who sent it.– Authentication & message integrity cannot do

without each other !• Set-up phase precedes message exchange• Session keys to ensure message integrity

Notation for Cryptography

Notation Description

KA, B Secret key shared by A and B

Public key of A

Private key of A

K A

K A

Shared Secret Key Authentication• Suppose Alice and Bob share a secret key (KA,

B). How can they setup a secure channel over an insecure medium?

1. Alice sends her identity to Bob.2. Bob sends a challenge (random number).3. Alice must encrypt and return.4. Alice then sends a challenge to Bob.5. Bob must encrypt and return.

An Optimization

• Authentication based on a shared secret key, but using three instead of five messages.

Attack Attempt

• Chuck tries to pretend to be Alice.• He sends the initial message to Bob.• Bob responds with the encrypted challenge, but then his own challenge.• Chuck cannot properly respond to the challenge because he doesn’t have

the key.

Chu

ck…

er…

Alic

e

?

Reflection Attack

• Lesson: never encrypt anything without knowing who you are encrypting it for.

Key Distribution Centers

• If there are N parties using shared secret keys, how many keys are needed?

• Alternative is to use a trusted KDC. It has a shared key with every host.

Key Distribution Centers

• Disadvantage is that Bob has to get into the loop first.

Tickets

• Using a ticket and letting Alice set up a connection to Bob.• Vulnerable to replay attacks if Chuck gets hold on KB,KDC

old

16

Authentication using KDC(Needham-Schroeder Protocol)

Relate messages 1 and 2: use challenge response mechanism RA1, RA2, RB: nonces

- Nonce: random number used only once to relate two messages

Alic

e

Bob

RA1,A,B1

KD

C

2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B))

3 KA,B(RA2), KB,KDC(A, KA,B)

4 KA,B(RA2-1, RB)

5 KA,B(RB-1)

17

What if RA1 is Missing?

Assume Chuck intercepted- KA,KDC(B,KA,B, KB,KDC

old(A,KA,B))

- Knows KB,KDCold

Bob

(K

B,K

DC)

A,B1

KD

C

Alic

e

3 KA,B(RA2), KB,KDCold(A, KA,B)

4 KA,B(RA2-1, RB)

5 KA,B(RB-1)C

huck

(K

B,K

DC

old )2 KA,KDC(B,KA,B, KB,KDC

old(A,KA,B))

(replayed message)

Here Chuck gets KA,B !

18

Authentication using KDC(Needham-Schroeder Protocol)

Why do we need to include B in message 2?

Alic

e

Bob

RA1,A,B1

KD

C

2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B))

3 KA,B(RA2), KB,KDC(A, KA,B)

4 KA,B(RA2-1, RB)

5 KA,B(RB-1)

19

What if B is Missing from Message 2?

Assume Chuck intercepts message 1

Alic

e

Bob

(K

B,K

DC)

RA1,A,B1

KD

C

2 KA,KDC(RA1,KA,C, KC,KDC(A,KA,C))

3 KA,C(RA2), KC,KDC(A, KA,C)

4 KA,C(RA2-1, RB)

5 KA,C(RB-1)

Chu

ck

RA1,A,C

Here Chuck gets KA,C !

20

Authentication using KDC(Needham-Schroeder Protocol)

Alic

e

Bob

RA1,A,B1

KD

C

2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B))

3 KA,B(RA2), KB,KDC(A, KA,B)

4 KA,B(RA2-1, RB)

5 KA,B(RB-1)

Vulnerable to replay attacks if Chuck gets hold on KA,B

21

What if Chuck gets KA,B?

Assume Chuck intercepted- KA,B(RA2), KB,KDC,(A,KA,B)

- Knows KA,B

Alic

e

Bob

RA1,A,B1

KD

C

2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B))

3 KA,B(RA2), KB,KDC(A, KA,B)

4 KA,B(RA2-1, RB)

5 KA,B(RB-1)

(replayed message)

Chu

ck (

KA

,B)

22

Defend Against leaking of KA,B

Message 5 (former 3) contains an encrypted nonce (KB,KDC(RB1)) provided by Bob. Chuck can no longer simply replay message 5 (former 3) to fool Bob, cause

message 5 is now related to message 2 by including nonce RB1.

Alic

e

Bob

RA1,A,B, KB,KDC(RB1)3

KD

C

4 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B,RB1))

5 KA,B(RA2), KB,KDC(A, KA,B,RB1)

6 KA,B(RA2-1, RB2)

7 KA,B(RB2-1)

A1

2 KB,KDC(RB1)

23

Authentication Using Public-Key Cryptography

KA+, KB

+: public keysA

lice

Bob

KB+(A, RA)1

2 KA+(RA, RB,KA,B)

3 KA,B(RB)

?

More on Secure Channels• In addition to authentication, a secure

channel also requires that messages are confidential, and that they maintain their integrity.

More on Secure Channels• For example: Alice needs to be sure that

Bob cannot change a received message and claim it came from her. And Bob needs to be sure that he can prove the message was sent by/from Alice, just in case she decides to deny ever having sent it in the first place.

• Solution: Digital Signing. ?

Digital Signatures

• Digital signing a message using public-key cryptography.

• This is implemented in the RSA technology. • Note: the entire document is encrypted/signed -

this can sometimes be a costly overkill.

Message Digest (MD)

• Can provide data integrity and non-repudiation– Used to verify the authentication of a message

• Idea: compute a hash on the message and send it along with the message

• Receiver can apply the same hash function on the message and see whether the result coincides with the received hash

Message Digest Operation• Transformation contains complex operations (see textbook)

512 bits 512 bits 512 bits

Message (padded)

Initial digest(constant)

Transformation

Transformation

Transformation

...

Message digest

Digital Signature• In practice someone cannot alter the message without modifying the

digest– Digest operation very hard to invert

• Encrypt digest with sender’s private key• KA

-, KA+: private and public keys of A

30

Secure Replicated Servers

A client issues a request to a group of replicated servers

Servers can be subject to Byzantine failures

How does the client gets the correct answer?

31

Strawman Solution

Client gets replies from all servers…

… and take majority voting

Problem: client needs to authenticate each server

32

Solution: Secret Sharing

Secret sharing: none of processes know the entire secret

Intuition:- Assume we want to tolerate c failures (some of them can by

Byzantine failures)

- Need to combine responses such that c+1 correct servers are sufficient to get the correct response

33

(k,n)-threshold Signature Scheme

One public key K+

n shares of corresponding private keys, Ki-, 1 <= i <= n

Encrypted value v with each of private key shares, i.e., vi=Ki

-(v)

A client can decrypt value v using K+ only if it knows at least k values of vi

34

Example

Assume 5 replicated servers that tolerate 2 corrupted servers, i.e., we need to adopt a (k,n)-threshold signature scheme where k=3 & n=5