PRTCLS Flashcards

Question

Authenticated Key Establishment – 1

Answer 1

**Entity authentication is** **only** **achieved** **for a single moment in time****, typically provided at start of a connection/session.** * **Mallory might be able to hijack the connection after that point.** **What if a secure session is needed?** * **Session = combination of confidentiality, integrity, and data origin authenticity for remainder of a communications session.** **Solution: securely agree session keys as part of the authentication protocol.** * **Then use those session keys in encryption and MAC mechanisms to build a secure session.** * **Bind the session keys to the authentication to get an authenticated key establishment (AKE) protocol.**

Answer 2

If Alice and Bob already share key K, what is the point of them agreeing a second key SK? * **SK can be used for a short period of time (the lifetime of the session) while key K, their `long term secret’ is used only to encrypt a single message.** * **The long-term secret is only exposed as much as it needs to be. It can be `deleted’ from Alice’s local memory as soon as the message is transmitted.**

Answer 3

**As a simple example, we can adapt our one message time-stamp based protocol:** * *A → B: {T || B}_K** * *simply by adding a session key SK in Alice’s message:** **A → B: {T || B || SK}_K** **Alice is authenticated to Bob and they now share session key SK.** * **Because SK is agreed as part of the authentication protocol, it is bound to that protocol run.** * **So Bob can be sure that only Alice knows SK.** * **Alice can be sure that only Bob could know SK: only Bob could decrypt the message to extract SK.**

Answer 4

**Public-key encryption can also be used to create authenticated session keys:** * **Alice checks the authenticity of Bob’s public encryption key PKB using a certificate.** **A → B: {SK}_{PK_B}** * **Bob can obtain the session key SK by decrypting using his private key.** * **Alice and Bob both use SK to derive encryption and MAC keys to protect their session.** * **Alice can be sure that only Bob could know the session key.**

Answer 5

**In the previous protocol, Alice is not authenticated (anyone can encrypt messages for Bob).** **B is only _implicitly_ authenticated to A:** * **A is only assured she’s talking to B if messages in the subsequent session make sense (e.g. MACs compute correctly with SK).** * **These subsequent messages will usually contain redundancy or nonces which allow A to be sure they originated only from someone who could decrypt the message {SK}PKB, i.e. B.** **A (much) more complicated version of this protocol is an option in SSL**

Answer 6

**Alice and Bob agree ahead of time on a large prime** ***p*** **(*****p*****has, say, 2048 bits) and a number** ***g*** **(more on** ***g*** **later...).** **Alice chooses a random x and computes** ***g_x mod p*****.** **Bob chooses a random y and computes** ***g_y mod p.*** **Recall: Time for computing discrete logarithms is** ***O(e ^{(log n)3}),*** **exponentiation is only** ***O((log n)³)***

Answer 7

**Given: prime** ***p*****, PR*****g*** **A → B:** ***g^x mod p*** **(*****x \< p*****, chosen by A and kept secret)** **B → A:** ***g^y mod p*** **(*****y*** **,chosenbyBandkeptsecret)** **The trick:** ***(g^x mod p)^y mod p*** * *=** ***g^xy mod p*** **(easy to compute for B)** * *=** ***g^yxmod p*** **(rules of modular arithmetic)** * *=** ***(g^y mod p)^x mod p*** **(easy to compute for A)** **A and B now share a common key** ***gxy mod p***

Answer 8

If p is prime, a primitive root (or generator) g is a number, such that: for n from 1,...,p-1, gn mod p enumerates 1,...,(p-1) in some order.

Answer 9

If p is prime, a primitive root (or generator) g is a number, such that: for n from 1,...,p-1, gn mod p enumerates 1,...,(p-1) in some order.

Answer 10

**Eve sees only the public values,** ***gx mod p*** **and** ***gy mod p*****. But to derive the key, Eve needs to compute** ***g^xy mod p*****.** * **DH depends on the discrete logarithm problem: It is believed tobe computationally infeasible to calculate the shared secret key** ***k = gxy mod p*** **given the two public values** ***gx mod p*** **and** ***gy mod p*** **when the prime** ***p*** **is sufficiently large** * **Then Diffie-Hellman key exchange protocol will be secure against Eve, a passive adversary.**

Answer 11

**Alice thinks she has exchanged key K₁ with Bob.** * **Instead, it’s with Mallory.** **Bob thinks he has exchanged key K₂ with Alice.** * **Instead, it’s with Mallory.** **Mallory can now** * **intercept all messages from A intended for to B,** * **decrypt them using K₁,** * **read them,** * **re-encrypt them under K₂ and** * **pass them on to B.** **And vice-versa for messages from B to A.**

Answer 12

**Alice and Bob exchanged a key without any performing any entity authentication.** * **keys were exchanged, but Alice and Bob have no guarantees about with whom their exchange took place!** **For the long-term memory:** * **The Diffie-Hellman key exchange protocol is not secure against MiM-Attacks!**

Answer 13

**A → B: g^x** **B → A: g^y, {S_B{g^y , g^x}}_^g^xy** **A → B: {S_A{g^x, g^y}}_^g^xy** **B can compute the shared key g^xy after step 1, A after 2Why are the additional messages encrypted and signed?** **The station-to-station (Diffie, van Oorschot, Wiener) protocol adds authentication (via signatures) to DHKE:** * Encryption alone not enough – Mallory can easily break this with a MIM attack. * Encryption with key K assures both Alice and Bob that the sender of the messages really does know K. * This property is called key confirmation. It’s an important valuable property for a key agreement protocol.

Answer 14

**Scenario:** * **A network with n hosts,** * **All pairs of hosts might want to be able to communicate securely.** * **Would need n(n-1)/2 symmetric keys, each host holding n-1 keys.** **Option: Use public-key techniques with trust in keys based on certificates** **Alternatively, use a trusted third party called a Key Distribution Centre (KDC) who co-operates to enable users to authenticate one another and share session keys.** * **The** **Needham-Schroeder** **protocol.**

Answer 15

**Each host H shares a single long-term key KH,T with the KDC,** **T; thus:** * **Alice shares a long-term key KA,T with KDC.** * **Bob also shares a long-term key KB,T with KDC.** * **Alice and Bob do not initially share a key.**

Answer 16

1. A → T: A || B || N_A 2. T → A: {N_A || B| | K || {K || A}_^KB,T}_^KA,T 3. A → B: {K||A}K_B,T 4. B → A: {N_B}_K 5. A → B: {N_B-1}_K **In messages 1 and 2, Alice and Trent (the TTP) interact: Trent gives Alice a session key K and authenticates himself.** **In messages 3, 4, and 5, the interaction is between Alice and Bob. Alice transfers an encrypted copy of the session key to Bob in message 3 and is authenticated to Bob in messages 4 and 5.** **There’s no need to make the Alice/Trent interaction mutually authenticated: if Mallory tries to impersonate Alice to Trent, all he gets back in step 2 is a message encrypted under the Alice/Trent shared key.**

Answer 17

**T is authenticated by A.** **A is not authenticated by T, but A can only decrypt message 2 if she has the correct key K_A,T.** **A is authenticated to B (challenge/response based on N_B).** **If key K is used for subsequent encryption or MACing, then we get implicit authentication of B to A.** * **Recipient of message 3 can only obtain K if he knows correct key K_B,T.** **We can make authentication between A and B mutual.** * **E.g. A issues a challenge to B as part of message 3 and B responds in message 4.** **Session key established: chosen by T, the KDC.**

Answer 18

* **Key storage efficiency: only n keys to look after at KDC.** * **Only one long-term key per client (K_A,T) instead of n-1.** * **Simple symmetric key cryptography is used.** * **Bob can be off-line in steps 1 & 2 and TTP can be off-line in steps 3,4 & 5.** * **So Alice can obtain K from TTP, cache it and then use it later with Bob.** * **Trent never has to interact with Bob. This fits nicely with a client-server model: Trent can grant Alice a session key for communicating with Bob (another server say) without having to check the status of Bob.**

Answer 19

* **KDC is a single point of failure – in terms of security and availability.** * **KDC can be a computation/communication bottleneck.** * **An on-line, trusted server is needed:** * *TTP knows all session keys and all long-term keys.** * **How can we ensure clients look after their long-term keys properly?** * **If long-term key is compromised, then entities can be impersonated.** * **An issue in non-TTP based solutions too.**

Answer 20

**Old session keys are valuable: Assume Mallory can get hold of an old K and has recorded message 3 of the old protocol run** 1. A → T:A||B||N_A 2. T → A: {N_A ||B||K||{K||A}K_B,T}K_A,T 3. M → B: {K || A}_^KB,T 4. B → M: {N_B}_K 5. M → B: {N_B-1}_K **Bob won’t realize a replay attack.** **Cure: Introduction of a time stamp in step 2** • **Needs accurate & trusted clocks**

Answer 21

**A corporate network, with KDC being a server managed by IT department (say), and hosts being networked resources or users’ machines.** * **Printers** * **Storage** * **Computational Resources** **The Needham-Schroeder approach simplifies key management in such a network.**

Answer 22

* **Kerberos is a TTP-based authentication protocol developedfrom Needham-Schroeder.**

Answer 23

**Authentication Server (AS)** * **Authenticated by client at login based on long-term key,** * **AS gives client ticket granting ticket and short-term key.** * **AS provides an authentication service.** **Ticket Granting Server (TGS)** * **Authentication with client based on short-term key and ticket** * **TGS then issues tickets to client which give client access to further servers.** * **TGS provides an access control/authorization service.**

Answer 24

**Logical separation of authentication and authorisation/access control.** * **But: AS and TGS are often implemented on same physical platform.** **Differentiated control over lifetime of ticket granting tickets (typically 10 hours) and session tickets for actual access to services (typically 5 minutes).** **A user only needs to use his long-term secret key once per 10 hour session, to establish short-term key and ticket granting ticket.** * **Convenient for users.** * **Reduces possibility of exposure of long-term key.**

Answer 25

Messages 1 and 2 are exchanged between the client and the AS. This typically happens only once per ‘log in’. A short-term key is provided by the AS. Message 2 contains the ticket granting ticket and a version of that ticket encrypted under KAS,TGS for the client to forward to the TGS. Messages 3 and 4 are exchanged between the client and the TGS (using the short- term key provided by the AS). Message 3 and 4 can be repeated a number of times without repeating messages 1 and 2. 3,4 messages exchange happens whenever the client wants to communicate with a new server. Messages 5 and 6 are exchanged between the client and server (using a key provided by the TGS). Message 5 and 6 can be repeated a number of times without repeating messages 3 and 4, during the lifetime of the key set up between the client and the server.

Answer 26

Phase 1**: In messages** 1 and 2**, C and AS use long-term key to authenticate. AS gives C short-term key and ticket granting ticket (TGT).** Phase 2**: In messages** 3 and 4**, C and TGS use short-term key and ticket granting ticket to authenticate. TGS gives C session key and ticket.** Phase 3**: In messaged** 5 and 6**, C and S use session key and ticket to authenticate and set up secure session.** **Phases 2 and 3 will usually be repeated many times for each execution of Phase 1.**

Answer 27

**K_AS,TGS is a long-term key shared by AS and TGS.** **K_AS,Cis a long-term key shared by AS and C.** **K_TGS,S is a long-term key shared by TGS and S.** **-\> These keys need to be established in advance!** **K_C,TGS is a short-term key shared by C and TGS (established by messages 1 and 2).** * **This key is transported securely from C to TGS in the ticket granting ticket.** **K_C,S is a session key shared by C and S (established by messages 3 and 4).** * **This key is transported securely from C to S in the ticket.**

Answer 28

{K_C,TGS||C||from||to}_^KAS,TGS * **Is the** **ticket granting ticket****.** * **Received by C in message 2 and forwarded to TGS in message 3** * **Only TGS can decrypt it to obtain short-term key** K_C,TGS **and validity period** from||to**. These parameters determine ticket given to C in message 4.** {K_C,S||C||from||to}K_TGS,S * **Is the** **ticket****.** * **Received by C in message 4 and forwarded to S in message 5.** * **Only S can decrypt it to obtain session key** K_C,S **and validity period** from||to**. These parameters determine access given to C in subsequent session with server S.** **These tickets are similar to message 3 in Needham- Schroeder: {K || A}_^KB,T** * **Now extended with validity periods for keys.**

Answer 29

**Entity authentications are achieved using a mixture of nonces and timestamps.** **Methods are similar to the protocols discussed earlier (and in particular the Needham-Schroeder protocol).** **For example: AS is authenticated to C using challenge/response protocol based on encryption, shared key K_AS,C and nonce N_C in messages 1 and 2.** **C is not authenticated to AS explicitly, but C can only decrypt message 2 if it has the correct key K_AS,C.** **Other authentications: C and TGS; C and S.**

Answer 30

* **Kerberos uses symmetric encryption and MACs.** * **uses DES combined with one of MD4, MD5, or a CRC**

Answer 31

Lack of revocation**: ticket granting tickets valid until they expire, typically 10 hours. What if compromised?** Key management**: within realms (domains): long-term keys need to be established between AS and TGS, TGS and Servers and AS and clients.** Scalability**: authentication across realms is complicated.** Synchronous clocks **needed, protected against attacks. Caches of recent messages to protect against replay within clock skew.** Availability**: need for on-line AS and TGS, trusted by clients not to eavesdrop.** Key storage**: short-term keys and ticket granting tickets located on largely unprotected client hosts.** Denial of Service**: potential for DoS attacks on clock service or on AS/TGS?** Passwords**: in most deployments, the Client-AS long-term key KAS,C is usually based on password entered by user at start of session** **Kerberos vulnerable to dictionary attacks** **Ultimately, then, security is dependent on users and the quality of the passwords they can be persuaded to remember.** Code Vulnerabilities**: many found over the years.**

Answer 32

**Kerberos is an example of a Single Sign On (SSO) system.** **User enters a single password, and obtains seamless access to multiple network services or applications.** **Microsoft Passport: an example of a web-based SSO solution, aimed at e-commerce consumers.** **Liberty Alliance: an open, standards-based effort at achieving federated network identity, a concept related to SSO.** **Many vendors currently offer similar SSO/password management products.**

Answer 33

**Interlock Protocol** **Secret Splitting** **SKEY**

Answer 34

**Full Version of „Authenticated Key Establishment – 3 “:** 1. **A**→**B: PK_A** 2. **B**→**A: PK_B** 3. **A**→**B: {SK}_^PKB** 4. **B**→**A: {SK}_^PKA** **If Mallory can modify 1 and 2, he can put himself in the middle by distributing PK_M to Alice and Bob** **-\> M must be able to intercept and modify traffic; how hard this is depends on the network (cf. Internet, GSM, Broadcast media,... )**

Answer 35

* **A and B want to send messages to each other.** * **A sends first half to B.** * **B sends first half to A.** * **A sends second half to B.** * **B sends second half to A.** **Since the man-in-the-middle cannot decrypt half of a message, it must pass something on.** * **Secure if the attacker cannot intelligibly mimic A or B.**

Answer 36

**Let f be a one-way (trap door) function and R a random number** * **Bob computes and (securely) transmits f(R), f²(R), ... f^n-i(R) to Alice** * **Bob remembers only one value: current := fⁿ(R)** * **Alice remembers all fⁱ(R), 1 \< i \< n-1** **Alice‘s ith authentication: A** → **B: f^n-i(R)** * **Bob authenticates A by checking f(f^n-i(R)) = current** **and sets current := f^n-i(R)** → **Knowing what Bob knows cannot compromise Alice!**

Answer 37

**Advantages of Zero-Knowledge Protocols:** * **Not requiring the revelation of one’s secret.** * **Does not involve complex encryption methods.** **Disadvantages of Zero-Knowledge Protocols:** * **Limited:** * *Secret must be numerical, otherwise a translation is needed.** * **Lengthy:** * *Each computation requires a certain amount of running time.** * **Imperfect:** * *Mallory can still intercept the transmission (i.e. messages to the Verifier or the Prover might be modified or destroyed).**

Answer 38

**Completeness:** * **The Verifier will always accept a proof from the Prover, given that they both follows the correct protocol.** **Soundness:** * **The Verifier will not accept any “incorrect” proof from the Prover, given that the Verifier follows the correct protocol.** **Zero-Knowledge:** * **During the whole “proving” process, the Verifier will learn nothing about the Prover’s secret, nor will she be able to prove that secret to any other party.**

Answer 39

**The Chess Grandmaster Problem** **Anyone can defeat or beat a grandmaster in Chess:** * **Choose a second grandmaster and act as a man-in-the- middle** **Problem with ZKP:** * **Mallory can act as a man in the middle and pass Alice‘s answers to Bob** * **Can be „fixed“ with timestamps, where each answer must be given at an exact time: no time left to pass messages ... of little value in practice**

PRTCLS Flashcards

(65 cards)