Secure Public Instant Messaging
Financial Cryptography - Feb 27, 2006

A Protocol for Secure Public Instant Messaging
Mohammad Mannan and Paul C. van Oorschot
Digital Security Group
Carleton University, Canada

Mohammad Mannan Feb 27, 2006

Outline
➠ IM overview and motivation
➠ Instant Messaging Key Exchange (IMKE) – the protocol
➠ Security comments

Figure 1: IM in action

IM communication model
[Figure: a Server connected to Client A and Client B, each client shown with its contact list (A's contact list, B's contact list). Legend:]
• Client-Server Communications (e.g. login, profile)
• Client-Client Direct Communications (e.g. file data transfer)
• Client-Client Server-mediated Communications (e.g. text message)

Do we need secure IM?
➠ IM is a popular application
  • instant communication (home users)
  • instant collaboration (enterprise users)
➠ Number of users: MSN 185m, Yahoo! 82m, AOL 61m [a]
➠ 13 of Fortune 50 companies were affected by IM-related security incidents in the last 6 months [b]
➠ IMlogic was bought by Symantec (Jan. 2006)

[a] Source: ComScore Media Metrix, Aug. 2005
[b] Source: IMlogic, Nov. 2005

IMKE - motivation
1. Existing solutions have drawbacks
  • SSL: relayed user messages are visible to IM server
  • client plug-ins: client-server messages are plaintext
  • secure protocols: not designed for integration
2. Strong password protocols do not fit
  • efficiency
  • simplicity

IMKE - goals
1. Mutual assurance of identity
2. Secure communications ("C.I.A.")
3. Forward secrecy
4. Repudiation (!)
5. Replay detection
  • authentication phase: ✓
  • text message / file transfers: standard techniques

IMKE - notation

| Symbol | Meaning |
|---|---|
| $A, B, S$ | IM users Alice and Bob, and IM server |
| $ID_A$ | User ID of $A$ |
| $P_A$ | Password shared by $A$ and $S$ |
| $R_A$ | Random number generated by $A$ |
| $\{data\}_K$ | Secret-key encryption of $data$ using key $K$ |
| $\{data\}_{E_A}$ | Public-key encryption of $data$ using $A$'s public key $KU_A$ |
| $K^s_{AS}$ | Symmetric ($s$) session encryption key shared by $A$ and $S$ |
| $[X]_{AS}$ | MAC output of $X$ under the symmetric MAC key shared by $A$ and $S$ |

IMKE - features
➠ Comparing IMKE re: offline dictionary attack avoidance
  1. password-only (e.g. EKE): $\{KU_A\}_{P_A}$
  2. known server public key (e.g. Halevi-Krawczyk): $\{P_A, R\}_{E_S}$
  3. IMKE: $\{K_{AS}\}_{E_S}, \{P_A\}_{K_{AS}}$
➠ Public key protocol independence
➠ IM server works as an online public key distribution center
➠ Secure communications between users who share no long-term secret
➠ Dynamic client public keys

IMKE - message summary (1)

| Phases | Message Labels | Messages |
|---|---|---|
| Authentication and Key Exchange | | $A$ generates a dynamic public/private key pair |
| | | $A$, $S$ authenticate each other using shared password |
| | | $A$, $S$ establish a session key |
| | | $A$'s public key is sent to and stored by $S$ |
| Public Key Distribution | | $A$ communicates to $S$ a desire to talk to $B$ |
| | | $S$ forwards $B$'s public key to $A$ (and $A$'s to $B$) |
| Session Key Transport | | $A$, $B$ authenticate each other using the received public keys |
| | | $A$, $B$ establish a session key |

IMKE - message summary (2)

| Phases | Message Labels | Messages |
|---|---|---|
| Authentication and Key Exchange | a1 | $A \rightarrow S: ID_A, \{K_{AS}\}_{E_S}, \{KU_A, f_1(P_A)\}_{K_{AS}}$ |
| | a2 | $A \leftarrow S: \{R_S\}_{E_A}, \{f_2(P_A)\}_{K_{AS}}$ |
| | a3 | $A \rightarrow S: f_3(R_S)$ |
| Public Key Distribution | b1 | $A \leftarrow S: \{KU_B, ID_B\}_{K^s_{AS}}, [KU_B, ID_B]_{AS}$ |
| | b2 | $B \leftarrow S: \{KU_A, ID_A\}_{K^s_{BS}}, [KU_A, ID_A]_{BS}$ |
| Session Key Transport | c1 | $A \rightarrow B: \{K_{AB}\}_{E_B}, \{R_A\}_{K_{AB}}$ |
| | c2 | $A \leftarrow B: \{R_B\}_{E_A}, \{f_6(R_A)\}_{K_{AB}}$ |
| | c3 | $A \rightarrow B: f_7(R_A, R_B)$ |

$K^s_{AS} = f(K_{AS}, R_S)$, $K^s_{AB} = f(K_{AB}, R_B)$
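
The following is an added example, not code from the slides or from the IMKE implementation. It sketches the MAC half of message b1 and the derivation $K^s_{AS} = f(K_{AS}, R_S)$, showing what A's check on a forwarded public key does and does not establish. HMAC-SHA256 as $f$ and as the MAC, the "enc"/"mac" labels, the length-prefixed encoding and all function names are assumptions; the slides do not specify them.

```python
import hashlib
import hmac
import os

def f(key: bytes, nonce: bytes, label: bytes) -> bytes:
    # Assumed instantiation of the slide's f(K, R): HMAC-SHA256 keyed with K.
    return hmac.new(key, label + nonce, hashlib.sha256).digest()

def session_keys(k_as: bytes, r_s: bytes):
    # K^s_AS = f(K_AS, R_S); the MAC key uses a second label (assumption).
    return f(k_as, r_s, b"enc"), f(k_as, r_s, b"mac")

def encode(ku: bytes, user_id: str) -> bytes:
    # Length-prefix both fields so distinct (KU, ID) pairs never encode alike.
    fields = (ku, user_id.encode())
    return b"".join(len(x).to_bytes(4, "big") + x for x in fields)

def server_b1(mac_key: bytes, ku: bytes, user_id: str):
    # S -> A: KU_B, ID_B and the tag [KU_B, ID_B]_AS (encryption layer omitted).
    tag = hmac.new(mac_key, encode(ku, user_id), hashlib.sha256).digest()
    return ku, user_id, tag

def client_accept_b1(mac_key: bytes, wanted_id: str, msg):
    # A's checks on b1: the tag must verify and the ID must be the requested one.
    ku, user_id, tag = msg
    good = hmac.new(mac_key, encode(ku, user_id), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None          # altered in transit, or not produced by S
    if user_id != wanted_id:
        return None          # authentic, but bound to a different user
    return ku

def demo():
    k_as, r_s = os.urandom(32), os.urandom(32)   # constructed sample values
    _, mac_a = session_keys(k_as, r_s)           # A's side
    _, mac_s = session_keys(k_as, r_s)           # S's side, same inputs
    ku_b, ku_c = b"constructed-public-key-of-B", b"constructed-public-key-of-C"
    genuine = server_b1(mac_s, ku_b, "bob")
    return {
        "genuine": client_accept_b1(mac_a, "bob", genuine) == ku_b,
        "key_swapped_in_transit":
            client_accept_b1(mac_a, "bob", (ku_c, "bob", genuine[2])) is None,
        "wrong_user": client_accept_b1(
            mac_a, "bob", server_b1(mac_s, ku_c, "carol")) is None,
        # The tag only proves S sent the key: a key S itself mislabels passes.
        "server_mislabels": client_accept_b1(
            mac_a, "bob", server_b1(mac_s, ku_c, "bob")) == ku_c,
    }
```

The last case is the third item on the "attacks not addressed" slide: the MAC authenticates S to A, so it cannot catch a false client public key that S itself forwards.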

IMKE - security
➠ Formal proofs: ✗
➠ BAN-like analysis (outline): ✓
➠ AVISPA protocol analysis tool: ✓
   http://www.scs.carleton.ca/~mmannan/avispa-imke/

IMKE - attacks not addressed
1. Keyloggers can collect passwords
2. A false public key of S on client allows offline dictionary attacks
3. Malicious IM server may forward false client public keys (MIM)
4. IM worms

IMKE - implementation
1. Integrated with Jabber
2. Usable performance
  ➠ authentication time doubles, but still less than 0.5 second
  ➠ little effect on text messaging and bulk data transfer
3. Incrementally deployable

Concluding remarks
1. Secure IM: becoming increasingly important
2. IMKE: simple, integratable
3. Main lesson from IMKE implementation: practical today