Solutions pour la Sécurité des réseaux (Solutions for Network Security). Prof. Gildas Avoine, UCL, Belgium. PowerPoint presentation.

École Internationale de Printemps Systèmes Répartis (International Spring School on Distributed Systems) METIS2008: Architecture, Security & Reliability. Rabat, 20-23 May 2008.


  1. Root Certificate Example
  (figure: a root certificate; the image is not reproduced here)
  Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  2. Belgian Passport Certificate

  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number: 10 (0xa)
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: C=BE, O=Kingdom of Belgium, OU=Federal Public Service Foreign Affairs Belgium, CN=CSCAPKI_BE
          Validity
              Not Before: Apr 10 00:00:00 2006 GMT
              Not After : Jul 15 23:59:59 2011 GMT
          Subject: C=BE, O=Kingdom of Belgium, OU=Federal Public Service Foreign Affairs Belgium, CN=DSPKI_BE
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (2048 bit)
                  Modulus (2048 bit):
                      00:8f:9c:2c:f8:05:b5:bd:ed:51:1a:9f:b0:57:6e:
                      86:53:07:46:ac:ab:b6:05:e7:d6:e8:a6:6a:7b:ba:
                      9b:27:aa:8a:9f:80:ec:87:b3:9d:68:b7:29:cb:b1:
                      df:de:5e:48:9e:34:21:9f:97:ea:98:7a:f7:f6:88:
                      1c:ca:a3:b1:3f:b2:d8:36:9a:06:0b:b3:f0:02:20:
                      ce:ff:a9:e2:12:00:b2:1d:71:df:3e:cc:64:83:e2:
                      f9:e8:30:15:a5:62:95:ab:8e:8c:ee:dc:73:9a:9f:
                      58:78:c9:38:fd:ae:7c:71:17:73:c8:64:23:d2:34:
                      99:58:ef:bc:ca:dc:e3:38:39:d4:30:16:c1:8e:52:
                      a9:b0:eb:7f:5f:06:65:02:bc:72:1e:eb:14:40:af:
                      39:20:25:48:cf:2f:8e:1b:4f:2e:d6:fb:49:b7:ab:
                      a3:e5:56:2e:31:a1:30:56:69:dc:4f:b4:d8:49:a4:
                      af:e6:0c:e8:65:df:58:d5:ee:7f:80:02:d5:35:63:
                      2a:14:81:0a:eb:7d:5e:17:f8:63:9a:67:28:b0:b8:
                      f4:39:0b:cb:91:63:4b:e3:14:e0:69:dd:dd:92:26:
                      b2:8b:a4:0c:4d:de:10:b8:96:2b:e7:f1:ac:2e:2f:
                      11:15:bd:13:1d:61:c4:bf:69:24:28:9f:67:dd:b6:
                      49:b5
                  Exponent: 65537 (0x10001)
          X509v3 extensions:
              X509v3 Authority Key Identifier:
                  keyid:00:84:19:14:B2:CE:7E:0A:DE:3A:26:F9:FD:DD:1F:F4:01:42:A8:0E
              X509v3 Key Usage: critical
                  Digital Signature
      Signature Algorithm: sha1WithRSAEncryption
          5d:ed:53:da:14:3d:e2:ab:2d:41:3c:ea:bc:55:3b:78:2a:2c:
          8e:0b:54:74:af:bd:a9:e1:c5:92:a4:f0:db:a9:0b:7d:0c:96:
          …

  3. Certification Authorities
  Issuers of certificates found on web servers, by share (%). Source: www.securityspace.com. Verisign, GeoTrust, and Thawte belong to the same group.

  Issuer                   Share (%)
  Verisign                 29.25
  GeoTrust (Equifax)       19.56
  Thawte                   15.21
  Comodo Limited            7.64
  Starfield Technologies    2.76
  Unknown                   1.85
  Entrust.Net               1.61
  AddTrust AB               1.51
  SomeOrganization          1.22
  Chained SSL               0.86
  SWsoft Inc                0.85
  Snake Oil Ltd             0.79

  4. Obtaining a Certificate
  1. Each new participant must present himself.
  2. The CA (physically) authenticates the participant.
  3. It asks the participant to generate a public/private key pair.
  4. It creates a certificate with the participant's identity, his public key, an expiry date, etc., and the CA's signature.
  5. It provides a copy of its own public key to the participant.
  6. The new participant can communicate with all other participants who share a common "trusted ancestor".

  5. Public-Key vs Sym-Key
  - Advantages?
  - Drawbacks?

  6. SSL/TLS

  7. SSL Primer
  - Client-server communications: random client, corporate server.
  (figure: threats between client and server: eavesdropping, modifying, fake server, fake client)
  - Authentication of the server based on a public key.
  - Trusted third party: certificate authority (CA).

  8. Secure Sockets Layer (SSL)
  - The most widely deployed security protocol in the world.
  - SSL was developed by Netscape to offer secure access to web servers (https).
  - History:
    - SSL v1.0 never publicly released.
    - SSL v2.0 released in 1994 (flawed).
    - SSL v3.0 released in 1996, leads to TLS 1.0 (1999).

  9. Transport Layer Security
  - TLS is an IETF standard based on SSL v3.0:
    - Slight modifications compared to SSL v3.0.
    - TLS v1.0 and SSL v3.0 do not interoperate.
    - TLS v1.0 sometimes called SSL v3.1.
    - TLS v1.0 defined in RFC 2246.
  - Current approved version: TLS v1.1
    - Released in 2006, RFC 4346.
    - Fixes a vulnerability discovered by Vaudenay.
  - Next proposed version: TLS v1.2
    - Draft expires Sept 2008, may lead to RFC 4492.

  10. SSL in the Layers
  (figure: protocol stack: Application / SSL / Transport / Network / Data Link / Physical Layer)

  11. Applications
  - Either create a new protocol from an existing protocol:
    - Examples: HTTP (80) / HTTPS (443), FTP (21) / FTPS (990), SMTP (25) / SMTPS (995), POP3 (110) / POP3S (995), IMAP (143) / IMAPS (993).
    - Disadvantage: only clients supporting TLS can connect.
    - Advantage: we are sure that the communication is secure.
  - Or extend a protocol to negotiate SSL/TLS:
    - Examples: (E)SMTP, POP3, IMAP; with the STARTTLS command the client can ask to use TLS.
    - Advantage: the client is not required to support TLS to use the service.

  12. Example: Web
  - HTTPS
    - The use of TLS is not negotiable.
    - Guarantees confidentiality of transmitted data and authenticity (server, possibly client).
    - The server must have a certificate.
    - The client can have one (e.g. eBanking).

  13. TLS Layers
  (figure: the TLS sub-layers, captioned as follows)
  - For passing data from an application to the record layer in a transparent manner.
  - For initializing a session.
  - For managing warnings and fatal errors.
  - For processing data.
  - For setting up cryptographic algorithms.

  14. TLS Record Layer
  - Processing of data:
    - Fragmentation
    - Compression (optional)
    - Authentication
    - Encryption
  - It delivers such processed fragments to the transport layer (TCP).
  - At the receiving end, the inverse operations are carried out.

  15. Record Layer Summary
  (figure: Data → Data | MAC → HEADER | Encrypted(Data | MAC))

  16. Encryption
  - Encryption is performed on compressed and authenticated records.
  - Block ciphers:
    - DES (40 bits or 56 bits), 3DES, IDEA, RC2 (40 bits)
    - Why a 40-bit key alternative?
    - AES (128 bits or 256 bits) in TLS v1.1
  - Stream ciphers:
    - NULL, RC4 (40 bits or 128 bits).
  - The client should refuse 40-bit keys if such a cipher is suggested by the server (warning enforced in TLS 1.1).

  17. Handshake in Brief
  - Negotiation of:
    - The protocol version (SSL 3.0, TLS 1.0, TLS 1.1).
    - The algorithms:
      - Key exchange (RSA, Diffie-Hellman).
      - Encryption (DES, 3DES, IDEA, RC4, RC2, AES).
      - MAC (HMAC-MD5, HMAC-SHA).
  - The client proposes the desired algorithms in order of preference, the server chooses.
  - Optional authentication of the partner using a certificate.
  - Messages are not encrypted.
  - Last messages authenticate the exchange.

  18. WEP
  - Introduction to WLAN
  - WEP Description
  - Attacks on WEP (Theory)
  - Attacks on WEP (Practice)

  19. Infrastructure Mode
  - Access points connect to the wired network.
  - Multiple mobile stations per Access Point.
  - Full internet connection for mobile users:
    - University campus.
    - Coffee shops.
    - Airport lounges.
  (figure: Access Point (AP), Mobile Devices, Wired network)

  20. Ad Hoc Mode
  - Wireless stations communicate directly, without a wired network.
  - On the fly networking:
    - Impromptu meeting.
  - LAN set up is difficult:
    - Rescue operations.
    - Natural areas.
  - LAN set up is dangerous:
    - Battle field.
  - People are not aware that they launch an ad hoc network, e.g. search for networks in a train…

  21. Eavesdropping Range
  - Typical use inside: ~30 m.
  - Typical outdoor range with a suited antenna: ~5 km.
  - Record: 382 km by EsLaRed of Venezuela (2007).

  22. War Driving
  - Just discovering WiFi networks, no unauthorized access.
  - While you drive: listens and builds a map of all WiFi networks found.
  - To war-drive: laptop, 802.11 card, software, GPS, car.
  - Examples: www.wigle.net, www.wardriving.com

  23. Map of WiFi APs
  (figure; source: www.wigle.net)

  24. Authentication, Encryption
  - Authentication:
    - Open systems
    - Do not broadcast the AP's SSID
    - MAC address filter
    - WEP
    - WPA / WPA2
  - Encryption:
    - WEP
    - WPA / WPA2

  25. Authentication: Open Systems
  - No authentication at all.
  - Less and less used?
    - Usually, providers impose authentication by default.
    - Not the case with Belgacom (observed in 2007).
  - Public free hot spots without authentication.
  - Non-free hot spots in hotels, train stations, etc.
    - High-level authentication (e.g. RADIUS server).
  - Communities sharing their access.
    - E.g. Communauté Neuf Wifi.
  - What kind of problem do we face?

  26. Authentication: AP's SSID
  - The AP broadcasts its SSID.
    - Allows clients to dynamically discover the AP.
  - Do not broadcast the SSID:
    - Can be used to authenticate a client: the client must know the SSID.
    - Not secure because the SSID can be eavesdropped when a legitimate client connects to the AP.
    - Can be used to restrict features.
      - E.g. Club Internet by default (observed in 2007): people pay to activate the wireless feature of their router.
    - Lack of broadcast can be due to the channel number.

  27. Authentication: AP's SSID
  - In practice, sniff the environment with e.g. Kismet, Airodump, Network Stumbler (Windows), etc.
  (figure: Kismet in a Linux shell)

  28. Authentication: MAC Address
  - The router has a list of authorized MAC addresses.
  - The router checks the MAC address of the station trying to connect to the network.
  - An attacker can read the MAC address of a legitimate wireless station and replace his own MAC address with the stolen one.

  29. Authentication: MAC Address
  (figure: MAC addresses of the devices connected to the AP)

  30. WEP Features
  - Authentication ("shared key" user authentication).
  - Confidentiality (RC4 stream cipher encryption).
  - Integrity checking (CRC-32 integrity mechanism).
  - No key management.
  - No protection against replay attacks.

  31. Authentication + Enc: WEP
  - WEP = Wired Equivalent Privacy.
  - Part of the 802.11 standard (1999).
  - The stated goal of WEP is to make a wireless LAN as secure as a wired LAN.
  - According to Tanenbaum: "The 802.11 standard prescribes a data link-level security protocol called WEP (Wired Equivalent Privacy), which is designed to make the security of a wireless LAN as good as that of a wired LAN. Since the default for a wired LAN is no security at all, this goal is easy to achieve, and WEP achieves it as we shall see."

  32. No Key Management
  (figure: every station and the AP hold the same Key A)
  No key management in WEP: every wireless station and AP has the same "preshared" key that is used during authentication and encryption. This key is distributed manually.

  33. No Key Management
  - In practice:
    - The key is loaded into the device by hand when set up.
    - Often keeps the manufacturer's default, printed under the router, in the user guide, etc.
    - Never updated again.
  (figure: Belgacom's default WEP keys… (64 bits))
  - Same key for everybody:
    - In a large network, users may wish to have independent secure connections. Just a single non-honest WLAN user can break the security.
  - Static key:
    - Since it is relatively easy to crack WEP encryption in a reasonably short time (see next slides), the keys should be changed often, but the preshared key concept does not support this.

  34. Replay Attacks
  - The adversary can "replay" a packet she has already seen.
  - Solutions?

  35. Integrity
  - Integrity is ensured using a CRC.
  - A CRC does not provide a cryptographic integrity check:
    - CRC is designed to detect random errors.
    - Not designed to detect intelligent changes.
  - In WEP, the message is concatenated with the CRC, then encrypted.
  - The encrypted message can be modified s.t. it is still valid after decryption.

  36. WEP Authentication
  (figure: station → AP: MAC address; AP → station: Challenge (128 bytes); station → AP: Response (encrypted); AP → station: Status code)
  Authentication is successful if WEP decryption gives the original challenge text.

  37. Stream Cipher
  (figure: secret key → Stream Cipher → keystream; plaintext ⊕ keystream = ciphertext)

  38. RC4 for WEP Encryption
  (figure: IV (24 bits) | secret key (40 bits) → RC4 → keystream; (plaintext | checksum) ⊕ keystream → ciphertext, transmitted as IV | ciphertext)

  39. RC4: A Well-known Stream Cipher
  - Designed by Ron Rivest (MIT) in 1987 for RSA Labs.
  - Kept as a trade secret until 1994.
  - Publicly disclosed in Sept. 1994 on the Cypherpunks mailing list.
  - Byte-oriented: generates one keystream byte per step.
  - Efficient in software (compared to LFSR, block ciphers).
    - Encryption in software is about 10 times faster than DES.
  - Simple and elegant.
  - Widely used:
    - Commercial software such as MS Office, Oracle Secure SQL.
    - Network protocols such as SSL, IPSec, WEP.
    - Copy protection: inside the MS XBOX.

  40. Attacks on RC4
  - Not under the spotlight as all other stream ciphers.
  - Theoretical attacks.
  - Weak keys.
  - To be used carefully:
    - Remove the first bytes (e.g. the first 768 bytes) to avoid some attacks…
    - Do not encrypt too long a stream to avoid other attacks…
  - If plaintext and ciphertext are known, then the keystream is known.
    - No problem if the keystream is not reused.
    - If the keystream is reused, at least as bad as reuse of a one-time pad.

  41. #1 Known-Plaintext Attack
  - WEP uses a 24-bit (3-byte) IV.
  - Each packet gets a new IV.
  - RC4 packet key: IV prepended to the long-term key, K.
  - If the long-term key and the IV are the same, then the same keystream is used.
  - There is a 50% chance of key reuse after 2^12 packets (birthday paradox).
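  Where the 2^12 figure comes from, as an added derivation that is not on the slide: with $N = 2^{24}$ possible IVs and $n$ packets whose IVs are drawn uniformly at random, the birthday bound gives

  $$\Pr[\text{some IV repeats}] \approx 1 - e^{-n(n-1)/(2N)} .$$

  Setting the right-hand side to $1/2$ and solving for $n$ gives $n \approx \sqrt{2N\ln 2} = 2^{12}\sqrt{2\ln 2} \approx 4823$, i.e. on the order of $2^{12}$ packets. Since there are only $2^{24}$ IVs, a repeat is certain once that many packets have been sent under the same long-term key.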

  42. #1 Known-Plaintext Attack
  - The keystream leaks under a known-plaintext attack.
  - Suppose we intercept a ciphertext C, and suppose we can guess the corresponding plaintext P.
  - Let Z = RC4(K, IV) be the RC4 keystream.
  - Since C = P ⊕ Z, we can derive the RC4 keystream Z by P ⊕ C = P ⊕ (P ⊕ Z) = Z.
  - This is not a problem ... unless the keystream is reused!

  43. #2 CRC Property
  - CRC is a linear function with respect to XOR: CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y).
  - The attacker observes [M | CRC(M)] ⊕ K where K is the keystream output.
  - For any ΔM, the attacker can compute CRC(ΔM).
  - Hence, the attacker can compute:
      ([M | CRC(M)] ⊕ K) ⊕ [ΔM | CRC(ΔM)]
    = [(M ⊕ ΔM) | (CRC(M) ⊕ CRC(ΔM))] ⊕ K
    = [(M ⊕ ΔM) | CRC(M ⊕ ΔM)] ⊕ K
  - Example: modify an IP address.

  44. #3 Statistical Cryptanalysis
  - Fluhrer, Mantin, and Shamir (FMS), 2001:
    - Two years only after WEP was published.
    - Some IVs are weak, i.e., they allow to guess some internal states, leading to the key.
    - The IV and the first byte of plaintext/ciphertext must be known:
      - The IV is sent in the clear.
      - The ciphertext is eavesdropped.
      - The first bytes of ARP or TCP are fixed or can be easily guessed.
    - 4 million IVs to recover a 128-bit key.
    - Number of IVs linear in the key length (vs exponential).
    - Key is revealed byte after byte (sequentially).

  45. #3 Statistical Cryptanalysis
  - Korek, 2004:
    - Proposed 17 attacks based on FMS.
    - New classes of weak IVs.
    - 1 million IVs.
    - 2 bytes must be observable.
  - Tews, Weinmann, Pyshkin (PTW), 2007:
    - Still new classes.
    - 80'000 IVs.
    - More bytes must be observable.
    - Variant by Vaudenay/Vuagnoux (32'000 IVs).
    - Key bytes are no longer necessarily guessed sequentially.

  46. WEP Cryptanalytic Attack
  - WEP data encrypted using RC4.
  - Packet key is IV and long-term key K:
    - 3-byte IV is prepended to K.
    - Packet key is (IV, K).
  - IV is sent in the clear (not secret).
    - New IV sent with every packet.
    - Long-term key K never changed.
  - Assume Trudy (= attacker) knows IVs and ciphertext, and can guess the first bytes of the plaintext.
  - Trudy wants to find the key K.

  47. WEP Cryptanalytic Attack
  - 3-byte IV prepended to key.
  - We denote the RC4 key bytes: K0, K1, K2, K3, K4, K5, …
    - where IV = (K0, K1, K2), which Trudy knows.
    - Trudy wants to find K3, K4, K5, …
  - Attack due to Fluhrer, Mantin, and Shamir:
    - Trudy watches IVs until she sees a 3-byte IV of the form IV = (K0, K1, K2) = (3, 255, X), where X can be anything.
    - Then the RC4 key for this packet is key = (3, 255, X, K3, K4, K5, …).

  48. RC4 Steps
  - KSA (Key-Scheduling Algorithm):
    - Initialization
    - Scrambling
  - PRGA (Pseudo-Random Generation Algorithm)

  49. WEP Cryptanalysis
  Initialization (N = 256):
    For i = 0 To N-1: S_i = i
  Scrambling:
    j = 0
    For i = 0 To N-1:
      j = (j + S_i + K_i) mod N
      Swap(S_i, S_j)
  Key bytes:
    i:    0   1    2   3    4   …
    K_i:  3   255  X   K3   K4  …
  State S after each of the first four scrambling steps (columns are positions; the positions 5+X and 6+X+K3 are shown explicitly):

    i\S   | 0 | 1 | 2   | 3      | 4 | … | 5+X | … | 6+X+K3 | …
    init  | 0 | 1 | 2   | 3      | 4 | … | 5+X | … | 6+X+K3 | …   initial state
    i=0   | 3 | 1 | 2   | 0      | 4 | … | 5+X | … | 6+X+K3 | …   j = 0 + S_0 + K_0 = 0 + 0 + 3 = 3
    i=1   | 3 | 0 | 2   | 1      | 4 | … | 5+X | … | 6+X+K3 | …   j = 3 + S_1 + K_1 = 3 + 1 + 255 = 3 [mod N]
    i=2   | 3 | 0 | 5+X | 1      | 4 | … | 2   | … | 6+X+K3 | …   j = 3 + S_2 + K_2 = 3 + 2 + X = 5+X
    i=3   | 3 | 0 | 5+X | 6+X+K3 | 4 | … | 2   | … | 1      | …   j = (5+X) + 1 + K3 = 6+X+K3

  50. WEP Cryptanalytic Attack
  - Assumption: 6+X+K3 > 5+X (mod N).
    - Otherwise 6+X+K3 will be to the left of 5+X.
  - Up to now, we have only considered the first 4 steps of initialization, i = 0, 1, 2, 3.
    - In reality, there are 256 steps.
    - For now, assume that initialization stops after i = 3.
  - So, the output keystream is:
  PRGA (init i = j = 0):
    i = (i + 1) mod N = 1
    j = (j + S_i) mod N = S_1 = 0
    Swap(S_i, S_j) = Swap(S_1, S_0)
    Output S_{(S_i + S_j) mod N} = S_3 = 6+X+K3

  51. WEP Cryptanalytic Attack
  - Note: keystreamByte = 6+X+K3.
  - If keystreamByte is known, we can solve for K3 since K3 = (keystreamByte − 6 − X) mod N.
  - But initialization does not stop at i = 3.
  - So can this "attack" really work?
  - If the elements at 0, 1 and 3 are not swapped in the remaining initialization steps, the attack works.

  52. WEP Cryptanalytic Attack
  - Can Trudy really recover the key?
  - If she sees enough IVs she gets K3.
  - Suppose Trudy has found K3. Then how to find K4?
  - Consider IVs of the form IV = (4, 255, X).
  - Then after initialization step i = 4, one could show that: keystreamByte = S_4 = 10+X+K3+K4.
  - And so on…
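  The key-schedule trace of slides 47 to 52 and the keystream recovery of slide 42, as an added example that is not from the lecture: a plain RC4 (KSA and PRGA, as WEP uses it), the P ⊕ C = Z recovery and its consequence under a reused IV, the four-step partial KSA that leaves S[3] = 6+X+K3, and a measurement of how often the full 256-step KSA preserves that value for IVs of the form (3, 255, X). Keys, IVs and packet texts are constructed; the function names are the example's own.

```python
import random

N = 256  # RC4 state size, as on the "Initialization" slide

def rc4_ksa(key, steps=N):
    """Key-Scheduling Algorithm. steps < N stops the scrambling early,
    which is how the slides trace the first four steps by hand."""
    S = list(range(N))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key, length):
    """PRGA over a fully scheduled state. WEP drops no initial bytes, so
    the very first byte is the one the weak-IV attack reads."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return bytes(out)

def wep_encrypt(iv, k, plaintext):
    """Packet key = IV || K with the 3-byte IV sent in clear (slide 38).
    The CRC-32 ICV is left out; it is the subject of the CRC example."""
    ks = rc4_keystream(bytes(iv) + bytes(k), len(plaintext))
    return bytes(p ^ z for p, z in zip(plaintext, ks))

def recover_keystream(known_plaintext, ciphertext):
    """Slide 42: P xor C = P xor (P xor Z) = Z."""
    return bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))

def decrypt_reused_iv(keystream, other_ciphertext):
    """Slide 41: a second packet under the same (IV, K) reuses Z, so the
    recovered keystream opens it without K ever being learned."""
    return bytes(z ^ c for z, c in zip(keystream, other_ciphertext))

def partial_ksa_s3(x, k3):
    """Slide 49: after KSA steps i = 0..3 only, with IV = (3, 255, X) and
    k3 the slide's K3, S[3] holds 6 + X + K3 mod N (outside the slide's
    corner cases). Returns (S[3], 6 + X + K3 mod N) for comparison."""
    S = rc4_ksa(bytes([3, 255, x, k3]), steps=4)
    return S[3], (6 + x + k3) % N

def resolved_fraction(trials=4096, seed=1):
    """Slide 51: the remaining 252 KSA steps must leave S[0], S[1], S[3]
    untouched for the first keystream byte to equal 6 + X + K3. Measure how
    often that holds over random X and random 40-bit keys (k[0] is K3);
    FMS put it near 5%, far above the 1/256 an ideal cipher would allow."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        x = rng.randrange(N)
        k = bytes(rng.randrange(N) for _ in range(5))
        first = rc4_keystream(bytes([3, 255, x]) + k, 1)[0]
        hits += first == (6 + x + k[0]) % N
    return hits / trials

if __name__ == "__main__":
    K = bytes.fromhex("0102030405")  # constructed 40-bit key, not a real one
    iv = (0x11, 0x22, 0x33)
    c1 = wep_encrypt(iv, K, b"GET / HTTP/1.0")  # plaintext easy to guess
    c2 = wep_encrypt(iv, K, b"secret-payload")  # same IV, same keystream
    z = recover_keystream(b"GET / HTTP/1.0", c1)
    print(decrypt_reused_iv(z, c2))
    print(partial_ksa_s3(7, 10), resolved_fraction())
```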

  53. Attack Summary in Practice
  - Client IP discovery phase.
  - (Flooding).
  - Sniffing IVs and keystreams.
  - Key cracking.

  54. Downloadable Tools
  - AirCrack-ng
    - http://www.aircrack-ng.org
    - Implements Korek, PTW (needs ARP flooding).
    - Available e.g. in BackTrack.
  - WepCrack
    - http://sourceforge.net/projects/wepcrack/
    - "WEPCrack is a tool that cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling."
    - Last version: Oct 2004.
  - AirSnort
    - http://airsnort.shmoo.com/
    - Last update: 2005.
    - Implements Korek's attacks.

  55. Kerberos

  56. Many-to-Many Authentication
  (figure: users ↔ servers)
  - How do users prove their identities when requesting services from servers on the network?
  - Solution: every server knows every user's password.
    - Insecure: breaking into one server may compromise all users.
    - Inefficient: passwords must be changed on every server.
    - Not convenient: passwords must be typed for each request.

  57. Server-Aided Authentication
  (figure: users, trusted third party, servers)
  1. The user proves his identity and requests a credential.
  2. The trusted third party provides a credential to the user.
  3. The credential is supplied to get the expected service.
  The credential, a.k.a. a ticket, is an identity proof but does not necessarily give the ability to use a given service.

  58. Server-Aided Authentication
  - Hypotheses:
    - There is an online (trusted) authentication server (AS).
    - AS shares K_C with client C.
    - AS shares K_S with server S.
  - Goal:
    - To help C and S to share a session key K.

  59. Very Weak Example
  (figure: message flow labelled "Identity of the Client" and "Identity of the Server"; source of the picture: Vaudenay's lecture notes, EPFL, 2005)
  The client can give the server's key to other clients.

  60. Weak Example
  A solution consists in not revealing the server's key: AS itself encrypts the session key K with the server's key ("sealed envelope"). An attacker can replace I_C by I_A.
  (figure; source of the picture: Vaudenay's lecture notes, EPFL, 2005)

  61. Still Weak Example
  Replay attack by impersonating AS if K is compromised, due to careless users: no means to be sure that K is fresh.
  (figure; source of the picture: Vaudenay's lecture notes, EPFL, 2005)

  62. Needham Schroeder (1978)
  Replay attack by impersonating C if K is compromised, due to careless users: no means to be sure that K is fresh.
  (figure; source of the picture: Vaudenay's lecture notes, EPFL, 2005)

  63. Kerberos V
  - The name Kerberos comes from Greek mythology: it is the three-headed dog that guarded the entrance of Hades.
  - Created at MIT, free of charge.
    - Kerberos 4 (1988), obsolete.
    - Kerberos 5 (1993), RFC 1510, then RFC 4120 (2005).
  - Deployed:
    - Initially on Unix systems.
    - Used in many commercial products, e.g. Windows since 2000.
  - Based on symmetric-key cryptography.

  64. Kerberos V
  - Once you log into a workstation after authentication, you can access remote resources without any further input of username and password.
  - The Kerberos software on the workstation will finish the authentication automatically on your behalf.

  65. Kerberos Elements
  - Client C.
  - Authentication server AS, a.k.a. KDC (key distribution center).
  - Ticket granting server TGS.
  - Server S which the client wants to access.
  (figure: message flow between C, AS, TGS and S)
  1. Request a Ticket Granting Ticket (C → AS).
  2. Provide a Ticket Granting Ticket (AS → C).
  3. Request a Ticket for a given service (C → TGS).
  4. Provide a Ticket for a given service (TGS → C).
  5. Forward the Ticket (C → S).
  6. Provide a service (S → C).

  66. Tickets
  - To access a service, the client must have a ticket for that service.
  - The user can get this ticket from the Ticket Granting Server (TGS).
  - The service ticket confirms that the user can access the service.
  - The Ticket Granting Ticket (TGT) only confirms the identity of the user.
  - The client shows a ticket + an authenticator.
