solutions pour la s curit des r seaux
play

Solutions pour la Scurit des rseaux Prof. Gildas Avoine UCL - PowerPoint PPT Presentation

Jul 21, 2023 •484 likes •1.85k views

cole Internationale de Printemps Systmes Rpartis : METIS2008 Architecture, Scurit & Fiabilit Rabat, 20-23 Mai 2008 Solutions pour la Scurit des rseaux Prof. Gildas Avoine UCL Belgium Introduction Confidentiality,

  1. Root Certificate Example Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  2. Belgian Passport Certificate Certificate: Data: Version: 3 (0x2) Serial Number: 10 (0xa) Signature Algorithm: sha1WithRSAEncryption Issuer: C=BE, O=Kingdom of Belgium, OU=Federal Public Service Foreign Affairs Belgium, CN=CSCAPKI_BE Validity Not Before: Apr 10 00:00:00 2006 GMT Not After : Jul 15 23:59:59 2011 GMT Subject: C=BE, O=Kingdom of Belgium, OU=Federal Public Service Foreign Affairs Belgium, CN=DSPKI_BE Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:8f:9c:2c:f8:05:b5:bd:ed:51:1a:9f:b0:57:6e: 86:53:07:46:ac:ab:b6:05:e7:d6:e8:a6:6a:7b:ba: 9b:27:aa:8a:9f:80:ec:87:b3:9d:68:b7:29:cb:b1: df:de:5e:48:9e:34:21:9f:97:ea:98:7a:f7:f6:88: 1c:ca:a3:b1:3f:b2:d8:36:9a:06:0b:b3:f0:02:20: ce:ff:a9:e2:12:00:b2:1d:71:df:3e:cc:64:83:e2: f9:e8:30:15:a5:62:95:ab:8e:8c:ee:dc:73:9a:9f: 58:78:c9:38:fd:ae:7c:71:17:73:c8:64:23:d2:34: 99:58:ef:bc:ca:dc:e3:38:39:d4:30:16:c1:8e:52: a9:b0:eb:7f:5f:06:65:02:bc:72:1e:eb:14:40:af: 39:20:25:48:cf:2f:8e:1b:4f:2e:d6:fb:49:b7:ab: a3:e5:56:2e:31:a1:30:56:69:dc:4f:b4:d8:49:a4: af:e6:0c:e8:65:df:58:d5:ee:7f:80:02:d5:35:63: 2a:14:81:0a:eb:7d:5e:17:f8:63:9a:67:28:b0:b8: f4:39:0b:cb:91:63:4b:e3:14:e0:69:dd:dd:92:26: b2:8b:a4:0c:4d:de:10:b8:96:2b:e7:f1:ac:2e:2f: 11:15:bd:13:1d:61:c4:bf:69:24:28:9f:67:dd:b6: 49:b5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:00:84:19:14:B2:CE:7E:0A:DE:3A:26:F9:FD:DD:1F:F4:01:42:A8:0E X509v3 Key Usage: critical Digital Signature Signature Algorithm: sha1WithRSAEncryption 5d:ed:53:da:14:3d:e2:ab:2d:41:3c:ea:bc:55:3b:78:2a:2c: 8e:0b:54:74:af:bd:a9:e1:c5:92:a4:f0:db:a9:0b:7d:0c:96: … Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  3. Certification Authorities Verisign 29.25 � Issuers of certificates found GeoTrust (Equifax) 19.56 on web servers. Thawte 15.21 Comodo Limited 7.64 � Source: www.securityspace.com Starfield 2.76 Technologies Unkown 1.85 � Verisign, GeoTrust, and Thawte: same group. Entrust.Net 1.61 AddTrust AB 1.51 SomeOrganization 1.22 Chained SSL 0.86 SWsoft Inc 0.85 Snake Oil Ltd 0.79 Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  4. Obtaining a Certificate Each new participant must present himself. 1. The CA (physically) authenticates the participant. 2. It asks the participant to generate a pair of public/private 3. keys. It creates a certificate with the participant’s identity, his 4. public key, an expiry date, etc. and the CA’s signature. It provides a copy of its own public key to the participant. 5. The new participant can communicate with all other participants 6. who share a common “trusted ancestor”. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  5. Public-Key vs Sym-Key � Advantages ? � Drawbacks ? Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  6. SSL/TLS

  7. SSL Primer � Client-server communications, random client, corporate server. eavesdropping Modifying server client fake server fake client � Authentication of server based on public key. � Trusted third party: certificate authority (CA). Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  8. Secure Sockets Layer (SSL) � The most widely deployed security protocol in the world. � SSL was developed by Netscape to offer secure access to web servers (https). � History � SSL v1.0 never publicly released. � SSL v2.0 released in 1994 (flawed). � SSL v3.0 released in 1996, leads to TLS 1.0 (1999). Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  9. Transport Layer Security � TLS is an IETF’s standard based on SSL v3.0: � Slight modifications compared to SSL v3.0. � TLS v1.0 and SSL v3.0 do not interoperate. � TLS v1.0 sometimes called SSL v3.1. � TLS v1.0 defined in RFC 2246. � Current approved version: � TLS v.1.1 � Released in 2006 � RFC 4346 � Fixes a vulnerability discovered by Vaudenay. � Next proposed version: � TLS v.1.2 � Draft expires Sept 2008, may lead to RFC 4492. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  10. SSL in the Layers Application SSL Transport Network Data Link Physical Layer Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  11. Applications � Either create a new protocol from an existing protocol: � Examples: HTTP (80) / HTTPS (443), FTP (21) / FTPS (990), SMTP (25) / SMTPS (995), POP3 (110) / POP3S (995), IMAP (143) / IMAPS (993). � Disadvantage: only clients supporting TLS can connect � Advantage: we are sure that the communication are secure. � Or extend a protocol to negotiate SSL/TLS: � Examples: (E)SMTP, POP3, IMAP, with the help of the STARTTLS command the client can ask to use TLS. � Advantage: the client is not required to support TLS to use the service. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  12. Example: Web � HTTPS � The use of TLS or not is not negotiable. � Guarantees confidentiality of transmitted data and authenticity (server, possibly client). � The server must have a certificate � The client can have one (eg eBanking) HTTPS Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  13. TLS Layers For passing data from an application to the record layer in a transparent manner For initializing a session For managing warnings and fatal errors Processing data For setting-up cryptographic algorithms Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  14. TLS Record Layer � Processing of data: � Fragmentation � Compression (optional) � Authentication � Encryption � It delivers such processed fragments to the transport layer (TCP). � At the receiving end, the inverse operations are carried out. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  15. Record Layer Summary Data Data MAC Data MAC HEADER Encrypted Data and MAC HEADER Encrypted Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  16. Encryption � Encryption is performed on compressed and authenticated records. � Block ciphers: � DES (40 bits or 56 bits), 3DES, IDEA, RC2 (40 bits) � Why 40-bit key alternative? � AES (128 bits or 256 bits) in TLS v1.1 � Stream ciphers: � NULL, RC4 (40 bits or 128 bits). � The client should refuse 40-bit keys if such a cipher is suggested by the server (warning enforced in TLS 1.1). Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  17. Handshake in Brief � Negotiation of: � The protocol version (SSL 3.0, TLS 1.0, TLS 1.1). � The algorithms: � Key exchange (RSA, Diffie-Hellman). � Encryption (DES, 3DES, IDEA, RC4, RC2, AES). � MAC (HMAC-MD5, HMAC-SHA). � The client proposes the desired algorithms in order of preference, the server chooses. � Optional authentication of the partner using a certificate. � Messages are not encrypted. � Last messages authenticate the exchange. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  18. WEP � Introduction to WLAN � WEP Description � Attacks on WEP (Theory) � Attacks on WEP (Practice)

  19. Infrastructure Mode � Access points connect to wired network. � Multiple mobile stations per Access Point. � Full internet connection for mobile users. � University campus. k r o w t e n d e r W i � Coffee shops. � Airport lounges. Access Point (AP) Mobile Devices Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  20. Ad Hoc Mode � Wireless stations communicate directly, without a wired network. � On the fly networking. � Impromptu meeting. � Rescue operations. � LAN set up is difficult. � Natural areas. � LAN set up is dangerous. � Battle field. � People are not aware that they launch an ad hoc network eg. search for networks in a train… Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  21. Eavesdropping Range � Typical use inside: ~30m � Typical outdoor range with suited antenna: ~5 km. � Record: 382 km by EsLaRed of Venezuel (2007). Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  22. War Driving � Just discovering WiFi � While you drive: networks, no unauthorized � Listens and builds map of access. all WiFi networks found. � To war-drive: � Examples: � Laptop � www.wigle.net � 802.11 card � www.wardriving.com � Software � GPS � Car Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  23. Map of WiFi APs. Gildas Avoine - UCL Belgium - 2008 Source: www.wigle.net INGI2347 - Introduction

  24. Authentication, Encryption � Authentication � Open systems � Do not broadcast AP’s SSID � MAC address filter � WEP � WPA / WPA2 � Encryption � WEP � WPA / WPA2 Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  25. Authentication: Open Systems � No authentication at all. � Less and less used? � Usually, providers impose authentication by default. � Not the case with Belgacom (Observed in 2007). � Public free hot spots without authentication. � Non-free hot spots in hotels, train stations, etc. � High Level Authentication (eg. RADIUS Server). � Communities sharing their access. � Eg. Communauté Neuf Wifi. � What kind of problem do we face? Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  26. Authentication: AP’s SSID � The AP broadcasts its SSID. � Allow clients to dynamically discover the AP. Do not broadcast the SSID. � Can be used to authenticate a client � Client must know the SSID. � Not secure because SSID can be eavesdropped. � When a legitimate client connects to the AP. � Can be used to restrict features. � Eg. Club Internet by default (Observed in 2007). � People pay to activate the wireless feature of their router. � Lack of broadcast can be due to the channel number. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  27. Authentication: AP’s SSID � In practice, snif the environment with eg. Kismet, Airodump, Network Stumbler (Windows), etc. Kismet in a Linux shell Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  28. Authentication: MAC Address � The router has a list of authorized MAC addresses. � The router checks the MAC address of the station trying to connect to the network. � Attacker can read MAC address of a legitimate wireless station and replace his own MAC address with the stolen one. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  29. Authentication: MAC Address MAC addresses of the devices connected to the AP Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  30. WEP Features � Authentication ("shared key" user authentication). � Confidentiality (RC4 stream cipher encryption). � Integrity checking (CRC-32 integrity mechanism). � No key management. � No protection against replay attacks. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  31. Authentication + Enc: WEP � WEP = Wired Equivalent Privacy. � Part of 802.11 Standard (1999) � The stated goal of WEP is to make wireless LAN as secure as a wired LAN. � According to Tanenbaum: � “The 802.11 standard prescribes a data link-level security protocol called WEP (Wired Equivalent Privacy), which is designed to make the security of a wireless LAN as good as that of a wired LAN. Since the default for a wired LAN is no security at all, this goal is easy to achieve, and WEP achieves it as we shall see.” Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  32. No Key Management Key A Key A Key A Key A No key management in WEP: every wireless station and AP has the same "preshared" key that is used during authentication and encryption. This key is distributed manually. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  33. No Key Management � In practice: Belgacom’s default � Key is loaded in device by hand when set up. WEP keys… � Often keep manufacturer’s default. (64 bits) � Printed under the router, in the user guide, etc. � Never updated again. � Same key for everybody: � In a large network, users may wish to have independent secure connections. Just a single non-honest WLAN user can break the security. � Static key: � Since it is relatively easy to crack WEP encryption in a reasonably short time (see next slides), the keys should be changed often, but the preshared key concept does not support this. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  34. Replay Attacks � The adversary can “replay” a packet she has already seen. � Solutions? Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  35. Integrity � Integrity is ensured using a CRC. � CRC does not provide a cryptographic integrity check. � CRC designed to detect random errors. � Not designed to detect intelligent changes. � In WEP, the message is concatenated to the CRC, then encrypted. � The encrypted message can be modified s.t. it is still valid after decryption. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  36. WEP Authentication MAC address Challenge (128 bytes) Response (encrypted) Status code Authentication is successful, if WEP decryption gives original challenge text Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  37. Stream Cipher plaintext secret key keystream Stream Cipher ciphertext Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  38. RC4 for WEP Encryption plaintext checksum IV secret key 24 bits 40 bits keystream RC4 IV ciphertext Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  39. RC4: A Well-kown Stream Cipher � Designed by Ron Rivest (MIT) in 1987 for RSA Labs. � Kept as a secret trade until 1994. � Publicly disclosed in Sept. 1994 on Cypherpunks’ mailing list. � Bytes-oriented � Generate keystream byte at a step � Efficient in software (compared to LFSR, Block Ciph.). � Encryption in software is about 10 times faster that DES. � Simple and elegant. � Widely used: � Commercial softwares as MS Office, Oracle Secure SQL. � Network protocols as SSL, IPSec, WEP. � Copy protection: inside MS XBOX. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  40. Attacks on RC4 � Not under the spotlights as all other stream ciphers. � Theoretical attacks. � Weak keys. � To be used carefully. � Remove the first bytes (e.g. the first 768 bytes) to avoid some attacks… � Do not encrypt too long stream to avoid other attacks… � If plaintext and ciphertext known, then keystream known. � No problem if keystream is not reused. � If keystream reused, at least as bad as reuse of one-time pad. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  41. #1 Known-Plaintext Attack � WEP uses 24-bit (3 byte) IV. � Each packet gets a new IV. � RC4 packet key: IV pre-pended to long-term key, K. � If long-term key and IV are same, then same keystream is used. � There is a 50% chance of key-reuse after 2 12 packets (birthday paradox). Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  42. #1 Known-Plaintext Attack � Keystream leaks, under known-plaintext attack. � Suppose we intercept a ciphertext C, and suppose we can guess the corresponding plaintext P � Let Z = RC4(K, IV) be the RC4 keystream � Since C = P ⊕ Z, we can derive the RC4 keystream Z by P ⊕ C = P ⊕ (P ⊕ Z) = Z � This is not a problem ... unless keystream is reused! Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  43. #2 CRC Property � CRC is a linear function wrt to XOR: CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y) � Attacker observes (M | CRC(M)) ⊕ K where K is the key stream output. � For any ∆ M, the attacker can compute CRC( ∆ M). � Hence, the attacker can compute: ([M | CRC(M]) ⊕ K) ⊕ [ ∆ M | CRC( ∆ M)] = ([M ⊕ ∆ M) | (CRC(M) ⊕ CRC( ∆ M)]) ⊕ K = [M ⊕ ∆ M) | CRC(M ⊕ ∆ M)] ⊕ K � Example: Modify an IP address Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  44. #3 Statistical Cryptanalysis � Fluhrer, Mantin, and Shamir (FMS) – 2001 � Two years only after WEP was published. � Some IVs are weak, ie, they allow to guess some internal states, leading to the key. � IV and first byte of plaintext/ciphertext must be known. � IV is sent in the clear. � Ciphertext is eavesdropped. � First bytes of ARP or TCP are fixed or can be easily guessed. � 4 million IVs to recover a 128-bit key. � Number of IVs linear with the key-length (vs exponential) � Key is revealed byte after byte (sequentially) Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  45. #3 Statistical Cryptanalysis � Korek - 2004 � Proposed 17 attacks based on FMS. � New classes of weak IVs. � 1 million IVs. � 2 bytes must be observable. � Tews, Weinmann, Pyshkin (PTW) - 2007 � Still new classes. � 80’000 IVs. � More bytes must be observable � Variant by Vaudenay/Vuagnoux (32’000 IVs) � Key bytes are no longer necessarily guessed sequentially. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  46. WEP Cryptanalytic Attack � WEP data encrypted using RC4. � Packet key is IV and long-term key K. � 3-byte IV is pre-pended to K. � Packet key is ( IV ,K). � IV is sent in the clear (not secret). � New IV sent with every packet. � Long-term key K never changed. � Assume Trudy (=attacker) knows IVs and ciphertext, and can guess the first bytes of the plaintext. � Trudy wants to find the key K. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  47. WEP Cryptanalytic Attack � 3-byte IV pre-pended to key. � We denote the RC4 key bytes: � K 0 ,K 1 ,K 2 ,K 3 ,K 4 ,K 5 ,… � Where IV = ( K 0 ,K 1 ,K 2 ), which Trudy knows � Trudy wants to find K 3 ,K 4 ,K 5 ,… � Attack due to Fluhrer, Mantin, and Shamir: � Trudy watches IVs until she sees 3-byte IV of the form: IV=(K 0 ,K 1 ,K 2 ) = (3,255,X) where X can be anything. � Then RC4 key for this packet is key = (3,255,X,K 3 ,K 4 ,K 5 ,…) Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  48. RC4 Steps � KSA (Key-Scheduling Algorithm) � Initialization � Scrambling � PRGA (Pseudo-Random Generation Algorithm) Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  49. Initialization //N=256 WEP Cryptanalysis For i = 0 To N-1 S i = i Scrambling i 0 1 2 3 4 … j = 0 K i 3 255 X K 3 K 4 … For i = 0 To N-1 j = (j + Si + Ki) mod N Swap (Si,Sj) i\S 0 1 2 3 4 … 5+X … 6+X+K 3 … init 0 1 2 3 4 … 5+X … 6+X+K 3 … initial state i=0 3 1 2 0 4 … 5+X … 6+X+K 3 … i=0, j=0+S 0 +K 0 =0+0+3=3 i=1, j=3+S 1 +K 1 =3+1+255=3 [N] i=1 3 0 2 1 4 … 5+X … 6+X+K 3 … i=2, j=3+S 2 +K 2 =3+2+X=5+X i=2 3 0 5+X 1 4 … 2 … 6+X+K 3 … i=3 3 0 5+X 6+X+K 3 4 … 2 … 1 … i=3, j=(5+X)+(1)+K 3 =6+X+K 3 Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  50. WEP Cryptanalytic Attack � Assumption: 6+X+K 3 > 5+X (mod N). � Otherwise 6+X+K 3 will be to the left of 5+X. � Up to now, we have only considered the first 4 steps of initialization, i = 0,1,2,3. � In reality, there are 256 steps. � For now, assume that initialization stops after i = 3. � So, outputted keystream is: PRGA //init i=j=0 i = (i + 1) mod N = 1 j = (j + S i ) mod N = S 1 = 0 Swap (S i , S j ) Swap (S 1 , S 0 ) Output S (Si+Sj) mod N Output S 3 = 6+X+K 3 Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  51. WEP Cryptanalytic Attack � Note: keystreamByte = 6+X+K 3 . � If keystreamByte is known, we can solve for K 3 since K 3 = (keystreamByte − 6 − X) mod N. � But initialization does not stop at i=3. � So can this “attack” really work? � If elements at 0,1 and 3 not swapped in remaining initialization steps, attack works. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  52. WEP Cryptanalytic Attack � Can Trudy really recover the key? � If she sees enough IVs she gets K 3. � Suppose Trudy has found K 3. � Then how to find K 4 ? � Consider IVs of the form: IV = (4,255,X). � Then after initialization step i=4, one could show that: keystreamByte = S 4 = 10+X+K 3 +K 4 . � And so on… Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  53. Attack Summary in Practice � Client IP Discovery phase. � (Flooding). � Sniffing IV’s and keystreams. � Key cracking. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  54. Downloadable Tools � AirCrack-ng � http://www.aircrack-ng.org � Implement Korek, PTW (needs ARP flooding). � Available eg in BackTrack. � WepCrack � http://sourceforge.net/projects/wepcrack/ � “WEPCrack is a tool that cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling.” � Last version: Oct 2004 � AirSnort � http://airsnort.shmoo.com/ � Last update: 2005. � Implement Korek’s attacks. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  55. Kerberos

  56. Many-to-Many Authentication users servers � How do users prove their identities when requesting services from servers on the network? � Solution: every server knows every user’s password. � Insecure: break into one server may compromise all users. � Inefficient: passwords must be changed on every servers. � Not convenient: passwords must be typed for each request. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  57. Server-Aided Authentication 3 Credential is supplied to get the expected service. users servers Trusted third party provides a credential to the user. 2 User proves his The credential aka identity and requests a ticket is an identity credential. 1 proof but does not necessarily give the ability to use a given service. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  58. Server-Aided Authentication � Hypotheses: � There is an online (trusted) authentication server (AS). � AS shares K C with client C. � AS shared K S with server S. � Goal: � To help C and S to share a session key K. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  59. Very Weak Example Identity of the Identity of the Client Server The client can give the server’s key to other clients. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction Source of the picture: Vaudenay’s lecture notes, EPFL, 2005

  60. Weak Example A solution consists in not revealing the server’s key: AS encrypts itself the session key K with the server’s key. “sealed envelop” An attacker can replace I c by I A Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction Source of the picture: Vaudenay’s lecture notes, EPFL, 2005

  61. Still Weak Example Replay attack by impersonating AS if K is compromised, due to careless users: no means to be sure that K is fresh. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction Source of the picture: Vaudenay’s lecture notes, EPFL, 2005

  62. Needham Schroeder (1978) Replay attack by impersonating C if K is compromised, due to careless users: no means to be sure that K is fresh. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction Source of the picture: Vaudenay’s lecture notes, EPFL, 2005

  63. Kerberos V � The name Kerberos comes from Greek mythology. � It is the three-headed dog that guarded Hades’ entrance. � Created at the MIT, free of charge. � Kerberos 4 (1988), obsolete. � Kerberos 5 (1993), RFC 1510, then RFC 4120 (2005). � Deployed: � Initially on Unix systems. � Used in many commercial products eg Windows from 2K. � Based on symmetric-key cryptography. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  64. Kerberos V � Once you log into a workstation after authentication, you can access remote resources without any more input of username and password . � Kerberos software on the workstation will finish the authentication automatically on behalf of you. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  65. Kerberos Elements � Client C. � Authentication server AS � a.k.a. KDC (key distribution center) � Ticket granting server TGS. � Server S which the client wants to access to. 1- Request a Ticket Granting ticket 2- Provide a Ticket Granting Ticket TGS 3- Request a Ticket for a given service 3 4 4- Provide a Ticket for a given service 1 5 5- Forward the Ticket AS S C 2 6 6- Provide a service Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

  66. Tickets � To access a service, the client must have a ticket for that service. � The user can get this ticket from the Ticket Granting Server (TGS). � The service ticket confirms that the user can access the service. � The Ticket Granting Ticket (TGT) only confirms the identity of the user. � The client shows a ticket + an authenticator. Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

Recommend

Jiazi Yi, Eddy Cizeron, Salima Hamma, Benot Parrein, Pascal Lesage l ECOLE POLYTECHNIQUE

Jiazi Yi, Eddy Cizeron, Salima Hamma, Benot Parrein, Pascal Lesage l ECOLE POLYTECHNIQUE

Jiazi Yi, Eddy Cizeron, Salima Hamma, Benot Parrein, Pascal Lesage l ECOLE POLYTECHNIQUE DE LUNIVERSITE DE NANTES, FRANCE Institut de Recherche en Communications et en Cyberntique de Nantes SE SE curit des RE seaux it d RE AD

318 views • 27 slides
Integrity Under Pressure Systmes intgrs pour conduites en pression Integrated systems for

Integrity Under Pressure Systmes intgrs pour conduites en pression Integrated systems for

SYSTME DE PRESSION THERMOPLASTIQUE / THERMO PLASTIC PRESSURE SYSTEM Integrity Under Pressure Systmes intgrs pour conduites en pression Integrated systems for water pipes under pressure SOLUTIONS POUR: / SOLUTIONS FOR: LINDUSTRIE /

99 views • 6 slides
NON T NON-T RADIT RADIT IONAL IONAL / / HUMAN SE HUMAN SE CURIT CURIT Y T Y T HRE

NON T NON-T RADIT RADIT IONAL IONAL / / HUMAN SE HUMAN SE CURIT CURIT Y T Y T HRE

NON T NON-T RADIT RADIT IONAL IONAL / / HUMAN SE HUMAN SE CURIT CURIT Y T Y T HRE HRE AT AT S S IN SOUT IN SOUT HE HE AST AST ASIA ASIA 30 Nove mbe r 30 Nove mbe r 2015 2015 NESTOR Z OCHOA AMBASSADOR OF THE REPUBLIC

677 views • 33 slides
A DE L PHI ST UDY OF COUNT E RME AS URE S T O SE CURIT Y Me linda L yle s T HRE

A DE L PHI ST UDY OF COUNT E RME AS URE S T O SE CURIT Y Me linda L yle s T HRE

A DE L PHI ST UDY OF COUNT E RME AS URE S T O SE CURIT Y Me linda L yle s T HRE AT S IN NE T WORKE D ME DICAL DE VICE S Pro b le m Sta te me nt Purpo se o f the Re se a rc h Re se a rc h Que stio ns

380 views • 13 slides
T HE SPI RI T OF INNOVAT ION DE F E NSE HOME L AND SE CURIT Y SUST AINME NT

T HE SPI RI T OF INNOVAT ION DE F E NSE HOME L AND SE CURIT Y SUST AINME NT

T HE SPI RI T OF INNOVAT ION DE F E NSE HOME L AND SE CURIT Y SUST AINME NT & SUPPORT ME DICAL INST RUME NT AT ION COMME RCIAL AVIAT ION 1 AGE NDA Sta te o f Glo b a l Se c urity a nd T hre a ts

419 views • 27 slides
MANAGING INF ORMAT ION PRIVACY & SE CURIT Y RE MOT E L Y Pr e se nte d by: Mar y

MANAGING INF ORMAT ION PRIVACY & SE CURIT Y RE MOT E L Y Pr e se nte d by: Mar y

MANAGING INF ORMAT ION PRIVACY & SE CURIT Y RE MOT E L Y Pr e se nte d by: Mar y Golab, IPO In c ollabor ation with Damian Hollow, URO & She lle y Gar r e tt, CISO Offic e F OI P L ia iso n Offic e r (F L O) Me e ting

263 views • 12 slides
CO CO 447 CO COURSE INTRODUCTION SE SECU CURIT RITY P PROP OPER ERTIE IES SE SECU

CO CO 447 CO COURSE INTRODUCTION SE SECU CURIT RITY P PROP OPER ERTIE IES SE SECU

CO CO 447 CO COURSE INTRODUCTION SE SECU CURIT RITY P PROP OPER ERTIE IES SE SECU CURE D RE DESIG SIGN Dr. Ben Livshits Hi High-Le Level el Course e Lo Logistics cs 2 https://co447.doc.ic.ac.uk/ Cou Course Log ogistics

984 views • 25 slides
ISO TC67 WG10 ISO TC252 WG2 Normalisation internationale pour les installations et

ISO TC67 WG10 ISO TC252 WG2 Normalisation internationale pour les installations et

ISO TC67 WG10 ISO TC252 WG2 Normalisation internationale pour les installations et quipements pour le Gaz Naturel Liqufi (GNL) Prsentation pour A.U.T.F. - PARIS - Septembre 2012 Normalisation internationale pour les installations et

502 views • 19 slides
Agr ic ultur e in Che shir e County A F OOD SE CURIT Y VISION WHY AN AGRICUL T URE

Agr ic ultur e in Che shir e County A F OOD SE CURIT Y VISION WHY AN AGRICUL T URE

Agr ic ultur e in Che shir e County A F OOD SE CURIT Y VISION WHY AN AGRICUL T URE VISION? RE CONCIL E KE E NE AGRICUL T URE COUNT Y SE AT IS CE NT E R OF COMMISSION (2012) WIT H CIT Y MAST E R AGRICUL T URE HUB

523 views • 12 slides
#Euromaritime #Eurowaterways Sponsoris par Sponsored by Avec le soutien de Supported by

#Euromaritime #Eurowaterways Sponsoris par Sponsored by Avec le soutien de Supported by

JOURNEE EUROPEENNE DU SHIPPING THE EUROPEAN SHIPPING DAY 15:00 16:30 Shipping et innovation : quelles solutions pour un nouveau souffle conomique Shipping and innovation: what are the solutions for a new economic momentum #Euromaritime

404 views • 23 slides
Descripteurs divers niveaux de concepts pour la classification concepts pour la classification

Descripteurs divers niveaux de concepts pour la classification concepts pour la classification

Descripteurs divers niveaux de concepts pour la classification concepts pour la classification dimages multi-objets Youssef Tamaazousti, Herv Le Borgne and Cline Hudelot youssef.tamaazousti@cea.fr | 1 Image Classification Labels

347 views • 22 slides
Simulations Thermo-Hydro- Mcaniques pour le stockage profond des dchets nuclaires

Simulations Thermo-Hydro- Mcaniques pour le stockage profond des dchets nuclaires

Simulations Thermo-Hydro- Mcaniques pour le stockage profond des dchets nuclaires apport des couplages pour la prdiction des zones endommages 1 5 Fvrier 2009 Journe des utilisateurs de Code_Aster en goscience - IFP Plan

566 views • 23 slides
pour le dveloppement ? Serge Tomasi, Directeur Adjoint Direction de la Coopration pour le

pour le dveloppement ? Serge Tomasi, Directeur Adjoint Direction de la Coopration pour le

La Croissance verte, nouvelle frontire pour le dveloppement ? Serge Tomasi, Directeur Adjoint Direction de la Coopration pour le Dveloppement La croissante verte: nouvelle frontire du dveloppement? I - Le dfi vert: 1. Un dfi

514 views • 30 slides
FOR YOUR START-UP CEIM, 27 FVRIER 2015 Jo Van Betsbrugge, PhD Conseiller en Innovation -

FOR YOUR START-UP CEIM, 27 FVRIER 2015 Jo Van Betsbrugge, PhD Conseiller en Innovation -

DES SOLUTIONS EFFICACES ET RENTABLES POUR VOTRE START-UP INTELLIGENT AND COST-EFFECTIVE SOLUTIONS FOR YOUR START-UP CEIM, 27 FVRIER 2015 Jo Van Betsbrugge, PhD Conseiller en Innovation - Innovation Advisor Jo.vanbetsbrugge@cnrc-nrc.gc.ca

622 views • 49 slides
M ISSION AND VALUES AVAID - Association de Volontaires pour lAide au Dveloppement,

M ISSION AND VALUES AVAID - Association de Volontaires pour lAide au Dveloppement,

AVAID - A SSOCIATION DE V OLONTAIRES POUR L A IDE AU D VELOPPEMENT 20 years on the way for the human dignity www.avaid.ch M ISSION AND VALUES AVAID - Association de Volontaires pour lAide au Dveloppement, AVAID is a Swiss ngo,

338 views • 15 slides
Machine learning solutions to visual recognition problems Jakob Verbeek Synth` ese des travaux

Machine learning solutions to visual recognition problems Jakob Verbeek Synth` ese des travaux

Machine learning solutions to visual recognition problems Jakob Verbeek Synth` ese des travaux scientifiques pour obtenir le grade de Habilitation ` a Diriger des Recherches. Summary This thesis gives an overview of my research since my

928 views • 92 slides
Who is Simrae Solutions? Simrae Solutions is a company that specializes in creative solutions

Who is Simrae Solutions? Simrae Solutions is a company that specializes in creative solutions

S IMRAE S OLUTIONS LLC A C OLORADO C ORPORATION Simrae Solutions LLC Create Manage - Promote P.O. Box 6121 Denver, CO 80206 720.432.3015 www.simrae - solutions.com Simrae Solutions LLC Who is Simrae Solutions? Simrae Solutions is a company

483 views • 5 slides
Systme lectronique de monitoring de d donnes pour sportifs de haut niveau if d h i

Systme lectronique de monitoring de d donnes pour sportifs de haut niveau if d h i

Systme lectronique de monitoring de d donnes pour sportifs de haut niveau if d h i (Etude de cas pour la Patrouille des Glaciers) ( p ) Romain Farkas, LEG EPFL Romain Farkas, LEG EPFL 12/09/2007 Architecture / Goals /

292 views • 10 slides
THE PROBLEM 1 SOLUTIONS What do you think the solutions are? 2 PROPOSED SOLUTIONS

THE PROBLEM 1 SOLUTIONS What do you think the solutions are? 2 PROPOSED SOLUTIONS

THE PROBLEM 1 SOLUTIONS What do you think the solutions are? 2 PROPOSED SOLUTIONS Increase need-based federal aid, like Pell Grants, which now cover less than one-third of the cost of attendance at public four-year universities;

184 views • 15 slides
PRODUCT SOLUTIONS MARKET SOLUTIONS SERVICE SOLUTIONS Innovative and advanced

PRODUCT SOLUTIONS MARKET SOLUTIONS SERVICE SOLUTIONS Innovative and advanced

PRODUCT SOLUTIONS MARKET SOLUTIONS SERVICE SOLUTIONS Innovative and advanced Solutions for existing and Best in class service products to solve tomorrows emerging markets solutions from supply chain power challenges today to

575 views • 35 slides
OCCIware un cadre formel et ou2ll pour la ges2on de

OCCIware un cadre formel et ou2ll pour la ges2on de

OCCIware un cadre formel et ou2ll pour la ges2on de toute ressource en nuage Philippe Merle - Inria Journes Cloud Nantes 18 septembre

936 views • 37 slides
S ns r N t Sensor Network Security rk S curit 3/2/2017 Sensor Network Security (Simon S. Lam)

S ns r N t Sensor Network Security rk S curit 3/2/2017 Sensor Network Security (Simon S. Lam)

3/2/2017 S ns r N t Sensor Network Security rk S curit 3/2/2017 Sensor Network Security (Simon S. Lam) 1 1 3/2/2017 R. Blom, An optimal class of symmetric key generation systems, R. Blom, An optimal class of symmetric key generation

445 views • 12 slides
GFC Missions GFC Missions Elaboration of Performance Tests Le Consulat 147 avenue Paul

GFC Missions GFC Missions Elaboration of Performance Tests Le Consulat 147 avenue Paul

Groupement Franais de Coordination pour le dveloppement des essais de performance des combustibles, des lubrifiants pour moteurs et autres fluides utiliss dans les transports GFC Missions GFC Missions Elaboration of Performance Tests Le

479 views • 27 slides
codage pour ados CAMP DT 2018 Prsent par Axiom Academy Offert par lAcad mie

codage pour ados CAMP DT 2018 Prsent par Axiom Academy Offert par lAcad mie

Camp de codage pour ados CAMP DT 2018 Prsent par Axiom Academy Offert par lAcad mie Centennial Academy Une occasion pour les ados de : Apprendre le langage Swift Apprendre rsoudre des problmes Apprendre

357 views • 33 slides

More recommend