National Tsing Hua University, Department of Computer Science, Information Security Laboratory
Hung-Min Sun (孫宏民), [email protected], Phone: 03-5742968
Posted 20-Dec-2015, Category: Documents
Network Security --- User Authentication and Key Agreement Protocols
Page 2
Outline
Basic Cryptographic Concept
Symmetric Encryption
Asymmetric Encryption
Digital Signature
Encrypted Key Exchange (EKE)
Conclusions
Page 3
Cryptographic System
[Figure: Plaintext → Encryption → Ciphertext → Decryption → Plaintext, with Key as input to both operations]
Page 4
Four Basic Services of Cryptography:
1. Confidentiality (Secrecy): the intruder cannot read the encrypted message from the ciphertext.
2. Authentication: it should be possible for the receiver of a message to ascertain its origin; an intruder should not be able to masquerade as someone else.
3. Integrity: it should be possible for the receiver of a message to verify that it has not been modified in transit; an intruder cannot substitute a false message for a legitimate one.
4. Nonrepudiation: a sender should not be able to falsely deny later that he sent a message.
Page 5
Cryptographic System
[Figure: Plaintext (M) → Encryption under K1 → Ciphertext (C) → Decryption under K2 → M; a cryptanalyst observes C]
Symmetric Cryptosystem: the encryption and decryption keys are the same ($E_K(M) = C$ and $D_K(C) = M$).
Asymmetric Cryptosystem: the encryption and decryption keys are different ($E_{K_1}(M) = C$ and $D_{K_2}(C) = M$). The encryption key is public, while the decryption key cannot be calculated from the public key.
Page 6
Symmetric Cryptosystem
DES (1977), IDEA (1992), RC5 (1994), AES (2001)
Page 7
Symmetric Cryptosystem
Security services: Confidentiality, Authentication, Integrity
Advantage: high speed
Disadvantages: how to obtain a common secret key between two parties; the number of secret keys is too big; cannot achieve nonrepudiation.
Page 8
Asymmetric Cryptosystem
RSA (1978), El-Gamal (1984), McEliece (1978), Knapsack (1978)
Page 9
Asymmetric Cryptosystem
Security services: Confidentiality, Integrity, Authentication (by signature), Nonrepudiation (by signature)
Advantage: a single pair of keys for each user
Disadvantages: slow speed; public keys need to be authenticated by a CA.
Page 10
RSA (Encryption & Decryption)
Public key: $n = pq$, where $p$ and $q$ are large primes (512 bit), and $e$ with $\gcd(e, (p-1)(q-1)) = 1$.
Private key: $d$, where $ed = 1 \bmod (p-1)(q-1)$.
Encryption: $C = M^e \bmod n$. Decryption: $M = C^d \bmod n$.
Example: $p = 47$, $q = 71 \Rightarrow n = 3337$; $e = 79 \Rightarrow d = 1019$; $M = 688$.
Encryption: $C = M^e \bmod n = 688^{79} \bmod 3337 = 1570$.
Decryption: $M = C^d \bmod n = 1570^{1019} \bmod 3337 = 688$.
Page 11
One-way hash function
Input: $X$ (unlimited length). Output: $Y = H(X)$ (fixed length, e.g., 160 bits).
Given $X$, it is easy to compute $Y$.
Given $Y$ and $H(\cdot)$, it is computationally infeasible to compute $X$.
Given $X$ and $Y$, it is computationally infeasible to find $X' \neq X$ such that $Y = H(X')$.
Page 12
Digital Signature
[Figure: Signer A runs signature generation on message M with the private key to produce signature S; Verifier B runs signature verification on (M, S) with the public key and obtains True or False]
第 13 頁
Hash Functions : SHA MD5 FFT Snefru N Hash
Hash
Signature Functions : RSA DSA El-Gamal Elliptive Curve LUC
Digital Signature
M
h(M) SS
M
Page 14
RSA Digital Signature
Public key: $n = pq$, where $p$ and $q$ are large primes (512 bit), $e$ with $\gcd(e, (p-1)(q-1)) = 1$, and $h$ is a hash function.
Private key: $d$, where $ed = 1 \bmod (p-1)(q-1)$.
Sign: $S = h(M)^d \bmod n$.
Verify: $h(M) = S^e \bmod n$.
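Worked code for the RSA numbers on slide 10 and the sign/verify formulas on slide 14, added here as an example; it is not the lecture's or the authors' code. The parameters p = 47, q = 71, e = 79 and M = 688 are the slide's; using SHA-256 reduced mod n as the hash h is an assumption made only so that the toy modulus can sign a digest.

```python
"""Textbook RSA with the slide's parameters: key generation, encryption,
decryption, and hash-then-sign.  Added example, not the lecture's code."""
import hashlib
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Return (n, e, d) with e*d = 1 mod (p-1)(q-1); rejects a non-invertible e."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return p * q, e, d


def rsa_encrypt(m: int, n: int, e: int) -> int:
    return pow(m, e, n)            # C = M^e mod n


def rsa_decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)            # M = C^d mod n


def h(message: bytes, n: int) -> int:
    """Hash h(M), reduced into Z_n so the tiny modulus can carry it (assumption)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(message: bytes, n: int, d: int) -> int:
    return pow(h(message, n), d, n)          # S = h(M)^d mod n


def rsa_verify(message: bytes, s: int, n: int, e: int) -> bool:
    return pow(s, e, n) == h(message, n)     # accept iff h(M) == S^e mod n


def slide_example():
    """Reproduce slide 10: n = 3337, d = 1019, C = 1570, and decryption back to 688."""
    n, e, d = rsa_keygen(47, 71, 79)
    c = rsa_encrypt(688, n, e)
    return n, d, c, rsa_decrypt(c, n, d)


if __name__ == "__main__":
    n, d, c, m = slide_example()
    print(f"n={n} d={d} C={c} M={m}")
    sig = rsa_sign(b"transfer 100", n, d)
    print("verify:", rsa_verify(b"transfer 100", sig, n, 79))
```

The slide's 512-bit primes are below today's minimum, and this unpadded ("textbook") form is malleable: multiplying two ciphertexts gives the ciphertext of the product, and a signature on h(M) without padding is likewise structured. Deployed RSA wraps M and h(M) in OAEP or PSS padding before exponentiation; the arithmetic above is the part those schemes sit on.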
Page 15
Secure Communication between Client and Server
Using a Symmetric Cryptosystem: each client and the server share a common secret key $k$.
Client → Server: $ID_c, E_k(M)$
Server → Client: $E_k(M')$
Disadvantages:
1. The secret key must be strong.
2. If the secret key is revealed, the messages in the past will also be revealed.
Page 16
Secure Communication between Client and Server
Using an Asymmetric Cryptosystem: Encryption + Signature (see next page)
Disadvantages:
1. Public keys need to be authenticated by a CA.
2. The private key must be strong.
3. If the server's private key is revealed, the messages in the past will also be revealed.
Page 17
Secure Communication between Client and Server
Page 18
User Authentication in General
Based on one or more of:
something a user has (smart card / token card)
something a user is (fingerprint / voiceprint / retinal scan)
something a user knows (password / short secret)
What's a popular user authentication system based on three of these?
Page 19
Secure Password Authentication
Remote user access. Goal: to be secure without requiring the user to carry/remember anything except a password.
[Figure: Remote client → VPN traffic (authenticated using password) → Firewall → protected domain]
Page 20
Dictionary Attacks (Password Guessing Attacks)
An off-line, brute-force guessing attack conducted by an attacker on the network.
The attacker usually has a "dictionary" of commonly-used passwords to try.
People pick easily remembered passwords.
"Easy-to-remember" is also "easy-to-guess".
Page 21
Passwords in the Real World
Entropy is less than most people think.
Dictionary words, e.g. "pudding", "plan9"
– Entropy: 20 bits or less
Word pairs or phrases, e.g. "hate2die"
– Represents average password quality
– Entropy: around 30 bits
Random printable text, e.g. "nDz2\u>O"
– Entropy: slightly over 50 bits
Page 22
Password-based Protocols
Telnet and FTP are insecure:
Client → Server: $ID_c, Password$
Sending a hash of the password instead is still insecure, because of dictionary attacks:
Client → Server: $ID_c, h(Password)$
Page 23
Password-based Protocol with Challenge
Still insecure against dictionary attacks.
Client → Server: $ID$
Server → Client: $Cha$
Client → Server: $h(Cha, Password)$
Page 24
We need ...
a password-based authentication protocol which is secure against dictionary attacks.
Page 25
Secure Communication between Client and Server
What to do after authentication?
We need a common session key to protect our communication.
Diffie-Hellman key agreement lets two parties share a common session key.
Page 26
Diffie-Hellman Key Agreement
Goal: to let two parties share a common session key.
$p$: a large prime, $g$: a generator.
Client → Server: $g^{R_a} \bmod p$
Server → Client: $g^{R_b} \bmod p$
Client computes $K = (g^{R_b})^{R_a} \bmod p$; Server computes $K = (g^{R_a})^{R_b} \bmod p$.
Page 27
Man-in-the-middle attack
Client → Attacker: $g^a \bmod p$; Attacker → Server: $g^{a'} \bmod p$
Server → Attacker: $g^b \bmod p$; Attacker → Client: $g^{b'} \bmod p$
Client computes $(g^{b'})^a \bmod p$; the attacker computes the same key as $(g^a)^{b'} \bmod p$.
Server computes $(g^{a'})^b \bmod p$; the attacker computes the same key as $(g^b)^{a'} \bmod p$.
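The exchange of slide 26 and the substitution of slide 27 in runnable form, added as an example (not the lecture's code). The group $p = 2^{31}-1$, $g = 7$ is an assumed toy group, far too small for real use; it is only there so the arithmetic can be checked.

```python
"""Diffie-Hellman key agreement and the man-in-the-middle substitution.
Added example, not the lecture's code; the group is a toy assumption."""
import secrets

P = 2**31 - 1   # Mersenne prime, assumed toy modulus
G = 7           # primitive root modulo P


def fresh_exponent() -> int:
    """Random private exponent R in [1, p-2]."""
    return secrets.randbelow(P - 2) + 1


def public_value(r: int) -> int:
    """g^R mod p, the value each party sends."""
    return pow(G, r, P)


def shared_key(peer_public: int, r: int) -> int:
    """K = (peer's g^R')^R mod p."""
    return pow(peer_public, r, P)


def honest_exchange():
    """Client and Server exchange g^Ra and g^Rb; both derive the same K."""
    r_a, r_b = fresh_exponent(), fresh_exponent()
    k_client = shared_key(public_value(r_b), r_a)      # (g^Rb)^Ra
    k_server = shared_key(public_value(r_a), r_b)      # (g^Ra)^Rb
    return k_client, k_server


def mitm_exchange():
    """An active attacker forwards g^a' to the server instead of g^a, and g^b'
    to the client instead of g^b.  Neither side can tell, because nothing in
    plain DH ties a public value to a party, so the attacker ends up holding
    one key with each side while the two honest keys differ."""
    a, b = fresh_exponent(), fresh_exponent()          # honest exponents
    a2, b2 = fresh_exponent(), fresh_exponent()        # attacker's a', b'
    k_client = shared_key(public_value(b2), a)         # client: (g^b')^a
    k_attacker_client = shared_key(public_value(a), b2)   # attacker: (g^a)^b'
    k_server = shared_key(public_value(a2), b)         # server: (g^a')^b
    k_attacker_server = shared_key(public_value(b), a2)   # attacker: (g^b)^a'
    return {
        "client": k_client,
        "attacker_with_client": k_attacker_client,
        "server": k_server,
        "attacker_with_server": k_attacker_server,
    }


if __name__ == "__main__":
    print("honest keys equal:", len(set(honest_exchange())) == 1)
    r = mitm_exchange()
    print("attacker shares a key with each side:",
          r["client"] == r["attacker_with_client"] and r["server"] == r["attacker_with_server"])
```

The two remedies the deck goes on to discuss both work by binding $g^{R}$ to its sender: certificates on long-term values (slide 28), or encrypting the ephemeral values under a shared password so that an attacker cannot produce a substitute that decrypts to a useful value (EKE, slides 31 and 32).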
Page 28
Diffie-Hellman Key Agreement
Diffie-Hellman key agreement is vulnerable to the man-in-the-middle attack: it does not provide authentication.
How about Diffie-Hellman key agreement using public keys?
Client → Server: $ID_a, Y_a, Cert_a$, where $Y_a = g^{X_a} \bmod p$
Server → Client: $ID_b, Y_b, Cert_b$, where $Y_b = g^{X_b} \bmod p$
$K_{ab} = (Y_b)^{X_a} \bmod p = (Y_a)^{X_b} \bmod p$
Problems: (1) it does not provide forward secrecy; (2) the long-term key is hard to remember (it is not a password).
Page 29
Forward Secrecy
Prevents one compromise from causing further damage.
Compromising ...            Should not compromise ...
Current password            Future passwords
Old password                Current password
Current password            Current or past session keys
Current session key         Current password
Page 30
Research Goal
To design a user authentication and key agreement protocol via password.
The protocol must satisfy the following requirements:
1. based on password only,
2. password may be weak,
3. be secure against the dictionary attack,
4. can provide perfect forward secrecy.
Page 31
Encrypted Key Exchange (EKE) [Bellovin and Merritt, 1992]
Two parties share a common password $P$. EKE can withstand dictionary attacks.
A generates a fresh encryption/decryption key pair $(E_A, D_A)$.
A → B: $A, P(E_A)$
B recovers $E_A = P^{-1}(P(E_A))$ and generates a random session key $R$.
B → A: $P(E_A(R))$
A recovers $R = D_A(P^{-1}(P(E_A(R))))$.
A → B: $R(Ch_a)$
B → A: $R(Ch_a \| Ch_b)$
A → B: $R(Ch_b)$
Page 32
DHEKE [Bellovin and Merritt, 1992]
A → B: $A, P(g^{R_a} \bmod p)$
B computes $K = (g^{R_a})^{R_b} \bmod p$.
B → A: $P(g^{R_b} \bmod p), K(Ch_b)$
A computes $K = (g^{R_b})^{R_a} \bmod p$.
A → B: $K(Ch_a \| Ch_b)$
B → A: $K(Ch_a)$
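The DH-EKE flows of slide 32 in runnable form, next to the challenge protocol of slide 23 so the difference slide 24 asks for can be seen on a transcript. This is an added example, not the lecture's or the authors' code. Everything about the group and the ciphers is an assumption made for illustration: $p = 2^{31}-1$ and $g = 7$ are a toy group, $P(\cdot)$ and $K(\cdot)$ are implemented as a SHA-256 keystream XOR, and the per-flow labels are constructed here.

```python
"""DH-EKE (Bellovin and Merritt, 1992), four flows, plus the hash-of-challenge
protocol for comparison.  Added example, not the lecture's code; the group and
the password/key ciphers are illustrative assumptions."""
import hashlib
import secrets

P_MOD = 2**31 - 1       # Mersenne prime; far too small for real use
G = 7                   # primitive root modulo P_MOD


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """n bytes (n <= 32) of SHA-256(key || label); the label separates flows."""
    return hashlib.sha256(key + label).digest()[:n]


def pw_crypt(password: str, label: bytes, x: int) -> int:
    """P(x) on a 31-bit group element.  Masking the keystream to 31 bits keeps
    every decryption, under the right or a wrong password, inside [0, 2^31),
    so an off-line guesser sees a plausible element for every candidate."""
    ks = int.from_bytes(keystream(password.encode(), label, 4), "big") & P_MOD
    return x ^ ks                                  # XOR: the same call decrypts


def key_crypt(k: int, label: bytes, msg: bytes) -> bytes:
    """K(msg): XOR msg with a keystream derived from the DH value K."""
    ks = keystream(k.to_bytes(4, "big"), label, len(msg))
    return bytes(a ^ b for a, b in zip(msg, ks))


def dheke(pw_a: str, pw_b: str):
    """Run DH-EKE between A (holding pw_a) and B (holding pw_b).
    Returns (K_A, K_B, a_accepts, b_accepts, transcript)."""
    # Flow 1  A -> B : A, P(g^Ra mod p)
    r_a = secrets.randbelow(P_MOD - 2) + 1
    f1 = pw_crypt(pw_a, b"flow1", pow(G, r_a, P_MOD))
    # B decrypts with its copy of the password; K = (g^Ra)^Rb mod p
    r_b = secrets.randbelow(P_MOD - 2) + 1
    k_b = pow(pw_crypt(pw_b, b"flow1", f1), r_b, P_MOD)
    ch_b = secrets.token_bytes(16)
    # Flow 2  B -> A : P(g^Rb mod p), K(Ch_b)
    f2 = (pw_crypt(pw_b, b"flow2", pow(G, r_b, P_MOD)), key_crypt(k_b, b"flow2", ch_b))
    k_a = pow(pw_crypt(pw_a, b"flow2", f2[0]), r_a, P_MOD)   # K = (g^Rb)^Ra mod p
    ch_a = secrets.token_bytes(16)
    # Flow 3  A -> B : K(Ch_a || Ch_b)
    f3 = key_crypt(k_a, b"flow3", ch_a + key_crypt(k_a, b"flow2", f2[1]))
    dec3 = key_crypt(k_b, b"flow3", f3)
    b_accepts = dec3[16:] == ch_b          # B's challenge came back under the same K
    # Flow 4  B -> A : K(Ch_a), sent only if B accepted
    f4 = key_crypt(k_b, b"flow4", dec3[:16]) if b_accepts else None
    a_accepts = f4 is not None and key_crypt(k_a, b"flow4", f4) == ch_a
    return k_a, k_b, a_accepts, b_accepts, (f1, f2, f3, f4)


def challenge_response(password: str, cha: bytes) -> bytes:
    """Slide 23: the client answers the server's challenge with h(Cha, Password)."""
    return hashlib.sha256(cha + password.encode()).digest()


def guess_from_challenge_transcript(cha: bytes, response: bytes, dictionary):
    """A passive observer holding (Cha, h(Cha, Password)) can test every word
    off-line; returns the matching word, or None."""
    return next((w for w in dictionary if challenge_response(w, cha) == response), None)


def guesses_rejected_from_dheke_transcript(transcript, dictionary) -> int:
    """The same observer on DH-EKE flow 1: count dictionary words that can be
    ruled out because decrypting P(g^Ra) under them gives no valid element.
    Stays at 0 (only the values 0 and p are invalid, probability 2^-30 per word)."""
    f1 = transcript[0]
    return sum(1 for w in dictionary if not 0 < pw_crypt(w, b"flow1", f1) < P_MOD)
```

With matching passwords both sides accept and hold the same key; with different passwords neither challenge verifies, and nothing in the four flows tells a wrong password from the right one. The challenge protocol, by contrast, confirms the right dictionary word from a single captured exchange. The 31-bit mask is what makes every trial decryption look like a group element here; the EKE paper makes the same point about encoding $g^{R_a}$, and an implementation over another group has to solve it for that group.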
Page 33
Three-Party Key Exchange Protocol
Each client shares an easy-to-remember password with the server.
The protocol is responsible for establishing secure communication between two clients via the help of the server.
Application: E.g., ICQ, or mobile users
Page 34
STW-3PEKE [Steiner, Tsudik, and Waidner, 1995]
Parties: A, S (the server), B. $R_A = g^{N_A}$, $R_B = g^{N_B}$.
A → B: $A, \{R_A\}_{P_A}$
B → S: $A, \{R_A\}_{P_A}, B, \{R_B\}_{P_B}$
S → B: $R_A^{N_S}, R_B^{N_S}$
B → A: $R_B^{N_S}, [flow1]_K$
A → B: $[[flow1]_K]_K$
A computes $K = (R_B^{N_S})^{N_A} \bmod p$; B computes $K = (R_A^{N_S})^{N_B} \bmod p$.
Page 35
Undetectable On-line Guessing Attack (I) [Ding and Horster, 1995]
Client B records A's first flow $\{R_A\}_{P_A}$, guesses $\tilde{P}_A$, decrypts the recording under the guess to get $\tilde{R}_A$, and uses $R_B = \tilde{R}_A$ as its own value.
B → S: $A, \{R_A\}_{P_A}, B, \{\tilde{R}_A\}_{P_B}$
S → B: $R_A^{N_S}, \tilde{R}_A^{N_S}$
B checks $R_A^{N_S} \stackrel{?}{=} \tilde{R}_A^{N_S}$ (with $R_A = g^{N_A}$): equality means the guess $\tilde{P}_A$ was right, and the server sees nothing but a normal run.
Page 36
Undetectable On-line Guessing Attack (II) [Ding and Horster, 1995]
Client B guesses $\tilde{P}_A$ and computes $\tilde{R}_A = g^{\tilde{N}_A} \bmod p$ and $R_B = g^{N_B} \bmod p$.
B → S: $A, \{\tilde{R}_A\}_{\tilde{P}_A}, B, \{R_B\}_{P_B}$
S → B: $\tilde{R}_A^{N_S}, R_B^{N_S}$
B checks $(\tilde{R}_A^{N_S})^{N_B} \stackrel{?}{=} (R_B^{N_S})^{\tilde{N}_A}$: equality means the guess $\tilde{P}_A$ was right.
Page 37
Off-line Guessing Attack on STW-3PEKE [Lin, Sun, and Hwang, 2000]
The attacker plays both A* and S* towards B, knowing neither $P_A$ nor $P_B$.
A* → B: $X$ (an arbitrary value)
B → S*: $A, X, B, \{R_B\}_{P_B}$, with $R_B = g^{N_B}$
S* → B: $\tilde{R}_A^{N_S}, Y$, where the attacker sets $\tilde{R}_A^{N_S} = g^{\tilde{N}_A}$ and $Y$ is arbitrary
B → A*: $Y, [flow1]_K$, with $K = (\tilde{R}_A^{N_S})^{N_B} \bmod p$
Off-line, the attacker guesses $\tilde{P}_B$, obtains $\tilde{R}_B$ from $\{R_B\}_{P_B}$, computes $\tilde{K} = (\tilde{R}_B)^{\tilde{N}_A}$, and checks whether decrypting $[flow1]_K$ with $\tilde{K}$ yields $flow1 = X$.
Page 38
LSH-3PEKE (with server's public key) [Lin, Sun, and Hwang, 2000]
Parties: A, S, B. $K_S$ is the server's public key; $R_A = g^{N_A}$, $R_B = g^{N_B}$; $r_a$ and $r_b$ are fresh values chosen by A and B.
A → B: $A, \{r_a, R_A, P_A\}_{K_S}$
B → S: $A, \{r_a, R_A, P_A\}_{K_S}, B, \{r_b, R_B, P_B\}_{K_S}$
S → B: $[R_B, A]_{r_a}, [R_A, B]_{r_b}$
B → A: $[R_B, A]_{r_a}, [h(flow1), C_B]_K$
A → B: $C_B$
Session key: $K = R_A^{N_B} = R_B^{N_A}$.
Page 39
LSSH-3PEKE (without server's public key) [Lin, Sun, Steiner, and Hwang, 2001]
[Protocol figure among A, S and B; the message flows did not survive extraction. Recoverable pieces: each client runs a password-encrypted exchange with S using $[g^{N_1}]$ and $[g^{N_2}]$, giving client-server keys $K_{SA} = (g^{N_1})^{N_{SA}}$ and $K_{SB} = (g^{N_2})^{N_{SB}}$; authenticators of the form $f(A, B, K_{SA}, R_A, R_B)$ and $f(A, B, K_{SB}, R_B, R_A)$ are exchanged; the session keys are $K = H_1(R_A^{N_B}) = H_1(R_B^{N_A})$ and $K' = H_2(R_A^{N_B}) = H_2(R_B^{N_A})$.]
Page 40
Performance Comparison
Page 41
Conclusions
Password authentication and key agreement protocols are widely used, e.g., in electronic commerce and electronic stock trading.
Two-party protocols are suitable for the client/server environment, e.g., Telnet, FTP.
Three-party protocols are suitable for a single-server, multiple-client environment: any two clients can authenticate each other and reach secure communication.
Page 42
Verifier-based Protocol
A server does not store the plain password directly. Instead, it stores a verifiable text derived from the password (called a verifier). This gives a higher security level: even when the server is compromised, an attacker must still perform a dictionary attack. Furthermore, a verifier-based protocol can withstand the stolen-verifier attack.
Page 43
References
1. Bellovin, S. and Merritt, M., 1992, "Encrypted Key Exchange: Password-based Protocols Secure against Dictionary Attacks," Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland.
2. Steiner, M., Tsudik, G. and Waidner, M., 1995, "Refinement and Extension of Encrypted Key Exchange," ACM Operating Systems Review, Vol. 29, Issue 3, pp. 22-30.
3. Ding, Y. and Horster, P., 1995, "Undetectable On-line Password Guessing Attacks," Technical Report TR-95-13-F, July.
4. Lin, C. L., Sun, H. M. and Hwang, T., 2000, "Three-Party Encrypted Key Exchange: Attacks and a Solution," ACM Operating Systems Review, Vol. 34, No. 4, pp. 12-20.
5. Lin, C. L., Sun, H. M., Steiner, M. and Hwang, T., 2001, "Three-party Encrypted Key Exchange Without Server Public-Keys," IEEE Communications Letters, Vol. 5, No. 12, pp. 497-499.
6. Lin, C. L., Sun, H. M. and Hwang, T., 2001, "Efficient and Practical DHEKE Protocols," ACM Operating Systems Review, Vol. 35, No. 1, pp. 41-47.