Authentication protocols use elementary authentication functions to
establish authentication
Usages:
One-way authentication
Mutual authentication
Digital signatures
Mutual authentication
Key exchange
Confidentiality
Requires existing keys (secret or public/private pairs)
Mechanisms to prevent replays.
Replay attacks (Gong, 1993):
Simple replay: Attacker copies messages to be resent later
Replay that can be logged: The receiver must accept messages
with a timestamp
within some timing window. The attacker can replay messages soon enough
for the
messages to arrive within the window.
Undetectable replay. Original message blocked and does not arrive;
only replay message arrives.
May or may not be a threat.
(Conventional encryption): Backward replay: Message is replayed
back to sender.
Prevention mechanisms:
Sequence numbers? Would solve the problem, but it may be too complex
to maintain
a full history of sequence numbers for every potential connection.
Challenge/response: A protocol that requires current authentication.
For example, the receiver can issue a nonce and demand that the
message is
accompanied by an encrypted version of the nonce. Requires a connection-oriented
type
of communication because of the inherent overhead.
A connectionless communication should rather use....
Timestamps
Requires timing window. The length of the window depends on the
typical delays in
the network, as well as on the degree of clock synchronization throughout
the network.
Clock synchronization over a faulty and delay-prone network is itself a process
that
requires a sophisticated protocol.
Mutual authentication protocols based on conventional encryption:
By use of a Key Distribution Center
Needham and Schroeder. (1978)..Fig. 5.9
Handshake of steps 4&5 is there to prevent a replay attack
on the message in step 3
Another attack: The attacker
has obtained an old session key (Ks),
has obtained a copy of the message in number 3, and
can intercept (read and stop) message #4 in the protocol.
In this case the attacker can impersonate A.
Improvement: Timestamps in steps 2 and 3. assumes Ka
and Kb safe. (Denning 1982)
A -> KDC: IDA | IDB
KDC -> A: EKa(Ks | IDB |
T | EKb(Ks | IDA | T ) )
A -> B: EKb
(Ks | IDA | T )
B-> A: EKs
(N1 )
A->B: E
Ks( f(N1 ) )
Prevents the mentioned attack, but...
The clocks or the clock synchronization protocol can fail or can be sabotaged.
If sender's clock is ahead of the receiver's clock:
An attacker could intercept a message and replay it later when it is still
within the recipient's
allowable time window. (suppress/replay attack....), so, still another
protocol...
(Kehne et. al, 1992, Neuman and Stubblebine, 1993)
A -> B: ID
A | Na
A's identifier and A's nonce. Nonce will be returned to A,
encrypted, in step 3
(authenticating message 3 and guaranteeing timeliness)
B-> KDC: IDB | Nb |
EKb( IDA | Na | Tb )
B requests a session key. B's nonce will be returned, in encrypted
form, in step 4
(authenticating message 3 and guaranteeing timeliness).
Asks to send a "ticket" to A
KDC -> A: EKa(( IDB
| Na | Ks | Tb ) | EKb
( IDA | Ks | Tb ) ) |
Nb
KDC sends an encrypted session key & nonce, as well as
a ticket, to A
A->B: EKb( ID
A | Ks | Tb ) ) | E
Ks( Nb )
A presents current ticket to B, and the encrypted nonce as
proof of timeliness.
Note that both time stamping and time checking goes on at B, so there is
no need for
clock synchronization.
The ticket can be retained by A and used repeatedly to establish
a new connection,
as long as the time stamp Tb remains within B's time window, with
a simple
challenge/response protocol and without asking the KDC:
A -> B: EKb
( IDA | Ks | Tb ) )
| N'a
Old ticket; new nonce
B-> A: E
Ks( N'a ) | N'b
A->B:
EKs( N'b )
Mutual authentication protocols based on public key encryption:
Fig. 6.15
What if A and B do not possess each other's public keys?
Denning 1981: Use of an Authentication Server (AS)
A -> AS: ID
A | IDB
AS-> A:
EKRas( IDA | KUa | T ) |
EKRas( IDB | KUb | T )
A->B:
EKRas( IDA | KUa | T ) |
EKRas( IDB | KUb | T )
| EKUb( EKRa ( K
s | T ) )
Requires clock synchronization. Solution without need for synchronization:
Woo and Lam, 1992
A -> KDC: IDA | IDB
Initialization request
KDC -> A: EKRauth(IDB | KU
b )
B's certificate.
A -> B: E
KUb(Na | IDA )
Send encrypted nonce & identifier
B -> KDC: IDB | IDA | E
KUauth(Na )
Request for A's certificate and session key
KDC -> B: EKRauth(IDA | KU
a ) | EKUb( EKRauth(
Na | Ks | IDA| IDB ) )
A's certificate, and an encrypted and authenticated session
key, together with nonce, and
an identifier that ties the nonce to A
B -> A: E
KUa( EKRauth( Na | Ks
| IDA| IDB ) | Nb )
A receives its own nonce back and knows that this is no replay
and that Ks is current
A->B:
EKs( Nb )
B gets its encrypted nonce back
One-way authentication
Used when two parties cannot engage in a two-way conversation to establish
authentication, e. g. e-mail.
Note: E-mail is delivered by agent programs (acting on behalf
of the users). The agent programs
communicate by use of a connection oriented protocols. However, at the
application (or user) level
from the user's point of view, the communicaton is connectionless. This perspective
makes sense in
an encryption/authentication context, since all encryption keys should be
kept at the user level.
One-way authentication protocols based on conventional
encryption:
Fig. 5.11 is impractical since the communication is connectionless
Fig 5.9, with KDC. Some refinements are necessary:
We must avoid the dialog of steps 4 and 5:
A -> KDC:
IDA | IDB | N1
KDC-> A:
EKa( Ks | IDB | N1
| EKb( Ks | ID
A ) )
A->B:
EKb( Ks | IDA
) | EKs( M )
Confidentiality and basic authentication. No protection against replays.
Replay prevention:
A timestamp could be included, but that makes limited
sense for e-mail messages.
However, two messages with the exact same timestamps could be regarded replicas
with this approach.
Sequence numbers at the applicaton level? i. e.,
"Order number 12345: Buy 1000 Kværner shares"
One-way authentication protocols based on public key encryption:
Schemes with authentication, confidentiality, or both, using,
respectively,
digital signatures, encryption or both.
Will see more of this in Chapter 12.