Secure Channels - Distributed Operating Systems - Lecture Slides
Other Security Problems
- Are you who you say you are?
- How does Bob know that he’s really talking to Alice?
- How does Alice know the message was sent by Bob?
- How does Alice know that the message she receives hasn’t been tampered with?
- Message Integrity
- Are you authorized to do what you want to do?
- Authorization
Secure Channels
Authentication
- Can you have authentication without message integrity?
- I know that Bob sent the message, but someone may have tampered with it.
- I know that no one tampered with it, but I don’t know whether or not it was really Bob who sent it.
- Authentication & message integrity cannot do without each other!
- Set-up phase precedes message exchange
- Session keys to ensure message integrity
Notation for Cryptography
Notation    Description
KA,B        Secret key shared by A and B
KA          Public key of A
KA          Private key of A
1. Alice sends her identity to Bob.
2. Bob sends a challenge (random number).
3. Alice must encrypt and return.
4. Alice then sends a challenge to Bob.
5. Bob must encrypt and return.
An Optimization
- Authentication based on a shared secret key, but using three instead of five messages.
Reflection Attack
- Lesson: never encrypt anything without knowing who you are encrypting it for.
Key Distribution Centers
- If there are N parties using shared secret keys, how many keys are needed?
- Alternative is to use a trusted KDC. It has a shared key with every host.
Tickets
- Using a ticket and letting Alice set up a connection to Bob.
- Vulnerable to replay attacks if Chuck gets hold of an old KB,KDC
Authentication using KDC (Needham-Schroeder Protocol)
Relate messages 1 and 2: use challenge response mechanism
RA1, RA2, RB: nonces
- Nonce: random number used only once to relate two messages
1. Alice -> KDC: RA1, A, B
2. KDC -> Alice: KA,KDC(RA1, B, KA,B, KB,KDC(A, KA,B))
3. Alice -> Bob: KA,B(RA2), KB,KDC(A, KA,B)
4. Bob -> Alice: KA,B(RA2-1, RB)
5. Alice -> Bob: KA,B(RB-1)
Authentication using KDC (Needham-Schroeder Protocol)
Why do we need to include B in message 2?
What if B is Missing from Message 2?
Assume Chuck intercepts message 1
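1. Alice -> KDC: RA1, A, B (intercepted by Chuck, who sends RA1, A, C to the KDC instead)
2. KDC -> Alice: KA,KDC(RA1, KA,C, KC,KDC(A, KA,C))
3. Alice -> Bob, intercepted by Chuck: KA,C(RA2), KC,KDC(A, KA,C)
4. Chuck -> Alice: KA,C(RA2-1, RB)
5. Alice -> Chuck: KA,C(RB-1)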
Here Chuck gets KA,C!
What if Chuck gets K A,B ?
Assume Chuck
- intercepted KA,B(RA2), KB,KDC(A,KA,B)
- knows KA,B
1. Alice -> KDC: RA1, A, B
2. KDC -> Alice: KA,KDC(RA1, B, KA,B, KB,KDC(A, KA,B))
3. Alice -> Bob: KA,B(RA2), KB,KDC(A, KA,B)
4. Bob -> Alice: KA,B(RA2-1, RB)
5. Alice -> Bob: KA,B(RB-1)
Chuck, who holds KA,B, replays message 3 to Bob.
Defend Against leaking of K A,B
Message 5 (former 3) contains an encrypted nonce (KB,KDC(RB1)) provided by Bob.
Chuck can no longer simply replay message 5 (former 3) to fool Bob, because message 5 is now related to message 2 by including nonce RB1.
1. Alice -> Bob: A
2. Bob -> Alice: KB,KDC(RB1)
3. Alice -> KDC: RA1, A, B, KB,KDC(RB1)
4. KDC -> Alice: KA,KDC(RA1, B, KA,B, KB,KDC(A, KA,B, RB1))
5. Alice -> Bob: KA,B(RA2), KB,KDC(A, KA,B, RB1)
6. Bob -> Alice: KA,B(RA2-1, RB2)
7. Alice -> Bob: KA,B(RB2-1)
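The check Bob performs on the ticket in the seven-message variant above, as an added example that is not part of the original slides. Assumptions: an HMAC-tagged JSON body stands in for encryption under KB,KDC, so only integrity and nonce binding are modelled, not secrecy; all class, function and field names are hypothetical.

```python
import hashlib, hmac, json, secrets

def seal(key: bytes, fields: dict) -> bytes:
    """Stand-in for K(...): HMAC-SHA256 tag followed by a JSON body (assumption)."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key: bytes, blob: bytes) -> dict:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return json.loads(body)

class Bob:
    def __init__(self, k_b_kdc: bytes):
        self.k_b_kdc = k_b_kdc
        self.pending = set()              # RB1 values issued and not yet consumed

    def message2(self) -> bytes:
        """Message 2: answer Alice's 'A' with KB,KDC(RB1)."""
        rb1 = secrets.token_hex(16)
        self.pending.add(rb1)
        return seal(self.k_b_kdc, {"RB1": rb1})

    def accept_ticket(self, ticket: bytes) -> str:
        """Ticket part of message 5: return KA,B only if RB1 is one Bob issued."""
        t = unseal(self.k_b_kdc, ticket)
        if t["RB1"] not in self.pending:
            raise ValueError("ticket not bound to a live RB1 (replay)")
        self.pending.discard(t["RB1"])    # a nonce is used only once
        return t["K_AB"]

def kdc_message4_ticket(k_b_kdc: bytes, alice: str, sealed_rb1: bytes) -> bytes:
    """KDC side of message 4: build KB,KDC(A, KA,B, RB1) from the forwarded nonce."""
    rb1 = unseal(k_b_kdc, sealed_rb1)["RB1"]
    return seal(k_b_kdc, {"A": alice, "K_AB": secrets.token_hex(16), "RB1": rb1})

def demo() -> tuple:
    k_b_kdc = secrets.token_bytes(32)     # constructed sample key
    bob = Bob(k_b_kdc)
    ticket = kdc_message4_ticket(k_b_kdc, "alice", bob.message2())
    first = bob.accept_ticket(ticket)     # fresh run: session key accepted
    try:
        bob.accept_ticket(ticket)         # the same ticket presented again
        replay = "accepted"
    except ValueError:
        replay = "rejected"
    return first, replay
```

In the original five-message protocol the ticket KB,KDC(A, KA,B) carries nothing Bob can compare against his own state, which is why a recorded message 3 is still accepted there.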