BA Chapter5 Authentication and Key Agreement

Chapter 5 of the IT-Security lecture focuses on authentication and key establishment, covering mechanisms for entity authentication, including MAC-based and signature-based methods. It discusses the importance of establishing session keys for secure communication and outlines protocols for key distribution, such as key transport and key agreement. Additionally, the chapter addresses challenges like reflection attacks and emphasizes the need for efficiency in authentication protocols.


IT-Security

Chapter 5: Authentication and Key Establishment

Prof. Dr.-Ing. Ulrike Meyer


Overall Lecture Context

● In the last chapters we covered

► Symmetric and asymmetric mechanisms to provide

► Integrity protection
§ Message Authentication Codes and digital signatures schemes

► Confidentiality
§ Symmetric and asymmetric encryption schemes

● All these mechanisms require keys to be distributed

► to the authentic entities

● In this chapter we learn how to

► authenticate entities, i.e., check that they are who they claim to be

► establish keys between different entities

IT-Security - Chapter 5: Authentication and Key Establishment 2


Overview

● Building Blocks for Entity Authentication
► Definition of Entity Authentication
► MAC-based authentication
► Signature-based authentication

● Authenticated Session Key Establishment
► Definitions around session key establishment
► Authenticated Diffie-Hellman variants
► Session key establishment without DH
► Session key derivation principles

● Key Distribution with Trusted Third Parties
► Key Distribution Centers
► Certificates and Public Key Infrastructures

● Password-based Authentication
► Password-based user authentication
► Password-based authenticated key establishment
► Dictionary attacks on password-based authentication


Definition of Entity Authentication

Unilateral entity authentication of A to B
► A (claimant) proves its identity to B (verifier)
► B is assured that A is currently interacting with B

Mutual authentication
► A authenticates to B and B authenticates to A

Objectives
► Correctness: A can always successfully authenticate to B
► Resistance against transferability: After A authenticated to B successfully, B cannot authenticate as A to C (∗)
► Resistance against impersonation: C ≠ A cannot make B believe that it is A (∗)

All three objectives still hold
► if an attacker has observed multiple authentication instances between A and B

(∗) Except with negligible probability: guessing is of course always possible
Example

● Assume A and B have agreed upon a secret password when they last met
● Now A authenticates to B with the following protocol

Alice → Bob: "Hi, I'm Alice!"
Bob → Alice: "Oh, really? Prove it!"
Alice → Bob: Password

Correct?
► Yes!

Resistant against transferability?
► Yes, at least if Alice does not use the password in multiple places

Resistant against impersonation?
► No! The password is sent in the clear, so any eavesdropper can impersonate Alice after the first run of the protocol


Challenge-Response Authentication

Alice → Bob: "Hi, I'm Alice!"
Bob → Alice: "Oh, really? Here's my challenge"
Alice → Bob: Response

Idea:
► B generates a fresh challenge
§ E.g., a random number or a time stamp (implicit challenge)
► A proves its identity by computing a response that
§ depends on the challenge and a secret
§ Secret can be a secret key shared with B, a private key of A, …
► The response calculation must guarantee that the objectives hold


Example Building Blocks for Unilateral Entity Authentication based on shared key K

Timestamp-based variant (requires time synchronization)

Alice (K) → Bob (K): timestamp ∥ MAC_K(timestamp)
Bob: check MAC, verify timestamp is current

► Alice computes a MAC on the timestamp
► Sends timestamp and MAC to Bob
► Bob verifies the MAC by computing MAC_K on the received timestamp and comparing it to the received MAC
► Bob checks if timestamp is in an acceptable range around Bob's current time

Random-challenge variant

Bob (K) → Alice (K): RAND
Alice → Bob: MAC_K(RAND)
Bob: check MAC by computing it on the sent RAND

► Bob selects a random number RAND as challenge and sends it to Alice
► Alice computes a MAC on RAND using K
► Bob verifies that the received MAC corresponds to the one he computes using RAND as input
Example Building Blocks for Unilateral Entity Authentication

Unilateral authentication of A to B based on a private key sk of Alice, assuming Bob knows Alice's public key pk

Timestamp-based variant

Alice (sk) → Bob (pk): timestamp ∥ sig_sk(timestamp)
Bob: check sig_sk with pk, verify timestamp is current

► Alice computes a signature on the current timestamp (implicit challenge) using sk
► Sends the timestamp and the signature to Bob
► Bob verifies the signature with pk and checks if timestamp is in an acceptable range

Random-challenge variant

Bob (pk) → Alice (sk): RAND
Alice → Bob: sig_sk(RAND)
Bob: verify sig_sk(RAND) on the sent RAND with pk

► Bob selects a random number RAND as challenge and sends it to Alice
► Alice computes a signature on RAND
► Bob verifies that the received signature is a signature on the sent RAND
Example Building Blocks for Mutual Entity Authentication

● Mutual authentication of A to B and B to A based on a shared secret key K

Timestamp-based variant

Alice (K) → Bob (K): timestamp ∥ MAC_K(timestamp ∥ ID_A)
Bob → Alice: timestamp ∥ MAC_K(timestamp ∥ ID_B)

Random-challenge variant

Bob (K) → Alice (K): RAND_B
Alice → Bob: MAC_K(RAND_A ∥ RAND_B) ∥ RAND_A
Bob → Alice: MAC_K(RAND_B ∥ RAND_A)

Works with signatures just as well


Example for Insecure Building Blocks for Mutual Authentication

Simply combining the building blocks for unilateral authentication MAY NOT be SECURE

Timestamp-based variant, same message format in both directions

Alice → Bob: timestamp ∥ MAC_K(timestamp)
Bob → Alice: timestamp ∥ MAC_K(timestamp)

► Attacker could claim to be Bob and just reflect Alice's message to Alice
► Alice will see that the timestamp of Bob is a little behind hers but may accept this
► Not impersonation resistant

Random-challenge variant, same message format in both directions

Bob → Alice: RAND
Alice → Bob: MAC_K(RAND)
(and the same exchange with the roles swapped)

► Attacker could start a second run of the protocol by reflecting RAND back to Bob
► Bob thinks this is a new authentication started by Alice
► Wait for Bob's reply MAC_K(RAND)
► Then reflect the MAC computed by Bob back to Bob
► Need messages of Alice and Bob to be different


Protection against Reflection Attacks

● Making A and B compute MACs on different messages, where each message contains input controlled by the other party, protects these building blocks from reflection attacks

Timestamp-based variant

Alice → Bob: timestamp ∥ MAC_K(timestamp ∥ ID_A)
Attacker (as Bob) → Alice: timestamp ∥ MAC_K(timestamp ∥ ID_A)

► Attacker can only reflect the message including Alice's ID, which will be detected by Alice (she expects ID_B)

Random-challenge variant

Bob → Alice: RAND_B
Attacker (as Alice) → Bob: ? ∥ RAND ? (would need MAC_K(RAND ∥ RAND_B), which the attacker can't compute)
Bob → Alice: MAC_K(RAND_B ∥ RAND)

► Attacker can only reflect a MAC with the random numbers in Bob's order, not in the order expected from Alice
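As an added worked example (not from the lecture slides), the random-number variant of the mutual MAC-based protocol of slide 9 in Python, with the protection just described: each side MACs the two nonces with its own nonce first and, as the timestamp variant does with ID_A and ID_B, binds its own identity into the MAC, so a message Bob produced can never pass Bob's own check as a message from Alice. The key K, the identity strings, the 16-byte nonce length and the length-prefixed concatenation are constructed for this example; HMAC-SHA256 stands in for the lecture's generic MAC_K.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Long-term key K shared by Alice and Bob (constructed sample value, not a real key;
# in practice generate it with secrets.token_bytes(32) and provision it out of band).
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def mac(key: bytes, *parts: bytes) -> bytes:
    """MAC_K(part_1 ∥ part_2 ∥ ...) as HMAC-SHA256.

    Each part is length-prefixed so the concatenation is unambiguous and
    RAND_A ∥ RAND_B can never be re-parsed as RAND_B ∥ RAND_A.
    """
    encoded = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, encoded, hashlib.sha256).digest()


class Party:
    """One side of the random-number variant of the mutual MAC-based protocol."""

    def __init__(self, key: bytes, identity: bytes, peer: bytes) -> None:
        self.key = key
        self.id = identity
        self.peer_id = peer
        self.my_rand = b""
        self.peer_rand = b""

    def challenge(self) -> bytes:
        """Message 1 (Bob -> Alice): a fresh challenge RAND_B."""
        self.my_rand = secrets.token_bytes(16)
        return self.my_rand

    def respond(self, rand_b: bytes) -> Tuple[bytes, bytes]:
        """Message 2 (Alice -> Bob): MAC_K(ID_A ∥ RAND_A ∥ RAND_B) ∥ RAND_A."""
        self.peer_rand = rand_b
        self.my_rand = secrets.token_bytes(16)
        return mac(self.key, self.id, self.my_rand, rand_b), self.my_rand

    def verify_and_finish(self, tag: bytes, rand_a: bytes) -> Optional[bytes]:
        """Bob checks message 2; if valid, returns message 3 MAC_K(ID_B ∥ RAND_B ∥ RAND_A)."""
        expected = mac(self.key, self.peer_id, rand_a, self.my_rand)
        if not hmac.compare_digest(tag, expected):
            return None  # wrong key, wrong nonce order or wrong identity: reject
        self.peer_rand = rand_a
        return mac(self.key, self.id, self.my_rand, rand_a)

    def verify_final(self, tag: bytes) -> bool:
        """Alice checks message 3 against the nonces of this run."""
        expected = mac(self.key, self.peer_id, self.peer_rand, self.my_rand)
        return hmac.compare_digest(tag, expected)


def run_honest() -> bool:
    """Full three-message run between an honest Alice and Bob."""
    alice = Party(K, b"Alice", b"Bob")
    bob = Party(K, b"Bob", b"Alice")
    rand_b = bob.challenge()
    tag_a, rand_a = alice.respond(rand_b)
    tag_b = bob.verify_and_finish(tag_a, rand_a)
    return tag_b is not None and alice.verify_final(tag_b)


def run_reflected() -> bool:
    """A reflected message: the tag has Bob's own format (Bob's identity, Bob's nonce
    first). Returns True only if Bob wrongly accepts it as Alice's reply."""
    bob = Party(K, b"Bob", b"Alice")
    rand_b = bob.challenge()
    rand_x = secrets.token_bytes(16)
    reflected_tag = mac(K, b"Bob", rand_b, rand_x)  # what Bob would send, not Alice
    return bob.verify_and_finish(reflected_tag, rand_x) is not None
```

The order and identity checks live entirely in the MAC input: a verifier never has to inspect the tag itself, it only recomputes what the legitimate peer must have computed and compares in constant time.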




Entity Authentication Alone is Useless!

► An authentication exchange typically only guarantees that one specific message originates from a particular entity
► If a hash of previously sent messages is included, these can be authenticated as well
► But: what about future messages exchanged? And what about encryption?
● Could keep signing messages if signatures are used
► Very inefficient
● Could keep computing MACs with key K on all messages
► Key K would be used repeatedly on lots of traffic

Solution: Session Keys
► Establish new session keys for integrity protection and encryption
► Thus, create independence across communication sessions
► Limit the amount of data protected under the same key


Session Key Establishment Protocols

A session key establishment protocol is a protocol
► that establishes a shared secret key between two parties

There are two types of key establishment protocols
► Key transport protocols
§ Key generated by one party, securely transported to the other party
► Key agreement protocols
§ Shared key is derived from input of both parties, e.g. like in the Diffie-Hellman key agreement protocol

Examples
► Simple key transport protocol
§ Assume A and B share a long-term key K
§ A selects a session key SK
§ Computes E_K(SK) and sends it to B
§ B decrypts E_K(SK) with K and thus obtains SK
► Diffie-Hellman key agreement (Chapter 4)
§ Each party selects a random private value
§ Computes a public value based on the private one
§ Parties exchange the public values
§ Each computes the key as a function of its own private and the other party's public value


Objectives of Key Establishment Protocols

Authenticated key establishment
► Entity authentication (see above)
► Implicit key authentication: a party is assured that no other party but a particular second party may gain access to the established key

Explicit key authentication
► Implicit key authentication
► Key confirmation: a party is assured that a second party has possession of the established key

Additional objectives
► Key freshness: a party is assured that the key is newly generated and not a replayed old key
► Perfect forward secrecy: a future compromise of long-term keys does not compromise past session keys
► Protection against known-key attacks: the compromise of a past session key does not allow
§ a passive adversary to compromise future session keys
§ an active attacker to impersonate a party in the future

The objectives can hold for none, only one or both parties


Efficiency Considerations

● When analyzing the efficiency of protocols, we consider

► Number of messages exchanged between parties

► Bandwidth required by the messages (total number of bits transmitted)

► Complexity of computations that need to be carried out by the parties

► Possibility for pre-computation to reduce the online load during protocol execution


Example: Simple Key Transport Protocol

Simple key transport protocol
► Assume A and B share a long-term key K
► A selects a session key SK
► Computes E_K(SK) and sends it to B
► B decrypts E_K(SK) with K and thus obtains SK

A (K): choose SK, compute E_K(SK)
A → B: E_K(SK)
B (K): decrypt E_K(SK)

Properties
► Implicit key authentication
§ Yes, from both parties' point of view
► Key freshness
§ Yes, from A's point of view
§ No, from B's point of view
► Perfect forward secrecy
§ No
► Protection against known keys
§ Past session keys have no influence on new ones
► Authenticated key establishment
§ No! No entity authentication (replay possible)


Diffie-Hellman Key Agreement

Alice: choose random a, compute A = g^a mod p
Bob: choose random b, compute B = g^b mod p
Alice → Bob: A
Bob → Alice: B
Bob: compute K = A^b mod p
Alice: compute K = B^a mod p

As A^b mod p = g^ab = g^ba = B^a mod p, Alice and Bob now share the secret key K = g^ab

► Implicit key authentication
§ No
► Key freshness
§ Yes, from both parties' point of view
► Perfect forward secrecy
§ Yes, future keys completely independent
► Protection against known keys
§ Yes, past session keys have no influence on future ones
► Authenticated key establishment
§ No! No entity authentication (replay possible), no implicit key authentication




Diffie-Hellman Key Agreement with Implicit Key Authentication

Alice: public key pk_A, private key sk_A, public key of Bob pk_B
Bob: public key pk_B, private key sk_B, public key of Alice pk_A

Alice: pick a at random from {2, …, p − 2}, compute A = g^a mod p, compute sig_A = sig_skA(A)
Alice → Bob: A ∥ sig_A
Bob: verify sig_A with pk_A, pick b at random from {2, …, p − 2}, compute B = g^b mod p, compute sig_B = sig_skB(B), compute K = A^b mod p
Bob → Alice: B ∥ sig_B
Alice: verify sig_B with pk_B, compute K = B^a mod p

● Implicit key authentication
► Public DH value has been signed by the desired second party
► Only that party (if any) will be able to compute K
● But: no entity authentication
► Old messages could be replayed
► Parties do not get a guarantee that the other party interacts right now


Authenticated Diffie-Hellman Key Agreement with Signatures

Alice: public key pk_A, private key sk_A, public key of Bob pk_B
Bob: public key pk_B, private key sk_B, public key of Alice pk_A

Alice: pick a at random from {2, …, p − 2}, compute A = g^a mod p
Alice → Bob: A
Bob: pick b at random from {2, …, p − 2}, compute B = g^b mod p, compute sig_B = sig_skB(B ∥ A)
Bob → Alice: B ∥ sig_B
Alice: verify sig_B with pk_B, compute sig_A = sig_skA(A ∥ B), compute K = B^a mod p
Alice → Bob: sig_A
Bob: verify sig_A with pk_A, compute K = A^b mod p

● Mutual authentication between Alice and Bob
► See slide 8
► A and B act as random values here
● Implicit key authentication
► Alice is assured that B is from Bob, so only Bob can compute K (and herself)
► Same holds for Bob
⇒ Authenticated key agreement

Works with a shared key and MACs as well!
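Added example (not part of the slides): the variant the last line mentions, the authenticated DH exchange with a shared key and MACs in place of signatures, in Python. The toy group (p = 2^127 − 1, g = 3), the key K_LONG_TERM and the role labels "Alice"/"Bob" inside the MAC are assumptions of this example; the slide's sig_skB(B ∥ A) and sig_skA(A ∥ B) become MAC_K("Bob" ∥ B ∥ A) and MAC_K("Alice" ∥ A ∥ B), the label distinguishing the two messages because, unlike the two signing keys, both MACs use the same key.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Toy group parameters, constructed for illustration only: p = 2^127 - 1 is a (Mersenne)
# prime, g = 3. Real deployments use a standardized group (e.g. the RFC 3526 MODP groups)
# or an elliptic curve; a 127-bit modulus is far too small to be secure.
P = 2**127 - 1
G = 3

# Long-term key K shared by Alice and Bob (constructed sample value). It only authenticates
# the exchange; the session key comes from the fresh DH values.
K_LONG_TERM = bytes.fromhex("5a" * 32)


def mac(key: bytes, *parts: bytes) -> bytes:
    """MAC_K(part_1 ∥ part_2 ∥ ...) as HMAC-SHA256 over length-prefixed parts."""
    encoded = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, encoded, hashlib.sha256).digest()


def enc(x: int) -> bytes:
    """Fixed-width encoding of a group element (x < 2^127) for MAC input."""
    return x.to_bytes(16, "big")


def random_exponent() -> int:
    """Pick an exponent uniformly from {2, ..., p - 2}."""
    return secrets.randbelow(P - 3) + 2


def alice_msg1() -> Tuple[int, int]:
    """Alice: a at random, A = g^a mod p. Returns (a, A); message 1 is A."""
    a = random_exponent()
    return a, pow(G, a, P)


def bob_msg2(A: int) -> Tuple[int, int, bytes]:
    """Bob: b at random, B = g^b mod p, tag_B = MAC_K("Bob" ∥ B ∥ A), K = A^b mod p.
    Returns (K, B, tag_B); message 2 is B ∥ tag_B."""
    b = random_exponent()
    B = pow(G, b, P)
    return pow(A, b, P), B, mac(K_LONG_TERM, b"Bob", enc(B), enc(A))


def alice_msg3(a: int, A: int, B: int, tag_b: bytes) -> Optional[Tuple[int, bytes]]:
    """Alice: verify tag_B, then tag_A = MAC_K("Alice" ∥ A ∥ B), K = B^a mod p.
    Returns None if Bob's tag does not verify (e.g. B was substituted in transit)."""
    if not hmac.compare_digest(tag_b, mac(K_LONG_TERM, b"Bob", enc(B), enc(A))):
        return None
    return pow(B, a, P), mac(K_LONG_TERM, b"Alice", enc(A), enc(B))


def bob_verify(A: int, B: int, tag_a: bytes) -> bool:
    """Bob checks message 3 against the two public values of this run."""
    return hmac.compare_digest(tag_a, mac(K_LONG_TERM, b"Alice", enc(A), enc(B)))


def session_key(shared: int) -> bytes:
    """Hash the shared group element g^ab into a uniformly distributed session key."""
    return hashlib.sha256(enc(shared)).digest()


def run_honest() -> bool:
    """Complete run; True if both tags verify and both sides derive the same key."""
    a, A = alice_msg1()
    k_bob, B, tag_b = bob_msg2(A)
    result = alice_msg3(a, A, B, tag_b)
    if result is None:
        return False
    k_alice, tag_a = result
    return bob_verify(A, B, tag_a) and session_key(k_alice) == session_key(k_bob)


def run_substituted_b() -> bool:
    """A man in the middle without K replaces B by its own B' = g^b' mod p, which is what
    breaks unauthenticated DH. Returns True if Alice rejects message 2."""
    a, A = alice_msg1()
    _, _, tag_b = bob_msg2(A)
    b_fake = pow(G, random_exponent(), P)
    return alice_msg3(a, A, b_fake, tag_b) is None
```

Because the tag covers both public values of this run, a recorded B ∥ tag_B from an earlier session does not verify against a fresh A either, which is the entity-authentication property the unsigned variant on slide 21 lacks.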


Example Session Key Establishment without DH

Alice: shared secret key K
Bob: shared secret key K

Alice: pick a random number RAND_A
Alice → Bob: RAND_A
Bob: pick a random number RAND_B, compute SK = HMAC_K(RAND_A ∥ RAND_B)
Bob → Alice: MAC_SK(RAND_B ∥ RAND_A) ∥ RAND_B
Alice: compute SK = HMAC_K(RAND_A ∥ RAND_B), verify MAC received
Alice → Bob: MAC_SK(RAND_A ∥ RAND_B)
Bob: verify MAC received

● Implicit key authentication
► Yes! K required to compute SK
● Key freshness
► Yes, for both parties
● Perfect forward secrecy
► No! If K broken and exchange recorded, then SK broken
● Protection against known keys
► Past session keys have no influence on future ones
● Authenticated key establishment
► Yes!


Session Key Derivation: Key Hierarchies

● Key establishment protocols
► establish a session key SK based on long-term credentials and session-specific random numbers
● SK often used to derive additional keys, e.g.
► Integrity key and an encryption key
► Different keys for different directions
► A key derivation key for future derivations
● Results in key hierarchy
► Key derivation should be efficient
► A break of a lower layer key does not break higher layer keys or keys on the same layer

Example hierarchy
Long-term credentials + RANDs → key establishment protocol → SK
SK → MAC_SK(keylabel) → EK1, IK1, EK2, IK2, KDK
KDK → MAC_KDK(keylabel) → DK1, DK2
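Added example (not the lecture's code) covering the two slides above: the session key SK = HMAC_K(RAND_A ∥ RAND_B) of the previous slide and the derivation of EK1, IK1, EK2, IK2 and KDK from SK, and of DK1, DK2 from KDK, as MAC_parent(keylabel). The 32-byte key lengths, the label strings and the counter-mode extension for longer outputs (borrowed from HKDF-Expand, RFC 5869, which the references list) are choices of this example, not of the slides.

```python
import hashlib
import hmac
from typing import Dict


def establish_sk(k_long_term: bytes, rand_a: bytes, rand_b: bytes) -> bytes:
    """SK = HMAC_K(RAND_A ∥ RAND_B). The nonces are fixed to 16 bytes each here,
    so plain concatenation cannot be re-parsed with a shifted boundary."""
    if len(rand_a) != 16 or len(rand_b) != 16:
        raise ValueError("RAND_A and RAND_B must be 16 bytes each")
    return hmac.new(k_long_term, rand_a + rand_b, hashlib.sha256).digest()


def derive_key(parent: bytes, key_label: str, length: int = 32) -> bytes:
    """Child key = MAC_parent(keylabel), extended in the counter mode of HKDF-Expand:
    T(1) = HMAC(parent, label ∥ 0x01), T(i) = HMAC(parent, T(i-1) ∥ label ∥ i)."""
    if not 1 <= length <= 255 * 32:
        raise ValueError("length out of range")
    label = key_label.encode("ascii")
    output, previous, counter = b"", b"", 1
    while len(output) < length:
        previous = hmac.new(parent, previous + label + bytes([counter]), hashlib.sha256).digest()
        output += previous
        counter += 1
    return output[:length]


# Labels of the example hierarchy: encryption and integrity keys for two directions plus a
# key derivation key, from which DK1 and DK2 are derived in a second step.
SESSION_LABELS = ("EK1", "IK1", "EK2", "IK2", "KDK")
DERIVED_LABELS = ("DK1", "DK2")


def build_hierarchy(sk: bytes) -> Dict[str, bytes]:
    """Derive every key of the two-layer hierarchy from SK. Only KDK is used as a parent,
    so a leaked EK1 reveals nothing about IK1, EK2, ... or about SK and KDK above it."""
    keys = {label: derive_key(sk, label) for label in SESSION_LABELS}
    kdk = keys["KDK"]
    keys.update({label: derive_key(kdk, label) for label in DERIVED_LABELS})
    return keys


def sample_hierarchy() -> Dict[str, bytes]:
    """Constructed sample inputs: a fixed long-term key and two fixed nonces."""
    k_long_term = bytes.fromhex("11" * 32)
    rand_a, rand_b = bytes.fromhex("aa" * 16), bytes.fromhex("bb" * 16)
    return build_hierarchy(establish_sk(k_long_term, rand_a, rand_b))
```

The labels make the derivation domain-separated: two children of the same parent differ only in the label, and because HMAC is a PRF their values are independent of each other, which is exactly the "break of one key on a layer does not break its siblings" property the slide asks for.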




Facilitating Key Distribution with Trusted Third Parties

Assumption so far: Alice and Bob
► Either already share a secret (long-term) key
► Or have an authentic copy of each other's public keys

Trusted Third Party
► Mediator to reduce the number of pre-installed keys required

Symmetric case: Key Distribution Centers
► Each client shares a secret key with the key distribution center
► The key distribution center helps to establish keys between its clients

Asymmetric case: Certification Authorities
► Each client has the public key of a certification authority pre-installed
► The certification authority helps to distribute authentic copies of public keys


Example: Key Transport with a KDC

KDC stores: ID_A : K_A, ID_B : K_B, ID_C : K_C, ⋮

Bob → Alice: ID_B ∥ N_B
Alice → KDC: ID_A ∥ ID_B ∥ N_A ∥ N_B
KDC → Alice: E_KA(K_AB ∥ ID_B ∥ N_A) ∥ E_KB(K_AB ∥ ID_A ∥ N_B)
Alice → Bob: E_KB(K_AB ∥ ID_A ∥ N_B)

● KDC shares a long-term secret key K_A with Alice and K_B with Bob
● Upon request, KDC generates a session key K_AB for Alice and Bob
● E_K here stands for an AEAD encryption with K
● N_B and N_A authenticate the KDC to Bob and Alice, respectively
● Inclusion of ID_B in E_KA(K_AB ∥ ID_B ∥ N_A) gives Alice implicit key authentication of K_AB
● Inclusion of ID_A in E_KB(K_AB ∥ ID_A ∥ N_B) gives Bob implicit key authentication of K_AB
● No perfect forward secrecy, no key freshness, protection against known key attacks




Certification Authorities and Public Key Infrastructures

● Certification Authority
► Signs a certificate for each of its clients
► Certificate
§ owner ID: identifier of the owner of the public key
§ public key of owner
§ issuer ID: identifier for the CA that issued the certificate
§ Validity period: not-before and not-after dates defining when this certificate becomes valid and when it expires
§ Signature of the issuing CA on all of the content of the certificate, binds public key to owner ID
● Anyone in possession of the public key of the CA
► Can verify the authenticity of the public key of the owner

Certificate (fields): owner ID, public key of owner, issuer ID, validity period, signature of issuer
Certificate Verification

● Anyone in possession of the public key of the CA
► Can verify the authenticity of the public key of the owner
● Certificate verification entails
► checking the validity period of the certificate
► checking that the owner ID is as expected
§ E.g., in the context of the web: does the domain name included as identifier in the certificate match the host name part of the URL of the visited website?
► checking the signature on the certificate with the public key of the issuer
► checking the revocation status of the certificate

Certificate (fields): owner ID, public key of owner, issuer ID, validity period, signature of issuer


Certificate Revocation Approaches

Certificates may need to be revoked before they expire
► Due to stolen devices, precaution after malware infection, …
► Due to lost passwords unlocking private keys

Certificate revocation lists = CRLs
► Issuing CA periodically publishes a signed CRL
► CRL includes serial numbers of all revoked unexpired certificates
► Disadvantage: revocation only as timely as the period used to publish CRLs

Online Certificate Status Protocol = OCSP
► Protocol to obtain immediate feedback on the revocation status of certificates
► Advantage: very timely revocation possible
► May add additional overhead and requires connectivity to the OCSP server


Chains of Certificates

● Hierarchies of certification authorities
► A root CA signs certificates for the public keys of second level CAs
► Second level CAs sign certificates of clients
► More levels possible

Example chain (each certificate is fetched, then verified with the public key of the next one up):
Root CA certificate: Root CA ID, public key of Root CA, issuer: Root CA ID, validity period, signature of issuer (self-signed)
CA certificate: CA ID, public key of CA, issuer: Root CA ID, validity period, signature of Root CA (verify with public key of Root CA)
Certificate: owner ID, public key of owner, issuer: CA ID, validity period, signature of CA (verify with public key of CA)


Verifying Chains of Certificates

● Check validity period of each certificate
● Check revocation status on each certificate
● Verify signature on each certificate in the chain
● Check if root CA is trusted for this application
● Check if owner ID is as expected

Example chain (as on the previous slide):
Root CA certificate: Root CA ID, public key of Root CA, issuer: Root CA ID, validity period, signature of issuer (self-signed)
CA certificate: CA ID, public key of CA, issuer: Root CA ID, validity period, signature of Root CA (verify with public key of Root CA)
Certificate: owner ID, public key of owner, issuer: CA ID, validity period, signature of CA (verify with public key of CA)
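Added example (not from the slides) of the five chain checks just listed, in Python. A certificate is a small record with the fields of slide 29; the signature scheme is a constructed toy Schnorr-style scheme over a 127-bit group, standing in for the RSA or ECDSA signatures of real certificates, and the names "Root CA", "Intermediate CA" and "bob.example", the serial numbers and the dates are made up for the sample chain. Revocation is modelled as a set of (issuer, serial) pairs, which is what a CRL carries.

```python
import hashlib
import secrets
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Toy Schnorr-style signature mod p, constructed for illustration only (p = 2^127 - 1 is
# prime, g = 3). Real certificates carry RSA or ECDSA signatures; the chain logic is the point.
P, G = 2**127 - 1, 3


def keygen() -> Tuple[int, int]:
    """Returns (private key x, public key y = g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def _challenge(r: int, data: bytes) -> int:
    digest = hashlib.sha256(r.to_bytes(16, "big") + data).digest()
    return int.from_bytes(digest, "big") % (P - 1)


def sign(sk: int, data: bytes) -> Tuple[int, int]:
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    return r, (k + _challenge(r, data) * sk) % (P - 1)


def verify(pk: int, data: bytes, sig: Tuple[int, int]) -> bool:
    r, s = sig
    return pow(G, s, P) == (r * pow(pk, _challenge(r, data), P)) % P


@dataclass(frozen=True)
class Certificate:
    serial: int
    owner_id: str
    owner_pk: int
    issuer_id: str
    not_before: date
    not_after: date
    signature: Tuple[int, int] = (0, 0)  # filled in by issue()

    def tbs(self) -> bytes:
        """To-be-signed content: every field except the signature itself."""
        return (f"{self.serial}|{self.owner_id}|{self.owner_pk}|{self.issuer_id}|"
                f"{self.not_before}|{self.not_after}").encode()


def issue(issuer_sk: int, cert: Certificate) -> Certificate:
    """The issuing CA signs the certificate content with its private key."""
    return replace(cert, signature=sign(issuer_sk, cert.tbs()))


def verify_chain(chain: List[Certificate], trusted_roots: Dict[str, int],
                 revoked: Set[Tuple[str, int]], expected_owner: str, today: date) -> Optional[int]:
    """chain[0] is the end-entity certificate, chain[-1] the self-signed root.
    Returns the end-entity public key if every check passes, otherwise None."""
    for i, cert in enumerate(chain):
        if not (cert.not_before <= today <= cert.not_after):       # 1. validity period
            return None
        if (cert.issuer_id, cert.serial) in revoked:                 # 2. revocation status
            return None
        issuer = chain[i + 1] if i + 1 < len(chain) else cert        # root signs itself
        if cert.issuer_id != issuer.owner_id:                        # chain must link by name
            return None
        if not verify(issuer.owner_pk, cert.tbs(), cert.signature):  # 3. issuer's signature
            return None
    root = chain[-1]
    if trusted_roots.get(root.owner_id) != root.owner_pk:            # 4. trusted root (ID and key)
        return None
    if chain[0].owner_id != expected_owner:                          # 5. owner ID as expected
        return None
    return chain[0].owner_pk


def build_sample_chain() -> Tuple[List[Certificate], Dict[str, int], int]:
    """Constructed sample PKI: Root CA -> Intermediate CA -> end entity bob.example."""
    root_sk, root_pk = keygen()
    ca_sk, ca_pk = keygen()
    _, bob_pk = keygen()
    root = issue(root_sk, Certificate(1, "Root CA", root_pk, "Root CA", date(2024, 1, 1), date(2034, 1, 1)))
    ca = issue(root_sk, Certificate(2, "Intermediate CA", ca_pk, "Root CA", date(2024, 1, 1), date(2029, 1, 1)))
    bob = issue(ca_sk, Certificate(3, "bob.example", bob_pk, "Intermediate CA", date(2025, 1, 1), date(2026, 1, 1)))
    return [bob, ca, root], {"Root CA": root_pk}, bob_pk


def check_sample(expected_owner: str, year: int, revoked_serial: Optional[int] = None,
                 trust_root: bool = True, tamper: bool = False) -> bool:
    """Run verify_chain on the sample chain under one scenario; True if Bob's key is accepted."""
    chain, roots, bob_pk = build_sample_chain()
    if tamper:  # swap the end-entity key without re-signing: the CA's signature no longer fits
        chain = [replace(chain[0], owner_pk=42)] + chain[1:]
    revoked = {("Intermediate CA", revoked_serial)} if revoked_serial is not None else set()
    result = verify_chain(chain, roots if trust_root else {}, revoked, expected_owner, date(year, 6, 1))
    return result == bob_pk
```

The loop deliberately verifies the root's self-signature too, but that signature proves nothing on its own: only the lookup in trusted_roots (by name and key) makes the chain trustworthy, which is why a chain ending in an unknown root fails even though every signature in it is valid.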


Example Secure Authenticated DH with Chain of Certificates

Alice: public key pk_A, private key sk_A, public key of root CA pk_root
Bob: public key pk_B, private key sk_B, public key of root CA pk_root

Alice: pick a at random from {2, …, p − 2}, compute A = g^a mod p
Alice → Bob: A
Bob: pick b at random from {2, …, p − 2}, compute B = g^b mod p, compute sig_B = sig_skB(B ∥ A)
Bob → Alice: B ∥ sig_B ∥ cert_B
Alice: verify chain of certificates cert_B, verify sig_B with pk_B extracted from B's certificate, compute sig_A = sig_skA(A ∥ B), compute K = B^a mod p
Alice → Bob: sig_A ∥ cert_A
Bob: verify chain of certificates cert_A, verify sig_A with pk_A extracted from A's certificate, compute K = A^b mod p

● cert_B / cert_A: chain of certificates starting with a certificate for B / A, where the last one is the root certificate


Password-based Authentication

Three main flavors used in practice

● Certificate-based server authentication and password-based user authentication
► Vulnerable to dictionary attacks if password file stolen
► Used, e.g., in HTTPS

● MAC-based authenticated key exchange
► MAC key derived from password
► Vulnerable to dictionary attacks
► Used, e.g., in the 4-Way-Handshake in WPA2 WLAN

● Password-Authenticated Diffie-Hellman
► Protected against dictionary attacks
► Same (one-time) password entered on both devices
► Used, e.g., in Secure Authentication of Equals in WPA3




Password Length and Bit-Equivalence

● Assume users can choose n-character passwords
► small letters = 26 and capital letters = 26
► numbers = 10, special characters except for space = 32
● Then there are 94^n theoretically possible passwords
► n = 8 ⇒ ≈ 2^52 possible passwords ≙ random secret key of 52 bit
► n = 16 ⇒ ≈ 2^104 possible passwords ≙ random secret key of 104 bit
● Users tend NOT to select passwords randomly!
► Mainly because they cannot remember random passwords longer than 8 characters
► And on average only one of these

(Figure: passwords selected by users form a small subset of the potential passwords)
Classic Example: Users' Self-selected Banking PINs 2012

● Distribution of 4-digit PINs in a database of 32 million banking PINs (figure)
● Enforcing rules on the password selection reduces the overall number of possible passwords
► E.g., if 8 characters are used and at least one of them needs to be an upper case letter, one a lower case letter, one a number and one a special character
► Longer passwords required
● General recommendation
► Use random passwords and a password manager


Password-based User and Certificate-based Server Authentication

User: public key of server pk_S
Server: public key pk_S, private key sk_S, password file (contains usernames and passwords)

User: pick a at random from {2, …, p − 2}, compute A = g^a mod p
User → Server: A
Server: pick s at random from {2, …, p − 2}, compute S = g^s mod p, compute K = A^s mod p, compute sig_S = sig_skS(S ∥ A)
Server → User: S ∥ sig_S
User: verify sig_S with pk_S, compute K = S^a mod p
User → Server: user ∥ E_K(pwd)
Server: decrypt pwd, compare to stored pwd

Server authenticated by a unilaterally authenticated DH key exchange; user authenticates to the server with pwd, pwd protected with fresh key K


Storing Passwords in Password Files (1)

In the clear?
► If attacker gains access to the file, break is immediate

User    pwd
Alice   D^6as$%kjahG
Bob     (*&)A8a;sdifh

Encrypted?
► No immediate access
► But: encryption key needs to be stored somewhere
► Decryption adds overhead

User    pwd              E_K(pwd)
Alice   D^6as$%kjahG     Svl0EKlmp76XcePiC+wL7g
Bob     (*&)A8a;sdifh    1YE/i6MU4lBEnmbq/Wn1Zw
Key: a57987a344d32336


Storing Passwords in Password Files (2)

Store h(pwd) using a cryptographic hash function
► Attacker only learns hashes from file
► Cannot compute pre-images of the hashes
► But: what if multiple users use the same pwd?

User    pwd              SHA256(pwd)
Alice   D^6as$%kjahG     c25559cad0aca1566d4ba7609759e2de824c8af9e1e0b27891e99ac495e77877
Bob     (*&)A8a;sdifh    f69f1260b38daf282d8d729df34e40c0bdf0fb634f72fe7c17b09054d96c5724
Clare   (*&)A8a;sdifh    f69f1260b38daf282d8d729df34e40c0bdf0fb634f72fe7c17b09054d96c5724

Better: store a random salt and h(pwd ∥ salt)
► Now users using the same passwords will have different hashes

User    pwd              salt     SHA256(pwd ∥ salt)
Alice   D^6as$%kjahG     (*daw    3bcc5a93e5510780f3ce13b8f673758cee1e246963be321ced2d6f2d74054558
Bob     (*&)A8a;sdifh    &OGa8    373d0dd007c4409bdc5a05e6174e5322e88cc16d736d71c99a8876f01c70a9d9
Clare   (*&)A8a;sdifh    6YY34    5ee7d56e09d86f7d262fc0d68f27861644252c1dbd80cb59bbd6cedf6c080831
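Added example (not the slides' own code): a password file that stores a random per-user salt and SHA-256(pwd ∥ salt), with a constant-time check on login, built from the user names and passwords of the table above. The salts are freshly generated on each run, so the digests differ from those printed on the slide; the 16-byte salt length and the dummy record for unknown users are choices of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# One record per user: (salt, SHA-256(pwd ∥ salt)); the password itself is never stored.
PasswordFile = Dict[str, Tuple[bytes, bytes]]


def hash_password(pwd: str, salt: bytes) -> bytes:
    """h(pwd ∥ salt) with h = SHA-256. With salt = b"" this is the unsalted h(pwd)."""
    return hashlib.sha256(pwd.encode("utf-8") + salt).digest()


def add_user(pwfile: PasswordFile, user: str, pwd: str) -> None:
    """Draw a fresh 16-byte random salt for this user and store it with the salted hash."""
    salt = secrets.token_bytes(16)
    pwfile[user] = (salt, hash_password(pwd, salt))


# Dummy record so that a login attempt for an unknown user does the same work as for a
# known one, instead of returning early and revealing which user names exist.
_DUMMY = (bytes(16), hash_password("", bytes(16)))


def check_password(pwfile: PasswordFile, user: str, pwd: str) -> bool:
    """Recompute h(pwd ∥ salt) with the stored salt and compare in constant time."""
    salt, stored = pwfile.get(user, _DUMMY)
    matches = hmac.compare_digest(stored, hash_password(pwd, salt))
    return matches and user in pwfile


def same_password_visible(pwfile: PasswordFile, user1: str, user2: str) -> bool:
    """True if two stored hashes are equal, i.e. someone holding the file can see that
    the two users share a password. With per-user salts this is False."""
    return pwfile[user1][1] == pwfile[user2][1]


def build_sample_file() -> PasswordFile:
    """The users and passwords of the slide's table (constructed sample data)."""
    pwfile: PasswordFile = {}
    add_user(pwfile, "Alice", "D^6as$%kjahG")
    add_user(pwfile, "Bob", "(*&)A8a;sdifh")
    add_user(pwfile, "Clare", "(*&)A8a;sdifh")  # same password as Bob
    return pwfile
```

The salt only prevents precomputation and hides shared passwords; it does not slow down a guess. Production systems therefore replace the single SHA-256 call with a deliberately slow password hash (hashlib.pbkdf2_hmac in the standard library, or scrypt/Argon2), keeping the same salted-record layout.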


Dictionary Attacks on Password Files

● Dictionary
► List of commonly used passwords
● Dictionary attack
► Try out all passwords in the dictionary
► Compare computed hashes with stored ones

Attack on a stolen password file w/o salts
► Pre-compute h(pwd) for any pwd in the dictionary
► Compare computed hashes with stored ones
► Needs to be done only once

Attack on a stolen password file with salts
► Compute h(pwd ∥ salt) for any salt in the password file and any pwd in the dictionary
► Salts are pwd-file specific


Authentication and Key Agreement with Password-Generated MAC Keys

Alice: K = h(pwd)
Bob: K = h(pwd)

Alice: pick a random number RAND_A
Alice → Bob: RAND_A
Bob: pick a random number RAND_B, compute SK = HMAC_K(RAND_A ∥ RAND_B)
Bob → Alice: MAC_SK(RAND_B ∥ RAND_A) ∥ RAND_B
Alice: compute SK = HMAC_K(RAND_A ∥ RAND_B), verify MAC received
Alice → Bob: MAC_SK(RAND_A ∥ RAND_B)
Bob: verify MAC received

● Secret key generated by a shared password
● Note that the key is only as strong as the password
► K will be 128 bit but will be as easily guessable as the pwd


Dictionary Attack on Password-Authenticated Key Agreement

Alice: K = h(pwd)
Bob: K = h(pwd)

Alice: pick RAND_A
Alice → Bob: RAND_A
Bob: pick RAND_B, compute SK = HMAC_K(RAND_A ∥ RAND_B)
Bob → Alice: MAC_SK(RAND_B ∥ RAND_A) ∥ RAND_B
Alice: compute SK = HMAC_K(RAND_A ∥ RAND_B), verify MAC received
Alice → Bob: MAC_SK(RAND_A ∥ RAND_B)
Bob: verify MAC received

● Record the message flow
► RAND_A, RAND_B
► MAC_SK(RAND_B ∥ RAND_A)
● For pwd' in the dictionary
► compute K' = h(pwd')
► compute SK' from recorded RANDs
► Check if MAC_SK'(RAND_B ∥ RAND_A) = MAC_SK(RAND_B ∥ RAND_A) recorded
► If yes: pwd = pwd'
► Else: try next pwd' in dictionary


Summary

● Entity authentication requires
► an unforgeable proof that the other entity is active in the current protocol
► session key establishment
§ Ensures continuous authentication of the authenticated entity
● Entity authentication can be
► unilateral or mutual
► based on
§ secret keys using message authentication codes
§ or public/private key pairs
● Key establishment protocols
► can be key agreement or key transport protocols


Summary

Potential properties of key establishment protocols
► entity authentication
► implicit key authentication
§ entity authentication + implicit key authentication = authenticated key establishment
► key confirmation
§ implicit key authentication + key confirmation = explicit key authentication
► key freshness
► perfect forward secrecy
► protection against known key attacks


Summary

● Trusted third parties can help to
► reduce the number of pre-stored keys that need to be exchanged
► Key distribution centers are TTPs that
§ help their clients establish symmetric keys
► CAs are TTPs that
§ help to distribute authentic copies of their clients' public keys
● End-users are often authenticated with the help of passwords
► The larger the alphabet and the longer the password, the stronger the password is
● End-users tend to pick specific passwords more often than others
► Can compile a dictionary of often picked passwords


References

● W. Stallings, Cryptography and Network Security: Principles and Practice, 8th edition, Pearson 2022
► Chapter 15: Cryptographic Key Management and Distribution
► Chapter 16: User Authentication
● RFC 5869: HMAC-based Extract-and-Expand Key Derivation Function (HKDF)