Fun/Informative Bit: Brain Study to Measure Security Behavior

Similar documents
CS 392/681 - Computer Security

Key Management and Distribution

Key Management and Distribution

Computer and Network Security. Outline

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 15.1

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

CS 356 Lecture 28 Internet Authentication. Spring 2013

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Authentication Applications

Lecture VII : Public Key Infrastructure (PKI)

Cryptography and Network Security

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security Protocols

How To Understand And Understand The Security Of A Key Infrastructure

How To Use Kerberos

Chapter 4. Authentication Applications. COSC 490 Network Security Annie Lu 1

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

How To Make A Trustless Certificate Authority Secure

Introduction to Network Security Key Management and Distribution

Authentication Applications

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

CSE543 - Introduction to Computer and Network Security. Module: Public Key Infrastructure

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

Security Digital Certificate Manager

Security Digital Certificate Manager

Cryptography and Network Security Chapter 14

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Number of relevant issues

Public Key Infrastructure (PKI)

CERTIFICATION PRACTICE STATEMENT UPDATE

Introduction to Cryptography

Asymmetric cryptosystems fundamental problem: authentication of public keys

Part III-a. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Configuring Digital Certificates

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

SSL/TLS: The Ugly Truth

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure

CS549: Cryptography and Network Security

Lecture 10 - Authentication

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Cryptography and Network Security Digital Signature

ARCHIVED PUBLICATION

Expert Reference Series of White Papers. Fundamentals of the PKI Infrastructure

Cryptography and network security CNET4523

Network Security: Public Key Infrastructure

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

HKUST CA. Certification Practice Statement

Lecture 10 - Authentication

Understanding Digital Certificates and Wireless Transport Layer Security (WTLS)

Purpose of PKI PUBLIC KEY INFRASTRUCTURE (PKI) Terminology in PKIs. Chain of Certificates

Danske Bank Group Certificate Policy

Chapter 6 Electronic Mail Security

Strong Security in Multiple Server Environments

Chapter 16: Authentication in Distributed System

AD CS.

Neutralus Certification Practices Statement

SBClient SSL. Ehab AbuShmais

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Overview. SSL Cryptography Overview CHAPTER 1

Controller of Certification Authorities of Mauritius

1 Public Key Cryptography and Information Security

Public Key Infrastructure for a Higher Education Environment

Chapter 14. Key management and Distribution. Symmetric Key Distribution Using Symmetric Encryption

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Network Automation 9.22 Features: RIM and PKI Authentication July 31, 2013

DIMACS Security & Cryptography Crash Course, Day 2 Public Key Infrastructure (PKI)

White Paper. The risks of authenticating with digital certificates exposed

CSCE 465 Computer & Network Security

What s wrong with FIDO?

TOPIC HIERARCHY. Distributed Environment. Security. Kerberos

SSL Protect your users, start with yourself

CS Network Security: Public Key Infrastructure

Concept of Electronic Approvals

Kerberos-Based Authentication for OpenStack Cloud Infrastructure as a Service

Kerberos. Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, BC. From Italy (?).

Chapter 10. Network Security

Public Key Infrastructure

Symantec Trust Network (STN) Certificate Policy

SSL A discussion of the Secure Socket Layer

IT Networks & Security CERT Luncheon Series: Cryptography

SYSTEM MODEL KERBEROS OBJECTIVES PHYSICAL SECURITY TRUST: CONSOLIDATED KERBEROS MODEL TRUST: BILATERAL RHOSTS MODEL

Part 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext

MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory. Chapter 11: Active Directory Certificate Services

Authentication Application

IBM i Version 7.3. Security Digital Certificate Manager IBM

Take-home points. Distributed Systems Security II. Remember digital signatures. Today: Auth protocols

Windows Server 2008 PKI and Certificate Security

How To Encrypt Data With Encryption

Network Security Essentials Chapter 7

to hide away details from prying eyes. Pretty Good Privacy (PGP) utilizes many

Elements of Applied Cryptography. Key Distribution. Trusted third party: KDC, KTC Diffie-Helmann protocol The man-in-the-middle attack

Transcription:

Lecture 4.2: Key Distribution CS 436/636/736 Spring 2016 Nitesh Saxena Fun/Informative Bit: Brain Study to Measure Security Behavior Read More 2 1

Course Administration HW2 due Monday, 11am March 07 HW1 distributed Please pick if you haven t already HW1 solution has been emailed Accidentally sent to another class earlier Lecture 5.2: Private Key Distribution 3 Mid-Term Exam Course Administration On March 17 (Thursday) In class, from 5-7pm Covers lectures up to lectures 4.* (this week) In-class review on Mar 09. Strictly closed-book (no cheat-sheets are allowed) A sample exam will be provided as we near the exam date Lecture 5.2: Private Key Distribution 4 2

Outline of Today s lecture Key Distribution Introduction Protocol for private key distribution Kerberos: Real-world system Public Key distribution 5 Some questions from last time Can OTP make for a good MAC? Can H(K m) make for a good MAC? Does HMAC provide non-repudiation? 6 3

Key Distribution Cryptographic primitives seen so far assume In private key setting: Alice and Bob share a secret key which is unknown to Oscar. In public key setting: Alice has a trusted (or authenticated) copy of Bob s public key. But how does this happen in the first place? Alice and Bob meet and exchange key(s) Not always practical or possible. We need key distribution, first and foremost! Idea: make use of a trusted third party (TTP) 7 Private Key Distribution: an attempt Protocol assumes that Alice and Bob share a session key K A and K B with a Key Distribution Center (KDC). Alice calls Trent (Trusted KDC) and requests a session key to communicate with Bob. Trent generates random session key K and sends E KA (K) to Alice and E KB (K) to Bob. Alice and Bob decrypt with K A and K B respectively to get K. This is a key distribution protocol. Susceptible to replay attack! 8 4

Session Key Exchange with KDC Needham- Schroeder Protocol A -> KDC ID A ID B N 1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) KDC -> A E KA ( K ID B N 1 E KB (K ID A )) Encrypted(Here is a key, for you to talk to Bob as per your request N 1 and also an envelope to Bob containing the same key) A -> B E KB (K ID A ) (I would like to talk using key in envelope sent by KDC) B -> A E K (N 2 ) (OK Alice, But can you prove to me that you are indeed Alice and know the key?) A -> B E K (f(n 2 )) (Sure I can!) Dennig-Sacco (replay) attack on the protocol 9 Session Key Exchange with KDC Needham- Schroeder Protocol (corrected version with mutual authentication) A -> KDC: ID A ID B N 1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) KDC -> A: E KA ( K ID B N 1 E KB (TS1, K ID A )) Encrypted(Here is a key, for you to talk to Bob as per your request N 1 and also an envelope to Bob containing the same key) A -> B: E K (TS2), E KB (TS1, K ID A ) (I would like to talk using key in envelope sent by KDC; here is an authenticator) B -> A: E K (TS2+1) (OK Alice, here is a proof that I am really Bob) 10 5

Kerberos - Goals Security Next slide. Reliability Transparency Minimum modification to existing network applications. Scalability Modular distributed architecture. 11 Kerberos Security Goals No cleartext passwords over network. No cleartext passwords stored on servers. Minimum exposure of client and server keys. Compromise of a session should only affect that session Require password only at login. 12 6

Kerberos - Assumptions Global clock. There is a way to distribute authorization data. Kerberos provides authentication and not authorization. 13 Kerberos Key Distribution (1) Step 1 Joe to KDC Joe I would like to Talk to the File Server KDC Step 2 KDC Session key for User KDC Session key for service 14 7

Kerberos Key Distribution (2) Step 3 KDC Box 1 Session Key for Joe Box 2 Session Key for File server Dear Joe, This key for File server Locked With Joe s key Dear File server, This key for Use with Joe Locked With File Server s key Step 4 KDC to Joe Joe Box 1 Box 2 KDC 15 Kerberos Key Distribution (3) Step 5 Joe Opened Box 1 Box 2 Session Key for File server Dear Joe, This key for File server Dear File server, This key for Use with Joe Locked With File Server s key Step 6 Joe Box 3 Dear File server, The time is 3:40 pm Locked With Session key Box 2 Session Key for File server Dear File server, This key for Use with Joe Locked With File Server s key 16 8

Kerberos Key Distribution (4) Step 7 Joe to File server Joe Box 2 Box 3 File Server Unlocked Box 3 Unlocked Box 2 Step 8 File server Dear File server, The time is 3:40 pm Dear File server, This key for Use with Joe 17 Kerberos Key Distribution (5) For mutual authentication, file server can create box 4 with time stamp and encrypt with session key and send to Joe. Box 2 is called ticket. KDC issues ticket only after authenticating password To avoid entering passwords every time access needed, KDC split into two authenticating server and ticket granting server. 18 9

Kerberos One Slide Overview 19 Version 4 Summary 20 10

Kerberos - Limitations Every network service must be individually modified for use with Kerberos. Requires a global clock Requires secure Kerberos server. Requires continuously available or online server. 21 Stallings Chapter 15 HAC Chapter 12 Further Reading 22 11

Some questions Can a KDC learn communication between Alice and Bob, to whom it issued keys? What if the KDC server is down or congested? What if the KDC server is compromised? 23 Public Key Distribution Public announcements (such as email) Can be forged Public directory Can be tampered with Public-key certification authority (CA) (such as verisign) This is what we use in practice CA issues certificates to the users 24 12

Naming and Certificates Certification authority s vouch for the identity of an entity - Distinguished Names (DN). /O=UAB/OU=CIS/CN=Nitesh Saxena Although CN may be same, DN is different. Policies of certification Authentication policy What level of authentication is required to identify the principal. Issuance policy Given the identity of principal will the CA issue a certificate? 25 Types of Certificates CA s vouch at some level the identity of the principal. Example Verisign: Class 1 Email address Class 2 Name and address verified through database. Class 3- Background check. 26 13

Public Key Certificate Public Key Certificate Signed messages specifying a name (identity) and the corresponding public key. Signed by whom Certification Authority (CA), an organization that issues public key certificates. We assume that everyone is in possession of a trusted copy of the CA s public key. CA could be Internal CA. Outsourced CA. Trusted Third-Party CA. 27 Public Key Certificate Note: Mechanism of certification and content of certificate, will vary but at the minimum we have email verification and contains ID and Public Key. 28 14

Certificate Verification/Validation 29 Certificate Revocation CA also needs some mechanism to revoke certificates Private key compromised. CA mistake in issuing certificate. Particular service the certificate grants access to may no longer exist. CA compromised. Expiration time solves the problems only partially. Certification Revocation Lists (CRL) a list of every certificate that has been revoked but not expired. CRL s quickly grow large! CRL s distributed periodically. What about time period between revocation and distribution of CRL? Other mechanisms OCSP (online certificate status protocol) 30 15

X.509 Clearly, there is a need for standardization X.509. Originally 1988, revised 93 and 95. X.509 is part of X.500 series that defines a directory service. Defines a framework for authentication services by X.500 directory to its users. Used in S/MIME, IPSEC, SSL etc. Does not dictate use of specific algorithm (recommends RSA). 31 X.509 Certificate 32 16

Advantages of CA Over KDC CA does not need to be on-line all the time! CA can be very simple computing device. If CA crashes, life goes on (except CRL). Certificates can be stored in an insecure manner!! Compromised CA cannot decrypt messages. Scales well. 33 Internet Certificate Hierarchy Internet Policy Registration Authority Policy Certification Authorities Certification Authority Individuals/roles/orgs. 34 17

Types of certificates Organizational Certificates Principal s affiliation with an organization Residential certificates Principal s affiliation with an address Persona Certificates Principal s Identity Principal need not be a person. It could be a role. 35 Public-key Infrastructure (PKI) Combination of digital certificates, public-key cryptography, and certificate authorities. A typical enterprise's PKI encompasses issuance of digital certificates to users and servers end-user enrollment software integration with corporate certificate directories tools for managing, renewing, and revoking certificates; and related services and support Verisign, Thawte and Entrust PKI providers. Your own PKI using Mozilla/Microsoft certificate servers 36 18

Problems with PKI Private Key Where and how is private key stored? Host encrypted with pass phrase Host encrypted by OS or application Smart Card Assumes secure host or tamper proof smartcard. 37 Problems with PKI - Conflicts X.509, and PGP remain silent on conflicts. They assume CA s will ensure that no conflicts arise. But in practice conflicts may exist John A. Smith and John B. Smith may live at the same address. 38 19

Trustworthiness of Issuer A certificate is the binding of an external identity to a cryptographic key and a distinguished name. If the issuer can be fooled, all who rely upon the certificate can be fooled How do you trust CA from country XYZ (your favorite prejudice). 39 Further Reading Kerberos RFC: RFC-1510 X.509 page http://www.ietf.org/html.charters/pkixcharter.html Ten Risks of PKI - http://www.schneier.com/paper-pki.html 40 20

Some questions Can a KDC learn communication between Alice and Bob, to whom it issued keys? Can a CA learn communication between Alice and Bob, to whom it issued certificates? What happens if the CA is online all the time? Alice uses her private key, public key pairs and a CA issued certificate. She learnt that Eve might have leaned her key. What should she do? 41 Some Questions Sometimes when you access an https website, you get a security warning. What is that warning for? Sometimes when you connect to an SSH server, you get a security warning. What is that warning for? What is a self-signed certificate? 42 21

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information