Security Handshake Protocols
The following is a series of
security handshake protocols.
They are presented and
evaluated according to:
security
& pereformance
The performance parameters
are:
·
Number of messages,
·
Processing
power required, and
·
Compactness of messages
Shared Secret
· Protocol 1:
{==================================
I'm
>
<
a Challenge R
f(K, R)
>
==================================}
f(K,
R) : K is a shared secret between Alice and Bob.
f can be either encryption or hash function.
Pitfalls:
·
An
eavesdropper could mount an off-line
passwd-guessing attack
knowing both R and f (K,R).
· Protocol 2:
{===============================
Alice
Bob
I'm Alice
>
<
K{R}
R
>
===============================}
K{R}
is an encryption and not a hash function.
Pitfalls:
·
If
R is a recognizable
quantity (e.g., a 32-bit random
number padded with 32 zero bits to fill out
an encryption block), then:
Trudy, without eavesdropping, may mount a dictionary attack by
sending "I'm
Alice" and
obtaining K{R}.
·
On
the other hand,
Recognizing the 32 zero bits of R
·
To
foil the replaying of K{R} (Trudy impersonate Bob to
Use a timestamp instead of 32 zero bits to fill the encryption block.
· Protocol 3 & 4:
{===================================
Alice
Bob
Protocol 3:
I'm Alice, K{timestamp}
>
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Protocol 4:
I'm
>
====================================}
These two
protocols requires both Alice and Bob to have reasonably synchronized clocks.
Beside saving two messages,
Bob does
not need to keep any volatile
state (e.g., R).
Pitfalls:
·
If
Trudy can send
the same message to another server as
·
Even
if
If Trudy can reset back
Bob's clock, he can impersonate
Clock-setting could be serious security
vulnerability.
One-way
Public Key
In
the above four protocols,
Trudy
can impersonate
This can be avoided by
using public key technology.
· Protocol 5:
{================================
Alice
Bob
I'm Alice
>
<
R
sign R:
[R]Alice >
================================}
Pitfalls:
·
Trudy
can trick
· Protocol 6:
{================================
Alice
Bob
I'm Alice
>
X < --
{R}Alice
sign X:
R = [X]Alice
>
=================================}
Pitfalls:
·
Trudy
can trick
The solution for the above two pitfalls is to make sure that:
R has a known type/structure.
Shared
Secret
· Protocol
7:
{===============================
I'm
>
<
Rb
f(K, Rb)
>
Ra
>
<
f(K, Ra)
===============================}
· Protocol 8:
Reduce number of messages in Protocol
7 by
Putting more
than one item of information into each message:
{================================
I'm
Alice, Ra
>
<
f(K, Ra), Rb
f(K, Rb)
>
================================}
·
Pitfall 1: Reflection Attack
Trudy can impersonate
Opening a second connection
to Bob
(or to another sever that
share the same secret with
Session1:
{================================
Trudy
Bob
I'm
Alice, Ra
>
<
f(K, Ra), Rb
suspend session 1......
Session
2:
{=================================
Trudy Bob
I'm Alice, Rb ----
>
<
f(K, Rb), Rb'
abort session 2.......
=================================}
continue session 1......
f(K, Rb)
>
=================================}
Possible
fix:
Add your name to the
encrypted quantity:
{================================
I'm
Alice, Ra
>
<
f(K, Bob|Ra), Rb
f(K, Alice|Rb)
>
================================}
Why Protocol
7 does not suffer from the reflection attack?
It follows a good
security principle:
The initiator should be the first to prove its identity.
·
Pitfall 2: Passwod guessing
Trudy may mount an off-line password guessing attack:
{======================================
Trudy
Bob
I'm
Alice, Ra
>
<
f(K,
Ra), Rb
.........
suspend session and
use: Ra, and f(K,Ra) to guess K.
======================================}
Protocol 7 does not suffer from such attack
(though Trudy can impersonate Bob to mount such attack,
but it is much more difficult
to impersonate Bob than to impersonate
· Protocol 9:
Protocol 7 is very good, since it does not suffer from Reflection and Password attacks.
We can improve it by reducing the number of messages to
four instead of five as
follows:
{===============================
I'm
>
<
Rb
f(K, Rb), Ra
>
<
f(K, Ra)
===============================}
· Protocol 10:
We
can use time stamps to reduce
the number of messages to two:
{=================================
I'm
>
< f(K, timestamp++)
=================================}
Two-way Public Key
· Protocol
11:
{================================
Alice
Bob
I'm Alice , Ra
>
<
[Ra]Bob , Rb
[Rb]Alice
>
=================================}
· Protocol 12:
{===============================
Alice
Bob
I'm Alice, {Ra}Bob
>
< ---
Ra, {Rb}Alice
Rb
>
===============================}
KDC operation (in Principle):
{=====================================
>
<
Ka {use Kab for Bob}
Kb {use Kab for
>
=====================================}
KDC operation (in Practice):
{======================================
>
<
Ka {use Kab for Bob},
ticket
to Bob = Kb
{use Kab for
"I'm
>
..........
mutual
authentication using
Kab ...........
======================================}
Classical Examples of KDC
authentication
The Basic Needham-Shroeder Protocol
{======================================
N1, Alice wants Bob
>
<
Ka {N1,"Bob",
Kab, ticket to Bob},
where ticket
to Bob
= Kb {Kab, "
ticket to Bob, Kab{N2}
>
<
Kab{N2--, N3}
Kab {N3--}
>
======================================}
(e.g., a sequence numer, random number, timestamp).
replaying old replies to
The Kerberos Authentication
Protocol:
It is
based on Needham-Shroered protocol,
but is
much simpler since it is based on timestamp
and the
ticket includes expiration date.
{=====================================
N1, Alice wants Bob
>
<
Ka{N1,"Bob",
Kab, ticket to Bob},
where ticket to Bob = Kb {Kab, "
ticket to Bob, Kab{timestamp}
>
<
Kab{timestamp++}
=====================================}