Notes - Computer Security MT24, Key distribution and mediated authentication
Flashcards
What problem does a trusted third party (TTP) solve in the context of key distribution?
It removes the need for $O(n^2)$ shared secrets (one per pair of parties).
What is the precise meaning of “trusted” in trusted third party (TTP)?
In this context, trusted refers to subjects who can destroy the system by behaving badly.
@Describe the key distribution centre (KDC) approach to key distribution.
If Alice wants an authenticated session with Bob, she talks securely to the TTP, which then communicates securely with Bob in order to set up a shared session key.
@Describe the certification authority (CA) approach to key distribution.
Alice generates a public key which is then signed by the CA, indicating that it is valid. Then, when Bob wants to communicate with Alice, assuming he trusts the CA, he can be sure that Alice’s public key is correct.
What are the pros and cons of key distribution centres versus certification authorities?
- Key distribution centres must be online (and are therefore a bottleneck and vulnerable to a DoS attack), whereas CAs don’t need to be online.
- If a KDC is compromised, it can eavesdrop on all communication between users, whereas a compromised CA could issue false certificates but cannot itself decrypt any communications (at least until those false certificates lead to false authentications).
- It’s difficult to revoke certificates in a CA, whereas this is easy with a KDC.
- If certificate revocation lists are online, then CAs must be online.
@Define a chain of trust in the context of certificate authorities.
Alice and Bob don’t necessarily need to both trust the same CAs. As long as both CAs trust a chain of CAs which eventually trust a shared root CA, they can validate the certificate chains.
@Define public key infrastructure (PKI).
A network of trust authenticating public keys, along with security procedures for establishing that network.
@Define mediated authentication.
Authentication using a third party.
@Describe the Needham-Schroeder protocol for mediated authentication with a KDC.
- $A \to \text{KDC}$: Alice, Bob, $\mathbf{nonce}' _ A$
- $\text{KDC} \to A$: $E _ {k _ A}(\mathbf{nonce}' _ A \parallel \text{Bob} \parallel k _ {AB} \parallel \mathbf{ticket})$, where $\mathbf{ticket} = E _ {k _ B}(\text{Alice} \parallel k _ {AB})$
- $A \to B$: $\mathbf{ticket}$, $E _ {k _ {AB}}(\mathbf{nonce} _ A)$
- $B \to A$: $E _ {k _ {AB}}(\mathbf{nonce} _ A - 1 \parallel \mathbf{nonce} _ B)$
- $A \to B$: $E _ {k _ {AB}}(\mathbf{nonce} _ B - 1)$
- $A \to B$: $E _ {k _ {AB}}(m _ 1 \parallel \text{Alice} \parallel \text{counter})$
- …
The Needham-Schroeder protocol for mediated authentication with a KDC is as follows:
- $A \to \text{KDC}$: Alice, Bob, $\mathbf{nonce}' _ A$
- $\text{KDC} \to A$: $E _ {k _ A}(\mathbf{nonce}' _ A \parallel \text{Bob} \parallel k _ {AB} \parallel \mathbf{ticket})$, where $\mathbf{ticket} = E _ {k _ B}(\text{Alice} \parallel k _ {AB})$
- $A \to B$: $\mathbf{ticket}$, $E _ {k _ {AB}}(\mathbf{nonce} _ A)$
- $B \to A$: $E _ {k _ {AB}}(\mathbf{nonce} _ A - 1 \parallel \mathbf{nonce} _ B)$
- $A \to B$: $E _ {k _ {AB}}(\mathbf{nonce} _ B - 1)$
- $A \to B$: $E _ {k _ {AB}}(m _ 1 \parallel \text{Alice} \parallel \text{counter})$
- …
What are two of its main problems, one under the assumption that the underlying symmetric cipher uses ECB block mode, the other without such an assumption?
- If $E _ k$ is used in ECB block mode, step 4 might be insecure if the ciphertext blocks can be separated; if they can, this leads to a man-in-the-middle attack (solution: don’t use ECB).
- If an old session key $k _ {AB}$ is compromised, a man-in-the-middle attacker can replay the old ticket that first established $k _ {AB}$ and then snoop on the new communications. In other words, the protocol doesn’t guarantee freshness of tickets (solution: use something like Kerberos).
@Describe the Kerberos protocol for mediated authentication with a KDC, ensuring the freshness of tickets.
- $A \to \text{KDC}$: Alice, Bob, $\mathbf{nonce}' _ A$
- $\text{KDC} \to A$: $E _ {k _ A}(\mathbf{nonce}' _ A \parallel \text{Bob} \parallel k _ {AB} \parallel \mathbf{expiry} \parallel \mathbf{ticket})$, where $\mathbf{ticket} = E _ {k _ B}(\text{Alice} \parallel k _ {AB} \parallel \mathbf{expiry})$
- $A \to B$: $\mathbf{ticket}$, $E _ {k _ {AB}}(\mathbf{timestamp})$
- $B \to A$: $E _ {k _ {AB}}(\mathbf{timestamp} + 1)$
- …
Two protocols for mediated authentication with a KDC are as follows:
Needham-Schroeder:
- $A \to \text{KDC}$: Alice, Bob, $\mathbf{nonce}' _ A$
- $\text{KDC} \to A$: $E _ {k _ A}(\mathbf{nonce}' _ A \parallel \text{Bob} \parallel k _ {AB} \parallel \mathbf{ticket})$, where $\mathbf{ticket} = E _ {k _ B}(\text{Alice} \parallel k _ {AB})$
- $A \to B$: $\mathbf{ticket}$, $E _ {k _ {AB}}(\mathbf{nonce} _ A)$
- $B \to A$: $E _ {k _ {AB}}(\mathbf{nonce} _ A - 1 \parallel \mathbf{nonce} _ B)$
- $A \to B$: $E _ {k _ {AB}}(\mathbf{nonce} _ B - 1)$
- $A \to B$: $E _ {k _ {AB}}(m _ 1 \parallel \text{Alice} \parallel \text{counter})$
- …
Kerberos:
- $A \to \text{KDC}$: Alice, Bob, $\mathbf{nonce}' _ A$
- $\text{KDC} \to A$: $E _ {k _ A}(\mathbf{nonce}' _ A \parallel \text{Bob} \parallel k _ {AB} \parallel \mathbf{expiry} \parallel \mathbf{ticket})$, where $\mathbf{ticket} = E _ {k _ B}(\text{Alice} \parallel k _ {AB} \parallel \mathbf{expiry})$
- $A \to B$: $\mathbf{ticket}$, $E _ {k _ {AB}}(\mathbf{timestamp})$
- $B \to A$: $E _ {k _ {AB}}(\mathbf{timestamp} + 1)$
- …
What is the main advantage of the second protocol over the first?
It ensures freshness of tickets.
The Kerberos protocol for mediated authentication with a KDC, ensuring the freshness of tickets, is as follows:
- $A \to \text{KDC}$: Alice, Bob, $\mathbf{nonce}' _ A$
- $\text{KDC} \to A$: $E _ {k _ A}(\mathbf{nonce}' _ A \parallel \text{Bob} \parallel k _ {AB} \parallel \mathbf{expiry} \parallel \mathbf{ticket})$, where $\mathbf{ticket} = E _ {k _ B}(\text{Alice} \parallel k _ {AB} \parallel \mathbf{expiry})$
- $A \to B$: $\mathbf{ticket}$, $E _ {k _ {AB}}(\mathbf{timestamp})$
- $B \to A$: $E _ {k _ {AB}}(\mathbf{timestamp} + 1)$
- …
What are its main drawbacks?
- Alice doesn’t authenticate to the KDC, so an attacker can request any number of tickets.
- It does not offer perfect forward secrecy, since if the long-term keys $k _ A$ or $k _ B$ are compromised then an attacker can deduce the session key and hence read the messages.