Authentication Protocol
Spring 2012
http://users.abo.fi/ipetre/crypto/
Ion Petre
Department of IT, Åbo Akademi University
A. Direct authentication
1. Based on a shared secret master key
2. Based on a public-key system
3. Diffie-Hellman
B. Mediated authentication
1. Based on key distribution centers
2. Otway-Rees
3. Kerberos
Assume here that A and B already share a secret key – this is sometimes called the
master key MK because the two use it only rarely, whenever they need to
authenticate each other and establish a session key
Master keys will only be used to establish session keys
Concentrate here on how to establish session keys
Protocol
A issues a request to B for a session key and includes a nonce N1
B responds with a message encrypted using the shared master key – it includes the session
key he selects, A’s id, a value f(N1) (say the successor of N1) and another nonce N2
At this point, A is sure of B’s identity: only he knows the master key; B is not sure of anything yet
A knows that the message is fresh: B sends a transformation on N1
Using the new session key, A returns f(N2) to B
B is sure of A’s identity: only A can read the message he sent, including the session key
B knows that the message is fresh: A sends a transformation on N2
Assume here that A and B know each other’s public key (through a protocol such
as those in Lecture 8)
N1 and N2 in the scheme are random numbers – they ensure the authenticity of A
and B (because only they can decrypt the messages and read N1 and N2)
After Step 2, A is sure of B’s identity: right response to its challenge
After Step 3, B is sure of A’s identity: right response to its challenge
B. Mediated authentication
1. Based on key distribution centers
2. Otway-Rees
3. Kerberos
Say Eve manages to get a job with Alice and after doing the job, she asks Alice to pay her
by bank transfer
Alice establishes a secret key with the banker Bob and then sends Bob a message
requesting money to be transferred to Eve’s account
Eve however is back to her old business, snooping on the network – she copies message 2
in the protocol and the request for money that follows
Later Eve replays both messages to Bob – Bob will think that Alice has hired Eve again and pays
Eve the money
Eve is able to do many iterations of the procedure – replay attack
Solution 1: include a timestamp with the message – any old message will be discarded
Problem: clocks are not always exactly synchronized so there will be a period when the message is
still valid
Solution 2: include a nonce (random number) with the message
Problem: the nonces have to be remembered forever, so that any message carrying an old one is discarded
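Added example (not part of the original lecture notes): Bob's side of the replay check, going one step beyond the two solutions above by combining them, so that the timestamp bounds how long a nonce must be remembered. It assumes a single key already shared by Alice and Bob, HMAC-SHA256 as the message authentication code, and a 120-second acceptance window; the names make_request, Receiver and demo are hypothetical.

```python
import hashlib, hmac, os, time

WINDOW = 120  # seconds of clock skew Bob tolerates (assumed value)

def _encode(ts, nonce, body):
    # Fixed-width timestamp and nonce keep the MAC input unambiguous.
    return ts.to_bytes(8, "big") + nonce + body

def make_request(key, body, now=None):
    """Alice: attach a timestamp and a fresh 16-byte nonce, then MAC all three."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16)
    tag = hmac.new(key, _encode(ts, nonce, body), hashlib.sha256).digest()
    return ts, nonce, body, tag

class Receiver:
    """Bob: accepts each authentic request at most once."""
    def __init__(self, key, window=WINDOW):
        self.key, self.window = key, window
        self.seen = {}  # nonce -> timestamp, only for nonces still inside the window

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        ts, nonce, body, tag = msg
        good = hmac.new(self.key, _encode(ts, nonce, body), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return "bad-mac"
        if abs(now - ts) > self.window:
            return "stale"          # Solution 1: old messages are discarded
        # A nonce whose timestamp left the window can be forgotten: any replay
        # of that message already fails the timestamp check above.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.window}
        if nonce in self.seen:
            return "replay"         # Solution 2: nonce already used
        self.seen[nonce] = ts
        return "ok"

def demo():
    key = os.urandom(32)            # constructed key shared by Alice and Bob
    bob = Receiver(key)
    pay = make_request(key, b"transfer 100 to Eve", now=1000)  # constructed message
    forged = (pay[0], pay[1], b"transfer 900 to Eve", pay[3])
    fresh = make_request(key, b"transfer 100 to Eve", now=5000)
    return [bob.accept(pay, now=1001), bob.accept(pay, now=1030),
            bob.accept(pay, now=5000), bob.accept(forged, now=1001),
            bob.accept(fresh, now=5001), len(bob.seen)]

if __name__ == "__main__":
    print(demo())
```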
A tells the workstation she needs to contact the file server Bob
3. Workstation sends a message to TGS asking for a ticket to use Bob
Key element here is the ticket for TGS received from AS – this proves to TGS that
the sender is really A
4. TGS creates and sends back a session key KAB for A to use with B
TGS sends a message encrypted with KS so that A can read and get KAB
TGS also includes a message intended only for Bob, sending A’s identity and the
key KAB
If Eve replays message 3 she will be foiled by the timestamp t
Even if she replays the message quickly she will only get a copy of message 4 that
she cannot read
Computational requirements
Must be a bit pattern depending on the message being signed
Signature must use some information unique to the sender to prevent
forgery and denial
Computationally easy to produce a signature
Computationally easy to recognize and verify the signature
Computationally infeasible to forge a digital signature
either by constructing a new message for an existing digital signature
or by constructing a fraudulent digital signature for a given message
Practical to retain a copy of the digital signature in storage
Two general schemes for digital signatures
Direct
Arbitrated
Weaknesses:
The scheme only works as long as KRA remains secret: if it is disclosed (or
A discloses it herself), then the argument of the judge does not hold:
anybody can produce the signature
Attack: to deny the signature right after signing, simply claim that the private
key has been lost – similar to claims of credit card misuse
If A changes her public-private keys (she can do that often) the judge will
apply the wrong public key to check the signature
Attack: to deny the signature, change your public-private key pair – this should
not work if a PKI is used because they may keep track of old public keys
A should protect her private key even after she changes the key
Attack: Eve could get hold of an old private key and sign a document with an
old timestamp