Overview of Identification Protocols in CS255 by Dan Boneh

Slide Note
Embed
Share

The lecture in CS255 covers various topics related to identification protocols, including signatures from trapdoor functions, certificates, revocation methods, certificate issuance problems, defense mechanisms like certificate transparency (CT), and moving on to protocols. The talk also explores the setup, applications of ID protocols in the physical world and on the internet, emphasizing security and authentication practices. Special focus is given to ensuring the correct issuance and usage of certificates to prevent fraudulent activities in the digital domain.

dvanc
dvanc Follow

Uploaded on Sep 19, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. CS255: identification protocols Announcements: HW#4 is out on the course web site Last lecture: guest lecture by Jennifer Granick, ACLU Dan Boneh

  2. Quick recap Signatures: From trapdoor functions (such as RSA) From CRH (one-time sigs many-time sigs, good for software updates) From discrete-log: next week Certificates: bind a public key to an identity [ issuer-id, subject-id, PK, validity-period, serial #, ] + [CA sig] Revocation methods: expiration and CRLset (list of revoked serial #s) What if a CA incorrectly issues a cert to an adversary? Dan Boneh

  3. Certificate wrong issuance: the problem GET https://bank.com BadCertForBank BankCert attacker ClientHello ClientHello bank ServerCert (rogue) (cert for Bank by a valid CA -- 1200 CAs) ServerCert (Bank) TLS key exchange TLS key exchange k2 k1 k1 k2 HTTP data enc with k1 HTTP data enc with k2 Person-in-the-middle attack: attacker sees all traffic, server cannot detect Dan Boneh

  4. A defense: cert transparency (CT) Idea: CA s must push all certs. they issued to a public log Browser will only use a cert if it is published on (two) log servers Server attaches to certificate a signed statement from log (SCT) Companies can scan logs to look for invalid issuance (service by CA) April 30, 2018: CT required by chrome. Otherwise, cert is rejected. Dan Boneh

  5. Part 3: Done with crypto primitives, moving on to protocols. ID protocols Overview Dan Boneh

  6. The Setup vk either public or secret Alg. G sk vk User P (prover) Server V (verifier) yes/no no key exchange Dan Boneh

  7. Applications: physical world Physical locks: (friend-or-foe) Wireless car entry system Opening an office door Login at a bank ATM or a desktop computer Dan Boneh

  8. Applications: Internet Login to a remote web site after a key-exchange with one-sided authentication (e.g. HTTPS) ??? bank.com sk vk one-sided auth. key exchange Prover k Verifier k ID protocol Alice Dan Boneh

  9. ID Protocols: how not to use ID protocol do not establish a secure session between Alice and Bob !! Not even when combined with anonymous key exch. Vulnerable to man in to the middle attacks ??? ??? sk vk anon. key exchange Prover k Verifier k ID protocol Alice Insecure! Dan Boneh

  10. ID Protocols: how not to use ID protocol do not set up a secure session between Alice and Bob !! Not even when combined with anonymous key exch. Vulnerable to man in to the middle attack ??? ??? sk vk Prover ka Verifier key exch. key exch. ka kb kb proxy ID protocol Alice Dan Boneh

  11. ID Protocols: Security Models 1. Direct Attacker: impersonates prover with no additional information (other than vk) Door lock 2. Eavesdropping attacker: impersonates prover after eavesdropping on a few conversations between prover and verifier Wireless car entry system 3. Active attacker: interrogates prover and then attempts to impersonate prover Fake ATM in shopping mall Dan Boneh

  12. ID protocols Direct attacks Dan Boneh

  13. Basic Password Protocol (incorrect version) PWD: finite set of passwords Algorithm G (KeyGen): choose pw PWD. output sk = vk = pw. sk User P (prover) Server V (verifier) yes iff sk=vk vk sk Dan Boneh

  14. Basic Password Protocol (incorrect version) Problem: vk must be kept secret Compromise of server exposes all passwords Never store passwords in the clear! password file on server Alice pwalice Bob pwbob Dan Boneh

  15. Basic Password Protocol: version 1 H: one-way hash function from PWD to X Given H(x) it is difficult to find y such that H(y)=H(x) sk password file on server User P (prover) Server V (verifier) Alice H(pwA) sk vk = H(sk) Bob H(pwB) yes iff H(sk)=vk Dan Boneh

  16. Problem: Weak Password Choice Users frequently choose weak passwords: (SplashData, 2018, from more than 5 million passwords leaked on the Internet) 1. 123456 6. 111111 2. password 7. 1234567 3. 123456789 8. sunshine 4. 12345678 9. qwerty 5. 12345 10. iloveyou Dictionary of 360,000,000 words covers about 25% of user passwords Note: Google password checker Dan Boneh

  17. The 25 top passwords on the list cover more than 10% of users Nearly 3% of people use the worst password, 123456. Online dictionary attack: attacker has a list of usernames. For each username the attacker tries the password 123456 . Success after 33 tries on average (!) Can be mitigated by e.g., IP-based rate limiting Dan Boneh

  18. Offline Dictionary Attacks Suppose attacker obtains a single vk = H(pw) from server Offline attack: hash all words in Dict until a word w is found such that H(w) = vk Time O(|Dict|) per password Off the shelf tools (e.g. John the ripper): Scan through all 7-letter passwords in a few minutes Scan through 360,000,000 guesses in few seconds will recover 23% of passwords Dan Boneh

  19. Batch Offline Dictionary Attacks Suppose attacker steals entire pwd file F Obtains hashed pwds for all users Example (2012): Linkedin (6M: SHA1(pwd) ) Alice H(pwA) Bob H(pwB) Batch dict. attack: For each w Dict: test if H(w) appears in F (using fast look-up) Total time: O( |Dict| + |F| ) [Linkedin: 6 days, 90% of pwds. recovered] Much better than attacking each password individually ! Dan Boneh

  20. Preventing Batch Dictionary Attacks id S h Public salt: Alice SA H(pwA , SA) When setting password, pick a random n-bit salt S Bob SB H(pwB , SB) When verifying pw for A, test if H(pw, SA) = hA Recommended salt length, n = 64 bits Attacker must re-hash dictionary for each user Batch attack time is now: O( |Dict| |F| ) Dan Boneh

  21. How to hash a password? Linked-in: SHA1 hashed (unsalted) passwords 6 days, 90% of passwords recovered by exhaustive search The problem: SHA1 is too fast attacker can try all words in a large dictionary To hash passwords: Use a keyed hash function (e.g., HMAC) where key stored in HSM In addition: use a slow, space-hard function Dan Boneh

  22. How to hash? PBKDF2, bcrypt: slow hash functions Slowness by iterating a crypto hash function like SHA256 Example: H(pw) = SHA256(SHA256( SHA256(pw, SA) )) Number of iterations: set for 1000 evals/sec Unnoticeable to user, but makes offline dictionary attack harder Problem: custom hardware (ASIC) can evaluate hash function 50,000x faster than a commodity CPU attacker can do dictionary attack much faster than 1000 evals/sec. Dan Boneh

  23. How to hash: a better approach Scrypt: a slow hash function AND need lots of memory to evaluate custom hardware not much faster than commodity CPU Problem: memory access pattern depends on input password local attacker can learn memory access pattern for a given password eliminates need for memory in an offline dictionary attack Is there a space-hard function where time is independent of pwd? Password hashing competition (2015): Argon2i (also Balloon) Dan Boneh

  24. ID protocols Security against eavesdropping attacks (one-time password systems) Dan Boneh

  25. Eavesdropping Security Model Adversary is given: Server s vk, and the transcript of several interactions between honest prover and verifier. (example: remote car unlock) adv. goal is to impersonate prover to verifier A protocol is secure against eavesdropping if no efficient adversary can win this game The password protocol is clearly insecure ! Dan Boneh

  26. One-time passwords (secret vk, stateful) Setup(algorithm G): Choose random key k Output sk = (k,0) ; vk = (k,0) Identification: r0 F(k,0) r1 F(k,1) prover sk = (k,0) server vk = (k,0) Yes iff r = F(k,0) sk = (k,1) vk = (k,1) 6 digits often, time-based updates: r F(k, time) [stateless] Dan Boneh

  27. The SecurID system (secret vk, stateful) Thm : if F is a secure PRF then protocol is secure against eavesdropping RSA SecurID uses AES-128: 128 bit key 32 bit ctr F 6 digit output Advancing state: sk (k, i+1) Time based: every 60 seconds (TOTP) User action: every button press Both systems allow for skew in the counter value Dan Boneh

  28. TOTP: Google authenticator 6-digit timed one-time passwords (TOTP) based on [RFC 6238] To enable TOTP for a user: web site presents QR code with embedded data: otpauth://totp/Example:alice@dropbox.com? secret=JBSWY3DPEHPK3PXP & issuer=Example Subsequent user logins require user to present TOTP Dan Boneh

  29. Server compromise exposes secrets March 2011: RSA announced servers attacked, secret keys stolen enabled SecurID user impersonation Is there an ID protocol where server key vk is public? Dan Boneh

  30. The S/Key system (public vk, stateful) Notation: H(n)(x) = H(H( H(x) )) n times Algorithm G: (setup) Choose random key k K Output sk = (k,n) ; vk = H(n+1)(k) Identification: H(n-2)(k) H(n-1)(k) H(n)(k) H(n+1)(k) k H(k) vk pwd #4 pwd #3 pwd #2 pwd #1 Dan Boneh

  31. The S/Key system (public vk, stateful) Identification (in detail): H(i)(k) ; set sk Prover (sk=(k,i)): send t (k,i-1) Verifier(vk=H(i+1)(k), t): if H(t)=vk then vk t, output yes Notes: vk can be made public; but need to generate new sk after n logins (n 106 ) Thm : S/Keyn is secure against eavesdropping (public vk) provided H is one-way on n-iterates Dan Boneh

  32. SecurID vs. S/Key S/Key: public vk, limited number of authentications Long authenticator t (e.g., 80 bits) SecurID / TOTP: secret vk, unlimited number of authentications Short authenticator (6 digits) Dan Boneh

  33. Online Cryptography Course Dan Boneh ID protocols Security against active attacks (challenge-response protocols) Dan Boneh

  34. Active Attacks vk probe #1 User P (prover) Server V (verifier) probe #q impersonate sk vk Offline fake ATM: interacts with user; later tries to impersonate user to real ATM Offline phishing: phishing site interacts with user; later authenticates to real site All protocols so far are vulnerable Dan Boneh

  35. MAC-based Challenge Response (secret vk) k K vk = k sk = k User P (prover) Server V (verifier) random m M sk t SMAC(k, m) vk VMAC(k, m, t) Thm : protocol is secure against active attacks (secret vk), provided (SMAC , VMAC) is a secure MAC and |M| 2128 Dan Boneh

  36. MAC-based Challenge Response Problems: vk must be kept secret on server dictionary attack when k is a human pwd: Given [ m , SMAC (pw, m) ] eavesdropper can try all pw Dict to recover pw Main benefit: Both m and t can be short CryptoCard: 8 chars each Dan Boneh

  37. Sig-based Challenge Response (public vk) Replace MAC with a digital signature: (sk, vk) GSIG vk sk User P (prover) Server V (verifier) random m M t Sign(sk, m) sk vk Verify(vk, m, t) Thm : Protocol is secure against active attacks (public vk), provided (GSIG ,Sign,Verify) is a secure digital sig. and |M| 2128 but t is long ( 20 bytes) Dan Boneh

  38. Signature-based Challenge Response in the real world Dan Boneh

  39. The Universal Second Factor (U2F) Standard (and WebAuthn) Goals: Browser malware cannot steal user credentials U2F should not enable tracking users across sites U2F uses counters to defend against token cloning U2F token service (github.com) browser Dan Boneh

  40. The U2F protocol: two parts (simplified) Device registration: ID, challenge ID, challenge (pkID, handle) sk pkID, sigID, handle pkID, sigID, handle service (github.com) browser skID Authentication: ID, chal., handle verify sig. with pkID ID, chal., handle sk sigID, ctr sigID, ctr service skID browser Dan Boneh

  41. The U2F protocol: two parts (simplified) Device registration: ID, challenge ID, challenge (pkID, handle) sk pkID, sigID, handle pkID, sigID, handle service (github.com) browser skID Authentication: Unlinkable pkID per site prevents user tracking across sites ID, chall., handle verify sig. with PKID ID, chall., handle sk sigID, ctr sigID, ctr service skID browser Dan Boneh

  42. Summary ID protocols: useful in settings where adversary cannot interact with prover during impersonation attempt Three security models: Direct: passwords (properly salted and hashed) Eavesdropping attacks: One time passwords SecurID: secret vk, unbounded logins S/Key: public vk, bounded logins Active attacks: challenge-response Dan Boneh

  43. THE END Dan Boneh

Related


Model Literasi Informasi dan Perumusan Masalah dalam Desain Komunikasi Visual

Model Literasi Informasi dan Perumusan Masalah dalam Desain Komunikasi Visual

stormi
Kompetisi Fungsi Hash NIST (SHA-3): Proses Pemilihan Finalis dan Detail Desain

Kompetisi Fungsi Hash NIST (SHA-3): Proses Pemilihan Finalis dan Detail Desain

ashvin
Update on SWAG Protocols and New NICE TA Progress Report

Update on SWAG Protocols and New NICE TA Progress Report

lowie
Understanding Consistency Protocols in Distributed Systems

Understanding Consistency Protocols in Distributed Systems

rune
Understanding Control Hijacking Attacks and Defenses

Understanding Control Hijacking Attacks and Defenses

dawn_o
Secure Composition of Key Exchange Protocols

Secure Composition of Key Exchange Protocols

forb_470
Taming Adaptivity in YOSO Protocols: The Modular Way

Taming Adaptivity in YOSO Protocols: The Modular Way

pkhy
Adaptasi Fisiologi Sistem Urinari dan Gastrointestinal pada Kehamilan

Adaptasi Fisiologi Sistem Urinari dan Gastrointestinal pada Kehamilan

mikey
Understanding LRIT System for Ship Identification and Tracking

Understanding LRIT System for Ship Identification and Tracking

amias
Oklahoma School Safety Protocols Overview

Oklahoma School Safety Protocols Overview

bibi
State Transportation Department's Stormwater Monitoring Program Overview

State Transportation Department's Stormwater Monitoring Program Overview

shiv
Network Routing Algorithms and Protocols Overview

Network Routing Algorithms and Protocols Overview

kyerk
Comprehensive Overview of Computer Networks and Protocols for GCSE Level

Comprehensive Overview of Computer Networks and Protocols for GCSE Level

abdo_2
Good Laboratory Practices Study Protocols for Effective Research Management

Good Laboratory Practices Study Protocols for Effective Research Management

lowie
Work Protocols and Safety Measures for Employees Returning to Work

Work Protocols and Safety Measures for Employees Returning to Work

wilhelmina
Understanding Emergency Conditions in ERCOT Protocols

Understanding Emergency Conditions in ERCOT Protocols

galilee
Understanding Lock-Based Protocols in Database Concurrency Control

Understanding Lock-Based Protocols in Database Concurrency Control

seb
Laboratory Safety Protocols and Pathogen Classification

Laboratory Safety Protocols and Pathogen Classification

harlan
SRYA Clinic Soccer Fall 2021 Updates and Protocols

SRYA Clinic Soccer Fall 2021 Updates and Protocols

ari
Animal Use Protocols: Finding the Right Balance

Animal Use Protocols: Finding the Right Balance

sereia
Understanding Reliable Transport and User Datagram Protocol in Computer Networking

Understanding Reliable Transport and User Datagram Protocol in Computer Networking

ldar
Understanding Internet Transport Layer Services and Protocols

Understanding Internet Transport Layer Services and Protocols

daless
Securing Protocols with Fully Encrypted Protocols (FEPs)

Securing Protocols with Fully Encrypted Protocols (FEPs)

perreira_n
Overview of Vibrio cholerae: Characteristics and Identification

Overview of Vibrio cholerae: Characteristics and Identification

francine

More Related Content

Proper Clinical Chemistry Specimen Collection and Processing
Proper Clinical Chemistry Specimen Collection and Processing
Science Olympiad 2024 Alaska Coaches Meeting with Dan Nichols
Science Olympiad 2024 Alaska Coaches Meeting with Dan Nichols
Exploring Indonesian Identity in Pego dan Putri Kayangan Folklore
Exploring Indonesian Identity in Pego dan Putri Kayangan Folklore
Insights into Dan Ponder Jr.'s Impact on Racial Justice and Hate Crimes in Georgia
Insights into Dan Ponder Jr.'s Impact on Racial Justice and Hate Crimes in Georgia
The Get Rich Quick Club by Dan Gutman - Book Summary
The Get Rich Quick Club by Dan Gutman - Book Summary
Decoding the GT Identification Process: Understanding the Numbers
Decoding the GT Identification Process: Understanding the Numbers
Understanding Talent Identification and Selection in Sports
Understanding Talent Identification and Selection in Sports
Rapid Identification System for Inmate Release
Rapid Identification System for Inmate Release
Language Identification System for DARPA RATS Program Evaluation
Language Identification System for DARPA RATS Program Evaluation
Mineral Identification Challenge for 7th Grade Science Students
Mineral Identification Challenge for 7th Grade Science Students
Livestock Data Management and Recording Guidelines
Livestock Data Management and Recording Guidelines
Enforcing UWI Mona Campus COVID-19 Safety Protocols: Overview and Provisions
Enforcing UWI Mona Campus COVID-19 Safety Protocols: Overview and Provisions
Overview of Summary Court Advocacy and Procedures
Overview of Summary Court Advocacy and Procedures
VF-Italy Network Requirements and Technical Limitations Overview
VF-Italy Network Requirements and Technical Limitations Overview
Lead Testing Requirements for Schools: PA 099-0922 Overview
Lead Testing Requirements for Schools: PA 099-0922 Overview
Text Classification and Naive Bayes in Action
Text Classification and Naive Bayes in Action
Automotive Protocols and Integration in Android Development
Automotive Protocols and Integration in Android Development
Cryptography,.Quantum-safe Cryptography& Quantum Cryptography
Cryptography,.Quantum-safe Cryptography& Quantum Cryptography
Safety and Emergency Management Guidelines at Griffith University
Safety and Emergency Management Guidelines at Griffith University
Understanding Crime Scene Basics and Forensic Science Careers
Understanding Crime Scene Basics and Forensic Science Careers
BVF and Adjacent Legislation: Understanding the Regulatory Landscape
BVF and Adjacent Legislation: Understanding the Regulatory Landscape
Concussion Management Guidelines in Intercollegiate Athletics
Concussion Management Guidelines in Intercollegiate Athletics
Fall/Winter 2023 Statewide Assessments Training Materials Elementary
Fall/Winter 2023 Statewide Assessments Training Materials Elementary
Clinical Protocols for Chest Pain Management
Clinical Protocols for Chest Pain Management