Overview of Identification Protocols in CS255 by Dan Boneh

Slide Note
Embed
Share

The lecture in CS255 covers various topics related to identification protocols, including signatures from trapdoor functions, certificates, revocation methods, certificate issuance problems, defense mechanisms like certificate transparency (CT), and moving on to protocols. The talk also explores the setup, applications of ID protocols in the physical world and on the internet, emphasizing security and authentication practices. Special focus is given to ensuring the correct issuance and usage of certificates to prevent fraudulent activities in the digital domain.

dvanc
dvanc Follow

Uploaded on Sep 19, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. CS255: identification protocols Announcements: HW#4 is out on the course web site Last lecture: guest lecture by Jennifer Granick, ACLU Dan Boneh

  2. Quick recap Signatures: From trapdoor functions (such as RSA) From CRH (one-time sigs many-time sigs, good for software updates) From discrete-log: next week Certificates: bind a public key to an identity [ issuer-id, subject-id, PK, validity-period, serial #, ] + [CA sig] Revocation methods: expiration and CRLset (list of revoked serial #s) What if a CA incorrectly issues a cert to an adversary? Dan Boneh

  3. Certificate wrong issuance: the problem GET https://bank.com BadCertForBank BankCert attacker ClientHello ClientHello bank ServerCert (rogue) (cert for Bank by a valid CA -- 1200 CAs) ServerCert (Bank) TLS key exchange TLS key exchange k2 k1 k1 k2 HTTP data enc with k1 HTTP data enc with k2 Person-in-the-middle attack: attacker sees all traffic, server cannot detect Dan Boneh

  4. A defense: cert transparency (CT) Idea: CA s must push all certs. they issued to a public log Browser will only use a cert if it is published on (two) log servers Server attaches to certificate a signed statement from log (SCT) Companies can scan logs to look for invalid issuance (service by CA) April 30, 2018: CT required by chrome. Otherwise, cert is rejected. Dan Boneh

  5. Part 3: Done with crypto primitives, moving on to protocols. ID protocols Overview Dan Boneh

  6. The Setup vk either public or secret Alg. G sk vk User P (prover) Server V (verifier) yes/no no key exchange Dan Boneh

  7. Applications: physical world Physical locks: (friend-or-foe) Wireless car entry system Opening an office door Login at a bank ATM or a desktop computer Dan Boneh

  8. Applications: Internet Login to a remote web site after a key-exchange with one-sided authentication (e.g. HTTPS) ??? bank.com sk vk one-sided auth. key exchange Prover k Verifier k ID protocol Alice Dan Boneh

  9. ID Protocols: how not to use ID protocol do not establish a secure session between Alice and Bob !! Not even when combined with anonymous key exch. Vulnerable to man in to the middle attacks ??? ??? sk vk anon. key exchange Prover k Verifier k ID protocol Alice Insecure! Dan Boneh

  10. ID Protocols: how not to use ID protocol do not set up a secure session between Alice and Bob !! Not even when combined with anonymous key exch. Vulnerable to man in to the middle attack ??? ??? sk vk Prover ka Verifier key exch. key exch. ka kb kb proxy ID protocol Alice Dan Boneh

  11. ID Protocols: Security Models 1. Direct Attacker: impersonates prover with no additional information (other than vk) Door lock 2. Eavesdropping attacker: impersonates prover after eavesdropping on a few conversations between prover and verifier Wireless car entry system 3. Active attacker: interrogates prover and then attempts to impersonate prover Fake ATM in shopping mall Dan Boneh

  12. ID protocols Direct attacks Dan Boneh

  13. Basic Password Protocol (incorrect version) PWD: finite set of passwords Algorithm G (KeyGen): choose pw PWD. output sk = vk = pw. sk User P (prover) Server V (verifier) yes iff sk=vk vk sk Dan Boneh

  14. Basic Password Protocol (incorrect version) Problem: vk must be kept secret Compromise of server exposes all passwords Never store passwords in the clear! password file on server Alice pwalice Bob pwbob Dan Boneh

  15. Basic Password Protocol: version 1 H: one-way hash function from PWD to X Given H(x) it is difficult to find y such that H(y)=H(x) sk password file on server User P (prover) Server V (verifier) Alice H(pwA) sk vk = H(sk) Bob H(pwB) yes iff H(sk)=vk Dan Boneh

  16. Problem: Weak Password Choice Users frequently choose weak passwords: (SplashData, 2018, from more than 5 million passwords leaked on the Internet) 1. 123456 6. 111111 2. password 7. 1234567 3. 123456789 8. sunshine 4. 12345678 9. qwerty 5. 12345 10. iloveyou Dictionary of 360,000,000 words covers about 25% of user passwords Note: Google password checker Dan Boneh

  17. The 25 top passwords on the list cover more than 10% of users Nearly 3% of people use the worst password, 123456. Online dictionary attack: attacker has a list of usernames. For each username the attacker tries the password 123456 . Success after 33 tries on average (!) Can be mitigated by e.g., IP-based rate limiting Dan Boneh

  18. Offline Dictionary Attacks Suppose attacker obtains a single vk = H(pw) from server Offline attack: hash all words in Dict until a word w is found such that H(w) = vk Time O(|Dict|) per password Off the shelf tools (e.g. John the ripper): Scan through all 7-letter passwords in a few minutes Scan through 360,000,000 guesses in few seconds will recover 23% of passwords Dan Boneh

  19. Batch Offline Dictionary Attacks Suppose attacker steals entire pwd file F Obtains hashed pwds for all users Example (2012): Linkedin (6M: SHA1(pwd) ) Alice H(pwA) Bob H(pwB) Batch dict. attack: For each w Dict: test if H(w) appears in F (using fast look-up) Total time: O( |Dict| + |F| ) [Linkedin: 6 days, 90% of pwds. recovered] Much better than attacking each password individually ! Dan Boneh

  20. Preventing Batch Dictionary Attacks id S h Public salt: Alice SA H(pwA , SA) When setting password, pick a random n-bit salt S Bob SB H(pwB , SB) When verifying pw for A, test if H(pw, SA) = hA Recommended salt length, n = 64 bits Attacker must re-hash dictionary for each user Batch attack time is now: O( |Dict| |F| ) Dan Boneh

  21. How to hash a password? Linked-in: SHA1 hashed (unsalted) passwords 6 days, 90% of passwords recovered by exhaustive search The problem: SHA1 is too fast attacker can try all words in a large dictionary To hash passwords: Use a keyed hash function (e.g., HMAC) where key stored in HSM In addition: use a slow, space-hard function Dan Boneh

  22. How to hash? PBKDF2, bcrypt: slow hash functions Slowness by iterating a crypto hash function like SHA256 Example: H(pw) = SHA256(SHA256( SHA256(pw, SA) )) Number of iterations: set for 1000 evals/sec Unnoticeable to user, but makes offline dictionary attack harder Problem: custom hardware (ASIC) can evaluate hash function 50,000x faster than a commodity CPU attacker can do dictionary attack much faster than 1000 evals/sec. Dan Boneh

  23. How to hash: a better approach Scrypt: a slow hash function AND need lots of memory to evaluate custom hardware not much faster than commodity CPU Problem: memory access pattern depends on input password local attacker can learn memory access pattern for a given password eliminates need for memory in an offline dictionary attack Is there a space-hard function where time is independent of pwd? Password hashing competition (2015): Argon2i (also Balloon) Dan Boneh

  24. ID protocols Security against eavesdropping attacks (one-time password systems) Dan Boneh

  25. Eavesdropping Security Model Adversary is given: Server s vk, and the transcript of several interactions between honest prover and verifier. (example: remote car unlock) adv. goal is to impersonate prover to verifier A protocol is secure against eavesdropping if no efficient adversary can win this game The password protocol is clearly insecure ! Dan Boneh

  26. One-time passwords (secret vk, stateful) Setup(algorithm G): Choose random key k Output sk = (k,0) ; vk = (k,0) Identification: r0 F(k,0) r1 F(k,1) prover sk = (k,0) server vk = (k,0) Yes iff r = F(k,0) sk = (k,1) vk = (k,1) 6 digits often, time-based updates: r F(k, time) [stateless] Dan Boneh

  27. The SecurID system (secret vk, stateful) Thm : if F is a secure PRF then protocol is secure against eavesdropping RSA SecurID uses AES-128: 128 bit key 32 bit ctr F 6 digit output Advancing state: sk (k, i+1) Time based: every 60 seconds (TOTP) User action: every button press Both systems allow for skew in the counter value Dan Boneh

  28. TOTP: Google authenticator 6-digit timed one-time passwords (TOTP) based on [RFC 6238] To enable TOTP for a user: web site presents QR code with embedded data: otpauth://totp/Example:alice@dropbox.com? secret=JBSWY3DPEHPK3PXP & issuer=Example Subsequent user logins require user to present TOTP Dan Boneh

  29. Server compromise exposes secrets March 2011: RSA announced servers attacked, secret keys stolen enabled SecurID user impersonation Is there an ID protocol where server key vk is public? Dan Boneh

  30. The S/Key system (public vk, stateful) Notation: H(n)(x) = H(H( H(x) )) n times Algorithm G: (setup) Choose random key k K Output sk = (k,n) ; vk = H(n+1)(k) Identification: H(n-2)(k) H(n-1)(k) H(n)(k) H(n+1)(k) k H(k) vk pwd #4 pwd #3 pwd #2 pwd #1 Dan Boneh

  31. The S/Key system (public vk, stateful) Identification (in detail): H(i)(k) ; set sk Prover (sk=(k,i)): send t (k,i-1) Verifier(vk=H(i+1)(k), t): if H(t)=vk then vk t, output yes Notes: vk can be made public; but need to generate new sk after n logins (n 106 ) Thm : S/Keyn is secure against eavesdropping (public vk) provided H is one-way on n-iterates Dan Boneh

  32. SecurID vs. S/Key S/Key: public vk, limited number of authentications Long authenticator t (e.g., 80 bits) SecurID / TOTP: secret vk, unlimited number of authentications Short authenticator (6 digits) Dan Boneh

  33. Online Cryptography Course Dan Boneh ID protocols Security against active attacks (challenge-response protocols) Dan Boneh

  34. Active Attacks vk probe #1 User P (prover) Server V (verifier) probe #q impersonate sk vk Offline fake ATM: interacts with user; later tries to impersonate user to real ATM Offline phishing: phishing site interacts with user; later authenticates to real site All protocols so far are vulnerable Dan Boneh

  35. MAC-based Challenge Response (secret vk) k K vk = k sk = k User P (prover) Server V (verifier) random m M sk t SMAC(k, m) vk VMAC(k, m, t) Thm : protocol is secure against active attacks (secret vk), provided (SMAC , VMAC) is a secure MAC and |M| 2128 Dan Boneh

  36. MAC-based Challenge Response Problems: vk must be kept secret on server dictionary attack when k is a human pwd: Given [ m , SMAC (pw, m) ] eavesdropper can try all pw Dict to recover pw Main benefit: Both m and t can be short CryptoCard: 8 chars each Dan Boneh

  37. Sig-based Challenge Response (public vk) Replace MAC with a digital signature: (sk, vk) GSIG vk sk User P (prover) Server V (verifier) random m M t Sign(sk, m) sk vk Verify(vk, m, t) Thm : Protocol is secure against active attacks (public vk), provided (GSIG ,Sign,Verify) is a secure digital sig. and |M| 2128 but t is long ( 20 bytes) Dan Boneh

  38. Signature-based Challenge Response in the real world Dan Boneh

  39. The Universal Second Factor (U2F) Standard (and WebAuthn) Goals: Browser malware cannot steal user credentials U2F should not enable tracking users across sites U2F uses counters to defend against token cloning U2F token service (github.com) browser Dan Boneh

  40. The U2F protocol: two parts (simplified) Device registration: ID, challenge ID, challenge (pkID, handle) sk pkID, sigID, handle pkID, sigID, handle service (github.com) browser skID Authentication: ID, chal., handle verify sig. with pkID ID, chal., handle sk sigID, ctr sigID, ctr service skID browser Dan Boneh

  41. The U2F protocol: two parts (simplified) Device registration: ID, challenge ID, challenge (pkID, handle) sk pkID, sigID, handle pkID, sigID, handle service (github.com) browser skID Authentication: Unlinkable pkID per site prevents user tracking across sites ID, chall., handle verify sig. with PKID ID, chall., handle sk sigID, ctr sigID, ctr service skID browser Dan Boneh

  42. Summary ID protocols: useful in settings where adversary cannot interact with prover during impersonation attempt Three security models: Direct: passwords (properly salted and hashed) Eavesdropping attacks: One time passwords SecurID: secret vk, unbounded logins S/Key: public vk, bounded logins Active attacks: challenge-response Dan Boneh

  43. THE END Dan Boneh

Related


Overview of Public Key Encryption Schemes by Dan Boneh

Overview of Public Key Encryption Schemes by Dan Boneh

aren977
Estimasi Kebutuhan Energi dan Protein Ayam Arab Periode Pertengahan Peneluran

Estimasi Kebutuhan Energi dan Protein Ayam Arab Periode Pertengahan Peneluran

dono_172
Understanding Session Management and Same-Origin Policy in Web Security

Understanding Session Management and Same-Origin Policy in Web Security

januelmi
Model Literasi Informasi dan Perumusan Masalah dalam Desain Komunikasi Visual

Model Literasi Informasi dan Perumusan Masalah dalam Desain Komunikasi Visual

stormi
Kompetisi Fungsi Hash NIST (SHA-3): Proses Pemilihan Finalis dan Detail Desain

Kompetisi Fungsi Hash NIST (SHA-3): Proses Pemilihan Finalis dan Detail Desain

ashvin
Update on SWAG Protocols and New NICE TA Progress Report

Update on SWAG Protocols and New NICE TA Progress Report

lowie
Understanding Consistency Protocols in Distributed Systems

Understanding Consistency Protocols in Distributed Systems

rune
Improved Merlin-Arthur Protocols for Fine-Grained Complexity Problems

Improved Merlin-Arthur Protocols for Fine-Grained Complexity Problems

giorgiva
Understanding Control Hijacking Attacks and Defenses

Understanding Control Hijacking Attacks and Defenses

dawn_o
Understanding Structural Identification in Vector Autoregressions

Understanding Structural Identification in Vector Autoregressions

kingsland_t
Adaptasi Fisiologi Sistem Urinari dan Gastrointestinal pada Kehamilan

Adaptasi Fisiologi Sistem Urinari dan Gastrointestinal pada Kehamilan

mikey
Wireless Sensor Networks: Medium Access Protocols Overview

Wireless Sensor Networks: Medium Access Protocols Overview

egne_ary
Secure Composition of Key Exchange Protocols

Secure Composition of Key Exchange Protocols

forb_470
Taming Adaptivity in YOSO Protocols: The Modular Way

Taming Adaptivity in YOSO Protocols: The Modular Way

pkhy
Towards Practical Generic Zero-Knowledge Protocols

Towards Practical Generic Zero-Knowledge Protocols

bonn_ne
Green Protocols for Greener Arbitrations

Green Protocols for Greener Arbitrations

desti
Understanding Ethernet and Multiple Access Protocols in Computer Networks

Understanding Ethernet and Multiple Access Protocols in Computer Networks

dena_990
Scalable Identity and Key Management for Publish-Subscribe Protocols

Scalable Identity and Key Management for Publish-Subscribe Protocols

torgeson_s
Comprehensive Examination Questions on Data Management Systems and Security Protocols

Comprehensive Examination Questions on Data Management Systems and Security Protocols

arozy
Quantum Distributed Proofs for Replicated Data

Quantum Distributed Proofs for Replicated Data

mkam
Data Link Control and Protocols in Computer Networks

Data Link Control and Protocols in Computer Networks

busramc
Approaches to Secure Identification in Communication Networks

Approaches to Secure Identification in Communication Networks

lobo_tum
Understanding LRIT System for Ship Identification and Tracking

Understanding LRIT System for Ship Identification and Tracking

amias
Fine-Grained Language Identification Using Multilingual CapsNet Model

Fine-Grained Language Identification Using Multilingual CapsNet Model

bkha

More Related Content