安全协议43.ppt

1、1,4.3 Authentication and Key Transport Using Public Key Cryptography,中国矿业大学计算机科学与技术学院,2,Introduction,Two potential advantages Digital signatures Simplification of key management Two costs High computational cost public keys still need managed,3,Notation,EX(M) Encryption of message M using the public

2、 key of principal X SigX(M) Signature with appendix of message M by principal X NX nonce chosen by principal X TX timestamp chosen by principal X MK Symmetric encryption of message M with key K,4,4.3.1 Entity Authentication Protocols,1. AB: TA , B, SigA(TA,B),ISO/IEC 9798-3 one-pass unilateral authe

3、ntication,5,1. BA: NB 2. AB: NA , NB, SigA (NA, NB, B),ISO/IEC 9798-3 two-pass unilateral authentication,加入 NA 的作用是不被 B 当作 oracle 标准允许省略签名中的B，但Protocol 4.1不可省略。,6,1. AB: TA , B, SigA (TA ,B) 2. BA: TB , A, SigB (TB , A),ISO/IEC 9798-3 two-pass mutual authentication,7,ISO/IEC 9798-3 three-pass mutual

4、 authentication,1. BA: NB 2. AB: NA , NB, B, SigA (NA, NB, B) 3. BA: NB , NA, A, SigB (NB, NA, A),8,Early version of Protocol 4.4,1. BA: NB 2. AB: NA , NB, B, SigA (NA, NB, B) 3. BA: NB , NA, A, SigB (NB, NA, A),1. CBA: NC 2. ACB: NA , NC, B, SigA (NA, NC, B) 1. CA B: NA 2. B CA: NB , NA, A, SigB (N

5、B, NA, A) 3. CBA: NB , NA, A, SigB (NB, NA, A),Canadian attack on Protocol 4.5,Use of a protocol identifier in every signed message,A,C,B,ISO/IEC 9798-3 two-pass parallel authentication,1. AB: NA 1. BA: NB 2. AB: NA , NB, B, SigA (NA, NB, B) 2. BA: NB , NA, A, SigB (NB, NA, A),1,1,2,2,A,B,10,4.3.2 K

6、ey Transport Protocols,1. AB: EB (A, KAB ,TA),ISO/IEC 11770-3 Mechanism 1,Key control : A Key freshness : A (没有发送方的认证，B不能保证freshness） Key auth.: A Key conf.: No Security Proof: No Attack: No,11,1. AB: B, TA,EB (A, KAB ),SigA( B, TA,EB (A, KAB),ISO/IEC 11770-3 Mechanism 2,Key control : A Key freshnes

7、s : A+B Key auth.: A+B Key conf.: B Security Proof: No Attack: No,12,1. AB: EB (B, KAB , TA, SigA (B, KAB, TA),ISO/IEC 11770-3 Mechanism 3,Swap around the order in which the signature and encryption are applied in mechanism 2. Achieves the same goals as mechanism 2.,13,1. AB: EB (KAB , TA, SigA ( KA

8、B, TA),Denning-Sacco public key protocol,AB: EB (KAB , TA, SigA ( KAB, TA) BA C: EC (KAB , TA, SigA ( KAB, TA),Attack of Protocol,A,B正常通信,同时B假冒A与C通信,A,B,C,14,AB: N A BA: A, NA, NB , EA (B, KAB ),SigB( A, NA,NB, EA (B, KAB),ISO/IEC 11770-3 Mechanism 4,Similar to mechanism 2 Key control : B Key freshn

9、ess : A+B Key auth.: A+B Key conf.: A Security Proof: Yes Attack: No,15,AB: N A BA: NB, NA ,A, EA (B, KBA ),SigB(NB,NA, A,EA (B, KBA) AB: NA, NB ,B, EB (A, KAB ),SigA(NA,NB, B,EB (B, KAB),ISO/IEC 11770-3 Mechanism 5,Key control : A+B Key freshness : A+B Key auth.: A+B Key conf.: A ? Security Proof:

10、No Attack: No,16,AB: EB (A, KAB, NA) BA: EA(B, KBA, NA, NB) AB: NB,ISO/IEC 11770-3 Mechanism 6,K=h(KAB,KBA) Key control : A+B Key freshness : A+B Key auth.: A+B Key conf.: A+B Security Proof: No Attack: No,17,AB: EB (A, KAB, NA) BA: EA( KBA, NA, NB) AB: NB,Helsinki protocol (earlier version),1. AC:

11、EC (A, KAB, NA) 1. CAB: EB (A, KAB, NA) 2. B CA: EA (KBA, NA, NB) 2. C A: EA (KBA, NA, NB) 3. AC: NB 3. CAB: NB,Attack on Helsinki protocol,A,C正常通信,同时C假冒A与B通信,A,C,B,18,AB: EB (NA, A) BA: EA(NA, NB) AB: EB (NB ),Needham-Schroeder public key protocol,1. AC: EC (NA , A) 1. CAB: EB (NA, A) 2. B CA: EA (

12、NA, NB) 2. C A: EA (NA, NB) 3. AC: EC (NB) 3. CAB: EB (NB),Attack on Needham-Schroeder protocol,A,C正常通信,同时C假冒A与B通信,A,C,B,19,AB: EB (NA, A) BA: EA(NA, NB ,B) AB: EB (NB ),Lowes variant of Needham-Schroeder protocol,Lowe prove secure using model checker FDR NA, NB can act as a shared secret, so step 3

13、 using encryption.,20,Key control : A Key freshness : A Key auth.: A Key conf.: No Attack: Yes The signature should include the unencrypted key (hashed to protect confidentiality) with the encrypted key sent separately.,攻击者I替换签名.A以为与B通信,B以为与攻击者I通信,X.509 one-pass authentication,1. AB: TA, NA, B ,EB (

14、KAB ), SigA ( TA, NA,B,EB (KAB),A,I(B),B,21,AB: TA, NA, B ,EB (KAB ), SigA ( TA, NA,B,EB (KAB) B A: TB, NB, A, NA ,EA (KBA), SigB ( TB, NB,A,NA,EA (KBA),X.509 two-pass authentication,AB: TA, NA, B ,EB (KAB ), SigA ( TA, NA,B,EB (KAB) B A: TB, NB, A, NA ,EA (KBA), SigB ( TB, NB,A,NA,EA (KBA) AB: NB ,

15、 B, SigA( NB ,B ),X.509 two-pass authentication,22,4.4 Key Agreement Protocols,23,Introduction,A key transport protocol or mechanism is a key establishment technique where one party creates or obtains a secret key, and then securely transfers it to the other(s) A key agreement protocol or mechanism

16、is a key establishment technique in which a shared secret key is derived by two (or more) parties as a function of information contributed by, or associated with, each of these, (ideally) such that no party can predetermine the resulting value. Key control is a term used to describe the extent to wh

17、ich principals have the ability to choose or influence the value of the shared key (or session key). It is desired that neither principal can control the shared secret value.,24,4.4.1 Diffie-Hellman Key Agreement,Notation p A larger prime ZAB 主体计算的共享秘密 q 素数， q|(p-1) KAB 会话密钥 G Z*p 的子群 SAB 静态DH密钥gxAx

18、B g G的生成元 NA,NB A、B选择的nonces rA, rB A、B在G中选择的随机数 H( ) 单向函数 tA, tB tA=grA, tB=grB xRX 从X中随机选择x xA, xB A、B 的私钥 F G 验证F与G是否相等 yA, yB yA=gxA ，yB=gxB,25,26,静态DH密钥生成会话密钥 K=H(SAB, fresh value), 传输KABK, 或 KAB= MACK (r) r是序列号或随机数。 特点：提供隐含密钥认证。 缺乏联合控制密钥，没有前向秘密性，易遭密钥泄 露假冒攻击。 小子群攻击 分析群G的结构，若ord(G)是合数，则它存在子群。如果

19、grA在某个小子群中，则grArB也在其中。小子群有助于攻击者穷尽搜索发现会话密钥。此攻击的关键是强迫（诱使）共享秘密存在于小子群中。 对策： 选ord(G)是比较大的素数。一般ord(G)=素数q，q|(p-1),27,适用于单向通信。 A、 B都有隐含密钥认证（ A 相信只有B能解密kA； B相信只有A 知道SAB。） B不都确定密钥的新鲜性。 没有前向秘密性（知xB可获得旧的ZAB) ，受密钥泄露假冒攻击(知xA 或xB可假冒A 或B)。,4.4.3 Diffie-Hellman-based protocols with Enhanced message Format,增加对DH交换消息

20、的认证： 共享秘密是瞬时ephemeral DH密钥，通常能提供前向秘密性。 对瞬时公钥(grA)签名，通常能避免密钥泄露假冒攻击(知道A的私钥不能假冒B）。,瞬时秘密提供了前向秘密性；签名抵御了密钥泄露假冒攻击。 不能达到密钥的双向确认。 加密确保对方拥有相同的会话密钥，抵御了未知密钥共享攻击，若无加密，C可替换A的签名。,不使用加密的站对站协议,A,C(B),B,tA,tA,tB, SigB(tB,tA),tB, SigB(tB,tA),SigA(tA,tB),SigC(tA,tB),A以为与B通信，实际上与C,C与B正常,30,31,4.6 Password-based Protocol

21、s,32,Password Protocols,Humans are incapable of remembering strong, random cryptographic keys; hence weak secrets (passwords/PINs) Risks of password protocols: Eavesdropping (*) Online password guessing: easy to defend Offline password guessing (dict.attack): possibly with active impersonation Serve

22、r database disclosure (+ dict.attack),33,Encrypted Key Exchange Using Diffie-Hellman,Bellovin-Merritts Original EKE,Shared Information: Shared Password . Security Parameter L.,A,B,Protocol 7.1 Diffie-Hellman-based EKE Protocol,34,针对对称加密算发的攻击：Partition attacks 敌手尝试用 解密 和 ，然后检验 和 是否为合法的DH短暂值，如果不合法则抛弃

23、。,省去1 或2中对称加密后的攻击,1. CA B : A, tA 2. B CA : tB , nBKAB 3. CA尝试用 解密 最后求出 ，然后解密 nBKAB ，如果nB有冗余 信息则判断结果是否合法。,1. A CB : A, tA 2. CB A: tB , X 3. A CB : nA ,nBKAB 4. CB尝试用 解密 ，求出KAB ，然后解密nA ,nBKAB ，判断后面部分是否等于用KAB解密X后的结果。,35,改进的EKE,改进的EKE在服务器上存储的不是口令的明文，而是口令的某个镜像，这样即使服务器被攻破，敌手也不能得到口令的明文，但是敌手得到口令镜像后，可以通过离线

24、字典攻击得到相应的口令。 如镜像是 ，则敌手可以猜测口令 ，然后比较 ,从而判断口令是否合法。 一些协议在服务器上存储 ，其中s被称为salt， 这样一旦服务器中的口令文件被泄漏，敌手想以强力搜索 的方法得到口令是很难的，但是如果敌手也知道了salt, 这样存储就没有意义了。,36,AI: Password . BI:,A,B,Protocol 7.7 Augmented Diffie-Hellman-based EKE Protocol,37,是 相应的签名公钥。 和Original Diffie-Hellman-based EKE Protocol的比较： 1、用口令的镜像加密； 2、多了

25、最后一个消息。 因为，如果没有这个消息，敌手只要知道了口令的 镜像就可以冒充A和B进行通信，而不用知道口令本身。 所以最后一条消息正是为了避免这一漏洞。 存在的攻击 敌手如果知道了历史会话密钥，可以通过最后一条消息 猜测口令。解决方案是签名消息不用会话密钥，而为和ZAB 相关的另一个值。,几点说明：,38,4.7 Privacy-Preserving Authentication,39,Deniable Authentication,Alice sends a message to Bob then it is said to be deniable if the mutual confide

26、nce is maintained but cant be proved to third party that the communication ever took place. authentication Deniability,40,anonymous channel,the third parties do not learn the identity of protocol participants. the protocols allow mobile principals to communicate when they meet, without being monitored by third parties,41,Authentication with user anonymity,The server do not learn the identity of a user,42,4.8 Group Key Agreement,43,Gen