Principles of Info Security
Principles of Info Security CS 5323
Popular in Course
Popular in ComputerScienence
verified elite notetaker
This 15 page Class Notes was uploaded by Mireya Heidenreich on Thursday October 29, 2015. The Class Notes belongs to CS 5323 at University of Texas at San Antonio taught by Staff in Fall. Since its upload, it has received 22 views. For similar materials see /class/231401/cs-5323-university-of-texas-at-san-antonio in ComputerScienence at University of Texas at San Antonio.
Reviews for Principles of Info Security
Report this Material
What is Karma?
Karma is the currency of StudySoup.
Date Created: 10/29/15
Principles of Information Security CS 5323 Lecture Ten Prof William Winsborough October 21 2008 Business 0 lwill return the exams this Thursday This week is about chapter 8 Next week we will start chapter 9 reading 0 Questions from previous lectures 21 OEtDbEY 2m Winsbuiuuuh cs 5323 Lecture 1 2 Vigenere Cipher Like Caesar cipher but use a phrase Example Message THE BOY HAS THE BALL Key VIG Encipher using Caesar cipher for each letter ey VIGVIGVIGVIGVIGV cipher OPKWWECIYOPKWIRG 21 Comm 2m WinsbuiUUEhCS 5323LEctuieiEI Relevant Parts of Tableau Useful Terms period length of key In earlier example period is 3 tableau table used to encipher and decipher Vigenere cipher has key letters on top plaintext letters on the left polyaphabetic the key has several different letters Caesar cipher is monoalphabetic 21 Comm 2m WinsbuiUUEhCS 5323LEctuieiEI G I V Tableau shown has A G 1 V relevant rows columns B H J w 039 E L M Z 39 Example encipherments H N P c r keyv letterT follow L R T G column downtoT row 0 U w J W r keyiienerH followl S Y A N column own 0 T Z B 0 giving Y E H T 21 Octubei 2m Winsbuiuuuh cs 5323 mm 1 a Attacking the Cipher Approach Establish period call it n Break message into 11 parts each part being enciphered using the same key letter Solve each part You can leverage one part from another We will show each step 21 OEtDbEY 2m Winsbuiuuuh cs 5323 Lecture 1 a The Target Cipher We want to break this cipher ADQYS MIUSB OXKKT MIBHK IZOOO EQOOG IFBAG KAUMF WTAA CIDTW MOCIO EQOOG BMBFV ZGGWP CIEKQ HSNEW VECNE DLAAV RWKXS VNSVP HCEUT QOIOF MEGJS WTPCH AJMOC HIUIX 21 Octuber 2m WinsburUUEhCS 5323 Lecturem 7 Establish Period Kasiski repetitions in the cipherteXt occur when characters of the key appear over the same characters in the plain text Example v1 on on on on GV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG Note the key and plaintext line up overthe repetitions underlined As distance between repetitions is 9 the period is a factor on that is 1 3 or 9 21 Octuber 2m Winsburuuuh cs 5323 Lecture 1 a Repetitions in Example 21 Octuber 2m WinsburUUEhCS 5323 Lecturem a Estimate of Period OEQOOG is probably not a coincidence Its too long for that Period may be 1 2 3 5 6 10 15 or 30 Most others 710 have 2 in their factors Almost as many 610 have 3 in their factors Begin with period of2 X 3 6 21 Octuber 2m Winsburuuuh cs 5323 Lecture 1 1n Check on Period Index of coincidence is probability that two randomly chosen letters from ciphertext will be the same Tabulated for different periods 1 0066 3 0047 5 0044 2 0052 4 0045 10 0041 Large 0038 21 Octuber 2m WinsburUUEhCS 5323 Lecturem 11 Compute IC IC n 7 11205525FIFI1 where n is length of ciphertext and F the number of times character occurs in ciphertext Here IC 0043 Indicates a key of slightly more than 5 A statistical measure so it can be in error but it agrees with the previous estimate which was 6 21 Octuber 2m Winsburuuuh cs 5323 Lecture 1 12 Splitting lnto Alphabets alphabet 1 AIKHOIATTOBGEEERNEOSAI alphabet 2 DUKKEFUAWEMGKWDWSUFWJU alphabet 3 QSTIQBMAMQBWQVLKVTMTMI alphabet 4 YBMZOAFCOOFPHEAXPQEPOX alphabet5 SOIOOGVICOVCSVASHOGCC alphabet 6 MXBOGKVDIGZINNVVCIJHH ICS 1 0069 2 0078 3 0078 4 0056 5 0124 6 0043 indicate an alphabets hav period 1 except 4 and 6 assume statistics off 21 Ocluber 2m WinsburUUEhCS 5323 Lecturei 13 Frequency Examination ABCDEFGHIJKLMNOPQRSTUVWXYZ 31004011301001300112000000 10022210013010000010404000 l2000000201140004013021000 21102201000010431000000211 10500021200000500030020000 01110022311012100000030101 Letterfrequencies are H high M medium L low HMMMHMMHHMMMMHHMLHHHMLLLLL owcnwa x 21 Ocluber 2m Winsburuuuh cs 5323 Lecture 10 N Begin Decryption First matches characteristics of unshifted alphabet Third matches ifl shifted to A Sixth matches if V shifted to A Substitute into ciphertext bold are substitutions H m a w m m v c m m lt v 3 mt 0 H F E E v C r 2 c F F C C H BMTFV EGGOP CNEKI HSSEW NECSE DDAAA RWCXS ANSNP HHEU L QONOF EEGOS WLPCM AJEOC MIUAX 21 Ocluber 2m WinsburUUEhCS 5323 Lecturei 15 Look For Clues o AJE in last line suggests are meaning second alphabet maps A into S ALIYS RICKB OCKSL MIGHS AZOTO MIOOL INTAG PACEF VATIS CIITE EOCNO MIOOL BUTFV EGOOP CN39ESI HSSEE NECSE LDAAA RECXS ANANP HHECL QONON EEGOS ELPCM AREOC MICAX 21 Ocluber 2m Winsburuuuh cs 5323 L221qu 10 10 Next Alphabet MICAX in last line suggests mical a common ending for an adjective meaning fourth alphabet maps 0 into A ALI RICKP OCKSL AIGHS ANOTO MICOL PACET VATIS QIITE ECCNO MICOL EGOOD CNESI VSSEE NSCSE LDOAA s ANAND HHECL EONON ESGOS ELDCM wH CZ 0116 ltmm ARECC MICAL 21 Ocluber 2m WinsburUUEhCS 5323 Lecturei 17 Got It QI means that U maps into I as Q is always followed by U ALIME RICKP ACKSL AUGHS ANATO MICAL PACET HATIS QUITE ECONO MICAL BUTTH EGOOD ONESI VESEE NSOSE LDOMA RECLE ANAND THECL EANON ESSOS ELDOM ARECO MICAL H z gt O m 21 Ocluber 2m Winsburuuuh cs 5323 L221qu 10 1a OneTime Pad long as the message Provably unbreakable correspond to plaintext DOIT key AJI cipher by trying to regenerate the ke Approximations such as u generators to generate keys are nolra 21 Octuber 2m Winsburuuuh cs 5323 Lecture 1 A Vigenere cipherwith a random key at least as Why Look at ciphertext DXQR Equally likely to and to plaintext DONT key AJDY and any other 4 letters Warning keys must be random or you can attackthe sing pseudorandom number 0 Overvrew of the DES A block cipher encrypts blocks of 64 bits using a 64 bit key outputs 64 bits of ciphertext A product cipher basic unit is the bit performs both substitution and transposition permutation on the its Cipher consists of 16 rounds iterations each with a round key generated from the user supplied key 21 Octuber 2m Winsburuuuh cs 5323 Lecture 1 Generation of Round Keys bits each 21 Octuber 2m Winsburuuuh cs 5323 Lecture 1 Round keys are 48 The fFunction a 5 1mm each 9I I I I 41m wutufuch 21 Octuber 2m WinsburuuuhCS 5323LEcturelEI 21 Octuber 2m Encipherment Winsburuuuh cs 5323 Lecture 1 Considered too weak Diffie Hellman said in a few years technology Design decisions not public 21 Octuber 2m Controversy would allow DES to be broken Design using 1999 technology published Sboxes may have backdoors Winsburuuuh cs 5323 Lecture 1 Undesirable Properties 4 weak keys They are their ovm inverses 12 semiweak keys Each has another semiweak key as inverse Complementation property DESKm c 2 DESKm c S boxes exhibit irregular properties Distribution ofodd even numbers nonrandom Outputs offourth box depends on input to third box 21 October 2m WinshurUUEhCS 5323 Lemma 25 Differential Cryptanalysis A chosen ciphertext attack Requires 247 plaintext ciphertext pairs Revealed several properties Small changes in Sboxes reduce the number of pairs Making every bit ofthe round keys independent does notimpe e attack Linear cryptanalysis improves result Requires 2 3 plaintext ciphertext pairs 21 October 2m Winshuruuuh cs 5323 Lecture 1U 25 DES Modes Electronic Code Book Mode ECB Encipher each block independently Cipher Block Chaining Mode CBC Xor each block with previous ciphertext block Requires an initialization vectorfor the rst one EncryptDecrypt Encrypt Mode 2 keys k k EsyDEs DEsgm EncryptEncrypt Encrypt Mode 3 keys k k k c DEsArDEsK DESK m 21 October 2m WinshurUUEhCS 5323 Lemma 27 CBC Mode Encryption 21 October 2m Winshuruuuh cs 5323 Lecture 1U 23 CBC Mode Decryption mxt vector 21 October 2m WinshurUUEhCS 5323 Lemma 2a SelfHealing Property Initial message 3231343336353837 3231343336353837 3231343336353837 3231343336353837 Received as underlined 4c should be 4b ef7c4cb2b4ce6f3b f626663a97afDeZC 746ab9a63 8f4256 3366Bb451b 96 3d Which decrypts to efca lelgf4836fl 3231 3336353837 3231343336353837 3231343336353837 Incorrect bytes underlined Plaintext heals after 2 blocks 21 October 2m Winshuruuuh cs 5323 Lecture 1D 3 Business Thursday October 9 will be devoted to Principles of Information Security reVleW I CS 5323 L ct N Bring your questions e me me Tuesday October 14will be midterm 1 Prof Wimam Winsborough It will cover material from the rst 7 chapters and lectures through Thursday 925 This change of date re ects my inability to provide you with a study guide last week October 7 2008 Questions from previous lectures 7 October 2m WWW cs 3323 WW 3 Cryptosystem Example Quintuple T D M K C Example Caesar cipher 7 N set of plaintexts e M sequences of letters Ksetofkeys eKiiisanintegerandOsisZS Cset of ciphertexts e E E k E K and for all letters m r Eset of encryption functions 6 N X K C 5W m 0 m d 26 e I set of decryption functions d Cgtlt K N 7 D DKI k E K and maquot letters 0 Dc 26 c k mod 26 C M 7 October 2m WWW cs 3323 Lecture 3 3 7 October 2m WWW cs 3323 WW 3 Attacks Basis for Attacks Opponent whose goal is to break cryptosystem 0 Mathematical attacks 395 the adversary Based on analysis of underlying mathematics Assume adversary knows algorithm used but not key Statistical attacks Three types of attacks ciphenext only adversary has only ciphenext goal is Make assumptions about the distribution of to nd plaintext possibly key letters pairs of letters digrams triplets of known plaintext adversary has ciphertext letters tr39grams7 510 con39esponding plaintext goal is to nd key Called models ofthe language chosen plaintext adversary may supply plaintexts Examine ciphertext correlate properties With and obtain corresponding ciphertext goal is to nd the assumptions 7 October 2m Winsburuuuh cs 5323 Lecture 3 7 October 2m Winsburuugh cs 5323 Lecture 3 Classical Cryptography Sender receivershare common ke Keys may be the same or trivial to derive from one another Sometimes called symmetric cryptography Two basic types Transposition ciphers Substitution ciphers Combinations are called product ciphers 7 October 2m Winsburuuuh cs 5323 Lecture 5 Transposition Cipher Rearrange letters in plaintext to produce ciphertext Example RailFence Cipher Plaintext is HELLO WORLD Rearrange as HLOOL ELWRD Ciphertext is HLOOL ELWRD 7 October 2m Winsburuuuh cs 5323 Lecture 5 Attacking the Cipher Anagramming lf 1gram frequencies match English frequencies but other n gram frequencies do not probably transposition Rearrange letters to form ngrams with highest frequencies 7 October 2m Winsburuuuh cs 5323 Lecture 5 Example Ciphertext HLOOLELWRD Frequencies of 2 grams beginning with H HE 00305 HO 00043 HL HW HR HD lt 00010 Frequencies of 2 grams ending in H H 00026 LH OH RH DH 5 00002 lmplies E follows H 7 October 2m Winsburuuuh cs 5323 Lecture 5 Example Arrange so the H and E are adjacent HE LL 0 77 OR LD Read off across then down to get original 39 t t plain ex 7 October 2m Winsburuuuh cs 5323 Lecture 5 Substitution Ciphers Change characters in plaintext to produce xt cipherte Example Caesar cipher Plaintext is HELLO WORLD Change each letter to the third letter following it X goes to A Yto B Z to C Key is 3 usuallywritten as letter D Ciphertext is KHOOR ZRUOG 7 October 2m Winsburuuuh cs 5323 Lecture 5 Attacking the Cipher Exhaustive search If the key space is small enough try all possible keys until you find the right one Caesar cipher has 26 possible keys Statistical analysis Compare to 1gram model of English 7 Ocluber 2003 Winshuruuuh cs 5323 Lecture 5 13 Statistical Attack Compute frequency of each letter in ciphertext G 01 H 01 K 01 O 03 R 02 U 01 Z 01 Apply 1gram model of English Frequency of characters 1grams in English is on next slide 7 Ocluber 2003 Winshuruuuh cs 5323 Lecture 5 m Character Frequencies 7 Ocluber 2003 Winshuruuuh cs 5323 Lecture 5 15 Statistical Analysis fc frequency of character 0 in ciphertext p0 correlation of frequency of letters in ciphertext with corresponding letters in English assuming key isi P0 20 s c 25 fCPC I so herei p0 01p6 i 01p7 i 01p10 i 03p14 i 02p17 i 01p20 I 01p25 i px is 39equency ofcharacter x in English 7 Ocluber 2003 Winshuruuuh cs 5323 Lecture 5 16 Correlation pi for O S i S 25 i i i 7 Ocluber 2003 Winshuruuuh cs 5323 Lecture 5 l7 The Result Most probable keys based on p2 i 6 437 00660 39 plaintext EBDL 39I LOLA i10ql00635 39 plaintext AXEEH PHKE W i 3 437 00575 39 plaintext HELLO WORLD i14ql00535 39 plaintext WTAAD LDGAS Only English phrase is fori 3 That s the key 3 or D 7 Ocluber 2003 Winshuruuuh cs 5323 Lecture 5 18 Business Read chapters 3 4 and 5 by Thursday Principles of Information Security In chapter 3 I want you to understand the basic structure of how we can prove safety is CS 5323 Lecture Four undecidable in the Harrison Ruzzo and Ullman model Prof William Winsborough You don t have to be able to recreate the September 9 2008 reduction itself Questions from previous lectures a September zone Winsouruuen cs 5323 Lecture 6 Modeling Computer Systems Secure Systems We can view a computer system as a finite state Under the FSM model machine FSM Set of states one ofwhich is the initial state A secure SyStem Starts m a secure State and A set ofevents to which the FSM responds cannot enter an insecure state A 59 f NW5 the FSM W quot ia e A breach ofsecurity occurs if a system i g Lenlatw Ed39 t139gt Ef g g ye i ts transits from a secure state to an insecure and de ning actions initiated by the transition state In this context policy can be viewed as defining which states are secure and which are not Many but not all system properties ofinterest to security can be categorized this way a Semernber ZUEIB erisburuueh CS 5323 Lecture 6 3 5 SEmernher ZUEIB erisburuueh CS 5323 Lecture 6 6 Three Fundamental Properties Integrity Con dentiality Example Unix write permission 7 information l has conflderrllallyvvltn respect to entity setX lfno rnernberochanobtalnlnforrnatlonabouti Example separation of duty reqUIrements r Tells you Where the lnforrnatlon could go Information versus System Integrity e inas lnlegrllyvvltn respect to x it memoers orxtmstl Integr39ty e Tells you Where the lnforrnatlon came from and now it got to you Data can be modified by awed or Availability compromised system components 7 i has ayalablllyvvltn respect toleaii rnernberofX can access A S Stem is com romised has been 7 Tells you Wheretnelnfonnatlonrnustbe abieto go I 7 Can include quality ofserylce requirements ma 39C39OUS y a ere Example Execute permission 9 Semernber ZUEIB erisburuueh CS 5323 Lecture 6 5 5 SEmernher ZUEIB erisburuueh CS 5323 Lecture 6 B Principles of Information Security CS 5323 Lecture 13 Prof William Winsborough November 4 2008 Business Questions from previous lectures IDEA Survey will be Thursday at the end ofthe class so you can leave when you re done Remainder of slides are 2004 Matt Bishop I Nwember 2m Winsnuiuuun cs 5323 Lecture is 2 Chapter 9 Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures I Nuvember 2m Wlnsbumuuh cs 5323 Lecture is Overview Key exchange Session vs interchange keys Classical public key methods Cryptographic key infrastructure Certificates Key storage Key revocation Digital signatures I Nwember 2m Winsnuiuuun cs 5323 Lecture is I Notation Xgt Y 2 WkX V Xsends Ythe message produced by concatenating Z and Wenciphered by key kx y which is shared by users Xand Y 39 AaTZIZMAIIIWMAr se d T essage consisting ofthe concatenation on enciphered using kA A s key and Wenciphered using km the key shared byA and T r112 nonces nonrepeating random numbers I Nuvember 2m Wlnsbumuuh cs 5323 Lecture is 5 Session Interchange Keys Alice wants to send a message m to Bob Assume public key encryption Alice generates a random cryptographic key kS and uses it to enci herm To be used forthlS message ony Called a session ke She enciphers kS with Bobs public key k5 k5 encipners all session keys Alice uses to communicate Witn Bo Called an interchange key Alice sends m k5 k5k5 I Nwember 2m Winsnuiuuun cs 5323 Lecture is s Benefits Limits amount of traffic enciphered with single key Standard practice to decrease the amount of traf c tain Prevents some attacks Example Alice will send Bob message that is either BUY or SELL Eve computes possible ciphertexts BUY kg and SELL ks Eve intercepts enciphered message compares and gets plaintext at once t Noyernher 2m Wrrrshuruuerr cs 5323 Lecture t3 7 Key Exchange Algorithms Goal Alice Bob get shared key Key cannot be sent in clear Attacker can lrsten rn Key can be sent enclphered or denyed from exchanged data plus data not known to an eayesdropper Alice Bob may trust third party All cryptosystems protocols publicly known Only secret data rs tne keys ancrllary lnforrnatlon known only to Allce and Bob needed to denye keys Anythlng transrnrtted rs assurned known to attacker t Nwemher 2m Wrrrshuruuerr cs 5323 Lecture t3 8 Classical Key Exchange Bootstrap problem how do Alice Bob begin Alice can t send it to Bob in the clear Assume trusted third party Cathy Alice and Cathy share secret key kA Bob and Cathy share secret key k5 Use this to exchange shared key ks t Noyernher 2m Wrrrshuruuerr cs 5323 Lecture t3 9 Simple Protocol request for session key to Bob my Alice Cathy k k k k Alice t a Allt a 5 Cathy k k Alice 5 Bob thwemaer Inna errshuruugncs5323Lecture13 m Problems How does Bob know he is talking to Alice Replay attack Eve records message from Alice to Bob later replays it Bob may think he s talking to Alice but he isn t Session key reuse Eve replays message from Alice to Bob so Bob reuses session key Protocols must provide authentication and defense against replay t Noyernher 2m Wrrrshuruuerr cs 5323 Lecture t3 ll NeedhamSchroeder Alice ll Bob ll r Alice Cathy Alice ll Bob ll 71 ll 76 ll Alice ll 76 gt 765 gt 76A Alice Cathy Ahcellhwag Alice Bob 72 2 Alice Bob rr 1 gt76 Alice Bob t Nwemher 2m Wrrrshuruuerr cs 5323 Lecture t3 t2 Argument Alice talking to Bob Second message Enciphered using key only she Cathy knows So Cathy encipnereo it Response to rst message As a in it matcnes q in rst message Third message Alice knows only Bob can read it As only Bob can derive session key from message Any messages enciphered with that key are from Bob t November 2m vvirrsnuruuerr cs 5323 Lecture i3 i3 Argument Bob talking to Alice Third message Enciphered using key only he Cathy know So Cathy encipnereo it Names Alice session key Cathy provlded session key says Alice is otner party Fourth message Uses session key to determine ifit is replay from Eve lrnot Alice Will respond correctly in riltn messa e lrso Eye can t decipnerr2 and so can t respond orresponos incorrectly t Nwemher 2m vvirrsnuruuerr cs 5323 Lecture i3 it DenningSacco Modification Assumption all keys are secret Question suppose Eve can obtain session key How does that affect protocol In what follows Eve knows kS Alice ll k kB Eve Bob lt H gt 76 Eve Bob lt 2 a 1 gt k Bob t uuyemser Inna Wiresuruuur cs 5323 Lecture i3 i5 Solution In protocol above Eve impersonates Alice Problem replay in third step First in previous slide Solution use time stamp Tto detect replay Weakness if clocks not synchronized may either reject valid messages or accept replays Parties with either slow or fast clocks vulnerable to replay Resetting clock does not eliminate vulnerability t Nwemher 2m vvirrsnuruuerr cs 5323 Lecture i3 is NeedhamSchroeder with DenningSacco Modification Alice ll Bob ll r1 Alice Cathy Alice ll Bob ll rl ll A ll Alice ll Tll k mm Alice Cathy Alice ll Tll k we Alice Bob lt H gt in Alice Bob lt r2 7 1 gt in Alice Bob t November 2m vvirrsnuruuerr cs 5323 Lecture i3 i7 OtwayRees Protocol Corrects problem That is Eve replaying the third message in the protocol Does not use timestamps Not vulnerable to the problems that Denning Sacco modification has Uses integer n to associate all messages with particular exchange t Nwemher 2m vvirrsnuruuerr cs 5323 Lecture i3 la The Protocol rt ll Alice ll Bob H r H rt ll Alice ll Bob we Alice Bob nllAlicellBoblHr llnllAlicellBobHr H can 72 ll rt ll Alice ll Bob H65 B b Cathy rt r k k r k k Bob VLHltHHk3gtkA Alice Bob a Number me Wrretureuer cs 5323 Lecture is 19 Argument Alice talking to Bob Fourth message If 11 matches first message Alice knows it is part of this protocol exchange Cathy generated ks because only she Alice A Enciphered part belongs to exchange as r matches r in encrypted part of first message t Nwember 2m Wrrrsnereuen cs 5323 Lecture t3 2 Argument Bob talking to Alice Third message If 11 matches second message Bob knows it is part of this protocol exchange Cathy generated ks because only she Bob Enciphered part belongs to exchange as r2 matches r2 in encrypted part of second message t Nuvember 2m Wrrrsneruuen cs 5323 Lecture t3 2t Replay Attack Eve acquires old ks message in third step quotIHrt IlkskA r2ksk5 Eve forwards appropriate part to Alice Alice has no ongoing key exchange with Bob n matches nothing so is rejected Alice has ongoing key exchange with Bob n does not match so is again rejected lfreplay is forthe current key exchange and Eve sent tne relevant part before Bob did Eve could simply listen to traffic no replaylnvolved t Nwember 2m Wrrrsnereuen cs 5323 Lecture t3 22 Kerberos Authentication system Based on NeedhamSchroederwith DenningSacco modi cation Central server plays role oftrusted third party Cathy Ticket lssu er vou ches for identity of requester of service Authenticator Identi es sender t Nuvember 2m Wrrrsneruuen cs 5323 Lecture t3 23 Idea User u authenticates to Kerberos server Obtains ticket TumS for ticket granting service TGS User u wants to use service 3 User sends authenticatorAu ticket TumS to TGS asking for ticket for service TGS sends ticket Tu to user User sends Au Tu to server as request to use 5 Details follow t Nwember 2m Wrrrsnereuen cs 5323 Lecture t3 2t Ticket Credential saying issuer has identified ticket requester Example ticket issued to user u for service 5 Tw s H u H u s address valid time ku 5ks where kw is session key for user and service Valid time is interval for which ticket valid u s address may be IP address or something else Note more fields but not relevant here Authenticator Credential containing identity of sender of ticket ed to con rm sender is entity to which ticket was issued Example authenticator user u generates for AMS u H generation time H k kw where k is alternate session key Generation time is when authenticator generated Note more fields not relevant here e Nwember 2m Winshuruuuh cs 5323 Lemme 13 2e Protocol m mllTGS Cathy Jr Jr T Cathy gt H 1427 527W HAuJGXH Two 1427 39 TGS uszrlHk k HT user lt quot GS TGS A ll Tm user servzce I t 1 gt 7m 14527 SEWZCE e November 2m Winshumuuh cs 5323 Lemme 13 27 Analysis First two steps get user ticket to use TGS User u can obtain session key only if u knows key shared with Cathy Next four steps show how u gets and uses ticket for service s Service s validates request by checking sender using AM is same as entity ticket issued to Step 6 optional used when u requests confirmation e Nwember 2m Winshuruuuh cs 5323 Lemme 13 2a Problems Relies on synchronized clocks If not synchronized and old tickets authenticators not cached replay is possible Tickets have some fixed fields Dictionary attacks possible Kerberos 4 session keys weak had much less than 56 bits of randomness researchers at Purdue found them from tickets in minutes e November 2m Winshumuuh cs 5323 Lemme 13 2a Public Key Key Exchange Here interchange keys known eA e5 Alice and Bob s public keys known to all dA d5 Alice and Bob s private keys known onlyto owner Simple protocol k5 is desired session key k Alice Bob e Nwember 2m Winshuruuuh cs 5323 Lemme 13 3 Principles of Information Security CS 5323 Lecture Four Prof William Winsborough September 4 2007 Business Start reading 4042 ofAnderson Any questions about anything related to the course t September 2on7 Wrnsouruuen cs 5323 Lecture t Protocol Objectives and Evaluation Security protocols are the rules that govern communications between principals in a given Designed so that the system will survive certain threats malicious acts Normally it is impractical to protect against all threats realistic threats high likelihood andor high value are identified by a threat model Evaluating a protocol involves answering two ns Is the threat model realistic Does the protocol deal with it t September 2on7 Wlnsbumuuh cs 5323 Lecture t 3 Simplest Authentication Protocol Passwords Early applications car doors garage doors Guessing 16 bit at 10second 1 hour Eavesdropping Grabber device records and retransmits passcode More bits don t help t September 2on7 Wrnsouruuen cs 5323 Lecture t Simple Authentication Garage door openers T s G T T r l kr T ls lrlrcartokerl or lts senal number G ls arage N ls a nancea nurnoertnat ls used only orlceiserves to ensure freshrless KT ls a shared secret Key posslbly Um for some master Key KM Such protocols can otten be subverted without breaking the enc 39 r Cholce of rlorlce hCWtO el lSLll e lt has rlot beerl used before Random nonce or counter 7 Random key nas to rernernoera lot oroast nonces e Co rlter htwyto syrlchrorllze when key ls rncrernented out not oc t September 2on7 Wrnsouruuen cs 5323 Lecture t 5 Challenge and Response A slightly more sophisticated protocol used in car ignitions T 2 E T MK E ls erlglrle controller T ls transponder ror car key N ls a nancea nurnoertnat ls used only orlceiservesto ensure K ls a secret key snared between erlglrle controllerand key transponder The values ofN generated by E must be dif cult to predict must be random enough 7 A good source orrandornness ls physlcal world t September 2on7 Wrnsouruuen cs 5323 Lecture t