Message Authentication Code (MAC)

Example: HMAC

1
Trusted Third Party

2
Public key certificate
Issued by a CA (Certification Authority), such as VeriSign, etc.
Contains your name, expiration dates, your public key, and the
digital signature of the certificate-issuing authority so that a recipient
can verify that the certificate is real.

3
Authentication
The process of determining whether someone or something is, in fact,
who or what it is declared to be.

Passwords are a classic way to authenticate (PIN numbers are a type of

password)

Advantages of passwords:
easy to remember and use
everyone know how to use it

Problem
if password is sent in cleartext, can be intercepted
if password is encrypted, requires establishment of encryption key

4
Authentication Protocols
Symmetric key authentication protocols
Public key authentication protocols

A protocol consists of a sequence of messages between principals and will be

described using different notations.
Principals are parties who cooperate by exchanging messages over
networks.
Principals are generally denoted by capitals such as A, B and S (for a
server).

(1) A B : M1
(2) B S : M2
(3) S B : M3

E(K : M) denotes encrypting message M with key K.

Ra: A random number generated by a principal A.
Used only once and is generally termed as a nonce.

5
Replay attack on Authentication Protocols
The attacker records the data of a successful authentication and replays this
information to attempt to falsely authenticate to the verifier.

A B : A, E(Kab : Password)

Counter measures: using of timestamps, sequence numbers or random numbers.

Example of using a timestamp or sequence number

A B : A, E(Kab : Password, Ta)

6
Symmetric Key Authentication Protocols
Verify identity based on a secret key shared between the principles.

Symmetric Key without Trusted Third Party

Symmetric Key One-Pass Unilateral Authentication Protocol

A B : E(Kab: Ta, A, B)

B authenticates A if the timestamp has a recent value.

Replay A's message?

Symmetric Key Two-Pass Unilateral Authentication Protocol

A is authenticated by the verifier B by the means of challenge - response.
(1) B A : Rb
(2) A B : E(Kab : Rb, A, B) //Rb is a nonce

Replay A's message?

7
 Symmetric Key Three-Pass Mutual Authentication
The mutual authentication is achieved by the use of random numbers Ra and Rb.

(1) B A : Rb
(2) A B : E(Kab : Ra, Rb, A, B)
(3) B A : E(Kab : Rb, Ra, B, A)

Replay A's messages?

Replay B's messages?

8
CHAP
Authentication based on a shared secret

CHAP is defined as a one-way authentication method.

However, you use CHAP in both directions to create a two-way authentication. Hence,
with two-way CHAP, a separate three-way handshake is initiated by each side.

The shared key is Alice's password. It is vulnerable to brute force/dictionary attack.

9
Public Key Authentication Protocols
The public key certificate-based authentication mechanism is used as a representative of
the public key authentication protocols.

Public Key Protocol without Trusted Third Party

Public Key One-Pass Unilateral Authentication Protocol

(1) A B : CertA, Ta, B, E(Ka-1 : Ta, B) //Ta is a timestamp or sequence umber

Public Key Two-Pass Unilateral Authentication Protocol

(1) B A : Rb
(2) A B : CertA, Ra, Rb, B, E(Ka-1: Ra, Rb, B) // Ra and Rb are nonces

Public Key Three-Pass Mutual Authentication Protocol

(1) B A : Rb
(2) A B : CertA, Ra, Rb, B, E(Ka-1 : Ra, Rb, B)
(3) B A : CertB, Rb, Ra, A, E(Kb-1 : Rb, Ra, A)

10
 Public Key Protocol with Trusted Third Party

(1) A S: A, B
(2) S A: E(Ks-1: Kb, B) // Ra and Rb are nonces
(3) A B: E(Kb: Ra, A)
(4) B S: B, A
(5) S B: E(Ks-1: Ka, A)
(6) B A: E(Ka: Ra, Rb)
(7) A B: E(Kb: Rb)

11
Two factor authentication
use passwords plus something else

Biometric
Retina, hand geometry, hand geometry, handwriting analysis, etc.

12
One way hash chain
A hash chain is a successive application of a cryptographic hash function
h() to a string.

For example,
h(h(h(h(st)))) gives a hash chain of length 4, often denoted h4(st)

One-time password, OTP (RFC 2289)

A one-time password is a password that is valid for only one login session.
Support two-factor authentication

13
http://en.wikipedia.org/wiki/SecurID

14
Analysis of Authentication Protocols

The objective:
Highlight the design flaws of authentication protocols
The successful attacks which have uncovered flaws in protocols allows to
learn from design errors, understand general attack methods and strategies.

Attack 1: man-in-the-middle on unauthenticated Diffie-Hellman

A and B are the legitimate parties, and E is an adversary.

A forms session key KA = xy' , while B forms session key KB = x'y.

E is able to compute both these keys.

15
Attack 2: Reflection attack

Suppose A and B share a symmetric key K, and authenticate one another on the
basis of demonstrating knowledge of this key by encrypting or decrypting a
challenge as follows.
Upon A sending (1), E intercepts it, and initiates a
new protocol, sending the identical message rA back
to A.

A completes the first protocol, and believes it has

successfully authenticated B, while in fact B has not
been involved in any communications.
An adversary E can impersonate B as follows.
The attack can be prevented by using distinct keys K
and K' for encryptions from A to B and B to A,
respectively.

An alternate solution is to include the identifier of

the originating party within the encrypted portion of
(2).

16
Attack 3: Interleaving attack

sA denotes the signature operation of party A, and it is assumed that all parties
have authentic copies of all others public keys.

An enemy E can initiate one protocol with B (pretending to be A), and another
with A (pretending to be B), as shown below, and use a message from the latter
protocol to successfully complete the former, thereby deceiving B into believing
E is A (and that A initiated the protocol). This attack is possible due to the
message symmetry of (2) and (3).

This attack may be prevented

by securely binding an identifier to
each message indicating a message
number.
17
18