06-20008 Cryptography, School of Computer Science, The University of Birmingham
Autumn Semester 2012
Eike Ritter, 8 November 2012

Handout 7

Summary of this handout: Key Exchange Protocols, Wide-Mouth Frog, Needham-Schroeder, Kerberos, Otway-Rees, Some Cryptanalysis Techniques, Overview on Passive and Active Attacks

II.5 Key Exchange Protocols

For the symmetric ciphers discussed so far we have assumed that both sender and receiver know the key used for encryption and decryption. In practice, however, exchanging and maintaining keys is a major issue. In particular, in the situation where many users want to communicate over an insecure network (e.g., the Internet), it is important that shared keys are exchanged in a manner that is private and integrity-assured. Moreover, we need to be able to establish ad hoc communications between participants unknown to each other. This is achieved by means of key exchange protocols. Some of the important aspects of key maintenance are:

Key Lifetime. The longer a key is used, the more vulnerable the communication. Keys therefore have to be renewed frequently and old keys have to be properly destroyed.

Key Security. Keys should never be reused and should be chosen as randomly as possible in order to increase security. Key reuse is theoretically not a problem. Suppose we take Rijndael in its easiest form, i.e., with a key length of 128 bits; then even if we had used one new key every nanosecond since the beginning of the universe (which is assumed to be 2^34 years old), we would still have 2^86 keys left. Although we can assume that the security of a cipher does not depend on the particular choice of key, i.e., all keys lead to an equally secure cipher, it is nevertheless important that the key is random and can therefore not be easily guessed. [See point 56 below.]

Key Distribution. The most vulnerable part of key management is the actual exchange of keys. The main idea of symmetric key exchange protocols is that one uses a trusted third party. Alice and Bob each share a permanent key only with this trusted third party, which then produces session keys that are distributed to Alice and Bob and used for their subsequent communication. We will discuss some of the key exchange protocols in this handout.

56. Aside: Non-linear Keyspaces

Most ciphers are designed such that they provide full security no matter what the secret key is. However, occasionally one might want to design a cipher that behaves differently, in that it is secure only for some keys in the space of all possible keys, while it is deliberately defined to be weak for other keys. Such keyspaces are called non-linear. If a user is unaware which keys make the cipher secure and which leave it weak, the cipher designer can use this knowledge as a back door. The NSA is known to have defined ciphers that had non-linear keyspaces.

57. New People Involved

We need some new players in our game of Cryptography:

Trent: A trusted third party that is often central to symmetric key exchange. For example, this can be an authentication server or an Internet service provider.

Mallory: A malicious attacker, who can modify messages, substitute her own messages, replay old messages, and so on. Unlike defending against Eve, who can only eavesdrop, securing a system against Mallory is much harder.

58. Notation

Recall that the main idea of the symmetric key exchange protocols is that both Alice and Bob only share a permanent key with Trent and get a unique session key issued by Trent for communication. In order to establish this session key, however, we will need additional information that is to be exchanged. Here is an overview of the concepts we will use for defining the protocols:

A: Alice's name.
B: Bob's name.
T: Trent's name.
E_A: Encryption with a key Trent shares with Alice.
E_B: Encryption with a key Trent shares with Bob.
K: The session key produced by Trent for communication between Bob and Alice.
E_K: Encryption with the session key K.
I: An index number.
S_A, S_B, S_T: A timestamp issued by Alice, Bob, or Trent, respectively.
L: The lifetime of timestamps.
N_A, N_B: A nonce chosen by Alice or Bob, respectively.
M: An additional nonce.

In addition, we have to denote the direction of message passing. We will for instance write A → B when a message is sent from Alice to Bob, or T → A if Trent sends a message to Alice. For the definition of protocols we will employ the notation we have used so far during the handouts. Since our notation varies somewhat from the notation for cryptographic protocols used in many textbooks and research papers, here is a brief comparison. If we write

A → B : S_A A E_K(B N_A M)

this means that Alice sends Bob the concatenation of a timestamp, Alice's name, and (encrypted with Alice's and Bob's shared key) Bob's name, a nonce and the plaintext. One can express this in security protocol notation as

A → B : S_A, A, {B, N_A, M}_K

where {M}_K means that everything inside the curly brackets is encrypted with key K.

II.5.1 Wide-Mouth Frog

Wide-mouth frog is a very simple protocol that transfers a key K from Alice to Bob via Trent, using only two messages. It uses timestamps to synchronise clocks between the parties involved, which often makes it difficult to implement. In addition the protocol relies on Alice to choose the session key K and then transports this key over to Bob. This implies that Bob trusts Alice to be competent in making secure keys and keeping them secret. This is a very strong assumption and the main reason that this protocol is not used much in real life. However, it is very simple and gives a good example of how protocols are described.

1: A → T : A E_A(S_A K B)
2: T → B : E_B(S_T K A)


First Alice sends her name together with an encrypted timestamp and session key to Trent:

A → T : A E_A(S_A K B)

On obtaining the first message Trent decrypts the last part and checks that the timestamp is recent. This decrypted message tells Trent he should forward the key to Bob. If the timestamp is verified to be recent, Trent encrypts the key along with his timestamp and passes this encryption to Bob:

T → B : E_B(S_T K A)

On obtaining this message Bob decrypts it and checks that the timestamp is recent; then he can recover both the key K and the name of Alice, i.e., the person who wants to send data to him using this key. Observe that the concept of "recent" is left open for interpretation!

II.5.2 Needham-Schroeder

In Needham-Schroeder Alice initiates the communication directly with Bob, but first obtains the relevant information and session key K from Trent. During the key exchange nonces are used to ensure authenticity of messages:

1: A → T : A B N_A
2: T → A : E_A(N_A K B E_B(K A))
3: A → B : E_B(K A)
4: B → A : E_K(N_B)
5: A → B : E_K(N_B − 1)

First Alice sends a message to Trent identifying herself and Bob, telling Trent she wants to communicate with Bob:

A → T : A B N_A

Trent generates K and sends back to Alice two copies of the key: one decipherable by Alice and one encrypted with E_B for Alice to forward to Bob. Since Alice may be requesting keys for several different people, the nonce N_A assures Alice that the message is fresh and that Trent is replying to that particular message, and the inclusion of Bob's name tells Alice who she is to share this key with:

T → A : E_A(N_A K B E_B(K A))

Alice forwards the key to Bob, who can decrypt it with the key he shares with Trent, thus authenticating the data:

A → B : E_B(K A)

Bob needs to check that the third message was not a replay. So he needs to know if Alice is still alive; hence, in the fourth message he encrypts a nonce back to Alice:

B → A : E_K(N_B)

Alice performs a simple operation on the nonce, re-encrypts it and sends it back, verifying that she is still alive and that she holds the key:

A → B : E_K(N_B − 1)


Since Alice and Bob have their secret session key generated by Trent, neither needs to trust the other to produce secure keys. They of course trust Trent to generate secure keys, since everyone trusts Trent. In some applications this last assumption is not valid and more involved algorithms, such as public key algorithms, are required. We will get to public key cryptography later in this lecture. The main problem with the Needham-Schroeder protocol is that Bob does not know that the key he shares with Alice is fresh, a weakness which can be exploited for an attack as we will see later. This weakness has been avoided in the Kerberos protocol.

II.5.3 Kerberos

Kerberos is a variant of Needham-Schroeder that uses timestamps of a limited lifetime instead of nonces. It was developed in 1987 at MIT and is now widely used in many applications such as Secure Shell or Windows 2000. Kerberos works with a network of clients and servers (i.e., Trents). Clients log into the server to obtain a session key for E_A and can then initiate communications or obtain secure access to resources.

1: A → T : A B
2: T → A : E_A(S_T L K B E_B(S_T L K A))
3: A → B : E_B(S_T L K A) E_K(A S_A)
4: B → A : E_K(S_A + 1)

If Alice wishes to communicate with Bob (or access the resource Bob), she asks Trent to initiate communication with Bob:

A → T : A B

If Trent allows this access then a ticket is created consisting of the session key K and a timestamp S_T together with its lifetime L. Alice gets two versions of this ticket: one encrypted with her own key and one encrypted with Bob's key, used to authenticate subsequent communication with Bob:

T → A : E_A(S_T L K B E_B(S_T L K A))

Then Alice wants to verify that the ticket is valid and that Bob is alive. Hence, she sends an encrypted timestamp S_A to Bob:

A → B : E_B(S_T L K A) E_K(A S_A)

Bob sends back the encryption of S_A + 1, after checking that the timestamp S_A is recent, thus proving he knows the key and is alive:

B → A : E_K(S_A + 1)

We can observe that all authentication messages are marked with the names of the respective communication partner, either A or B. This enables the parties involved to initiate or reply to several communication requests from different parties without confusion. The security of Kerberos relies heavily on timestamps and the lifetime L as reliable indicators of the freshness of a communication.


II.5.4 Otway-Rees

As opposed to all protocols discussed so far, in the Otway-Rees protocol communication is initiated by Alice contacting Bob, who then gets the session key from Trent. The protocol itself uses nonces to flag that encrypted messages are recent, similar to Needham-Schroeder. In addition a nonce M is used to flag that the current set of communications are linked.

1: A → B : M A B E_A(M A B N_A)
2: B → T : M A B E_A(M A B N_A) E_B(M A B N_B)
3: T → B : M E_A(N_A K) E_B(N_B K)
4: B → A : M E_A(N_A K)

Alice initiates the communication by sending Bob the general message nonce M, her name, Bob's name and another copy of this message together with a specific nonce N_A encrypted with E_A:

A → B : M A B E_A(M A B N_A)

Bob then adds his own encryption of the message with his own nonce N_B and sends it for authentication to Trent:

B → T : M A B E_A(M A B N_A) E_B(M A B N_B)

Trent can compare the plaintext message with the encrypted parts from Alice and Bob. If they match he returns the session key K together with the nonces N_A and N_B, encrypted by Alice's and Bob's key respectively:

T → B : M E_A(N_A K) E_B(N_B K)

Now Bob gets the session key and initiates the actual communication by passing the session key to Alice:

B → A : M E_A(N_A K)

Observe that the nonce N_A has never been decrypted by Bob and therefore receiving it back guarantees Alice the authenticity of the communication. However, Bob does not know whether the original nonce was fresh or a replay. The Otway-Rees protocol has several drawbacks, which we will discuss at the end of this handout.

II.6 Example: WPA2

As an example of a technology that brings together many of the components of symmetric cryptography we have seen so far, we consider the WPA2 or 802.11i standard to ensure privacy in wireless networks. WPA2 supersedes the previous standards WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access), which are considered insecure for wireless network communication. Both WEP and WPA are based on the RC4 stream cipher. WEP has a 64 or 128 bit encryption mode corresponding to an 8 or 16 byte RC4 key that is computed by concatenating a 40 or 104 bit WEP key with a 24 bit initialisation vector (IV). For each transmitted packet a new RC4 stream is computed using the same WEP key and an unprotected and potentially, but not necessarily, new IV. Moreover, WEP only implements a weak checksum check to guarantee message integrity. To counter WEP's weaknesses, in particular against replay attacks and packet injections, WPA aimed at strengthening WEP mainly by

1. using a 48 bit IV,
2. replacing the simple key concatenation by a Temporal Key Integrity Protocol (TKIP) that implements a mixing function to combine key and IV to get derived keys,
3. a sequence counter for packets,
4. as well as a non-linear message integrity check.

However, it retained the RC4 stream cipher, which meant it was backward compatible with old hardware. But mainly due to the insecurity of RC4 both WEP and WPA can be broken in a matter of minutes. To address all the security problems with WEP and WPA, their successor WPA2 works with keys and IVs of length 128 bits and uses

1. AES in Counter Mode (CTR) for encryption,
2. CBC-MAC based on AES to guarantee message integrity,
3. a unique 48 bit packet number (PN),
4. Extensible Authentication Protocol (EAP) for client authentication.

We have a look at the simplified EAP, where a client connects to a network via an access point (AP) and is authorised by the Authentication Server. In the handout's figure, messages 0 to 2, 5 and 6 run between Client and AP, and messages 3, 4, 7 and 8 between AP and Authentication Server:

0: Client ↔ AP: Establish Link
1: AP → Client: Request Identity
2: Client → AP: Send Identity
3: AP → Auth Server: Send Identity
4: Auth Server → AP: Challenge
5: AP → Client: Challenge
6: Client → AP: Challenge Reply
7: AP → Auth Server: Challenge Reply
8: Auth Server → AP: Unblock (if successful)

In addition WPA2 has four-way handshake protocols to derive temporary keys for communication between client and AP as well as for multicasting. It also has hand-off protocols to handle the transition between different access points. The actual packets that are transmitted have the following composition (called the CCMP packet format):

Field:  MAC Header | PN0 PN1 | Res   | Res   | Ext IV | Key ID | PN2 ... PN5 | Data Payload | MIC
Width:             | 16 bit  | 8 bit | 5 bit | 1 bit  | 2 bit  | 32 bit      |              | 64 bit

MAC Header here stands for Medium Access Control address, which is unique to every ethernet device. MIC is the actual message integrity code computed from Data plus MAC Header using CBC-MAC. PN0 to PN5 are the 6 bytes of the packet number PN. Res are reserved areas (for possible future extensions, e.g., to other variants of AES). Ext IV indicates whether PN2 to PN5 are present. Key ID stores the index of the key within the default key table, which holds different keys for pairwise or group communication.
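The CCMP header fields above, parsed and used for the replay check that the unique packet number enables, as an added Python example (not part of the handout): it decodes the 8-byte header (PN0, PN1, reserved byte, the Res/Ext IV/Key ID byte, PN2 to PN5), assembles the 48-bit PN and rejects any frame whose PN does not exceed the last one seen for that transmitter and key. The bit positions of Ext IV (bit 5) and Key ID (bits 6 and 7) follow the IEEE 802.11i layout; the transmitter address and the PNs are constructed sample values.

```python
import struct

CCMP_HEADER_LEN = 8


def parse_ccmp_header(hdr: bytes) -> dict:
    """Split the 8-byte CCMP header (PN0 PN1 Res Res/ExtIV/KeyID PN2..PN5) into fields."""
    if len(hdr) < CCMP_HEADER_LEN:
        raise ValueError("CCMP header truncated")
    pn0, pn1, res8, flags, pn2, pn3, pn4, pn5 = struct.unpack("8B", hdr[:CCMP_HEADER_LEN])
    ext_iv = bool(flags & 0x20)   # bit 5: are PN2..PN5 present?
    key_id = flags >> 6           # bits 6-7: index into the default key table
    res5 = flags & 0x1F           # bits 0-4: reserved
    if not ext_iv:
        raise ValueError("Ext IV not set: not a CCMP-protected frame")
    # PN0 is the least significant byte of the 48-bit packet number.
    pn = pn0 | pn1 << 8 | pn2 << 16 | pn3 << 24 | pn4 << 32 | pn5 << 40
    return {"pn": pn, "key_id": key_id, "reserved_ok": res8 == 0 and res5 == 0}


def build_ccmp_header(pn: int, key_id: int) -> bytes:
    """Inverse of parse_ccmp_header; used here only to construct sample frames."""
    b = pn.to_bytes(6, "little")
    return bytes([b[0], b[1], 0x00, 0x20 | (key_id << 6), b[2], b[3], b[4], b[5]])


class ReplayMonitor:
    """Track the highest PN per (transmitter, key_id); a PN must strictly increase."""

    def __init__(self) -> None:
        self.last_pn = {}

    def check(self, transmitter: str, hdr: bytes) -> str:
        fields = parse_ccmp_header(hdr)
        key = (transmitter, fields["key_id"])
        if fields["pn"] <= self.last_pn.get(key, -1):
            return "replay"          # repeated or out-of-order PN: drop the frame
        self.last_pn[key] = fields["pn"]
        return "ok"


def run_sample() -> list:
    """Constructed frames from one transmitter: in order, a replayed PN, then a fresh one."""
    mon = ReplayMonitor()
    pns = [0x000000000001, 0x000000000002, 0x000000000002, 0x0000000001FF]
    return [mon.check("aa:bb:cc:dd:ee:ff", build_ccmp_header(pn, 0)) for pn in pns]


if __name__ == "__main__":
    print(run_sample())   # ['ok', 'ok', 'replay', 'ok']
```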


III. Cryptanalysis

We give a brief overview of different cryptanalysis attacks on ciphers and protocols. Attacks can be roughly divided into passive and active attacks. Passive attacks are considered to be just eavesdropping on transmitted information. Active attacks on the other hand rely on actively modifying data, disrupting communication or forcefully accessing data. Therefore, detecting a passive attack is more difficult than detecting an active attack, and passive attacks require prevention by defensive means. Active attacks, on the other hand, often become apparent by their disruptive nature, so the defence against an active attack is to detect it where possible and recover. In the game of cryptography the passive attacks are carried out by Eve, a (not necessarily harmless) eavesdropper, whereas active attacks are carried out by Mallory, a malicious attacker.

III.1 Different Forms of Passive Attacks

Passive attacks are classified by the information available to Eve into:

Ciphertext-only Attack: Eve has access only to a collection of ciphertexts or codetexts.

Known-plaintext Attack: Eve has a set of ciphertexts to which she knows the corresponding plaintext.

Chosen-plaintext Attack: Eve can obtain the ciphertexts corresponding to arbitrary plaintexts of her choice.

Chosen-ciphertext Attack: Eve can obtain the plaintexts corresponding to arbitrary ciphertexts of her choice.

Adaptive chosen-plaintext Attack: Similar to a chosen-plaintext attack, but Eve can choose subsequent plaintexts based on information learnt from previous encryptions.

Adaptive chosen-ciphertext Attack: Similar to a chosen-ciphertext attack, but Eve can choose subsequent ciphertexts based on information learnt from previous encryptions.

Related-key Attack: Similar to a chosen-plaintext attack, except that Eve can obtain ciphertexts encrypted under two different keys. The keys are unknown, but the relationship between them is known; for example, two keys that differ in one bit.

Having obtained the information, Eve now has to analyse the data. There are essentially two major analytical techniques for passive attacks:

Linear Cryptanalysis is the approximation of the action of a cipher by some function. Linear cryptanalysis is generally performed with a known-plaintext attack, but there are variants for some of the other attacks above.

Differential Cryptanalysis is the study of how differences in an input can affect the resulting difference at the output. While differential cryptanalysis is usually a chosen-plaintext attack, there are extensions that would allow for instance also known-plaintext or even ciphertext-only attacks. For example, one can successfully cryptanalyse DES using around 2^47 chosen plaintexts.

There are various other analytical techniques that do not only use the actual texts for an attack. For instance, for certain block ciphers one can measure the CPU cycles used for en-/decryption and thereby deduce keys. Those types of attacks are generally referred to as side-channel attacks.


III.2 Different Forms of Active Attacks

There are many forms of active attacks. We will only mention a few important ones here:

Insertion Attack: Data is modified by inserting parts into the ciphertext.

Deletion Attack: Data is modified by deleting parts of the ciphertext. We have briefly discussed insertion and deletion attacks for the ECB mode of operation for block ciphers.

Substitution Attack: Data is modified by substituting parts of the ciphertext. These attacks are particularly effective on stream ciphers, if one knows the plaintext for a sequence of intercepted bits. One can then xor out this plaintext and substitute it by xor-ing in malicious content.

Replay Attack: Mallory repeats or delays a valid data transmission maliciously or fraudulently. Replay attacks are often part of masquerading attacks. For example, suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of identity (possibly encrypted). Mallory eavesdrops on the conversation and keeps the password. After the interchange is over, Mallory connects to Bob posing as Alice; when asked for a proof of identity, Mallory sends Alice's password read from the last session, which Bob must accept.

Masquerading Attack: An attack in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. Masquerading attacks are also known as spoofing attacks. Some examples of masquerading attacks are:

Man-in-the-Middle Attack: Mallory spoofs Alice into believing she's Bob, and spoofs Bob into believing she's Alice, thus gaining access to all messages in both directions without the trouble of any cryptanalytic effort. It is often abbreviated MITM.

Phishing: A legitimate web page such as a bank's site is reproduced in "look and feel" on another server under Mallory's control. The intent is to fool the users into thinking that they are connected to a trusted site, for instance to harvest user names and passwords.

IP Spoofing: A computer poses as another computer by illegitimately assuming its IP address. This attack is often used to gain access to a closed LAN or to pose as some trusted server.

MAC Spoofing: Similar to IP Spoofing, only with respect to the Medium Access Code, e.g., of a wireless ethernet card.

Denial of Service Attack: This is an attempt to make a computer resource unavailable to its intended users. It is often abbreviated DoS.

Let's have a look at a few attacks on the key exchange protocols from above:

59. Attacks on Needham-Schroeder

The protocol is vulnerable to a replay attack. If Mallory records one run of this protocol and subsequently learns the value K used, she can then replay the message E_B(K A) to Bob, who will accept it, being unable to tell that the key is not fresh. Hence Bob thinks he is communicating with Alice instead of Mallory. This flaw is fixed in the Kerberos protocol by the inclusion of a timestamp.

There is also a public key variant of Needham-Schroeder, which is vulnerable to a man-in-the-middle attack. We will discuss this later.
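The freshness check that separates Kerberos from Needham-Schroeder, as an added Python example (not code from the handout): Bob's acceptance of the Needham-Schroeder message 3 ticket E_B(K A), which carries nothing he can check, beside his acceptance of the Kerberos ticket E_B(S_T L K A) with its lifetime check. The cipher is a constructed stdlib-only toy (HMAC-SHA256 keystream plus an HMAC tag) standing in for E_B, and the key KB, the names and the timestamps are constructed values.

```python
import hashlib
import hmac
import json
import os


# --- toy symmetric encryption standing in for E_K(.), stdlib only ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, fields: dict) -> bytes:
    """E_K(fields): JSON-encode, XOR with a keystream, then append an HMAC tag."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


KB = os.urandom(32)   # long-term key Bob shares with Trent (constructed for the example)


# Needham-Schroeder, message 3:  A -> B : E_B(K A)
def ns_ticket_for_bob(session_key: str, initiator: str) -> bytes:
    return encrypt(KB, {"K": session_key, "A": initiator})


def ns_bob_accepts(msg3: bytes, now: int) -> tuple:
    t = decrypt(KB, msg3)
    # Nothing in the message lets Bob judge freshness, so `now` cannot be used.
    return t["K"], t["A"]


# Kerberos, ticket inside message 2:  E_B(S_T L K A)
def krb_ticket_for_bob(session_key: str, initiator: str, issued_at: int, lifetime: int) -> bytes:
    return encrypt(KB, {"ST": issued_at, "L": lifetime, "K": session_key, "A": initiator})


def krb_bob_accepts(ticket: bytes, now: int) -> tuple:
    t = decrypt(KB, ticket)
    if not (t["ST"] <= now <= t["ST"] + t["L"]):
        raise ValueError("ticket outside its lifetime: replay or clock problem")
    return t["K"], t["A"]


def demo() -> dict:
    """Deliver each ticket once, then present the identical bytes again much later."""
    t0, lifetime = 1_000_000, 300
    ns_msg = ns_ticket_for_bob("k1", "Alice")
    krb_msg = krb_ticket_for_bob("k1", "Alice", issued_at=t0, lifetime=lifetime)
    result = {
        "ns_first": ns_bob_accepts(ns_msg, t0)[0],
        "ns_late": ns_bob_accepts(ns_msg, t0 + 10 * lifetime)[0],
        "krb_first": krb_bob_accepts(krb_msg, t0 + 10)[0],
    }
    try:
        krb_bob_accepts(krb_msg, t0 + 10 * lifetime)
        result["krb_late"] = "accepted"
    except ValueError:
        result["krb_late"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())   # NS accepts the stale ticket both times; Kerberos rejects the late one
```

Run it and the Needham-Schroeder ticket is accepted however old it is, while the Kerberos ticket is rejected once `now` lies outside [S_T, S_T + L]; a deployment must also decide how much clock skew to tolerate, which is the "what counts as recent" question the handout leaves open.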
60. Attacks on Otway-Rees

One problem with the Otway-Rees protocol is that Mallory can arrange for Alice and Bob to end up with different keys: after Alice and Bob execute the first three messages, Bob has received the key K. Mallory then intercepts the fourth message. She resends message 2, which results in Trent generating a new key K′, subsequently sent to Bob. Mallory intercepts this message too, but sends to Alice the part of it that Bob would have sent to Alice. So now Alice has finally received the expected fourth message, but with K′ instead of K. Otway-Rees is also vulnerable to replay attacks, since although Trent tells Bob that Alice used a nonce, Bob doesn't know if this was a replay of an old message.


Cryptography Glossary 7

Active Attack: A cryptanalysis attack that relies on actively disrupting communication or forcefully getting access to data. (p. 61)
Adaptive chosen-ciphertext Attack: Similar to chosen-ciphertext attack but Eve can choose subsequent ciphertexts based on information learnt from previous encryptions. (p. 61)
Adaptive chosen-plaintext Attack: Similar to chosen-plaintext attack but Eve can choose subsequent plaintexts based on information learnt from previous encryptions. (p. 61)
AES: The advanced encryption standard that is the successor of DES. (p. 60)
CBC-MAC: A method to produce a MAC from a block cipher. (p. 60)
Chosen-ciphertext Attack: Eve can obtain the plaintexts corresponding to arbitrary ciphertexts of her choice. (p. 61)
Chosen-plaintext Attack: Eve can obtain the ciphertexts corresponding to arbitrary plaintexts of her choice. (p. 61)
Ciphertext-only Attack: Eve has access only to a collection of ciphertexts or codetexts. (p. 61)
Deletion Attack: Data is modified by deleting parts of the ciphertext. (p. 61)
Denial of Service Attack: This is an attempt to make a computer resource unavailable to its intended users. (p. 62)
Differential Cryptanalysis: The study of how differences in an input can affect the resulting difference at the output. (p. 61)
DoS: Short for Denial of Service attack. (p. 62)
EAP: Extensible Authentication Protocol, which serves for client authentication in wireless networks. (p. 60)
Insertion Attack: Data is modified by inserting parts into the ciphertext. (p. 61)
IP Spoofing: A computer poses as another computer by illegitimately assuming its IP address. (p. 62)
Kerberos: A symmetric key exchange protocol derived from Needham-Schroeder, but based on timestamps. It is used in Windows 2000. (p. 58)
Key Exchange Protocols: Precisely defined communication methods to exchange keys for cryptographic algorithms. (p. 55)
Known-plaintext Attack: Eve has a set of ciphertexts to which she knows the corresponding plaintext. (p. 61)
Linear Cryptanalysis: The approximation of the action of a cipher by some function. (p. 61)
MAC Spoofing: Similar to IP Spoofing only with respect to the Medium Access Code, e.g., of a wireless ethernet card. (p. 62)
Mallory: A malicious attacker, who can modify messages, substitute her own messages, replay old messages, and so on. (p. 55)
Man-in-the-Middle Attack: Mallory spoofs Alice into believing she's Bob, and spoofs Bob into believing she's Alice, thus gaining access to all messages in both directions without the trouble of any cryptanalytic effort. (p. 62)
Masquerading Attack: An attack in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. (p. 62)
MITM: Short for Man-in-the-Middle attack. (p. 62)
Needham-Schroeder: A symmetric key exchange protocol based on nonces. (p. 57)
Non-linear Keyspaces: A technique to have a cipher secure only for some keys in the keyspace and deliberately weaken it for other keys, possibly unknown to the user. (p. 55)


Otway-Rees: A symmetric key exchange protocol based on nonces. (p. 58)
Passive Attack: A cryptanalysis attack that relies essentially on eavesdropping. (p. 61)
Phishing: A legitimate web page such as a bank's site is reproduced in look and feel on another server under Mallory's control. (p. 62)
RC4: A stream cipher used in many protocols such as SSL/TLS and 802.11b WEP. (p. 60)
Related-key Attack: Similar to a chosen-plaintext attack, except that Eve can obtain ciphertexts encrypted under two different keys. The keys are unknown, but the relationship between them is known; for example, two keys that differ in one bit. (p. 61)
Replay Attack: Mallory repeats or delays a valid data transmission maliciously or fraudulently. (p. 62)
Side-channel Attack: An attack on a cipher that is based on observations of physical properties of its implementation, as opposed to examining input/output instances or theoretical properties of an algorithm. (p. 61)
Spoofing Attack: See Masquerading Attack. (p. 62)
Substitution Attack: Data is modified by substituting parts of the ciphertext. (p. 61)
Temporal Key Integrity Protocol: A key mixing algorithm with a counter-based integrity check that strengthens wireless security of the WPA protocols. (p. 60)
TKIP: Short for Temporal Key Integrity Protocol. (p. 60)
Trent: A trusted third party that is often central to symmetric key exchange. (p. 55)
WEP: Wired Equivalent Privacy protocol for wireless networks. (p. 59)
Wide-Mouth Frog: A very basic symmetric key exchange protocol based on timestamps. (p. 56)
WPA: Wi-Fi Protected Access protocol for wireless networks. The successor of WEP. (p. 59)
WPA2: A wireless network protocol based on AES. It is the successor of both WEP and WPA. (p. 59)