Wednesday, November 10, 2021

Remote User Authentication using Symmetric Encryption | Needham – Schroeder Protocol | Solution by Denning | Solution for Suppress-replay attacks | One-way Authentication

Introduction

A two-level hierarchy of symmetric encryption keys can be used to provide confidentiality for communication in a distributed environment. In general, this strategy involves the use of a trusted Key Distribution Centre (KDC). Each party in the network shares a secret key, known as a master key, with the KDC. The KDC is responsible for generating keys to be used for a short time over a connection between two parties, known as session keys, and for distributing those keys using the master keys to protect the distribution. The approach initially proposed by Needham and Schroeder for secret key distribution using a KDC includes authentication features.


Needham – Schroeder Protocol

Figure : Needham Schroeder Protocol

The protocol can be summarized as follows.

𝐴 → 𝐾𝐷𝐢: 𝐼𝐷𝐴||𝐼𝐷𝐡||𝑁1

𝐾𝐷𝐢 → 𝐴: 𝐸 (πΎπ‘Ž, [𝐾𝑠||𝐼𝐷𝐡||𝑁1||𝐸 (𝐾𝑏, [𝐾𝑠||𝐼𝐷𝐴])])

𝐴 → 𝐡: 𝐸 (𝐾𝑏, [𝐾𝑠||𝐼𝐷𝐴])

𝐡 → 𝐴: 𝐸 (𝐾𝑠, 𝑁2)

𝐴 → 𝐡: 𝐸 (𝐾𝑠, 𝑓(𝑁2))

The protocol is still vulnerable to a form of replay attack. Suppose that an opponent, X, has been able to compromise an old session key. X can impersonate A and trick B into using the old key by simply replaying step 3. Unless B remembers indefinitely all previous session keys used with A, B will be unable to determine that this is a replay. If X can intercept the handshake message in step 4, then it can impersonate A’s response in step 5. From this point on, X can send bogus messages to B that appear to B to come from A using an authenticated session key. Denning proposes to overcome this weakness by a modification to the Needham/Schroeder protocol that includes the addition of a timestamp to steps 2 and 3.


Solution by Denning

Figure : Denning's Solution

Her proposal assumes that the master keys, Ka and Kb, are secure, and it consists of the following steps.

𝐴 → 𝐾𝐷𝐢: 𝐼𝐷𝐴||𝐼𝐷𝐡

𝐾𝐷𝐢 → 𝐴: 𝐸 (πΎπ‘Ž, [𝐾𝑠||𝐼𝐷𝐡||𝑇||𝐸 (𝐾𝑏, [𝐾𝑠||𝐼𝐷𝐴||𝑇])])

𝐴 → 𝐡: 𝐸 (𝐾𝑏, [𝐾𝑠||𝐼𝐷𝐴||𝑇])

𝐡 → 𝐴: 𝐸 (𝐾𝑠, 𝑁1)

𝐴 → 𝐡: 𝐸 (𝐾𝑠, 𝑓(𝑁1))

T is a timestamp that assures A and B that the session key has only just been generated. Thus, both A and B know that the key distribution is a fresh exchange.

A and B can verify timeliness by checking that $|\text{Clock} - T| < \Delta t_1 + \Delta t_2$, where $\Delta t_1$ is the estimated normal difference between the KDC’s clock and the local clock (at A or B) and $\Delta t_2$ is the expected network delay time. A new concern is raised: namely, that this new scheme requires reliance on clocks that are synchronized throughout the network, which carries a risk.
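The replay of step 3 described earlier, and what Denning's timestamp check changes at B, as an added example that is not part of the original post. E and D are a toy stdlib-only stand-in for the page's E(K, [...]), f(N) = N + 1 is an assumed handshake function, and all keys, times and tolerances are constructed values.

```python
import hashlib, hmac, json, os

def _stream(key, iv, n):                 # SHA-256 in counter mode as a keystream
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(key, fields):
    """Toy stand-in for E(K, [...]): encrypt-then-MAC, illustration only."""
    pt, iv = json.dumps(fields).encode(), os.urandom(16)
    ct = iv + bytes(a ^ b for a, b in zip(pt, _stream(key, iv, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def D(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    iv, body = ct[:16], ct[16:]
    return json.loads(bytes(a ^ b for a, b in zip(body, _stream(key, iv, len(body)))))

def f(n):                                # assumed handshake function f(N) = N + 1
    return n + 1

def b_step3(Kb, ticket, clock=None, dt1=0, dt2=0):
    """B processes step 3. With clock=None B follows the original protocol;
    otherwise it applies Denning's check |Clock - T| < dt1 + dt2."""
    fields = D(Kb, ticket)
    Ks = bytes.fromhex(fields[0])
    if clock is not None and not abs(clock - fields[2]) < dt1 + dt2:
        return None                      # stale ticket: B never reaches step 4
    return Ks

def replay_outcome(denning):
    """Replay a recorded step-3 message whose session key has since leaked."""
    Kb = os.urandom(32)                  # B's master key, shared only with the KDC
    old_Ks, T = os.urandom(32), 1_000    # session key issued at KDC time T
    ticket = E(Kb, [old_Ks.hex(), "A"] + ([T] if denning else []))
    now = 90_000                         # B's clock when the replay arrives
    Ks = b_step3(Kb, ticket, clock=now if denning else None, dt1=5, dt2=2)
    if Ks is None:
        return "rejected"
    N2 = int.from_bytes(os.urandom(8), "big")
    step4 = E(Ks, [N2])                  # B -> A: E(Ks, N2)
    step5 = E(old_Ks, [f(D(old_Ks, step4)[0])])   # any holder of old_Ks can answer
    return "accepted" if D(Ks, step5)[0] == f(N2) else "rejected"
```

Without T inside the ticket, B has nothing to compare against its clock, so the outcome depends only on who holds the old session key.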

The risk is based on the fact that the distributed clocks can become unsynchronized as a result of damage to or faults in the clocks or the synchronization mechanism. The problem occurs when a sender’s clock is ahead of the intended recipient’s clock.

In this case, an opponent can intercept a message from the sender and replay it later when the timestamp in the message becomes current at the recipient’s site. This replay could cause unexpected results. Gong refers to such attacks as suppress-replay attacks. One way to counter suppress-replay attacks is to enforce the requirement that parties regularly check their clocks against the KDC’s clock.

 

Alternate Solution for Suppress-replay attacks

Figure : Suppress Replay Attack Solution

The other alternative, which avoids the need for clock synchronization, is to rely on handshaking protocols using nonces. This alternative is not vulnerable to a suppress-replay attack, because the nonces the recipient will choose in the future are unpredictable to the sender.
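The clock-skew condition behind suppress-replay, and why a recipient-chosen nonce closes it, as an added example that is not part of the original post. It models only B's acceptance decision (encryption is left out), and the Recipient class, message id, skew, delay and tolerance values are all constructed for illustration.

```python
import secrets

class Recipient:
    """B's acceptance logic only; encryption is abstracted away in this sketch."""
    def __init__(self, dt1, dt2):
        self.window = dt1 + dt2          # bound used in |Clock - T| < dt1 + dt2
        self.seen = set()                # replay cache of message ids already accepted
        self.challenge = None

    def accept_timestamped(self, msg_id, T, clock):
        if abs(clock - T) >= self.window or msg_id in self.seen:
            return False
        self.seen.add(msg_id)
        return True

    def new_challenge(self):
        self.challenge = secrets.token_hex(16)   # unpredictable to the sender
        return self.challenge

    def accept_nonce(self, echoed):
        ok = self.challenge is not None and secrets.compare_digest(echoed, self.challenge)
        self.challenge = None                    # each challenge is single-use
        return ok

def timestamp_verdicts(sender_skew, delay, dt1=5, dt2=2, sent_at=1_000):
    """Verdicts for on-time delivery and for delivery `delay` seconds later, when
    the sender's clock runs `sender_skew` seconds ahead of B's clock."""
    T = sent_at + sender_skew
    on_time = Recipient(dt1, dt2).accept_timestamped("m1", T, clock=sent_at + 1)
    # Separate recipient: the original was suppressed, so the cache never saw "m1".
    delayed = Recipient(dt1, dt2).accept_timestamped("m1", T, clock=sent_at + delay)
    return on_time, delayed

def nonce_verdicts():
    """Same situation with a nonce handshake: a held-back message echoes an old nonce."""
    b = Recipient(5, 2)
    old = b.new_challenge()
    fresh_reply = b.accept_nonce(old)            # answered within the session
    b.new_challenge()                            # later session, new challenge
    held_back = b.accept_nonce(old)              # old echo no longer matches
    return fresh_reply, held_back
```

With synchronized clocks the late delivery fails the timestamp check; with the sender 600 seconds ahead, only the late delivery passes it, and a replay cache does not help because the original never arrived.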

The Needham/Schroeder protocol relies on nonces only but, as we have seen, has other vulnerabilities. An improved strategy is presented in the following protocol:

𝐴 → 𝐡: 𝐼𝐷𝐴 || π‘π‘Ž

𝐡 → 𝐾𝐷𝐢: 𝐼𝐷𝐡 || 𝑁𝑏 || 𝐸(𝐾𝑏, [𝐼𝐷𝐴 || π‘π‘Ž || 𝑇𝑏])

𝐾𝐷𝐢 → 𝐴: 𝐸(πΎπ‘Ž, [𝐼𝐷𝐡 || π‘π‘Ž || 𝐾𝑠 || 𝑇𝑏]) || 𝐸(𝐾𝑏, [𝐼𝐷𝐴 || 𝐾𝑠 || 𝑇𝑏])||𝑁𝑏)

𝐴 → 𝐡: 𝐸(𝐾𝑏, [𝐼𝐷𝐴 || 𝐾𝑠 || 𝑇𝑏]) || 𝐸(𝐾𝑠, 𝑁𝑏)

This protocol provides an effective, secure means for A and B to establish a session with a secure session key. Furthermore, the protocol leaves A in possession of a key that can be used for subsequent authentication to B, avoiding the need to contact the authentication server repeatedly. Suppose that A and B establish a session using the aforementioned protocol and then conclude that session. Subsequently, but within the time limit established by the protocol, A desires a new session with B.

The following protocol ensues:

1. $A \to B:\ E(K_b, [ID_A \| K_s \| T_b]) \| N'_a$

2. $B \to A:\ N'_b \| E(K_s, N'_a)$

3. $A \to B:\ E(K_s, N'_b)$

When B receives the message in step 1, it verifies that the ticket has not expired. The newly generated nonces $N'_a$ and $N'_b$ assure each party that there is no replay attack.

 

One-way Authentication


Figure : One way Authentication

With some refinement, the KDC strategy is a candidate for encrypted electronic mail. Because we wish to avoid requiring that the recipient (B) be on line at the same time as the sender (A), steps 4 and 5 must be eliminated. For a message with content $M$, the sequence is as follows:

𝐴 → 𝐾𝐷𝐢: 𝐼𝐷𝐴 || 𝐼𝐷𝐡 || 𝑁1

𝐾𝐷𝐢 → 𝐴: 𝐸 (πΎπ‘Ž, [𝐾𝑠 || 𝐼𝐷𝐡 || 𝑁1 || 𝐸 (𝐾𝑏, [𝐾𝑠 || 𝐼𝐷𝐴])])

𝐴 → 𝐡: 𝐸 (𝐾𝑏, [𝐾𝑠||𝐼𝐷𝐴]) || 𝐸 (𝐾𝑠, 𝑀)

This approach guarantees that only the intended recipient of a message will be able to read it. It also provides a level of authentication that the sender is A. The protocol does not protect against replay attack.
