Introduction
A two-level hierarchy of symmetric encryption keys can be used to provide confidentiality for communication in a distributed environment. In general, this strategy involves the use of a trusted Key Distribution Centre (KDC). Each party in the network shares a secret key, known as a master key, with the KDC. The KDC is responsible for generating keys to be used for a short time over a logical connection between two parties, known as session keys, and for distributing those keys using the master keys to protect the distribution. The protocol initially proposed by Needham and Schroeder for secret key distribution using a KDC includes authentication features.
Needham – Schroeder Protocol
Figure: Needham-Schroeder Protocol
The protocol can be summarized as follows.
1. $A \to KDC:\ ID_A \| ID_B \| N_1$
2. $KDC \to A:\ E(K_a, [K_s \| ID_B \| N_1 \| E(K_b, [K_s \| ID_A])])$
3. $A \to B:\ E(K_b, [K_s \| ID_A])$
4. $B \to A:\ E(K_s, N_2)$
5. $A \to B:\ E(K_s, f(N_2))$
The protocol is still vulnerable to a form of replay attack. Suppose that an opponent, X, has been able to compromise an old session key. X can impersonate A and trick B into using the old key by simply replaying step 3. Unless B remembers indefinitely all previous session keys used with A, B will be unable to determine that this is a replay. If X can intercept the handshake message in step 4, then it can impersonate A’s response in step 5. From this point on, X can send bogus messages to B that appear to B to come from A using an authenticated session key. Denning proposes to overcome this weakness by a modification to the Needham/Schroeder protocol that includes the addition of a timestamp to steps 2 and 3.
Solution by Denning
Figure: Denning's Solution
Her proposal assumes that the master keys, $K_a$ and $K_b$, are secure, and it consists of the following steps.
1. $A \to KDC:\ ID_A \| ID_B$
2. $KDC \to A:\ E(K_a, [K_s \| ID_B \| T \| E(K_b, [K_s \| ID_A \| T])])$
3. $A \to B:\ E(K_b, [K_s \| ID_A \| T])$
4. $B \to A:\ E(K_s, N_1)$
5. $A \to B:\ E(K_s, f(N_1))$
$T$ is a timestamp that assures A and B that the session key has only just been generated. Thus, both A and B know that the key distribution is a fresh exchange.
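Added example (not from the original page): B's handling of step 3 in both variants, showing that a replayed Needham-Schroeder ticket looks the same as a fresh one while Denning's ticket fails the check |Clock - T| < DELTA. `seal`/`unseal` are a toy stand-in for E(K, [...]); `DELTA`, the function names and the JSON field layout are assumptions made for the illustration.

```python
import hashlib, hmac, json, os

DELTA = 300  # assumed value of dt1 + dt2, in seconds

def _stream(key, nonce, n):
    # SHA-256 in counter mode as a keystream (toy construction, not for production)
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, fields):
    """Stand-in for E(K, [...]): encrypt the fields, then append an HMAC tag."""
    pt, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    pt = bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))
    return json.loads(pt)

def kdc_ticket(kb, ks, id_a, t=None):
    """The part of step 2 that A forwards in step 3; Denning's variant carries T."""
    fields = {"Ks": ks.hex(), "ID_A": id_a}
    if t is not None:
        fields["T"] = t
    return seal(kb, fields)

def b_step3_needham_schroeder(kb, ticket):
    """B learns Ks and ID_A but has nothing in the ticket to judge its age by."""
    unseal(kb, ticket)
    return True

def b_step3_denning(kb, ticket, clock):
    """B accepts the key only while |Clock - T| < DELTA."""
    return abs(clock - unseal(kb, ticket)["T"]) < DELTA

def demo():
    kb, ks = os.urandom(32), os.urandom(32)   # constructed keys
    t0, week = 1_700_000_000, 7 * 24 * 3600   # constructed issue time
    ns, dn = kdc_ticket(kb, ks, "A"), kdc_ticket(kb, ks, "A", t0)
    return {"ns_replay_week_later": b_step3_needham_schroeder(kb, ns),
            "denning_at_issue": b_step3_denning(kb, dn, t0 + 2),
            "denning_replay_week_later": b_step3_denning(kb, dn, t0 + week)}

if __name__ == "__main__":
    print(demo())
```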
A and B can verify timeliness by checking that $|\mathit{Clock} - T| < \Delta t_1 + \Delta t_2$, where $\Delta t_1$ is the estimated normal difference between the KDC’s clock and the local clock (at A or B) and $\Delta t_2$ is the expected network delay time. A new concern is raised: this scheme relies on clocks that are synchronized throughout the network, and that reliance carries a risk.
The risk is based on the fact that the distributed clocks can become unsynchronized as a result of damage to or faults in the clocks or the synchronization mechanism. The problem occurs when a sender’s clock is ahead of the intended recipient’s clock.
In this case, an opponent can intercept a message from the sender and replay it later when the timestamp in the message becomes current at the recipient’s site. This replay could cause unexpected results. Gong refers to such attacks as suppress-replay attacks. One way to counter suppress-replay attacks is to enforce the requirement that parties regularly check their clocks against the KDC’s clock.
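Added example (not from the original page): the freshness check evaluated with a sender clock that is in sync and one that runs ten minutes fast, showing when a captured message would pass at the recipient, plus the clock comparison against the KDC named as the countermeasure. The `Host` model, the function names and all numeric values are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Host:
    offset: int  # seconds this host's clock runs ahead of true time (negative: behind)

    def clock(self, true_time: int) -> int:
        return true_time + self.offset

def is_fresh(clock: int, t: int, dt1: int, dt2: int) -> bool:
    """The freshness check from the text: |Clock - T| < dt1 + dt2."""
    return abs(clock - t) < dt1 + dt2

def replay_exposure(sender: Host, recipient: Host, sent_at: int, dt1: int, dt2: int) -> dict:
    """When, in seconds of true time after sending, a captured message passes the check."""
    t = sender.clock(sent_at)                     # timestamp placed in the message
    opens = t - (dt1 + dt2) - recipient.offset    # acceptance window, open at both ends
    closes = t + (dt1 + dt2) - recipient.offset
    return {
        "accepted_on_arrival": is_fresh(recipient.clock(sent_at), t, dt1, dt2),
        "replayable_from": max(opens, sent_at) - sent_at,
        "replayable_until": closes - sent_at,
    }

def needs_resync(host: Host, kdc: Host, now: int, dt1: int) -> bool:
    """Countermeasure from the text: compare the local clock with the KDC's clock."""
    return abs(host.clock(now) - kdc.clock(now)) > dt1

SENT_AT, DT1, DT2 = 1_700_000_000, 30, 30         # constructed values
kdc, b = Host(0), Host(0)
in_sync = replay_exposure(Host(0), b, SENT_AT, DT1, DT2)
ahead = replay_exposure(Host(600), b, SENT_AT, DT1, DT2)  # sender's clock 10 min fast

if __name__ == "__main__":
    print("in sync:", in_sync)
    print("sender ahead:", ahead)
    print("fast sender flagged for resync:", needs_resync(Host(600), kdc, SENT_AT, DT1))
```

With the fast sender clock the message is rejected on arrival yet passes the check between 540 and 660 seconds later, which is the window a suppress-replay relies on; the periodic comparison against the KDC flags that host before the window matters.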
Alternate Solution for Suppress-replay attacks
Figure: Suppress-Replay Attack Solution
The other alternative, which avoids the need for clock synchronization, is to rely on handshaking protocols using nonces. This alternative is not vulnerable to a suppress-replay attack, because the nonces the recipient will choose in the future are unpredictable to the sender.
The Needham/Schroeder protocol relies on nonces only but, as we have seen, has other vulnerabilities. An improved strategy is presented in the following protocol:
1. $A \to B:\ ID_A \| N_a$
2. $B \to KDC:\ ID_B \| N_b \| E(K_b, [ID_A \| N_a \| T_b])$
3. $KDC \to A:\ E(K_a, [ID_B \| N_a \| K_s \| T_b]) \| E(K_b, [ID_A \| K_s \| T_b]) \| N_b$
4. $A \to B:\ E(K_b, [ID_A \| K_s \| T_b]) \| E(K_s, N_b)$
This protocol provides an effective, secure means for A and B to establish a session with a secure session key. Furthermore, the protocol leaves A in possession of a key that can be used for subsequent authentication to B, avoiding the need to contact the authentication server repeatedly. Suppose that A and B establish a session using the aforementioned protocol and then conclude that session. Subsequently, but within the time limit established by the protocol, A desires a new session with B.
The following protocol ensues:
1. $A \to B:\ E(K_b, [ID_A \| K_s \| T_b]) \| N_a'$
2. $B \to A:\ N_b' \| E(K_s, N_a')$
3. $A \to B:\ E(K_s, N_b')$
When B receives the message in step 1, it verifies that the ticket has not expired. The newly generated nonces $N_a'$ and $N_b'$ assure each party that there is no replay attack.
One-way Authentication
Figure: One-way Authentication
With some refinement, the KDC strategy is a candidate for encrypted electronic mail. Because we wish to avoid requiring that the recipient (B) be online at the same time as the sender (A), steps 4 and 5 must be eliminated. For a message with content $M$, the sequence is as follows:
1. $A \to KDC:\ ID_A \| ID_B \| N_1$
2. $KDC \to A:\ E(K_a, [K_s \| ID_B \| N_1 \| E(K_b, [K_s \| ID_A])])$
3. $A \to B:\ E(K_b, [K_s \| ID_A]) \| E(K_s, M)$
This approach guarantees that only the intended recipient of a message will be able to read it. It also provides a level of authentication that the sender is A. The protocol does not protect against replay attack.