Handshake Protocols
COEN 350
Simple Protocol
Alice: Hi, I am Alice. My password is
“fiddlesticks”.
Bob: Welcome, Alice.
Simple Protocol
Vulnerable to sniffing and replay
attack.
Alice: Hi, I am Alice. My password is
“fiddlesticks”.
Bob: Welcome, Alice.
...
Mallory: Hi, I am Alice. My password
is “fiddlesticks”.
Bob: Welcome, Alice.
Shared Secret
Alice and Bob share a secret key K.
Alice: I am Alice.
Bob: Encrypt R.
Alice: EK(R)
Bob (calculates EK(R) as well.):
Welcome Alice.
Shared Secret
Vulnerable to DOS attack.
while(1) {
Mallory: I am Alice.
Bob: Encrypt R.
Mallory: X.
Bob (EK(R) != X): Access denied.
}
Shared Secret
Vulnerable to sniffing and replay
attack if R is not random or if R is
repeated.
Shared Secret, use of clock
Alice: I am Alice, EK(clock).
Bob calculates clock, compares with
his value: Welcome Alice.
Shared secret, use of clock
Man in the Middle + replay attack:
Mallory to Bob: KILL, KILL, KILL, KILL.
Alice: Hi, I’m Alice. EK(clock).
Mallory to Alice: KILL, KILL, KILL, KILL.
Mallory to Bob: Hi, I’m Alice. EK(clock).
Bob: Hi, Alice.
Public Key
Alice: “I’m Alice.”
Bob: “R”.
Alice: “EAlice(R)”.
Bob calculates “DAliceEAlice(R) == R: Hi
Alice.
Public Key
Alice: “I’m Alice.”
Bob creates random challenge R:
“EAlice(R)”.
Alice: “R”.
Bob checks R == R: Hi Alice.
Public Key: DOS attack
Trudy: “I’m Alice.”
Bob: “R”.
Trudy: “X”
Bob calculates “DAliceEAlice(X) != R:
Access Denied.
Bob spends much more time
computing than Trudy!
Mutual Authentication: Shared Secret
Alice: “I am Alice”
Bob: “RB”
Alice: EK(RB). RA.
Bob calculates EK(RB) himself: EK(RA).
Hi Alice.
Alice calculates EK(RA) herself: Hi Bob.
Mutual Authentication with less
messages?
Alice: I am Alice. RA
Bob: RB. EK(RA).
Alice: Hi Bob. EK(RB).
Bob: Hi Alice.
Mutual Authentication with less steps is
vulnerable to the replay attack
Session
Session
Session
Session
Session
Session
1
1
2
2
1
1
Trudy: I am Alice. RA.
Bob: RB. EK(RA).
Trudy: I am Alice. RB.
Bob: RB’. EK(RB).
Trudy: Hi Bob. EK(RB).
Bob: Hi Alice.
Warning Signals



Requestor should authenticate
herself first.
Don’t have requestor and requestee
do exactly the same thing. (E.g.
use different key pairs.)
If you provide encryption service,
you set yourself up for a key
guessing attack.
Public Key: Simple Mutual
Authentication
Alice: “I am Alice. RA”
Bob: “EBob(RA). RB”
Alice DBobEBob (RA)=RA: Hello Bob.
EAlice(RB).
Bob: DAliceEAlice(RB) = RB: Hello Alice.
Key Distribution Centers


Maintains a shared secret for each
registered user.
To set-up a connection requires the
KDC to set up a session key.
Key Distribution Center
Original Algorithm



Alice to KDC: Alice wants Bob.
KDC to Alice: Here is your session
key.
KDC to Bob: Here is your session
key.
This needs to be modified.
Key Distribution Center:
Needham Schroeder Protocol
Alice to KDC: N1, Alice wants Bob.
KDC to Alice: KA(N1,KS,Bob,Ticket),
where Ticket=KB(KS,Alice).
Alice to Bob: Ticket, KS(N2).
Bob to Alice: KS(N2-1,N3).
Alice to Bob: K(N3-1).
N1, N2, N3 are nonces to prevent
replay attacks.
Key Distribution Center:
Needham Schroeder Protocol Variant
Alice to KDC: N1, Alice wants Bob.
KDC to Alice: KA(N1,KS,Bob,Ticket),
where Ticket=KB(KS,Alice).
Alice to Bob: Ticket, KS(N2).
Bob to Alice: KS(N2-1),KS(N3).
Alice to Bob: K(N3-1).
N1, N2, N3 are nonces to prevent
replay attacks.
Replay attack on modified NS
Alice to KDC: N1, Alice wants Bob.
KDC to Alice: KA(N1,KS,Bob,Ticket), where
Ticket=KB(KS,Alice).
Alice to Bob: Ticket, KS(N2).
Bob to Alice: KS(N2-1),KS(N3).
Alice to Bob: KS(N3-1).
Trudy as Alice to Bob: Ticket, KS(N2)
Bob to Alice, but intercepted by Trudy: KS(N2-1), KS(N4)
Trudy as Alice to Bob: Ticket, KS(N4).
Bob to Alice, but intercepted by Trudy. KS(N4-1), KS(N5).
Trudy as Alice to Bob: KS(N4-1).
Key Distribution Center



Assume that Alice’s key has become
compromised.
Trudy can now present herself as
Alice to Bob with an old ticket.
Tickets need to have an expiration
date!!!!!!!!!!!