Protocols
and
An Introduction To Authentication
Friday, October 10, 2008
Reading: S&M Ch. 9; Schneier Chs. 2-4;
CS342 Computer Security
Department of Computer Science
Wellesley College
What is a Protocol?
Schneier’s definition: “A protocol is a series of steps, involving two or
more parties, designed to accomplish a task.”
Computational examples:
• low-level network protocols (UDP, TCP, IP)
• higher-level communication protocols (FTP, HTTP, SMTP, SSL)
• authentication (SSH, Kerberos)
• public key infrastructure
• electronic voting
• electronic money
Protocols/Authentication
12-2
Simple Noncomputational Protocol Examples
• Exchanging names when meeting for the first time:
Alice (holding out hand to Bob): “Hi, I’m Alice”.
Bob (shakes Alice’s hand): “I’m Bob. Pleased to meet you.”
Conversation ensues.
• Establishing a phone conversation:
Alice dials Bob’s phone number.
Bob (answering ringing phone): “Hello.”
Alice: “May I please speak to Bob?”
Bob: “This is Bob. Who’s calling?”
Alice: “This is Alice.”
Protocols/Authentication
12-3
Planning Protocols for Pot-Luck Dinner
Alice is planning a pot-luck dinner party with a large group of friends.
When is it? Who brings what? (Don’t want only desserts!)
o Many protocols for this problem involve a large number of messages.
o Here’s a simple protocol in which Alice broadcasts a single message
to all friends and need no responses:
I’m holding a pot-luck dinner party at my house on Fri. Oct. 17 at
7pm. Please come if you can make it. In order determine what kind
of dish to bring, please flip two coins:
• if both are heads, bring an appetizer or salad;
• if both are tails, bring a dessert;
• otherwise (one head, one tail), bring a main dish.
Protocols/Authentication
12-4
Bicycle Transfer Protocol
Alice and Bob both work at Wellesley, but are never on campus at the
same time. Alice wants to transfer her bicycle to Bob at Wellesley.
How can she accomplish this in the following scenarios?
• Both Alice and Bob have keyed bicycle locks.
• Alice has a keyed bicycle lock.
• Neither Alice nor Bob has a lock.
Protocols/Authentication
12-5
Computational Protocol Building Blocks
• Symmetric-key encryption/decryption with key K: D(K, E(K, M)) = M
• One-way hash function H (can be combined with key for signature).
• Public-key cryptography: D(Kpriv, E(Kpub, M)) = M
Some public key systems (e.g. RSA) even have commutativity,
a la two-lock bicycle transfer protocol:
D(Kpriv1, E(Kpub2, E(Kpub1, M))) = E(Kpub2, M)
• Public-key signatures: E(Kpub, D(Kpriv, M)) = M
(not all PK systems, but RSA has)
• Timestamps
• Sequence Numbers
• Nonces
Protocols/Authentication
12-6
Timestamps, Sequence Numbers, and Nonces
Protocol messages often contain numbers that distinguish messages or
serve to foil various attacks:
oTimestamps:
• Include the current time in a message to foil replay attacks.
• Requires participants have synchronized clocks, which can be
challenging (maintained by other protocols).
• Subject to clock-resetting attacks.
oSequence Numbers:
• Include a sequence number to foil replay attacks.
• Problem: attacker can determine next number from previous.
o Nonces = values used once (e.g., for unique IDs, challenges)
• Typically a large random number, since hard for attacker to guess.
• Timestamps and sequence numbers are often inappropriate,
since easy for attackers to guess.
Protocols/Authentication
12-7
Protocol Example: Electronic Coin Flip
Alice and Bob are in separate locations but want to flip a coin fairly.
I.e., both of Alice and Bob win/lose a flip with 50% probability. How
can they do this?
Note: In this protocol, we aren’t worried about Eve or Mallory.
Protocols/Authentication
12-8
Coin Flipping with Simple Encryption
R
1. Bob sends nonce R to Alice.
b’
4. Alice now knows whether she won
or lost; she sends K to Bob.
Bob
3. Bob guesses that Alice’s bit is b′
and sends this to Alice. (He wins
if b = b ′ and loses otherwise.)
E(K, <R,b>)
Alice
2. Alice generates random bit b
and random key K and sends
E(K, <R, b>) to Bob.
K
5. Bob calculates D(K, E(K, <R, b>)) = <R, b>
and now knows whether he won or lost.
Protocols/Authentication
12-9
Coin Flipping with Simple Encryption: Discussion
R
o Alice commits to b before Bob guesses. She
cannot change her mind after Bob guesses.
• If Alice loses, she can:
(1) claim Bob sent her the wrong bit b ′ or
(2) refuse to send him K or send him the
wrong K, so he can’t verify he won.
b’
Bob
o We assume both Alice and Bob
“play by the rules”. If not:
E(K, <R,b>)
Alice
o Bob does not know b choice before he
guesses, but can verify b after he guesses.
K
•If Bob loses, he can:
(1) claim he sent the winning bit instead; or
(2) claim that the R he finds in the last step is not
the one he sent.
Protocols/Authentication 12-10
Coin Flipping with Hashing
3. Alice now knows whether she won
or lost; she sends R to Bob.
b
Alice
2. Bob guesses whether R is even or odd,
and sends guess (b) to Alice.
Bob
H(R)
1. Alice chooses nonce R and sends H(R) to Bob.
R
4. Bob verifies H(R) = h and now knows whether he won or lost.
Notes:
• This depends on R and H(R) having uncorrelated even/oddness.
• Again, Alice commits to a choice (R) before Bob guesses;
she cannot change her mind after Bob guesses.
• Again, Bob does not know Alice’s choice before he guesses,
but can verify her choice after the guess.
• Again, both Alice and Bob have to play by the rules.
Protocols/Authentication
12-11
What is Authentication?
Authentication binds a subject/principal outside the computer to an
identity inside the computer.
All subsequent stages assume the mapping is correct, so this is really
important!
Protocols/Authentication 12-12
Information for Authentication
• What you know: password, cryptographic key, algorithm
• What you have: smart card, USB token, RSA SecurID tokens
• What you are (biometrics): fingerprint, voice, etc.
• Where you are: e.g., sitting at microfocus Linux workstation
(person can’t be in two places at once!)
Protocols/Authentication 12-13
Two-Factor Authentication
Can use multiple forms of information to authenticate:
• smart card/SecurID token (what you have)
with PIN/password (what you know)
• GPS device (what you have, where you are)
Protocols/Authentication 12-14
Biometrics = “What You Are” Authentication
• fingerprint
• iris/retina scans
• face
• voice
• gait
• hand geometry
• DNA
• keystroke/mouse dynamics
Protocols/Authentication 12-15
Problems with Biometrics
Not a panacea — lots of problems:
• Squeamishness – especially with retinal scans.
• Accuracy – what are consequences of false positives/negatives?
• Faking
• Replay
• Privacy issues – why should others get your fingerprints, DNA, etc.?
See Betsy Masiello’s thesis!
Protocols/Authentication 12-16
Zero-Knowledge Authentication
Idea:
Convince someone that you know a secret without telling them
what you know.
Afterwards, they are convinced you know the secret, but they
have no knowledge of what the secret actually is!
Protocols/Authentication 12-17
Zero-Knowledge Authentication: Ali Baba’s Cave*
Passage in cave splits into two-dead end paths. Thief claims to know
magic words to get from one dead end to other.
Test this probabilistically:
1. Thief randomly chooses path.
2. You flip coin, and ask him to come
out of path determined by flip.
If after a large number of trials
he always succeeds, you are
convinced he knows magic without
learning the magic.
* Quisquater and Guillou, “How to Explain Zero-Knowledge Protocols to your Children”,
http://pages.cs.wisc.edu/~mkowalcz/628.pdf
Protocols/Authentication 12-18
Zero-Knowledge Authentication in Practice
Idea: convince someone that you have the solution to a
computationally intractable problem without telling them the solution.
E.g. Graph Isomorphism:
Alice claims to know isomorphism π between two large graphs
G1 and G2. Easy to verify, but extremely hard to find.
Alice convinces B she knows π without revealing it as follows:
1.Generate a new graph G3 that’s
isomorphic to G1 and G2.
2.Ask Bob to pick which of
π1 and π2 he wants to see.
π
G1
π1
G1
π2
G3
Protocols/Authentication 12-19