TUCoPS :: General Information :: chickun.txt

Authentication Protocols and Their Weaknesses

Authentication protocols and there weaknesses

By: Chernobyl Chickun [BCVG].

This text is for educational purposes only.

There is a distinct difference between authorisation and authentication.
This difference is that authorisation checks is a user or a non-user is
allowed to perform certain action on a system, while authentication
checks whether user A, in a communication session with B, is in fact
talking to B and not to an intruder which we will call I. Several
protocols have been developed over the time to ensure a safe and secure
communication session with the opposite party without intrusion.

In this document I am going to show a number of these protocols along
with there weaknesses and solutions to the weaknesses. Let the record
show that the author or any member of the BCVG Network can not be held
responsible for any problems caused by using information in this article
for it is for educational purposes. Authentication protocols must be
resistant to these hostile actions: The deletion, reply and change in
and of messages that are send from A to B.

The first protocol is the secret key algorithm. It is absolutely
necessary that A and B have a common session key that is not known by
the intruder I. We will call teh session key: Kab. Along with the
session key we have variables that indicate the user that is user, they
are: A and B in the protocol. Ra and Rb are so called challenges that
are send and retrieved encrypted by the session key so that when it is
decrypted it can be checked against the original challenge to see if
they are identical.

Alice -> A,Ra -> Bob Alice sends her userID “A” plus her challenge to
Bob. Alice A,Kab(Rb) -> Bob Alice sends her userID and the challenge Bob
gave her encrypted with the session key. Bob decrypts his own challenge
and if the match, Bob knows that he is talking to Alice and not to the
intruder.

But as you might have guessed, our intruder is not giving up. He planned
an attack on this protocol: The mirror attack. The intruder has been
sniffing the network and has obtained a version of the user ID of Alice.
The attack goes as following:

(1) Intruder -> A,Ri -> Bob The intruder sends the userID of Alice and
his own challenge.

(1) Intruder A,Rb -> Bob The intruder opens another session with Bob and
sends him his own challenge back.

(2) Intruder A,Kab(Rb) -> Bob And because the intruder sends bobs
challenge in its encrypted form, Bob is convinced that the intruder is
Alice.

A possible cure for this protocol is to have Alice send the first
message in encrypted form. This way the intruder can not use the mirror
attack at all. The other solution can be the use of a KDC (Key
Distribution Centre) or the Diffie – Hellman Key distribution protocol.

The Diffie – Hellman protocol for secure key exchange solves the problem
that a key can not be exchanged by letter or phone without the
possibility of someone spying.

A and B must both choose 2 prime numbers (n and g) where (n-1)/2 is also
a prime number. Now A and B both choose a large number resp. x and y
(for example 512 bits) and A starts the protocol by sending [n, b, g^x
mod n] to B. B sends [g^y mod n]. Now A calculates [(g^y mod n)^x = g^xy
mod n] and B calculates [g^x mod n)^y = g^xy mod n] and both parties
have there secret authentication key.

This algorithm can not be bruteforced by any computer know to mankind
because of the complexity of the calculations. However there is a flaw.
How does B know that the set of numbers he received are comming from A
and not from some Intruder. This attack is know as man in the middle.

A -> [n,g,g^x mod n] -> I I -> [n,g,g^z mod n] -> B A [g^y mod n] -> B

Where A chooses x, I chooses z and B chooses y.

Authentication with a key distribution centre works with a server that
hold all keys of users. The consideration given to the KDC method is
that the centre can´t lie about someone´s identity by falsifying the
key.

A -> [A,Ka(B,Ks)] -> KDC KDC -> [Kb(A,Ks)]

(where A and B are userid´s, Ka and Kb are the personal keys of A and B
and Ks is the session key) The idea behind this protocol is simple. A
chooses a session key for her communication with B which is encrypted
with her own key containing the userid of B.

Aling with this she sends her own identity A. The KDC decrypts the
Ka(B,Ks) message and looks up the key of B. The KDC will send the
encrypted string containing A´s identity and the session key. Because of
the use of the KDC both parties can be sure that A is talking to be,
but…

If the Intuder chooses to offer A a legitimate service. A will open a
session with B (the banker) to make a deposit of money. When the
Intruder sniffs the network and copies the second string [K(A,Ks)] and
the following deposit order, the intruder can send a similar set of
srtings to make B believe that A is sending another sum of money. This
attack is known as the replay attack. This could be solved by entering a
timestamp of some sort to the strings but that would require a
synchronisation of clocks in the network.

I hope this article has shed some light on different authentication
protocols and there weaknesses.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH