Challenge-Response technique 询问/应答方式 Challenge/ Response) B期望从A获得一个条件 首先发给A一个随机值( challenge) ·A收到这个值之后,对它作某种变换,得到 response,并送回去 B收到这个 response,可以验证A符合这个条件 在有的协议中,这个 challenge也称为 Nonce (Number used ONCE ·可能明文传输,也可能密文传输 这个条件可以是知道某个口令,也可能是其他 的事情 变换例子:用密钥加密,说明A知道这个密钥; 简单运算,比如增一,说明A知道这个随机值 常用于交互式的认证协议中 復大软件学院 LiT
LiJT 16 Challenge-Response technique • 询问/应答方式(Challenge/Response) – B期望从A获得一个条件 • 首先发给A一个随机值(challenge) • A收到这个值之后,对它作某种变换,得到 response,并送回去 • B收到这个response,可以验证A符合这个条件 – 在有的协议中,这个challenge也称为Nonce (Number used ONCE ) • 可能明文传输,也可能密文传输 – 这个条件可以是知道某个口令,也可能是其他 的事情 • 变换例子:用密钥加密,说明A知道这个密钥; 简单运算,比如增一,说明A知道这个随机值 – 常用于交互式的认证协议中
认证协议中的常用技术时间戳( Time-stamp) 时间戳 A收到一个消息,根据消息中的时间戳信息,判 断消息的有效性 如果消息的时间戳与A所知道的当前时间足够接近 这种方法要求不同参与者之间的时钟需要同步 在网络环境中,特别是在分布式网络环境中,时钟同 步并不容易做到 ·一旦时钟同步失败 要么协议不能正常服务,影响可用性( availability),造成拒 绝服务(DOS) 要么放大时钟窗口,造成攻击的机会 时间窗大小的选择应根据消息的时效性来确定 復大软件学院 LiT
LiJT 17 认证协议中的常用技术-时间戳(Time-stamp) • 时间戳 – A收到一个消息,根据消息中的时间戳信息,判 断消息的有效性 • 如果消息的时间戳与A所知道的当前时间足够接近 – 这种方法要求不同参与者之间的时钟需要同步 • 在网络环境中,特别是在分布式网络环境中,时钟同 步并不容易做到 • 一旦时钟同步失败 – 要么协议不能正常服务,影响可用性(availability),造成拒 绝服务(DOS) – 要么放大时钟窗口,造成攻击的机会 – 时间窗大小的选择应根据消息的时效性来确定
E Challenge-response authentication Using Symmetric encryption One way functions Public key encryption Digital signatures 18 復大软件学院 LiT
LiJT 18 Challenge-response authentication Using • Symmetric encryption • One way functions • Public key encryption • Digital signatures
E Attacks on Authentication Protocols An attack consists of an attacker or a coalition of them Malice)achieving an unentitled gain a serious one such as Malice obtaining a secret message or key, or a less serious one such as Malice successfully deceiving a principal to establish a wrong belief about a claimed property Authentication protocols are insecure not they use are weak, but because of protocol because the underlying cryptographic algorith design flaws usually assume that the underlying cryptographic algorithms are"perfect"without considering their possible weakness 復大软件学院 LiT
LiJT 19 Attacks on Authentication Protocols • An attack consists of an attacker or a coalition of them (Malice) achieving an unentitled gain. – a serious one such as Malice obtaining a secret message or key, – or a less serious one such as Malice successfully deceiving a principal to establish a wrong belief about a claimed property. • Authentication protocols are insecure not because the underlying cryptographic algorithm they use are weak, but because of protocol design flaws. • usually assume that the underlying cryptographic algorithms are "perfect" without considering their possible weakness
Conventions An honest principal in a protocol does not understand the semantical meanings of any message before a protocol terminates successfull may make wrong interpretations on protocol messages An honest principal in a protocol cannot recognize a random-looking number (a nonce, a sequence number or a cryptographic key), unless the random looking number has been created by the principal in the current run of the protocol Stateless, does not maintain any state information after a protocol run terminates successfully Malice knows the"stupidities"(weaknesses)of honest principals, and will always try to exploit them 復大软件学院 LiT