Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An...
-
Upload
alison-strickland -
Category
Documents
-
view
216 -
download
4
Transcript of Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An...
![Page 1: Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An Authentication layering model Robert Moskowitz Trusecure.](https://reader035.fdocuments.us/reader035/viewer/2022072011/56649e2a5503460f94b17ce1/html5/thumbnails/1.jpg)
Robert Moskowitz, Trusecure/ICSALabs
Slide 1
doc.: IEEE 802.11-03/492r0-I
Submission
March 2002
An Authentication layering model
Robert Moskowitz
Trusecure Corporation
ICSALabs
![Page 2: Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An Authentication layering model Robert Moskowitz Trusecure.](https://reader035.fdocuments.us/reader035/viewer/2022072011/56649e2a5503460f94b17ce1/html5/thumbnails/2.jpg)
Robert Moskowitz, Trusecure/ICSALabs
Slide 2
doc.: IEEE 802.11-03/492r0-I
Submission
March 2002
Motivation
• Authentication has grown beyond a small component of security to a self-standing pillar of secure systems design– Monolithic authentication systems are being replaced
by componentized systems
• Develop a layered model for Authentication– flows, channels, algorithms, and entities
• A clear taxonomy for Authentication• This effort is limited to two-party Authentication
![Page 3: Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An Authentication layering model Robert Moskowitz Trusecure.](https://reader035.fdocuments.us/reader035/viewer/2022072011/56649e2a5503460f94b17ce1/html5/thumbnails/3.jpg)
Robert Moskowitz, Trusecure/ICSALabs
Slide 3
doc.: IEEE 802.11-03/492r0-I
Submission
March 2002
The Authentication Model
• In most authentication systems these layers are not obvious– The channel is frequently not provided
• The advent of the channel (e.g. EAP) that makes this well defined model valuable
Authentication Flow
Authentication Channel [optional]
Authentication Algorithm Authentication Algorithm Authentication Algorithm
Identity & Key Identity & Key Identity & Key Identity & Key
![Page 4: Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An Authentication layering model Robert Moskowitz Trusecure.](https://reader035.fdocuments.us/reader035/viewer/2022072011/56649e2a5503460f94b17ce1/html5/thumbnails/4.jpg)
Robert Moskowitz, Trusecure/ICSALabs
Slide 4
doc.: IEEE 802.11-03/492r0-I
Submission
March 2002
Authentication Flows
• Three groupings– Unidirectional, Bi-directional, Coupled unidirectional
• Unidirectional has two state machines– Initiator and Responder
• Bi-directional as a single state machine– For both the Initiator and Responder– Handles directional reversal and race conditions
• Coupled unidirectional– 2 unidirectional that both must complete before the authentication is
finished– Ignores race condition and direction reversal
![Page 5: Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An Authentication layering model Robert Moskowitz Trusecure.](https://reader035.fdocuments.us/reader035/viewer/2022072011/56649e2a5503460f94b17ce1/html5/thumbnails/5.jpg)
Robert Moskowitz, Trusecure/ICSALabs
Slide 5
doc.: IEEE 802.11-03/492r0-I
Submission
March 2002
Unidirectional Versus Bi-directional
• Unidirectional advantageous– Clear cut Initiator
• Benefits from smaller Initiator state machine size
• Bi-directional advantageous– Single state machine
– Either party may initiate
– Handles race condition
– Can ‘emulate’ unidirectional through role enforcement
• Coupled unidirectional NOT equivalent to bi-directional
![Page 6: Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An Authentication layering model Robert Moskowitz Trusecure.](https://reader035.fdocuments.us/reader035/viewer/2022072011/56649e2a5503460f94b17ce1/html5/thumbnails/6.jpg)
Robert Moskowitz, Trusecure/ICSALabs
Slide 6
doc.: IEEE 802.11-03/492r0-I
Submission
March 2002
Establishing Identities
• Authentication’s raison d'être is establishing Identities
• Identities are established by a cryptographic binding
• Bindings can be based on Symmetric or Asymmetric cryptography
![Page 7: Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An Authentication layering model Robert Moskowitz Trusecure.](https://reader035.fdocuments.us/reader035/viewer/2022072011/56649e2a5503460f94b17ce1/html5/thumbnails/7.jpg)
Robert Moskowitz, Trusecure/ICSALabs
Slide 7
doc.: IEEE 802.11-03/492r0-I
Submission
March 2002
Nature of Cryptographic Bindings
• Weak binding– Party has the key, but no proof of identity
• Strong binding– Identity is tied to key
• Examples of Bindings– Name to Symmetric Key
– Two names to Symmetric Key
– Name to Asymmetric Key
![Page 8: Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An Authentication layering model Robert Moskowitz Trusecure.](https://reader035.fdocuments.us/reader035/viewer/2022072011/56649e2a5503460f94b17ce1/html5/thumbnails/8.jpg)
Robert Moskowitz, Trusecure/ICSALabs
Slide 8
doc.: IEEE 802.11-03/492r0-I
Submission
March 2002
Using bindings in an authentication algorithm
• Well-designed algorithm will maximize the trust for each party
• Examples of an authentication algorithm– Single Identity with key
– Two Identities with a single key
– Two Identities with keys in a nested algorithm
– Two Identities with keys
![Page 9: Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An Authentication layering model Robert Moskowitz Trusecure.](https://reader035.fdocuments.us/reader035/viewer/2022072011/56649e2a5503460f94b17ce1/html5/thumbnails/9.jpg)
Robert Moskowitz, Trusecure/ICSALabs
Slide 9
doc.: IEEE 802.11-03/492r0-I
Submission
March 2002
Authentication Channels
• An authentication algorithm muxing service• Helps further the development and use of good
authentication algorithms
![Page 10: Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An Authentication layering model Robert Moskowitz Trusecure.](https://reader035.fdocuments.us/reader035/viewer/2022072011/56649e2a5503460f94b17ce1/html5/thumbnails/10.jpg)
Robert Moskowitz, Trusecure/ICSALabs
Slide 10
doc.: IEEE 802.11-03/492r0-I
Submission
March 2002
What is Mutual Authentication?
• where the parties authenticate to each other within a single authentication process
• An authentication process may be called ‘mutual’ and still the following issues are undefined:– Is one or both identities exchanged?– If only one identity is exchanged, is the other identity implied by
knowledge of a symmetric key?– Is/are the identities exchange secure?– If two identities are securely exchanged, are they protected with one
or two keys?– If two identities, is there one identity exchange, two intertwined
exchanges, or two serial or parallel exchanges?
![Page 11: Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An Authentication layering model Robert Moskowitz Trusecure.](https://reader035.fdocuments.us/reader035/viewer/2022072011/56649e2a5503460f94b17ce1/html5/thumbnails/11.jpg)
Robert Moskowitz, Trusecure/ICSALabs
Slide 11
doc.: IEEE 802.11-03/492r0-I
Submission
March 2002
What is Mutual Authentication?
• Limit the applicability of ‘Mutual Authentication’ to authentication algorithms and how they act on Identity bindings
• Authentication flows and channels are silent on mutuality– Mutuality is NOT established by a bi-directional or
coupled unidirectional flow
• Appropriate to delineate the requirement of mutual authentication for a system, like in IEEE 802.11
![Page 12: Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An Authentication layering model Robert Moskowitz Trusecure.](https://reader035.fdocuments.us/reader035/viewer/2022072011/56649e2a5503460f94b17ce1/html5/thumbnails/12.jpg)
Robert Moskowitz, Trusecure/ICSALabs
Slide 12
doc.: IEEE 802.11-03/492r0-I
Submission
March 2002
What is Mutual Authentication?
• There are two features that further typify an authentication– Are both identities explicitly included within the
algorithm or is one implicit as in AKA.
– Is one of the identities not bound to its key, but protected with the other party’s key.
![Page 13: Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An Authentication layering model Robert Moskowitz Trusecure.](https://reader035.fdocuments.us/reader035/viewer/2022072011/56649e2a5503460f94b17ce1/html5/thumbnails/13.jpg)
Robert Moskowitz, Trusecure/ICSALabs
Slide 13
doc.: IEEE 802.11-03/492r0-I
Submission
March 2002
What is Mutual Authentication?
• the following terminology would be appropriate to describe a particular mutual authentication algorithm– Explicit, Secured Identity Authentication
– Implicit, Secured Identity Authentication
– Explicit, Unsecured Identity Authentication
– Implicit, Unsecured Identity Authentication
– Where Explicit means identity is included in the protocol and Secure means the identity is cryptographicly protected
![Page 14: Doc.: IEEE 802.11-03/492r0-I Submission Robert Moskowitz, Trusecure/ICSALabsSlide 1 March 2002 An Authentication layering model Robert Moskowitz Trusecure.](https://reader035.fdocuments.us/reader035/viewer/2022072011/56649e2a5503460f94b17ce1/html5/thumbnails/14.jpg)
Robert Moskowitz, Trusecure/ICSALabs
Slide 14
doc.: IEEE 802.11-03/492r0-I
Submission
March 2002
Security Associations
• An SA is a set of policy and key(s) used to protect information
• The successful authentication creates a unique SA for the two parties
• Each new authentication creates a new, unique, SA
• The SA is used to group all the information related to the authentication so that everything can be properly protected within the party and deleted when no longer needed
• An SA can be bi-directional or unidirectional– One set of keying material in bi-drectional, separate keying material
in unidirectional