Security Handshake Pitfalls

Client A       Kab       Client B
  (Ka)         KDC         (Kb)
               (Ks)

Otway-Rees: Ka{Na, Kab}

This message reassures Client A that both the KDC and Client B are OK because it can check its nonce, which it had encrypted with other things, and to get it back means the KDC used Ka and the KDC validated Client B.

Otway-Rees: Kab{anything recognizable}

Client A proves identity to Client B by showing it knows Kab.
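
The two Otway-Rees messages above, Ka{Na, Kab} and Kab{anything recognizable}, as an added example that is not part of the original slides. The function names are hypothetical, and `seal`/`unseal` are a SHA-256 based teaching stand-in for the K{...} encryption, not a production cipher.

```python
import hashlib, hmac, json, secrets

def _keystream(key, iv, n):
    # SHA-256 in counter mode; a teaching stand-in for a real cipher.
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Stand-in for K{...}: encrypt, then MAC, so a wrong key is detected."""
    pt = json.dumps(obj).encode()
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("not produced with this key")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))
    return json.loads(pt)

def kdc_reply(ka, na):
    """KDC side of Ka{Na, Kab}: echo A's nonce next to a fresh session key."""
    kab = secrets.token_bytes(32)
    return seal(ka, {"Na": na, "Kab": kab.hex()}), kab

def client_a_accept(ka, my_na, blob):
    """A accepts Kab only if the reply opens under Ka and carries A's nonce."""
    msg = unseal(ka, blob)
    if not hmac.compare_digest(msg["Na"], my_na):
        raise ValueError("nonce mismatch: stale or replayed KDC reply")
    return bytes.fromhex(msg["Kab"])

def client_b_accept(kab, blob, expected="hello from A"):
    """B's check of Kab{anything recognizable}: it must open under Kab."""
    try:
        return unseal(kab, blob) == expected
    except ValueError:
        return False
```

A KDC reply recorded from an earlier run still opens under Ka, so it is the nonce comparison in `client_a_accept` that rejects it.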

Nonce types:
  Random number will probably never be reused
  Timestamp requires synchronized clocks
  Sequence number requires non-volatile memory (system crash?)
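
The three nonce types and the requirement each one carries, as an added example that is not part of the original slides. The class and function names are hypothetical and the clock and sequence values are constructed.

```python
import secrets

class RandomNonce:
    """Verifier issues a fresh random challenge and accepts it back exactly once."""
    def __init__(self):
        self.outstanding = set()
    def challenge(self):
        n = secrets.token_hex(16)   # 128 bits: reuse is practically impossible
        self.outstanding.add(n)
        return n
    def accept(self, n):
        if n not in self.outstanding:
            return False
        self.outstanding.remove(n)
        return True

class TimestampNonce:
    """Accepts a timestamp within `skew` seconds of the verifier's own clock."""
    def __init__(self, clock, skew=30):
        self.clock, self.skew = clock, skew
    def accept(self, ts):
        return abs(self.clock() - ts) <= self.skew

class SequenceNonce:
    """Accepts only values above the last one seen; `last` must survive a restart."""
    def __init__(self, last=0):
        self.last = last
    def accept(self, seq):
        if seq <= self.last:
            return False
        self.last = seq
        return True

def clock_drift_demo():
    sender_now = 1_000_000                                    # constructed clock value
    synced = TimestampNonce(clock=lambda: sender_now + 2)
    drifted = TimestampNonce(clock=lambda: sender_now + 600)  # verifier 10 min off
    return synced.accept(sender_now), drifted.accept(sender_now)

def crash_demo():
    v = SequenceNonce()
    first = v.accept(41)          # honest message
    replay = v.accept(41)         # replay rejected while state is intact
    v = SequenceNonce()           # crash: a counter kept only in RAM restarts at 0
    after_crash = v.accept(41)    # the same recorded message is accepted again
    restored = SequenceNonce(last=41).accept(41)  # counter reloaded from storage
    return first, replay, after_crash, restored
```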

Protocol Checklist:

Eavesdropping: attacker should not be able to do any of the following:
  learn the contents of messages between connecting parties
  learn information enabling impersonation in a future exchange
  learn anything that permits offline password-guessing

Impersonation of Originator: attacker should not be able to do any of these:
  convince other party it is the real originator
  learn information that would enable impersonator to do an offline password-guessing attack against Client or Server's secret information
  learn information that would enable impersonation of Client in the future
  learn information that would enable impersonation of Server to Client
  trick Server into signing or decrypting something

Pounce: attacker gets part way through authentication but should not:
  convince Client the attacker is the Server
  learn info enabling an offline password-guessing attack
  learn info enabling impersonation of Server in future or Client to Server
  trick Client into signing or decrypting something

Read Client Database: Bad news! Then attacker can convince Server it is the Client. Attacker can do offline password-guessing attack against Server's secret (if it is derived from a password) since Client must have enough info to know if party really is the Server. But:
  Attacker should not be able to impersonate the Server to the Client
  Attacker should not be able to decrypt recorded messages between S and C

Read Server Database: Bad News!! Then attacker can convince Client that it is the Server. Attacker can do offline password-guessing attack against Client's secret. But:
  Attacker should not be able to impersonate the Client to the Server
  Attacker should not be able to decrypt recorded messages between S and C

Sit on net and modify messages – Attacker should not be able to:
  do an offline password-guessing attack on anybody's secret information
  read any messages
  hijack a conversation without the other side knowing this
  cause messages between Client and Server to be misinterpreted