Authentication protocols and there weaknesses

Note: This article first appeared over at our affiliates site Black Cat Virii Group. The original article can be found here

By: Chernobyl Chickun [BCVG].

This text is for educational purposes only.

There is a distinct difference between authorisation and authentication. This difference is that authorisation checks is a user or a non-user is allowed to perform certain action on a system, while authentication checks whether user A, in a communication session with B, is in fact talking to B and not to an intruder which we will call I. Several protocols have been developed over the time to ensure a safe and secure communication session with the opposite party without intrusion.

In this document I am going to show a number of these protocols along with there weaknesses and solutions to the weaknesses. Let the record show that the author or any member of the BCVG Network can not be held responsible for any problems caused by using information in this article for it is for educational purposes.
Authentication protocols must be resistant to these hostile actions:
The deletion, reply and change in and of messages that are send from A to B.

The first protocol is the secret key algorithm. It is absolutely necessary that A and B have a common session key that is not known by the intruder I. We will call teh session key: Kab. Along with the session key we have variables that indicate the user that is user, they are: A and B in the protocol. Ra and Rb are so called challenges that are send and retrieved encrypted by the session key so that when it is decrypted it can be checked against the original challenge to see if they are identical.

Alice -> A,Ra -> Bob
Alice sends her userID “A” plus her challenge to Bob.
Alice A,Kab(Rb) -> Bob
Alice sends her userID and the challenge Bob gave her encrypted with the session key. Bob decrypts his own challenge and if the match, Bob knows that he is talking to Alice and not to the intruder.

But as you might have guessed, our intruder is not giving up. He planned an attack on this protocol: The mirror attack. The intruder has been sniffing the network and has obtained a version of the user ID of Alice. The attack goes as following:

(1) Intruder -> A,Ri -> Bob
The intruder sends the userID of Alice and his own challenge.

(1) Intruder A,Rb -> Bob
The intruder opens another session with Bob and sends him his own challenge back.

(2) Intruder A,Kab(Rb) -> Bob
And because the intruder sends bobs challenge in its encrypted form, Bob is convinced that the intruder is Alice.

A possible cure for this protocol is to have Alice send the first message in encrypted form. This way the intruder can not use the mirror attack at all. The other solution can be the use of a KDC (Key Distribution Centre) or the Diffie – Hellman Key distribution protocol.

The Diffie – Hellman protocol for secure key exchange solves the problem that a key can not be exchanged by letter or phone without the possibility of someone spying.

A and B must both choose 2 prime numbers (n and g) where (n-1)/2 is also a prime number. Now A and B both choose a large number resp. x and y (for example 512 bits) and A starts the protocol by sending [n, b, g^x mod n] to B. B sends [g^y mod n]. Now A calculates [(g^y mod n)^x = g^xy mod n] and B calculates
[g^x mod n)^y = g^xy mod n] and both parties have there secret authentication key.

This algorithm can not be bruteforced by any computer know to mankind because of the complexity of the calculations. However there is a flaw. How does B know that the set of numbers he received are comming from A and not from some Intruder. This attack is know as man in the middle.

A -> [n,g,g^x mod n] -> I
I -> [n,g,g^z mod n] -> B
A [g^y mod n] -> B

Where A chooses x, I chooses z and B chooses y.

Authentication with a key distribution centre works with a server that hold all keys of users. The consideration given to the KDC method is that the centre can´t lie about someone´s identity by falsifying the key.

A -> [A,Ka(B,Ks)] -> KDC
KDC -> [Kb(A,Ks)]

(where A and B are userid´s, Ka and Kb are the personal keys of A and B and Ks is the session key)
The idea behind this protocol is simple. A chooses a session key for her communication with B which is encrypted with her own key containing the userid of B.

Aling with this she sends her own identity A. The KDC decrypts the Ka(B,Ks) message and looks up the key of B. The KDC will send the encrypted string containing A´s identity and the session key. Because of the use of the KDC both parties can be sure that A is talking to be, but…

If the Intuder chooses to offer A a legitimate service. A will open a session with B (the banker) to make a deposit of money. When the Intruder sniffs the network and copies the second string [K(A,Ks)] and the following deposit order, the intruder can send a similar set of srtings to make B believe that A is sending another sum of money. This attack is known as the replay attack. This could be solved by entering a timestamp of some sort to the strings but that would require a synchronisation of clocks in the network.

I hope this article has shed some light on different authentication protocols and there weaknesses.
Chernobyl Chickun © 2002

1.) Dumpster Diving - One Man's Trash - Grifter
2.) Ham Radio: An Introduction - A
3.) Pirate Radio - Manic Velocity
4.) Hacking by Numbers - madirish
5.) Authentication protocols and there weaknesses - Chernobyl Chickun
6.) Remote access and Security - Mark Jorgensen & Neil H Watson
7.) Myths about TCP Spoofing - Grandmaster Plague