22 Questions
In the context of authenticated key establishment protocols, what is the purpose of using long-term keys or passwords?
Verifying the identities of communicating parties
Which standard document specifies key-based authentication using message authentication codes?
ISO/IEC 9798-4
What type of attack can EMV cards be vulnerable to due to relay attacks launched via malicious Point of Sale (POS) terminals?
Man-in-the-Middle (MiTM) attack
Which protocol commonly implemented for Internet banking uses message authentication codes for authentication?
One-time password (OTP)
What is the primary goal of a relay attack on EMV cards launched via malicious POS terminals?
To intercept and alter communication between cardholder and bank server
Which aspect ensures the notion of a secure channel in authenticated key establishment protocols like TLS, SSH, IPsec, and VPN?
Message authentication codes
What technique is recommended to slow down dictionary and brute-force attacks in password hashing?
Using key derivation functions
What method can make pre-computed rainbow tables infeasible in recovering passwords?
Adding salt to passwords
In which document has key-based authentication using secret-key encryption been standardized?
ISO/IEC 9798-2
What is the main purpose of using symmetric-key encryption in authentication protocols?
To authenticate using keys stored in secure devices
Which technique is intentionally designed to use large amounts of RAM to thwart password attacks with custom-built circuits like ASIC and GPU?
SCrypt Key Derivation Functions
What problem does adding salt aim to solve in password hashing?
Dictionary attacks
What does the base64 encoding do for hashed passwords in Cisco devices?
Identifies the hash type
What is the main purpose of using digital signatures in authentication protocols?
To provide non-repudiation of the message sender
What does the ICT2213 course cover related to authentication protocols?
Different key-based authentication standards using primitives like digital signatures and MACs
What type of attack can be successful even against long passwords if stolen?
Dictionary Attacks
What is the recommended approach for signing and encrypting a message, as described in the text?
Sign-then-Encrypt (StE)
What is the purpose of including an addressee in the message when using the Sign-then-Encrypt (StE) approach?
To prevent a masquerading attack
Which of the following is NOT a way of implementing authentication protocols, as mentioned in the text?
What you are (e.g. biometrics)
In the context of authentication protocols, what is the purpose of a 'challenge-response' mechanism?
All of the above
Which of the following cryptographic primitives is most likely used to ensure the integrity and authenticity of a message, as described in the text?
Digital Signatures
What is the purpose of the PKCS#7 standard mentioned in the text?
It specifies the format for encrypted messages
Study Notes
Cardholder Verification Method (CVM)
- Prevents use of a lost/stolen card: PIN (chip-and-PIN) and signature (chip-and-signature)
- No CVM for low-value transactions only
Public Key Generation and Distribution under DDA
- Illustrates how public keys are generated and distributed under the Dynamic Data Authentication protocol
DDA and PIN Verification
- DDA and PIN verification
Relay Attack on EMV Cards
- EMV cards vulnerable to relay attacks launched via malicious POS terminals
ISO/IEC 9798-4 Standard
- Key-based authentication using message authentication codes standardized in ISO/IEC 9798-4 document
One-time Password (OTP)
- Example authentication protocol using MAC, commonly implemented for Internet banking
- Vulnerable to Man-in-the-Middle (MiTM) attack if attacker is able to place himself between customer and bank’s server, e.g., via phishing attack
Authenticated Key Establishment (AKE) Protocols
- After successful authentication, secure communications often require AKE protocols
- AKE protocol consists of:
  - Authentication: Using long-term keys or passwords to verify identities of communicating parties
  - Key establishment: Establishing short-term session keys for connection session
- Session key protects subsequent communications using authenticated encryption, achieving notion of secure channel, e.g., TLS, SSH, IPsec, VPN
Key Establishment Protocols
- Categorized into key transport or key agreement protocols
Decentralized vs. Centralized
- Administrator can be malicious
Storing Hashed Passwords
- Stored using cryptographically secure hash function h()
- Vulnerable to attacks, e.g., rainbow tables
Using Salt
- Adding random bits (salt) to password makes pre-computed rainbow tables infeasible
Dictionary Attack
- Even salted hashed passwords can be vulnerable to dictionary attacks with increasing computing power
- Skillful attackers can recover even long passwords
NIST’s New Password Guidelines
- Issued in 2017, regarding digital identity guidelines
Alternative Approach by Bruce Schneier
- Recommends scheme to create strong password
Key Derivation Functions
- Used to further slow down dictionary and brute-force attacks
- Generate password hashes, controlling amount of time to verify a single password guess
- Example: SCrypt KDF, designed to use large amounts of RAM to thwart password attacks using custom-built parallel circuits like ASIC and GPU
Example Password Hashes in Cisco Devices
- Options for storing hashed passwords in Cisco devices
- Hashed password is base64-encoded, with type of algorithm identified by number at the beginning of the string
Cisco’s Base64 Encoding
- Different base64 table used
Key-Based Authentication
- Implemented using keys stored in secure devices, a “what you have” type of authentication
- Implementation options: symmetric-key encryption, digital signatures, MACs
Earliest Key-Based Authentication Protocol
- Implemented in IFF system, a simple challenge-response protocol using a secret key
- Mutual authentication with IFF: to prevent friendly fighters from shooting down each other
- Vulnerable to reflection attacks
ISO/IEC 9798-2 Standard
- Key-based authentication using secret-key encryption standardized in ISO/IEC 9798-2 document
Test your knowledge on Cardholder Verification Methods (CVM) like chip-and-PIN, chip-and-signature, and no CVM. Learn about Public key generation and distribution in Dynamic Data Authentication (DDA) protocol, as well as DDA and PIN verification techniques. Explore the vulnerability of EMV cards to relay attacks.