Podcast
Questions and Answers
In the context of authenticated key establishment protocols, what is the purpose of using long-term keys or passwords?
In the context of authenticated key establishment protocols, what is the purpose of using long-term keys or passwords?
Which standard document specifies key-based authentication using message authentication codes?
Which standard document specifies key-based authentication using message authentication codes?
What type of attack can EMV cards be vulnerable to due to relay attacks launched via malicious Point of Sale (POS) terminals?
What type of attack can EMV cards be vulnerable to due to relay attacks launched via malicious Point of Sale (POS) terminals?
Which protocol commonly implemented for Internet banking uses message authentication codes for authentication?
Which protocol commonly implemented for Internet banking uses message authentication codes for authentication?
Signup and view all the answers
What is the primary goal of a relay attack on EMV cards launched via malicious POS terminals?
What is the primary goal of a relay attack on EMV cards launched via malicious POS terminals?
Signup and view all the answers
Which aspect ensures the notion of a secure channel in authenticated key establishment protocols like TLS, SSH, IPsec, and VPN?
Which aspect ensures the notion of a secure channel in authenticated key establishment protocols like TLS, SSH, IPsec, and VPN?
Signup and view all the answers
What technique is recommended to slow down dictionary and brute-force attacks in password hashing?
What technique is recommended to slow down dictionary and brute-force attacks in password hashing?
Signup and view all the answers
What method can make pre-computed rainbow tables infeasible in recovering passwords?
What method can make pre-computed rainbow tables infeasible in recovering passwords?
Signup and view all the answers
In which document has key-based authentication using secret-key encryption been standardized?
In which document has key-based authentication using secret-key encryption been standardized?
Signup and view all the answers
What is the main purpose of using symmetric-key encryption in authentication protocols?
What is the main purpose of using symmetric-key encryption in authentication protocols?
Signup and view all the answers
Which technique is intentionally designed to use large amounts of RAM to thwart password attacks with custom-built circuits like ASIC and GPU?
Which technique is intentionally designed to use large amounts of RAM to thwart password attacks with custom-built circuits like ASIC and GPU?
Signup and view all the answers
What problem does adding salt aim to solve in password hashing?
What problem does adding salt aim to solve in password hashing?
Signup and view all the answers
What does the base64 encoding do for hashed passwords in Cisco devices?
What does the base64 encoding do for hashed passwords in Cisco devices?
Signup and view all the answers
What is the main purpose of using digital signatures in authentication protocols?
What is the main purpose of using digital signatures in authentication protocols?
Signup and view all the answers
What does the ICT2213 course cover related to authentication protocols?
What does the ICT2213 course cover related to authentication protocols?
Signup and view all the answers
What type of attack can be successful even against long passwords if stolen?
What type of attack can be successful even against long passwords if stolen?
Signup and view all the answers
What is the recommended approach for signing and encrypting a message, as described in the text?
What is the recommended approach for signing and encrypting a message, as described in the text?
Signup and view all the answers
What is the purpose of including an addressee in the message when using the Sign-then-Encrypt (StE) approach?
What is the purpose of including an addressee in the message when using the Sign-then-Encrypt (StE) approach?
Signup and view all the answers
Which of the following is NOT a way of implementing authentication protocols, as mentioned in the text?
Which of the following is NOT a way of implementing authentication protocols, as mentioned in the text?
Signup and view all the answers
In the context of authentication protocols, what is the purpose of a 'challenge-response' mechanism?
In the context of authentication protocols, what is the purpose of a 'challenge-response' mechanism?
Signup and view all the answers
Which of the following cryptographic primitives is most likely used to ensure the integrity and authenticity of a message, as described in the text?
Which of the following cryptographic primitives is most likely used to ensure the integrity and authenticity of a message, as described in the text?
Signup and view all the answers
What is the purpose of the PKCS#7 standard mentioned in the text?
What is the purpose of the PKCS#7 standard mentioned in the text?
Signup and view all the answers
Study Notes
Cardholder Verification Method (CVM)
- Prevents use of lost/stolen card PIN (chip-and-PIN) and signature (chip-and-signature)
- No CVM for low-value transactions only
Public Key Generation and Distribution under DDA
- Illustrates how public keys are generated and distributed under the Dynamic Data Authentication protocol
DDA and PIN Verification
- DDA and PIN verification
Relay Attack on EMV Cards
- EMV cards vulnerable to relay attacks launched via malicious POS terminals
ISO/IEC 9798-4 Standard
- Key-based authentication using message authentication codes standardized in ISO/IEC 9798-4 document
One-time Password (OTP)
- Example authentication protocol using MAC, commonly implemented for Internet banking
- Vulnerable to Man-in-the-Middle (MiTM) attack if attacker is able to place himself between customer and bank’s server, e.g., via phishing attack
Authenticated Key Establishment (AKE) Protocols
- After successful authentication, secure communications often require AKE protocols
- AKE protocol consists of:
- Authentication: Using long-term keys or passwords to verify identities of communicating parties
- Key establishment: Establishing short-term session keys for connection session
- Session key protects subsequent communications using authenticated encryption, achieving notion of secure channel, e.g., TLS, SSH, IPsec, VPN
Key Establishment Protocols
- Categorized into key transport or key agreement protocols
Decentralized vs. Centralized
- Administrator can be malicious
Storing Hashed Passwords
- Stored using cryptographically secure hash function h()
- Vulnerable to attacks, e.g., rainbow tables
Using Salt
- Adding random bits (salt) to password makes pre-computed rainbow tables infeasible
Dictionary Attack
- Even salted hashed passwords can be vulnerable to dictionary attacks with increasing computing power
- Skillful attackers can recover even long passwords
NIST’s New Password Guidelines
- Issued in 2017, regarding digital identity guidelines
Alternative Approach by Bruce Schneier
- Recommends scheme to create strong password
Key Derivation Functions
- Used to further slow down dictionary and brute-force attacks
- Generate password hashes, controlling amount of time to verify a single password guess
- Example: SCrypt KDF, designed to use large amounts of RAM to thwart password attacks using custom-built parallel circuits like ASIC and GPU
Example Password Hashes in Cisco Devices
- Options for storing hashed passwords in Cisco devices
- Hashed password is base64-encoded, with type of algorithm identified by number at the beginning of the string
Cisco’s Base64 Encoding
- Different base64 table used
Key-Based Authentication
- Implemented using keys stored in secure devices, a “what you have” type of authentication
- Implementation options: symmetric-key encryption, digital signatures, MACs
Earliest Key-Based Authentication Protocol
- Implemented in IFF system, a simple challenge-response protocol using a secret key
- Mutual authentication with IFF: to prevent friendly fighters from shooting down each other
- Vulnerable to reflection attacks
ISO/IEC 9798-2 Standard
- Key-based authentication using secret-key encryption standardized in ISO/IEC 9798-2 document
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Description
Test your knowledge on Cardholder Verification Methods (CVM) like chip-and-PIN, chip-and-signature, and no CVM. Learn about Public key generation and distribution in Dynamic Data Authentication (DDA) protocol, as well as DDA and PIN verification techniques. Explore the vulnerability of EMV cards to relay attacks.
