Using Encryption for Authentication in Large Networks of Computers
Roger M. Needham and Michael D. Schroeder. Using Encryption for Authentication in Large Networks of Computers. Communications of the ACM 21(12), December 1978, pp.993-998.
Reviews due for this or other paper Thursday 4/26.
Comments
Summary
This paper provides an overview of several network authentication protocols in varying contexts. The authors also provide a brief overview of their ideas about authentication servers and how someone might implement a system capable of using multiple authentication servers.
Problem
The problem that is being addressed is fairly obvious: how might secure communication over an insecure network take place, especially if the network is so large that there is no system to provide centralized authentication information.
Contributions
I like that the authors focus on securing communication in applications, not by implementing some new networking technology. A pretty obvious win for overall flexibility.
Using nonces seems like a good solution to attackers replaying encrypted messages that have been sniffed, though I don't know if the idea originated from this paper.
The classification of communication types [interactive, one-way, signed] paired with the incredibly basic protocol descriptions.
Flaws
As others have mentioned, these ideas are vulnerable to MITM attacks.
Relevance
Given the obvious successes of public-key encryption and Kerberos it's hard to argue that this paper isn't fundamental to computer security.
Posted by: Jon Beavers | April 26, 2007 08:38 AM
Summary:
This paper describes the outline of three protocols to establish a secure connection over a network and what type of communication each will accommodate. Basically, the protocols rely on techniques such as encryption and authentication servers.
Problem Addressed:
A large-scale network has many difficulties in establishing a secure and protected interactive or one-way connection between two nodes, due to its openness and anonymity (no guarantee of the sender). What kind of encryption technique and authentication mechanism works for a specific situation was unclear and not well organized.
Contributions:
This paper presents several methods and mechanisms for encrypting and authenticating very clearly and in an easy-to-understand way. Also, this paper organizes the ideas so that they match the type of usage.
Authentication requires some authentication server or off-line communication to establish it. This paper also discusses how to use multiple authentication servers and the effectiveness of caching keys for services like a lookup server.
This paper might have encouraged people to discuss security techniques in public and stop trying to keep them secret, since it is impossible to keep them completely secret, and publishing and getting feedback is a much faster way to find the flaws and fix them.
Possible Improvements:
A little more detail might have helped people to try the protocols in their work.
Authentication still requires a logically centralized authentication server. But actually, without an authentication server or a well-known authorized organization that could provide some guarantee, it is really difficult to establish an authenticated connection.
Security:
Due to the network's openness, it is difficult to provide a secure and authenticated connection. But this paper clearly describes how public-key or conventional-key encryption works, and also some authentication mechanisms, so that people can grasp the characteristics and differences of existing methods.
Posted by: Hidetoshi Tokuda | April 26, 2007 08:22 AM
Paper Review: Using Encryption for Authentication in Large Networks of Computers [Needham & Schroeder]
Summary:
This paper describes a sequence of steps and message exchanges to apply symmetric-key and public-key cryptography to establish authenticated communication between machines on a network in 3 useful forms: (1) online/interactive sessions, (2) one-way sessions (such as email), and (3) off-line digital signatures for non-repudiation.
Problem:
The problem is that a malicious party can interpose a machine in any communication path and defeat trivial authentication mechanisms by altering, replaying, or wholly forging messages to masquerade as another party.
Contributions:
* The primary contribution of this work seems to be that it offers a concise step-by-step description of how to properly implement authentication in three useful scenarios, using both traditional symmetric/shared key cryptography and the newer public-key cryptography techniques.
* The authors point out that the public and private keys can sometimes alternate in their roles as encryption vs. decryption keys for the purpose of ensuring message integrity (that the info was correctly communicated) rather than privacy.
Flaws:
* If I assume that the sequences of message exchanges as described do as they intend (and don't have man-in-the-middle attacks such as ssh v1 did), then I see no flaws in this work.
* In Protocol 2 (with public-key algorithms) I think it would be an improvement to encrypt the initial queries to the authentication server. This does not improve the strength of the protocol, but rather makes it less likely that uninvolved parties can glean information from the network traffic about common communications endpoint names. With that information, a malicious party could potentially attempt to compromise security through some other technique, such as denial-of-authentication-service or social engineering, since they can become familiar with the machines/services on which the principals rely.
Security Impact:
The public-key methods described are the basis for nearly all authenticated or secure Internet communication today. It is the basis for much of the Internet economy, or its perceived safety, and so has hugely improved networked computing.
Posted by: Dave Plonka | April 26, 2007 08:15 AM
Summary:
The paper talks about a few protocols for using conventional and public-key encryption to achieve authenticated communication between computers in a network.
Problem:
At the time of writing the paper, computer networks were getting more popular and bigger. Such big networks may not have a central machine that contains all information about the computers and their users. The paper proposes a few high-level distributed protocols to ensure authenticated communication between two principals and also to sign documents digitally.
Contributions:
* Use of conventional and public-key encryption in networking domain for (probably) the first time to do authentication.
* Introduction of the concept of 'digital signing'
* Use of some hierarchy (in Authentication Servers) to achieve scalability in large networks
Flaws:
- Though the paper claims that the protocols are 'decentralized', they are not. Central Authentication Server(s) play a big role in making it work.
- There is a lot of information to be cached at the end points (about all used keys, for e.g.). This will have scalability problems.
- In One-Way communication, the protocol talks about the recipient storing (source, timestamp) information for each message received, to avoid duplicates. This is impossible in most environments where messages are in millions or more.
- There is absolutely no prototype and evaluation. But then, the paper didn't claim the protocols will work as is.
Relevance:
The paper explained the adaptation of encryption in the networking world to achieve authenticated services and digital signing. However, since there were no prototypes done, and I do see some scalability issues, I am not sure how well these protocols were received.
Posted by: Base Paul | April 26, 2007 08:11 AM
Summary
This paper discusses the use of encryption for providing secure authentication in large networks. In particular, the paper discusses how secure authentication can occur in a network of machines where there is no one machine or authority to provide network-wide authentication or naming.
Problem
The problem that this paper addresses is that most networks are not secured between end points and messages can be viewed and tampered with. In particular, these challenges had not been dealt with previously in a decentralized environment.
Contributions
* Identification of the security problem with networks and the possibility of traffic being intercepted and/or modified.
* Use of public key encryption to allow secure communication without a shared secret key.
* Protocols for using both conventional and public key encryption (though at this point public key encryption is "conventional").
* Digital signatures with both public and private key encryption.
Flaws
I do not feel that this paper was flawed in the context of when it was published, and it did point the way to several important advances in security. While there may be flaws in the specifics of this paper, the paper is an excellent advance.
Posted by: Aaron Bryden | April 26, 2007 07:26 AM
Summary:
The paper presents a set of protocols that help provide encrypted authenticated communication over insecure networks. Example protocols for the establishment of authenticated connections, management of authenticated mail and signed communication using both conventional (symmetric) and public key (asymmetric) encryption are presented.
Problem addressed:
An authenticated secure channel of communication over an insecure network is one of the most essential requirements for many types of applications. Protocols which achieve this are of immense value and utility.
Contributions:
The Needham-Schroeder protocol is one of the classic security protocols for authenticated and secure communication, with proposals for both conventional and public key encryption mechanisms.
The paper shows that the conventional (symmetric) encryption algorithm still holds utility even after the discovery of public key encryption algorithms; the best-case benefit of public key algorithms is the caching of keys.
The authentication service is a useful primitive to provide authentication.
Kerberos is based on the Needham-Schroeder protocol.
Flaws/ Possible improvement:
The susceptibility to MITM (Man in the middle attack) is a very serious one. Gavin Lowe showed the flaw and proposed a newer protocol to defend against the attack.
The authors themselves present the protocols as "examples" and encourage the interested reader to use this as a starting point for a formal engineering solution (Kerberos case in point).
Security:
One of the classic papers on security which isn't mathematics heavy! In 1978, this paper was probably too early to be implemented into an engineering solution or maybe not.
Posted by: Archit Gupta | April 25, 2007 11:46 PM
Summary:
Use of encryption for authentication and digital signatures is discussed and several protocols using both private and public/private key techniques are outlined.
Problems Addressed:
Due to the openness of networks, encryption is often required to safeguard communication between two parties on different machines. Also, due to the ease of copying digital material, a way of digitally signing a document is needed to prove it was not altered in any way since the time the creator digitally signed it. Both one-way and two-way encrypted communication are addressed.
Contributions:
The proposed encryption protocols all rely on an authentication server that maintains a database of all parties' secret keys and/or public keys. This authentication server hands out information to parties contacting it. This information that the authentication server hands out enables encrypted communication between two separate parties on the network. All key data does not necessarily have to be on a single authentication server but rather can be distributed to several servers. In this second case the authentication servers communicate between themselves using secure protocols, possibly utilizing a master server that contains secret keys for both authentication servers. In addition to providing a means for messages to be read only by the receiving party, encryption can be used to authoritatively say who a certain message came from. Both a more traditional algorithm and a public-key algorithm are presented to implement digital signatures.
Flaw:
Though the paper brings up some important security issues when sending messages over an insecure network and provides an outline of some protocols to address the issues, it would have been nice to see some implementation and testing of the proposed ideas.
Security:
The security of a user's identity and the data that user passes to others is of primary concern in this work. Protection is provided by either hiding data from unauthorized users or providing a cryptographic check to verify the author of a document.
Posted by: Nuri Eady | April 25, 2007 09:09 PM
SUMMARY
The paper "Using encryption for authentication in large computer networks" presents several protocols for the establishment of secure authenticated connections, message authentication, and non-repudiation.
PROBLEM
How should various cryptographic techniques be used in networks?
CONTRIBUTIONS
* Mutual and one-side authentication protocols, digital signature technique
* Authors attempt to design protocols that would work where the attacker controls the network
FLAWS
* The mutual authentication algorithm is now known to be vulnerable to a man-in-the-middle attack
* The authors did not address how to actually implement something like this in a scalable fashion, how to manage keys, etc.
Posted by: Vladimir Brik | April 25, 2007 07:52 PM
Summary
Public-key and shared private key cryptography are compared for two-way secure communication, one-way secure transfers, and signed communication based on the number of steps needed in the algorithm.
Problem
Many security ideas and algorithms have been presented, but no one has yet put all the ideas together so they can work in a decentralized environment.
Contributions
The main contribution of the paper is an incredibly clear description of the algorithms needed for two-way secure communication, one-way secure messaging, and signed communication using public-keys and shared private keys. Each step of the algorithms along with the reason for each step is explained.
The shared private key approach assumed each entity could securely communicate with an authentication server in order to obtain the private key for communication between them. The use of multiple authentication servers is briefly discussed. It is noted that untrusted authentication servers can be used as long as authentication servers do not share keys between themselves. Any key passed through an authentication server is encrypted so that the untrusted authentication server cannot steal the key.
Caching of public keys is also mentioned in order to reduce the load on public-key authentication servers.
Possible Improvements
Revocation of an authentication server's private keys is not mentioned. In the case that an authentication server is compromised, any communication using a key obtained from the compromised server could also be compromised. The current system has no way to inform the clients that an authentication server is no longer trusted. An automated algorithm would help mitigate damage if an authentication server is broken.
While I do not think comparison was the main aim of this article, comparing the algorithms based on algorithm steps does not make sense to me. One step could in reality translate into many operations with various resource consumptions. I would be much more interested in seeing a comparison of the algorithms based on resources used or strength of the keys.
Posted by: Kevin Springborn | April 25, 2007 07:22 PM
New and improved, with fewer unfinished thoughts!
Summary:
This paper describes protocols that could be used to establish secure communication between different parties in a network, given a trusted authentication server or servers.
Problem:
A user wants to talk to another computer across a network over which a third, malicious user could intercept, alter, replay, or forge messages; the two services want to be able to do mutual authentication and set up a secure channel for communication.
Contributions:
* What became known as the Needham-Schroeder protocols which, despite the authors cautioning that they were just examples, are the bases for a lot of what goes on now (especially the private key one, which Kerberos is apparently based on)
* A description of how you do things like signing in a couple different ways (especially the signing with a symmetric key protocol)
* A good description of the drawbacks of using public key signatures (the AS has to keep all old keys of each party instead of old keys of just itself, which is non-obvious just reading)
* Mention of the possibility of establishing a protocol such that public key is used for authentication and symmetric keys for actual communication, which is how some protocols like SSL work
* Comparisons between public and symmetric key approaches, to try to show how similar the support is
Flaws:
The public key protocol isn't correct; it's potentially vulnerable to a man in the middle attack. However, it took going on two decades (1995) for it to be proved, and requires only a trivial modification to the protocol. (There's another, less damaging vulnerability that is also easily fixed.) Also, it's pretty clear that the authors didn't really intend their protocols to be actually used; they talk about them as examples and say that there is a need to try to establish the correctness of this type of protocol.
Their authentication is all dependent on a trusted, central server. This works well for controlled environments (like say a school network) but doesn't really work on the scale of, say, the internet, so you need different means of authentication. (Again though, a small modification to the public key protocol gives us something very similar to how SSL works: instead of Alice asking the AS for Bob's public key, Alice asks Bob, who then responds with his public key signed by the AS. So the authentication server just becomes a certificate signing server rather than a distribution. Key revocation is probably made harder though.)
Also, the paper broke the (admittedly then unestablished) fundamental rule of writing about crypto, which is to refer to the parties Alice, Bob, Mallory, etc.
Posted by: Evan Driscoll | April 25, 2007 06:37 PM
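The reviews above mention that nonces defeat replay of sniffed messages, that the public-key mutual-authentication protocol was later shown by Gavin Lowe to admit a man-in-the-middle, and that the fix is a trivial modification. The following is an added illustration, not code from the paper or from any reviewer: a symbolic (Dolev-Yao style) model of the three-message Needham-Schroeder public-key handshake with Lowe's 1995 modification, which adds the responder's identity to the second message. Encryption is modelled symbolically (a record that only the named principal may open), not with real cryptography; all class and function names are my own.

```python
"""Symbolic model of the Needham-Schroeder public-key handshake with Lowe's fix.
Message 1: A -> B : {Na, A}pk(B)
Message 2: B -> A : {Na, Nb, B}pk(A)   (original protocol omitted "B")
Message 3: A -> B : {Nb}pk(B)
Encryption is symbolic: an Enc record can only be opened by its named principal."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Enc:
    for_principal: str   # holder of the private key that can open this record
    payload: tuple


def decrypt(me: str, ct: Enc) -> tuple:
    """Only the principal the record was encrypted for may read it."""
    if ct.for_principal != me:
        raise PermissionError(f"{me} cannot open a message encrypted for {ct.for_principal}")
    return ct.payload


class Initiator:
    def __init__(self, name: str):
        self.name, self.peer, self.na = name, None, None

    def msg1(self, peer: str) -> Enc:
        self.peer, self.na = peer, secrets.token_bytes(8)   # fresh nonce Na
        return Enc(peer, (self.na, self.name))

    def msg3(self, ct: Enc) -> Enc:
        na, nb, who = decrypt(self.name, ct)
        if na != self.na:                 # nonce echo: reply must be fresh, not replayed
            raise ValueError("Na not echoed: stale or replayed reply")
        if who != self.peer:              # Lowe's check: reply must be bound to intended peer
            raise ValueError(f"reply names {who}, but handshake was started with {self.peer}")
        return Enc(self.peer, (nb,))


class Responder:
    def __init__(self, name: str):
        self.name, self.peer, self.nb = name, None, None

    def msg2(self, ct: Enc) -> Enc:
        na, who = decrypt(self.name, ct)
        self.peer, self.nb = who, secrets.token_bytes(8)    # fresh nonce Nb
        return Enc(who, (na, self.nb, self.name))           # identity included (Lowe)

    def finish(self, ct: Enc) -> bool:
        (nb,) = decrypt(self.name, ct)
        if nb != self.nb:
            raise ValueError("Nb not echoed")
        return True


def run_handshake() -> bool:
    """Honest run: both nonce checks and the identity check pass."""
    a, b = Initiator("A"), Responder("B")
    return b.finish(a.msg3(b.msg2(a.msg1("B"))))


def initiator_rejects(reply_identity: str, stale: bool) -> bool:
    """Constructed message 2 with a wrong identity and/or a stale nonce is refused."""
    a = Initiator("A")
    a.msg1("B")
    na = secrets.token_bytes(8) if stale else a.na
    try:
        a.msg3(Enc("A", (na, secrets.token_bytes(8), reply_identity)))
    except ValueError:
        return True
    return False
```

Without the identity field, message 2 would let the initiator accept a reply that was in fact produced for a different peer; the `who != self.peer` check is the whole of Lowe's modification.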
Summary:
This paper describes protocols that could be used to establish secure communication between different parties in a network, given a trusted authentication server or servers.
Problem:
A user wants to talk to another computer across a network over which a third, malicious user could intercept, alter, replay, or forge messages; the two services want to be able to do mutual authentication and set up a secure channel for communication.
Contributions:
* What became known as the Needham-Schroeder protocols which, despite the authors cautioning that they were just examples, are the bases for a lot of what goes on now (especially the private key one, which Kerberos is apparently based on)
* A description of how you do things like signing in a couple different ways (especially the signing with a symmetric key protocol)
* A good description of the drawbacks of using public key signatures (the AS has to keep all old keys of each party instead of old keys of just itself, which is non-obvious just reading)
Flaws:
The public key protocol isn't correct; it's potentially vulnerable to a man in the middle attack. However, it took going on two decades (1995) for it to be proved, and requires only a trivial modification to the protocol. (There's another, less damaging vulnerability that is also easily fixed.) Also, it's pretty clear that the authors didn't really intend their
Their authentication is all dependent on a trusted, central server. This works well for controlled environments (like say a school network) but doesn't really work on the scale of, say, the internet, so you need different means of authentication. (Again though, a small modification to the public key protocol gives us something very similar to how SSL works: instead of Alice asking the AS for Bob's public key, Alice asks Bob, who then responds with his public key signed by the AS. So the authentication server just becomes a certificate signing server rather than a distribution. Key revocation is probably made harder though.)
Also, the paper broke the (admittedly then unestablished) fundamental rule of writing about crypto, which is to refer to the parties Alice, Bob, Mallory, etc.
Posted by: Evan Driscoll | April 25, 2007 06:30 PM