CSCE 813 Internet Security Cryptographic Protocol Analysis.


Transcript of CSCE 813 Internet Security Cryptographic Protocol Analysis.

Page 1: CSCE 813 Internet Security Cryptographic Protocol Analysis.

CSCE 813 Internet Security

Cryptographic Protocol Analysis

Page 2: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Internet Security - Farkas 2

Reading Assignment

Reading: P.Y.A. Ryan, S.A. Schneider, M.H. Goldsmith, G. Lowe and A.W. Roscoe, The Modelling and Analysis of Security Protocols: the CSP Approach, Section 0. Introduction, pages: 1 – 37, and section 0.8
http://www.computing.surrey.ac.uk/personal/st/S.Schneider/books/MASP.pdf

Page 3: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Protocol

Sequence of interactions between entities to achieve a certain end

Types of protocols:
– Diplomatic
– Communication
– Graduation
– Security
– Etc.

Page 4: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Security Protocols

Cryptographic protocols
Services: secrecy, integrity, authentication, key exchange, non-repudiation, etc.
Components: communicating parties (nodes), trusted third party, encryption algorithms, hash functions, timestamps, nonce, insecure communication channel, etc.

Page 5: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Security Analysis

Protocol analysis
Cryptanalysis

Performed independently
Disjoint communities

Page 6: CSCE 813 Internet Security Cryptographic Protocol Analysis.

What is Protocol Analysis

Cryptographic Protocols
Attackers’ capabilities
Security?
– Hostile environment
Vulnerabilities
– Weakness of cryptography
– Incorrect specifications

Page 7: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Emerging Properties of Protocols

Greater interoperation
Negotiation of policy
Greater complexity
Group-oriented protocols
Emerging security threats

Page 8: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Attackers’ Capabilities

Read traffic
Modify traffic
Delete traffic
Perform cryptographic operations
Control over network principals

Page 9: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Attacks

Known attacks
– Can be picked up by careful inspection
Nonintuitive attacks
– Not easily apparent
– May not depend on flaws or weaknesses of cryptographic algs.
– Use variety of methods, e.g., statistical analysis, subtle properties of crypto algs., etc.

Page 10: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Type of Known Attacks

Man-in-the-middle (see attack against Diffie-Hellman key exchange)
Reflection: bounces back a message at the agent to trick the originator to reveal correct response (symmetry of situation)
Oracle: trick an honest agent to reveal a secret (exploits steps of the protocol)
Replay: replay part of previous protocol steps
Interleave: attacker contrives for 2 or more runs of the protocol to overlap (see following example)

Page 11: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Example: Needham-Schroeder

Famous simple example (page 30-31)
– Protocol published and known for 10 years
– Gavin Lowe discovered unintended property while preparing formal analysis using FDR system
Subsequently rediscovered by every analysis method

From: J. Mitchell

Page 12: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Needham-Schroeder Crypto

Nonces
– Fresh, Random numbers
Public-key cryptography
– Every agent A has
  Public encryption key Ka
  Private decryption key Ka^-1
– Main properties
  Everyone can encrypt message to A
  Only A can decrypt these messages

From: J. Mitchell

Page 13: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Needham-Schroeder Key Exchange

A -> B: { A, NonceA }Kb
B -> A: { NonceA, NonceB }Ka
A -> B: { NonceB }Kb

On execution of the protocol, A and B are guaranteed mutual authentication and secrecy.

From: J. Mitchell

Page 14: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Needham Schroeder properties

Responder correctly authenticated
– When initiator A completes the protocol apparently with Honest responder B, it must be that B thinks he ran the protocol with A
Initiator correctly authenticated
– When responder B completes the protocol apparently with Honest initiator A, it must be that A thinks she ran the protocol with B
Initiator Nonce secrecy
– When honest initiator completes the protocol with honest peer, intruder does not know initiator's nonce.

From: J. Mitchell

Page 15: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Anomaly in Needham-Schroeder

A -> E: { A, NA }Ke
E -> B: { A, NA }Kb
B -> E: { NA, NB }Ka
E -> A: { NA, NB }Ka
A -> E: { NB }Ke

Evil agent E tricks honest A into revealing private key NB from B

Evil E can then fool B

[Lowe]

From: J. Mitchell
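The interleaving above, replayed symbolically and checked against the authentication and secrecy properties from the previous slide. This is an added example, not code from the slides: encryption is a Dolev-Yao style black box, `enc`, `dec` and `run` are hypothetical names, and the `fixed=True` variant (responder's name added to message 2) is Lowe's published repair, which the slides do not show.

```python
# Added example: symbolic replay of the two interleaved runs (A with E, "A" with B).
# A ciphertext is ("enc", key_owner, payload); only key_owner can open it.

def enc(owner, *payload):
    return ("enc", owner, payload)

def dec(owner, msg):
    _, key_owner, payload = msg
    if key_owner != owner:
        raise PermissionError(f"{owner} does not hold the private key for K{key_owner.lower()}")
    return payload

def run(fixed=False):
    """Replay the slide's trace. fixed=True adds the responder's name to message 2."""
    intruder = {"A", "B", "E"}                 # E starts with public names only
    result = {"A_aborts": False, "B_fooled": False}
    # Run 1, msg 1: A deliberately opens a session with E.
    _, na = dec("E", enc("E", "A", "NA"))
    intruder.add(na)
    # Run 2, msg 1: E re-encrypts the same payload for B, so B sees initiator "A".
    claimed, na_at_b = dec("B", enc("B", "A", na))
    # Run 2, msg 2: B answers the claimed initiator under Ka.
    m2 = enc("A", na_at_b, "NB", "B") if fixed else enc("A", na_at_b, "NB")
    try:                                        # E cannot read m2, only forward it
        dec("E", m2)
        result["E_read_msg2"] = True
    except PermissionError:
        result["E_read_msg2"] = False
    fields = dec("A", m2)                       # A receives m2 inside run 1
    # A checks her nonce; with the fix she also checks the sender is her peer E.
    if fields[0] != "NA" or (fixed and fields[2] != "E"):
        result["A_aborts"] = True
    else:
        # Run 1, msg 3: A returns NB under Ke, which discloses it to E.
        (nb,) = dec("E", enc("E", fields[1]))
        intruder.add(nb)
        # Run 2, msg 3: E finishes B's run while B believes the peer is A.
        (got,) = dec("B", enc("B", nb))
        result["B_fooled"] = (got == "NB" and claimed == "A")
    result["intruder_knows_NB"] = "NB" in intruder
    return result

if __name__ == "__main__":
    print("original:", run())
    print("with responder name in msg 2:", run(fixed=True))
```

In the original run B completes "with A" although A only ever ran the protocol with E, so the initiator-authentication property fails without any weakness in the cipher itself.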

Page 16: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Requirements and Properties

Authentication
– Authentication, Secrecy
Trading
– Fairness
Special applications (e.g., voting)
– Anonymity and Accountability
Forward secrecy

Page 17: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Forward Secrecy

Compromised key: permits the disclosure of the data encrypted by the compromised key.

No additional keys can be generated from the compromised key.

Perfect Forward Secrecy: compromise of a single key will permit access to only data protected by a single key

Page 18: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Formal Methods

Combination of a mathematical or logical model of a system and its requirements and

Effective procedures for determining whether a proof that a system satisfies its requirements is correct.

Can be automated!

Page 19: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Security Analysis

Understand system requirements
Model
– System
– Attacker
Evaluate security properties
– Under normal operation (no attacker)
– In the presence of attacker
Security results: under given assumptions about system and about the capabilities of the attackers.

Page 20: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Explicit intruder model

[Diagram with boxes: Informal Protocol Description, Formal Protocol, Intruder Model, Analysis Tool, Find error]

From: J. Mitchell

Page 21: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Protocol Analysis Spectrum

[Figure: analysis methods and tools placed on two axes, protocol complexity (low to high) and sophistication of attacks (low to high). Labels in the figure: Murφ, FDR, NRL, Athena, Hand proofs, Paulson, Bolignano, BAN logic, Spi-calculus, Poly-time calculus, Model checking, Symbolic methods (MSR), Protocol logic.]

From: J. Mitchell

Page 22: CSCE 813 Internet Security Cryptographic Protocol Analysis.

First Analysis Method

Dolev-Yao
Set of polynomial-time algorithms for deciding security of a restricted class of protocols
First to develop formal model of environment in which
– Multiple executions of the protocol can be running concurrently
– Cryptographic algorithms considered as “black boxes”
– Includes intruder’s model
Tools based on Dolev-Yao
– NRL protocol analyzer
– Longley-Rigby tool

Page 23: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Intruder’s Behaviour

Kill a message
Sniff a message
Intercept the message
Re-route a message
Delay the delivery of the message
Reorder the messages
Replay the messages
Fake a message
Use encryption/decryption algorithms

Page 24: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Model checking

Two components
– Finite state system
– Specification of properties
Exhaustive search of the state space to determine security
– Check whether all possible behaviors are permitted

Page 25: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Theorem Prover

Theorems: properties of protocols
Prove or check proofs automatically
Could find flaws not detected by manual analysis
Do not give counterexamples like the model checkers

Page 26: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Logic

Burrows, Abadi, and Needham (BAN) logic
Logic of belief
Set of modal operators: describing the relationship of principal to data
Set of possible beliefs
Inference rules
Seems to be promising but weaker than state exploration tools and theorem proving (higher level abstraction)

Page 27: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Limitations of Formal Analysis

Mathematical models are approximations to reality
Hard to predict the intruder’s capabilities
Complexity

Page 28: CSCE 813 Internet Security Cryptographic Protocol Analysis.

Evaluating a New Security Protocol

Establish
– how the protocol works
– what security properties it is intended to provide
– which threats have been considered
Find obvious flaws
Use formal methods to evaluate the protocol

Page 29: CSCE 813 Internet Security Cryptographic Protocol Analysis.

NEXT CLASS

NETWORK ACCESS LAYER SECURITY