
Prudent Engineering Practice for Cryptographic Protocols

Prudent Engineering Practice for Cryptographic Protocols. By Martin Abadi and Roger Needham Presented by Jay Gyuricza. Overview. Authors’ Abstract Definitions The Principles Conclusion. Authors’ Abstract. Goal of paper is to present principles for designing cryptographic protocols


Presentation Transcript


  1. Prudent Engineering Practice for Cryptographic Protocols By Martin Abadi and Roger Needham Presented by Jay Gyuricza

  2. Overview • Authors’ Abstract • Definitions • The Principles • Conclusion

  3. Authors’ Abstract • Goal of paper is to present principles for designing cryptographic protocols • These principles are neither necessary nor sufficient • Adherence to them would have prevented a number of published errors

  4. Definitions • A, B, C : Arbitrary principals • S : Server • T : Timestamp • N : Nonce - Something generated for the purpose of being recent; an identifier used only once

  5. Principle 1 • Every message should say what it means. • “A should sign message M and then send B a session key K” • Necessary to explicitly say what should happen without any context

  6. Principle 2 • Conditions for a message to be acted upon should be clearly set out so that someone reviewing the design may see whether they are acceptable or not. • These conditions are called statements of trust

  7. Principle 3 • If the identity of a principal is essential to the meaning of a message, mention the principal’s name explicitly in the message.

  8. Denning and Sacco • Msg 1 A → S: A, B • Msg 2 S → A: CA, CB • Msg 3 A → B: CA, CB, {{Kab, Ta}Ka⁻¹}Kb

  9. Denning and Sacco • Three purposes of the protocol • No other principal should obtain Kab • B should know that A sent it • B should know that the message was intended for B

  10. Denning and Sacco • Msg 1 B → S: A, C • Msg 2 S → B: CA, CC • Msg 3 B → C: CA, CC, {{Kab, Ta}Ka⁻¹}Kc • Msg 3’ A → B: CA, CB, {{A, B, Kab, Ta}Ka⁻¹}Kb

  11. Principle 4 • Be clear about why encryption is being done • Encryption is expensive • Improper use can lead to errors

  12. Principle 5 • When a principal signs encrypted material, the principal may not know the content of the message • When a principal signs a message, then encrypts it, the principal knows the content

  13. CCITT X.509 Standard • Msg 1 A → B: A, {Ta, Na, B, Xa, {Ya}Kb}Ka⁻¹ • Protocol intended to ensure the integrity of Xa and Ya • Sender may not know data sent in the private part of the message • Problem can be avoided by signing the secret data before it is encrypted

  14. Principle 6 • Be clear about what properties nonces have • A nonce is best used to ensure a message is fresh • Be careful when using them to ensure association • Instead, look for another way to ensure association

  15. Woo and Lam • Msg 1 A → B: A • Msg 2 B → A: Nb • Msg 3 A → B: {Nb}Kas • Msg 4 B → S: {A, {Nb}Kas}Kbs • Msg 5 S → B: {Nb}Kbs

  16. Woo and Lam • Msg 1 A → B: A • Msg 2 B → A: Nb • Msg 3 A → B: {Nb}Kas • Msg 4 B → S: A, B, {Nb}Kas • Msg 5 S → B: {A, Nb}Kbs

  17. Principle 7 • A predictable quantity can serve in guaranteeing newness, but it should be protected so that an intruder cannot simulate it.

  18. Principle 8 • If timestamps are used as freshness guarantees, then the difference between local clocks at various machines must be less than the allowable age of a message to be deemed valid.

  19. Principle 9 • Recent use does not make a key fresh

  20. Varadharajan, Allen, Black • Msg 5 S → B: S, B, {Tb+1}Kbs, {Kbs}Kbt • Authors claim that since S replies to a fresh message, Kbs must be fresh • B obtains no proof that Kbs is fresh, only that Kbs has been used recently

  21. Principle 10 • When an encoding is protocol dependent, it should be possible to deduce the message’s protocol, particular run, and its number in the protocol • Trivial if you follow the other principles

  22. Principle 11 • A protocol designer should know which trust relations the protocol depends on, and why the dependence is necessary

  23. Conclusion • Every message should say what it means • The conditions for a message to be acted upon should be clearly set out so that someone can review the design to see if they are acceptable or not

  24. Questions?
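
The replay on slides 8 to 10 and the fix that Principle 3 calls for, as an added example (not from the paper or the presentation): a symbolic model in Python with no real cryptography. The class and function names are assumptions, and the freshness of Ta is not checked.

```python
from dataclasses import dataclass

# Symbolic (Dolev-Yao style) model: terms are opaque unless the holder has
# the matching private key. All names below are assumptions for illustration.

@dataclass(frozen=True)
class Signed:        # {body}Ka⁻¹: anyone can read it, only `signer` can create it
    signer: str
    body: tuple

@dataclass(frozen=True)
class Encrypted:     # {inner}Kb: only `recipient` can open it
    recipient: str
    inner: Signed

def send_key(sender, recipient, kab, ta, named):
    """Build Msg 3 (named=False) or Msg 3' (named=True) from slides 8 and 10."""
    body = (sender, recipient, kab, ta) if named else (kab, ta)
    return Encrypted(recipient, Signed(sender, body))

def open_as(me, msg):
    """Decrypt with my private key; fails for anyone but the recipient."""
    if msg.recipient != me:
        raise PermissionError(f"{me} cannot decrypt a message for {msg.recipient}")
    return msg.inner

def accept(me, claimed_sender, msg, named):
    """Receiver's check: return the key if claimed_sender meant it for me."""
    signed = open_as(me, msg)
    if signed.signer != claimed_sender:
        return None
    if named:
        a, b, kab, _ta = signed.body
        if (a, b) != (claimed_sender, me):   # Principle 3: names are checked
            return None
        return kab
    kab, _ta = signed.body                   # nothing says who it was for
    return kab

def replay_by_b(named):
    """B opens A's message and re-encrypts the signed part for C (slide 10)."""
    from_a = send_key("A", "B", "Kab", "Ta", named)
    signed = open_as("B", from_a)            # legitimate decryption by B
    forged = Encrypted("C", signed)          # needs only C's public key
    return accept("C", "A", forged, named)

if __name__ == "__main__":
    print("Msg 3  (no names):", replay_by_b(named=False))  # C accepts Kab
    print("Msg 3' (names)   :", replay_by_b(named=True))   # C rejects
```
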
