1 / 37

Security Analysis of Network Protocols

CS 259. Security Analysis of Network Protocols . Prof.John Mitchell Mukund Sundararajan (CA). http://www.stanford.edu/class/cs259/. Course Staff. Prof. John Mitchell Out of Town, Back Thursday Mukund Sundararajan (CA) John for a day Your CA otherwise mukunds@stanford.edu

jacob
Download Presentation

Security Analysis of Network Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS 259 Security Analysis of Network Protocols Prof.John Mitchell Mukund Sundararajan (CA) http://www.stanford.edu/class/cs259/

  2. Course Staff • Prof. John Mitchell • Out of Town, Back Thursday • Mukund Sundararajan (CA) • John for a day • Your CA otherwise • mukunds@stanford.edu • Phone: (650)725-3110  • http://www.stanford.edu/class/cs259/

  3. Course organization • Lectures • Tues, Thurs for approx first six weeks of quarter • Project presentations in 3 stages • This is a project course • There may be one or two short homeworks • Most of your work will be project and presentation • Typically done in teams Please enroll!

  4. SCPD Students • Everything you need is on the class website • You need to be able to access the /usr/class/cs259 directory • Project presentations • If you are in town, come and present • If you are elsewhere, we will try and work something out • Project report • Recorded video • On the Phone

  5. Today • Basics of formal analysis of security protocols • What is protocol analysis? • Needham Schroeder and the Murj model checker • CS259 Website • Tools • Past Projects, Project Suggestions • HW#1 out today, due 24th Jan

  6. Protocol / System Properties • Network Authentiction and privacy • Authentication, Secrecy • E.g. Kerberos, SSL, WEP • E- Commerce • Fair exchange • Voting • Anonymity with Accountability • Policy Specifications • Privacy , Access Control • Adherence to policy

  7. Characteristics of Security • Program or System Correctness • Program satisfies specification • For reasonable input, get reasonable output • Program or System Security • Program properties preserved in face of attack • For unreasonable input, output not completely disastrous • Main differences • Active interference from adversary • Distributed nature of programs

  8. Cryptographic Protocols • Two or more parties • Communication over insecure network • Cryptography used to achieve goal • Exchange secret keys • Verify identity (authentication) Class poll: Public-key encryption, symmetric-key encryption, CBC, hash, signature, key generation, random-number generators

  9. Factoring Computer Security • Cryptography (CS 255) • Encryption, signatures, cryptographic hash, … • Security mechanisms (CS 259) • Access control policy • Network protocols • Implementation (CS 155) • Cryptographic library • Code implementing mechanisms • Reference monitor and TCB • Protocol • Runs under OS, uses program library, network protocol stack Analyze protocols, assuming crypto, implementation, OS correct

  10. Security Analysis • Model system • Model adversary • Identify security properties • See if properties preserved under attack • Result • No “absolute security” • Security means: under given assumptions about system, no attack of a certain form will destroy specified properties.

  11. Important Modeling Decisions • How powerful is the adversary? • Simple replay of previous messages • Block messages; Decompose, reassemble and resend • Statistical analysis, partial info from network traffic • Timing attacks • How much detail in underlying data types? • Plaintext, ciphertext and keys • atomic data or bit sequences • Encryption and hash functions • “perfect” cryptography • algebraic properties: encr(x*y) = encr(x) * encr(y) for RSA encrypt(k,msg) = msgk mod N

  12. Protocol Attacks • Kerberos [Scederov et. Al.] • Public key version - lack of identity in message causes authentication failure • WLAN 802.11i [He , Mitchell] • Lack of authentication in msg causes dos vulnerability • Proved correct using PCL [ Datta , Derek, Sundararajan] • GDOI [meadows – Pavlovic] • Authorization failure • SSL [Mitchell – Shmatikov] • Version roll-back attack, authenticator confusion between main and resumption protocol • Needham-Schroeder [Lowe] • We saw this today; more in the homework

  13. Other approaches • Exhaustive finite-state analysis • FDR, based on CSP [Lowe, Roscoe, Schneider, …] • Search using symbolic representation of states • Meadows: NRL Analyzer, Millen: Interrogator • Prove protocol correct • PCL by Datta-Derek-Mitchell- Pavlovic • Paulson’s “Inductive method”, others in HOL, PVS, … • MITRE -- Strand spaces • Process calculus approach: Abadi-Gordon spi-calculus, applied pi-calculus, … • Type-checking method: Gordon and Jeffreys, … Many more – this is just a small sample

  14. Explicit intruder model Informal Protocol Description Formal Protocol Intruder Model Analysis Tool Find error

  15. Example: Needham-Schroeder • Famous simple example • Protocol published and known for 10 years • Gavin Lowe discovered unintended property while preparing formal analysis using FDR system • Subsequently rediscovered by every analysis method • Today is our turn!

  16. Needham-Schroeder Crypto • Nonces • Fresh, Random numbers • Public-key cryptography • Every agent A has • Public encryption key Ka • Private decryption key Ka-1 • Main properties • Everyone can encrypt message to A • Only A can decrypt these messages

  17. Needham-Schroeder Key Exchange {A, NonceA} {NonceA, NonceB } { NonceB} Kb A B Ka Kb On execution of the protocol, A and B are guaranteed mutual authentication and secrecy.

  18. Needham Schroeder properties • Responder correctly authenticated • When initiator A completes the protocol apparently with Honest responder B, it must be that B thinks he ran the protocol with A • Initiator correctly authenticated • When responder B completes the protocol apparently with Honest initiator A, it must be that A thinks she ran the protocol with B • Initiator Nonce secrecy • When honest initiator completes the protocol with honest peer, intruder does not know initiators nonce.

  19. [Lowe] Anomaly in Needham-Schroeder { A, NA } Ke A E { NA, NB } Ka { NB } Ke { A, NA } { NA, NB } Evil agent E tricks honest A into revealing private key NB from B Kb Ka B Evil E can then fool B

  20. Murj [Dill et al.] • Describe finite-state system • State variables with initial values • Transition rules • Communication by shared variables • Scalable: choose system size parameters • Automatic exhaustive state enumeration • Space limit: hash table to avoid repeating states • Research and industrial protocol verification

  21. Limitations of Finite State Methods • Two sources of infinite behavior • Many instances of participants, multiple runs • Message space or data space may be infinite • Finite approximation • Assume finite participants • Example: 2 clients, 2 servers • Assume finite message space • Represent random numbers by r1, r2, r3, … • Do not allow encrypt(encrypt(encrypt(…)))

  22. Applying Murj to security protocols • Formulate protocol • Model initiator, responder state machines • Model n/w as a shared variable • Model properties using invariants • Add adversary • Control over “network” • Possible actions • Intercept any message • Remember parts of messages • Generate new messages, using observed data and initial knowledge (e.g. public keys)

  23. Modeling Message Structure, N/W Message : record source: AgentId; --source of message dest: AgentId; --intended destination of msg key: AgentId; --key used for encryption mType: MessageType; --type of message nonce1: AgentId; --nonce1 nonce2: AgentId; --nonce2 OR sender id OR empty end; var net: multiset[NetworkSize] of Message; -- state variable for for n/w

  24. Modeling Protocol Actions (3) ruleset i: InitiatorId do ruleset j: AgentId do rule 20 "initiator starts protocol (step 3)" ini[i].state = I_SLEEP & multisetcount (l:net, true) < NetworkSize ==> var outM: Message; -- outgoing message begin undefine outM; outM.source := i; outM.dest := j; outM.key := j; outM.mType := M_NonceAddress; outM.nonce1 := i; outM.nonce2 := i; multisetadd (outM,net); ini[i].state :=I_WAIT; ini[i].responder := j; end; end;end;

  25. Modeling Properties invariant "responder correctly authenticated" forall i: InitiatorId do ini[i].state = I_COMMIT & ismember(ini[i].responder, ResponderId) -> res[ini[i].responder].initiator = i & ( res[ini[i].responder].state = R_WAIT | res[ini[i].responder].state = R_COMMIT ) end;

  26. Adversary Model • Formalize “knowledge” • initial data • observed message fields • results of simple computations • Optimization • only generate messages that others read • time-consuming to hand simplify • Possibility: automatic generation

  27. Modeling the attacker (3) -- intruder i sends recorded message ruleset i: IntruderId do --arbitrary choice of choose j: int[i].messages do --recorded message ruleset k: AgentId do --destination rule "intruder sends recorded message" !ismember(k, IntruderId) & --not to intruders multisetcount (l:net, true) < NetworkSize ==> var outM: Message; begin outM := int[i].messages[j]; outM.source := i; outM.dest := k; multisetadd (outM,net); end; end; end; end;

  28. Needham-Schroeder in Murj(1) const NumInitiators: 1; -- number of initiators NumResponders: 1; -- number of responders NumIntruders: 1; -- number of intruders NetworkSize: 1; -- max. outstanding msgs in network MaxKnowledge: 10; -- number msgs intruder can remember type InitiatorId: scalarset (NumInitiators); ResponderId: scalarset (NumResponders); IntruderId: scalarset (NumIntruders); AgentId: union {InitiatorId, ResponderId, IntruderId};

  29. Run of Needham-Schroeder • Find error after 1.7 seconds exploration • Output: trace leading to error state • Murj times after correcting error:

  30. Homework #1 • Investigate the NS flaw and the fixed Needham Schroeder Lowe protocol • Investigate conditions under which attack succeeds: adversary power, initiator behavior and crypto • Due 24th • Find a partner by the end of the week • If you can’t, then tell us • SCPD students, same guidelines

  31. Limitations • System size with current methods • 2-6 participants Kerberos: 2 clients, 2 servers, 1 KDC, 1 TGS • 3-6 steps in protocol • May need to optimize adversary • Adversary model • Cannot model randomized attack • Do not model adversary running time

  32. State Reduction on N-S Protocol

  33. Security Protocols in Mur • Standard “benchmark” protocols • Needham-Schroeder, TMN, … • Kerberos • Study of Secure Sockets Layer (SSL) • Versions 2.0 and 3.0 of handshake protocol • Include protocol resumption • Tool optimization • Additional protocols • Contract-signing • Wireless networking … ADD YOUR PROJECT HERE …

  34. Plan for this course • Protocols • Authentication, key establishment, assembling protocols together (TLS ?), fairness exchange, … • Tools • Finite-state and probabilistic model checking, constraint-solving, process calculus, temporal logic, proof systems, game theoretic methods, polynomial time … • Projects • Choose aprotocol or other security mechanism • Choose a tool or method and carry out analysis • Hard part: formulating security requirements

  35. Tools (CS259 web site) • Tools • Murphi  • Finite-state tool developed by David Dill’s group at Stanford • PRISM • Probabilistic model checker, University of Birmingham • MOCHA • Alur and Henzinger; now consortium • Constraint solver using prolog • Shmatikov and Millen • Isabelle • Theorem prover developed by Larry Paulson in Cambridge, UK • A number of case studies available on line • PCL • Logic for Security Protocols developed at Stanford

  36. Project Ideas (CS259 web site) • Wireless networking protocols • DoS issues • VoIP • Privacy , authentication, DoS issues, Billing fraud • SIP, H.323, Skype etc. • Password based authentication protocols • For TLS and in other settings • Privacy Policies • HIPAA • Fair exchange protocols, voting protocols • Browse 2004 projects • Browse Vitaly Shmatikov’s courses • Any system you find cool!

  37. Hope you enjoy the course • John will lecture for a few weeks to get started • Case studies are the best way to learn this topic • Sections will deal with tools • For the first month or so • Choose a project that interests you !!! • If you have another idea, come talk with us • Can build or extend a tool, or paper study if you prefer

More Related