
Verification of Security Protocols

## PowerPoint Slideshow about 'slides of day two.' - niveditha


Outline

- Day 2: Practice
- analysis of many flawed protocols...
- ...using the online demo

- Resources:
- The online tool, reachable at
- wwwes.cs.utwente.nl/24cqet

- The Clark-Jacob library
- http://citeseer.nj.nec.com/clark97survey.html
- www-users.cs.york.ac.uk/~jac/papers/drareviewps.ps

Security Protocols & the Attacks

- Otway-Rees
- Secrecy+type-flaw attack

- Kao-chow
- replay-attack

- Woo-Lam
- authentication+type flaw attack

- NSL (as bonus protocol)
- auth+type-flaw attack

Otway-Rees Protocol

1. A->B : [M,A,B,[Na,M,A,B]+Kas]

2. B->S : [M,A,B,[Na,M,A,B]+Kas], [Nb,M,A,B]+Kbs

3. S->B : [M, [Na,Kab]+Kas, [Nb,Kab]+Kbs]

4. B->A : [M,[Na,Kab]+Kas ]

- Aim: key distribution using a trusted server.
- Kab: short-term key.
- Could be guessed.

- Na and Nb serve as challenges.

Attack upon Otway-Rees

a.1 A->e(B) : [M,A,B,[Na,M,A,B]+Kas]

a.4 e(B)->A : [M,A,B,[Na,M,A,B]+Kas]

- Type flaw attack
- A takes [M,A,B] to be the key

- The intruder just replays the first message.
- It is an authentication flaw.
- It is also a secrecy flaw (the intruder knows the key, now).
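The type confusion described above can be reproduced with a small term matcher. This is an added example, not code from the slides or from the tool; the `KINDS` table, `Var`, and all atom names are constructed for illustration. It compares A's check of message 4 when the `Kab` slot accepts any term with the same check when the slot only accepts an atom tagged as a key.

```python
from dataclasses import dataclass

# Terms: atoms are str, pairs are 2-tuples, ciphertexts are ("enc", body, key).
# All atom names and the KINDS table are constructed for this illustration.
KINDS = {"kas": "key", "kab": "key", "na": "nonce", "m": "nonce",
         "a": "agent", "b": "agent"}

@dataclass(frozen=True)
class Var:
    name: str
    kind: str = "any"   # "any" binds to every term, otherwise only atoms of that kind

def lst(*xs):
    """Right-nested pairs as in the tool's traces: [m,a,b] -> (m,(a,b))."""
    return xs[0] if len(xs) == 1 else (xs[0], lst(*xs[1:]))

def enc(body, key):
    return ("enc", body, key)

def match(pattern, term, env):
    """Match a receive pattern against a ground term; return bindings or None."""
    if isinstance(pattern, Var):
        if pattern.name in env:
            return env if env[pattern.name] == term else None
        if pattern.kind != "any" and KINDS.get(term) != pattern.kind:
            return None  # typed slot: tuples and wrong-kind atoms are refused
        return {**env, pattern.name: term}
    if isinstance(pattern, tuple) and isinstance(term, tuple) and len(pattern) == len(term):
        for p, t in zip(pattern, term):
            env = match(p, t, env)
            if env is None:
                return None
        return env
    return env if pattern == term else None

def initiator_step4(reply, typed):
    """A's check of message 4, [M,[Na,Kab]+Kas]; Kab is untyped or typed as a key."""
    kab = Var("Kab", "key" if typed else "any")
    return match(lst("m", enc(lst("na", kab), "kas")), reply, {})

# Constructed messages: message 1 as A sent it, the replay built from it, an honest reply.
msg1 = lst("m", "a", "b", enc(lst("na", "m", "a", "b"), "kas"))
replayed = lst("m", msg1[1][1][1])   # reuses A's own ciphertext, as in the tool's trace
honest = lst("m", enc(lst("na", "kab"), "kas"))

if __name__ == "__main__":
    print(initiator_step4(replayed, typed=False))  # Kab bound to the pair (m,(a,b))
    print(initiator_step4(replayed, typed=True))
```

With the untyped slot the replayed ciphertext is accepted and `Kab` is bound to public data; with the typed slot the same message is refused while the honest reply still passes.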

Otway-Rees in the tool

initiator(A,B,Na,Nb,M,X,Kas,Kab,[

recv([A,B]), % for origination assumption

send([M,A,B,[Na,M,A,B]+Kas]),

recv([M,[Na,Kab]+Kas]),

send(X+Kab)]). % another way of checking secrecy

responder(A,B,Na,Nb,M,X,Kas,Kab,[ %NOT RELEVANT

recv([M,A,B,[Na,M,A,B]+Kas]),

send([[M,A,B,[Na,M,A,B]+Kas],

[Nb,M,A,B]+Kbs]),

recv([[M,Na,Kab]+Kas,

[Nb,Kab]+Kbs]),

send([M,[Na,Kab]+Kas]),

recv(X+Kab) ]).

Otway-Rees in the tool cont’d

secrecy(N,[recv(N)]).

server(A,B,Na,Nb,M,X,Kas,Kab,[

recv([[M,A,B,[Na,M,A,B]+Kas],

[Nb,[M,[A,B]]]+Kbs]),

send([[M,[Na,Kab]]+Kas,

[Nb,Kab]+Kbs])]).

And the secrecy check.

Scenario

We could not check secrecy the “usual” way because Kab is not instantiated anywhere (it is given by the server).

scenario([[sec1,St],[a,Sa1]]) :-

initiator(a,b,na,Nb,m,x,kas,Kab,Sa1),

secrecy(x, St).

initial_intruder_knowledge([a,b,e]).

has_to_finish([sec1]).

The Attack Output

Trace:

[a,recv([a,b])]

[a,send([m,[a,[b,[na,[m,[a,b]]] + kas]]])]

[a,recv([m,[na,[m,[a,b]]] + kas])]

[a,send(x + [m,[a,b]])]

[sec1,recv(x)]

Kao-Chow authentication Protocol

1. A->S : [A,B,Na]

2. S->B : [A,B,Na,Kab]+Kas,[A,B,Na,Kab]+Kbs

3. B->A : [A,B,Na,Kab]+Kas,[Na+Kab,Nb]

4. A->B : Nb+Kab

- Assumption: Kab is compromised

Attack upon Kao-Chow

a.1 A->S : [A,B,Na]

a.2 S->B : [A,B,Na,Kab]+Kas, [A,B,Na,Kab]+Kbs

a.3 B->A : [A,B,Na,Kab]+Kas,[Na+Kab,Nb]

a.4 A->B : Nb+Kab

b.2 e(S)->B : [A,B,Na,Kab]+Kas,[A,B,Na,Kab]+Kbs

b.3 B->e(A) : [A,B,Na,Kab]+Kas, [Na+Kab,Nb’]

b.4 e(A)->B : Nb’+Kab

How it works

- Two sessions.
- First a normal session is carried out.
- We assume the intruder “guesses” Kab.
- This is something we have to implement manually.

- In a second session, the intruder can impersonate both A and the server S.
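The two-session replay can be modelled from B's side to show why B accepts it: nothing inside `[A,B,Na,Kab]+Kbs` was chosen by B, so an old ticket looks the same as a new one. This is an added example, not code from the slides or the tool; the `Responder` class, the symbolic `enc`/`dec` helpers, and the `replay_cache` option (a hardening that is not part of the protocol) are assumptions made for illustration.

```python
# Symbolic model: enc(body, key) is an opaque tuple that only the key holder opens.
def enc(body, key):
    return ("enc", body, key)

def dec(ct, key):
    """Return the body if ct was encrypted under key, else None."""
    if isinstance(ct, tuple) and len(ct) == 3 and ct[0] == "enc" and ct[2] == key:
        return ct[1]
    return None

class Responder:
    """B in Kao-Chow. replay_cache=True is an added hardening, not part of the protocol."""
    def __init__(self, name, kbs, replay_cache=False):
        self.name, self.kbs = name, kbs
        self.seen = set() if replay_cache else None
        self.counter = 0

    def on_msg2(self, ticket_a, ticket_b):
        body = dec(ticket_b, self.kbs)                 # [A,B,Na,Kab]+Kbs
        if body is None or body[1] != self.name:
            return None
        a, _, na, kab = body
        if self.seen is not None:
            if (a, na) in self.seen:
                return None                            # same ticket offered again
            self.seen.add((a, na))
        self.counter += 1
        self.nb, self.kab = f"nb{self.counter}", kab
        return (ticket_a, (enc(na, kab), self.nb))     # message 3

    def on_msg4(self, msg4):
        return dec(msg4, self.kab) == self.nb          # Nb+Kab

def replay_old_session(b):
    """Session a runs honestly; session b replays message a.2 using a leaked Kab."""
    ticket_a = enc(("a", "b", "na", "kab"), "kas")     # constructed values
    ticket_b = enc(("a", "b", "na", "kab"), "kbs")
    m3 = b.on_msg2(ticket_a, ticket_b)
    first = b.on_msg4(enc(m3[1][1], "kab"))            # a.4 from the real A
    leaked_kab = "kab"                                 # the slide's assumption
    m3 = b.on_msg2(ticket_a, ticket_b)                 # b.2: verbatim replay
    second = m3 is not None and b.on_msg4(enc(m3[1][1], leaked_kab))
    return first, second
```

A replay cache only helps for as long as B keeps the state; binding a value B can check for freshness into the ticket removes that dependency.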

Kao-Chow in the tool

initiator(A,B,Na,Nb,Kas,Kab,Kbs,[

recv([A,B]), % for origination assumption

send([A,[B,Na]]),

recv([ [A,[B,[Na,Kab]]]+Kas,[ Na+Kab, Nb ]]),

send(Nb+Kab)

]).

responder(A,B,Na,Nb,M,Kab,Kbs,[

recv([M, ([A,[B,[Na,Kab]]]+Kbs)]), %M because he cannot decipher it

send([M, [ Na+Kab, Nb ]]),

recv(Nb+Kab),

send(Kab) % we model that the key kab was compromised...

]).

Scenario

scenario([[a1,Sa1],[a2,Sb1],[a3,Sb2],[s1,Ss1]]) :-

initiator(a,b,na,Nb,kas,Kab,Kbs,Sa1),

responder(a,b,Na1,nb1,M,Kab1,kbs,Sb1),

responder(a,b,Na2,nb2,M2,Kab2,kbs,Sb2),

server(a,b,Na3,kas,kab,kbs,Ss1).

initial_intruder_knowledge([a,b,e]).

has_to_finish([a2,a3]).

- Session consisting of: initiator, two responders, one server.
- Any larger session will do.
- If both responders can finish there is certainly an attack.

The Attack Output

Trace:

[a1,recv([a,b])]

[a1,send([a,[b,na]])]

[s1,recv([a,[b,na]])]

[s1,send([[a,[b,[na,kab]]] + kas,[a,[b,[na,kab]]] + kbs])]

[a2,recv([_h381,[a,[b,[na,kab]]] + kbs])] % a variable here

[a2,send([_h381,[na + kab,nb1]])]

[a1,recv([[a,[b,[na,kab]]] + kas,[na + kab,nb1]])]

[a1,send(nb1 + kab)]

[a2,recv(nb1 + kab)]

[a2,send(kab)]

[a3,recv([_h433,[a,[b,[na,kab]]] + kbs])]

[a3,send([_h433,[na + kab,nb2]])]

[a3,recv(nb2 + kab)]

[a3,send(kab)]

Woo-Lam Mutual Authentication Protocol

1. A->B : [A,Na]

2. B->A : [B,Nb]

3. A->B : [A,B,Na,Nb]+Kas

4. B->S : [A,B,Na,Nb]+Kas, [A,B,Na,Nb]+Kbs

5. S->B: [B,Na,Nb,Kab]+Kas,[A,Na,Nb,Kab]+Kbs

6. B->A: [B,Na,Nb,Kab]+Kas, [Na,Nb]+Kab

7. A->B: Nb+Kab

Attack upon Woo-Lam

a.1 e(A)->B : [A,B]

a.2 B->e(A) : [B,Nb]

a.3 e(A)->B : [A,B,B,Nb]+Kes

a.4 B->e(S) : [A,B,B,Nb]+Kes, [A,B,B,Nb]+Kbs

b.1 e(A)->B : [A,Nb]

b.2 B->e(A) : [B,Nb' ]

b.3 e(A)->B : [A,B,Nb,Nb' ]+Kes

b.4 B->e(S) : [A,B,Nb,Nb' ]+Kes,[A,B,Nb,Nb' ]+Kbs

a.5 e(S)->B: [B,B,Nb,Nb' ]+Kes,[A,B,Nb,Nb' ]+Kbs

a.6 B->e(A): [B,B,Nb,Nb' ]+Kes,[ B,Nb]+Nb'

a.7 e(A)->B: Nb+Nb'

Comments

- There is one complete session and one incomplete session.
- Which agents do we actually have to implement to find this attack?

Woo-Lam in the Tool

One responder will do:

responder(A,B,Na,Nb,Kab,Kas,Kbs,[

recv([A,B]), % for origination assumption

recv([A,Na]),

send([B,Nb]),

recv([A,[B,[Na,Nb]]]+Kas),

send([([A,[B,[Na,Nb]]]+Kas),

([A,[B,[Na,Nb]]]+Kbs) ]),

recv([([B,[Na,[Nb,Kab]]]+Kas),

([A,[Na,[Nb,Kab]]]+Kbs) ]),

send([([B,[Na,[Nb,Kab]]]+Kas),

([Na,Nb]+Kab) ]),

recv(Nb+Kab)

]).

Scenario

scenario([[b1,Sb1],[b2,Sb2]]) :-

responder(a,b,Na1,nb1,Kab1,Kas,kbs,Sb1),

responder(a,b,Na2,nb2,Kab2,Kas,kbs,Sb2).

initial_intruder_knowledge([a,b,e]).

has_to_finish([b1]).

The definition of the responder is sufficient, but we need two responders here.

If one of the two finishes, there is certainly an attack.

RULE: if a role can finish when no corresponding role is defined, we are certainly in the presence of an authentication problem.

The Attack Output (after 30s!)

Trace:

[b1,recv([a,b])]

[b1,recv([a,b])]

[b1,send([b,nb1])]

[b1,recv([a,[b,[b,nb1]]] + _h97)]

[b1,send([[a,[b,[b,nb1]]] + _h97,[a,[b,[b,nb1]]] + kbs])]

[b2,recv([a,b])]

[b2,recv([a,nb1])]

[b2,send([b,nb2])]

[b2,recv([a,[b,[nb1,nb2]]] + _h97)]

[b2,send([[a,[b,[nb1,nb2]]] + _h97,[a,[b,[nb1,nb2]]] + kbs])]

[b1,recv([[b,[b,[nb1,nb2]]] + _h97,[a,[b,[nb1,nb2]]] + kbs])]

[b1,send([[b,[b,[nb1,nb2]]] + _h97,[b,nb1] + nb2])]

[b1,recv(nb1 + nb2)]

Exercises

- Explain the attack in the Woo-Lam protocol.
- Say why it is a type flaw attack.
- Implement and find the flaw of the Needham-Schroeder with Conventional keys (see Clark-Jacob Survey).
- Implement and find the flaw of the Yahalom protocol (see Clark-Jacob Survey).
- Write a small article on how to find security bugs in protocols using the COProVe tool.

Extra: Needham-Schroeder-Lowe Protocol

1. A->B : [A,Na]*pk(B)

2. B->A : [Na,Nb,B]*pk(A)

3. A->B : Nb*pk(B)

Corrected version of the other one.

Still contains an (unrealistic) flaw.

Attack upon NSL

a.1' e(A)->B : [A,e]*pk(B)

a.2 B->e(A) : [e,Nb,B]*pk(A)

b.1 e->A : [e, [Nb,B] ]*pk(A)

b.2 A->e: [[Nb,B], Na' ,A] *pk(e)

Message a.2 is passed as b.1.

Notice that a.2 has three fields, while b.1 has two.

It is a type flaw attack.

Rather unrealistic.

NSL in the tool

initiator(A,B,Na,Nb,[

recv([A,B]), % for origination assumption

send([A,Na]*pk(B)),

recv([Na,[Nb,B]]*pk(A)),

send(Nb*pk(B))

]).

responder(A,B,Na,Nb,[

recv([A,Na]*pk(B)),

send([Na,[Nb,B]]*pk(A)),

recv(Nb*pk(B))

]).

secrecy(N,[recv(N)]).

Scenario

scenario([[a1,Sa],[a2,Sb],[a3,Sa2],[b1,Sb2],[sec1,St]]):-

initiator(a,b,na,Nb,Sa),

responder(a,b,Na,nb,Sb),

initiator(A1,B1,na2,Nb2,Sa2),

responder(A2,B2,Na2,nb2,Sb2),

secrecy(nb,St).

initial_intruder_knowledge([a,b,e]).

has_to_finish([sec1]).

NSL output

Trace:

[a1,recv([a,b])]

[a1,send([a,na] * pk(b))]

[a2,recv([a,e] * pk(b))]

[a2,send([e,[nb,b]] * pk(a))]

[a3,recv([_h414,e])]

[a3,send([_h414,na2] * pk(e))]

[a3,recv([na2,[_h416,e]] * pk(_h414))]

[a3,send(_h416 * pk(e))]

[b1,recv([e,[nb,b]] * pk(a))]

[b1,send([[nb,b],[nb2,a]] * pk(e))]

[a2,recv(nb * pk(b))]

[b1,recv(nb2 * pk(a))]

[sec1,recv(nb)]
