Verification of Security Protocols

Sandro Etalle



Outline

  • Day 2: Practice

    • analysis of many flawed protocols...

    • ...using the online demo

  • Resources:

    • The online tool, reachable at wwwes.cs.utwente.nl/24cqet

  • The Clark-Jacob library

    • http://citeseer.nj.nec.com/clark97survey.html

    • www-users.cs.york.ac.uk/~jac/papers/drareviewps.ps


Security Protocols & the Attacks

  • Otway-Rees

    • Secrecy+type-flaw attack

  • Kao-Chow

    • replay attack

  • Woo-Lam

    • authentication+type flaw attack

  • NSL (as bonus protocol)

    • auth+type-flaw attack


Otway-Rees Protocol

1. A->B : [M,A,B,[Na,M,A,B]+Kas]

2. B->S : [M,A,B,[Na,M,A,B]+Kas], [Nb,M,A,B]+Kbs

3. S->B : [M, [Na,Kab]+Kas, [Nb,Kab]+Kbs]

4. B->A : [M,[Na,Kab]+Kas ]

  • Aim: key distribution using a trusted server.

  • Kab: short-term key.

    • Could be guessed.

  • Na and Nb serve as challenges.


Attack upon Otway-Rees

a.1 A->e(B) : [M,A,B,[Na,M,A,B]+Kas]

a.4 e(B)->A : [M,A,B,[Na,M,A,B]+Kas]

  • Type flaw attack

    • A takes [M,A,B] to be the key

  • The intruder just replays the first message.

  • It is an authentication flaw.

  • It is also a secrecy flaw (the intruder knows the key, now).


Otway-Rees in the tool

initiator(A,B,Na,Nb,M,X,Kas,Kab,[

recv([A,B]), % for origination assumption

send([M,A,B,[Na,M,A,B]+Kas]),

recv([M,[Na,Kab]+Kas]),

send(X+Kab)]). % another way of checking secrecy

responder(A,B,Na,Nb,M,X,Kas,Kab,[ %NOT RELEVANT

recv([M,A,B,[Na,M,A,B]+Kas]),

send([[M,A,B,[Na,M,A,B]+Kas],

[Nb,M,A,B]+Kbs]),

recv([[M,Na,Kab]+Kas,

[Nb,Kab]+Kbs]),

send([M,[Na,Kab]+Kas]),

recv(X+Kab) ]).


Otway-Rees in the tool cont’d

secrecy(N,[recv(N)]).

server(A,B,Na,Nb,M,X,Kas,Kab,[

recv([[M,A,B,[Na,M,A,B]+Kas],

[Nb,[M,[A,B]]]+Kbs]),

send([[M,[Na,Kab]]+Kas,

[Nb,Kab]+Kbs])]).


Scenario

One initiator is enough.

And the secrecy check.

We could not check secrecy the “usual” way because Kab is not instantiated anywhere (it is given by the server).

scenario([[sec1,St],[a,Sa1]]) :-

initiator(a,b,na,Nb,m,x,kas,Kab,Sa1),

secrecy(x, St).

initial_intruder_knowledge([a,b,e]).

has_to_finish([sec1]).



The Attack Output

Trace:

[a,recv([a,b])]

[a,send([m,[a,[b,[na,[m,[a,b]]] + kas]]])]

[a,recv([m,[na,[m,[a,b]]] + kas])]

[a,send(x + [m,[a,b]])]

[sec1,recv(x)]


Kao-Chow Authentication Protocol

1. A->S : [A,B,Na]

2. S->B : [A,B,Na,Kab]+Kas,[A,B,Na,Kab]+Kbs

3. B->A : [A,B,Na,Kab]+Kas,[Na+Kab,Nb]

4. A->B : Nb+Kab

  • Assumption: Kab is compromised


Attack upon Kao-Chow

a.1 A->S : [A,B,Na]

a.2 S->B : [A,B,Na,Kab]+Kas, [A,B,Na,Kab]+Kbs

a.3 B->A : [A,B,Na,Kab]+Kas,[Na+Kab,Nb]

a.4 A->B : Nb+Kab

b.2 e(S)->B : [A,B,Na,Kab]+Kas,[A,B,Na,Kab]+Kbs

b.3 B->e(A) : [A,B,Na,Kab]+Kas, [Na+Kab,Nb’]

b.4 e(A)->B : Nb’+Kab


How it works

  • Two sessions.

  • First a normal session is carried out.

  • We assume the intruder “guesses” Kab.

    • This is something we have to implement manually.

  • In a second session, the intruder can impersonate both A and the server S.


Kao-Chow in the tool

initiator(A,B,Na,Nb,Kas,Kab,Kbs,[

recv([A,B]), % for origination assumption

send([A,[B,Na]]),

recv([ [A,[B,[Na,Kab]]]+Kas,[ Na+Kab, Nb ]]),

send(Nb+Kab)

]).

responder(A,B,Na,Nb,M,Kab,Kbs,[

recv([M, ([A,[B,[Na,Kab]]]+Kbs)]), %M because he cannot decipher it

send([M, [ Na+Kab, Nb ]]),

recv(Nb+Kab),

send(Kab) % we model that the key kab was compromised...

]).


Scenario

scenario([[a1,Sa1],[a2,Sb1],[a3,Sb2],[s1,Ss1]]) :-

initiator(a,b,na,Nb,kas,Kab,Kbs,Sa1),

responder(a,b,Na1,nb1,M,Kab1,kbs,Sb1),

responder(a,b,Na2,nb2,M2,Kab2,kbs,Sb2),

server(a,b,Na3,kas,kab,kbs,Ss1).

initial_intruder_knowledge([a,b,e]).

has_to_finish([a2,a3]).


  • Session consisting of: initiator, two responders, one server.

  • Any larger session will do.

  • If both responders can finish there is certainly an attack.


The Attack Output

Trace:

[a1,recv([a,b])]

[a1,send([a,[b,na]])]

[s1,recv([a,[b,na]])]

[s1,send([[a,[b,[na,kab]]] + kas,[a,[b,[na,kab]]] + kbs])]

[a2,recv([_h381,[a,[b,[na,kab]]] + kbs])] % a variable here

[a2,send([_h381,[na + kab,nb1]])]

[a1,recv([[a,[b,[na,kab]]] + kas,[na + kab,nb1]])]

[a1,send(nb1 + kab)]

[a2,recv(nb1 + kab)]

[a2,send(kab)]

[a3,recv([_h433,[a,[b,[na,kab]]] + kbs])]

[a3,send([_h433,[na + kab,nb2]])]

[a3,recv(nb2 + kab)]

[a3,send(kab)]


Woo-Lam Mutual Authentication Protocol

1. A->B : [A,Na]

2. B->A : [B,Nb]

3. A->B : [A,B,Na,Nb]+Kas

4. B->S : [A,B,Na,Nb]+Kas, [A,B,Na,Nb]+Kbs

5. S->B: [B,Na,Nb,Kab]+Kas,[A,Na,Nb,Kab]+Kbs

6. B->A: [B,Na,Nb,Kab]+Kas, [Na,Nb]+Kab

7. A->B: Nb+Kab


Attack upon Woo-Lam

a.1 e(A)->B : [A,B]

a.2 B->e(A) : [B,Nb]

a.3 e(A)->B : [A,B,B,Nb]+Kes

a.4 B->e(S) : [A,B,B,Nb]+Kes, [A,B,B,Nb]+Kbs

b.1 e(A)->B : [A,Nb]

b.2 B->e(A) : [B,Nb' ]

b.3 e(A)->B : [A,B,Nb,Nb' ]+Kes

b.4 B->e(S) : [A,B,Nb,Nb' ]+Kes,[A,B,Nb,Nb' ]+Kbs

a.5 e(S)->B: [B,B,Nb,Nb' ]+Kes,[A,B,Nb,Nb' ]+Kbs

a.6 B->e(A): [B,B,Nb,Nb' ]+Kes,[ B,Nb]+Nb'

a.7 e(A)->B: Nb+Nb'


Comments

  • There is one complete session and one incomplete session.

  • Which agents do we actually have to implement to find this attack?


One Responder will do: Woo-Lam in the Tool

responder(A,B,Na,Nb,Kab,Kas,Kbs,[

recv([A,B]), % for origination assumption

recv([A,Na]),

send([B,Nb]),

recv([A,[B,[Na,Nb]]]+Kas),

send([([A,[B,[Na,Nb]]]+Kas),

([A,[B,[Na,Nb]]]+Kbs) ]),

recv([([B,[Na,[Nb,Kab]]]+Kas),

([A,[Na,[Nb,Kab]]]+Kbs) ]),

send([([B,[Na,[Nb,Kab]]]+Kas),

([Na,Nb]+Kab) ]),

recv(Nb+Kab)

]).



Scenario

scenario([[b1,Sb1],[b2,Sb2]]) :-

responder(a,b,Na1,nb1,Kab1,Kas,kbs,Sb1),

responder(a,b,Na2,nb2,Kab2,Kas,kbs,Sb2).

initial_intruder_knowledge([a,b,e]).

has_to_finish([b1]).

The definition of the responder is sufficient, but we need two responders here.

If one of the two finishes, there is certainly an attack.

RULE: if a role can finish when no corresponding role is defined, we are certainly in the presence of an authentication problem.



The Attack Output (after 30s!)

Trace:

[b1,recv([a,b])]

[b1,recv([a,b])]

[b1,send([b,nb1])]

[b1,recv([a,[b,[b,nb1]]] + _h97)]

[b1,send([[a,[b,[b,nb1]]] + _h97,[a,[b,[b,nb1]]] + kbs])]

[b2,recv([a,b])]

[b2,recv([a,nb1])]

[b2,send([b,nb2])]

[b2,recv([a,[b,[nb1,nb2]]] + _h97)]

[b2,send([[a,[b,[nb1,nb2]]] + _h97,[a,[b,[nb1,nb2]]] + kbs])]

[b1,recv([[b,[b,[nb1,nb2]]] + _h97,[a,[b,[nb1,nb2]]] + kbs])]

[b1,send([[b,[b,[nb1,nb2]]] + _h97,[b,nb1] + nb2])]

[b1,recv(nb1 + nb2)]


Exercises

  • Explain the attack in the Woo-Lam protocol.

  • Say why it is a type flaw attack.

  • Implement and find the flaw of the Needham-Schroeder with Conventional keys (see Clark-Jacob Survey).

  • Implement and find the flaw of the Yahalom protocol (see Clark-Jacob Survey).

  • Write a small article about how to find security bugs in protocols using the COProVe tool.


Extra: Needham-Schroeder-Lowe Protocol

1. A->B : [A,Na]*pk(B)

2. B->A : [Na,Nb,B]*pk(A)

3. A->B : Nb*pk(B)

Corrected version of the other one.

Still contains an (unrealistic) flaw.



Attack upon NSL

a.1 A->e(B) : [A,Na]*pk(B)

a.1' e(A)->B : [A,e]*pk(B)

a.2 B->e(A) : [e,Nb,B]*pk(A)

b.1 e->A : [e, [Nb,B] ]*pk(A)

b.2 A->e: [[Nb,B], Na' ,A] *pk(e)

Message a.2 is passed as b.1.

Notice that a.2 has three fields, while b.1 has two.

It is a type flaw attack.

Rather unrealistic.



NSL in the tool

initiator(A,B,Na,Nb,[

recv([A,B]), % for origination assumption

send([A,Na]*pk(B)),

recv([Na,[Nb,B]]*pk(A)),

send(Nb*pk(B))

]).

responder(A,B,Na,Nb,[

recv([A,Na]*pk(B)),

send([Na,[Nb,B]]*pk(A)),

recv(Nb*pk(B))

]).

secrecy(N,[recv(N)]).


Scenario

scenario([[a1,Sa],[a2,Sb],[a3,Sa2],[b1,Sb2],[sec1,St]]):-

initiator(a,b,na,Nb,Sa),

responder(a,b,Na,nb,Sb),

initiator(A1,B1,na2,Nb2,Sa2),

responder(A2,B2,Na2,nb2,Sb2),

secrecy(nb,St).

initial_intruder_knowledge([a,b,e]).

has_to_finish([sec1]).


NSL output

Trace:

[a1,recv([a,b])]

[a1,send([a,na] * pk(b))]

[a2,recv([a,e] * pk(b))]

[a2,send([e,[nb,b]] * pk(a))]

[a3,recv([_h414,e])]

[a3,send([_h414,na2] * pk(e))]

[a3,recv([na2,[_h416,e]] * pk(_h414))]

[a3,send(_h416 * pk(e))]

[b1,recv([e,[nb,b]] * pk(a))]

[b1,send([[nb,b],[nb2,a]] * pk(e))]

[a2,recv(nb * pk(b))]

[b1,recv(nb2 * pk(a))]

[sec1,recv(nb)]
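
The type-flaw attacks on Otway-Rees (A takes [M,A,B] to be the key) and on NSL (a three-field message accepted as a two-field one) both come down to untyped pattern matching over nested pairs. The following is an added example, not part of the original slides or of the tool: a small Python matcher that reproduces both bindings and shows them rejected once key and nonce variables may bind only to atoms. The helper names, the `atomic` parameter and the `pk_x` atoms are assumptions of this sketch.

```python
# Terms: lowercase strings are atoms, capitalised strings are variables (Prolog
# style), a 2-tuple is a pair, ("enc", body, key) stands for body+key / body*pk.
# pk(a) is written as the atom "pk_a" (an assumption of this sketch).

def lst(*xs):
    """Right-nest a list as the tool's traces do: [m,a,b] -> [m,[a,b]]."""
    return xs[0] if len(xs) == 1 else (xs[0], lst(*xs[1:]))

def enc(body, key):
    return ("enc", body, key)

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def match(pattern, msg, env, atomic=()):
    """Match a role's expected pattern against a ground message.
    Variables listed in `atomic` may bind only to atoms (the typed check)."""
    if is_var(pattern):
        if pattern in env:
            return env if env[pattern] == msg else None
        if pattern in atomic and not isinstance(msg, str):
            return None                  # structured term where a key/nonce belongs
        return {**env, pattern: msg}
    if isinstance(pattern, str) or isinstance(msg, str):
        return env if pattern == msg else None
    if len(pattern) != len(msg):
        return None
    for p, m in zip(pattern, msg):
        env = match(p, m, env, atomic)
        if env is None:
            return None
    return env

def otway_rees(atomic=()):
    """a.4: A's own ciphertext from message 1 comes back as message 4."""
    first = lst("m", "a", "b", enc(lst("na", "m", "a", "b"), "kas"))
    replayed = lst("m", first[1][1][1])  # cut out without knowing kas
    return match(lst("m", enc(lst("na", "Kab"), "kas")), replayed, {}, atomic)

def nsl(atomic=()):
    """b.1: message a.2, [e,nb,b]*pk(a), is accepted by a as a first message."""
    got = match(enc(lst("Peer", "Na"), "pk_a"),
                enc(lst("e", "nb", "b"), "pk_a"), {}, atomic)
    if got is None:
        return None
    return enc(lst(got["Na"], "nb2", "a"), "pk_" + got["Peer"])  # b.2 reply
```

With no typing, `otway_rees()` yields the binding Kab = [m,[a,b]] seen in the attack trace and `nsl()` yields the reply [[nb,b],[nb2,a]]*pk(e); passing `atomic=("Kab",)` or `atomic=("Na",)` makes the respective match fail.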

