CSCE 813 Internet Security Cryptographic Protocol Analysis


Reading Assignment

Reading: P.Y.A. Ryan, S.A. Schneider, M.H. Goldsmith, G. Lowe and A.W. Roscoe, The Modelling and Analysis of Security Protocols: the CSP Approach, Section 0. Introduction, pages 1–37, and Section 0.8. http://www.computing.surrey.ac.uk/personal/st/S.Schneider/books/MASP.pdf

Internet Security - Farkas


Protocol

  • Sequence of interactions between entities to achieve a certain end

  • Types of protocols:

    • Diplomatic

    • Communication

    • Graduation

    • Security

    • Etc.

Security Protocols

  • Cryptographic protocols

  • Services: secrecy, integrity, authentication, key exchange, non-repudiation, etc.

  • Components: communicating parties (nodes), trusted third party, encryption algorithms, hash functions, timestamps, nonce, insecure communication channel, etc.

Security Analysis

Performed independently

Disjoint communities

Protocol analysis

Cryptanalysis

What is Protocol Analysis

  • Cryptographic Protocols

  • Attackers’ capabilities

  • Security?

    • Hostile environment

  • Vulnerabilities

    • Weakness of cryptography

    • Incorrect specifications

Emerging Properties of Protocols

  • Greater interoperation

  • Negotiation of policy

  • Greater complexity

  • Group-oriented protocols

  • Emerging security threats

Attackers’ Capabilities

  • Read traffic

  • Modify traffic

  • Delete traffic

  • Perform cryptographic operations

  • Control over network principals

Attacks

  • Known attacks

    • Can be picked up by careful inspection

  • Nonintuitive attacks

    • Not easily apparent

    • May not depend on flaws or weaknesses of cryptographic algs.

    • Use variety of methods, e.g., statistical analysis, subtle properties of crypto algs., etc.

Type of Known Attacks

Man-in-the-middle (see the attack against Diffie-Hellman key exchange)

Reflection: bounces a message back at the agent to trick the originator into revealing the correct response (exploits the symmetry of the situation)

Oracle: tricks an honest agent into revealing a secret (exploits steps of the protocol)

Replay: replays part of previous protocol steps

Interleave: the attacker contrives for 2 or more runs of the protocol to overlap (see following example)

Example: Needham-Schroeder

  • Famous simple example (page 30-31)

    • Protocol published and known for 10 years

    • Gavin Lowe discovered unintended property while preparing formal analysis using FDR system

  • Subsequently rediscovered by every analysis method

From: J. Mitchell

Needham-Schroeder Crypto

  • Nonces

    • Fresh, Random numbers

  • Public-key cryptography

    • Every agent A has

      • Public encryption key Ka

      • Private decryption key Ka⁻¹

    • Main properties

      • Everyone can encrypt message to A

      • Only A can decrypt these messages

From: J. Mitchell

Needham-Schroeder Key Exchange

A → B : {A, NonceA}Kb
B → A : {NonceA, NonceB}Ka
A → B : {NonceB}Kb

On execution of the protocol, A and B are guaranteed mutual authentication and secrecy.

From: J. Mitchell

Needham-Schroeder Properties

  • Responder correctly authenticated

    • When initiator A completes the protocol apparently with honest responder B, it must be that B thinks he ran the protocol with A

  • Initiator correctly authenticated

    • When responder B completes the protocol apparently with honest initiator A, it must be that A thinks she ran the protocol with B

  • Initiator nonce secrecy

    • When an honest initiator completes the protocol with an honest peer, the intruder does not know the initiator's nonce.

From: J. Mitchell


Anomaly in Needham-Schroeder [Lowe]

A → E : {A, NA}Ke
E → B : {A, NA}Kb
B → E : {NA, NB}Ka
E → A : {NA, NB}Ka
A → E : {NB}Ke

Evil agent E tricks honest A into revealing private key NB from B

Evil E can then fool B

From: J. Mitchell


Requirements and Properties

  • Authentication

    • Authentication, Secrecy

  • Trading

    • Fairness

  • Special applications (e.g., voting)

    • Anonymity and Accountability

  • Forward secrecy

Forward Secrecy

Compromised key: permits the disclosure of the data encrypted by the compromised key.

No additional keys can be generated from the compromised key.

Perfect Forward Secrecy: compromise of a single key will permit access to only data protected by a single key

Formal Methods

  • Combination of a mathematical or logical model of a system and its requirements and

  • Effective procedures for determining whether a proof that a system satisfies its requirements is correct.

Can be automated!

Security Analysis

  • Understand system requirements

  • Model

    • System

    • Attacker

  • Evaluate security properties

    • Under normal operation (no attacker)

    • In the presence of attacker

  • Security results: under given assumptions about system and about the capabilities of the attackers.

Explicit Intruder Model

[Diagram: Informal Protocol Description → Formal Protocol + Intruder Model → Analysis Tool → Find error]

From: J. Mitchell

Protocol Analysis Spectrum

[Figure: analysis approaches plotted by sophistication of attacks (low to high) against protocol complexity (low to high). Approaches shown: hand proofs, poly-time calculus, symbolic methods (MSR), spi-calculus, Athena, Paulson, NRL, Bolignano, BAN logic, model checking, protocol logic, FDR, Murφ.]

From: J. Mitchell

First Analysis Method

  • Dolev-Yao

  • Set of polynomial-time algorithms for deciding security of a restricted class of protocols

  • First to develop formal model of environment in which

    • Multiple executions of the protocol can be running concurrently

    • Cryptographic algorithms considered as “black boxes”

    • Includes intruder’s model

  • Tools based on Dolev-Yao

    • NRL protocol analyzer

    • Longley-Rigby tool

Intruder’s Behaviour

Kill a message

Sniff a message

Intercept the message

Re-route a message

Delay the delivery of the message

Reorder the messages

Replay the messages

Fake a message

Use encryption/decryption algorithms
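
An added example (not from the original slides): a minimal symbolic Dolev-Yao model of the Needham-Schroeder exchange, comparing what intruder E can derive in an honest run with the interleaved run from the Anomaly slide. The function names, the string atoms and the key-naming helper are assumptions made for illustration.

```python
# Added example: symbolic (Dolev-Yao) model; all names here are constructed.
# Atoms are strings; ("enc", key, fields) is public-key encryption under `key`.
# Cryptography is a black box: a ciphertext opens only with the private key.

def enc(key, *fields):
    return ("enc", key, fields)

def pub(agent):
    return "K" + agent.lower()          # "A" -> "Ka", as on the slides

def intruder_knowledge(observed, private_keys):
    """Close observed traffic under decryption with the intruder's own keys.
    `private_keys` names the public keys whose private half the intruder holds."""
    known, todo = set(), list(observed)
    while todo:
        term = todo.pop()
        if term in known:
            continue
        known.add(term)
        if isinstance(term, tuple) and term[1] in private_keys:
            todo.extend(term[2])        # learn every field of an opened message
    return known

def a_start(peer):                      # msg 1: {A, Na} under peer's key
    return enc(pub(peer), "A", "Na")

def b_respond(msg1):                    # msg 2: {Na, Nb} under claimed sender's key
    _, key, (claimed, nonce) = msg1
    if key != "Kb":
        raise ValueError("not addressed to B")
    return enc(pub(claimed), nonce, "Nb"), claimed

def a_finish(msg2, peer):               # msg 3: {Nb} under peer's key
    _, key, (na, nb) = msg2
    if key != "Ka" or na != "Na":
        raise ValueError("A rejects message 2")
    return enc(pub(peer), nb)

def honest_run():                       # A talks to B; E only observes
    m1 = a_start("B")
    m2, b_peer = b_respond(m1)
    m3 = a_finish(m2, "B")
    return intruder_knowledge([m1, m2, m3], {"Ke"}), b_peer

def interleaved_run():                  # A talks to E; E overlaps a run with B
    m1 = a_start("E")                               # A -> E : {A, Na}Ke
    known = intruder_knowledge([m1], {"Ke"})
    if not {"A", "Na"} <= known:
        raise ValueError("E cannot build the forged message")
    m2, b_peer = b_respond(enc("Kb", "A", "Na"))    # E -> B, B -> E : {Na, Nb}Ka
    m3 = a_finish(m2, "E")                          # E -> A relay, A -> E : {Nb}Ke
    return intruder_knowledge([m1, m2, m3], {"Ke"}), b_peer
```

Both runs return the intruder's knowledge set and the identity B believes it is talking to; the secrecy property fails exactly when "Nb" appears in that set while B's believed peer is A.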

Model Checking

  • Two components

    • Finite state system

    • Specification of properties

  • Exhaustively search the state space to determine security

    • Check whether all possible behaviors are permitted

Theorem Prover

  • Theorems: properties of protocols

  • Prove or check proofs automatically

  • Could find flaws not detected by manual analysis

  • Do not give counterexamples like the model checkers

Logic

  • Burrows, Abadi, and Needham (BAN) logic

  • Logic of belief

  • Set of modal operators: describing the relationship of principal to data

  • Set of possible beliefs

  • Inference rules

  • Seems to be promising but weaker than state exploration tools and theorem proving (higher level abstraction)

Limitations of Formal Analysis

Mathematical models are approximations to reality

Hard to predict the intruder’s capabilities

Complexity

Evaluating a New Security Protocol

  • Establish

    • how the protocol works

    • what security properties it is intended to provide

    • which threats have been considered

  • Find obvious flaws

  • Use formal methods to evaluate the protocol

Next Class: Network Access Layer Security
