CSCE 813 Internet Security: Cryptographic Protocol Analysis

Reading Assignment

Reading: P.Y.A. Ryan, S.A. Schneider, M.H. Goldsmith, G. Lowe and A.W. Roscoe, The Modelling and Analysis of Security Protocols: the CSP Approach, Section 0 (Introduction), pages 1 – 37, and Section 0.8

Internet Security - Farkas


Protocols

  • A sequence of interactions between entities to achieve a certain end

  • Types of protocols:

    • Diplomatic

    • Communication

    • Graduation

    • Security

    • Etc.


Security Protocols

  • Cryptographic protocols

  • Services: secrecy, integrity, authentication, key exchange, non-repudiation, etc.

  • Components: communicating parties (nodes), trusted third party, encryption algorithms, hash functions, timestamps, nonce, insecure communication channel, etc.


Security Analysis

Historically performed independently, by disjoint communities:

Cryptographic analysis (strength of the primitives)

Protocol analysis (how the primitives are combined; the cryptography itself is treated as given)



What is Protocol Analysis

  • Cryptographic protocols

  • Attackers’ capabilities

  • What does "secure" mean?

    • In a hostile environment, where the network is under the attacker's control

  • Vulnerabilities come from two sources

    • Weakness of the cryptography

    • Incorrect protocol specification (flaws that exist even if the cryptography is perfect)


Emerging Properties of Protocols

  • Greater interoperation

  • Negotiation of policy

  • Greater complexity

  • Group-oriented protocols

  • Emerging security threats


Attackers’ Capabilities

  • Read traffic

  • Modify traffic

  • Delete traffic

  • Perform cryptographic operations

  • Control over network principals



  • Known attacks

    • Can be picked up by careful inspection

  • Nonintuitive attacks

    • Not easily apparent

    • May not depend on any flaw or weakness of the cryptographic algorithms

    • Use a variety of methods, e.g., statistical analysis, subtle properties of the cryptographic algorithms, etc.


Type of Known Attacks

Man-in-the-middle: the attacker sits between two parties and relays (and alters) their messages, while each party believes it is talking directly to the other (see the attack against unauthenticated Diffie-Hellman key exchange)

Reflection: the attacker bounces a party's own challenge back at it, typically in a parallel session, so that the party produces the correct response to its own challenge (exploits the symmetry of the situation)

Oracle: the attacker uses an honest agent as an "oracle", feeding it chosen messages so that the steps of the protocol it faithfully follows reveal a secret

Replay: the attacker re-sends messages, or parts of messages, recorded from a previous run of the protocol

Interleaving: the attacker contrives for two or more runs of the protocol to overlap, using messages from one run in another (see the Needham-Schroeder example that follows)
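The reflection attack described above, worked through on a concrete challenge-response protocol. This is an added example and not part of the lecture: the protocol (A→B: NA; B→A: MAC_K(NA), NB; A→B: MAC_K(NB)), the `Responder` class, the session identifiers and the `bind_direction` fix are all constructed here. The attacker E never learns the shared key K, yet authenticates to B as A by opening a second, parallel session and using B as an oracle for B's own challenge; binding the sender's role into the MAC breaks the symmetry the attack relies on.

```python
"""Reflection attack on a symmetric challenge-response protocol, and a fix.
Added example, not from the lecture: the protocol, the responder and the attack
script are constructed here. K is shared by A and B only; the attacker E never
learns K, yet authenticates to B as A by opening a second, parallel session and
bouncing B's own challenge back at B."""
import hmac
import os


def tag(key, role, nonce, bind_direction):
    """MAC_K(nonce), or MAC_K(role || nonce) when the fix binds the sender's role."""
    data = role.encode() + nonce if bind_direction else nonce
    return hmac.new(key, data, "sha256").digest()


class Responder:
    """B's side of:  A->B: NA ;  B->A: MAC_K(NA), NB ;  A->B: MAC_K(NB).
    B serves several sessions at once, which is what the attack exploits."""

    def __init__(self, key, bind_direction=False):
        self.key = key
        self.bind = bind_direction
        self.pending = {}        # session id -> NB we are waiting to see answered
        self.accepted = []       # sessions in which B believes it authenticated A

    def msg1(self, sid, na):
        nb = os.urandom(16)
        self.pending[sid] = nb
        return tag(self.key, "B", na, self.bind), nb   # B answers NA, challenges with NB

    def msg3(self, sid, answer):
        nb = self.pending.pop(sid)
        ok = hmac.compare_digest(answer, tag(self.key, "A", nb, self.bind))
        if ok:
            self.accepted.append(sid)
        return ok


def honest_run(key, b, sid="honest"):
    """A, who knows K, authenticates normally (works with and without the fix)."""
    na = os.urandom(16)
    tag_na, nb = b.msg1(sid, na)
    if not hmac.compare_digest(tag_na, tag(key, "B", na, b.bind)):
        return False                                    # B failed to prove knowledge of K
    return b.msg3(sid, tag(key, "A", nb, b.bind))


def reflection_attack(b):
    """E holds no key. Session 1: B challenges E with NB1. Session 2: E sends NB1 as
    *its* challenge, so B computes MAC_K(NB1) for E. E replays that answer in session 1.
    Without direction binding MAC_K(NB1) is exactly what session 1 expects."""
    _, nb1 = b.msg1("s1", os.urandom(16))
    answer_from_b, _ = b.msg1("s2", nb1)
    return b.msg3("s1", answer_from_b)


def demo(key=b"\x00" * 32):
    """Outcome of the attack and of an honest run against both responder variants."""
    return {
        "attack_on_plain": reflection_attack(Responder(key)),
        "attack_on_bound": reflection_attack(Responder(key, bind_direction=True)),
        "honest_on_plain": honest_run(key, Responder(key)),
        "honest_on_bound": honest_run(key, Responder(key, bind_direction=True)),
    }


if __name__ == "__main__":
    print(demo())
```

The fix shown (a role tag inside the MAC) is one of several; refusing concurrent sessions, or using distinct keys per direction, also removes the symmetry. Note that the attack never touches the cryptography: the MAC is sound, and the flaw is entirely in the specification.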


Example: Needham-Schroeder

  • Famous simple example (pages 30-31 of the reading)

    • Published in 1978 and studied in the literature for 17 years before the flaw was found

    • Gavin Lowe discovered the unintended property in 1995 while preparing a formal analysis using the FDR model checker (a refinement checker for CSP)

  • Subsequently rediscovered by essentially every analysis method

From: J. Mitchell


Needham-Schroeder Crypto

  • Nonces

    • Fresh, unpredictable random numbers, generated for a single run

  • Public-key cryptography

    • Every agent A has

      • Public encryption key Ka

      • Private decryption key Ka⁻¹

    • Main properties

      • Everyone can encrypt a message to A under Ka

      • Only A, the holder of Ka⁻¹, can decrypt these messages

From: J. Mitchell


Needham-Schroeder Key Exchange

1. A → B: {A, NonceA}Kb

2. B → A: {NonceA, NonceB}Ka

3. A → B: {NonceB}Kb

Intended guarantee: on completion of the protocol, A and B have authenticated each other, and the two nonces (usable as key material) are known only to A and B.

From: J. Mitchell


Needham-Schroeder Properties

  • Responder correctly authenticated

    • When initiator A completes the protocol apparently with honest responder B, it must be that B believes he ran the protocol with A

  • Initiator correctly authenticated

    • When responder B completes the protocol apparently with honest initiator A, it must be that A believes she ran the protocol with B

  • Initiator nonce secrecy

    • When an honest initiator completes the protocol with an honest peer, the intruder does not know the initiator's nonce


From: J. Mitchell

Anomaly in Needham-Schroeder

A starts a run with the evil agent E, who replays A's messages into a parallel run with B while posing as A (written E(A)):

1. A → E: { A, NA }Ke

1'. E(A) → B: { A, NA }Kb

2'. B → E(A): { NA, NB }Ka

2. E → A: { NA, NB }Ka

3. A → E: { NB }Ke

3'. E(A) → B: { NB }Kb

Evil agent E tricks honest A into decrypting message 2' and revealing B's nonce NB (A cannot tell that { NA, NB }Ka came from B, not from E).

Evil E can then send message 3' and fool B into believing it has authenticated A. Lowe's fix adds the responder's name to message 2, { NA, NB, B }Ka, so that A rejects it in a run with E.


From: J. Mitchell

Requirements and Properties

  • Authentication protocols

    • Authentication, secrecy

  • Trading protocols

    • Fairness

  • Special applications (e.g., voting)

    • Anonymity and accountability

  • Forward secrecy


Forward Secrecy

Compromise of a key permits the disclosure of all data encrypted under that key.

Forward secrecy: no further keys can be derived from the compromised key; in particular, session keys established in earlier runs cannot be recovered from a long-term key that is compromised later.

Perfect forward secrecy: compromise of a single key permits access only to the data protected by that one key, never to past sessions.
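Forward secrecy worked through on two toy session-establishment designs. This is an added example, not from the lecture: both designs, the toy Diffie-Hellman group (p = 2^127 − 1, generator 2, chosen only so the example runs instantly; a deployment would use a standard group) and the HMAC-based authentication are constructed here. In the "key transport" design the long-term key K wraps every session key, so an attacker who recorded traffic and later obtains K reads every past session; in the ephemeral Diffie-Hellman design K only authenticates the exchange, and the session key depends on exponents that never leave the endpoints.

```python
"""Forward secrecy, demonstrated on two toy session-establishment designs.
Added example (not from the lecture): in "key transport" the long-term key
protects every session key; with ephemeral Diffie-Hellman it protects only the
authentication of the exchange, so its later compromise exposes no past traffic."""
import hashlib
import hmac
import os

# Toy DH group: p = 2^127 - 1 (a Mersenne prime), generator 2. Chosen only so the
# example runs quickly; a deployment would use a standard group (RFC 3526 / 7919).
P = (1 << 127) - 1
G = 2


def kdf(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_transport_session(long_term: bytes):
    """A picks a session key and wraps it under the shared long-term key K.
    Returns (session_key, transcript as seen on the wire)."""
    session_key = os.urandom(32)
    nonce = os.urandom(16)
    wrapped = xor(session_key, kdf(long_term, nonce))
    return session_key, {"nonce": nonce, "wrapped": wrapped}


def ephemeral_dh_session(long_term: bytes):
    """A and B exchange fresh g^a, g^b, authenticated with a MAC under K; the
    session key depends only on the ephemeral exponents, which are then discarded."""
    a = int.from_bytes(os.urandom(16), "big")
    b = int.from_bytes(os.urandom(16), "big")
    ga, gb = pow(G, a, P), pow(G, b, P)
    tag = hmac.new(long_term, f"{ga}|{gb}".encode(), "sha256").digest()
    session_key = kdf(pow(gb, a, P).to_bytes(16, "big"))
    assert session_key == kdf(pow(ga, b, P).to_bytes(16, "big"))  # both sides agree
    del a, b  # ephemeral secrets never leave the endpoints' memory
    return session_key, {"ga": ga, "gb": gb, "tag": tag}


def attacker_after_compromise(transcript: dict, long_term: bytes):
    """Passive attacker who recorded the transcript and later obtained K.
    Returns the recovered session key, or None when transcript + K do not determine it."""
    if "wrapped" in transcript:          # key transport: unwrap exactly as B did
        return xor(transcript["wrapped"], kdf(long_term, transcript["nonce"]))
    # Ephemeral DH: K lets the attacker verify the MAC (and so impersonate in *future*
    # runs), but the recorded session key needs an exponent that was never transmitted.
    expected = hmac.new(long_term, f"{transcript['ga']}|{transcript['gb']}".encode(), "sha256").digest()
    assert hmac.compare_digest(expected, transcript["tag"])
    return None


def demo():
    """Does a later compromise of K expose the session key of a recorded run?"""
    long_term = os.urandom(32)
    kt_key, kt_transcript = key_transport_session(long_term)
    dh_key, dh_transcript = ephemeral_dh_session(long_term)
    return {
        "transport_exposed": attacker_after_compromise(kt_transcript, long_term) == kt_key,
        "dh_exposed": attacker_after_compromise(dh_transcript, long_term) == dh_key,
    }


if __name__ == "__main__":
    print(demo())
```

The distinction the example makes visible is which data the long-term key protects: in key transport it is every session key ever wrapped, in ephemeral DH it is only the authenticity of one exchange, so a compromise permits impersonation from then on but not decryption of anything already recorded.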


Formal Methods

  • A combination of a mathematical or logical model of a system and of its requirements, and

  • Effective procedures for determining whether a proof that the system satisfies its requirements is correct.

Can be automated!


Security Analysis

  • Understand system requirements

  • Model

    • System

    • Attacker

  • Evaluate security properties

    • Under normal operation (no attacker)

    • In the presence of attacker

  • Security results hold only under the given assumptions about the system and about the capabilities of the attacker.


Explicit intruder model

[Figure: the honest principals run the protocol over a network controlled by an explicit intruder; the analysis task is to find the error.]

From: J. Mitchell


Protocol Analysis Spectrum

[Figure: analysis methods plotted by sophistication of the attacks they handle (vertical axis) against the protocol complexity they handle (horizontal axis): hand proofs, poly-time calculus, symbolic methods (MSR), BAN logic, model checking, protocol logic.]

From: J. Mitchell


First Analysis Method

  • Dolev-Yao (1983)

  • A set of polynomial-time algorithms for deciding the security of a restricted class of protocols

  • First to develop a formal model of an environment in which

    • Multiple executions of the protocol can be running concurrently

    • Cryptographic algorithms are treated as perfect "black boxes": a ciphertext reveals nothing without the decryption key

    • An intruder model is included: the intruder controls the network and can compose, decompose, encrypt and decrypt messages using the keys it knows

  • Tools based on Dolev-Yao

    • NRL protocol analyzer

    • Longley-Rigby tool


Intruder’s Behaviour

Kill a message

Sniff a message

Intercept the message

Re-route a message

Delay the delivery of the message

Reorder the messages

Replay the messages

Fake a message

Use encryption/decryption algorithms


Model checking

  • Two components

    • A finite-state model of the system (the protocol roles together with the intruder)

    • A specification of the properties to check

  • Exhaustively search the state space to determine whether the properties hold

    • Check that every reachable behaviour is permitted by the specification; a violating trace is reported as a counterexample, i.e. a concrete attack
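The Needham-Schroeder anomaly, the explicit intruder model, the Dolev-Yao assumptions and the model-checking approach described above, combined in one small bounded model checker. This is an added example and not code from the lecture or from any of the tools it names: the symbolic term encoding (`("enc", key, payload)` tuples), the one-nonce-per-agent bound, the role automata for A and B and the two property checks are all constructed here. The intruder E is the network: every message an honest role sends is added to E's knowledge, and every message a role receives is one E can derive, either by forwarding a recorded ciphertext it cannot read or by rebuilding a message from known atoms and a public key. Exhaustive search over all interleavings finds Lowe's attack on the original protocol and finds no violation for the Lowe-fixed version within the same bound.

```python
"""Bounded model checking of the Needham-Schroeder public-key protocol (and Lowe's
fix) against a Dolev-Yao intruder, on symbolic terms. Added example, not from the
lecture: the term encoding, the role automata and the property checks are mine."""
from collections import deque

NAMES = ("A", "B", "E")      # E is the intruder; A and B are honest
NONCES = ("NA", "NB", "NE")  # each agent owns one fresh nonce in this bounded model


def pub(x):
    return "K" + x            # public key of agent x


def priv(x):
    return "K" + x + "-1"     # matching private key


def enc(key, *payload):
    """Symbolic encryption: an opaque term unless the inverse key is known."""
    return ("enc", key, tuple(payload))


def analyse(knowledge):
    """Dolev-Yao analysis: keep decrypting whatever the intruder holds the private key for."""
    k = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(k):
            if isinstance(t, tuple) and t[0] == "enc" and t[1] + "-1" in k:
                for atom in t[2]:
                    if atom not in k:
                        k.add(atom)
                        changed = True
    return frozenset(k)


def derivable(k, t):
    """Dolev-Yao synthesis: can the intruder send t? Either it recorded t (it may
    forward a ciphertext it cannot read) or it can rebuild t from known atoms and a
    known encryption key."""
    if t in k:
        return True
    return isinstance(t, tuple) and t[1] in k and all(p in k for p in t[2])


def successors(state, lowe):
    """One step of any honest role, fed a message the intruder can produce.
    State: (A's step, A's chosen peer, B's step, who B thinks it talks to, intruder knowledge)."""
    a_step, a_peer, b_step, b_peer, k = state
    out = []
    if a_step == 0:                                  # msg 1: A -> peer: {A, NA}Kpeer
        out.append((1, a_peer, b_step, b_peer, analyse(k | {enc(pub(a_peer), "A", "NA")})))
    if a_step == 1:                                  # msg 2 expected: {NA, N}KA  (Lowe: {NA, N, peer}KA)
        for n in NONCES:
            expected = enc(pub("A"), "NA", n, a_peer) if lowe else enc(pub("A"), "NA", n)
            if derivable(k, expected):               # msg 3: A -> peer: {N}Kpeer
                out.append((2, a_peer, b_step, b_peer, analyse(k | {enc(pub(a_peer), n)})))
    if b_step == 0:                                  # msg 1 expected: {X, N}KB
        for x in NAMES:
            for n in NONCES:
                if derivable(k, enc(pub("B"), x, n)):
                    reply = enc(pub(x), n, "NB", "B") if lowe else enc(pub(x), n, "NB")
                    out.append((a_step, a_peer, 1, x, analyse(k | {reply})))
    if b_step == 1 and derivable(k, enc(pub("B"), "NB")):   # msg 3 expected: {NB}KB
        out.append((a_step, a_peer, 2, b_peer, k))
    return out


def check(lowe=False):
    """Explore every interleaving reachable from A choosing to talk to B or to E.
    Returns the sorted list of violated properties (empty = none found in this bound)."""
    k0 = analyse({*NAMES, "NE", pub("A"), pub("B"), pub("E"), priv("E")})
    frontier = deque((0, peer, 0, None, k0) for peer in ("B", "E"))
    seen, violations = set(frontier), set()
    while frontier:
        s = frontier.popleft()
        a_step, a_peer, b_step, b_peer, k = s
        # B finished believing it talked to A, but A never completed a run with B
        if b_step == 2 and b_peer == "A" and not (a_step == 2 and a_peer == "B"):
            violations.add("initiator authentication")
        # B believes it talks to honest A, yet the intruder learnt B's nonce
        if b_peer == "A" and "NB" in k:
            violations.add("responder nonce secrecy")
        for n in successors(s, lowe):
            if n not in seen:
                seen.add(n)
                frontier.append(n)
    return sorted(violations)


if __name__ == "__main__":
    print("Needham-Schroeder:", check(lowe=False) or "no attack found")
    print("Needham-Schroeder-Lowe:", check(lowe=True) or "no attack found")
```

Two design points carry over to real tools. First, the intruder is never scripted: `successors` offers every message it can derive that matches the shape a role expects, so the attack emerges from search rather than from the analyst knowing it in advance. Second, the result is only as strong as the bound and the model: one session per role and three nonces are enough to exhibit Lowe's attack, but an empty result for the fixed protocol is evidence within that bound, not a proof.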


Theorem Prover

  • Theorems: the security properties of the protocol

  • Prove them, or check proofs, automatically

  • Can find flaws that manual analysis missed

  • Unlike model checkers, do not produce counterexamples: a failed proof attempt does not by itself yield an attack



BAN Logic

  • Burrows, Abadi, and Needham (BAN) logic

  • A logic of belief

  • Set of modal operators describing the relationship of a principal to data (e.g., "P believes X", "P sees X", "P said X")

  • Set of possible beliefs

  • Inference rules for deriving new beliefs from the messages received

  • Promising, but weaker than state-exploration tools and theorem proving: it works at a higher level of abstraction and does not model what the intruder can actually do


Limitations of Formal Analysis

Mathematical models are approximations of reality: a proved protocol can still fail through implementation errors or through properties the model abstracts away.

Hard to predict the intruder’s capabilities: a result is only as strong as the intruder model it assumes.



Evaluating a New Security Protocol

  • Establish

    • how the protocol works

    • what security properties it is intended to provide

    • which threats have been considered

  • Find obvious flaws

  • Use formal methods to evaluate the protocol


Next Class: Network Access Layer Security
