1 / 26

Security Protocols Basic Notions

Security Protocols Basic Notions. Historical Solutions. Exchange of secret keys:. Nowadays:. E-commerce, E-banking, SoA,… Exchange of private / confidential data Encryption (privacy, confidentiality) Digital signature (integrity) Tasks Exchange of session keys (without horses !)

jerzy
Download Presentation

Security Protocols Basic Notions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security ProtocolsBasic Notions

  2. Historical Solutions Exchange of secret keys:

  3. Nowadays: • E-commerce, E-banking, SoA,… • Exchange of private / confidential data • Encryption (privacy, confidentiality) • Digital signature (integrity) • Tasks • Exchange of session keys (without horses !) • Authentication of princicals

  4. Basic Notions • A protocol consists of a set of rules (conventions) which determine the exchange of messages between two or more participants. • participants: users, processes machines, ... • called “principals” • Protocol steps n : A  B : M • “A sends M to B according to the n’ th protocol step.” A, B principals, M message • Messages may be structured: M = M1, ... , Mn

  5. Basic Notions • A protocol (specification) is a sequence of lines describing protocol steps: 1 : A1 B1 : M1 2 : A2 B2 : M2 . . • (informal) specification of the behavior of ordinary participants (principals) • hostile environment: errors, loss of confidentiality/integrity,delay • runs of the protocol: • arbitrary number of ordinary participants (instantiation of variables in the specification): have to obey the rules • attacker: may “interfere” with protocol steps

  6. Basic Notions • Cryptography • encryption of messages: n : A  B : MK • “M is encrypted using key K.” • for each K exists an “inverse” K-1 : K-1-1 = K • keys indexed by participants: KA public key of AKA,B symmetric key shared between A and B • for symmetric encryption : K-1 = K • for asymmetric systems (recall asymmetric schemes!) • K-1 private key : signatures • K public key: (asymmetric) encryption

  7. A Simple Protocol (in Detail) { A, NA }KB { NA , NB } KA { NB } KB B A • KB = pk(B) B’s public key, KB-1 = sk(B) B’s secret/private key • KA = pk(A) A’s public key, KA-1 = sk(A) A’s secret/private key • Needham-Schroeder Public Key Protocol

  8. Basic Notions • Nonces (N) • fresh data items • freshness: not used before (generated at a certain step) • only known by the participant (principal) who generates it (owner) • nonces indexed by owners NA • sometimes operations on nonces available • Timestamps (T) • used to measure time (t0, t1, t2, … ) • expiration of keys

  9. Basic Notions • Generation of messages: • Look at previous messages a principal has sent/received, interpret them according to the protocol specification, and generate an answer message according to the protocol specification. • Initial knowledge assumed. • Consider successful runs. • Interleaving with events generated by other principals (running the protocol) and events generated by an attacker • Problem: selection of messages to react to

  10. Basic Notions -- A Simple Protocol (ctd.) • The behavior of ordinary participants is given by the protocol specification. • The events have to be possible according to general rules. • Example : event corresponding to the first step of the protocol . .alice { alice, Nalice }Kbob bob • not necessarily the first event: protocol steps of other principals , events caused by the attacker

  11. A Simple Protocol (in Detail) • Specification 1 : A  B : { A, NA }KB • 2 : B  A : { NA , NB } KA • 3: A  B : { NB } KB • The specification defines a set of sequences of communication events (runs). • (up to now) presentation informal • but necessary to “play” with protocols (in an informal way)

  12. Basic Notions -- A Simple Protocol (ctd.) • Initial “knowledge” of Alice: • Alice wants to communicate with Bob (knows/holds Bob). • Alice expects certain answers (according to the protocol). • Alice knows the public key of Bob. • Alice knows her private key. • Alice is able to generate nonces (Nalice): Nalice has not appeared in the sequence before. Nalice cannot be generated by other participants.

  13. Basic Notions -- A Simple Protocol (ctd.) • Initial knowledge of Bob: • Bob expects certain messages. • Bob knows the public key of Alice. • Bob knows his own private key. • Bob is able to generate nonces (as above). • Bob has obtained (seen) a message : { alice, Nalice }Kbob • not modeled as an extra event here • The receiver has to be Bob. • Bob cannot see the actual sender. • Bob is able to decrypt the message. He does this in order to continue according to the rules of the protocol. • Bob (now) knows that Alice wants to communicate with him. • He generates an answer according to the rules of the protocol.

  14. Basic Notions -- A Simple Protocol (ctd.) • Example : event corresponding to the second step of the protocol . .alice { alice, Nalice }Kbob bob . .bob {Nalice, Nbob }Kalice alice • not necessarily the next event: protocol steps of other principals , events caused by the attacker

  15. Basic Notions -- A Simple Protocol (ctd.) • Alice has obtained (seen) a message : {Nalice, Nbob }Kalice • Alice cannot see the actual sender. • Alice is able to decrypt the message. • Alice sees her nonce (check performed) together with another data item. ) structure of messages • According to the rules of the protocol she interprets this item as a nonce generated by Bob. • She generates an answer according to the rules of the protocol and sends it to Bob, the person she wants to communicate with. • Note: there is no name mentioned in the message.

  16. Basic Notions -- A Simple Protocol (ctd.) • Example : event corresponding to the third step of the protocol . .alice { alice, Nalice }Kbob bob . .bob {Nalice, Nbob }Kalice alice . .alice { Nbob }Kbob bob . .

  17. Basic Notions - A Simple Protocol (ctd.) • Example : finalizing the protocol • Bob has obtained a message: { Nbob }Kbob • Bob is able todecrypt the message. • He finds a data item. • According to the rules of the protocol he checks: Is it the nonce (I sent to Alice)? • If the answer is yes, this protocol run was successful.

  18. A Simple Protocol { A, NA }KB { NA , NB } KA { NB } KB B A • Needham-Schroeder Public Key Protocol • Is this protocol secure ?

  19. How To Win Chess Against a Grandmaster

  20. Problems with Protocols • A man-in-the-middle attack:alice { alice, Nalice }Kchar charliecharlie { alice, Nalice }Kbob bob ( bob {Nalice, Nbob }Kalice alice )charlie {Nalice, Nbob }Kalice alicealice { Nbob }Kchar charliecharlie {Nbob }Kbob bob

  21. A Simple Protocol (in Detail) • Intended effect of each step: • Alice sends a secret (Nalice) to Bob (challenge). Bob knows Nalice. Anything else? • Bob sends Nalice back (response) together with a secret Nbob. Alice knows Nbob. Since Bob and only Bob is able to decrypt the first message and Nalice was Alice’s secret, it was Bob who answered. • Alice send back Nbob. As above Bob concludes that it was Alice who responded. • After a succesful run of the protocol the two nonces are shared only by Alice and Bob. The nonces can be used as keys for an authenticated secure communication. • Is this really true? No!!

  22. Problems with Protocols • What’s wrong with the protocol? • Bob believes that he is communicating with Alice. • Problem with second message specification: 2 : B  A : { NA , NB } KAinstantiation in the failed run:bob (charlie)  {Nalice, Nbob }Kalice alice • repair specification 2 : B  A : { B, NA , NB } KAinstantiation: bob {bob, Nalice, Nbob }Kalice alice

  23. Problems with Protocols • Why is this problem solved? • Trying the same attack:alice { alice, Nalice }Kchar charliecharlie { alice, Nalice }Kbob bobbob {bob, Nalice, Nbob }Kalice alicecharlie {bob, Nalice, Nbob }Kalice alice • Alice expects an answer from Charlie (and not from Bob).

  24. Faulty Security Protocols The more protocols … … the more bugs

  25. Problems with Protocols • SSL allows for the exchange of session keys on the web A previous version of the protocol: A  S : { A, KAS }KSS  A : { NS } KASA  S : { CA, { NS }K-1 A } KAS • Some explanations: • KAS intended to be the session key • S is the server • KS = pk(S) • K-1A = sk(A) , signature of A • CA certificate of A

  26. Problems with Protocols • Intended effect of each step: • A sends a session key KAS and her/his name. • S (server) sends a secret (challenge) encrypted by KAS . • A signs the challenge. • The server assumes that only A knows its private key. • Certificate issued by trusted party (certification authority): (name, public key , .... ) • Aim: authentication of client (A) to server (S). • Is the protocol correct ?

More Related