CSCE 813 Internet Security Cryptographic Protocol Analysis

Reading Assignment

Reading: P.Y.A. Ryan, S.A. Schneider, M.H. Goldsmith, G. Lowe and A.W. Roscoe, The Modelling and Analysis of Security Protocols: the CSP Approach, Section 0. Introduction, pages 1–37, and Section 0.8. http://www.computing.surrey.ac.uk/personal/st/S.Schneider/books/MASP.pdf

Internet Security - Farkas

Protocol
  • Sequence of interactions between entities to achieve a certain end
  • Types of protocols:
    • Diplomatic
    • Communication
    • Graduation
    • Security
    • Etc.

Security Protocols
  • Cryptographic protocols
  • Services: secrecy, integrity, authentication, key exchange, non-repudiation, etc.
  • Components: communicating parties (nodes), trusted third party, encryption algorithms, hash functions, timestamps, nonce, insecure communication channel, etc.

Security Analysis

  • Protocol analysis
  • Cryptanalysis
  • Performed independently
  • Disjoint communities

What is Protocol Analysis
  • Cryptographic Protocols
  • Attackers’ capabilities
  • Security?
    • Hostile environment
  • Vulnerabilities
    • Weakness of cryptography
    • Incorrect specifications

Emerging Properties of Protocols
  • Greater interoperation
  • Negotiation of policy
  • Greater complexity
  • Group-oriented protocols
  • Emerging security threats

Attackers’ Capabilities
  • Read traffic
  • Modify traffic
  • Delete traffic
  • Perform cryptographic operations
  • Control over network principals

Attacks
  • Known attacks
    • Can be picked up by careful inspection
  • Nonintuitive attacks
    • Not easily apparent
    • May not depend on flaws or weaknesses of cryptographic algorithms
    • Use a variety of methods, e.g., statistical analysis, subtle properties of cryptographic algorithms, etc.

Types of Known Attacks
  • Man-in-the-middle (see attack against Diffie-Hellman key exchange)
  • Reflection: bounces a message back at the agent to trick the originator into revealing the correct response (symmetry of situation)
  • Oracle: tricks an honest agent into revealing a secret (exploits steps of the protocol)
  • Replay: replays part of previous protocol steps
  • Interleave: attacker contrives for 2 or more runs of the protocol to overlap (see following example)

Example: Needham-Schroeder
  • Famous simple example (pages 30-31)
    • Protocol published and known for 10 years
    • Gavin Lowe discovered unintended property while preparing formal analysis using FDR system
  • Subsequently rediscovered by every analysis method

From: J. Mitchell

Needham-Schroeder Crypto
  • Nonces
    • Fresh, Random numbers
  • Public-key cryptography
    • Every agent A has
      • Public encryption key Ka
      • Private decryption key Ka⁻¹
    • Main properties
      • Everyone can encrypt message to A
      • Only A can decrypt these messages

From: J. Mitchell

Needham-Schroeder Key Exchange

  • A → B: {A, NonceA}Kb
  • B → A: {NonceA, NonceB}Ka
  • A → B: {NonceB}Kb

On execution of the protocol, A and B are guaranteed mutual authentication and secrecy.

From: J. Mitchell

Needham-Schroeder Properties
  • Responder correctly authenticated
    • When initiator A completes the protocol apparently with honest responder B, it must be that B thinks he ran the protocol with A
  • Initiator correctly authenticated
    • When responder B completes the protocol apparently with honest initiator A, it must be that A thinks she ran the protocol with B
  • Initiator nonce secrecy
    • When an honest initiator completes the protocol with an honest peer, the intruder does not know the initiator's nonce.


From: J. Mitchell

[Lowe] Anomaly in Needham-Schroeder
  • A → E: { A, NA }Ke
  • E → B: { A, NA }Kb
  • B → E: { NA, NB }Ka
  • E → A: { NA, NB }Ka
  • A → E: { NB }Ke

Evil agent E tricks honest A into revealing private key NB from B

Evil E can then fool B


From: J. Mitchell
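The interleaved run above, replayed symbolically as an added example (not part of the original slides). Encryption is treated as a black box that only the named key owner can open; the agent names and nonce labels are constructed. The `fixed=True` branch goes beyond the slides and models Lowe's published repair, which adds the responder's name to message 2.

```python
def enc(owner, *fields):
    """Symbolic public-key encryption under `owner`'s public key."""
    return ("enc", owner, fields)

def dec(agent, msg):
    """Only the holder of the matching private key can open a ciphertext."""
    _, owner, fields = msg
    if owner != agent:
        raise PermissionError(f"{agent} cannot decrypt a message for {owner}")
    return fields

def run(fixed=False):
    """Replay the interleaving; return (peer B accepts, peer A chose, E's nonces).

    fixed=True uses message 2 = {NA, NB, B}Ka (Lowe's repair, an assumption
    added here; the slides only show the original protocol).
    """
    a_peer = "E"                       # honest A deliberately talks to E
    known_to_e = set()
    # Run 1, message 1: A -> E
    m1 = enc("E", "A", "NA")
    sender, na = dec("E", m1)
    known_to_e.add(na)
    # Run 2, message 1: E -> B, re-encrypted for B and still naming A
    claimed, na_seen = dec("B", enc("B", sender, na))
    # Run 2, message 2: B replies to the claimed initiator
    m2 = enc(claimed, na_seen, "NB", "B") if fixed else enc(claimed, na_seen, "NB")
    # E cannot open m2 (it is under Ka), so E forwards it unchanged to A
    fields = dec("A", m2)
    if fields[0] != "NA":
        return (None, a_peer, known_to_e)
    if fixed and fields[2] != a_peer:
        return (None, a_peer, known_to_e)   # A aborts: reply names B, not E
    # Run 1, message 3: A -> E returns NB under Ke
    (nb,) = dec("E", enc("E", fields[1]))
    known_to_e.add(nb)
    # Run 2, message 3: E -> B, which B accepts as coming from A
    (nb_seen,) = dec("B", enc("B", nb))
    b_peer = claimed if nb_seen == "NB" else None
    return (b_peer, a_peer, known_to_e)
```

With the original message 2, B finishes believing it ran the protocol with A while A only ever chose E as peer, which violates the "initiator correctly authenticated" property; with the responder's name included, A aborts and NB stays secret.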

Requirements and Properties
  • Authentication
    • Authentication, Secrecy
  • Trading
    • Fairness
  • Special applications (e.g., voting)
    • Anonymity and Accountability
  • Forward secrecy

Forward Secrecy

Compromised key: permits the disclosure of the data encrypted by the compromised key.

No additional keys can be generated from the compromised key.

Perfect Forward Secrecy: compromise of a single key will permit access to only data protected by a single key

Formal Methods
  • Combination of a mathematical or logical model of a system and its requirements and
  • Effective procedures for determining whether a proof that a system satisfies its requirements is correct.

Can be automated!

Security Analysis
  • Understand system requirements
  • Model
    • System
    • Attacker
  • Evaluate security properties
    • Under normal operation (no attacker)
    • In the presence of attacker
  • Security results: under given assumptions about system and about the capabilities of the attackers.

Explicit intruder model

[Diagram: Informal Protocol Description → Formal Protocol and Intruder Model → Analysis Tool → Find error]

From: J. Mitchell

Protocol Analysis Spectrum

[Figure: analysis approaches plotted on two axes, protocol complexity (low to high) and sophistication of attacks (low to high). Approaches shown: Hand proofs, Poly-time calculus, Symbolic methods (MSR), Spi-calculus, Athena, Paulson, NRL, Bolignano, BAN logic, Model checking, Protocol logic, FDR, Murφ.]

From: J. Mitchell

First Analysis Method
  • Dolev-Yao
  • Set of polynomial-time algorithms for deciding security of a restricted class of protocols
  • First to develop formal model of environment in which
    • Multiple executions of the protocol can be running concurrently
    • Cryptographic algorithms considered as “black boxes”
    • Includes intruder’s model
  • Tools based on Dolev-Yao
    • NRL protocol analyzer
    • Longley-Rigby tool

Intruder’s Behaviour

  • Kill a message
  • Sniff a message
  • Intercept the message
  • Re-route a message
  • Delay the delivery of the message
  • Reorder the messages
  • Replay the messages
  • Fake a message
  • Use encryption/decryption algorithms
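An added example (not from the original slides) of the "black box" intruder model used by Dolev-Yao style tools: the intruder's knowledge is the closure of everything sniffed under pair splitting and decryption with keys the intruder holds. The term encoding, the traces and the `leaks` helper are constructed for illustration.

```python
def pair(*items):
    return ("pair",) + items

def enc(owner, body):
    """Ciphertext under `owner`'s public key; crypto is a black box."""
    return ("enc", owner, body)

def analyze(observed, private_keys):
    """Close a set of terms under the intruder's analysis rules:
    split pairs, and open ciphertexts whose private key is held."""
    known = set(observed)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            parts = ()
            if isinstance(term, tuple) and term[0] == "pair":
                parts = term[1:]
            elif isinstance(term, tuple) and term[0] == "enc" and term[1] in private_keys:
                parts = (term[2],)
            for part in parts:
                if part not in known:
                    known.add(part)
                    changed = True
    return known

# Constructed traces: what the intruder E sniffs in each scenario.
HONEST_RUN = [enc("B", pair("A", "NA")), enc("A", pair("NA", "NB")), enc("B", "NB")]
INTERLEAVED = [enc("E", pair("A", "NA")), enc("A", pair("NA", "NB")), enc("E", "NB")]

def leaks(trace, secret, private_keys=("E",)):
    """True if `secret` is derivable from the trace with the given private keys."""
    return secret in analyze(trace, set(private_keys))
```

Sniffing alone reveals nothing in the honest run, while the interleaved run hands E both nonces without any weakness in the cipher; passing an extra key in `private_keys` models control over a network principal.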

Model checking
  • Two components
    • Finite state system
    • Specification of properties
  • Exhaustively search the state space to determine security
    • Check whether all possible behaviors are permitted

Theorem Prover
  • Theorems: properties of protocols
  • Prove or check proofs automatically
  • Could find flaws not detected by manual analysis
  • Do not give counterexamples like the model checkers

Logic
  • Burrows, Abadi, and Needham (BAN) logic
  • Logic of belief
  • Set of modal operators: describing the relationship of principal to data
  • Set of possible beliefs
  • Inference rules
  • Seems to be promising but weaker than state exploration tools and theorem proving (higher level abstraction)

Limitations of Formal Analysis

  • Mathematical models are approximations to reality
  • Hard to predict the intruder’s capabilities
  • Complexity

Evaluating a New Security Protocol
  • Establish
    • how the protocol works
    • what security properties it is intended to provide
    • which threats have been considered
  • Find obvious flaws
  • Use formal methods to evaluate the protocol

Next Class: Network Access Layer Security
