Security attacks

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to


Page 1

Security attacks

Page 2

Security services

- confidentiality: only authorized parties have read access to information
- integrity: only authorized parties have write access to information
- availability: authorized access to information when needed
- authenticity: identity claims (user, message source) can be verified
- non-repudiation: message exchange can be proved by sender and receiver
- authorization: information / system / resource access control

Page 3

Secret-key cryptography

Page 4

Public-key cryptography

Page 5

Encryption modes

- Electronic Code Book mode (ECB)
- Output Feedback mode (OFB)

Page 6

Hash function

Page 7

Signature

Page 8

What is CSP?

CSP (Communicating Sequential Processes) is a notation for describing systems of parallel agents that communicate by passing messages.

CSP is a notation for describing interaction.

Page 9

CSP - Basic Building Blocks

- Visible Events and Internal Action
- Basic Operators
- Parallelism
- Advanced Constructs: Hiding, Renaming

Operators:

- $Stop$: the process that does nothing
- $a \to P$: event prefix
- $?x:A \to P$: event prefix choice
- $c?x:A \to P$: input prefix choice
- $P \mathbin{\Box} Q$: choice between two processes
- $\Box\, S$: general choice
- $P \sqcap Q$: nondeterministic choice
- $\sqcap\, S$: general nondeterministic choice
- $P \parallel Q$: lockstep parallel
- $P \mathbin{{}_X\!\parallel_Y} Q$: synchronizing parallel
- $P \parallel_X Q$: interface parallel
- $|||\, S$: general interleaving
- $P \setminus X$: event hiding
- $P[\![R]\!]$: process relational renaming
- $Skip$: successful termination
- $P ; Q$: sequential composition
- $P = F(Q)$: recursive definition

Page 10

Process Behavior

- Deadlocks, Livelocks, Nondeterminism
- Traces model of CSP
- Recursion
- Time: Timed CSP or tock Event

Page 11

Modeling security protocols in CSP

Security protocols work through the interaction of a number of processes in parallel that send each other messages.

We describe how this is done, concentrating specifically on how protocol models can be built that allow us to probe for security flaws.

We will study more precisely the Yahalom protocol:

Page 12

The three participants A, B and S respectively perform:

Page 13

An initiator process equipped with only one nonce and using server S is:

The responder role has a similar program (again, assuming it has just one nonce to use)

Page 14

The server process definition can be expressed as follows:

To model the risky world of communication, we add an intruder process into the network:

The intruder's only source of knowledge is what he observes being communicated, and he can only decrypt an encrypted message if he has the appropriate key.

Page 15

An intruder process can, at any stage, perform any action that is cryptographically justifiable:

- Overhear and/or block messages that one agent sends to another, including servers.
- Generate any message that can be built on the basis of what the intruder has heard, knew initially, or might legitimately have made up.
- Act as a regular agent: the intruder will have all information that regular agents would have.

We want runs between our two agents to be secure even if there are other agents around who are corrupted.
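The intruder's knowledge rules above (learn only from observed traffic, decrypt only with the right key, build anything from known parts) can be checked mechanically. The following is an added example, not part of the original slides: the tuple encoding of messages, the function names and the intruder's assumed initial knowledge are illustrative choices, and keys are treated as symmetric.

```python
# Added example. Terms are constructed for illustration:
#   atom        -> str, e.g. "na" or "ServerKey(b)"
#   m1.m2...    -> ("cat", m1, m2, ...)
#   {body}key   -> ("enc", key, body)

def cat(*parts):
    return ("cat",) + parts

def enc(key, body):
    return ("enc", key, body)

def synthesisable(goal, known):
    """Can `goal` be built by concatenating/encrypting terms in `known`?"""
    if goal in known:
        return True
    if isinstance(goal, tuple) and goal[0] == "cat":
        return all(synthesisable(p, known) for p in goal[1:])
    if isinstance(goal, tuple) and goal[0] == "enc":
        return synthesisable(goal[1], known) and synthesisable(goal[2], known)
    return False

def analyse(knowledge):
    """Close `knowledge` under splitting and decryption with a derivable key."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if not isinstance(term, tuple):
                continue
            if term[0] == "cat":
                new = set(term[1:])
            elif synthesisable(term[1], known):  # "enc" whose key is available
                new = {term[2]}
            else:
                continue
            if not new <= known:
                known |= new
                changed = True
    return known

def can_derive(goal, knowledge):
    """True if the intruder can produce `goal` from what it holds."""
    return synthesisable(goal, analyse(knowledge))

# One overheard Yahalom run between a and b (message shapes as on the slides).
MSG1 = cat("a", "na")
MSG2 = cat("b", enc("ServerKey(b)", cat("a", "na", "nb")))
MSG3 = cat(enc("ServerKey(a)", cat("b", "kab", "na", "nb")),
           enc("ServerKey(b)", cat("a", "kab")))
MSG4 = cat(enc("ServerKey(b)", cat("a", "kab")), enc("kab", "nb"))
OBSERVED = {MSG1, MSG2, MSG3, MSG4}
# Assumed initial knowledge: agent names and the intruder i's own server key.
INITIAL = {"a", "b", "i", "ServerKey(i)"}

if __name__ == "__main__":
    k = INITIAL | OBSERVED
    for goal in ("na", "nb", "kab"):
        # second column: same question once b's server key is compromised
        print(goal, can_derive(goal, k), can_derive(goal, k | {"ServerKey(b)"}))
```

The nonce `na` travels in clear and is always derivable; `nb` and `kab` become derivable only once a long-term key such as `ServerKey(b)` is in the intruder's hands.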

Page 16

Expressing Protocol Goals

Protocols are designed to achieve particular security properties in the presence of particular kinds and levels of threat.

We will concentrate on secrecy and authentication properties. Other properties, like anonymity and non-repudiation, will also be discussed.

Page 17

Secrecy

If a particular data item m is intended to be secret at the end of the protocol run, then a message Claim_secret will be inserted at the end of the description of the protocol run.

The secrecy property will state that the intruder cannot obtain m during a run of the protocol.

Page 18

Authentication

Verification of an entity’s claimed identity

- Commit.b.a ~ Agent b has completed a protocol run, apparently with a
- Running.a.b ~ Agent a is following a protocol run, apparently with b

If Running.a.b must always have occurred by the time the Commit.b.a event is performed, then authentication of a to b is achieved.

In addition to simple signals, authentication events can include additional information ds (nonces, keys, etc.)

Page 19

Authentication Schemes

1. Agent b requires that the other agent a is alive and has not failed.

   This is ensured if Commit.b.a.ds provides evidence simply that a has participated in some recent communication. Any data ds will suffice.

2. Agent b might require authentication in a run in which a took b to be the other participant.

   In this case Commit.b.a.ds will guarantee it given that Running.a.b.ds’ occurred previously, although ds and ds’ need not be the same information.

3. Agent b might require that a be authenticated to have participated with b in one particular run.

   This time a sequence of events is required, similar to that required by the previous example, though both events must agree on some information.

Page 20

Modeling: Trace Specification

We need to express the requirement

Event e precedes event d

We can use a trace specification

$$tr' \frown \langle d \rangle \le tr \;\Rightarrow\; e \ \mathrm{in}\ tr'$$

Page 21

Modeling Yahalom (1)

Authentication of initiator to responder
Case 3 ~ Stricter Authentication

- Nonces ($n_a$, $n_b$)
- Cryptographic Key ($k_{ab}$)

$$a \in Honest \;\Rightarrow\; \text{signal.Running\_Initiator}.a.b.n_a.n_b.k_{ab} \ \text{ precedes } \ \text{signal.Commit\_Responder}.b.a.n_a.n_b.k_{ab}$$
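The "e precedes d" requirement on Running and Commit signals can be evaluated directly over recorded traces. The following is an added example, not part of the original slides: the event tuples, the `HONEST` set, the function names and all sample traces are constructed for illustration. It covers the stricter case (agreement on both nonces and the key) and the looser case 2 from the authentication schemes (agreement on the nonces only).

```python
# Added example. Events are tuples: (signal_name, agent, peer, *ds).
HONEST = {"a", "b"}          # assumption: "i" is the corrupted agent

def precedes(e, d, tr):
    """Trace specification 'e precedes d': whenever d occurs in tr,
    e occurs somewhere in the part of tr before it."""
    return all(e in tr[:i] for i, ev in enumerate(tr) if ev == d)

def initiator_to_responder(tr):
    """Stricter case: Commit_Responder.b.a.ds needs an earlier
    Running_Initiator.a.b.ds with identical ds = (na, nb, kab),
    provided a is honest. Returns the offending Commit events."""
    bad = []
    for ev in tr:
        if ev[0] == "Commit_Responder":
            _, b, a, *ds = ev
            running = ("Running_Initiator", a, b, *ds)
            if a in HONEST and not precedes(running, ev, tr):
                bad.append(ev)
    return bad

def responder_to_initiator(tr):
    """Looser case: Commit_Initiator.a.b.na.nb.kab needs an earlier
    Running_Responder.b.a.na.nb; the key is not part of the agreement."""
    bad = []
    for ev in tr:
        if ev[0] == "Commit_Initiator":
            _, a, b, na, nb, _kab = ev
            running = ("Running_Responder", b, a, na, nb)
            if b in HONEST and not precedes(running, ev, tr):
                bad.append(ev)
    return bad

# Constructed traces (signal events only).
GOOD = [
    ("Running_Responder", "b", "a", "na", "nb"),
    ("Running_Initiator", "a", "b", "na", "nb", "kab"),
    ("Commit_Initiator", "a", "b", "na", "nb", "kab"),
    ("Commit_Responder", "b", "a", "na", "nb", "kab"),
]
# b commits to a key that a was never running with.
KEY_MISMATCH = [
    ("Running_Initiator", "a", "b", "na", "nb", "kab"),
    ("Commit_Responder", "b", "a", "na", "nb", "kx"),
]
# b commits before a's Running signal has occurred.
WRONG_ORDER = [
    ("Commit_Responder", "b", "a", "na", "nb", "kab"),
    ("Running_Initiator", "a", "b", "na", "nb", "kab"),
]
# b commits to a run with the corrupted agent: no guarantee is claimed.
DISHONEST_PEER = [("Commit_Responder", "b", "i", "ni", "nb", "kib")]
# Looser case tolerates a key the responder never confirmed.
LOOSE_KEY = [
    ("Running_Responder", "b", "a", "na", "nb"),
    ("Commit_Initiator", "a", "b", "na", "nb", "kx"),
]
```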

Page 22

Modeling Yahalom (2)

CSP Specification

Provided that the initiator is honest, we guarantee authentication given that the ds information matches in the scheme signals.

The Running_initiator event correctly precedes the Commit_Responder event and it is also correctly performed after all the necessary information has been sent back and forth and is thus available to both parties.

Initiator a, Responder b:

- a.na
- b.{a.na.nb}ServerKey(b)
- {b.kab.na.nb}ServerKey(a).{a.kab}ServerKey(b)
- Run_Init.a.b.na.nb.kab
- {a.kab}ServerKey(b).{nb}kab
- Com_Resp.b.a.na.nb.kab

$$
\begin{aligned}
Initiator(a, n_a) ={}& env?b{:}Agent \to send.a.b.a.n_a \to \\
& \mathop{\Box}_{k_{ab} \in Key,\ n_b \in Nonces,\ m \in T} \big(\, receive.J.a.\{b.k_{ab}.n_a.n_b\}_{ServerKey(a)}.m \to \\
& \qquad \text{signal.Running\_Initiator}.a.b.n_a.n_b.k_{ab} \to \\
& \qquad send.a.b.m.\{n_b\}_{k_{ab}} \to Session(a, b, k_{ab}, n_a, n_b) \,\big)
\end{aligned}
$$

$$
\begin{aligned}
Responder(b, n_b) ={}& \mathop{\Box}_{k_{ab} \in Key,\ a \in Agent,\ n_a \in Nonce} \big(\, receive.a.b.a.n_a \to \\
& \qquad send.b.J.b.\{a.n_a.n_b\}_{ServerKey(b)} \to \\
& \qquad receive.a.b.\{a.k_{ab}\}_{ServerKey(b)}.\{n_b\}_{k_{ab}} \to \\
& \qquad \text{signal.Commit\_Responder}.b.a.n_a.n_b.k_{ab} \to \\
& \qquad Session(b, a, k_{ab}, n_a, n_b) \,\big)
\end{aligned}
$$

Page 23

Modeling Yahalom (3)

Authentication of responder to initiator
Case 2 ~ Looser Authentication

- Nonces ($n_a$, $n_b$) ~ Required
- Cryptographic Key ($k_{ab}$) ~ Not required

$$b \in Honest \;\Rightarrow\; \text{signal.Running\_Responder}.b.a.n_a.n_b \ \text{ precedes } \ \text{signal.Commit\_Initiator}.a.b.n_a.n_b.k_{ab}$$

Page 24

Modeling Yahalom (4)

CSP Specification

Provided that the responder is honest, any commitment should establish that a corresponding Running event has previously occurred. This assurance is independent of the key that the initiator has committed to, but it does require agreement on the nonces.

Once again, the Commit signal must occur at the very end of the run of the protocol, although, this time the Running event may occur right after the first signal, since the two events must only agree on the nonces, given that $n_a$ is available after the first message is sent, while $n_b$ is picked by the responder. As a consequence of such a situation, a has a weaker authentication than b, in the sense that the protocol does not provide any guarantees to a that b will ever obtain the key, and so authentication does not rely upon concordance of the cryptographic key.

$$
\begin{aligned}
Initiator(a, n_a) ={}& env?b{:}Agent \to send.a.b.a.n_a \to \\
& \mathop{\Box}_{k_{ab} \in Key,\ n_b \in Nonces,\ m \in T} \big(\, receive.J.a.\{b.k_{ab}.n_a.n_b\}_{ServerKey(a)}.m \to \\
& \qquad send.a.b.m.\{n_b\}_{k_{ab}} \to \\
& \qquad \text{signal.Commit\_Initiator}.a.b.n_a.n_b.k_{ab} \to \\
& \qquad Session(a, b, k_{ab}, n_a, n_b) \,\big)
\end{aligned}
$$

$$
\begin{aligned}
Responder(b, n_b) ={}& \mathop{\Box}_{k_{ab} \in Key,\ a \in Agent,\ n_a \in Nonce} \big(\, receive.a.b.a.n_a \to \\
& \qquad \text{signal.Running\_Responder}.b.a.n_a.n_b \to \\
& \qquad send.b.J.b.\{a.n_a.n_b\}_{ServerKey(b)} \to \\
& \qquad receive.a.b.\{a.k_{ab}\}_{ServerKey(b)}.\{n_b\}_{k_{ab}} \to \\
& \qquad Session(b, a, k_{ab}, n_a, n_b) \,\big)
\end{aligned}
$$

Page 25

Non-repudiation

It satisfies the need of sending and receiving messages providing the parties involved with evidence so that neither of them can successfully deny at a later time that the communication has effectively taken place as agreed.

Evidence is often in the form of signed messages, which provide guarantees concerning their originator.

Non-repudiation might also provide mechanisms to guarantee fairness.

No party should ever – at any time – have the evidence that they require without the other party also having the required evidence.

Page 26

Non-repudiation (2)

Non-repudiation properties are expressed in a similar way to authentication:

- The occurrence of some event guarantees that some previous message was sent.
- The provision of a certain piece of evidence should guarantee that a particular message was previously sent by a particular party.

The main objective of a non-repudiation protocol is thus that of creating the evidence for the parties involved.

1. Correctness will be concerned with the suitability of the evidence.
2. Analysis will need to take into consideration the fact that each party might have acted not in compliance with the protocol.

So each party is modeled almost as an intruder.

Page 27

Non-repudiation (3)

If each agent involved in the protocol is able to fire an event of the form evidence.a.m for an agent a and a message m, the non-repudiation property for the agent a is modeled as

evidence.a.m in tr => b sent m’

Agent b is not required to be acting in compliance with the protocol so a cannot be guaranteed that message m’ was actually sent by b as a well-formed, complete message in accordance with the protocol specifications. The non-repudiation property, though, guarantees a that m’ was somehow issued by b.

So, the sent predicate is actually defined as follows:

a sent m = ∃ M : Fact ; b : Agent (send.a.b.M in tr & M contains m)

Page 28

Anonymity

It is an unusual property for security protocols to ensure, since it’s mostly required by malicious actions rather than well-formed secured communication protocols.

Its main objective is that of protecting the identity of agents with respect to particular events or messages.

- The messages need not be protected.
- The model includes and distinguishes between two different entities:
  1. the identity of the agents who sent a message
  2. the content of the message itself.

Page 29

Anonymity (2)

A data item that could have originated from one agent could equally have been produced by any other.

We define a set Anonusers, which includes all users whose identities should be masked.

Then, the set of messages we wish to confuse for a given piece of information x is given by the set A

$$A = \{\, a.x \mid a \in Anonusers \,\}$$

In the CSP model, one will provide anonymity on the set A if any arbitrary permutation of the events in A, applied to all the traces of the system, for every occurrence of the set, does not change the consistence and the identity of the traces of the Anonusers agents.