CSCE 813 Internet Security
Cryptographic Protocol Analysis
Internet Security - Farkas 2
Reading Assignment
Reading: P.Y.A. Ryan, S.A. Schneider, M.H. Goldsmith, G. Lowe and A.W. Roscoe, The Modelling and Analysis of Security Protocols: the CSP Approach, Section 0. Introduction, pages 1 – 37, and Section 0.8. http://www.computing.surrey.ac.uk/personal/st/S.Schneider/books/MASP.pdf
Protocol
Sequence of interactions between entities to achieve a certain end
Types of protocols:
– Diplomatic
– Communication
– Graduation
– Security
– Etc.
Security Protocols
Cryptographic protocols
Services: secrecy, integrity, authentication, key exchange, non-repudiation, etc.
Components: communicating parties (nodes), trusted third party, encryption algorithms, hash functions, timestamps, nonces, insecure communication channel, etc.
Security Analysis
Protocol analysis
Cryptanalysis
Performed independently
Disjoint communities
Cryptographic Protocols
Attackers’ capabilities
Security?
– Hostile environment
Vulnerabilities
– Weakness of cryptography
– Incorrect specifications
What is Protocol Analysis
Emerging Properties of Protocols
Greater interoperation
Negotiation of policy
Greater complexity
Group-oriented protocols
Emerging security threats
Attackers’ Capabilities
Read traffic
Modify traffic
Delete traffic
Perform cryptographic operations
Control over network principals
Attacks
Known attacks
– Can be picked up by careful inspection
Nonintuitive attacks
– Not easily apparent
– May not depend on flaws or weaknesses of cryptographic algorithms
– Use a variety of methods, e.g., statistical analysis, subtle properties of cryptographic algorithms, etc.
Types of Known Attacks
Man-in-the-middle (see the attack against Diffie-Hellman key exchange)
Reflection: bounces a message back at the agent to trick the originator into revealing the correct response (exploits the symmetry of the situation)
Oracle: tricks an honest agent into revealing a secret (exploits steps of the protocol)
Replay: replays part of previous protocol steps
Interleave: attacker contrives for 2 or more runs of the protocol to overlap (see the following example)
Example: Needham-Schroeder
Famous simple example (pages 30-31)
– Protocol published and known for 10 years
– Gavin Lowe discovered an unintended property while preparing a formal analysis using the FDR system
Subsequently rediscovered by every analysis method
From: J. Mitchell
Needham-Schroeder Crypto
Nonces
– Fresh, random numbers
Public-key cryptography
– Every agent A has a public encryption key Ka and a private decryption key Ka^-1
– Main properties: everyone can encrypt a message to A; only A can decrypt these messages
From: J. Mitchell
Needham-Schroeder Key Exchange
Message 1  A → B: { A, NonceA }Kb
Message 2  B → A: { NonceA, NonceB }Ka
Message 3  A → B: { NonceB }Kb
On execution of the protocol, A and B are guaranteed mutual authentication and secrecy.
From: J. Mitchell
Needham-Schroeder Properties
Responder correctly authenticated
– When initiator A completes the protocol apparently with honest responder B, it must be that B thinks he ran the protocol with A
Initiator correctly authenticated
– When responder B completes the protocol apparently with honest initiator A, it must be that A thinks she ran the protocol with B
Initiator nonce secrecy
– When an honest initiator completes the protocol with an honest peer, the intruder does not know the initiator's nonce
From: J. Mitchell
Anomaly in Needham-Schroeder
A → E: { A, NA }Ke
E (as A) → B: { A, NA }Kb
B → E (as A): { NA, NB }Ka
E → A: { NA, NB }Ka
A → E: { NB }Ke
Evil agent E tricks honest A into revealing B's nonce NB
Evil E can then fool B
[Lowe]
From: J. Mitchell
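The interleaving above, worked through as an added example (not code from the slides, from Mitchell or from Lowe): a symbolic model of the protocol in which E runs the two sessions, plus Lowe's fix of naming the responder in message 2. The `enc`/`dec` term encoding, the `Agent` class and the function names are constructed here.

```python
# Symbolic model of Needham-Schroeder public-key (NSPK) and Lowe's interleaving
# attack. Encryption is a term ("enc", owner, payload) that only `owner` can open.

def enc(owner, payload):
    return ("enc", owner, payload)          # {payload}K_owner

def dec(owner, term):
    """Open {payload}K_owner with owner's private key; None if not addressed to owner."""
    if term[0] == "enc" and term[1] == owner:
        return term[2]
    return None

class Agent:
    def __init__(self, name, lowe_fix):
        self.name, self.lowe_fix, self.nonce = name, lowe_fix, f"N{name}"
    # Initiator role: send message 1, then check message 2 and emit message 3.
    def init_start(self, peer):
        return enc(peer, (self.name, self.nonce))
    def init_finish(self, peer, msg2):
        body = dec(self.name, msg2)
        if body is None:
            return None
        if self.lowe_fix:                       # {NA, NB, B}Ka: responder is named
            na, nb, responder = body
            if responder != peer:
                return None                     # reply came from a different run
        else:                                   # original {NA, NB}Ka
            na, nb = body
        return enc(peer, (nb,)) if na == self.nonce else None
    # Responder role: answer message 1, then check message 3.
    def resp_reply(self, msg1):
        self.peer, na = dec(self.name, msg1)
        body = (na, self.nonce, self.name) if self.lowe_fix else (na, self.nonce)
        return enc(self.peer, body)
    def resp_finish(self, msg3):
        return dec(self.name, msg3) == (self.nonce,)

def lowe_attack_succeeds(lowe_fix):
    """True if E completes a run with B in which B believes its peer is A."""
    A, B = Agent("A", lowe_fix), Agent("B", lowe_fix)
    m1 = A.init_start("E")                      # run 1: A honestly talks to E
    a, na = dec("E", m1)                        # E opens it with its own key
    m2 = B.resp_reply(enc("B", (a, na)))        # run 2: E replays NA to B as "A"
    m3 = A.init_finish("E", m2)                 # E forwards {NA, NB}Ka unopened
    if m3 is None:
        return False                            # A notices B, not E, answered
    nb = dec("E", m3)[0]                        # A hands NB to E under Ke
    return B.resp_finish(enc("B", (nb,))) and B.peer == "A"
```

With the original message 2 the function returns True (B is fooled); with the fix A rejects the forwarded reply and it returns False.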
Requirements and Properties
Authentication
– Authentication, Secrecy
Trading
– Fairness
Special applications (e.g., voting)
– Anonymity and Accountability
Forward secrecy
Forward Secrecy
Compromised key: permits the disclosure of the data encrypted by the compromised key.
No additional keys can be generated from the compromised key.
Perfect Forward Secrecy: compromise of a single key will permit access to only data protected by a single key
Formal Methods
Combination of a mathematical or logical model of a system and its requirements and
Effective procedures for determining whether a proof that a system satisfies its requirements is correct.
Can be automated!
Security Analysis
Understand system requirements
Model
– System
– Attacker
Evaluate security properties
– Under normal operation (no attacker)
– In the presence of an attacker
Security results hold under the given assumptions about the system and about the capabilities of the attackers.
Explicit Intruder Model
[Figure: Informal Protocol Description → Formal Protocol → Analysis Tool, with the Intruder Model fed into the tool; output: Find error]
From: J. Mitchell
Protocol Analysis Spectrum
[Figure: protocol complexity (low to high) plotted against sophistication of attacks (low to high). Methods placed on the chart: Hand proofs, Paulson, Bolignano, BAN logic, Spi-calculus, Poly-time calculus, Mur, FDR, NRL, Athena, Model checking, Symbolic methods (MSR), Protocol logic.]
From: J. Mitchell
First Analysis Method
Dolev-Yao
Set of polynomial-time algorithms for deciding security of a restricted class of protocols
First to develop a formal model of an environment in which
– Multiple executions of the protocol can be running concurrently
– Cryptographic algorithms are considered as “black boxes”
– The intruder’s model is included
Tools based on Dolev-Yao
– NRL protocol analyzer
– Longley-Rigby tool
Intruder’s Behaviour
Kill a message
Sniff a message
Intercept the message
Re-route a message
Delay the delivery of the message
Reorder the messages
Replay the messages
Fake a message
Use encryption/decryption algorithms
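The Dolev-Yao intruder described above, as an added example not taken from the slides or from any of the tools named: symbolic term deduction in Python over a sniffed Needham-Schroeder run. The term encoding, the names `inv`, `synth`, `analyze` and `intruder_learns`, and the trace itself are all constructed here.

```python
# Dolev-Yao intruder deduction over symbolic terms: cryptography is a black box,
# and the intruder only learns what it can decompose or build from what it has.
# Terms: atoms (str), ("pair", x, y) or ("enc", key, payload).
# Key pairs are ("pub", A) / ("priv", A); any other key is symmetric.

def inv(key):
    """Key needed to open a term encrypted under `key`."""
    if isinstance(key, tuple) and key[0] in ("pub", "priv"):
        return ("priv" if key[0] == "pub" else "pub", key[1])
    return key                                # symmetric key is its own inverse

def synth(target, known):
    """Synthesis: can the intruder build `target` from what it knows?"""
    if target in known:
        return True
    if isinstance(target, tuple) and target[0] in ("pair", "enc"):
        return synth(target[1], known) and synth(target[2], known)
    return False

def analyze(observed):
    """Analysis: close the knowledge set under unpairing and under decryption
    with a derivable inverse key, iterating to a fixed point."""
    known = set(observed)
    while True:
        new = set()
        for t in known:
            if isinstance(t, tuple) and t[0] == "pair":
                new |= {t[1], t[2]}
            elif isinstance(t, tuple) and t[0] == "enc" and synth(inv(t[1]), known):
                new.add(t[2])
        if new <= known:
            return known
        known |= new

# Constructed trace: one honest NSPK run between A and B, sniffed by E.
PUBLIC = {("pub", x) for x in "ABE"} | set("ABE")     # public keys and names
TRACE = {
    ("enc", ("pub", "B"), ("pair", "A", "NA")),       # message 1
    ("enc", ("pub", "A"), ("pair", "NA", "NB")),      # message 2
    ("enc", ("pub", "B"), "NB"),                      # message 3
}

def intruder_learns(secret, extra_knowledge=frozenset()):
    """Does E derive `secret` from the trace, public data, its own private key
    and any extra terms (e.g. a private key assumed compromised)?"""
    known = analyze(TRACE | PUBLIC | {("priv", "E")} | set(extra_knowledge))
    return synth(secret, known)
```

A passive E learns neither nonce, while a compromised private key of A or B exposes them; `synth` also answers whether E can fake a message such as { E, NE }Kb from its own material.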
Model Checking
Two components
– Finite state system
– Specification of properties
Exhaustive search of the state space to determine security
– Check whether all possible behaviors are permitted
Theorem Prover
Theorems: properties of protocols
Prove or check proofs automatically
Could find flaws not detected by manual analysis
Does not give counterexamples like the model checkers do
Logic
Burrows, Abadi, and Needham (BAN) logic
Logic of belief
Set of modal operators describing the relationship of a principal to data
Set of possible beliefs
Inference rules
Seems promising but weaker than state exploration tools and theorem proving (higher level of abstraction)
Limitations of Formal Analysis
Mathematical models are approximations to reality
Hard to predict the intruder’s capabilities
Complexity
Evaluating a New Security Protocol
Establish
– how the protocol works
– what security properties it is intended to provide
– which threats have been considered
Find obvious flaws
Use formal methods to evaluate the protocol
NEXT CLASS: NETWORK ACCESS LAYER SECURITY