Embed Size (px)
Citation preview
08 Mai 2014!Security Protocols: Modelling and Verification!Prof. Indrumator - Cătălin Bîrjoveanu "
Duduman Bogdan Vlad!
1
TLS/SSL (Analysis)
Overview1. Introduction to the SSL / TLS protocol!
• Widely deployed, “real-world” security protocol!
• Well-understood, with detailed specifications!
• Good benchmark for analysis techniques!
2. Protocol analysis!
• //Starting with the RFC describing the protocol!
3. Tools
What is TLS/SSL?❖ Standard for Internet security!❖ “The primary goal of the TLS protocol is to provide privacy
and data integrity between two communicating applications ”!❖ In practice, used to protect information transmitted between
browsers and Web servers!❖ Based on Secure Sockets Layers protocol, ver 3.0!
• Same protocol design, different algorithms!❖ Deployed in nearly every web browser
SSL / TLS in the Real World
TCP/IP - TLS/SSL (1)
TCP/IP - TLS/SSL (2)
TLS (Transport Layer Security)❖ Provides a layer between TCP and
Application !❖ Itself a layered protocol:
Handshake over Record !❖ Record (sub)protocol!
❖ provides a private and reliable connection!
❖ Handshake (sub)protocol!❖ authenticates one or both parties,
negotiates security parameters!❖ establishes secret connection keys
for the Record protocol
TCP/IP - TLS/SSL (2)
History of the Protocol ❖ SSL 1.0!
❖ Netscape completed the design in early 1994 (Internally used)!❖ Data integrity protection!❖ RC4 allowed adversary to make predictable changes to the plaint text!❖ Vulnerable to replay attacks!
❖ SSL 2.0!❖ End of 1994, also has several problems!❖ Handshake protection - MITM undetected!!❖ Vulnerable to length extension attacks
History of the Protocol ❖ SSL 3.0!
❖ fixed previous attacks!❖ Netscape and Paul Kocher, 1996!❖ Taher Elgamal - inventor of SSL!
❖ TLS 1.0!❖ Internet standard based on SSL 3.0, 1999 !❖ RFC2246 (≈SSL3)
History of the Protocol
❖ TLS 1.1!
❖ 2006!
❖ RFC4346!
❖ TLS 1.2!
❖ 2008!
❖ RFC5246
Public-Key Encryption, CA & MITM
❖ “Symmetric” encryption!❖ Share secret key!❖ Hundred of peoples to
communicate?!❖ Distance
Key
Key
Them
You
Public-Key Encryption, CA & MITM
❖ Solution: public-key encryption!
❖ Share public key with whole world!
❖ No known practical way to gain the private key from pkey
Public-Key Encryption, CA & MITM
❖ Visiting first time “https”!❖ Browser create a random
private key A !❖ Generates corresponding
public key A(blue)
Public-Key Encryption, CA & MITM
❖ Server generate a random private key A !
❖ Session key established!❖ Intruder (MITM) ?!
Public-Key Encryption, CA & MITM
❖ MITM stops the communication!
❖ MITM create his own private key (red B)!
❖ Server doesn’t know if is the browser
Public-Key Encryption, CA & MITM
❖ MITM has the same session key (red key)!
❖ How to solve? !❖ Server and Browser can send
there public key and compare!
❖ what if MITM knows about that - he has the session key
Public-Key Encryption, CA & MITM
❖ Certificate Authority solves the problems!
❖ There is a single CA - Symantec (VeriSign)!❖ FedEx - Federal Express -
encryption key H!❖ MITM has the public key CA!❖ What browser and server can
do?
Public-Key Encryption, CA & MITM
❖ Server encrypts public key A with certificate key H!
❖ Browser do the same using the built-in CA
Public-Key Encryption, CA & MITM
❖ CA compares the 2 public keys!
❖ CA sends reply to them!
❖ What if MITM appear?!❖ the browser will
not be able to decrypt (key random R)
Obtaining an SSL Certificate
❖ XYZ Inc., intends to secure their customer checkout process, account management, and internal employee correspondence on their website, xyz.com.
❖ Steps:
1. XYZ creates a Certificate Signing Request (CSR) and during this process, a private key is generated.
2. XYZ goes to a trusted, third party Certificate Authority, such as Trustwave . Trustwave takes the certificate signing request and validates XYZ in a two step process. Trustwave validates that XYZ has control of the domain xyz.com and that XYZ Inc. is an official organization listed in public government records.
3. When the validation process is complete, Trustwave gives XYZ a new public key (certificate) encrypted with Trustwave's private key.
4. XYZ installs the certificate on their webserver(s).
How Customers Communicate with the Server using SSL
Steps: 1. A customer makes a connection to xyz.com on an SSL port, typically 443. This
connection is denoted with https instead of http. 2. xyz.com sends back its public key to the customer. Once customer receives it, his/
her browser decides if it is alright to proceed. 3. The xyz.com public key must NOT be expired 4. The xyz.com public key must be for xyz.com only 5. The client must have the public key for Trustwave installed in their browser
certificate store. 99.9% of all modern browsers (1998+) include the Trustwave root certificate. If the customer has Trustwave trusted public key, then they can trust that they are really communicating with XYZ, Inc.
How Customers Communicate with the Server using SSL
!7. If the customer decides to trust the certificate, then the customer will be sent to
xyz.com his/her public key. 8.xyz.com will next create a unique hash and encrypt it using both the customer's
public key and xyz.com's private key, and send this back to the client. 9.Customer's browser will decrypt the hash. This process shows that the xyz.com
sent the hash and only the customer is able to read it. 10.Customer and website can now securely exchange information!
Tools1.! Security Protocol Analysis!
❖ Scyther ❖ Scyther-proof ❖ Tamarin prover
2.! Access Control!❖ FPL
3.! Static Security Analysis!❖ FAST
4.! Protocol Testing!❖ SecFuzz
5.! Specification synthesis!❖ Mid-point synthesis
6.! Monitoring!❖ MonPoly
7! Isabelle/HOL frameworks!
❖ ProtoVeriPhy ❖ Developing Security Protocols by
Refinement ❖ Verification of IBM 4765's
Persistent Memory Manager 8. Avispa!9. ProVerif
The Scyther Tool
❖ Tool for the formal analysis of security protocols !❖ it is assumed that all cryptographic functions are
perfect: the adversary learns nothing from an encrypted message unless he knows the decryption key.!
❖ Description of a protocol in the spdl language !❖ based on the operational semantics !
❖ spdl (Security Protocol Description Language)
The Scyther Tool
❖ Analysis of infinite sets of traces in terms of patterns!❖ Support for multi-protocol analysis!❖ Assist in the analysis of classes of attacks and possible
protocol behaviours, or to prove correctness for an unbounded number of protocol sessions.!
❖ Can optionally output the proof tree (by using the backend).!❖ The tool provides useful results even in the case that no
attack is found
The Scyther Tool
❖ ProVerif or the Avispa tools have shown to be effective at finding attacks on protocols (Avispa) or establishing correctness of protocols (ProVerif).!
❖ Scyther offer verification, falsification, and the analysis of security protocols.!
❖ Performance
Installation Scyther Tool
❖ Scyther can be downloaded from the following website:!
❖ http://users.ox.ac.uk/~coml0529/scyther/ !
❖ Installation instruction are included in the downloadable Scyther archives. Scyther is available for the Windows, Linux and Mac OS platforms.
Scyther Input File
❖ A minimal input file:!!
protocol ExampleProtocol(I,R) {! role I { };! role R { };!};
Input Language❖ Main purpose of the language is to describe protocols, which are defined by a set
of roles.!❖ Protocol definition takes as a parameter a sequence of roles, which are then
defined within its body.!❖ Roles - are sequences of events, i. e., declarations, send, receive, or claim events.!❖ Security protocols rely on generating random values. Can be specified by
declaring them inside a role definition using the fresh declaration.!❖ role X(...) {!❖ fresh Na: Nonce;!❖ send_1(X,Y,Na);!❖ }
Input Language❖ To receive a nonce into a variable with name Na, we specify:!
❖ role Y(...) {!❖ var Na: Nonce;!❖ recv_1(X,Y,Na);!❖ }!
❖ Local declaration!❖ Two terms can combined into a term pair: we write (x,y)!❖ Symmetric keys: { ni }kir!❖ Asymmetric keys: { ni } pk(I)
Input Language
❖ Hash functions are essentially encryptions with a function, of which the inverse is not known by anybody:!❖ global declaration: hashfunction H1!❖ how are used: H1(ni);!
❖ Types: Agent, Function, Nonce, Ticket!❖ You can define a new type: user type!❖ Recv and Send events mark receiving and sending a message!
Input Language❖ Claim events are used in role specifications to model intended security
properties. For example, the following claim event models that Ni is meant to be secret!❖ claim(I, Secret, Ni);!
❖ Claim types:!❖ Secret!❖ SKR, echivalent to Secret but additionally mark the parameter term as a
session-key!
❖ Alive - Aliveness (of all roles) !
❖ Weakagree - Weak agreement (of all roles)
Input Language❖ Claim types:!
❖ Nisynch (Authentification Property, Non-injective Synchronisation)!
❖ Niagree (Authentification Property, Non-injective Agreement)!
❖ Reachable!
❖ when this claim is verified, Scyther will check whether this claim can be reached at all. It is true iff there exists a trace in which this claim occurs. This can be useful to check if there is no obvious error in the protocol specification, and is in fact inserted when the --check mode of Scyther is used.!
❖ Empty!
❖ this claim will not be verified, but simply ignored. It is only useful when Scyther is used!
–
It’s time to see TLS on Scyther Tool
Simplified TLS key transport protocol ❖ Protocol 4.24 is a simplified version of one possible protocol which
transports the 'pre- master secret', PMK, from the client A to the server B"
❖ Session key Kab is calculated as Kab = MACpmk(Na,Nb)"
❖ TLS protocol specifies that four different session keys must be derived from the pre-master secret: one for encryption and one for data integrity (MAC calculation) in each direction. !
Simplified TLS key transport protocol ❖ Message sequences Mess_Seq1, Mess_Seq2 and Mess_Seq3 consist of
hashes of the sequence of all previous exchanged messages up to that point using a hash function H.!
❖ Mess_Seq1 = H(Na, Nb, Eb(PMK)).!
Bibliografie1. Protocols for Authentication and Key Establishment - C.Boyd, A.Mathuria!
2. Operational Semantics of Security Protocols - Cas Cremers and Sjouke Mauw, Eindhoven University of Technology, Department of Mathematics and Computer Science!
3. How SSL works!
4. Security Tools!
5. Scyther Manual!
6. http://blogs.msdn.com/b/kaushal/archive/2013/08/03/ssl-handshake-and-https-bindings-on-iis.aspx!
7. http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Secure_Socket_Layer.html
