Wrestling between Safeguard and Attack - PowerPoint PPT Presentation

Provided by: sheng7

Transcript and Presenter's Notes


1
Wrestling between Safeguard and Attack
  • --- An example for security flaws

2
It is so easy to be flawed in cryptography!
  • Cryptographic algorithms, protocols, and systems
    usually contain security flaws.
  • How can we deal with flaws? Fix them.
  • But the fixed versions may again contain flaws.
  • In this lecture, we show an example of
    attack-fix-attack-fix-

3
Preliminaries: Starting from Encryption
[Figure: Encryption with the encryption key turns the cleartext "Hello, how are you?" into the ciphertext 00111010001001 11110100001010; Decryption with the decryption key turns it back.]

4
Private Key versus Public Key
  • Private (Symmetric) Key Cryptosystem
  • Encryption key = Decryption key
  • Public (Asymmetric) Key Cryptosystem
  • Encryption key ≠ Decryption key
  • The encryption key is often called the public key.
  • The decryption key is often called the private key.
  • Note the difference between a private key
    cryptosystem and a private key.

5
Typical Use of Public Key Cryptosystem
  • Each party has a private/public key pair.
  • The public key is well-known.
  • Others use this key to encrypt messages sent to
    this party.
  • The private key is known only by this party.
  • This party uses it to decrypt the received
    messages.
  • All other parties do not know this private key,
    and thus can't decrypt this party's received
    messages.

6
Notations for Encryption/Decryption
  • We use A(x) to denote the application of
    algorithm A to input x.
  • Thus E(k,m) denotes encrypting cleartext m with
    encryption algorithm E and encryption key k.
  • Similarly, D(k,C) denotes decrypting ciphertext C
    with decryption algorithm D and encryption key k.

7
More Notations and Assumptions
  • For simplicity, we often write {m}_k instead of
    E(k,m).
  • We assume:
  • Without knowing the decryption key, one cannot learn
    anything about m from {m}_k.
  • One cannot learn anything about the decryption
    key from {m}_k (and from k in a public key
    cryptosystem).
  • Recall the decryption key is k in a private key
    cryptosystem and it is the corresponding private
    key in a public key cryptosystem.

8
Security Model: Dolev-Yao
  • Besides the preliminary knowledge, we need to
    know the security model before talking about the
    example.
  • We use the well-known Dolev-Yao model.

9
Dolev-Yao Model (1)
  • The adversary can do the following things:
  • Obtain any message passing through the network.
  • Act as a legitimate user of the network and thus
    initiate a conversation with any other user.
  • Have the opportunity to receive messages.
  • Impersonate others to send messages.

10
Dolev-Yao Model (2)
  • The adversary can't do the following things:
  • Guess a random number chosen from a sufficiently
    large space (i.e., the random number generator is
    good).
  • Control or read each honest participant's
    computer (i.e., the local computer is
    trustworthy).

11
Our Example Problem: Authenticated Key Setup
  • Participants: Alice, Bob, and Trent.
  • Trent is trustworthy.
  • Shared keys:
  • K_AT shared by Alice and Trent
  • K_BT shared by Bob and Trent.
  • Goal: a new key shared between Alice and Bob.

12
Protocol 0
  • Alice: pick K.
  • Alice → Trent: Alice, Bob,
  • Trent: decrypt to get K.
  • Trent → Bob: Alice, Bob,
  • Bob: decrypt to get K.
  • Bob → Alice: {Hello, Alice, I'm Bob}_K

13
Bad Feature of Protocol 0
  • Alice decides the shared key K.
  • Bob may not be happy with that.
  • Since Trent is trustworthy, we would rather let
    Trent generate K.

14
Protocol 1
  • Alice → Trent: Alice, Bob
  • Trent: pick K.
  • Trent → Alice: ,
  • Alice: decrypt to get K.
  • Alice → Bob: Trent, Alice,
  • Bob: decrypt to get K.
  • Bob → Alice: {Hello, Alice, I'm Bob}_K

15
Attack on Protocol 1
  • Malice (the bad guy) can intercept messages and
    play the man in the middle:
  • Alice → Trent (intercepted by Malice): Alice, Bob
  • Malice impersonates Alice → Trent: Alice, Malice
  • Trent: pick K.
  • Trent → Alice: ,
  • Alice: decrypt to get K.
  • Alice → Bob (intercepted by Malice): Trent,
    Alice,
  • Malice: decrypt to get K.
  • Malice impersonates Bob → Alice: {Hello, Alice,
    I'm Bob}_K

Result: Alice believes Malice is Bob!

16
What's wrong with Protocol 1?
  • There is no protection on the 'Bob' in the first
    message from Alice to Trent.
  • So it is easy for Malice to replace it with
    'Malice'.
  • What if Alice encrypts 'Bob' in this message?
  • Then Malice can't replace 'Bob' in this way.

17
Protocol 2
  • Alice → Trent: Alice,
  • Trent: pick K.
  • Trent → Alice: ,
  • Alice: decrypt to get K.
  • Alice → Bob: Trent, Alice,
  • Bob: decrypt to get K.
  • Bob → Alice: {Hello, Alice, I'm Bob}_K

18
Attack on Protocol 2
  • Suppose Malice intercepts
    from a previous run of the protocol between Alice
    and Malice.
  • Alice → Trent (intercepted by Malice): Alice,
  • Malice impersonates Alice → Trent: Alice,
  • Trent: pick K.
  • Trent → Alice: ,
  • Alice: decrypt to get K.
  • Alice → Bob (intercepted by Malice): Trent,
    Alice,
  • Malice: decrypt to get K.
  • Malice impersonates Bob → Alice: {Hello, Alice,
    I'm Bob}_K

The rest is similar to the Attack on Protocol 1.
Result: Alice believes Malice is Bob!

19
What's wrong with Protocol 2?
  • It is not clear in the messages who are the
    participants of this protocol.
  • In our attack, Trent thinks Alice is trying to
    talk with Malice, but Alice thinks she is trying
    to talk with Bob.
  • Can we make this clear?
  • Yes, we can add the protocol participants to some
    cleartexts to avoid such attacks.

20
Protocol 3
  • Alice → Trent: Alice, Bob
  • Trent: pick K.
  • Trent → Alice: ,
  • Alice: decrypt to get K; check
    Bob's ID.
  • Alice → Bob: Trent,
  • Bob: decrypt to get K; check
    Alice's ID.
  • Bob → Alice: {Hello, Alice, I'm Bob}_K

21
Attacks on Protocols 1 & 2 no longer work for
Protocol 3
  • Alice → Trent (intercepted by Malice): Alice, Bob
  • Malice impersonates Alice → Trent: Alice, Malice
  • Trent: pick K.
  • Trent → Alice: ,
  • Alice: decrypt to get K; check
    Bob's ID
  • Detect cheating!

22
Attack on Protocol 3
  • Suppose Malice intercepts
    ,
    from a previous run of the protocol between Alice
    and Bob.
  • Alice → Trent: Alice, Bob
  • Trent: pick K.
  • Trent → Alice (intercepted by Malice):
    ,
  • Malice impersonates Trent → Alice:
    ,
  • Alice: decrypt to get K; check
    Bob's ID.
  • Alice → Bob: Trent,
  • Bob: decrypt to get K; check
    Alice's ID.
  • Bob → Alice: {Hello, Alice, I'm Bob}_K

Result: Alice and Bob are using an old key K!

23
Replay Attack
  • Such an attack that replays old messages from
    previous runs of the protocol is called a message
    replay attack.
  • Message replay attack is a frequently used
    technique to break cryptographic protocols.

24
Preventing Replay
  • We can add a nonce to the message.
  • The nonce is a fresh random number.
  • The reply to this message also contains the
    nonce (or something derived from the nonce).
  • Therefore, the nonce identifies the session.
  • A message from a previous session can be detected
    by checking the nonce.

25
Protocol 4 (Needham-Schroeder Symmetric Key
Authentication)
  • Alice: pick nonce N_A.
  • Alice → Trent: Alice, Bob, N_A
  • Trent: pick K.
  • Trent → Alice:
  • Alice: decrypt
    to get K; check Bob's ID and N_A.
  • Alice → Bob: Trent,
  • Bob: decrypt to get K; check
    Alice's ID.
  • Bob: pick nonce N_B.
  • Bob → Alice: {N_B, I'm Bob}_K
  • Alice → Bob: {N_B - 1, I'm Alice}_K
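
The check that separates Protocol 3 from Protocol 4, as an added example (not part of the original slides): Alice's acceptance test for Trent's reply, run against a reply recorded from an earlier run. Encryption is modeled symbolically per the slide 7 assumptions; the reply layout and the names Sealed, unseal, trent_reply and alice_accepts are assumptions, since the encrypted terms did not survive in this transcript.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Sealed:
    """Symbolic ciphertext {payload}_key: unreadable without key (slide 7)."""
    key: bytes
    payload: tuple

def unseal(key, box):
    if box.key != key:
        raise ValueError("wrong key")
    return box.payload

def trent_reply(k_at, k_bt, peer, nonce):
    """Trent picks a fresh K. Assumed layout: {nonce, K, peer, {K, Alice}_KBT}_KAT."""
    k = secrets.token_bytes(16)
    return Sealed(k_at, (nonce, k, peer, Sealed(k_bt, (k, "Alice"))))

def alice_accepts(k_at, reply, wanted_peer, my_nonce=None):
    """Protocol 3 check if my_nonce is None (peer ID only), else Protocol 4 check."""
    nonce, k, peer, _ticket = unseal(k_at, reply)
    if peer != wanted_peer:
        return None   # Trent was asked about a different peer (slide 21)
    if my_nonce is not None and nonce != my_nonce:
        return None   # reply answers some other run: replay detected
    return k

def demo():
    k_at, k_bt = secrets.token_bytes(16), secrets.token_bytes(16)
    # Constructed sample: Trent's reply from an earlier run, recorded off the wire.
    old_reply = trent_reply(k_at, k_bt, "Bob", secrets.token_bytes(16))
    old_key = unseal(k_at, old_reply)[1]
    # New run: Alice picks a fresh N_A; the old reply is delivered instead of Trent's.
    n_a = secrets.token_bytes(16)
    fresh = trent_reply(k_at, k_bt, "Bob", n_a)
    swapped = trent_reply(k_at, k_bt, "Malice", n_a)
    return {
        "p3_accepts_replay": alice_accepts(k_at, old_reply, "Bob") == old_key,
        "p4_accepts_replay": alice_accepts(k_at, old_reply, "Bob", n_a) is not None,
        "p4_accepts_fresh": alice_accepts(k_at, fresh, "Bob", n_a) is not None,
        "accepts_swapped_peer": alice_accepts(k_at, swapped, "Bob", n_a) is not None,
    }

if __name__ == "__main__":
    print(demo())
```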

26
Attack on Protocol 4
Suppose Malice intercepts from a
previous session between Alice and Bob; suppose
Malice knows the old key K.
  • Alice: pick nonce N_A.
  • Alice → Trent: Alice, Bob, N_A
  • Trent: pick K.
  • Trent → Alice:
  • Alice: decrypt
    to get K; check Bob's ID
    and N_A.
  • Alice → Bob (intercepted by Malice): Trent,
  • Malice: block the communication between Alice and
    Bob forever.
  • Malice impersonates Alice → Bob: Trent,
  • Bob: decrypt to get K; check
    Alice's ID.
  • Bob: pick nonce N_B.
  • Bob → Alice (intercepted by Malice): {N_B, I'm
    Bob}_K
  • Malice impersonates Alice → Bob: {N_B - 1, I'm
    Alice}_K

27
Result of Attack
  • Malice can impersonate Alice!
  • The Needham-Schroeder symmetric key
    authentication protocol is a very famous
    protocol, widely applied in practice.
  • But this attack was found 3 years after the
    protocol was published.

28
What's wrong with Protocol 4?
  • Use of a nonce can't fully prevent replay attacks.
  • A stronger measure against replay is a timestamp.
  • Include the current time when sending a message.
  • Check the time difference between sending and
    receiving when receiving a message.
  • Old messages are easily detected.

29
Protocol 5 (Denning-Sacco Protocol)
  • Alice → Trent: Alice, Bob
  • Trent: pick K.
  • Trent → Alice:
  • Alice: decrypt
    to get K; check Bob's ID and timestamp T.
  • Alice → Bob: Trent,
  • Bob: decrypt to get K; check
    Alice's ID and timestamp T.
  • Bob → Alice: {N_B, I'm Bob}_K
  • Alice → Bob: {N_B - 1, I'm Alice}_K

30
Problem with Protocol 5
  • The use of a timestamp is simple and effective.
    However, it requires all participants to have
    access to a fully synchronous clock.
  • Synchronizing clocks in a distributed system is
    non-trivial.
  • It becomes even harder when certain parties are
    malicious.
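
Bob's ticket check in Protocol 4 versus Protocol 5, as an added example (not part of the original slides), including the clock-synchronization problem named above. Encryption is symbolic; the ticket layout, the 30-second window, the sample times and the names Sealed, make_ticket and bob_accepts are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Sealed:
    """Symbolic ciphertext {payload}_key (perfect encryption, as the slides assume)."""
    key: bytes
    payload: tuple

def make_ticket(k_bt, k, issued_at):
    """Trent's ticket for Bob. Assumed layout: {Alice, K, T}_KBT."""
    return Sealed(k_bt, ("Alice", k, issued_at))

def bob_accepts(k_bt, ticket, now=None, window=None):
    """Protocol 4 check if window is None (ID only; T ignored), else Protocol 5 check."""
    if ticket.key != k_bt:
        return None                 # not sealed under Bob's key
    sender, k, issued_at = ticket.payload
    if sender != "Alice":
        return None
    if window is not None and abs(now - issued_at) > window:
        return None                 # stale or post-dated ticket: replay rejected
    return k

def demo(window=30):
    k_bt = secrets.token_bytes(16)
    old_k, new_k = secrets.token_bytes(16), secrets.token_bytes(16)
    # Constructed sample times, in seconds on Trent's clock.
    old_ticket = make_ticket(k_bt, old_k, issued_at=1_000)    # earlier session
    new_ticket = make_ticket(k_bt, new_k, issued_at=90_000)   # current session
    now = 90_010                                              # Bob's clock, in sync
    return {
        "p4_accepts_replay": bob_accepts(k_bt, old_ticket) == old_k,
        "p5_accepts_replay": bob_accepts(k_bt, old_ticket, now, window) is not None,
        "p5_accepts_fresh": bob_accepts(k_bt, new_ticket, now, window) == new_k,
        # Bob's clock 120 s fast: an honest, fresh ticket is refused.
        "p5_fresh_clock_fast": bob_accepts(k_bt, new_ticket, now + 120, window) is not None,
        # Bob's clock set far back: the old ticket looks fresh again.
        "p5_replay_clock_slow": bob_accepts(k_bt, old_ticket, 1_020, window) == old_k,
    }

if __name__ == "__main__":
    print(demo())
```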

31
Conclusion
  • Security flaws always accompany implicit
    assumptions that do not necessarily hold.
  • For example, the attack on Needham-Schroeder is
    invalid if all previous keys are kept private
    but we can't really make sure all previous keys
    are kept private.
  • We need to be extremely careful when designing
    cryptographic protocols.