Security Analysis of Network Protocols - PowerPoint PPT Presentation

About This Presentation
Title:

Security Analysis of Network Protocols

Description:

1. First visit: http://www-cse.ucsd.edu/users/mihir/crypto-topic ... Download Cygwin. Need to include g , make, gcc packages. Look under the Devel' heading ... – PowerPoint PPT presentation

Number of Views:35
Avg rating:3.0/5.0
Slides: 18
Provided by: JohnCMi
Learn more at: https://web.stanford.edu
Category:

less

Transcript and Presenter's Notes

Title: Security Analysis of Network Protocols


1
Security Analysis of Network Protocols
CS 259
Mukund Sundararajan
http//www.stanford.edu/class/cs259/
2
How to write a crypto paper?
  • 1. First visit http//www-cse.ucsd.edu/users/mihi
    r/crypto-topic-generator.html
  • 2. Click on the button
  • 3. Be Inspired
  • Fortunately, we dont need to know what those
    papers, if written, may contain

3
Today
  • Getting Murphi to work on Windows
  • A close look at the NS implementation in Murphi
  • Cryptography for CS259
  • The cryptography of SSL
  • Newsgroup su.class.cs259

4
Murphi on Windows
  • Download Cygwin
  • Need to include g, make, gcc packages
  • Look under the Devel heading
  • Follow instructions in the Readme file located
    in the src directory
  • Make the murphi compiler in the src directory
  • Set up a link
  • Edit homework Makefile

5
Needham Schroeder in Murphi
  • Walk through code sections
  • Data types
  • State variables
  • Transitions, invariants
  • Initial state
  • The strong attacker model
  • Perfect cryptography
  • Intercept all messages on the network
  • Insert, reorder, delete messages

6
Murphi Syntax
  • Invariants are a special kind of rule
  • Rulesets allow concise specification of
    transition rules
  • Scalarsets allow us to exploit symmetry the
    inherent symmetry in some situations to make
    model checking efficient
  • Multisets are similar to scalarsets but are
    modifiable at runtime, use a choose to index.
  • Union data types allow us to refer to many
    scalarsets at once

7
Weak intruder model
  • Part (b) of the 3rd question on HW1
  • Consider an intruder who can only receive
    messages destined to it.
  • Does the attack on initiator correctly
    authenticated still work?
  • Need to undo optimizations

8
Anomaly in Needham-Schroeder
Lowe
A, NA
Ke
A
E
NA, NB
Ka
NB
Ke
A, NA
NA, NB
Evil agent E tricks honest A into
revealing private key NB from B
Kb
Ka
B
Evil E can then fool B
9
(No Transcript)
10
Nonce
  • 'number used once'
  • To prevent against replay attacks

11
Symmetric Key Algorithm
  • Encryption
  • Input plain-text, key, Output cipher text
  • Decryption
  • Input encrypted message, key, Output plain text
  • Needs to be reversible
  • Insecure if following is computationally feasible
  • Can decipher plaintext without key
  • Can produce cipher text without key
  • Can deduce key from cipher text

12
Asymmetric Encryption
  • Encryption
  • Input plain-text, public-key, Output cipher
    text
  • Decryption
  • Input encrypted message, private-key, Output
    plain text
  • Needs to be reversible
  • Insecure if following is computationally feasible
  • Can decipher plaintext without private key
  • Can deduce private key from cipher text or public
    key

13
Digital Signatures
  • Signature algorithm
  • Input m, private key, Output Signature
  • Verification algorithm
  • Input Signature, public key, Output Boolean
  • Authentication
  • Integrity
  • Non-repudiation

14
Cryptographic Hashes
  • Input message, Output digest
  • Insecure if following is computationally
    feasible
  • Preimage resistance finding a message that
    matches a given digest
  • Collision resistance finding "collisions",
    wherein two different messages have the same
    message digest
  • Second Preimage resistance given an input m, it
    must be hard to find different m that hashes to
    the same value

15
MACs
  • Integrity Authenticity
  • Input Key, Message, Output Message
    Authentication Code
  • Verification algorithm
  • Uses cryptographic hashes or symmetric key crypto
  • Attacker must not be able to find two messages M,
    M that produce the same MAC under an unknown key
    given an oracle that MACs messages
  • Key holder may find collisions
  • Differ from signatures they are symmetric

16
Diffie-Hellman exchange
  • A picks a nonce x, generates Gx, sends it to B
  • B picks a nonce y, generates Gy, sends it to A
  • Both generate Gxy locally
  • Gxy is a shared secret
  • Secure by Hardness of discrete logarithm

17
Exercises
  • How do scalarsets and multisets improve the
    efficiency of model-checking?
  • What is the relationship between the three
    properties of cryptographic hashes?
  • Read the definition of a message authentication
    code in Wikipedia
Write a Comment
User Comments (0)
About PowerShow.com