Formal Methods for Security Protocols - PowerPoint PPT Presentation

About This Presentation
Title:

Formal Methods for Security Protocols

Description:

A brief introduction to security protocols ... satisfy those properties, but in 1995 Gavin Lowe discovered the following attack: ... – PowerPoint PPT presentation

Number of Views:82
Avg rating:3.0/5.0
Slides: 15
Provided by: catu1
Category:

less

Transcript and Presenter's Notes

Title: Formal Methods for Security Protocols


1
Formal Methods for Security Protocols
  • Catuscia Palamidessi
  • Penn State University, USA

2
Security Protocols
  • Contents of previous lecture
  • A brief introduction to security protocols
  • Distributed systems, insecure communication,
    intruders
  • Aims and properties
  • authentication, secrecy, integrity, anonymity,
    etc.
  • Notation Message x-gt y data
  • Example the Noedam-Schoeder SK protocol
  • A very brief introduction to Cryptographic
    methods
  • Symmetric and asymmetric cryptography
  • one-way functions, door traps
  • Vulnerabilities of Security protocols (just
    started)

3
Security Protocols Vulnerabilities
  • Attack strategies
  • Man-in-the middle
  • The attacker interferes by intercepting the
    message and possibly modifying it and/or
    pretending to be one of the two parties.

4
Security Protocols Vulnerabilities
  • Attack strategy Man-in-the middle
  • Example The Diffie-Hellman key establishment
    scheme
  • This scheme is meant to establish a private key
    between two parties. It is more straightforward
    and requires neither a third party nor a
    trap-door.
  • Chose a prime p and a primitive root r modulo p.
    (primitive means that all numbers between 1 and p
    can be generated by taking exponents of r modulo
    p)
  • Alice chooses at random an integer x and sends
    Bob the message
  • m1 rx(mod p)
  • Bob chooses an integer y and sends Alice the
    message
  • m2 ry(mod p)
  • Alice calculates
  • K1 m2x(mod p)
  • Bob calculates
  • K2 m1y(mod p)
  • It is easy to prove that K1 K2. Hence Alice and
    Bob can use K1 as a private key between
    themselves. Note that Alice and Bob play a
    symmetric role in the generation of the key.
  • Deriving x from m1 (and y from m2) is considered
    to be intractable.

5
Security Protocols Vulnerabilities
  • The Diffie-Hellman key establishment scheme has
    no way to ensure authentication. A
    man-in-the-middle, Yves, could pretend to be Bob
    and establish a shared key with Alice, thus
    reading all the messages that Alice thinks she is
    sending to Bob. The same he could do with Bob,
    even at the same time.

6
Security Protocols Vulnerabilities
  • Replay
  • The intruder monitors a (possibly partial) run of
    the protocol and at some time reproduces
    (replays) one or more of the messages.

7
Security Protocols Vulnerabilities
  • Example Let us consider what could happen to the
    NSSK protocol (Needham-Schroeder-Secret-Key) if
    we remove the nonce from A
  • Message 1   A -gt J    A.B Message 2   J -gt A
      B.kAB.kAB.A ServerKey(B) ServerKey(A)
    Message 3   A -gt B    kAB.A ServerKey(B)
    Message 4   B -gt A    nBkAB Message 5   A -gt
    B    nB - 1kAB
  • Suppose that Yves eventually succeeds to break
    the key, so he now knows kAB. Presumably this
    will have taken a long time, so kAB is not used
    anymore by A and B. However, next time Alice
    sends a request to Jeeves, Yves can intercept
    Jeeves reply, and send back to Alice the message
  • B.kAB.kAB.A ServerKey(B) ServerKey(A)
  • So Alice will take the old key kAB as the key to
    use in next conversation with Bob.

8
Security Protocols Vulnerabilities
  • In the original NSSK protocol this attack is not
    possible
  • because A would recognize that the nonce is
    different
  • from the one it sent.
  • Note that the nonce is used as a sort of local
    time stamp
  • The original NSSK protocol
  • Message 1   A -gt J    A.B.nA Message 2   J -gt
    A   nA.B.kAB.kAB.A ServerKey(B)
    ServerKey(A) Message 3   A -gt B    kAB.A
    ServerKey(B) Message 4   B -gt A    nBkAB
    Message 5   A -gt B    nB - 1kAB

9
Security Protocols Vulnerabilities
  • In the original NSSK protocol, however, a similar
    attack is possible on the other partner B. In
    fact, B has no way to establish the freshness of
    the first message he sees (the 3 in the
    protocol). So, Yves could intercept the message
    from A to B, and send to B, instead, a previously
    intercepted message kAB.A ServerKey(B)
  • Assuming that the intruder had time to discover
    the previous key kAB, the communication from B
    using this key is compromised
  • This attack was discovered by Denning and Sacco,
    1981. (three years after it had been in use in
    the Kerberos protocol)
  • A solution to this problem is to use timestamps.
    So in message 3, also a timestamp (generated by
    A or by J) should be sent, encrypted, to B.
  • Note Time stamps assume a global notion of
    time.
  • The use of timestamps was introduced in the
    Kerberos protocol so to avoid the problem above

10
Security Protocols Vulnerabilities
  • Alternatively, one could use nonces in a
    different way, as with the Yahalom protocol
  • Message 1   A -gt B    A.nA Message 2   B -gt J
      B.A.nA.nBServerKey(B)
  • Message 3   J -gt A    B.kAB.nA.nBServerKey(A)
    A.kABServerKey(B)
  • Message 4   A -gt B    A.kABServerKey(B).nBkA
    B
  • In this protocol, both A and B get to inject
    nonces before the request reaches Jeeves, so they
    both get a handle on the freshness of the key
    generated by Jeeves.

11
Security Protocols Vulnerabilities
  • Oracle
  • The intruder tricks an agent into inadvertently
    reveal some information, possibly by inducing him
    to perform some steps of a protocol.
  • Interleave
  • The intruder contrives for two or more runs of
    the protocol to overlap

12
Security Protocols Vulnerabilities
  • Example of an attack to the Needham-Schroeder-Publ
    ic-Key protocol which combines oracle and
    interleaving techniques
  • The NSPK protocol (simplified version)
  • Message 1   A -gt B    A.nA PKB Message 2  
    B -gt A    nA.nB PKA Message 3   A -gt B   
    nB PKB
  • At the end of the protocol, it would seems
    reasonable to believe that
  • A and B know with whom they have been interacting
  • A and B agree on the values of nA and nB
  • No one else knows the values of nA and nB

13
Security Protocols Vulnerabilities
  • In fact, for many years the NSPK protocol (1981)
    has been believed to satisfy those properties,
    but in 1995 Gavin Lowe discovered the following
    attack
  • here, Y(A) represents Y generating (resp.
    receiving) the message, making it appear as
    generated (resp. received) by A.
  • Message a.1    A -gt Y     A.nA PKY
    Message b.1   Y(A) -gt B   A.nA PKB
    Message b.2   B -gt Y(A)     nA.nB PKA
    Message a.2   Y -gt A     nA.nB PKA
    Message a.3   A -gt Y     nB PKY
    Message b.3   Y(A) -gt B     nB PKB
  • Initially, Alice starts a protocol run with Yves
    thinking that he is an honest agent.
  • At the end, Bob thinks that
  • he has been communicating with Alice, while this
    is not the case
  • he and Alice share exclusively nA and nB, while
    this is not the case.

14
Security Protocols Vulnerabilities
  • It is actually relatively easy to fix the NSPK
    protocol it
  • is sufficient to include the identity of the
    responder
  • within the encrypted part of Message 2
  • Message 1    A -gt B     A.B. A.nA PKB
    Message 2    B -gt A    B.A.B.nA.nBPKA
    Message 3    A -gt A     A.B.nBPKB
  • This new protocol (called the Lowe-Needham-Schroed
    er
  • protocol) has been proved correct by using
    CSP/FDR
  • methods
Write a Comment
User Comments (0)
About PowerShow.com