Title: Formal Methods for Security Protocols
1Formal Methods for Security Protocols
- Catuscia Palamidessi
- Penn State University, USA
2Security Protocols
- Contents of previous lecture
- A brief introduction to security protocols
- Distributed systems, insecure communication,
intruders - Aims and properties
- authentication, secrecy, integrity, anonymity,
etc. - Notation Message x-gt y data
- Example the Noedam-Schoeder SK protocol
- A very brief introduction to Cryptographic
methods - Symmetric and asymmetric cryptography
- one-way functions, door traps
- Vulnerabilities of Security protocols (just
started)
3Security Protocols Vulnerabilities
- Attack strategies
- Man-in-the middle
- The attacker interferes by intercepting the
message and possibly modifying it and/or
pretending to be one of the two parties.
4Security Protocols Vulnerabilities
- Attack strategy Man-in-the middle
- Example The Diffie-Hellman key establishment
scheme - This scheme is meant to establish a private key
between two parties. It is more straightforward
and requires neither a third party nor a
trap-door. - Chose a prime p and a primitive root r modulo p.
(primitive means that all numbers between 1 and p
can be generated by taking exponents of r modulo
p) - Alice chooses at random an integer x and sends
Bob the message - m1 rx(mod p)
- Bob chooses an integer y and sends Alice the
message - m2 ry(mod p)
- Alice calculates
- K1 m2x(mod p)
- Bob calculates
- K2 m1y(mod p)
- It is easy to prove that K1 K2. Hence Alice and
Bob can use K1 as a private key between
themselves. Note that Alice and Bob play a
symmetric role in the generation of the key. - Deriving x from m1 (and y from m2) is considered
to be intractable.
5Security Protocols Vulnerabilities
- The Diffie-Hellman key establishment scheme has
no way to ensure authentication. A
man-in-the-middle, Yves, could pretend to be Bob
and establish a shared key with Alice, thus
reading all the messages that Alice thinks she is
sending to Bob. The same he could do with Bob,
even at the same time.
6Security Protocols Vulnerabilities
- Replay
- The intruder monitors a (possibly partial) run of
the protocol and at some time reproduces
(replays) one or more of the messages.
7Security Protocols Vulnerabilities
- Example Let us consider what could happen to the
NSSK protocol (Needham-Schroeder-Secret-Key) if
we remove the nonce from A - Message 1 A -gt J A.B Message 2 J -gt A
B.kAB.kAB.A ServerKey(B) ServerKey(A)
Message 3 A -gt B kAB.A ServerKey(B)
Message 4 B -gt A nBkAB Message 5 A -gt
B nB - 1kAB - Suppose that Yves eventually succeeds to break
the key, so he now knows kAB. Presumably this
will have taken a long time, so kAB is not used
anymore by A and B. However, next time Alice
sends a request to Jeeves, Yves can intercept
Jeeves reply, and send back to Alice the message
- B.kAB.kAB.A ServerKey(B) ServerKey(A)
- So Alice will take the old key kAB as the key to
use in next conversation with Bob.
8Security Protocols Vulnerabilities
- In the original NSSK protocol this attack is not
possible - because A would recognize that the nonce is
different - from the one it sent.
- Note that the nonce is used as a sort of local
time stamp - The original NSSK protocol
- Message 1 A -gt J A.B.nA Message 2 J -gt
A nA.B.kAB.kAB.A ServerKey(B)
ServerKey(A) Message 3 A -gt B kAB.A
ServerKey(B) Message 4 B -gt A nBkAB
Message 5 A -gt B nB - 1kAB
9Security Protocols Vulnerabilities
- In the original NSSK protocol, however, a similar
attack is possible on the other partner B. In
fact, B has no way to establish the freshness of
the first message he sees (the 3 in the
protocol). So, Yves could intercept the message
from A to B, and send to B, instead, a previously
intercepted message kAB.A ServerKey(B) - Assuming that the intruder had time to discover
the previous key kAB, the communication from B
using this key is compromised -
- This attack was discovered by Denning and Sacco,
1981. (three years after it had been in use in
the Kerberos protocol) - A solution to this problem is to use timestamps.
So in message 3, also a timestamp (generated by
A or by J) should be sent, encrypted, to B. -
- Note Time stamps assume a global notion of
time. - The use of timestamps was introduced in the
Kerberos protocol so to avoid the problem above
10Security Protocols Vulnerabilities
- Alternatively, one could use nonces in a
different way, as with the Yahalom protocol - Message 1 A -gt B A.nA Message 2 B -gt J
B.A.nA.nBServerKey(B) - Message 3 J -gt A B.kAB.nA.nBServerKey(A)
A.kABServerKey(B) - Message 4 A -gt B A.kABServerKey(B).nBkA
B - In this protocol, both A and B get to inject
nonces before the request reaches Jeeves, so they
both get a handle on the freshness of the key
generated by Jeeves.
11Security Protocols Vulnerabilities
- Oracle
- The intruder tricks an agent into inadvertently
reveal some information, possibly by inducing him
to perform some steps of a protocol. - Interleave
- The intruder contrives for two or more runs of
the protocol to overlap
12Security Protocols Vulnerabilities
- Example of an attack to the Needham-Schroeder-Publ
ic-Key protocol which combines oracle and
interleaving techniques - The NSPK protocol (simplified version)
- Message 1 A -gt B A.nA PKB Message 2
B -gt A nA.nB PKA Message 3 A -gt B
nB PKB - At the end of the protocol, it would seems
reasonable to believe that - A and B know with whom they have been interacting
- A and B agree on the values of nA and nB
- No one else knows the values of nA and nB
13Security Protocols Vulnerabilities
- In fact, for many years the NSPK protocol (1981)
has been believed to satisfy those properties,
but in 1995 Gavin Lowe discovered the following
attack - here, Y(A) represents Y generating (resp.
receiving) the message, making it appear as
generated (resp. received) by A. - Message a.1 A -gt Y A.nA PKY
Message b.1 Y(A) -gt B A.nA PKB
Message b.2 B -gt Y(A) nA.nB PKA
Message a.2 Y -gt A nA.nB PKA
Message a.3 A -gt Y nB PKY
Message b.3 Y(A) -gt B nB PKB - Initially, Alice starts a protocol run with Yves
thinking that he is an honest agent. - At the end, Bob thinks that
- he has been communicating with Alice, while this
is not the case - he and Alice share exclusively nA and nB, while
this is not the case.
14Security Protocols Vulnerabilities
- It is actually relatively easy to fix the NSPK
protocol it - is sufficient to include the identity of the
responder - within the encrypted part of Message 2
- Message 1 A -gt B A.B. A.nA PKB
Message 2 B -gt A B.A.B.nA.nBPKA
Message 3 A -gt A A.B.nBPKB - This new protocol (called the Lowe-Needham-Schroed
er - protocol) has been proved correct by using
CSP/FDR - methods