Formal Methods for Security Protocols - PowerPoint PPT Presentation

1 / 14

About This Presentation

Title:

Formal Methods for Security Protocols

Description:

Number of Views:82

Avg rating:3.0/5.0

Slides: 15

Provided by: catu1

Category:

more less

Transcript and Presenter's Notes

Title: Formal Methods for Security Protocols

1
Formal Methods for Security Protocols

2
Security Protocols

3
Security Protocols Vulnerabilities

Attack strategies
Man-in-the middle
The attacker interferes by intercepting the
message and possibly modifying it and/or
pretending to be one of the two parties.

4
Security Protocols Vulnerabilities

Attack strategy Man-in-the middle
Example The Diffie-Hellman key establishment
scheme
This scheme is meant to establish a private key
between two parties. It is more straightforward
and requires neither a third party nor a
trap-door.
Chose a prime p and a primitive root r modulo p.
(primitive means that all numbers between 1 and p
can be generated by taking exponents of r modulo
p)
Alice chooses at random an integer x and sends
Bob the message
m1 rx(mod p)
Bob chooses an integer y and sends Alice the
message
m2 ry(mod p)
Alice calculates
K1 m2x(mod p)
Bob calculates
K2 m1y(mod p)
It is easy to prove that K1 K2. Hence Alice and
Bob can use K1 as a private key between
themselves. Note that Alice and Bob play a
symmetric role in the generation of the key.
Deriving x from m1 (and y from m2) is considered
to be intractable.

5
Security Protocols Vulnerabilities

6
Security Protocols Vulnerabilities

Replay
The intruder monitors a (possibly partial) run of
the protocol and at some time reproduces
(replays) one or more of the messages.

7
Security Protocols Vulnerabilities

Example Let us consider what could happen to the
NSSK protocol (Needham-Schroeder-Secret-Key) if
we remove the nonce from A
Message 1 A -gt J    A.B Message 2 J -gt A
B.kAB.kAB.A ServerKey(B) ServerKey(A)
Message 3 A -gt B    kAB.A ServerKey(B)
Message 4 B -gt A    nBkAB Message 5 A -gt
B    nB - 1kAB
Suppose that Yves eventually succeeds to break
the key, so he now knows kAB. Presumably this
will have taken a long time, so kAB is not used
anymore by A and B. However, next time Alice
sends a request to Jeeves, Yves can intercept
Jeeves reply, and send back to Alice the message
B.kAB.kAB.A ServerKey(B) ServerKey(A)
So Alice will take the old key kAB as the key to
use in next conversation with Bob.

8
Security Protocols Vulnerabilities

In the original NSSK protocol this attack is not
possible
because A would recognize that the nonce is
different
from the one it sent.
Note that the nonce is used as a sort of local
time stamp
The original NSSK protocol
Message 1 A -gt J    A.B.nA Message 2 J -gt
A nA.B.kAB.kAB.A ServerKey(B)
ServerKey(A) Message 3 A -gt B    kAB.A
ServerKey(B) Message 4 B -gt A    nBkAB
Message 5 A -gt B    nB - 1kAB

9
Security Protocols Vulnerabilities

In the original NSSK protocol, however, a similar
attack is possible on the other partner B. In
fact, B has no way to establish the freshness of
the first message he sees (the 3 in the
protocol). So, Yves could intercept the message
from A to B, and send to B, instead, a previously
intercepted message kAB.A ServerKey(B)
Assuming that the intruder had time to discover
the previous key kAB, the communication from B
using this key is compromised
This attack was discovered by Denning and Sacco,
1981. (three years after it had been in use in
the Kerberos protocol)
A solution to this problem is to use timestamps.
So in message 3, also a timestamp (generated by
A or by J) should be sent, encrypted, to B.
Note Time stamps assume a global notion of
time.
The use of timestamps was introduced in the
Kerberos protocol so to avoid the problem above

10
Security Protocols Vulnerabilities

Alternatively, one could use nonces in a
different way, as with the Yahalom protocol
Message 1 A -gt B A.nA Message 2 B -gt J
B.A.nA.nBServerKey(B)
Message 3 J -gt A B.kAB.nA.nBServerKey(A)
A.kABServerKey(B)
Message 4 A -gt B A.kABServerKey(B).nBkA
B
In this protocol, both A and B get to inject
nonces before the request reaches Jeeves, so they
both get a handle on the freshness of the key
generated by Jeeves.

11
Security Protocols Vulnerabilities

Oracle
The intruder tricks an agent into inadvertently
reveal some information, possibly by inducing him
to perform some steps of a protocol.
Interleave
The intruder contrives for two or more runs of
the protocol to overlap

12
Security Protocols Vulnerabilities

Example of an attack to the Needham-Schroeder-Publ
ic-Key protocol which combines oracle and
interleaving techniques
The NSPK protocol (simplified version)
Message 1 A -gt B A.nA PKB Message 2
B -gt A nA.nB PKA Message 3 A -gt B
nB PKB
At the end of the protocol, it would seems
reasonable to believe that
A and B know with whom they have been interacting
A and B agree on the values of nA and nB
No one else knows the values of nA and nB

13
Security Protocols Vulnerabilities

In fact, for many years the NSPK protocol (1981)
has been believed to satisfy those properties,
but in 1995 Gavin Lowe discovered the following
attack
here, Y(A) represents Y generating (resp.
receiving) the message, making it appear as
generated (resp. received) by A.
Message a.1    A -gt Y A.nA PKY
Message b.1 Y(A) -gt B A.nA PKB
Message b.2   B -gt Y(A) nA.nB PKA
Message a.2   Y -gt A nA.nB PKA
Message a.3   A -gt Y nB PKY
Message b.3 Y(A) -gt B nB PKB
Initially, Alice starts a protocol run with Yves
thinking that he is an honest agent.
At the end, Bob thinks that
he has been communicating with Alice, while this
is not the case
he and Alice share exclusively nA and nB, while
this is not the case.

14
Security Protocols Vulnerabilities

It is actually relatively easy to fix the NSPK
protocol it
is sufficient to include the identity of the
responder
within the encrypted part of Message 2
Message 1    A -gt B A.B. A.nA PKB
Message 2    B -gt A B.A.B.nA.nBPKA
Message 3    A -gt A A.B.nBPKB
This new protocol (called the Lowe-Needham-Schroed
er
protocol) has been proved correct by using
CSP/FDR
methods