Prudent Engineering practice for cryptographic protocol - PowerPoint PPT Presentation

Slides: 22
Provided by: danielem
1
Prudent Engineering practice for cryptographic protocol
2
Summary
  • a list of hints for designing good protocols
  • no theory involved, just engineering art
  • Basics
  • Naming
  • Encryption
  • Timeliness
  • Encodings
  • Trust

3
Basics
  • Principle 1
  • every message should say what it means: the
    interpretation should depend only on its content
  • Principle 2
  • the conditions for a message to be acted upon
    should be clearly set out so that someone
    reviewing a design may see whether they are
    acceptable or not
  • obvious observation: a protocol MUST NOT leak
    private values

4
Naming
  • Principle 3
  • if the identity of a principal is essential to
    the meaning of a message, it is prudent to mention
    the principal's name explicitly in the message

5
Examples for naming issue
  • A → S: A, B
  • S → A: CA, CB
  • A → B: CA, CB, {{Kab, Ta}KprivA}KpubB
  • possible risk:
  • B → C: CA, CC, {{Kab, Ta}KprivA}KpubC
  • C can accept this message and start sending
    messages to A encrypted with Kab
  • a possible solution is to make the names of
    the principals explicit:
    A → B: CA, CB, {{A, B, Kab, Ta}KprivA}KpubB

6
Another example
  • Authentication protocol: at the end B must be
    convinced that A correctly replied to the challenge
  • A → B: A
  • B → A: Nb
  • A → B: {Nb}Kas
  • B → S: {A, {Nb}Kas}Kbs
  • S → B: {Nb}Kbs
  • protocol flawed (fix: S → B: {A, Nb}Kbs)

7
  • Attack with C impersonating A (B wants to talk
    with A and C at the same time, A off-line)
  • message 1 C → B: A
  • message 1 C → B: C
  • message 2 B → A: Nb
  • message 2 B → C: Nb
  • message 3 C → B: {Nb}Kcs
  • message 3 C → B: {Nb}Kcs
  • message 4 B → S: {A, {Nb}Kcs}Kbs
  • message 4 B → S: {C, {Nb}Kcs}Kbs
  • message 5 S → B: {Nb}Kbs
  • message 5 S → B: {Nb}Kbs
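
The check B performs on message 5, with and without the principal's name, as an added example that is not part of the original slides. It uses a symbolic model (encryption is an opaque pair, no real cryptography); the function names are illustrative, and as on the slide both of B's sessions use the same Nb.

```python
# Symbolic model: enc(key, body) is an opaque value only the key holder opens.
# Key and principal names follow the slides; function names are illustrative.

def enc(key, body):
    return ("enc", key, body)

def dec(key, ct):
    # Decrypting with the wrong key yields garbage, modelled here as None.
    _tag, k, body = ct
    return body if k == key else None

def server(msg4, flawed):
    """S handles message 4, {X, {N}Kxs}Kbs, and builds message 5 for B."""
    claimed, inner = dec("Kbs", msg4)
    nonce = dec("K" + claimed.lower() + "s", inner)    # "A" -> "Kas"
    # Flawed message 5 is {Nb}Kbs; the fixed one is {A, Nb}Kbs.
    return enc("Kbs", nonce if flawed else (claimed, nonce))

def b_accepts(peer, nb, msg5, flawed):
    """B's acceptance test for the session it believes is with `peer`."""
    body = dec("Kbs", msg5)
    return body == nb if flawed else body == (peer, nb)

def run_attack(flawed):
    nb = "Nb"
    reply = enc("Kcs", nb)               # C's message 3 in both sessions
    msg4_a = enc("Kbs", ("A", reply))    # session B believes is with A
    msg4_c = enc("Kbs", ("C", reply))    # session B believes is with C
    msg5_a = server(msg4_a, flawed)      # S tries Kas on {Nb}Kcs: garbage
    msg5_c = server(msg4_c, flawed)      # S uses Kcs: recovers Nb
    # A message 5 that names nobody can be matched to either open session.
    return {
        "A_session_accepts_own_reply": b_accepts("A", nb, msg5_a, flawed),
        "A_session_accepts_C_reply": b_accepts("A", nb, msg5_c, flawed),
        "C_session_accepts_C_reply": b_accepts("C", nb, msg5_c, flawed),
    }

if __name__ == "__main__":
    print("flawed:", run_attack(flawed=True))
    print("fixed: ", run_attack(flawed=False))
```

With the flawed message 5, the reply produced for C's session satisfies B's check for the session with A; with the name included it only satisfies the session it was produced for.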

8
SSL
  • A → B: {Kab}KpubB
  • B → A: {Nb}Kab
  • A → B: {CA, {Nb}KprivA}Kab
  • fix: A → B: {CA, {A, B, Kab, Nb}KprivA}Kab

9
Use of encryption
  • preserve confidentiality: the principal that has
    the right key can assume that the message was
    intended for himself
  • provide authenticity (extreme case: encrypt a
    null message or a time-stamp to show that a key
    is known)
  • binding together parts of a message: {X, Y}K is
    different from {X}K, {Y}K
  • provide random numbers
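
Why {X, Y}K differs from {X}K, {Y}K, as an added example that is not part of the original slides. It uses an HMAC tag from the Python standard library as a stand-in for protection under K (an assumption of this example); the key, field values and function names are constructed for illustration.

```python
import hashlib
import hmac

K = b"constructed-demo-key"   # constructed sample key shared by both ends

def tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def seal_separately(key, x, y):
    # Analogue of {X}K, {Y}K: each field is protected on its own.
    return [(x, tag(key, x)), (y, tag(key, y))]

def seal_together(key, x, y):
    # Analogue of {X, Y}K: one tag over a length-prefixed encoding of both.
    body = len(x).to_bytes(4, "big") + x + y
    return (x, y, tag(key, body))

def open_separately(key, parts):
    if all(hmac.compare_digest(tag(key, d), t) for d, t in parts):
        return tuple(d for d, _ in parts)
    return None

def open_together(key, msg):
    x, y, t = msg
    body = len(x).to_bytes(4, "big") + x + y
    return (x, y) if hmac.compare_digest(tag(key, body), t) else None

def splice_demo():
    # Two genuine messages, constructed for the example.
    m1 = seal_separately(K, b"pay=alice", b"amount=10")
    m2 = seal_separately(K, b"pay=bob", b"amount=9000")
    spliced = [m1[0], m2[1]]           # fields recombined in transit
    j1 = seal_together(K, b"pay=alice", b"amount=10")
    j2 = seal_together(K, b"pay=bob", b"amount=9000")
    joined = (j1[0], j2[1], j1[2])     # same recombination, tag taken from j1
    return open_separately(K, spliced), open_together(K, joined)

if __name__ == "__main__":
    print(splice_demo())
```

The separately protected fields verify after being recombined from two different messages; the jointly protected pair does not.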

10
Principle 4
  • be clear about why encryption is done. It's not
    cheap, it's not a guarantee
  • A → S: A, B
  • S → A: {Ts, L, Kab, B, {Ts, L, Kab, A}Kbs}Kas
  • A → B: {Ts, L, Kab, A}Kbs, {A, Ta}Kab
  • B → A: {Ta + 1}Kab

11
Principle 5
  • when a principal signs encrypted data it should
    not be inferred that he knows the content of the
    message.
  • A → B: A, {Ta, Na, B, Xa, {Ya}KpubB}KprivA
  • no guarantee that A actually knows Ya
  • A → B: A, {X}KpubB, {H(X)}KprivA
  • no guarantee that A actually knows X (e.g., X
    could be a password for authentication)

12
Principle 6, Timeliness
  • be clear what properties you are assuming about
    nonces. What may do for ensuring temporal
    succession may not do for assuring association

13
Otway-Rees
  • A → B: M, A, B, {Na, M, A, B}Kas
  • B → S: M, A, B, {Na, M, A, B}Kas, {Nb, M, A, B}Kbs
  • S → B: M, {Na, Kab}Kas, {Nb, Kab}Kbs
  • B → A: M, {Na, Kab}Kas
  • the two nonces Na and Nb must be encrypted
    because they serve as a secure reference to the
    identity of the parties: the nonces are not only
    for timeliness but also substitute for the names

14
Improved protocol
  • A → B: A, B, Na
  • B → S: A, B, Na, Nb
  • S → B: {Na, A, B, Kab}Kas, {Nb, A, B, Kab}Kbs
  • B → A: {Na, A, B, Kab}Kas

15
Simplifying a protocol
  • A → B: A
  • B → A: Nb
  • A → B: {Nb}Kas
  • B → S: A, B, {Nb}Kas
  • S → B: {A, Nb}Kbs
  • the purpose of the encryption of message 4 was
    binding two parts of the message
  • Nb provides only a proof of freshness
  • once message 5 is modified, the encryption is no
    longer necessary

16
Principle 7
  • the use of a predictable quantity can serve in
    guaranteeing freshness, but it should be
    protected so that an intruder cannot simulate a
    challenge and later replay a response
  • A → S: A, Na
  • S → A: {Ts, Na}Kas
  • the protocol doesn't work if Na is predictable;
    you also need to encrypt Na

17
Principle 8
  • if timestamps are used as freshness guarantees by
    reference to absolute time, then the difference
    between local clocks must be much less than the
    allowable age of a message deemed to be valid.
    Furthermore, the time maintenance mechanism
    everywhere becomes part of the TCB.

18
Principle 9
  • A key may have been used recently for example to
    encrypt a nonce, yet be quite old, and possibly
    compromised. Recent use does not make the key
    look any better than it would otherwise.

19
  • A → S: A, B, Na
  • S → A: {Na, B, Kab, {Kab, A}Kbs}Kas
  • A → B: {Kab, A}Kbs
  • B → A: {Nb}Kab
  • A → B: {Nb + 1}Kab
  • messages 4 and 5 do not provide any guarantee
    about the freshness of Kab
  • fix: use timestamps, or B sends a nonce to S

20
Principle 10
  • If an encoding is used to present the meaning of
    a message, then it should be possible to tell
    which encoding is used. When the encoding is
    protocol dependent, it should be possible to
    deduce that the message belongs to this protocol,
    and in fact to a particular run of the protocol,
    and to know its number in the protocol
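
One way a receiver can enforce Principle 10, as an added example that is not part of the original slides. The JSON layout, the protocol and run identifiers, the key and the function names are all constructed for illustration; an HMAC from the Python standard library stands in for protection under the shared key.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"   # constructed sample key shared by A and B

def encode(key, protocol, run_id, msg_no, fields):
    # The header names the protocol, the run, and the message's position in it.
    body = json.dumps(
        {"proto": protocol, "run": run_id, "n": msg_no, "fields": fields},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def decode(key, wire, protocol, run_id, msg_no):
    """Return the fields only if this is the message expected right now."""
    body, mac = wire[:-32], wire[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None                      # not produced under this key
    msg = json.loads(body)
    if (msg["proto"], msg["run"], msg["n"]) != (protocol, run_id, msg_no):
        return None                      # other protocol, run, or step
    return msg["fields"]

def demo():
    m3 = encode(KEY, "demo-auth/1", "run-41", 3, {"nonce": "Nb"})
    return {
        "expected": decode(KEY, m3, "demo-auth/1", "run-41", 3),
        "replayed_as_msg5": decode(KEY, m3, "demo-auth/1", "run-41", 5),
        "replayed_in_other_run": decode(KEY, m3, "demo-auth/1", "run-42", 3),
        "fed_to_other_protocol": decode(KEY, m3, "demo-xfer/1", "run-41", 3),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```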

21
Principle 11
  • the protocol designer should know which trust
    relations his protocol depends on, and why the
    dependence is necessary. The reasons for
    particular trust relations being acceptable
    should be explicit, though they will be founded
    on judgement and policy rather than logic