Security Protocols Analysis

Internet Security - Farkas

Reading
- This class:
  - Modelling and Analysis of Security Protocols: chapters 0.9-0.12
  - C. Meadows: Formal Methods for Cryptographic Protocol Analysis: Emerging Issues and Trends, http://citeseer.ist.psu.edu/meadows03formal.html
- Next class: Modelling and Analysis of Security Protocols: chapter 1

What is Protocol Analysis
- Cryptographic protocols
- Attackers’ capabilities
- Security?
- Hostile environment
- Vulnerabilities
- Weakness of cryptography
- Incorrect specifications

Cryptographic Protocols
- Two or more parties
- Communication over insecure network
- Cryptography used to achieve goal
  - Exchange secret keys
  - Verify identity (authentication)
  - Secure transaction processing

Emerging Properties of Protocols
- Greater interoperation
- Negotiation of policy
- Greater complexity
- Group-oriented protocols
- Emerging security threats

Attackers’ Capabilities
- Read traffic
- Modify traffic
- Delete traffic
- Perform cryptographic operations
- Control over network principals

Attacks
- Known attacks
  - Can be picked up by careful inspection
- Nonintuitive attacks
  - Not easily apparent
  - May not depend on flaws or weaknesses of cryptographic algorithms
  - Use variety of methods, e.g., statistical analysis, subtle properties of crypto algorithms, etc.

Formal Methods
- Combination of a mathematical or logical model of a system and its requirements, and
- Effective procedures for determining whether a proof that a system satisfies its requirements is correct
- Can be automated!

Example: Needham-Schroeder
- Famous simple example (page 30-31)
- Protocol published and known for 10 years
- Gavin Lowe discovered unintended property while preparing formal analysis using FDR system
- Subsequently rediscovered by every analysis method
From: J. Mitchell

Needham-Schroeder Crypto
- Nonces
  - Fresh, random numbers
- Public-key cryptography
  - Every agent A has
    - Public encryption key Ka
    - Private decryption key Ka^-1
  - Main properties
    - Everyone can encrypt message to A
    - Only A can decrypt these messages
From: J. Mitchell

Needham-Schroeder Key Exchange
  A -> B: { A, NonceA }Kb
  B -> A: { NonceA, NonceB }Ka
  A -> B: { NonceB }Kb
On execution of the protocol, A and B are guaranteed mutual authentication and secrecy.
From: J. Mitchell

Needham-Schroeder properties
- Responder correctly authenticated
  - When initiator A completes the protocol apparently with honest responder B, it must be that B thinks he ran the protocol with A
- Initiator correctly authenticated
  - When responder B completes the protocol apparently with honest initiator A, it must be that A thinks she ran the protocol with B
- Initiator nonce secrecy
  - When honest initiator completes the protocol with honest peer, intruder does not know initiator's nonce.
From: J. Mitchell

Anomaly in Needham-Schroeder [Lowe]
  A -> E: { A, NA }Ke
  E -> B: { A, NA }Kb
  B -> E: { NA, NB }Ka
  E -> A: { NA, NB }Ka
  A -> E: { NB }Ke
- Evil agent E tricks honest A into revealing private key NB from B
- Evil E can then fool B
From: J. Mitchell

Requirements and Properties
- Authentication
  - Authentication, Secrecy
- Trading
  - Fairness
- Special applications (e.g., voting)
  - Anonymity and Accountability

Security Analysis
- Understand system requirements
- Model
  - System
  - Attacker
- Evaluate security properties
  - Under normal operation (no attacker)
  - In the presence of attacker
- Security results: under given assumptions about system and about the capabilities of the attackers.

Modeling decisions
- How powerful is the adversary?
  - Simple replay of previous messages
  - Block messages; decompose, reassemble and resend
  - Statistical analysis, partial info from network traffic
  - Timing attacks
- How much detail in underlying data types?
  - Plaintext, ciphertext and keys
    - atomic data or bit sequences
  - Encryption and hash functions
    - “perfect” cryptography
    - algebraic properties: encr(x*y) = encr(x) * encr(y) for RSA, encrypt(k,msg) = msg^k mod N

Explicit intruder model
[Diagram labels: Informal Protocol Description, Formal Protocol, Intruder Model, Analysis Tool, Find error]
From: J. Mitchell

Protocol Analysis Spectrum
[Figure: methods and tools placed on two axes, sophistication of attacks and protocol complexity (low to high). Labels: Murφ, FDR, NRL, Athena, hand proofs, Paulson, Bolignano, BAN logic, Spi-calculus, poly-time calculus, model checking, symbolic methods (MSR), protocol logic]
From: J. Mitchell

Analysis of Discrete Systems
- Properties of discrete systems
- Requirements
- Attackers
- Attack: sequence of finite set of operations
- Evaluate different paths an attacker may take
- State the environmental assumptions precisely

First Analysis Method
- Dolev-Yao
  - Set of polynomial-time algorithms for deciding security of a restricted class of protocols
  - First to develop formal model of environment in which
    - Multiple executions of the protocol can be running concurrently
    - Cryptographic algorithms considered as “black boxes”
    - Includes intruder model
- Tools based on Dolev-Yao
  - NRL protocol analyzer
  - Longley-Rigby tool

Model checking
- Two components
  - Finite state system
  - Specification of properties
- Exhaustive search of the state space to determine security
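
Added example, not part of the original slides: a minimal Python model checker in the Dolev-Yao style that exhaustively searches the intruder's deliveries for one Needham-Schroeder run and finds the anomaly from the Lowe slide above as a counterexample trace. The names enc, learn, sendable and find_attack, the single-session scenario and the atom names are assumptions made here; fixed=True models Lowe's published repair (B's identity added to message 2), which the slides do not cover.

```python
from collections import deque
from itertools import product

def enc(key, *body):
    """Symbolic {body}_key: a black box only the owner of `key` can open."""
    return ("enc", key, body)

def learn(know, msg):
    """Intruder E observes msg and opens it if it is encrypted under Ke."""
    know = set(know) | {msg}
    if msg[1] == "E":
        know |= set(msg[2])
    return frozenset(know)

def sendable(know, to):
    """Messages E can deliver: replayed ciphertexts or ones built from known atoms."""
    atoms = [t for t in know if isinstance(t, str)]
    built = {enc(to, *b) for n in (1, 2, 3) for b in product(atoms, repeat=n)}
    return built | {t for t in know if isinstance(t, tuple) and t[1] == to}

def find_attack(fixed):
    """Breadth-first search over E's deliveries. Returns the message trace after
    which B commits to peer A although A only ever ran with E, else None."""
    # Constructed scenario: honest A has started one run with E (message 1).
    know = learn(frozenset({"A", "B", "E", "Ne"}), enc("E", "A", "Na"))
    start = (know, False, None)  # (E's knowledge, A finished, nonce B issued)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        (know, a_done, b_nonce), trace = queue.popleft()
        for to in "AB":
            for m in sendable(know, to):
                body, nxt = m[2], None
                if to == "A" and not a_done and body[0] == "Na" and (
                        len(body) == 3 and body[2] == "E" if fixed else len(body) == 2):
                    # A accepts message 2 and sends message 3 to its peer E.
                    nxt = (learn(know, enc("E", body[1])), True, b_nonce)
                elif to == "B" and b_nonce is None and len(body) == 2 and body[0] == "A":
                    # B answers a message 1 that claims to come from A.
                    extra = ("B",) if fixed else ()
                    nxt = (learn(know, enc("A", body[1], "Nb", *extra)), a_done, "Nb")
                elif to == "B" and body == (b_nonce,):
                    return trace + [m]  # B completes, believing its peer is A
                if nxt and nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, trace + [m]))
    return None
```

The returned trace lists only the messages E delivers; a result of None means the bounded search found no run in which B's authentication claim fails.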

Theorem Prover
- Theorems: properties of protocols
- Prove or check proofs automatically
- Could find flaws not detected by manual analysis
- Do not give counterexamples like the model checkers

Logic
- Burrows, Abadi, and Needham (BAN) logic
  - Logic of belief
  - Set of modal operators: describing the relationship of principal to data
  - Set of possible beliefs
  - Inference rules
- Seems to be promising but weaker than state exploration tools and theorem proving (higher level abstraction)

Next week: CSP