Security Analysis of Network Protocols CS 259 Security Analysis of Network Protocols Mukund Sundararajan http://www.stanford.edu/class/cs259/

How to write a crypto paper? 1. First visit: http://www-cse.ucsd.edu/users/mihir/crypto-topic-generator.html 2. Click on the button 3. Be Inspired Fortunately, we don’t need to know what those papers, if written, may contain

Today Getting Murphi to work on Windows A close look at the NS implementation in Murphi Cryptography for CS259 The cryptography of SSL Newsgroup: su.class.cs259

Murphi on Windows Download Cygwin Need to include g++, make, gcc packages Look under the ‘Devel’ heading Follow instructions in the Readme file located in the src directory Make the murphi compiler in the src directory Set up a link Edit homework Makefile

Needham Schroeder in Murphi Walk through code sections Data types State variables Transitions, invariants Initial state The strong attacker model Perfect cryptography Intercept all messages on the network Insert, reorder, delete messages

Murphi Syntax Invariants are a special kind of rule Rulesets allow concise specification of transition rules Scalarsets allow us to exploit symmetry the inherent symmetry in some situations to make model checking efficient Multisets are similar to scalarsets but are modifiable at runtime, use a ‘choose’ to index. Union data types allow us to refer to many scalarsets at once

Weak intruder model [Part (b) of the 3rd question on HW#1] Consider an intruder who can only receive messages destined to it. Does the attack on “initiator correctly authenticated” still work? Need to undo optimizations

Anomaly in Needham-Schroeder [Lowe] Anomaly in Needham-Schroeder { A, NA } Ke A E { NA, NB } Ka { NB } Ke { NA, NB } { A, NA } Evil agent E tricks honest A into revealing private key NB from B Ka Kb B Evil E can then fool B

Nonce 'number used once' To prevent against replay attacks

Symmetric Key Algorithm Encryption Input: plain-text, key, Output: cipher text Decryption Input: encrypted message, key, Output: plain text Needs to be reversible Insecure if following is computationally feasible Can decipher plaintext without key Can produce cipher text without key Can deduce key from cipher text

Asymmetric Encryption Input: plain-text, public-key, Output: cipher text Decryption Input: encrypted message, private-key, Output: plain text Needs to be reversible Insecure if following is computationally feasible Can decipher plaintext without private key Can deduce private key from cipher text or public key

Digital Signatures Signature algorithm Verification algorithm Input: m, private key, Output: Signature Verification algorithm Input: Signature, public key, Output: Boolean Authentication Integrity Non-repudiation

Cryptographic Hashes Input: message, Output: digest Insecure if following is computationally feasible: Preimage resistance: finding a message that matches a given digest Collision resistance: finding "collisions", wherein two different messages have the same message digest Second Preimage resistance: given an input m, it must be hard to find different m’ that hashes to the same value

MAC’s Integrity + Authenticity Input: Key, Message, Output: Message Authentication Code Verification algorithm Uses cryptographic hashes or symmetric key crypto Attacker must not be able to find two messages M, M’ that produce the same MAC under an unknown key given an oracle that MAC’s messages Key holder may find collisions Differ from signatures: they are symmetric

Diffie-Hellman exchange A picks a nonce x, generates Gx, sends it to B B picks a nonce y, generates Gy, sends it to A Both generate Gxy locally Gxy is a shared secret Secure by ‘Hardness of discrete logarithm’

Exercises How do scalarsets and multisets improve the efficiency of model-checking? What is the relationship between the three properties of cryptographic hashes? Read the definition of a message authentication code in Wikipedia