Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI.

Slides:



Advertisements
Similar presentations
The Diffie-Hellman Algorithm
Advertisements

Diffie-Hellman Diffie-Hellman is a public key distribution scheme First public-key type scheme, proposed in 1976.
ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.
Public Key Cryptography Nick Feamster CS 6262 Spring 2009.
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.
Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.
Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.
Secure Mobile IP Communication
CNS2010lecture 6 :: key management1 ELEC5616 computer and network security matt barrie
Cryptography and Network Security Chapter 9
Pairwise Key Agreement in Broadcasting Networks Ik Rae Jeong.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Modelling and Analysing of Security Protocol: Lecture 14 Some Real Life Protocols Tom Chothia CWI.
Modelling and Analysing of Security Protocol: Lecture 7 Automatically Checking Protocols Tom Chothia CWI.
Interlock Protocol - Akanksha Srivastava 2002A7PS589.
Chen Advisor: Limin Jia.  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Digital Signatures. Anononymity and the Internet.
Public Key Algorithms …….. RAIT M. Chatterjee.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
1 Three-Party Encrypted Key Exchange Without Server Public-Keys C. L. Lin, H. M. Sun, M. Steiner, and T. Hwang IEEE COMMUNICATIONS LETTER, VOL. 5, NO.12,
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Introduction to Modern Cryptography Homework assignments.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.
Modelling and Analysing of Security Protocol: Lecture 2 Cryptology for Protocols Analysis Tom Chothia CWI.
WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
Modelling and Analysing of Security Protocol: Lecture 5 BAN logic Tom Chothia CWI.
Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.
WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.
Computer Science Public Key Management Lecture 5.
Public Key Model 8. Cryptography part 2.
Strong Password Protocols
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.
Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012.
Great Theoretical Ideas in Computer Science.
HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the order Teams mostly.
COEN 351 E-Commerce Security Essentials of Cryptography.
Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.
Security protocols and their verification Mark Ryan University of Birmingham Midlands Graduate School University of Birmingham April 2005 Steve Kremer.
Cryptography and Network Security (CS435) Part Eight (Key Management)
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
PUBLIC-KEY CRYPTOGRAPH IT 352 : Lecture 2- part3 Najwa AlGhamdi, MSc – 2012 /1433.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Lecture 6.2: Protocols - Authentication and Key Exchange II CS 436/636/736 Spring 2012 Nitesh Saxena.
IPSec VPN: How does it really work? Yasushi Kono (ComputerLinks Frankfurt)
Chapter 3 – Public Key Cryptography and RSA (A). Private-Key Cryptography traditional private/secret/single-key cryptography uses one key shared by both.
1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,
COEN 351 E-Commerce Security
Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.
1 Number Theory and Advanced Cryptography 9. Authentication Protocols Chih-Hung Wang Sept Part I: Introduction to Number Theory Part II: Advanced.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Diffie-Hellman Key Exchange first public-key type scheme proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts – note:
Elliptic Curve Cryptography (ECC)
Man in the Middle Attacks
Elliptic Curve Cryptography (ECC)
Efficient Short-Password Key Exchange (ESP-KE)
Diffie-Hellman key exchange/agreement algorithm
Formal Methods for Security Protocols
Secure Diffie-Hellman Algorithm
Lecture 6.2: Protocols - Authentication and Key Exchange II
“You have zero privacy anyway, get over it”
Presentation transcript:

Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI

This Lecture Quick introduction to Prolog A protocol as Prolog rules From Prolog to ProVerif Checking secrecy BREAK Writing protocols in the pi-calculus From secrecy to authenticity Examples: Diffie-Hellmen, STS & SKEME

The Pi-calculus A mini language for writing protocols (and any other concurrent processes) process P ::= in (channel, message);P |out (channel, message);P | let a = T in P | new n;P | P | Q |! P | 0

The Pi-calculus Firewall process = ! ( in ( , packet ); let (port_no,payload) = packet in if port_no = 80 then out (to_server,payload) )

Pi-calculus Semantics The Key Rules: in (channel, var);P | out(channel,value)  P [ value/var ] !P  P | !P P | new a;Q  new a; ( P | Q) iff a not in P The last rule means that: out (a,b) | new a; in (a,x) -\ 

The Pi-calculus reduction ! Firewall_process |out( , ( 80, (get, index.html) ) | out( , ( 22, login_ssh) |out( , ( 80, (get, index.html) )

Apply the !P  P | !P rule ! Firewall process | ( in ( , packet ); let (port_no,payload) = packet in if port_no = 80 then out (to_server,payload) ) |out( , ( 80, (get, index.html) ) | out( , ( 22, login_ssh) |out( , ( 80, (get, index.html) )

Apply the COMM rule ! Firewall process | let (port_no,payload) = (80,(get, index.html) in if port_no = 80 then out (to_server,payload) ) | out( , ( 22, login_ssh) |out( , ( 80, (get, index.html) )

Apply the LET rule ! Firewall process | if 80 = 80 then out (to_server, (get, index.html)) ) | out( , ( 22, login_ssh) |out( , ( 80, (get, index.html) )

Apply the IF rule ! Firewall process | out (to_server,(get, index.html)) | out( , ( 22, login_ssh) |out( , ( 80, (get, index.html) )

Apply the !P  P | !P rule ! Firewall process | ( in ( , packet ); let (port_no,payload) = packet in if port_no = 80 then out (to_server,payload) ) | out (to_server,(get, index.html)) | out( , ( 22, login_ssh) |out( , ( 80, (get, index.html) )

Apply the COMM & LET rules ! Firewall process | if 22 = 80 then out (to_server, login_ssh) ) | out (to_server,(get, index.html)) |out( , ( 80, (get, index.html) )

Apply the IF rules ! Firewall process | out (to_server,(get, index.html)) |out( , ( 80, (get, index.html) )

The Applied Pi-calculus The Applied Pi-calculus extends the pi- calculus with equations and we saw what you can do with equations in Lecture 2. It also adds frames “{ M/x }” to get track of what the environment knows. See the paper “Mobile Values, New Names and Secure Communication” for more info.

Example: Diffie-Hellman The Diffie-Hellman is a widely used key agreement protocol. It relies on some number theory: –a mod b = n where  m s.t. a = m.b + n The protocol uses two public parameters –generator “g” (often 160 bits long) –prime “p” (often 1024 bits long)

Diffie-Hellman A and B pick random numbers r A and r B and calculate “t A = g r A mod p” and “t B = g r B mod p” The protocol just exchanges these numbers: 1.A  B : t A 2.B  A : t B A calculates “t B r A mod p” and B “t A r B mod p” this is the key: –K = g r A r B mod p

Diffie-Hellman A and B pick random numbers r A and r B and calculate “t A = g r A mod p” and “t B = g r B mod p” The protocol just exchanges these numbers: 1.A  B : p, g, t A 2.B  A : t B A calculates “t A r A mod p” and B “t A r B mod p” this is the key: –K = g r A r B mod p

Diffie-Hellman An observer cannot work out r A and r B from t A and t B therefore the attacker cannot calculate the key The values of “g” and “p” must be big enough to make it intractable to try all possible combinations. So we have a “Good Key” but know nothing about the participants. We did not need to share any keys at the start, therefore this is a very powerful protocol.

Station-to-Station Protocol The Station-to-Station (STS) protocol adds authentication: 1.A  B : t A 2.B  A : t B, { Sign B (t A, t B ) } Kab 3.A  B : { Sign A (t A, t B ) } Kab

ProVerif Demo.

The Needham-Schroeder Public Key Protocol A famous authentication protocol 1. A  B : E B ( N a, A ) 2. B  A : E A ( N a, N b ) 3. A  B : E B ( N b ) N a and N b can then be used to generate a symmetric key

Needham-Schroeder in the Applied Pi-calculus equations: fun pk/1. fun encrypt/2. reduc decrypt(encrypt(x,pk(y)),y) = x. A = new Na; out (channel, encrypt( (Na, pk(skA)),pk(skB) ); in (channel, message); let (Nx,Nb) = decrypt( message, skA ) in if Nx = Na then out channel encrypt( Nb, pk(Bs) )

Needham-Schroeder in the Applied Pi-calculus equations: fun pk/1. fun encrypt/2. reduc decrypt(encrypt(x,pk(y)),y) = x. A = new Na; out (channel, encrypt( (Na, pk(skA)),pk(skB) ); in (channel, message); let (=Na,Nb) = decrypt( message, skA ) in out channel encrypt( Nb, pk(Bs) )

Needham-Schroeder in the Applied Pi-calculus B =in (channel, message1); let (Nx,pkA) = decrypt ( message, skB) in new Nb; out channel encrypt( (Nx,Nb), pkA ); in (channel, message2); let Ny = decrypt (message2, skB) in if (Ny = Nb) then...

We must let the attacker pick who A talks to. A = in(talk_to, pkB); new Na; out (channel, encrypt( (Na,pkA) pkB ); in (channel, message); let (Nx,N) = decrypt( message, skA ) in if Nx = Na then out channel encrypt( N, pkB )

Likewise for B B =in(talk_to, pkA) in (channel, message1); let (Nx,=pkA) = decrypt ( message, skB) in new Nb; out channel encrypt( (Nx,Nb), pkA ); in (channel, message2); let Ny = decrypt (message2, skB) in if (Ny = Nb) then...

Correspondence Assertions We don’t really want to check secrecy. We want to check correspondence. We add events, and require implications between events.

Adding A “begin” Assertions A = in(talk_to, pkB); event begin(pk(skA),pkB); new Na; out (channel, encrypt( (Na,pk(skA)) pkB ); in (channel, message); let (Nx,N) = decrypt( message, skA ) in if Nx = Na then out channel encrypt( N, pkB )

Adding an “end” Assertions B =in(talk_to, pkA) in (channel, message1); let (Nx,=pkA) = decrypt (message,skB) in new Nb; out channel encrypt( (Nx,Nb), pkA ); in (channel, message2); let Ny = decrypt (message2, skB) in if (Ny = Nb) then event end(pkA,pk(skB))

Correctness We now check than “end (A,B)” can happen if and only if “begin (A,B)” happened first.

Correctness We now check than “end (A,B)” can happen if and only if “begin (A,B)” happened first. This can be done by replacing everything after “begin(A,B)” with 0, then checking that “end(A,B)” stays secret.

ProVerif Demo.

The SKEME Protocol A better Diffie-Hellman from IBM. See handout.

ProVerif Demo.

This Lecture Quick introduction to Prolog A protocol as Prolog rules From Prolog to ProVerif Checking secrecy BREAK Writing protocols in the pi-calculus From secrecy to authenticity Examples: Diffie-Hellmen, STS & SKEME

Assessment You will get your homework back next week. And a new homework that involves BAN and ProVerif. TRY THEM OUT THIS WEEK.

Assessment From the 29th onwards you will be giving 20 mins presentations. You can formalise and verify a protocol (hard). or present a state-of-the-art research paper on security protocol (suggestions will be put on the website next week). Aim: show that you know what your talking about when it comes to security protocols. Try to find a paper you enjoy.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.