Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Slides:



Advertisements
Similar presentations
SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
Advertisements

AUTHENTICATION AND KEY DISTRIBUTION
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
CSE 486/586, Spring 2014 CSE 486/586 Distributed Systems Security Steve Ko Computer Sciences and Engineering University at Buffalo.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Authentication John C. Mitchell Stanford University CS 99j.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Analysis of Security Protocols (IV) John C. Mitchell Stanford University.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 Chapter 30 Message Security, User Authentication, and Key Management.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Security Management.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
1 Authentication Protocols Celia Li Computer Science and Engineering York University.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Computer Science Public Key Management Lecture 5.
Chapter 31 Network Security
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Network Security Chapter Computer Networks, Fifth Edition by Andrew Tanenbaum and David Wetherall, © Pearson Education-Prentice Hall, 2011.
Network Security. An Introduction to Cryptography The encryption model (for a symmetric-key cipher).
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Chapter 21 Distributed System Security Copyright © 2008.
Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.
Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.
Encryption Questions answered in this lecture: How does encryption provide privacy? How does encryption provide authentication? What is public key encryption?
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
Upper OSI Layers Natawut Nupairoj, Ph.D. Department of Computer Engineering Chulalongkorn University.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 Chapter 30 Message Security, User Authentication, and Key Management.
6 June Lecture 2 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
TCP/IP Protocol Suite 1 Chapter 30 Security Credit: most slides from Forouzan, TCP/IP protocol suit.
1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,
Computer and Network Security - Message Digests, Kerberos, PKI –
Lecture 5.1: Message Authentication Codes, and Key Distribution
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Fall 2006CS 395: Computer Security1 Key Management.
1 Chapter 3-3 Key Distribution. 2 Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution.
Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.
@Yuan Xue CS 285 Network Security Key Distribution and Management Yuan Xue Fall 2012.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Network Security and It’s Issues
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Computer Communication & Networks
Presentation transcript:

Analysis of Security Protocols (I) John C. Mitchell Stanford University

My Second Marktoberdorf School l Fun playing volleyball, swimming, hiking l Review German vocabulary  Alt, Pils, Dunkel, Weizen, Dunkel Weizen  wegabschneider (trail-off-cutter) l Seen some ‘96 students at conferences l What else should I remember?

Computer Security l Protect information  Store user passwords in a form that prevents anyone from reading them  Transmit information like credit card numbers in a way that prevents others from intercepting them l Protect system integrity  Keep others from deleting your files  Keep downloaded code (such as Java applets) from modifying important data  Reject mail messages that contain viruses l Maintain privacy

Correctness vs Security l Program or System Correctness  Program satisfies specification  For reasonable input, get reasonable output l Program or System Security  Program resists attack  For unreasonable input, output not completely disastrous  Secure system might not be correct l Main technical differences  Active interference from environment  Refinement techniques may fail

Outline of these lectures l Introduction to security protocols  Issues in security, protocol examples and flaws l Overview of cryptography l Formal presentation of protocols and intruder l Automated finite-state analysis l A probabilistic, poly-time framework

Tractable program analysis l Goal: tools and techniques to solve useful problems l Caveat: need to be realistic program complexity complexity of property to verify May be possible Intractable

Security Protocols l Transmit information across network l Keep important information secret l Communicate with those you know and trust l Typical handshake protocols  3-7 steps  2-5 parties  client, server, key distribution service, …  lead to shared secret key for data transfer

Example: Secure Sockets Layer

Establishing Secure Communication l Parties use SSL protocol to  Choose encryption scheme, e.g.  40-bit international encryption with 2 keys  120-bit domestic encryption with 2 keys  choose among versions of specific scheme  Agree on shared secret key  Secret key more efficient than public key Avoid known-plaintext attack  Minimize reuse of hard-to-establish public key

Some security objectives l Secrecy  Info not revealed l Authentication  Know identity of individual or site l Data integrity  Msg not altered l Message Authentication  Know source of msg l Receipt  Know msg received l Access control l Revocation l Anonymity l Non-repudiation

Example Protocols l Challenge response  Mechanism for freshness l Needham-Schroeder Public Key  Use public-key crypto to generate shared secret l Kerberos  Simplified version w/o timestamps or nonces  Idea of sending encrypted “tickets” l SSL (briefly) l Diffie-Hellman key exchange

Timeliness in Communication l Assume Alice and Bob share a private encryption key K l Alice wants to know if Bob is on network l Possible protocol:  Alice  Bob: { “Hi Bob. Still there?” } K  Bob  Alice: { “I am here?” } K l What’s wrong with this?

Challenge-Response l Alice wants to know if Bob is still there  Send “fresh” number n, Bob returns f(n)  nonce = number used once  This avoids reply by malicious 3rd party l Protocol  Alice  Bob: { nonce } K  Bob  Alice: { nonce+1 } K l Does this work?

Needham-Schroeder Key Exchange { A, Nonce a } { Nonce a, Nonce b } { Nonce b } KaKa KbKb Result: A and B share two private numbers not known to any observer without K a -1, K b -1 AB KbKb

Anomaly in Needham-Schroeder AE B { A, N a } { N a, N b } { N b } KeKe KbKb KaKa KaKa KeKe Evil agent E tricks honest A into revealing private key N b from B. Evil E can then fool B. [Lowe]

TMN Cell Phone Protocol a N a b b K K s s S B A B, {N } A B {N } A {N }

TMN Replay Attack SBA B, {N a } Ks A A, {N b } Ks B, {N b } Na SDC D, {N c } Ks C C, {N b } Ks D, {N b } Nc REPLAY

Kerberos l Client requests key from KDC  C  KDC : C, TGS l KDC returns private key and ticket  KDC  C : {K s1 } Kc {C, K s1 } Ktgs l Client sends name and ticket to TGS  C  TGS : {C} Ks1, {C, K s1 } Ktgs, S l TCS returns private key and ticket  TGS  C : {K s2 } Kc {C, K s2 } Ks l Client contacts server  C  S : {C} Ks1, {C, K s1 } Ks

Secure Socket Layer (SSL) l Three goals  Negotiate specific encryption scheme  Possible “version attack”  Authenticate client and server  Appeal to “signature authority”  Use public key to transmit secret key Several underlying primitives: public key, signature scheme, hash function, private key

Handshake Protocol Description ClientHello C  S C, Ver C, Suite C, N C S C Ver S, Suite S, N S, S, K S + ServerHello S  C Ver S, Suite S, N S, sign CA { S, K S + } ClientVerify C  S sign CA {C, V C } + { Ver C, Secret C } + N S sign C { Hash( Master(N C, N S, Secret C ) + Pad 2 + N S Hash(Msgs + C + Master(N C, N S, Secret C ) + Pad 1 )) } (Change to negotiated cipher) N S ServerFinished S  C { Hash( Master(N C, N S, Secret C ) + Pad 2 + N S Hash( Msgs + S + Master(N C, N S, Secret C ) + Pad 1 )) } N S ClientFinished C  S { Hash( Master(N C, N S, Secret C ) + Pad 2 + N S Hash( Msgs + C + Master(N C, N S, Secret C ) + Pad 1 )) } SKSSKS S Master(N C, N S, Secret C )

Diffie-Hellman Key Exchange l Number-theoretic assumption  Given three numbers p, g, g a mod p, no efficient algorithm for computing a  Belief: adversary cannot find a until “too late” l Protocol (assumes public prime p, generator g)  Alice  Bob: g a mod p  Bob  Alice: g b mod p l Consequence  Alice and Bob know g ab mod p, no one else does  Works on telephone, not general network. Why?