Formal Methods for Security Protocols. Lecture 2, 6 June 2002. TU Dresden - Ws on Proof Theory and Computation. Catuscia Palamidessi, Penn State University


Slide 2. Security Protocols

Contents of previous lecture (Lecture 1, 5 June):
- A brief introduction to security protocols
  - Distributed systems, insecure communication, intruders
  - Aims and properties: authentication, secrecy, integrity, anonymity, etc.
  - Notation: Message #  x -> y : data
  - Example: the Needham-Schroeder SK protocol
- A very brief introduction to cryptographic methods
  - Symmetric and asymmetric cryptography
  - One-way functions, trap doors
- Vulnerabilities of security protocols (just started)

Slide 3. Security Protocols: Vulnerabilities

Attack strategies:
- Man-in-the-middle: the attacker interferes by intercepting the message and possibly modifying it and/or pretending to be one of the two parties.

Slide 4. Security Protocols: Vulnerabilities

Attack strategy: man-in-the-middle

Example: the Diffie-Hellman key establishment scheme

This scheme is meant to establish a private key between two parties. It is more straightforward and requires neither a third party nor a trap-door.

- Choose a prime $p$ and a primitive root $r$ modulo $p$ (primitive means that all numbers between 1 and $p$ can be generated by taking exponents of $r$ modulo $p$).
- Alice chooses at random an integer $x$ and sends Bob the message $m_1 = r^x \pmod p$.
- Bob chooses an integer $y$ and sends Alice the message $m_2 = r^y \pmod p$.
- Alice calculates $K_1 = m_2^x \pmod p$.
- Bob calculates $K_2 = m_1^y \pmod p$.

It is easy to prove that $K_1 = K_2$ (both equal $r^{xy} \pmod p$). Hence Alice and Bob can use $K_1$ as a private key between themselves.

Note that Alice and Bob play a symmetric role in the generation of the key. Deriving $x$ from $m_1$ (and $y$ from $m_2$) is considered to be intractable.

Slide 5. Security Protocols: Vulnerabilities

The Diffie-Hellman key establishment scheme has no way to ensure authentication. A man-in-the-middle, Yves, could pretend to be Bob and establish a shared key with Alice, thus reading all the messages that Alice thinks she is sending to Bob. He could do the same with Bob, even at the same time.
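The scheme and the missing authentication described on the last two slides, as an added example that is not part of the original lecture. The parameters p = 23 and r = 5 are constructed toy values, and the function names are illustrative.

```python
# Added example (not from the lecture): toy Diffie-Hellman and its lack of authentication.
import secrets

P, R = 23, 5   # constructed toy parameters; 5 is a primitive root modulo 23

def is_primitive_root(r, p):
    """True if the powers of r modulo p generate every number 1..p-1."""
    return {pow(r, e, p) for e in range(1, p)} == set(range(1, p))

def keypair(p=P, r=R):
    """Pick a random secret exponent and the public message r^secret (mod p)."""
    secret = secrets.randbelow(p - 2) + 1       # 1 .. p-2
    return secret, pow(r, secret, p)

def honest_run():
    x, m1 = keypair()                           # Alice -> Bob : m1
    y, m2 = keypair()                           # Bob -> Alice : m2
    k1 = pow(m2, x, P)                          # Alice's K1
    k2 = pow(m1, y, P)                          # Bob's K2
    return k1, k2

def mitm_run():
    """Yves intercepts m1 and m2 and hands each party his own value instead."""
    x, m1 = keypair()                           # sent by Alice, intercepted
    y, m2 = keypair()                           # sent by Bob, intercepted
    z, m_yves = keypair()                       # delivered to both Alice and Bob
    alice_key = pow(m_yves, x, P)               # Alice thinks this is shared with Bob
    bob_key = pow(m_yves, y, P)                 # Bob thinks this is shared with Alice
    yves_keys = (pow(m1, z, P), pow(m2, z, P))  # what Yves can compute himself
    # Neither message carried anything tying it to its sender, so both accept.
    return alice_key, bob_key, yves_keys

if __name__ == "__main__":
    print("honest:", honest_run())
    print("mitm:  ", mitm_run())
```

In the honest run both parties hold the same key; in the intercepted run each party's key matches one that Yves holds, and nothing in the exchange lets either of them notice.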

Slide 6. Security Protocols: Vulnerabilities

- Replay: the intruder monitors a (possibly partial) run of the protocol and at some time reproduces (replays) one or more of the messages.

Slide 7. Security Protocols: Vulnerabilities

Example: let us consider what could happen to the NSSK protocol (Needham-Schroeder-Secret-Key) if we remove the nonce from A.

  Message 1  A -> J : $A.B$
  Message 2  J -> A : $\{B.k_{AB}.\{k_{AB}.A\}_{ServerKey(B)}\}_{ServerKey(A)}$
  Message 3  A -> B : $\{k_{AB}.A\}_{ServerKey(B)}$
  Message 4  B -> A : $\{n_B\}_{k_{AB}}$
  Message 5  A -> B : $\{n_B - 1\}_{k_{AB}}$

Suppose that Yves eventually succeeds in breaking the key, so he now knows $k_{AB}$. Presumably this will have taken a long time, so $k_{AB}$ is not used anymore by A and B. However, the next time Alice sends a request to Jeeves, Yves can intercept Jeeves' reply and send back to Alice the message

  $\{B.k_{AB}.\{k_{AB}.A\}_{ServerKey(B)}\}_{ServerKey(A)}$

So Alice will take the old key $k_{AB}$ as the key to use in her next conversation with Bob.

Slide 8. Security Protocols: Vulnerabilities

In the original NSSK protocol this attack is not possible, because A would recognize that the nonce is different from the one it sent. Note that the nonce is used as a sort of local time stamp.

The original NSSK protocol:

  Message 1  A -> J : $A.B.n_A$
  Message 2  J -> A : $\{n_A.B.k_{AB}.\{k_{AB}.A\}_{ServerKey(B)}\}_{ServerKey(A)}$
  Message 3  A -> B : $\{k_{AB}.A\}_{ServerKey(B)}$
  Message 4  B -> A : $\{n_B\}_{k_{AB}}$
  Message 5  A -> B : $\{n_B - 1\}_{k_{AB}}$

Slide 9. Security Protocols: Vulnerabilities

In the original NSSK protocol, however, a similar attack is possible on the other partner, B. In fact, B has no way to establish the freshness of the first message he sees (Message 3 in the protocol). So Yves could intercept the message from A to B and send to B, instead, a previously intercepted message

  $\{k_{AB}.A\}_{ServerKey(B)}$

Assuming that the intruder had time to discover the previous key $k_{AB}$, the communication from B using this key is compromised.

This attack was discovered by Denning and Sacco (three years after it had been in use in the Kerberos protocol).

A solution to this problem is to use timestamps: in Message 3, a timestamp (generated by A or by J) should also be sent, encrypted, to B. Note: timestamps assume a global notion of time.

The use of timestamps was introduced in the Kerberos protocol so as to avoid the problem above.
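The two freshness checks from the last three slides (A's nonce on Message 2, a timestamp inside Message 3), as an added symbolic model that is not part of the original lecture. Encryption is modelled as an opaque tuple; the key names, the 300-second window and the function names are assumptions made for the illustration.

```python
# Added example (not from the lecture): replayed NSSK messages with and without freshness checks.
def enc(key, *fields):                 # symbolic {fields}_key
    return ("enc", key, fields)

def dec(key, msg):                     # opens only with the matching key
    if msg[0] != "enc" or msg[1] != key:
        raise ValueError("cannot decrypt")
    return msg[2]

KEYS = {"A": "ServerKey(A)", "B": "ServerKey(B)"}   # constructed long-term keys
MAX_AGE = 300                          # assumed freshness window in seconds

def jeeves(a, b, k_ab, n_a=None, ts=None):
    # Message 2; n_a=None or ts=None builds the variant without that field.
    ticket = enc(KEYS[b], k_ab, a) if ts is None else enc(KEYS[b], k_ab, a, ts)
    body = (b, k_ab, ticket) if n_a is None else (n_a, b, k_ab, ticket)
    return enc(KEYS[a], *body)

def alice_accepts(msg2, n_a=None):
    """Return (k_AB, ticket); with n_a set, reject a reply to some other request."""
    fields = dec(KEYS["A"], msg2)
    if n_a is not None and fields[0] != n_a:
        raise ValueError("Message 2 is not fresh: nonce mismatch")
    _b, k_ab, ticket = fields[-3:]
    return k_ab, ticket

def bob_accepts(msg3, now=None):
    """Return k_AB; with now set, require a timestamp inside the window."""
    fields = dec(KEYS["B"], msg3)
    if now is not None and (len(fields) < 3 or abs(now - fields[2]) > MAX_AGE):
        raise ValueError("Message 3 is not fresh: timestamp too old or missing")
    return fields[0]

def outcome(check, *args, **kw):
    try:
        check(*args, **kw)
        return "accepted"
    except ValueError:
        return "rejected"

def replay_outcomes():
    # Recorded messages carrying the old key k_old, replayed against each variant.
    old2 = jeeves("A", "B", "k_old")
    old2_n = jeeves("A", "B", "k_old", n_a="n_1")
    old3 = alice_accepts(jeeves("A", "B", "k_old"))[1]
    old3_t = alice_accepts(jeeves("A", "B", "k_old", ts=1_000))[1]
    return {"msg2_no_nonce": outcome(alice_accepts, old2),
            "msg2_nonce": outcome(alice_accepts, old2_n, n_a="n_2"),
            "msg3_no_timestamp": outcome(bob_accepts, old3),
            "msg3_timestamp": outcome(bob_accepts, old3_t, now=90_000)}
```

The recorded Message 2 and Message 3 are accepted in the variants without a freshness field and rejected once the receiver compares the nonce or the timestamp.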

Slide 10. Security Protocols: Vulnerabilities

Alternatively, one could use nonces in a different way, as with the Yahalom protocol:

  Message 1  A -> B : $A.n_A$
  Message 2  B -> J : $B.\{A.n_A.n_B\}_{ServerKey(B)}$
  Message 3  J -> A : $\{B.k_{AB}.n_A.n_B\}_{ServerKey(A)}.\{A.k_{AB}\}_{ServerKey(B)}$
  Message 4  A -> B : $\{A.k_{AB}\}_{ServerKey(B)}.\{n_B\}_{k_{AB}}$

In this protocol, both A and B get to inject nonces before the request reaches Jeeves, so they both get a handle on the freshness of the key generated by Jeeves.

Slide 11. Security Protocols: Vulnerabilities

- Oracle: the intruder tricks an agent into inadvertently revealing some information, possibly by inducing him to perform some steps of a protocol.
- Interleave: the intruder contrives for two or more runs of the protocol to overlap.

Slide 12. Security Protocols: Vulnerabilities

Example of an attack on the Needham-Schroeder-Public-Key protocol which combines oracle and interleaving techniques.

The NSPK protocol (simplified version):

  Message 1  A -> B : $\{A.n_A\}_{PK_B}$
  Message 2  B -> A : $\{n_A.n_B\}_{PK_A}$
  Message 3  A -> B : $\{n_B\}_{PK_B}$

At the end of the protocol, it would seem reasonable to believe that:
- A and B know with whom they have been interacting
- A and B agree on the values of $n_A$ and $n_B$
- No one else knows the values of $n_A$ and $n_B$

Slide 13. Security Protocols: Vulnerabilities

In fact, for many years the NSPK protocol (1981) was believed to satisfy those properties, but in 1995 Gavin Lowe discovered the following attack. Here, Y(A) represents Y generating (resp. receiving) the message, making it appear as generated (resp. received) by A.

  Message a.1  A -> Y    : $\{A.n_A\}_{PK_Y}$
  Message b.1  Y(A) -> B : $\{A.n_A\}_{PK_B}$
  Message b.2  B -> Y(A) : $\{n_A.n_B\}_{PK_A}$
  Message a.2  Y -> A    : $\{n_A.n_B\}_{PK_A}$
  Message a.3  A -> Y    : $\{n_B\}_{PK_Y}$
  Message b.3  Y(A) -> B : $\{n_B\}_{PK_B}$

Initially, Alice starts a protocol run with Yves, thinking that he is an honest agent. At the end, Bob thinks that:
- he has been communicating with Alice, while this is not the case;
- he and Alice share exclusively $n_A$ and $n_B$, while this is not the case.

Slide 14. Security Protocols: Vulnerabilities

It is actually relatively easy to fix the NSPK protocol: it is sufficient to include the identity of the responder within the encrypted part of Message 2.

  Message 1  A -> B : $A.B.\{A.n_A\}_{PK_B}$
  Message 2  B -> A : $B.A.\{B.n_A.n_B\}_{PK_A}$
  Message 3  A -> B : $A.B.\{n_B\}_{PK_B}$

This new protocol (called the Lowe-Needham-Schroeder protocol) has been proved correct by using CSP/FDR methods.
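Lowe's interleaving from slide 13 run against both the simplified NSPK protocol and the fixed Message 2 from slide 14, as an added symbolic trace that is not part of the original lecture. Public-key encryption is modelled as a tuple that only the named owner can open; the function names and nonce values are assumptions made for the illustration.

```python
# Added example (not from the lecture): Lowe's interleaving against NSPK and the fixed protocol.
def pk_enc(owner, *fields):            # symbolic {fields}_PK(owner)
    return (owner, fields)

def pk_dec(me, msg):                   # only the key owner can open it
    owner, fields = msg
    if owner != me:
        raise ValueError(f"{me} cannot decrypt a message for {owner}")
    return fields

def lowe_interleaving(fixed):
    """Replay the six messages; fixed=True puts B's identity inside Message 2."""
    n_a, n_b = "n_A", "n_B"            # constructed nonces
    result = {"alice_aborts": False, "bob_thinks_peer_is": None, "yves_knows_n_b": False}
    # a.1  A -> Y    : {A.n_A}_PK(Y)       Alice willingly starts a run with Yves
    initiator, nonce = pk_dec("Y", pk_enc("Y", "A", n_a))
    # b.1  Y(A) -> B : {A.n_A}_PK(B)       Yves re-encrypts it for Bob
    claimed, seen_n_a = pk_dec("B", pk_enc("B", initiator, nonce))
    # b.2  B -> Y(A) : {n_A.n_B}_PK(A), or {B.n_A.n_B}_PK(A) in the fixed protocol
    body = ("B", seen_n_a, n_b) if fixed else (seen_n_a, n_b)
    msg2 = pk_enc(claimed, *body)
    # a.2  Y -> A    : forwarded unopened (Yves does not hold A's private key)
    fields = pk_dec("A", msg2)
    if fixed:
        responder, *fields = fields
        if responder != "Y":           # Alice's run is with Y, not with B
            result["alice_aborts"] = True
            return result
    if fields[0] != n_a:
        raise ValueError("nonce mismatch")
    # a.3  A -> Y    : {n_B}_PK(Y)         Alice acts as a decryption oracle
    (leaked,) = pk_dec("Y", pk_enc("Y", fields[1]))
    result["yves_knows_n_b"] = leaked == n_b
    # b.3  Y(A) -> B : {n_B}_PK(B)
    if pk_dec("B", pk_enc("B", leaked)) == (n_b,):
        result["bob_thinks_peer_is"] = claimed
    return result
```

With `fixed=False` Bob finishes the run believing his peer is A while Yves holds $n_B$; with `fixed=True` Alice sees the responder identity B in a run she started with Y and stops before sending Message 3.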