October 7, 2003, Serguei A. Mokhov: Cryptographic Protocols and Possible Attacks (SOEN321 - Information-Systems Security)

Cryptographic Protocols and Possible Attacks
SOEN321 - Information-Systems Security
Revision: 1.1
Date: November 25, 2004

Contents
Security Flaws in Cryptographic Protocols
– Freshness Flaws
– Oracle Flaws
– Type Flaws
– Implementation-Dependent Flaws
– Elementary Flaws
– Others

Security Flaws
A flaw is a protocol property that contradicts the security requirements. A security flaw is a part of a program that can cause the system to violate its security requirements. Finding security flaws, then, demands some knowledge of the system security requirements. These requirements vary according to the system and the application [Landwehr, Bull, McDermott and Choi]. The proof of a flaw is commonly known as an “attack” and is generally presented as actions performed on the protocol.

Flaw Types
– Freshness
– Oracle
– Type
– Implementation-Dependent
– Others…

Freshness Flaws
Freshness flaws appear when critical messages are used in the protocol without including freshness information such as nonces and/or timestamps. This lack can be exploited by an intruder to masquerade by replaying messages belonging to previous runs.

Freshness Flaws
A classical example of a freshness flaw occurs in the symmetric-key protocol proposed by Needham-Schroeder:
– Message 1  A -> S : A, B, N_a
– Message 2  S -> A : {N_a, B, k_ab, {k_ab, A}k_bs}k_as
– Message 3  A -> B : {k_ab, A}k_bs
– Message 4  B -> A : {N_b}k_ab
– Message 5  A -> B : {N_b + 1}k_ab

Freshness Flaws (2)
This protocol aims to provide mutual authentication between two principals A and B. Each principal shares a secret key with a trusted server S. This protocol was thought to be correct until 1981, when the basic weakness was pointed out by Denning and Sacco. The main problem of this protocol is that the principal playing the role B cannot detect whether the message {k_ab, A}k_bs sent by the principal playing the role A at step 3 has been recently created or not, since it does not contain any freshness information.

Freshness Flaws (3)
Suppose, for example, that an intruder can compromise one previously distributed key k'_ab (by using cryptanalysis, for example) and replays the appropriate message to the principal playing the role B in step 3. In this case, the principal playing the role B will accept this key as a new one and reply with the message {N_b}k'_ab. Hence, the intruder can intercept this message and impersonate A's reply by sending the message {N_b + 1}k'_ab.

Freshness Flaws (4)
To fix this weakness, Denning and Sacco have proposed to add a timestamp to the messages used at step 2 and step 3:
– Message 1  A -> S : A, B, N_a
– Message 2  S -> A : {T, N_a, B, k_ab, {k_ab, A, T}k_bs}k_as
– Message 3  A -> B : {k_ab, A, T}k_bs
– Message 4  B -> A : {N_b}k_ab
– Message 5  A -> B : {N_b + 1}k_ab
Needham and Schroeder have proposed a solution based on the use of nonces. The two proposed solutions seem to resolve the problem; however, there is no correctness proof for either of these new versions.
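
The replay described on the freshness slides, and B's timestamp check from the Denning-Sacco variant, as an added example that is not part of the original slides. Encryption is modelled symbolically (a ciphertext opens only with the matching key); the `MAX_AGE` window, the class and function names, and all key values are assumptions made for illustration.

```python
import secrets
from typing import NamedTuple, Optional

MAX_AGE = 30  # assumed freshness window (seconds) for the timestamp T


class Enc(NamedTuple):
    """Symbolic ciphertext {body}key: only the holder of `key` can open it."""
    key: str
    body: tuple


def dec(c: Enc, key: str) -> tuple:
    if c.key != key:
        raise ValueError("wrong key")
    return c.body


class B:
    """Principal B, steps 3 to 5. `timestamps` selects the Denning-Sacco variant."""

    def __init__(self, k_bs: str, timestamps: bool):
        self.k_bs, self.timestamps = k_bs, timestamps
        self.pending = None  # (k_ab, peer, N_b) awaiting message 5
        self.session = None  # (peer, k_ab) once the run completes

    def on_message3(self, ticket: Enc, now: int) -> Optional[Enc]:
        fields = dec(ticket, self.k_bs)
        if self.timestamps:
            k_ab, peer, t = fields
            if abs(now - t) > MAX_AGE:
                return None  # stale ticket: refuse to start a session
        else:
            k_ab, peer = fields  # nothing here says when the key was issued
        n_b = secrets.randbits(64)
        self.pending = (k_ab, peer, n_b)
        return Enc(k_ab, (n_b,))  # Message 4: {N_b}k_ab

    def on_message5(self, msg: Enc) -> bool:
        k_ab, peer, n_b = self.pending
        if dec(msg, k_ab) != (n_b + 1,):
            return False
        self.session = (peer, k_ab)
        return True


def replay_old_ticket(timestamps: bool, ticket_age: int) -> bool:
    """Intruder replays a recorded message 3 whose key k'_ab it has since
    compromised. Returns True if B ends up believing it shares k'_ab with A."""
    k_bs, old_k_ab, issued = "k_bs", "k'_ab", 1_000_000  # constructed values
    body = (old_k_ab, "A", issued) if timestamps else (old_k_ab, "A")
    ticket = Enc(k_bs, body)                 # recorded from the earlier run
    b = B(k_bs, timestamps)
    msg4 = b.on_message3(ticket, now=issued + ticket_age)
    if msg4 is None:
        return False
    (n_b,) = dec(msg4, old_k_ab)             # possible only because k'_ab leaked
    return b.on_message5(Enc(old_k_ab, (n_b + 1,)))


if __name__ == "__main__":
    print("original protocol, day-old ticket :", replay_old_ticket(False, 86400))
    print("with timestamp T, day-old ticket  :", replay_old_ticket(True, 86400))
    print("with timestamp T, 5-second ticket :", replay_old_ticket(True, 5))
```

The last case shows what the timestamp does and does not buy: a key compromised inside the acceptance window is still replayable, so the window bounds the exposure rather than removing it.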

Oracle Flaws
Oracle flaws occur when the cryptographic protocol dialog allows an adversary to learn some secret information or to predict the content of some encrypted messages. Two subclasses of oracle flaws are distinguished:
– Single oracle flaws, and
– Multi-role oracle flaws.

Single Oracle Flaws
This subclass consists of oracle flaws that occur when the protocol does not allow principals to change their roles from one protocol run to another. The most famous example of a single-role oracle flaw was given by Rivest, Shamir, and Adleman. It consists of the following three-step protocol:
– Message 1  A -> B : {M}k_a
– Message 2  B -> A : {{M}k_a}k_b
– Message 3  A -> B : {M}k_b
We assume that the encrypting function is commutative, i.e. {{M}k_a}k_b = {{M}k_b}k_a.

Single Oracle Flaws (2)
The goal of this protocol is to transfer secret messages from one principal to another without the help of a trusted server. In step one, the principal playing the role A encrypts the message M under its secret key k_a (which can be randomly generated), then sends the result to the principal playing the role B. In the second step, the principal playing the role B encrypts the received message with its secret key k_b and sends the result to the principal playing the role A. Finally, the principal playing the role A decrypts the message {{M}k_a}k_b to obtain the message {M}k_b (this can be achieved under the commutativity assumption), which is sent to the principal playing the role B.

Single Oracle Flaws (3)
This protocol can be attacked as follows:
– Message 1  A -> I(B) : {M}k_a
– Message 2  I(B) -> A : {M}k_a
– Message 3  A -> I(B) : M
At step one, the intruder intercepts the message {M}k_a, which is supposed to be sent to the principal playing the role B. At step two, the intruder sends the intercepted message to the principal playing the role A as B's response. Finally, the principal playing the role A decrypts the received message and sends the result (M) to the principal playing the role B. However, the intruder intercepts this message; hence, it learns the information that was supposed to be secret.

Multi-Role Oracle Flaws
Multi-role oracle flaws occur when the protocol assumptions allow principals to change their role from one run to another. In this case, an intruder has more opportunities to attack the protocol. In fact, the intruder can participate in many runs executed concurrently; hence, messages of one run can be used to form messages that will be used in another run.

Multi-Role Oracle Flaws (2)
A good example of a multi-role oracle flaw is:
– Message 1  A -> B : {N_a}k_ab
– Message 2  B -> A : {N_a + 1}k_ab
The objective of this protocol is to convince the principal playing role A that the principal playing role B is operational.

Multi-Role Oracle Flaws (3)
At step one, the principal playing role A sends a challenge, the nonce N_a encrypted using the key k_ab. The principal playing role B can easily give a response ({N_a + 1}k_ab) to this challenge at step two, since it knows the key k_ab. This protocol can be attacked as follows:
– Message 1.1  A -> I(B) : {N_a}k_ab
– Message 2.1  I(B) -> A : {N_a}k_ab
– Message 2.2  A -> I(B) : {N_a + 1}k_ab
– Message 1.2  I(B) -> A : {N_a + 1}k_ab
At step one of the first protocol run, the intruder intercepts the message {N_a}k_ab and uses it as its own challenge in the first step of the second protocol run.

Multi-Role Oracle Flaws (4)
Therefore, it is not surprising that the principal playing the role A will answer by sending the message {N_a + 1}k_ab in step two of the second protocol run. Furthermore, this message is also the one needed to finish the first run. Finally, the principal playing the role A is convinced that the principal playing the role B is operational; however, this principal may no longer exist in the system.
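
The two interleaved runs above (1.1, 2.1, 2.2, 1.2), as an added example that is not part of the original slides. A single principal object plays both roles, B never appears, and the intruder only relays ciphertexts it cannot open. The `reject_own_challenges` switch is an added check (refusing to answer a challenge that matches one of the principal's own outstanding nonces), not something the slides propose; all names are assumptions.

```python
import secrets
from typing import NamedTuple, Optional


class Enc(NamedTuple):
    """Symbolic {nonce}key; the intruder forwards these without opening them."""
    key: bytes
    nonce: int


class Principal:
    """A principal able to act as initiator and as responder (multi-role)."""

    def __init__(self, k_ab: bytes, reject_own_challenges: bool = False):
        self.k_ab = k_ab
        self.reject_own = reject_own_challenges
        self.outstanding = set()  # nonces this principal is waiting on

    def initiate(self) -> Enc:
        """Message 1: {N_a}k_ab."""
        n = secrets.randbits(64)
        self.outstanding.add(n)
        return Enc(self.k_ab, n)

    def respond(self, challenge: Enc) -> Optional[Enc]:
        """Message 2: {N + 1}k_ab for an incoming challenge {N}k_ab."""
        if challenge.key != self.k_ab:
            return None
        if self.reject_own and challenge.nonce in self.outstanding:
            return None  # our own challenge came back: reflection
        return Enc(self.k_ab, challenge.nonce + 1)

    def finish(self, response: Optional[Enc]) -> bool:
        """True if the response completes one of our outstanding runs."""
        if response is None or response.key != self.k_ab:
            return False
        if response.nonce - 1 not in self.outstanding:
            return False
        self.outstanding.discard(response.nonce - 1)
        return True


def reflection(reject_own_challenges: bool) -> bool:
    """True if A concludes that B is operational although B took no part."""
    a = Principal(secrets.token_bytes(16), reject_own_challenges)
    m11 = a.initiate()       # Message 1.1  A -> I(B)  : {N_a}k_ab
    m22 = a.respond(m11)     # Message 2.1 reflected in, 2.2 A -> I(B)
    return a.finish(m22)     # Message 1.2  I(B) -> A  : {N_a + 1}k_ab


def honest(reject_own_challenges: bool) -> bool:
    """Normal run between two distinct principals sharing k_ab."""
    k_ab = secrets.token_bytes(16)
    a = Principal(k_ab, reject_own_challenges)
    b = Principal(k_ab, reject_own_challenges)
    return a.finish(b.respond(a.initiate()))


if __name__ == "__main__":
    print("reflection accepted, no check :", reflection(False))
    print("reflection accepted, check on :", reflection(True))
    print("honest run still completes    :", honest(True))
```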

Type Flaws
The extraction of message components requires full knowledge of their types. In fact, a message is implemented at the concrete level as a sequence of bits; to extract the value of the first component, for example, we need its type (length). Such information can be implicit if the receiver has prior knowledge of the message's components, their types and their positions. Another solution is to represent types explicitly in the transmitted data structure. In this case, the receiver does not need to know the types in advance, since it will find them embedded within the received message.

Type Flaws (2)
Type flaws occur when an adversary can induce the receiver to infer message component types that differ from the real ones. The Andrew Secure RPC protocol (from the Andrew File System), presented below, provides a good example of this class of flaws.
– Message 1  A -> B : A, {N_a}k_ab
– Message 2  B -> A : {N_a + 1, N_b}k_ab
– Message 3  A -> B : {N_b + 1}k_ab
– Message 4  B -> A : {k'_ab, N'_b}k_ab

Type Flaws (3)
In step one, the principal playing the role A sends its identity and a challenge {N_a}k_ab to indicate to the principal playing the role B that it wishes to communicate with it. At the second step, the principal playing the role B sends the message {N_a + 1, N_b}k_ab, which is a challenge to the principal playing the role A. At step three, the principal playing the role A replies to the challenge of the principal playing the role B by sending the message {N_b + 1}k_ab. At the last step, the principal playing the role B creates a session key k'_ab, concatenates it with N'_b, an identifier for a future communication, encrypts the result with the key k_ab and sends it to the principal playing the role A.

Type Flaws (4)
Suppose that nonces and keys have the same length (x bits). This protocol can be attacked as follows:
– An intruder I can intercept the message {N_a + 1, N_b}k_ab sent at the second step and send it in step four as B's reply.
– In this case, the principal playing the role A will take the value of N_a + 1 as the value of the session key k'_ab.

Type Flaws (5)
The complete attack is:
– Message 1  A -> B : A, {N_a}k_ab
– Message 2  B -> A : {N_a + 1, N_b}k_ab
– Message 3  A -> B : {N_b + 1}k_ab
– Message 4  I(B) -> A : {N_a + 1, N_b}k_ab
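
The type confusion in the Andrew Secure RPC run above, worked at the byte level, together with the explicit-typing alternative mentioned on the first type-flaw slide. This is an added example, not part of the original slides: encryption is a symbolic wrapper, the field width `X`, the one-byte tag values and all function names are assumptions.

```python
import secrets

X = 16  # nonces and keys are both X bytes (the slide's equal-length assumption)
T_REPLY, T_NEWKEY = b"\x02", b"\x04"  # hypothetical one-byte type tags (the fix)


def enc(key: bytes, pt: bytes):
    """Symbolic {pt}key: a wrapper that only the same key opens."""
    return (key, pt)


def dec(key: bytes, c) -> bytes:
    if c[0] != key:
        raise ValueError("wrong key")
    return c[1]


def inc(n: bytes) -> bytes:
    """N + 1 on an X-byte big-endian value."""
    return ((int.from_bytes(n, "big") + 1) % (1 << 8 * X)).to_bytes(X, "big")


def pack(tag: bytes, f1: bytes, f2: bytes, typed: bool) -> bytes:
    return (tag if typed else b"") + f1 + f2


def unpack(pt: bytes, tag: bytes, typed: bool):
    """Split a two-field plaintext; untyped parsing relies on position only."""
    if typed:
        if pt[:1] != tag:
            raise ValueError("unexpected message type")
        pt = pt[1:]
    if len(pt) != 2 * X:
        raise ValueError("bad length")
    return pt[:X], pt[X:]


def run(typed: bool, attack: bool) -> dict:
    """One protocol run as seen by A; returns what A accepted as k'_ab."""
    k_ab, n_a, n_b = (secrets.token_bytes(X) for _ in range(3))
    m1 = enc(k_ab, n_a)                          # Message 1  A -> B
    m2 = enc(k_ab, pack(T_REPLY, inc(dec(k_ab, m1)), n_b, typed))  # Message 2
    reply, got_n_b = unpack(dec(k_ab, m2), T_REPLY, typed)
    if reply != inc(n_a):
        raise RuntimeError("A rejects message 2")
    m3 = enc(k_ab, inc(got_n_b))                 # Message 3  A -> B
    if dec(k_ab, m3) != inc(n_b):
        raise RuntimeError("B rejects message 3")
    issued = secrets.token_bytes(X)              # k'_ab chosen by B
    m4 = enc(k_ab, pack(T_NEWKEY, issued, secrets.token_bytes(X), typed))
    if attack:
        m4 = m2          # Message 4  I(B) -> A : recorded message 2 replayed
    try:
        accepted, _ = unpack(dec(k_ab, m4), T_NEWKEY, typed)
    except ValueError:
        accepted = None  # A refuses the message
    return {"accepted": accepted, "issued": issued, "n_a_plus_1": inc(n_a)}


if __name__ == "__main__":
    r = run(typed=False, attack=True)
    print("untyped: A's session key is N_a + 1:", r["accepted"] == r["n_a_plus_1"])
    print("typed:   replay accepted:", run(True, True)["accepted"] is not None)
```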

Binding Flaws
In public-key cryptography, it would be catastrophic if a principal misjudged the key of another. In fact, a public key is used to send secret information, since only the principal having the appropriate private key can decrypt the encrypted message. However, if, for example, an intruder I having a public key k_i can convince a principal A that B's public key is k_i, then the intruder can read all secret messages (encrypted with k_i) coming from A and going to B. To avoid such a flaw, a genuine binding between agents and public keys must be established.

Binding Flaws (2)
In general, in a distributed system, a trusted server takes charge of the key distribution task. Each principal uses an authentication protocol to get the public keys of other principals from the server. However, if the authentication protocol is not carefully designed, binding flaws can take place.

Binding Flaws (3)
A good illustrative example of this class of flaws is given below:
– Message 1  A -> S : A, B, N_a
– Message 2  S -> A : S, {S, A, N_a, k_b}k_s^-1
Here, the principal playing the role A wishes to know the public key of the principal playing the role B with the help of the trusted server S. At step one, the principal playing the role A sends its identity, the identity of the principal playing the role B and a nonce N_a to the server S. In step two, the server replies with a message containing its identity, A's identity, the nonce N_a (to ensure the freshness of the message) and the public key of the principal playing the role B. All these components are concatenated and encrypted under S's private key (a signature), allowing the principal playing the role A to be sure about the origin of the message.

Binding Flaws (4)
As shown by Hwang and Chen, this protocol can be attacked as follows:
– Message 1.1  A -> I(S) : A, B, N_a
– Message 2.1  I(A) -> S : A, I, N_a
– Message 2.2  S -> I(A) : S, {S, A, N_a, k_i}k_s^-1
– Message 1.2  I(S) -> A : S, {S, A, N_a, k_i}k_s^-1
At step one of the first protocol run, the intruder I intercepts the message “A, B, N_a”, substitutes its own identity for the identity of B and sends the result as the first message of a new run of the protocol (Message 2.1). At step 2.2, the server replies with a message containing I's public key, since it thinks that the principal playing the role A is asking for this public key. Finally, the intruder replays S's message to the principal playing the role A. Thus, a binding flaw occurs, since the principal playing the role A thinks that the public key of the principal playing the role B is k_i.

Binding Flaws (5)
To avoid this flaw, Hwang and Chen proposed the following modification:
– Message 1  A -> S : A, B, N_a
– Message 2  S -> A : S, {S, A, N_a, B, k_b}k_s^-1
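
The substitution attack and the Hwang-Chen modification side by side, as an added example that is not part of the original slides. An HMAC under a key held by the server stands in for the signature {...}k_s^-1 (an assumption made to stay within the standard library; a real deployment verifies with S's public key), and the directory contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)       # stand-in for S's signing key k_s^-1
DIRECTORY = {"B": "pk_B", "I": "pk_I"}     # constructed public-key directory


def sign(fields) -> bytes:
    """Stand-in for a signature over the concatenated fields."""
    data = "|".join(fields).encode()
    return hmac.new(SERVER_KEY, data, hashlib.sha256).digest()


def server(requester: str, wanted: str, nonce: str, bind_subject: bool):
    """Message 2. With bind_subject the signed body also names the key owner."""
    fields = ["S", requester, nonce]
    if bind_subject:
        fields.append(wanted)              # Hwang-Chen: {S, A, N_a, B, k_b}
    fields.append(DIRECTORY[wanted])
    return fields, sign(fields)


def a_accepts(reply, wanted: str, nonce: str, bind_subject: bool):
    """A's checks on message 2; returns the key A will use for `wanted`."""
    fields, sig = reply
    if not hmac.compare_digest(sig, sign(fields)):
        return None                        # not signed by S
    expected = ["S", "A", nonce] + ([wanted] if bind_subject else [])
    if fields[:-1] != expected:
        return None                        # wrong nonce, requester or subject
    return fields[-1]


def run(bind_subject: bool, attack: bool):
    nonce = secrets.token_hex(8)
    request = ("A", "B", nonce)            # Message 1.1  A -> I(S) : A, B, N_a
    if attack:
        request = ("A", "I", nonce)        # Message 2.1  I(A) -> S : A, I, N_a
    reply = server(*request, bind_subject) # Message 2.2  S -> I(A)
    return a_accepts(reply, "B", nonce, bind_subject)  # Message 1.2 relayed to A


if __name__ == "__main__":
    print("original, under attack :", run(False, True))   # A binds B to pk_I
    print("modified, under attack :", run(True, True))    # reply rejected
    print("modified, honest run   :", run(True, False))
```

In the original format every check A can make (signature, requester, nonce) passes during the attack, because nothing in the signed body says whose key it carries.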

Repudiation Flaws
We say that a cryptographic protocol contains a repudiation flaw if at least one principal is able to deny its participation in any run of this protocol. A popular example of this category of flaws is given by the coin-flip protocol proposed by Toussaint. This protocol can be used by two principals to toss a coin over a “phone” as follows:
– B sends his choice of Heads or Tails to A.
– A chooses a key k_a and sends the messages {k_a, Heads}k_a, {k_a, Tails}k_a to B.
– B arbitrarily chooses one of {k_a, Heads}k_a and {k_a, Tails}k_a and sends his choice, say X, to A.

Repudiation Flaws (2)
– A decrypts X, compares the result with B's initial choice and sends the key k_a to B.
– B decrypts X and compares the result with his initial choice.
The probability that the principal A wins is equal to B's (1/2), as shown by Toussaint. However, in this protocol, the result of the game is known by A before B. Then, if the principal A discovers that he has lost, he can abort the protocol at step four and never reveal the key k_a to B at the last step. In other words, the principal A can deny his participation in this protocol run, and a repudiation flaw occurs.

Implementation-Dependent Flaws
Cryptosystems used within cryptographic protocols are supposed to be perfect, modulo a set of properties containing at least integrity and confidentiality. However, some examples show that these conditions are not sufficient for some protocols, because their security can be severely affected by the implementation approach adopted for the cryptographic functions. The interaction between cryptosystems and cryptographic protocols has not yet been deeply studied, and it is still an open area of research. However, it is clear that speaking about the security of a protocol in combination with a specific cryptosystem is better than speaking about the security of a protocol in absolute terms.

Implementation-Dependent Flaws (2)
To be convinced of the severity of this problem, consider the example proposed by Massey, shown below:
– Message 1  A -> B : {M}k_a
– Message 2  B -> A : {{M}k_a}k_b
– Message 3  A -> B : {M}k_b
Suppose that we use the XOR function to encipher messages. Hence, if k is a key and M is a message, encrypting M under k amounts to the following simple operation: {M}k = M ⊕ k. Since k ⊕ k = 0 (0 ⊕ 0 = 0 and 1 ⊕ 1 = 0), the deciphering transformation is performed by using the same operation: {{M}k}k = M ⊕ k ⊕ k = M.

Implementation-Dependent Flaws (3)
The intent of this protocol is to transmit a secret message M from a principal playing the role A to a principal playing the role B. However, if we compute the XOR of the three messages used in this protocol:
– ({M}k_a ⊕ {{M}k_a}k_b ⊕ {M}k_b),
– then the result is M (the message which is supposed to be secret).
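
The three-pass protocol run with two commutative ciphers, as an added example that is not part of the original slides. It covers both the passive XOR attack above and the reflection attack from "Single Oracle Flaws (3)", and goes one step beyond the slides by also running the protocol over modular exponentiation (a commutative cipher chosen here as an assumption) to show that changing the cipher removes the passive attack but not the reflection. The modulus and all function names are assumptions.

```python
import math
import secrets

P = 2**127 - 1  # a Mersenne prime; modulus for the exponentiation cipher


def xor(m: bytes, k: bytes) -> bytes:
    """{M}k = M XOR k; the same call decrypts."""
    if len(m) != len(k):
        raise ValueError("key and message must have equal length")
    return bytes(a ^ b for a, b in zip(m, k))


def exp_keygen():
    """Key pair (e, d) with e*d = 1 mod (P-1), so (M^e)^d = M mod P."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)


def exp_enc(m: int, key) -> int:
    return pow(m, key[0], P)


def exp_dec(m: int, key) -> int:
    return pow(m, key[1], P)


def three_pass(enc, dec, k_a, k_b, m, reflect=False):
    """Return the three wire messages. With reflect=True the intruder I(B)
    answers message 1 with the very same ciphertext."""
    m1 = enc(m, k_a)                       # Message 1  A -> B : {M}k_a
    m2 = m1 if reflect else enc(m1, k_b)   # Message 2  B -> A : {{M}k_a}k_b
    m3 = dec(m2, k_a)                      # Message 3  A -> B : {M}k_b
    return m1, m2, m3


def xor_eavesdrop(wire) -> bytes:
    """Passive attack on the XOR instance: combine the three wire messages."""
    m1, m2, m3 = wire
    return xor(xor(m1, m2), m3)


if __name__ == "__main__":
    msg = b"constructed M"                               # constructed sample
    k_a, k_b = (secrets.token_bytes(len(msg)) for _ in range(2))
    wire = three_pass(xor, xor, k_a, k_b, msg)
    print("XOR, passive   :", xor_eavesdrop(wire))
    print("XOR, reflected :", three_pass(xor, xor, k_a, k_b, msg, True)[2])

    m = int.from_bytes(msg, "big")                       # 13 bytes < P
    e_a, e_b = exp_keygen(), exp_keygen()
    wire = three_pass(exp_enc, exp_dec, e_a, e_b, m)
    print("EXP, B decrypts:", exp_dec(wire[2], e_b) == m)
    print("EXP, reflected :", three_pass(exp_enc, exp_dec, e_a, e_b, m, True)[2] == m)
```

With XOR the same three values also give away both keys (message 1 ⊕ message 2 is k_b, message 2 ⊕ message 3 is k_a), so every later message under those keys is exposed as well.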

Other Flaws
Elementary Flaws:
– Some cryptographic protocols provide only marginal protection against an adversary. In general, this category of protocols is breakable with little effort.
– Little or no protection in a protocol leads, in almost all cases, to so-called elementary flaws.
– A simple example of these flaws is given by the following protocol:
  Message 1  A -> B : {N_a, k_ab}k_a^-1
  Message 2  B -> A : {N_a}k_ab

Other Flaws (2)
Password Guessing Flaws:
– Password guessing flaws occur if it is easy for an adversary to guess some secret key.
– An intruder can do an exhaustive search in a word space smaller than the whole key space to look for keys that are not randomly selected.
– This category of flaws is independent of the protocol design, but it is related to the cryptographic techniques used to generate keys.

Other Flaws (3)
Calculi Flaws:
– Normally, after receiving a message, the receiver does some verification in order to know whether the received message is the expected one or not.
– However, if these computations are not completed or are not done correctly, then a calculi flaw could arise.

References
Dr. Mourad Debbabi