Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Analysis of Network Protocols

Published byPercival Ellis Modified over 6 years ago

Similar presentations

Presentation on theme: "Security Analysis of Network Protocols"— Presentation transcript:

1 Security Analysis of Network Protocols
CS 259 Security Analysis of Network Protocols Prof.John Mitchell Mukund Sundararajan (CA)

2 Course Staff Prof. John Mitchell Mukund Sundararajan (CA)
Out of Town, Back Thursday Mukund Sundararajan (CA) John for a day Your CA otherwise Phone: (650)  

3 Course organization Lectures This is a project course Please enroll!
Tues, Thurs for approx first six weeks of quarter Project presentations in 3 stages This is a project course There may be one or two short homeworks Most of your work will be project and presentation Typically done in teams Please enroll!

4 SCPD Students Everything you need is on the class website
You need to be able to access the /usr/class/cs259 directory Project presentations If you are in town, come and present If you are elsewhere, we will try and work something out Project report Recorded video On the Phone

5 Today Basics of formal analysis of security protocols CS259 Website
What is protocol analysis? Needham Schroeder and the Murj model checker CS259 Website Tools Past Projects, Project Suggestions HW#1 out today, due 24th Jan

6 Protocol / System Properties
Network Authentiction and privacy Authentication, Secrecy E.g. Kerberos, SSL, WEP E- Commerce Fair exchange Voting Anonymity with Accountability Policy Specifications Privacy , Access Control Adherence to policy

7 Characteristics of Security
Program or System Correctness Program satisfies specification For reasonable input, get reasonable output Program or System Security Program properties preserved in face of attack For unreasonable input, output not completely disastrous Main differences Active interference from adversary Distributed nature of programs

8 Cryptographic Protocols
Two or more parties Communication over insecure network Cryptography used to achieve goal Exchange secret keys Verify identity (authentication) Class poll: Public-key encryption, symmetric-key encryption, CBC, hash, signature, key generation, random-number generators

9 Factoring Computer Security
Cryptography (CS 255) Encryption, signatures, cryptographic hash, … Security mechanisms (CS 259) Access control policy Network protocols Implementation (CS 155) Cryptographic library Code implementing mechanisms Reference monitor and TCB Protocol Runs under OS, uses program library, network protocol stack Analyze protocols, assuming crypto, implementation, OS correct

10 Security Analysis Model system Model adversary
Identify security properties See if properties preserved under attack Result No “absolute security” Security means: under given assumptions about system, no attack of a certain form will destroy specified properties.

11 Important Modeling Decisions
How powerful is the adversary? Simple replay of previous messages Block messages; Decompose, reassemble and resend Statistical analysis, partial info from network traffic Timing attacks How much detail in underlying data types? Plaintext, ciphertext and keys atomic data or bit sequences Encryption and hash functions “perfect” cryptography algebraic properties: encr(x*y) = encr(x) * encr(y) for RSA encrypt(k,msg) = msgk mod N

12 Protocol Attacks Kerberos [Scederov et. Al.]
Public key version - lack of identity in message causes authentication failure WLAN i [He , Mitchell] Lack of authentication in msg causes dos vulnerability Proved correct using PCL [ Datta , Derek, Sundararajan] GDOI [meadows – Pavlovic] Authorization failure SSL [Mitchell – Shmatikov] Version roll-back attack, authenticator confusion between main and resumption protocol Needham-Schroeder [Lowe] We saw this today; more in the homework

13 Many more – this is just a small sample
Other approaches Exhaustive finite-state analysis FDR, based on CSP [Lowe, Roscoe, Schneider, …] Search using symbolic representation of states Meadows: NRL Analyzer, Millen: Interrogator Prove protocol correct PCL by Datta-Derek-Mitchell- Pavlovic Paulson’s “Inductive method”, others in HOL, PVS, … MITRE -- Strand spaces Process calculus approach: Abadi-Gordon spi-calculus, applied pi-calculus, … Type-checking method: Gordon and Jeffreys, … Many more – this is just a small sample

14 Explicit intruder model
Informal Protocol Description Formal Protocol Intruder Model Analysis Tool Find error

15 Example: Needham-Schroeder
Famous simple example Protocol published and known for 10 years Gavin Lowe discovered unintended property while preparing formal analysis using FDR system Subsequently rediscovered by every analysis method Today is our turn!

16 Needham-Schroeder Crypto
Nonces Fresh, Random numbers Public-key cryptography Every agent A has Public encryption key Ka Private decryption key Ka-1 Main properties Everyone can encrypt message to A Only A can decrypt these messages

17 Needham-Schroeder Key Exchange
{ A, NonceA } { NonceA, NonceB } { NonceB} Kb A B Ka Kb On execution of the protocol, A and B are guaranteed mutual authentication and secrecy.

18 Needham Schroeder properties
Responder correctly authenticated When initiator A completes the protocol apparently with Honest responder B, it must be that B thinks he ran the protocol with A Initiator correctly authenticated When responder B completes the protocol apparently with Honest initiator A, it must be that A thinks she ran the protocol with B Initiator Nonce secrecy When honest initiator completes the protocol with honest peer, intruder does not know initiators nonce.

19 Anomaly in Needham-Schroeder
[Lowe] Anomaly in Needham-Schroeder { A, NA } Ke A E { NA, NB } Ka { NB } Ke { NA, NB } { A, NA } Evil agent E tricks honest A into revealing private key NB from B Ka Kb B Evil E can then fool B

20 Murj [Dill et al.] Describe finite-state system
State variables with initial values Transition rules Communication by shared variables Scalable: choose system size parameters Automatic exhaustive state enumeration Space limit: hash table to avoid repeating states Research and industrial protocol verification

21 Limitations of Finite State Methods
Two sources of infinite behavior Many instances of participants, multiple runs Message space or data space may be infinite Finite approximation Assume finite participants Example: 2 clients, 2 servers Assume finite message space Represent random numbers by r1, r2, r3, … Do not allow encrypt(encrypt(encrypt(…)))

22 Applying Murj to security protocols
Formulate protocol Model initiator, responder state machines Model n/w as a shared variable Model properties using invariants Add adversary Control over “network” Possible actions Intercept any message Remember parts of messages Generate new messages, using observed data and initial knowledge (e.g. public keys)

23 Modeling Message Structure, N/W
Message : record source: AgentId; source of message dest: AgentId; intended destination of msg key: AgentId; key used for encryption mType: MessageType; -- type of message nonce1: AgentId; nonce1 nonce2: AgentId; nonce2 OR sender id OR empty end; var net: multiset[NetworkSize] of Message; state variable for for n/w

24 Modeling Protocol Actions (3)
ruleset i: InitiatorId do ruleset j: AgentId do rule 20 "initiator starts protocol (step 3)" ini[i].state = I_SLEEP & multisetcount (l:net, true) < NetworkSize ==> var outM: Message; -- outgoing message begin undefine outM; outM.source := i; outM.dest := j; outM.key := j; outM.mType := M_NonceAddress; outM.nonce1 := i; outM.nonce2 := i; multisetadd (outM,net); ini[i].state :=I_WAIT; ini[i].responder := j; end; end;end;

25 Modeling Properties invariant "responder correctly authenticated"
forall i: InitiatorId do ini[i].state = I_COMMIT & ismember(ini[i].responder, ResponderId) -> res[ini[i].responder].initiator = i & ( res[ini[i].responder].state = R_WAIT | res[ini[i].responder].state = R_COMMIT ) end;

26 Adversary Model Formalize “knowledge” Optimization
initial data observed message fields results of simple computations Optimization only generate messages that others read time-consuming to hand simplify Possibility: automatic generation

27 Modeling the attacker (3)
-- intruder i sends recorded message ruleset i: IntruderId do arbitrary choice of choose j: int[i].messages do recorded message ruleset k: AgentId do destination rule "intruder sends recorded message" !ismember(k, IntruderId) & not to intruders multisetcount (l:net, true) < NetworkSize ==> var outM: Message; begin outM := int[i].messages[j]; outM.source := i; outM.dest := k; multisetadd (outM,net); end; end; end; end;

28 Needham-Schroeder in Murj (1)
const NumInitiators: 1; -- number of initiators NumResponders: 1; -- number of responders NumIntruders: 1; -- number of intruders NetworkSize: 1; -- max. outstanding msgs in network MaxKnowledge: 10; -- number msgs intruder can remember type InitiatorId: scalarset (NumInitiators); ResponderId: scalarset (NumResponders); IntruderId: scalarset (NumIntruders); AgentId: union {InitiatorId, ResponderId, IntruderId};

29 Run of Needham-Schroeder
Find error after 1.7 seconds exploration Output: trace leading to error state Murj times after correcting error:

30 Homework #1 Investigate the NS flaw and the fixed Needham Schroeder Lowe protocol Investigate conditions under which attack succeeds: adversary power, initiator behavior and crypto Due 24th Find a partner by the end of the week If you can’t, then tell us SCPD students, same guidelines

31 Limitations System size with current methods Adversary model
2-6 participants Kerberos: 2 clients, 2 servers, 1 KDC, 1 TGS 3-6 steps in protocol May need to optimize adversary Adversary model Cannot model randomized attack Do not model adversary running time

32 State Reduction on N-S Protocol

33 Security Protocols in Mur
Standard “benchmark” protocols Needham-Schroeder, TMN, … Kerberos Study of Secure Sockets Layer (SSL) Versions 2.0 and 3.0 of handshake protocol Include protocol resumption Tool optimization Additional protocols Contract-signing Wireless networking … ADD YOUR PROJECT HERE …

34 Plan for this course Protocols Tools Projects
Authentication, key establishment, assembling protocols together (TLS ?), fairness exchange, … Tools Finite-state and probabilistic model checking, constraint-solving, process calculus, temporal logic, proof systems, game theoretic methods, polynomial time … Projects Choose a protocol or other security mechanism Choose a tool or method and carry out analysis Hard part: formulating security requirements

35 Tools (CS259 web site) Tools Murphi PRISM MOCHA
Finite-state tool developed by David Dill’s group at Stanford PRISM Probabilistic model checker, University of Birmingham MOCHA Alur and Henzinger; now consortium Constraint solver using prolog Shmatikov and Millen Isabelle Theorem prover developed by Larry Paulson in Cambridge, UK A number of case studies available on line PCL Logic for Security Protocols developed at Stanford

36 Project Ideas (CS259 web site)
Wireless networking protocols DoS issues VoIP Privacy , authentication, DoS issues, Billing fraud SIP, H.323, Skype etc. Password based authentication protocols For TLS and in other settings Privacy Policies HIPAA Fair exchange protocols, voting protocols Browse 2004 projects Browse Vitaly Shmatikov’s courses Any system you find cool!

37 Hope you enjoy the course
John will lecture for a few weeks to get started Case studies are the best way to learn this topic Sections will deal with tools For the first month or so Choose a project that interests you !!! If you have another idea, come talk with us Can build or extend a tool, or paper study if you prefer

Download ppt "Security Analysis of Network Protocols"

Similar presentations

University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.

University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Model Checking for Security Anupam Datta CMU Fall 2009 18739A: Foundations of Security and Privacy.

Model Checking for Security Anupam Datta CMU Fall A: Foundations of Security and Privacy.
CS259: Security Analysis of Network Protocols Overview of Murphi Arnab Roy.

CS259: Security Analysis of Network Protocols Overview of Murphi Arnab Roy.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.
Analysis of Security Protocols (IV) John C. Mitchell Stanford University.

Analysis of Security Protocols (IV) John C. Mitchell Stanford University.
Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,

Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,
Model Checking for Security Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Model Checking for Security Anupam Datta CMU Fall A: Foundations of Security and Privacy.
Security Analysis of Network Protocols TECS Week Reference: John Mitchell Stanford 2005.

Security Analysis of Network Protocols TECS Week Reference: John Mitchell Stanford 2005.
Inductive Verification of Protocols Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Inductive Verification of Protocols Anupam Datta CMU Fall A: Foundations of Security and Privacy.
1 Authentication Protocols Celia Li Computer Science and Engineering York University.

1 Authentication Protocols Celia Li Computer Science and Engineering York University.
Executable specification of cryptofraglets with Maude for security verification Fabio Martinelli and Marinella Petrocchi IIT-CNR, Pisa Italy presented.

Executable specification of cryptofraglets with Maude for security verification Fabio Martinelli and Marinella Petrocchi IIT-CNR, Pisa Italy presented.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Analysis of a Fair Exchange Protocol Vitaly Shmatikov John Mitchell Stanford University.

Analysis of a Fair Exchange Protocol Vitaly Shmatikov John Mitchell Stanford University.

Similar presentations

Ads by Google