Security Protocols Analysis


1 Security Protocols Analysis

2 Reading
This class:
- Modelling and Analysis of Security Protocols: chapters
- C. Meadows: Formal Methods for Cryptographic Protocol Analysis: Emerging Issues and Trends,
Next class:
- Modelling and Analysis of Security Protocols: chapter 1
Internet Security - Farkas

3 What is Protocol Analysis
- Cryptographic protocols
- Attackers' capabilities
- Security?
- Hostile environment
- Vulnerabilities
  - Weakness of cryptography
  - Incorrect specifications

4 Cryptographic Protocols
- Two or more parties
- Communication over insecure network
- Cryptography used to achieve goal
  - Exchange secret keys
  - Verify identity (authentication)
  - Secure transaction processing

5 Emerging Properties of Protocols
- Greater interoperation
- Negotiation of policy
- Greater complexity
- Group-oriented protocols
- Emerging security threats

6 Attackers’ Capabilities
- Read traffic
- Modify traffic
- Delete traffic
- Perform cryptographic operations
- Control over network principals

7 Attacks
- Known attacks
  - Can be picked up by careful inspection
- Nonintuitive attacks
  - Not easily apparent
  - May not depend on flaws or weaknesses of cryptographic algorithms
  - Use a variety of methods, e.g., statistical analysis, subtle properties of crypto algorithms, etc.

8 Formal Methods
Combination of
- a mathematical or logical model of a system and its requirements, and
- effective procedures for determining whether a proof that a system satisfies its requirements is correct.
Can be automated!

9 Example: Needham-Schroeder
- Famous simple example (page 30-31)
- Protocol published and known for 10 years
- Gavin Lowe discovered unintended property while preparing formal analysis using FDR system
- Subsequently rediscovered by every analysis method
From: J. Mitchell

10 Needham-Schroeder Crypto
- Nonces
  - Fresh, random numbers
- Public-key cryptography
  - Every agent A has
    - Public encryption key Ka
    - Private decryption key Ka^-1
  - Main properties
    - Everyone can encrypt message to A
    - Only A can decrypt these messages
From: J. Mitchell

11 Needham-Schroeder Key Exchange
1. A -> B: { A, NonceA } Kb
2. B -> A: { NonceA, NonceB } Ka
3. A -> B: { NonceB } Kb
On execution of the protocol, A and B are guaranteed mutual authentication and secrecy.
From: J. Mitchell

12 Needham Schroeder properties
- Responder correctly authenticated
  - When initiator A completes the protocol apparently with honest responder B, it must be that B thinks he ran the protocol with A
- Initiator correctly authenticated
  - When responder B completes the protocol apparently with honest initiator A, it must be that A thinks she ran the protocol with B
- Initiator nonce secrecy
  - When honest initiator completes the protocol with honest peer, intruder does not know initiator's nonce
From: J. Mitchell

13 Anomaly in Needham-Schroeder
[Lowe]
1. A -> E: { A, NA } Ke
2. E -> B: { A, NA } Kb
3. B -> E: { NA, NB } Ka
4. E -> A: { NA, NB } Ka
5. A -> E: { NB } Ke
Evil agent E tricks honest A into revealing private key NB from B.
Evil E can then fool B.
From: J. Mitchell

14 Requirements and Properties
- Authentication
  - Authentication, Secrecy
- Trading
  - Fairness
- Special applications (e.g., voting)
  - Anonymity and Accountability

15 Security Analysis
- Understand system requirements
- Model
  - System
  - Attacker
- Evaluate security properties
  - Under normal operation (no attacker)
  - In the presence of attacker
- Security results: under given assumptions about system and about the capabilities of the attackers.

Modeling decisions
- How powerful is the adversary?
  - Simple replay of previous messages
  - Block messages; decompose, reassemble and resend
  - Statistical analysis, partial info from network traffic
  - Timing attacks
- How much detail in underlying data types?
  - Plaintext, ciphertext and keys
    - atomic data or bit sequences
  - Encryption and hash functions
    - "perfect" cryptography
    - algebraic properties: encr(x*y) = encr(x) * encr(y) for RSA, where encrypt(k, msg) = msg^k mod N

16 Explicit intruder model
[Diagram labels: Informal Protocol Description; Formal Protocol; Intruder Model; Analysis Tool; Find error]
From: J. Mitchell

17 Protocol Analysis Spectrum
[Figure: analysis methods placed on two axes, sophistication of attacks and protocol complexity, each running from low to high. Labels: Murφ, FDR, NRL, Athena, Hand proofs, Paulson, Bolignano, BAN logic, Spi-calculus, Poly-time calculus, Model checking, Symbolic methods (MSR), Protocol logic]
From: J. Mitchell

18 Analysis of Discrete Systems
- Properties of discrete systems
- Requirements
- Attackers
- Attack: sequence of finite set of operations
- Evaluate different paths an attacker may take
- State the environmental assumptions precisely

19 First Analysis Method
- Dolev-Yao
  - Set of polynomial-time algorithms for deciding security of a restricted class of protocols
  - First to develop a formal model of the environment in which
    - Multiple executions of the protocol can be running concurrently
    - Cryptographic algorithms are considered as "black boxes"
    - Includes intruder model
- Tools based on Dolev-Yao
  - NRL protocol analyzer
  - Longley-Rigby tool

20 Model checking
- Two components
  - Finite state system
  - Specification of properties
- Exhaustive search of the state space to determine security
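
Added example (not from the slides or from J. Mitchell's material): a minimal exhaustive search, in the sense of the Dolev-Yao and model-checking slides, that rediscovers the Lowe anomaly of slide 13 rather than replaying it. It assumes one honest run of A with E and one responder run of B, perfect encryption, and the hypothetical names `enc`, `close`, `forge` and `find_attack`; `fixed=True` adds B's identity to message 2, which is Lowe's published repair and does not appear on the slides.

```python
from itertools import product

AGENTS = ("A", "B", "E")  # assumed toy model (not from the slides): E is the intruder, keys named by owner

def enc(key, *payload):
    """Symbolic "perfect" encryption: opaque to anyone but the key's owner."""
    return ("enc", key, payload)

def close(kn):
    """Dolev-Yao analysis: E opens exactly the ciphertexts under its own key."""
    kn, size = set(kn), -1
    while len(kn) != size:
        size = len(kn)
        kn |= {x for t in kn if isinstance(t, tuple) and t[1] == "E" for x in t[2]}
    return frozenset(kn)

def forge(kn, key, arity):
    """Messages E can deliver under `key`: replays, or encryptions of known atoms."""
    atoms = [t for t in kn if isinstance(t, str)]
    replay = {t for t in kn if isinstance(t, tuple) and t[1] == key and len(t[2]) == arity}
    return replay | {enc(key, *p) for p in product(atoms, repeat=arity)}

def find_attack(fixed=False):
    """Exhaustive search for a run where B commits to A although A only ran with E."""
    first = enc("E", "A", "Na")  # message 1 of A's honest run with E
    start = (close({"A", "B", "E", "Ne", first}), 1, 0, None)
    seen, todo = {start}, [(start, [])]
    while todo:
        (kn, a, b, peer), trace = todo.pop(0)
        if b == 2 and peer == "A":
            return trace  # list of (message E delivered, honest agent's reply)
        steps = []
        if a == 1:  # A awaits message 2
            for m in forge(kn, "A", 3 if fixed else 2):
                if m[2][0] == "Na" and (not fixed or m[2][2] == "E"):
                    steps.append((m, enc("E", m[2][1]), 2, b, peer))
        if b == 0:  # B awaits message 1
            for m in forge(kn, "B", 2):
                who, n = m[2]
                if who in AGENTS:
                    reply = enc(who, n, "Nb", "B") if fixed else enc(who, n, "Nb")
                    steps.append((m, reply, a, 1, who))
        if b == 1 and enc("B", "Nb") in forge(kn, "B", 1):  # B awaits message 3
            steps.append((enc("B", "Nb"), None, a, 2, peer))
        for m, reply, a2, b2, p2 in steps:
            state = (close(kn | ({reply} if reply else set())), a2, b2, p2)
            if state not in seen:
                seen.add(state)
                todo.append((state, trace + [(m, reply)]))
    return None
```

`find_attack()` returns the three-step counterexample trace; `find_attack(fixed=True)` exhausts the state space and returns `None`.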

21 Theorem Prover
- Theorems: properties of protocols
- Prove or check proofs automatically
- Could find flaws not detected by manual analysis
- Do not give counterexamples like the model checkers

22 Logic
- Burrows, Abadi, and Needham (BAN) logic
- Logic of belief
  - Set of modal operators: describing the relationship of principal to data
  - Set of possible beliefs
  - Inference rules
- Seems to be promising but weaker than state exploration tools and theorem proving (higher level abstraction)

23 Next week CSP

