Presentation is loading. Please wait.

Presentation is loading. Please wait.

University of Twente The Netherlands Centre for Telematics and Information Technology Verification of Security Protocols Sandro Etalle

Published byJalynn Bursell Modified over 10 years ago

Similar presentations

Presentation on theme: "University of Twente The Netherlands Centre for Telematics and Information Technology Verification of Security Protocols Sandro Etalle"— Presentation transcript:

1 University of Twente The Netherlands Centre for Telematics and Information Technology Verification of Security Protocols Sandro Etalle etalle@cs.utwente.nl

2 University of Twente The Netherlands Centre for Telematics and Information Technology Outline  Day 2: Practice analysis of many flawed protocol......using the online demo  Resources: The online tool, reachable at wwwes.cs.utwente.nl/24cqet  The Clark-Jacob library http://citeseer.nj.nec.com/clark97survey.html www-users.cs.york.ac.uk/~jac/papers/drareviewps.ps

3 University of Twente The Netherlands Centre for Telematics and Information Technology Security Protocols & the Attacks Otway-Rees Secrecy+type-flaw attack Kao-chow replay-attack Woo-Lam authentication+type flaw attack NSL (as bonus protocol) auth+type-flaw attack

4 University of Twente The Netherlands Centre for Telematics and Information Technology Otway-Rees Protocol 1. A->B : [M,A,B,[Na,M,A,B]+Kas] 2. B->S : [M,A,B,[Na,M,A,B]+Kas], [Nb,M,A,B]+Kbs 3. S->B : [M, [Na,Kab]+Kas, [Nb,Kab]+Kbs 4. B->A : [M,[Na,Kab]+Kas ]  Aim: key distribution using a trusted server.  Kab: short-term key. Could be guessed.  Na and Nb serve as challenges.

5 University of Twente The Netherlands Centre for Telematics and Information Technology Attack upon Otway-Rees a.1 A->e(B) : [M,A,B,[Na,M,A,B]+Kas] a.4 e(B)->A : [M,A,B,[Na,M,A,B]+Kas]  Type flaw attack A takes [M,A,B] to be the key  The intruder just replies the first message.  It is an authentication flaw.  It is also a secrecy flaw (the intruder knows the key, now).

6 University of Twente The Netherlands Centre for Telematics and Information Technology Otway-Rees in the tool initiator(A,B,Na,Nb,M,X,Kas,Kab,[ recv([A,B]), % for origination assumption send([M,A,B,[Na,M,A,B]+Kas]]), recv([M,[Na,Kab]+Kas]), send(X+Kab)]). % another way of checking secrecy responder(A,B,Na,Nb,M,X,Kas,Kab,[ %NOT RELEVANT recv([M,A,B,[Na,M,A,B]+Kas]), send([[M,A,B,[Na,M,A,B]+Kas], [Nb,M,A,B]+Kbs]), recv([[M,Na,Kab]+Kas, [Nb,Kab]+Kbs]), send([M,[Na,Kab]+Kas]), recv(X+Kab) ]).

7 University of Twente The Netherlands Centre for Telematics and Information Technology Otway-Rees in the tool cont’d secrecy(N,[recv(N)]). server(A,B,Na,Nb,M,X,Kas,Kab,[ recv([[M,A,B,[Na,M,A,B]+Kas]]], [Nb,[M,[A,B]]]+Kbs]), send([[M,[Na,Kab]]+Kas, [Nb,Kab]+Kbs])]).

8 University of Twente The Netherlands Centre for Telematics and Information Technology Scenario  One initiator is enough.  And the secrecy check.  We could not check secrecy the “usual” way because Kab is not instantiated anywhere (it is given by the server). scenario([[sec1,St],[a,Sa1]]) :- initiator(a,b,na,Nb,m,x,kas,Kab,Sa1), secrecy(x, St). initial_intruder_knowledge([a,b,e]). has_to_finish([sec1]).

9 University of Twente The Netherlands Centre for Telematics and Information Technology The Attack Output Trace: [a,recv([a,b])] [a,send([m,[a,[b,[na,[m,[a,b]]] + kas]]])] [a,recv([m,[na,[m,[a,b]]] + kas])] [a,send(x + [m,[a,b]])] [sec1,recv(x)]

10 University of Twente The Netherlands Centre for Telematics and Information Technology Kao-Chow authentication Protocol 1. A->S : [A,B,Na] 2. S->B : [A,B,Na,Kab]+Kas,[A,B,Na,Kab]+Kbs, 3. B->A : [A,B,Na,Kab]+Kas,[Na+Kab,Nb] 4. A->B : Nb+Kab  Assumption: Kab is compromised

11 University of Twente The Netherlands Centre for Telematics and Information Technology Attack upon Kao-Chow a.1 A->S : [A,B,Na] a.2 S->B : [A,B,Na,Kab]+Kas, [A,B,Na,Kab]+Kbs a.3 B->A : [A,B,Na,Kab]+Kas,[Na+Kab,Nb] a.4 A->B : Nb+Kab b.2 e(S)->B : [A,B,Na,Kab]+Kas,[A,B,Na,Kab]+Kbs b.3 B->e(A) : [A,B,Na,Kab]+Kas, [Na+Kab,Nb’] b.4 e(A)->B : Nb’+Kab

12 University of Twente The Netherlands Centre for Telematics and Information Technology How it works  Two sessions.  First a normal session is carried out.  We assume the intruder “guesses” Kab. This is something we have to implement manually.  In a second session, the intruder can impersonate both A and the server S.

13 University of Twente The Netherlands Centre for Telematics and Information Technology Kao-Chow in the tool initiator(A,B,Na,Nb,Kas,Kab,Kbs,[ recv([A,B]), % for origination assumption send([A,[B,Na]]), recv([ [A,[B,[Na,Kab]]]+Kas,[ Na+Kab, Nb ]]), send(Nb+Kab) ]). responder(A,B,Na,Nb,M,Kab,Kbs,[ recv([M, ([A,[B,[Na,Kab]]]+Kbs)]), %M because he cannot decipher it send([M, [ Na+Kab, Nb ]]), recv(Nb+Kab), send(Kab) % we model that the key kab was compromised... ]).

14 University of Twente The Netherlands Centre for Telematics and Information Technology Scenario scenario([[a1,Sa1],[a2,Sb1],[a3,Sb2],[s1,Ss1]]) :- initiator(a,b,na,Nb,kas,Kab,Kbs,Sa1), responder(a,b,Na1,nb1,M,Kab1,kbs,Sb1), responder(a,b,Na2,nb2,M2,Kab2,kbs,Sb2), server(a,b,Na3,kas,kab,kbs,Ss1). initial_intruder_knowledge([a,b,e]). has_to_finish([a2,a3]). session consisting of: initiator, two responders, one server. any larger session will do. If both responders can finish there is certainly an attack.

15 University of Twente The Netherlands Centre for Telematics and Information Technology The Attack Output Trace: [a1,recv([a,b])] [a1,send([a,[b,na]])] [s1,recv([a,[b,na]])] [s1,send([[a,[b,[na,kab]]] + kas,[a,[b,[na,kab]]] + kbs])] [a2,recv([_h381,[a,[b,[na,kab]]] + kbs])] % a variable here [a2,send([_h381,[na + kab,nb1]])] [a1,recv([[a,[b,[na,kab]]] + kas,[na + kab,nb1]])] [a1,send(nb1 + kab)] [a2,recv(nb1 + kab)] [a2,send(kab)] [a3,recv([_h433,[a,[b,[na,kab]]] + kbs])] [a3,send([_h433,[na + kab,nb2]])] [a3,recv(nb2 + kab)] [a3,send(kab)]

16 University of Twente The Netherlands Centre for Telematics and Information Technology Woo-Lam Mutual Authentication Protocol 1. A->B : [A,Na] 2. B->A : [B,Nb] 3. A->B : [A,B,Na,Nb]+Kas 4. B->S : [A,B,Na,Nb]+Kas, [A,B,Na,Nb]+Kbs 5. S->B: [B,Na,Nb,Kab]+Kas,[A,Na,Nb,Kab]+Kbs 6. B->A: [B,Na,Nb,Kab]+Kas, [Na,Nb]+Kab 7. A->B: Nb+Kab

17 University of Twente The Netherlands Centre for Telematics and Information Technology Attack upon Woo-Lam Attack upon Woo-Lam a.1 e(A)->B : [A,B] a.2 B->e(A) : [B,Nb] a.3 e(A)->B : [A,B,B,Nb]+Kes a.4 B->e(S) : [A,B,B,Nb]+Kes, [A,B,B,Nb]+Kbs b.1 e(A)->B : [A,Nb] b.2 B->e(A) : [B,Nb' ] b.3 e(A)->B : [A,B,Nb,Nb' ]+Kes b.4 B->e(S) : [A,B,Nb,Nb' ]+Kes,[A,B,Nb,Nb' ]+Kbs a.5 e(S)->B: [B,B,Nb,Nb' ]+Kes,[A,B,Nb,Nb' ]+Kbs a.6 B->e(A): [B,B,Nb,Nb' ]+Kes,[ B,Nb]+Nb' a.7 e(A)->B: Nb+Nb'

18 University of Twente The Netherlands Centre for Telematics and Information Technology Comments  There is one complete session and one incomplete session.  Which agents do we actually have to implement to find this attack?

19 University of Twente The Netherlands Centre for Telematics and Information Technology One Responder will do: Woo-Lam in the Tool responder(A,B,Na,Nb,Kab,Kas,Kbs,[ recv([A,B]), % for origination assumption recv([A,Na]), send([B,Nb]), recv([A,[B,[Na,Nb]]]+Kas), send([([A,[B,[Na,Nb]]]+Kas), ([A,[B,[Na,Nb]]]+Kbs) ]), recv([([B,[Na,[Nb,Kab]]]+Kas), ([A,[Na,[Nb,Kab]]]+Kbs) ]), send([([B,[Na,[Nb,Kab]]]+Kas), ([Na,Nb]+Kab) ]), recv(Nb+Kab) ]).

20 University of Twente The Netherlands Centre for Telematics and Information Technology Scenario scenario([[b1,Sb1],[b2,Sb2]]) :- responder(a,b,Na1,nb1,Kab1,Kas,kbs,Sb1), responder(a,b,Na2,nb2,Kab2,Kas,kbs,Sb2). initial_intruder_knowledge([a,b,e]). has_to_finish([b1]).  The definition of the responder is sufficient, but we need two responders here.  If one of the two finishes, there is certainly an attack.  RULE: if a role can finish when no corresponding role is defined we are in certainly presence of an authentication problem.

21 University of Twente The Netherlands Centre for Telematics and Information Technology The Attack Output (after 30s!) Trace: [b1,recv([a,b])] [b1,send([b,nb1])] [b1,recv([a,[b,[b,nb1]]] + _h97)] [b1,send([[a,[b,[b,nb1]]] + _h97,[a,[b,[b,nb1]]] + kbs])] [b2,recv([a,b])] [b2,recv([a,nb1])] [b2,send([b,nb2])] [b2,recv([a,[b,[nb1,nb2]]] + _h97)] [b2,send([[a,[b,[nb1,nb2]]] + _h97,[a,[b,[nb1,nb2]]] + kbs])] [b1,recv([[b,[b,[nb1,nb2]]] + _h97,[a,[b,[nb1,nb2]]] + kbs])] [b1,send([[b,[b,[nb1,nb2]]] + _h97,[b,nb1] + nb2])] [b1,recv(nb1 + nb2)]

22 University of Twente The Netherlands Centre for Telematics and Information Technology Exercises  Explain the attack in the Woo-Lam protocol.  Say why it is a type flaw attack.  Implement and find the flaw of the Needham- Schroeder with Conventional keys (see Clark- Jacob Survey).  Implement and find the flaw of the Yahalom protocol (see Clark-Jacob Survey).  Write a small article over how to find security bugs in protocols using the COProVe tool.

23 University of Twente The Netherlands Centre for Telematics and Information Technology Extra: Needham-Schroeder- Lowe Protocol 1. A->B : [A,Na]*pk(B) 2. B->A : [Na,Nb,B]*pk(A) 3. A->B : Nb*pk(B)  Corrected version of the other one.  Still contains an (unrealistic) flaw

24 University of Twente The Netherlands Centre for Telematics and Information Technology Attack upon NSL a.1 A->e(B) : [A,Na]*pk(B) a.1' e(A)->B : [A,e]*pk(B) a.2 B->e(A) : [e,Nb,B]*pk(A) b.1 e->A : [e, [Nb,B] ]*pk(A) b.2 A->e: [[Nb,B], Na',A] *pk(e)  Message a.2 is passed as b.1.  Notice that a.2 has three fields, while b.1 has two.  It is a type flaw attack.  Rather unrealistic.

25 University of Twente The Netherlands Centre for Telematics and Information Technology NSL in the tool initiator(A,B,Na,Nb,[ recv([A,B]), % for origination assumption send([A,Na]*pk(B)), recv([Na,[Nb,B]]*pk(A)), send(Nb*pk(B)) ]). responder(A,B,Na,Nb,[ recv([A,Na]*pk(B)), send([Na,[Nb,B]]*pk(A)), recv(Nb*pk(B)) ]). secrecy(N,[recv(N)]).

26 University of Twente The Netherlands Centre for Telematics and Information Technology Scenario scenario([[a1,Sa],[a2,Sb],[a3,Sa2],[b1,Sb2],[sec1,St]]):- initiator(a,b,na,Nb,Sa), responder(a,b,Na,nb,Sb), initiator(A1,B1,na2,Nb2,Sa2), responder(A2,B2,Na2,nb2,Sb2), secrecy(nb,St). initial_intruder_knowledge([a,b,e]). has_to_finish([sec1]).

27 University of Twente The Netherlands Centre for Telematics and Information Technology NSL output Trace: [a1,recv([a,b])] [a1,send([a,na] * pk(b))] [a2,recv([a,e] * pk(b))] [a2,send([e,[nb,b]] * pk(a))] [a3,recv([_h414,e])] [a3,send([_h414,na2] * pk(e))] [a3,recv([na2,[_h416,e]] * pk(_h414))] [a3,send(_h416 * pk(e))] [b1,recv([e,[nb,b]] * pk(a))] [b1,send([[nb,b],[nb2,a]] * pk(e))] [a2,recv(nb * pk(b))] [b1,recv(nb2 * pk(a))] [sec1,recv(nb)]

Download ppt "University of Twente The Netherlands Centre for Telematics and Information Technology Verification of Security Protocols Sandro Etalle"

Similar presentations

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.

Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Lecture 10: Mediated Authentication

Lecture 10: Mediated Authentication
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
University of Twente The Netherlands Centre for Telematics and Information Technology Verification of Security Protocols Sandro Etalle

University of Twente The Netherlands Centre for Telematics and Information Technology Verification of Security Protocols Sandro Etalle
University of Twente The Netherlands Centre for Telematics and Information Technology Design, Analysis and Verification of Security Protocols Ricardo Corin.

University of Twente The Netherlands Centre for Telematics and Information Technology Design, Analysis and Verification of Security Protocols Ricardo Corin.
University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.

University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.
Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI.
CSC 474 Information Systems Security

CSC 474 Information Systems Security
Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.

Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Similar presentations

Ads by Google