Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI.

Published byAlfred Ansley Modified over 9 years ago

Similar presentations

Presentation on theme: "Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI."— Presentation transcript:

1 Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI

2 This Lecture Quick introduction to Prolog A protocol as Prolog rules From Prolog to ProVerif Checking secrecy BREAK Writing protocols in the pi-calculus From secrecy to authenticity Examples: Diffie-Hellmen, STS & SKEME

3 The Pi-calculus A mini language for writing protocols (and any other concurrent processes) process P ::= in (channel, message);P |out (channel, message);P | let a = T in P | new n;P | P | Q |! P | 0

4 The Pi-calculus Firewall process = ! ( in (168.42.12.5, packet ); let (port_no,payload) = packet in if port_no = 80 then out (to_server,payload) )

5 Pi-calculus Semantics The Key Rules: in (channel, var);P | out(channel,value)  P [ value/var ] !P  P | !P P | new a;Q  new a; ( P | Q) iff a not in P The last rule means that: out (a,b) | new a; in (a,x) -\ 

6 The Pi-calculus reduction ! Firewall_process |out( 168.42.12.5, ( 80, (get, index.html) ) | out( 168.42.12.5, ( 22, login_ssh) |out( 192.64.12.5, ( 80, (get, index.html) )

7 Apply the !P  P | !P rule ! Firewall process | ( in (168.42.12.5, packet ); let (port_no,payload) = packet in if port_no = 80 then out (to_server,payload) ) |out( 168.42.12.5, ( 80, (get, index.html) ) | out( 168.42.12.5, ( 22, login_ssh) |out( 192.64.12.5, ( 80, (get, index.html) )

8 Apply the COMM rule ! Firewall process | let (port_no,payload) = (80,(get, index.html) in if port_no = 80 then out (to_server,payload) ) | out( 168.42.12.5, ( 22, login_ssh) |out( 192.64.12.5, ( 80, (get, index.html) )

9 Apply the LET rule ! Firewall process | if 80 = 80 then out (to_server, (get, index.html)) ) | out( 168.42.12.5, ( 22, login_ssh) |out( 192.64.12.5, ( 80, (get, index.html) )

10 Apply the IF rule ! Firewall process | out (to_server,(get, index.html)) | out( 168.42.12.5, ( 22, login_ssh) |out( 192.64.12.5, ( 80, (get, index.html) )

11 Apply the !P  P | !P rule ! Firewall process | ( in (168.42.12.5, packet ); let (port_no,payload) = packet in if port_no = 80 then out (to_server,payload) ) | out (to_server,(get, index.html)) | out( 168.42.12.5, ( 22, login_ssh) |out( 192.64.12.5, ( 80, (get, index.html) )

12 Apply the COMM & LET rules ! Firewall process | if 22 = 80 then out (to_server, login_ssh) ) | out (to_server,(get, index.html)) |out( 192.64.12.5, ( 80, (get, index.html) )

13 Apply the IF rules ! Firewall process | out (to_server,(get, index.html)) |out( 192.64.12.5, ( 80, (get, index.html) )

14 The Applied Pi-calculus The Applied Pi-calculus extends the pi- calculus with equations...... and we saw what you can do with equations in Lecture 2. It also adds frames “{ M/x }” to get track of what the environment knows. See the paper “Mobile Values, New Names and Secure Communication” for more info.

15 Example: Diffie-Hellman The Diffie-Hellman is a widely used key agreement protocol. It relies on some number theory: –a mod b = n where  m s.t. a = m.b + n The protocol uses two public parameters –generator “g” (often 160 bits long) –prime “p” (often 1024 bits long)

16 Diffie-Hellman A and B pick random numbers r A and r B and calculate “t A = g r A mod p” and “t B = g r B mod p” The protocol just exchanges these numbers: 1.A  B : t A 2.B  A : t B A calculates “t B r A mod p” and B “t A r B mod p” this is the key: –K = g r A r B mod p

17 Diffie-Hellman A and B pick random numbers r A and r B and calculate “t A = g r A mod p” and “t B = g r B mod p” The protocol just exchanges these numbers: 1.A  B : p, g, t A 2.B  A : t B A calculates “t A r A mod p” and B “t A r B mod p” this is the key: –K = g r A r B mod p

18 Diffie-Hellman An observer cannot work out r A and r B from t A and t B therefore the attacker cannot calculate the key The values of “g” and “p” must be big enough to make it intractable to try all possible combinations. So we have a “Good Key” but know nothing about the participants. We did not need to share any keys at the start, therefore this is a very powerful protocol.

19 Station-to-Station Protocol The Station-to-Station (STS) protocol adds authentication: 1.A  B : t A 2.B  A : t B, { Sign B (t A, t B ) } Kab 3.A  B : { Sign A (t A, t B ) } Kab

20 ProVerif Demo.

21 The Needham-Schroeder Public Key Protocol A famous authentication protocol 1. A  B : E B ( N a, A ) 2. B  A : E A ( N a, N b ) 3. A  B : E B ( N b ) N a and N b can then be used to generate a symmetric key

22 Needham-Schroeder in the Applied Pi-calculus equations: fun pk/1. fun encrypt/2. reduc decrypt(encrypt(x,pk(y)),y) = x. A = new Na; out (channel, encrypt( (Na, pk(skA)),pk(skB) ); in (channel, message); let (Nx,Nb) = decrypt( message, skA ) in if Nx = Na then out channel encrypt( Nb, pk(Bs) )

23 Needham-Schroeder in the Applied Pi-calculus equations: fun pk/1. fun encrypt/2. reduc decrypt(encrypt(x,pk(y)),y) = x. A = new Na; out (channel, encrypt( (Na, pk(skA)),pk(skB) ); in (channel, message); let (=Na,Nb) = decrypt( message, skA ) in out channel encrypt( Nb, pk(Bs) )

24 Needham-Schroeder in the Applied Pi-calculus B =in (channel, message1); let (Nx,pkA) = decrypt ( message, skB) in new Nb; out channel encrypt( (Nx,Nb), pkA ); in (channel, message2); let Ny = decrypt (message2, skB) in if (Ny = Nb) then...

25 We must let the attacker pick who A talks to. A = in(talk_to, pkB); new Na; out (channel, encrypt( (Na,pkA) pkB ); in (channel, message); let (Nx,N) = decrypt( message, skA ) in if Nx = Na then out channel encrypt( N, pkB )

26 Likewise for B B =in(talk_to, pkA) in (channel, message1); let (Nx,=pkA) = decrypt ( message, skB) in new Nb; out channel encrypt( (Nx,Nb), pkA ); in (channel, message2); let Ny = decrypt (message2, skB) in if (Ny = Nb) then...

27 Correspondence Assertions We don’t really want to check secrecy. We want to check correspondence. We add events, and require implications between events.

28 Adding A “begin” Assertions A = in(talk_to, pkB); event begin(pk(skA),pkB); new Na; out (channel, encrypt( (Na,pk(skA)) pkB ); in (channel, message); let (Nx,N) = decrypt( message, skA ) in if Nx = Na then out channel encrypt( N, pkB )

29 Adding an “end” Assertions B =in(talk_to, pkA) in (channel, message1); let (Nx,=pkA) = decrypt (message,skB) in new Nb; out channel encrypt( (Nx,Nb), pkA ); in (channel, message2); let Ny = decrypt (message2, skB) in if (Ny = Nb) then event end(pkA,pk(skB))

30 Correctness We now check than “end (A,B)” can happen if and only if “begin (A,B)” happened first.

31 Correctness We now check than “end (A,B)” can happen if and only if “begin (A,B)” happened first. This can be done by replacing everything after “begin(A,B)” with 0, then checking that “end(A,B)” stays secret.

32 ProVerif Demo.

33 The SKEME Protocol A better Diffie-Hellman from IBM. See handout.

34 ProVerif Demo.

35 This Lecture Quick introduction to Prolog A protocol as Prolog rules From Prolog to ProVerif Checking secrecy BREAK Writing protocols in the pi-calculus From secrecy to authenticity Examples: Diffie-Hellmen, STS & SKEME

36 Assessment You will get your homework back next week. And a new homework that involves BAN and ProVerif. TRY THEM OUT THIS WEEK.

37 Assessment From the 29th onwards you will be giving 20 mins presentations. You can formalise and verify a protocol (hard). or present a state-of-the-art research paper on security protocol (suggestions will be put on the website next week). Aim: show that you know what your talking about when it comes to security protocols. Try to find a paper you enjoy.

Download ppt "Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI."

Similar presentations

The Diffie-Hellman Algorithm

The Diffie-Hellman Algorithm
Diffie-Hellman Diffie-Hellman is a public key distribution scheme First public-key type scheme, proposed in 1976.

Diffie-Hellman Diffie-Hellman is a public key distribution scheme First public-key type scheme, proposed in 1976.
ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.

ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.
Public Key Cryptography Nick Feamster CS 6262 Spring 2009.

Public Key Cryptography Nick Feamster CS 6262 Spring 2009.
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.

PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.
Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.

Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.
Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.

Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.
Secure Mobile IP Communication

Secure Mobile IP Communication
CNS2010lecture 6 :: key management1 ELEC5616 computer and network security matt barrie

CNS2010lecture 6 :: key management1 ELEC5616 computer and network security matt barrie
Cryptography and Network Security Chapter 9

Cryptography and Network Security Chapter 9
Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.

Pairwise Key Agreement in Broadcasting Networks Ik Rae Jeong.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Modelling and Analysing of Security Protocol: Lecture 14 Some Real Life Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 14 Some Real Life Protocols Tom Chothia CWI.
Modelling and Analysing of Security Protocol: Lecture 7 Automatically Checking Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 7 Automatically Checking Protocols Tom Chothia CWI.
Interlock Protocol - Akanksha Srivastava 2002A7PS589.

Interlock Protocol - Akanksha Srivastava 2002A7PS589.
Chen Advisor: Limin Jia.  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion.

Chen Advisor: Limin Jia.  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Digital Signatures. Anononymity and the Internet.

Digital Signatures. Anononymity and the Internet.
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.

Similar presentations

Ads by Google