Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Analysis of Security Protocols (I) John C. Mitchell Stanford University."— Presentation transcript:

1 Analysis of Security Protocols (I) John C. Mitchell Stanford University

2 My Second Marktoberdorf School l Fun playing volleyball, swimming, hiking l Review German vocabulary  Alt, Pils, Dunkel, Weizen, Dunkel Weizen  wegabschneider (trail-off-cutter) l Seen some ‘96 students at conferences l What else should I remember?

3 Computer Security l Protect information  Store user passwords in a form that prevents anyone from reading them  Transmit information like credit card numbers in a way that prevents others from intercepting them l Protect system integrity  Keep others from deleting your files  Keep downloaded code (such as Java applets) from modifying important data  Reject mail messages that contain viruses l Maintain privacy

4 Correctness vs Security l Program or System Correctness  Program satisfies specification  For reasonable input, get reasonable output l Program or System Security  Program resists attack  For unreasonable input, output not completely disastrous  Secure system might not be correct l Main technical differences  Active interference from environment  Refinement techniques may fail

5 Outline of these lectures l Introduction to security protocols  Issues in security, protocol examples and flaws l Overview of cryptography l Formal presentation of protocols and intruder l Automated finite-state analysis l A probabilistic, poly-time framework

6 Tractable program analysis l Goal: tools and techniques to solve useful problems l Caveat: need to be realistic program complexity complexity of property to verify May be possible Intractable

7 Security Protocols l Transmit information across network l Keep important information secret l Communicate with those you know and trust l Typical handshake protocols  3-7 steps  2-5 parties  client, server, key distribution service, …  lead to shared secret key for data transfer

8 Example: Secure Sockets Layer

9 Establishing Secure Communication l Parties use SSL protocol to  Choose encryption scheme, e.g.  40-bit international encryption with 2 keys  120-bit domestic encryption with 2 keys  choose among versions of specific scheme  Agree on shared secret key  Secret key more efficient than public key Avoid known-plaintext attack  Minimize reuse of hard-to-establish public key 40 120

10

11

12 Some security objectives l Secrecy  Info not revealed l Authentication  Know identity of individual or site l Data integrity  Msg not altered l Message Authentication  Know source of msg l Receipt  Know msg received l Access control l Revocation l Anonymity l Non-repudiation

13 Example Protocols l Challenge response  Mechanism for freshness l Needham-Schroeder Public Key  Use public-key crypto to generate shared secret l Kerberos  Simplified version w/o timestamps or nonces  Idea of sending encrypted “tickets” l SSL (briefly) l Diffie-Hellman key exchange

14 Timeliness in Communication l Assume Alice and Bob share a private encryption key K l Alice wants to know if Bob is on network l Possible protocol:  Alice  Bob: { “Hi Bob. Still there?” } K  Bob  Alice: { “I am here?” } K l What’s wrong with this?

15 Challenge-Response l Alice wants to know if Bob is still there  Send “fresh” number n, Bob returns f(n)  nonce = number used once  This avoids reply by malicious 3rd party l Protocol  Alice  Bob: { nonce } K  Bob  Alice: { nonce+1 } K l Does this work?

16 Needham-Schroeder Key Exchange { A, Nonce a } { Nonce a, Nonce b } { Nonce b } KaKa KbKb Result: A and B share two private numbers not known to any observer without K a -1, K b -1 AB KbKb

17 Anomaly in Needham-Schroeder AE B { A, N a } { N a, N b } { N b } KeKe KbKb KaKa KaKa KeKe Evil agent E tricks honest A into revealing private key N b from B. Evil E can then fool B. [Lowe]

18 TMN Cell Phone Protocol a N a b b K K s s S B A B, {N } A B {N } A {N }

19 TMN Replay Attack SBA B, {N a } Ks A A, {N b } Ks B, {N b } Na SDC D, {N c } Ks C C, {N b } Ks D, {N b } Nc REPLAY

20 Kerberos l Client requests key from KDC  C  KDC : C, TGS l KDC returns private key and ticket  KDC  C : {K s1 } Kc {C, K s1 } Ktgs l Client sends name and ticket to TGS  C  TGS : {C} Ks1, {C, K s1 } Ktgs, S l TCS returns private key and ticket  TGS  C : {K s2 } Kc {C, K s2 } Ks l Client contacts server  C  S : {C} Ks1, {C, K s1 } Ks

21 Secure Socket Layer (SSL) l Three goals  Negotiate specific encryption scheme  Possible “version attack”  Authenticate client and server  Appeal to “signature authority”  Use public key to transmit secret key Several underlying primitives: public key, signature scheme, hash function, private key

22 Handshake Protocol Description ClientHello C  S C, Ver C, Suite C, N C S C Ver S, Suite S, N S, S, K S + ServerHello S  C Ver S, Suite S, N S, sign CA { S, K S + } ClientVerify C  S sign CA {C, V C } + { Ver C, Secret C } + N S sign C { Hash( Master(N C, N S, Secret C ) + Pad 2 + N S Hash(Msgs + C + Master(N C, N S, Secret C ) + Pad 1 )) } (Change to negotiated cipher) N S ServerFinished S  C { Hash( Master(N C, N S, Secret C ) + Pad 2 + N S Hash( Msgs + S + Master(N C, N S, Secret C ) + Pad 1 )) } N S ClientFinished C  S { Hash( Master(N C, N S, Secret C ) + Pad 2 + N S Hash( Msgs + C + Master(N C, N S, Secret C ) + Pad 1 )) } SKSSKS S Master(N C, N S, Secret C )

23 Diffie-Hellman Key Exchange l Number-theoretic assumption  Given three numbers p, g, g a mod p, no efficient algorithm for computing a  Belief: adversary cannot find a until “too late” l Protocol (assumes public prime p, generator g)  Alice  Bob: g a mod p  Bob  Alice: g b mod p l Consequence  Alice and Bob know g ab mod p, no one else does  Works on telephone, not general network. Why?

Download ppt "Analysis of Security Protocols (I) John C. Mitchell Stanford University."

Similar presentations

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
CSE 486/586, Spring 2014 CSE 486/586 Distributed Systems Security --- 2 Steve Ko Computer Sciences and Engineering University at Buffalo.

CSE 486/586, Spring 2014 CSE 486/586 Distributed Systems Security Steve Ko Computer Sciences and Engineering University at Buffalo.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.

1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Authentication John C. Mitchell Stanford University CS 99j.

Authentication John C. Mitchell Stanford University CS 99j.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Analysis of Security Protocols (IV) John C. Mitchell Stanford University.

Analysis of Security Protocols (IV) John C. Mitchell Stanford University.

Similar presentations

Ads by Google