Download presentation
Presentation is loading. Please wait.
1
15-349 Introduction to Computer and Network Security Iliano Cervesato 14 September 2008 – Attacking Cryptographic Protocols
2
2 Where we are Course intro Cryptography Intro to crypto Modern crypto Symmetric encryption Asymmetric encryption Beyond encryption Cryptographic protocols Attacking protocols Program/OS security & trust Networks security Beyond technology
3
3 Outline What an attacker can do The Dolev-Yao model The computational model Attacks Man-in-the-middle attacks Replay attacks Type-flaw attacks Other common attacks Getting protocols right Design principles Formal verification “Cryptography is not broken, it is circumvented” [Shamir]
4
4 Attacks Almost all previous protocols have flaws! Intruder can break secrecy of the channel Intruder can break authentication
5
5 Lowe’s Attack on NS-PK (Exchanges with S have been omitted) AIB {A,n A } k I {n A,n B } k A {A,n A } k B Public data k A, k B, k I {n B } k I {n B } k B Attack discovered 17 years after protocol was published A B: {A,n A } k B B A: {n A,n B } k A A B: {n B } k B NS-PK [3-5]
6
6 Man-In-The-Middle Attack A wants to talk to B I has replaced k B with k I in S’s database I acts as a key translator In the end A thinks to be talking to B, but she is talking to I B thinks to be talking to A, but he is talking to I A really wants to talk to I I cheats and acts as key translator In the end A knows she talking to I B thinks to be talking to A, but he is talking to I
7
7 What happened? Protocol assumptions were not specified Intruder is (also) a principal What are the intruder’s capabilities anyway? Initial knowledge of principals Meaning of notation Who can access what? How? Protocol goals were not specified Failure of mutual authentication … … but A has authenticated I Many people do not agree that this is an attack!
8
8 Protocol Specifications Describe what the protocol does For doing implementation For doing verification 3 aspects Assumptions Initial knowledge Maintained state Environment Intruder Messages exchanged Goals Assumptions Message exchange Goals icationication S p e c i f
9
9 The Dolev-Yao Intruder Idealized attacker model Attacker has full control of the network Intercept / Emit messages Decrypt / Encrypt with known key Split / Form pairs Look up public information Generate fresh data Not fully realistic but convenient
10
10 The Computational Attacker Messages are sequences of bits Account for cryptographic primitives Statistical analysis … … in polynomial time Attacker modeled as a probabilistic polynomial-time Turing machine Shown to be equivalent to Dolev-Yao attacker in many cases
11
11 Lowe’s Fix to NS-PK Goals Mutual authentication Freshness of nonces Secrecy of nonces AB {A,n A } k B {n A,n B,B} k A {n B } k B Public data k A, k B Assumptions Dolev-Yao intruder I is a principal Principals know public data Public data is correct Private keys uncompromised
12
12 Millen’s Attack on NSL A B: {A,n A } k B B A: {n A,n B,B} k A A B: {n B } k B A IB “Unlikely type violation” Confusion 2: pair/nonce {n B,B,n A,A} k I {I,n B,B} k A {A,I} k B Confusion 1: name/nonce {n B } k B B is fooled! Needham-Schroeder-Lowe
13
13 Type-Flaw Attacks Functionalities seen as “types” Names Nonces Keys, … Violation Recipient accepts message as valid … … but imposes different interpretation on bit sequence than sender Type flaw/confusion attack Intruder manipulates message Principal led to misuse data
14
14 The Dolev-Yao Model of Security An abstraction for reasoning about protocols Not to be confused with the Dolev-Yao intruder … although related Data are atomic constants No bits Subject to symbolic manipulations Tension between type violations and Dolev-Yao model kAkA 01001011010…
15
15 The Dolev-Yao Model of Security Symbolic data Black-box cryptography Partially abstract data access Found in most protocol analysis tools Tractability No guessing of keys kAkA No bits 01001011010… Knowledge soup AkAkA kBkB S
16
16 Perfect Cryptography k -1 is needed to decrypt {m} k k -1 is just k for shared key ciphers No collisions {m 1 } k A = {m 2 } k B iff m 1 = m 2 and k A = k B {m} k = n never {m} k = (m 1 m 2 ) never Relaxed to handle type violations
17
17 Some Other Common Attacks Freshness I forces stale data in challenge-response Parallel session I combines messages from different sessions Binding I subverts the public database Encapsulation I uses another principal for encryption or decryption Cipher-dependent I exploits properties of cryptographic algorithms used … and many more
18
18 Freshness Attacks I records exchange Replays messages in subsequent run k AB is a not fresh But B does not know Next messages over k AB are known to I A S: A,B,n A S A: {n A,B,k AB, {k,n A } k BS } k AS A B: {k AB,A} k BS B A: {n B } k AB A B: {n B -1} k AB Needham-Schroeder Shared-Key IB {k AB,A} k BS {n’ B } k AB {n’ B -1} k AB I discovers k AB (normal run) I
19
19 Parallel Session Attacks I combines messages from 2 sessions A B: n’ A,T B A: n’ B,{n’ A } k AB A B: {n’ B } k AB where T = {A,k AB,t B } k BS IB n’ A,{A,k AB,t B } k BA n’ B,{n’ A } k A B n’ B,{A,k AB,t B } k BA n’’ B,{n’ B } k AB {n’ B } k AB Neuman-Stubblebine – phase II B thinks he has authenticated A A has not even participated
20
20 Binding Attacks I overwrites replies from CA I may also overwrite public tables A S: A,B,n A S A: S,[S,A,n A,k B ] k’ S AIS A,B,n A S,[S,A,n A,k I ] k’ S A,I,n A I convinces A that B’s public key is k I
21
21 Encapsulation Attacks I uses other principals as cryptographic oracles A B: {B,m} k AS B S: {B,m} k AS,A S B: {m,A} k BS Davis-Swick A IB {B,(A,m)} k IS {(A,m),I} k BS {B,(A,m)} k IS,I {A,(m,I)} k BS S {A,(m,I)} k BS,B {(m,I),B} k AS A believes message (m,I) comes from B m may include key material
22
22 Cipher-Based Attacks I exploits particular cipher in use I exploits implementation of cipher A S: A,B,n A S A: {n A,B,k, {k AB,n A } k BS } k AS A B: {k AB,A} k BS B A: {n B } k AB A B: {n B -1} k AB Needham-Schroeder Shared-Key AS A,B,n A {n A, B, k AB, {k AB, A} k BS } k AS {n A, B} k AS … … Prefix of CBC is valid Here also Parallel session Type flaw
23
23 Black-Box Cryptography Another aspect of Dolev-Yao model No first-class notion of ciphertext {m} k is a term m accessible in {m} k only if k is known No guessing of bits Bridging the gap between cryptographic algorithms and Dolev-Yao model Several proposal, no definite solution Not covered in this course Most attacks are independent from details of cryptography
24
24 Further Issues Mixing protocols Protocols may appear safe in isolation … but have nasty interactions when mixed Several protocols coexist in a system Composing protocols In parallel In sequence Modularity would help Little composability
25
25 Getting Protocols Right Testing Not a solution! Assumes statistical distribution of errors Security is about worst-case scenario Formal verification Lots of progress in past 10 years Dolev-Yao verification of industrial protocols Computational verification of simple protocols Attack-free construction Rules-of-thumb Formal criteria A few automated tools
26
26 Design Principles [Abadi,Needham] Aimed at Avoiding many mistakes Simplifying protocols Simplifying formal analysis Tested on many published examples Works beyond authentication Attempted Formalizations Automations
27
27 “Prudent Engineering Practice” Every message should say what it means Include identity of principal if important for meaning See Needham-Schroeder Public Key Be clear as to why encryption is being done Encryption is not synonymous with security Double encryption is no cause for optimism Be clear about trust relations protocol depends on properties assumed about nonces Good for freshness, not always association A principal may not knows the contents of encrypted material he signed … and a few more
28
28 In Summary [Abadi] Be explicit Include sufficient proof of freshness Include sufficient names Do not count on context Use evident classifications Do not send secret data on public channels Distinguish secret input from public inputs Secrets should be strong enough for data they protect Do not expect attackers to obey rules Cryptography does not imply security
29
29 Fail-Stop Protocols [Syverson] Tempering any message causes abort of the protocol No further message sent Authentication is automatic Active attacker cannot force secret to be released Extensible Fail-Stop Protocols If appending message always yield fail-stop Immune from replay Closed w.r.t. sequential and parallel composition
30
30 Constructing a Fail-Stop Protocol Each message contains header with Identity of sender and receiver Protocol identifier Sequence number Freshness identifier Each message encrypted with shared key between sender and recipient Honest principals Follow protocol Ignore unexpected messages Halts if expected message does not arrive in time
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.