1
Modelling and Analysing of Security Protocol: Lecture 1
Introductions to Modelling Protocols
Tom Chothia, CWI
2
This Course
This course will primarily teach you:
– How to design your own secure communication protocols.
– How to analyse protocols and look for faults.
– How to use automatic tools to help you do this.
Secondary skills:
– Know which protocols to use for which jobs.
– Improve your system design skills.
3
Course Outline
This Lecture:
– How we model protocols
– Types of encryption used.
Lecture 2:
– Types of attacks on protocols
– Good protocol design
– Homework (1/6 of total score).
4
Course Outline
Lecture 3:
– Verifying protocols using BAN logic.
Lecture 4:
– Automatically verifying protocols.
– Homework (1/6 of total score)
Lecture 5:
– Anonymity protocols.
5
Course Outline
Lecture 6:
– Verifying probabilistic protocols in PRISM
Lecture 7:
– Fair exchange & Zero knowledge
Lecture 8 to Lecture 10:
– Short student presentations (2/3 of total score)
Lecture 11:
– Summary
6
Sources
Take notes if you want, but you will get handouts with all the important details, and the slides, handouts, papers, homework and links will be available at: http://homepages.cwi.nl/~chothia/Teaching
7
This Lecture
Part 1:
– Simple notation for protocols
– Modelling “rules”
– Needham-Schroeder and Kerberos protocols
Part 2:
– A high level overview of cryptography
– Symmetric key encryption, public key encryptions and signing
– Abstract equation for modelling encryption
8
A Simple Protocol
“A” sends message “M” to “B”, written as:
A → B : M
[Diagram: A sends M to B]
9
Rules
We write down protocols as a list of messages sent between “principals”, e.g.
1. A → B : “Hello”
2. B → A : “Offer”
3. A → B : “Accept”
10
A Simple Protocol
[Diagram: A sends M to B]
Message “M” can be read by the attacker
11
A Simple Protocol
[Diagram: A sends M to B]
Even now!
12
Rule
The attacker can read all the messages sent across the network.
13
Encryption
We can keep our data safe by using encryption:
A → B : { M }_Kab
[Diagram: A sends { M }_Kab to B]
14
Rule
We can use
– Encryption: {M}_K, E_K(M)
– Signing: Sign_K(M), S_K(M), MAC_K(M)
– Hashing: #(M), Hash(M)
We assume that these are perfect
– cannot be broken by brute force.
15
Encryption
[Diagram: A sends { M }_Kab to B]
“M” is now secret, but the protocol is not safe
16
Replay Attack
1) A → B : { Pay Eve €5 }_Kab
[Diagram: A and B; message 1: { Pay Elvis €5 }_Kab]
17
Replay Attack
1) A → B : { Pay Eve €5 }_Kab
2) E → B : { Pay Eve €5 }_Kab
[Diagram: A, B and attacker E; message 1: { Pay Elvis €5 }_Kab; message 2, from E: { Pay Elvis €5 }_Kab]
18
Rule
The attacker can repeat any message it sees.
19
A Nonce
1. A → B : A
2. B → A : { N_a }_Kab
3. A → B : { N_a + 1 }_Kab, { Pay Elvis €5 }_Kab
[Diagram: A and B exchanging messages 1 to 3]
20
Rule
We can generate nonces. A nonce is a new random value. If you generate a new nonce for a session, you know that all future messages that include that nonce are part of the same session.
21
A Nonce
[Diagram: two runs of the protocol between A and B]
1. A
2. { N_a }_Kab
3. { N_a + 1 }_Kab, { Pay Elvis €5 }_Kab
4. A
5. { N_a2 }_Kab
6. { N_a2 + 1 }_Kab, { Pay Bob €5 }_Kab
22
A Nonce
[Diagram: the same two runs between A and B, with attacker E on the network]
1. A
2. { N_a }_Kab
3. { N_a + 1 }_Kab, { Pay Elvis €5 }_Kab
4. A
5. { N_a2 }_Kab
6. { N_a2 + 1 }_Kab, { Pay Bob €5 }_Kab
6’. { N_a2 + 1 }_Kab, { Pay Elvis €5 }_Kab
23
Rule
The attacker can run multiple rounds of the protocol.
The attacker can
– break up messages,
– invent new values, keys, nonces, ...
– combine any of these into new messages.
24
A Better Protocol
1. A → B : A, N_a
2. B → A : { N_a }_Kab
3. A → B : { N_a, Pay Elvis €5 }_Kab
[Diagram: A and B; 1. A; 2. { N_a }_Kab; 3. { N_a, Pay Elvis €5 }_Kab]
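The two nonce protocols above, modelled symbolically so the difference is visible in running code. This is an added example, not part of the original slides: the names `enc`, `dec`, `B`, `a_reply` and `two_runs_with_splice` are illustrative, encryption is treated as perfect, and B is assumed to pick the nonce, as in the slide diagrams.

```python
import secrets

KAB = "Kab"  # symbolic key shared by A and B; the attacker code never uses it

def enc(key, *fields):
    """Perfect encryption as an opaque term, per the slides' modelling rule."""
    return ("enc", key, fields)

def dec(key, term):
    tag, k, fields = term
    if tag != "enc" or k != key:
        raise ValueError("cannot decrypt")
    return fields

class B:
    def __init__(self, bound):
        self.bound, self.nonce, self.executed = bound, None, []

    def challenge(self):                      # message 2: { N_a }_Kab
        self.nonce = secrets.randbits(64)
        return enc(KAB, self.nonce)

    def receive(self, parts):                 # message 3
        if self.bound:                        # { N_a, order }_Kab
            n, order = dec(KAB, parts[0])
            fresh = n == self.nonce
        else:                                 # { N_a + 1 }_Kab, { order }_Kab
            (n,), (order,) = dec(KAB, parts[0]), dec(KAB, parts[1])
            fresh = n == self.nonce + 1
        self.nonce = None                     # one use per challenge
        if fresh:
            self.executed.append(order)
        return fresh

def a_reply(bound, challenge, order):
    (n,) = dec(KAB, challenge)
    if bound:
        return (enc(KAB, n, order),)
    return (enc(KAB, n + 1), enc(KAB, order))

def two_runs_with_splice(bound):
    """Run 1 is honest; in run 2 E swaps in the last ciphertext seen in run 1."""
    b = B(bound)
    first = a_reply(bound, b.challenge(), "Pay Elvis €5")
    b.receive(first)                          # E records `first` off the wire
    second = a_reply(bound, b.challenge(), "Pay Bob €5")
    tampered = second[:-1] + first[-1:]       # E never decrypts anything
    accepted = b.receive(tampered)
    return accepted, b.executed
```

With `bound=False` B accepts the spliced message and pays Elvis twice; with `bound=True` the only ciphertext E can substitute carries the old nonce, so B rejects it.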
25
Key Establishment Protocol
This was easy because A and B shared a key. Often the principals do not share a key, in which case we need a “Key Establishment Protocol”. This usually involves a “Trusted Third Party” who has a shared key with each party.
26
The Needham-Schroeder Public Key Protocol
A famous authentication protocol
1. A → B : E_B(N_a, A)
2. B → A : E_A(N_a, N_b)
3. A → B : E_B(N_b)
N_a and N_b can then be used to generate a symmetric key
27
An Attack Against the Needham-Schroeder Protocol
The attacker acts as a man-in-the-middle:
1. A → C : E_C(N_a, A)
1’. C(A) → B : E_B(N_a, A)
2’. B → C(A) : E_A(N_a, N_b)
2. C → A : E_A(N_a, N_b)
3. A → C : E_C(N_b)
3’. C(A) → B : E_B(N_b)
28
The Corrected Version
A very simple fix:
1. A → B : E_B(N_a, A)
2. B → A : E_A(N_a, N_b)
3. A → B : E_B(N_b)
29
The Corrected Version
A very simple fix:
1. A → B : E_B(N_a, A)
2. B → A : E_A(N_a, N_b, B)
3. A → B : E_B(N_b)
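Why adding B's name to message 2 is enough, shown as a symbolic trace of the man-in-the-middle run with and without the fix. This is an added example, not part of the original slides: `penc`, `pdec` and `lowe_run` are illustrative names, and public-key encryption is treated as perfect.

```python
import secrets

def penc(owner, *fields):
    """Perfect public-key encryption E_owner(...): only `owner` can open it."""
    return ("penc", owner, fields)

def pdec(me, term):
    tag, owner, fields = term
    if tag != "penc" or owner != me:
        raise ValueError(f"{me} cannot decrypt")
    return fields

def lowe_run(fixed):
    """A starts a run with C; C relays it to B while posing as A."""
    na, nb = secrets.randbits(64), secrets.randbits(64)
    # 1.  A -> C    : E_C(N_a, A)      A honestly wants to talk to C
    m1 = penc("C", na, "A")
    # 1'. C(A) -> B : E_B(N_a, A)      C decrypts and re-encrypts for B
    m1p = penc("B", *pdec("C", m1))
    # 2'. B -> C(A) : E_A(N_a, N_b[, B])
    n, claimed = pdec("B", m1p)
    m2 = penc(claimed, n, nb, "B") if fixed else penc(claimed, n, nb)
    # 2.  C -> A    : forwarded unchanged, C cannot open E_A(...)
    fields = pdec("A", m2)
    if fields[0] != na:
        return {"A_aborts": True, "C_knows_Nb": False, "B_accepts_A": False}
    if fixed and fields[2] != "C":     # A expected C as responder, got B
        return {"A_aborts": True, "C_knows_Nb": False, "B_accepts_A": False}
    # 3.  A -> C    : E_C(N_b)         A answers the party it thinks it runs with
    m3 = penc("C", fields[1])
    (leaked,) = pdec("C", m3)
    # 3'. C(A) -> B : E_B(N_b)
    (got,) = pdec("B", penc("B", leaked))
    return {"A_aborts": False, "C_knows_Nb": leaked == nb,
            "B_accepts_A": got == nb and claimed == "A"}
```

In the original protocol the run ends with C holding N_b and B believing it has authenticated A; with the responder's name inside message 2, A stops at step 2 and N_b is never released.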
30
Rule
The attacker can act as a participant of the protocol... (sometimes)
31
Kerberos
A protocol for key establishment and authentication used in Windows, MacOS, Apache, OpenSSH, ...
1. A → S : A, B, N_A
2. S → A : {K_AB, B, L, N_A, ..}_{K_AS}, {K_AB, A, L, ..}_{K_BS}
3. A → B : {A, T_A}_{K_AB}, {K_AB, A, L, ..}_{K_BS}
4. B → A : {T_A + 1}_{K_AB}
32
Kerberos
A and S share the key K_AS, and B and S share K_BS.
Both A and B trust S to generate a new key for them: K_AB.
N is a nonce, T is a timestamp and L is an expiration time.
1. A → S : A, B, N_A
2. S → A : {K_AB, B, L, N_A, ..}_{K_AS}, {K_AB, A, L, ..}_{K_BS}
3. A → B : {A, T_A}_{K_AB}, {K_AB, A, L, ..}_{K_BS}
4. B → A : {T_A + 1}_{K_AB}
33
Sources
For lectures 1 & 2 the primary reference material is the handouts. This information is covered in more depth in
– Paper: “Prudent Engineering Practices for Cryptographic Protocols” (by Abadi & Needham)
– Book: “Protocols for Authentication and Key Establishment” (by Boyd & Mathuria); there are copies in the library.
34
This Lecture
Part 1:
– Simple notation for protocols
– Modelling “rules”
– Needham-Schroeder and Kerberos protocols
Part 2:
– A high level overview of cryptography
– Symmetric key encryption, public key encryptions and signing
– Abstract equation for modelling encryption