Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCE 813 Internet Security Cryptographic Protocol Analysis.

Published byFrederick Mathews Modified over 9 years ago

Similar presentations

Presentation on theme: "CSCE 813 Internet Security Cryptographic Protocol Analysis."— Presentation transcript:

1 CSCE 813 Internet Security Cryptographic Protocol Analysis

2 Internet Security - Farkas2 Reading Assignment Reading: P.Y.A. Ryan, S.A. Schneider, M.H. Goldsmith, G. Lowe and A.W. Roscoe, The Modelling and Analysis of Security Protocols: the CSP Approach, Section 0. Introduction, pages: 1 – 37, and section 0.8 http://www.computing.surrey.ac.uk/personal/st/S.Sch neider/books/MASP.pdf http://www.computing.surrey.ac.uk/personal/st/S.Sch neider/books/MASP.pdf

3 Internet Security - Farkas3 Protocol Sequence of interactions between entities to achieve a certain end Types of protocols: – Diplomatic – Communication – Graduation – Security – Etc.

4 Internet Security - Farkas4 Security Protocols Cryptographic protocols Services: secrecy, integrity, authentication, key exchange, non-repudiation, etc. Components: communicating parties (nodes), trusted third party, encryption algorithms, hash functions, timestamps, nonce, insecure communication channel, etc.

5 Security Analysis Protocol analysis Cryptanalysis Internet Security - Farkas5 Performed independently Disjoint communities

6 Internet Security - Farkas6 Cryptographic Protocols Attackers’ capabilities Security? – Hostile environment Vulnerabilities – Weakness of cryptography – Incorrect specifications What is Protocol Analysis

7 Internet Security - Farkas7 Emerging Properties of Protocols Greater interoperation Negotiation of policy Greater complexity Group-oriented protocols Emerging security threats

8 Internet Security - Farkas8 Attackers’ Capabilities Read traffic Modify traffic Delete traffic Perform cryptographic operations Control over network principals

9 Internet Security - Farkas9 Attacks Known attacks – Can be picked up by careful inspection Nonintuitive attacks – Not easily apparent – May not depend on flaws or weaknesses of cryptographic algs. – Use variety of methods, e.g., statistical analysis, subtle properties of crypto algs., etc.

10 Type of Known Attacks Man-in-the-middle (see attack agains Diffie-Hellman key exchange) Reflection: bounces back a message at the agent to trick the originator to reveal correct response (symmetry of situation) Oracle: trick an honest agent to reveal a secret (exploits steps of the protocol) Replay: replay part of previous protocol steps Interleave: attacker contrives for 2 or more runs of the protocol to overlap (see following example) Internet Security - Farkas10

11 Internet Security - Farkas11 Example: Needham-Schroeder Famous simple example (page 30-31) – Protocol published and known for 10 years – Gavin Lowe discovered unintended property while preparing formal analysis using FDR system Subsequently rediscovered by every analysis method From: J. Mitchell

12 Internet Security - Farkas12 Needham-Schroeder Crypto Nonces – Fresh, Random numbers Public-key cryptography – Every agent A has Public encryption key Ka Private decryption key Ka -1 – Main properties Everyone can encrypt message to A Only A can decrypt these messages From: J. Mitchell

13 Internet Security - Farkas13 Needham-Schroeder Key Exchange { A, NonceA } { NonceA, NonceB } { NonceB} Ka Kb On execution of the protocol, A and B are guaranteed mutual authentication and secrecy. AB Kb From: J. Mitchell

14 Internet Security - Farkas14 Needham Schroeder properties Responder correctly authenticated – When initiator A completes the protocol apparently with Honest responder B, it must be that B thinks he ran the protocol with A Initiator correctly authenticated – When responder B completes the protocol apparently with Honest initiator A, it must be that A thinks she ran the protocol with B Initiator Nonce secrecy – When honest initiator completes the protocol with honest peer, intruder does not know initiators nonce. From: J. Mitchell

15 Internet Security - Farkas15 Anomaly in Needham-Schroeder AE B { A, NA } { NA, NB } { NB } Ke Kb Ka Ke Evil agent E tricks honest A into revealing private key NB from B Evil E can then fool B [Lowe] From: J. Mitchell

16 Internet Security - Farkas16 Requirements and Properties Authentication – Authentication, Secrecy Trading – Fairness Special applications (e.g., voting) – Anonymity and Accountability Forward secrecy

17 Forward Secrecy Compromised key: permits the disclosure of the data encrypted by the compromised key. No additional keys can be generated from the compromised key. Perfect Forward Secrecy: compromise of a single key will permit access to only data protected by a single key Internet Security - Farkas17

18 Internet Security - Farkas18 Formal Methods Combination of a mathematical or logical model of a system and its requirements and Effective procedures for determining whether a proof that a system satisfies its requirements is correct. Can be automated!

19 Internet Security - Farkas19 Security Analysis Understand system requirements Model – System – Attacker Evaluate security properties – Under normal operation (no attacker) – In the presence of attacker Security results: under given assumptions about system and about the capabilities of the attackers.

20 Internet Security - Farkas20 Explicit intruder model Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Find error From: J. Mitchell

21 Internet Security - Farkas21 Protocol Analysis Spectrum LowHigh Low Sophistication of attacks Protocol complexity Mur  FDR  NRL  Athena  Hand proofs  Paulson  Bolignano  BAN logic  Spi-calculus  Poly-time calculus   Model checking Symbolic methods (MSR)  Protocol logic   From: J. Mitchell

22 Internet Security - Farkas22 First Analysis Method Dolev-Yao Set of polynomial-time algorithms for deciding security of a restricted class of protocols First to develop formal model of environment in which – Multiple executions of the protocol can be running concurrently – Cryptographic algorithms considered as “black boxes” – Includes intruder’s model Tools based on Dolev-Yao – NRL protocol analyzer – Longley-Rigby tool

23 Intruder’s Behaviour Kill a message Sniff a message Intercept the message Re-route a message Delay the delivery of the message Reorder the messages Replay the messages Fake a message Use encryption/decryption algorithms Internet Security - Farkas23

24 Internet Security - Farkas24 Model checking Two components – Finite state system – Specification of properties Exhaustive search the state space to determine security – Check whether all possible behaviors are permitted

25 Internet Security - Farkas25 Theorem Prover Theorems: properties of protocols Prove or check proofs automatically Could find flaws not detected by manual analysis Do not give counterexamples like the model checkers

26 Internet Security - Farkas26 Logic Burrows, Abadi, and Needham (BAN) logic Logic of belief Set of modal operators: describing the relationship of principal to data Set of possible beliefs Inference rules Seems to be promising but weaker than state exploration tools and theorem proving (higher level abstraction)

27 Limitations of Formal Analysis Mathematical models are approximations to reality Hard to predict the intruder’s capabilities Complexity Internet Security - Farkas27

28 Evaluating a New Security Protocol Establish – how the protocol works – what security properties it is intended to provide – which threats have been considered Find obvious flaws Use formal methods to evaluate the protocol Internet Security - Farkas28

29 NEXT CLASS NETWORK ACCESS LAYER SECURITY Internet Security - Farkas29

Download ppt "CSCE 813 Internet Security Cryptographic Protocol Analysis."

Similar presentations

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
5 June 2002 - Lecture 1 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,

5 June Lecture 1 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Authentication John C. Mitchell Stanford University CS 99j.

Authentication John C. Mitchell Stanford University CS 99j.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Protocol Verification by the Inductive Method John Mitchell Stanford TECS Week2005.

Protocol Verification by the Inductive Method John Mitchell Stanford TECS Week2005.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

Similar presentations

Ads by Google