Some Puzzles Internet Security Overview Need For Formal Methods
Cryptographic Protocols and Network Security
G. Sivakumar
Computer Science and Engineering, IIT Bombay
1 Some Puzzles
2 Internet Security Overview
3 Need For Formal Methods
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Exchanging Secrets
Goal
A and B to agree on a secret number. But, C can listen to all their conversation.
Solution?
A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.
Mutual Authentication
Goal
A and B to verify that both know the same secret number. No third party (intruder or umpire!)
Solution?
A tells B: I’ll tell you first 2 digits, you tell me the last two...
Zero-Knowledge Proofs
Goal
A to prove to B that she knows how to solve the cube. Without actually revealing the solution!
Solution?
A tells B: Close your eyes, let me solve it...
Paper, Scissors, Rock Game
Goal
How to play over Internet? Using email, say?
Solution?
You mail me your choice. I’ll reply with mine.
Coin Toss
Simpler Version of problem?
Sharing a Dosa
Goal
All should get an equal share of the dosa. No envy factor. No trusted umpire.
Solution?
The 2-person case is easy: you cut, I choose!
Sharing a Secret
Safety in numbers. Do not trust any one (or few) person(s).
Real World Examples
Pirates sharing a treasure map.
Who can authorize launching a missile?
From Computer Domain
Secure Storage (Archival)
Distributed storage of Logs
Online Voting Protocols
Are we ready for elections via Internet?
George Bush (Nov 2000, dimpled chads)
Pervez Musharraf (April 2002)
Maharashtra (Oct 13, 2004)
E-Voting Protocols Requirements
No loss of votes already cast (reliability)
No forging of votes (authentication)
No modification of votes cast (integrity)
No multiple voting
No vote secrecy violation (privacy)
No vulnerability to vote coercion
No vulnerability to vote selling or trading protocols (voter is an adversary)
No loss of ability to cast and accept more votes (availability, no denial of service)
Other Desirable Properties
Must not only be correct and secure, but also be seen to be so by skeptical (but educated and honest) outsiders.
Auditability: Failure or procedural error can be detected and corrected, especially the loss of votes.
Verifiability: Should be able to prove
My vote was counted
All booths were counted
The number of votes in each booth is the same as the number of people who voted
No one I know who is ineligible to vote did so
No one voted twice
...
without violating anonymity, privacy etc.
Zero Knowledge Proofs
Security Requirements
Informal statements (formal is much harder)
Confidentiality: Protection from disclosure to unauthorized persons.
Integrity: Assurance that information has not been modified without authorization.
Authentication: Assurance of identity of originator of information.
Non-Repudiation: Originator cannot deny sending the message.
Availability: Not able to use system or communicate when desired.
Anonymity/Pseudonymity: For applications like voting, instructor evaluation.
Traffic Analysis: Should not even know who is communicating with whom. Why?
Emerging Applications: Online Voting, Auctions (more later)
And all this with postcards (IP datagrams)!
Internet’s Growth and Charter
Information AnyTime, AnyWhere, AnyForm, AnyDevice, ...
WebTone like DialTone
Internet’s Dream
Why should a fridge be on Internet?
Will security considerations make this a nightmare?
What are Cyber crimes?
Against People
Cyber Stalking and Harassment
(Child) Pornography
Against Property
Cracking
Virus and Spam
Software/Entertainment Piracy
Cyber Terrorism!
Security Concerns
Match the following!
Problems                      Attackers
Highly contagious viruses     Unintended blunders
Defacing web pages            Disgruntled employees or customers
Credit card number theft      Organized crime
On-line scams                 Foreign espionage agents
Intellectual property theft   Hackers driven by technical challenge
Wiping out data               Petty criminals
Denial of service             Organized terror groups
Spam E-mails                  Information warfare
Reading private files         ...
Surveillance                  ...
Crackers vs. Hackers
Note how many resources are available to attackers.
Cyber Terrorism?
Some examples from http://cybercrimes.net/
1989: Legion of Doom group took over the BellSouth telephone system, tapped phone lines, re-routed calls, ...
1996: A white supremacist movement took out a Massachusetts internet service provider.
1997: A cracker disabled the computer system of an airport control tower at the Worcester, Mass. Airport.
1997: A hacker in Sweden jammed the 911 emergency telephone system all throughout west-central Florida.
1998: NASA, Navy, and Defence Department computers were attacked.
2000: In Maroochy Shire, Australia, a disgruntled consultant hacked into a waste management control system and released millions of gallons of raw sewage on the town.
2001: Two post-graduate students cracked a bank system used by banks and credit card companies to secure the personal identification numbers of their customers' accounts. [38]
Emergency Response: http://www.cert-in.org.in/
Internet Attacks Timeline
From training material at http://www.cert-in.org.in/
Internet Attack Trends
From training material at http://www.cert-in.org.in/
Indian IT Act 2000
Basic Legal Framework
Electronic documents, signatures as evidence
Cyber Crimes & Punishments
Secn 43: Damage to Computers/Network
Secn 65: Tampering source code
Secn 66: “Hacking” (cracking)
Secn 67: Obscenity (bazee.com!)
Secn 69: Interception
Several Initiatives (PKI, CERT-IN, Cyber cells, ...)
Security Mechanisms
System Security: “Nothing bad happens to my computers and equipment”
virus, trojan-horse, logic/time-bombs, ...
Network Security:
Authentication Mechanisms: “you are who you say you are”
Access Control: Firewalls, Proxies “who can do what”
Data Security: “for your eyes only”
Encryption, Digests, Signatures, ...
Cryptography and Data Security
sine qua non [without this nothing :-]
Historically who used first? (L & M)
Code Language in joint families!
One way Functions
Mathematical Equivalents
Factoring large numbers (product of 2 large primes)
Discrete Logarithms
One-way Functions
Computing f(x) = y is easy.
E.g. $y = 4^x \bmod 13$ (If x is 3, y is —?)
n     $4^n \bmod 13$   $10^n \bmod 13$
1     4                10
2     3                9
3     12               12
4     9                3
5     10               4
6     1                1
7     4                10
...   ...              ...
Note: need not work with numbers bigger than 13 at all!
But given y = 11, finding suitable x is not easy!
Can do by brute-force (try all possibilities!)
No much better method is known yet!
Network Security Mechanism Layers
Cryptographic protocols underlie all security mechanisms. The real challenge is to design good ones for key establishment, mutual authentication, etc.
Motivation for Session keys
Combine Symmetric (fast) and Asymmetric (very slow) Methods using session (ephemeral) keys for the following additional reasons.
Limit available cipher text (under a fixed key) for cryptanalytic attack;
Limit exposure with respect to both time period and quantity of data, in the event of (session) key compromise;
Avoid long-term storage of a large number of distinct secret keys (in the case where one terminal communicates with a large number of others), by creating keys only when actually required;
Create independence across communications sessions or applications. No replay attacks.
How to establish session keys over insecure medium where adversary is listening to everything?
Can be done even without any public key! Randomization to rescue (like in CSMA/CD of Ethernet).
Diffie-Hellman Key Establishment Protocol
Man-in-the-middle attack
Authentication was missing!
Can be solved if Kasparov and Anand know each other’s public key (Needham-Schroeder).
Yes, but different attack possible.
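The key establishment and the missing-authentication problem from the slides above, together with the brute-force inversion from the one-way function slide, as an added example that is not code from the talk. The modulus P, base G, the party names and the HMAC check (a pre-shared-key stand-in for the public-key authentication the slide mentions) are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed toy parameters (not from the slides): a Mersenne prime and base 3.
P = 2**127 - 1
G = 3

def brute_force_dlog(base, y, modulus):
    """Invert y = base**x mod modulus by trying every x; None if no x fits."""
    value = 1
    for x in range(1, modulus):
        value = (value * base) % modulus
        if value == y:
            return x
    return None

def keypair():
    """Random private exponent and the public value G**private mod P."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)

def session_key(private, peer_public):
    """Both ends agree because (G**a)**b == (G**b)**a mod P."""
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def tag(long_term_key, sender, public):
    """Bind a public value to its sender with a pre-shared long-term key."""
    msg = sender.encode() + b"|" + public.to_bytes(16, "big")
    return hmac.new(long_term_key, msg, hashlib.sha256).digest()

def exchange(tamper=False, authenticate=False):
    """One run; returns (alice_key, bob_key) or None if a tag check fails."""
    long_term = secrets.token_bytes(32)      # known only to Alice and Bob
    a, pub_a = keypair()
    b, pub_b = keypair()
    tag_a, tag_b = tag(long_term, "alice", pub_a), tag(long_term, "bob", pub_b)
    seen_by_bob, seen_by_alice = pub_a, pub_b
    if tamper:                               # value swapped on the wire
        _, pub_m = keypair()
        seen_by_bob = seen_by_alice = pub_m
    if authenticate:
        ok_bob = hmac.compare_digest(tag(long_term, "alice", seen_by_bob), tag_a)
        ok_alice = hmac.compare_digest(tag(long_term, "bob", seen_by_alice), tag_b)
        if not (ok_bob and ok_alice):
            return None                      # substitution detected
    return session_key(a, seen_by_alice), session_key(b, seen_by_bob)

if __name__ == "__main__":
    print("slide table, 4^x mod 13 = 12 ->", brute_force_dlog(4, 12, 13))
    print("honest keys match:", len(set(exchange())) == 1)
    print("tampered keys match:", len(set(exchange(tamper=True))) == 1)
    print("tampered, authenticated:", exchange(tamper=True, authenticate=True))
```

The brute-force loop is instant for modulus 13 and hopeless for P, which is all a passive listener has to work with; the unauthenticated run with a swapped value shows up only as two ends holding different keys.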
Needham-Schroeder Protocol
Attack by Lowe (1995)
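The interleaving of two sessions that Lowe reported against the public-key Needham-Schroeder protocol, replayed symbolically next to his repair (adding the responder's name to message 2). This is an added example, not taken from the slides: the tuple-based encryption model and the names A, B, I, Na, Nb are assumptions, and it replays one fixed trace rather than searching the state space.

```python
# Symbolic model (constructed): a ciphertext is a tagged tuple that only the
# named key owner can open. Nonces and principal names are plain strings.

def enc(owner, *fields):
    """{fields}pk(owner) in the A -> B: {..}K notation."""
    return ("enc", owner, fields)

def dec(me, msg):
    """Open a ciphertext; fails unless it was encrypted for `me`."""
    kind, owner, fields = msg
    if kind != "enc" or owner != me:
        raise PermissionError(f"{me} cannot open a message for {owner}")
    return fields

def lowe_trace(fixed):
    """Replay the two interleaved sessions and report how they end.

    fixed=False: message 2 is {Na, Nb}pk(A)      (original protocol)
    fixed=True : message 2 is {Na, Nb, B}pk(A)   (Lowe's repair)
    """
    na, nb = "Na", "Nb"
    # Session 1: A willingly starts a run with I, a dishonest but valid peer.
    m1 = enc("I", na, "A")
    # Session 2: I opens m1 and re-encrypts the same fields for B.
    m1_relay = enc("B", *dec("I", m1))
    # B sees A's name and answers under A's public key.
    got_na, claimed = dec("B", m1_relay)
    m2 = enc("A", got_na, nb, "B") if fixed else enc("A", got_na, nb)
    # I cannot open m2, so it is forwarded unchanged to A inside session 1.
    fields = dec("A", m2)
    if fields[0] != na:
        return "A aborts: wrong nonce"
    if fixed and fields[2] != "I":
        return "A aborts: responder name mismatch"
    # A returns the second nonce to the peer she believes she is running with.
    m3 = enc("I", fields[1])
    # I learns Nb from m3 and uses it to finish session 2 with B.
    m3_relay = enc("B", *dec("I", m3))
    (returned_nb,) = dec("B", m3_relay)
    if returned_nb == nb:
        return f"B accepts peer as {claimed}"
    return "B aborts"

if __name__ == "__main__":
    print("original:", lowe_trace(fixed=False))
    print("repaired:", lowe_trace(fixed=True))
```

No encryption is broken in either run; the original fails only because message 2 does not say who produced it.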
Why Are Security Protocols Often Wrong?
They are trivial programs built from simple primitives, BUT, they are complicated by
concurrency
a hostile environment
a bad user controls the network
Concern: active attacks (masquerading, replay, man-in-middle, etc.)
vague specifications
we have to guess what is wanted
Ill-defined concepts
Protocol flaws rather than cryptosystem weaknesses
Formal Methods needed!
Need for Formal Methods
Countermeasure: formal design and analysis
Formal Modelling and Specification of Protocol
Abstract encryption model, formal specification
Specification of Required Properties
Verification of Properties
Inductive proofs, state-space search, authentication logics
Generation of Counter-Example
Analysis can find flaws, suggest improvements, prove conditional correctness
Formal Approaches Overview
Why so many approaches?
When all you have is a hammer, everything looks like a nail!
Specification of Protocol
Common Authentication Protocol Specification Language
http://www.csl.sri.com/users/millen/capsl/
High-level message-list based language with abstract encryption operators
A -> B: {A}K
Declarations:
strong typing and abstract data type extensions
initialization, named expressions
security goals
Actions between messages: tests, assignments
Emerging Picture
Tools for Security Analysis and Verification