Common Cyber Defenses Tom Chothia Computer Security, Lecture 18.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom...
-
date post
21-Dec-2015 -
Category
Documents
-
view
220 -
download
0
Transcript of Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom...
![Page 1: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/1.jpg)
Modelling and Analysing of Security Protocol: Lecture 1
Introductions to Modelling Protocols
Tom Chothia
CWI
![Page 2: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/2.jpg)
This Course
• This course will primarily teaching you:– How to design your own secure communication
protocols.– How to analyse protocols and look for faults.– How to use automatic tools to help you do this.
• Secondary skills:– Know which protocols to use for which jobs.– Improve your system design skills.
![Page 3: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/3.jpg)
Course Outline
• This Lecture:– How we model protocols– Types of encryption used.
• Lecture 2:– Types of attacks on protocols– Good protocol design– Homework ( 1/6 of total score).
![Page 4: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/4.jpg)
• Lecture 3:– Verifying protocols using BAN logic.
• Lecture 4:– Automatically verifying protocols.– Homework ( 1/6 of total score)
• Lecture 5:– Anonymity protocols.
Course Outline
![Page 5: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/5.jpg)
• Lecture 6:– Verifying probabilistic protocols in PRISM
• Lecture 7: – Fair exchange & Zero knowledge
• Lecture 8 to Lecture 10– Short students presentations ( 2/3 of total score )
• Lecture 11– Summary
Course Outline
![Page 6: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/6.jpg)
Sources
Take notes if you want but you will get handouts with all the important details
and the slides, handouts, papers, homework and links will be available at:
http://homepages.cwi.nl/~chothia/Teaching
![Page 7: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/7.jpg)
This Lecture
• Part 1:– Simple notation for protocols– Modelling “rules”– Needham-Schroeder and Kerberos protocols
• Part 2:– A high level overview the to cryptography– Symmetric key encryption, public key encryptions
and signing– Abstract equation for modelling encryption
![Page 8: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/8.jpg)
“A” sends message “M” to “B”:
written as:
A B : M
A Simple Protocol
A B M
![Page 9: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/9.jpg)
Rules
• We write down protocols as a list of messages sent between “principals”, e.g.
1. A B : “Hello”2. B A : “Offer”3. A B : “Accept”
![Page 10: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/10.jpg)
A Simple Protocol
A B M
Message “M” can be read by the attacker
![Page 11: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/11.jpg)
A Simple Protocol
A BM
Even now!
![Page 12: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/12.jpg)
Rule
• The attacker can read all the messages sent across the network.
![Page 13: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/13.jpg)
Encryption
• We can keep our data safe by using encryption:
A B { M }Kab
A B : { M }Kab
![Page 14: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/14.jpg)
Rule
• We can use – Encryption {M}K, EK(M)
– Signing SignK(M), SK(M), MACK(M)
– Hashing #(M), Hash(M)
• We assume that these are prefect– cannot be broken by brute force.
![Page 15: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/15.jpg)
Encryption
“M” is now secret
A B { M }Kab
but the protocol is not safe
![Page 16: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/16.jpg)
Replay Attack
A B 1: { Pay Elvis €5 }Kab
1) A B : { Pay Eve €5 }Kab
![Page 17: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/17.jpg)
Replay Attack
A B 1: { Pay Elvis €5 }Kab
1) A B : { Pay Eve €5 }Kab
2) E B : { Pay Eve €5 }Kab
E 2: { Pay Elvis €5 }Kab
![Page 18: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/18.jpg)
Rule
• The attacker can repeat any message it see.
![Page 19: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/19.jpg)
A Nonce
A B
1. A
2. { Na }Kab
3. {Na + 1}Kab , { Pay Elvis €5 }Kab
1. A B : A
2. B A : { Na }Kab
3. A B : { Na + 1 }Kab , { Pay Elvis €5 }Kab
![Page 20: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/20.jpg)
Rule
• We can generate nonces.
• This is a new random values.
• If you generate a new nonce for a session you know that all future messages with that include that nonce are part of the same session.
![Page 21: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/21.jpg)
A Nonce
A B
1. A
2. { Na }Kab
3. {Na + 1}Kab , { Pay Elvis €5 }Kab
5. { Na2 }Kab
6. {Na2 + 1}Kab , { Pay Bob €5 }Kab
4. A
![Page 22: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/22.jpg)
A Nonce
A B
1. A
2. { Na }Kab
3. {Na + 1}Kab , { Pay Elvis €5 }Kab
E
5. { Na2 }Kab
6. {Na2 + 1}Kab , { Pay Bob €5 }Kab
4. A
{ Pay Elvis €5 }Kab
6’. {Na2 + 1}Kab ,
![Page 23: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/23.jpg)
Rule
• The attacker can run multiple rounds of the protocol.
• The attacker can – break up messages,– invent new values, keys, nonces,..– combine any of these into new message.
![Page 24: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/24.jpg)
A Better Protocol
A B
1. A
2. { Na }Kab
3. {Na , Pay Elvis €5 }Kab
1. A B : A, Na
2. B A : { Na }Kab
3. A B : {Na, Pay Elvis €5 }Kab
![Page 25: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/25.jpg)
Key Establishment Protocol
• This was easy because A and B shared a key.
• Often the principals do not share a key, in which case we need a “Key Establishment Protocol”.
• This usually involves a “Trust Third Party” who has a shared key with each party.
![Page 26: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/26.jpg)
The Needham-Schroeder Public Key Protocol
A famous authentication protocol
1. A B : EB( Na, A )
2. B A : EA( Na, Nb )
3. A B : EB( Nb )
Na and Nb can then be used to generate a
symmetric key
![Page 27: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/27.jpg)
An Attack Against the Needham-Schroeder ProtocolThe attack acts as a man-in-the-middle:
1. A C : EC( Na, A )
1`. C(A) B : EA( Na, A )
2`. B C(A) : EA( Na, Nb )
2. C A : EA( Na, Nb )
3. A C : EC( Nb )
3`. C(A) B : EB( Nb )
![Page 28: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/28.jpg)
The Corrected Version
A very simple fix:
1. A B : EB( Na, A )
2. B A : EA( Na, Nb )
3. A B : EB( Nb )
![Page 29: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/29.jpg)
The Corrected Version
A very simple fix:
1. A B : EB( Na, A )
2. B A : EA( Na, Nb, B)
3. A B : EB( Nb )
![Page 30: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/30.jpg)
Rule
• The attacker can act as a participant of the protocol.
... (sometimes)
![Page 31: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/31.jpg)
Kerberos
A protocol for key establishment and authentication used in Windows, MacOS, Apache, OpenSSH, ...
1. A S : A,B,NA
2. S A : {KAB,B,L,NA,..}KAS,{KAB,A,L,..}KBS
3. A B : {A,TA}KAB,{KAB,A,L,..}KBS
4. B A : {TA+1}KAB
![Page 32: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/32.jpg)
Kerberos
A and S share the key KAS and B and S share KAS
Both A and B trust S to generate a new key for them: KAB
N is a nonce, T is a timestamp and L is an expiration time.
• A S : A,B,NA
• S A : {KAB,B,L,NA,..}KAS,{KAB,A,L,..}KBS
• A B : {A,TA}KAB,{KAB,A,L,..}KBS
• B A : {TA+1}KAB
![Page 33: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/33.jpg)
Sources
• For lectures 1 & 2 the the primary reference material is the handouts.
• This information is covered in more depth in
– Paper: “Prudent Engineering Practices for Cryptographic Protocols” (by Abadi & Needham)
– Book: “Protocols for Authentication and Key Establishment” (by Boyd & Mathuria) there are copies in the library.
![Page 34: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.](https://reader030.fdocuments.in/reader030/viewer/2022032704/56649d555503460f94a331a2/html5/thumbnails/34.jpg)
This Lecture
• Part 1:– Simple notation for protocols– Modelling “rules”– Needham-Schroeder and Kerberos protocols
• Part 2:– A high level overview of cryptography– Symmetric key encryption, public key encryptions
and signing– Abstract equation for modelling encryption