Final Exam 90 minutes Date: TOTAL: 90 points

Transcription

1 F.Autreau J. Dreier P.Lafourcade Y. Lakhnech JL. Roch Final Exam 90 minutes Date: TOTAL: 90 points Security models 1st Semester 2012/2013 J. Dreier P. Lafourcade Y. Lakhnech Notice: the number of points corresponds approximatively to the number of minutes needed for solving an exercise. Exercise 1 (Acces Control (10 points)) A computing system consists of 4 users and 4 files, which are labelled according to the following table: Labels Users Files high User1 File1 medium User2 File2 low User3 File3 normal User4 File4 Where the labels are ordered as follows: high > medium > low > normal. The system allows two operations: {read, write}; i.e. a user can either read from a file or write to a file. 1. (5 points) Let the labels be security clearances (for users) and classifications (for files). (1 point) Recall Bell-LaPadula Model. (4 points) Create an access control matrix of the system following the Bell- LaPadula Model. 2. (5 points) Let the labels be integrity levels (for users and files). (1 point) Recall Biba Model. (4 points) Create an access control matrix of the system following the Biba Model.

2 1. BLP File1 File2 File3 File4 User1 read, write read read read User2 write read, write read read User3 write write write, read read User4 write write write read, write 2. Biba File1 File2 File3 File4 User1 write, read write write write User2 read read, write write write User3 read read read,write write User4 read read read read,write Exercise 2 (Acces-Control (10 points)) Alice can read and write to the file filex.sys, can read the file filey.sys, and can execute the file filez.sys. Bob can read and write to filey.sys, and cannot access filez.sys or filex.sys. 1. (4 points) Write the associated acces control matrix? 2. (3 points) Write a set of access control lists for this situation. Which list is associated with which file? 3. (3 points) Write a set of capability lists for this situation. With what is each list associated? 1. Build an access control matrix, and then from there you can derive the ACL and capabilities. r: read; w: write; x: execute 2. ACL (filex.sys) = {(Alice, {r,w})}; filex.sys filey.sys filez.sys Alice r,w r x Bob r,w ACL (filey.sys) = {(Alice, {r}), (Bob, {r,w})}; ACL(filez.sys) = {(Alice, {x})} 3. CAP(Alice) = {(filex.sys,{r,w}), (filey.sys, {r}), (filez.sys, {x})}; CAP(Bob) = {(filey.sys,{r,w})}

3 Exercise 3 (Diffie-Hellman (15 points)) 1. (5 points) Recall the Diffie-Hellman key echange protocol. 2. (5 points) Explain the attack on this protocol. 3. (5 points) We consider the following modified version of Diffie-Hellman key echange protocol, where H is a public hash function: Alice and Bob agree on a finite cyclic group G and a generating element g in G. We will write the group G multiplicatively. Alice picks two random natural numbers a and N a. Alice sends the triple (g a, N a, H(N a, g a )) to Bob. Bob picks two random natural numbers b and N b. Bob sends the triple (g b, N b, H(N b, g b )) to Alice. Alice computes (g b ) a. Bob computes (g a ) b. This modified version is it secure? 1. Alice and Bob agree on a finite cyclic group G and a generating element g in G. We will write the group G multiplicatively. Alice picks a random natural number a and sends g a to Bob. Bob picks a random natural number b and sends g b to Alice. Alice computes (g b ) a. Bob computes (g a ) b. 2. Man in the middle attack is possible: Alice sends g a Mallory sneds g m to Bob Bob computes the key (g m ) b and send g b Mallory sends g m to Alice Alice has a key g am to talk with Bob but indead she is talking to Mallory. Bob has a key g bm to talk with Alice but indead she is talking to Mallory. Mallory can uncrypt messages sent by Alice and rencrypt them to Bob, and vice versa. 3. The same attack works, the hash does not improve the scheme. Alice sends g a, N a, H(N a, g a ) Mallory sneds g m, N m, H(N m, g m ) to Bob

4 Bob computes the key (g m ) b and send g b, N b, H(N b, g b ) Mallory sends g m, N m, H(N m, g m ) to Alice Alice has a key g am to talk with Bob but indead she is talking to Mallory. Bob has a key g bm to talk with Alice but indead she is talking to Mallory. Mallory can uncrypt messages sent by Alice and rencrypt them to Bob, and vice versa. Exercise 4 (Square CDH (15 points)) 1. (1 point) Compute (a + b) (3 points) Recall the Computational Diffie-Hellman (CDH) assumption. 3. (4 + 7 = 11 points ) We define the S-CDH problem as follows: on input g, g x, computing g (x2). Prove that S-CDH CDH. Prove that S-CDH CDH. 1. Computational Diffie-Hellman (CDH): On input g, g x, g y, computing g xy. 2. SCDH CDH. Given an adversary A who can breaks CDH (On input g, g x, g y, computing g xy ). Then A can break SCDH given g, g x, g x as input of CDH. 3. SCDH CDH. Given an adversary A who can breaks SCDH (On input g, g x, computing g x2 ). Then A can break CDH by the following way: Given g, g x, g y, can we compute g xy. With g x and g y we get α 1 = g x2 and α 2 = g y2 using SCDH. Knowing g x and g y we can give to A g x+y to obtain β = g (x+y)2. We can obtain g 2xy dividing β by the product of α 1 and α 2. Exercise 5 (Passive Dolev Yao (30 points)) We consider the classical Dolev-Yao deduction system. considering exclusive-or operator (xor), denoted by. We add the following rule for (Xor) T x T y T x y Of course we need to make all our deductions modulo the equational theory of the xor. Note that this operator is a binary operator. It means that all terms are in normal form, for example the term x y z y is reduced to x z.

5 1. (7 points) Consider the classical Dolev-Yao deduction system. We define the notion of simple proof: A proof P is simple if each node appears at most once in each branch of P. Prove that if P is a minimal proof of T u then P is a simple proof of T u. 2. (4 points) Give the 4 equations associated to the xor operator. 3. (4 points) We first extend naively the definition of syntactic subterm as follow. S(t) is the smallest set such that: t S(t) u, v S(t) u, v S(t) {u} v S(t) u, v S(t) u v S(t) u, v S(t) Compute the syntactic subterm of (a b) {b} c, {c} k 4. (7 points) Give an counter-example of a proof P of T w which is minimal and is not S-local (you can define T and w as you want). 5. (8 points) Propose an other definition of sub-term in order that your example is now S-local. Give the set of sub-term associated to T {w}. (Of course the proof of the S-locality is not asked) 1. Let us assume to the contrary that P is a non-simple proof of T u. Then there is a branch of P in which T v occurs twice. We can cut the derivation between these two occurrences and so get a smaller proof P, which is in contradiction to the minimality of P. 2. S( (a b) {b} c, {c} k ) = { (a b) {b} c, {c} k, (a b) {b} c, a b, a, b, {b} c, c, {c} k, k, } 3. T = {a b, b c, c d} and w = a d (Xor) (Xor) (A) a b T 0 T 0 a b T 0 a c (A) b c T 0 T 0 b c T 0 a d (A) c d T 0 T 0 c d a c S(T {w}) = T {w} {a, b, c, d} 4. You need to consider all possible xor of all elements of S(T {w}). Then from S(T {w}) = T {w} {a, b, c, d} you need to add the following subterms: a c and a d.

6 Exercise 6 (Tools (10 points) ONLY PRO) We consider the output of one tool studied during the lecture for a given protocol. 1. (1 points) Give the name of the tool used. 2. (4 points) Give the role of the two honest participants of this protocol. 3. (2 points) Explain the attack. 4. (3 points) Propose and explain a possible correction.

7

8 1. Scyther 2. const pk: Function; secret sk: Function; inversekeys (pk,sk); // Hash function: nobody knows the inverse const hash: Function; secret unhash: Function; inversekeys (hash,unhash); // User type declaration usertype Key; // Protocol description protocol protocol2(i,r) { role I { const ni: Nonce; var nr: Nonce; var kir: Key; send_1 (I,R, { ni,i }pk(r) ); read_2 (R,I, hash(ni),{nr }pk(i) ); send_3 (I,R, hash(nr,ni) ); claim_i2 (I, Nisynch ); claim_i3 (I, Secret, nr ); claim_i4 (I, Secret, ni ); } role R { var ni: Nonce; const nr: Nonce; const kir: Key; read_1 (I,R, { ni,i }pk(r) ); send_2 (R,I, hash(ni),{nr }pk(i) ); read_3 (I,R, hash(nr,ni) );

9 claim_r2 (R, Nisynch ); claim_r3 (R, Secret, nr ); claim_r4 (R, Secret, ni ); } } // An untrusted agent, with compromised key const e: Agent; untrusted e; compromised sk(e); 3. There is a problem of authentication, and secrecy. Intruder can learn the secret. 4. Correction: for instance add R in the encryption correct this attack. Exercise 7 (Tools (10 points) R ONLY) Here is the AVISPA code of a protocol role alice (A,B : agent, Ka,Kb : public_key, Snd,Rcv : channel (dy)) played_by A def= local State : nat, Na : message, Nb : text init State:=0 transition 1. State=0 /\ Rcv(start) = > State :=1 /\ Na :=new() /\ Snd({Na.A}_Kb) /\ witness(a,b,bob_alice_na,na ) /\ secret(na,na,{a,b}) 2. State=1 /\ Rcv({Nb.xor(Na,B)}_Ka) = > State :=2 /\ Snd({Nb }_Kb) /\ wrequest (A,B,alice_bob_nb,Nb ) end role role bob (B,A Kb,Ka : agent, : public_key,

10 Snd,Rcv : channel (dy)) played_by B def= local State : nat, Na : message, Nb : text init State:=0 transition 1. State=0 /\ Rcv({Na.A}_Kb) = > State :=1 /\ Nb :=new() /\ Snd({Nb.xor(Na,B)}_Ka) /\ witness(b,a,alice_bob_nb,nb ) /\ secret(nb,nb,{a,b}) 2. State=1 /\ Rcv({Nb}_Kb) = > State :=2 /\ wrequest(b,a,bob_alice_na,na) end role role session (A,B: agent, Ka, Kb: public_key, SND, RCV: channel(dy) ) def= composition alice(a,b,ka,kb,snd,rcv) /\ bob(b,a,kb,ka,snd,rcv) end role role environment() def= local Snd, Rcv: channel(dy) const a, b, i: agent, ka, kb, ki: public_key, na, nb, alice_bob_nb, bob_alice_na: protocol_id intruder_knowledge = {a,b,i,ka,kb,ki,inv(ki)} composition session(a,b,ka,kb,snd,rcv) /\ session(a,i,ka,ki,snd,rcv) end role goal

11 weak_authentication_on alice_bob_nb weak_authentication_on bob_alice_na secrecy_of na, nb end goal environment() 1. (3 points) Give an Alice and Bob description of the protocol and propose a relevant name for this protocol. 2. (3 points) Explain the properties that are verified. 3. (4 points) Give an attack on the protocol and explain it. 1. The protocol works has follows A B : {N A, A} KB B A : {N B, N A B} KP A A B : {N B } KP A 2. We have the following 4 properties encoded in the file: Secrecy of Na, Nb Authentication of Alice to Bob using N b Authentication of Bob to Alice using N a 3. The attack is the following: A I : {N A, A} KI I B : {N A B I, A} KB B I : {N B, N A I} KA I B : {N B, N A I} KA A I : {N B } KI I B : {N B } KB