(More) cryptographic protocols

Transcription

1 (More) cryptographic protocols Myrto Arapinis School of Informatics University of Edinburgh October 19, /24

2 Authentication and key agreement protocols 2/24

3 Authentication and key agreement Long-term keys should be used as little as possible to to reduce attack-srufarce The use of a key should be restricted to a specific purpose e.g. you shouldn t use the same RSA key both for encryption and signing Public key algorithms tend to be computationally more expensive than symmetric key algorithms Long-term keys are used to establish short-term session keys e.g. TLS over HTTP, AKA for 3G, BAC for epassports, etc. 3/24

4 Needham-Schroeder Public Key (NSPK) NSPK: authentication and key agreement protocol A B [N. Roger, M. Schroeder, Michael. Using encryption for authentication in large networks of computers. Communications of the ACM (December 1978)] 4/24

5 Needham-Schroeder Public Key (NSPK) NSPK: authentication and key agreement protocol A B new N A [N. Roger, M. Schroeder, Michael. Using encryption for authentication in large networks of computers. Communications of the ACM (December 1978)] 4/24

6 Needham-Schroeder Public Key (NSPK) NSPK: authentication and key agreement protocol A B new N A aenc(pk B, N A,A ) [N. Roger, M. Schroeder, Michael. Using encryption for authentication in large networks of computers. Communications of the ACM (December 1978)] 4/24

7 Needham-Schroeder Public Key (NSPK) NSPK: authentication and key agreement protocol A B new N A aenc(pk B, N A,A ) new N B [N. Roger, M. Schroeder, Michael. Using encryption for authentication in large networks of computers. Communications of the ACM (December 1978)] 4/24

8 Needham-Schroeder Public Key (NSPK) NSPK: authentication and key agreement protocol A B new N A aenc(pk B, N A,A ) aenc(pk A, N A,N B ) new N B [N. Roger, M. Schroeder, Michael. Using encryption for authentication in large networks of computers. Communications of the ACM (December 1978)] 4/24

9 Needham-Schroeder Public Key (NSPK) NSPK: authentication and key agreement protocol A B new N A aenc(pk B, N A,A ) aenc(pk A, N A,N B ) aenc(pk B, N B,A ) new N B [N. Roger, M. Schroeder, Michael. Using encryption for authentication in large networks of computers. Communications of the ACM (December 1978)] 4/24

10 Needham-Schroeder Public Key (NSPK) NSPK: authentication and key agreement protocol A B new N A aenc(pk B, N A,A ) aenc(pk A, N A,N B ) aenc(pk B, N B,A ) new N B k AB h(n A,N B ) k AB h(n A,N B ) [N. Roger, M. Schroeder, Michael. Using encryption for authentication in large networks of computers. Communications of the ACM (December 1978)] 4/24

11 NSPK: security requirements Authentication: if Alice has completed the protocol, apparently with Bob, then Bob must also have completed the protocol with Alice. Authentication: If Bob has completed the protocol, apparently with Alice, then Alice must have completed the protocol with Bob. Confidentiality: Messages sent encrypted with the agreed key (k h(n A,NB)) remain secret. 5/24

12 NSPK: Lowe s attack on authentication Attack found 17 years after the publication of the NS protocol!! 6/24

13 NSPK: Lowe s attack on authentication Attack found 17 years after the publication of the NS protocol!! A I B new N A [G. Lowe. An attack on the Needham-Schroeder public key authentication protocol. Information Processing Letters (November 1995)] 6/24

14 NSPK: Lowe s attack on authentication Attack found 17 years after the publication of the NS protocol!! A I B new N A aenc(pk I, N A,A ) [G. Lowe. An attack on the Needham-Schroeder public key authentication protocol. Information Processing Letters (November 1995)] 6/24

15 NSPK: Lowe s attack on authentication Attack found 17 years after the publication of the NS protocol!! A I B new N A aenc(pk I, N A,A ) aenc(pk B, N A,A ) [G. Lowe. An attack on the Needham-Schroeder public key authentication protocol. Information Processing Letters (November 1995)] 6/24

16 NSPK: Lowe s attack on authentication Attack found 17 years after the publication of the NS protocol!! A I B new N A aenc(pk I, N A,A ) aenc(pk B, N A,A ) new N B [G. Lowe. An attack on the Needham-Schroeder public key authentication protocol. Information Processing Letters (November 1995)] 6/24

17 NSPK: Lowe s attack on authentication Attack found 17 years after the publication of the NS protocol!! A I B new N A aenc(pk I, N A,A ) aenc(pk B, N A,A ) aenc(pk A, N A,N B ) new N B [G. Lowe. An attack on the Needham-Schroeder public key authentication protocol. Information Processing Letters (November 1995)] 6/24

18 NSPK: Lowe s attack on authentication Attack found 17 years after the publication of the NS protocol!! A I B new N A aenc(pk I, N A,A ) aenc(pk A, N A,N B ) aenc(pk B, N A,A ) aenc(pk A, N A,N B ) new N B [G. Lowe. An attack on the Needham-Schroeder public key authentication protocol. Information Processing Letters (November 1995)] 6/24

19 NSPK: Lowe s attack on authentication Attack found 17 years after the publication of the NS protocol!! A I B new N A aenc(pk I, N A,A ) aenc(pk A, N A,N B ) aenc(pk I, N B,A ) aenc(pk B, N A,A ) aenc(pk A, N A,N B ) new N B [G. Lowe. An attack on the Needham-Schroeder public key authentication protocol. Information Processing Letters (November 1995)] 6/24

20 NSPK: Lowe s attack on authentication Attack found 17 years after the publication of the NS protocol!! A I B new N A aenc(pk I, N A,A ) aenc(pk A, N A,N B ) aenc(pk I, N B,A ) aenc(pk B, N A,A ) aenc(pk A, N A,N B ) aenc(pk B, N B,A ) new N B [G. Lowe. An attack on the Needham-Schroeder public key authentication protocol. Information Processing Letters (November 1995)] 6/24

21 NSPK: Lowe s attack on authentication Attack found 17 years after the publication of the NS protocol!! A I B new N A aenc(pk I, N A,A ) aenc(pk A, N A,N B ) aenc(pk I, N B,A ) aenc(pk B, N A,A ) aenc(pk A, N A,N B ) new N B aenc(pk B, N B,A ) k AI h(n A,N B ) k AI h(n A,N B ) k AB h(n A,N B ) k AB h(n A,N B ) [G. Lowe. An attack on the Needham-Schroeder public key authentication protocol. Information Processing Letters (November 1995)] 6/24

22 NSPK: Lowe s fix The Needham-Schroeder-Lowe (NSL) protocol A B new N A aenc(pk B, N A,A ) aenc(pk A, N A, N B,B ) aenc(pk B, N B,A ) new N B k AB h(n A,N B ) k AB h(n A,N B ) 7/24

23 Forward secrecy The NSL protocol is secure against an attacker that controls the network. What if the Alice s and Bob s private keys get compromised? What if the government forces Alice and Bob to reveal their private keys? Can we still protect confidentiality? Forward secrecy A protocol ensures forward secrecy, if even if long-term keys are compromised, past sessions of the protocol are still kept confidential, and this even if an attacker actively interferred. 8/24

24 The Station-to-Station (StS) protocol A B 9/24

25 The Station-to-Station (StS) protocol A B pick p where p is a large prime and g a generator of Z p 9/24

26 The Station-to-Station (StS) protocol A B pick p x r Z p where p is a large prime and g a generator of Z p 9/24

27 The Station-to-Station (StS) protocol A B pick p x r Z p g, p, g x where p is a large prime and g a generator of Z p 9/24

28 The Station-to-Station (StS) protocol A B pick p x r Z p g, p, g x y r Z p where p is a large prime and g a generator of Z p 9/24

29 The Station-to-Station (StS) protocol A B pick p x r Z p g, p, g x g y,cert B,E(g yx,s(sk B,(g y,g x ))) y r Z p where p is a large prime and g a generator of Z p 9/24

30 The Station-to-Station (StS) protocol A B pick p x r Z p g, p, g x g y,cert B,E(g yx,s(sk B,(g y,g x ))) Cert A,E(g yx,s(sk A,(g x,g y ))) y r Z p where p is a large prime and g a generator of Z p 9/24

31 The Station-to-Station (StS) protocol A B pick p x r Z p g, p, g x g y,cert B,E(g yx,s(sk B,(g y,g x ))) Cert A,E(g yx,s(sk A,(g x,g y ))) y r Z p where p is a large prime and g a generator of Z p The StS ensures mutual authentication, key agreement, and forward secrecy 9/24

32 The Basic Access Control (BAC) protcol An e-passport is a passport with an RFID tag embedded in it. The RFID tag stores: the information printed on the passport, a JPEG copy of the picture BAC: authentication and key agreement protocol implemented on e-passports 10/24

33 The Basic Access Control protocol (BAC) Passport (K E,K M ) get challenge Reader (K E,K M ) N P,K P R {0,1} 64 N P 11/24

34 The Basic Access Control protocol (BAC) Passport (K E,K M ) get challenge Reader (K E,K M ) N P,K P R {0,1} 64 N P {N R,N P,K R } KE, MAC KM ({N R,N P,K R } KE ) N R,K R R {0,1} 64 12/24

35 The Basic Access Control protocol (BAC) Passport (K E,K M ) get challenge Reader (K E,K M ) N P,K P R {0,1} 64 N P {N R,N P,K R } KE, MAC KM ({N R,N P,K R } KE ) N R,K R R {0,1} 64 {N P,N R,K P } KE, MAC KM ({N P,N R,K P } KE ) 13/24

36 The Basic Access Control protocol (BAC) Passport (K E,K M ) get challenge Reader (K E,K M ) N P,K P R {0,1} 64 N P {N R,N P,K R } KE, MAC KM ({N R,N P,K R } KE ) N R,K R R {0,1} 64 {N P,N R,K P } KE, MAC KM ({N P,N R,K P } KE ) K seed = K P K R K seed = K P K R 14/24

37 The passport must reply to all received messages Passport (K E,K M ) get challenge Reader (K E,K M ) N P,K P R {0,1} 64 N P {N R,N P,K R } KE, MAC KM ({N R,N P,K R } KE ) N R,K R R {0,1} 64 If MAC check fails mac err 15/24

38 The passport must reply to all received messages Passport (K E,K M ) get challenge Reader (K E,K M ) N P,K P R {0,1} 64 N P {N R,N P,K R } KE, MAC KM ({N R,N P,K R } KE ) N R,K R R {0,1} 64 If MAC check succeeds If nonce check fails nce err 16/24

39 The passport must reply to all received messages Passport (K E,K M ) get challenge Reader (K E,K M ) N P,K P R {0,1} 64 N P {N R,N P,K R } KE, MAC KM ({N R,N P,K R } KE ) N R,K R R {0,1} 64 If MAC check succeeds If nonce check succeeds {N P,N R,K P } KE, MAC KM ({N P,N R,K P } KE ) 17/24

40 e-passports and privacy The BAC protocol provides mutual authentication, key agreement, and confidentiality of subsequent communication e-passports further aim at providing anonymity and unlinkability to their bearers Definition (ISO 15408) Anonymity ensures that a user may use of a resource or service without disclosing the user s identity. Definition (ISO 15408) Unlinkability ensures that a user may make multiple uses of a resource or service without other users being able to link these uses together. 18/24

41 Different implementations of the BAC protocol The ICAO e-passport standard doesn t specify what the error messages should be. Each nation has implemented its own version: French e-passport: mac err nce err French implementation allows an attacker to track a passport, provided he has once witnessed a successful authentication. British e-passport: mac err = nce err The British version of the BAC protocol satisfies unlinkability. [T. Chothia, V. Smirnov. A traceability attack against e-passports. 14th International Conference on Financial Cryptography and Data Security 2010.] 19/24

42 An attack on the French e-passport (part 1) The attacker eavesdrop on Alice using her passport Alice s Passport (K E,K M ) get challenge Reader (K E,K M ) N P,K P R {0,1} 64 N P N R,K R R {0,1} 64 M = {N R,N P,K R } KE, MAC KM ({N R,N P,K R } KE ) and records message M 20/24

43 An attack on the French e-passport (part 2)???? s Passport (K E,K M ) Attacker get challenge N P,K P R {0,1} 64 N P M = {N R,N P,K R } KE, MAC KM ({N R,N P,K R } KE ) 21/24

44 An attack on the French e-passport (part 2)???? s Passport (K E,K M ) Attacker get challenge N P,K P R {0,1} 64 N P M = {N R,N P,K R } KE, MAC KM ({N R,N P,K R } KE ) mac err MAC check failed K M K M???? is not Alice 22/24

45 An attack on the French e-passport (part 2)???? s Passport (K E,K M ) Attacker get challenge N P,K P R {0,1} 64 N P M = {N R,N P,K R } KE, MAC KM ({N R,N P,K R } KE ) nce err MAC check succeeded K M = K M???? is Alice 23/24

46 Timing attack: the failed MAC is rejected sooner UK, Greek, German passports return the same error in both situations, but still... [T. Chothia, V. Smirnov. A traceability attack against e-passports. 14th International Conference on Financial Cryptography and Data Security 2010.] 24/24