Network Security and Internet Protocols

Transcription

1 Network Security and Internet Protocols Luca Viganò Dipartimento di Informatica Università di Verona Sicurezza delle Reti A.A. 12/13 Lecture 5 Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 1 / 96

2 Table of Contents 1 Layered security and security protocols Motivation: layered communication in computer networks 2 Building a key establishment protocol 3 An example: Needham-Schroeder Public Key protocol 4 Examples of protocols and possible vulnerabilities Kinds of attack Otway-Rees protocol Andrew Secure RPC protocol Key exchange with CA (Denning & Sacco) Example of binding attack Example of parallel sessions attack Example of replay attack 5 Prudent engineering of security protocols 6 Formal modeling and analysis of protocols: an introduction Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 2 / 96

3 Outline Layered security and security protocols 1 Layered security and security protocols Motivation: layered communication in computer networks 2 Building a key establishment protocol 3 An example: Needham-Schroeder Public Key protocol 4 Examples of protocols and possible vulnerabilities Kinds of attack Otway-Rees protocol Andrew Secure RPC protocol Key exchange with CA (Denning & Sacco) Example of binding attack Example of parallel sessions attack Example of replay attack 5 Prudent engineering of security protocols 6 Formal modeling and analysis of protocols: an introduction Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 3 / 96

4 Outline Layered security and security protocols Motivation: layered communication in computer networks 1 Layered security and security protocols Motivation: layered communication in computer networks 2 Building a key establishment protocol 3 An example: Needham-Schroeder Public Key protocol 4 Examples of protocols and possible vulnerabilities Kinds of attack Otway-Rees protocol Andrew Secure RPC protocol Key exchange with CA (Denning & Sacco) Example of binding attack Example of parallel sessions attack Example of replay attack 5 Prudent engineering of security protocols 6 Formal modeling and analysis of protocols: an introduction Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 4 / 96

5 Layered security and security protocols Motivation: layered communication in computer networks Motivation How can cryptographic primitives be combined so that the result has properties that the individual building blocks lack? Examples we have seen: Public keys may be distributed in the clear, but this requires message authentication. Diffie-Hellman creates shared keys out of nothing, but also requires message authentication. Digital signatures guarantee message authentication, but not the timeliness of the message. Protocols essential to developing networked services and new applications. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 5 / 96

6 Layered security and security protocols Internet Security Protocols The world is distributed: Our basic infrastructures are increasingly based on networked information systems. Business, finance, communication, energy distribution, transportation, entertainment... Motivation: layered communication in computer networks Charlie Alice! Transfer $100 to account X Bob@Bank! Alice: Transfer carried out Alice Bob How does Bob know that he is really speaking with Alice? How does Bob know Alice just said it? Confidentiality, integrity, accountability, non-repudiation, privacy...? Solutions involve protocols like IPSEC, KERBEROS, SSH, SSL, SET, PGP... We ll consider underlying ideas and some example protocols. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 6 / 96

7 Layered security and security protocols Motivation: layered communication in computer networks A step back : Computer networks Physically: a collection of segments that transmit bit streams. Examples: wire between two nodes or multi-access links like a LAN (e.g. Ethernet, token rings, packet radio networks). Logically: a communication medium between principals. Example: client communicates to server. A secure channel is yet another abstraction. Other abstractions may concern availability, privacy of communication partners, etc. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 7 / 96

8 Layered security and security protocols Layered communication in networks Motivation: layered communication in computer networks Logical functionality built in layered way. Application communication reliable transport between nodes unreliable transport across links and switches packet transportation across single links builds upon builds upon builds upon TCP/IP protocol reference model Application Transport/session Network (Internet) Link (Interface) Telnet, FTP, HTTP, RPC, SMTP, SET,... TCP, UDP IP, ICMP,... Network interface & device drivers (IEEE 802.x, PPP, SLIP) Alternative model (OSI) with three additional layers: presentation, physical, and transport/session distinction. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 8 / 96

9 Layered security and security protocols Layered communication (II) Motivation: layered communication in computer networks Application Transport Network Link Application Transport Network Link ith layer of one node communicates with ith layer of different node, each using services provided by their lower layers. Headers/trailers added to (or stripped from) packets as they traverse the protocol stack. Layers are an abstraction. Reality is usually rather different. TCP/IP model developed by practitioners in parallel to ISO/OSI. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 9 / 96

10 Layered security and security protocols Motivation: layered communication in computer networks Internet security Internet: Confederation of networks using TCP/IP protocols. No global domain of trust. Different subnetworks may (or may not) be trustworthy. 15+ hops for a packet from source to destination is common. Problem: how do we secure communication/applications? One possibility: secure applications over insecure channels. Example: Use of PGP to encrypt/sign mail. Example: Kerberos is typically implemented and supported by different applications. Requires kerberized applications. Solutions involve also other protocols: SSH, SSL, IPSEC, SET,... We will consider underlying ideas and a few example protocols. Note that securing other layers is also possible. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 10 / 96

11 Definitions Layered security and security protocols Motivation: layered communication in computer networks A protocol consists of a set of rules (conventions) that determine the exchange of messages between two or more principals. In short, a distributed algorithm with emphasis on communication. Security (or cryptographic) protocols use cryptographic mechanisms to achieve security objectives. Examples: Entity or message authentication, key establishment, integrity, timeliness, fair exchange, non-repudiation,... Small recipes, but nontrivial to design and understand. Analogous to programming Satan s computer. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 11 / 96

12 Outline Building a key establishment protocol 1 Layered security and security protocols Motivation: layered communication in computer networks 2 Building a key establishment protocol 3 An example: Needham-Schroeder Public Key protocol 4 Examples of protocols and possible vulnerabilities Kinds of attack Otway-Rees protocol Andrew Secure RPC protocol Key exchange with CA (Denning & Sacco) Example of binding attack Example of parallel sessions attack Example of replay attack 5 Prudent engineering of security protocols 6 Formal modeling and analysis of protocols: an introduction Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 12 / 96

13 Building a key establishment protocol Building a key establishment protocol (1) An attempt to design a good protocol (from first principles). First step: establish the communications architecture. We choose here one common scenario from several alternatives: A set of users, any 2 of whom may wish to establish a new session key for use in subsequent communications. N.B.: successful completion of key establishment (& entity authentication) is only the beginning of a secure communications session: once a new key has been established, its use comes in protecting the data to be communicated with whatever cryptographic mechanisms are chosen. To this end, users interact with a trusted server. N.B.: The server is trusted not to engage in any other activity that will deliberately compromise the users security, and to generate the new key and to do so in such a way that it is sufficiently random to prevent an attacker gaining useful information about it. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 13 / 96

14 Building a key establishment protocol Building a key establishment protocol (2) Hence, protocol involves 3 principals (a.k.a. agents, parties...): Alice (A), Bob (B), and the trusted Server (S). A and B are often also called protocol initiator and responder. Role of S: generate the new session key K AB (= K BA ) and transport it to A and B. Aims of the protocol: At the end of the protocol, K AB should be known to both A and B, but to no other parties with the possible exception of S. A and B should know that K AB is newly generated. Formalization questions (that we will consider later): How do we formalize the protocol steps and goals? How do we formalize knowledge, secrecy, newly,...? Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 14 / 96

15 Building a key establishment protocol Building a key establishment protocol (3) A first attempt: a protocol that consists of 3 messages. GFED S 1. A, B 2. K AB C 89:;?>=< { A 3. K AB, A 89:;,2?>=< B 1 A contacts S by sending the identities of the 2 parties who are going to share the session key. 2 S sends the key K AB to A. 3 A passes K AB on to B. N.B.: K AB does contain any information about A and B, but is simply a name for the bit-string representing the session key. Before we examine the (lack of) security of this protocol, note that this is a significantly incomplete protocol specification. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 15 / 96

16 Building a key establishment protocol Building a key establishment protocol GFED S 1. A, B 2. K AB? 89:;?>=< z A 3. K AB, A 89:;,2?>=< B Only messages passed in a successful protocol run are specified. No description of what happens in the case that a message of the wrong format is received or that no message is received at all. This is standard for security protocols, while in specifying ordinary communication protocols it is common to include this information (as it is essential to prove basic functional properties). No specification of internal actions of principals. Internal actions are fairly obvious for many protocols (e.g. to calculate what is required to output the next message), but for other protocols there are numerous alternatives and the choice can have security-critical relevance. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 16 / 96

17 Building a key establishment protocol Building a key establishment protocol GFED S 1. A, B 2. K AB? 89:;?>=< z A 3. K AB, A 89:;,2?>=< B Implicit assumption: A and B know that the received messages are part of the protocol. It is common to omit such details which would be required for a networked computer to be able to track the progress of a particular protocol run. This may include details of which key should be used to decrypt a received message which has been encrypted. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 17 / 96

18 Building a key establishment protocol Building a key establishment protocol GFED S 1. A, B 2. K AB? 89:;?>=< z A 3. K AB, A Despite the obvious limitations associated with specifying protocols by showing only the messages of a successful run, it remains the most popular method of describing security protocols. But there are many works that have addressed these problems to disambiguate the notation. More in the following weeks. An equivalent representation: Alice&Bob notation: 1. A! S : A, B 2. S! A : K AB 3. A! B : K AB, A but note that sender/receiver names A! B are not part of the message and it is not the case that messages automatically reach their destination securely. 89:;,2?>=< B Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 18 / 96

19 Building a key establishment protocol Building a key establishment protocol (7) Problem with this GFED S 1. A, B 2. K AB? 89:;?>=< z A 3. K AB, A 89:;,2?>=< B Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 19 / 96

20 Building a key establishment protocol Building a key establishment protocol GFED S 1. A, B 2. K AB? 89:;?>=< z A 3. K AB, A Problem with this protocol? The session key K AB must be transported to A and B but to no other parties. A realistic assumption in typical communication systems such as the Internet and corporate networks: 89:;,2?>=< B Security Assumption 1 The adversary is able to eavesdrop on all messages sent in a security protocol. If this possibility can be discounted, then there is probably no need to apply security at all. ) Use a cryptographic algorithm and associated keys. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 19 / 96

21 Building a key establishment protocol Building a key establishment protocol (8) Second attempt: assume that S GFED S initially shares a secret key with each user of the system: K 1. A, B AS with A, K BS with B, 2. {K AB } KAS, {K AB } KBS and encrypts message 2. C 89:;?>=< { A 3. {K AB } KBS, A 89:;,2?>=< B Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 20 / 96

22 Building a key establishment protocol Building a key establishment protocol (8) Second attempt: assume that S initially shares a secret key with each user of the system: K AS with A, K BS with B, and encrypts message 2. Problems with protocol? Eavesdropping? GFED S 1. A, B 2. {K AB } KAS, {K AB } KBS C 89:;?>=< { A 3. {K AB } KBS, A 89:;,2?>=< B Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 20 / 96

23 Building a key establishment protocol Building a key establishment protocol (8) Second attempt: assume that S initially shares a secret key with each user of the system: K AS with A, K BS with B, and encrypts message 2. Problems with protocol? Eavesdropping? No. Perfect cryptography assumption GFED S 1. A, B 2. {K AB } KAS, {K AB } KBS C 89:;?>=< { A 3. {K AB } KBS, A Encrypted messages may only be read by the legitimate recipients who have the keys required to decrypt... While an understanding of cryptographic algorithms is essential for the correct design of protocols, the details of the algorithms are often irrelevant and are frequently avoided during both protocol design and analysis. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 20 / 96 89:;,2?>=< B

24 Building a key establishment protocol Building a key establishment protocol (9) Problem is not that the protocol gives away the secret key K AB, but that the information about who else has K AB is not protected. GFED S 1. A, B 2. {K AB } KAS, {K AB } KBS C 89:;?>=< { A 3. {K AB } KBS, A Adversary could not only be able to eavesdrop on messages sent, but also to capture messages and alter them. Security Assumption 2 The adversary is able to alter all messages sent in a security protocol using any information available. He can also re-route any message to any other principal (or just intercept them). This includes the ability to generate and insert completely new messages. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 21 / 96 89:;,2?>=< B

25 Building a key establishment protocol Building a key establishment protocol (10) In other words: the adversary has complete control of the channel(s) over which protocol messages flow. The adversary has complete control over the network. In contrast to ordinary communication protocols, in security protocols there is an unknown and unpredictable principal involved. Although there may be no more than 4 or 5 messages involved in a legitimate run of the protocol, there are an infinite number of variations in which the adversary participates. These variations have an unbounded number of messages and each must satisfy the protocol s security requirements. The protocol can then be attacked as follows: Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 22 / 96

26 2, Building a key establishment protocol Building a key establishment protocol (11) GFED S 1. A, B 2. {K AB } KAS, {K AB } KBS < 89:;?>=< A y 3. {K AB } KBS, GFED C 3 0. {K AB } KBS, D 89:;,2?>=< B The adversary C simply intercepts the message from A to B and substitutes D s identity for A (where D could be any identity including C s own). =) B believes that he is sharing the key with D, whereas in fact he is sharing it with A. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 23 / 96

27 2, Building a key establishment protocol Building a key establishment protocol (12) GFED S 1. A, B 2. {K AB } KAS, {K AB } KBS < 89:;?>=< A y 3. {K AB } KBS, GFED C 3 0. {K AB } KBS, D 89:;,2?>=< B The result of this attack will depend on the scenario in which the protocol is used, but may include such actions as B giving away information to A which should have been shared only with D. Although C does not obtain K AB, we can still regard the protocol as broken since it does not satisfy the requirement that the users should know who else knows the session key. But there is also another (more serious) attack: Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 24 / 96

28 rl 2, 2, Building a key establishment protocol Building a key establishment protocol (13) {{{{{{{{{{{{{{{{{{{{{{{ GFED C {{{{{{{{{{{{{{{{{{{{{{{ 1. A, B 2 0. {K AC } KAS, {K AC } KCS { ; 89:;?>=< A x { 3. {K AC } KCS, A 1 0. A,C 2. {K AC } KAS, {K AC } GFED GFED S C alters the message from A to S so that S encrypts the key K AC with C s key, K CS, instead of with B s key. Since A cannot distinguish between encrypted messages meant for other principals she will not detect the alteration. Note also that K AC is simply a formal name for the bit-string representing the session key, so it will be accepted by A. C intercepts the message from A intended for B so that B will not detect any anomaly. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 25 / 96

29 rl 2, 2, Building a key establishment protocol Building a key establishment protocol (14) {{{{{{{{{{{{{{{{{{{{{{{ GFED C {{{{{{{{{{{{{{{{{{{{{{{ 1. A, B 2 0. {K AC } KAS, {K AC } KCS { ; 89:;?>=< A x { 3. {K AC } KCS, A 1 0. A,C 2. {K AC } KAS, {K AC } GFED GFED S Hence, A will believe that the protocol has been successfully completed with B whereas C knows K AC and so can masquerade as B as well as learn all information that A sends intended for B. In contrast to the previous attack, this one will succeed if C is a legitimate system user known to S, which is a realistic assumption: Security Assumption 3 The adversary may be a legitimate protocol participant (an insider), or an external party (an outsider), or a combination of both. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 26 / 96

30 Building a key establishment protocol Building a key establishment protocol (15) To overcome this attack, the names of the principals who are to share K AB need to be bound cryptographically to the key. Neither of 2 previous attacks succeeds on the following protocol: {{{{{{{{{{{{{{{{{{{{{{{ GFED S {{{{{{{{{{{{{{{{{{{{{{{ 1. A, B 2. {K AB, B} KAS, {K AB, A} KBS { ; 89:;?>=< A x { 89:;,2?>=< B 3. {K AB, A} KBS The protocol has improved to the point where an adversary is unable to attack it by eavesdropping or altering the messages sent between honest parties. However, even now the protocol is not good enough to provide security on normal operating conditions. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 27 / 96

31 Building a key establishment protocol Building a key establishment protocol (16) The problem stems from the difference in quality between the long-term key-encrypting keys shared initially with S, and the session keys K AB generated for each protocol run. Reasons for using session keys: They are expected to be vulnerable to attack (by cryptanalysis). Communications in different sessions should be separated. In particular, it should not be possible to replay messages from previous sessions. A whole class of attacks becomes possible when old keys (or other security-relevant data) may be replayed in a subsequent session. Security Assumption 4 The adversary is able to obtain the value of the session key K AB used in any sufficiently old previous run of the protocol. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 28 / 96

32 Building a key establishment protocol Building a key establishment protocol (17) {{{{{{{{{{{{{{{{{{{{{{{ ;8C89:;?>=< {{{{{{{{{{{{{{{{{{{{{{{ C 1. A, B 2. {KAB 0, B} K, {K AS AB 0, A} K BS { ; 89:;?>=< A x { 89:;,2?>=< B 3. {KAB 0, A} K BS C intercepts message from A to S (who plays no part in this run). Replay: K 0 AB is an old key used by A and B in a previous session. By Security Assumption 1, C can be expected to know the encrypted messages via which K 0 AB was transported to A and B. By Security Assumption 4, C can be expected to know the value of K 0 AB. Thus, when A completes the protocol with B, C is able to decrypt subsequent information encrypted with K 0 AB or insert or alter messages whose integrity is protected by K 0 AB. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 29 / 96

33 Building a key establishment protocol Building a key establishment protocol (18) GFED C 1. A, B 2. {KAB 0, B} K AS, {KAB 0, A} K BS C 89:;?>=< { A 89:;,2?>=< B 3. {KAB 0, A} K BS The replay attack can still be regarded as successful even if C has not obtained the value of K 0 AB. C has succeeded in making A and B accept an old session key! The attack allows C to replay messages protected by K 0 AB which were sent in the previous session. Of course: provided that A and B don t check the key! Principals don t think but just follow the protocol. Various techniques may be used to allow principals to check that session keys have not been replayed, e.g. the challenge response method: A nonce ( a number used only once ) is a random value generated by one principal and returned to that principal to show that a message is newly generated. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 30 / 96

34 rl Building a key establishment protocol Building a key establishment protocol (19) GFED S 1. A, B, N A 2. {K AB, B, N A, {K AB, A} KBS } KAS C 89:;?>=< { A 89:;?>=<,2 B 3. {K AB, A} KBS 4. {N B } KAB,2 5. {N B 1} KAB A sends her nonce N A to S with the request for a new key. If this same value is received with the session key, then A can deduce that the key has not been replayed. This deduction will be valid as long as session key and nonce are bound together cryptographically in such a way that only S could have formed such a message. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 31 / 96

35 rl Building a key establishment protocol Building a key establishment protocol (20) GFED S 1. A, B, N A 2. {K AB, B, N A, {K AB, A} KBS } KAS C 89:;?>=< { A 89:;?>=<,2 B 3. {K AB, A} KBS 4. {N B} KAB 5. {N B 1} KAB,2 N.B.: N A is just a number! There is nothing in N A that identifies who has created it. Hence, we will also write NA or even better N 1 or N1. If the encrypted key for B is included in the encrypted part of A s message, then A can gain assurance that it is fresh. It is tempting to believe that A may pass this assurance on to B in an extra handshake: B generates a nonce N B and sends it to A protected by K AB itself. A uses K AB to send a reply to B ( 1 to avoid replay of message 4). Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 32 / 96

36 rl Building a key establishment protocol Building a key establishment protocol (21) GFED S 1. A, B, N A 2. {K AB, B, N A, {K AB, A} KBS } KAS C 89:;?>=< { A 89:;?>=<,2 B 3. {K AB, A} KBS 4. {N B} KAB 5. {N B 1} KAB,2 This is actually one of the most celebrated security protocols. Published by Needham and Schroeder in 1978, it has been the basis for a whole class of related protocols. Unfortunately, this protocol by Needham & Schroeder is vulnerable to an almost equally celebrated attack due to Denning and Sacco. The argument we used to justify the protocol design is flawed. Problem is assumption that only A will be able to form a correct reply to message 4 from B. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 33 / 96

37 rl rl Building a key establishment protocol Building a key establishment protocol (22) GFED S 1. A, B, N A 2. {K AB, B, N A, {K AB, A} KBS } KAS C 89:;?>=< { A 89:;?>=<,2 B 3. {K AB, A} KBS 4. {N B} KAB 5. {N B 1} KAB,2 Since the adversary C can be expected to know the value of an old session key, this assumption is unrealistic. C masquerades as A and thus persuades B to use old key K 0 AB GFED C 89:;?>=<,2 B 3. {KAB 0, A} K BS 4. {N B } K 0 AB,2 5. {N B 1} K 0 AB Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 34 / 96

38 rl Building a key establishment protocol Building a key establishment protocol (23) A different approach: throw away the assumption that it is inconvenient for both B and A to send their challenges to GFED S 2. A, B, N A, N B 3. {K AB, B, N A } KAS, {K AB, A, N B } KBS? 89:;?>=< z A 89:;?>=< B 1. B, N B,2 4. {K AB, A, N B } KBS Protocol is now initiated by B who sends his nonce N B first to A. A adds her nonce N A and sends both to S, who is now able to return K AB in separate messages for A and B, which can each be verified as fresh by their respective recipients. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 35 / 96

39 rl Building a key establishment protocol Building a key establishment protocol (24) GFED S 2. A, B, N A, N B 3. {K AB, B, N A} KAS, {K AB, A, N B} KBS C 89:;?>=< { A 89:;?>=< B 1. B, N B,2 4. {K AB, A, N B} KBS It may seem that we have achieved more than the previous protocol using fewer messages, but in fact... Before (slide building... (18) ), A could verify not only that the key is new and known only by A, B, and S, but also that B has in fact received the key. This property of key confirmation is achieved due to B s use of the key in message 4, assuming that {N B } KAB cannot be formed without knowledge of K AB. In our final protocol, neither A nor B can deduce at the end of a successful protocol run that the other has actually received K AB. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 36 / 96

40 rl Building a key establishment protocol Building a key establishment protocol (25) GFED S 2. A, B, N1 N2 3. {K AB, B, N1} KAS, {K AB, A, N2} KBS C 89:;?>=< { A 89:;?>=< B 1. B, N2,2 4. {K AB, A, N2} KBS This protocol avoids all the attacks that we have seen so far, as long as the cryptographic algorithm used provides the properties of both confidentiality and integrity, and the server S acts correctly. It would be rash to claim that this protocol is secure before giving a precise meaning to that term! The security of a protocol must always be considered relative to its goals. Hence, we need means to formalize protocols and goals (and attacks). Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 37 / 96

41 Building a key establishment protocol Summary: Messages Message constructors are: Names: A, B or Alice, Bob,.... Keys: K and inverse keys K 1 (for signing, not decryption) Encryption: {M} K. Encryption with A s public key: {M} KA. Signing: {M} K 1. Signing with A s private key: {M} K 1. A Symmetric keys: {M} KAB. Nonces: NA, N1,... fresh data items used for challenge/response. N.B.: sometimes subscripts are used, e.g. N A, but it does not mean that principals can find out that N A is related to (e.g. was generated by) A. Timestamps: T. Denote time, e.g. used for key expiration. Message concatenation: {M 1, M 2 }. Example: {A, T 1, K AB } KB. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 38 / 96

42 Building a key establishment protocol Summary: Communication Fundamental event is communication between principals. A! B : {A, T 1, K AB } KB A and B name roles. Can be instantiated by any principal playing in the role. Communication is asynchronous (depending on semantic model). Sender/receiver names A! B are not part of the message. Protocol specifies actions of principals. Equivalently, protocol defines a set of event sequences (traces). Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 39 / 96

43 Building a key establishment protocol Summary: Protocols A typical protocol description combines prose, data type specifications, various kinds of diagrams, ad hoc notations, and message sequences like 1. A! B : {N1, A} KB 2. B! A : {N1, N2} KA 3. A! B : {N2} KB They often include informal statements concerning the properties of the protocol and why they should hold. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 40 / 96

44 Building a key establishment protocol Summary: Protocols (cont.) What does a message A! B : M actually mean? We assume that an intruder can interpose a computer in all communication paths, and thus can alter or copy parts of messages, replay messages, or emit false material. We also assume that each principal has a secure environment in which to compute such as is provided by a personal computer... Needham and Schroeder In what follows, we shall be more formal about our assumptions. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 41 / 96

45 An example: Needham-Schroeder Public Key protocol Outline 1 Layered security and security protocols Motivation: layered communication in computer networks 2 Building a key establishment protocol 3 An example: Needham-Schroeder Public Key protocol 4 Examples of protocols and possible vulnerabilities Kinds of attack Otway-Rees protocol Andrew Secure RPC protocol Key exchange with CA (Denning & Sacco) Example of binding attack Example of parallel sessions attack Example of replay attack 5 Prudent engineering of security protocols 6 Formal modeling and analysis of protocols: an introduction Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 42 / 96

46 An example: Needham-Schroeder Public Key protocol An authentication protocol The Needham-Schroeder Public Key protocol (NSPK): 1. A! B : {NA, A} KB 2. B! A : {NA, NB} KA 3. A! B : {NB} KB Here is an instance (a protocol run): {17,Alice} K Bob {17,41} K Alice {41} K Bob Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 43 / 96

47 An example: Needham-Schroeder Public Key protocol How the protocol is executed 1. A! B : {NA, A} KB 2. B! A : {NA, NB} KA 3. A! B : {NB} KB Each principal executes a protocol automaton, e.g. Alice in role A. State s 1 : Generate nonce NAlice, pair it with name, and encrypt with K Bob. Send {NAlice, Alice} KBob to Bob. Goto state s 2. State s 2 : Receive message C and decrypt it: M = D K 1 (C). Alice If M is not of the form {NAlice, X} for some nonce X, then goto reject state else goto state s 3. State s 3 :... State reject: terminate with failure. N.B.: principals can be engaged in multiple runs (= multiple automata). Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 44 / 96

48 An example: Needham-Schroeder Public Key protocol Assumptions and goals Assumptions (for principals): Implicit (or explicit) prerequisites. Principals know their private keys and public keys of others. Principals can generate nonces. Goals: What the protocol should achieve. E.g. Authenticate messages, binding them to their originator. Theses: Ensure timeliness of messages (recent, fresh,...). Guarantee secrecy of certain items (e.g. generated keys). A protocol without clear goals (and assumptions) is useless. A protocol without a proof of correctness is probably wrong. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 45 / 96

49 An example: Needham-Schroeder Public Key protocol Assumptions: attacker How do we model the attacker? Possibilities: He knows the protocol but cannot break cryptography. (Standard: perfect encryption.) He is passive but overhears all communications. He is active and can intercept and generate messages. Transfer $20 to Diane ; Transfer $10,000 to Charlie He might even be one of the principals running the protocol! A friend s just an enemy in disguise. You can t trust nobody. (Charles Dickens, Oliver Twist) Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 46 / 96

50 An example: Needham-Schroeder Public Key protocol Standard attacker model The attacker is active. Namely: He can intercept and read all messages. He can decompose messages into their parts. But cryptography is secure: decryption requires inverse keys. He can build new messages with the different constructors. He can send messages at any time. The Dolev-Yao attacker (or intruder) model: very strong assumptions about the attacker =) correct protocols function in a very large range of environments. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 47 / 96

51 An example: Needham-Schroeder Public Key protocol The Needham-Schroeder Public Key Protocol (NSPK) 1. A! B : {NA, A} KB 2. B! A : {NA, NB} KA 3. A! B : {NB} KB Goal: mutual authentication. Translation: This is Alice and I have chosen a nonce NA. Here is your nonce NA. Since I could read it, I must be Bob. I also have a challenge NB for you. You sent me NB. Since only Alice can read this and I sent it back, you must be Alice. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 48 / 96

52 An example: Needham-Schroeder Public Key protocol The Needham-Schroeder Public Key Protocol (NSPK) 1. A! B : {NA, A} KB 2. B! A : {NA, NB} KA 3. A! B : {NB} KB Goal: mutual authentication. Translation: This is Alice and I have chosen a nonce NA. Here is your nonce NA. Since I could read it, I must be Bob. I also have a challenge NB for you. You sent me NB. Since only Alice can read this and I sent it back, you must be Alice. NSPK proposed in 1970s and used for decades, until... Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 48 / 96

53 An example: Needham-Schroeder Public Key protocol The Needham-Schroeder Public Key Protocol (NSPK) 1. A! B : {NA, A} KB 2. B! A : {NA, NB} KA 3. A! B : {NB} KB Goal: mutual authentication. Translation: This is Alice and I have chosen a nonce NA. Here is your nonce NA. Since I could read it, I must be Bob. I also have a challenge NB for you. You sent me NB. Since only Alice can read this and I sent it back, you must be Alice. NSPK proposed in 1970s and used for decades, until... Protocols are typically small and convincing... Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 48 / 96

54 An example: Needham-Schroeder Public Key protocol The Needham-Schroeder Public Key Protocol (NSPK) 1. A! B : {NA, A} KB 2. B! A : {NA, NB} KA 3. A! B : {NB} KB Goal: mutual authentication. Translation: This is Alice and I have chosen a nonce NA. Here is your nonce NA. Since I could read it, I must be Bob. I also have a challenge NB for you. You sent me NB. Since only Alice can read this and I sent it back, you must be Alice. NSPK proposed in 1970s and used for decades, until... Protocols are typically small and convincing... and often wrong! Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 48 / 96

55 An example: Needham-Schroeder Public Key protocol How to at least tie against a Chess Grandmaster Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 49 / 96

56 An example: Needham-Schroeder Public Key protocol How to at least tie against a Chess Grandmaster Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 49 / 96

57 An example: Needham-Schroeder Public Key protocol Man-in-the-middle attack on the NSPK X! Y : {N1, X} K Y Y! X : {N1, N2} KX X! Y : {N2} KY NSPK #1 NSPK #2 Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 50 / 96

58 An example: Needham-Schroeder Public Key protocol X! Y : {N1, X} KY Y! X : {N1, N2} KX X! Y : {N2} KY Man-in-the-middle attack on the NSPK X! Y : {N1, X} K Y NSPK #1 NSPK #2 { NA,A} KC Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 50 / 96

59 An example: Needham-Schroeder Public Key protocol X! Y : {N1, X} KY Y! X : {N1, N2} KX X! Y : {N2} KY Man-in-the-middle attack on the NSPK X! Y : {N1, X} K Y NSPK #1 NSPK #2 { NA,A} KC { NA,A} KB Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 50 / 96

60 An example: Needham-Schroeder Public Key protocol Man-in-the-middle attack on the NSPK X! Y : {N1, X} K Y Y! X : {N1, N2} KX X! Y : {N2} KY NSPK #1 NSPK #2 { NA,A} KC { NA,A} KB { } NA,NB K A Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 50 / 96

61 An example: Needham-Schroeder Public Key protocol Man-in-the-middle attack on the NSPK X! Y : {N1, X} K Y Y! X : {N1, N2} KX X! Y : {N2} KY NSPK #1 NSPK #2 { NA,A} KC { NA,A} KB { NA,NB} K A { } NA,NB K A Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 50 / 96

62 An example: Needham-Schroeder Public Key protocol Man-in-the-middle attack on the NSPK X! Y : {N1, X} K Y Y! X : {N1, N2} KX X! Y : {N2} KY NSPK #1 NSPK #2 { NA,A} KC { NA,A} KB { NA,NB} K A { } NA,NB K A { NB } K C Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 50 / 96

63 An example: Needham-Schroeder Public Key protocol Man-in-the-middle attack on the NSPK X! Y : {N1, X} K Y Y! X : {N1, N2} KX X! Y : {N2} KY NSPK #1 NSPK #2 { NA,A} KC { NA,A} KB { NA,NB} K A { } NA,NB K A { NB } K { } C NB KB B believes he is speaking with A! Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 50 / 96

64 An example: Needham-Schroeder Public Key protocol What went wrong? Problem in step 2: B! A : {NA, NB} KA Agent B should also give his name: {NA, NB, B} KA. The improved version is called NSL protocol. Is the protocol now correct????? Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 51 / 96

65 An example: Needham-Schroeder Public Key protocol The NSL Protocol X! Y : {N1, X} KY Y! X : {N1, N2, Y } KX X! Y : {N2} KY NSL #1 NSL #2 Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 52 / 96

66 An example: Needham-Schroeder Public Key protocol The NSL Protocol X! Y : {N1, X} KY Y! X : {N1, N2, Y } KX X! Y : {N2} KY NSL #1 NSL #2 { NA,A} KC Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 52 / 96

67 An example: Needham-Schroeder Public Key protocol The NSL Protocol X! Y : {N1, X} KY Y! X : {N1, N2, Y } KX X! Y : {N2} KY NSL #1 NSL #2 { NA,A} KC { NA,A} KB Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 52 / 96

68 An example: Needham-Schroeder Public Key protocol The NSL Protocol X! Y : {N1, X} KY Y! X : {N1, N2, Y } KX X! Y : {N2} KY NSL #1 NSL #2 { NA,A} KC { NA,A} KB { NA,NB,B} KA Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 52 / 96

69 An example: Needham-Schroeder Public Key protocol The NSL Protocol X! Y : {N1, X} KY Y! X : {N1, N2, Y } KX X! Y : {N2} KY NSL #1 NSL #2 { NA,A} KC { NA,A} KB { NA,NB,B} KA { NA,NB,B} KA A aborts the protocol execution! (or ignores the message) Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 52 / 96

70 An example: Needham-Schroeder Public Key protocol What went wrong? Problem in step 2: B! A : {NA, NB} KA Agent B should also give his name: {NA, NB, B} KA. The improved version is called NSL protocol.? Is the protocol now correct???? Yes, it is secure against this attack but what about other kinds of attacks? Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 53 / 96

71 An example: Needham-Schroeder Public Key protocol Let s take stock Even simple protocols can lead to complex situations. Informal analysis can easily miss the attacks. Formal analysis is required, automatic analysis is desirable. Formal analysis requires a formal model of the protocol and its goals. Side-question: Is Lowe s attack really an attack? If the goal of the protocol is secrecy or authentication then If the goal is only aliveness of the agents then Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 54 / 96

72 An example: Needham-Schroeder Public Key protocol Let s take stock Even simple protocols can lead to complex situations. Informal analysis can easily miss the attacks. Formal analysis is required, automatic analysis is desirable. Formal analysis requires a formal model of the protocol and its goals. Side-question: Is Lowe s attack really an attack? If the goal of the protocol is secrecy or authentication then yes. If the goal is only aliveness of the agents then Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 54 / 96

73 An example: Needham-Schroeder Public Key protocol Let s take stock Even simple protocols can lead to complex situations. Informal analysis can easily miss the attacks. Formal analysis is required, automatic analysis is desirable. Formal analysis requires a formal model of the protocol and its goals. Side-question: Is Lowe s attack really an attack? If the goal of the protocol is secrecy or authentication then yes. If the goal is only aliveness of the agents then no. Let s look again at Lowe s suggested fix for the NSPK. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 54 / 96

74 An example: Needham-Schroeder Public Key protocol Lowe s Fix for NSPK B should include his name in the reply to A: The attack is no longer possible: M1. A! S : A, B M2. S! A : {K B, B} K 1 S M3. A! B : {N A, A} KB M4. B! S : B, A M5. S! B : {K A, A} K 1 S M6. B! A : {N A, N B, B} KA M7. A! B : {N B } KB A { N A, A }K M M { N A, A }KB { N A, N B, B}KA B { N A, N B, M}K A Is the protocol now safe? Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 55 / 96

75 An example: Needham-Schroeder Public Key protocol Lowe s Fix for NSPK (II) Protocol is still vulnerable to a type-flaw attack (Meadows 1996): S B M A { N A, A }K B B, A { A, K A }KS 1 { N A, N B, B }K A { N, N,B }K A B A A, N B,B { N B }KB And this is not the end of the story... Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 56 / 96

76 An example: Needham-Schroeder Public Key protocol What went wrong? (again) Problem in step 2: B! A : {NA, NB} KA Agent B should also give his name: {NA, NB, B} KA. The improved version is called NSL protocol.? Is the protocol now correct???? Yes, it is secure against this attack but what about other kinds of attacks? Use formal methods! Even more problematic: there are provably secure protocols that become insecure when combined with other protocols. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 57 / 96

77 Outline Examples of protocols and possible vulnerabilities 1 Layered security and security protocols Motivation: layered communication in computer networks 2 Building a key establishment protocol 3 An example: Needham-Schroeder Public Key protocol 4 Examples of protocols and possible vulnerabilities Kinds of attack Otway-Rees protocol Andrew Secure RPC protocol Key exchange with CA (Denning & Sacco) Example of binding attack Example of parallel sessions attack Example of replay attack 5 Prudent engineering of security protocols 6 Formal modeling and analysis of protocols: an introduction Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 58 / 96

78 Outline Examples of protocols and possible vulnerabilities Kinds of attack 1 Layered security and security protocols Motivation: layered communication in computer networks 2 Building a key establishment protocol 3 An example: Needham-Schroeder Public Key protocol 4 Examples of protocols and possible vulnerabilities Kinds of attack Otway-Rees protocol Andrew Secure RPC protocol Key exchange with CA (Denning & Sacco) Example of binding attack Example of parallel sessions attack Example of replay attack 5 Prudent engineering of security protocols 6 Formal modeling and analysis of protocols: an introduction Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 59 / 96

79 Examples of protocols and possible vulnerabilities Examples of kinds of attack Kinds of attack Man-in-the-middle (or parallel sessions) attack: A $ Z $ B. Replay (or freshness) attack: reuse parts of previous messages. Masquerading attack: pretend to be another principal, e.g. Z forges source address (e.g. present in network protocols), or Z convinces other principals that A s public key is K Z. Reflection attack send transmitted information back to originator. Oracle attack: take advantage of normal protocol responses as encryption and decryption services. Type flaw attack: substitute a different type of message field (e.g. a key vs. a name). Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 60 / 96

80 Examples of protocols and possible vulnerabilities Kinds of attack Diffie-Hellman: man-in-the-middle attack Diffie-Hellman does not support the authenticity of the key agreed. Hence, it is subject also to a man-in-the-middle attack: A Z B A believes that she shares key K 1 = X AX Z mod q with B. B believes that he shares key K 2 = X BX Z mod q with A. Z can use these two keys to read and relay confidential communications between A and B, or to impersonate one of them to the other. Can be prevented by mutual authentication between A and B. Typically: add an exchange of digitally signed identification (ID) tokens. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 61 / 96

81 Examples of protocols and possible vulnerabilities Kinds of attack Diffie-Hellman with authentication steps Unauthenticated keys =) open to man-in-the-middle attacks: A Z B Defend by adding two authentication steps, where A and B exchange ID I and ID R, two digitally signed messages that bind half keys to the respective sender. May also be encrypted with computed DH key. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 62 / 96

82 Examples of protocols and possible vulnerabilities Kinds of attack Type flaw attacks A message consists of a sequence of submessages. Examples: a principal s name, a nonce, a key,... Messages sent as bit strings. No type information Type flaw is when A! B : M and B accepts M as valid but parses it differently. I.e., B interprets the bits differently than A. Let s consider a couple examples. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 63 / 96

83 Outline Examples of protocols and possible vulnerabilities Otway-Rees protocol 1 Layered security and security protocols Motivation: layered communication in computer networks 2 Building a key establishment protocol 3 An example: Needham-Schroeder Public Key protocol 4 Examples of protocols and possible vulnerabilities Kinds of attack Otway-Rees protocol Andrew Secure RPC protocol Key exchange with CA (Denning & Sacco) Example of binding attack Example of parallel sessions attack Example of replay attack 5 Prudent engineering of security protocols 6 Formal modeling and analysis of protocols: an introduction Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 64 / 96

84 Examples of protocols and possible vulnerabilities The Otway-Rees protocol Otway-Rees protocol Server-based protocol providing authenticated key distribution (with key authentication and key freshness) but without entity authentication or key confirmation. M1. A! B : I, A, B, {N A, I, A, B} KAS M2. B! S : I, A, B, {N A, I, A, B} KAS, {N B, I, A, B} KBS M3. S! B : I, {N A, K AB } KAS, {N B, K AB } KBS M4. B! A : I, {N A, K AB } KAS where server keys already known and I is protocol run identifier (e.g., an integer). Why should(n t) it have the above properties? Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 65 / 96

85 Examples of protocols and possible vulnerabilities Otway-Rees protocol Type flaw attack on the Otway-Rees protocol M1. A! B : I, A, B, {N A, I, A, B} KAS M2. B! S : I, A, B, {N A, I, A, B} KAS, {N B, I, A, B} KBS M3. S! B : I, {N A, K AB } KAS, {N B, K AB } KBS M4. B! A : I, {N A, K AB } KAS Suppose {I, A, B} = {K AB }, e.g., I is 32 bits, A and B are 16 bits, and K AB is 64 bits. I A Ciphertext K AB B Intended interpretation of sender Encryption Decryption Interpretation of receiver Attack 1 (Reflection/type-flaw): Z the attacker replays parts of message 1 as message 4 (omitting steps 2 and 3). M1. A! Z (B) : I, A, B, {N A, I, A, B} KAS M4. Z (B)! A : I, {N A, I, A, B} KAS Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 66 / 96

86 Examples of protocols and possible vulnerabilities Otway-Rees protocol Type flaw attack on the Otway-Rees protocol M1. A! B : I, A, B, {N A, I, A, B} KAS M2. B! S : I, A, B, {N A, I, A, B} KAS, {N B, I, A, B} KBS M3. S! B : I, {N A, K AB } KAS, {N B, K AB } KBS M4. B! A : I, {N A, K AB } KAS Suppose {I, A, B} = {K AB }, e.g., I is 32 bits, A and B are 16 bits, and K AB is 64 bits. I A Ciphertext K AB B Intended interpretation of sender Encryption Decryption Interpretation of receiver Attack 1 (Reflection/type-flaw): Z the attacker replays parts of message 1 as message 4 (omitting steps 2 and 3). M1. A! Z (B) : I, A, B, {N A, I, A, B} KAS M4. Z (B)! A : I, {N A, I, A, B} KAS A sees N A and wrongly accepts {I, A, B} as the session key. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 66 / 96

87 Examples of protocols and possible vulnerabilities Otway-Rees protocol Type flaw attack on the Otway-Rees protocol (cont.) M1. A! B : I, A, B, {N A, I, A, B} KAS M2. B! S : I, A, B, {N A, I, A, B} KAS, {N B, I, A, B} KBS M3. S! B : I, {N A, K AB } KAS, {N B, K AB } KBS M4. B! A : I, {N A, K AB } KAS Attack 2: Z can play the role of S in M2 and M3 by reflecting the encrypted components of M2 back to B. Namely: M1. A! B : I, A, B, {N A, I, A, B} KAS M2. B! Z (S) : I, A, B, {N A, I, A, B} KAS, {N B, I, A, B} KBS M3. Z (S)! B : I, {N A, I, A, B} KAS, {N B, I, A, B} KBS M4. B! A : I, {N A, I, A, B} KAS Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 67 / 96

88 Examples of protocols and possible vulnerabilities Otway-Rees protocol Type flaw attack on the Otway-Rees protocol (cont.) M1. A! B : I, A, B, {N A, I, A, B} KAS M2. B! S : I, A, B, {N A, I, A, B} KAS, {N B, I, A, B} KBS M3. S! B : I, {N A, K AB } KAS, {N B, K AB } KBS M4. B! A : I, {N A, K AB } KAS Attack 2: Z can play the role of S in M2 and M3 by reflecting the encrypted components of M2 back to B. Namely: M1. A! B : I, A, B, {N A, I, A, B} KAS M2. B! Z (S) : I, A, B, {N A, I, A, B} KAS, {N B, I, A, B} KBS M3. Z (S)! B : I, {N A, I, A, B} KAS, {N B, I, A, B} KBS M4. B! A : I, {N A, I, A, B} KAS ) A and B accept wrong key and Z can decrypt their subsequent communication! So key authentication (and secrecy) fails! How might we protect against this kind of attack? Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 67 / 96

89 Outline Examples of protocols and possible vulnerabilities Andrew Secure RPC protocol 1 Layered security and security protocols Motivation: layered communication in computer networks 2 Building a key establishment protocol 3 An example: Needham-Schroeder Public Key protocol 4 Examples of protocols and possible vulnerabilities Kinds of attack Otway-Rees protocol Andrew Secure RPC protocol Key exchange with CA (Denning & Sacco) Example of binding attack Example of parallel sessions attack Example of replay attack 5 Prudent engineering of security protocols 6 Formal modeling and analysis of protocols: an introduction Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 68 / 96

90 Examples of protocols and possible vulnerabilities The Andrew Secure RPC protocol Andrew Secure RPC protocol Goal: Exchange a fresh, authenticated, secret, shared key, between two principals sharing a symmetric key. M1. A! B : A, {N A } KAB M2. B! A : {N A + 1, N B } KAB M3. A! B : {N B + 1} KAB M4. B! A : {KAB 0, N0 B } K AB Establishes session key KAB 0 plus nonce N0 B (for a future session). Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 69 / 96

91 Examples of protocols and possible vulnerabilities Andrew Secure RPC protocol Type flaw attack on Andrew Secure RPC protocol M1. A! B : A, {N A } KAB M1. A! B : A, {N A } KAB M2. B! A : {N A + 1, N B } KAB M2. B! A : {N A + 1, N B } KAB M3. A! B : {N B + 1} KAB M3. A! Z (B) : {N B + 1} KAB M4. B! A : {KAB 0, N0 B } K AB M4. Z (B)! A : {N A + 1, N B } KAB Assume: nonces and keys are represented as bit sequences of the N same length (e.g. 64 bits). N A+ 1 B Z can then record M2, intercept M3, and replay M2 as M Ciphertext K AB N B Intended interpretation of sender Encryption Decryption Interpretation of receiver A is fooled into accepting the nonce value N A + 1 as the new session key. This key is not authenticated. This attack doesn t violate secrecy though (cf. Otway-Rees). Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 70 / 96

92 Outline Examples of protocols and possible vulnerabilities Key exchange with CA (Denning & Sacco) 1 Layered security and security protocols Motivation: layered communication in computer networks 2 Building a key establishment protocol 3 An example: Needham-Schroeder Public Key protocol 4 Examples of protocols and possible vulnerabilities Kinds of attack Otway-Rees protocol Andrew Secure RPC protocol Key exchange with CA (Denning & Sacco) Example of binding attack Example of parallel sessions attack Example of replay attack 5 Prudent engineering of security protocols 6 Formal modeling and analysis of protocols: an introduction Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 71 / 96

93 Examples of protocols and possible vulnerabilities Key exchange with CA (Denning & Sacco) Key exchange with CA (Denning & Sacco) Explanations: A! S : A, B S! A : C A, C B A! B : C A, C B, {{T A, K AB } K 1 A S: Server for a certification authority. K AB : Secret session key. } KB K B : Public key of B, the intended communication partner. K 1 A : Signing with private key of A. C A, C B : Certificates for A and B (name, public key,...) T A : A timestamp generated by A. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 72 / 96

94 Examples of protocols and possible vulnerabilities Denning & Sacco (II) Key exchange with CA (Denning & Sacco) Intended purpose: K AB is only known to A and B (session key) B can be sure that it was sent by A: he can decrypt it using the public key K A. K A is bound to A by the certificate C A. A! S : A, B S! A : C A, C B A! B : C A, C B, {{T A, K AB } K 1 A B knows that the message was intended for him/her because his/her public key is used. A knows...? Timestamp may be used to limit use of session key. } KB Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 73 / 96

95 Examples of protocols and possible vulnerabilities Denning & Sacco (III) Key exchange with CA (Denning & Sacco) The attack A! S : A, B S! A : C A, C B A! B : C A, C B, {{T A, K AB } K 1 A } KB alice! zoe : C alice, C zoe, {{T alice, K alice zoe } K 1 alice} Kzoe zoe! bob : C alice, C bob, {{T alice, K alice zoe } K 1 alice} Kbob Bob believes that last message was sent by Alice When he later uses K alice zoe, Zoe can listen in. So key is neither authenticated nor secret! How can we defend against this man-in-the-middle attack? Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 74 / 96

96 Examples of protocols and possible vulnerabilities Denning & Sacco (III) Key exchange with CA (Denning & Sacco) The attack A! S : A, B S! A : C A, C B A! B : C A, C B, {{T A, K AB } K 1 A } KB alice! zoe : C alice, C zoe, {{T alice, K alice zoe } K 1 alice} Kzoe zoe! bob : C alice, C bob, {{T alice, K alice zoe } K 1 alice} Kbob Bob believes that last message was sent by Alice When he later uses K alice zoe, Zoe can listen in. So key is neither authenticated nor secret! How can we defend against this man-in-the-middle attack? Be explicit about purpose: name principals in last step. A! B : C A, C B, {{A, B, T A, K AB } K 1} KB A Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 74 / 96

97 Outline Examples of protocols and possible vulnerabilities Example of binding attack 1 Layered security and security protocols Motivation: layered communication in computer networks 2 Building a key establishment protocol 3 An example: Needham-Schroeder Public Key protocol 4 Examples of protocols and possible vulnerabilities Kinds of attack Otway-Rees protocol Andrew Secure RPC protocol Key exchange with CA (Denning & Sacco) Example of binding attack Example of parallel sessions attack Example of replay attack 5 Prudent engineering of security protocols 6 Formal modeling and analysis of protocols: an introduction Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 75 / 96

98 Examples of protocols and possible vulnerabilities Example of binding attack Example of binding attack The protocol admits a binding attack: M1. A! S : A, B, NA M2. S! A : S, {S, A, NA, K B } K 1 S M1.1. A! Z (S) : A, B, NA M2.1. Z (A)! S : A, Z, NA M2.2. S! Z (A) : S, {S, A, NA, K Z } K 1 S M1.2. Z (S)! A : S, {S, A, NA, K Z } K 1 S Fix: include the name of B in M2. M2. S! A : S, {S, A, NA, B, K B } K 1 S Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 76 / 96

99 Outline Examples of protocols and possible vulnerabilities Example of parallel sessions attack 1 Layered security and security protocols Motivation: layered communication in computer networks 2 Building a key establishment protocol 3 An example: Needham-Schroeder Public Key protocol 4 Examples of protocols and possible vulnerabilities Kinds of attack Otway-Rees protocol Andrew Secure RPC protocol Key exchange with CA (Denning & Sacco) Example of binding attack Example of parallel sessions attack Example of replay attack 5 Prudent engineering of security protocols 6 Formal modeling and analysis of protocols: an introduction Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 77 / 96

100 Examples of protocols and possible vulnerabilities Example of parallel sessions attack The one-way authentication protocol Example of parallel sessions attack M1. A! B : {NA} KAB M2. B! A : {NA + 1} KAB admits a parallel sessions attack (with oracle ): M1.1. M2.1. M2.2. M1.2. A! Z (B) :{NA} KAB Z (B)! A : {NA} KAB A! Z (B) :{NA + 1} KAB Z (B)! A : {NA + 1} KAB A is forced to do work on behalf of the attacker: A acts as an oracle against herself, because she provides the correct answer to her own question. At very least, A believes then that B is operational, while B may no longer exist. Fix: add A s name to message M1. M1. A! B : {NA, A} KAB Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 78 / 96

101 Outline Examples of protocols and possible vulnerabilities Example of replay attack 1 Layered security and security protocols Motivation: layered communication in computer networks 2 Building a key establishment protocol 3 An example: Needham-Schroeder Public Key protocol 4 Examples of protocols and possible vulnerabilities Kinds of attack Otway-Rees protocol Andrew Secure RPC protocol Key exchange with CA (Denning & Sacco) Example of binding attack Example of parallel sessions attack Example of replay attack 5 Prudent engineering of security protocols 6 Formal modeling and analysis of protocols: an introduction Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 79 / 96

102 Examples of protocols and possible vulnerabilities Example of replay attack Example of replay attack The Needham-Schroeder Shared Key Protocol M1. A! S : A, B, N1 M2. S! A : {N1, B, K AB, {K AB, A} KBS } KAS M3. A! B : {K AB, A} KBS M4. B! A : {N2} KAB M5. A! B : {N2 1} KAB admits a replay attack: there is no guarantee that M3. was created by S as part of the current protocol run! Suppose that a previously distributed key K 0 AB has been compromised and is known to attacker Z, who monitored the network when the corresponding protocol run was executed and recorded message M3. A! B : {K 0 AB, A} KBS Z can now fool B into accepting the key K 0 AB as new by: M3. Z (A)! B : {KAB, 0 A} KBS M4. B! Z (A) : {N2} K 0 AB M5. Z (A)! B : {N2 1} K 0 AB Fix: add timestamps in relevant messages (or, as Needham-Schroeder themselves suggested, add an extra handshake at the beginning of the protocol). Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 80 / 96

103 Examples of protocols and possible vulnerabilities Example of replay attack The present: security sensitive protocols H.323 MT V GK MRP V BE H BE MRP AuF compute DH: g x mod p 1.) GRQ( EPID, GKID, 0, CH1, T1, g x, HMACZZ(GRQ)) compute DH: g y mod p W:= g x g y 3.) 2.) RIP(...) AuthenticationRequest (GRQ(..), GKID, W, HMAC) 4.) 5.) 6.) 7.) K:= g xy mod p 13.) GCF(GKID, EPID, CH1, CH2, (T13), g y, HMACZZ(W), HMACZZ(GKID), HMACK(GCF)) K:= g xy mod p W:= g x g y 14.) RRQ(EPID, GKID, CH2, CH3, (T14), HMACK(RRQ)) 12.) 11.) 10.) 9.) 8.) AuthenticationConfirmation (HMAC ZZ(W), HMACZZ(GKID), HMAC) 15.) RCF(GKID, EPID, CH3, CH4, (T15), HMACK(RCF)) Examples: Mobility: Mobile IP, mobile QoS (hand-off), mobile multi-media. Session control: SIP, H323. Authentication: Kerberos variants, AAA, PANA, http-digest. Key agreement: Son-of-IKE. End-to-End and Peer-to-Peer scenarios: SIP, SOAP, geopriv. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 81 / 96

104 Outline Prudent engineering of security protocols 1 Layered security and security protocols Motivation: layered communication in computer networks 2 Building a key establishment protocol 3 An example: Needham-Schroeder Public Key protocol 4 Examples of protocols and possible vulnerabilities Kinds of attack Otway-Rees protocol Andrew Secure RPC protocol Key exchange with CA (Denning & Sacco) Example of binding attack Example of parallel sessions attack Example of replay attack 5 Prudent engineering of security protocols 6 Formal modeling and analysis of protocols: an introduction Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 82 / 96

105 Prudent engineering of security protocols Prudent engineering of security protocols Principles proposed by Abadi and Needham (1994, 1995): 1 Every message should say what it means. 2 The conditions for a message to be acted on should be stated. 3 Mention the principal s name explicitly in the message if it is essential to the meaning. 4 Be clear as to why encryption is being done. Confidentiality, message authentication, binding of messages, e.g, {X, Y } K 1 versus {X} K 1, {Y } K 1 5 Don t assume a principal knows the content of encrypted material that is signed by that principal. Example: (find replay attack) A! B : {M} KB, {h(m)} K 1 A Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 83 / 96

106 Prudent engineering of security protocols Prudent engineering (II) 6 Be clear on what properties you are assuming about nonces. 7 Predictable quantities used for challenge-response should be protected from replay. 8 Timestamps must take into account local clock variation and clock maintenance mechanisms. 9 A key may have been used recently, yet be old. 10 If an encoding is used to present the meaning of a message, then it should be possible to tell which encoding is being used. 11 The protocol designer should know which trust relations his protocol depends on. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 84 / 96

107 Prudent engineering of security protocols Prudent engineering (III) Good advice, but... Are you sure when you have followed all of them? Is the protocol guaranteed to be secure then? Is it optimal and/or minimal? Situation reminiscent of structured programming and Gotos Considered Harmful. Luca Viganò (Università di Verona) Network Security and Internet Protocols SdR A.A. 12/13, Lecture 5 85 / 96