Outline More Security Protocols CS 239 Computer Security February 4, 2004 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication Usually the first requires the second Not much good to be sure the key is a secret if you don t know who you re sharing it with How can we achieve both goals? In a single protocol With relatively few messages Needham-Schroeder Key Exchange Uses symmetric cryptography equires a trusted authority Who takes care of generating the new key More complicated than some protocols we ve seen Page 3 Page 4 Needham-Schroeder, Step 1 What s the Point of A? A,, A A is nonce chosen by for this invocation of the protocol A random number Not used as a key, so quality of s random number generator not too important Helps defend against replay attacks Page 5 Page 6 1
A Needham-Schroeder, Step 2 E KA ( A,,, E KB (,)) What s all this stuff for? Including A prevents replay Including prevents attacker from replacing s identity Including the encrypted message for ensures that message can t be replaced Page 7 Needham-Schroeder, Step 3 E KB (,) So we re done, right? Wrong! KS Page 8 B Needham-Schroeder, Step 4 E KS ( B ) B B Needham-Schroeder, Step 5 E KS ( B -1) Now we re done! B B -1 Page 9 Page 10 What s All This Extra Stuff For? knows she s K K E KB (,) B A talking to K S said she was Can Can said he was E KA ( A,,, jump in later? jump in later? knows he s talking No, only No, all later E KB (,)) to could read the messages will use key package, which created doesn t know Page 11 What s All This Extra Stuff For? What about those random numbers? Page 12 2
Causes Problems and do something likes watches the messages they send to do so wants to make them do it again Can replay the conversation? Let s try it without the random numbers Waits For His Chance E KA (,, K A E KB (,)), Page 13 Page 14 What Will Do Now? The message could only have been created by It properly indicates she wants to talk to It contains a perfectly plausible key will probably go ahead with the protocol Page 15 The Protocol Continues steps aside for a bit E KB (,) With no random keys, we re done Page 16 So What s the Problem and agree is their key They both know the key definitely created the key for them Nobody else has the key But... Page 17 Steps Back Into the Picture E KS (Old message 2) can replay and s old conversation E KS (Old message 1) It s using the current key, so and will accept it Page 18 3
How Do the andom Numbers Help? s random number assures her that the reply from is fresh But why does need another random number? Page 19 Why Also Needs a andom Number Let s say doesn t want to talk to E KB (,) But wants to think wants to talk Page 20 So What? So, Everything s Fine, ight? E KS (Old message 1) can now play back an old message from to And will have no reason to be suspicious s random number exchange assured Not if any key ever gets divulged Once is divulged, can forge s response to s challenge And convince that he s talking to when he s really talking to him that really wanted to talk Page 21 Page 22 Cracks an Old Key E KS ( B ) E KB KS (K ( S B,) - 1) B B - 1 enlists 10,000 computers belonging to 10,000 grandmothers to crack Unfortunately, knows So can answer s challenge Page 23 Timestamps in Security Protocols One method of handling this kind of problem is timestamps Proper use of timestamps can limit the time during which an exposed key is dangerous But timestamps have their own problems Page 24 4
Using Timestamps in the Needham-Schroeder Protocol The trusted authority includes timestamps in his encrypted messages to and Based on a global clock When or decrypts, if the timestamp is too old, abort the protocol Page 25 Using Timestamps to Defeat E KB (,,T X ) E KB (,,T X ) T X << T now T now Now checks T X against his clock So, fearing replay, discards And s attack is foiled T X Page 26 Problems With Using Timestamps They require a globally synchronized set of clocks Hard to obtain, often Attacks on clocks become important They leave a window of vulnerability The Suppress-eplay Attack Assume two participants in a security protocol Using timestamps to avoid replay problems If the sender s clock is ahead of the receiver s, attacker can intercept message And replay later, when receiver s clock still allows it Page 27 Page 28 Handling Clock Problems 1). ely on clocks that are fairly synchronized and hard to tamper Perhaps GPS signals 2). Make all comparisons against the same clock So no two clocks need to be synchronized Page 29 Neuman-Stubblebine Protocol, Step 1, A A What does know? Someone claiming to be wants to talk securely A Page 30 5
A Neuman-Stubblebine Protocol, Step 2 knows thinks wants to talk to him But does she, B, E KB (, A,T B ), A,T B A B T B Neuman-Stubblebine Protocol, Step 3 really? Page 31 Page 32 A, A,,T B E KA (, A,,T B ), knows: E KB (,,T B ), B 1. heard her message 2. created a new key, A,T B B T B Neuman-Stubblebine Protocol, Step 4 E KB (,,T B ), B E KB (,,T B ), E KS ( B ) B guarantees knows T B guarantees it s a fresh session checks B and T B B B T B T B Page 33 What Has the Protocol Achieved? and share a key They know the key was generated by knows this key matches her recent request for a key knows this key matches s recent request and s agreement Page 34 What Has the Timestamp Done For and? knows that the whole agreement is timely Since the only timestamp originated with his clock, no danger of suppressreplay attacks What Else Can You Do With Security Protocols? Secret splitting and secret sharing Fair coin flips and other games Simultaneous contract signing Secure elections Zero knowledge proofs off-line Lots of other neat stuff Page 35 Page 36 6
Secret Splitting and Secret Sharing What if we have a secret that we need to recover later? We need to have it in other people s hands But we don t want anyone to be able to tell the secret Secret Splitting Divide the secret among two or more people They can combine to retrieve the secret But neither can guess the secret themselves Page 37 Page 38 Secret Splitting Example ecovering the Secret S S S? S S=? M wants to share secret M M` Page 39 Page 40 What If We Want To Do This Securely? What cryptographic steps would we perform to ensure security? That only and have secret components That they have components of the real secret What about ensuring that and both learn the secret if either does? Secret Sharing Say we have three participants,, Carol Can we arrange that: None of them know the secret alone Any pair of them can produce the secret Yes, using various secret sharing protocols Page 41 Page 42 7
Bit Commitment wants to make a choice now And prove to what that choice was Without telling him the choice now How can be sure that isn t cheating? E KS Basic Bit Commitment b E KS (,b) E KS (,b) can t tell yet what bit chose E KS (,b) Since doesn t have E KS Page 43 Page 44 E KS Now Claims the Bit Was 1 b E KS (,b) b == 1 E KS E KS (,b) How does prove it? If b == 1, told the truth,b E KS Why Does This Work? can t learn what b was until tells him gives a cryptographic package that she can t change Since the package includes, can t generate two keys, one for 0 and the other for 1 Page 45 Page 46 Making This Work Over the Network What would we have to do if was hanging around trying to screw things up? What if we wanted to keep the value of b secret from? What if we wanted to ensure that couldn t replace s choice? Page 47 Fair Coin Flips Two participants cryptographically flip a coin Based on clever use of bit commitment Cut and choose Basic version assumes no interfering third party And no need for secrecy Similar approaches can work for other games of chance Page 48 8
Simultaneous Contract Signing and want to sign a contract But only if each is sure the other also signs Basic method uses an arbitrator Non-arbitrated cryptographic method uses probabilistic outcome Verifying Security Protocols Security protocols are obviously very complicated And any flaw in the protocol can be very expensive Thus, verifying their correctness is of great value How to do it? Page 49 Page 50 Basic Approaches to Verifying Protocols Use standard specification and verification languages and tools Use expert systems Use logics for the analysis of knowledge and beliefs Use formal methods based on algebraic term-rewriting properties of cryptography Using Standard Specification and Verification Tools Treat protocol as a computer program and prove its correctness The oldest approach Using Finite state machines First-order predicate calculus Specification languages Page 51 Page 52 Problems With the Approach Using Expert Systems Very laborious Worse, correctness isn t the same as security The correctness you prove may not have even considered the possibility of certain attacks Too many protocols that have been proven have had security problems Develop an expert system that knows a lot about security protocols un it against proposed protocols In particular, use the expert system to determine if the protocol can reach an undesirable state Such as exposing a secret key Page 53 Page 54 9
Problems With the Expert System Approach Good at identifying flaws Provided they are based on already known problems Not so good at proving correctness or security Or at uncovering flaws based on new attacks Using Belief and Knowledge Logics An increasingly popular approach Describe certain properties that a security protocol should have Use logic to demonstrate the presence (or absence) of those properties Page 55 Page 56 BAN Logic Sample BAN Logic Statements Named for its creators (Burrows, Abadi, and Needham) The most popular method of this kind Used to reason about authentication Not other aspects of security Allows reasoning about beliefs in protocols believes X. sees X. said X. X is fresh. Page 57 Page 58 Steps in Applying BAN Logic What Can BAN Logic Do? Convert protocol to an idealized form Add all assumptions about initial state Attach logical formulae to the statements Apply logical postulates to the assertions and assumptions to discover the beliefs of protocol parties Discover flaws in protocols Found flaws in Needham-Schroeder Discover redundancies In Needham-Schroeder, Kerberos, etc. Page 59 Page 60 10
Critiques of BAN Logic Using Algebraic Term-ewriting Modeling Methods Translations into idealized protocols may not reflect the real protocol Doesn t address all important security issues for protocols Some feel that BAN logic can deduce characteristics that are obviously false Model the protocol as an algebraic system Express the state of the participants knowledge about the protocol Analyze the attainability of certain states Page 61 Page 62 Use of These Methods Specialized Approaches NL Protocol Analyzer Has discovered flaws in several protocols A relatively new method Weakest link seems to be formalizing protocol into an algebraic system Page 63 Stubblebine & Gligor s method of modeling weak crypto checksums Found problems in Kerberos and Privacy- Enhanced Mail Not useful for other types of analysis Woo-Lam s approach for key distribution protocols Pfitzmann s method for digital signatures There are others Page 64 An Entirely Different Approach Instead of using formal methods to verify security protocols, Use them to develop such protocols Some early work done using this approach Not clear if it will be fruitful Page 65 Bottom Line on Security Protocol Analysis Has been successful in finding some problems No one believes existing methods can find all problems Some knowledgeable observers think no method will ever be able to find all problems So, a useful tool, but not a panacea esearch in this area continues Page 66 11