Outline More Security Protocols CS 239 Computer Security February 4, 2004

Similar documents
Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Outline Key Management CS 239 Computer Security February 9, 2004

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Session key establishment protocols

Session key establishment protocols

SEMINAR REPORT ON BAN LOGIC

Authentication Handshakes

CSC 474/574 Information Systems Security

Applied Cryptography Basic Protocols

Elements of Security

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Applied Cryptography and Computer Security CSE 664 Spring 2017

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

BAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]

Security protocols and their verification. Mark Ryan University of Birmingham

Logic of Authentication

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

What did we talk about last time? Public key cryptography A little number theory

Security Handshake Pitfalls

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

User Authentication Protocols Week 7

Security protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i

Chapter 9: Key Management

User Authentication Protocols

Lecture 1: Course Introduction

Security Handshake Pitfalls

Logics of authentication

Security Handshake Pitfalls

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

CS Protocol Design. Prof. Clarkson Spring 2017

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptographic Checksums

1 Defining Message authentication

Robbing the Bank with a Theorem Prover

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Lecture 8 - Message Authentication Codes

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

CSE BAN Logic Presentation

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Computer Networks & Security 2016/2017

1 Identification protocols

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

CS3235 Seventh set of lecture slides

6. Security Handshake Pitfalls Contents

Mechanising BAN Kerberos by the Inductive Method

Formal Methods for Assuring Security of Computer Networks

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Fall 2005 Joseph/Tygar/Vazirani/Wagner Final

KEY EXCHANGE AUTHENTICATION AUTHENTICATION AND KEY... ANALYSIS OF AUTHENTICATION... MULTIPLE-KEY PUBLIC-KEY... 68

Agreement in Distributed Systems CS 188 Distributed Systems February 19, 2015

Uses of Cryptography

Introduction to Cryptography CS 136 Computer Security Peter Reiher October 9, 2014

Simple Security Protocols

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

EEC-682/782 Computer Networks I

CPSC 467b: Cryptography and Computer Security

Spring 2010: CS419 Computer Security

Lecture 1: Perfect Security

CS Protocols. Prof. Clarkson Spring 2016

Formal Methods for Security Protocols

Grenzen der Kryptographie

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Network Security. Chapter 7 Cryptographic Protocols

Cryptographic Protocols 1

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Data Security and Privacy. Topic 14: Authentication and Key Establishment

1 Achieving IND-CPA security

CS5232 Formal Specification and Design Techniques. Using PAT to verify the Needham-Schroeder Public Key Protocol

CS530 Authentication

CS61A Lecture #39: Cryptography

Fair exchange and non-repudiation protocols

Real-time protocol. Chapter 16: Real-Time Communication Security

CS 111. Operating Systems Peter Reiher

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Lecture 4: Authentication Protocols

Security Handshake Pitfalls

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol. John Jersin Jonathan Wheeler. CS259 Stanford University.

Outline Basics of Data Encryption CS 239 Computer Security January 24, 2005

Digital Signatures. Secure Digest Functions

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Session Key Distribution

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack

1 A Tale of Two Lovers

CS 161 Computer Security

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Chapter 13. Digital Cash. Information Security/System Security p. 570/626

Crypto Background & Concepts SGX Software Attestation

CS 361S - Network Security and Privacy Spring Homework #1

Lecture 10, Zero Knowledge Proofs, Secure Computation

Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI

CS 494/594 Computer and Network Security

Transcription:

Outline More Security Protocols CS 239 Computer Security February 4, 2004 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication Usually the first requires the second Not much good to be sure the key is a secret if you don t know who you re sharing it with How can we achieve both goals? In a single protocol With relatively few messages Needham-Schroeder Key Exchange Uses symmetric cryptography equires a trusted authority Who takes care of generating the new key More complicated than some protocols we ve seen Page 3 Page 4 Needham-Schroeder, Step 1 What s the Point of A? A,, A A is nonce chosen by for this invocation of the protocol A random number Not used as a key, so quality of s random number generator not too important Helps defend against replay attacks Page 5 Page 6 1

A Needham-Schroeder, Step 2 E KA ( A,,, E KB (,)) What s all this stuff for? Including A prevents replay Including prevents attacker from replacing s identity Including the encrypted message for ensures that message can t be replaced Page 7 Needham-Schroeder, Step 3 E KB (,) So we re done, right? Wrong! KS Page 8 B Needham-Schroeder, Step 4 E KS ( B ) B B Needham-Schroeder, Step 5 E KS ( B -1) Now we re done! B B -1 Page 9 Page 10 What s All This Extra Stuff For? knows she s K K E KB (,) B A talking to K S said she was Can Can said he was E KA ( A,,, jump in later? jump in later? knows he s talking No, only No, all later E KB (,)) to could read the messages will use key package, which created doesn t know Page 11 What s All This Extra Stuff For? What about those random numbers? Page 12 2

Causes Problems and do something likes watches the messages they send to do so wants to make them do it again Can replay the conversation? Let s try it without the random numbers Waits For His Chance E KA (,, K A E KB (,)), Page 13 Page 14 What Will Do Now? The message could only have been created by It properly indicates she wants to talk to It contains a perfectly plausible key will probably go ahead with the protocol Page 15 The Protocol Continues steps aside for a bit E KB (,) With no random keys, we re done Page 16 So What s the Problem and agree is their key They both know the key definitely created the key for them Nobody else has the key But... Page 17 Steps Back Into the Picture E KS (Old message 2) can replay and s old conversation E KS (Old message 1) It s using the current key, so and will accept it Page 18 3

How Do the andom Numbers Help? s random number assures her that the reply from is fresh But why does need another random number? Page 19 Why Also Needs a andom Number Let s say doesn t want to talk to E KB (,) But wants to think wants to talk Page 20 So What? So, Everything s Fine, ight? E KS (Old message 1) can now play back an old message from to And will have no reason to be suspicious s random number exchange assured Not if any key ever gets divulged Once is divulged, can forge s response to s challenge And convince that he s talking to when he s really talking to him that really wanted to talk Page 21 Page 22 Cracks an Old Key E KS ( B ) E KB KS (K ( S B,) - 1) B B - 1 enlists 10,000 computers belonging to 10,000 grandmothers to crack Unfortunately, knows So can answer s challenge Page 23 Timestamps in Security Protocols One method of handling this kind of problem is timestamps Proper use of timestamps can limit the time during which an exposed key is dangerous But timestamps have their own problems Page 24 4

Using Timestamps in the Needham-Schroeder Protocol The trusted authority includes timestamps in his encrypted messages to and Based on a global clock When or decrypts, if the timestamp is too old, abort the protocol Page 25 Using Timestamps to Defeat E KB (,,T X ) E KB (,,T X ) T X << T now T now Now checks T X against his clock So, fearing replay, discards And s attack is foiled T X Page 26 Problems With Using Timestamps They require a globally synchronized set of clocks Hard to obtain, often Attacks on clocks become important They leave a window of vulnerability The Suppress-eplay Attack Assume two participants in a security protocol Using timestamps to avoid replay problems If the sender s clock is ahead of the receiver s, attacker can intercept message And replay later, when receiver s clock still allows it Page 27 Page 28 Handling Clock Problems 1). ely on clocks that are fairly synchronized and hard to tamper Perhaps GPS signals 2). Make all comparisons against the same clock So no two clocks need to be synchronized Page 29 Neuman-Stubblebine Protocol, Step 1, A A What does know? Someone claiming to be wants to talk securely A Page 30 5

A Neuman-Stubblebine Protocol, Step 2 knows thinks wants to talk to him But does she, B, E KB (, A,T B ), A,T B A B T B Neuman-Stubblebine Protocol, Step 3 really? Page 31 Page 32 A, A,,T B E KA (, A,,T B ), knows: E KB (,,T B ), B 1. heard her message 2. created a new key, A,T B B T B Neuman-Stubblebine Protocol, Step 4 E KB (,,T B ), B E KB (,,T B ), E KS ( B ) B guarantees knows T B guarantees it s a fresh session checks B and T B B B T B T B Page 33 What Has the Protocol Achieved? and share a key They know the key was generated by knows this key matches her recent request for a key knows this key matches s recent request and s agreement Page 34 What Has the Timestamp Done For and? knows that the whole agreement is timely Since the only timestamp originated with his clock, no danger of suppressreplay attacks What Else Can You Do With Security Protocols? Secret splitting and secret sharing Fair coin flips and other games Simultaneous contract signing Secure elections Zero knowledge proofs off-line Lots of other neat stuff Page 35 Page 36 6

Secret Splitting and Secret Sharing What if we have a secret that we need to recover later? We need to have it in other people s hands But we don t want anyone to be able to tell the secret Secret Splitting Divide the secret among two or more people They can combine to retrieve the secret But neither can guess the secret themselves Page 37 Page 38 Secret Splitting Example ecovering the Secret S S S? S S=? M wants to share secret M M` Page 39 Page 40 What If We Want To Do This Securely? What cryptographic steps would we perform to ensure security? That only and have secret components That they have components of the real secret What about ensuring that and both learn the secret if either does? Secret Sharing Say we have three participants,, Carol Can we arrange that: None of them know the secret alone Any pair of them can produce the secret Yes, using various secret sharing protocols Page 41 Page 42 7

Bit Commitment wants to make a choice now And prove to what that choice was Without telling him the choice now How can be sure that isn t cheating? E KS Basic Bit Commitment b E KS (,b) E KS (,b) can t tell yet what bit chose E KS (,b) Since doesn t have E KS Page 43 Page 44 E KS Now Claims the Bit Was 1 b E KS (,b) b == 1 E KS E KS (,b) How does prove it? If b == 1, told the truth,b E KS Why Does This Work? can t learn what b was until tells him gives a cryptographic package that she can t change Since the package includes, can t generate two keys, one for 0 and the other for 1 Page 45 Page 46 Making This Work Over the Network What would we have to do if was hanging around trying to screw things up? What if we wanted to keep the value of b secret from? What if we wanted to ensure that couldn t replace s choice? Page 47 Fair Coin Flips Two participants cryptographically flip a coin Based on clever use of bit commitment Cut and choose Basic version assumes no interfering third party And no need for secrecy Similar approaches can work for other games of chance Page 48 8

Simultaneous Contract Signing and want to sign a contract But only if each is sure the other also signs Basic method uses an arbitrator Non-arbitrated cryptographic method uses probabilistic outcome Verifying Security Protocols Security protocols are obviously very complicated And any flaw in the protocol can be very expensive Thus, verifying their correctness is of great value How to do it? Page 49 Page 50 Basic Approaches to Verifying Protocols Use standard specification and verification languages and tools Use expert systems Use logics for the analysis of knowledge and beliefs Use formal methods based on algebraic term-rewriting properties of cryptography Using Standard Specification and Verification Tools Treat protocol as a computer program and prove its correctness The oldest approach Using Finite state machines First-order predicate calculus Specification languages Page 51 Page 52 Problems With the Approach Using Expert Systems Very laborious Worse, correctness isn t the same as security The correctness you prove may not have even considered the possibility of certain attacks Too many protocols that have been proven have had security problems Develop an expert system that knows a lot about security protocols un it against proposed protocols In particular, use the expert system to determine if the protocol can reach an undesirable state Such as exposing a secret key Page 53 Page 54 9

Problems With the Expert System Approach Good at identifying flaws Provided they are based on already known problems Not so good at proving correctness or security Or at uncovering flaws based on new attacks Using Belief and Knowledge Logics An increasingly popular approach Describe certain properties that a security protocol should have Use logic to demonstrate the presence (or absence) of those properties Page 55 Page 56 BAN Logic Sample BAN Logic Statements Named for its creators (Burrows, Abadi, and Needham) The most popular method of this kind Used to reason about authentication Not other aspects of security Allows reasoning about beliefs in protocols believes X. sees X. said X. X is fresh. Page 57 Page 58 Steps in Applying BAN Logic What Can BAN Logic Do? Convert protocol to an idealized form Add all assumptions about initial state Attach logical formulae to the statements Apply logical postulates to the assertions and assumptions to discover the beliefs of protocol parties Discover flaws in protocols Found flaws in Needham-Schroeder Discover redundancies In Needham-Schroeder, Kerberos, etc. Page 59 Page 60 10

Critiques of BAN Logic Using Algebraic Term-ewriting Modeling Methods Translations into idealized protocols may not reflect the real protocol Doesn t address all important security issues for protocols Some feel that BAN logic can deduce characteristics that are obviously false Model the protocol as an algebraic system Express the state of the participants knowledge about the protocol Analyze the attainability of certain states Page 61 Page 62 Use of These Methods Specialized Approaches NL Protocol Analyzer Has discovered flaws in several protocols A relatively new method Weakest link seems to be formalizing protocol into an algebraic system Page 63 Stubblebine & Gligor s method of modeling weak crypto checksums Found problems in Kerberos and Privacy- Enhanced Mail Not useful for other types of analysis Woo-Lam s approach for key distribution protocols Pfitzmann s method for digital signatures There are others Page 64 An Entirely Different Approach Instead of using formal methods to verify security protocols, Use them to develop such protocols Some early work done using this approach Not clear if it will be fruitful Page 65 Bottom Line on Security Protocol Analysis Has been successful in finding some problems No one believes existing methods can find all problems Some knowledgeable observers think no method will ever be able to find all problems So, a useful tool, but not a panacea esearch in this area continues Page 66 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback