Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI


This Course
This course will primarily teach you:
How to design your own secure communication protocols.
How to analyse protocols and look for faults.
How to use automatic tools to help you do this.
Secondary skills:
Know which protocols to use for which jobs.
Improve your system design skills.

Course Outline
This Lecture: How we model protocols. Types of encryption used.
Lecture 2: Types of attacks on protocols. Good protocol design. Homework (1/6 of total score).
Lecture 3: Verifying protocols using BAN logic.
Lecture 4: Automatically verifying protocols. Homework (1/6 of total score).
Lecture 5: Anonymity protocols.
Lecture 6: Verifying probabilistic protocols in PRISM.
Lecture 7: Fair exchange & zero knowledge.
Lecture 8 to Lecture 10: Short student presentations (2/3 of total score).
Lecture 11: Summary.

Sources
Take notes if you want, but you will get handouts with all the important details. The slides, handouts, papers, homework and links will be available at: http://homepages.cwi.nl/~chothia/teaching

This Lecture
Part 1: Simple notation for protocols. Modelling rules. Needham-Schroeder and Kerberos protocols.
Part 2: A high level overview of cryptography. Symmetric key encryption, public key encryption and signing. Abstract equations for modelling encryption.

A Simple Protocol
A sends message M to B (diagram: A --M--> B), written as:
A → B : M

Rules
We write down protocols as a list of messages sent between principals, e.g.
1. A → B : Hello
2. B → A : Offer
3. A → B : Accept

A Simple Protocol
(diagram: A --M--> B)
Message M can be read by the attacker.

A Simple Protocol
(diagram: A, B, M)
Even now!

Rule
The attacker can read all the messages sent across the network.

Encryption
We can keep our data safe by using encryption:
A → B : { M }_Kab

Rule
We can use:
Encryption: {M}_K, E_K(M)
Signing: Sign_K(M), S_K(M), MAC_K(M)
Hashing: #(M), Hash(M)
We assume that these are perfect and cannot be broken by brute force.

Encryption
M is now secret:
A → B : { M }_Kab
but the protocol is not safe.

Replay Attack
(diagram: A sends B message 1: { Pay Elvis 5 }_Kab)
1) A → B : { Pay Eve 5 }_Kab

Replay Attack
(diagram: A sends B message 1: { Pay Elvis 5 }_Kab; E sends B message 2: { Pay Elvis 5 }_Kab)
1) A → B : { Pay Eve 5 }_Kab
2) E → B : { Pay Eve 5 }_Kab

Rule
The attacker can repeat any message it sees.

A Nonce
1. A → B : A
2. B → A : { Na }_Kab
3. A → B : { Na + 1 }_Kab, { Pay Elvis 5 }_Kab

Rule
We can generate nonces. A nonce is a new random value. If you generate a new nonce for a session, you know that all future messages that include that nonce are part of the same session.

A Nonce
1. A → B : A
2. B → A : { Na }_Kab
3. A → B : { Na + 1 }_Kab, { Pay Elvis 5 }_Kab
4. A → B : A
5. B → A : { Na2 }_Kab
6. A → B : { Na2 + 1 }_Kab, { Pay Bob 5 }_Kab

A Nonce
Messages 1 to 6 as above, and the attacker E sends as message 6:
6. E → B : { Na2 + 1 }_Kab, { Pay Elvis 5 }_Kab

Rule
The attacker can run multiple rounds of the protocol. The attacker can break up messages, invent new values, keys, nonces, ... and combine any of these into new messages.

A Better Protocol
(diagram: 1. A; 2. { Na }_Kab; 3. { Na, Pay Elvis 5 }_Kab)
1. A → B : A, Na
2. B → A : { Na }_Kab
3. A → B : { Na, Pay Elvis 5 }_Kab
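The difference between the "A Nonce" and "A Better Protocol" slides can be checked in a small symbolic model. This is an added example, not part of the lecture: ciphertexts are opaque terms that anyone may copy but only the key holder can open (the "perfect encryption" rule), the nonce is the one B issues in message 2, and the class and function names are hypothetical.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Enc:
    """Symbolic {payload}_key: opaque without `key`, but freely copyable."""
    key: str
    payload: tuple

def dec(term, key):
    if term.key != key:
        raise PermissionError("wrong key")
    return term.payload

class Bob:
    """Responder B: issues a fresh nonce per session and checks message 3."""
    def __init__(self, kab):
        self.kab, self.nonce = kab, None
    def challenge(self):                      # message 2: {N}_Kab
        self.nonce = secrets.randbits(64)
        return Enc(self.kab, (self.nonce,))
    def accept_split(self, reply, order):     # "A Nonce": {N + 1}_Kab, {order}_Kab
        ok = dec(reply, self.kab) == (self.nonce + 1,)
        return dec(order, self.kab)[0] if ok else None
    def accept_bound(self, msg):              # "A Better Protocol": {N, order}_Kab
        n, order = dec(msg, self.kab)
        return order if n == self.nonce else None

def alice_split(kab, chal, order):
    (n,) = dec(chal, kab)
    return Enc(kab, (n + 1,)), Enc(kab, (order,))

def alice_bound(kab, chal, order):
    (n,) = dec(chal, kab)
    return Enc(kab, (n, order))

def spliced_split(kab="Kab"):
    """E pairs session 2's nonce reply with session 1's payment ciphertext."""
    b = Bob(kab)
    _, old_order = alice_split(kab, b.challenge(), "Pay Elvis 5")
    new_reply, _ = alice_split(kab, b.challenge(), "Pay Bob 5")
    return b.accept_split(new_reply, old_order)

def replayed_bound(kab="Kab"):
    """E can only replay session 1's whole ciphertext; its nonce is stale."""
    b = Bob(kab)
    old = alice_bound(kab, b.challenge(), "Pay Elvis 5")
    new = alice_bound(kab, b.challenge(), "Pay Bob 5")
    return b.accept_bound(old), b.accept_bound(new)
```

With separate ciphertexts B accepts the old payment in the new session; with the nonce and payment under one encryption the stale message is rejected and only the current one is accepted.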

Key Establishment Protocol
This was easy because A and B shared a key. Often the principals do not share a key, in which case we need a Key Establishment Protocol. This usually involves a Trusted Third Party who has a shared key with each party.

The Needham-Schroeder Public Key Protocol
A famous authentication protocol:
1. A → B : E_B(Na, A)
2. B → A : E_A(Na, Nb)
3. A → B : E_B(Nb)
Na and Nb can then be used to generate a symmetric key.

An Attack Against the Needham-Schroeder Protocol
The attacker acts as a man-in-the-middle:
1. A → C : E_C(Na, A)
1'. C(A) → B : E_B(Na, A)
2'. B → C(A) : E_A(Na, Nb)
2. C → A : E_A(Na, Nb)
3. A → C : E_C(Nb)
3'. C(A) → B : E_B(Nb)

The Corrected Version
A very simple fix:
1. A → B : E_B(Na, A)
2. B → A : E_A(Na, Nb, B)
3. A → B : E_B(Nb)
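Why adding B to message 2 is enough can be seen by replaying the run from the attack slide in a symbolic model. This is an added example, not part of the lecture: public-key encryption is modelled as a term only the named recipient can open, and all function names are hypothetical.

```python
import secrets

def enc(recipient, *payload):
    """Symbolic E_recipient(payload): only `recipient` can open it."""
    return (recipient, payload)

def dec(me, ct):
    recipient, payload = ct
    if recipient != me:
        raise PermissionError(f"{me} cannot decrypt a message for {recipient}")
    return payload

def responder_msg2(me, msg1, fixed):
    """B's side: answer E_B(Na, A) with E_A(Na, Nb) or, fixed, E_A(Na, Nb, B)."""
    na, claimed = dec(me, msg1)
    nb = secrets.randbits(64)
    body = (na, nb, me) if fixed else (na, nb)
    return nb, enc(claimed, *body)

def initiator_msg3(me, peer, na, msg2, fixed):
    """A's side: check message 2; return message 3 for `peer`, or None to abort."""
    fields = dec(me, msg2)
    if fields[0] != na:
        return None                          # not a reply to our nonce
    if fixed and fields[2:] != (peer,):
        return None                          # responder is not who we contacted
    return enc(peer, fields[1])

def relay_run(fixed):
    """A opens a session with C, who relays it to B as on the attack slide.
    Returns (B completed the run believing its peer is A, C learned Nb)."""
    na = secrets.randbits(64)
    msg1 = enc("C", na, "A")                          # 1.  A -> C
    msg1r = enc("B", *dec("C", msg1))                 # 1'. C(A) -> B
    nb, msg2 = responder_msg2("B", msg1r, fixed)      # 2'. B -> C(A), forwarded as 2.
    msg3 = initiator_msg3("A", "C", na, msg2, fixed)  # 3.  A -> C
    if msg3 is None:
        return False, False
    (leaked,) = dec("C", msg3)
    msg3r = enc("B", leaked)                          # 3'. C(A) -> B
    return dec("B", msg3r) == (nb,), leaked == nb

def honest_run(fixed):
    """A talks to B directly; the fix must not break this run."""
    na = secrets.randbits(64)
    nb, msg2 = responder_msg2("B", enc("B", na, "A"), fixed)
    msg3 = initiator_msg3("A", "B", na, msg2, fixed)
    return msg3 is not None and dec("B", msg3) == (nb,)
```

In the original protocol A cannot tell that message 2 came from B rather than C, so she releases Nb to C; with B's identity inside the ciphertext she aborts before message 3.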

Rule
The attacker can act as a participant of the protocol... (sometimes)

Kerberos
A protocol for key establishment and authentication used in Windows, MacOS, Apache, OpenSSH, ...
1. A → S : A, B, NA
2. S → A : {KAB, B, L, NA, ...}_KAS, {KAB, A, L, ...}_KBS
3. A → B : {A, TA}_KAB, {KAB, A, L, ...}_KBS
4. B → A : {TA + 1}_KAB

Kerberos
A and S share the key KAS, and B and S share KBS.
Both A and B trust S to generate a new key for them: KAB.
N is a nonce, T is a timestamp and L is an expiration time.
1. A → S : A, B, NA
2. S → A : {KAB, B, L, NA, ...}_KAS, {KAB, A, L, ...}_KBS
3. A → B : {A, TA}_KAB, {KAB, A, L, ...}_KBS
4. B → A : {TA + 1}_KAB

Sources
For lectures 1 & 2 the primary reference material is the handouts. This information is covered in more depth in:
Paper: Prudent Engineering Practices for Cryptographic Protocols (by Abadi & Needham)
Book: Protocols for Authentication and Key Establishment (by Boyd & Mathuria); there are copies in the library.

This Lecture
Part 1: Simple notation for protocols. Modelling rules. Needham-Schroeder and Kerberos protocols.
Part 2: A high level overview of cryptography. Symmetric key encryption, public key encryption and signing. Abstract equations for modelling encryption.