Security protocols and their verification. Mark Ryan University of Birmingham

Similar documents
Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Computer Networks & Security 2016/2017

Lecture 1: Course Introduction

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Session key establishment protocols

Applied Cryptography Basic Protocols

Session key establishment protocols

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Elements of Security

Authentication Handshakes

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

CSC 474/574 Information Systems Security

BAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]

Lecture 4: Authentication Protocols

Outline More Security Protocols CS 239 Computer Security February 4, 2004

User Authentication Protocols Week 7

Spring 2010: CS419 Computer Security

School of Computer Science

Fall 2010/Lecture 32 1

Security Handshake Pitfalls

Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI

Security Handshake Pitfalls

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Network Security and Internet Protocols

What did we talk about last time? Public key cryptography A little number theory

Network Security (NetSec)

Cryptographic Protocols 1

Grenzen der Kryptographie

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

User Authentication Protocols

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Security protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i

Lecture 9. Authentication & Key Distribution

Cryptographic Checksums

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

SPi Calculus: Outline. What is it? Basic SPi Calculus Notation Basic Example Example with Channel Establishment Example using Cryptography

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Real-time protocol. Chapter 16: Real-Time Communication Security

Session Key Distribution

Verification of security protocols introduction

CS Protocols. Prof. Clarkson Spring 2016

Security Handshake Pitfalls

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Security Handshake Pitfalls

Network Security. Chapter 7 Cryptographic Protocols

CS 494/594 Computer and Network Security

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Applied Cryptography Protocol Building Blocks

Information Security CS 526

CSE BAN Logic Presentation

Datasäkerhetsmetoder föreläsning 7

6. Security Handshake Pitfalls Contents

CS Protocol Design. Prof. Clarkson Spring 2017

Key Establishment and Authentication Protocols EECE 412

Security: Focus of Control. Authentication

Formally defining NFC M-coupon requirements, with a case study

1 Identification protocols

Chapter 9: Key Management

Formal Methods for Security Protocols

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Chapter 13. Digital Cash. Information Security/System Security p. 570/626

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II

A Remote Biometric Authentication Protocol for Online Banking

Crypto meets Web Security: Certificates and SSL/TLS

EEC-682/782 Computer Networks I

Computer Security module

Security: Focus of Control

Combined CPV-TLV Security Protocol Verifier

A Short SPAN+AVISPA Tutorial

Today s Lecture. Secure Communication. A Simple Protocol. Remote Authentication. A Simple Protocol. Rules. I m Alice. I m Alice

Crypto Background & Concepts SGX Software Attestation

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Principles of Security Part 4: Authentication protocols Sections 1 and 2

INFSCI 2935: Introduction of Computer Security 1. Courtesy of Professors Chris Clifton & Matt Bishop. INFSCI 2935: Introduction to Computer Security 2

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Applied Cryptography and Computer Security CSE 664 Spring 2017

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Network Security Chapter 8

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

(More) cryptographic protocols

Overview of Authentication Systems

Lecture 15: Cryptographic algorithms

Outline Key Management CS 239 Computer Security February 9, 2004

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Distributed Systems Principles and Paradigms

Lecture 19: cryptographic algorithms

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Transcription:

Security protocols and their verification Mark Ryan University of Birmingham

Contents 1. Authentication protocols (this lecture) 2. Electronic voting protocols 3. Fair exchange protocols 4. Digital cash protocols

Alice and Bob Alice and Bob want to communicate with each other over an in secure medium, e.g., the internet. But first, they need to Authenticate each other: they want to be sure they are talking to each other, not to an imposter Agree a secret key: they want to encrypt their conversation, for privacy and integrity. Alice and Bob might be humans, but they might also be: a web browser and a web server; a mobile phone and the network operator; etc.

Security protocols Alice and Bob will engage in an exchange of messages (= a protocol) which will result in each of them Having authenticated each other Having established a shared secret key which they can use to encrypt their subsequent conversation (a session key). The protocol may involve a trusted third party (TTP).

Security protocols A security protocol (or cryptographic protocol) is a protocol that performs a security-related function and applies cryptographic methods. Most cryptographic protocols incorporate at least some of these aspects: Use of cryptographic functions Entity authentication Construction of shared secret(s), useful for establishing a secret key Secured application-level data transport Non-repudiation guarantees

Authentication Authentication between humans How can your bank know that an instruction to pay money to X from your account is actually coming from you? Authentication between devices How can the mobile phone network know that C instructions apparently coming from your phone are actually from your phone? Authentication between programs How can your browser establish that the server at the other end is really and not a look-alike web site designed to defraud you?

Protocols A protocol is an agreed way, or convention, for two or more parties to achieve a goal. It fixes the number and format of the messages between the parties. These rules are known to all of the participants. Example: Wide Mouth Frog It assumes that A and B have access to a trusted third party S, and that they each share a symmetric encryption key with S: The key between A and S: The key between B and S: K BS

Wide Mouth Frog A S B A, T A, K AB, B T S, K AB, A K BS

Wide Moth Frog - remarks Good things Thanks to the encryption, an evesdropper cannot get access to the secret key K AB invented by Alice. Thanks to the timestamps, the server and Bob can detect if messages they are receiving are old. Bad things The protocol relies on timestamps to ensure freshness of messages. This assumes a global clock. KAB is completely determined by A. This assumes A is competent, e.g. to generate random numbers. In spite of this, S gets to know the value of K AB.

Otway-Rees A M, A, B, M, A, B, B S M, A, B, M, A, B,, M, A, B, N B K BS M,, K AB, N B, K AB Checks message K BS M,, K AB

Otway-Rees -- remarks M is a session identifier. Good things S generates the session key, instead of one of the participants A,B S still has to deal only with one of the participants Bad things S has quite a lot of work to do: decrypting twice, checking the message format, inventing key, encrypting twice. This makes it vulnerable to Denial of Service attacks. An intruder could interfere with the protocol so that A and B get different keys!

Attack resulting in different keys A B S I M,A,B, M,A,B, M, A, B, M, A, B,, M, A, B, N B K BS M,, K, N B, K K BS X M,,K M, A, B, M, A, B,, M, A, B, N B K BS M,, K ', N B, K ' K BS M,,K '

Assumptions and rules of protocol design The Dolev-Yao model : the attacker Can read messages Can block messages Can generate fake messages Can read/generate encrypted messages if s/he has the key Knows the protocol being used. (This may not be obvious if A and B are humans, but it is obvious if A is a web server and B a browser.) The attacker cannot read/generate encrypted messages if s/he doesn't have the key. (Thus, we assume the crypto is unbreakable.)

Assumptions and rules contd. When we use a trusted third party (TTP), we should avoid overloading it: It should not have to remember state (e.g., remember nonces, keep lists of used keys, etc.) Preferably, it should deal with only one of the participants Otherwise, we make it vulnerable to denial of service attacks.

Celebrated case The third protocol introduced in this lecture is the Needham-Schroeder public key authentication protocol, introduced in 1978. The protocol consists of three parts. In two of the parts, A and B are each obtaining the other one's public key from a server S. In the other part, they echange nonces which are intended to be used to set up a secret session key. A serious flaw in the protocol's third part was found by Gavin Lowe in 1995.

Needham-Schroeder PK A A, B S B K B, B S 1, A K B B, A K A, A S 1, N B K A N B, A K B

Needham-Schroeder PK, A in essence B, A K B, N B K A N B, A K B

Needham-Schroeder PK attack A, A K I I B, A K B, N B K A, N B K A N B K I N B K B

NS PK attack The attack: A has engaged in a session with I, & is aware of that. I has engaged in a session with B, but B thinks he is talking to A. B is duped. Example: A=you, I=dodgy retailer, B=your bank The solution is very simple: Replace the message, N B K A with, N B, B K A

Conclusions Security protocols are short, but very hard to get right. This makes them ideal for formal analysis One has to be clear about what the goals of a security protocol are. And about the attacker model Next lectures: Fair exchange protocols Electronic voting protocols Digital cash protocols

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback