Verification of security protocols introduction

Similar documents
(More) cryptographic protocols

Cryptography (Overview)

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CSE 127: Computer Security Cryptography. Kirill Levchenko

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Public Key Algorithms

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Encryption. INST 346, Section 0201 April 3, 2018

Grenzen der Kryptographie

What did we talk about last time? Public key cryptography A little number theory

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

PROTECTING CONVERSATIONS

Public Key Cryptography, OpenPGP, and Enigmail. 31/5/ Geek Girls Carrffots GVA

APNIC elearning: Cryptography Basics

Cryptographic Systems

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Security in ECE Systems

Information Security CS 526

Cryptography. some history. modern secret key cryptography. public key cryptography. cryptography in practice

Public Key Cryptography

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Session key establishment protocols

Security: Cryptography

Session key establishment protocols

Spring 2010: CS419 Computer Security

Security protocols and their verification. Mark Ryan University of Birmingham

Some Stuff About Crypto

Introduction and Overview. Why CSCI 454/554?

Ref:

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Uzzah and the Ark of the Covenant

Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI

CSC 774 Network Security

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

Verification of Security Protocols Part I. Fosad 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Cryptography Introduction

A simple approach of Peer-to-Peer E-Cash system

Key Exchange. Secure Software Systems

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

The Design of an Anonymous and a Fair Novel E-cash System

Cryptography and Network Security

Cryptography MIS

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

CSC 474/574 Information Systems Security

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Classical Cryptography. Thierry Sans

CS 332 Computer Networks Security

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Computers and Security

EEC-484/584 Computer Networks

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Cryptography. Submitted to:- Ms Poonam Sharma Faculty, ABS,Manesar. Submitted by:- Hardeep Gaurav Jain

Network Security Chapter 8

2.1 Basic Cryptography Concepts

CCNA Security 1.1 Instructional Resource

CSC 474/574 Information Systems Security

Providing solutions for more secure exchanges

EEC-682/782 Computer Networks I

Public-key encipherment concept

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Public-key Cryptography: Theory and Practice

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Computer Security: Principles and Practice

Uses of Cryptography

Introduction to Cryptography

Advanced Cryptography 1st Semester Symmetric Encryption

Lecture 1: Perfect Security

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Public Key Algorithms

Chapter 9 Public Key Cryptography. WANG YANG

Key Establishment and Authentication Protocols EECE 412

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

BCA III Network security and Cryptography Examination-2016 Model Paper 1

UNIT - IV Cryptographic Hash Function 31.1

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

COMPLEXITY ACROSS DISCIPLINES

Network Security. Chapter 8. MYcsvtu Notes.

Cryptography. Intercepting Information Scenario 1. Tuesday, December 9, December 9, Wireless broadcasts information using radio signals

Applied Cryptography and Computer Security CSE 664 Spring 2017

CHAPTER 1 INTRODUCTION TO CRYPTOGRAPHY. Badran Awad Computer Department Palestine Technical college

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

Computer Networks & Security 2016/2017

Chapter 9. Public Key Cryptography, RSA And Key Management

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

(2½ hours) Total Marks: 75

Transcription:

Verification of security protocols introduction Stéphanie Delaune CNRS & IRISA, Rennes, France Tuesday, November 14th, 2017

Cryptographic protocols everywhere! they aim at securing communications over public networks

A variety of security properties Secrecy: May an intruder learn some secret message exchanged between two honest participants? Authentication: Is the agent Alice really talking to Bob?

A variety of security properties Secrecy: May an intruder learn some secret message exchanged between two honest participants? Authentication: Is the agent Alice really talking to Bob? Anonymity: Is an attacker able to learn something about the identity of the participants who are communicating? Non-repudiation: Alice sends a message to Bob. Alice cannot later deny having sent this message. Bob cannot deny having received the message....

How does a cryptographic protocol work (or not)? Protocol: small programs explaining how to exchange messages

How does a cryptographic protocol work (or not)? Protocol: small programs explaining how to exchange messages

How does a cryptographic protocol work (or not)? Protocol: small programs explaining how to exchange messages Cryptographic: make use of cryptographic primitives Examples: symmetric encryption, asymmetric encryption, signature, hashes,...

What is a symmetric encryption scheme? Symmetric encryption encryption decryption

What is a symmetric encryption scheme? Symmetric encryption encryption decryption Example: This might be as simple as shifting each letter by a number of places in the alphabet (e.g. Caesar cipher) Today: DES (1977), AES (2000)

A famous example Enigma machine (1918-1945) electro-mechanical rotor cipher machines used by the German to encrypt during Wold War II permutations and substitutions A bit of history 1918: invention of the Enigma machine 1940: Battle of the Atlantic during which Alan Turing s Bombe was used to test Enigma settings. Everything about the breaking of the Enigma cipher systems remained secret until the mid-1970s.

What is an asymmetric encryption scheme? Asymmetric encryption encryption decryption public key private key

What is an asymmetric encryption scheme? Asymmetric encryption encryption decryption public key private key Examples: 1976: first system published by W. Diffie, and M. Hellman, 1977: RSA system published by R. Rivest, A. Shamir, and L. Adleman. their security relies on well-known mathematical problems (e.g. factorizing large numbers, computing discrete logarithms) Today: those systems are still in use Turing Award 2016

What is a signature scheme? Signature signature verification private key public key Example: The RSA cryptosystem (in fact, most public key cryptosystems) can be used as a signature scheme.

What is a hash function? Hash function It is a reproducible method of turning some kind of data into a (relatively) small number that may serve as a digital "fingerprint" of the data (again substitutions and permutations). Examples: MD5, SHA-1

How cryptographic protocols can be attacked?

How cryptographic protocols can be attacked? Logical attacks can be mounted even assuming perfect cryptography, replay attack, man-in-the middle attack,... subtle and hard to detect by eyeballing the protocol

How cryptographic protocols can be attacked? Logical attacks can be mounted even assuming perfect cryptography, replay attack, man-in-the middle attack,... subtle and hard to detect by eyeballing the protocol A traceability attack on the BAC protocol (2010) privacy issue The register - Jan. 2010

Example: Denning Sacco protocol (1981) aenc(sign(k AB, priv(a)), pub(b)) Is the Denning Sacco protocol a good key exchange protocol?

Example: Denning Sacco protocol (1981) aenc(sign(k AB, priv(a)), pub(b)) Is the Denning Sacco protocol a good key exchange protocol? No!

Example: Denning Sacco protocol (1981) aenc(sign(k AB, priv(a)), pub(b)) Is the Denning Sacco protocol a good key exchange protocol? No! Description of a possible attack: aenc(sign(k AC, priv(a)), pub(c))

Example: Denning Sacco protocol (1981) aenc(sign(k AB, priv(a)), pub(b)) Is the Denning Sacco protocol a good key exchange protocol? No! Description of a possible attack: aenc(sign(k AC, priv(a)), pub(c)) sign(k AC, priv(a)) k AC aenc(sign(k AC, priv(a)), pub(b))

Exercise We propose to fix the Denning-Sacco protocol as follows: Version 1 A B : aenc( A, B, sign(k, priv(a)), pub(b)) Version 2 A B : aenc(sign( A, B, k, priv(a)), pub(b)) Which version would you prefer to use?

Exercise We propose to fix the Denning-Sacco protocol as follows: Version 1 A B : aenc( A, B, sign(k, priv(a)), pub(b)) Version 2 A B : aenc(sign( A, B, k, priv(a)), pub(b)) Which version would you prefer to use? Version 2 Version 1 is still vulnerable to the aforementioned attack.

Needham-Schroeder s Protocol (1978) A B : {A, N a } pub(b) B A : {N a, N b } pub(a) A B : {N b } pub(b)

Needham-Schroeder s Protocol (1978) A B : {A, N a } pub(b) B A : {N a, N b } pub(a) A B : {N b } pub(b)

Needham-Schroeder s Protocol (1978) A B : {A, N a } pub(b) B A : {N a, N b } pub(a) A B : {N b } pub(b)

Needham-Schroeder s Protocol (1978) A B : {A, N a } pub(b) B A : {N a, N b } pub(a) A B : {N b } pub(b)

Needham-Schroeder s Protocol (1978) A B : {A, N a } pub(b) B A : {N a, N b } pub(a) A B : {N b } pub(b) Questions Is N b secret between A and B? When B receives {N b } pub(b), does this message really comes from A?

Needham-Schroeder s Protocol (1978) A B : {A, N a } pub(b) B A : {N a, N b } pub(a) A B : {N b } pub(b) Questions Is N b secret between A and B? When B receives {N b } pub(b), does this message really comes from A? Attack An attack was found 17 years after its publication! [Lowe 96]

Man in the middle attack Agent A Attacker C Agent B Attack involving 2 sessions in parallel, an honest agent has to initiate a session with C. A B B A A B : {A, N a } pub(b) : {N a, N b } pub(a) : {N b } pub(b)

Man in the middle attack {A, N a } pub(c) {A, N a } pub(b) Agent A Attacker C Agent B A B B A A B : {A, N a } pub(b) : {N a, N b } pub(a) : {N b } pub(b)

Man in the middle attack {A, N a } pub(c) {N a, N b } pub(a) {A, N a } pub(b) {N a, N b } pub(a) Agent A Attacker C Agent B A B B A A B : {A, N a } pub(b) : {N a, N b } pub(a) : {N b } pub(b)

Man in the middle attack {A, N a } pub(c) {N a, N b } pub(a) {A, N a } pub(b) {N a, N b } pub(a) {N b } pub(c) {N b } pub(b) Agent A Attacker C Agent B A B B A A B : {A, N a } pub(b) : {N a, N b } pub(a) : {N b } pub(b)

Man in the middle attack {A, N a } pub(c) {N a, N b } pub(a) {A, N a } pub(b) {N a, N b } pub(a) {N b } pub(c) {N b } pub(b) Agent A Attacker C Agent B Attack the intruder knows N b, When B finishes his session (apparently with A), A has never talked with B. A B B A A B : {A, N a } pub(b) : {N a, N b } pub(a) : {N b } pub(b)

Needham Schroeder Lowe protocol A fixed version of the Needham Schroeder public key protocol. A B B A A B : {A, N a } pub(b) : {N a, N b, B} pub(a) : {N b } pub(b) the responder s identity has been added to the second message

What about protocols used in real life?

Credit Card payment protocol Serge Humpich case Yescard (1997)

Credit Card payment protocol Serge Humpich case Yescard (1997) Step 1: A logical flaw in the protocol allows one to copy a card and to use it without knowing the PIN code. not a real problem, there is still a bank account to withdraw

Credit Card payment protocol Serge Humpich case Yescard (1997) Step 1: A logical flaw in the protocol allows one to copy a card and to use it without knowing the PIN code. not a real problem, there is still a bank account to withdraw Step 2: breaking encryption via factorisation of the following (96 digits) number: 213598703592091008239502270499962879705109534182 6417406442524165008583957746445088405009430865999 now, the number that is used is made of 232 digits

HTTPS connections Lots of bugs and attacks, with fixes every month

HTTPS connections Lots of bugs and attacks, with fixes every month FREAK attack discovered by Baraghavan et al (Feb. 2015) 1. a logical flaw that allows a man in the middle attacker to downgrade connections from strong RSA to export-grade RSA; 2. breaking encryption via factorisation of such a key can be easily done.

HTTPS connections Lots of bugs and attacks, with fixes every month FREAK attack discovered by Baraghavan et al (Feb. 2015) 1. a logical flaw that allows a man in the middle attacker to downgrade connections from strong RSA to export-grade RSA; 2. breaking encryption via factorisation of such a key can be easily done. export-grade were introduced under the pressure of US governments agencies to ensure that they would be able to decrypt all foreign encrypted communication.

Electronic passport studied in [Arapinis et al., 10] This is a passport with an RFID tag embedded in it. The RFID tag stores: the information printed on your passport, a JPEG copy of your picture.

Electronic passport studied in [Arapinis et al., 10] This is a passport with an RFID tag embedded in it. The RFID tag stores: the information printed on your passport, a JPEG copy of your picture. The Basic Access Control (BAC) protocol is a key establishment protocol that has been designed to also ensure unlinkability. Attack discovered by Chothia & Smirnov, 2010 a logical flaw introduced in the French implementation of the passport; an attacker can track a French passport, provided he has once witnessed a successful authentication

Logical attacks - How to detect them? Symbolic approach messages are represented by terms rather than bit-strings {m} k encryption of the message m with key k, m 1, m 2 pairing of messages m 1 and m 2,... attacker controls the network and can perform specific actions

Logical attacks - How to detect them? Symbolic approach messages are represented by terms rather than bit-strings {m} k encryption of the message m with key k, m 1, m 2 pairing of messages m 1 and m 2,... attacker controls the network and can perform specific actions Relevance of the approach numerous attacks have already been obtained, allows us to perform automatic verification soundness results w.r.t. to the computational model already exist, e.g. [Abadi & Rogaway 01]

Course program Vérification des protocoles cryptographiques Barbara Kordy: barbara.kordy@irisa.fr Stéphanie Delaune: stephanie.delaune@irisa.fr Part I: using Scyther (B. Kordy) Part II: using ProVerif (S. Delaune) Projet: Conception et analyse de protocoles cryptographiques Install Scyther and ProVerif as soon as possible! ProVerif: http://proverif.inria.fr Scyther: https://www.cs.ox.ac.uk/people/cas.cremers/scyther/

Evaluation 1. Un examen écrit de 2 heures (23 Janvier 2018 ou 25 Janvier 2018): note Examen. 2. Un projet ( 26 Janvier 2018): note Projet. Conception et analyse de protocoles cryptographiques Note finale: (2 Examen + Projet)/3

Planning of the lectures Salle: B02B-E208 (sauf séance du 28/11 en salle B12D i-59) 21 Novembre 10h15-12h15: S. Delaune 23 Novembre 16h15-18h15: B. Kordy 28 Novembre 10h15-12h15: B. Kordy 30 Novembre 16h15-18h15: B. Kordy 5 Décembre 10h15-12h15: B. Kordy 7 Décembre 16h15-18h15: B. Kordy 9 Janvier 10h15-12h15: S. Delaune 11 Janvier 16h15-18h15: S. Delaune 16 Janvier 10h15-12h15: S. Delaune 18 Janvier 16h15-18h15: S. Delaune http://people.irisa.fr/barbara.kordy/security_protocols/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback