INternet SECURITY and Cryptographic Protocolssiva/talks/aset-talk.pdfRFC 2196 Site Security Handbook...
47
Home Page Title Page Contents Page 1 of 47 Go Back Full Screen Close Quit INternet SECURITY and Cryptographic Protocols G. Sivakumar Computer Science Department Indian Institute of Technology, Bombay Mumbai 400076, India [email protected] Outline of Talk • Internet Security Overview [20 mins] – Requirements, Vulnerabilities, Threats – Cryptography (sine qua non!) • Security Protocols [15 mins] – Session Keys (Diffie-Hellman) – Authentication (Needham-Schroeder) • Formal Methods for Security Protocols [15 mins] – Survey of Approaches and Tools
Transcript of INternet SECURITY and Cryptographic Protocolssiva/talks/aset-talk.pdfRFC 2196 Site Security Handbook...
Home Page
Title Page
Contents
JJ II
J I
Page 1 of 47
Go Back
Full Screen
Close
Quit
INternet SECURITY andCryptographic Protocols
G. SivakumarComputer Science Department
Indian Institute of Technology, BombayMumbai 400076, India
Outline of Talk
• Internet Security Overview[20 mins]
– Requirements, Vulnerabilities, Threats
– Cryptography (sine qua non!)
• Security Protocols[15 mins]
– Session Keys (Diffie-Hellman)
– Authentication (Needham-Schroeder)
• Formal Methods for Security Protocols[15 mins]
– Survey of Approaches and Tools
• Emerging Issues and Q&A
Home Page
Title Page
Contents
JJ II
J I
Page 2 of 47
Go Back
Full Screen
Close
Quit
Scope of Talk
Any topic can bereducedto one’s area of expertise!
Home Page
Title Page
Contents
JJ II
J I
Page 3 of 47
Go Back
Full Screen
Close
Quit
Internet’s Growth andCharter
InformationAnyTime, AnyWhere, AnyForm, AnyDevice, ...WebTone like DialTone
Home Page
Title Page
Contents
JJ II
J I
Page 4 of 47
Go Back
Full Screen
Close
Quit
Security Concerns onInternet
Sample problems
• Highly contagious viruses
• Defacing web pages
• Credit card number theft
• On-line scams
• Intellectual property theft
• Wiping out data
• Denial of service
• Spam E-mails
• Reading private files
• Surveillance
Home Page
Title Page
Contents
JJ II
J I
Page 5 of 47
Go Back
Full Screen
Close
Quit
Who are the attackers?• Unintended blunders
• Hackers driven by technical challenge
• Disgruntled employees or customers
• Petty criminals
• Organized crime
• Organized terror groups
• Foreign espionage agents
• Information warfare
Home Page
Title Page
Contents
JJ II
J I
Page 6 of 47
Go Back
Full Screen
Close
Quit
Recent Top 10 AttacksSeewww.securityfocus.comandwww.sans.orgfor more details
1. Nimda Worm (IIS/MIME bugs)
2. Code Red Worm (Buffer Overflow)
3. Code Red II Worm
4. Spam Mail (Open Relays/Formmail)
5. CGI Attacks
6. SubSeven Trojan
7. Microsoft FrontPage Attacks
8. DNS Attacks
9. FTP Attacks
10. SSH CRC-32 Compensation Detection Attack
How may are reallyInternet’sfault?
Home Page
Title Page
Contents
JJ II
J I
Page 7 of 47
Go Back
Full Screen
Close
Quit
Effect of Nimda, Code Red
Like blamingairplanesfor SARS!
Home Page
Title Page
Contents
JJ II
J I
Page 8 of 47
Go Back
Full Screen
Close
Quit
Vulnerabilities andExposures
A nomenclature(and database) for indexing vulnerabilites. Critical to evaluatevarious approaches/tools. Seecve.mitre.org.
Home Page
Title Page
Contents
JJ II
J I
Page 9 of 47
Go Back
Full Screen
Close
Quit
What is a ComputerNetwork?
Home Page
Title Page
Contents
JJ II
J I
Page 10 of 47
Go Back
Full Screen
Close
Quit
So, what’s Internet?• A bottom-up collection (interconnection) of networks
• TCP/IP is theonly common factor
• Bureaucracy-free, reliable, cheap
• Decentralized, democratic, chaotic
• Internet Society (www.isoc.org)
• Internet Engineering Task Force (www.ietf.org)
Home Page
Title Page
Contents
JJ II
J I
Page 11 of 47
Go Back
Full Screen
Close
Quit
Why is Internet Vulnerable?Quick overview of how Internet works.
Home Page
Title Page
Contents
JJ II
J I
Page 12 of 47
Go Back
Full Screen
Close
Quit
Yahoo DDoS attack• Caused traffic to Yahoo to zoom to 100s of Mbps
• Broke the capacity of machines at Yahoo and its ISPs
• Internet Control Message Protocol (ICMP) normally used for good pur-poses.
• Ping used to check “are you alive?’
Home Page
Title Page
Contents
JJ II
J I
Page 13 of 47
Go Back
Full Screen
Close
Quit
Yahoo DDoS attack
Home Page
Title Page
Contents
JJ II
J I
Page 14 of 47
Go Back
Full Screen
Close
Quit
Vulnerabilities• Application Security
– Buggy code
– Buffer Overflows
• Host/OS Security
– Server side (multi-user/application)
– Client side (virus)
• Transmission Security
Home Page
Title Page
Contents
JJ II
J I
Page 15 of 47
Go Back
Full Screen
Close
Quit
Security RequirementsInformal statements (formal is much harder)
• ConfidentialityProtection from disclosure to unauthorized persons
• IntegrityAssurance that information has not been modified unauthorizedly.
• AuthenticationAssurance of identity of originator of information.
• Non-RepudiationOriginator cannot deny sending the message.
• Availability Not able to use system or communicate when desired.
• Anonymity/PseudonomityFor applications like voting, instructor evalua-tion.
• Traffic AnalysisShould not even know who is communicating with whom.Why?
And all this with postcards (IP datagrams)!
Home Page
Title Page
Contents
JJ II
J I
Page 16 of 47
Go Back
Full Screen
Close
Quit
Network SecurityMechanisms
Home Page
Title Page
Contents
JJ II
J I
Page 17 of 47
Go Back
Full Screen
Close
Quit
RFC 2196 Site SecurityHandbook
Guidelines for any organization joining Internet
1. Risk Assessment (Assets/Threats)
2. Security Policies
3. Security Architecture and Services
• Firewalls, VPN, Encryption, ...
• Authentication
• Confidentiality, Integrity
• Authorization and Access Control
• Backups
4. Usage Monitorig and Auditing
5. Intrusion/Attack Detection
6. Security Incident Handling
No silver bulletor one timefix!Eternal Vigilance is the price of liberty.
Home Page
Title Page
Contents
JJ II
J I
Page 18 of 47
Go Back
Full Screen
Close
Quit
Cryptography and DataSecurity
• sine qua non[without this nothing :-]
What are cryptographic protocols?
Home Page
Title Page
Contents
JJ II
J I
Page 19 of 47
Go Back
Full Screen
Close
Quit
Symmetric/Private-KeyAlgorithms
Home Page
Title Page
Contents
JJ II
J I
Page 20 of 47
Go Back
Full Screen
Close
Quit
Asymmetric/Public-KeyAlgorithms
• Keys are duals (lock with one, unlock with other)
• Cannot infer one from other easily
• How to encrypt? How to sign?
• Why not use only this? Why session keys?
Home Page
Title Page
Contents
JJ II
J I
Page 21 of 47
Go Back
Full Screen
Close
Quit
One way Functions
Mathematical Equivalents
• Factoring large numbers (product of 2 large primes)
• Discrete Logarithms
Home Page
Title Page
Contents
JJ II
J I
Page 22 of 47
Go Back
Full Screen
Close
Quit
One-way Functions• Computingf(x) = y is easy.
• Eg. y = 4x mod 13 (If x is 3, y is —?)
n 4n mod 13 10n mod 131 4 102 3 93 12 124 9 35 10 46 1 17 4 10... ... ...
• Note: need not work with numbers bigger than 13 at all!
• But given y = 11, finding suitable x is not easy!
• Can do by brute-force (try all possibilities!)
• No method that ismuch better known yet!
Home Page
Title Page
Contents
JJ II
J I
Page 23 of 47
Go Back
Full Screen
Close
Quit
Motivation for Session keysCombine Symmetric (fast) and Asymmetric (very slow) Methods using session(ephemeral) keys for the following additional reasons.
• Limit available cipher text(under a fixed key) for cryptanalytic attack;
• Limit exposurewith respect to both time period and quantity of data, in theevent of (session) key compromise;
• Avoid long-term storageof a large number of distinct secret keys (in thecase where one terminal communicates with a large number of others), bycreating keys only when actually required;
• Create independence across communicationssessions or applications. Noreplay attacks.
How to establish session keys over insecure medium where adversary is listen-ing to everything?Can be done even without any public key!Randomizationto rescue (like inCSMA/CD of Ethernet).
Home Page
Title Page
Contents
JJ II
J I
Page 24 of 47
Go Back
Full Screen
Close
Quit
Diffie-Hellman KeyEstablishment Protocol
Home Page
Title Page
Contents
JJ II
J I
Page 25 of 47
Go Back
Full Screen
Close
Quit
Man-in-the-middle attack
• Authentication was missing!
• Can be solved if Kasparov and Anand know each other’s public key(Needham-Schroeder).
• Yes, but different attack possible.
Home Page
Title Page
Contents
JJ II
J I
Page 26 of 47
Go Back
Full Screen
Close
Quit
Needham-SchroederProtocol
Home Page
Title Page
Contents
JJ II
J I
Page 27 of 47
Go Back
Full Screen
Close
Quit
Attack by Lowe (1995)
Home Page
Title Page
Contents
JJ II
J I
Page 28 of 47
Go Back
Full Screen
Close
Quit
Why Are Security ProtocolsOften Wrong?
They aretrivial programs built from simple primitives,BUT, they are compli-cated by
• concurrency
• a hostile environment
– a bad user controls the network
– Concern: active attacks masquerading, replay, man-in-middle, etc.
• vague specifications
– we have to guess what is wanted
• Ill-defined concepts
Protocol flaws rather than cryptosystem weaknesses
Home Page
Title Page
Contents
JJ II
J I
Page 29 of 47
Go Back
Full Screen
Close
Quit
Need for Formal MethodsCountermeasure: formal design and analysis
• Formal Modelling and Specification of Protocol
Abstract encryption model, formal specification
• Specification of Required Properties
• Verification of Properties
Inductive proofs, state-space search, authentication logics
• Generation of Counter-Example
Analysis can find flaws, suggest improvements, prove conditional correct-ness
Home Page
Title Page
Contents
JJ II
J I
Page 30 of 47
Go Back
Full Screen
Close
Quit
Various Approaches• Inference Construction
Express the assumptions and goals as statements in a symbolic notation.Transform the protocol steps into symbolic notation. Apply a set of deduc-tion rules.BAN Logic
• Attack Construction
Model a protocol with a collection of rules for transforming and reducingalgebraic expressions representing messages. Construct probable attacksets based on the algebraic properties of the protocols algorithms.NRLProtocol Analyzer
• Proof Construction
Express protocol in ahigher-order logic and formally prove properties ofthe protocol.Strand Spaces, HoL, Coq
Home Page
Title Page
Contents
JJ II
J I
Page 31 of 47
Go Back
Full Screen
Close
Quit
Formal ApproachesOverview
Why so many approaches? Who will win?When all you have is a hammer, everything looks like a nail!
Home Page
Title Page
Contents
JJ II
J I
Page 32 of 47
Go Back
Full Screen
Close
Quit
Tools for Security Analysisand Verification
Home Page
Title Page
Contents
JJ II
J I
Page 33 of 47
Go Back
Full Screen
Close
Quit
Specification of ProtocolCommon Authentication Protocol Specification Languagehttp://www.csl.sri.com/users/millen/capsl/
• High-level message-list based language with abstract encryption operators
PROTOCOL Short;IMPORTS ClientServer;VARIABLESA,S: PKUser;N: Nonce, FRESH, CRYPTO;ASSUMPTIONSHOLDS A: S;MESSAGESA -> S: A,{A,N}SK(A);S -> A: {S,N}PK(A);GOALSSECRET N: A, S;END;
Home Page
Title Page
Contents
JJ II
J I
Page 34 of 47
Go Back
Full Screen
Close
Quit
Emerging Picture
Home Page
Title Page
Contents
JJ II
J I
Page 35 of 47
Go Back
Full Screen
Close
Quit
Equational LogicStandard example (Group Theory)
0 + x = x−(x) + x = 0
(x + y) + z = x + (y + z)
Equational logic (“replace equals by equals”)
x = 0 + x = (−0 + 0) + x = − 0 + (0 + x) = − 0 + x
Validity: Is−0 = 0? Is−(−(x)) = x? (for allx)?Satisfiability: Is therex such thatx + x = 0?Formal definition ofterm, substitution, matching, unification skipped!We can give an “efficient”decisionprocedure for validity and asemi-decisionprocedure for satisfiability if we can find aconvergent (canonical) rewritesystemequivalent to the above equations.
Home Page
Title Page
Contents
JJ II
J I
Page 36 of 47
Go Back
Full Screen
Close
Quit
Rewrite SystemsA rule is an “oriented” equation (one-way replacement).Numbers are built from constructors (0, s) and some functions+, ∗, fact, gcd aredefinedas follows.
0 + x → xs(x) + y → s(x + y)
0 ∗ x → 0s(x) ∗ y → y + (x ∗ y)fact(0) → s(0)
fact(s(x)) → s(x) ∗ fact(x)gcd(0, x) → x
gcd(x, x + y) → gcd(x, y)
Derivations and Normal Forms
s(0) + (0 ∗ s(0)) → s(0) + 0 → s(0 + 0) → s(0)
Is definition ofgcdcomplete?
• Can wesimplify gcd(s2(0), s4(0))?
• We need matching modulo+
• How aboutgcd(s4(0), s2(0))?
• We needcommutativity of gcd.
Home Page
Title Page
Contents
JJ II
J I
Page 37 of 47
Go Back
Full Screen
Close
Quit
Equational Programming(First-order) Functional Programming
• Evaluatefact(s2(0) ∗ s3(0))
• Matching is the parameter-passing mechanism for applying rules.
• No backtracking if definition isconfluent.
Logic Programing
• Solvex ∗ y = s4(0)
• Enumerateall answers:{x 7→ s(0), y 7→ s4(0)}, {x 7→ s2(0), y 7→s2(0)}, ...
• Unification is the parameter passing mechanism.
• Backtracking needed for completeness!
“Efficient” methods for the above are possible when the rewrite system hasuseful properties oftermination andconfluence.
Home Page
Title Page
Contents
JJ II
J I
Page 38 of 47
Go Back
Full Screen
Close
Quit
Data Types using RewriteSystems
Quite easy to model and reason about many data types.nil and· constructorsfor list, empty andpush constructors for stack.
top(push(x, y)) → xpop(push(x, y)) → yappend(nil, Z) → Z
append(X · Y, Z) → X · append(Y, Z)rev(nil) → nil
rev(X · Y ) → append(rev(Y ), X · nil)
Are properties such asassociativity of append orrev(rev(X)) = X valid?(Equational proofs exist?).No! These areInductiveproperties.
Home Page
Title Page
Contents
JJ II
J I
Page 39 of 47
Go Back
Full Screen
Close
Quit
Inductive Properties andProofs
Example of series summation
ssum(0) → 0ssum(s(x)) → s(x) + ssum(x)
Can we proves2(0) ∗ ssum(x) = s(x) ∗ x
Anecdote aboutRamanujan
ans = 1 + 2 + ... + nans = n + (n-1) + ... + 1
2 * ans = n * (n+1)
Two methods for automating
• Structural Inductionusingcover sets
– Base Case (0)
– Inductive Case (s(x))
• Inductionless Induction
Add “inductive theorem” as a rule and check if we can generate acontra-diction (equality between different constructors such as0 = 1).
Home Page
Title Page
Contents
JJ II
J I
Page 40 of 47
Go Back
Full Screen
Close
Quit
RRL (Rewrite RuleLaboratory)
• A theorem prover written in Lisp.
• Initial version (1984)- Deepak Kapur and G. Sivakumar
• Hantao Zhang (U. of Iowa) added many major components.
Features of RRL
• A Rewrite Rule Based Prover for Equational and Inductive Reasoning
• Formulas as Terminating Rewrite Rules
• Conditional rewriting and Normalization
• Conditions discharged using Decision procedures and Rewriting (Contex-tual Rewriting )
• Heuristics for Induction Schemes, Generalization, Backtracking (CoverSet induction method)
• Alternative Proof Attempts, Automatic Lemma generation, Backtracking
Home Page
Title Page
Contents
JJ II
J I
Page 41 of 47
Go Back
Full Screen
Close
Quit
Translating Finite StateSystems
Very basic idea.
status(sys(S0), a · X)→status(sys(S1) , X)status(sys(S1) , b · X)→status(sys(S2) , X)status(sys(S0) , c · X)→status(sys(S2) , X)Note: sys(...) can easily capture the “state” (possibly infinite) of the systemand use many data types (counters, lists, stacks, sorted queues etc.)
Home Page
Title Page
Contents
JJ II
J I
Page 42 of 47
Go Back
Full Screen
Close
Quit
Mutual Exclusion(Readers/Writers)
Parameters
• list of active readers (xrd),
• list of active writers (xwr),
• queue of waiting readers (xrdQ),
• the queue of waiting writers (xwQ).
sys(xrd, xwr, xrdQ, xwQ) denotes the system.Input could be a string of requestsrb(xt1) · wb(xt2) · rb(xt3)... · nilread-begin request forxt1 time units, next a write-begin request forxt2 timeunits and so on. Thexti are numbers.Sample Rule
status(sys(xrd, nil, xrdQ, xwQ), rb(t1) ·X) →
status(sys(insert(rb(t1), xrd), nil, xrdQ, xwQ), X)
Home Page
Title Page
Contents
JJ II
J I
Page 43 of 47
Go Back
Full Screen
Close
Quit
Property CorrespondenceRewrite System Prop. Relationship Protocol PropertySufficient Completeness ⇐⇒ CompletenessSufficient Completeness =⇒ ProgressTermination =⇒ BoundednessNon-termination =⇒ Unbounded or No ProgressConfluence ⇐⇒ Confluency
Example applications
• Alternating-bit protocol
• Authentication protocols
• Distributed control systems
• ...
Ongoing work atCentre for Formal Design and Verification of Software(CFDVS)http://www.cfdvs.iitb.ac.in/
Home Page
Title Page
Contents
JJ II
J I
Page 44 of 47
Go Back
Full Screen
Close
Quit
Emerging ChallengesOpen Problems (Meadows 2000)
• Growth in ProtocolComplexity
– Needham-Schroeder (1978): 6 pages
– TLS: 80 pages
– SET: 5 main sub-protocols, 3 manuals, nearly 1000 pages
• Open Ended(group messaging- number of principals/fields not known)
• Denial of service(fail-stop protocols)
• Anonymous comm.(voting, auction– more in next slide)
• Over Abstraction(attack on particular methods)
• Composability
• Practical acceptabilityof formal methods.
Home Page
Title Page
Contents
JJ II
J I
Page 45 of 47
Go Back
Full Screen
Close
Quit
Online VotingAre we ready for elections via Internet?
• George Bush(Nov 2000, dimpled chads)
• Pervez Musharaf(April 2002)
E-Voting Protocols Requirements
• No loss of votes already cast (reliability)
• No forging of votes (authentication)
• No modification of votes cast (integrity)
• No multiple voting
• No vote secrecy violation (privacy)
• No vulnerability to vote coercion
• No vulnerability to vote selling or trading protocols (voter is an adversary)
• No loss of ability to cast and accept more votes (availability, no denial ofservice)
Home Page
Title Page
Contents
JJ II
J I
Page 46 of 47
Go Back
Full Screen
Close
Quit
Other Desirable PropertiesMust not only be correct and secure, but also be seen to be so by skepticaloutsiders.
• Auditability:
Failure or procedural error can be detected and corrected, especially theloss of votes.
• Verifiability: Should be able to prove
– My vote was counted
– All precincts were counted
– The number of votes in each precinct is the same as the number ofpeople who voted
– No one I know who is ineligible to vote did so
– No one voted twice
– Etc.
without violating anonymity, privacy etc.Zero Knowledge ProofsChallenge Puzzle: Spy-vs-Spy
Home Page
Title Page
Contents
JJ II
J I
Page 47 of 47
Go Back
Full Screen
Close
Quit
ReferencesOnly a sample. See these for more.
• D. Dolev and A. Yao, “On the security of public-key protocols,” IEEETransactions on Information Theory, 2(29), 1983”.
• Burrows and Abadi and Needham “A Logic of Authentication,” Proceed-ings of the Royal Society, Volume 426, Number 1871, 1989.
• Needham R M and Scroeder M. D, “Using encryption for authentication inlarge networks of computers” Communications of the ACM, 1978, 993–999, December.
• A. D. Rubin and P. Honeyman, “Formal Methods for the Analysis of Au-thentication Protocols” CITI Technical Report 93-7, 1993 (available at cite-seer.nj.nec.com/rubin93formal.html)
• Levente Buttyan, “Formal methods in the design of crypto-graphic protocols (state of the art)”, 1999 (available at cite-seer.nj.nec.com/buttyan99formal.html)
• Catherine Meadows, “Open Issues in Formal Methods forCryptographic Protocol Analysis”, 2001 (available at cite-seer.nj.nec.com/meadows00open.html)
