Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
-
date post
19-Dec-2015 -
Category
Documents
-
view
215 -
download
0
Transcript of Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
![Page 1: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/1.jpg)
Modelling and Analysing of Security Protocol: Lecture 3
Protocol Goals
Tom Chothia
CWI
![Page 2: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/2.jpg)
Last Lecture
• Part 1:– Simple notion for protocols– Modelling “rules”– Needham-Schroeder and Kerberos protocols
• Part 2:– A high level overview the to cryptography– Symmetric key Encryption, public key encryptions
and signing– Abstract equation for modelling encryption
![Page 3: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/3.jpg)
The Needham-Schroeder Protocol
An (in) famous authentication protocol
1. A B : EB( Na, A )
2. B A : EA( Na, Nb )
3. A B : EB( Nb )
Na and Nb can then be used to generate a
symmetric key
![Page 4: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/4.jpg)
An Attack Against the Needham-Schroeder ProtocolThe attack acts as a man in the middle:
1. A C : EC( Na, A )
1`. C(A) B : EA( Na, A )
2`. B C(A) : EA( Na, Nb )
2. C A : EA( Na, Nb )
3. A C : EC( Nb )
3`. C(A) B : EB( Nb )
![Page 5: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/5.jpg)
The Corrected Version
A very simple fix:
1. A B : EB( Na, A )
2. B A : EA( Na, Nb )
3. A B : EB( Nb )
![Page 6: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/6.jpg)
The Corrected Version
A very simple fix:
1. A B : EB( Na, A )
2. B A : EA( Na, Nb, B)
3. A B : EB( Nb )
![Page 7: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/7.jpg)
Today:
• First Lecture: Goals for security protocol– To know if a protocol is secure you must
know what is aims to achieve. – Example: Diffie-Hellman & STS Protocol.
• Second Part: Attacks and Principles– Common types of attacks on protocols– Good design principles for protocol.
![Page 8: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/8.jpg)
Is This An Attack?
The Needham-Schroeder key establishment protocolis the bases for Kerberos• A and B use the trusted 3rd party S to establish a key
Kab:
1. A S : A, B, Na
2. S A : { Na , B, Kab, {Kab , A }Kbs }Kas
3. A B : { Kab , A }Kbs
4. B A : { Nb }Kab
5. A B : { Nb + 1 }Kab
![Page 9: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/9.jpg)
Is This An Attack?
A forces B to use an old key:
-999. A S : A, B, Na
-998. S A : { Na , B, Kab, {oldKab , A }Kbs }Kas
.....
.....
3. A B : { oldKab , A }Kbs
4. B A : { Nb }oldKab
5. A B : { Nb + 1 }oldKab
![Page 10: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/10.jpg)
What is a Protocol Trying to Achieve?
We MUST be clear about what we are trying to do with a protocol:
• Security– If we can securely establish a fresh key then secure
transfer of data is easy.
• Key establishment– Yes, but we saw the problem in the last example
• Authentication– Again we have to be exact.
![Page 11: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/11.jpg)
Some Key Establishment Goals
• Key Freshness: the key established is new– either from some trusted 3rd party– or because it uses a new nonce.
• Key Exclusivity: the key is only known to the principals in the protocol.
• Good Key: the key is both fresh and exclusive
![Page 12: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/12.jpg)
A Hierarchy of Goals
Fresh Key Key Exclusivity
Good Key
![Page 13: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/13.jpg)
A Good Key is Not Enough
• A “Good Key” provides a secure communication channel....
... but we have no idea who is on the other end of the channel.
• We need authentication as well.
![Page 14: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/14.jpg)
Authentication Goals
The most simple:
• Far-end Operative: A knows that “B” is currently active:
– For instance B might have signed a nonce generated by A e.g.
• A B : Na
• B A : SignB ( Na )
![Page 15: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/15.jpg)
Authentication Goals
and
• Once Authentication: A knows that B wishes to communicate with A
– For instance, B might have the name A in a message e.g.
1. B A : SignB ( A )
![Page 16: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/16.jpg)
Entity Authentication
Both of these together give:
• Entity Authentication: A knows that B is currently active and wants to communicate with A.
e.g.
• A B : Na
• B A : SignB ( A, Na )
![Page 17: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/17.jpg)
A Hierarchy of Goals
Fresh Key Key ExclusivityFar-end
OperativeOnce
Authenticated
Good Key
EntityAuthentication
![Page 18: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/18.jpg)
Key Confirmation
A common goal is:
• Key Confirmation of A to B is provided if – B can be sure that “K” is a good key to
communicate with A – and that A knows “K”.
![Page 19: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/19.jpg)
A Hierarchy of Goals
Fresh Key Key ExclusivityFar-end
OperativeOnce
Authenticated
Good Key
EntityAuthentication
Key Confirmation
![Page 20: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/20.jpg)
The Highest Goal
• Mutual Belief in Key: is provided for B only if – “K” is a good key with A– A believes that “K” is a good key for “B” – and A wishes to communicate with B using “K”
![Page 21: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/21.jpg)
A Hierarchy of Goals
Fresh Key Key ExclusivityFar-end
OperativeOnce
Authenticated
Good Key
EntityAuthentication
Key Confirmation
Mutual Belief in Key
![Page 22: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/22.jpg)
Example: Diffie-Hellman
• The Diffie-Hellman is a widely used key agreement protocol.
• It relies on some number theory:– a mod b = n where m s.t. a = m.b + n
• The protocol uses two public parameters– generator “g” (often 160 bits long)– prime “p” (often 1024 bits long)
![Page 23: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/23.jpg)
Diffie-Hellman
• A and B pick random numbers rA and rB and calculate “tA = grA mod p” and “tB = grB mod p”
• The protocol just exchanges these numbers:• A B : tA
• B A : tB
• A calculates “tBrA mod p” and B “tA rB mod p”
this is the key:
– K = grArB mod p
![Page 24: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/24.jpg)
Diffie-Hellman
• A and B pick random numbers rA and rB and calculate “tA = grA mod p” and “tB = grB mod p”
• The protocol just exchanges these numbers:• A B : p, g, tA
• B A : tB
• A calculates “tArA mod p” and B “tA rB mod p”
this is the key:
– K = grArB mod p
![Page 25: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/25.jpg)
Diffie-Hellman
• An observer cannot work out rA and rB from tA and tB therefore the attacker cannot calculate the key
• The values of “g” and “p” must be big enough to make it intractable to try all possible combinations.
• So we have a “Good Key” but know nothing about the participants.
• We did not need to share any keys at the start, therefore this is a very powerful protocol.
![Page 26: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/26.jpg)
Station-to-Station Protocol
• The Station-to-Station (STS) protocol adds authentication:
1. A B : tA
2. B A : tB , { SignB(tA, tB ) }Kab
3. A B : { SignA(tA, tB ) }Kab
![Page 27: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/27.jpg)
Station-to-Station Protocol
1. A B : A, B, tA 2. B A : B, A, tB , { SignB(tA, tB ) }Kab
3. A B : A, B, { SignA(tA, tB ) }Kab
1. Good Key: as before Key
2. Key Confirmation: A knows that B knows the Kab.
![Page 28: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/28.jpg)
Attack on Mutual Belief
1. A E(B) : A, B, tA
1’. E B : E, B, tA
2’. B E : B,E,tB,
{SignB(tA,tB)}Kab
2. E(B) A : B,A,tB,{SignB(tA,tB)}Kab
3. A E(B) : A, B, { SignA(tA, tB ) }Kab
![Page 29: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/29.jpg)
What does STS provide?
• Attacker E does NOT learn the key.• B does not accept the key.• But A does accept the key.
This can be fixed by changing line 2 to:
2. B A : tB , { A, SignB(tA, tB ) }Kab This is not done because this attack does not pose a
real risk.
In this case Key Confirmation is enough.
![Page 30: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/30.jpg)
Very Important Homework:
• Whenever you do something secure over the Internet (i.e., logon remotely, check your bank balance, pay a bill), think about the protocol used.
Is the communication secure? • Have you established a key? Is it fresh?Think about who has been authenticated:• Have you been authenticated?• Has the computer you’re talking to?
![Page 31: Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d375503460f94a109b7/html5/thumbnails/31.jpg)
Today:
• First Lecture: Goals for security protocol– To know if a protocol is secure you must know
what is aims to achieve. – Example: Diffie-Hellman & STS Protocol.
• Second Part: Attacks and Principles– Common types of attacks on protocols– Good design principles for protocol.