Transcript of lecture slides: Cryptographic protocols (Myrto Arapinis, School of Informatics, University of Edinburgh)
Cryptographic protocols
Myrto Arapinis, School of Informatics
University of Edinburgh
October 20, 2016
1 / 19
Context
Applications exchanging sensitive data over a public network:
- eBanking,
- eCommerce,
- eVoting,
- ePassports,
- Mobile phones,
- . . .
A malicious agent can:
- record, alter, delete, insert, redirect, reorder, and reuse past or current messages, and inject new messages → the network is the attacker
- control dishonest participants
2 / 19
The attacker controls the network (1), (2), (3)
[figures only]
3 / 19 – 5 / 19
All messages can be intercepted by an attacker (1)
[figure only]
6 / 19
All messages can be intercepted by an attacker (2)
An attacker can intercept packets, but also alter, forge new, and inject packets
7 / 19
More complex systems needed...
A → B: e = E(KE, "Transfer 100 € to Amazon's account"), m = MAC(KM, e)
Replay attack: the attacker records the valid pair (e, m) and resends it; the MAC still verifies, so each copy is accepted as a fresh transfer
(e, m) →
(e, m) → ...
(e, m) →
8 / 19
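The replay on slide 8 in runnable form, as an added example that is not part of the lecture material. Encryption and MAC keys are constructed sample values; the cipher is a toy HMAC-derived keystream standing in for a real one, while the MAC is a genuine HMAC-SHA256. The naive receiver checks only the MAC, exactly as on the slide, and accepts every replayed copy; the hardened receiver additionally binds a sequence number into the MAC and rejects anything it has already seen.

```python
import hashlib
import hmac

# Constructed sample keys (not from the slides): KE for encryption, KM for the MAC.
K_E = b"encryption-key-KE-example-only!!"
K_M = b"mac-key-KM-example-only!!!!!!!!!"


def encrypt(k_e: bytes, nonce: bytes, data: bytes) -> bytes:
    """E(KE, m): XOR with a keystream derived from (k_e, nonce). Toy cipher for illustration."""
    keystream = b""
    counter = 0
    while len(keystream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        keystream += hmac.new(k_e, block, hashlib.sha256).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(data, keystream))


decrypt = encrypt  # XOR stream cipher: decryption is the same operation


def make_message(seq: int, plaintext: bytes):
    """Sender: e = E(KE, m), tag = MAC(KM, seq || e). seq doubles as the cipher nonce."""
    nonce = seq.to_bytes(8, "big")
    e = encrypt(K_E, nonce, plaintext)
    tag = hmac.new(K_M, nonce + e, hashlib.sha256).digest()
    return (seq, e, tag)


class NaiveBank:
    """The slide's receiver: verifies the MAC only, so a replayed (e, m) is accepted again."""

    def __init__(self):
        self.ledger = []  # every transfer this receiver has executed

    def receive(self, msg) -> bool:
        seq, e, tag = msg
        nonce = seq.to_bytes(8, "big")
        expected = hmac.new(K_M, nonce + e, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        self.ledger.append(decrypt(K_E, nonce, e).decode())
        return True


class ReplayAwareBank(NaiveBank):
    """Same MAC check, plus a strictly increasing sequence number: replays are rejected."""

    def __init__(self):
        super().__init__()
        self.last_seq = -1

    def receive(self, msg) -> bool:
        seq = msg[0]
        if seq <= self.last_seq:      # already processed (or older): replay
            return False
        if not super().receive(msg):  # MAC failure
            return False
        self.last_seq = seq
        return True


def run_replay(bank, replays: int = 3) -> int:
    """Deliver one legitimate transfer, then resend the recorded message `replays` times.
    Returns how many transfers the bank executed."""
    msg = make_message(1, b"Transfer 100 EUR to Amazon's account")
    bank.receive(msg)            # the legitimate transfer
    for _ in range(replays):
        bank.receive(msg)        # attacker resends the recorded (e, m)
    return len(bank.ledger)


if __name__ == "__main__":
    print("naive receiver executed", run_replay(NaiveBank()), "transfers")        # 4
    print("replay-aware receiver executed", run_replay(ReplayAwareBank()), "transfer")  # 1
```

The sequence number is a stand-in for whatever freshness mechanism a real protocol uses (counters, nonces, timestamps with a window); the point is that confidentiality plus integrity of a single message says nothing about whether that message is new.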
... to achieve more complex properties
- Confidentiality: Some information should never be revealed to unauthorised entities.
- Integrity: Data should not be altered in an unauthorised manner since the time it was created, transmitted or stored by an authorised source.
- Authentication: Ability to know with certainty the identity of a communicating entity.
- Anonymity: The identity of the author of an action (e.g. sending a message) should not be revealed.
- Unlinkability: An attacker should not be able to deduce whether different services are delivered to the same user.
- Non-repudiation: The author of an action should not be able to deny having triggered this action.
- . . .
9 / 19
Cryptographic protocols
Programs relying on cryptographic primitives and whose goal is the establishment of "secure" communications.
But!
Many exploitable errors are due not to design errors in the primitives, but to the way they are used, i.e. bad protocol design and buggy or careless implementation.
10 / 19
Numerous deployed protocols are flawed :(
Needham-Schroeder protocol - G. Lowe, "An attack on the Needham-Schroeder public-key authentication protocol"
Kerberos protocol - I. Cervesato, A. D. Jaggard, A. Scedrov, J. Tsay, and C. Walstad, "Breaking and fixing public-key Kerberos"
Single-Sign-On protocol - A. Armando, R. Carbone, L. Compagna, J. Cuellar, and M. L. Tobarra, "Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for Google Apps"
PKCS#11 API - M. Bortolozzo, M. Centenaro, R. Focardi, and G. Steel, "Attacking and fixing PKCS#11 security tokens"
BAC protocol - T. Chothia, and V. Smirnov, "A traceability attack against e-passports"
AKA protocol - M. Arapinis, L. Mancini, E. Ritter, and M. Ryan, "New privacy issues in mobile telephony: fix and verification"
. . .
11 / 19
And end up in the news :(
12 / 19
Logical attacks
Many of these attacks do not even break the crypto primitives!!
13 / 19
Example of a logical attack
Assume a commutative encryption scheme
{{m}k1}k2 = {{m}k2}k1
where {m}k denotes the encryption of message m under the key k. Example: textbook RSA (keys sharing one modulus, so that (m^e1)^e2 = (m^e2)^e1 mod n)
No authentication!
Honest run (A with B):
A → B: {pin: 3443}pkA
B → A: {{pin: 3443}pkA}pkB
A → B: {pin: 3443}pkB
Attack (I answers in B's place):
A → I: {pin: 3443}pkA
I → A: {{pin: 3443}pkA}pkI
A → I: {pin: 3443}pkI
since {{pin: 3443}pkA}pkB = {{pin: 3443}pkB}pkA by commutativity, A can strip its own layer from the second message and hand the responder a ciphertext under the responder's key alone; nothing in the exchange tells A whether that responder is B or I, so I recovers the PIN without breaking the encryption.
14 / 19
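The exchange above run with real (if tiny) textbook RSA, as an added example that is not part of the lecture material. All parties share one modulus so that the slide's commutativity assumption holds; the primes and exponents are constructed sample values. The same `three_pass` function is run once with B as responder and once with the intruder I, who holds an ordinary key pair of their own: both recover the PIN, because no step authenticates the responder.

```python
# Textbook RSA with a modulus shared by all users, so that encryption commutes:
# ((m^eA)^eB) mod n == ((m^eB)^eA) mod n.  Constructed toy parameters, illustration only.
P, Q = 1009, 1013
N = P * Q                    # 1022117, large enough to hold the PIN 3443 as a single block
PHI = (P - 1) * (Q - 1)


def keypair(e: int):
    """Return (public exponent, private exponent) for this shared modulus."""
    return e, pow(e, -1, PHI)


PK_A, SK_A = keypair(17)
PK_B, SK_B = keypair(13)
PK_I, SK_I = keypair(19)     # the intruder's own, perfectly ordinary key pair


def enc(pk: int, m: int) -> int:
    """{m}pk"""
    return pow(m, pk, N)


def dec(sk: int, c: int) -> int:
    """Strip the layer that was added with the matching public key."""
    return pow(c, sk, N)


def commutes(m: int, pk1: int, pk2: int) -> bool:
    """The slide's assumption: {{m}k1}k2 == {{m}k2}k1."""
    return enc(pk2, enc(pk1, m)) == enc(pk1, enc(pk2, m))


def three_pass(responder_pk: int, responder_sk: int, pin: int = 3443) -> int:
    """The slide's exchange between A and a responder R holding (responder_pk, responder_sk):
       A -> R: {pin}pkA ; R -> A: {{pin}pkA}pkR ; A -> R: {pin}pkR.
    Returns what R recovers. A never checks who R is."""
    msg1 = enc(PK_A, pin)                 # A → R: {pin}pkA
    msg2 = enc(responder_pk, msg1)        # R → A: {{pin}pkA}pkR
    msg3 = dec(SK_A, msg2)                # A strips its layer: = {{pin}pkR}pkA decrypted with skA = {pin}pkR
    return dec(responder_sk, msg3)        # R opens {pin}pkR


def honest_three_pass() -> int:
    return three_pass(PK_B, SK_B)         # B learns the PIN, as intended


def intruder_three_pass() -> int:
    return three_pass(PK_I, SK_I)         # I, answering in B's place, learns it too


if __name__ == "__main__":
    print("commutative:", commutes(3443, PK_A, PK_B))
    print("B recovers:", honest_three_pass())
    print("I recovers:", intruder_three_pass())
```

Two caveats a practitioner should keep in mind: the attack needs no cryptanalysis at all, only the missing authentication of the responder; and a shared RSA modulus is itself unsafe in practice (anyone holding one key pair for n can recover the factorisation), it is used here only to make the slide's commutativity assumption literally true.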
Authentication and key agreement protocols
15 / 19
Authentication and key agreement
- Long-term keys should be used as little as possible, to reduce the attack surface
- The use of a key should be restricted to a specific purpose, e.g. you shouldn't use the same RSA key both for encryption and signing
- Public key algorithms tend to be computationally more expensive than symmetric key algorithms
Long-term keys are used to establish short-term session keys, e.g. HTTP over TLS (HTTPS), AKA for 3G, BAC for ePassports, etc.
16 / 19
Needham-Schroeder Public Key (NSPK)
NSPK: authentication and key agreement protocol
A: new NA
A → B: aenc(pkB, ⟨NA, A⟩)
B: new NB
B → A: aenc(pkA, ⟨NA, NB⟩)
A → B: aenc(pkB, ⟨NB, A⟩)
A: kAB ← h(NA, NB)    B: kAB ← h(NA, NB)
[R. Needham, M. Schroeder. "Using encryption for authentication in large networks of computers". Communications of the ACM (December 1978)]
17 / 19
NSPK: security requirements
- Authentication (of B to A): if Alice has completed the protocol, apparently with Bob, then Bob must also have completed the protocol with Alice.
- Authentication (of A to B): if Bob has completed the protocol, apparently with Alice, then Alice must have completed the protocol with Bob.
- Confidentiality: messages sent encrypted with the agreed key (k ← h(NA, NB)) remain secret.
18 / 19
NSPK: Lowe's attack on authentication
Attack found 17 years after the publication of the NS protocol!!
A starts a session with the dishonest I; I replays A's messages to B while posing as A (written I(A)):
A: new NA
A → I:    aenc(pkI, ⟨NA, A⟩)
I(A) → B: aenc(pkB, ⟨NA, A⟩)
B: new NB
B → I(A): aenc(pkA, ⟨NA, NB⟩)    (I cannot open this, but does not need to)
I → A:    aenc(pkA, ⟨NA, NB⟩)
A → I:    aenc(pkI, ⟨NB, A⟩)      (A decrypts NB for I)
I(A) → B: aenc(pkB, ⟨NB, A⟩)
A: kAI ← h(NA, NB)    I: kAI ← h(NA, NB), kAB ← h(NA, NB)    B: kAB ← h(NA, NB)
B has completed the protocol apparently with A, but A never ran it with B: the second authentication requirement fails, and I knows kAB, so confidentiality of the session with B fails too.
[G. Lowe. "An attack on the Needham-Schroeder public key authentication protocol". Information Processing Letters (November 1995)]
19 / 19
NSPK: Lowe's fix
B's identity is added to the second message, so A can tell that the reply was produced for a session with B and not with I:
A: new NA
A → B: aenc(pkB, ⟨NA, A⟩)
B: new NB
B → A: aenc(pkA, ⟨NA, ⟨NB, B⟩⟩)
A → B: aenc(pkB, ⟨NB, A⟩)
A: kAB ← h(NA, NB)    B: kAB ← h(NA, NB)
20 / 19
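The NSPK protocol, Lowe's interleaving and Lowe's fix in a small symbolic (Dolev-Yao style) model, as an added example that is not part of the lecture material. Encryption is modelled symbolically: a term `("aenc", "pkX", payload)` can only be opened by agent X, nonces are fresh tagged values, and `h` is an uninterpreted function, which is exactly the abstraction under which Lowe found the attack. The role names, tuple layout and the `lowe` switch are this example's own choices.

```python
import itertools

# Symbolic asymmetric encryption: only the holder of skX opens a ciphertext under pkX.
def aenc(pk: str, payload):
    return ("aenc", pk, payload)


def adec(agent: str, ct):
    tag, pk, payload = ct
    if tag != "aenc" or pk != "pk" + agent:
        raise ValueError(f"{agent} cannot decrypt a message under {pk}")
    return payload


def h(na, nb):                 # uninterpreted key-derivation function
    return ("h", na, nb)


_fresh = itertools.count()
def nonce(owner: str):         # fresh value, distinguishable from every other nonce
    return (f"N{owner}", next(_fresh))


class Initiator:
    """Role A, wanting to talk to `peer`. With lowe=True, message 2 must carry the peer's name."""
    def __init__(self, name, peer, lowe=False):
        self.name, self.peer, self.lowe = name, peer, lowe
        self.na, self.key = nonce(name), None

    def msg1(self):
        return aenc("pk" + self.peer, (self.na, self.name))

    def msg3(self, m2):
        payload = adec(self.name, m2)
        if self.lowe:
            na, (nb, b) = payload
            if b != self.peer:
                raise ValueError(f"{self.name}: message 2 names {b}, expected {self.peer}")
        else:
            na, nb = payload
        if na != self.na:
            raise ValueError("message 2 does not echo my nonce")
        self.key = h(self.na, nb)
        return aenc("pk" + self.peer, (nb, self.name))


class Responder:
    """Role B. Learns who it is (apparently) talking to from message 1."""
    def __init__(self, name, lowe=False):
        self.name, self.lowe = name, lowe
        self.nb, self.key, self.peer = nonce(name), None, None

    def msg2(self, m1):
        na, a = adec(self.name, m1)
        self.na, self.peer = na, a
        body = (na, (self.nb, self.name)) if self.lowe else (na, self.nb)
        return aenc("pk" + a, body)

    def finish(self, m3):
        nb, a = adec(self.name, m3)
        if nb != self.nb or a != self.peer:
            raise ValueError("message 3 is not for this session")
        self.key = h(self.na, self.nb)


def nspk_honest_run(lowe=False) -> bool:
    a, b = Initiator("A", "B", lowe), Responder("B", lowe)
    m1 = a.msg1(); m2 = b.msg2(m1); m3 = a.msg3(m2); b.finish(m3)
    return a.key == b.key and b.peer == "A"


def nspk_lowe_attack(lowe=False) -> bool:
    """A starts a session with I; I re-encrypts A's messages to B, posing as A.
    Returns True iff B finishes believing it talked to A while I knows B's key."""
    a, b = Initiator("A", "I", lowe), Responder("B", lowe)
    try:
        m1 = a.msg1()                          # A → I:    aenc(pkI, <NA, A>)
        na, _ = adec("I", m1)                  # I opens it with skI
        m2 = b.msg2(aenc("pkB", (na, "A")))   # I(A) → B: aenc(pkB, <NA, A>); B → I(A): aenc(pkA, ...)
        m3 = a.msg3(m2)                        # I → A forwards B's reply untouched; A → I: aenc(pkI, <NB, A>)
        nb, _ = adec("I", m3)                  # I now knows NB
        b.finish(aenc("pkB", (nb, "A")))      # I(A) → B: aenc(pkB, <NB, A>)
    except ValueError:
        return False                           # some honest party rejected a message
    return b.peer == "A" and b.key == h(na, nb)


if __name__ == "__main__":
    print("NSPK honest run:", nspk_honest_run())             # True
    print("Lowe's attack on NSPK:", nspk_lowe_attack())      # True: B is fooled, I has the key
    print("Attack on the fixed protocol:", nspk_lowe_attack(lowe=True))  # False: A rejects message 2
```

With the fix, the attack dies at A's check in `msg3`: B's reply names B, but A's session is with I, so A refuses to release NB. Note what the model does not claim: it shows one trace, not the absence of others; exhaustive search over interleavings is what tools such as ProVerif or Tamarin add on top of this kind of model.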