Chapter 8 Network Security (some reviews and security protocols)
Security Analysis of Network Protocols
description
Transcript of Security Analysis of Network Protocols
![Page 1: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/1.jpg)
Security Analysis of Network Protocols
Vitaly ShmatikovSRI
CS 259
http://www.stanford.edu/class/cs259/
John Mitchell
Stanford
![Page 2: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/2.jpg)
Course organization
Lectures• Tues, Thurs for approx first six weeks of quarter • Project presentations last three weeks
This is a project course• There may be one or two short homeworks• Most of your work will be project and presentation
Please enroll!
![Page 3: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/3.jpg)
Computer Security
Cryptography• Encryption, signatures, cryptographic hash, …
Security mechanisms• Access control policy• Network protocols
Implementation• Cryptographic library• Code implementing mechanisms
– Reference monitor and TCB– Protocol
• Runs under OS, uses program library, network protocol stack
Analyze protocols, assuming crypto, implementation, OS correct
![Page 4: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/4.jpg)
Cryptographic Protocols
Two or more parties Communication over insecure network Cryptography used to achieve goal
• Exchange secret keys• Verify identity (authentication)
Class poll: Public-key encryption, symmetric-key encryption, CBC,
hash, signature, key generation, random-number generators
![Page 5: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/5.jpg)
Correctness vs Security
Program or System Correctness• Program satisfies specification
– For reasonable input, get reasonable output
Program or System Security• Program properties preserved in face of attack
– For unreasonable input, output not completely disastrous
Main differences• Active interference from adversary• Refinement techniques may fail
![Page 6: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/6.jpg)
Security Analysis
Model system Model adversary Identify security properties See if properties preserved under attack
Result• No “absolute security”• Security means: under given assumptions
about system, no attack of a certain form will destroy specified properties.
![Page 7: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/7.jpg)
Important Modeling Decisions
How powerful is the adversary?• Simple replay of previous messages• Block messages; Decompose, reassemble and resend• Statistical analysis, partial info from network traffic• Timing attacks
How much detail in underlying data types?• Plaintext, ciphertext and keys
– atomic data or bit sequences
• Encryption and hash functions– “perfect” cryptography– algebraic properties: encr(x*y) = encr(x) * encr(y) for
RSA encrypt(k,msg) = msgk mod N
![Page 8: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/8.jpg)
This has been our research area
Automated nondeterministic finite-state analysis• General paper, Oakland conference, 1997 [JM, …]
• Efficiency for large state spaces, 1998 [VS, …]
• Analysis of SSL, 1998-99 [VS, JM, …]
• Analysis of fair exchange protocols, 2000 [VS, JM, …]
Automated probabilistic analysis• Analysis of probabilistic contract signing, 2004 [VS, …]
• Analysis of an anonymity system, 2004 [VS, …]
Beyond finite-state analysis• Decision procedures for unbounded # of runs• Proof methods, assuming idealized cryptography• Beyond idealized cryptography
Many others have worked on these topics too …
![Page 9: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/9.jpg)
Some other projects and tools
Exhaustive finite-state analysis• FDR, based on CSP [Lowe, Roscoe, Schneider,
…]
Search using symbolic representation of states• Meadows: NRL Analyzer, Millen: Interrogator
Prove protocol correct • Paulson’s “Inductive method”, others in HOL, PVS,
…• MITRE -- Strand spaces• Process calculus approach: Abadi-Gordon spi-
calculus, applied pi-calculus, …• Type-checking method: Gordon and Jeffreys, …
Many more – this is just a small sample
![Page 10: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/10.jpg)
Example: Needham-Schroeder
Famous simple example• Protocol published and known for 10 years• Gavin Lowe discovered unintended property while
preparing formal analysis using FDR system
Background: Public-key cryptography • Every agent A has
– Public encryption key Ka
– Private decryption key Ka-1
• Main properties– Everyone can encrypt message to A– Only A can decrypt these messages
![Page 11: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/11.jpg)
Needham-Schroeder Key Exchange
{ A, NonceA }
{ NonceA, NonceB }
{ NonceB}
Ka
Kb
Result: A and B share two private numbers not known to any observer without Ka-1, Kb
-1
A B
Kb
![Page 12: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/12.jpg)
Anomaly in Needham-Schroeder
A E
B
{ A, NA }
{ A, NA }{ NA, NB }
{ NA, NB }
{ NB }
Ke
KbKa
Ka
Ke
Evil agent E trickshonest A into revealingprivate key NB from B
Evil E can then fool B
[Lowe]
![Page 13: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/13.jpg)
Explicit Intruder Method
Intruder Model
AnalysisTool
Formal Protocol
Informal Protocol
Description
Find error
![Page 14: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/14.jpg)
Mur[Dill et al.]
Describe finite-state system• State variables with initial values• Transition rules• Communication by shared variables
Scalable: choose system size parameters Automatic exhaustive state enumeration
• Space limit: hash table to avoid repeating states
Research and industrial protocol verification
![Page 15: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/15.jpg)
Finite-state methods
Two sources of infinite behavior• Many instances of participants, multiple runs• Message space or data space may be infinite
Finite approximation• Assume finite participants
– Example: 2 clients, 2 servers
• Assume finite message space– Represent random numbers by r1, r2, r3, …– Do not allow encrypt(encrypt(encrypt(…)))
![Page 16: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/16.jpg)
Verification vs Error Detection
Verification• Model system and attacker• Prove security properties
Error detection• Model system and attacker• Find attacks
![Page 17: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/17.jpg)
Applying Murto security protocols
Formulate protocol Add adversary
• Control over “network” (shared variables)
• Possible actions– Intercept any message– Remember parts of messages– Generate new messages, using observed data and
initial knowledge (e.g. public keys)
![Page 18: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/18.jpg)
Needham-Schroeder in Mur (1)
const
NumInitiators: 1; -- number of initiators
NumResponders: 1; -- number of responders
NumIntruders: 1; -- number of intruders
NetworkSize: 1; -- max. outstanding msgs in network
MaxKnowledge: 10; -- number msgs intruder can remember
type
InitiatorId: scalarset (NumInitiators);
ResponderId: scalarset (NumResponders);
IntruderId: scalarset (NumIntruders);
AgentId: union {InitiatorId, ResponderId, IntruderId};
![Page 19: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/19.jpg)
Needham-Schroeder in Mur (2)
MessageType : enum { -- types of messages
M_NonceAddress, -- {Na, A}Kb nonce and addr
M_NonceNonce, -- {Na,Nb}Ka two nonces
M_Nonce -- {Nb}Kb one nonce
};
Message : record
source: AgentId; -- source of message
dest: AgentId; -- intended destination of msg
key: AgentId; -- key used for encryption
mType: MessageType; -- type of message
nonce1: AgentId; -- nonce1
nonce2: AgentId; -- nonce2 OR sender id OR empty
end;
![Page 20: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/20.jpg)
Needham-Schroeder in Mur (3)
-- intruder i sends recorded message
ruleset i: IntruderId do -- arbitrary choice of
choose j: int[i].messages do -- recorded message
ruleset k: AgentId do -- destination
rule "intruder sends recorded message"
!ismember(k, IntruderId) & -- not to intruders
multisetcount (l:net, true) < NetworkSize
==>
var outM: Message;
begin
outM := int[i].messages[j];
outM.source := i;
outM.dest := k;
multisetadd (outM,net);
end; end; end; end;
![Page 21: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/21.jpg)
Adversary Model
Formalize “knowledge”• initial data• observed message fields• results of simple computations
Optimization• only generate messages that others read• time-consuming to hand simplify
Possibility: automatic generation
![Page 22: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/22.jpg)
example
number of sizeofini. res. int. network states time1 1 1 1 1706 3.1s1 1 1 2 40207 82.2s2 1 1 1 17277 43.1s2 2 1 1 514550 5761.1s
Run of Needham-Schroeder
Find error after 1.7 seconds exploration Output: trace leading to error state Mur times after correcting error:
![Page 23: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/23.jpg)
![Page 24: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/24.jpg)
Limitations
System size with current methods• 2-6 participants
Kerberos: 2 clients, 2 servers, 1 KDC, 1 TGS
• 3-6 steps in protocol• May need to optimize adversary
Adversary model • Cannot model randomized attack• Do not model adversary running time
![Page 25: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/25.jpg)
Security Protocols in Mur
Standard “benchmark” protocols• Needham-Schroeder, TMN, …• Kerberos
Study of Secure Sockets Layer (SSL)• Versions 2.0 and 3.0 of handshake protocol• Include protocol resumption
Tool optimization Additional protocols
• Contract-signing• Wireless networking … ADD YOUR PROJECT HERE …
![Page 26: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/26.jpg)
State Reduction on N-S Protocol
1706
17277
514550
980
6981
155709
58222
3263
1
10
100
1000
10000
100000
1000000
1 init
1 resp
2 init
1 resp
2 init
2 resp
Base: handoptimizationof model
CSFW:eliminatenet, maxknowledgeMergeintrud send,princ reply
![Page 27: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/27.jpg)
Plan for this course
Protocols• Authentication, key establishment, assembling
protocols together (TLS ?), fairness exchange, …
Tools• Finite-state and probabilistic model checking,
constraint-solving, process calculus, temporal logic, proof systems, game theory, polynomial time …
Projects• Choose a protocol or other security mechanism• Choose a tool or method and carry out analysis• Hard part: formulating security requirements
![Page 28: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/28.jpg)
Reference Material (CS259 web site)
Protocols• Clarke-Jacob survey• Use Google; learn to read an RFC
Tools• Murphi
– Finite-state tool developed by David Dill’s group at Stanford• PRISM
– Probabilistic model checker, University of Birmingham• MOCHA
– Alur and Henzinger; now consortium• Constraint solver using prolog
– Shmatikov and Millen• Isabelle
– Theorem prover developed by Larry Paulson in Cambridge, UK– A number of case studies available on line
![Page 29: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/29.jpg)
Hope you enjoy the course
We’ll lecture for a few weeks to get started• Case studies are the best way to learn this topic• Cathy Meadows guest lecture next Thursday
Choose a project that interests you !!!• If you have another idea, come talk with us• Can build or extend a tool, or paper study if you
prefer
![Page 30: Security Analysis of Network Protocols](https://reader035.fdocuments.us/reader035/viewer/2022062315/56814e2f550346895dbb9596/html5/thumbnails/30.jpg)
Protocols and other mechanisms
Secure electronic transactions (SET) or other e-commerce protocols
Onion routing or other privacy mechanism Firewall policies Electronic voting protocols Publius: censorship-resistant Web publishing Group key distribution protocols Census protocols Stream signing protocols: Analysis/verification/defense against MCI's network routing
scam • Apparently, MCI routed long-distance phone calls through
small local companies and Canada to avoid paying access charges to local carriers)
Wireless networking protocols