Security II - Cryptographic Protocols
Stefano Calzavara
Università Ca' Foscari Venezia
April 23, 2020
Introduction
Cryptographic protocols are the foundations of many distributed systems
SSL / TLS to establish secure channels on the Web
Kerberos to authenticate network services
WPA2 to securely connect to Wi-Fi networks
Complicated to prove correct:
conceptual flaws in the protocol design
implementation mistakes, which make a correct protocol insecure
(cryptographic breaches)
Threat Model
Protocol participants communicate on an untrusted network: everything sent on the network can be read and modified by the attacker
Alice → Oliver: Pay Charlie 1000
Oliver → Bob: Pay Oliver 2000
Cryptography
We assume the use of perfect cryptography, which the attacker cannot breach. Using symmetric crypto we can protect the exchange:
Alice → Oliver: {Pay Charlie 1000}KAB
Oliver → Bob: {Pay Charlie 1000}KAB
Reflection Attack
Unfortunately, perfect cryptography is not enough for security!
Alice → Oliver: {Pay Charlie 1000}KAB
Oliver → Alice: {Pay Charlie 1000}KAB
Solution: break symmetry by including the sender’s name in the message
Replay Attack
Another example where perfect cryptography does not help...
Alice → Oliver: {Pay Charlie 1000}KAB
Oliver → Bob: {Pay Charlie 1000}KAB
Oliver → Bob: {Pay Charlie 1000}KAB
Solution: ensure freshness by including a timestamp / sequence number
Challenge - Response
Timestamps and sequence numbers are not great for freshness
timestamps require the use of a global clock (synchronization?)
sequence numbers require the use of state information
Better solution: challenge-response protocols
Bob → Alice: n
Alice → Bob: {Alice, Pay Charlie 1000, n}KAB
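The reflection and replay slides and the challenge-response fix, as an added Python example that is not part of the original lecture. It assumes an HMAC-SHA256 tag as a stand-in for {...}KAB (integrity only, no confidentiality); the key, field names and class names are constructed for the illustration.

```python
import hashlib
import hmac
import json
import secrets

K_AB = secrets.token_bytes(32)  # constructed key shared by Alice and Bob


def seal(key, fields):
    """Stand-in for {fields}K: JSON body followed by an HMAC-SHA256 tag."""
    body = json.dumps(fields, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key, blob):
    """Return the fields if the tag verifies, else None."""
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return json.loads(body) if hmac.compare_digest(tag, expected) else None


class NaiveReceiver:
    """Accepts anything sealed under the shared key."""

    def __init__(self, key):
        self.key = key

    def accept(self, blob):
        return unseal(self.key, blob) is not None


class ChallengeReceiver:
    """Checks the sender's name and a one-time nonce it issued itself."""

    def __init__(self, key, peer):
        self.key, self.peer, self.pending = key, peer, set()

    def challenge(self):
        n = secrets.token_hex(16)
        self.pending.add(n)
        return n

    def accept(self, blob):
        msg = unseal(self.key, blob)
        if msg is None or msg.get("from") != self.peer:
            return False  # forged, or our own message reflected back
        if msg.get("n") not in self.pending:
            return False  # nonce never issued or already used: replay
        self.pending.discard(msg["n"])
        return True
```

The nonce set is the only state the receiver keeps, and it is discarded once the answer arrives, which is the advantage over sequence numbers named on the slide.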
Example: Needham - Schroeder Protocol
Goal: exchange nonces nA, nB to generate a symmetric key
Bob → Alice: {B, nB}pk(KA)
Alice → Bob: {nB, nA}pk(KB)
Bob → Alice: {nA}pk(KA)
Breaking Needham - Schroeder
Bob → Oliver: {B, nB}pk(KO)
Oliver → Alice: {B, nB}pk(KA)
Alice → Oliver: {nB, nA}pk(KB)
Oliver → Bob: {nB, nA}pk(KB)
Bob → Oliver: {nA}pk(KO)
Oliver → Alice: {nA}pk(KA)
Fixing Needham - Schroeder
Fix (Lowe): extend the second message with Alice’s identity
Bob → Alice: {B, nB}pk(KA)
Alice → Bob: {A, nB, nA}pk(KB)
Bob → Alice: {nA}pk(KA)
Fixing Needham - Schroeder
Now Bob can spot that something went wrong...
Bob → Oliver: {B, nB}pk(KO)
Oliver → Alice: {B, nB}pk(KA)
Alice → Oliver: {A, nB, nA}pk(KB)
Oliver → Bob: {A, nB, nA}pk(KB)
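The two traces above replayed symbolically, as an added Python example that is not part of the original lecture. It assumes perfect public-key encryption modelled as a tagged tuple, symbolic nonce names "nA" and "nB", and the roles used on the slides (Bob initiates, Alice responds); the function names are constructed for the illustration.

```python
def enc(payload, owner):
    """Symbolic {payload}pk(K_owner): a box that only `owner` can open."""
    return ("enc", owner, payload)


def dec(msg, me):
    """Perfect cryptography: opening succeeds only for the key owner."""
    tag, owner, payload = msg
    if tag != "enc" or owner != me:
        raise PermissionError(f"{me} cannot open a message for {owner}")
    return payload


def run_trace(lowe_fix):
    """Bob starts a session with Oliver, who relays it to Alice.

    Returns (nonces Oliver learned, True if Bob completed the session).
    """
    oliver_knows = set()

    # Bob -> Oliver: {B, nB}pk(KO); Oliver opens it and re-encrypts for Alice.
    sender, nonce = dec(enc(("B", "nB"), "O"), "O")
    oliver_knows.add(nonce)
    m1 = enc((sender, nonce), "A")

    # Alice replies to the claimed sender B; Lowe's fix prepends her name.
    claimed, got_nb = dec(m1, "A")
    reply = ("A", got_nb, "nA") if lowe_fix else (got_nb, "nA")
    m2 = enc(reply, claimed)  # sealed for B, so Oliver can only forward it

    # Bob opens the reply inside his session with Oliver.
    fields = dec(m2, "B")
    if lowe_fix and fields[0] != "O":
        return oliver_knows, False  # responder name is not O: Bob aborts
    if fields[-2] != "nB":
        return oliver_knows, False  # not an answer to Bob's challenge
    # Bob -> Oliver: {nA}pk(KO), which hands Alice's nonce to Oliver.
    (leaked,) = dec(enc((fields[-1],), "O"), "O")
    oliver_knows.add(leaked)
    return oliver_knows, True
```

Oliver learns nB in both runs because Bob chose to talk to him; what the fix prevents is the release of nA, the nonce Alice generated for a session she believes is with Bob.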
Protocol Verification
Manual analysis is long, tedious and very error-prone
protocols run on distributed, concurrent systems
... which are supposed to satisfy complex security properties
... and are assumed to be under attack from the network
Luckily, there’s great support for automated verification nowadays
1. encode the protocol in an appropriate formalism, e.g., process calculi
2. express the intended security properties in the chosen formalism
3. push the button and get the results of the security analysis
Process Calculi
Process calculus = tiny formalism to express distributed systems
Extensive literature in the area since 1980:
1980, CCS: focus on synchronization over channels
1989, pi-calculus: CCS + channel mobility
1997, spi-calculus: pi-calculus + simple cryptography
2001, applied pi-calculus: pi-calculus + arbitrary cryptography
CCS
Ordering a pizza in CCS:
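$C \triangleq \overline{askpizza}.\overline{pay}.pizza$
$P \triangleq askpizza.pay.\overline{pizza}$
$S \triangleq C \mid P$
Small-step semantics:
$S \to \overline{pay}.pizza \mid pay.\overline{pizza} \to pizza \mid \overline{pizza} \to 0 \mid 0$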
Value-Passing CCS
Hey, let me choose my pizza!
C ≜ askpizza〈margherita〉.pay〈5〉.pizza(x)
P ≜ askpizza(x).pay(y).pizza〈x〉
S ≜ C | P
Small-step semantics:
S → pay〈5〉.pizza(x) | pay(y).pizza〈margherita〉
  → pizza(x) | pizza〈margherita〉
  → 0 | 0
Non-Determinism
Multiple clients might induce confusion on pizza delivery...
C1 ≜ askpizza〈margherita〉.pizza(x).eat1〈x〉
C2 ≜ askpizza〈pepperoni〉.pizza(x).eat2〈x〉
P ≜ !askpizza(x).pizza〈x〉
S ≜ C1 | C2 | P
Small-step semantics:
S → pizza(x).eat1〈x〉 | pizza〈margherita〉 | C2 | P
  → pizza(x).eat1〈x〉 | pizza〈margherita〉 | pizza(x).eat2〈x〉 | pizza〈pepperoni〉 | P
  → eat1〈pepperoni〉 | pizza〈margherita〉 | pizza(x).eat2〈x〉 | P
  → eat1〈pepperoni〉 | eat2〈margherita〉 | P
Pi-Calculus
Reliable home delivery of pizza!!!
C1 ≜ (νh) (askpizza〈margherita, h〉.h(x).eat1〈x〉)
C2 ≜ (νh) (askpizza〈pepperoni, h〉.h(x).eat2〈x〉)
P ≜ !askpizza(x, y).y〈x〉
S ≜ C1 | C2 | P
Small-step semantics:
S → (νh) (h(x).eat1〈x〉 | h〈margherita〉) | C2 | P
  → (νh) (h(x).eat1〈x〉 | h〈margherita〉) | (νh) (h(x).eat2〈x〉 | h〈pepperoni〉) | P
  → eat1〈margherita〉 | (νh) (h(x).eat2〈x〉 | h〈pepperoni〉) | P
  → eat1〈margherita〉 | eat2〈pepperoni〉 | P
Scope Extrusion
The restriction operator (νa)P creates a fresh name a which is local to the scope of P
scope extrusion extends the scope of a to other processes
useful to model a selective release of secrets
formalized via structural equivalence ≡
(νa) (c〈a〉.a(x).0) | c(x).x〈k〉.0
  ≡ (νa) (c〈a〉.a(x).0 | c(x).x〈k〉.0)
  → (νa) (a(x).0 | a〈k〉.0)
  → (νa) (0 | 0)
  ≡ 0
Applied Pi-Calculus
The applied pi-calculus exchanges constructed terms on channels
Terms      M, N ::= x | c | f(M1, ..., Mn)
Processes  P, Q ::= M〈N〉.P
                  | M(x).P
                  | 0
                  | P | Q
                  | !P
                  | (νa)P
                  | let x = g(M1, ..., Mn) in P else Q
Equational Theory
Terms are subject to an equational theory which defines their semantics
fst(pair(M, N)) = M
snd(pair(M, N)) = N
sdec(senc(M, N), N) = M
dec(enc(M, pk(N)), N) = M
ver(sign(M, N), pk(N)) = M
Equations are used to define the semantics of destructors (let)
Example: Needham - Schroeder Protocol
Bob → Alice: {B, nB}pk(KA)
Alice → Bob: {nB, nA}pk(KB)
Bob → Alice: {nA}pk(KA)
A ≜ a(x).let y = dec(x, KA) in (νnA) b〈enc(pair(snd(y), nA), pk(KB))〉.a(z).let w = dec(z, KA) in if w = nA then 0
B ≜ (νnB) a〈enc(pair(b, nB), pk(KA))〉.b(x).let y = dec(x, KB) in if fst(y) = nB then a〈enc(snd(y), pk(KA))〉
P ≜ (νKA) (νKB) (A | B)
Modeling the Attacker
The attacker is implicitly modeled as an arbitrary process, which is run in parallel with the protocol
the attacker knows all the public names, i.e., those names which are not bound by a restriction operator
restricted names are revealed to the attacker once they are sent on public channels
the attacker can exploit his knowledge to read/write on public channels and tamper with known cryptographic material
Previous case: P ≜ (νKA) (νKB) (A | B | net〈pk(KA)〉 | net〈pk(KB)〉)
Example
Consider the following process:
(νs) (νb) (a〈pair(M, s)〉 | a(x).if snd(x) = s then b〈fst(x)〉)
Can this process ever output something different from M on b?
Yes, pick the attacker: a(y).a〈pair(N, snd(y))〉
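The attacker model, the equational theory and the example above combined into an attacker-knowledge check, as an added Python example that is not part of the original lecture. It assumes terms written as nested tuples such as ("pair", M, N) with atoms as strings; the function names are constructed for the illustration, and the check goes beyond the single process on the slide to any set of observed terms.

```python
def derivable(term, known):
    """Can the attacker build `term` from `known` by applying constructors?"""
    if term in known:
        return True
    if isinstance(term, tuple):  # (constructor, arg1, ..., argn)
        return all(derivable(arg, known) for arg in term[1:])
    return False


def destruct(t, known):
    """Subterms released by one destructor equation of the theory."""
    if not isinstance(t, tuple):
        return set()
    head, args = t[0], t[1:]
    if head == "pair":                                # fst, snd
        return set(args)
    if head == "senc" and derivable(args[1], known):  # sdec(senc(M,N),N) = M
        return {args[0]}
    if head == "enc" and isinstance(args[1], tuple) and args[1][0] == "pk":
        if derivable(args[1][1], known):              # dec(enc(M,pk(N)),N) = M
            return {args[0]}
    if head == "sign" and derivable(("pk", args[1]), known):
        return {args[0]}                              # ver(sign(M,N),pk(N)) = M
    return set()


def saturate(observed):
    """Least set containing `observed` and closed under the destructors."""
    known = set(observed)
    while True:
        new = set().union(*(destruct(t, known) for t in known)) - known
        if not new:
            return known
        known |= new


def attack_possible(observed, goal):
    """True if the attacker can produce `goal` after seeing `observed`."""
    return derivable(goal, saturate(observed))


# Constructed input for the slide's process: channel a is public, so the
# attacker observes pair(M, s) and owns some value N of its choice.
SLIDE_OBSERVED = {"N", ("pair", "M", "s")}
SLIDE_FORGERY = ("pair", "N", "s")  # the term a<pair(N, snd(y))>
```

`attack_possible(SLIDE_OBSERVED, SLIDE_FORGERY)` holds because the restricted name s is extruded in clear on a; wrapping the pair in senc under a key the attacker cannot derive makes the same query fail.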