Providing solutions for more secure exchanges

(1)

Providing solutions for more secure exchanges

Stéphanie Delaune

(2)

Cryptographic protocols

small programs designed to secure

communication (various security goals)

use cryptographic primitives (e.g. encryption, hash function, . . . )

(3)

Cryptographic protocols

The network is unsecure!

(4)

Cryptographic protocols

(5)

Security properties

Secrecy: May an intruder learn some secret message between two honest participants?

Authentication: Is the agentAlice really talking toBob?

Fairness: Alice andBobwant to sign a contract. Alice initiates the

protocol. MayBobobtain some advantage?

Privacy: Alice participate to an election. May a participant learn

something about the vote of Alice?

Non-repudiation: Alice sends a message toBob. Alicecannot later

deny having sent this message. Bobcannot deny having received the

message. ...

(6)

Cryptographic primitives

Algorithms that are frequently used to build computer security systems.

These routines include, but are not limited to, one-way hash functions and

(7)

Cryptographic primitives

encryption functions.

Symmetric encryption

(8)

Cryptographic primitives

encryption functions.

Asymmetric encryption

encryption decryption

(9)

Symmetric vs. asymmetric encryption

Symmetric encryption efficient in practice,

agents have to share a secret key

−→ trusted third party, distribution key protocol

Asymmetric encryption not efficient in practice,

agents do not have to share a secret

−→ often used in establishment key protocols

(10)

Digital signature: How does it work?

signature verification

private key public key

similar to public key encryption

everyone knows the key to verify the signature (publickey)

(11)

Properties and applications

Properties

the signature has toauthenticatethe signer

the signature “ belongs to “oneparticular document

(12)

Properties and applications

Properties

the signature has toauthenticatethe signer

the signature “ belongs to “oneparticular document

the signed document can not be modified afterwards

Applications

certificate to authenticate a public key contract signing protocols

E-voting protocols (blind signature)

(13)

Hash function: What is it?

Hash function

It is a reproducible method of turning some kind of data into a (relatively)

small number that may serve as a digital"fingerprint" of the data (again substitutions and permutations).

(14)

Properties and Applications

Properties

deterministic function

one-way function: there is no practical way to retrievem from

hash(m)

collision resistant: difficult to findm1 andm2 such that m16=m2 and

hash(m1)=hash(m2) Some applications

to improve efficiency: we can sign hash(m) instead of m

use to guarantee the integrity of a message

(15)

Outline of the talk

1 Introduction

2 Some examples of security protocols

Credit Card payment

Needham Schroeder protocol

3 How can we verify them?

How protocols can be attacked? How protocols can be proved secure?

(16)

Outline of the talk

1 Introduction

Credit Card payment

(17)

Carte bancaire

La carte bleue est protégée par un grand

nombre public dont on ne connait pas la

(18)

Carte bancaire

fac-torisation.

Nombre de 96 chiffres

213598703592091008239502270499962879705109534182641740644252 4165008583957746445088405009430865999

(19)

Carte bancaire

fac-torisation.

213598703592091008239502270499962879705109534182641740644252 4165008583957746445088405009430865999

Affaire Serge Humpich (1997)

il factorise ce nombre de 96 chiffres et conçoit de fausses cartes bleues (les “ YesCard”).

(20)

Carte bancaire

fac-torisation.

213598703592091008239502270499962879705109534182641740644252 4165008583957746445088405009430865999

Affaire Serge Humpich (1997)

il factorise ce nombre de 96 chiffres et conçoit de fausses cartes bleues (les “ YesCard”).

−→ Depuis, le nombre utilisé pour sécuriser les cartes bancaires

(21)

Example: credit card payment

TheclientCl puts his credit cardC in the

terminalT.

Themerchant enters the amountM of the sale.

Theterminal authenticates thecredit card. Thecliententers his PIN.

IfM ≥100e_{, then in 20% of cases,}

Theterminalcontacts thebankB. Thebanksgives its authorisation.

(22)

More details

(23)

More details

the BankB , the Client Cl, the Credit CardC and the TerminalT

Bank

aprivate signature key – priv(B)

apublickey to verify a signature – pub(B)

(24)

More details

Bank

asecret key shared with the credit card – KCB Credit Card

someData: name of the cardholder, expiry date ...

a signature of the Data–{hash(Data)}priv(B)

(25)

More details

Bank

asecret key shared with the credit card – KCB Credit Card

someData: name of the cardholder, expiry date ...

a signature of the Data–{hash(Data)}priv(B)

asecret key shared with the bank – KCB Terminal

(26)

Payment protocol

the terminal T reads the credit card C:

(27)

Payment protocol

1. C → T : Data,{hash(Data)}_priv₍_B₎

the terminal T asks the code:

2. T → Cl : code?

3. Cl → C : 1234

(28)

Payment protocol

1. C → T : Data,{hash(Data)}_priv₍_B₎

the terminal T asks the code:

2. T → Cl : code?

3. Cl → C : 1234

4. C → T : ok

the terminal T requests authorisation the bankB:

5. T → B: auth? 6. B → T : 4528965874123 7. T → C : 4528965874123 8. C → T : {4528965874123}KCB 9. T → B: {4528965874123}KCB 10. B → T : ok

(29)

Faille sur la carte bleue

Initialement la sécurité été assurée par :

cartes difficilement réplicables, secret des clefs et du protocole.

(30)

Faille sur la carte bleue

Initialement la sécurité été assurée par :

cartes difficilement réplicables, secret des clefs et du protocole.

Mais il y a des failles !

faillecryptographique: les clefs de 320 bits ne sont plus sûres, faillelogique : pas de lien entre le code secret à 4 chiffres et l’authentification,

faillematériel : réplicabilité des cartes.

(31)

La « YesCard »: Comment ca marche ?

Faille logique

1.C →T :Data,{hash(Data)}_priv₍B)

2.T →Cl :code?

3.Cl →C :1234

(32)

La « YesCard »: Comment ca marche ?

Faille logique

2.T →Cl :code?

3.Cl →C′ :2345

(33)

La « YesCard »: Comment ca marche ?

Faille logique

2.T →Cl :code?

3.Cl →C′ :2345

4.C′ →T :ok

Remarque : il y a toujours quelqu’un à débiter.

(34)

La « YesCard »: Comment ca marche ?

Faille logique

2.T →Cl :code?

3.Cl →C′ :2345

4.C′ →T :ok

Remarque : il y a toujours quelqu’un à débiter.

→ ajout d’un faux chiffrement sur une fausse carte (Serge Humpich).

1.C′ →T :XXX,{hash(XXX)}_priv₍B) 2.T →Cl :code?

3.Cl →C′ :0000

(35)

Outline of the talk

1 Introduction

Credit Card payment

(36)

Needham-Schroeder’s Protocol (1978)

• A → B: {hA,Nai}pub(B) B → A: {hNa,Nbi}pub(A)

(37)

Needham-Schroeder’s Protocol (1978)

A → B: {hA,Nai}pub(B)

• B → A: {hNa,Nbi}pub(A) A → B: {Nb}pub(B)

(38)

Needham-Schroeder’s Protocol (1978)

B → A: {hNa,Nbi}pub(A)

(39)

Needham-Schroeder’s Protocol (1978)

(40)

Needham-Schroeder’s Protocol (1978)

• A → B: {Nb}pub(B)

Questions

IsNb secret between Aand B ?

(41)

Needham-Schroeder’s Protocol (1978)

• A → B: {Nb}pub(B)

Questions

IsNb secret between Aand B ?

WhenB receives{Nb}_pub₍B), does this message really comes fromA?

Attack

(42)

Example: Man in the middle attack

AgentA Intruder I Agent B

Attack

involving2 sessions inparallel, anhonest agent has to initiatea session withI.

A →B : {hA,Nai}pub(B)

B →A : {hNa,Nbi}pub(A)

(43)

Example: Man in the middle attack

{hA,Nai}pub(I) {hA,Nai}pub(B)

(44)

Example: Man in the middle attack

{hA,Nai}pub(I) {hA,Nai}pub(B) {hNa,Nbi}pub(A) {hNa,Nbi}pub(A) A →B : {hA,Nai}pub(B) B →A : {hNa,Nbi}pub(A) A →B : {Nb}pub(B)

(45)

Example: Man in the middle attack

{hA,Nai}pub(I) {hA,Nai}pub(B) {hNa,Nbi}pub(A) {hNa,Nbi}pub(A) {Nb}pub(I) {Nb}pub(B) A →B : {hA,Nai}pub(B) B →A : {hNa,Nbi}pub(A) A →B : {Nb}pub(B)

(46)

Example: Man in the middle attack

{hA,Nai}pub(I) {hA,Nai}pub(B)

{hNa,Nbi}pub(A)

{Nb}pub(I) {Nb}pub(B)

Attack

the intruder knowsNb,

WhenBfinishes his session

(apparently withA),A has

never talked withB.

(47)

Outline of the talk

1 Introduction

Credit Card payment

(48)

La recherche au LSV

(49)

La recherche au LSV

−→ accroitre notre confiance dans les logiciels critiques

logiciel: texte relativement long écrit dans un langage spécifique et

qui sera exécuté par un ordinateur

critique: une défaillance peut avoir desconséquences désastreuses en termes humains ou économiques

(50)

Difficultés et enjeux de la vérification de programmes

−→ une petite modification (quelques caractères) peut le transformer

complètement.

Un besoin crucial de vérification

pour des raisons économiques

−→ Ariane 5, carte bancaire, . . .

mais parfois il y a aussi des vies humaines en jeu

−→ la machine Therac-25 dans les années 80

−→ logiciels embarqués dans les voitures, les avions, . . .

enjeux démocratiques

(51)

Comment fait-on ?

Tests

à la main ou génération automatique;

(52)

Comment fait-on ?

Tests

vérification d’un nombre finide cas.

(53)

Comment fait-on ?

Tests

vérification d’un nombre finide cas.

∞ ∞ ∞ Accéder à l’infini: un rêve impossible ? ∞ ∞ ∞

Vérification (preuves formelles)

−→ preuves mathématiques

à la main ou à l’aide d’ordinateur; vérification detous les cas possibles; plus difficile.

(54)

Comment vérifier ces programmes ?

(55)

Comment vérifier ces programmes ?

Les mathématiques et l’informatique à la rescousse !

Notre but:

1 _{faire des preuves mathématiques rigoureuses,}

2 d’une façon automatique.

(56)

Comment vérifier ces programmes ?

Les mathématiques et l’informatique à la rescousse !

Notre but:

1 _{faire des preuves mathématiques rigoureuses,}

2 d’une façon automatique.

“Construire une machine à détecter les bugs”

1936: une telle machine n’existe pas (Alan Turing)

... même dans le cas particulier des protocoles cryp-tographiques.

(57)

Mais alors, que faisons nous ?

(58)

Mais alors, que faisons nous ?

Le problème n’apas de solution....

(59)

Mais alors, que faisons nous ?

mais seulement dans lecas général

Différentes pistes:

(60)

Mais alors, que faisons nous ?

mais seulement dans lecas général

Différentes pistes:

résoudre le problème dans de nombreux cas intéressants,

proposer des procédures approchées,

Exemple: si le vérificateur répond “oui” alors le logiciel estsûr, sinon on ne peut rien dire

(61)

Outline of the talk

1 Introduction

Credit Card payment

(62)

Cryptographic protocols vs (classical) programs

Some specificities:

protocol are executed in anhostile envrionment

−→ a powerful attacker who controls the communication network

unbounded number of sessions running concurrently thecryptographic primitives play an important role

(63)

How cryptographic protocols can be attacked?

Breaking encryption Logical attack

Ciphertext-only attack, Known-plaintext attack, . . .

(64)

Casser le chiffrement RSA

Les challenges RSA

défis lancés par le laboratoire RSA Security

(65)

Casser le chiffrement RSA

Les challenges RSA

récompenses importantes offertes

RSA-576 174 chiffres réussi 2003

RSA-704 212 chiffres non résolu−30 000 dollars

... .. ...

(66)

Casser le chiffrement RSA

Les challenges RSA

récompenses importantes offertes

... .. ...

(67)

Logical attack - What is it?

Logical attacks

can be mounted even assuming perfectcryptography,

֒→ replay attack,man-in-the middle attack, . . .

are numerous, see SPORE, Security Protocols Open REpository

֒→ http://www.lsv.ens-cachan.fr/spore/ subtle andhard to detect by “eyeballing” the protocol

Examples:

man in the middleattacks: e.g. Needham Schroeder protocol;

replay attacks: electronic passport protocol (French version), electronic voting protocol (e.g. Helios).

(68)

Outline of the talk

1 Introduction

Credit Card payment

(69)

Cryptographic models

Main features:

Messages are bitstrings

Protocols are programs that exchange messages

Realalgorithms for cryptographic primitives

Powerful attacker: any probabilisitic polynomial time Turing machine

(70)

Cryptographic models

Main features:

Messages are bitstrings

Realalgorithms for cryptographic primitives

Powerful attacker: any probabilisitic polynomial time Turing machine

−→ quite realisticmodel

Advantage: Clear and quite strong security guarantee

(71)

Symbolic models

Main features:

Messages are abstracted by terms (abstract objects)

Cryptographic primitives are abstracted by function symbols

Idealized attacker: in particular, we have to describe what he can do.

(72)

Symbolic models

Main features:

Messages are abstracted by terms (abstract objects)

Cryptographic primitives are abstracted by function symbols

Idealized attacker: in particular, we have to describe what he can do.

−→ very abstractmodel

Advantage: Security proofs are easier to do and they can be mechanized

(73)

Link between the two models

Computational soundness

Computational soundness aims to establish sufficient conditions under which results obtained using symbolic models imply security under computational models.

−→ Seminal paper: Abadi & Rogaway, 2001

Many other papers have been obtained in this area.

(74)

Symbolic model

Messages are abstracted by terms

pairing hm1,m2i,

symmetric senc(m,k) and public key encryption aenc(m,pub(A)),

(75)

Symbolic model

pairing hm1,m2i,

signature sign(m,priv(A)).

Presence of an idealized attacker

mayread,interceptandsend messages,

maybuild new messages followingdeduction rules

(76)

Symbolic model

pairing hm1,m2i,

signature sign(m,priv(A)).

Presence of an idealized attacker

mayread,interceptandsend messages,

maybuild new messages followingdeduction rules

(symbolic manipulation on terms).

Examples:

m k

senc(m,k)

senc(m,k) k

m

aenc(m,pub(a)) priv(a)

(77)

Difficulties of the verification

Presence of an attacker ...

(78)

Difficulties of the verification

who controls the communication network:

mayread every message sent on the network

(79)

Difficulties of the verification

mayintercept andsend new messages

who has deduction capabilities

encryption, decryption if he knows the decryption key, pairing, projection

(80)

Difficulties of the verification

(81)

Difficulties of the verification

(82)

Secrecy problem in presence of a passive attacker

Intruder deduction problem for a fixed inference system I

Input: a finite set of ground terms T (the knowledge of the

attacker) and a ground terms (the secret),

(83)

Secrecy problem in presence of a passive attacker

Output: Iss deducible from T in I?

Example: T ={senc(s₁,k₁); senc(s₂,k₂); hk₁,k₂i} ands =hs₁,s₂i.

x y hx,yi hx,yi x hx,yi y x y senc(x,y) senc(x,y) y x

(84)

Secrecy problem in presence of a passive attacker

Output: Iss deducible from T in I?

Example: T ={senc(s₁,k₁); senc(s₂,k₂); hk₁,k₂i} ands =hs₁,s₂i.

x y hx,yi hx,yi x hx,yi y x y senc(x,y) senc(x,y) y x Results

The intruder deduction problem is decidable in PTIME for the inference system given above (and some others)

(85)

Secrecy problem via constraint solving

−→ for a fixed number of sessions

Protocol rules in(u1); out(v1) in(u2); out(v2) . . . in(un); out(vn) Constraint System C=                T0 ? ⊢u1 T₀,v₁ ? ⊢u₂ ... T0,v1, ..,vn ? ⊢s

(86)

Secrecy problem via constraint solving

−→ for a fixed number of sessions

Protocol rules in(u1); out(v1) in(u2); out(v2) . . . in(un); out(vn) Constraint System C=                T0 ? ⊢u1 T₀,v₁ ? ⊢u₂ ... T0,v1, ..,vn ? ⊢s

Solution of a constraint system in I

A substitutionσ such that

(87)

Example: Needham-Schroeder’s protocol

A₍a_,I₎ _and B₍b₎ _{(running in parallel)}

out({ha,nai}pub(I))

in({hna,xnbi}pub(a)) ; out({xnb}pub(I))

(88)

Example: Needham-Schroeder’s protocol

1 out({ha,nai}_pub₍_I₎)

3 in({hna,xnbi}pub(a)) ; out({xnb}pub(I))

(89)

Example: Needham-Schroeder’s protocol

2 in({hya,ynai}pub(b)) ; out({hyna,nbi}pub(ya)) Constraints System

(90)

Example: Needham-Schroeder’s protocol

(91)

Example: Needham-Schroeder’s protocol

T0, {a,na}_pub₍_I₎ ?

(92)

Example: Needham-Schroeder’s protocol

T0, {a,na}_pub₍_I₎ ?

⊢ {ya,yna}pub(b) T0, {a,na}_pub₍I), {yna,nb}pub(ya)

(93)

Example: Needham-Schroeder’s protocol

2 in({hya,ynai}pub(b)) ; out({hyna,nbi}pub(ya)) Constraints System T0, {a,na}_pub₍_I₎ ? ⊢ {ya,yna}pub(b) T0, {a,na}_pub₍I), {yna,nb}pub(ya) ? ⊢ {na,xnb}pub(a)

(94)

Example: Needham-Schroeder’s protocol

2 in({hya,ynai}pub(b)) ; out({hyna,nbi}pub(ya)) Constraints System T0, {a,na}_pub₍_I₎ ? ⊢ {ya,yna}pub(b) T0, {a,na}_pub₍I), {yna,nb}pub(ya) ? ⊢ {na,xnb}pub(a) T0, {a,na}_pub₍_I₎, {yna,nb}pub(ya), {xnb}pub(I)

(95)

Example: Needham-Schroeder’s protocol

?

(96)

Example: Needham-Schroeder’s protocol

?

⊢ nb

(97)

Decision procedure

There exists an algorithm (actually a set of simplification rules) to decide whether such kind of constraint systems have a solution or not.

(98)

Decision procedure

There exists an algorithm (actually a set of simplification rules) to decide whether such kind of constraint systems have a solution or not.

Main idea of the procedure:

C= ( _T₀_u₁ T0,v1u2 ... T0,v1, ..,vnun+1 SOLVED ⊥ ⊥ C1 C2 C3 C4

(99)

Outil de vérification AVISPA

Outil disponible en ligne: http://www.avispa-project.org/

(100)

Outline of the talk

1 Introduction

Credit Card payment

(101)

Conclusion

numerous, various security goals

can be attackedeven if the primitives aresecure

−→ http://www.lsv.ens-cachan.fr/spore/ How to verify them?

modellingthe protocol, the security properties manually /automatically

−→ the problem isundecidable in general (some tools exist)

It remains a lot to do

modelling security properties is a difficult task

does a suitable E-voting protocol exist?

take into account the algebraic properties of the primtives