
Modelling and Analysing of Security Protocol: Lecture 1

Introductions to Modelling Protocols

Tom Chothia

CWI

This Course

• This course will primarily teach you:

– How to design your own secure communication protocols.
– How to analyse protocols and look for faults.
– How to use automatic tools to help you do this.

• Secondary skills:

– Know which protocols to use for which jobs.
– Improve your system design skills.

Course Outline

• This Lecture:

– How we model protocols
– Types of encryption used.

• Lecture 2:

– Types of attacks on protocols
– Good protocol design
– Homework (1/6 of total score).

• Lecture 3:

– Verifying protocols using BAN logic.

• Lecture 4:

– Automatically verifying protocols.
– Homework (1/6 of total score)

• Lecture 5:

– Anonymity protocols.

• Lecture 6:

– Verifying probabilistic protocols in PRISM

• Lecture 7:

– Fair exchange & Zero knowledge

• Lecture 8 to Lecture 10

– Short student presentations (2/3 of total score)

• Lecture 11

– Summary

Sources

Take notes if you want, but you will get handouts with all the important details, and the slides, handouts, papers, homework and links will be available at:

This Lecture

• Part 1:

– Simple notation for protocols
– Modelling “rules”
– Needham-Schroeder and Kerberos protocols

• Part 2:

– A high-level overview of cryptography
– Symmetric key encryption, public key encryption and signing
– Abstract equation for modelling encryption

A Simple Protocol

“A” sends message “M” to “B”, written as:

A → B : M

Rules

• We write down protocols as a list of messages sent between “principals”, e.g.

1. A → B : “Hello”
2. B → A : “Offer”
3. A → B : “Accept”

A Simple Protocol

A → B : M

Message “M” can be read by the attacker.

Even now!

Rule

• The attacker can read all the messages sent across the network.

Encryption

• We can keep our data safe by using encryption:

A → B : { M }Kab

Rule

• We can use

– Encryption {M}K, EK(M)
– Signing SignK(M), SK(M), MACK(M)
– Hashing #(M), Hash(M)

• We assume that these are perfect

– cannot be broken by brute force.

Encryption

A → B : { M }Kab

“M” is now secret but the protocol is not safe.

Replay Attack

1) A → B : { Pay Eve €5 }Kab

[Diagram: A sends B message 1: { Pay Elvis €5 }Kab; E then sends B message 2: { Pay Elvis €5 }Kab]

Rule

• The attacker can repeat any message it sees.

A Nonce

1. A → B : A
2. B → A : { Na }Kab
3. A → B : { Na + 1 }Kab , { Pay Elvis €5 }Kab

Rule

• We can generate nonces.

• These are new random values.

• If you generate a new nonce for a session, you know that all future messages that include that nonce are part of the same session.

A Nonce

1. A → B : A
2. B → A : { Na }Kab
3. A → B : { Na + 1 }Kab , { Pay Elvis €5 }Kab
4. A → B : A
5. B → A : { Na2 }Kab
6. A → B : { Na2 + 1 }Kab , { Pay Bob €5 }Kab

A Nonce

[Diagram: the same six messages, with E between A and B replacing message 6 by 6’]

6. { Na2 + 1 }Kab , { Pay Bob €5 }Kab
6’. { Na2 + 1 }Kab , { Pay Elvis €5 }Kab

Rule

• The attacker can run multiple rounds of the protocol.

• The attacker can

– break up messages,
– invent new values, keys, nonces, ..
– combine any of these into new messages.

A Better Protocol

1. A → B : A, Na
2. B → A : { Na }Kab
3. A → B : { Na , Pay Elvis €5 }Kab
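The difference between the two nonce protocols can be checked in a small symbolic model. This is an added example, not part of the original slides: `Enc`, `dec`, the class `B`, `a_send` and `run_payment` are hypothetical names, encryption is treated as perfect as the rules above assume, B issues the challenge as in message 2, and the one-use handling of the nonce is an assumption.

```python
import secrets
from collections import namedtuple

Enc = namedtuple("Enc", "key body")   # symbolic {body}key, opaque without the key
KAB = "Kab"                           # shared by A and B; E never holds it

def dec(key, ct):
    """Perfect encryption: the plaintext with the right key, otherwise None."""
    return ct.body if isinstance(ct, Enc) and ct.key == key else None

class B:
    def __init__(self, bound):
        self.bound, self.nonce, self.paid = bound, None, []

    def challenge(self):              # message 2: { Na }Kab, fresh per session
        self.nonce = secrets.randbits(64)
        return Enc(KAB, self.nonce)

    def receive(self, *parts):        # message 3, old or better format
        nonce, self.nonce = self.nonce, None   # assumption: one use per nonce
        if nonce is None:
            return False
        if self.bound:                # { Na, order }Kab: a single ciphertext
            body = dec(KAB, parts[0])
            ok = isinstance(body, tuple) and body[0] == nonce
            order = body[1] if ok else None
        else:                         # { Na + 1 }Kab , { order }Kab: two ciphertexts
            ok = len(parts) == 2 and dec(KAB, parts[0]) == nonce + 1
            order = dec(KAB, parts[1]) if ok else None
        if ok:
            self.paid.append(order)
        return ok

def a_send(challenge, order, bound):  # A answers B's challenge
    n = dec(KAB, challenge)
    return (Enc(KAB, (n, order)),) if bound else (Enc(KAB, n + 1), Enc(KAB, order))

def run_payment(bound):
    """Return (was E's message accepted?, list of orders B executed)."""
    b = B(bound)
    msg3 = a_send(b.challenge(), "Pay Elvis EUR5", bound)  # session 1, seen by E
    b.receive(*msg3)
    msg6 = a_send(b.challenge(), "Pay Bob EUR5", bound)    # session 2, held by E
    # E has no key, so it can only cut ciphertexts apart and recombine them.
    forged = msg3 if bound else (msg6[0], msg3[1])
    return b.receive(*forged), b.paid
```

With the nonce and the order in separate ciphertexts, B accepts message 6’ and pays Elvis twice; with both inside one ciphertext, the only thing E can send is the old message 3, which carries the wrong nonce.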


Key Establishment Protocol

• This was easy because A and B shared a key.

• Often the principals do not share a key, in which case we need a “Key Establishment Protocol”.

• This usually involves a “Trusted Third Party” who has a shared key with each party.

The Needham-Schroeder Public Key Protocol

A famous authentication protocol:

1. A → B : EB( Na, A )
2. B → A : EA( Na, Nb )
3. A → B : EB( Nb )

Na and Nb can then be used to generate a symmetric key.

An Attack Against the Needham-Schroeder Protocol

The attacker acts as a man-in-the-middle:

1. A → C : EC( Na, A )
1'. C(A) → B : EB( Na, A )
2'. B → C(A) : EA( Na, Nb )
2. C → A : EA( Na, Nb )
3. A → C : EC( Nb )
3'. C(A) → B : EB( Nb )

The Corrected Version

A very simple fix: B adds its own identity to message 2.

1. A → B : EB( Na, A )
2. B → A : EA( Na, Nb, B )
3. A → B : EB( Nb )

Rule

• The attacker can act as a participant of the protocol.
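The man-in-the-middle trace and the effect of the fix can be replayed symbolically. This is an added example, not part of the original slides: `PkEnc`, `open_` and `run_ns` are hypothetical names, public-key encryption is treated as perfect, and nonces are symbolic strings.

```python
from collections import namedtuple

PkEnc = namedtuple("PkEnc", "owner body")  # E_owner(body): only owner can open it

def open_(who, ct):
    """Return the plaintext if 'who' holds the matching private key, else None."""
    return ct.body if ct.owner == who else None

def run_ns(fixed):
    """Replay the trace with C in the middle; report what each party concludes."""
    Na, Nb = "Na", "Nb"                    # symbolic fresh nonces
    # 1.  A -> C : E_C(Na, A)        A willingly starts a session with C
    m1 = PkEnc("C", (Na, "A"))
    # 1'. C(A) -> B : E_B(Na, A)     C opens m1 and re-encrypts it for B
    m1p = PkEnc("B", open_("C", m1))
    # 2'. B -> C(A) : E_A(Na, Nb) or, in the corrected version, E_A(Na, Nb, B)
    na, claimed = open_("B", m1p)
    m2 = PkEnc("A", (na, Nb, "B") if fixed else (na, Nb))
    # 2.  C -> A : forwarded unchanged, because C cannot open it
    assert open_("C", m2) is None
    body = open_("A", m2)
    # A's check: the nonce matches and, when fixed, the sender is the peer A chose
    a_ok = body[0] == Na and (not fixed or body[2] == "C")
    if not a_ok:
        return {"A_aborts": True, "C_knows_Nb": False, "B_thinks_peer": None}
    # 3.  A -> C : E_C(Nb)           A unknowingly decrypts Nb for C
    leaked = open_("C", PkEnc("C", body[1]))
    # 3'. C(A) -> B : E_B(Nb)        B sees its nonce and completes the run
    b_ok = open_("B", PkEnc("B", leaked)) == Nb
    return {"A_aborts": False, "C_knows_Nb": leaked == Nb,
            "B_thinks_peer": claimed if b_ok else None}
```

In the original protocol B finishes the run believing its peer is A while C holds Nb; in the corrected version A sees B's name in message 2, knows it never contacted B, and stops before message 3.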


Kerberos

A protocol for key establishment and authentication used in Windows, MacOS, Apache, OpenSSH, ...

1. A → S : A, B, NA
2. S → A : { KAB, B, L, NA, .. }KAS , { KAB, A, L, .. }KBS
3. A → B : { A, TA }KAB , { KAB, A, L, .. }KBS
4. B → A : { TA + 1 }KAB

Kerberos

A and S share the key KAS, and B and S share KBS.

Both A and B trust S to generate a new key for them: KAB.

N is a nonce, T is a timestamp and L is an expiration time.

Sources

• For lectures 1 & 2 the primary reference material is the handouts.

• This information is covered in more depth in

– Paper: “Prudent Engineering Practices for Cryptographic Protocols” (by Abadi & Needham)
– Book: “Protocols for Authentication and Key Establishment” (by Boyd & Mathuria); there are copies in the library.

This Lecture

• Part 1:

– Simple notation for protocols
– Modelling “rules”
– Needham-Schroeder and Kerberos protocols

• Part 2:

– A high level overview of cryptography
– Symmetric key encryption, public key encryptions and signing
