Get documents about "Modelling and Analysing Security Protocol: Lecture 1
Document Sample
Modelling and Analysing of
Security Protocol: Lecture 2
Cryptology for Protocols
Analysis
Tom Chothia
CWI
Today
• You just saw:
– Simple notation for protocols
– Modelling “rules”
– Needham-Schroeder and Kerberos protocols
• Now:
– The different uses of encryption
– Symmetric key encryption, public key encryptions
and signing
– Abstract equation for modelling encryption
Encryption
• Encryption has many uses in security
protocol: not just hiding information.
• A high level “equational” view of
cryptography is best for analysis
protocol.
Caesar Cipher
• One of the first codes was used by Julius
Caesar.
• The Caesar Cipher replaces each letter of the
alphabet with one three to the right, i.e.
– a becomes d,
– b becomes e,
– ....
– z becomes c.
ROT13
• The Caesar Cipher is in use today as ROT13,
which rotates the letters 13 places.
• It is used to make information hard to read
i.e.,
– “What happens in the last Harry Potter book?
Urezvbar qvrf ng gur raq.”
• New Paradigm Resources Group mistakenly
used it to encrypt their e-books worth $3000.
Using a Key
• These ciphers are easy to break because
as soon as you know the scheme you
can decrypt the message.
• Modern encryption schemes use a “key”.
• The scheme is public but it produces
different results for each key.
Using a Key
• For instance we can use the Caesar cipher
rotating “n” rotations.
• But only 26 possible keys so you can just try
them all (breaking the cipher is 26 times
harder without the key).
• A better scheme replaces each letter with an
other letter. Here there are 26! ≈ 4 x 1026
Frequency analysis
• While hard to break by brute force,
replacing each letter with another is
each to break using frequency analysis.
• Frequency analysis counts the number
of times each symbol occurs and tries to
draw conclusions.
Frequency Analysis
picture for wikipedia GNU
The Enigma Machine
• Encryption got serious in the run up to
World War 2.
• The Enigma Machine is better
demonstrated than described.
Block Ciphers
• Modern ciphers work on blocks of plain text,
not just a single symbol.
• They are made up of a series of
permutations and substitutions repeated
on each block.
• The key controls the exact nature of the
permutations and substitutions.
Advanced Encryption
Standard ( AES )
• AES is a state-of-the-art block cipher.
• It works on blocks of 128-bits.
• It generates 10 round keys from a single 128-
bit key.
• It uses one permutation: ShiftRows and three
substitutions SubBytes, MixColumns,
AddRoundKey.
Modulo Arithmetic
• Arithmetic modulo “n” means that you count
up to “n” then loop back to 0
• i.e., 0,1,2,...,n,0,1,2,...,n,0,1,2,...
• a mod b = r for largest whole number k
such that a = b.k + r
• e.g. 9 mod 4 = 1 because 9 = 2.4 +1
SubBytes
a0,0 a0,1 a0,2 a0,3 b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3 b1,0 b1,1 b1,2 b1,3
b1,2
a2,0 a2,1 a2,2 a2,3 b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3 b3,0 b3,1 b3,2 b3,3
• The “SubByte” is a fixed substitution
based on matrix multiplication, one byte
at a type.
ShiftRows
no change
a0,0 a0,1 a0,2 a0,3 a a a a
b0,0 b0,1 b0,2 b0,3
1 to the left
a1,0 a1,1 a1,2 a1,3 a1,1 a1,2 a1,3 a1,0
b1,0 b1,1 b1,2 b1,3
2 to the left
a2,0 a2,1 a2,2 a2,3 a2,2 a2,3 a2,0 a2,1
b2,0 b2,1 b2,2 b2,3
3 to the left
a3,0 a3,1 a3,2 a3,3 b3,0 b3,1 b3,2 b3,3
a3,3 a3,0 a3,1 a3,2
• “ShiftRows” moves the
– 2nd row one byte to the left,
– the 3rd row two bytes
– and the 4th row 3 bytes.
MixColumn
a0,0 a0,1 a0,2 a0,3 b0,0 b0,1 b0,2 b0,3
0,2
a1,0 a1,1 a1,2 a1,3 b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3 b2,0 b2,1 b2,2 b2,3
b2,2
a3,0 a3,1 a a3,3 b3,0 b3,1 b3,2 b3,3
b3,2
3,2
• “MixColumn” is a substitution of each column
such that:
(a0.x3 +a1.x2 + a2.x + a3) x (a0.x3+a1.x2+a2.x+a3)
mod (x4+1) = ( b0.x3 + b1.x2 + b2.x + b3 )
AddRoundKey
a0,0 a0,1 a0,2 a0,3 b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3 xor with key b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3 b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3 b3,0 b3,1 b3,2 b3,3
• “AddRoundKey” xor’s the block with the 128-
bit round key (which was generated from the
main key).
– bi,j = ai,j xor ki,j
AES
• AES encrypts data by first generating the
round keys from the main key
• Then 9 rounds of:
1. SubBytes
2. ShiftRows
3. MixColumns
4. AddRoundKey
• Finally:
1. SubBytes
2. ShiftRows
3. AddRoundKey
Equations
• Including the details of AES in our model
would make it impossible to work with so we
assume that the encryption scheme just
works.
• When analysing protocols we need a formal
way of writing down how it works.
• We use constructor and destructor functions.
– Constructor build up data structures.
– Destructor functions break down data structures
Equations
• For example we can mode AES encryption with two
functions:
encrypt(m,k) decrypt(m,k)
• The constructor function “encrypt(m,k)” is the same
as writing { m }k.
• The destructor function “decrypt(m,k)” can return the
data m if the keys match:
decrypt( encrypt(m,k), k ) = m
Probabilistic Encryption
• These equations tell us that you cannot find
“m” without the key “k” but:
encrypt(m,k) = encrypt(m’,k’) iff m=m’ /\ k=k’
• Probabilistic encryption schemes use random
elements to make every encryption different.
• We model this with:
{ m }k means encrypt(m,r,k) for random r
decrypt( encrypt(m,r,k), k ) = m
The Key Problem
• These encryption schemes work well.
AES is effectively unbreakable with a
“long enough key”.
• The problem is how do you get the key
in the first place?
Public Key Encryption
• Public key encryption helps (but doesn’t
solve) this problem.
• The idea of public key encryption is that you
have two keys:
– one for encryption
– and another for decryption.
• The encryption key is made public, the
decryption key is always secret.
RSA
• RSA is the most popular public key cipher.
• It uses two large primes p & q.
We set n = p.q and o(n) = (p-1)(q-1)
• And we pick random
– e such that 1 ≤ e ≤ o(n) and e and o(n) are co-prime.
– d such that d.e mod o(n) = 1
The public key is (e,n) and the private key is (d,n)
RSA
• To encrypt a message, turn it into numbers
“m” that are less than “n”
• The encrypt as cipher text c do:
c = me mod n
• To decrypt a cipher text c as a message m do:
m = cd mod n
Public Key Equations
• We can formulate this using the functions:
• pub(sk)
• encrypt(m,sk)
• decrypt(m,pk)
decrypt( encrypt (m, pub(sk)), sk) = m
This tells us everything we need to know about
public key encryption for checking protocols.
Public Key Equations
• Another formulation could be:
• pub(seed) pri(seed)
• encrypt(m,sk)
• decrypt(m,pk)
decrypt( encrypt (m, pub(seed) ), pri(seed) ) = m
decrypt( encrypt (m, pri(seed) ), pub(seed) ) = m
Now you cannot learn the public key from the private
key and either key can decrypt the other.
Signatures
Encrypting with a private key can work as
signing. Anyone that has my public key can
check that it was me that signed a message.
Treating encryption and signing in the same
way can lead to confusion, so authentication
is handled separately, using the functions
“auth”, “sign”, “pub” and “value”:
• auth ( sign (m, k) , pub(k) ) = m
• message ( sign(m, k) ) = m
Secure Hash
• A hash is a short “unique” code generated
from a message. It is very hard to find a
message with the same hash as another
message.
• We model this with a singe function hash(m).
– hash(m) = hash(m’) iff m = m’
• So given “m” and a hash “h” we can test is
“hash(m) = h”
The Uses of Encryption
1) Keep data secret
– Only the holders of the key can read the
encrypted data
2) Authentication
– The encrypted message must have come from
someone who had the key.
3) Binding:
– The attacker cannot break up an encrypted
message
The Uses of Encryption in
Kerberos
1. A S : A,B,NA
2. S A : {KAB,B,L,NA}KAS,{KAB,A,L}KBS
3. A B : {A,TA}KAB,{KAB,A,L}KBS
4. B A : {TA+1 }KAB
• Keeping data secret: encryption keeps KAB
secret from an outside observer.
The Uses of Encryption in
Kerberos
1. A S : A,B,NA
2. S A : {KAB,B,L,NA}KAS, {KAB,A,L}KBS
3. A B : {A,TA}KAB, {KAB,A,L}KBS
4. B A : {TA+1 }KAB
• Authentication: encryption with the key KBS
lets B know that the message came from S
The Uses of Encryption in
Kerberos
1. A S : A,B,NA
2. S A : {KAB,B,L,NA}KAS, {KAB,A,L}KBS
3. A B : {A,TA}KAB, {KAB,A,L}KBS
4. B A : {TA+1 }KAB
• Binding: encryption bind the key KAB to the
nonce NA therefore A knows that KAB is fresh.
Encryption: Conclusion
• We assume encryption always works but we
still need to know some details e.g.
– Does the same message encrypted twice look the
same both times?
• Simple equations are good at doing this. You
should keep them in mind when designing /
analysing protocol.
• It is very, very important to know exactly why
encryption is used.
Next Time
• Different types of attacks on protocols
• The goals a protocol might have.
• Good design principles.
