
Formal Methods for Security Protocols
Catuscia Palamidessi
Penn State University, USA



6 June 2002 - Lecture 2   TU Dresden - Ws on Proof Theory and Computation   1
                          Security Protocols
Contents of previous lecture:
      • A brief introduction to security protocols
            • Distributed systems, insecure communication, intruders
            • Aims and properties
                  • authentication, secrecy, integrity, anonymity, etc.
            • Notation: Message # x -> y : data
            • Example: the Needham-Schroeder SK protocol

      • A very brief introduction to cryptographic methods
            • Symmetric and asymmetric cryptography
                  • one-way functions, trap doors

      • Vulnerabilities of security protocols (just started)
     Security Protocols Vulnerabilities

Attack strategies
      • Man-in-the-middle
            • The attacker interferes by intercepting the message and
              possibly modifying it and/or pretending to be one of the
              two parties.


     Security Protocols Vulnerabilities
 Attack strategy: Man-in-the-middle
    Example: The Diffie-Hellman key establishment scheme
      •   This scheme is meant to establish a private key between two parties. It is
          more straightforward and requires neither a third party nor a trap-door.

      •   Choose a prime p and a primitive root r modulo p. (primitive means that all
          numbers between 1 and p can be generated by taking exponents of r modulo p)
      •   Alice chooses at random an integer x and sends Bob the message
             m1 = r^x (mod p)
      •   Bob chooses an integer y and sends Alice the message
             m2 = r^y (mod p)
      •   Alice calculates
              K1 = m2^x (mod p)
      •   Bob calculates
              K2 = m1^y (mod p)
      •   It is easy to prove that K1 = K2, since K1 = (r^y)^x = r^(xy) = (r^x)^y = K2 (mod p).
          Hence Alice and Bob can use K1 as a private key between themselves. Note that
          Alice and Bob play a symmetric role in the generation of the key.
      •   Deriving x from m1 (and y from m2) is considered to be intractable.
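A worked run of the scheme above with a small prime, added here as an example (not from the lecture), together with a check of the "primitive root" condition as the slides define it; p = 23 and r = 5 are constructed toy values.

```python
import random

def generated_values(r, p):
    """The set {r^k mod p : 1 <= k < p}: every value the exponentiation of r can
    produce, hence every value the shared key can take for this choice of (p, r)."""
    return {pow(r, k, p) for k in range(1, p)}

def is_primitive_root(r, p):
    """The slides' notion of 'primitive': the powers of r must generate all the
    p-1 non-zero numbers modulo p."""
    return len(generated_values(r, p)) == p - 1

def diffie_hellman(p, r, x, y):
    """One run with Alice's secret x and Bob's secret y.
    Returns (m1, m2, K1, K2): the two exchanged messages and the two computed keys."""
    m1 = pow(r, x, p)   # Alice -> Bob : r^x (mod p)
    m2 = pow(r, y, p)   # Bob -> Alice : r^y (mod p)
    K1 = pow(m2, x, p)  # Alice: (r^y)^x = r^(xy) (mod p)
    K2 = pow(m1, y, p)  # Bob:   (r^x)^y = r^(xy) (mod p)
    return m1, m2, K1, K2

if __name__ == '__main__':
    p, r = 23, 5  # constructed toy parameters; a real p is thousands of bits long
    assert is_primitive_root(r, p)
    x, y = random.randrange(1, p - 1), random.randrange(1, p - 1)
    m1, m2, K1, K2 = diffie_hellman(p, r, x, y)
    print(f'm1={m1} m2={m2}  K1={K1} K2={K2}  equal: {K1 == K2}')
    # Caveat: a non-primitive r (here 22 = -1 mod 23) shrinks the key space to the
    # subgroup it generates, so the resulting key is far easier to guess.
    print('distinct keys reachable with r=22:', len(generated_values(22, p)))
```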

     Security Protocols Vulnerabilities
      • The Diffie-Hellman key establishment scheme has no way to
        ensure authentication. A man-in-the-middle, Yves, could
        pretend to be Bob and establish a shared key with Alice, thus
        reading all the messages that Alice thinks she is sending to
        Bob. He could do the same with Bob, even at the same time.



     Security Protocols Vulnerabilities

 Replay
      • The intruder monitors a (possibly partial) run of the
        protocol and at some time reproduces (replays) one or
        more of the messages.




     Security Protocols Vulnerabilities
    Example: Let us consider what could happen to the NSSK
     protocol (Needham-Schroeder Secret Key) if we remove the
     nonce from A

          Message 1    A -> J :  A.B
          Message 2    J -> A :  {B.kAB.{kAB.A}ServerKey(B)}ServerKey(A)
          Message 3    A -> B :  {kAB.A}ServerKey(B)
          Message 4    B -> A :  {nB}kAB
          Message 5    A -> B :  {nB - 1}kAB

    Suppose that Yves eventually succeeds in breaking the key, so he
     now knows kAB. Presumably this will have taken a long time, so kAB
     is no longer used by A and B. However, the next time Alice sends a
     request to Jeeves, Yves can intercept Jeeves' reply and send
     back to Alice the message
                          {B.kAB.{kAB.A}ServerKey(B)}ServerKey(A)

     So Alice will take the old key kAB as the key to use in the next
     conversation with Bob.
     Security Protocols Vulnerabilities
In the original NSSK protocol this attack is not possible,
because A would recognize that the nonce is different
from the one it sent.

Note that the nonce is used as a sort of local time stamp.


The original NSSK protocol
     Message 1    A -> J :  A.B.nA
     Message 2    J -> A :  {nA.B.kAB.{kAB.A}ServerKey(B)}ServerKey(A)
     Message 3    A -> B :  {kAB.A}ServerKey(B)
     Message 4    B -> A :  {nB}kAB
     Message 5    A -> B :  {nB - 1}kAB


     Security Protocols Vulnerabilities
    In the original NSSK protocol, however, a similar attack is possible on
     the other partner B. In fact, B has no way to establish the freshness of
     the first message he sees (#3 in the protocol). So, Yves could
     intercept the message from A to B and send to B, instead, a previously
     intercepted message {kAB.A}ServerKey(B).

     Assuming that the intruder had time to discover the previous key kAB,
     the communication from B using this key is compromised.

     This attack was discovered by Denning and Sacco, 1981 (three years
     after it had been in use in the Kerberos protocol).

     A solution to this problem is to use timestamps. So in message #3, a
     timestamp (generated by A or by J) should also be sent, encrypted, to B.

     Note: Timestamps assume a global notion of time.
     The use of timestamps was introduced in the Kerberos protocol so as to
     avoid the problem above.


     Security Protocols Vulnerabilities
 Alternatively, one could use nonces in a different way,
  as with the Yahalom protocol:

          Message 1    A -> B :  A.nA
          Message 2    B -> J :  B.{A.nA.nB}ServerKey(B)
          Message 3    J -> A :  {B.kAB.nA.nB}ServerKey(A).{A.kAB}ServerKey(B)
          Message 4    A -> B :  {A.kAB}ServerKey(B).{nB}kAB


     In this protocol, both A and B get to inject nonces
     before the request reaches Jeeves, so they both get a
     handle on the freshness of the key generated by
     Jeeves.

     Security Protocols Vulnerabilities
 Oracle
      • The intruder tricks an agent into inadvertently
        revealing some information, possibly by inducing him
        to perform some steps of a protocol.


 Interleave
      • The intruder contrives for two or more runs of the
        protocol to overlap.


     Security Protocols Vulnerabilities
 Example of an attack on the Needham-Schroeder
  Public-Key protocol which combines oracle and
  interleaving techniques

          The NSPK protocol (simplified version)

          Message 1    A -> B :  { A.nA }PKB
          Message 2    B -> A :  { nA.nB }PKA
          Message 3    A -> B :  { nB }PKB

 At the end of the protocol, it would seem reasonable
  to believe that:
      • A and B know with whom they have been interacting
      • A and B agree on the values of nA and nB
      • No one else knows the values of nA and nB

     Security Protocols Vulnerabilities
    In fact, for many years the NSPK protocol (1981) had been
     believed to satisfy those properties, but in 1995 Gavin Lowe
     discovered the following attack:
      •   here, Y(A) represents Y generating (resp. receiving) the message,
          making it appear as generated (resp. received) by A.

          Message a.1    A -> Y     :  { A.nA }PKY
          Message b.1    Y(A) -> B  :  { A.nA }PKB
          Message b.2    B -> Y(A)  :  { nA.nB }PKA
          Message a.2    Y -> A     :  { nA.nB }PKA
          Message a.3    A -> Y     :  { nB }PKY
          Message b.3    Y(A) -> B  :  { nB }PKB

      •   Initially, Alice starts a protocol run with Yves, thinking that he is an
          honest agent.
      •   At the end, Bob thinks that
            •   he has been communicating with Alice, while this is not the case
            •   he and Alice share nA and nB exclusively, while this is not the case.

     Security Protocols Vulnerabilities
It is actually relatively easy to fix the NSPK protocol: it
is sufficient to include the identity of the responder
within the encrypted part of Message 2

          Message 1    A -> B :  A.B.{ A.nA }PKB
          Message 2    B -> A :  B.A.{ B.nA.nB }PKA
          Message 3    A -> B :  A.B.{ nB }PKB

This new protocol (called the Lowe-Needham-Schroeder
protocol) has been proved correct using CSP/FDR
methods.
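Two of the receiver-side checks discussed on these slides, added here as an example written for this page (not the lecture's own material): A's freshness check on NSSK Message 2, which rejects the recorded reply that the nonce-less variant accepts, and A's check of the responder's identity in NSPK Message 2, which is what Lowe's fix adds. Encryption is modelled symbolically, the nonce-less NSSK variant is modelled as A skipping the nonce comparison, and every key, nonce and identity is a constructed value.

```python
# Symbolic model of encryption: {payload}K is the tuple ('enc', K, payload) and
# opens only with the same K. Keys are labels ('KA' for ServerKey(A), 'PKA' for
# A's public key); every key, nonce and identity below is a constructed value.
def enc(key, payload):
    return ('enc', key, payload)

def dec(key, ct):
    if ct[0] != 'enc' or ct[1] != key:
        raise ValueError('cannot decrypt with this key')
    return ct[2]

# NSSK Message 2: {nA.B.kAB.{kAB.A}ServerKey(B)}ServerKey(A)
def nssk_msg2(nA, b, kAB):
    return enc('KA', (nA, b, kAB, enc('KB', (kAB, 'A'))))

def nssk_alice_accepts(sent_nonce, msg2, check_nonce=True):
    """Session key A adopts, or None if she rejects the reply. check_nonce=False
    is the weakened protocol: A cannot tell a fresh reply from a recorded one."""
    nA, b, kAB, _ticket = dec('KA', msg2)
    if b != 'B' or (check_nonce and nA != sent_nonce):
        return None
    return kAB

def nssk_replay(check_nonce):
    old_reply = nssk_msg2(1001, 'B', 'kAB_old')  # recorded by Yves in an earlier run
    # Next run: A sends nonce 2002, but Yves answers with the recorded reply.
    return nssk_alice_accepts(2002, old_reply, check_nonce)

# NSPK Message 2: {nA.nB}PKA originally, {B.nA.nB}PKA with Lowe's fix
def nspk_msg2(nA, nB, responder, lowe_fix):
    return enc('PKA', (responder, nA, nB) if lowe_fix else (nA, nB))

def nspk_alice_accepts(peer, sent_nonce, msg2, lowe_fix):
    """A started a run with `peer`; returns nB if Message 2 is accepted, else None."""
    body = dec('PKA', msg2)
    if lowe_fix:
        responder, nA, nB = body
        if responder != peer:
            return None  # produced for a run with someone else: interleaving detected
    else:
        nA, nB = body
    return nB if nA == sent_nonce else None

def lowe_interleaving(lowe_fix):
    """Run a: A talks to Y with nonce 7. Run b: Y(A) relays to B, who answers
    {(B.)nA.nB}PKA; Y hands B's answer to A as if it were Y's own Message 2."""
    bobs_answer = nspk_msg2(7, 99, 'B', lowe_fix)
    return nspk_alice_accepts('Y', 7, bobs_answer, lowe_fix)
```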


