# Formal Methods for Security Protocols

Catuscia Palamidessi
Penn State University, USA

6 June 2002 - Lecture 2   TU Dresden - Ws on Proof Theory and Computation   1
Security Protocols
Contents of previous lecture:
• A brief introduction to security protocols
• Distributed systems, insecure communication, intruders
• Aims and properties
• authentication, secrecy, integrity, anonymity, etc.
• Notation: Message # x -> y : data
• Example: the Needham-Schroeder SK protocol

• A very brief introduction to Cryptographic methods
• Symmetric and asymmetric cryptography
• one-way functions, trap-doors

• Vulnerabilities of Security protocols (just started)
Security Protocols Vulnerabilities

Attack strategies
• Man-in-the-middle
• The attacker interferes by
intercepting the message and
possibly modifying it and/or
pretending to be one of the two
parties.

Attack strategy: Man-in-the-middle
    Example: The Diffie-Hellman key establishment scheme
•   This scheme is meant to establish a private key between two parties. It is
more straightforward and requires neither a third party nor a trap-door.

•   Choose a prime p and a primitive root r modulo p. (primitive means that all
numbers between 1 and p can be generated by taking exponents of r modulo p)
•   Alice chooses at random an integer x and sends Bob the message
m1 = r^x (mod p)
•   Bob chooses an integer y and sends Alice the message
m2 = r^y (mod p)
•   Alice calculates
K1 = m2^x (mod p)
•   Bob calculates
K2 = m1^y (mod p)
•   It is easy to prove that K1 = K2. Hence Alice and Bob can use K1 as a private
key between themselves. Note that Alice and Bob play a symmetric role in the
generation of the key.
•   Deriving x from m1 (and y from m2) is considered to be intractable.

• The Diffie-Hellman key establishment
scheme has no way to ensure
authentication. A man-in-the-middle,
Yves, could pretend to be Bob and
establish a shared key with Alice, thus
reading all the messages that Alice thinks
she is sending to Bob. He could do the
same with Bob, even at the same time.
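The two slides above state that K1 = K2 follows from the scheme and that nothing in m1 or m2 authenticates the sender. The following added example (not part of the lecture) checks both claims on toy parameters: p = 23 and r = 5 are assumed small values for illustration, not sizes anyone would deploy. `dh_with_interposer` models a third party with its own exponent z relaying between Alice and Bob, and returns the keys each side ends up with, so one can see that Alice's key agrees with the intermediary's rather than with Bob's, and that Alice received a value of exactly the same form as an honest m2.

```python
"""Diffie-Hellman key establishment as on the slides, with the primitive-root
check and the K1 == K2 property. Added example; p = 23, r = 5 are toy values."""


def is_primitive_root(r, p):
    # r is a primitive root modulo the prime p if the powers r^1 .. r^(p-1)
    # (mod p) produce every residue 1 .. p-1, i.e. r generates the whole group.
    return len({pow(r, k, p) for k in range(1, p)}) == p - 1


def dh_run(p, r, x, y):
    # x is Alice's secret exponent, y is Bob's; m1 and m2 travel in the clear.
    m1 = pow(r, x, p)    # Alice -> Bob : r^x mod p
    m2 = pow(r, y, p)    # Bob -> Alice : r^y mod p
    K1 = pow(m2, x, p)   # Alice's key  (r^y)^x
    K2 = pow(m1, y, p)   # Bob's key    (r^x)^y, equal to K1 mod p
    return m1, m2, K1, K2


def dh_with_interposer(p, r, x, y, z):
    """Model of the unauthenticated exchange with a third party (exponent z)
    relaying between Alice and Bob. Returns the key Alice ends up with, the key
    Bob ends up with, the key they would have shared, and the two keys the
    intermediary can compute. Alice receives r^z, which is indistinguishable
    in form from an honest r^y, so she has no check that can reject it."""
    m1 = pow(r, x, p)    # Alice's message, observed by the intermediary
    m2 = pow(r, y, p)    # Bob's message, observed by the intermediary
    mz = pow(r, z, p)    # what each honest party receives instead
    alice_key = pow(mz, x, p)
    bob_key = pow(mz, y, p)
    honest_key = pow(m2, x, p)           # r^(xy), never computed by anyone here
    intermediary_keys = (pow(m1, z, p), pow(m2, z, p))
    return alice_key, bob_key, honest_key, intermediary_keys


if __name__ == "__main__":
    p, r = 23, 5
    assert is_primitive_root(r, p)
    print("honest run (m1, m2, K1, K2):", dh_run(p, r, 6, 15))
    print("with interposer:", dh_with_interposer(p, r, 6, 15, 3))
```

The primitive-root check is the brute-force one implied by the slide's definition; it is fine for a 5-bit prime and nothing larger. The design point a defender takes from `dh_with_interposer` is that the scheme needs an authentication mechanism layered on top of m1 and m2 (the slides return to this with nonces and identities in later protocols).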


 Replay
• The intruder monitors a (possibly partial)
run of the protocol and at some time
reproduces (replays) one or more of the
messages.

    Example: Let us consider what could happen to the NSSK
protocol (Needham-Schroeder-Secret-Key) if we remove the
nonce from A

Message 1    A -> J : A.B
Message 2    J -> A : {B.kAB.{kAB.A}ServerKey(B)}ServerKey(A)
Message 3    A -> B : {kAB.A}ServerKey(B)
Message 4    B -> A : {nB}kAB
Message 5    A -> B : {nB - 1}kAB

    Suppose that Yves eventually succeeds in breaking the key, so he
now knows kAB. Presumably this will have taken a long time, so kAB
is not used anymore by A and B. However, next time Alice sends a
request to Jeeves, Yves can intercept Jeeves' reply, and send
back to Alice the message
{B.kAB.{kAB.A}ServerKey(B)}ServerKey(A)

So Alice will take the old key kAB as the key to use in the next
conversation with Bob.
In the original NSSK protocol this attack is not possible
because A would recognize that the nonce is different
from the one it sent.

Note that the nonce is used as a sort of local time stamp

The original NSSK protocol
Message 1    A -> J : A.B.nA
Message 2    J -> A : {nA.B.kAB.{kAB.A}ServerKey(B)}ServerKey(A)
Message 3    A -> B : {kAB.A}ServerKey(B)
Message 4    B -> A : {nB}kAB
Message 5    A -> B : {nB - 1}kAB

    In the original NSSK protocol, however, a similar attack is possible on
the other partner B. In fact, B has no way to establish the freshness of
the first message he sees (message 3 of the protocol). So, Yves could
intercept the message from A to B, and send to B, instead, a previously
intercepted message {kAB.A}ServerKey(B)

Assuming that the intruder had time to discover the previous key kAB,
the communication from B using this key is compromised

This attack was discovered by Denning and Sacco in 1981 (three years
after it had been in use in the Kerberos protocol).

A solution to this problem is to use timestamps. So in message 3, a
timestamp (generated by A or by J) should also be sent, encrypted, to B.

Note: Time stamps assume a global notion of time.
    The use of timestamps was introduced in the Kerberos protocol so as to
avoid the problem above.
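The last few slides turn on two local checks: A comparing the nonce in message 2 with the one it sent in message 1, and B checking a timestamp carried inside message 3. The following added example (not the lecture's code) models both in a symbolic style: encryption is a tagged tuple that only the holder of the named key can open, keys and nonces are plain strings, and the variant without nA is modelled by switching off A's nonce comparison. `replay_scenario` builds a constructed old reply for nonce n1 and presents it to an A that is waiting for n2.

```python
"""Symbolic model of the freshness checks in NSSK: A's nonce comparison on
message 2 and B's timestamp check on message 3 (the Denning-Sacco fix).
Added example; key names and nonces are constructed placeholders."""


def enc(key, *payload):
    # {payload}key as a symbolic term; only the holder of `key` may open it
    return ("enc", key, payload)


def dec(key, term):
    tag, k, payload = term
    if tag != "enc" or k != key:
        raise ValueError("wrong key")
    return payload


def nssk_msg2(server_key_A, server_key_B, nA, B, kAB, A):
    # Message 2   J -> A : {nA.B.kAB.{kAB.A}ServerKey(B)}ServerKey(A)
    return enc(server_key_A, nA, B, kAB, enc(server_key_B, kAB, A))


def alice_accepts_msg2(server_key_A, pending, msg2, check_nonce=True):
    """A's check on message 2. `pending` is the (nonce, B) A used in message 1.
    check_nonce=False stands for the weakened variant with no nA in the reply."""
    nA, B, kAB, ticket = dec(server_key_A, msg2)
    if B != pending[1]:
        return None          # reply is about a different partner
    if check_nonce and nA != pending[0]:
        return None          # a replayed reply carries a stale nonce
    return kAB, ticket       # accept: kAB and the ticket {kAB.A}ServerKey(B)


def msg3_with_timestamp(server_key_B, kAB, A, t):
    # Message 3 extended as the slide suggests: {kAB.A.t}ServerKey(B)
    return enc(server_key_B, kAB, A, t)


def bob_accepts_msg3(server_key_B, msg3, now, window):
    # B rejects a ticket whose timestamp is outside the accepted window;
    # `now` and `t` are assumed to come from a shared global clock
    kAB, A, t = dec(server_key_B, msg3)
    if abs(now - t) > window:
        return None
    return kAB, A


def replay_scenario():
    # constructed run: an old reply for nonce n1 is replayed when A expects n2
    KA, KB = "ServerKey(A)", "ServerKey(B)"
    old_reply = nssk_msg2(KA, KB, "n1", "B", "k_old", "A")
    pending = ("n2", "B")
    rejected_with_nonce = alice_accepts_msg2(KA, pending, old_reply) is None
    accepted_without = alice_accepts_msg2(KA, pending, old_reply,
                                          check_nonce=False) is not None
    return rejected_with_nonce, accepted_without


if __name__ == "__main__":
    print("nonce check rejects replay, no-nonce variant accepts:",
          replay_scenario())
    t3 = msg3_with_timestamp("ServerKey(B)", "kAB", "A", 100)
    print("fresh ticket:", bob_accepts_msg3("ServerKey(B)", t3, 105, 10))
    print("stale ticket:", bob_accepts_msg3("ServerKey(B)", t3, 500, 10))
```

The window in `bob_accepts_msg3` is the part that depends on the slide's caveat about global time: the larger the clock skew B must tolerate, the longer an old ticket stays acceptable.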

 Alternatively, one could use nonces in a
different way, as with the Yahalom protocol:

Message         1   A -> B : A.nA
Message         2   B -> J : B.{A.nA.nB}ServerKey(B)
Message         3   J -> A : {B.kAB.nA.nB}ServerKey(A).{A.kAB}ServerKey(B)
Message         4   A -> B : {A.kAB}ServerKey(B).{nB}kAB

In this protocol, both A and B get to inject nonces
before the request reaches Jeeves, so they both get a
handle on the freshness of the key generated by
Jeeves.

 Oracle
• The intruder tricks an agent into revealing
some information, possibly by inducing him to
perform some steps of a protocol.

 Interleave
• The intruder contrives for two or more runs
of the protocol to overlap

 Example of an attack on the Needham-Schroeder
Public-Key protocol which combines oracle and
interleaving techniques

The NSPK protocol (simplified version)

Message 1 A -> B : { A.nA }PKB
Message 2 B -> A : { nA.nB }PKA
Message 3 A -> B : { nB }PKB

 At the end of the protocol, it would seem reasonable
to believe that:
• A and B know with whom they have been interacting
• A and B agree on the values of nA and nB
• No one else knows the values of nA and nB

    In fact, for many years the NSPK protocol (1981) had been
believed to satisfy those properties, but in 1995 Gavin Lowe
discovered the following attack:
•   here, Y(A) represents Y generating (resp. receiving) the message,
making it appear as generated (resp. received) by A.

Message a.1    A -> Y       : { A.nA }PKY
Message b.1    Y(A) -> B    : { A.nA }PKB
Message b.2    B -> Y(A)    : { nA.nB }PKA
Message a.2    Y -> A       : { nA.nB }PKA
Message a.3    A -> Y       : { nB }PKY
Message b.3    Y(A) -> B    : { nB }PKB

•   Initially, Alice starts a protocol run with Yves thinking that he is an
honest agent.
•   At the end, Bob thinks that
•   he has been communicating with Alice, while this is not the case
•   he and Alice share exclusively nA and nB, while this is not the case.

It is actually relatively easy to fix the NSPK protocol: it
is sufficient to include the identity of the responder
within the encrypted part of Message 2

Message 1       A -> B : A.B.{A.nA}PKB
Message 2       B -> A : B.A.{B.nA.nB}PKA
Message 3       A -> B : A.B.{nB}PKB

This new protocol (called the Lowe-Needham-Schroeder
protocol) has been proved correct by using CSP/FDR
methods.
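The fix works because the initiator now has something to check in Message 2. The following added example (not the lecture's code, and not a model checker) writes that check down in the symbolic style of the slides: public-key encryption is a tagged tuple {payload}PK_X that only agent X can open, and `forwarded_msg2_outcome` reproduces the situation in the Lowe trace where A started a run with Y but receives a Message 2 that B produced. In the original NSPK the initiator accepts it; in the Lowe version the identity inside the encryption does not match the partner A believes it is talking to, and the run stops.

```python
"""Symbolic model of the initiator's check on Message 2 in NSPK and in the
Lowe-Needham-Schroeder fix. Added example; agent names, nonces and the
public-key terms are constructed placeholders."""


def pk_enc(agent, *payload):
    # {payload}PK_agent as a symbolic term
    return ("pk", agent, payload)


def pk_dec(agent, term):
    tag, who, payload = term
    if tag != "pk" or who != agent:
        raise ValueError(f"{agent} cannot decrypt a message for {who}")
    return payload


def msg2(responder, initiator, nA, nB, fixed):
    # NSPK:    B -> A : {nA.nB}PKA
    # Lowe-NS: B -> A : {B.nA.nB}PKA   (responder identity inside the encryption)
    if fixed:
        return pk_enc(initiator, responder, nA, nB)
    return pk_enc(initiator, nA, nB)


def initiator_accepts_msg2(me, peer, nA, term, fixed):
    """`peer` is whom `me` believes it is running the protocol with.
    Returns nB if the message passes the initiator's checks, else None."""
    payload = pk_dec(me, term)
    if fixed:
        claimed, got_nA, nB = payload
        if claimed != peer:
            return None      # Message 2 was produced by someone other than `peer`
    else:
        got_nA, nB = payload  # nothing here names the responder
    if got_nA != nA:
        return None           # nonce does not belong to this run
    return nB


def forwarded_msg2_outcome(fixed):
    # constructed scenario from the slides: A began a run with Y, but the
    # Message 2 it receives was produced by B (in a run B believes is with A)
    term = msg2("B", "A", "nA", "nB", fixed)
    return initiator_accepts_msg2("A", "Y", "nA", term, fixed)


def honest_run_outcome(fixed):
    # A and B really are talking to each other; both versions should accept
    term = msg2("B", "A", "nA", "nB", fixed)
    return initiator_accepts_msg2("A", "B", "nA", term, fixed)


if __name__ == "__main__":
    print("NSPK, forwarded Message 2 accepted as:", forwarded_msg2_outcome(False))
    print("Lowe-NS, forwarded Message 2 accepted as:", forwarded_msg2_outcome(True))
    print("honest runs:", honest_run_outcome(False), honest_run_outcome(True))
```

What CSP/FDR does for the real protocol is to explore every interleaving of such runs with a Dolev-Yao intruder and confirm that no trace reaches the state this function models; the example only shows the single check that closes the trace on the slide.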
