Cryptographic Protocols and Network Security

Transcription

1 G. Sivakumar Computer Science and Engineering IIT Bombay 1 Some Puzzles 2 Internet Security Overview 3 Need For Formal Methods

2 Exchanging Secrets Goal A and B to agree on a secret number. But, C can listen to all their conversation. Solution? A tells B: I ll send you 3 numbers. Let s use their LCM as the key.

3 Exchanging Secrets Goal A and B to agree on a secret number. But, C can listen to all their conversation. Solution? A tells B: I ll send you 3 numbers. Let s use their LCM as the key.

4 Mutual Authentication Goal A and B to verify that both know the same secret number. No third party (intruder or umpire!) Solution? A tells B: I ll tell you first 2 digits, you tell me the last two...

5 Mutual Authentication Goal A and B to verify that both know the same secret number. No third party (intruder or umpire!) Solution? A tells B: I ll tell you first 2 digits, you tell me the last two...

6 Zero-Knowledge Proofs Goal A to prove to B that she knows how to solve the cube. Without actually revealing the solution! Solution? A tells B: Close your eyes, let me solve it...

7 Zero-Knowledge Proofs Goal A to prove to B that she knows how to solve the cube. Without actually revealing the solution! Solution? A tells B: Close your eyes, let me solve it...

8 Paper, Scissors, Rock Game Goal How to play over Internet? Using , say? Solution? You mail me your choice. I ll reply with mine. Coin Toss Simpler Version of problem?

9 Paper, Scissors, Rock Game Goal How to play over Internet? Using , say? Solution? You mail me your choice. I ll reply with mine. Coin Toss Simpler Version of problem?

10 Paper, Scissors, Rock Game Goal How to play over Internet? Using , say? Solution? You mail me your choice. I ll reply with mine. Coin Toss Simpler Version of problem?

11 Sharing a Dosa Goal All should get equal share of dosa. No envy factor. No trusted umpire. Solution? 2 people case is easy- you cut, i choose!

12 Sharing a Dosa Goal All should get equal share of dosa. No envy factor. No trusted umpire. Solution? 2 people case is easy- you cut, i choose!

13 Sharing a Secret Safety in numbers. Do not trust any one (or few) person(s). Real World Examples Pirates sharing a treasure map. Who can authorize launching a missile? From Computer Domain Secure Storage (Archival) Distributed storage of Logs

14 Online Voting Protocols Are we ready for elections via Internet? George Bush (Nov 2000, dimpled chads) Pervez Musharaf (April 2002) Maharashtra (Oct 13, 2004) E-Voting Protocols Requirements No loss of votes already cast (reliability) No forging of votes (authentication) No modification of votes cast (integrity) No multiple voting No vote secrecy violation (privacy) No vulnerability to vote coercion No vulnerability to vote selling or trading protocols (voter is an adversary) No loss of ability to cast and accept more votes (availability, no denial of service)

15 Other Desirable Properties must not only be correct and secure, but also be seen to be so by skeptical (but educated and honest) outsiders. Auditability: Failure or procedural error can be detected and corrected, especially the loss of votes. Verifiability: Should be able to prove My vote was counted All boothes were counted The number of votes in each booth is the same as the number of people who voted No one I know who is ineligible to vote did so No one voted twice... without violating anonymity, privacy etc. Zero Knowledge Proofs

16 Security Requirements Informal statements (formal is much harder) Confidentiality Protection from disclosure to unauthorized persons Integrity Assurance that information has not been modified unauthorizedly. Authentication Assurance of identity of originator of information. Non-Repudiation Originator cannot deny sending the message. Availability Not able to use system or communicate when desired. Anonymity/Pseudonomity For applications like voting, instructor evaluation. Traffic Analysis Should not even know who is communicating with whom. Why? Emerging Applications Online Voting, Auctions (more later) And all this with postcards (IP datagrams)!

17 Internet s Growth and Charter Information AnyTime, AnyWhere, AnyForm, AnyDevice,... WebTone like DialTone

18 Internet s Dream Why should a fridge be on Internet? Will security considerations make this a nightmare?

19 What are Cyber crimes? Against People Cyber Stalking and Harrassment (Child) Pornography Against Property Cracking Virus and Spam Software/Entertainment Piracy Cyber Terrorism!

20 Security Concerns Match the following! Problems Attackers Highly contagious viruses Unintended blunders Defacing web pages Disgruntled employees or customers Credit card number theft Organized crime On-line scams Foreign espionage agents Intellectual property theft Hackers driven by technical challenge Wiping out data Petty criminals Denial of service Organized terror groups Spam s Information warfare Reading private files... Surveillance... Crackers vs. Hackers Note how much resources available to attackers.

21 Cyber Terrorism? Some examples from : Legion of Doom group took over the BellSouth telephone system, tapped phone lines, re-routed calls, : A white supremacist movement took out a Massachusetts internet service provider 1997: A cracker disabled the computer system of an airport control tower at the Worcester, Mass. Airport. 1997: a hacker in Sweden jammed the 911 emergency telephone system all throughout west-central Florida. 1998: NASA, Navy, and Defence Department computers were attacked. 2000: in Maroochy Shire, Australia, a disgruntled consultant hacked into a waste management control system and released millions of gallons of raw sewage on the town. 2001: Two post-graduate students cracked a bank system used by banks and credit card companies to secure the personal identification numbers of their customers accounts. [38]

22 Emergency Response:

23 Internet Attacks Timeline From training material at

24 Internet Attack Trends From training material at

25 Indian IT Act 2000 Basic Legal Framework Electronic documents, signatures as evidence Cyber Crimes & Punishments Secn 43: Damage to Computers/Network Secn 65: Tampering source code Secn 66: Hacking (cracking) Secn 67: Obscenity (bazee.com!) Secn 69: Interception Several Initiatives (PKI, CERT-IN, Cyber cells,...)

26 Security Mechanisms System Security: Nothing bad happens to my computers and equipment virus, trojan-horse, logic/time-bombs,... Network Security: Authentication Mechanisms you are who you say you are Access Control Firewalls, Proxies who can do what Data Security: for your eyes only Encryption, Digests, Signatures,...

27 Security Mechanisms System Security: Nothing bad happens to my computers and equipment virus, trojan-horse, logic/time-bombs,... Network Security: Authentication Mechanisms you are who you say you are Access Control Firewalls, Proxies who can do what Data Security: for your eyes only Encryption, Digests, Signatures,...

28 Security Mechanisms System Security: Nothing bad happens to my computers and equipment virus, trojan-horse, logic/time-bombs,... Network Security: Authentication Mechanisms you are who you say you are Access Control Firewalls, Proxies who can do what Data Security: for your eyes only Encryption, Digests, Signatures,...

29 Cryptography and Data Security sine qua non [without this nothing :-] Historically who used first? (L & M) Code Language in joint families!

30 One way Functions Mathematical Equivalents Factoring large numbers (product of 2 large primes) Discrete Logarithms

31 One-way Functions Computing f(x) = y is easy. Eg. y = 4 x mod 13 (If x is 3, y is?) n 4 n mod n mod Note: need not work with numbers bigger than 13 at all! But given y = 11, finding suitable x is not easy! Can do by brute-force (try all possibilities!) No method that is much better known yet!

32 Network Security Mechanism Layers Cryptograhphic Protocols underly all security mechanisms. Real Challenge to design good ones for key establishment, mutual authentication etc.

33 Motivation for Session keys Combine Symmetric (fast) and Asymmetric (very slow) Methods using session (ephemeral) keys for the following additional reasons. Limit available cipher text (under a fixed key) for cryptanalytic attack; Limit exposure with respect to both time period and quantity of data, in the event of (session) key compromise; Avoid long-term storage of a large number of distinct secret keys (in the case where one terminal communicates with a large number of others), by creating keys only when actually required; Create independence across communications sessions or applications. No replay attacks. How to establish session keys over insecure medium where adversary is listening to everything? Can be done even without any public key! Randomization to rescue (like in CSMA/CD of Ethernet).

34 Diffie-Hellman Key Establishment Protocol

35 Man-in-the-middle attack Authentication was missing! Can be solved if Kasparov and Anand know each other s public key (Needham-Schroeder). Yes, but different attack possible.

36 Needham-Schroeder Protocol

37 Attack by Lowe (1995)

38 Why Are Security Protocols Often Wrong? They are trivial programs built from simple primitives, BUT, they are complicated by concurrency a hostile environment a bad user controls the network Concern: active attacks masquerading, replay, man-in-middle, etc. vague specifications we have to guess what is wanted Ill-defined concepts Protocol flaws rather than cryptosystem weaknesses Formal Methods needed!

39 Need for Formal Methods Countermeasure: formal design and analysis Formal Modelling and Specification of Protocol Abstract encryption model, formal specification Specification of Required Properties Verification of Properties Inductive proofs, state-space search, authentication logics Generation of Counter-Example Analysis can find flaws, suggest improvements, prove conditional correctness

40 Formal Approaches Overview Why so many approaches? When all you have is a hammer, everything looks like a nail!

41 Specification of Protocol Common Authentication Protocol Specification Language High-level message-list based language with abstract encryption operators A -> B: {A}K Declarations: strong typing and abstract data type extensions initialization, named expressions security goals Actions between messages: tests, assignments

42 Emerging Picture

43 Tools for Security Analysis and Verification

44 References Books TCP/IP Illustrated by Richard Stevens, Vols 1-3, Addison-Wesley. Applied Cryptography - Protocols, Algorithms, and Source Code in C by Bruce Schneier, Jon Wiley & Sons, Inc Cryptography and Network Security: Principles and Practice by William Stallings (2nd Edition), Prentice Hall Press; Practical Unix and Internet Security, Simson Garfinkel and Gene Spafford, O Reilly and Associates, ISBN Web sites (Centre for Education and Research in Information Assurance and Security) (System Administration, Audit, Network Security) cve.mitre.org (Common Vulnerabilities and Exposures) csrc.nist.gov (Computer Security Resources Clearinghouse)