This Course. Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Course Outline. Course Outline.

Transcription

1 Modelling and nalysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI This Course This course will primarily teaching you: How to design your own secure communication protocols. How to analyse protocols and look for faults. How to use automatic tools to help you do this. Secondary skills: Know which protocols to use for which jobs. Improve your system design skills. Course Outline This Lecture: How we model protocols Types of encryption used. Lecture 2: Types of attacks on protocols Good protocol design Homework ( 1/6 of total score). Course Outline Lecture 3: Verifying protocols using N logic. Lecture 4: utomatically verifying protocols. Homework ( 1/6 of total score) Lecture 5: nonymity protocols. Course Outline Lecture 6: Verifying probabilistic protocols in PRISM Lecture 7: Fair exchange & Zero knowledge Lecture 8 to Lecture 10 Short students presentations ( 2/3 of total score ) Lecture 11 Summary Sources Take notes if you want but you will get handouts with all the important details and the slides, handouts, papers, homework and links will be available at: 1

2 This Lecture Part 1: Simple notation for protocols Modelling rules Needham-Schroeder and Kerberos protocols Part 2: high level overview the to cryptography Symmetric key encryption, public key encryptions and signing bstract equation for modelling encryption Simple Protocol sends message M to : M written as: : M s Simple Protocol We write down protocols as a list of messages sent between principals, e.g. 1. : Hello 2. : Offer 3. : ccept M Message M can be read by the attacker Simple Protocol M The attacker can read all the messages sent across the network. Even now! 2

3 Encryption We can keep our data safe by using encryption: : { M } Kab { M } Kab We can use Encryption {M} K, E K (M) Signing Sign K (M), S K (M), MC K (M) Hashing #(M), Hash(M) We assume that these are prefect cannot be broken by brute force. Encryption Replay ttack M is now secret 1: { Pay Elvis 5 } Kab { M } Kab but the protocol is not safe 1) : { Pay Eve 5 } Kab Replay ttack 1: { Pay Elvis 5 } Kab The attacker can repeat any message it see. E 2: { Pay Elvis 5 } Kab 1) : { Pay Eve 5 } Kab 2) E : { Pay Eve 5 } Kab 3

4 Nonce {N a + 1} Kab, { Pay Elvis 5 } Kab We can generate nonces. This is a new random values. 1. : 2. : { N a } Kab 3. : { N a + 1 } Kab, { Pay Elvis 5 } Kab If you generate a new nonce for a session you know that all future messages with that include that nonce are part of the same session. 1. Nonce 1. Nonce 3. {N a + 1} Kab, { Pay Elvis 5 } Kab 3. {N a + 1} Kab, { Pay Elvis 5 } Kab { N a2 } Kab 5. { N a2 } Kab 6. {N a2 + 1} Kab, { Pay ob 5 } Kab 6. {N a2 + 1} Kab, { Pay ob 5 } Kab E 6. {N a2 + 1} Kab, { Pay Elvis 5 } Kab The attacker can run multiple rounds of the protocol. The attacker can break up messages, invent new values, keys, nonces,.. combine any of these into new message. etter Protocol :, N a 2. : { N a } Kab 3. {N a, Pay Elvis 5 } Kab 3. : {N a, Pay Elvis 5 } Kab 4

5 Key Establishment Protocol This was easy because and shared a key. Often the principals do not share a key, in which case we need a Key Establishment Protocol. This usually involves a Trust Third Party who has a shared key with each party. The Needham-Schroeder Public Key Protocol famous authentication protocol 1. : E ( N a, ) 2. : E ( N a, N b ) 3. : E ( N b ) N a and N b can then be used to generate a symmetric key n ttack gainst the Needham-Schroeder Protocol The attack acts as a man-in-the-middle: 1. C : E C ( N a, ) 1`. C() : E ( N a, ) 2`. C() : E ( N a, N b ) 2. C : E ( N a, N b ) 3. C : E C ( N b ) 3`. C() : E ( N b ) The Corrected Version very simple fix: 1. : E ( N a, ) 2. : E ( N a, N b ) 3. : E ( N b ) The Corrected Version very simple fix: 1. : E ( N a, ) 2. : E ( N a, N b, ) 3. : E ( N b ) The attacker can act as a participant of the protocol.... (sometimes) 5

6 Kerberos protocol for key establishment and authentication used in Windows, MacOS, pache, OpenSSH,... Kerberos and S share the key K S and and S share K S oth and trust S to generate a new key for them: K N is a nonce, T is a timestamp and L is an expiration time. 1. S :,,N 2. S : {K,,L,N,..} K S,{K,,L,..} KS 3. : {,T } K,{K,,L,..} KS 4. : {T +1} K 1. S :,,N 2. S : {K,,L,N,..} K S,{K,,L,..} KS 3. : {,T } K,{K,,L,..} KS 4. : {T +1} K Sources For lectures 1 & 2 the the primary reference material is the handouts. This information is covered in more depth in Paper: Prudent Engineering Practices for Cryptographic Protocols (by badi & Needham) ook: Protocols for uthentication and Key Establishment (by oyd & Mathuria) there are copies in the library. This Lecture Part 1: Simple notation for protocols Modelling rules Needham-Schroeder and Kerberos protocols Part 2: high level overview of cryptography Symmetric key encryption, public key encryptions and signing bstract equation for modelling encryption 6