Providing solutions for more secure exchanges



Similar documents
How to prove security of communication protocols?

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Q: Why security protocols?

An Overview of Common Adversary Models

General Certificate of Education Advanced Level Examination June 2012

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Application Layer (1)

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Sun Management Center Change Manager Release Notes

Part 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext

Introduction au BIM. ESEB Seyssinet-Pariset Economie de la construction contact@eseb.fr

SECURITY IN NETWORKS

HEALTH CARE DIRECTIVES ACT

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Cryptography and Network Security: Summary

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

What is network security?

Reconstruction d un modèle géométrique à partir d un maillage 3D issu d un scanner surfacique

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Chapter 7: Network security

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

Parallel Discrepancy-based Search

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Electronic Voting Protocol Analysis with the Inductive Method

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

Cryptography & Digital Signatures

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Security: Focus of Control. Authentication

Modeling and verification of security protocols

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Tanenbaum, Computer Networks (extraits) Adaptation par J.Bétréma. DNS The Domain Name System

An Introduction to Cryptography as Applied to the Smart Grid

Information Security

Network Security Protocols

Future Entreprise. Jean-Dominique Meunier NEM Executive Director Nov. 23, 2009 FIA Stockholm

Introduction to Computer Security

Formal Modelling of Network Security Properties (Extended Abstract)

Elizabethtown Area School District French III

Public Key Encryption and Digital Signature: How do they work?

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Calcul parallèle avec R

Cryptography Lecture 8. Digital signatures, hash functions

EPREUVE D EXPRESSION ORALE. SAVOIR et SAVOIR-FAIRE

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

First-half 2012 Results. August 29 th, Jean-Paul AGON. Chairman and CEO

Archived Content. Contenu archivé

Solaris 10 Documentation README

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

CSCE 465 Computer & Network Security

Analysis of a Biometric Authentication Protocol for Signature Creation Application

Inductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting

VoteID 2011 Internet Voting System with Cast as Intended Verification

Personnalisez votre intérieur avec les revêtements imprimés ALYOS design

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

Introduction ToIP/Asterisk Quelques applications Trixbox/FOP Autres distributions Conclusion. Asterisk et la ToIP. Projet tuteuré

Secure APIs and Simulationbased. Exposé thésard

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Langages Orientés Objet Java

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Le vote électronique : un défi pour la vérification formelle

Audit de sécurité avec Backtrack 5

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

A Search-Based Framework for Security Protocol Synthesis

First-half 2014 RESULTS. August 1 st, Jean-Paul AGON. Chairman and CEO

Lecture 9: Application of Cryptography

How to Formally Model Features of Network Security Protocols

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

An Introduction to Cryptography and Digital Signatures

Millier Dickinson Blais

Authentication requirement Authentication function MAC Hash function Security of

Outline. Digital signature. Symmetric-key Cryptography. Caesar cipher. Cryptography basics Digital signature

French Property Registering System: Evolution to a Numeric Format?

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

Asymmetric cryptosystems fundamental problem: authentication of public keys

Keep in touch FINANCIAL COMMUNICATIONS. Thierry Prévot Group General Manager, Financial Communications & Strategic Prospective Analysis

10 mistakes not to make in France!

Table of Contents. Bibliografische Informationen digitalisiert durch

CSE/EE 461 Lecture 23

Lecture 6 - Cryptography

Open call for tenders n SCIC C4 2014/01

Sun StorEdge A5000 Installation Guide

CS 758: Cryptography / Network Security

Note concernant votre accord de souscription au service «Trusted Certificate Service» (TCS)

Internet Programming. Security

Electrical/Electronics

Archived Content. Contenu archivé

Chapter 16: Authentication in Distributed System

Évariste Galois and Solvable Permutation Groups

CERN EUROPEAN ORGANIZATION FOR NUCLEAR RESEARCH

Network Security. HIT Shimrit Tzur-David

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

The Concept of Trust in Network Security

mod_ssl Cryptographic Techniques

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

The Advantages of Automatic Protocol Creation

to hide away details from prying eyes. Pretty Good Privacy (PGP) utilizes many

Introduction to Cryptography

Altiris Patch Management Solution for Windows 7.6 from Symantec Third-Party Legal Notices

Transcription:

Providing solutions for more secure exchanges Stéphanie Delaune November 18, 2014 Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 1 / 44

Cryptographic protocols Cryptographic protocols small programs designed to secure communication (various security goals) use cryptographic primitives (e.g. encryption, hash function,... ) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 2 / 44

Cryptographic protocols Cryptographic protocols small programs designed to secure communication (various security goals) use cryptographic primitives (e.g. encryption, hash function,... ) The network is unsecure! Communications take place over a public network like the Internet. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 2 / 44

Cryptographic protocols Cryptographic protocols small programs designed to secure communication (various security goals) use cryptographic primitives (e.g. encryption, hash function,... ) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 2 / 44

Security properties Secrecy: May an intruder learn some secret message between two honest participants? Authentication: Is the agent Alice really talking to Bob? Fairness: Alice and Bob want to sign a contract. Alice initiates the protocol. May Bob obtain some advantage? Privacy: Alice participate to an election. May a participant learn something about the vote of Alice? Non-repudiation: Alice sends a message to Bob. Alice cannot later deny having sent this message. Bob cannot deny having received the message.... Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 3 / 44

Cryptographic primitives Cryptographic primitives Algorithms that are frequently used to build computer security systems. These routines include, but are not limited to, one-way hash functions and encryption functions. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 4 / 44

Cryptographic primitives Cryptographic primitives Algorithms that are frequently used to build computer security systems. These routines include, but are not limited to, one-way hash functions and encryption functions. Symmetric encryption encryption decryption Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 4 / 44

Cryptographic primitives Cryptographic primitives Algorithms that are frequently used to build computer security systems. These routines include, but are not limited to, one-way hash functions and encryption functions. Asymmetric encryption encryption decryption public key private key Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 4 / 44

Symmetric vs. asymmetric encryption Symmetric encryption efficient in practice, agents have to share a secret key trusted third party, distribution key protocol Asymmetric encryption not efficient in practice, agents do not have to share a secret often used in establishment key protocols authentication of public keys (certificate) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 5 / 44

Digital signature: How does it work? signature verification private key public key similar to public key encryption everyone knows the key to verify the signature (public key) the key used to sign a message has to be private (private key) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 6 / 44

Properties and applications Properties the signature has to authenticate the signer the signature belongs to one particular document the signed document can not be modified afterwards Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 7 / 44

Properties and applications Properties the signature has to authenticate the signer the signature belongs to one particular document the signed document can not be modified afterwards Applications certificate to authenticate a public key contract signing protocols E-voting protocols (blind signature) allows someone to sign without knowing the message he is signing. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 7 / 44

Hash function: What is it? Hash function It is a reproducible method of turning some kind of data into a (relatively) small number that may serve as a digital "fingerprint" of the data (again substitutions and permutations). Examples: MD5, SHA-1 Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 8 / 44

Properties and Applications Properties deterministic function one-way function: there is no practical way to retrieve m from hash(m) collision resistant: difficult to find m 1 and m 2 such that m 1 m 2 and hash(m 1 ) = hash(m 2 ) Some applications to improve efficiency: we can sign hash(m) instead of m use to guarantee the integrity of a message checksum to detect errors Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 9 / 44

Outline of the talk 1 Introduction 2 Some examples of security protocols Credit Card payment Needham Schroeder protocol 3 How can we verify them? How protocols can be attacked? How protocols can be proved secure? 4 Conclusion Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 10 / 44

Outline of the talk 1 Introduction 2 Some examples of security protocols Credit Card payment Needham Schroeder protocol 3 How can we verify them? How protocols can be attacked? How protocols can be proved secure? 4 Conclusion Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 11 / 44

Carte bancaire La carte bleue est protégée par un grand nombre public dont on ne connait pas la factorisation. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 12 / 44

Carte bancaire La carte bleue est protégée par un grand nombre public dont on ne connait pas la factorisation. Nombre de 96 chiffres 213598703592091008239502270499962879705109534182641740644252 4165008583957746445088405009430865999 Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 12 / 44

Carte bancaire La carte bleue est protégée par un grand nombre public dont on ne connait pas la factorisation. Nombre de 96 chiffres 213598703592091008239502270499962879705109534182641740644252 4165008583957746445088405009430865999 Affaire Serge Humpich (1997) il factorise ce nombre de 96 chiffres et conçoit de fausses cartes bleues (les YesCard ). Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 12 / 44

Carte bancaire La carte bleue est protégée par un grand nombre public dont on ne connait pas la factorisation. Nombre de 96 chiffres 213598703592091008239502270499962879705109534182641740644252 4165008583957746445088405009430865999 Affaire Serge Humpich (1997) il factorise ce nombre de 96 chiffres et conçoit de fausses cartes bleues (les YesCard ). Depuis, le nombre utilisé pour sécuriser les cartes bancaires comportent 232 chiffres. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 12 / 44

Example: credit card payment The client Cl puts his credit card C in the terminal T. The merchant enters the amount M of the sale. The terminal authenticates the credit card. The client enters his PIN. If M 100e, then in 20% of cases, The terminal contacts the bank B. The banks gives its authorisation. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 13 / 44

More details the Bank B, the Client Cl, the Credit Card C and the Terminal T Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 14 / 44

More details the Bank B, the Client Cl, the Credit Card C and the Terminal T Bank a private signature key priv(b) a public key to verify a signature pub(b) a secret key shared with the credit card K CB Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 14 / 44

More details the Bank B, the Client Cl, the Credit Card C and the Terminal T Bank a private signature key priv(b) a public key to verify a signature pub(b) a secret key shared with the credit card K CB Credit Card some Data: name of the cardholder, expiry date... a signature of the Data {hash(data)} priv(b) a secret key shared with the bank K CB Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 14 / 44

More details the Bank B, the Client Cl, the Credit Card C and the Terminal T Bank a private signature key priv(b) a public key to verify a signature pub(b) a secret key shared with the credit card K CB Credit Card some Data: name of the cardholder, expiry date... a signature of the Data {hash(data)} priv(b) a secret key shared with the bank K CB Terminal the public key of the bank pub(b) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 14 / 44

Payment protocol the terminal T reads the credit card C: 1. C T : Data, {hash(data)} priv(b) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 15 / 44

Payment protocol the terminal T reads the credit card C: the terminal T asks the code: 1. C T : Data, {hash(data)} priv(b) 2. T Cl : code? 3. Cl C : 1234 4. C T : ok Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 15 / 44

Payment protocol the terminal T reads the credit card C: the terminal T asks the code: 1. C T : Data, {hash(data)} priv(b) 2. T Cl : code? 3. Cl C : 1234 4. C T : ok the terminal T requests authorisation the bank B: 5. T B : auth? 6. B T : 4528965874123 7. T C : 4528965874123 8. C T : {4528965874123} KCB 9. T B : {4528965874123} KCB 10. B T : ok Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 15 / 44

Faille sur la carte bleue Initialement la sécurité été assurée par : cartes difficilement réplicables, secret des clefs et du protocole. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 16 / 44

Faille sur la carte bleue Initialement la sécurité été assurée par : cartes difficilement réplicables, secret des clefs et du protocole. Mais il y a des failles! faille cryptographique : les clefs de 320 bits ne sont plus sûres, faille logique : pas de lien entre le code secret à 4 chiffres et l authentification, faille matériel : réplicabilité des cartes. YesCard fabriquées par Serge Humpich (1997). Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 16 / 44

La «YesCard»: Comment ca marche? Faille logique 1.C T : Data, {hash(data)} priv(b) 2.T Cl : code? 3.Cl C : 1234 4.C T : ok Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 17 / 44

La «YesCard»: Comment ca marche? Faille logique 1.C T : Data, {hash(data)} priv(b) 2.T Cl : code? 3.Cl C : 2345 4.C T : ok Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 17 / 44

La «YesCard»: Comment ca marche? Faille logique 1.C T : Data, {hash(data)} priv(b) 2.T Cl : code? 3.Cl C : 2345 4.C T : ok Remarque : il y a toujours quelqu un à débiter. ajout d un faux chiffrement sur une fausse carte (Serge Humpich). Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 17 / 44

La «YesCard»: Comment ca marche? Faille logique 1.C T : Data, {hash(data)} priv(b) 2.T Cl : code? 3.Cl C : 2345 4.C T : ok Remarque : il y a toujours quelqu un à débiter. ajout d un faux chiffrement sur une fausse carte (Serge Humpich). 1.C T : XXX, {hash(xxx)} priv(b) 2.T Cl : code? 3.Cl C : 0000 4.C T : ok Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 17 / 44

Outline of the talk 1 Introduction 2 Some examples of security protocols Credit Card payment Needham Schroeder protocol 3 How can we verify them? How protocols can be attacked? How protocols can be proved secure? 4 Conclusion Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 18 / 44

Needham-Schroeder s Protocol (1978) A B : { A, N a } pub(b) B A : { N a, N b } pub(a) A B : {N b } pub(b) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 19 / 44

Needham-Schroeder s Protocol (1978) A B : { A, N a } pub(b) B A : { N a, N b } pub(a) A B : {N b } pub(b) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 19 / 44

Needham-Schroeder s Protocol (1978) A B : { A, N a } pub(b) B A : { N a, N b } pub(a) A B : {N b } pub(b) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 19 / 44

Needham-Schroeder s Protocol (1978) A B : { A, N a } pub(b) B A : { N a, N b } pub(a) A B : {N b } pub(b) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 19 / 44

Needham-Schroeder s Protocol (1978) A B : { A, N a } pub(b) B A : { N a, N b } pub(a) A B : {N b } pub(b) Questions Is N b secret between A and B? When B receives {N b } pub(b), does this message really comes from A? Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 19 / 44

Needham-Schroeder s Protocol (1978) A B : { A, N a } pub(b) B A : { N a, N b } pub(a) A B : {N b } pub(b) Questions Is N b secret between A and B? When B receives {N b } pub(b), does this message really comes from A? Attack An attack was found 17 years after its publication! [Lowe 96] Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 19 / 44

Example: Man in the middle attack Agent A Intruder I Agent B Attack involving 2 sessions in parallel, an honest agent has to initiate a session with I. A B B A A B : { A, N a } pub(b) : { N a, N b } pub(a) : {N b } pub(b) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 20 / 44

Example: Man in the middle attack { A, N a } pub(i) { A, N a } pub(b) Agent A Intruder I Agent B A B B A A B : { A, N a } pub(b) : { N a, N b } pub(a) : {N b } pub(b) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 20 / 44

Example: Man in the middle attack { A, N a } pub(i) { N a, N b } pub(a) { A, N a } pub(b) { N a, N b } pub(a) Agent A Intruder I Agent B A B B A A B : { A, N a } pub(b) : { N a, N b } pub(a) : {N b } pub(b) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 20 / 44

Example: Man in the middle attack { A, N a } pub(i) { N a, N b } pub(a) { A, N a } pub(b) { N a, N b } pub(a) {N b } pub(i) {N b } pub(b) Agent A Intruder I Agent B A B B A A B : { A, N a } pub(b) : { N a, N b } pub(a) : {N b } pub(b) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 20 / 44

Example: Man in the middle attack { A, N a } pub(i) { N a, N b } pub(a) { A, N a } pub(b) { N a, N b } pub(a) {N b } pub(i) {N b } pub(b) Agent A Intruder I Agent B Attack the intruder knows N b, When B finishes his session (apparently with A), A has never talked with B. A B B A A B : { A, N a } pub(b) : { N a, N b } pub(a) : {N b } pub(b) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 20 / 44

Outline of the talk 1 Introduction 2 Some examples of security protocols Credit Card payment Needham Schroeder protocol 3 How can we verify them? How protocols can be attacked? How protocols can be proved secure? 4 Conclusion Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 21 / 44

La recherche au LSV accroitre notre confiance dans les logiciels critiques Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 22 / 44

La recherche au LSV accroitre notre confiance dans les logiciels critiques logiciel: texte relativement long écrit dans un langage spécifique et qui sera exécuté par un ordinateur critique: une défaillance peut avoir des conséquences désastreuses en termes humains ou économiques Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 22 / 44

Difficultés et enjeux de la vérification de programmes une petite modification (quelques caractères) peut le transformer complètement. Un besoin crucial de vérification pour des raisons économiques Ariane 5, carte bancaire,... mais parfois il y a aussi des vies humaines en jeu la machine Therac-25 dans les années 80 logiciels embarqués dans les voitures, les avions,... enjeux démocratiques vote électronique Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 23 / 44

Comment fait-on? Tests à la main ou génération automatique; vérification d un nombre fini de cas. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 24 / 44

Comment fait-on? Tests à la main ou génération automatique; vérification d un nombre fini de cas. Accéder à l infini: un rêve impossible? Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 24 / 44

Comment fait-on? Tests à la main ou génération automatique; vérification d un nombre fini de cas. Accéder à l infini: un rêve impossible? Vérification (preuves formelles) preuves mathématiques à la main ou à l aide d ordinateur; vérification de tous les cas possibles; plus difficile. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 24 / 44

Comment vérifier ces programmes? Les mathématiques et l informatique à la rescousse! Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 25 / 44

Comment vérifier ces programmes? Les mathématiques et l informatique à la rescousse! Notre but: 1 faire des preuves mathématiques rigoureuses, 2 d une façon automatique. Construire une machine à détecter les bugs Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 25 / 44

Comment vérifier ces programmes? Les mathématiques et l informatique à la rescousse! Notre but: 1 faire des preuves mathématiques rigoureuses, 2 d une façon automatique. Construire une machine à détecter les bugs 1936: une telle machine n existe pas (Alan Turing)... même dans le cas particulier des protocoles cryptographiques. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 25 / 44

Mais alors, que faisons nous? Le problème n a pas de solution... Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 26 / 44

Mais alors, que faisons nous? Le problème n a pas de solution... mais seulement dans le cas général Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 26 / 44

Mais alors, que faisons nous? Le problème n a pas de solution... mais seulement dans le cas général Différentes pistes: résoudre le problème dans de nombreux cas intéressants, Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 26 / 44

Mais alors, que faisons nous? Le problème n a pas de solution... mais seulement dans le cas général Différentes pistes: résoudre le problème dans de nombreux cas intéressants, proposer des procédures approchées, Exemple: si le vérificateur répond oui alors le logiciel est sûr, sinon on ne peut rien dire Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 26 / 44

Outline of the talk 1 Introduction 2 Some examples of security protocols Credit Card payment Needham Schroeder protocol 3 How can we verify them? How protocols can be attacked? How protocols can be proved secure? 4 Conclusion Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 27 / 44

Cryptographic protocols vs (classical) programs Some specificities: protocol are executed in an hostile envrionment a powerful attacker who controls the communication network unbounded number of sessions running concurrently the cryptographic primitives play an important role we have to take them into account. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 28 / 44

How cryptographic protocols can be attacked? Breaking encryption Logical attack Ciphertext-only attack, Known-plaintext attack,... Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 29 / 44

Casser le chiffrement RSA Les challenges RSA défis lancés par le laboratoire RSA Security récompenses importantes offertes Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 30 / 44

Casser le chiffrement RSA Les challenges RSA défis lancés par le laboratoire RSA Security récompenses importantes offertes RSA-576 174 chiffres réussi 2003 RSA-640 193 chiffres réussi 2005 RSA-704 212 chiffres non résolu 30 000 dollars........ RSA-2048 617 chiffres non résolu 200 000 dollars Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 30 / 44

Casser le chiffrement RSA Les challenges RSA défis lancés par le laboratoire RSA Security récompenses importantes offertes RSA-576 174 chiffres réussi 2003 RSA-640 193 chiffres réussi 2005 RSA-704 212 chiffres non résolu 30 000 dollars........ RSA-2048 617 chiffres non résolu 200 000 dollars Ces challenges ont été retirés en 2007! Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 30 / 44

Logical attack - What is it? Logical attacks can be mounted even assuming perfect cryptography, replay attack, man-in-the middle attack,... are numerous, see SPORE, Security Protocols Open REpository http://www.lsv.ens-cachan.fr/spore/ subtle and hard to detect by eyeballing the protocol Examples: man in the middle attacks: e.g. Needham Schroeder protocol; replay attacks: electronic passport protocol (French version), electronic voting protocol (e.g. Helios). Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 31 / 44

Outline of the talk 1 Introduction 2 Some examples of security protocols Credit Card payment Needham Schroeder protocol 3 How can we verify them? How protocols can be attacked? How protocols can be proved secure? 4 Conclusion Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 32 / 44

Cryptographic models Main features: Messages are bitstrings Protocols are programs that exchange messages Real algorithms for cryptographic primitives Powerful attacker: any probabilisitic polynomial time Turing machine quite realistic model Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 33 / 44

Cryptographic models Main features: Messages are bitstrings Protocols are programs that exchange messages Real algorithms for cryptographic primitives Powerful attacker: any probabilisitic polynomial time Turing machine quite realistic model Advantage: Clear and quite strong security guarantee Drawback: Proofs are difficult, tedious and error-prone. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 33 / 44

Symbolic models Main features: Messages are abstracted by terms (abstract objects) Protocols are programs that exchange messages Cryptographic primitives are abstracted by function symbols Idealized attacker: in particular, we have to describe what he can do. very abstract model Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 34 / 44

Symbolic models Main features: Messages are abstracted by terms (abstract objects) Protocols are programs that exchange messages Cryptographic primitives are abstracted by function symbols Idealized attacker: in particular, we have to describe what he can do. very abstract model Advantage: Security proofs are easier to do and they can be mechanized Drawback: the security guarantees obtained are rather unclear. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 34 / 44

Link between the two models Computational soundness Computational soundness aims to establish sufficient conditions under which results obtained using symbolic models imply security under computational models. Seminal paper: Abadi & Rogaway, 2001 Many other papers have been obtained in this area. A survey is available [Cortier et al., JAR 2010] Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 35 / 44

Symbolic model Messages are abstracted by terms pairing m 1, m 2, symmetric senc(m, k) and public key encryption aenc(m, pub(a)), signature sign(m, priv(a)). Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 36 / 44

Symbolic model Messages are abstracted by terms pairing m 1, m 2, symmetric senc(m, k) and public key encryption aenc(m, pub(a)), signature sign(m, priv(a)). Presence of an idealized attacker may read, intercept and send messages, may build new messages following deduction rules (symbolic manipulation on terms). Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 36 / 44

Symbolic model Messages are abstracted by terms pairing m 1, m 2, symmetric senc(m, k) and public key encryption aenc(m, pub(a)), signature sign(m, priv(a)). Presence of an idealized attacker may read, intercept and send messages, may build new messages following deduction rules (symbolic manipulation on terms). Examples: m k senc(m, k) k aenc(m, pub(a)) priv(a) senc(m, k) m m Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 36 / 44

Difficulties of the verification Presence of an attacker... Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 37 / 44

Difficulties of the verification Presence of an attacker... who controls the communication network: may read every message sent on the network may intercept and send new messages Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 37 / 44

Difficulties of the verification Presence of an attacker... who controls the communication network: may read every message sent on the network may intercept and send new messages who has deduction capabilities encryption, decryption if he knows the decryption key, pairing, projection Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 37 / 44

Difficulties of the verification Presence of an attacker... who controls the communication network: may read every message sent on the network may intercept and send new messages who has deduction capabilities encryption, decryption if he knows the decryption key, pairing, projection Secrecy problem for an unbounded number of sessions is undecidable. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 37 / 44

Difficulties of the verification Presence of an attacker... who controls the communication network: may read every message sent on the network may intercept and send new messages who has deduction capabilities encryption, decryption if he knows the decryption key, pairing, projection Secrecy problem for a fixed number of sessions is decidable. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 37 / 44

Secrecy problem in presence of a passive attacker Intruder deduction problem for a fixed inference system I Input: a finite set of ground terms T (the knowledge of the attacker) and a ground term s (the secret), Output: Is s deducible from T in I? Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 38 / 44

Secrecy problem in presence of a passive attacker Intruder deduction problem for a fixed inference system I Input: a finite set of ground terms T (the knowledge of the attacker) and a ground term s (the secret), Output: Is s deducible from T in I? Example: T = {senc(s 1, k 1 ); senc(s 2, k 2 ); k 1, k 2 } and s = s 1, s 2. x y x, y x, y x y senc(x, y) y x, y x y senc(x, y) x Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 38 / 44

Secrecy problem in presence of a passive attacker Intruder deduction problem for a fixed inference system I Input: a finite set of ground terms T (the knowledge of the attacker) and a ground term s (the secret), Output: Is s deducible from T in I? Example: T = {senc(s 1, k 1 ); senc(s 2, k 2 ); k 1, k 2 } and s = s 1, s 2. x y x, y x, y x y senc(x, y) y x, y x y senc(x, y) x Results The intruder deduction problem is decidable in PTIME for the inference system given above (and some others) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 38 / 44

Secrecy problem via constraint solving for a fixed number of sessions Protocol rules in(u 1 ); out(v 1 ) in(u 2 ); out(v 2 )... in(u n ); out(v n ) Constraint System? T 0 u1? C = T 0, v 1 u2...? T 0, v 1,.., v n s Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 39 / 44

Secrecy problem via constraint solving for a fixed number of sessions Protocol rules in(u 1 ); out(v 1 ) in(u 2 ); out(v 2 )... in(u n ); out(v n ) Constraint System? T 0 u1? C = T 0, v 1 u2...? T 0, v 1,.., v n s Solution of a constraint system in I A substitution σ such that for every T? u C, uσ is deducible from Tσ in I. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 39 / 44

Example: Needham-Schroeder s protocol A(a, I) and B(b) (running in parallel) out({ a, n a } pub(i) ) in({ n a, x nb } pub(a) ) ; out({x nb } pub(i) ) in({ y a, y na } pub(b) ) ; out({ y na, n b } pub(ya)) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 40 / 44

Example: Needham-Schroeder s protocol A(a, I) and B(b) (running in parallel) 1 out({ a, n a } pub(i) ) 3 in({ n a, x nb } pub(a) ) ; out({x nb } pub(i) ) 2 in({ y a, y na } pub(b) ) ; out({ y na, n b } pub(ya)) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 40 / 44

Example: Needham-Schroeder s protocol A(a, I) and B(b) (running in parallel) 1 out({ a, n a } pub(i) ) 3 in({ n a, x nb } pub(a) ) ; out({x nb } pub(i) ) 2 in({ y a, y na } pub(b) ) ; out({ y na, n b } pub(ya)) Constraints System Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 40 / 44

Example: Needham-Schroeder s protocol A(a, I) and B(b) (running in parallel) 1 out({ a, n a } pub(i) ) 3 in({ n a, x nb } pub(a) ) ; out({x nb } pub(i) ) 2 in({ y a, y na } pub(b) ) ; out({ y na, n b } pub(ya)) Constraints System T 0, {a, n a } pub(i) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 40 / 44

Example: Needham-Schroeder s protocol A(a, I) and B(b) (running in parallel) 1 out({ a, n a } pub(i) ) 3 in({ n a, x nb } pub(a) ) ; out({x nb } pub(i) ) 2 in({ y a, y na } pub(b) ) ; out({ y na, n b } pub(ya)) Constraints System T 0, {a, n a } pub(i)? {ya, y na } pub(b) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 40 / 44

Example: Needham-Schroeder s protocol A(a, I) and B(b) (running in parallel) 1 out({ a, n a } pub(i) ) 3 in({ n a, x nb } pub(a) ) ; out({x nb } pub(i) ) 2 in({ y a, y na } pub(b) ) ; out({ y na, n b } pub(ya)) Constraints System T 0, {a, n a } pub(i)? {ya, y na } pub(b) T 0, {a, n a } pub(i), {y na, n b } pub(ya) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 40 / 44

Example: Needham-Schroeder s protocol A(a, I) and B(b) (running in parallel) 1 out({ a, n a } pub(i) ) 3 in({ n a, x nb } pub(a) ) ; out({x nb } pub(i) ) 2 in({ y a, y na } pub(b) ) ; out({ y na, n b } pub(ya)) Constraints System? T 0, {a, n a } pub(i) {ya, y na } pub(b)? T 0, {a, n a } pub(i), {y na, n b } pub(ya) {n a, x nb } pub(a) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 40 / 44

Example: Needham-Schroeder s protocol A(a, I) and B(b) (running in parallel) 1 out({ a, n a } pub(i) ) 3 in({ n a, x nb } pub(a) ) ; out({x nb } pub(i) ) 2 in({ y a, y na } pub(b) ) ; out({ y na, n b } pub(ya)) Constraints System? T 0, {a, n a } pub(i) {ya, y na } pub(b)? T 0, {a, n a } pub(i), {y na, n b } pub(ya) {n a, x nb } pub(a) T 0, {a, n a } pub(i), {y na, n b } pub(ya), {x nb } pub(i) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 40 / 44

Example: Needham-Schroeder s protocol A(a, I) and B(b) (running in parallel) 1 out({ a, n a } pub(i) ) 3 in({ n a, x nb } pub(a) ) ; out({x nb } pub(i) ) 2 in({ y a, y na } pub(b) ) ; out({ y na, n b } pub(ya)) Constraints System? T 0, {a, n a } pub(i) {ya, y na } pub(b)? T 0, {a, n a } pub(i), {y na, n b } pub(ya) {n a, x nb } pub(a) T 0, {a, n a } pub(i), {y na, n b } pub(ya), {x nb } pub(i)? nb Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 40 / 44

Example: Needham-Schroeder s protocol A(a, I) and B(b) (running in parallel) 1 out({ a, n a } pub(i) ) 3 in({ n a, x nb } pub(a) ) ; out({x nb } pub(i) ) 2 in({ y a, y na } pub(b) ) ; out({ y na, n b } pub(ya)) Constraints System? T 0, {a, n a } pub(i) {ya, y na } pub(b)? T 0, {a, n a } pub(i), {y na, n b } pub(ya) {n a, x nb } pub(a) T 0, {a, n a } pub(i), {y na, n b } pub(ya), {x nb } pub(i)? nb Solution σ = {y a a, y na n a, x nb n b } Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 40 / 44

Decision procedure There exists an algorithm (actually a set of simplification rules) to decide whether such kind of constraint systems have a solution or not. Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 41 / 44

Decision procedure There exists an algorithm (actually a set of simplification rules) to decide whether such kind of constraint systems have a solution or not. Main idea of the procedure: C = { T0 u 1 T 0, v 1 u 2... T 0, v 1,.., v n u n+1 C 1 C 2 C 3 C 4 SOLVED Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 41 / 44

Outil de vérification AVISPA Outil disponible en ligne: http://www.avispa-project.org/ Projet Européen (France, Italie, Allemagne, Suisse) Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 42 / 44

Outline of the talk 1 Introduction 2 Some examples of security protocols Credit Card payment Needham Schroeder protocol 3 How can we verify them? How protocols can be attacked? How protocols can be proved secure? 4 Conclusion Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 43 / 44

Conclusion Cryptographic protocols numerous, various security goals can be attacked even if the primitives are secure http://www.lsv.ens-cachan.fr/spore/ How to verify them? modelling the protocol, the security properties manually /automatically the problem is undecidable in general (some tools exist) It remains a lot to do modelling security properties is a difficult task does a suitable E-voting protocol exist? take into account the algebraic properties of the primtives analyse the source code of the protocol instead of its specification Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 44 / 44

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information