Q: Why security protocols?



Similar documents
Part 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext

Chapter 16: Authentication in Distributed System

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Chapter 7 Transport-Level Security

Security: Focus of Control. Authentication

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Chapter 17. Transport-Level Security

Modeling and verification of security protocols

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Client Server Registration Protocol

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Network Security Essentials Chapter 5

Network Security. HIT Shimrit Tzur-David

Cryptography and Network Security

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Transport Level Security

Security & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Cornerstones of Security

Chapter 7: Network security

CSCE 465 Computer & Network Security

CS 758: Cryptography / Network Security

TELE 301 Network Management. Lecture 16: Remote Terminal Services

Lukasz Pater CMMS Administrator and Developer

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

4.1: Securing Applications Remote Login: Secure Shell (SSH) PEM/PGP. Chapter 5: Security Concepts for Networks

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Elements of Applied Cryptography. Key Distribution. Trusted third party: KDC, KTC Diffie-Helmann protocol The man-in-the-middle attack

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Information Security Basic Concepts

Chapter 8. Cryptography Symmetric-Key Algorithms. Digital Signatures Management of Public Keys Communication Security Authentication Protocols

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Authentication Applications

Introduction to Cryptography

Lecture 9 - Network Security TDTS (ht1)

Asymetrical keys. Alices computer generates a key pair. A public key: XYZ (Used to encrypt) A secret key: ABC98765 (Used to decrypt)

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

What is network security?

Chapter 4. Authentication Applications. COSC 490 Network Security Annie Lu 1

Module: Applied Cryptography. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

Computer Networks - CS132/EECS148 - Spring

Three attacks in SSL protocol and their solutions

Formal Methods in Security Protocols Analysis

TELE 301 Network Management. Lecture 18: Network Security

Content Teaching Academy at James Madison University

Chapter 10. Network Security

Chapter 15 User Authentication

Overview Windows NT 4.0 Security Cryptography SSL CryptoAPI SSPI, Certificate Server, Authenticode Firewall & Proxy Server IIS Security IE Security

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Kerberos: An Authentication Service for Computer Networks by Clifford Neuman and Theodore Ts o. Presented by: Smitha Sundareswaran Chi Tsong Su

Module 7 Security CS655! 7-1!

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

SECURITY IN NETWORKS

Computer Networks. Secure Systems

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

TLS and SRTP for Skype Connect. Technical Datasheet

Computer and Network Security. Outline

A Search-Based Framework for Security Protocol Synthesis

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

VPN Lesson 2: VPN Implementation. Summary

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Transport Layer Security Protocols

Security vulnerabilities in the Internet and possible solutions

Chapter 8. Network Security

Network Security #10. Overview. Encryption Authentication Message integrity Key distribution & Certificates Secure Socket Layer (SSL) IPsec

CIS 433/533 - Computer and Network Security Public Key Crypto/ Cryptographic Protocols

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

How To Understand And Understand The Security Of A Key Infrastructure

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

How To Protect Your Data From Attack

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

CS 356 Lecture 28 Internet Authentication. Spring 2013

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

Security Goals Services

Communication Systems SSL

Criteria for web application security check. Version

Lecture 10: Communications Security

Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict All rights reserved

Sync Security and Privacy Brief

Inductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting

IP Security. Ola Flygt Växjö University, Sweden

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Authentication Application

7.1. Remote Access Connection

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

1. a. Define the properties of a one-way hash function. (6 marks)

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Transcription:

Security Protocols

Q: Why security protocols? Alice Bob A: To allow reliable communication over an untrusted channel (eg. Internet) 2

Security Protocols are out there Confidentiality Authentication

Example: HTTPS (HTTP + TLS) Security for web services HTTP over TLS (transport layer security) Provides: Authentication server Confidentiality, integrity, authenticity communication First negotiate algorithms to use ciphers (e.g. RSA), key exchange (e.g. Diffie- Hellman), MACs (e.g. MD5) 4

Example: HTTPS (HTTP + TLS) Server sends public key certificate (X.509) Can contact CA to verify. Unknown/untrusted CA s (e.g. self signed (root)-certificates)... Client creates random nr used to create session key Further communication can be encrypted/authenticated using session key 5

Example (2): SSH Secure shell remotely log onto server Tunnelling (e.g. X11 connections, TCP ports) SFTP, SCP for file transfers. Creates a secure channel Transport Layer; similar to TLS User authentication Layer Password Public key others (interactive, external (e.g. kerberos), etc.) 6

Example (3): WS-Security (WSS) (OASIS standard) Security for Web services Goal: Secure SOAP message exchange Mechanisms to construct protocols Not fixed protocol Single message security But end-to-end (e.g. across multiple services Building blocks E.g. how to encode kerberos ticket in SOAP. 7

Example (4): Kerberos (More Later Lecture) Trusted Third Party Authentication protocol Authentication server (S) is TTP Shares secret (key) with user Alice wants to use service Bob Client sends request to server A=>S: A, B, T exp, N A Server returns encrypted `ticket : S=>A: {K AB, B, T exp, N A } KAS, {K AB, A, T exp } KBS S=>A: {K AB, B, T exp, N A, {K AB, A, T exp } KBS } KAS Client Contacts Service Bob: A=>B: { checksum, timestamp } KAB, {K AB, A, T exp } KBS 8

Q: Security protocols can t prevent? Alice Bob A: Identity theft (eg. via phishing scam, Computer taken over by virus, ) 9

What is a security protocol? Message exchange between several parties Uses (mainly) symmetric or public key crypto Typical goals: Confidentiality. Who can read it? Authentication. Who sent it? Integrity Has it been altered? Anonymity Who could ve sent it? Non-Repudiation. Can deny usage?.

Authentication with a secret Identify by sending secret E.g. garage door remote control Problems: Reveals secret, Can be replayed Challenge-response Prove you have a secret without revealing it Guarantee freshness Challenge: a fresh nonce Response: Encryption of nonce proves possession of key... or at least: key used. 11

Authentication on a network Challenge-response vulnerable to relay attack: A challenges C C passes challenge on to B and returns Bs response On network never directly talking to B Routers, ISPs, Different Authentication property B is currently active and participating in the (same) protocol. Relay above is not considered an attack; 1 C is (correctly behaving) part of network between A,B 1) Recall discussion security model 12

Motivation (formal) analysis Security Protocols are difficult to do right! Security protocols are three line programs that people still manage to get wrong (Roger Needham) (Famous) Example: NS created in 1978, flaw found in 1995. Using formal methods! 13

What can do? Total network control: See all exchanged messages Delete, alter, inject and redirect messages Initiate new communications (has a valid identity) Reuse messages from past sessions Usually known as formal attacker, Dolev-Yao. Good for automatic verification: Finite participants, infinite messages -> decidable Infinite participants -> undecidable 14

What cannot do... Break strong crypto Break hard problems (factor long primes, etc.) Guess pseudo-random values (eg. nonces) Get other identities (identity theft) Time messages & statistical traffic analysis (eg. Timing attacks) Alternative: Computational attacker attacker = (prob) Turing machine running in poly-time 15

Attacker model (Dolev-Yao) All communication through attacker Attacker builds knowledge (AK) Sending message adds it to AK Derivation of other knowledge Attacker can send messages in AK Only way to advance honest agents Clearly not for availability analysis. 16

Attacker Knowledge in Dolev-Yao Sending message adds it to AK Derivation of other knowledge compose messages; m, m in AK => < m, m > in AK decompose messages; <m, m > in AK => m, m in AK decrypt if key known; { m }k and k in AK => m in AK encrypt with known key; m and k in AK => { m }k in AK AK infinite symbolic representations most-general unifiers. 17

Designing Security Protocols

A simple protocol A->B : mail Let s add confidentiality : A->B : encrypt mail with pk(b) Let s add authentication : A->B : encrypt mail with pk(b), sign with sk(a) Still not good?: Replay protection Session keys? 19

Example: Design of an authentication protocol in 3 steps Goal: Alice wants to authenticate herself to Bob over the internet The informal dialog: Hi, I m Alice Privacy warning! (stay tuned) Prove It! Here s the proof 20

Design of a protocol 2/3 We implement the dialog using publickey encryption and nonces A->B : A Hi, I m Alice B->A : Nb encrypted w/ pk(a) Prove It! A->B : Nb Here s the proof 21

Design of a protocol 3/3 What is needed if we also want to exchange a secret session key? A->B : A B->A : Nb encrypted w/ pk(a) A->B : Nb encrypted w/ pk(b) Hi, I m Alice Prove It! Here s the proof 22

Designing correct protocols is difficult! A->B : A B->A : Nb encrypted w/ pk(a) A->B : Nb encrypted w/ pk(b) Hi, I m Alice Prove It! Here s the proof Q : Are we completely sure that this protocol is secure?, Ie each time that Alice and Bob finish the execution, A is really who she says she is? Is Nb secret? 23

What can go wrong A->I : A I(A) 1 ->B : A B->A : Nb encrypted w/ pk(a) Prove It! Hi, I m Alice Hi, I m Alice I->A : Nb encrypted w/ pk(a) Prove It! A->I : Nb encrypted w/ pk(i) Here s the proof I(A)->B: Nb encrypted w/ pk(b) Here s the proof Meet the infamous man-in-the-middle attack!: Now I has succesfully impersonated A wrt B! Moreover, I knows Nb 1) I `pretending to be A. The (A) is only informative; `I(A) exactly the same as `I. 24

Not an attack: A->I : A I->B : A B->I : Nb encrypted w/ pk(a) Prove It! Hi, I m Alice Hi, I m Alice I->A : Nb encrypted w/ pk(a) Prove It! A->I : Nb encrypted w/ pk(b) Here s the proof I->B: Nb encrypted w/ pk(b) Here s the proof Here I is just being a faithful network. Notice the subtle but essential difference. 25

The patch A->B : A B->A : Nb,B encrypted w/ pk(a) A->B : Nb encrypted w/ pk(b) Hi, I m Alice Prove It! Here s the proof Q AGAIN: Are we completely sure that this protocol is secure? We need the aid of formal verification! 26

Patch stops the attack: A->I : A Hi, I m Alice I(A)->B : A Hi, I m Alice B->A : Nb,B encrypted w/ pk(a) Prove It to B! I->A : Nb,B encrypted w/ pk(a) Prove It to B! A?? was expecting I not B (A stops protocol) 27

Examples of Security Protocols

EX1: Needham-Schroeder (1978) A->B : [A,Na]*pk(B) B->A : [Na,Nb]*pk(A) A->B : [Nb]*pk(B) Some notation msg*k: asymmetric encryption Na, Nb: nonces A, B: Agents (Alice and Bob) pk(a): public key of A 29

Goals of NS A->B : [A,Na]*pk(B) B->A : [Na,Nb]*pk(A) A->B : [Nb]*pk(B) Mutual Authentication of A and B Exchange two secrets can be used to form a key 30

What can go wrong in NS A->B : [A,Na]*pk(B) B->A : [Na,Nb]*pk(A) A->B : [Nb]*pk(B) Attack: A -> I: [A,Na]*pk(I) I(A) -> B: [A,Na]*pk(B) B-> A: [Na,Nb]*pk(A) A->I : [Nb]*pk(I) I(A)->B : [Nb]*pk(B) Breaks: Secrecy (Na and Nb are disclosed) Authentication B thinks he is talking to A, while he is talking to I I is the intruder. 31

The Patch A->B : [A,Na]*pk(B) B->A : [Na,Nb,B]*pk(A) A->B : [Nb]*pk(B) Patch proposed by Lowe, the new protocol is known then as Needham-Schroeder- Lowe (NSL) 32

Authentication via hash-chains Alice generates a secret Na Get h n (Na) to S securely Login send: A->S : h s (Na) s initially n-1, decrease after use Upon receipt, S hashes h s (Na) to obtain a match One-wayness of hash function h gives security Lamport in 81 33

What about privacy? Cont d A possible patch: A->B : A encrypted w/ pk(b) B->A : Nb,B encrypted w/ pk(a) A->B : Nb encrypted w/ pk(b) Here, I can deduce B s intentions: I->B : A encrypted w/ pk(b) B->A : Nb,B encrypted w/ pk(a) 34

Private Authentication Protocol Due to Abadi (2002): 1. A->B : hello, [ hello,na,pk(a)] * pk(b) if B wants to talk to A: 2. B->A : ack, [ ack,na,nb,pk(b)] * pk(a) otherwise, send a decoy message: 2. B->A : ack,[n] * K No traffic analysis but vulnerable to timing attacks! 35

Otway-Rees Protocol 1. A->B : M,A,B,[Na,M,A,B]+Kas 2. B->S : M,A,B,[Na,M,A,B]+Kas], [Nb,M,A,B]+Kbs 3. S->B : M, [Na,Kab]+Kas, [Nb,Kab]+Kbs 4. B->A : M,[Na,Kab]+Kas Aim: key distribution using trusted server Kab: short-term key Could be guessed. Na and Nb serve as challenges. 36

Attack upon Otway-Rees a.1 A->e(B) : M,A,B,[Na,M,A,B]+Kas a.4 e(b)->a : M,[Na,M,A,B]+Kas (A expects: M,[Na, Kab ]+Kas) Type flaw attack A takes [M,A,B] to be the key Authentication failure Secrecy failure The intruder just replies part of first message 37

Needham-Schroeder-Lowe 1. A->B : [A,Na]*pk(B) 2. B->A : [Na,Nb,B]*pk(A) 3. A->B : Nb*pk(B) Still (unrealistic) attack possible 38

Type flaw attack upon NSL a.1 A->I(B) : [A,Na]*pk(B) a.1' I(A)->B : [A,I]*pk(B) a.2 B->e(A) : [I,Nb,B]*pk(A) b.1 I->A : [I, [Nb,B] ]*pk(a) b.2 A->I: [[Nb,B], Na',A] *pk(i) Intruder intercepts session (a), then also starts new session (b) with Alice. Message a.2 is passed as b.1. Notice that a.2 has three fields, while b.1 has two In b.2 I learns Nb. Rather unrealistic A would need to accept [Nb, B] as a nounce B would have to accept I as a nounce 39

Running multiple protocols 2 `good protocols may not combine: Basic challenge response: A -> B: [na] encrypted with pk{b} B -> A: na Combined with any protocol which uses pk{b} for secrecy is problem Signing + Pk encryption with RSA Analyze protocols together, use different keys for different protocols 40

Dolev-Yao vs computational Computational seen as more secure; less assumptions Much more difficult to work with Line of recent research: correctness Dolev-Yao in comp setting.... 41

Conclusions Finding Flaws is not Easy! Analysis difficult to do by hand One can use Belief logics (e.g. BAN logic). Theorem Proving. Model Checking and alike. 42

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information