Verifying Second-Level Security Protocols




Verifying Second-Level Security Protocols
G.Bella, C.Longo, L.C.Paulson
UNIVERSITÀ di CATANIA, Dipartimento di Matematica e Informatica
Proc. of TPHOLs 2003, these days in Rome

Certified e-mail delivery
Hmm, must send him an e-mail but in such a way that he can't claim I didn't
OK, I'll send it using that certified e-mail protocol
Then I'll get a receipt when he sees the message!

G.Bella, C.Longo, L.C.Paulson: Verifying Second-Level Security Protocols 2

Certified e-mail delivery
Hmm, an e-mail from her
what a weird protocol though
damn it! It means she now has a receipt that I have read her message!
At least she couldn't get that receipt until I opened her email!

Goals in distributed systems
- Complex security goals: certified e-mail, contract-signing, non-repudiation, delegation
- Basic security goals: confidentiality, authentication, integrity
- Basic communication goals: routing, transmission of raw byte streams
Different goals require different kinds of protocol.

A hierarchy of protocols
- second-level: complex security protocols (second-level security protocols): verified??
- first-level: classical security protocols (first-level security protocols): verified!
- 0th-level: transport protocols (0th-level protocols): verified!
Each protocol relies upon underlying protocols.

Definition
A second-level security protocol is: a protocol that assumes the goals of underlying authentication protocols in order to achieve its own goals.
(Slide annotations: "relies upon", "goals")
Essentially carbon-copied from actual protocol designs.

Protocol Hierarchy?
It entirely depends on design.
- Hierarchical (third level): How to verify?
- Flat (first level): Verified!
(Diagram labels: CE, SCE, SSL)

Certified e-mail (Abadi et al.)
Abbreviations:
Steps:
This is a second-level protocol: it refers to SSL.

How the protocol works
- Sender S sends the message, encrypted using a session key, to recipient R.
- If R wants to proceed, R asks the Trusted Third Party (TTP) for the key.
- The TTP releases the key to R and simultaneously gives a receipt to S.

Verifying second-level protocols
- Shmatikov and Mitchell have model-checked a contract-signing protocol
- Abadi and Blanchet have verified the certified e-mail protocol using Blanchet's verifier
- Creese et al. argue that a Dolev-Yao (DY) attacker may be exaggerated in ubiquitous environments (FAST 2003)

Our contribution
- Identify the concept of second-level protocols
- Enrich our inductive approach to
  1. model the goals of first-level protocols
  2. adapt Dolev-Yao's threat model
  3. express and verify the protocol goals

Primitive events
- A sends message X to B
- B receives message X from network
- A stores message X as an internal state change
Fine for first-level protocols. And for second-level?

Basic operators

Specifying a protocol inductively
Protocol DAP

1. Modelling underlying goals
- Authentication: allow references to sender by event, otherwise forbidden. Reception event naturally hides sender.
- Confidentiality: use followed by. Reception is not guaranteed in general.
- Guaranteed delivery: impose introduction of reception event. If also confidential, impose.

Modelling authentication
Allow receiver's explicit reference to sender:

Modelling confidentiality
Just replaced events?!

YES: look at knows

Modelling Guaranteed Delivery
Combination of conf. and g.d. simpler to model than just

2. Adapting the threat model
What's the threat model for second-level protocols??
- Simply Dolev-Yao, assuming that the first-level protocol works.
- The Spy can also use the protocol.
- The formalisation of the goals just shown yields this threat model naturally.

Example: formalising message 2
- Query/response mechanism between sender and receiver. Hides a Hash of receiver's pwd.
- R sends message to TTP on channel that is SSL protected and delivery guaranteed.
- The message magically reaches TTP.
- Threat model: Spy sees message received by R but not that noted by TTP.

3. Modelling the new goals
Consider an e-mail m, its delivery receipt d, a sender S, an intended recipient R.
Goals of certified e-mail delivery (abstract version):
Must be made precise given a specific protocol.

Example: sender's guarantee 1
- Session key available to Spy (receiver might be Spy).
- Even then, S gets his receipt!

Example: sender's guarantee 2
- Receiver gets session key legitimately (receiver might be Spy).
- Even then, S gets his receipt!

Guarantees proved also for receiver
- The receiver will get the key if the sender's receipt exists
- The receiver (who may be the Spy) does not get the key until the sender gets his receipt
- Minor: if neither peer is compromised, then the protocol keeps session key secure

Differences from earlier proofs
- Distrust of peer, who may be dishonest
- Spy's knowledge no longer the main issue: new reasoning methods needed
- Issues in the modelling of secure channels

Found anomaly
- Receiver initiates from step 2, quoting arbitrary sender and building two identical hashes
- Session succeeds and sender gets receipt about email he never sent
- Caused by absent authentication of sender with TTP.
- Solution: insert sender's password into certificate S2TTP.

Found anomaly 2
- Receiver claims that email was sent years ago, hence irrelevant
- Receiver may be truthful or not: problem either way
- Solution: TTP includes a timestamp in the delivery receipt.

Conclusions
- Second-level protocols are not difficult to verify
- The use of logic lets us express security properties abstractly and naturally
- A general-purpose proof tool (Isabelle) lets us modify the model without resorting to programming
- Abadi et al.'s email protocol verified
- Proof scripts available
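
The TTP step from "How the protocol works" together with the fixes from the two "Found anomaly" slides, as a toy Python model added here; it is not taken from the slides or from the authors' Isabelle proof scripts. The S2TTP field layout, the sample passwords and the assumption that any agent can build an S2TTP record for the TTP are illustrative.

```python
import hashlib

def h(*fields):
    """Symbolic hash over message fields (stands in for the protocol's Hash)."""
    return hashlib.sha256("|".join(fields).encode()).hexdigest()

def make_s2ttp(sender, key, h_em, sender_pwd=None):
    """Assumed layout of certificate S2TTP, modelled as a plain record because
    any agent is assumed able to build one for the TTP."""
    return {"S": sender, "k": key, "h_em": h_em, "s_pwd": sender_pwd}

class TTP:
    def __init__(self, sender_pwds, receiver_pwds, check_sender):
        self.sender_pwds, self.receiver_pwds = sender_pwds, receiver_pwds
        self.check_sender = check_sender   # True = fix for anomaly 1 applied
        self.receipts = []                 # delivery receipts handed to senders

    def release(self, s2ttp, receiver, receiver_pwd, h_em, now):
        """Key release and receipt happen in one step, or not at all."""
        if self.receiver_pwds.get(receiver) != receiver_pwd:
            return None                    # receiver not authenticated
        if s2ttp["h_em"] != h_em:
            return None                    # the two hashes must be identical
        if self.check_sender and (s2ttp["s_pwd"] is None or
                self.sender_pwds.get(s2ttp["S"]) != s2ttp["s_pwd"]):
            return None                    # sender not authenticated to TTP
        # Fix for anomaly 2: the receipt carries the TTP's timestamp.
        self.receipts.append({"S": s2ttp["S"], "R": receiver,
                              "h_em": h_em, "issued_at": now})
        return s2ttp["k"]

def new_ttp(check_sender):
    # Constructed sample credentials.
    return TTP({"S": "s-secret"}, {"R": "r-secret"}, check_sender)

def honest_run(ttp):
    """S really sends; R then asks the TTP for the key."""
    h_em = h("ciphertext-of-mail")
    cert = make_s2ttp("S", "k1", h_em, sender_pwd="s-secret")
    return ttp.release(cert, "R", "r-secret", h_em, now=1000)

def receiver_only_run(ttp):
    """Anomaly 1 as a regression case: R starts at step 2 with a certificate
    it built itself, naming S as sender. R does not know S's password."""
    h_em = h("never-sent")
    cert = make_s2ttp("S", "k2", h_em)
    return ttp.release(cert, "R", "r-secret", h_em, now=2000)
```

With `check_sender=False` the receiver-only run leaves a receipt naming S in `ttp.receipts`; with `check_sender=True` it yields neither key nor receipt, while the honest run is unaffected.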