This Course. Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Course Outline. Course Outline.



Similar documents
Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

Kerberos. Guilin Wang. School of Computer Science, University of Birmingham

Q: Why security protocols?

Chapter 16: Authentication in Distributed System

APPLYING FORMAL METHODS TO CRYPTOGRAPHIC PROTOCOL ANALYSIS: EMERGING ISSUES AND TRENDS

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 15.1

Modeling and verification of security protocols

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

CSCI 454/554 Computer and Network Security. Final Exam Review

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Part II: Standards

Computer Security. Programming Language Methods in Computer Security. Plan. Orientation. Part I. Personal POPL timeline. How did I get here?

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Kerberos: An Authentication Service for Computer Networks by Clifford Neuman and Theodore Ts o. Presented by: Smitha Sundareswaran Chi Tsong Su

Part 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext

Authentication Types. Password-based Authentication. Off-Line Password Guessing

An Overview of Common Adversary Models

Message authentication and. digital signatures

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

How To Use Kerberos

Cryptography and Network Security Chapter 14

Kerberos. Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, BC. From Italy (?).

1. a. Define the properties of a one-way hash function. (6 marks)

Authentication requirement Authentication function MAC Hash function Security of

Key Management and Distribution

Principles of Network Security

Textbooks: Matt Bishop, Introduction to Computer Security, Addison-Wesley, November 5, 2004, ISBN

Key Management and Distribution

Cryptography and Key Management Basics

Kerberos. Login via Password. Keys in Kerberos

Lab 7. Answer. Figure 1

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Cryptography and Network Security

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010

Cryprography and Network Security, PART II: Key Exchange Protocols

Authentication Applications

Transport Level Security

Elements of Applied Cryptography. Key Distribution. Trusted third party: KDC, KTC Diffie-Helmann protocol The man-in-the-middle attack

SCADA System Security, Complexity, and Security Proof

Web Security Considerations

True False questions (25 points + 5 points extra credit)

Lecture 9: Application of Cryptography

Cryptography and Network Security: Summary

SSL/TLS: The Ugly Truth

Module 7 Security CS655! 7-1!

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

4.2: Kerberos Kerberos V4 Kerberos V5. Chapter 5: Security Concepts for Networks. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

Chapter 14. Key management and Distribution. Symmetric Key Distribution Using Symmetric Encryption

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory 1 / 53

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Network Security. HIT Shimrit Tzur-David

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

Attestation and Authentication Protocols Using the TPM

CSE/EE 461 Lecture 23

Key Management and Distribution

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

Chapter 8. Network Security

VoteID 2011 Internet Voting System with Cast as Intended Verification

TLS and SRTP for Skype Connect. Technical Datasheet

Introduction to Computer Security

Message Authentication Codes

The Secure Sockets Layer (SSL)

Security: Focus of Control. Authentication

Chapter 15 User Authentication

Chapter 4. Authentication Applications. COSC 490 Network Security Annie Lu 1

CSCE 465 Computer & Network Security

Lecture 1: Introduction. CS 6903: Modern Cryptography Spring Nitesh Saxena Polytechnic University

SSL A discussion of the Secure Socket Layer

ICOM 5018 Network Security and Cryptography

2 Protocol Analysis, Composability and Computation

CIS 433/533 - Computer and Network Security Public Key Crypto/ Cryptographic Protocols

Soran University Faculty of Science and Engineering Computer Science Department Information Security Module Specification

ECE 428 Network Security

CS 361S - Network Security and Privacy Spring Homework #1

Introduction to Network Security Key Management and Distribution

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

Module: Applied Cryptography. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

Lecture 7: Transport Level Security SSL/TLS. Course Admin

Application Layer (1)

Department of Computer & Information Sciences. CSCI-445: Computer and Network Security Syllabus

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Authentication Applications

TABLE OF CONTENTS INTRODUCTORY THE FOUNDATION OF E & M. 4. E-Commerce & M-Commerce Technologies. (c) Internet Based Research Approaches.

Transcription:

Modelling and nalysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI This Course This course will primarily teaching you: How to design your own secure communication protocols. How to analyse protocols and look for faults. How to use automatic tools to help you do this. Secondary skills: Know which protocols to use for which jobs. Improve your system design skills. Course Outline This Lecture: How we model protocols Types of encryption used. Lecture 2: Types of attacks on protocols Good protocol design Homework ( 1/6 of total score). Course Outline Lecture 3: Verifying protocols using N logic. Lecture 4: utomatically verifying protocols. Homework ( 1/6 of total score) Lecture 5: nonymity protocols. Course Outline Lecture 6: Verifying probabilistic protocols in PRISM Lecture 7: Fair exchange & Zero knowledge Lecture 8 to Lecture 10 Short students presentations ( 2/3 of total score ) Lecture 11 Summary Sources Take notes if you want but you will get handouts with all the important details and the slides, handouts, papers, homework and links will be available at: http://homepages.cwi.nl/~chothia/teaching 1

This Lecture Part 1: Simple notation for protocols Modelling rules Needham-Schroeder and Kerberos protocols Part 2: high level overview the to cryptography Symmetric key encryption, public key encryptions and signing bstract equation for modelling encryption Simple Protocol sends message M to : M written as: : M s Simple Protocol We write down protocols as a list of messages sent between principals, e.g. 1. : Hello 2. : Offer 3. : ccept M Message M can be read by the attacker Simple Protocol M The attacker can read all the messages sent across the network. Even now! 2

Encryption We can keep our data safe by using encryption: : { M } Kab { M } Kab We can use Encryption {M} K, E K (M) Signing Sign K (M), S K (M), MC K (M) Hashing #(M), Hash(M) We assume that these are prefect cannot be broken by brute force. Encryption Replay ttack M is now secret 1: { Pay Elvis 5 } Kab { M } Kab but the protocol is not safe 1) : { Pay Eve 5 } Kab Replay ttack 1: { Pay Elvis 5 } Kab The attacker can repeat any message it see. E 2: { Pay Elvis 5 } Kab 1) : { Pay Eve 5 } Kab 2) E : { Pay Eve 5 } Kab 3

Nonce 1. 3. {N a + 1} Kab, { Pay Elvis 5 } Kab We can generate nonces. This is a new random values. 1. : 2. : { N a } Kab 3. : { N a + 1 } Kab, { Pay Elvis 5 } Kab If you generate a new nonce for a session you know that all future messages with that include that nonce are part of the same session. 1. Nonce 1. Nonce 3. {N a + 1} Kab, { Pay Elvis 5 } Kab 3. {N a + 1} Kab, { Pay Elvis 5 } Kab 4. 4. 5. { N a2 } Kab 5. { N a2 } Kab 6. {N a2 + 1} Kab, { Pay ob 5 } Kab 6. {N a2 + 1} Kab, { Pay ob 5 } Kab E 6. {N a2 + 1} Kab, { Pay Elvis 5 } Kab The attacker can run multiple rounds of the protocol. The attacker can break up messages, invent new values, keys, nonces,.. combine any of these into new message. etter Protocol 1. 1. :, N a 2. : { N a } Kab 3. {N a, Pay Elvis 5 } Kab 3. : {N a, Pay Elvis 5 } Kab 4

Key Establishment Protocol This was easy because and shared a key. Often the principals do not share a key, in which case we need a Key Establishment Protocol. This usually involves a Trust Third Party who has a shared key with each party. The Needham-Schroeder Public Key Protocol famous authentication protocol 1. : E ( N a, ) 2. : E ( N a, N b ) 3. : E ( N b ) N a and N b can then be used to generate a symmetric key n ttack gainst the Needham-Schroeder Protocol The attack acts as a man-in-the-middle: 1. C : E C ( N a, ) 1`. C() : E ( N a, ) 2`. C() : E ( N a, N b ) 2. C : E ( N a, N b ) 3. C : E C ( N b ) 3`. C() : E ( N b ) The Corrected Version very simple fix: 1. : E ( N a, ) 2. : E ( N a, N b ) 3. : E ( N b ) The Corrected Version very simple fix: 1. : E ( N a, ) 2. : E ( N a, N b, ) 3. : E ( N b ) The attacker can act as a participant of the protocol.... (sometimes) 5

Kerberos protocol for key establishment and authentication used in Windows, MacOS, pache, OpenSSH,... Kerberos and S share the key K S and and S share K S oth and trust S to generate a new key for them: K N is a nonce, T is a timestamp and L is an expiration time. 1. S :,,N 2. S : {K,,L,N,..} K S,{K,,L,..} KS 3. : {,T } K,{K,,L,..} KS 4. : {T +1} K 1. S :,,N 2. S : {K,,L,N,..} K S,{K,,L,..} KS 3. : {,T } K,{K,,L,..} KS 4. : {T +1} K Sources For lectures 1 & 2 the the primary reference material is the handouts. This information is covered in more depth in Paper: Prudent Engineering Practices for Cryptographic Protocols (by badi & Needham) ook: Protocols for uthentication and Key Establishment (by oyd & Mathuria) there are copies in the library. This Lecture Part 1: Simple notation for protocols Modelling rules Needham-Schroeder and Kerberos protocols Part 2: high level overview of cryptography Symmetric key encryption, public key encryptions and signing bstract equation for modelling encryption 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information