1 / 26

Understanding the Needham-Schroeder Symmetric Key Protocol and Its Security Analysis

The Needham-Schroeder Symmetric Key Protocol is a critical cryptographic protocol for secure communication between two parties. This analysis explores key components, including message exchanges, nonce usage, and session key derivation, revealing how freshness mitigates replay attacks. The protocol's steps are outlined with informal explanations, detailing how spies may intercept messages and assess their implications on confidentiality and authenticity. Additionally, we delve into potential attacks, key loss scenarios, and the importance of trace properties to ensure secure execution between participants.

eze
Télécharger la présentation

Understanding the Needham-Schroeder Symmetric Key Protocol and Its Security Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Some Properties (Lemmata) • In set notation: • parts(parts(H)) = parts(H) • analz(analz(H)) = analz(H) • synt(synt(H)) = synt(H) • parts(analz(H)) = analz(parts(H)) • parts(synt(H)) = parts(H)  synt(H) • analz(synt(H)) = analz(H)  synt(H)

  2. Example: Needham-Schroeder Symmetric Key • Needham Schroeder Symmetric Key Protocol: • 1: A  S : A, B, NA • 2: S  A : {NA , B, KAB, {KAB, A} KBS }KAS • 3: A  B : { KAB, A} KBS • 4: B  A : {NB} KAB5: A  B : {NB ,NB} KAB • Modification in the last line (step 5) : {NB ,NB} instead of {NB + 1}

  3. Step3: Needham-Schroeder Theory

  4. Step3: Needham-Schroeder Theory • Needham-Schroeder Traces rules for protocol steps attacker

  5. Line 1 Informally 1: A  S : A, B, NA • evs is an admissible trace, e.g. evs  nsch-sym, • A  B • NA is a fresh nonce, e.g. Nonce(NA)  used(evs), • A and B are not servers (friends or spy) • then: Says(A, S, [Agent(A), Agent(B), Nonce(NA)]) # evs  nsch-sym

  6. Step 3: Axiomatization of Line 1 has to be defined appropriately

  7. Line 2 Informally 2: S  A : {NA , B, KAB, {KAB, A} KBS }KAS • evs is an admissible trace, • KAB is a fresh session key, • Gets(S, [Agent(A), Agent(B), Nonce(NA)] )  evs, • then: Says(S, A, crypt( KAS, [Nonce(NA), B, KAB , crypt(KBS, [KAB, Agent(A)]) ] ) ) # evs 2 nsch-sym

  8. Step 3: Axiomatization of Line 2

  9. Line 3 Informally 3: A  B : { KAB, A} KBS • evs is an admissible trace, • Says(A, S, [Agent(A), Agent(B), Nonce(NA)]) 2 evs • Gets(A, crypt( KAS, [Nonce(NA), B, KAB , F ]))  evs, • then: Says(A, B, F) # evs  nsch-sym • F stands for the part of the message that cannot be decrypted by A.

  10. Step 3: Axiomatization of Line 3

  11. Line 4 Informally 4: B  A : {NB} KAB • evs is an admissible trace, • NB is a fresh nonce, • Gets(B, crypt(KBS, [KAB, Agent(A)]) )  evs, • then: Says(B, A, crypt(KAB, Nonce(NB)))# evs  nsch-sym

  12. Step 3: Axiomatization of Line 4

  13. Line 5 Informally 5: A  B : {NB ,NB} KAB • evs is an admissible trace, • Says(A, S, [Agent(A), Agent(B), Nonce(NA)] 2 evs • Says(A, B, F) 2 evs, • Gets(A, crypt( KAS, [Nonce(NA), B, KAB, F ]) )  evs, • Gets(A, crypt(KAB, Nonce(NB))) 2 evs • then: Says(A, B, crypt(KAB, [Nonce(NB), Nonce(NB)]) # evs  nsch-sym

  14. Step 3: Axiomatization of Line 5

  15. Step3 : Loosing Keys • "Oops" – rule: Participants might loose keys. • Keys they got during a protocol run. • Allows to analyse what happens in these cases. • Does everything break down? • In the example: Loss of KAB after the protocol run.

  16. Step3: Modeling of Attacks • "Fake" – rule: (spy can send messages at anytime) • if evs  nsch-sym, • X  synth(analz(spies(evs))), • then: Says(Spy, B, X) # evs  nsch-sym • spies(evs) : The set of messages the spy sees (knows).

  17. Step 3: Oops Rule • Binding (the loss of key) to the current run by the two nonces!

  18. Step3: Generic Protocol Events (Attacker) What does this mean? What the spy sees (knows)

  19. Step3: Knowledge of Participants • What (arbitrary) agents learn during execution of a protocol • main interest: knowledge of the spy The spy shares knowledge with bad agents.

  20. Step3: Knowledge of Participants

  21. Step3: Knowledge of Participants

  22. Step3: Initial Knowledge

  23. Step4: Properties of Traces: Confidentiality Informally • Confidentiality: • if evs  nsch-sym,Says(S, A, crypt( KAS, [Nonce(NA), B, KAB , crypt(KBS, [KAB, Agent(A)]) ] ) ) 2 evs, • A and B are not bad agents (Bad agents share theirknowledge with the spy.), • : Notes(spy, [Nonce(NA), Nonce(NB), KAB) 2 evs for some NB (The key was not lost by an oops event after the says event from above.) • then: : Key(KAB) 2 analz(spies(evs))

  24. Step4: Properties of Traces

  25. Step4: Properties of Traces • Authentification • if evs  nsch-sym, • Gets(A, crypt( KAS, [Nonce(NA), B, KAB , F ])) 2 evs, • Says(A,B,F) 2 evs, • Gets(A, crypt(KAB(Nonce(NB))) 2 evs, • : Notes(spy, Nonce(NA), Nonce(NB), Key(KAB)) 2 evs(No loss of keys) • A and B are not bad agents, • then Says(B, A, crypt(KAB, Nonce(NB))) 2 evs • From Gets to Says

  26. Step4: Properties of Traces

More Related