1 / 17

Security Analysis of Network Protocols

CS 259. Security Analysis of Network Protocols. Mukund Sundararajan. http://www.stanford.edu/class/cs259/. How to write a crypto paper?. 1. First visit: http://www-cse.ucsd.edu/users/mihir/crypto-topic-generator.html 2. Click on the button 3. Be Inspired

Télécharger la présentation

Security Analysis of Network Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CS 259 Security Analysis of Network Protocols Mukund Sundararajan http://www.stanford.edu/class/cs259/

  2. How to write a crypto paper? • 1. First visit: http://www-cse.ucsd.edu/users/mihir/crypto-topic-generator.html • 2. Click on the button • 3. Be Inspired • Fortunately, we don’t need to know what those papers, if written, may contain

  3. Today • Getting Murphi to work on Windows • A close look at the NS implementation in Murphi • Cryptography for CS259 • The cryptography of SSL • Newsgroup: su.class.cs259

  4. Murphi on Windows • Download Cygwin • Need to include g++, make, gcc packages • Look under the ‘Devel’ heading • Follow instructions in the Readme file located in the src directory • Make the murphi compiler in the src directory • Set up a link • Edit homework Makefile

  5. Needham Schroeder in Murphi • Walk through code sections • Data types • State variables • Transitions, invariants • Initial state • The strong attacker model • Perfect cryptography • Intercept all messages on the network • Insert, reorder, delete messages

  6. Murphi Syntax • Invariants are a special kind of rule • Rulesets allow concise specification of transition rules • Scalarsets allow us to exploit symmetry the inherent symmetry in some situations to make model checking efficient • Multisets are similar to scalarsets but are modifiable at runtime, use a ‘choose’ to index. • Union data types allow us to refer to many scalarsets at once

  7. Weak intruder model [Part (b) of the 3rd question on HW#1] • Consider an intruder who can only receive messages destined to it. • Does the attack on “initiator correctly authenticated” still work? • Need to undo optimizations

  8. [Lowe] Anomaly in Needham-Schroeder { A, NA } Ke A E { NA, NB } Ka { NB } Ke { A, NA } { NA, NB } Evil agent E tricks honest A into revealing private key NB from B Kb Ka B Evil E can then fool B

  9. Nonce • 'number used once' • To prevent against replay attacks

  10. Symmetric Key Algorithm • Encryption • Input: plain-text, key, Output: cipher text • Decryption • Input: encrypted message, key, Output: plain text • Needs to be reversible • Insecure if following is computationally feasible • Can decipher plaintext without key • Can produce cipher text without key • Can deduce key from cipher text

  11. Asymmetric Encryption • Encryption • Input: plain-text, public-key, Output: cipher text • Decryption • Input: encrypted message, private-key, Output: plain text • Needs to be reversible • Insecure if following is computationally feasible • Can decipher plaintext without private key • Can deduce private key from cipher text or public key

  12. Digital Signatures • Signature algorithm • Input: m, private key, Output: Signature • Verification algorithm • Input: Signature, public key, Output: Boolean • Authentication • Integrity • Non-repudiation

  13. Cryptographic Hashes • Input: message, Output: digest • Insecure if following is computationally feasible: • Preimage resistance: finding a message that matches a given digest • Collision resistance: finding "collisions", wherein two different messages have the same message digest • Second Preimage resistance: given an input m, it must be hard to find different m’ that hashes to the same value

  14. MAC’s • Integrity + Authenticity • Input: Key, Message, Output: Message Authentication Code • Verification algorithm • Uses cryptographic hashes or symmetric key crypto • Attacker must not be able to find two messages M, M’ that produce the same MAC under an unknown key given an oracle that MAC’s messages • Key holder may find collisions • Differ from signatures: they are symmetric

  15. Diffie-Hellman exchange • A picks a nonce x, generates Gx, sends it to B • B picks a nonce y, generates Gy, sends it to A • Both generate Gxy locally • Gxy is a shared secret • Secure by ‘Hardness of discrete logarithm’

  16. Exercises • How do scalarsets and multisets improve the efficiency of model-checking? • What is the relationship between the three properties of cryptographic hashes? • Read the definition of a message authentication code in Wikipedia

More Related