170 likes | 298 Vues
CS 259. Security Analysis of Network Protocols. Mukund Sundararajan. http://www.stanford.edu/class/cs259/. How to write a crypto paper?. 1. First visit: http://www-cse.ucsd.edu/users/mihir/crypto-topic-generator.html 2. Click on the button 3. Be Inspired
E N D
CS 259 Security Analysis of Network Protocols Mukund Sundararajan http://www.stanford.edu/class/cs259/
How to write a crypto paper? • 1. First visit: http://www-cse.ucsd.edu/users/mihir/crypto-topic-generator.html • 2. Click on the button • 3. Be Inspired • Fortunately, we don’t need to know what those papers, if written, may contain
Today • Getting Murphi to work on Windows • A close look at the NS implementation in Murphi • Cryptography for CS259 • The cryptography of SSL • Newsgroup: su.class.cs259
Murphi on Windows • Download Cygwin • Need to include g++, make, gcc packages • Look under the ‘Devel’ heading • Follow instructions in the Readme file located in the src directory • Make the murphi compiler in the src directory • Set up a link • Edit homework Makefile
Needham Schroeder in Murphi • Walk through code sections • Data types • State variables • Transitions, invariants • Initial state • The strong attacker model • Perfect cryptography • Intercept all messages on the network • Insert, reorder, delete messages
Murphi Syntax • Invariants are a special kind of rule • Rulesets allow concise specification of transition rules • Scalarsets allow us to exploit symmetry the inherent symmetry in some situations to make model checking efficient • Multisets are similar to scalarsets but are modifiable at runtime, use a ‘choose’ to index. • Union data types allow us to refer to many scalarsets at once
Weak intruder model [Part (b) of the 3rd question on HW#1] • Consider an intruder who can only receive messages destined to it. • Does the attack on “initiator correctly authenticated” still work? • Need to undo optimizations
[Lowe] Anomaly in Needham-Schroeder { A, NA } Ke A E { NA, NB } Ka { NB } Ke { A, NA } { NA, NB } Evil agent E tricks honest A into revealing private key NB from B Kb Ka B Evil E can then fool B
Nonce • 'number used once' • To prevent against replay attacks
Symmetric Key Algorithm • Encryption • Input: plain-text, key, Output: cipher text • Decryption • Input: encrypted message, key, Output: plain text • Needs to be reversible • Insecure if following is computationally feasible • Can decipher plaintext without key • Can produce cipher text without key • Can deduce key from cipher text
Asymmetric Encryption • Encryption • Input: plain-text, public-key, Output: cipher text • Decryption • Input: encrypted message, private-key, Output: plain text • Needs to be reversible • Insecure if following is computationally feasible • Can decipher plaintext without private key • Can deduce private key from cipher text or public key
Digital Signatures • Signature algorithm • Input: m, private key, Output: Signature • Verification algorithm • Input: Signature, public key, Output: Boolean • Authentication • Integrity • Non-repudiation
Cryptographic Hashes • Input: message, Output: digest • Insecure if following is computationally feasible: • Preimage resistance: finding a message that matches a given digest • Collision resistance: finding "collisions", wherein two different messages have the same message digest • Second Preimage resistance: given an input m, it must be hard to find different m’ that hashes to the same value
MAC’s • Integrity + Authenticity • Input: Key, Message, Output: Message Authentication Code • Verification algorithm • Uses cryptographic hashes or symmetric key crypto • Attacker must not be able to find two messages M, M’ that produce the same MAC under an unknown key given an oracle that MAC’s messages • Key holder may find collisions • Differ from signatures: they are symmetric
Diffie-Hellman exchange • A picks a nonce x, generates Gx, sends it to B • B picks a nonce y, generates Gy, sends it to A • Both generate Gxy locally • Gxy is a shared secret • Secure by ‘Hardness of discrete logarithm’
Exercises • How do scalarsets and multisets improve the efficiency of model-checking? • What is the relationship between the three properties of cryptographic hashes? • Read the definition of a message authentication code in Wikipedia