1 / 31

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals. Tom Chothia CWI. Last Lecture. Part 1: Simple notion for protocols Modelling “rules” Needham-Schroeder and Kerberos protocols Part 2: A high level overview the to cryptography

kinsey
Télécharger la présentation

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Modelling and Analysing of Security Protocol: Lecture 3Protocol Goals Tom Chothia CWI

  2. Last Lecture • Part 1: • Simple notion for protocols • Modelling “rules” • Needham-Schroeder and Kerberos protocols • Part 2: • A high level overview the to cryptography • Symmetric key Encryption, public key encryptions and signing • Abstract equation for modelling encryption

  3. The Needham-Schroeder Protocol An (in) famous authentication protocol 1. A  B : EB( Na, A ) 2. B  A : EA( Na, Nb ) 3. A  B : EB( Nb ) Na and Nb can then be used to generate a symmetric key

  4. An Attack Against the Needham-Schroeder Protocol The attack acts as a man in the middle: 1. A  C : EC( Na, A ) 1`. C(A)  B : EA( Na, A ) 2`. B  C(A) : EA( Na, Nb ) 2. C  A : EA( Na, Nb ) 3. A  C : EC( Nb ) 3`. C(A)  B : EB( Nb )

  5. The Corrected Version A very simple fix: 1. A  B : EB( Na, A ) 2. B  A : EA( Na, Nb ) 3. A  B : EB( Nb )

  6. The Corrected Version A very simple fix: 1. A  B : EB( Na, A ) 2. B  A : EA( Na, Nb, B) 3. A  B : EB( Nb )

  7. Today: • First Lecture: Goals for security protocol • To know if a protocol is secure you must know what is aims to achieve. • Example: Diffie-Hellman & STS Protocol. • Second Part: Attacks and Principles • Common types of attacks on protocols • Good design principles for protocol.

  8. Is This An Attack? The Needham-Schroeder key establishment protocol is the bases for Kerberos • A and B use the trusted 3rd party S to establish a key Kab: • A  S : A, B, Na • S  A : { Na , B, Kab, {Kab , A}Kbs }Kas • A  B : { Kab , A}Kbs • B  A : { Nb }Kab • A  B : { Nb + 1 }Kab

  9. Is This An Attack? A forces B to use an old key: -999. A  S : A, B, Na -998. S  A : { Na , B, Kab, {oldKab , A}Kbs }Kas ..... ..... 3. A  B : { oldKab , A}Kbs 4. B  A : { Nb }oldKab 5. A  B : { Nb + 1 }oldKab

  10. What is a Protocol Trying to Achieve? We MUST be clear about what we are trying to do with a protocol: • Security • If we can securely establish a fresh key then secure transfer of data is easy. • Key establishment • Yes, but we saw the problem in the last example • Authentication • Again we have to be exact.

  11. Some Key Establishment Goals • Key Freshness: the key established is new • either from some trusted 3rd party • or because it uses a new nonce. • Key Exclusivity: the key is only known to the principals in the protocol. • Good Key: the key is both fresh and exclusive

  12. A Hierarchy of Goals Good Key Fresh Key Key Exclusivity

  13. A Good Key is Not Enough • A “Good Key” provides a secure communication channel.... ... but we have no idea who is on the other end of the channel. • We need authentication as well.

  14. Authentication Goals The most simple: • Far-end Operative: A knows that “B” is currently active: • For instance B might have signed a nonce generated by A e.g. • A  B : Na • B  A : SignB ( Na )

  15. Authentication Goals and • Once Authentication: A knows that B wishes to communicate with A • For instance, B might have the name A in a message e.g. • B  A : SignB ( A)

  16. Entity Authentication Both of these together give: • Entity Authentication: A knows that B is currently active and wants to communicate with A. e.g. • A  B : Na • B  A : SignB ( A, Na )

  17. A Hierarchy of Goals Entity Authentication Good Key Fresh Key Key Exclusivity Far-end Operative Once Authenticated

  18. Key Confirmation A common goal is: • Key Confirmation of A to B is provided if • B can be sure that “K” is a good key to communicate with A • and that A knows “K”.

  19. A Hierarchy of Goals Key Confirmation Entity Authentication Good Key Fresh Key Key Exclusivity Far-end Operative Once Authenticated

  20. The Highest Goal • Mutual Belief in Key: is provided for B only if • “K” is a good key with A • A believes that “K” is a good key for “B” • and A wishes to communicate with B using “K”

  21. A Hierarchy of Goals Mutual Belief in Key Key Confirmation Entity Authentication Good Key Fresh Key Key Exclusivity Far-end Operative Once Authenticated

  22. Example: Diffie-Hellman • The Diffie-Hellman is a widely used key agreement protocol. • It relies on some number theory: • a mod b = n where m s.t. a = m.b + n • The protocol uses two public parameters • generator “g” (often 160 bits long) • prime “p” (often 1024 bits long)

  23. Diffie-Hellman • A and B pick random numbers rA and rB and calculate “tA = grA mod p” and “tB = grB mod p” • The protocol just exchanges these numbers: • A  B : tA • B  A : tB • A calculates “tBrA mod p” and B “tArB mod p” this is the key: • K = grArB mod p

  24. Diffie-Hellman • A and B pick random numbers rA and rB and calculate “tA = grA mod p” and “tB = grB mod p” • The protocol just exchanges these numbers: • A  B : p, g, tA • B  A : tB • A calculates “tArA mod p” and B “tArB mod p” this is the key: • K = grArB mod p

  25. Diffie-Hellman • An observer cannot work out rA and rB from tA and tB therefore the attacker cannot calculate the key • The values of “g” and “p” must be big enough to make it intractable to try all possible combinations. • So we have a “Good Key” but know nothing about the participants. • We did not need to share any keys at the start, therefore this is a very powerful protocol.

  26. Station-to-Station Protocol • The Station-to-Station (STS) protocol adds authentication: • A  B : tA • B  A : tB , { SignB(tA, tB ) }Kab • A  B : { SignA(tA, tB ) }Kab

  27. Station-to-Station Protocol • A  B : A, B, tA • B  A : B, A, tB , { SignB(tA, tB ) }Kab • A  B : A, B, { SignA(tA, tB ) }Kab • Good Key: as before Key • Key Confirmation: A knows that B knows the Kab.

  28. Attack on Mutual Belief • A  E(B) : A, B, tA 1’. E  B : E, B, tA 2’. B  E : B,E,tB,{SignB(tA,tB)}Kab 2. E(B) A : B,A,tB,{SignB(tA,tB)}Kab 3. A  E(B) : A, B, { SignA(tA, tB ) }Kab

  29. What does STS provide? • Attacker E does NOT learn the key. • B does not accept the key. • But A does accept the key. This can be fixed by changing line 2 to: 2. B  A : tB , { A, SignB(tA, tB ) }Kab This is not done because this attack does not pose a real risk. In this case Key Confirmation is enough.

  30. Very Important Homework: • Whenever you do something secure over the Internet (i.e., logon remotely, check your bank balance, pay a bill), think about the protocol used. Is the communication secure? • Have you established a key? Is it fresh? Think about who has been authenticated: • Have you been authenticated? • Has the computer you’re talking to?

  31. Today: • First Lecture: Goals for security protocol • To know if a protocol is secure you must know what is aims to achieve. • Example: Diffie-Hellman & STS Protocol. • Second Part: Attacks and Principles • Common types of attacks on protocols • Good design principles for protocol.

More Related