This module focuses on the fundamentals of protocol specification and verification within the context of information assurance. Key topics include cryptographic basics such as symmetric and public key cryptography, types of protocols, and security properties. The lectures will cover the taxonomy of flaws and attacks on protocols, specification strategies, and methods of protocol analysis. Understanding these elements is crucial for designing secure communication systems in today's digital age.
COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 1 of M2 (This work is supported in part by NSF) Dr. Verma
Contents of M2 • Cryptographic basics • Types of Protocols • Security properties • Taxonomy of Flaws and Attacks • Specification of Protocols • Specification of properties • Protocol analysis
Cryptographic Basics • General principles • Sender, receiver, plaintext, ciphertext, encryption, decryption, etc. • Symmetric key (or secret key) cryptography • Public key (or asymmetric) cryptography • One-way hash algorithms All of these were covered in module M1?
Cryptographic Basics (contd.) • Sender – one who sends • Receiver – one who receives • Plaintext – message to be sent, • Notation: P or M • Ciphertext – encoding of P or M, • Notation: C
Cryptographic Basics (Contd.) • Encryption – the process of disguising a message to hide its contents • Notation: E(M) = C • Decryption – the process of decoding C to recover M • Notation: D(C) = M • Basic Identity: D(E(M)) = M
Cryptographic Basics (contd.) • Cryptography – the art and science of keeping messages secure • Cryptographic algorithm – function used for encryption and decryption. • Restricted (secret) or unrestricted (published); unrestricted algorithms are our focus • Unrestricted – based on a key K: E_K and D_K. The key for encryption and decryption can be different.
Cryptographic Basics (contd.) • Symmetric key cryptography – encryption key can be computed from the decryption key or vice versa. • Special case: the two keys are the same. • Key(s) must be kept secret! • Public key cryptography – the encryption key is public, the decryption key is not. • Decryption key should be hard to compute from the encryption key!
Cryptographic Basics (contd.) • One-way functions – functions that are easy to compute but hard to invert • Computing f(x), given x, is easy • Computing x, given f(x), is hard This sounds easy, but we have no proof that such functions exist! We will pretend they do. • Trapdoor one-way functions – one-way functions such that • Computing x, given f(x) and some y, is easy
Cryptographic Basics (contd.) • Notation: 1-way for one-way • 1-way hash functions – A hash function that is also a 1-way function. • A good 1-way hash function is also collision-free. • Security of a 1-way hash function is its 1-wayness.
pro·to·col n. 1. • The forms of ceremony and etiquette observed by diplomats and heads of state. • A code of correct conduct: safety protocols; academic protocol. 2. The first copy of a treaty or other such document before its ratification. 3. A preliminary draft or record of a transaction. 4. The plan for a course of medical treatment or for a scientific experiment. 5. Computer Science. A standard procedure for regulating data transmission between computers.
Protocols • Protocol – a series of steps involving two or more parties to accomplish a task. • Must be unambiguous • Must be complete in some sense (specified action for lots of possible situations). • Each step is either a computation or a message • Parties may distrust each other
Types of Protocols • Our protocols are cryptographic – use cryptography for preventing eavesdropping, cheating, etc. • Goal of the protocol is beyond secrecy. • Examples: simultaneously sign a contract, convince one another of their identity, etc. • Protocols can be classified in many ways • According to: parties involved, the purpose, the environment, etc.
Classification by Parties • Arbitrated protocols • Adjudicated protocols • Self-enforcing protocols
Arbitrated Protocols • Arbitrated protocols – have an arbitrator, a disinterested third party trusted to complete a protocol. • Easier if parties are face to face. • Over computer networks this results in delay and overheads. • Arbitrator becomes a bottleneck. • Scaling issues. • Arbitrator is vulnerable.
Adjudicated Protocols • Adjudicated protocols – A two stage protocol with: • A nonarbitrated subprotocol • An arbitrated subprotocol executed only in exceptional circumstances – a dispute. • This kind of arbitrator is called adjudicator • Adjudicator only called in to judge fair execution of protocol. Detects cheating rather than preventing. • Good adjudicated protocol – adjudicator should be able to determine cheater’s identity
Self-enforcing Protocols • Self-enforcing protocols – protocol itself guarantees fairness. • No arbitrator or adjudicator – if one party cheats, the others detect the cheating. • Best type of protocol. • Do not exist for every situation. • Exercise: Find a situation for which there are no self-enforcing protocols.
Protocol Classification by Aim • Key-exchange protocols • Authentication protocols • Authentication and Key exchange protocols • Electronic Commerce protocols • …
Key Exchange Protocols • Goal is to distribute keys for secure sessions, channels, communication, etc. • Classical key exchange protocols • TMN • Symmetric Needham-Schroeder • Denning-Sacco • Deployed Protocols • Kerberos IV • SSL/TLS
The TMN Protocol (1990) (Tatebayashi-Matsuzaki-Newman) • Suitable for networks, mobile computing. • Symmetric. Trusted Server S. • Parties don’t have long term keys. • Randomly chosen keys K_A, K_B, etc. • Standard encryption function E(.), invertible only by server. • Vernam encryption function V(., .) • V(M, V(M, N)) = N
The TMN Protocol • 1. A → S : A, S, B, E(K_A) • 2. S → B : S, B, A • 3. B → S : B, S, A, E(K_B) • 4. S → A : S, A, B, V(K_A, K_B) • A extracts K_B from message 4. • Parties should agree on the session key chosen by B.
An Implementation of TMN • n = p·q, where p and q are primes • E(x) = x^3 mod n • S knows the 2 prime factors of n • V(x, y) = x exclusive-or y Protocol looks good, but has big flaws!
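One honest run of the four TMN messages with the implementation given above (cubing mod n for E, exclusive-or for V), as an added example that is not part of the original lecture. The primes 1019 and 1031, the 16-bit key size and every name other than E and V are assumptions chosen so the run fits on a page.

```python
import secrets

# Constructed toy parameters (not from the slides): both primes are 2 mod 3,
# so 3 is invertible mod phi(n) and S, who knows p and q, can undo E.
P, Q = 1019, 1031
N = P * Q
PHI = (P - 1) * (Q - 1)
D_SERVER = pow(3, -1, PHI)       # server-only cube-root exponent

def E(x):
    """Standard encryption from the slide: E(x) = x^3 mod n."""
    return pow(x, 3, N)

def server_decrypt(c):
    """Invert E; possible only with the factors of n."""
    return pow(c, D_SERVER, N)

def V(x, y):
    """Vernam encryption from the slide: exclusive-or."""
    return x ^ y

def run_tmn(ka, kb):
    """Play messages 1-4; return (transcript, key A ends up holding)."""
    m1 = ("A", "S", "B", E(ka))                 # 1. A -> S
    m2 = ("S", "B", "A")                        # 2. S -> B
    m3 = ("B", "S", "A", E(kb))                 # 3. B -> S
    ka_at_s = server_decrypt(m1[3])             # S recovers both keys
    kb_at_s = server_decrypt(m3[3])
    m4 = ("S", "A", "B", V(ka_at_s, kb_at_s))   # 4. S -> A
    key_at_a = V(ka, m4[3])                     # V(M, V(M, N)) = N
    return [m1, m2, m3, m4], key_at_a

def fresh_key():
    """Random key below 2^16, well under the toy modulus n."""
    return 2 + secrets.randbelow(2**16 - 2)

if __name__ == "__main__":
    ka, kb = fresh_key(), fresh_key()
    transcript, session = run_tmn(ka, kb)
    for msg in transcript:
        print(msg)
    print("A recovered B's key:", session == kb)
```

Note that S handles both K_A and K_B in the clear between messages 3 and 4, which is why the slides call it a trusted server.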
Authentication Protocols • Authentication protocols – for authentication of parties (principals) • Authentication – assurance of who you are talking to • Examples of specific aims: • To make sure that those obtaining a session key are who they say they are • Make sure that the principal you think has the key does have it.
Authentication Protocols • Passwords or shared keys typically used by system administrators • Authentication can be a byproduct of a key-exchange protocol • Some authentication protocols • Feige-Fiat-Shamir (1987) • Guillou-Quisquater (1988) • Schnorr (1989)
Guillou-Quisquater Protocol • Smart-cards and other applications • Alice wants to prove her identity, bit string J, to Victor • Public information: exponent v, and a number n • (n = p·q, p and q primes) • Private key: B, with J·B^v = 1 (mod n)
Guillou-Quisquater Protocol • A → V : J (P wants to prove that this J is hers) • A → V : T = r^v mod n (1 < r < n - 1, r random) • V → A : d (0 < d < v – 1, d random) • A → V : D = r·B^d mod n • V computes T’ = D^v·J^d mod n. If T = T’ (mod n), authentication succeeds.
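The Guillou-Quisquater exchange above with both sides' computations, as an added example that is not part of the original lecture. The modulus, the exponent v = 17, the sample identity J and the function names are assumptions; the key-issuing step (deriving B from J using the factors of n) is one way to satisfy the slide's relation J·B^v = 1 (mod n).

```python
import secrets

# Constructed toy parameters (not from the slides).
P, Q = 1019, 1031
N = P * Q
V_EXP = 17                        # public exponent v, coprime to phi(n)

def issue_private_key(j):
    """Derive B with J * B^v = 1 (mod n), using the factors of n."""
    phi = (P - 1) * (Q - 1)
    v_inv = pow(V_EXP, -1, phi)
    return pow(pow(j, -1, N), v_inv, N)

def commit(r):
    """A -> V: T = r^v mod n."""
    return pow(r, V_EXP, N)

def respond(r, b, d):
    """A -> V: D = r * B^d mod n."""
    return (r * pow(b, d, N)) % N

def verify(j, t, d, big_d):
    """V computes T' = D^v * J^d mod n and accepts iff T == T'."""
    t_prime = (pow(big_d, V_EXP, N) * pow(j, d, N)) % N
    return t == t_prime

def run_round(j, b):
    """One round with fresh r and d in the ranges given on the slide."""
    r = 2 + secrets.randbelow(N - 3)        # 1 < r < n - 1
    t = commit(r)
    d = 1 + secrets.randbelow(V_EXP - 2)    # 0 < d < v - 1
    return verify(j, t, d, respond(r, b, d))

if __name__ == "__main__":
    J = 424242                    # constructed identity value
    B = issue_private_key(J)
    print("holder of B accepted:", run_round(J, B))
    # A response built from any other value than B fails V's check here.
    r, d = 31337, 3
    bad = respond(r, (B + 1) % N, d)
    print("wrong key accepted:", verify(J, commit(r), d, bad))
```

The check works because D^v·J^d = r^v·(J·B^v)^d, and the bracket equals 1 only for the genuine B.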
3 Important Concepts • Security • Privacy • Reliability
Security • Security – the control of information. • Ensures that: • Authorized parties are properly authenticated • Their messages are sent through a network unaltered. • In a secure system the origin, content and intended recipients of a message can be ensured. • Security is not privacy.
Privacy • Privacy – the subject of information can control the information. • Privacy requires security, but security is not sufficient. • Security may preclude privacy! (by assuring that the subjects of information have neither control nor knowledge of the uses of that information)
Reliability • Reliability – provide certainty in the presence of network failures, memory losses and adversaries. • Reliability and security are interdependent. • Reliability is not security. Reliable protocols on unsecure servers provide reliable services to attackers as well as authentic users. • Reliable electronic commerce requires fail-proof transactions.
Security Properties • Authentication – receiver of a message should be able to ascertain its origin. • An intruder should not be able to masquerade as someone else. • Implemented using shared information or ability to prove unique information (PINs and passwords). • Secrecy – confidentiality. If a message is confidential it can be read only by intended recipients. • Eavesdropping is difficult or useless
Security Properties (contd.) • Integrity – receiver of a message can verify that it has not been modified in transit. • Integrity alone is not security. • Availability – a system must be available • availability can be compromised by malicious hackers, network failures or commercial espionage. • Nonrepudiation – a party cannot reasonably claim not to have taken an action. • Example: sender falsely denies sending a message.
Reliability Properties • Atomicity – indivisibility. An atomic transaction either fails completely or succeeds completely. • Consistency – all relevant parties agree on critical facts of the exchange. • Isolation – result of a set of overlapping transactions must be serializable • Durability – a transaction can recover to its last consistent state.
Other Properties Other properties may also be needed. For example, in Electronic Commerce • Certified Delivery • Goods Atomicity • Etc. are also required.
Primary References • Bruce Schneier, Applied Cryptography • Linda Jean Camp, Privacy and Reliability in Electronic Commerce, PhD dissertation, CMU