
Verification of Security Protocols



  1. Verification of Security Protocols
     Sandro Etalle
     etalle@cs.utwente.nl

  2. Outline
     • Day 2: Practice
       • analysis of many flawed protocol...
       • ...using the online demo
     • Resources:
       • The online tool, reachable at wwwes.cs.utwente.nl/24cqet
       • The Clark-Jacob library
         • http://citeseer.nj.nec.com/clark97survey.html
         • www-users.cs.york.ac.uk/~jac/papers/drareviewps.ps

  3. Security Protocols & the Attacks
     • Otway-Rees
       • Secrecy+type-flaw attack
     • Kao-Chow
       • replay-attack
     • Woo-Lam
       • authentication+type flaw attack
     • NSL (as bonus protocol)
       • auth+type-flaw attack

  4. Otway-Rees Protocol
     1. A->B : [M,A,B,[Na,M,A,B]+Kas]
     2. B->S : [M,A,B,[Na,M,A,B]+Kas], [Nb,M,A,B]+Kbs
     3. S->B : [M, [Na,Kab]+Kas, [Nb,Kab]+Kbs]
     4. B->A : [M,[Na,Kab]+Kas]
     • Aim: key distribution using a trusted server.
     • Kab: short-term key.
       • Could be guessed.
     • Na and Nb serve as challenges.

  5. Attack upon Otway-Rees
     a.1 A->e(B) : [M,A,B,[Na,M,A,B]+Kas]
     a.4 e(B)->A : [M,A,B,[Na,M,A,B]+Kas]
     • Type flaw attack
       • A takes [M,A,B] to be the key
     • The intruder just replays the first message.
     • It is an authentication flaw.
     • It is also a secrecy flaw (the intruder knows the key, now).

  6. Otway-Rees in the tool

     initiator(A,B,Na,Nb,M,X,Kas,Kab,[
         recv([A,B]),                       % for origination assumption
         send([M,A,B,[Na,M,A,B]+Kas]),
         recv([M,[Na,Kab]+Kas]),
         send(X+Kab)]).                     % another way of checking secrecy

     responder(A,B,Na,Nb,M,X,Kas,Kab,[      % NOT RELEVANT
         recv([M,A,B,[Na,M,A,B]+Kas]),
         send([[M,A,B,[Na,M,A,B]+Kas], [Nb,M,A,B]+Kbs]),
         recv([[M,Na,Kab]+Kas, [Nb,Kab]+Kbs]),
         send([M,[Na,Kab]+Kas]),
         recv(X+Kab) ]).

  7. Otway-Rees in the tool cont’d

     secrecy(N,[recv(N)]).

     server(A,B,Na,Nb,M,X,Kas,Kab,[
         recv([[M,A,B,[Na,M,A,B]+Kas], [Nb,[M,[A,B]]]+Kbs]),
         send([[M,[Na,Kab]]+Kas, [Nb,Kab]+Kbs])]).

  8. Scenario
     One initiator is enough. And the secrecy check.
     We could not check secrecy the “usual” way because Kab is not instantiated anywhere (it is given by the server).

     scenario([[sec1,St],[a,Sa1]]) :-
         initiator(a,b,na,Nb,m,x,kas,Kab,Sa1),
         secrecy(x, St).
     initial_intruder_knowledge([a,b,e]).
     has_to_finish([sec1]).

  9. The Attack Output
     Trace:
     [a,recv([a,b])]
     [a,send([m,[a,[b,[na,[m,[a,b]]] + kas]]])]
     [a,recv([m,[na,[m,[a,b]]] + kas])]
     [a,send(x + [m,[a,b]])]
     [sec1,recv(x)]
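The type confusion behind slides 5 and 9, as an added Python example that is not part of the original slides or of the course tool. It follows the trace on slide 9, where A receives [M, [Na,M,A,B]+Kas]; the symbolic term encoding, the function names and the "key:" type tag are assumptions made for the illustration.

```python
# Added illustration (not the course tool). Atoms are strings; lists are
# right-nested pairs, as in the tool's traces; enc(m, k) stands for m+K.

def pairs(*items):
    """[x1,...,xn] as right-nested pairs: [x1,[x2,[...,xn]]]."""
    if len(items) == 1:
        return items[0]
    return ("pair", items[0], pairs(*items[1:]))

def enc(msg, key):
    return ("enc", msg, key)

def dec(term, key):
    """Symbolic decryption: succeeds only with the matching key."""
    if isinstance(term, tuple) and term[0] == "enc" and term[2] == key:
        return term[1]
    return None

def initiator_step4(msg, m, na, kas, typed):
    """A's check of message 4, [M,[Na,Kab]+Kas]; returns the accepted Kab or None."""
    if not (isinstance(msg, tuple) and msg[0] == "pair" and msg[1] == m):
        return None
    body = dec(msg[2], kas)
    if not (isinstance(body, tuple) and body[0] == "pair" and body[1] == na):
        return None
    kab = body[2]
    # Untyped matching binds Kab to whatever follows Na. The typed variant
    # accepts only an atom carrying a "key:" tag (a hypothetical convention).
    if typed and not (isinstance(kab, str) and kab.startswith("key:")):
        return None
    return kab

M, A, B, NA, KAS = "m", "a", "b", "na", "kas"      # constructed sample values
ticket = enc(pairs(NA, M, A, B), KAS)              # [Na,M,A,B]+Kas from message 1
replayed = pairs(M, ticket)                        # what A receives in the trace
honest = pairs(M, enc(pairs(NA, "key:kab"), KAS))  # a well-formed message 4

def run_demo():
    return {
        "untyped_replay": initiator_step4(replayed, M, NA, KAS, typed=False),
        "typed_replay": initiator_step4(replayed, M, NA, KAS, typed=True),
        "typed_honest": initiator_step4(honest, M, NA, KAS, typed=True),
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", result)
```

With untyped matching A accepts the public term [M,[A,B]] as the session key, which is why the trace ends with the secret x readable by the intruder.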

  10. Kao-Chow authentication Protocol
      1. A->S : [A,B,Na]
      2. S->B : [A,B,Na,Kab]+Kas, [A,B,Na,Kab]+Kbs
      3. B->A : [A,B,Na,Kab]+Kas, [Na+Kab,Nb]
      4. A->B : Nb+Kab
      • Assumption: Kab is compromised

  11. Attack upon Kao-Chow
      a.1 A->S : [A,B,Na]
      a.2 S->B : [A,B,Na,Kab]+Kas, [A,B,Na,Kab]+Kbs
      a.3 B->A : [A,B,Na,Kab]+Kas, [Na+Kab,Nb]
      a.4 A->B : Nb+Kab
      b.2 e(S)->B : [A,B,Na,Kab]+Kas, [A,B,Na,Kab]+Kbs
      b.3 B->e(A) : [A,B,Na,Kab]+Kas, [Na+Kab,Nb’]
      b.4 e(A)->B : Nb’+Kab

  12. How it works
      • Two sessions.
      • First a normal session is carried out.
      • We assume the intruder “guesses” Kab.
      • This is something we have to implement manually.
      • In a second session, the intruder can impersonate both A and the server S.
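The intruder's reasoning in the second Kao-Chow session, as an added Python example that is not part of the original slides or of the course tool. It is a small Dolev-Yao style knowledge closure over the messages of slide 11; the term encoding and all function names are assumptions, and Nb’ is written nb2.

```python
# Added illustration (not the course tool). Atoms are strings, P builds
# right-nested pairs, E(m, k) stands for m+K. All values are constructed.

def P(*xs):
    return xs[0] if len(xs) == 1 else ("pair", xs[0], P(*xs[1:]))

def E(msg, key):
    return ("enc", msg, key)

def can_build(term, known):
    """Synthesis: a term is known, or is paired/encrypted from buildable parts."""
    if term in known:
        return True
    if isinstance(term, tuple):
        return can_build(term[1], known) and can_build(term[2], known)
    return False

def analyse(knowledge):
    """Close a set of terms under projection and decryption with derivable keys."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            parts = []
            if isinstance(t, tuple) and t[0] == "pair":
                parts = [t[1], t[2]]
            elif isinstance(t, tuple) and can_build(t[2], known):
                parts = [t[1]]          # t is E(m, k) and k is derivable
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return known

TA = E(P("a", "b", "na", "kab"), "kas")      # [A,B,Na,Kab]+Kas
TB = E(P("a", "b", "na", "kab"), "kbs")      # [A,B,Na,Kab]+Kbs
SESSION_A = [P("a", "b", "na"), P(TA, TB),   # a.1, a.2
             P(TA, P(E("na", "kab"), "nb")), E("nb", "kab")]   # a.3, a.4
B2 = P(TA, TB)                               # b.2: replay of a.2
B3 = P(TA, P(E("na", "kab"), "nb2"))         # b.3: B answers with fresh Nb'
B4 = E("nb2", "kab")                         # b.4: what B waits for

def second_session(kab_compromised):
    """Returns (intruder can send b.2, intruder can send b.4)."""
    known = {"a", "b", "e"} | set(SESSION_A)
    if kab_compromised:
        known.add("kab")
    known = analyse(known)
    can_b2 = can_build(B2, known)
    known = analyse(known | {B3})            # intruder observes B's reply
    return can_b2, can_build(B4, known)
```

The replayed message b.2 needs no key at all; only the final step b.4 depends on the compromised Kab, which is the assumption stated on slide 10.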

  13. Kao-Chow in the tool

      initiator(A,B,Na,Nb,Kas,Kab,Kbs,[
          recv([A,B]),                          % for origination assumption
          send([A,[B,Na]]),
          recv([ [A,[B,[Na,Kab]]]+Kas, [ Na+Kab, Nb ]]),
          send(Nb+Kab) ]).

      responder(A,B,Na,Nb,M,Kab,Kbs,[
          recv([M, ([A,[B,[Na,Kab]]]+Kbs)]),    % M because he cannot decipher it
          send([M, [ Na+Kab, Nb ]]),
          recv(Nb+Kab),
          send(Kab)                             % we model that the key kab was compromised...
          ]).

  14. Scenario

      scenario([[a1,Sa1],[a2,Sb1],[a3,Sb2],[s1,Ss1]]) :-
          initiator(a,b,na,Nb,kas,Kab,Kbs,Sa1),
          responder(a,b,Na1,nb1,M,Kab1,kbs,Sb1),
          responder(a,b,Na2,nb2,M2,Kab2,kbs,Sb2),
          server(a,b,Na3,kas,kab,kbs,Ss1).
      initial_intruder_knowledge([a,b,e]).
      has_to_finish([a2,a3]).

      • session consisting of: initiator, two responders, one server.
      • any larger session will do.
      • If both responders can finish there is certainly an attack.

  15. The Attack Output
      Trace:
      [a1,recv([a,b])]
      [a1,send([a,[b,na]])]
      [s1,recv([a,[b,na]])]
      [s1,send([[a,[b,[na,kab]]] + kas,[a,[b,[na,kab]]] + kbs])]
      [a2,recv([_h381,[a,[b,[na,kab]]] + kbs])]   % a variable here
      [a2,send([_h381,[na + kab,nb1]])]
      [a1,recv([[a,[b,[na,kab]]] + kas,[na + kab,nb1]])]
      [a1,send(nb1 + kab)]
      [a2,recv(nb1 + kab)]
      [a2,send(kab)]
      [a3,recv([_h433,[a,[b,[na,kab]]] + kbs])]
      [a3,send([_h433,[na + kab,nb2]])]
      [a3,recv(nb2 + kab)]
      [a3,send(kab)]

  16. Woo-Lam Mutual Authentication Protocol
      1. A->B : [A,Na]
      2. B->A : [B,Nb]
      3. A->B : [A,B,Na,Nb]+Kas
      4. B->S : [A,B,Na,Nb]+Kas, [A,B,Na,Nb]+Kbs
      5. S->B : [B,Na,Nb,Kab]+Kas, [A,Na,Nb,Kab]+Kbs
      6. B->A : [B,Na,Nb,Kab]+Kas, [Na,Nb]+Kab
      7. A->B : Nb+Kab

  17. Attack upon Woo-Lam
      a.1 e(A)->B : [A,B]
      a.2 B->e(A) : [B,Nb]
      a.3 e(A)->B : [A,B,B,Nb]+Kes
      a.4 B->e(S) : [A,B,B,Nb]+Kes, [A,B,B,Nb]+Kbs
      b.1 e(A)->B : [A,Nb]
      b.2 B->e(A) : [B,Nb’]
      b.3 e(A)->B : [A,B,Nb,Nb’]+Kes
      b.4 B->e(S) : [A,B,Nb,Nb’]+Kes, [A,B,Nb,Nb’]+Kbs
      a.5 e(S)->B : [B,B,Nb,Nb’]+Kes, [A,B,Nb,Nb’]+Kbs
      a.6 B->e(A) : [B,B,Nb,Nb’]+Kes, [B,Nb]+Nb’
      a.7 e(A)->B : Nb+Nb’

  18. Comments
      • There is one complete session and one incomplete session.
      • Which agents do we actually have to implement to find this attack?

  19. One Responder will do: Woo-Lam in the Tool

      responder(A,B,Na,Nb,Kab,Kas,Kbs,[
          recv([A,B]),                          % for origination assumption
          recv([A,Na]),
          send([B,Nb]),
          recv([A,[B,[Na,Nb]]]+Kas),
          send([([A,[B,[Na,Nb]]]+Kas), ([A,[B,[Na,Nb]]]+Kbs) ]),
          recv([([B,[Na,[Nb,Kab]]]+Kas), ([A,[Na,[Nb,Kab]]]+Kbs) ]),
          send([([B,[Na,[Nb,Kab]]]+Kas), ([Na,Nb]+Kab) ]),
          recv(Nb+Kab) ]).

  20. Scenario

      scenario([[b1,Sb1],[b2,Sb2]]) :-
          responder(a,b,Na1,nb1,Kab1,Kas,kbs,Sb1),
          responder(a,b,Na2,nb2,Kab2,Kas,kbs,Sb2).
      initial_intruder_knowledge([a,b,e]).
      has_to_finish([b1]).

      The definition of the responder is sufficient, but we need two responders here.
      If one of the two finishes, there is certainly an attack.
      RULE: if a role can finish when no corresponding role is defined, we are certainly in the presence of an authentication problem.

  21. The Attack Output (after 30s!)
      Trace:
      [b1,recv([a,b])]
      [b1,recv([a,b])]
      [b1,send([b,nb1])]
      [b1,recv([a,[b,[b,nb1]]] + _h97)]
      [b1,send([[a,[b,[b,nb1]]] + _h97,[a,[b,[b,nb1]]] + kbs])]
      [b2,recv([a,b])]
      [b2,recv([a,nb1])]
      [b2,send([b,nb2])]
      [b2,recv([a,[b,[nb1,nb2]]] + _h97)]
      [b2,send([[a,[b,[nb1,nb2]]] + _h97,[a,[b,[nb1,nb2]]] + kbs])]
      [b1,recv([[b,[b,[nb1,nb2]]] + _h97,[a,[b,[nb1,nb2]]] + kbs])]
      [b1,send([[b,[b,[nb1,nb2]]] + _h97,[b,nb1] + nb2])]
      [b1,recv(nb1 + nb2)]

  22. Exercises
      • Explain the attack in the Woo-Lam protocol.
      • Say why it is a type flaw attack.
      • Implement and find the flaw of the Needham-Schroeder with Conventional keys (see Clark-Jacob Survey).
      • Implement and find the flaw of the Yahalom protocol (see Clark-Jacob Survey).
      • Write a small article on how to find security bugs in protocols using the COProVe tool.

  23. Extra: Needham-Schroeder-Lowe Protocol
      1. A->B : [A,Na]*pk(B)
      2. B->A : [Na,Nb,B]*pk(A)
      3. A->B : Nb*pk(B)
      Corrected version of the other one.
      Still contains an (unrealistic) flaw.

  24. Attack upon NSL
      a.1  A->e(B) : [A,Na]*pk(B)
      a.1' e(A)->B : [A,e]*pk(B)
      a.2  B->e(A) : [e,Nb,B]*pk(A)
      b.1  e->A : [e,[Nb,B]]*pk(A)
      b.2  A->e : [[Nb,B],Na’,A]*pk(e)
      Message a.2 is passed as b.1.
      Notice that a.2 has three fields, while b.1 has two.
      It is a type flaw attack. Rather unrealistic.

  25. NSL in the tool

      initiator(A,B,Na,Nb,[
          recv([A,B]),                  % for origination assumption
          send([A,Na]*pk(B)),
          recv([Na,[Nb,B]]*pk(A)),
          send(Nb*pk(B)) ]).

      responder(A,B,Na,Nb,[
          recv([A,Na]*pk(B)),
          send([Na,[Nb,B]]*pk(A)),
          recv(Nb*pk(B)) ]).

      secrecy(N,[recv(N)]).

  26. Scenario

      scenario([[a1,Sa],[a2,Sb],[a3,Sa2],[b1,Sb2],[sec1,St]]) :-
          initiator(a,b,na,Nb,Sa),
          responder(a,b,Na,nb,Sb),
          initiator(A1,B1,na2,Nb2,Sa2),
          responder(A2,B2,Na2,nb2,Sb2),
          secrecy(nb,St).
      initial_intruder_knowledge([a,b,e]).
      has_to_finish([sec1]).

  27. NSL output
      Trace:
      [a1,recv([a,b])]
      [a1,send([a,na] * pk(b))]
      [a2,recv([a,e] * pk(b))]
      [a2,send([e,[nb,b]] * pk(a))]
      [a3,recv([_h414,e])]
      [a3,send([_h414,na2] * pk(e))]
      [a3,recv([na2,[_h416,e]] * pk(_h414))]
      [a3,send(_h416 * pk(e))]
      [b1,recv([e,[nb,b]] * pk(a))]
      [b1,send([[nb,b],[nb2,a]] * pk(e))]
      [a2,recv(nb * pk(b))]
      [b1,recv(nb2 * pk(a))]
      [sec1,recv(nb)]
