1 / 23

Security Protocols Analysis

Security Protocols Analysis. Reading. This Class: Modelling and Analysis of Security Protocols: chapters 0.9-0.12 C. Meadows: Formal Methods for Cryptographic Protocol Analysis: Emerging Issues and Trends, http://citeseer.ist.psu.edu/meadows03formal.html Next class:

teegan-cunningham
Télécharger la présentation

Security Protocols Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security ProtocolsAnalysis

  2. Reading • This Class: • Modelling and Analysis of Security Protocols: chapters 0.9-0.12 • C. Meadows: Formal Methods for Cryptographic Protocol Analysis: Emerging Issues and Trends, http://citeseer.ist.psu.edu/meadows03formal.html • Next class: • Modelling and Analysis of Security Protocols: chapter 1 Internet Security - Farkas

  3. What is Protocol Analysis • Cryptographic Protocols • Attackers’ capabilities • Security? • Hostile environment • Vulnerabilities • Weakness of cryptography • Incorrect specifications Internet Security - Farkas

  4. Cryptographic Protocols • Two or more parties • Communication over insecure network • Cryptography used to achieve goal • Exchange secret keys • Verify identity (authentication) • Secure transaction processing Internet Security - Farkas

  5. Emerging Properties of Protocols • Greater interoperation • Negotiation of policy • Greater complexity • Group-oriented protocols • Emerging security threats Internet Security - Farkas

  6. Attackers’ Capabilities • Read traffic • Modify traffic • Delete traffic • Perform cryptographic operations • Control over network principals Internet Security - Farkas

  7. Attacks • Known attacks • Can be picked up by careful inspection • Nonintuitive attacks • Not easily apparent • May not depend on flaws or weaknesses of cryptographic algs. • Use variety of methods, e.g., statistical analysis, subtle properties of crypto algs., etc. Internet Security - Farkas

  8. Formal Methods • Combination of a mathematical or logical model of a system and its requirements and • Effective procedures for determining whether a proof that a system satisfies its requirements is correct. Can be automated! Internet Security - Farkas

  9. Example: Needham-Schroeder • Famous simple example (page 30-31) • Protocol published and known for 10 years • Gavin Lowe discovered unintended property while preparing formal analysis using FDR system • Subsequently rediscovered by every analysis method From: J. Mitchell Internet Security - Farkas

  10. Needham-Schroeder Crypto • Nonces • Fresh, Random numbers • Public-key cryptography • Every agent A has • Public encryption key Ka • Private decryption key Ka-1 • Main properties • Everyone can encrypt message to A • Only A can decrypt these messages From: J. Mitchell Internet Security - Farkas

  11. Needham-Schroeder Key Exchange {A, NonceA} {NonceA, NonceB } { NonceB} Kb A B Ka Kb On execution of the protocol, A and B are guaranteed mutual authentication and secrecy. From: J. Mitchell Internet Security - Farkas

  12. Needham Schroeder properties • Responder correctly authenticated • When initiator A completes the protocol apparently with Honest responder B, it must be that B thinks he ran the protocol with A • Initiator correctly authenticated • When responder B completes the protocol apparently with Honest initiator A, it must be that A thinks she ran the protocol with B • Initiator Nonce secrecy • When honest initiator completes the protocol with honest peer, intruder does not know initiators nonce. Internet Security - Farkas From: J. Mitchell

  13. [Lowe] Anomaly in Needham-Schroeder { A, NA } Ke A E { NA, NB } Ka { NB } Ke { A, NA } { NA, NB } Evil agent E tricks honest A into revealing private key NB from B Kb Ka B Evil E can then fool B Internet Security - Farkas From: J. Mitchell

  14. Requirements and Properties • Authentication • Authentication, Secrecy • Trading • Fairness • Special applications (e.g., voting) • Anonymity and Accountability Internet Security - Farkas

  15. Security Analysis • Understand system requirements • Model • System • Attacker • Evaluate security properties • Under normal operation (no attacker) • In the presence of attacker • Security results: under given assumptions about system and about the capabilities of the attackers. Internet Security - Farkas

  16. Explicit intruder model Informal Protocol Description Formal Protocol Intruder Model Analysis Tool Find error From: J. Mitchell Internet Security - Farkas

  17. Hand proofs  High    Poly-time calculus Symbolic methods (MSR) Spi-calculus  Sophistication of attacks Athena  Paulson    NRL  Bolignano BAN logic   Low Model checking Protocol logic   FDR Murj Low High Protocol complexity Protocol Analysis Spectrum From: J. Mitchell Internet Security - Farkas

  18. Analysis of Discrete Systems • Properties of discrete systems • Requirements • Attackers • Attack: sequence of finite set of operations • Evaluate different paths an attacker may take • State the environmental assumptions precisely Internet Security - Farkas

  19. First Analysis Method • Dolev-Yao • Set of polynomial-time algorithms for deciding security of a restricted class of protocols • First to develop formal model of environment in which • Multiple executions of the protocol can be running concurrently • Cryptographic algorithms considered as “black boxes” • Includes intrudes model • Tools based on Dolev-Yao • NRL protocol analyzer • Longley-Rigby tool Internet Security - Farkas

  20. Model checking • Two components • Finite state system • Specification of properties • Exhaustive search the state space to determine security Internet Security - Farkas

  21. Theorem Prover • Theorems: properties of protocols • Prove or check proofs automatically • Could find flaws not detected by manual analysis • Do not give counterexamples like the model checkers Internet Security - Farkas

  22. Logic • Burrows, Abadi, and Needham (BAN) logic • Logic of belief • Set of modal operators: describing the relationship of principal to data • Set of possible beliefs • Inference rules • Seems to be promising but weaker than state exploration tools and theorem proving (higher level abstraction) Internet Security - Farkas

  23. Next weekCSP

More Related