An Update on Network Protocol Security. Stanford University, Stanford Computer Forum, 2007. Anupam Datta, John Mitchell.

1 An Update on Network Protocol Security
Stanford University
Stanford Computer Forum, 2007
Anupam Datta, John Mitchell

2 Roadmap
- Network protocol examples
- Are industrial protocols secure?
  - Case studies of industry standards
- Research state-of-the-art
  - Fully automated bug-finding tools
  - Methods for proving absence of bugs
    - Protocol Composition Logic
      - Modular proof-techniques
      - Cryptographic soundness
- Conclusions and Future Work

3 Many Protocols
- Authentication
  - Kerberos
- Key Exchange
  - SSL/TLS handshake, IKE, JFK, IKEv2
- Wireless and mobile computing
  - Mobile IP, WEP, 802.11i, 802.16e, Wi-Fi
- Electronic commerce
  - Contract signing, SET, electronic cash, …

4 802.11i Wireless Authentication
[Diagram: the supplicant starts as UnAuth/UnAssoc (802.1X Blocked, No Key) and ends as Auth/Assoc (802.1X UnBlocked, PTK/GTK), passing through these stages:]
- 802.11 Association
- EAP/802.1X/RADIUS Authentication (MSK)
- 4-Way Handshake
- Group Key Handshake
- Data Communication
Widely used in wireless LANs

5 TLS protocol layer over TCP/IP
[Diagram: protocol stack, top to bottom]
- Application: telnet, http, ftp, nntp
- SSL/TLS
- Transport (TCP)
- Internet (IP)
- Network interface
- Physical layer
Widely used on internet

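6 IKE sub-protocol from IPSEC
[Diagram: message exchange between A and B]
- $A \to B$: $m_1$, where $m_1 = A,\ (g^a \bmod p)$
- $B \to A$: $m_2,\ \mathrm{sign}_B(m_1, m_2)$, where $m_2 = B,\ (g^b \bmod p)$
- $A \to B$: $\mathrm{sign}_A(m_1, m_2)$
Result: A and B share secret $g^{ab} \bmod p$
Used in corporate Virtual Private Networks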

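7 Kerberos Protocol
[Diagram: message exchanges between Client, KAS, TGS and Server]
- Client and KAS: AS-REQ, AS-REP
- Client and TGS: TGS-REQ, TGS-REP
- Client and Server: AP-REQ, AP-REP
Used for network authentication
Running example in this talk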

8 Roadmap
- Network protocol examples
- Are industrial protocols secure?
  - Case studies of industry standards
- Research state-of-the-art
  - Fully automated bug-finding tools
  - Methods for proving absence of bugs
    - Protocol Composition Logic
      - Modular proof-techniques
      - Cryptographic soundness
- Conclusions and Future Work

9 Microsoft Security Bulletin MS05-042
Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing (899587)
Published: August 9, 2005
Affected Software:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Microsoft Windows Server 2003 x64 Edition

10 Kerberos Error
- Formal analysis of Kerberos 5
  - Several steps
    - Detailed core protocol
    - Cross-realm authentication
    - Public-key extensions to Kerberos
- Attack on PKINIT
  - Breaks association of client request and the response
  - Prevents full authentication and confidentiality
- Formal verification of fixes preventing attack
  - Close, ongoing interactions with IETF WG
I. Cervesato, A. D. Jaggard, A. Scedrov, J.-K. Tsay, and C. Walstad

11 Public-Key Kerberos
- Extend basic Kerberos 5 to use PKI
  - Change first round to avoid long-term shared keys
  - Originally motivated by security
    - If KDC is compromised, don’t need to regenerate shared keys
    - Avoid use of password-derived keys
  - Current emphasis on administrative convenience
    - Avoid need to register in advance of using Kerberized services
- This extension is called PKINIT
  - Current version is PKINIT-29
  - Attack found in PKINIT-25; fixed in PKINIT-27
  - Included in Windows and Linux (called Heimdal)
  - Implementation developed by CableLabs (for cable boxes)

12 Attack
[Diagram: message flow between C, I and K]
- $C \to I$: $Cert_C,\ [t_C, n_2]_{skC},\ C,\ T,\ n_1$
- $I \to K$: $Cert_I,\ [t_C, n_2]_{skI},\ I,\ T,\ n_1$
- $K \to I$: $\{[k, n_2]_{skK}\}_{pkI},\ I,\ TGT,\ \{AK, \ldots\}_k$
- $I \to C$: $\{[k, n_2]_{skK}\}_{pkC},\ C,\ TGT,\ \{AK, \ldots\}_k$
Notation:
- Principal P has secret key skP, public key pkP
- $\{msg\}_{key}$ is encryption of msg with key
- $[msg]_{key}$ is signature over msg with key
Outcome:
- I knows fresh keys k and AK
- C receives K’s signature over $k, n_2$ and assumes k, AK, etc., were generated for C (not I)

13 Fix Adopted in pk-init-27
- The KDC signs k, cksum (instead of $k, n_2$)
  - k is replyKey
  - cksum is checksum over AS-REQ
  - Easier to implement than signing $C, k, n_2$
- Formal proof: this guarantees authentication
  - Assume checksum is preimage resistant
  - Assume KDC’s signature keys are secret
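The following is an added example, not code from the slides or from any Kerberos implementation: a symbolic model (perfect crypto, terms as tagged tuples) of the client's check on the reply, comparing the value K signs in PKINIT-25 ($k, n_2$) with the pk-init-27 fix (k, cksum over AS-REQ). All function names, the `("replyKey", "for", X)` tag and the sample values are assumptions made for illustration.

```python
# Added example: symbolic model with perfect crypto; terms are tagged tuples.
# All function names here are assumptions of this sketch.
def sign(who, msg): return ("sig", who, msg)      # [msg]_sk(who)
def penc(who, msg): return ("penc", who, msg)     # {msg}_pk(who)
def cksum(msg): return ("cksum", msg)             # idealized checksum

def as_req(p, tgs, n1, n2, t_c="tC"):
    """Cert_P, [tC, n2]_skP, P, T, n1"""
    return (("cert", p), sign(p, (t_c, n2)), p, tgs, n1)

def kdc_reply(req, fixed):
    """K answers the principal whose certificate and signature it verified."""
    cert, (_, signer, (_, n2)), name, _, _ = req
    assert cert == ("cert", signer) and signer == name
    k = ("replyKey", "for", signer)           # tag records who K made k for
    bound = cksum(req) if fixed else n2       # pk-init-27 vs. PKINIT-25
    return penc(signer, sign("K", (k, bound)))  # TGT and {AK, ...}_k omitted

def relay_via_i(req_c, fixed):
    """Slide 12 flow: I re-signs C's request and re-encrypts K's reply for C."""
    _, (_, _, (t_c, n2)), _, tgs, n1 = req_c
    _, to, signed = kdc_reply(as_req("I", tgs, n1, n2, t_c), fixed)
    assert to == "I"                          # {...}_pkI, so I can open it
    return penc("C", signed)                  # K's signature passes through

def client_accepts(req_c, reply, fixed):
    """C's check on the reply; returns the key C accepts, or None."""
    _, to, (tag, signer, (k, bound)) = reply
    if to != "C" or tag != "sig" or signer != "K":
        return None
    n2 = req_c[1][2][1]
    expected = cksum(req_c) if fixed else n2
    return k if bound == expected else None

if __name__ == "__main__":
    req = as_req("C", "T", "n1", "n2")        # constructed sample request
    for fixed in (False, True):
        print("pk-init-27" if fixed else "PKINIT-25",
              client_accepts(req, kdc_reply(req, fixed), fixed),
              client_accepts(req, relay_via_i(req, fixed), fixed))
```

With the $n_2$ binding the client accepts a key that K generated for I; with the checksum binding the relayed reply fails the comparison because the checksum covers the request K actually received, which names I.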

14 Attacks on Industry Standards
- IKE [Meadows; 1999]
  - Reflection attack; fix adopted by IETF WG
- IEEE 802.11i [He, Mitchell; 2004]
  - DoS attack; fix adopted by IEEE WG
- GDOI [Meadows, Pavlovic; 2004]
  - Composition attack; fix adopted by IETF WG
- Kerberos V5 [Scedrov et al; 2005]
  - Identity misbinding attack; fix adopted by IETF WG; Windows update released by Microsoft
Identified using logical methods

15 Roadmap
- Network protocol examples
- Are industrial protocols secure?
  - Case studies of industry standards
- Security analysis state-of-the-art
  - Fully automated bug-finding tools
  - Methods for proving absence of bugs
    - Protocol Composition Logic
      - Modular proof-techniques
      - Cryptographic soundness
- Conclusions and Future Work

16 Security Analysis Methodology
[Diagram: Protocol, Property and Attacker model feed into an Analysis Tool, which outputs a Security proof or attack]
- Analysis tool: our tool, Protocol Composition Logic (PCL)
- Protocol: Kerberos
- Property: authentication
- Attacker model: complete control over network; perfect crypto
- Security proof: ~40 line axiomatic proof

17 Automated Finite-State Analysis
- Define finite-state system
  - Bound on number of steps
  - Finite number of participants
  - Nondeterministic adversary with finite options
- Pose correctness condition
  - Authentication, secrecy, fairness, abuse-freeness
- Exhaustive search using “verification” tool
  - Error in finite approximation $\Rightarrow$ Error in protocol
  - No error in finite approximation $\Rightarrow$ ???
- Example
  - SSL analysis with 3 clients and 2 servers

18 Bug-finding Tools and Case Studies
- Murphi model-checking of protocols
  - Generic model-checker developed by David Dill’s group at Stanford
  - Method for security protocol analysis developed by Mitchell, Shmatikov et al (1997-)
  - Many case studies including SSL, 802.11i
  - Tool and case studies available at http://cs259.stanford.edu
- Many other fully automated tools
  - AVISPA project, SRI constraint solver, …
- Ready for industrial use

19 Roadmap
- Network protocol examples
- Are industrial protocols secure?
  - Case studies of industry standards
- Security analysis state-of-the-art
  - Fully automated bug-finding tools
  - Methods for proving absence of bugs
    - Protocol Composition Logic
      - Modular proof-techniques
      - Cryptographic soundness
- Conclusions and Future Work

20 Proving Security of Protocols
- Cryptographic reductions
  - More realistic model involving probabilistic polynomial time attackers
  - Difficult to scale to industrial protocols
- Symbolic methods and proof tools
  - NRL Protocol Analyzer, Paulson’s Inductive Method, Process calculi, Specialized protocol logics, MSR (see http://cs259.stanford.edu)
  - 2 challenges:
    - Scale to industrial protocols: modular analysis desired
    - Use cryptographic model instead of idealized symbolic model
  - Progress on challenges in last 5 years

21 Our Result
- Protocol Composition Logic (PCL):
  - Unbounded number of sessions (vs. model-checking)
  - Short high-level proofs: 2-3 pages
  - Sound wrt
    - symbolic model
    - computational cryptography model
  - Modular proof techniques
[DMP01, DDMP03, …, RDDM06]
Focus today

22 PCL Results: Industrial Protocols
- IEEE 802.11i [IEEE Standards; 2004] [HSDDM05]
- TLS/SSL [RFC 2246] is a component (Attack using model-checking; fix adopted by WG)
- GDOI Secure Group Communication [RFC 3547] [MP04] (Attack using PCL; fix adopted by IETF WG)
- Kerberos V5 [IETF ID; 2004] [CMP05, RDDM06]
- Mobile IPv6 [RFC 3775] in progress [RDM06]
- IKE/JFK family
- IKEv2 [IETF ID; 2004] in progress [RDM06]
Except Kerberos, results currently apply only to symbolic model

23 Kerberos Stage 1 Programs
[Diagram: messages between C and KAS]
- C to KAS: C, T, n
- KAS to C: {AKey, n, T}K_CK, {AKey, C}K_AT

Client1 = (C, K, T)[
  new n;
  send C, K, {C, T, n};
  receive K, C, {AKey, n, T}K_CK, TGT
]

KAS = (K)[
  receive C, K, {C, T, n};
  new AKey;
  send K, C, {AKey, n, T}K_CK, {AKey, C}K_AT
]

A protocol is a set of programs, one for each role

24 PCL: Syntax
- Action formulas
  a ::= Send(P,t) | Receive(P,t) | …
- Formulas
  $\varphi$ ::= a | Indist(P,t) | GoodKeyAgainst(X, k) | Honest(N) | $\neg\varphi$ | $\varphi_1 \wedge \varphi_2$ | $\exists x\, \varphi$ | a < a | …
- Modal formula
  $\varphi$ [ actions ]$_P$ $\varphi$
- Examples
  - secret indistinguishable from random
    - $(X \neq A \wedge X \neq B) \Rightarrow$ Indist(X, secret)
Specifying secrecy

25 Kerberos Stage 1 Property
- Client guarantee
  true [ Client1(C, T, K) ]$_C$ Honest(C, T, K) $\Rightarrow$ (GoodKeyAgainst(X, AKey) $\vee$ $X \in \{C, T, K\}$)
- Key usable for encryption

26 Complexity-theoretic semantics
- $Q \models \varphi$ if $\forall$ adversary $A$ $\forall$ distinguisher $D$ $\exists$ negligible function $f$ $\exists n_0$ $\forall n > n_0$ s.t.
  $|[\![\varphi]\!](T, D, f(n))| \,/\, |T| > 1 - f(n)$
[Diagram: the set $[\![\varphi]\!](T,D,f)$ drawn inside the trace set $T(Q,A,n)$]
Fraction represents probability
- Fix protocol Q, PPT adversary A
- Choose value of security parameter n
- Vary random bits used by all programs
- Obtain set T = T(Q,A,n) of equi-probable traces
[DDMST05]

27 PCL: Proof System
- Property of signature:
  Honest(X) $\wedge$ Verifies(Y, m, X) $\Rightarrow$ Signed(X, m)
- Soundness proof:
- Assume axiom not valid:
  $\exists A$ $\exists D$ $\forall$ negligible $f$ $\forall n_0$ $\exists n > n_0$ s.t. $|[\![\varphi]\!](T, D, f(n))| \,/\, |T| < 1 - f(n)$
- Construct attacker A’ that uses A, D to break CMA-secure signature scheme
- Standard cryptographic reduction
[DDMST05, DDMW06]

28 Inductive Secrecy
[Diagram: an adversary observing the steps “Generate s”, “Enc with $k_0$”, “Dec with $k_1$”, “Enc with $k_2$”, “Dec with $k'$”]
- Pick a nonce s and set of keys $K = \{k_0, k_1, k_2\}$
- Terms explicitly containing s are encrypted by a key in K before sending out.
- New terms obtained through decryption by a key in K are re-encrypted by a key in K before sending out by an honest principal.
Secretive(s, K)
[RDDM06]
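A sketch of the two Secretive(s, K) rules as a check over an honest principal's symbolic actions, applied to the Kerberos stage 1 terms from slide 23. This is an added example, not the definition from [RDDM06]: the trace format, the function names, the key name `K_other` and the conservative choice to track every atom learned by decrypting under K are assumptions of this sketch.

```python
# Added example: terms are atoms (str) or tuples; ("enc", key, body) is an
# encryption. Function names and the trace format are assumptions.
def enc(key, *body):
    return ("enc", key, body)

def atoms(term):
    """Atoms in a term's plaintext, looking through encryptions."""
    if not isinstance(term, tuple):
        return {term}
    parts = term[2] if term[:1] == ("enc",) else term
    return set().union(*(atoms(t) for t in parts))

def exposed(term, sensitive, good_keys):
    """True if a sensitive atom occurs outside every encryption under K."""
    if not isinstance(term, tuple):
        return term in sensitive
    if term[:1] == ("enc",):
        return term[1] not in good_keys and exposed(term[2], sensitive, good_keys)
    return any(exposed(t, sensitive, good_keys) for t in term)

def secretive(trace, s, good_keys):
    """Check an honest principal's actions against the two rules of slide 28."""
    sensitive = {s}
    for action, term in trace:
        if action == "dec" and term[1] in good_keys:
            sensitive |= atoms(term)       # everything learned under K is tracked
        elif action == "send" and exposed(term, sensitive, good_keys):
            return False
    return True

GOOD_KEYS = {"K_CK", "K_AT"}
# Constructed traces: the KAS send from slide 23, then three client variants.
KAS_SEND = [("send", ("K", "C", enc("K_CK", "AKey", "n", "T"),
                      enc("K_AT", "AKey", "C")))]
REWRAP = [("dec", enc("K_CK", "AKey", "n", "T")),
          ("send", ("C", enc("K_AT", "AKey")))]
LEAK = [("dec", enc("K_CK", "AKey", "n", "T")),
        ("send", ("C", enc("K_other", "AKey")))]   # K_other is not in K
CLEAR = [("dec", enc("K_CK", "AKey", "n", "T")), ("send", ("n",))]
```

`KAS_SEND` and `REWRAP` satisfy the check; `LEAK` breaks the first rule and `CLEAR` breaks the second, since `n` was obtained by decryption under a key in K and is then sent unprotected.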

29 Inductive Secrecy $\Rightarrow$ “Good” Keys
- Secrecy axiom
  Secretive(s, K) $\wedge$ GoodInit(s, K) $\Rightarrow$ GoodKeyFor(s, K)
- Read
  If
  - protocol is “secretive”
  - nonce-generator is honest
  - key-holders are honest
  then
  - the key generated from the nonce is a “good” key (usable for encryption)
- Soundness proof is by reduction to a multi-party IND-CCA game [BBM00]
- One-time effort

30 CPCL analysis of Kerberos V5
- Kerberos has a staged architecture
  - First stage generates a nonce and sends it encrypted
  - Second stage uses this nonce as a key to encrypt another nonce.
  - Third stage uses the nonce exchanged in the second stage to encrypt other terms
- We prove “GoodKey”-ness of both the nonces assuming encryption scheme is IND-CCA
- Authentication properties proved assuming encryption scheme is INT-CTXT secure
- Modular proofs (including PKINIT) using composition theorems
- Result by Boldyreva et al showing that encryption scheme provides required properties

31 Logic and Cryptography: Big Picture
[Diagram with the following labelled elements:]
- Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
- Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)
- Axiom in proof system
- Protocol security proofs using proof system
- Semantics and soundness theorem

32 Conclusions
- Practical protocols may contain errors
  - Automated methods find bugs that humans overlook
- Variety of tools
  - Model checking can find errors
  - Proof method can show correctness
    - with respect to specific model of execution and attack
- Modular analysis is a challenge
- Closing gap between logical analysis and cryptography
  - Symbolic model supports useful analysis
    - Tools, case studies, high-level proofs
  - Computational model more informative
    - Includes probability, complexity
    - Does not require strong cryptographic assumptions
    - More accurately reflects realistic attack
  - Two approaches can be combined
    - Several current projects and approaches [BPW, MW, Blan, CH, …]
    - One example: computational semantics for symbolic protocol logic
- Research area coming of age
  - Interactions with and impact on industry

33 Thanks! Questions?

