15-349 Introduction to Computer and Network Security, Iliano Cervesato, 14 September 2008: Attacking Cryptographic Protocols (presentation transcript)


Slide 2: Where we are
- Course intro
- Cryptography
  - Intro to crypto
  - Modern crypto
  - Symmetric encryption
  - Asymmetric encryption
  - Beyond encryption
  - Cryptographic protocols
  - Attacking protocols (this lecture)
- Program/OS security & trust
- Networks security
- Beyond technology

Slide 3: Outline
- What an attacker can do
  - The Dolev-Yao model
  - The computational model
- Attacks
  - Man-in-the-middle attacks
  - Replay attacks
  - Type-flaw attacks
  - Other common attacks
- Getting protocols right
  - Design principles
  - Formal verification

"Cryptography is not broken, it is circumvented" [Shamir]

Slide 4: Attacks
Almost all previous protocols have flaws!
- Intruder can break secrecy of the channel
- Intruder can break authentication

Slide 5: Lowe's Attack on NS-PK
(Exchanges with S have been omitted)

NS-PK [3-5]:
  A → B: {A, n_A}k_B
  B → A: {n_A, n_B}k_A
  A → B: {n_B}k_B

Public data: k_A, k_B, k_I

Attack (I is a legitimate principal that A chooses to talk to):
  A → I: {A, n_A}k_I
  I → B: {A, n_A}k_B        (I re-encrypts A's message and impersonates A)
  B → A: {n_A, n_B}k_A      (I forwards B's reply to A unchanged)
  A → I: {n_B}k_I           (A answers the principal she thinks she is talking to)
  I → B: {n_B}k_B           (I now knows n_B and completes B's run)

Attack discovered 17 years after the protocol was published.

Slide 6: Man-In-The-Middle Attack

First scenario:
- A wants to talk to B
- I has replaced k_B with k_I in S's database
- I acts as a key translator
- In the end:
  - A thinks she is talking to B, but she is talking to I
  - B thinks he is talking to A, but he is talking to I

Second scenario:
- A really wants to talk to I
- I cheats and acts as key translator
- In the end:
  - A knows she is talking to I
  - B thinks he is talking to A, but he is talking to I

Slide 7: What happened?
- Protocol assumptions were not specified
  - Intruder is (also) a principal
  - What are the intruder's capabilities anyway?
  - Initial knowledge of principals
  - Meaning of notation
  - Who can access what? How?
- Protocol goals were not specified
  - Failure of mutual authentication...
  - ...but A has authenticated I
- Many people do not agree that this is an attack!

Slide 8: Protocol Specifications
Describe what the protocol does
- For doing implementation
- For doing verification

3 aspects:
- Assumptions
  - Initial knowledge
  - Maintained state
  - Environment
  - Intruder
- Messages exchanged
- Goals

[Figure: a specification consists of assumptions, message exchange, and goals]

Slide 9: The Dolev-Yao Intruder
Idealized attacker model
- Attacker has full control of the network
  - Intercept / emit messages
  - Decrypt / encrypt with known key
  - Split / form pairs
  - Look up public information
  - Generate fresh data
- Not fully realistic but convenient

Slide 10: The Computational Attacker
- Messages are sequences of bits
- Account for cryptographic primitives
- Statistical analysis...
- ...in polynomial time
- Attacker modeled as a probabilistic polynomial-time Turing machine
- Shown to be equivalent to the Dolev-Yao attacker in many cases

Slide 11: Lowe's Fix to NS-PK
  A → B: {A, n_A}k_B
  B → A: {n_A, n_B, B}k_A
  A → B: {n_B}k_B

Public data: k_A, k_B

Goals:
- Mutual authentication
- Freshness of nonces
- Secrecy of nonces

Assumptions:
- Dolev-Yao intruder
- I is a principal
- Principals know public data
- Public data is correct
- Private keys uncompromised
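As an added example (not part of the lecture slides), a symbolic Dolev-Yao re-enactment in Python of Lowe's attack from slide 5 and of the fix above: the same intruder script is run once against NS-PK and once against NSL, and the only difference is whether message 2 carries the responder's name. The principal names, nonces and the `lowe_fix` switch are constructed for this illustration.

```python
# Dolev-Yao terms: {payload}key is opaque and opens only for the key's owner.
def enc(key, *payload):                   # key is "k" + owner, e.g. "kB"
    return ("enc", key, payload)

def dec(owner, term):                     # perfect cryptography: no guessing
    kind, key, payload = term
    if kind != "enc" or key != "k" + owner:
        raise ValueError(f"{owner} cannot open a term encrypted under {key}")
    return payload

class Initiator:
    def __init__(self, name, peer, nonce, lowe_fix):
        self.name, self.peer, self.nonce, self.lowe_fix = name, peer, nonce, lowe_fix
    def msg1(self):                       # A -> peer : {A, nA}k_peer
        return enc("k" + self.peer, self.name, self.nonce)
    def msg3(self, m2):                   # expects {nA, nB}kA  or  {nA, nB, peer}kA
        payload = dec(self.name, m2)
        if self.lowe_fix:
            na, nb, responder = payload
            if responder != self.peer:    # the fix: message 2 must name the peer
                raise ValueError(f"{self.name}: {responder} answered, not {self.peer}")
        else:
            na, nb = payload
        if na != self.nonce:
            raise ValueError("nonce does not belong to this run")
        return enc("k" + self.peer, nb)   # A -> peer : {nB}k_peer

class Responder:
    def __init__(self, name, nonce, lowe_fix):
        self.name, self.nonce, self.lowe_fix, self.believes_peer = name, nonce, lowe_fix, None
    def msg2(self, m1):                   # B -> claimed sender : {nA, nB[, B]}k_sender
        sender, na = dec(self.name, m1)
        self.believes_peer = sender
        fields = (na, self.nonce, self.name) if self.lowe_fix else (na, self.nonce)
        return enc("k" + sender, *fields)
    def accept(self, m3):                 # B authenticates the peer iff his nB comes back
        (nb,) = dec(self.name, m3)
        return nb == self.nonce

def lowe_attack(lowe_fix):
    """A willingly talks to I; I replays A's messages to B in A's name; True iff B is fooled."""
    A, B = Initiator("A", "I", "nA", lowe_fix), Responder("B", "nB", lowe_fix)
    _, na = dec("I", A.msg1())            # I opens {A, nA}kI
    m2 = B.msg2(enc("kB", "A", na))       # I -> B : {A, nA}kB ; B answers under kA
    try:
        m3 = A.msg3(m2)                   # I forwards B's reply to A unchanged
    except ValueError:
        return False                      # NSL: A sees B's name where I's should be
    (nb,) = dec("I", m3)                  # {nB}kI : I learns nB
    return B.accept(enc("kB", nb)) and B.believes_peer == "A"
```

`lowe_attack(False)` returns True (B believes he authenticated A under NS-PK) while `lowe_attack(True)` returns False, because A's check on the name in message 2 aborts the run before n_B ever reaches I.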

Slide 12: Millen's Attack on NSL

Needham-Schroeder-Lowe:
  A → B: {A, n_A}k_B
  B → A: {n_A, n_B, B}k_A
  A → B: {n_B}k_B

Attack ("unlikely type violation"):
  I → B: {A, I}k_B              Confusion 1 (name/nonce): B takes the name I as A's nonce
  B → A: {I, n_B, B}k_A         Confusion 2 (pair/nonce): A takes this as message 1 from I, with (n_B, B) as I's nonce
  A → I: {n_B, B, n_A, A}k_I    A answers I as a responder would, leaking n_B to I
  I → B: {n_B}k_B

B is fooled!

Slide 13: Type-Flaw Attacks
- Functionalities seen as "types"
  - Names
  - Nonces
  - Keys, ...
- Violation
  - Recipient accepts message as valid...
  - ...but imposes a different interpretation on the bit sequence than the sender
- Type flaw/confusion attack
  - Intruder manipulates message
  - Principal led to misuse data

Slide 14: The Dolev-Yao Model of Security
An abstraction for reasoning about protocols
- Not to be confused with the Dolev-Yao intruder... although related
- Data are atomic constants
  - No bits
  - Subject to symbolic manipulations
- Tension between type violations and Dolev-Yao model

[Figure: the symbolic key k_A contrasted with its bit-string representation 01001011010...]

Slide 15: The Dolev-Yao Model of Security
- Symbolic data
  - No bits
  - No guessing of keys
- Black-box cryptography
- Partially abstract data access ("knowledge soup")
- Found in most protocol analysis tools (tractability)

[Figure: the symbolic key k_A vs. the bit string 01001011010...; the "knowledge soup" of principals A and S and keys k_A, k_B]

Slide 16: Perfect Cryptography
- k^-1 is needed to decrypt {m}k
  - k^-1 is just k for shared-key ciphers
- No collisions
  - {m_1}k_A = {m_2}k_B iff m_1 = m_2 and k_A = k_B
  - {m}k = n never
  - {m}k = (m_1, m_2) never
- Relaxed to handle type violations

Slide 17: Some Other Common Attacks
- Freshness
  - I forces stale data in challenge-response
- Parallel session
  - I combines messages from different sessions
- Binding
  - I subverts the public database
- Encapsulation
  - I uses another principal for encryption or decryption
- Cipher-dependent
  - I exploits properties of the cryptographic algorithms used
- ...and many more

Slide 18: Freshness Attacks

Needham-Schroeder Shared-Key:
  A → S: A, B, n_A
  S → A: {n_A, B, k_AB, {k_AB, A}k_BS}k_AS
  A → B: {k_AB, A}k_BS
  B → A: {n_B}k_AB
  A → B: {n_B - 1}k_AB

- I records the exchange and has discovered k_AB (from a normal run)
- I replays messages in a subsequent run:
  I → B: {k_AB, A}k_BS
  B → A: {n'_B}k_AB        (intercepted by I)
  I → B: {n'_B - 1}k_AB
- k_AB is not fresh, but B does not know
- Next messages over k_AB are known to I

Slide 19: Parallel Session Attacks
- I combines messages from 2 sessions

Neuman-Stubblebine, phase II:
  A → B: n'_A, T
  B → A: n'_B, {n'_A}k_AB
  A → B: {n'_B}k_AB
  where T = {A, k_AB, t_B}k_BS

Attack (I speaks in A's name in both sessions):
  Session 1:  I → B: n'_A, T
  Session 1:  B → A: n'_B, {n'_A}k_AB        (intercepted by I)
  Session 2:  I → B: n'_B, T                  (B's own nonce replayed as a challenge)
  Session 2:  B → A: n''_B, {n'_B}k_AB        (B answers his own challenge for I)
  Session 1:  I → B: {n'_B}k_AB

- B thinks he has authenticated A
- A has not even participated

Slide 20: Binding Attacks
- I overwrites replies from the CA
- I may also overwrite public tables

Protocol ([x]k'_S denotes x signed with S's private key k'_S):
  A → S: A, B, n_A
  S → A: S, [S, A, n_A, k_B]k'_S

Attack:
  A → S: A, B, n_A                  (intercepted by I)
  I → S: A, I, n_A
  S → A: S, [S, A, n_A, k_I]k'_S    (I lets this reach A)

- I convinces A that B's public key is k_I

Slide 21: Encapsulation Attacks
- I uses other principals as cryptographic oracles

Davis-Swick:
  A → B: {B, m}k_AS
  B → S: {B, m}k_AS, A
  S → B: {m, A}k_BS

Attack:
  I → B: {B, (A, m)}k_IS
  B → S: {B, (A, m)}k_IS, I
  S → B: {(A, m), I}k_BS          (intercepted by I; the same term reads as {A, (m, I)}k_BS)
  I → S: {A, (m, I)}k_BS, B       (I presents it as a message from B to A)
  S → A: {(m, I), B}k_AS

- A believes message (m, I) comes from B
- m may include key material

Slide 22: Cipher-Based Attacks
- I exploits the particular cipher in use
- I exploits the implementation of the cipher

Needham-Schroeder Shared-Key:
  A → S: A, B, n_A
  S → A: {n_A, B, k_AB, {k_AB, A}k_BS}k_AS
  A → B: {k_AB, A}k_BS
  B → A: {n_B}k_AB
  A → B: {n_B - 1}k_AB

Attack on a CBC implementation:
  A → S: A, B, n_A
  S → A: {n_A, B, k_AB, {k_AB, A}k_BS}k_AS    (intercepted by I)
  I → A: {n_A, B}k_AS                         (truncated ciphertext)
  ...
- A prefix of a CBC ciphertext is itself a valid ciphertext

Here also:
- Parallel session
- Type flaw

Slide 23: Black-Box Cryptography
Another aspect of the Dolev-Yao model
- No first-class notion of ciphertext
  - {m}k is a term
  - m is accessible in {m}k only if k is known
  - No guessing of bits
- Bridging the gap between cryptographic algorithms and the Dolev-Yao model
  - Several proposals, no definite solution
  - Not covered in this course
- Most attacks are independent of the details of the cryptography

Slide 24: Further Issues
- Mixing protocols
  - Protocols may appear safe in isolation...
  - ...but have nasty interactions when mixed
  - Several protocols coexist in a system
- Composing protocols
  - In parallel
  - In sequence
- Modularity would help
  - Little composability

Slide 25: Getting Protocols Right
- Testing
  - Not a solution!
  - Assumes a statistical distribution of errors
  - Security is about the worst-case scenario
- Formal verification
  - Lots of progress in the past 10 years
  - Dolev-Yao verification of industrial protocols
  - Computational verification of simple protocols
- Attack-free construction
  - Rules of thumb
  - Formal criteria
  - A few automated tools

Slide 26: Design Principles [Abadi, Needham]
- Aimed at
  - Avoiding many mistakes
  - Simplifying protocols
  - Simplifying formal analysis
- Tested on many published examples
- Works beyond authentication
- Attempted
  - Formalizations
  - Automations

Slide 27: "Prudent Engineering Practice"
- Every message should say what it means
  - Include the identity of the principal if important for the meaning
  - See Needham-Schroeder Public Key
- Be clear as to why encryption is being done
  - Encryption is not synonymous with security
  - Double encryption is no cause for optimism
- Be clear about
  - the trust relations the protocol depends on
  - the properties assumed about nonces
    - Good for freshness, not always for association
- A principal may not know the contents of encrypted material he signed
- ...and a few more

Slide 28: In Summary [Abadi]
- Be explicit
  - Include sufficient proof of freshness
  - Include sufficient names
  - Do not count on context
- Use evident classifications
  - Do not send secret data on public channels
  - Distinguish secret inputs from public inputs
  - Secrets should be strong enough for the data they protect
- Do not expect attackers to obey rules
- Cryptography does not imply security

Slide 29: Fail-Stop Protocols [Syverson]
Tampering with any message causes the protocol to abort
- No further message sent
- Authentication is automatic
- An active attacker cannot force a secret to be released
- Extensible fail-stop protocols
  - If appending a message always yields a fail-stop protocol
  - Immune from replay
  - Closed w.r.t. sequential and parallel composition

Slide 30: Constructing a Fail-Stop Protocol
- Each message contains a header with
  - Identity of sender and receiver
  - Protocol identifier
  - Sequence number
  - Freshness identifier
- Each message is encrypted with the shared key between sender and recipient
- Honest principals
  - Follow the protocol
  - Ignore unexpected messages
  - Halt if the expected message does not arrive in time

