Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Analysis of Network Protocols TECS Week Reference: John Mitchell Stanford 2005.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Analysis of Network Protocols TECS Week Reference: John Mitchell Stanford 2005."— Presentation transcript:

1 Security Analysis of Network Protocols TECS Week Reference: http://www.stanford.edu/class/cs259/ John Mitchell Stanford 2005

2 Computer Security uCryptography Encryption, signatures, cryptographic hash, … uSecurity mechanisms Access control policy Network protocols uImplementation Cryptographic library Code implementing mechanisms –Reference monitor and TCB –Protocol Runs under OS, uses program library, network protocol stack Analyze protocols, assuming crypto, implementation, OS correct

3 Cryptographic Protocols uTwo or more parties uCommunication over insecure network uCryptography used to achieve goal Exchange secret keys Verify identity (authentication) JR Rao: Public-key encryption, symmetric-key encryption, CBC, hash, signature, key generation, random-number generators

4 Correctness vs Security uProgram or System Correctness Program satisfies specification –For reasonable input, get reasonable output uProgram or System Security Program properties preserved in face of attack –For unreasonable input, output not completely disastrous uMain differences Active interference from adversary Refinement techniques may fail –More functionality can be worse

5 Security Analysis uModel system uModel adversary uIdentify security properties uSee if properties are preserved under attack uResult No “absolute security” Security means: under given assumptions about system, no attack of a certain form will destroy specified properties.

6 Important Modeling Decisions uHow powerful is the adversary? Simple replay of previous messages Block messages; Decompose, reassemble and resend Statistical analysis, partial info from network traffic Timing attacks uHow much detail in underlying data types? Plaintext, ciphertext and keys –atomic data or bit sequences Encryption and hash functions –“perfect” cryptography –algebraic properties: encr(x*y) = encr(x) * encr(y) for RSA encrypt(k,msg) = msg k mod N

7 Protocol analysis spectrum LowHigh Low Modeling detail Protocol complexity Mur  FDR  NRL  Athena  Hand proofs  Paulson  Strand spaces  BAN logic  Spi-calculus  Poly-time calculus   Model checking Multiset rewriting with   Protocol logic  

8 Four “Stanford” approaches uFinite-state analysis Case studies: find errors, debug specifications uSymbolic execution model: Multiset rewriting Identify basic assumptions Study optimizations, prove correctness Complexity results uProcess calculus with probability and complexity More realistic intruder model Interaction between protocol and cryptography Equational specification and reasoning methods uProtocol logic Axiomatic system for modular proofs of protocol properties SRI, U Penn, U Texas, Kiel, INRIA, …

9 Some other projects and tools uExhaustive finite-state analysis FDR, based on CSP [Lowe, Roscoe, Schneider, …] uSearch using symbolic representation of states Meadows: NRL Analyzer, Millen: Interrogator uProve protocol correct Paulson’s “Inductive method”, others in HOL, PVS, … MITRE -- Strand spaces Process calculus approach: Abadi-Gordon spi- calculus, applied pi-calculus, … Type-checking method: Gordon and Jeffreys, … Many more – this is just a small sample

10 Example: Needham-Schroeder uFamous simple example Protocol published and known for 10 years Gavin Lowe discovered unintended property while preparing formal analysis using FDR system uBackground: Public-key cryptography Every agent A has –Public encryption key Ka –Private decryption key Ka -1 Main properties –Everyone can encrypt message to A –Only A can decrypt these messages

11 Needham-Schroeder Key Exchange { A, NonceA } { NonceA, NonceB } { NonceB} Ka Kb Result: A and B share two private numbers not known to any observer without Ka -1, Kb -1 AB Kb

12 Anomaly in Needham-Schroeder AE B { A, NA } { NA, NB } { NB } Ke Kb Ka Ke Evil agent E tricks honest A into revealing private key NB from B Evil E can then fool B [Lowe]

13 Explicit Intruder Method Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Find error

14 Run of protocol A B Initiate Respond C D Correct if no security violation in any run Attacker

15 Automated Finite-State Analysis uDefine finite-state system Bound on number of steps Finite number of participants Nondeterministic adversary with finite options uPose correctness condition Can be simple: authentication and secrecy Can be complex: contract signing uExhaustive search using “verification” tool Error in finite approximation  Error in protocol No error in finite approximation  ???

16 Finite-state methods uTwo sources of infinite behavior Many instances of participants, multiple runs Message space or data space may be infinite uFinite approximation Assume finite participants –Example: 2 clients, 2 servers Assume finite message space –Represent random numbers by r1, r2, r3, … –Do not allow unbounded encrypt(encrypt(encrypt(…)))

17 Mur j [Dill et al.] uDescribe finite-state system State variables with initial values Transition rules Communication by shared variables uScalable: choose system size parameters uAutomatic exhaustive state enumeration Space limit: hash table to avoid repeating states uResearch and industrial protocol verification

18 Applying Mur j to security protocols uFormulate protocol uAdd adversary Control over “network” (shared variables) Possible actions –Intercept any message –Remember parts of messages –Generate new messages, using observed data and initial knowledge (e.g. public keys)

19 Needham-Schroeder in Mur j (1) const NumInitiators: 1; -- number of initiators NumResponders: 1; -- number of responders NumIntruders: 1; -- number of intruders NetworkSize: 1; -- max. outstanding msgs in network MaxKnowledge: 10; -- number msgs intruder can remember type InitiatorId: scalarset (NumInitiators); ResponderId: scalarset (NumResponders); IntruderId: scalarset (NumIntruders); AgentId: union {InitiatorId, ResponderId, IntruderId};

20 Needham-Schroeder in Mur j (2) MessageType : enum { -- types of messages M_NonceAddress, -- {Na, A}Kb nonce and addr M_NonceNonce, -- {Na,Nb}Ka two nonces M_Nonce -- {Nb}Kb one nonce }; Message : record source: AgentId; -- source of message dest: AgentId; -- intended destination of msg key: AgentId; -- key used for encryption mType: MessageType; -- type of message nonce1: AgentId; -- nonce1 nonce2: AgentId; -- nonce2 OR sender id OR empty end;

21 Needham-Schroeder in Mur j (3) -- intruder i sends recorded message ruleset i: IntruderId do -- arbitrary choice of choose j: int[i].messages do -- recorded message ruleset k: AgentId do -- destination rule "intruder sends recorded message" !ismember(k, IntruderId) & -- not to intruders multisetcount (l:net, true) < NetworkSize ==> var outM: Message; begin outM := int[i].messages[j]; outM.source := i; outM.dest := k; multisetadd (outM,net); end; end;

22 Adversary Model uFormalize “knowledge” initial data observed message fields results of simple computations uOptimization only generate messages that others read time-consuming to hand simplify uPossibility: automatic generation

23 Run of Needham-Schroeder uFind error after 1.7 seconds exploration uOutput: trace leading to error state  Mur j times after correcting error:

24

25 Limitations uSystem size with current methods 2-6 participants Kerberos: 2 clients, 2 servers, 1 KDC, 1 TGS 3-6 steps in protocol May need to optimize adversary uAdversary model Cannot model randomized attack Do not model adversary running time

26 Security Protocols in Mur  uStandard “benchmark” protocols Needham-Schroeder, TMN, … Kerberos uStudy of Secure Sockets Layer (SSL) Versions 2.0 and 3.0 of handshake protocol Include protocol resumption uTool optimization uAdditional protocols Contract-signing Wireless networking … ADD YOUR PROJECT HERE …

27 State Reduction on N-S Protocol

28 Plan for this course uProtocols Authentication, key establishment, assembling protocols together (TLS ?), fairness exchange, … uTools Finite-state and probabilistic model checking, constraint-solving, process calculus, temporal logic, proof systems, game theory, polynomial time … uProjects (You do this later on your own!) Choose a protocol or other security mechanism Choose a tool or method and carry out analysis Hard part: formulating security requirements

29 Reference Material (CS259 web site) uProtocols Clarke-Jacob survey Use Google; learn to read an RFC uTools Murphi –Finite-state tool developed by David Dill’s group at Stanford PRISM –Probabilistic model checker, University of Birmingham MOCHA –Alur and Henzinger; now consortium Constraint solver using prolog –Shmatikov and Millen Isabelle –Theorem prover developed by Larry Paulson in Cambridge, UK –A number of case studies available on line

Download ppt "Security Analysis of Network Protocols TECS Week Reference: John Mitchell Stanford 2005."

Similar presentations

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Model Checking for Security Anupam Datta CMU Fall 2009 18739A: Foundations of Security and Privacy.

Model Checking for Security Anupam Datta CMU Fall A: Foundations of Security and Privacy.
CS259: Security Analysis of Network Protocols Overview of Murphi Arnab Roy.

CS259: Security Analysis of Network Protocols Overview of Murphi Arnab Roy.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Analysis of Security Protocols (III) John C. Mitchell Stanford University.

Analysis of Security Protocols (III) John C. Mitchell Stanford University.
Authentication John C. Mitchell Stanford University CS 99j.

Authentication John C. Mitchell Stanford University CS 99j.
Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005.

Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005.
Analysis of Security Protocols (IV) John C. Mitchell Stanford University.

Analysis of Security Protocols (IV) John C. Mitchell Stanford University.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
Protocol Verification by the Inductive Method John Mitchell Stanford TECS Week2005.

Protocol Verification by the Inductive Method John Mitchell Stanford TECS Week2005.

Similar presentations

Ads by Google