CS259: Security Analysis of Network Protocols Winter 2008 Project Presentations 2 Day 2 – Feb. 21, 2008.

Presentation transcript:

1 CS259: Security Analysis of Network Protocols Winter 2008 Project Presentations 2 Day 2 – Feb. 21, 2008

2 HIPAA Anthony Ho, Sharada Sundaram with Adam Barth, John Mitchell, Steve Nguyen, Nicole Taheri

3 More HIPAA Background
Covered entity
Protected Health Information (PHI)
Administrative Simplification provisions
164.502 Uses and disclosure of Protected Health Information. (This section gives the rules for PHI disclosure depending on the type of data, its uses, the end user, the covered entity, the person whose data it is, etc.)

4 164.502
Standard Disclosure
Minimum Necessary
De-Identified Information Disclosure
Disclosure to Business Associates
Personal representatives
Whistle blowers

5 Prolog Facts Rules Queries Prolog is declarative. Given a set of facts and rules, deduce if queries hold.

6 Plan
Translate the 164.502 portion of HIPAA that regulates the distribution of protected health information into a set of Prolog rules
Model the Hospital's environment and different Agents (e.g. Scrubs)
Write queries to test properties of the model

7 Covered Entity Business Associates Patient Parents Minors Relatives Public Release

8 Example
HIPAA LAW: 164.502.a.1 (ii) For treatment, payment, or health care operations, as permitted by and in compliance with §164.506;
PROLOG TRANSLATION:
    % A disclosure A is permitted under 164.502(a)(1)(ii) if it has one of the
    % listed purposes and is also permitted under 164.506
    permitted_by_164_502_a_1_ii(A) :-
        satisfy_164_502_a_1_ii(A),
        permitted_by_164_506(A).
    satisfy_164_502_a_1_ii(A) :-
        has_purpose(A, healthcare);
        has_purpose(A, payment);
        has_purpose(A, treatment).

9 Properties
Develop a set of queries that will individually test each clause of the law implemented.
Verify that no unauthorized person gains access to the Medical records of any patient.
Test the answers produced for existing HIPAA lawsuits.
Rational Reconstruction

10 Challenges
Difficult for engineers to interpret law
What do we model? How much detail should we model? Is it complete?
Is there a strategy for a patient to get his questions answered?
Is one translation better than another?

11 Analysis of Remote Attestation Lavina Jain Jayesh Vyas

12 Remote Attestation (Recap)
[Diagram. Pre-boot: Hardware, CRTM, BIOS, OS, Application; Reset PCR, Extend PCR with BIOS image, Extend PCR with OS image. Post-boot: integrity of kernel, applications, libraries, files; dynamic/run-time measurements. TPM holds PCR and hardware keys; kernel holds the Measurement list (ML). Client/Attestator, Server/Challenger and a Trusted Third Party (AIK): EK, AIK Credential, Auth, Validate.]

13 Integrity Management Architecture (IMA)
[Diagram. Kernel hooks (measurement agents) in the kernel; hardware CRTM and BIOS; TPM with PCR. Boot up: Reset PCR, PCR_Extend(BIOS), PCR_Extend(OS). At run time, insmod and the loader (e.g. /bin/sh, /bin/perl) update the measurement list and PCR_Extend the TPM.]

14 Remote Attestation Protocol
Parties: Client/Attestator (TPM with PCR and keys, plus an attestation service) and Challenger.
1. Challenger → Client: 160-bit Nonce, N
2. Attestation service → TPM: Quote Request (N)
3. TPM → Attestation service: Quote Response, Sig_AIK(PCR, N)
4. Client → Challenger: Integrity Response { Sig_AIK(PCR, N), ML, AIK_pub, AIK_cert }
5. Challenger: Integrity Validation, Ver(Sig_AIK(PCR, N), AIK_pub) = true/false
– Validate AIK_pub and AIK_cert
– Verify signature
– Verify freshness of Nonce
– Match HASH(ML) against PCR
– Validate measurement list, ML
Assumption: A secure session is set up between the client and the server.

15 Threat Model and Security Properties
1. Replay Attack: A malicious attesting system can replay old values of measurements and PCR Quote that correspond to a valid platform (before the system was corrupted). Protection – Fresh Nonce.
2. Masquerading: An attacker can send the measurement list and PCR Quote of another valid system. Protection – Nonce and signature. Can an attacker learn any nonce and corresponding signature pair?
3. Tampering: An attacker may tamper with the measurement list: modify, truncate. Protection: Sig(PCR)
4. Malicious measurement agent: may report and extend incorrect integrity values. Protection: Measure and validate integrity of the measurement agent.
5. A malicious application may be loaded on the client after the remote attestation protocol completes.
6. The order in which the following 3 operations are performed may have an effect on integrity:
– reporting the hash value to the PCR
– storing it in the kernel measurement list
– executing the process which is being measured
7. Hardware attacks: Reset PCR, and store a new value corresponding to a modified measurement list.
8. Analysis of protocol: Significance of Nonce, keys (EK, AIK), and certificates.
9. Tool to analyze the protocol: Murphi
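As an added example (not code from these slides), here is a Python model of the challenger's side of slides 13–15: PCR_Extend chaining over an IMA-style measurement list, the integrity response, and the validation checks of slide 14 applied to the replay, tampering and malicious-application threats of slide 15. Assumptions: Sig_AIK(PCR, N) is replaced by an HMAC under a shared AIK secret, AIK_pub/AIK_cert validation is taken as already done, and the file digests are constructed.

```python
import hashlib, hmac, os
ZERO_PCR = b"\x00" * 20  # PCR contents after reset (SHA-1 sized register)

def pcr_extend(pcr, measurement):
    # PCR_Extend: PCR <- SHA1(PCR || measurement); extends are chained, so order matters
    return hashlib.sha1(pcr + measurement).digest()

def replay_ml(ml):
    # Recompute the PCR value a measurement list (ML) should have produced
    pcr = ZERO_PCR
    for _path, digest in ml:
        pcr = pcr_extend(pcr, digest)
    return pcr

def aik_quote(aik_key, pcr, nonce):
    # Stand-in for Sig_AIK(PCR, N): an HMAC under a shared AIK secret (assumption, not TPM code)
    return hmac.new(aik_key, pcr + nonce, hashlib.sha256).digest()

class Challenger:
    def __init__(self, aik_key, known_good):
        self.aik_key = aik_key        # AIK_pub/AIK_cert assumed already validated
        self.known_good = known_good  # path -> expected digest of the loaded image
        self.outstanding = set()      # nonces issued but not yet consumed

    def challenge(self):
        nonce = os.urandom(20)        # step 1: fresh 160-bit nonce N
        self.outstanding.add(nonce)
        return nonce

    def validate(self, nonce, sig, pcr, ml):
        # step 5, Integrity Validation, in the order slide 14 lists the checks
        if nonce not in self.outstanding:
            return "stale nonce: replayed quote"
        self.outstanding.discard(nonce)
        if not hmac.compare_digest(sig, aik_quote(self.aik_key, pcr, nonce)):
            return "bad signature"
        if replay_ml(ml) != pcr:
            return "HASH(ML) != PCR: list tampered or truncated"
        for path, digest in ml:
            if self.known_good.get(path) != digest:
                return f"unknown or modified measurement: {path}"
        return "ok"

# constructed sample: IMA-style (path, SHA-1 of the image that was loaded) entries
KNOWN_GOOD = {"/bin/sh": hashlib.sha1(b"constructed sh").digest(),
              "/bin/perl": hashlib.sha1(b"constructed perl").digest()}
AIK_KEY = b"constructed-aik-secret"

def attest(challenger, ml):
    # Steps 1-5 for an attestator whose TPM extended exactly the entries in ml
    nonce = challenger.challenge()
    pcr = replay_ml(ml)  # the PCR value the TPM reports in its quote
    return challenger.validate(nonce, aik_quote(AIK_KEY, pcr, nonce), pcr, ml)
```

Note that a malicious application that is measured honestly (threat 5) passes the signature and HASH(ML) checks and is only caught by validating the ML entries themselves, while threats 1 and 3 are caught earlier by the nonce and PCR checks.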

16 Analysis of Direct Anonymous Attestation (DAA) Sudip Regmi Ilya Pirkin

17 Trusted computing
Developed by TCG
– Applications: Secure Input and Output, Sealed Storage, Remote Attestation
– Main Component: Trusted Platform Module

18 Trusted Platform Module (TPM)
A microcontroller that stores keys, passwords and digital certificates. Typically it is affixed to the motherboard of a PC. The secrets inside the TPM are secure from external software attacks and physical theft.

19 Remote Attestation
Remote Attestation allows the system containing the TPM to prove a particular set of software and configurations to an interested verifier.
Problem: If the TPM is widely used then there are concerns for Privacy and Availability. DAA tries to solve those issues.

20 Direct Anonymous Attestation
Direct – Doesn't require a highly available Privacy CA
Anonymous – Based on the Camenisch-Lysyanskaya Group Signature Scheme without anonymity revocation
Attestation – Interactive protocol between the verifier and the host containing the TPM

21 Players
Issuer – authenticates the TPM and generates the DAA Credential (zero-knowledge proof of the TPM secret)
TPM – stores the secret and the DAA Credential signed by the Issuer, together with Host-generated DAA signatures
Host – generates DAA signatures for the Verifier
Verifier – authenticates the Host as containing some authentic TPM authenticated and authorized by the Issuer; requests a DAA signature
PKI – not part of the DAA protocol but assumed

22 Primitives
Conventional RSA encryption
PseudonymBase
Pseudonym(f, bsn)
Blind(f, nonce)
DAA-Credential(f)
DAA-Signature(m, DAA-Credential, bsn)

23 Join protocol
Init: TPM generates secret f
Outcome: If the Issuer authorizes the TPM, the latter obtains a non-interactive proof of the Issuer's authorization ("DAA Credential").
Notes:
– The channel is one-way authenticated but not encrypted!
– The TPM is not anonymous and uses its Endorsement Key to authenticate itself

24 Join protocol

25 Sign and Verify
Init: TPM has a DAA-Credential
Outcome: Verifier has an Anonymous Signature on m generated by the TPM
Notes:
– The TPM is anonymous and may use pseudonyms
– The Verifier decides whether or not to reuse pseudonyms

26 Sign and Verify Diagram

27 Tool
Murphi
– Known attacks appear to be good candidates for Murphi
– Looking for similar attacks
Approach
– Model security primitives in messages by sending the components they are generated from
– Trust security primitives but look for unexpected use or parameter combinations

28 Adversary's Capabilities
Can intercept messages between any two players
Can replay encrypted messages (or parts) even if it cannot decrypt them
Can create security primitives from known data and insert them into messages

29 Security properties
1. Correctness
2. Anonymity
3. Unlinkability
4. Secrecy

30 Correctness
Informally – An honest TPM is able to authenticate and attest.
Formally – If a verifier completes the protocol for message m:
– m was signed by an honest TPM using a DAA-Credential(f) and the verifier's basename;
– DAA-Credential(f) was issued by an honest Issuer for the TPM and its f before signing message m;
– the TPM is not on the rogue list (blacklist).

31 Informally
– Anonymity – A user transaction of an honest platform is anonymous, i.e., it cannot be linked with its Endorsement Key (EK).
– Unlinkability – User transactions of an honest platform with different Verifiers are not linkable.

32 Unlinkability – formalized
No data should appear in the sign/verify protocol transcript that is a value of a deterministic 1-1 function M(f, AKV), which the adversary can calculate, and which only depends on:
– f – TPM secret
– AKV – already known [by the adversary] values (nonces, public keys, etc.)
We will have to come up with good candidates for M and program them manually

33 Anonymity – formalized
No data D1 should appear in the sign/verify protocol transcript which depends only on the TPM secret f and values known to the adversary (such as nonces)
No data D2 should appear in the Join protocol transcript which depends only on the TPM ID and values known to the adversary
such that there are two deterministic 1-1 functions M1 and M2 with M1(D1) = M2(D2) that the Adversary can calculate
We will have to come up with good candidates for M1 and M2 and code each of them manually

34 Secrecy
Given the attacker's capabilities, the TPM secret f cannot be computed.
Implied unforgeability (the TPM has to be physically broken to extract f)
A corrupt TPM's secrets are in the rogue list

35 Attacks
Carsten Rudolph's DAA Attack on Anonymity
– Use PK' to tag a particular TPM
Corrupt Administrators (Smyth, Ryan, Chen) attack on Anonymity
– The same entity behaves as Issuer and Verifier, i.e. bsn_I = bsn_V.
Issues with the Verifier's Basenames
– The adversary matches bsn_V with a Verifier to find all TPMs it has attested.
Issues with the Rogue Tagging Feature in Join
– The protocol checks the secret f against a Rogue List; the list is not verified (in the sign/verify protocol, it is)
– A corrupt TPM can generate a new secret f.

36 Pynchon Network Analysis Fred Wulff

37 PynGP 1.0
[Diagram: Nym Server, Collator, Client; message steps 1–5.]

38 PynGP 2.0
[Diagram: Nym Server, Collator, Client, Validator; message steps 1–4.]

39 Attacks (Part 1)
Suppose we can figure out a way to remove the crypto on the messages in the database. Can we remove information-theoretic security? (i.e. can we get P(client = id_1) != P(client = id_2)?)
Thoughts and extensions

40 Attacks (Part 2)
Original Denial of Service Attack, "Byzantine Postman": provides detection but not a solution
Start with different sets of colluders
Find out P(colluder being caught)
Find out the estimated time for communication

41 Attacks (Part 3)
Short/Long Messages
Does this mean compromising crypto compromises information-theoretic security? How quickly?

42 Other Interesting Properties Given various starting parameters in PynGP 2.0, what’s the expected value for bandwidth used by the validator? What’s the maximum amount that a server can delay under the various protocols? What if we just pick a random subset of servers?

43 If I Have Way Too Much Time On My Hands
Horribly complex PynGP 1.5: depends on Shamir Secret Sharing, Paillier Crypto, multiple recovery methods. Check the same properties as 2.0. See if it does any better (vs. the O(k) blow-up). Check properties for what can break.

44 Tools
PRISM
APMC? (Approximate Probabilistic Model Checker) – continuous time, clusters, other interesting things

45 802.16g-2007 (WiMAX) (Management Plane Procedures and Services) Matt Bravo mbravo@stanford.edu Does one compromised base station compromise security for the whole network?

46 WiMAX
Wireless broadband: IEEE 802.16, aka WirelessMAN, aka WirelessHUMAN
Both a fixed (like wifi) and a mobile (like a cell phone) network specification
I focus on the Network Control and Management System (NCMS)

47 Handoff
Occurs when a mobile station (MS) is moving out of a base station's (BS) coverage
For QoS, this should be seamless
The target BS must receive the crypto information and authorization information from the serving BS

48 Handoffs come from everywhere!
MS initiated Handoff
NCMS initiated Handoff
BS initiated Handoff
"Fast Base Station Switching"

49 Now let's suppose...
We compromise a single base station
Can we gain the crypto info of any MS on the network?
Can we eavesdrop on the connection?
Can we disconnect the MS?

50 Hypothesis
Can grab the crypto for any MS on the network (provided we have the MAC)
How do we get a MAC address? Is there a procedure for that?
There should be some simple rules that an implementation can add to guard against this attack

51 Tools
Implement in Murphi the procedures and the network
Read the spec, implement procedures as needed
Add additional fixes or rules to Murphi to fix holes that are found

52 Questions
Please say questions and comments, I'll hear them when I watch the lecture. Email me: mbravo@stanford.edu, call me: 650-862-8756, no letters please :)

