Presentation is loading. Please wait.

Presentation is loading. Please wait.

Design and Analysis of Security Protocols Vitaly Shmatikov CS 395T

Published byAnthony Piers Walton Modified over 8 years ago

Similar presentations

Presentation on theme: "Design and Analysis of Security Protocols Vitaly Shmatikov CS 395T"— Presentation transcript:

1 Design and Analysis of Security Protocols Vitaly Shmatikov CS 395T http://www.cs.utexas.edu/~shmat/courses/cs395t_fall04/

2 Course Logistics uLectures Monday, Wednesday 3:30-5pm Project presentations in the last two weeks uThis is a project course The best way to understand security is by getting your hands dirty There will be one short homework and one read-and- present a research paper assignment Most of your work will be project, writeup and in-class presentation Please enroll!

3 Grading uHomework: 10% uRead and present a research paper: 15% uProject: 75% Projects are best done individually Two-person teams are Ok, but talk to me first Project proposal due around 5 th week of the course –More details later I’ll provide a list of potential project ideas, but don’t hesitate to propose your own

4 Computer Security Cryptographic primitives Protocols and policies Implementation Building blocks Blueprints Systems Algorithmic number theory Computational complexity RSA, DSS, SHA-1… SSL, IPSec, access control… Firewalls, intrusion detection…

5 Class Poll uCryptography? Public-key and symmetric encryption, digital signatures, cryptographic hash, random-number generators? Computational complexity? uSystems security? Buffer overflows, Web security, sandboxing, firewalls, denial of service? uFormal methods and verification? Model checking, theorem proving? … this course doesn’t require any of these

6 Security Protocols uThe focus of this course is on secure communications… Two or more parties Communication over insecure network Cryptography used to achieve some goal –Exchange secret keys, verify identity, pay for a service… u…and formal analysis techniques for security Analyze protocol design assuming cryptography, implementation, underlying OS are correct uLater in the course will talk about privacy protection in databases and trusted computing

7 Correctness vs Security uProgram or system correctness: program satisfies specification For reasonable input, get reasonable output uProgram or system security: program properties preserved in face of attack For unreasonable input, output not completely disastrous uMain differences Active interference from adversary Refinement techniques may fail –Abstraction is very difficult to achieve in security: what if the adversary operates below your level of abstraction?

8 Security Analysis ŒModel system Model adversary ŽIdentify security properties See if properties preserved under attack uResult Under given assumptions about system, no attack of a certain form will destroy specified properties There is no “absolute” security Theme #1: there are many notions of what it means for a protocol to be “secure” Theme #2: there are many ways of looking for security flaws

9 Theme #1: Protocols and Properties uAuthentication Needham-Schroeder, Kerberos uKey establishment SSL/TLS, IPSec protocols (IKE, JFK, IKEv2) uSecure group protocols Group Diffie-Hellman, CLIQUES, key trees and graphs uAnonymity MIX, Onion routing, Mixmaster and Mixminion uElectronic payments, wireless security, fair exchange, privacy… Some of these are excellent topics for a project or the paper-reading assignment

10 Theme #2: Formal Analysis Methods uFocus on special-purpose security applications Some techniques are very different from those used in hardware verification In all cases, the main difficulty is modeling the attacker uSimple, mechanical models of the attacker uNo cryptanalysis! In this course, we’ll assume that cryptography is perfect Search for design flaws, not cryptographic attacks uWe’ll talk about the relationship between formal and cryptographic models late in the course

11 Variety of Tools and Techniques uExplicit finite-state checking Mur j model checker There will be a small homework! uInfinite-state symbolic model checking SRI constraint solver uProcess algebras Applied pi-calculus Secrecy Authentication Authorization uProbabilistic model checking PRISM probabilistic model checker Anonymity uGame-based verification MOCHA model checker Fairness

12 Example: Needham-Schroeder uVery (in)famous example Appeared in a 1979 paper Goal: authentication in a network of workstations In 1995, Gavin Lowe discovered unintended property while preparing formal analysis using FDR system uBackground: public-key cryptography Every agent A has a key pair Ka, Ka -1 Everybody knows public key Ka and can encrypt messages to A with it (we’ll use {m} Ka notation) Only A knows secret key Ka -1, therefore, only A can decrypt messages encrypted with Ka

13 A’s reasoning: The only person who could know NonceA is the person who decrypted 1 st message Only B can decrypt message encrypted with Kb Therefore, B is on the other end of the line B is authenticated! Needham-Schroeder Public-Key Protocol AB A’s identityFresh random number generated by A B’s reasoning: The only way to learn NonceB is to decrypt 2 nd message Only A can decrypt 2 nd message Therefore, A is on the other end A is authenticated! Kb { NonceB} Ka { NonceA, NonceB } Kb { A, NonceA }

14 What Does This Protocol Achieve? AB Kb { NonceB} Ka { NonceA, NonceB } Kb { A, NonceA } uProtocol aims to provide both authentication and secrecy uAfter this the exchange, only A and B know Na and Nb uNa and Nb can be used to derive a shared key

15 B can’t decrypt this message, but he can replay it Anomaly in Needham-Schroeder AB { A, Na } Kc C { A, Na } Kb { Na, Nc } Ka { Na, Nc } Ka { Nc } Kb Evil agent B tricks honest A into revealing C’s private value Nc C is convinced that he is talking to A! [published by Lowe] Evil B pretends that he is A

16 Lessons of Needham-Schroeder uClassic man-in-the-middle attack uExploits participants’ reasoning to fool them –A is correct that B must have decrypted {A,Na} Kb message, but this does not mean that {Na,Nb} Ka message came from B –The attack has nothing to do with cryptography! uIt is important to realize limitations of protocols The attack requires that A willingly talk to adversary In the original setting, each workstation is assumed to be well-behaved, and the protocol is correct! uWouldn’t it be great if one could discover attacks like this automatically?

17 Important Modeling Decisions uHow powerful is the adversary? Simple replay of previous messages Decompose into pieces, reassemble and resend Statistical analysis, partial info from network traffic Timing attacks uHow much detail in underlying data types? Plaintext, ciphertext and keys –Atomic data or bit sequences? Encryption and hash functions –Perfect (“black-box”) cryptography –Algebraic properties: encr(x+y) = encr(x) * encr(y) for RSA because encrypt(k,msg) = msg k mod N

18 Fundamental Tradeoff uFormal models are abstract and greatly simplified Components modeled as finite-state machines Cryptographic functions modeled as abstract data types Security property stated as unreachability of “bad” state uFormal models are tractable… Lots of verification methods, many automated u …but not necessarily sound Proofs in the abstract model are subject to simplifying assumptions which ignore some of attacker’s capabilities u Attack in the formal model implies actual attack

19 Explicit Intruder Method Intruder model Analysis Tool Formal specification Informal protocol description Find error RFC, IETF draft, research paper… Set of rules describing what attacker can do

20 Mur j [Dill et al.] uDescribe finite-state system State variables with initial values Transition rules for each protocol participant Communication by shared variables uSpecify security condition as a state invariant Predicate over state variables that must be true in every state reachable by the protocol uAutomatic exhaustive state enumeration Can use hash table to avoid repeating states uResearch and industrial protocol verification

21 Making the Model Finite uTwo sources of infinite behavior Many instances of participants, multiple runs Message space or data space may be infinite uFinite approximation Assume finite number of participants –For example, 2 clients, 2 servers –Mur j is scalable: can choose system size parameters Assume finite message space –Represent random numbers by constants r1, r2, r3, … –Do not allow encrypt(encrypt(encrypt(…)))

22 Applying Mur j to Security Protocols uFormulate the protocol Define a datatype for each message format Describe finite-state behavior of each participant –If received message M3, then create message M4, deposit it in the network buffer, and go to state WAIT Describe security condition as state invariant uAdd adversary Full control over the “network” (shared buffer) Nondeterministic choice of actions –Intercept a message and split it into parts; remember parts –Generate new messages from observed data and initial knowledge (e.g., public keys) Mur  will try all possible combinations

23 Needham-Schroeder in Mur j (1) const NumInitiators: 1; -- number of initiators NumResponders: 1; -- number of responders NumIntruders: 1; -- number of intruders NetworkSize: 1; -- max. outstanding msgs in network MaxKnowledge: 10; -- number msgs intruder can remember type InitiatorId: scalarset (NumInitiators); ResponderId: scalarset (NumResponders); IntruderId: scalarset (NumIntruders); AgentId: union {InitiatorId, ResponderId, IntruderId};

24 Needham-Schroeder in Mur j (2) MessageType : enum { -- types of messages M_NonceAddress, -- {Na, A}Kb nonce and addr M_NonceNonce, -- {Na,Nb}Ka two nonces M_Nonce -- {Nb}Kb one nonce }; Message : record source: AgentId; -- source of message dest: AgentId; -- intended destination of msg key: AgentId; -- key used for encryption mType: MessageType; -- type of message nonce1: AgentId; -- nonce1 nonce2: AgentId; -- nonce2 OR sender id OR empty end;

25 Needham-Schroeder in Mur j (3) -- intruder i sends recorded message ruleset i: IntruderId do -- arbitrary choice of choose j: int[i].messages do -- recorded message ruleset k: AgentId do -- destination rule "intruder sends recorded message" !ismember(k, IntruderId) & -- not to intruders multisetcount (l:net, true) < NetworkSize ==> var outM: Message; begin outM := int[i].messages[j]; outM.source := i; outM.dest := k; multisetadd (outM,net); end; end;

26 Try Playing With Mur j  You’ll need to use Mur j for your first homework uThe input language is easy to understand, but ask me if you are having problems Simple IF… THEN… guarded commands Attacker is nondeterministic, not sequential  Local Mur j installation is in /projects/shmat/Murphi3.1 Some security examples are in /projects/shmat/Murphi3.1/ex/secur Needham-Schroeder, SSL (ignore rule priorities!)

27 Start Thinking About the Project uI’ll post a list of ideas soon uFour ways to go about it Use one of the tools we’ll discuss in class to analyze an existing or proposed protocol –Learn to read an RFC –Check out reference materials on the class website Extend a tool to handle a new class of properties Do a theoretical project –Example: algorithmic properties of verification techniques; relationship between cryptographic and formal models Invent something of your own (but talk to me first!)

28 Some Ideas uE-commerce protocols Micropayment schemes, secure electronic transactions uWireless security Ad-hoc routing, WiFi security, location security uTrusted Computing Base / Palladium uElectronic voting uGroup key management protocols uAnonymity networks uCensorship-resistant Web publishing uChoose something that interests you!

29 Watch This Space uAlready contains pointers to several tools, some with online demos uI’ll be constantly adding new references uStart poking around in protocol libraries Clark-Jacob survey is a good start http://www.cs.utexas.edu/~shmat/courses/cs395t_fall04/

Download ppt "Design and Analysis of Security Protocols Vitaly Shmatikov CS 395T"

Similar presentations

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Model Checking for Security Anupam Datta CMU Fall 2009 18739A: Foundations of Security and Privacy.

Model Checking for Security Anupam Datta CMU Fall A: Foundations of Security and Privacy.
CS259: Security Analysis of Network Protocols Overview of Murphi Arnab Roy.

CS259: Security Analysis of Network Protocols Overview of Murphi Arnab Roy.
Cryptography and Network Security

Cryptography and Network Security
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Homework #4 Solutions Brian A. LaMacchia Portions © 2002-2006, Brian A. LaMacchia. This material is provided without.

Homework #4 Solutions Brian A. LaMacchia Portions © , Brian A. LaMacchia. This material is provided without.
Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.
Authentication John C. Mitchell Stanford University CS 99j.

Authentication John C. Mitchell Stanford University CS 99j.
Analysis of Security Protocols (IV) John C. Mitchell Stanford University.

Analysis of Security Protocols (IV) John C. Mitchell Stanford University.
Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Similar presentations

Ads by Google