Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Protocols Vitaly Shmatikov CS 6431. Security Protocols  Use cryptography to achieve some higher-level security objective Authentication, confidentiality,

Published byDwight Watson Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Protocols Vitaly Shmatikov CS 6431. Security Protocols  Use cryptography to achieve some higher-level security objective Authentication, confidentiality,"— Presentation transcript:

1 Security Protocols Vitaly Shmatikov CS 6431

2 Security Protocols  Use cryptography to achieve some higher-level security objective Authentication, confidentiality, integrity, key distribution or establishment, payment…  Examples: SSL/TLS, IPsec, Kerberos, SSH, 802.11b and 802.11i, Skype, hundreds of others New protocols constantly proposed, standardized, implemented, and deployed  Critical component of modern Web and mobile applications slide 2

3  Needham and Schroeder. “Using Encryption for Authentication in Large Networks of Computers” (CACM 1979)  Initiated the field of cryptographic protocol design Led to Kerberos, IPsec, SSL, and all modern protocols  Observed the need for rigorous protocol analysis “Protocols … are prone to extremely subtle errors that are unlikely to be detected in normal operation… The need for techniques to verify the correctness of such protocols is great, and we encourage those interested in such problems to consider this area.” slide 3 Needham-Schroeder Protocols

4  Many simple attacks against protocols have been discovered over the years Even carefully designed, widely deployed protocols... often years after the protocol has been deployed –Examples: SSL, SSH, 802.11b, GSM Simple = attacks do not involve breaking crypto!  Why is the problem difficult? Concurrency + distributed participants + (often incorrect) use of cryptography Active attackers in full control of communications Implicit assumptions and goals behind protocols slide 4 Things Goes Wrong

5 Design Principles (1) 1. Every message should say what it means 2. The conditions for a message to be acted on should be clearly set out 3. Mention the principal’s name explicitly in the message if it is essential to the meaning 4. Be clear as to why encryption is being done 5. Don’t assume a principal knows the content of encrypted material that is signed by that principal slide 5 [Abadi and Needham. “Prudent Engineering Practice for Cryptographic Protocols ”. Oakland 1994]

6 Design Principles (2) 6. Be clear on what properties you are assuming about nonces 7. Predictable quantities used for challenge- response should be protected from replay 8. Timestamps must take into account local clock variation and clock maintenance mechanisms 9. A key may have been used recently, yet be old slide 6 [Abadi and Needham]

7 Design Principles (3) 10. If an encoding is used to present the meaning of a message, then it should be possible to tell which encoding is being used 11. The protocol designer should know which trust relations his protocol depends on slide 7 [Abadi and Needham]

8 slide 8 NS Symmetric-Key Protocol AliceBob {Kc, A} Kb  Goal: A and B establish a fresh, shared, secret key Kc with the help of a trusted key server Trusted key server A, B, NonceA { NonceA, B, Kc, {Kc, A} Kb } Ka Ka Kb Ka, Kb {NonceB} Kc {NonceB-1} Kc

9 Denning-Sacco Attack  Attacker recorded an old session and compromised session key Kx used in that session  B now believes he shares a fresh secret Kx with A  Moral: use timestamps to detect replay of old messages slide 9 Bob {Kx, A}Kb {NonceB} Kx {NonceB-1} Kx

10 AB A’s identityFresh random number generated by A B’s reasoning: The only way to learn NonceB is to decrypt the second message Only A can decrypt second message Therefore, A is on the other end A is authenticated! Kb { NonceB} Ka { NonceA, NonceB } Kb { A, NonceA } Encrypted with B’s public key slide 10 A’s reasoning: The only person who could know NonceA is the person who decrypted the first message Only B can decrypt message encrypted with Kb Therefore, B is on the other end of the line B is authenticated! NS Public-Key Protocol

11 What Does This Protocol Achieve? AB Kb { NonceB } Ka { NonceA, NonceB } Kb { A, NonceA }  Protocol aims to provide both authentication and secrecy  After this exchange, only A and B know NonceA and NonceB  they can be used to derive a shared key slide 11

12 B can’t decrypt this message, but he can replay it AB { A, Na } Kc C { A, Na } Kb { Na, Nc } Ka { Na, Nc } Ka { Nc } Kb Evil participant B tricks honest A into revealing C’s nonce Nc C is convinced that he is talking to A! Evil B pretends that he is A Lowe’s Attack on NSPK slide 12 [Lowe. “Breaking and Fixing the Needham-Schroeder Public-Key Protocol using FDR”. TACAS 1996]

13 AB { A, Na } Kc C { A, Na } Kb { Na, Nc } Ka { Na, Nc } Ka Abadi-Needham Principle #1 slide 13 Every message should say what it means Who sent this message?

14 AB Kb { NonceB} Ka { NonceA, B, NonceB } Kb { A, NonceA } slide 14 Does this solve the problem? How? Lowe’s Fix to NSPK

15 Lessons of Lowe’s Attack  Attacker is a legitimate protocol participant!  Exploits participants’ reasoning to fool them A is correct that B must have decrypted {A,Na} Kb message, but this does not mean that the {Na,Nb} Ka message came from B The attack does not rely on breaking cryptography!  It is important to realize limitations of protocols The attack requires that A willingly talk to adversary In the original setting, each workstation is assumed to be well-behaved, and the protocol is correct!  Discover attacks like this automatically? slide 15

16 slide 16 Cashier-as-a-Service PayPal, Amazon Payments, Google Checkout, etc. Web store Shopper communication about the order communication about the payment Joint decision: is an order appropriately paid? [Wang et al. “How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores”. Oakland 2011]

17 nopCommerce + Amazon Simple Pay [Wang et al.] (and seller Mark) Jeff, I want to buy this DVD. Shopper Chuck Amazon (CaaS) Jeff Chuck, pay in Amazon with this signed letter: Dear Amazon, order#123 is $10, when it is paid, text me at 425-111-2222. [Jeff’s signature] Amazon, I want to pay with this letter Dear Amazon, order#123 is $10, when it is paid, text me at 425-111- 2222. [Jeff’s signature] [Mark’s signature] Hi, $10 has been paid for order#123. [Amazon’s signature] Great, I will ship order#123! Anyone can register an Amazon seller account, so can Chuck Purchase a $25 MasterCard gift card by cash, register under a fake address and phone number Create seller accounts in PayPal, Amazon and Google using the card Chuck’s trick Check out from Jeff, but pay to “Mark” (Chuck himself) Amazon tells Jeff that payment has been successful Jeff is confused, ships product slide 17

18 slide 18 Interspire + PayPal Express Message A redirects to store.com/finalizeOrder?[orderID1] store Session 1: pay for a cheap order (orderID1), but prevent the merchant from finalizing it by holding Message B Expensive order is checked out but the cheap one is paid! Message A Message B Message B calls store.com/finalizeOrder?[orderID1] store [orderID2] store store Session 2: place an expensive order (orderID2), but skip the payment step Message A Message A redirects to store.com/finalizeOrder?[orderID2] store store [Wang et al.]

19 slide 19 Side-Channel Leaks [Chen et al. “Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow”. Oakland 2010] encrypted! privacy problems solved? Attacker can still see the number of packets, size of each packet, time between packets…

20  Search using encrypted Wi-Fi (WPA / WPA2)  Example: user types “l-i-s-t” on his laptop… slide 20 [Chen et al.] 821   910 822   931 823   995 824   1007 Query suggestion Consequence: any eavesdropper knows our search queries Attacker’s effort linear in the size of query Each additional letter of query… …different size of suggestion list

21  Entering health records By typing – auto-suggestion By mouse – a tree structure of elements  Finding a doctor Dropdown list slide 21 [Chen et al.] Online Medical Application 2000x reduction in ambiguityUniquely identify the specialty

22  Wizard-style questionnaire Tailor the questions based on previous inputs  Which forms you work on reveal filing status, big medical bills, adjusted gross income…  Knowing the state machine of the application the eavesdropper can infer sensitive information Especially by combining information learned from multiple state machines slide 22 [Chen et al.] Tax Preparation Application

23 slide 23 [Chen et al.] Child Credit State Machine Entry page of deductions & credits Summary of deductions & credits Full credit Not eligible Partial credit All transitions have unique traffic patterns Consult the IRS instruction: $1000 for each child Phase-out starting from $110,000. For every $1000 income, lose $50 credit.

24 slide 24 [Chen et al.] Student Loan Interest State Machine Entry page of deductions & credits Summary of deductions & credits Full credit Not eligible Partial credit Enter your paid interest Even worse, most decision procedures for credits/deductions have asymmetric paths: eligible – more questions, not eligible – no more questions

25 slide 25 [Chen et al.] Some Identifiable AGI Thresholds Disabled Credit $24999 Retirement Savings $53000 IRA Contribution $85000$105000 College Expense $116000 $115000 Student Loan Interest $145000 First-time Homebuyer Credit $150000 $170000 Earned Income Credit $41646 Child Credit $110000 Adoption Expense $174730 $214780 $130000 or $150000 or $170000 … $0

26 slide 26 [Chen et al.] Online Investments Which funds you invest in?  Each price history curve is a GIF image from MarketWatch Anyone in the world can get them from this website  Just compare the image sizes! Your investment allocation?  Can see the size of the pie chart, but hundreds of pie charts have the same image…

27 slide 27 [Chen et al.] Change Over Time Is Revealing!  800 charts  80 charts  8 charts 1 chart Size of day 1 Size of day 2; Prices of the day Size of day 3; Prices of the day Size of day 4; Prices of the day  80000 charts Financial institution updates your pie chart every day after market close. Mutual fund prices are public knowledge.

28  Still have the asymmetric path problem  Google’s responses are compressed, destination networks may or may not uncompress responses For example, Microsoft gateways uncompress and inspect Web traffic, but university does not Round before compression – university still sees distinguishable sizes; after compression – Microsoft does  Random padding is not appropriate If user checks several times, repeated random padding of the same responses quickly degrades effectiveness Images come from MarketWatch, not site itself slide 28 [Chen et al.] Rounding? Padding?

Download ppt "Security Protocols Vitaly Shmatikov CS 6431. Security Protocols  Use cryptography to achieve some higher-level security objective Authentication, confidentiality,"

Similar presentations

Rui Wang, XiaoFeng Wang and Kehuan Zhang Shuo Chen IEEE Symposium on Security and Privacy Oakland, California May 17 th, 2010.

Rui Wang, XiaoFeng Wang and Kehuan Zhang Shuo Chen IEEE Symposium on Security and Privacy Oakland, California May 17 th, 2010.
Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.

Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
CSC 474 Information Systems Security

CSC 474 Information Systems Security
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.

1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.

1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
Electronic Transaction Security (E-Commerce)

Electronic Transaction Security (E-Commerce)
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

Similar presentations

Ads by Google