Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.


Last Lecture
Part 1:
– Simple notation for protocols
– Modelling “rules”
– Needham-Schroeder and Kerberos protocols
Part 2:
– A high-level overview of cryptography
– Symmetric key encryption, public key encryption and signing
– Abstract equations for modelling encryption

The Needham-Schroeder Protocol
An (in)famous authentication protocol:
1. A → B : E_B(N_a, A)
2. B → A : E_A(N_a, N_b)
3. A → B : E_B(N_b)
N_a and N_b can then be used to generate a symmetric key.

An Attack Against the Needham-Schroeder Protocol
The attacker acts as a man in the middle:
1. A → C : E_C(N_a, A)
1'. C(A) → B : E_B(N_a, A)
2'. B → C(A) : E_A(N_a, N_b)
2. C → A : E_A(N_a, N_b)
3. A → C : E_C(N_b)
3'. C(A) → B : E_B(N_b)

The Corrected Version
A very simple fix: B's name is added to message 2.
1. A → B : E_B(N_a, A)
2. B → A : E_A(N_a, N_b, B)
3. A → B : E_B(N_b)
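The attack and the fix above, replayed as an added example (not part of the original slides). It is a symbolic model: encryption is a tagged tuple that only the named key owner can open, and the function and field names are assumptions made for the illustration.

```python
import secrets

def enc(owner, *fields):
    """Symbolic public-key encryption under owner's key (no real crypto)."""
    return ("enc", owner, fields)

def dec(owner, msg):
    tag, key_owner, fields = msg
    if tag != "enc" or key_owner != owner:
        raise PermissionError(f"{owner} cannot decrypt a message for {key_owner}")
    return fields

def run_man_in_the_middle(fixed):
    """Replay the slide's attack; fixed=True adds B's name to message 2."""
    n_a, n_b = secrets.token_hex(8), secrets.token_hex(8)
    c_knows = set()

    # 1.  A -> C : E_C(N_a, A)     A honestly starts a session with C.
    got_na, claimed = dec("C", enc("C", n_a, "A"))
    c_knows.add(got_na)
    # 1'. C(A) -> B : E_B(N_a, A)  C re-encrypts for B, posing as A.
    b_na, b_peer = dec("B", enc("B", got_na, claimed))
    # 2'. B -> C(A) : E_A(N_a, N_b[, B])  C cannot open this, only forward it.
    m2 = enc("A", b_na, n_b, "B") if fixed else enc("A", b_na, n_b)
    # 2.  C -> A : forwarded unchanged. A's session is with C, so in the
    #     corrected protocol A expects the name C inside message 2.
    fields = dec("A", m2)
    if fields[0] != n_a or (fixed and fields[2] != "C"):
        return {"a_aborted": True, "c_learns_nb": n_b in c_knows,
                "b_accepts_as": None}
    # 3.  A -> C : E_C(N_b)        A returns N_b to its believed peer, C.
    (leaked,) = dec("C", enc("C", fields[1]))
    c_knows.add(leaked)
    # 3'. C(A) -> B : E_B(N_b)     B sees its own nonce and accepts "A".
    (b_check,) = dec("B", enc("B", leaked))
    return {"a_aborted": False, "c_learns_nb": n_b in c_knows,
            "b_accepts_as": b_peer if b_check == n_b else None}

if __name__ == "__main__":
    print("original :", run_man_in_the_middle(fixed=False))
    print("corrected:", run_man_in_the_middle(fixed=True))
```

In the original protocol B ends up accepting a session "with A" while C holds both nonces; in the corrected version A aborts at message 2 because the name inside it is B, not C.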

Today:
First Lecture: Goals for security protocols
– To know if a protocol is secure you must know what it aims to achieve.
– Example: Diffie-Hellman & STS Protocol.
Second Part: Attacks and Principles
– Common types of attacks on protocols
– Good design principles for protocols.

Is This An Attack?
The Needham-Schroeder key establishment protocol is the basis for Kerberos.
A and B use the trusted 3rd party S to establish a key K_ab:
1. A → S : A, B, N_a
2. S → A : { N_a, B, K_ab, { K_ab, A }_Kbs }_Kas
3. A → B : { K_ab, A }_Kbs
4. B → A : { N_b }_Kab
5. A → B : { N_b + 1 }_Kab

Is This An Attack?
A forces B to use an old key:
1. A → S : A, B, N_a
2. S → A : { N_a, B, K_ab, { oldK_ab, A }_Kbs }_Kas
3. A → B : { oldK_ab, A }_Kbs
4. B → A : { N_b }_oldKab
5. A → B : { N_b + 1 }_oldKab

What is a Protocol Trying to Achieve?
We MUST be clear about what we are trying to do with a protocol:
Security
– If we can securely establish a fresh key then secure transfer of data is easy.
Key establishment
– Yes, but we saw the problem in the last example.
Authentication
– Again we have to be exact.

Some Key Establishment Goals
Key Freshness: the key established is new
– either from some trusted 3rd party
– or because it uses a new nonce.
Key Exclusivity: the key is only known to the principals in the protocol.
Good Key: the key is both fresh and exclusive.

A Hierarchy of Goals
(Diagram; goals shown: Fresh Key, Key Exclusivity, Good Key)

A Good Key is Not Enough
A “Good Key” provides a secure communication channel, but we have no idea who is on the other end of the channel.
We need authentication as well.

Authentication Goals
The simplest:
Far-end Operative: A knows that “B” is currently active:
– For instance, B might have signed a nonce generated by A, e.g.
1. A → B : N_a
2. B → A : Sign_B(N_a)

Authentication Goals
and Once Authentication: A knows that B wishes to communicate with A
– For instance, B might have the name A in a message, e.g.
1. B → A : Sign_B(A)

Entity Authentication
Both of these together give:
Entity Authentication: A knows that B is currently active and wants to communicate with A, e.g.
1. A → B : N_a
2. B → A : Sign_B(A, N_a)

A Hierarchy of Goals
(Diagram; goals shown: Fresh Key, Key Exclusivity, Far-end Operative, Once Authenticated, Good Key, Entity Authentication)

Key Confirmation
A common goal is:
Key Confirmation of A to B is provided if
– B can be sure that “K” is a good key to communicate with A
– and that A knows “K”.

A Hierarchy of Goals
(Diagram; goals shown: Fresh Key, Key Exclusivity, Far-end Operative, Once Authenticated, Good Key, Entity Authentication, Key Confirmation)

The Highest Goal
Mutual Belief in Key: is provided for B only if
– “K” is a good key with A
– A believes that “K” is a good key for “B”
– and A wishes to communicate with B using “K”

A Hierarchy of Goals
(Diagram; goals shown: Fresh Key, Key Exclusivity, Far-end Operative, Once Authenticated, Good Key, Entity Authentication, Key Confirmation, Mutual Belief in Key)

Example: Diffie-Hellman
Diffie-Hellman is a widely used key agreement protocol.
It relies on some number theory:
– a mod b = n where ∃ m s.t. a = m·b + n
The protocol uses two public parameters:
– generator “g” (often 160 bits long)
– prime “p” (often 1024 bits long)

Diffie-Hellman
A and B pick random numbers r_A and r_B and calculate “t_A = g^{r_A} mod p” and “t_B = g^{r_B} mod p”.
The protocol just exchanges these numbers:
1. A → B : t_A
2. B → A : t_B
A calculates “t_B^{r_A} mod p” and B calculates “t_A^{r_B} mod p”; this is the key:
– K = g^{r_A r_B} mod p

Diffie-Hellman
A and B pick random numbers r_A and r_B and calculate “t_A = g^{r_A} mod p” and “t_B = g^{r_B} mod p”.
The protocol just exchanges these numbers:
1. A → B : p, g, t_A
2. B → A : t_B
A calculates “t_B^{r_A} mod p” and B calculates “t_A^{r_B} mod p”; this is the key:
– K = g^{r_A r_B} mod p

Diffie-Hellman
An observer cannot work out r_A and r_B from t_A and t_B, therefore the attacker cannot calculate the key.
The values of “g” and “p” must be big enough to make it intractable to try all possible combinations.
So we have a “Good Key” but know nothing about the participants.
We did not need to share any keys at the start, therefore this is a very powerful protocol.

Station-to-Station Protocol
The Station-to-Station (STS) protocol adds authentication:
1. A → B : t_A
2. B → A : t_B, { Sign_B(t_A, t_B) }_Kab
3. A → B : { Sign_A(t_A, t_B) }_Kab

Station-to-Station Protocol
1. A → B : A, B, t_A
2. B → A : B, A, t_B, { Sign_B(t_A, t_B) }_Kab
3. A → B : A, B, { Sign_A(t_A, t_B) }_Kab
Good Key: as before.
Key Confirmation: A knows that B knows K_ab.

Attack on Mutual Belief
1. A → E(B) : A, B, t_A
1'. E → B : E, B, t_A
2'. B → E : B, E, t_B, { Sign_B(t_A, t_B) }_Kab
2. E(B) → A : B, A, t_B, { Sign_B(t_A, t_B) }_Kab
3. A → E(B) : A, B, { Sign_A(t_A, t_B) }_Kab

What does STS provide?
Attacker E does NOT learn the key.
B does not accept the key.
But A does accept the key.
This can be fixed by changing line 2 to:
2. B → A : t_B, { A, Sign_B(t_A, t_B) }_Kab
This is not done because this attack does not pose a real risk.
In this case Key Confirmation is enough.
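The Diffie-Hellman computation and the STS relay above, as an added example (not part of the original slides). The modular arithmetic is real but uses a toy prime; signatures and symmetric encryption are symbolic tuples, all function names are assumptions, and the name B puts inside the fixed message 2 is assumed to be the peer B believes it is talking to.

```python
import secrets

P = 2**127 - 1   # toy prime for the demo only (far too small for real use)
G = 3            # assumed public base for the demo

def senc(key, payload):
    """Symbolic symmetric encryption: opens only with the same key."""
    return ("senc", key, payload)

def sdec(key, box):
    if box[0] != "senc" or box[1] != key:
        raise ValueError("wrong key")
    return box[2]

def sign(who, data):
    """Symbolic signature: only `who` can produce this value."""
    return ("sig", who, data)

def run_sts_relay(fixed):
    """Replay the slide's relay; fixed=True names the peer inside message 2."""
    r_a = secrets.randbelow(P - 2) + 1
    r_b = secrets.randbelow(P - 2) + 1
    t_a, t_b = pow(G, r_a, P), pow(G, r_b, P)
    # 1.  A -> E(B) : A, B, t_A     intercepted by E
    # 1'. E -> B    : E, B, t_A     B believes E is the initiator
    b_peer = "E"
    k_b = pow(t_a, r_b, P)                      # B's view of K_ab
    inner = sign("B", (t_a, t_b))
    body = (b_peer, inner) if fixed else inner
    # 2'. B -> E : B, E, t_B, {...}_Kab
    # 2.  E(B) -> A : B, A, t_B, {...}_Kab      E rewrites only the header
    msg2 = ("B", "A", t_b, senc(k_b, body))
    k_a = pow(msg2[2], r_a, P)                  # A's view of K_ab
    opened = sdec(k_a, msg2[3])
    result = {"a_accepts_with": None, "b_expects": b_peer,
              "same_key": k_a == k_b}
    if fixed:
        named, opened = opened
        if named != "A":                        # message was meant for E
            return result
    if opened == sign("B", (t_a, t_b)):
        result["a_accepts_with"] = "B"
    # 3. A -> E(B) : {Sign_A(t_A, t_B)}_Kab. B is waiting for Sign_E, which E
    #    cannot produce without the key, so B never accepts.
    return result

if __name__ == "__main__":
    print("STS as given:", run_sts_relay(fixed=False))
    print("with the fix:", run_sts_relay(fixed=True))
```

E never holds r_A or r_B, so it never computes the key; the run only changes who A believes is on the other end.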

Very Important Homework:
Whenever you do something secure over the Internet (e.g., log on remotely, check your bank balance, pay a bill), think about the protocol used.
Is the communication secure? Have you established a key? Is it fresh?
Think about who has been authenticated: Have you been authenticated? Has the computer you’re talking to?

Today:
First Lecture: Goals for security protocols
– To know if a protocol is secure you must know what it aims to achieve.
– Example: Diffie-Hellman & STS Protocol.
Second Part: Attacks and Principles
– Common types of attacks on protocols
– Good design principles for protocols.