1. Security Analysis of Network Protocols
CS 259
Security Analysis of Network Protocols
Mukund Sundararajan

2. How to write a crypto paper?
1. First visit:
2. Click on the button
3. Be Inspired
Fortunately, we don’t need to know what those papers, if written, may contain

3. Today Getting Murphi to work on Windows
A close look at the NS implementation in Murphi
Cryptography for CS259
The cryptography of SSL
Newsgroup: su.class.cs259

4. Murphi on Windows Download Cygwin
Need to include g++, make, gcc packages
Look under the ‘Devel’ heading
Follow instructions in the Readme file located in the src directory
Make the murphi compiler in the src directory
Set up a link
Edit homework Makefile

5. Needham Schroeder in Murphi
Walk through code sections
Data types
State variables
Transitions, invariants
Initial state
The strong attacker model
Perfect cryptography
Intercept all messages on the network
Insert, reorder, delete messages

6. Murphi Syntax Invariants are a special kind of rule
Rulesets allow concise specification of transition rules
Scalarsets allow us to exploit symmetry the inherent symmetry in some situations to make model checking efficient
Multisets are similar to scalarsets but are modifiable at runtime, use a ‘choose’ to index.
Union data types allow us to refer to many scalarsets at once

7. Weak intruder model [Part (b) of the 3rd question on HW#1]
Consider an intruder who can only receive messages destined to it.
Does the attack on “initiator correctly authenticated” still work?
Need to undo optimizations

8. Anomaly in Needham-Schroeder
[Lowe]
Anomaly in Needham-Schroeder
{ A, NA } Ke A E
{ NA, NB } Ka
{ NB } Ke
{ NA, NB }
{ A, NA }
Evil agent E tricks
honest A into revealing
private key NB from B Ka Kb B
Evil E can then fool B

10. Nonce
'number used once'
To prevent against replay attacks

11. Symmetric Key Algorithm
Encryption
Input: plain-text, key, Output: cipher text
Decryption
Input: encrypted message, key, Output: plain text
Needs to be reversible
Insecure if following is computationally feasible
Can decipher plaintext without key
Can produce cipher text without key
Can deduce key from cipher text

12. Asymmetric Encryption
Input: plain-text, public-key, Output: cipher text
Decryption
Input: encrypted message, private-key, Output: plain text
Needs to be reversible
Insecure if following is computationally feasible
Can decipher plaintext without private key
Can deduce private key from cipher text or public key

13. Digital Signatures Signature algorithm Verification algorithm
Input: m, private key, Output: Signature
Verification algorithm
Input: Signature, public key, Output: Boolean
Authentication
Integrity
Non-repudiation

14. Cryptographic Hashes Input: message, Output: digest
Insecure if following is computationally feasible:
Preimage resistance: finding a message that matches a given digest
Collision resistance: finding "collisions", wherein two different messages have the same message digest
Second Preimage resistance: given an input m, it must be hard to find different m’ that hashes to the same value

15. MAC’s Integrity + Authenticity
Input: Key, Message, Output: Message Authentication Code
Verification algorithm
Uses cryptographic hashes or symmetric key crypto
Attacker must not be able to find two messages M, M’ that produce the same MAC under an unknown key given an oracle that MAC’s messages
Key holder may find collisions
Differ from signatures: they are symmetric

16. Diffie-Hellman exchange
A picks a nonce x, generates Gx, sends it to B
B picks a nonce y, generates Gy, sends it to A
Both generate Gxy locally
Gxy is a shared secret
Secure by ‘Hardness of discrete logarithm’

17. Exercises
How do scalarsets and multisets improve the efficiency of model-checking?
What is the relationship between the three properties of cryptographic hashes?
Read the definition of a message authentication code in Wikipedia