# The Agent Based Crypto Protocol


The ABC-Protocol, by Jordan Hind. MSE Presentation 2.

## Agenda

- A brief coverage of some “crypto-stuffs”
- How the protocol works
- Formal methods with Spin
- Strand Space formal methods: introduction; CAPSL and CIL; Strand Space analysis in Prolog
- Program architecture and the formal methods with USE/OCL
- Odds and ends

## Crypto Intro

In the ABC-Protocol we'll divide cryptography into 3 sections:

- Public key
- Authentication
- Symmetric cryptography

## Public Key: Elliptic Curve Diffie-Hellman (ECDH)

A Diffie-Hellman-like key exchange between two hosts within the field of a finite elliptic curve. Everyone knows the curve GF(p). Anyone can know the random point F on that curve. Two hosts (A and B) each have a “private key” that is never shared. The private key is really just a randomly picked point on that curve. Let's call these Ak and Bk. Each host multiplies its key by the point F; the result is its “public key”. Let's call these Ap and Bp. The shared secret key is constructed by one host multiplying its secret key against the other host's public key (and vice versa).

## As An Equation

`Bk * Ap = Bk * (Ak * F) = (Bk * Ak) * F = Ak * (Bk * F) = Ak * Bp`

Each host can calculate Bk * Ak without knowing the other host's private key. The security of this is based on it being difficult to calculate Ak even when given F and Ap.

## Benefits

Much more efficient by being able to use smaller numbers: 256-bit ECC numbers compared to 2048- or 3072-bit FFC numbers for a similar level of security.

## Authentication

The ABC-Protocol uses a very simple authentication scheme: a shared secret. Both hosts know a shared secret, and each host proves to the other that it knows the secret without transmitting it. We do this using a cryptographic hash.

## Hash

A hash is a function that takes an arbitrary-length input and produces a standard-length output.

- `h(a) -> b`
- `h(a|b|c) -> d`
- `|b| == |d|`

A cryptographic hash has two properties we are relying on.

- A cryptographic hash is one-way: given `h(a|b) = d`, `d` does not reveal `a|b`, `a` or `b`.
- A cryptographic hash is “difficult” to duplicate (it is hard to find two inputs with the same output): given `h(a) = d`, finding an `x` with `h(x) = d` is hard.

If either of these fails to be true then the security of the protocol will fail. Choose a hash wisely, and update it when needed.

## Symmetric Cryptography

- Uses 1 key
- 2-way function

## How to use a cipher

Some uses of a cipher are more correct than others. The easiest use of a cipher is Electronic Code Book (ECB):

- `E(Key, Data1) -> output1`
- `E(Key, Data2) -> output2`

If Data1 and Data2 match, then output1 and output2 match. If you use ECB for agents, an attacker can replay commands! This is the only mode we will talk about that the ABC-Protocol doesn't use.

## Cipher Block Chaining

Reuses output from the previous block's encryption.

## Counter Mode

CTR mode encrypts a nonce and a counter to create S, then XORs S against the message M (limited by the block size of the cipher).

## Advanced Modes

The ABC-Protocol uses an advanced mode called EAX. It originated in 2004, introduced as a patent-free and public domain option from U of California (Davis, Berkeley and San Diego). EAX integrates the MAC and the mode. What's a MAC?

## Message Authentication Code

A MAC proves (relatively) that each packet in a stream is from a host that authenticated. Each packet with a MAC is authenticated. Most MACs, such as HMAC, are hash schemes: by hashing the packet in some manner with a key and constants, they prove the packet was unchanged. They have nothing to do with the encryption of data; they are only authentication.

## OMAC (One-key MAC)

Uses the CBC cipher mode, discarding the output of each encryption except the last, which is the tag. All packets in a transmission use the same key.

## EAX

## Why EAX?

I thought it would be cool to implement.

- No decrypt function needed in the cipher, only in the mode.
- No encodings.
- Tightly coupled authentication and encryption.
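The counter mode described above, and the reason EAX needs only the cipher's forward direction, as an added Python example that is not part of the slides or the ABC-Protocol code. It assumes a constructed SHA-256-based stand-in for the block cipher (not AES) and uses HMAC in place of EAX's OMAC purely for illustration; the key, nonce and message in the test are constructed too.

```python
import hashlib, hmac

BLOCK, NONCE_LEN, TAG_LEN = 16, 8, 16

def block_encrypt(key, block):
    """Constructed forward-only stand-in for a block cipher's encrypt (not AES).
    CTR only ever calls this direction, so the cipher needs no decrypt function."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def ctr_keystream(key, nonce, length):
    """S = E(key, nonce || counter) for counter = 0, 1, ... until `length` bytes exist."""
    out, counter = b"", 0
    while len(out) < length:
        out += block_encrypt(key, nonce + counter.to_bytes(BLOCK - NONCE_LEN, "big"))
        counter += 1
    return out[:length]

def ctr_xor(key, nonce, data):
    """XOR S against the message; encrypt and decrypt are the same operation."""
    return bytes(a ^ b for a, b in zip(data, ctr_keystream(key, nonce, len(data))))

def seal(key, nonce, plaintext):
    """CTR, then a tag over nonce || ciphertext. HMAC stands in for EAX's OMAC here."""
    ct = ctr_xor(key, nonce, plaintext)
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]

def open_sealed(key, nonce, sealed):
    """Verify the tag first; only then run the mode (again, forward direction only)."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # authentication failed: nothing is decrypted
    return ctr_xor(key, nonce, ct)
```

Reusing a nonce with the same key would make two ciphertexts comparable, which is the ECB-style replay problem the slides warn about; the tag check is what makes a modified packet fail closed.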

## Imported Functions

Libraries by other people that I'd like to use.

- An elliptic curve library: probably curve25519 (Dan Bernstein). Public domain. Highly optimized (limited to x86).
- AES submissions for the ciphers: Serpent (the most secure of the AES submissions) and Rijndael (the AES winner, fastest of the AES candidates).
- Hash: any public domain SHA-2 implementation.
- PRNG: any public domain PRNG with sufficient entropy.

## The Protocol

## The Protocol cont. 1

A starts by sending a “Greet” packet, which contains its ECDH public key and a nonce. B responds with a GreetAck. A then computes the ECDH key and performs a hash of the ECDH key, the shared secret, and B's nonce. B will perform this computation to check A's. A can only reach the correct value if it knows the secret. The secret cannot be recovered from the hash, even if an attacker could solve the ECDH key.

## The Protocol cont. 2

Upon receiving A's authentication, B also computes the ECDH key. B then performs the same computation and compares it to A's value. If A sent the correct value, it has proven its identity to B. B hashes the ECDH key, the shared secret and A's nonce and sends this to A to authenticate itself to A. A receives B's authentication, performs the computation and validates that A knows the shared secret.

## The Protocol cont. 3

Both hosts have now authenticated. They both now build a symmetric key:

`Symmetric Key = EncryptWithTheCipher(sharedSecret, hash(nonce2, sharedSecret, ECDH computed key, nonce1))`

This provides forward secrecy.
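The ECDH equation from the “As An Equation” slide and the Greet / GreetAck / mutual-authentication exchange from the three protocol slides, as one added Python example that is not the ABC-Protocol's own code. It assumes a constructed toy curve y^2 = x^3 + 7 over GF(17) in place of curve25519, SHA-256 as the hash, and leaves out the final step of running the key material through the cipher; the private keys and shared secrets in the test are constructed values.

```python
import hashlib, os

# Constructed toy curve y^2 = x^3 + 7 over GF(17) with 18 points; F = (15, 13) lies on it.
# It stands in for the real curve (the slides plan curve25519); the arithmetic is the same.
P, A_COEF, F = 17, 0, (15, 13)

def ec_add(p1, p2):
    """Add two curve points; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:  # P + (-P), or doubling a point with y == 0
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt (a private key times a point)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result

def auth_value(ecdh_key, secret, peer_nonce):
    """hash(ECDH key | shared secret | peer's nonce): only a holder of the secret can produce it."""
    return hashlib.sha256(repr(ecdh_key).encode() + secret + peer_nonce).digest()

def handshake(ak, bk, secret_a, secret_b):
    """Greet / GreetAck / mutual auth; returns (A accepts B, B accepts A, A's key, B's key)."""
    na, nb = os.urandom(16), os.urandom(16)  # fresh nonces from each side
    ap, bp = ec_mul(ak, F), ec_mul(bk, F)     # Greet carries Ap and Na; GreetAck carries Bp and Nb
    ka, kb = ec_mul(ak, bp), ec_mul(bk, ap)   # Ak * (Bk * F) == Bk * (Ak * F)
    b_accepts_a = auth_value(ka, secret_a, nb) == auth_value(kb, secret_b, nb)
    a_accepts_b = auth_value(kb, secret_b, na) == auth_value(ka, secret_a, na)
    # Key material hash(nonce2, sharedSecret, ECDH key, nonce1); the slides then run it
    # through the cipher keyed with the shared secret, which is left out here.
    key_a = hashlib.sha256(nb + secret_a + repr(ka).encode() + na).digest()
    key_b = hashlib.sha256(nb + secret_b + repr(kb).encode() + na).digest()
    return a_accepts_b, b_accepts_a, key_a, key_b
```

A host holding the wrong shared secret computes the ECDH point correctly but still fails both authentication checks, which is the property the protocol slides rely on.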

## SPIN

The SPIN modeling tool is used in CIS 725. 2 models were done using the Spin tool:

- A base protocol model. Used to identify channel states. Used to identify problems with broadcast.
- A security model. Implemented an attacker node which sends valid packets into a session in progress. Used for identifying protocol defences (as opposed to cryptographic defences) and using the state to defend against these attacks.

## Proving Security

- NRL Protocol Analyzer: from the early 90's. Commonly used, lots of research papers. At the time, I couldn't find it.
- BRUTUS: from Carnegie Mellon in the late 90's. Several related research papers. The author told me in correspondence that “Brutus never made it past the prototype”.

Which led me to...

## Strand Space Methods

Originated from Mitre in 2000. Breaks a protocol down into a series of events which occur from one host. For example:

- Host A sends packet 1
- Host A receives packet 3
- Host A sends a value to a CA
- Host A receives the CA reply

This is a strand (a nonsensical one). Not particularly well documented; more of a research area than a tool. Spent extensive time working on CAPSL, a roundabout way into Strand Space analysis.

## CAPSL: Common Authentication Protocol Specification Language

A macro-based specification tool. Equipped with predefined concepts of:

- Encryption, hashing, public key, etc.
- Concepts of secrecy and authentication

Example CAPSL:

```
VARIABLES
  A, B: PKUser;
  Apub, Bpub: Skey, FRESH, CRYPTO;
  Na, Nb: Nonce, FRESH, CRYPTO;
MESSAGES
  A -> B: {Na,Apub};
  B -> A: {Nb,Bpub};
  Apost = kas(kap(Bpub),Apub);
  tempFieldA = buildAuth(Nb,Apost,SharedSecret);
  hashFieldA = sha(tempFieldA);
```

## CIL

CAPSL is converted into CIL, the CAPSL Intermediate Language, using a translator (cil.java). CIL is a generic language (and it's hideous). The idea is that CIL is easily converted into other model-checking languages such as Prolog and Maude. The CAPSL/CIL model is then checked in those model checkers with extra environment files. I would say this is poorly documented.

## CIL is then converted...

CIL is converted into Prolog. What's left is supposed to be the protocol's strands. Doesn't work well. For example, in CAPSL goals are defined; they are in the CIL, but are stripped out of the strand. The strands are defined, but need more work to run. Define “bundles” to run the strands.

## Checking the Protocol in Prolog

Load in an environment named csolve, which contains a strand for an attacker (e). Run the strands, specifying the search. The output is a stack trace. Frankly, this doesn't work very well. The solver returns a yes or no, answering the question of whether the condition specified in the search was reached. I think it always returns yes.

## Jeeeez, are we ever going to talk about program architecture?

Yes. After an initial UML diagram in Visio, a move to USE was made. USE was used to design the entire architecture. Simplified instantiations of sending and receiving secure connections were made.

## Two designs follow...

The first design was projected, or forecasted. The second design was based on the experience in coding the proof-of-concept architecture code. Basically, reductions in complexity were found. The functions are more precise.

## UML

## What do the classes do?

- Class: ABCP. Purpose: The ABCP class is the primary interface for the end developer.
- Class: Protocol Driver. Purpose: Used to interface between the network sockets and the protocol. It also tracks protocol state.
- Class: SubDriver. Purpose: A driver class for the protocol layers. This is the staging ground for outgoing packets to be built in, or incoming packets to be processed in, one layer of the protocol.

## Classes cont.

- Class: NetworkWrapper. Purpose: Manages network sockets and network functions.
- Class: Session Encryption. Purpose: Manages the session layer of the protocol.
- Class: ECDHWrapper. Purpose: Manages the elliptic curve functions (probably an imported library).
- Class: Nonce. Purpose: Constructs nonces.
- Class: PRNGWrapper. Purpose: Manages the pseudo-random number generator (probably an imported library).

## Classes cont.

- Class: DataEncryption. Purpose: Manages the data encryption layer of the protocol. Runs the mode and OMAC functions.
- Class: Cipher. Purpose: Used to abstract the third-party libraries used as ciphers. Runs the cipher's encrypt function.
- Class: Auth. Purpose: Manages the authentication process and protocol layer. Will also manage a list of hosts and their keys. Used to create keys.
- Class: HashWrapper. Purpose: Used to abstract a single interface over any third-party hash libraries used.

## Formal Inspections

I took a different direction than others... I asked two senior developers and two senior security professionals to look at my project so far and give me their honest criticisms. (Two that filled out the form have their forms linked on the site.) The biggest item, testing, came from one of the developers. It's not on the checklist and only came about from talking to the inspectors about the project.

## Testing

- Automated unit testing of key functions.
- Tests of the use cases listed in 3.1 of the Vision document: transfer data, transfer burst, transfer commands, broadcast.
- And just for fun, pit the ABC-Protocol against the SSH protocol (OpenSSH) to compare data transfer rates.

## Architecture Proof of Concept

Only a Windows prototype this time, which is difficult to demo as I only have one Windows box. We'll demo it by using netcat to interface with it. Or we can run it against itself (but then we can't see any network traffic!).
