Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI."— Presentation transcript:

1 Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI

2 Last Lecture Part 1: –Simple notion for protocols –Modelling “rules” –Needham-Schroeder and Kerberos protocols Part 2: –A high level overview the to cryptography –Symmetric key Encryption, public key encryptions and signing –Abstract equation for modelling encryption

3 The Needham-Schroeder Protocol An (in) famous authentication protocol 1. A  B : E B ( N a, A ) 2. B  A : E A ( N a, N b ) 3. A  B : E B ( N b ) N a and N b can then be used to generate a symmetric key

4 An Attack Against the Needham-Schroeder Protocol The attack acts as a man in the middle: 1. A  C : E C ( N a, A ) 1`. C(A)  B : E A ( N a, A ) 2`. B  C(A) : E A ( N a, N b ) 2. C  A : E A ( N a, N b ) 3. A  C : E C ( N b ) 3`. C(A)  B : E B ( N b )

5 The Corrected Version A very simple fix: 1. A  B : E B ( N a, A ) 2. B  A : E A ( N a, N b ) 3. A  B : E B ( N b )

6 The Corrected Version A very simple fix: 1. A  B : E B ( N a, A ) 2. B  A : E A ( N a, N b, B) 3. A  B : E B ( N b )

7 Today: First Lecture: Goals for security protocol –To know if a protocol is secure you must know what is aims to achieve. –Example: Diffie-Hellman & STS Protocol. Second Part: Attacks and Principles –Common types of attacks on protocols –Good design principles for protocol.

8 Is This An Attack? The Needham-Schroeder key establishment protocol is the bases for Kerberos A and B use the trusted 3rd party S to establish a key K ab : 1.A  S : A, B, N a 2.S  A : { N a, B, K ab, {K ab, A } Kbs } Kas 3.A  B : { K ab, A } Kbs 4.B  A : { N b } Kab 5.A  B : { N b + 1 } Kab

9 Is This An Attack? A forces B to use an old key: -999. A  S : A, B, N a -998. S  A : { N a, B, K ab, {oldK ab, A } Kbs } Kas..... 3. A  B : { oldK ab, A } Kbs 4. B  A : { N b } oldKab 5. A  B : { N b + 1 } oldKab

10 What is a Protocol Trying to Achieve? We MUST be clear about what we are trying to do with a protocol: Security –If we can securely establish a fresh key then secure transfer of data is easy. Key establishment –Yes, but we saw the problem in the last example Authentication –Again we have to be exact.

11 Some Key Establishment Goals Key Freshness: the key established is new –either from some trusted 3rd party –or because it uses a new nonce. Key Exclusivity: the key is only known to the principals in the protocol. Good Key: the key is both fresh and exclusive

12 A Hierarchy of Goals Fresh KeyKey Exclusivity Good Key

13 A Good Key is Not Enough A “Good Key” provides a secure communication channel....... but we have no idea who is on the other end of the channel. We need authentication as well.

14 Authentication Goals The most simple: Far-end Operative: A knows that “B” is currently active: –For instance B might have signed a nonce generated by A e.g. 1.A  B : N a 2.B  A : Sign B ( N a )

15 Authentication Goals and Once Authentication: A knows that B wishes to communicate with A –For instance, B might have the name A in a message e.g. 1.B  A : Sign B ( A )

16 Entity Authentication Both of these together give: Entity Authentication: A knows that B is currently active and wants to communicate with A. e.g. 1.A  B : N a 2.B  A : Sign B ( A, N a )

17 A Hierarchy of Goals Fresh KeyKey Exclusivity Far-end Operative Once Authenticated Good Key Entity Authentication

18 Key Confirmation A common goal is: Key Confirmation of A to B is provided if –B can be sure that “K” is a good key to communicate with A –and that A knows “K”.

19 A Hierarchy of Goals Fresh KeyKey Exclusivity Far-end Operative Once Authenticated Good Key Entity Authentication Key Confirmation

20 The Highest Goal Mutual Belief in Key: is provided for B only if –“K” is a good key with A –A believes that “K” is a good key for “B” –and A wishes to communicate with B using “K”

21 A Hierarchy of Goals Fresh KeyKey Exclusivity Far-end Operative Once Authenticated Good Key Entity Authentication Key Confirmation Mutual Belief in Key

22 Example: Diffie-Hellman The Diffie-Hellman is a widely used key agreement protocol. It relies on some number theory: –a mod b = n where  m s.t. a = m.b + n The protocol uses two public parameters –generator “g” (often 160 bits long) –prime “p” (often 1024 bits long)

23 Diffie-Hellman A and B pick random numbers r A and r B and calculate “t A = g r A mod p” and “t B = g r B mod p” The protocol just exchanges these numbers: 1.A  B : t A 2.B  A : t B A calculates “t B r A mod p” and B “t A r B mod p” this is the key: –K = g r A r B mod p

24 Diffie-Hellman A and B pick random numbers r A and r B and calculate “t A = g r A mod p” and “t B = g r B mod p” The protocol just exchanges these numbers: 1.A  B : p, g, t A 2.B  A : t B A calculates “t A r A mod p” and B “t A r B mod p” this is the key: –K = g r A r B mod p

25 Diffie-Hellman An observer cannot work out r A and r B from t A and t B therefore the attacker cannot calculate the key The values of “g” and “p” must be big enough to make it intractable to try all possible combinations. So we have a “Good Key” but know nothing about the participants. We did not need to share any keys at the start, therefore this is a very powerful protocol.

26 Station-to-Station Protocol The Station-to-Station (STS) protocol adds authentication: 1.A  B : t A 2.B  A : t B, { Sign B (t A, t B ) } Kab 3.A  B : { Sign A (t A, t B ) } Kab

27 Station-to-Station Protocol 1.A  B : A, B, t A 2.B  A : B, A, t B, { Sign B (t A, t B ) } Kab 3.A  B : A, B, { Sign A (t A, t B ) } Kab Good Key: as before Key Key Confirmation: A knows that B knows the K ab.

28 Attack on Mutual Belief 1.A  E(B) : A, B, t A 1’. E  B : E, B, t A 2’. B  E : B,E,t B,{Sign B (t A,t B )} Kab 2. E(B)  A : B,A,t B,{Sign B (t A,t B )} Kab 3. A  E(B) : A, B, { Sign A (t A, t B ) } Kab

29 What does STS provide? Attacker E does NOT learn the key. B does not accept the key. But A does accept the key. This can be fixed by changing line 2 to: 2. B  A : t B, { A, Sign B (t A, t B ) } Kab This is not done because this attack does not pose a real risk. In this case Key Confirmation is enough.

30 Very Important Homework: Whenever you do something secure over the Internet (i.e., logon remotely, check your bank balance, pay a bill), think about the protocol used. Is the communication secure? Have you established a key? Is it fresh? Think about who has been authenticated: Have you been authenticated? Has the computer you’re talking to?

31 Today: First Lecture: Goals for security protocol –To know if a protocol is secure you must know what is aims to achieve. –Example: Diffie-Hellman & STS Protocol. Second Part: Attacks and Principles –Common types of attacks on protocols –Good design principles for protocol.

Download ppt "Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI."

Similar presentations

The Diffie-Hellman Algorithm

The Diffie-Hellman Algorithm
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.

Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Modelling and Analysing of Security Protocol: Lecture 14 Some Real Life Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 14 Some Real Life Protocols Tom Chothia CWI.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Homework #4 Solutions Brian A. LaMacchia Portions © 2002-2006, Brian A. LaMacchia. This material is provided without.

Homework #4 Solutions Brian A. LaMacchia Portions © , Brian A. LaMacchia. This material is provided without.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 Chapter 30 Message Security, User Authentication, and Key Management.

McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 Chapter 30 Message Security, User Authentication, and Key Management.

Similar presentations

Ads by Google