Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security protocols and their verification Mark Ryan University of Birmingham Midlands Graduate School University of Birmingham 11-15 April 2005 Steve Kremer.

Published byGertrude Carson Modified over 8 years ago

Similar presentations

Presentation on theme: "Security protocols and their verification Mark Ryan University of Birmingham Midlands Graduate School University of Birmingham 11-15 April 2005 Steve Kremer."— Presentation transcript:

1 Security protocols and their verification Mark Ryan University of Birmingham Midlands Graduate School University of Birmingham 11-15 April 2005 Steve Kremer INRIA, Cachan

2 Contents 1. Security protocols (this lecture) 2. Applied pi calculus and a tool called proverif 3. Fair exchange protocols 4. An electronic voting protocol and its analysis

3 Alice and Bob ● Alice and Bob want to communicate with each other over an in secure medium, e.g., the internet. ● But first, they need to – Authenticate each other: they want to be sure they are talking to each other, not to an imposter – Agree a secret key: they want to encrypt their conversation, for privacy and integrity. ● Alice and Bob might be humans, but they might also be: a web browser and a web server; a mobile phone and the network operator; etc.

4 Security protocols ● Alice and Bob will engage in an exchange of messages (= a protocol) which will result in each of them – Having authenticated each other – Having established a shared secret key which they can use to encrypt their subsequent conversation (a session key). ● The protocol may involve a trusted third party (TTP).

5 Security protocols A security protocol (or cryptographic protocol) is a protocol that performs a security-related function and applies cryptographic methods. Most cryptographic protocols incorporate at least some of these aspects: ● Use of cryptographic functions ● Entity authentication ● Construction of shared secret(s), useful for establishing a secret key ● Secured application-level data transport ● Non-repudiation guarantees

6 Authentication ● Authentication between humans – How can your bank know that an instruction to pay money to X from your account is actually coming from you? ● Authentication between devices – How can the mobile phone network know that instructions apparently coming from your phone are actually from your phone? ● Authentication between programs – How can your browser establish that the server at the other end is really “hsbc.co.uk” and not a look- alike web site designed to defraud you? C

7 Protocols ● A protocol is an agreed way, or convention, for two or more parties to achieve a goal. It fixes the number and format of the messages between the parties. These rules are known to all of the participants. ● Example: Wide Mouth Frog – It assumes that A and B have access to a trusted third party S, and that they each share a symmetric encryption key with S: ● The key between A and S: ● The key between B and S:

8 Wide Mouth Frog A S B

9 Wide Moth Frog - remarks ● Good things – Thanks to the encryption, an evesdropper cannot get access to the secret key K AB invented by Alice. – Thanks to the timestamps, the server and Bob can detect if messages they are receiving are old. ● Bad things – The protocol relies on timestamps to ensure freshness of messages. This assumes a global clock. – K AB is completely determined by A. This assumes A is competent, e.g. to generate random numbers. – In spite of this, S gets to know the value of K AB.

10 Otway-Rees A S B Checks message

11 Otway-Rees -- remarks ● M is a session identifier. ● Good things – S generates the session key, instead of one of the participants A,B – S still has to deal only with one of the participants ● Bad things – S has quite a lot of work to do: decrypting twice, checking the message format, inventing key, encrypting twice. This makes it vulnerable to Denial of Service attacks. – An intruder could interfere with the protocol so that A and B get different keys!

12 Attack resulting in different keys A S B I X

13 Assumptions and rules of protocol design ● The “Dolev-Yao model”: the attacker – Can read messages – Can block messages – Can generate fake messages – Can read/generate encrypted messages if s/he has the key – Knows the protocol being used. (This may not be obvious if A and B are humans, but it is obvious if A is a web server and B a browser.) ● The attacker cannot read/generate encrypted messages if s/he doesn't have the key. (Thus, we assume the crypto is unbreakable.)

14 Assumptions and rules contd. ● When we use a trusted third party (TTP), we should avoid overloading it: – It should not have to remember state (e.g., remember nonces, keep lists of used keys, etc.) – Preferably, it should deal with only one of the participants ● Otherwise, we make it vulnerable to denial of service attacks.

15 Celebrated case ● The third protocol introduced in this lecture is the Needham-Schroeder public key authentication protocol, introduced in 1978. – The protocol consists of three parts. ● In two of the parts, A and B are each obtaining the other one's public key from a server S. ● In the other part, they echange nonces which are intended to be used to set up a secret session key. ● A serious flaw in the protocol's third part was found by Gavin Lowe in 1995.

16 Needham-Schroeder PK A B S

17 Needham-Schroeder PK, in essence A B

18 Needham-Schroeder PK attack A B I

19 NS PK attack ● The attack: – A has engaged in a session with I, & is aware of that. – I has engaged in a session with B, but B thinks he is talking to A. B is duped. – Example: A=you, I=dodgy retailer, B=your bank ● The solution is very simple: – Replace the message with

20 Conclusions ● Security protocols are short, but very hard to get right. – This makes them ideal for formal analysis – One has to be clear about what the goals of a security protocol are. – And about the “attacker model” ● Next lectures: – Applied pi calculus and Proverif – Fair exchange protocols – An electronic voting protocol

Download ppt "Security protocols and their verification Mark Ryan University of Birmingham Midlands Graduate School University of Birmingham 11-15 April 2005 Steve Kremer."

Similar presentations

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Lecture 10: Mediated Authentication

Lecture 10: Mediated Authentication
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
1 Security in Wireless Protocols Bluetooth, 802.11, ZigBee.

1 Security in Wireless Protocols Bluetooth, , ZigBee.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Cryptography and Network Security

Cryptography and Network Security
CS470, A.SelcukNeedham-Schroeder1 Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukNeedham-Schroeder1 Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor:
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
Computer Security Key Management

Computer Security Key Management
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Similar presentations

Ads by Google