introduction to security protocols · 2019-11-28 · security protocols - p. 28/40 authentication...
Post on 24-Jun-2020
27 Views
Preview:
TRANSCRIPT
Security Protocols - p. 1/40
Introduction to Security Protocols
Ton van Deursen
Security Protocols - p. 2/40
Goals
This lecture will teach you the . . .
■ Basics of security protocol analysis■ Classic examples
(secrecy protocols, Needham-Schroeder protocol)■ Standard terminology
(Dolev-Yao adversary, perfect cryptography)■ Currently active research areas
Security Protocols - p. 3/40
Protocols
A protocol is a series of steps carried out by two or more entities.
Ex: HTTP, TCP, SMTP
Security Protocols - p. 3/40
Protocols
A protocol is a series of steps carried out by two or more entities.
Ex: HTTP, TCP, SMTP
A security protocol is a protocol that runs in an untrustedenvironment and tries to achieve a security goal.
Academic examples Industrial examples
Needham-Schroeder-Lowe KerberosDiffie Hellman key exchange SSL/TLSPAKE IPSec
Security Protocols - p. 4/40
Protocols
Communication protocols usually assume:
■ Trusted channels: No hostile agents have access to thecommunication medium to interfere with the protocol.
■ Honest participants: All agents participate in the protocolcooperate to achieve the protocol goal.
Security Protocols - p. 5/40
Security protocols
Security protocols usually assume:
■ Untrusted channels: Hostile agents that do not participate in theprotocol have access to the communication medium.
■ Dishonest participants: Hostile agents that claim to be honest,but try to prevent the security goals from being achieved.
Security Protocols - p. 6/40
Security Protocols
Security protocols are about Alice and Bob.
Security Protocols - p. 6/40
Security Protocols
Security protocols are about Alice and Bob.
Hi, I’m Alice
Prove it!
Here’s the proof!
Security Protocols - p. 7/40
Security Protocols
Their enemy is called Eve.
Security Protocols - p. 7/40
Security Protocols
Their enemy is called Eve.
Hi, I’m Alice
Prove it!
Here’s the proof!
Security Protocols - p. 8/40
Security Protocols
Alice & Bob notation Message sequence charts
A → B: A
B → A: {NB}pk(A)
A → B: {NB}pk(B)
A BA
nonce NB{NB}pk(A)
{NB}pk(B)
Security Protocols - p. 9/40
Protocol verification
Computational verification model (simulation based)
■ Manual proofs of security properties in an ad-hoc proof model.■ Proof models are often game based.■ Proofs are done by reduction to known hard problems (e.g.
discrete log, factorization).
Symbolic verification model (formal-methods based)
■ Find attacks by exhibiting all possible behavior (traces) of aprotocol.
■ Can be combined with other techniques for correctness proofs.
Security Protocols - p. 10/40
Protocol verification
Computational verification model (simulation based)
■ Manual proofs of security properties in an ad-hoc proof model.■ Proof models are often game based.■ Proofs are done by reduction to known hard problems (e.g.
discrete log, factorization).
Symbolic verification model (formal-methods based)
■ Find attacks by exhibiting all possible behavior (traces) of aprotocol.
■ Can be combined with other techniques for correctness proofs.
Security Protocols - p. 11/40
Symbolic verification
Symbolic verification . . .
■ abstracts away from cryptographic details: cryptography isperfect.
■ does not consider implementation flaws or side-channel attacks.
Security Protocols - p. 11/40
Symbolic verification
Symbolic verification . . .
■ abstracts away from cryptographic details: cryptography isperfect.
■ does not consider implementation flaws or side-channel attacks.
Needham-Schroeder protocol:
■ Designed in 1978.■ Proven correct/secure in 1989.■ Flaw found in 1996.
Security Protocols - p. 12/40
Protocol specification
An agent is an entity capable of action, such as a computer or aprocess.
A role is a specification of the behavior of an agent.
A protocol is a collection of zero or more roles.
Security Protocols - p. 13/40
Messages
Messages are constructed by a term algebra:
A ⊂ Term Atomic messagesx, y ∈ Term ⇒ (x, y) ∈ Term Pairingx ∈ Term ⇒ h(x) ∈ Term Hashingx, y ∈ Term ⇒ {x}y ∈ Term Encryptionx ∈ Term ⇒ x−1 ∈ Term Inverse
Security Protocols - p. 14/40
Adversary
Adversary’s powers consist of:
■ his ability to manipulate messages■ his ability to control the communication between agents
Security Protocols - p. 15/40
Inference
K ⊢ m: “the message m can be derived from the knowledge setK”.
t ∈ K ⇒ K ⊢ t
K ⊢ t1 ∧ K ⊢ t2 ⇒ K ⊢ (t1, t2)
K ⊢ (t1, t2) ⇒ K ⊢ t1 ∧ K ⊢ t2
K ⊢ t1 ∧ K ⊢ t2 ⇒ K ⊢ {t1}t2
K ⊢ {t1}t2 ∧ K ⊢ t−12 ⇒ K ⊢ t1
K ⊢ t ⇒ K ⊢ h(t)
These rules satisfy the perfect cryptography assumption.
Security Protocols - p. 16/40
Dolev-Yao intruder
A Dolev-Yao intruder can . . .
■ construct messages using the inference rules■ eavesdrop on messages■ delay or block messages■ forge and inject messages■ employ malicious agents in the system
Security Protocols - p. 16/40
Dolev-Yao intruder
A Dolev-Yao intruder can . . .
■ construct messages using the inference rules■ eavesdrop on messages■ delay or block messages■ forge and inject messages■ employ malicious agents in the system
In essence, a Dolev-Yao intruder can do everything exceptbreaking cryptography.
Security Protocols - p. 17/40
Secrecy protocols (1)
Definition (Secrecy). A term t is secret for an agent A in role R if and only ifwhenever A executes R and believes to be communicating with honest agents,t will not be inferable from the adversary’s knowledge.
Security Protocols - p. 17/40
Secrecy protocols (1)
Definition (Secrecy). A term t is secret for an agent A in role R if and only ifwhenever A executes R and believes to be communicating with honest agents,t will not be inferable from the adversary’s knowledge.
■ Secrecy is a local property.■ Secrecy can only be considered in case all alleged
communication partners are honest.
Security Protocols - p. 18/40
Secrecy protocols (2)
pk(B)
A
sk(B), pk(B)
B
nonce n
A, {n}pk(B)
secret n secret n
Security Protocols - p. 19/40
Secrecy protocols (3)
pk(B), sk(B)
A
sk(B), pk(A)
B
nonce n
A, {n}pk(B), B
B, {n}pk(A), A
secret n
Security Protocols - p. 20/40
Secrecy protocols (4)
pk(b), sk(a)
a
sk(b), pk(a), pk(e)
b
pk(b), sk(e)
e
nonce n
a, {n}pk(b), b
b, {n}pk(a), a
e, {n}pk(b), b
b, {n}pk(e), e
secret n
Security Protocols - p. 21/40
Secrecy protocols (5)
Exercise: find an attack on the secrecy claim in the followingprotocol:
k
A
k
B
nonce n
nonce m{m}k, {n}k
n
secret m
Security Protocols - p. 22/40
Secrecy protocols (6)
Exercise: find an attack on the secrecy claim in the followingprotocol:
A B
nonce na nonce nb
nonce m
na ⊕ m
nb ⊕ na ⊕ m
nb ⊕ m
secret m
Security Protocols - p. 23/40
Authentication protocols (1)
An authentication protocol provides assurance of the identity ofthe communicating party in a protocol.
Security Protocols - p. 23/40
Authentication protocols (1)
An authentication protocol provides assurance of the identity ofthe communicating party in a protocol.
k
A
k
Bk
Security Protocols - p. 24/40
Authentication protocols (2)
An authentication protocol provides assurance of the identity ofthe communicating party in a protocol.
k
A
k
B{A}k
Security Protocols - p. 24/40
Authentication protocols (2)
An authentication protocol provides assurance of the identity ofthe communicating party in a protocol.
k
A
k
B{A}k
Definition. (aliveness) A protocol guarantees to an agent a in role A alivenessof an agent b in role B if, whenever a completes a run of role A, believing to becommunicating with b, then b has previously been running the protocol.
Security Protocols - p. 25/40
Authentication protocols (3)
Protocols satisfying aliveness guarantee that the communicatingparty has sent a message in the past.
Security Protocols - p. 25/40
Authentication protocols (3)
Protocols satisfying aliveness guarantee that the communicatingparty has sent a message in the past.
pk(B)
A
sk(B)
B
nonce n
n
{n}sk(B)
r-alive B
Security Protocols - p. 25/40
Authentication protocols (3)
Protocols satisfying aliveness guarantee that the communicatingparty has sent a message in the past.
pk(B)
A
sk(B)
B
nonce n
n
{n}sk(B)
r-alive B
Definition. (recent aliveness) A protocol guarantees to an agent a in role A
recent aliveness of an agent b if, whenever a completes a run of role A, believingto be communicating with b, then b has been running the protocol during a’s run.
Security Protocols - p. 26/40
Authentication protocols (3)
Protocols satisfying recent aliveness guarantee that thecommunicating party has recently sent “a message”.
Security Protocols - p. 26/40
Authentication protocols (3)
Protocols satisfying recent aliveness guarantee that thecommunicating party has recently sent “a message”.
pk(Bob)A→Alice[Bob]
Alice
Eve(Dave)
Eve
sk(Bob)B→Bob[Dave]
Bob
nonce nn
n
{n}sk(Bob)
{n}sk(Bob)
r-alive Bob
Security Protocols - p. 27/40
Authentication protocols (3)
Definition. (weak agreement) A protocol guarantees to an agent a in role A
weak agreement of an agent b if, whenever a completes a run of role A,believing to be communicating with b, then■ b has been running the protocol believing to be communicating with a.
Security Protocols - p. 27/40
Authentication protocols (3)
Definition. (weak agreement) A protocol guarantees to an agent a in role A
weak agreement of an agent b if, whenever a completes a run of role A,believing to be communicating with b, then■ b has been running the protocol believing to be communicating with a.
sk(A), pk(A), pk(B)
A
sk(B), pk(B), pk(A)
B
nonce na
{A, na}pk(B)
{na}pk(A)
w-agree B
Security Protocols - p. 28/40
Authentication protocols (3)
Definition. (non-injective agreement) A protocol guarantees to an agent a inrole A non-injective agreement of an agent b if, whenever a completes a run ofrole A, believing to be communicating with b, then■ b has been running the protocol believing to be communicating with a and
■ a and b agree on the contents of all the messages exchanged
Security Protocols - p. 28/40
Authentication protocols (3)
Definition. (non-injective agreement) A protocol guarantees to an agent a inrole A non-injective agreement of an agent b if, whenever a completes a run ofrole A, believing to be communicating with b, then■ b has been running the protocol believing to be communicating with a and
■ a and b agree on the contents of all the messages exchanged
Definition. (agreement) A protocol guarantees to an agent a in role A
agreement of an agent b if, whenever a completes a run of role A, believing tobe communicating with b, then■ b has been running the protocol believing to be communicating with a,
■ a and b agree on the contents of all the messages exchanged, and
■ each run of A corresponds to a unique run of B.
Security Protocols - p. 29/40
Famous example: Needham-Schroeder
sk(A), pk(A), pk(B)
A
sk(B), pk(B), pk(A)
B
nonce na
{A, na}pk(B)
nonce nb
{na, nb}pk(A)
{na}pk(B)
agree B agree A
Security Protocols - p. 30/40
Famous example: Needham-Schroeder
sk(Alice),pk(Eve)A→Alice[Eve]
Alice
sk(Eve),pk(Bob),pk(Alice)B→Eve,A→Eve(Alice)
Eve
sk(Bob),pk(Alice)B→Bob[Alice]
Bob
nonce na
{Alice, na}pk(Eve)
{Alice, na}pk(Bob)
nonce nb
{na, nb}pk(Alice)
{na, nb}pk(Alice)
{nb}pk(Eve)
{nb}pk(Bob)
agree A
Security Protocols - p. 31/40
Famous example: Needham-Schroeder-Lowe
sk(A), pk(A), pk(B)
A
sk(B), pk(B), pk(A)
B
nonce na
{A, na}pk(B)
nonce nb
{na, nb, B}pk(A)
{nb}pk(A)
agree B agree A
Security Protocols - p. 32/40
Symbolic verification methods
Roughly three categories:
■ Based on epistemic logic, e.g. BAN logic.■ Based on theorem proving, e.g. Paulson’s inductive approach.■ Based on model checking, e.g. Scyther, Avispa, ProVerif.
Security Protocols - p. 33/40
Automatic verification
Model checking based approaches build traces to represent allpossible behavior of the system.
Security properties are verified on these traces.
Security Protocols - p. 34/40
Automatic verification
State:■ Active runs: P(Agent × Events)
■ Send buffer: P(Term)
■ Read buffer: P(Term)
■ Intruder knowledge: P(Term)
Security Protocols - p. 34/40
Automatic verification
State:■ Active runs: P(Agent × Events)
■ Send buffer: P(Term)
■ Read buffer: P(Term)
■ Intruder knowledge: P(Term)
Agent rules:■ Create: creates a new active run■ Send: advances a run by adding a message to the send buffer■ Read: advances a run by reading a message from the read
buffer
Security Protocols - p. 34/40
Automatic verification
State:■ Active runs: P(Agent × Events)
■ Send buffer: P(Term)
■ Read buffer: P(Term)
■ Intruder knowledge: P(Term)
Agent rules:■ Create: creates a new active run■ Send: advances a run by adding a message to the send buffer■ Read: advances a run by reading a message from the read
buffer
[send]a = (Ag, send(M) · Ev) ∈ A
〈A, S,R, I〉send(Ag,M)−−−−−−−→ 〈A\{a} ∪ {(Ag,Ev)}, S ∪ {M}, R, I〉
Security Protocols - p. 35/40
Automatic verification
State:■ Active runs: P(Agent × Events)
■ Send buffer: P(Term)
■ Read buffer: P(Term)
■ Intruder knowledge: P(Term)
Intruder rules:■ Transmit: Moves a message from the S to R.■ Eavesdrop: Moves a message from S to R and adds it to I
■ Block: Removes a message from R.■ Inject: Adds a message derivable from I to R.
[inject]I ⊢ M
〈A, S,R, I〉inject(M)−−−−−→ 〈A, S,R ∪ {M}, I〉
Security Protocols - p. 36/40
Automatic verification
Many sources of infiniteness:
■ Infinite number of agents■ Infinite number of sessions■ Infinite number of freshly generated messages■ Infinite number of constructable messages
Security Protocols - p. 36/40
Automatic verification
Many sources of infiniteness:
■ Infinite number of agents■ Infinite number of sessions■ Infinite number of freshly generated messages■ Infinite number of constructable messages
State-space reductions:
■ For secrecy protocols nonces do not have to be fresh■ For secrecy protocols 2 agents are enough, for authentication 3
agents■ For authentication protocols traces can be combined into trace
classes.
Security Protocols - p. 37/40
Active research areas (1)
Current research in security protocols focuses on:
■ protocol compositions,
Security Protocols - p. 38/40
Active research areas (2)
Current research in security protocols focuses on:
■ analysis of other types of properties- Voting: Coercion resistance/receipt freeness, individual
verifiability.- Fair exchange/contract signing: Fairness, abuse freeness.- Anonymity: Sender anonymity, receiver anonymity,
unlinkability.- PAKE: Absence of guessing attacks- RFID: Untraceability
Security Protocols - p. 39/40
Active research areas (3)
Current research in security protocols focuses on:
■ analysis of protocols with algebraic properties (XOR, DHexponentiation),
k
A
k
B
nonce nana
nonce nb
nb, h(na ⊕ nb ⊕ k)
r-alive(B)
Security Protocols - p. 40/40
Active research areas (4)
Current research in security protocols focuses on:
■ bridging the gap between the computational and the symbolicprotocol worlds.
S, pk(B)
A
S, pk(A)
B
nonce r{r, S}pk(A)
OK
untrac
Let yP = pk(A). The encryption {r, S}pk(A) could be implementedby the ElGamal encryption (rP, I + ryP ).
top related