challenges for information security theory
TRANSCRIPT
Challenges for information security theory
R. Ramanujam
The Institute of Mathematical Sciences, Chennai, India
Your email account
◮ Do you have an account on some public email facility ?
◮ How do you login to such an account ?
◮ You give user name and password. Why ?
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Sending secrets
◮ How does A send a secret x to B on a public channel ?
◮ A locks x in a box, sends the box across to B .
◮ Assume that locks are unbreakable, and that for everylock, there exists a unique key that opens it.
◮ The secret reaches B securely.
◮ But the key is with A; by assumption, B cannot open it.
◮ Should A send the key in another locked box !?
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
One-way functions
◮ Given x , finding f (x) is easy to compute.
◮ Given y , finding f −1(y) is hard.
◮ Easy / hard in what sense ?
◮ The idea of trapdoor: helps to find the inverse.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Secrets without cryptography
◮ Seven cards numbered 1 to 7 are distributed among threepeople, say A, B, C.
◮ A gets three cards, B gets three and C gets the last.
◮ They have to talk in public, tell the truth, exchange anymessages.
◮ At the end, A should know all of B’s cards and vice versa,but for each of the six cards, C should be uncertainwhether A has it or B.
◮ Is such a protocol possible at all ?
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Zero knowledge proofs
◮ Children A and B are looking at a ”Spot Arjun” puzzle.
◮ A has seen it, would like to convince that she has, butwithout revealing to B the location of Arjun.
◮ Is this possible ?
◮ These are called zero knowledge proofs.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Key establishment
◮ A and B wish to generate a session key to be usedsubsequently. The need a protocol to establish a new keyKAB .
◮ Assume that a reliable, trustworthy key server S exists.
◮ At the end of the protocol, KAB should be known to bothA and B but to nobody else, except perhaps S .
◮ Both A and B should know that KAB is newly generated.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
First attempt
◮ Here is a protocol:1. A → S : A, B
2. S → A : KAB
3. A → B : KAB , A
◮ Remarks about notation:
◮ No internal actions are specified.◮ Only the communications in successful runs are specified.◮ It is assumed that A and B understand that these are
protocol messages.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Insecurity in it
◮ Confidentiality is compromised.
◮ Security Assumption: The adversary can eavesdrop on allmessages sent on public channels.
◮ Pragmatic assumption: Assume that the server has aninitial shared key with every principal in the system.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Second attempt
◮ 1. A → S : A, B
2. S → A : {KAB}KAS, {KAB}KBS
3. A → B : {KAB}KBS, A
◮ The notation {x}k denotes a message x encrypted withkey k .
◮ It does not matter which encryption algorithm is used.
◮ We make the perfect encryption assumption.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
An attack
◮ Security Assumption: The adversary can also capturemessages, alter them at will, reroute them (but cannotbreak encryption).
◮ Here is the attack:1. A → S : A, B
2. S → A : {KAB}KAS, {KAB}KBS
3. A → B(I ) : {KAB}KBS, A
3’. (I )C → B : {KAB}KBS, C
◮ Now B believes that he is sharing a key with C, whereashe is actually sharing it with A.
◮ Some secrets meant only for A can be leaked to C.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Another attack
◮ In the attack we saw, I does not get hold of KAB . Here isone where he does.
◮ 1. A → S(I ) : A, B
1’. I → S : A, I
2. S → I : {KAI}KAS, {KAI}KIS
2’. (I )S → A : {KAI}KAS, {KAI}KIS
3. A → B(I ) : {KAI}KIS, A
◮ A believes that the protocol is completed with B, andhence I can masquerade as B.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Insiders
◮ In the attack we saw, I could have been a legitimate userknown to S.
◮ Security Assumption: The adversary may be a legitimateparticipant in the protocol (insider), or an external party,or a combination of both.
◮ In fact, security threats from insiders are more of aproblem than from outsiders, in many systems.
◮ Typically referred to as the “person in the middle” attack.
◮ Solution ?
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Another attempt
◮ Bind keys to agent names.
◮ 1. A → S : A, B
2. S → A : {KAB , B}KAS, {KAB , A}KBS
3. A → B : {KAB , A}KBS
◮ It can be checked that neither of the attacks consideredearlier are possible any longer.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Replay
◮ The generated key is supposed to be new !
◮ Security Assumption: The adversary may be able toobtain the value of the session key K ′
ABused in any
sufficiently old earlier run of the protocol.
◮ A replay attack:1. A → S(I ) : A, B
2. (I )S → A : {K ′
AB, B}KAS
, {K ′
AB, A}KBS
3. A → B : {K ′
AB, A}KBS
◮ Note that I need not actually have the value of K ′
ABbut
simply replay the earlier message, forcing A and B toaccept an old, dated key.
◮ Now I can replay an earlier (legitimate) message, whichcan be, say: “Deposit Rs 1 lakh into I’s account” !
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Nonces
◮ How do we ensure that old keys are not replayed ?
◮ A generates a new random value NA called nonce.
◮ A starts the protocol by sending a nonce NA. If by theend of the protocol, the same value returns, she knowsthat the key has not been replayed.
◮ What about B ? He generates his own nonce as well.
◮ This is typically called a challenge - response technique.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Needham - Schroeder
◮ We now have the following version of the protocol:1. A → S : A, B , NA
2. S → A : {KAB , B , NA, {KAB , A}KBS}KAS
3. A → B : {KAB , A}KBS
4. B → A : {NB}KAB
5. A → B : {NB + 1}KAB
◮ This is the famous Needham - Schroeder protocol, 1978.
◮ Denning and Sacco found an attack in 1986.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
The attack and its fix
◮ A replay attack:3’. (I )A → B : {K ′
AB, A}KBS
4. B → A(I ) : {NB}K ′
AB
5. (I )A → B : {NB + 1}K ′
AB
◮ The fix is quite simple:1. B → A : B , NB
2. A → S : A, B , NA, NB
3. S → A : {KAB , B , NA}KAS, {KAB , A, NB}KBS
4. A → B : {KAB , A, NB}KBS
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Are we done?
◮ Is this protocol secure ? Can we prove it secure ?
◮ Yes, but this takes a great deal of effort and machinery.
◮ Note that it still achieves less. At the end of the run,neither A nor B can actually deduce that the other hasactually received KAB !
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Infrastructure
The architecture of a security protocol crucially depends on:
◮ Existing cryptographic keys (shared, public)
◮ Key generation mechanisms
◮ Nonce generation mechanisms
◮ Number of users
◮ Number of multisessions concurrently active
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Security properties
◮ Confidentiality: Data is available only to those authorizedto obtain it.
◮ Integrity: Data has not been altered by unauthorisedentities.
◮ Authentication: Data has indeed originated from thepurported sender.
◮ Non-repudiation: Entities cannot deny sending data theyhave committed to.
◮ Freshness: Nonces are unguessable, and never re-used.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Attacks
◮ Eavesdropping
◮ Modification
◮ Replay
◮ Preplay
◮ Denial of service
◮ Type flaws
◮ Cryptanalysis
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Contract signing
◮ Two parties agree on the contract text
◮ Each will sign if the other will.
◮ Physical solution is easy: sit at a table.
◮ Over a network ?
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Why is this difficult ?
◮ Cannot trust communication channels. (Intruder mayblock or insert messages.)
◮ Cannot trust the other party in the protocol !Public key certificate does not certify honesty.
◮ Even if a trustworthy judge exists, she may become acommunication bottleneck.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Optimistic contract signing
◮ A tells B : “I am going to sign the contract”
◮ B tells A: “I am going to sign the contract”
◮ A sends her signature to B
◮ B sends his signature to A
A judge may declare contract binding if given first twomessages.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Requirements
◮ Fairness: If A cannot obtain a contract, B should not beable to obtain a contract either, and vice versa.If A cannot get a deed for the house, B should not beable to collect A’s money.
◮ No advantage: No party may solely determine theoutcome of the protocol.At no stage should A be able to decide by herself whetherthe house is sold or not.
◮ No provable advantage: No party may prove that it cansolely determine the outcome of the protocol.B should not be able to show A’s offer to C and convinceC to pay more.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Negative result
◮ Dishonest party has advantage in any fixed-roundoptimistic fair exchange protocol.
◮ Dishonest party always has a strategy to reach a state
where it can unilaterally force an outcome.◮ Similar to impossibility result for distributed consensus.◮ Cryptography cannot help.
◮ Need a trusted party for every transaction: bad news fore-commerce (or maybe good news !?).
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Electronic voting
◮ Secrecy: Every voter’s choice should be private, andothers should not be able to figure out how she voted.
◮ Individual verifiability: Each voter should be able to checkwhether her vote has been counted properly.
◮ Universal verifiability: It should be possible to checkwhether every voter’s vote has been counted properly.
◮ Fairness: Voters do not have any knowledge of thedistribution of votes until the tallies are finally announced.
◮ Receipt-freeness: No voter has any means of proving toanother that he has voted in a particular manner.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Receipt-freeness
◮ A problem characteristic of elections, and an importantone.
◮ Lack of receipt-freeness (that is, the presence of areceipt) allows vote buying and coercion which has thepotential to drastically affect the election process.
◮ When a receipt exists, it could be constructed in anymanner that convinces the sceptical second party.
◮ Demonstrating that no such way exists is highlydemanding, and is seen as a significant challenge toformal models.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Protocol structure
◮ Three kinds of agents: voters are one kind.
◮ Administrators know the voters’ identity, but cannot seethe votes, and their job is to check voters’ eligibility tovote.
◮ Talliers see the votes, but not the voters’ identities, andtheir job is to count votes for each candidate andannounce the result.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Homomorphic encryption
◮ Based on Adi Shamir’s secret sharing technique.
◮ Voters split their votes into several shares which theysend to different administrators.
◮ Unless many administrators collude, it is difficult toreconstruct the vote.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Blind signature
◮ Voter sends an encrypted vote {t}k to the administrator.
◮ The administrator A cannot decrypt the vote, but checksthe voter’s eligibility, “blindly” signs the message andreturns {tA}k to the voter.
◮ The voter, who generated k , can strip it off from {tA}k
obtaining tA, which is the vote t duly attested by A.
◮ Now the voter sends tA anonymously to the tallier.
◮ The tallier verifies the attestation, and gets the vote t
(while not knowing the origin).
ICAC’09 Cauvery College, Tiruchi – August 8, 2009
Summary
◮ Security protocols are difficult to design and analyse, bugshard to attack.
◮ We need a development methodology which would alwaysgenerate provably correct protocols.
◮ We need automaated tools for discovering attacks.
◮ Our main contribution: we identify subclasses of securityprotocols for which it is possible to automatically verifymany security properties.
ICAC’09 Cauvery College, Tiruchi – August 8, 2009