Security Analysis of Network Protocols
CS 259. Security Analysis of Network Protocols
Mukund Sundararajan
http://www.stanford.edu/class/cs259/
How to write a crypto paper?
1. First visit: http://www-cse.ucsd.edu/users/mihir/crypto-topic-generator.html
2. Click on the button
3. Be Inspired
Fortunately, we don’t need to know what those papers, if written, may contain
Today
Getting Murphi to work on Windows
A close look at the NS implementation in Murphi
Cryptography for CS259
• The cryptography of SSL
Newsgroup: su.class.cs259
Murphi on Windows
Download Cygwin
• Need to include g++, make, gcc packages
• Look under the ‘Devel’ heading
Follow instructions in the Readme file located in the src directory
• Make the murphi compiler in the src directory
• Set up a link
• Edit homework Makefile
Needham Schroeder in Murphi
Walk through code sections
• Data types
• State variables
• Transitions, invariants
• Initial state
The strong attacker model
• Perfect cryptography
• Intercept all messages on the network
• Insert, reorder, delete messages
Murphi Syntax
Invariants are a special kind of rule
Rulesets allow concise specification of transition rules
Scalarsets allow us to exploit the inherent symmetry in some situations to make model checking efficient
Multisets are similar to scalarsets but are modifiable at runtime; use a ‘choose’ to index
Union data types allow us to refer to many scalarsets at once
Weak intruder model
[Part (b) of the 3rd question on HW#1]
Consider an intruder who can only receive messages destined to it.
Does the attack on “initiator correctly authenticated” still work?
Need to undo optimizations
Anomaly in Needham-Schroeder
A -> E: { A, NA }Ke
E -> B: { A, NA }Kb
B -> E: { NA, NB }Ka
E -> A: { NA, NB }Ka
A -> E: { NB }Ke
Evil agent E tricks honest A into revealing private key NB from B
Evil E can then fool B
[Lowe]
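The run in the diagram above, replayed symbolically under the perfect-cryptography assumption, as an added Python example that is not part of the original slides or the course's Murphi model. It goes beyond the slide by also replaying the run with Lowe's fix (responder name included in message 2); the names Enc, dec and replay and the symbolic values are constructed for this example.

```python
from collections import namedtuple

# {body}K_owner under perfect cryptography: only `owner` can open it.
# Nonces and names are symbolic strings constructed for this example.
Enc = namedtuple("Enc", "owner body")

def dec(agent, msg):
    """Return the plaintext tuple, or fail if `agent` lacks the private key."""
    if agent != msg.owner:
        raise PermissionError(f"{agent} cannot open a message for {msg.owner}")
    return msg.body

def replay(lowe_fix=False):
    """Replay the slide's interleaving; return (B_accepts_as_A, E_knowledge)."""
    known = {"A", "B", "E"}              # intruder E starts with agent names only
    # 1.  A -> E : {A, NA}Ke    A honestly opens a session with E
    known |= set(dec("E", Enc("E", ("A", "NA"))))
    # 1'. E -> B : {A, NA}Kb    E re-encrypts what it learned for B
    claimed, na = dec("B", Enc("B", ("A", "NA")))
    # 2.  B -> E : {NA, NB}Ka   (with the fix: {NA, NB, B}Ka)
    m2 = Enc("A", (na, "NB", "B") if lowe_fix else (na, "NB"))
    try:
        known |= set(dec("E", m2))       # E holds the message but cannot read it
    except PermissionError:
        pass                             # 2'. E -> A : forwarded unchanged
    body = dec("A", m2)
    # A's session is with E: she checks her nonce and, with the fix, the name
    if body[0] != "NA" or (lowe_fix and body[2] != "E"):
        return False, known              # A aborts, NB is never released
    # 3.  A -> E : {NB}Ke       A returns the nonce to her session partner
    known |= set(dec("E", Enc("E", (body[1],))))
    # 3'. E -> B : {NB}Kb       E can build this only if it has learned NB
    if "NB" not in known:
        return False, known
    (nb,) = dec("B", Enc("B", ("NB",)))
    return claimed == "A" and nb == "NB", known

if __name__ == "__main__":
    for fix in (False, True):
        accepted, known = replay(fix)
        print(f"lowe_fix={fix}: B accepts 'A'={accepted}, E knows NB={'NB' in known}")
```

The first return value is the negation of the invariant a model checker would test here: B finishing a run it attributes to A although A never started a session with B.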
Handshake Protocol Structure
C -> S: ClientHello
S -> C: ServerHello, [Certificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone
C -> S: [Certificate], ClientKeyExchange, [CertificateVerify]
C: switch to negotiated cipher
C -> S: Finished
S: switch to negotiated cipher
S -> C: Finished
Nonce
‘Number used once’
Used to prevent replay attacks
Symmetric Key Algorithm
Encryption
• Input: plain-text, key, Output: cipher text
Decryption
• Input: encrypted message, key, Output: plain text
Needs to be reversible
Insecure if any of the following is computationally feasible
• Can decipher plaintext without key
• Can produce cipher text without key
• Can deduce key from cipher text
Asymmetric Encryption
Encryption
• Input: plain-text, public-key, Output: cipher text
Decryption
• Input: encrypted message, private-key, Output: plain text
Needs to be reversible
Insecure if any of the following is computationally feasible
• Can decipher plaintext without private key
• Can deduce private key from cipher text or public key
Digital Signatures
Signature algorithm
• Input: m, private key, Output: Signature
Verification algorithm
• Input: Signature, public key, Output: Boolean
Authentication
Integrity
Non-repudiation
Cryptographic Hashes
Input: message, Output: digest
Insecure if any of the following is computationally feasible:
• Preimage resistance: finding a message that matches a given digest
• Collision resistance: finding "collisions", wherein two different messages have the same message digest
• Second preimage resistance: given an input m, it must be hard to find a different m’ that hashes to the same value
MACs
Integrity + Authenticity
• Input: Key, Message, Output: Message Authentication Code
• Verification algorithm
Uses cryptographic hashes or symmetric key crypto
• Attacker must not be able to find two messages M, M’ that produce the same MAC under an unknown key, given an oracle that MACs messages
• Key holder may find collisions
• Differ from signatures: they are symmetric
Diffie-Hellman exchange
A picks a nonce x, generates G^x, sends it to B
B picks a nonce y, generates G^y, sends it to A
Both generate G^(xy) locally
G^(xy) is a shared secret
Secure by ‘Hardness of discrete logarithm’
Exercises
How do scalarsets and multisets improve the efficiency of model-checking?
What is the relationship between the three properties of cryptographic hashes?
Read the definition of a message authentication code in Wikipedia