The Agent Based Crypto Protocol The ABC-Protocol by Jordan Hind MSE Presentation 2

Upload: andrew-mckenna

Post on 26-Mar-2015



The Agent Based Crypto Protocol

The ABC-Protocol

by

Jordan Hind

MSE Presentation 2


Agenda

● A brief coverage of some “crypto-stuffs”
● How the protocol works
● Formal Methods with Spin
● Strand Space Formal Methods
  ○ Introduction
  ○ CAPSL and CIL
  ○ Strand Space analysis in Prolog
● Program Architecture and the Formal Methods with USE/OCL
● Odds and ends.


Crypto Intro

● In the ABC-Protocol we'll divide cryptography into 3 sections
  ○ Public Key
  ○ Authentication
  ○ Symmetric Cryptography


Public Key

● Elliptic Curve Diffie-Hellman (ECDH)
  ○ Diffie-Hellman-like key exchange between two hosts within the field of a finite elliptic curve.
● Everyone knows the curve GF(p).
● Anyone can know the random point F on that curve.
● Two hosts (A and B) each have a “private key” that's never shared. The private key is really just a randomly picked point on that curve. Let's call these Ak and Bk.
● Each host multiplies its key by point F; the result is its “public key”. Let's call these Ap and Bp.
● The shared secret key is constructed by one host multiplying its secret key by the other host's public key (and vice versa).


As An Equation

● Bk * Ap = Bk * (Ak * F) = (Bk * Ak) * F = Ak * (Bk * F) = Ak * Bp

● Each host can calculate Bk * Ak without knowing the other host's private key.

● The security of this is based on it being difficult to calculate Ak even if given F and Ap.
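
The equation above, worked through on a toy curve as an added example (not code from the presentation or the ABC-Protocol project). The curve y^2 = x^3 + 2x + 2 over GF(17), the base point F = (5, 1) and all function names are assumptions chosen for illustration; the private keys Ak and Bk are integers that multiply F, which is how ECDH implementations such as curve25519 treat them.

```python
# Toy parameters chosen for this example only; far too small to be secure.
P_MOD, A_COEF, B_COEF = 17, 2, 2   # curve y^2 = x^3 + 2x + 2 over GF(17)
F = (5, 1)                         # the public point "F" from the slides
INF = None                         # point at infinity (group identity)

def on_curve(pt):
    """True if pt satisfies the curve equation (or is the identity)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A_COEF * x + B_COEF)) % P_MOD == 0

def add(p, q):
    """Elliptic-curve group law: return p + q."""
    if p is INF:
        return q
    if q is INF:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                 # p + (-p)
    if p == q:                     # tangent slope for doubling
        s = (3 * x1 * x1 + A_COEF) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:                          # chord slope for distinct points
        s = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    s %= P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Scalar multiplication k * pt by double-and-add (not constant-time)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def ecdh_demo(ak, bk):
    """Return (Ap, Bp, A's shared point, B's shared point)."""
    ap, bp = mul(ak, F), mul(bk, F)           # public keys Ap = Ak*F, Bp = Bk*F
    if not (on_curve(ap) and on_curve(bp)):   # a receiver should reject off-curve keys
        raise ValueError("public key is not on the curve")
    return ap, bp, mul(ak, bp), mul(bk, ap)   # Ak*Bp and Bk*Ap
```

With Ak = 3 and Bk = 10 both hosts arrive at the same point, and F has order 19 on this curve, so only 18 distinct non-trivial keys exist, which is why real deployments use curves of roughly 256 bits.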


Benefits

● Much more efficient by being able to use smaller numbers.

● 256-bit ECC numbers compared to 2048- or 3072-bit FFC numbers for a similar level of security.


Authentication

● ABC-Protocol uses a very simple authentication scheme, a shared secret.

● Both hosts know a shared secret; each host proves to the other that it knows the secret without transmitting it.

● We do this using a cryptographic hash.


Hash

● A hash is a function that takes an arbitrary-length input and produces a standard-length output.
  ○ h(a) -> b
  ○ h(a|b|c) -> d
  ○ |b| == |d|


● A cryptographic hash has two properties we are relying on.
  ○ A cryptographic hash is one-way.
    ● h(a|b) = d    h(d) != (a|b), a or b
  ○ A cryptographic hash is “difficult” to duplicate (hard to find two inputs with the same output).
    ● h(a) = d    h(x) != d
● If either of these fails to be true then the security of the protocol will fail. Choose a hash wisely, update when needed.


Symmetric Cryptography

● Uses 1 key
● 2-way function


How to use a cipher

● Some uses of a cipher are more correct than others.
  ○ The easiest use of a cipher is Electronic Code Book (ECB).
  ○ E(Key, Data1) -> output1
  ○ E(Key, Data2) -> output2
  ○ If Data1 and Data2 match then output1 and output2 match.
● If you use ECB for agents, an attacker can replay commands!
● The only mode we will talk about that ABC-Protocol doesn't use.


Cipher Block Chaining

● Reuses output from previous block's encryption.


Counter Mode

● CTR mode encrypts a nonce and a counter to create S

● XOR S against the message M (limited by the block size of the cipher)


Advanced Modes

● The ABC-Protocol uses an advanced mode called EAX.
  ○ Originated in 2004
  ○ Introduced as a patent-free and public domain option from U of California (Davis, Berkeley and San Diego)
● EAX integrates the MAC and the Mode.
  ○ What's a MAC?


Message Authentication Code

● MAC – proves (relatively) that each packet in a stream is from a host that authenticated.
  ○ Each packet with a MAC is authenticated.
● Most MACs, such as HMAC, are hash schemes.
  ○ By hashing the packet in some manner with a key and constants they prove the packet was unchanged.
  ○ Having nothing to do with the encryption of data, they are only authentication.


OMAC

● One-key MAC
  ○ Uses a CBC cipher mode, discarding the output of each encryption except the last, which is the Tag.
  ○ All packets in a transmission use the same key


EAX


Why EAX ?

● I thought it would be cool to implement

● No decrypt function needed in the cipher, only in the mode.

● No encodings

● Tightly coupled authentication and encryption.


Imported Functions

● Libraries by other people that I'd like to use.
  ○ An Elliptic Curve Library
    ● Probably curve25519 (Dan Bernstein)
      ○ Public domain
      ○ Highly optimized (limited to x86)
  ○ AES Submissions for the Ciphers
    ● Serpent
      ○ Most secure of the AES submissions
    ● Rijndael
      ○ AES winner. Fastest of the AES candidates.
  ○ Hash
    ● Any public domain SHA-2 implementation.
  ○ PRNG
    ● Any public domain PRNG with sufficient entropy.


The Protocol

● http://www.hick.org/~jhind/phase2/ABC-Protocol.jpg


The Protocol cont. 1

● A starts by sending a “Greet” packet.
  ○ Contains its ECDH public key and a nonce
● B responds with a GreetAck
  ○ Contains its ECDH public key and a nonce
● A then computes the ECDH key and then performs a hash of the ECDH key, the shared secret, and B's nonce.
  ○ B will perform this computation to check A's.
  ○ A can only reach the correct value if it knows the secret.
  ○ The secret cannot be recovered from the hash, even if an attacker could solve the ECDH key.


The Protocol cont. 2

● Upon receiving A's authentication, B also computes the ECDH key. B then performs the same computation and compares it to A's value. If A sent the correct value, it has proven its identity to B.

● B hashes the ECDH key, the shared secret and A's nonce and sends this to A to authenticate itself to A.

● A receives B's authentication, performs the computation and validates that B knows the shared secret.
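
The authentication exchange from the last two slides, as an added example rather than the project's own code. SHA-256, the 4-byte length prefix on each hashed field, the 16-byte nonces and all function names are assumptions; the ECDH keys are passed in as byte strings each side has already computed.

```python
import hashlib
import hmac
import os

def auth_tag(ecdh_key: bytes, shared_secret: bytes, peer_nonce: bytes) -> bytes:
    """hash(ECDH key, shared secret, peer's nonce) as described in the slides.

    Each field is length-prefixed (an assumption added here) so that
    ("ab", "c") and ("a", "bc") cannot hash to the same value.
    """
    h = hashlib.sha256()
    for field in (ecdh_key, shared_secret, peer_nonce):
        h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()

def verify(tag: bytes, ecdh_key: bytes, shared_secret: bytes, own_nonce: bytes) -> bool:
    """Recompute the peer's tag over our own nonce; compare in constant time."""
    return hmac.compare_digest(tag, auth_tag(ecdh_key, shared_secret, own_nonce))

def handshake(secret_a: bytes, secret_b: bytes, key_a: bytes, key_b: bytes):
    """Run Greet / GreetAck / authentication between hosts A and B.

    key_a and key_b are the ECDH keys each side computed; they differ when
    the public keys were swapped in transit. Returns (B accepts A, A accepts B).
    """
    na = os.urandom(16)                        # nonce carried in A's Greet
    nb = os.urandom(16)                        # nonce carried in B's GreetAck
    a_proof = auth_tag(key_a, secret_a, nb)    # A -> B, bound to B's nonce
    if not verify(a_proof, key_b, secret_b, nb):
        return False, False                    # B aborts and sends no proof
    b_proof = auth_tag(key_b, secret_b, na)    # B -> A, bound to A's nonce
    return True, verify(b_proof, key_a, secret_a, na)
```

Because each proof covers the verifier's fresh nonce and the ECDH key, a proof recorded in one session fails verification in the next, and a party whose ECDH key differs from the verifier's is rejected even when the shared secret matches.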


The Protocol cont. 3

● Both hosts have now authenticated. They both now build a symmetric key.
  ○ Symmetric Key = EncryptWithTheCipher(sharedSecret, hash(nonce2, sharedSecret, ECDH computed Key, nonce1)).

● Provides Forward Secrecy.


SPIN

● SPIN modeling tool is used in CIS 725
● 2 models were done using the SPIN tool
  ○ A base protocol model.
    ● Used to identify channel states.
    ● Used to identify problems with broadcast.
  ○ A security model
    ● Implemented an attacker node which sends valid packets into a session in progress.
    ● Used for identifying protocol defences (as opposed to cryptographic defences) and using the state to defend against these attacks.


Proving Security

● NRL Protocol Analyzer
  ○ From the early 90's.
  ○ Commonly used, lots of research papers.
  ○ At the time, I couldn't find it.
● BRUTUS
  ○ From Carnegie Mellon in the late 90's.
  ○ Several related research papers.
  ○ The author told me in correspondence that “Brutus never made it past the prototype”
● Which led me to...


Strand Space Methods

● Originated from Mitre in 2000
● Breaks a protocol down into a series of events which occur from one host. For example
  ○ Host A sends packet 1
  ○ Host A receives packet 3
  ○ Host A sends a value to a CA
  ○ Host A receives CA reply
  This is a strand (a nonsensical one)
● Not particularly well documented, more of a research area than a tool.
● Spent extensive time working on CAPSL, a roundabout way into Strand Space analysis.


CAPSL

● Common Authentication Protocol Specification Language
  ○ A macro based specification tool.
● Equipped with predefined concepts of:
  ○ Encryption, hashing, public key, etc.
  ○ Concepts of Secrecy and Authentication
● Example CAPSL
  ● VARIABLES
      A, B: PKUser;
      Apub, Bpub: Skey, FRESH, CRYPTO;
      Na, Nb: Nonce, FRESH, CRYPTO;
  ● MESSAGES
      A -> B: {Na,Apub};
      B -> A: {Nb,Bpub};
  ● Apost = kas(kap(Bpub),Apub);
  ● tempFieldA = buildAuth(Nb,Apost,SharedSecret);
  ● hashFieldA = sha(tempFieldA);


CIL

● CAPSL is converted into CIL using a translator (cil.java)
  ○ CAPSL Intermediate Language
  ○ CIL is a generic language (and it's hideous).
  ○ The idea is that CIL is easily converted into other model checking languages such as Prolog and Maude.
  ○ The CAPSL/CIL model is then checked in those model checkers with extra environment files.
● I would say this is poorly documented.


CIL is then converted...

● CIL is converted into Prolog
  ○ What's left is supposed to be the protocol's strands.
● Doesn't work well.
  ○ For example in CAPSL goals are defined. They are in the CIL, but are stripped out of the strand.
  ○ The strands are defined, but need more work to run.
  ○ Define “bundles” to run the strands.


Checking the Protocol in Prolog

● Load in an environment named csolve, which contains a strand for an attacker (e).

● Run the strands specifying the search.
● The output is a stack trace.

● Frankly, this doesn't work very well. The solver returns a yes or no, answering the question of whether the condition specified in the search was reached. I think it always returns yes.


Jeeeez, are we ever going to talk about program architecture?

● Yes.
● After an initial UML diagram in Visio, a move to USE was made.
● USE was used to design the entire architecture.
  ○ Simplified instantiations of sending and receiving secure connections were made.


Two designs follow...

● The first design was projected or forecasted.

● The second design was based on the experience in coding the proof-of-concept architecture code.

● Basically, reductions in complexity were found.

● The functions are more precise


UML


What do the classes do?

● Class: ABCP
● Purpose: The ABCP class is the primary interface for the end developer.

● Class: Protocol Driver
● Purpose: Used to interface between the network sockets and the protocol. It also tracks protocol state.

● Class: SubDriver
● Purpose: A driver class for the protocol layers. This is the staging ground for outgoing packets to be built in or incoming packets to be processed in.

● on layer of the protocol.


Classes Cont.

● Class: NetworkWrapper
● Purpose: Manages Network sockets and network functions.

● Class: Session Encryption
● Purpose: Manages the session layer of the protocol.

● Class: ECDHWrapper
● Purpose: Manages the Elliptic Curve functions (probably an imported library)

● Class: Nonce
● Purpose: Constructs Nonces.

● Class: PRNGWrapper
● Purpose: Manages the pseudo random number generator (probably an imported library).


Classes cont.

● Class: DataEncryption
● Purpose: Manages the data encryption layer of the protocol. Runs the mode and OMAC functions.

● Class: Cipher
● Purpose: Used to abstract the third party libraries used as ciphers. Runs the cipher's encrypt function.

● Class: Auth
● Purpose: Manages the authentication process and protocol layer. Will also manage a list of hosts and their keys. Used to create keys.

● Class: HashWrapper
● Purpose: Used to abstract a single interface over any third party hash libraries used.


Formal Inspections

● I took a different direction than others...

● I asked two senior developers and two senior security professionals to look at my project so far and give me their honest criticisms. (two that filled out the form have their forms linked on the site)

● The biggest item, testing, came from one of the developers. It's not on the checklist and only came about from talking to the inspectors about the project.


Testing

● Automated unit testing of key functions.
● Tests of Use-Cases listed in 3.1 of the Vision document
  ○ Transfer data.
  ○ Transfer burst.
  ○ Transfer commands.
  ○ Broadcast.
● And just for fun, pit the ABC-protocol against SSH protocol (OpenSSH) to compare data transfer rates.


Architecture Proof of Concept

● Only a Windows prototype this time.
● Which is difficult to demo as I only have one Windows box.
  ○ We'll demo it by using netcat to interface with it.
  ○ Or we can run it against itself (but then we can't see any network traffic!)