Security Analysis of Network Protocols

About This Presentation

Title:

Security Analysis of Network Protocols

Description:

1. First visit: http://www-cse.ucsd.edu/users/mihir/crypto-topic ... Download Cygwin. Need to include g , make, gcc packages. Look under the Devel' heading ... – PowerPoint PPT presentation

Number of Views:35

Avg rating:3.0/5.0

Slides: 18

Provided by: JohnCMi

Learn more at: https://web.stanford.edu

Category:

more less

Transcript and Presenter's Notes

Title: Security Analysis of Network Protocols

1
Security Analysis of Network Protocols
CS 259
Mukund Sundararajan
http//www.stanford.edu/class/cs259/
2
How to write a crypto paper?

1. First visit http//www-cse.ucsd.edu/users/mihi
r/crypto-topic-generator.html
2. Click on the button
3. Be Inspired
Fortunately, we dont need to know what those
papers, if written, may contain

3
Today

Getting Murphi to work on Windows
A close look at the NS implementation in Murphi
Cryptography for CS259
The cryptography of SSL
Newsgroup su.class.cs259

4
Murphi on Windows

Download Cygwin
Need to include g, make, gcc packages
Look under the Devel heading
Follow instructions in the Readme file located
in the src directory
Make the murphi compiler in the src directory
Set up a link
Edit homework Makefile

5
Needham Schroeder in Murphi

Walk through code sections
Data types
State variables
Transitions, invariants
Initial state
The strong attacker model
Perfect cryptography
Intercept all messages on the network
Insert, reorder, delete messages

6
Murphi Syntax

Invariants are a special kind of rule
Rulesets allow concise specification of
transition rules
Scalarsets allow us to exploit symmetry the
inherent symmetry in some situations to make
model checking efficient
Multisets are similar to scalarsets but are
modifiable at runtime, use a choose to index.
Union data types allow us to refer to many
scalarsets at once

7
Weak intruder model

Part (b) of the 3rd question on HW1
Consider an intruder who can only receive
messages destined to it.
Does the attack on initiator correctly
authenticated still work?
Need to undo optimizations

8
Anomaly in Needham-Schroeder
Lowe
A, NA
Ke
A
E
NA, NB
Ka
NB
Ke
A, NA
NA, NB
Evil agent E tricks honest A into
revealing private key NB from B
Kb
Ka
B
Evil E can then fool B
9
(No Transcript)
10
Nonce

'number used once'
To prevent against replay attacks

11
Symmetric Key Algorithm

Encryption
Input plain-text, key, Output cipher text
Decryption
Input encrypted message, key, Output plain text
Needs to be reversible
Insecure if following is computationally feasible
Can decipher plaintext without key
Can produce cipher text without key
Can deduce key from cipher text

12
Asymmetric Encryption

Encryption
Input plain-text, public-key, Output cipher
text
Decryption
Input encrypted message, private-key, Output
plain text
Needs to be reversible
Insecure if following is computationally feasible
Can decipher plaintext without private key
Can deduce private key from cipher text or public
key

13
Digital Signatures

Signature algorithm
Input m, private key, Output Signature
Verification algorithm
Input Signature, public key, Output Boolean
Authentication
Integrity
Non-repudiation

14
Cryptographic Hashes

Input message, Output digest
Insecure if following is computationally
feasible
Preimage resistance finding a message that
matches a given digest
Collision resistance finding "collisions",
wherein two different messages have the same
message digest
Second Preimage resistance given an input m, it
must be hard to find different m that hashes to
the same value

15
MACs

Integrity Authenticity
Input Key, Message, Output Message
Authentication Code
Verification algorithm
Uses cryptographic hashes or symmetric key crypto
Attacker must not be able to find two messages M,
M that produce the same MAC under an unknown key
given an oracle that MACs messages
Key holder may find collisions
Differ from signatures they are symmetric

16
Diffie-Hellman exchange