Title: Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols
1Modelling and Analysing of Security Protocol
Lecture 1Introductions to Modelling Protocols
2This Course
- This course will primarily teaching you
- How to design your own secure communication
protocols. - How to analyse protocols and look for faults.
- How to use automatic tools to help you do this.
- Secondary skills
- Know which protocols to use for which jobs.
- Improve your system design skills.
3Course Outline
- This Lecture
- How we model protocols
- Types of encryption used.
- Lecture 2
- Types of attacks on protocols
- Good protocol design
- Homework ( 1/6 of total score).
4 Course Outline
- Lecture 3
- Verifying protocols using BAN logic.
- Lecture 4
- Automatically verifying protocols.
- Homework ( 1/6 of total score)
- Lecture 5
- Anonymity protocols.
5 Course Outline
- Lecture 6
- Verifying probabilistic protocols in PRISM
- Lecture 7
- Fair exchange Zero knowledge
- Lecture 8 to Lecture 10
- Short students presentations ( 2/3 of total
score ) - Lecture 11
- Summary
6Sources
- Take notes if you want but you will get handouts
with all the important details - and the slides, handouts, papers, homework and
links will be available at - http//homepages.cwi.nl/chothia/Teaching
7This Lecture
- Part 1
- Simple notation for protocols
- Modelling rules
- Needham-Schroeder and Kerberos protocols
- Part 2
- A high level overview the to cryptography
- Symmetric key encryption, public key encryptions
and signing - Abstract equation for modelling encryption
8A Simple Protocol
- A sends message M to B
- written as
- A ? B M
A
B
M
9Rules
- We write down protocols as a list of messages
sent between principals, e.g. - 1. A ? B Hello
- 2. B ? A Offer
- 3. A ? B Accept
10A Simple Protocol
A
B
M
Message M can be read by the attacker
11A Simple Protocol
A
B
M
Even now!
12Rule
- The attacker can read all the messages sent
across the network.
13Encryption
- We can keep our data safe by using encryption
M Kab
A
B
A ? B M Kab
14Rule
- We can use
- Encryption MK, EK(M)
- Signing SignK(M), SK(M), MACK(M)
- Hashing (M), Hash(M)
- We assume that these are prefect
- cannot be broken by brute force.
15Encryption
M Kab
A
B
but the protocol is not safe
16Replay Attack
1 Pay Elvis 5 Kab
A
B
1) A ? B Pay Eve 5 Kab
17Replay Attack
1 Pay Elvis 5 Kab
A
B
E
2 Pay Elvis 5 Kab
1) A ? B Pay Eve 5 Kab 2) E ? B Pay
Eve 5 Kab
18Rule
- The attacker can repeat any message it see.
19A Nonce
A
B
- A ? B A
2. B ? A Na Kab
- 3. A ? B Na 1 Kab , Pay Elvis 5 Kab
20Rule
- We can generate nonces.
- This is a new random values.
- If you generate a new nonce for a session you
know that all future messages with that include
that nonce are part of the same session.
21A Nonce
1. A
A
B
2. Na Kab
3. Na 1Kab , Pay Elvis 5 Kab
4. A
5. Na2 Kab
6. Na2 1Kab , Pay Bob 5 Kab
22A Nonce
1. A
A
B
2. Na Kab
3. Na 1Kab , Pay Elvis 5 Kab
4. A
5. Na2 Kab
E
6. Na2 1Kab , Pay Bob 5 Kab
6. Na2 1Kab ,
Pay Elvis 5 Kab
23Rule
- The attacker can run multiple rounds of the
protocol. - The attacker can
- break up messages,
- invent new values, keys, nonces,..
- combine any of these into new message.
24A Better Protocol
1. A
A
B
2. Na Kab
3. Na , Pay Elvis 5 Kab
1. A ? B A, Na 2. B ? A Na Kab 3. A ? B
Na, Pay Elvis 5 Kab
25Key Establishment Protocol
- This was easy because A and B shared a key.
- Often the principals do not share a key, in which
case we need a Key Establishment Protocol. - This usually involves a Trust Third Party who
has a shared key with each party.
26The Needham-Schroeder Public Key Protocol
- A famous authentication protocol
- 1. A ? B EB( Na, A )
- 2. B ? A EA( Na, Nb )
- 3. A ? B EB( Nb )
- Na and Nb can then be used to generate a
symmetric key
27An Attack Against the Needham-Schroeder Protocol
- The attack acts as a man-in-the-middle
- 1. A ? C EC( Na, A )
- 1. C(A) ? B EA( Na, A )
- 2. B ? C(A) EA( Na, Nb )
- 2. C ? A EA( Na, Nb )
- 3. A ? C EC( Nb )
- 3. C(A) ? B EB( Nb )
28The Corrected Version
- A very simple fix
- 1. A ? B EB( Na, A )
- 2. B ? A EA( Na, Nb )
- 3. A ? B EB( Nb )
29The Corrected Version
- A very simple fix
- 1. A ? B EB( Na, A )
- 2. B ? A EA( Na, Nb, B)
- 3. A ? B EB( Nb )
30Rule
- The attacker can act as a participant of the
protocol. - ... (sometimes)
31Kerberos
- A protocol for key establishment and
authentication used in Windows, MacOS, Apache,
OpenSSH, ... - A ??S A,B,NA
- S ??A KAB,B,L,NA,..KAS,KAB,A,L,..KBS
- A ??B A,TAKAB,KAB,A,L,..KBS
- B ??A TA1KAB
32Kerberos
- A and S share the key KAS and B and S share KAS
- Both A and B trust S to generate a new key for
them KAB - N is a nonce, T is a timestamp and L is an
expiration time. - A ??S A,B,NA
- S ??A KAB,B,L,NA,..KAS,KAB,A,L,..KBS
- A ??B A,TAKAB,KAB,A,L,..KBS
- B ??A TA1KAB
33Sources
- For lectures 1 2 the the primary reference
material is the handouts. - This information is covered in more depth in
- Paper Prudent Engineering Practices for
Cryptographic Protocols (by Abadi Needham) - Book Protocols for Authentication and Key
Establishment (by Boyd Mathuria) there are
copies in the library.
34This Lecture
- Part 1
- Simple notation for protocols
- Modelling rules
- Needham-Schroeder and Kerberos protocols
- Part 2
- A high level overview of cryptography
- Symmetric key encryption, public key encryptions
and signing - Abstract equation for modelling encryption