Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols

1
Modelling and Analysing of Security Protocol
Lecture 1Introductions to Modelling Protocols

• Tom Chothia
• CWI

2
This Course

• This course will primarily teaching you
• How to design your own secure communication
  protocols.
• How to analyse protocols and look for faults.
• How to use automatic tools to help you do this.
• Secondary skills
• Know which protocols to use for which jobs.
• Improve your system design skills.

3
Course Outline

• This Lecture
• How we model protocols
• Types of encryption used.
• Lecture 2
• Types of attacks on protocols
• Good protocol design
• Homework ( 1/6 of total score).

4

Course Outline

• Lecture 3
• Verifying protocols using BAN logic.
• Lecture 4
• Automatically verifying protocols.
• Homework ( 1/6 of total score)
• Lecture 5
• Anonymity protocols.

5

Course Outline

• Lecture 6
• Verifying probabilistic protocols in PRISM
• Lecture 7
• Fair exchange Zero knowledge
• Lecture 8 to Lecture 10
• Short students presentations ( 2/3 of total
  score )
• Lecture 11
• Summary

6
Sources

• Take notes if you want but you will get handouts
  with all the important details
• and the slides, handouts, papers, homework and
  links will be available at
• http//homepages.cwi.nl/chothia/Teaching

7
This Lecture

• Part 1
• Simple notation for protocols
• Modelling rules
• Needham-Schroeder and Kerberos protocols
• Part 2
• A high level overview the to cryptography
• Symmetric key encryption, public key encryptions
  and signing
• Abstract equation for modelling encryption

8
A Simple Protocol

• A sends message M to B
• written as
• A ? B M

A
B
M
9
Rules

• We write down protocols as a list of messages
  sent between principals, e.g.
• 1. A ? B Hello
• 2. B ? A Offer
• 3. A ? B Accept

10
A Simple Protocol
A
B
M
Message M can be read by the attacker
11
A Simple Protocol
A
B
M
Even now!
12
Rule

• The attacker can read all the messages sent
  across the network.

13
Encryption

• We can keep our data safe by using encryption

M Kab
A
B
A ? B M Kab
14
Rule

• We can use
• Encryption MK, EK(M)
• Signing SignK(M), SK(M), MACK(M)
• Hashing (M), Hash(M)
• We assume that these are prefect
• cannot be broken by brute force.

15
Encryption

• M is now secret

M Kab
A
B
but the protocol is not safe
16
Replay Attack
1 Pay Elvis 5 Kab
A
B
1) A ? B Pay Eve 5 Kab
17
Replay Attack
1 Pay Elvis 5 Kab
A
B
E
2 Pay Elvis 5 Kab
1) A ? B Pay Eve 5 Kab 2) E ? B Pay
Eve 5 Kab
18
Rule

• The attacker can repeat any message it see.

19
A Nonce
A
B

1. A ? B A

2. B ? A Na Kab

• 3. A ? B Na 1 Kab , Pay Elvis 5 Kab

20
Rule

• We can generate nonces.
• This is a new random values.
• If you generate a new nonce for a session you
  know that all future messages with that include
  that nonce are part of the same session.

21
A Nonce
1. A
A
B
2. Na Kab
3. Na 1Kab , Pay Elvis 5 Kab
4. A
5. Na2 Kab
6. Na2 1Kab , Pay Bob 5 Kab

22
A Nonce
1. A
A
B
2. Na Kab
3. Na 1Kab , Pay Elvis 5 Kab
4. A
5. Na2 Kab
E
6. Na2 1Kab , Pay Bob 5 Kab
6. Na2 1Kab ,

Pay Elvis 5 Kab
23
Rule

• The attacker can run multiple rounds of the
  protocol.
• The attacker can
• break up messages,
• invent new values, keys, nonces,..
• combine any of these into new message.

24
A Better Protocol
1. A
A
B
2. Na Kab
3. Na , Pay Elvis 5 Kab
1. A ? B A, Na 2. B ? A Na Kab 3. A ? B
Na, Pay Elvis 5 Kab

25
Key Establishment Protocol

• This was easy because A and B shared a key.
• Often the principals do not share a key, in which
  case we need a Key Establishment Protocol.
• This usually involves a Trust Third Party who
  has a shared key with each party.

26
The Needham-Schroeder Public Key Protocol

• A famous authentication protocol
• 1. A ? B EB( Na, A )
• 2. B ? A EA( Na, Nb )
• 3. A ? B EB( Nb )
• Na and Nb can then be used to generate a
  symmetric key

27
An Attack Against the Needham-Schroeder Protocol

• The attack acts as a man-in-the-middle
• 1. A ? C EC( Na, A )
• 1. C(A) ? B EA( Na, A )
• 2. B ? C(A) EA( Na, Nb )
• 2. C ? A EA( Na, Nb )
• 3. A ? C EC( Nb )
• 3. C(A) ? B EB( Nb )

28
The Corrected Version

• A very simple fix
• 1. A ? B EB( Na, A )
• 2. B ? A EA( Na, Nb )
• 3. A ? B EB( Nb )

29
The Corrected Version

• A very simple fix
• 1. A ? B EB( Na, A )
• 2. B ? A EA( Na, Nb, B)
• 3. A ? B EB( Nb )

30
Rule

• The attacker can act as a participant of the
  protocol.
• ... (sometimes)

31
Kerberos

• A protocol for key establishment and
  authentication used in Windows, MacOS, Apache,
  OpenSSH, ...
• A ??S A,B,NA
• S ??A KAB,B,L,NA,..KAS,KAB,A,L,..KBS
• A ??B A,TAKAB,KAB,A,L,..KBS
• B ??A TA1KAB

32
Kerberos

• A and S share the key KAS and B and S share KAS
• Both A and B trust S to generate a new key for
  them KAB
• N is a nonce, T is a timestamp and L is an
  expiration time.
• A ??S A,B,NA
• S ??A KAB,B,L,NA,..KAS,KAB,A,L,..KBS
• A ??B A,TAKAB,KAB,A,L,..KBS
• B ??A TA1KAB

33
Sources

• For lectures 1 2 the the primary reference
  material is the handouts.
• This information is covered in more depth in
• Paper Prudent Engineering Practices for
  Cryptographic Protocols (by Abadi Needham)
• Book Protocols for Authentication and Key
  Establishment (by Boyd Mathuria) there are
  copies in the library.

34
This Lecture

• Part 1
• Simple notation for protocols
• Modelling rules
• Needham-Schroeder and Kerberos protocols
• Part 2
• A high level overview of cryptography
• Symmetric key encryption, public key encryptions
  and signing
• Abstract equation for modelling encryption