Cryptographic Protocols and Possible Attacks

1
Cryptographic Protocols andPossible Attacks

• SOEN321- Information-Systems Security
• Revision 1.1
• Date November 25, 2004

2
Contents

• Security Flaws in Cryptographic Protocols
• Freshness Flaws
• Oracle Flaws
• Type Flaws
• Implementation-Dependent Flaws
• Elementary Flaws
• Others

3
Security Flaws

• A flaw is a protocol property that contradicts
  the security requirements.
• A security flaw is a part of a program that can
  cause the system to violate its security
  requirements.
• Finding security flaws, then, demands some
  knowledge of the system security requirements.
  These requirements vary according to the system
  and the application Landweher, Bull, McDermott
  and Choi.
• The proof of a flaw is commonly known as an
  attack and it is generally presented as actions
  performed on the protocol.

4
Flow Types

• Freshness
• Oracle
• Type
• Implementation-Dependent
• Others

5
Freshness Flaws

• Freshness flaws appear when critical messages are
  used in the protocol without including freshness
  information such as nonces and/or timestamps.
• This lack can be exploited by an intruder to do a
  masquerade by replaying messages belonging to
  previous runs.

6
Freshness Flaws

• A classical example of a freshness flaw occurs in
  the symmetric-key protocol proposed by
  Needham-Shroeder
• Message 1 A -gt S A,B,Na
• Message 2 S -gt A Na,B, kab, kab,Akbs kas
• Message 3 A -gt B kab,Akbs
• Message 4 B -gt A Nbkab
• Message 5 A -gt B Nb 1kab

7
Freshness Flaws (2)

• This protocol aims to provide a mutual
  authentication between two principals A and B.
• Each principal shares a secret key with a trusted
  server S.
• This protocol was thought to be correct until
  1981 when the basic weakness was pointed out by
  Denning and Sacco.
• The main problem of this protocol is that the
  principal playing the role B cannot detect
  whether the message kab,A sent by the principal
  playing the role A at step 3 has been recently
  created or not since it does not contain any
  freshness information.

8
Freshness Flaws (3)

• Suppose, for example, that an intruder can
  compromise one previously distributed key kab
  (by using cryptanalysis for example) and it
  replays the appropriate message to the principal
  playing the role B in step 3.
• In this case, the principal playing the role B
  will accept this key as a new one and it replays
  by the message Nbkab
• Hence, the intruder can intercept this message
  and impersonate As reply by sending the message
  Nb 1kab

9
Freshness Flaws (4)

• To fix this weakness, Denning and Sacco have
  proposed to add a timestamp to the messages used
  at step 2 and step 3
• Message 1 A -gt S A,B,Na
• Message 2 S -gt A T,Na,B, kab, kab,A,
  Tkbskas
• Message 3 A -gt B kab,A, Tkbs
• Message 4 B -gt A Nbkab
• Message 5 A -gt B Nb 1kab
• Needham and Shroeder have proposed a solution
  based on the use of nonces. The two proposed
  solutions seem to resolve the problem, however
  there is no correction proof for any one of those
  new versions.

10
Oracle Flaws

• Oracle flaws occur when the cryptographic
  protocol dialog allows an adversary to know some
  secret information or to foretell the content of
  some encrypted messages.
• Two subclasses of oracle flaws are distinguished
• Single oracle flaws and,
• Multi-role oracle flaws.

11
Single Oracle Flaws

• It consists of oracle flaws that occur when the
  protocol does not allow principals to change
  their roles from one protocol run to another.
• The most famous example of a single role oracle
  flaw was given by Rivest, Shamir, and Adelman. It
  consists of the following three-steps protocol
• Message 1 A -gt B Mka
• Message 2 B -gt A Mkakb
• Message 3 A -gt B Mkb
• We assume that the encrypting function is
  commutative i.e. Mkakb Mkbka

12
Single Oracle Flaws (2)

• The goal of this protocol is to transfer secret
  messages from one principal to another without
  the help of a trusted server.
• In step one, the principal playing the role A
  encrypts the messages M under its secret key ka
  (can be randomly generated) then sends the result
  to the principal playing the role B.
• In the second step, the principal playing the
  role B encrypts the received message with its
  secret key kb and sends the result to the
  principal playing the role A.
• Finally, the principal playing the role A
  decrypts the message Mkakb to obtain the
  message Mkb (this can be achieved under the
  commutative assumption) which is sent to the
  principal playing the role B.

13
Single Oracle Flaws (3)

• This protocol can be attacked as follows
• Message 1 A -gt I(B) Mka
• Message 2 I(B) -gt A Mka
• Message 3 A -gt I(B) M
• At step one, the intruder intercepts the message
  Mka which is supposed to be sent to the
  principal playing the role B.
• At step two, the intruder sends the intercepted
  message to the principal playing the role A as a
  Bs response.
• Finally, the principal playing the role A
  decrypts the received message and sends the
  result (M) to the principal playing the role B.
• However, the intruder intercepts this message
  hence, it learns the information that was
  supposed to be secret.

14
Multi-Role Oracle Flaws

• Multi-role oracle flaws occur when the protocol
  assumptions allow principals to change their role
  from one run to another.
• In this case, an intruder has more chance to
  attack the protocol.
• In fact, the intruder can participate in many
  runs executed concurrently hence, messages of
  one run can be used to form messages that will be
  used in another run.

15
Multi-Role Oracle Flaws (2)

• A good example of multi-roles oracle flaws is
• Message 1 A -gt B Nakab
• Message 2 B -gt A Na 1kab
• The objective of this protocol is to convince the
  principal playing role A that the principal
  playing role B is operational.

16
Multi-Role Oracle Flaws (3)

• At step one, the principal playing role A sends a
  challenge, the nonce Na encrypted using the key
  kab.
• The principal playing role B can easily give a
  response (Na 1kb) to this challenge at step
  two since it knows the key kab.
• This protocol can be attacked as follows
• Message 1.1 A -gt I(B) Nakab
• Message 2.1 I(B) -gt A Nakab
• Message 2.2 A -gt I(B) Na 1kab
• Message 1.2 I(B) -gt A Na 1kab
• At step one of the first protocol run, the
  intruder intercepts the message Nakab and uses
  it as its own challenge in the first step of the
  second protocol run.

17
Multi-Role Oracle Flaws (4)

• Therefore, it is not surprising that the
  principal playing the role A will answer by
  sending the message Na 1kab in step two of
  the second protocol run.
• Furthermore, this message is also the necessary
  one to finish the first run.
• Finally, the principal playing the role A is
  convinced that the principal playing the role B
  is operational, however this principal may not
  exist any longer in the system.

18
Type Flaws

• The extraction of message components requires a
  full knowledge about their types.
• In fact, a message is implemented in a concrete
  level as a sequence of bits, then to extract the
  value of the first component, for example, we
  need its type (length).
• Such information can be implicit if the receiver
  has a previous knowledge about the messages
  components, their types and their positions.
• Another solution is to represent types explicitly
  in the transmitted data structure.
• In this case, the receiver does not need to know
  previously the types since it will find them
  embedded within the received message.

19
Type Flaws (2)

• Type flaws occur when an adversary can induce the
  receiver to infer message component types which
  are different from their real one.
• The Andrew Secure RPC (From Andrew File System)
  Protocol, presented below, provides a good
  example for this class of flaws.
• Message 1 A -gt B A, Nakab
• Message 2 B -gt A Na 1,Nbkab
• Message 3 A -gt B Nb 1kab
• Message 4 B -gt A kab,Nbkab

20
Type Flaws (3)

• In step one, the principal playing the role A
  sends its identity and a challenge Nakab to
  indicate to the principal playing the role B that
  it wishes to communicate with it.
• At the second step, the principal playing the
  role B sends the message Na 1,Nbkab which is
  a challenge to the principal playing the role A.
• At step three, the principal playing the role A
  replies to the challenge of the principal playing
  the role B by sending the message Nb 1kab.
• At the last step, the principal playing the role
  B creates a session key kab, concatenates it
  with Nb, an identifier for a future
  communication, encrypts the result with the key
  kab and sends it to principal playing the role A.

21
Type Flaws (4)

• Suppose that nonces and keys have the same length
  (x bits).
• This protocol can be attacked as follows
• an intruder I can intercept the message
  Na1,Nbkab sent at the second step and send it
  in step four as Bs reply.
• In this case, the principal playing the role A
  will consider the value of Na 1 as the value of
  the key kab.

22
Type Flaws (5)

• The complete attack is
• Message 1 A -gt B A, Nakab
• Message 2 B -gt A Na 1,Nbkab
• Message 3 A -gt B Nb 1kab
• Message 4 I(B) -gt A Na 1,Nbkab

23
Binding Flaws

• In public key cryptography, it would be
  catastrophic if a principal misjudges the key of
  another.
• In fact, a public key is used to send secret
  information, since only the principal having the
  appropriate private key can decrypt the encrypted
  message.
• However, if, for example, an intruder I having a
  public key ki can convince a principal A that Bs
  public key is ki, then the intruder can read all
  secret messages (encrypted by ki) coming from A
  and going to B.
• To avoid such a flaw, a veritable binding between
  agents and public keys must be established.

24
Binding Flaws (2)

• In general, with a distributed systems, a trusted
  server takes in charge the key distribution task.
  
• Each principal uses an authentication protocol to
  get public keys of other principals from the
  server.
• However, if the authentication protocol is not
  carefully designed, binding flaws can take place.

25
Binding Flaws (3)

• A good illustrative example of this class of
  flaws is given hereafter
• Message 1 A -gt S A,B,Na
• Message 2 S -gt A S, S,A,Na, kbks-1
• Here, the principal playing the role A wishes to
  know the public key of the principal playing the
  role B with the help of the trusted server S.
• At step one, the principal playing the role A
  sends its identity, the identity of the principal
  playing the role B and a nonce Na to the server
  S.
• In step two, the server replies by a message
  containing its identity, As identity, the nonce
  Na (to ensure the freshness of the message) and
  the public key of the principal playing the role
  B.
• All these components are concatenated and
  encrypted under Ss private key (signature)
  allowing the principal playing the role A to be
  sure about the origin of the message.

26
Binding Flaws (4)

• As shown by Hwang and Chen, this protocol can be
  attacked as follows
• Message 1.1 A -gt I(S) A,B,Na
• Message 2.1 I(A) -gt S A, I,Na
• Message 2.2 S -gt I(A) S, S,A,Na, kiks-1
• Message 1.2 I(S) -gt A S, S,A,Na, kiks-1
• At step one of the first protocol run, the
  intruder I intercepts the message A,B,Na,
  substitutes the identity of B by its identity and
  sends the result as the first message of a new
  run of the protocol (Message 2.1).
• At step 2.2, the server replies by a message
  containing Is public key, since it thinks that
  the principal playing the role A is asking for
  this public key.
• Finally, the intruder replays Ss message to the
  principal playing the role A. Thus, a binding
  flaw occurs, since the principal playing the role
  A thinks that the public key of the principal
  playing the role B is ki.

27
Binding Flaws (5)

• To avoid this flaw, Hwang and Chen proposed the
  following modification
• Message 1 A -gt S A,B,Na
• Message 2 S -gt A S, S,A,Na,B, kbks-1

28
Repudiation Flaws

• We say that a cryptographic protocol contains a
  repudiation flaw if at least one principal is
  able to deny its participation in any run of this
  protocol.
• A popular example of this category of flaws was
  given by the coin-flip protocol proposed by
  Toussaint.
• This protocol can be used by two principals to
  toss a coin over a phone as follows
• B sends his choice of Heads or Tails to A.
• A
• chooses a key ka.
• sends the message ka, Headska , ka, Tailska
  to B.
• B chooses arbitrary one of ka, Headska and ka,
  Tailska and sends his choice, say X, to A.

29
Repudiation Flaws (2)

• A decrypts X, compares the result with Bs
  initial choice and sends the key ka to B.
• B decrypts X and compares the result with his
  initial choice.
• The probability that the principal A wins is
  equal to Bs one (1/2) as is shown by Toussaint.
• However, in this protocol, the result of the game
  is known by A before B.
• Then, if the principal A discovers that he has
  lost, he can abort the protocol at step four and
  never reveal the key ka to B at the last step.
• In other terms, the principal A can deny his
  participation in this protocol run and a
  repudiation flaw occurs.

30
Implementation-Dependent Flaws

• Cryptosystems used within cryptographic protocols
  are supposed to be perfect, modulo a set of
  properties containing at least integrity and
  confidentiality.
• However, some examples show that these conditions
  are not sufficient for some protocols, because
  their security can be severely affected by the
  implementation approach adopted for cryptographic
  functions.
• The interaction between cryptosystems and
  cryptographic protocols did not have the chance
  to be deeply studied and it is still an open area
  of research.
• However, it is clear that speaking about the
  security of a protocol combination with respect
  to a specific cryptosystem is better then
  speaking about the security of a protocol in
  absolute.

31
Implementation-Dependent Flaws (2)

• To be convinced by the severity of this problem
  let us see the example proposed by Massey as
  shown below
• Message 1 A -gt B Mka
• Message 2 B -gt A Mkakb
• Message 3 A -gt B Mkb
• Suppose that we use the XOR function to cipher
  messages.
• Hence, if k is a key and M is a message,
  encrypting M under k turns to do the simple
  following operation Mk M ? k.
• Since k ? k 0 (0 ? 0 0 and 1 ? 1 0 ), the
  deciphering transformation is performed by using
  the same operation Mkk M ? k ? k M.

32
Implementation-Dependent Flaws (3)

• The intent of this protocol is to transmit a
  secret message M from a principal playing the
  role A to a principal playing the role B.
• However, if we compute the XOR of the three
  messages used in this protocol
• (Mka ? Mkakb ? Mkb),
• then the result is M (the message which is
  supposed to be secret).

33
Other Flaws

• Elementary Flaws
• Some cryptographic protocols provide only a
  marginal protection against an adversary. In
  general, this category of protocols is breakable
  with a little effort.
• A little protection or a non-protection of a
  protocol leads in almost all the cases to
  so-called elementary flaws.
• A simple example of these flaws can be given by
  the following protocol
• Message 1 A -gt B Na, kabka-1
• Message 2 B -gt A Nakab

34
Other Flaws (2)

• Password Guessing Flaws
• Password guessing flaws occur if it is easy to an
  adversary to guess some secret key.
• An intruder can do an exhaustive search in a word
  space smaller than the whole key space to look
  for keys that are not randomly selected.
• This category of flaws is independent from the
  protocol design but it is related to
  cryptographic techniques used to generate keys.

35
Other Flaws (3)

• Calculi Flaws
• Normally, after receiving a message, the receiver
  does some verification in order to know if this
  received message is the good expected one or not.
• However, if these computations are not completed
  or they are not correctly done, then a calculi
  flaw could arise.

36
References

• Dr. Mourad Debbabi
• http//www.ciise.concordia.ca/debbabi/inse7100.ht
  ml