Cryptographic Protocols Lecture 8

CSCE 522 - Farkas

1
Cryptographic Protocols Lecture 8
2
Reading Assignment
  • Reading assignments for current lecture
  • Required
  • Pfleeger 2.8
  • Recommended
  • C. Meadows, Formal Methods for Cryptographic
    Protocol Analysis: Emerging Issues and Trends,
    http://citeseer.ist.psu.edu/meadows03formal.html
  • Reading assignments for next class
  • Required
  • Pfleeger Ch 3
  • Test 1: Chapters 1, 2, and 3

3
Cryptographic Protocols
  • Two or more parties
  • Communication over insecure network
  • Cryptography used to achieve goal
  • Exchange secret keys
  • Verify identity (authentication)
  • Secure transaction processing

4
Emerging Properties of Protocols
  • Greater interoperation
  • Negotiation of policy
  • Greater complexity
  • Group-oriented protocols
  • Emerging security threats

5
Protocols
  • Good protocol characteristics
  • Established in advance
  • Mutually subscribed
  • Unambiguous
  • Complete

6
Symmetric-Key Distribution: Symmetric-Key Techniques
  • Symmetric-Key without Server
  • Symmetric-Key with Server

See previous lectures!
7
Symmetric-Key Distribution: Public-Key Techniques
  • Simple secret key distribution
  • Secret key distribution with confidentiality and
    authentication
  • Diffie-Hellman Key Exchange

8
Simple secret key distribution
  • 1. Sender → Recipient: KE-S || ID-S
  • 2. Recipient → Sender: E_KE-S(Ksession)

Vulnerable to active attack!
9
With confidentiality and authentication
  • 1. Sender → Recipient: E_KE-R(N1 || ID-A)
  • 2. Recipient → Sender: E_KE-S(N1 || N2)
  • 3. Sender → Recipient: E_KE-R(N2)
  • 4. Sender → Recipient: E_KE-R(E_KD-S(Ksession))

10
Diffie-Hellman Key Exchange
  • Proposed in 1976
  • First public key algorithm
  • Allows group of users to agree on secret key over
    insecure channel
  • Cannot be used to encrypt and decrypt messages

11
Diffie-Hellman Key Exchange
  • Protocol: A and B want to agree on a shared
    secret key
  • A and B agree on two large numbers n and g, such
    that 1 < g < n
  • A chooses random x, computes X = g^x mod n and
    sends X to B
  • B chooses random y, computes Y = g^y mod n and
    sends Y
  • A computes k = Y^x mod n
  • B computes k' = X^y mod n
  • Note: k = k' = g^(yx) mod n

12
Diffie-Hellman Key Exchange
  • Requires no prior communication between A and B
  • Security depends on difficulty of computing x
    given X = g^x mod n
  • Choices for g and n are critical: both n and
    (n-1)/2 should be prime, n should be large
  • Susceptible to intruder-in-the-middle attack
    (active intruder)

13
Intruder in the Middle Attack
Parties: John, Intruder, Rose
  • John → Intruder: "Hi Rose, I'm John."
  • Intruder → Rose: "Hi Rose, I'm John."
  • Rose → Intruder: "Hi John, I'm Rose."
  • Intruder → John: "Hi John, I'm Rose."
Intruder and John use Diffie-Hellman to agree on key K.
Intruder and Rose use Diffie-Hellman to agree on key K'.
K and K' may be the same.
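Added example (not from the lecture slides): the exchange from slides 11-12, including the requirement that n and (n-1)/2 both be prime, and the substitution from slide 13, written in Python. The 64-bit modulus, g = 2 and all function names are assumptions chosen so the demonstration runs quickly; they are not usable parameter sizes.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a proves n composite
    return True

def safe_prime(bits):
    """Find n such that both n and (n-1)/2 are prime (slide 12)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1

def keypair(g, n):
    x = secrets.randbelow(n - 3) + 2              # secret exponent in [2, n-2]
    return x, pow(g, x, n)                        # (x, X = g^x mod n)

def exchange(g, n, intruder=False):
    """Return (John's key, Rose's key, intruder's two keys or None)."""
    x, X = keypair(g, n)                          # John sends X
    y, Y = keypair(g, n)                          # Rose sends Y
    if not intruder:
        return pow(Y, x, n), pow(X, y, n), None   # k = Y^x = X^y = k'
    z, Z = keypair(g, n)                          # both X and Y replaced by Z
    return pow(Z, x, n), pow(Z, y, n), (pow(X, z, n), pow(Y, z, n))

if __name__ == "__main__":
    n = safe_prime(64)                            # toy size (assumption)
    print(exchange(2, n), exchange(2, n, intruder=True))
```

With the intruder present, John's key matches the intruder's first key and Rose's key matches the second, so neither honest party sees a failure: unauthenticated Diffie-Hellman gives no signal that the public values were replaced.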
14
Asymmetric-Key Exchange
  • Without server
  • Broadcasting
  • Publicly available directory
  • With server
  • Public key distribution center
  • Certificates

15
Public announcement
John Smith announces his public key KE-J.S. to all other users.
Bad: uncontrolled distribution → easy to forge
16
Publicly available directory
Public Key Directory
  • John Smith: KE-J.S.
  • Mary Rose: KE-M.R.
Better, but not good enough → directory could be compromised
17
Public-key authority
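Parties: Public-Key Authority, Sender, Recipient
  • 1. Sender → Authority: Request || Time1
  • 2. Authority → Sender: E_KD-Auth(KE-R || Request || Time1)
  • 3. Sender → Recipient: E_KE-R(ID-S || N1)
  • 4. Recipient → Authority: Request || Time2
  • 5. Authority → Recipient: E_KD-Auth(KE-S || Request || Time2)
  • 6. Recipient → Sender: E_KE-S(N1 || N2)
  • 7. Sender → Recipient: E_KE-R(N2)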
18
Public-key certificates
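Parties: Certificate Authority, Sender, Recipient
  • Sender sends KE-S to the Certificate Authority and receives
    C-S = E_KD-CAuth(Time1, ID-S, KE-S)
  • Recipient sends KE-R to the Certificate Authority and receives
    C-R = E_KD-CAuth(Time2, ID-R, KE-R)
  • 1. Sender → Recipient: C-S
  • 2. Recipient → Sender: C-R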
19
Certificates
  • Guarantees the validity of the information
  • Establishing trust
  • Public key and user identity are bound together,
    then signed by someone trusted
  • Need digital signature

20
Digital Signature
  • Need the same effect as a real signature
  • Un-forgeable
  • Authentic
  • Non-alterable
  • Not reusable

21
Digital signature
  • Direct digital signature: public-key cryptography
    based
  • Arbitrated digital signature
  • Conventional encryption
  • Arbiter sees message
  • Arbiter does not see message
  • Public-key based
  • Arbiter does not see message

22
Digital Signatures in RSA
Sender: Plaintext → Sign (S's private key) → Signed plaintext
Insecure channel
Recipient: Signed plaintext → Verify (S's public key) → Plaintext
Diagram boxes: Encryption Alg., Decryption Alg.
S's public key: need reliable channel
23
Non-repudiation
  • Requires notarized signature, involving a third
    party
  • Large system: hierarchies of notarization

24
Voting System
  • Goal: to establish the intent of the voter, and
    transfer that intent to the vote counter
  • Assumptions
  • Vote is open and everyone can monitor it
  • Requirements
  • Anonymous
  • Scalable (speed, efficiency)
  • Auditable
  • Accurate
  • Need to focus on accuracy and availability

25
Protocol Analysis
26
What is Protocol Analysis
  • Cryptographic Protocols
  • Attacker's capabilities
  • Security?
  • Hostile environment
  • Vulnerabilities
  • Weakness of cryptography
  • Incorrect specifications

27
Attacker's Capabilities
  • Read traffic
  • Modify traffic
  • Delete traffic
  • Perform cryptographic operations
  • Control over network principals

28
Attacks
  • Known attacks
  • Can be picked up by careful inspection
  • Nonintuitive attacks
  • Not easily apparent
  • May not depend on flaws or weaknesses of
    cryptographic algs.
  • Use variety of methods, e.g., statistical
    analysis, subtle properties of crypto algs., etc.

29
Formal Methods
  • Combination of a mathematical or logical model of
    a system and its requirements and
  • Effective procedures for determining whether a
    proof that a system satisfies its requirements is
    correct.

Can be automated!
30
Example: Needham-Schroeder
  • Famous simple example
  • Protocol published and known for 10 years
  • Gavin Lowe discovered unintended property while
    preparing formal analysis using FDR system
  • Subsequently rediscovered by every analysis method

From J. Mitchell
31
Needham-Schroeder Crypto
  • Nonces
  • Fresh, Random numbers
  • Public-key cryptography
  • Every agent A has
  • Public encryption key Ke-a
  • Private decryption key Kd-a
  • Main properties
  • Everyone can encrypt message to A
  • Only A can decrypt these messages

From J. Mitchell
32
Needham-Schroeder Key Exchange
  • 1. A → B: { A, NonceA }Ke-b
  • 2. B → A: { NonceA, NonceB }Ke-a
  • 3. A → B: { NonceB }Ke-b

On execution of the protocol, A and B are
guaranteed mutual authentication and secrecy.
From J. Mitchell
33
Needham Schroeder properties
  • Responder correctly authenticated
  • When initiator A completes the protocol
    apparently with honest responder B, it must be
    that B thinks he ran the protocol with A
  • Initiator correctly authenticated
  • When responder B completes the protocol
    apparently with honest initiator A, it must be
    that A thinks she ran the protocol with B
  • Initiator nonce secrecy
  • When honest initiator completes the protocol with
    honest peer, intruder does not know initiator's
    nonce.

From J. Mitchell
34
Anomaly in Needham-Schroeder
Lowe
Between A and C:
  • A → C: { A, NA }Ke-c
  • C → A: { NA, NB }Ke-a
  • A → C: { NB }Ke-c
Between C and B:
  • C → B: { A, NA }Ke-b
  • B → C: { NA, NB }Ke-a
Evil agent C tricks honest A into
revealing private key NB from B
Evil C can then fool B
From J. Mitchell
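Added example (not from the slides or from J. Mitchell's material): a symbolic Python model of the interleaving on slide 34, checked against the properties listed on slide 33. It goes one step beyond the slides by also running the variant in which message 2 carries the responder's name, the correction Lowe published; the `Enc` tuple, `dec` and `lowe_run` are hypothetical names and encryption is modelled symbolically, not computed.

```python
from collections import namedtuple

# {body}Ke-to: symbolic public-key ciphertext that only agent `to` can open.
Enc = namedtuple("Enc", "to body")

def dec(agent, c):
    """Decrypt with Kd-agent; fails for anyone but the intended recipient."""
    if c.to != agent:
        raise PermissionError(f"{agent} cannot decrypt a message for {c.to}")
    return c.body

def lowe_run(with_responder_id=False):
    """Interleave A's honest run with C and C's run with B in A's name."""
    NA, NB = "NA", "NB"                       # symbolic fresh nonces
    m1 = Enc("C", ("A", NA))                  # A -> C : {A, NA}Ke-c
    m1b = Enc("B", dec("C", m1))              # C -> B : {A, NA}Ke-b
    peer, na = dec("B", m1b)                  # B believes the initiator is A
    reply = (na, NB, "B") if with_responder_id else (na, NB)
    m2 = Enc(peer, reply)                     # B -> A : {NA, NB}Ke-a
    try:
        dec("C", m2)                          # C cannot read NB from m2 ...
        c_opened_m2 = True
    except PermissionError:
        c_opened_m2 = False                   # ... so C forwards m2 unchanged
    body = dec("A", m2)
    # A checks its nonce; in the variant it also checks the responder name,
    # which must be C because A started its run with C.
    if body[0] != NA or (with_responder_id and body[2] != "C"):
        return {"a_aborts": True, "c_opened_m2": c_opened_m2,
                "c_learns_nb": False, "b_accepts_a": False}
    m3 = Enc("C", (body[1],))                 # A -> C : {NB}Ke-c
    leaked = dec("C", m3)[0]                  # C now holds NB
    m3b = Enc("B", (leaked,))                 # C -> B : {NB}Ke-b
    b_ok = dec("B", m3b)[0] == NB             # B completes, apparently with A
    return {"a_aborts": False, "c_opened_m2": c_opened_m2,
            "c_learns_nb": leaked == NB, "b_accepts_a": b_ok and peer == "A"}
```

In the original protocol the run ends with B accepting A although A only ever ran the protocol with C, which violates "initiator correctly authenticated"; with the responder's name inside message 2, A aborts before NB is released.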
35
Security Analysis
  • Understand system requirements
  • Model
  • System
  • Attacker
  • Evaluate security properties
  • Under normal operation (no attacker)
  • In the presence of attacker
  • Security results under given assumptions about
    system and about the capabilities of the
    attackers.

36
Explicit intruder model
Diagram boxes: Informal Protocol Description, Intruder Model, Formal Protocol, Analysis Tool, Find error
From J. Mitchell
37
Protocol Analysis Spectrum
From J. Mitchell
38
Next class
Software Security vs. Security Software