Security Protocols Luca Vigano Institut fu r Informatik Albert Ludwigs Universita t Freiburg www informatik uni freiburg de luca 01 03 02 Luca Vigano 1 Roadmap Introduction Definition and purpose of security protocols Security protocols for communication Security protocols in detail Terminology Types of protocols Some basic authentication protocols Attack examples Design principles Formal analysis An Introduction to IT Security 01 03 02 Luca Vigano 2 Networks are insecure The only really secure computer is an isolated turned off computer Spies attackers are everywhere Non encrypted communication allows for passive active attacks on messages hijacking of connections routing spoofing What I m talking about comes down to a more basic philosophical principle Don t trust nobody David Mamet House of Games Solution use security protocols based on cryptographic algorithms An Introduction to IT Security 01 03 02 Luca Vigano 3 A definition Protocol a series of steps involving two or more agents designed to accomplish a task Series of steps a fixed sequence of actions computing sending receiving from start to finish Designed to accomplish a task the protocol must achieve something specific Involving two or more agents At least two agents are required to complete the protocol One agent alone does not make a protocol e g he can perform a series of steps to accomplish a task like baking a cake but someone else must eat the cake to make it a protocol An Introduction to IT Security 01 03 02 Luca Vigano 4 The purpose of protocols In daily life informal protocols for almost everything Ordering goods on the phone playing poker voting in an election Everyone knows how to use them and they work reasonably well In computer networks formal protocols Not face to face hence security is in danger Formalization examine ways in which dishonest agents can subvert protocols and develop immune protocols Also abstraction platform independence An Introduction to IT Security 01 03 02 Luca Vigano 5 Ground rules Everyone involved in the protocol must know the protocol and all the steps to follow in advance agree to follow it The protocol must be unambiguous each step must be well defined complete there must be a specified action for every possible situation It must be impossible to do more or learn more than what is specified in the protocol An Introduction to IT Security 01 03 02 Luca Vigano 6 Security protocols for communication Goal secure communication between agents users computers processes Secrecy confidentiality who can receive read messages Authentication who is talking Key distribution distribute keys for private or authenticated communication Integrity non repudiation accountability anonymity unobservability Small programs often less than 10 messages Based on but independent of cryptographic algorithms which are well known and well established negotiated each side communicates its preferred ones replaced if broken An Introduction to IT Security 01 03 02 Luca Vigano 7 Security protocols for communication cont Agents cooperate by exchanging messages Luca Bank Pay DM 100 to Uwe Jendricke K 1 Luca Agents use the messages received together with modeling assumptions about the behavior of other agents to make decisions on how to act Should the Bank carry out the money transfer Should Luca believe that everything is alright after he receives Bank Luca We payed DM 100 to Uwe Jendricke K 1 Bank Decisions depend on what can be assumed of messages they received e g receiver wants to be sure that a received message has been created recently by the agent claiming to be sender agents must be able to detect when a message has been created or modified by a malicious agent agents must be able to detect when a message was issued some time ago or for a different purpose and is currently being replayed An Introduction to IT Security 01 03 02 Luca Vigano 8 Threats and attacks Perfect encryption is usually assumed no codebreaking Different types of attackers and attacks Active attacker assumed to have complete access to communication between agents knowledge of the protocols and of the cryptographic algorithms employed Passive attacker mainly eavesdropping Cheater one of the agents involved in the protocol Careless and compromized agents A friend s just an enemy in disguise You can t trust nobody Charles Dickens Oliver Twist Formal analysis and design model verify and improve protocols An Introduction to IT Security 01 03 02 Luca Vigano 9 Roadmap Introduction Definition and purpose of security protocols Security protocols for communication Security protocols in detail Terminology Types of protocols Some basic authentication protocols Attack examples Design principles Formal analysis An Introduction to IT Security 01 03 02 Luca Vigano 10 The players Dramatis personae Agents participants principals users Honest Alice and Bob and Carol and Dave Trent Trusted arbitrator Server Trusted server a k a Simon Dishonest Eve Eavesdropper Mallory Malicious active attacker An Introduction to IT Security 01 03 02 Luca Vigano 11 Types of protocols Arbitrated a disinterested arbitrator is trusted to complete the protocol Adjudicated additional arbitrated sub protocol is executed in case of dispute Self enforcing protocol constructed so that there cannot be any disputes An Introduction to IT Security 01 03 02 Luca Vigano 12 Arbitrated protocols Alice and Bob trust the disinterested arbitrator Trent to complete the protocol Trent Alice Bob Real world Trent is lawyer banker notary public who will do his part and is paid in any case Problems arbitrator is faceless is expensive causes delay is a bottleneck is a vulnerable point in the network An Introduction to IT Security 01 03 02 Luca Vigano 13 Adjudicated protocols An arbitrated protocol can be divided into two subprotocols non arbitrated protocol executed every time to complete protocol arbitrated protocol executed in case of dispute with adjudicator e g judge Alice Bob Trent After the fact Evidence Evidence Real world contract signing 1 1 1 2 1 3 2 1 2 2 2 3 Alice and Bob negotiate the terms of the contract Alice signs the contract Bob signs the contract Alice and Bob appear before a judge Alice and Bob each present their evidence The judge rules on the evidence An Introduction to IT Security 01 03 02 Luca Vigano 14 Self enforcing protocols Constructed so that there cannot be any disputes If Bob tries to cheat Alice immediately detects this and stops the protocol Alice Bob Best type of