UT CS 395T - Great Papers in Computer Security

This preview shows page 1-2-3-25-26-27 out of 27 pages.


slide 1
0x1A Great Papers in Computer Security
Vitaly Shmatikov
CS 380S
http://www.cs.utexas.edu/~shmat/courses/cs380s/

slide 2
Cryptographic Protocols

Use cryptography to achieve some higher-level security objective
  • Authentication, confidentiality, integrity, key distribution or establishment…
Examples: SSL/TLS, IPsec, Kerberos, SSH, 802.11b and 802.11i, Skype, S/MIME, hundreds of others
  • New protocols constantly proposed, standardized, implemented, and deployed

slide 3
Needham-Schroeder Protocols

Needham and Schroeder. “Using Encryption for Authentication in Large Networks of Computers” (CACM 1979)
Initiated the field of cryptographic protocol design
  • Led to Kerberos, IPsec, SSL, and all modern protocols
Observed the need for rigorous protocol analysis
  • “Protocols … are prone to extremely subtle errors that are unlikely to be detected in normal operation… The need for techniques to verify the correctness of such protocols is great, and we encourage those interested in such problems to consider this area.”

slide 4
Things Go Wrong

Many simple attacks against protocols have been discovered over the years
  • Even carefully designed, widely deployed protocols ...often years after the protocol has been deployed
    – Examples: SSL, SSH, 802.11b, GSM
  • Simple = attacks do not involve breaking crypto!
Why is the problem difficult?
  • Concurrency + distributed participants + (often incorrect) use of cryptography
  • Active attackers in full control of communications
  • Implicit assumptions and goals behind protocols

M. Abadi and R. Needham
Prudent Engineering Practice for Cryptographic Protocols (Oakland 1994)

slide 6
Design Principles (1)

1. Every message should say what it means
2. The conditions for a message to be acted on should be clearly set out
3. Mention the principal’s name explicitly in the message if it is essential to the meaning
4. Be clear as to why encryption is being done
5. Don’t assume a principal knows the content of encrypted material that is signed by that principal

slide 7
Design Principles (2)

6. Be clear on what properties you are assuming about nonces
7. Predictable quantities used for challenge-response should be protected from replay
8. Timestamps must take into account local clock variation and clock maintenance mechanisms
9. A key may have been used recently, yet be old

slide 8
Design Principles (3)

10. If an encoding is used to present the meaning of a message, then it should be possible to tell which encoding is being used
11. The protocol designer should know which trust relations his protocol depends on

slide 9
NS Symmetric-Key Protocol

Goal: A and B establish a fresh, shared, secret key Kc with the help of a trusted key server
[Diagram] Alice holds Ka, Bob holds Kb, the trusted key server holds Ka, Kb
  Alice → Trusted key server: A, B, NonceA
  Trusted key server → Alice: { NonceA, B, Kc, {Kc, A}Kb }Ka
  Alice → Bob: {Kc, A}Kb
  Bob → Alice: {NonceB}Kc
  Alice → Bob: {NonceB-1}Kc

slide 10
Denning-Sacco Attack

Attacker recorded an old session and compromised session key Kx used in that session
[Diagram]
  Attacker → Bob: {Kx, A}Kb
  Bob → Attacker: {NonceB}Kx
  Attacker → Bob: {NonceB-1}Kx
B now believes he shares a fresh secret Kx with A
Moral: use timestamps to detect replay of old messages

G. Lowe
Breaking and Fixing the Needham-Schroeder Public-Key Protocol using FDR (TACAS 1996)

slide 12
NS Public-Key Protocol

[Diagram]
  A → B: { A, NonceA }Kb   (A’s identity; fresh random number generated by A; encrypted with B’s public key)
  B → A: { NonceA, NonceB }Ka
  A → B: { NonceB }Kb
A’s reasoning: The only person who could know NonceA is the person who decrypted the first message. Only B can decrypt message encrypted with Kb. Therefore, B is on the other end of the line. B is authenticated!
B’s reasoning: The only way to learn NonceB is to decrypt the second message. Only A can decrypt second message. Therefore, A is on the other end. A is authenticated!

slide 13
What Does This Protocol Achieve?

[Diagram]
  A → B: { A, NonceA }Kb
  B → A: { NonceA, NonceB }Ka
  A → B: { NonceB }Kb
Protocol aims to provide both authentication and secrecy
After this exchange, only A and B know NonceA and NonceB, so they can be used to derive a shared key

slide 14
Lowe’s Attack on NSPK

[Diagram]
  A → B: { A, Na }Kb
  B → C: { A, Na }Kc   (Evil B pretends that he is A)
  C → B: { Na, Nc }Ka   (B can’t decrypt this message, but he can replay it)
  B → A: { Na, Nc }Ka
  A → B: { Nc }Kb
Evil participant B tricks honest A into revealing C’s nonce Nc
C is convinced that he is talking to A!

slide 15
Abadi-Needham Principle #1

Every message should say what it means
[Diagram]
  A → B: { A, Na }Kb
  B → C: { A, Na }Kc
  C → B: { Na, Nc }Ka
  B → A: { Na, Nc }Ka   (Who sent this message?)

slide 16
Lowe’s Fix to NSPK

[Diagram]
  A → B: { A, NonceA }Kb
  B → A: { NonceA, B, NonceB }Ka
  A → B: { NonceB }Kb
Does this solve the problem? How?

slide 17
Lessons of Lowe’s Attack

Attacker is a legitimate protocol participant!
Exploits participants’ reasoning to fool them
  • A is correct that B must have decrypted {A,Na}Kb message, but this does not mean that the {Na,Nb}Ka message came from B
  • The attack does not rely on breaking cryptography!
It is important to realize limitations of protocols
  • The attack requires that A willingly talk to adversary
  • In the original setting, each workstation is assumed to be well-behaved, and the protocol is correct!
Discover attacks like this automatically?

slide 18
Analyzing Security Protocols

Model protocol
Model adversary
Formally state security properties
See if properties preserved under attack
Result: under given assumptions about the system, no attack of a certain form will destroy specified properties
  • There is no “absolute” security

slide 19
Crypto Protocol Analysis

[Diagram labels] Analysis Techniques; Formal Models; Computational Models; Modal Logics; Model Checking; Game Theory; Dolev-Yao (perfect cryptography); Random oracle; Probabilistic process calculi; Probabilistic I/O automata; …; Finite-state Checking; Process Calculi; …; Symbolic Analysis; Applied pi calculus; BAN logic; Finite processes, infinite attacker; Finite processes, finite attacker

Dolev-Yao Model (1983)

Abstract, idealized model of cryptography
  • Treat cryptographic operations as abstract data types
    – Symmetric-key decryption: decrypt({M}K,K) = M
    – Public-key decryption: decrypt({M}PubKey(A), PrivKey(A)) = M
Attacker is a nondeterministic process
  • Can intercept any message, decompose into parts
  • Decrypt if and only if it knows the correct key
  • Create new message from data it has observed
Attacker cannot perform computational analysis
  • Cannot analyze actual
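
The exchange from the "Lowe's Attack on NSPK" and "Lowe's Fix to NSPK" slides, replayed against an attacker limited to the Dolev-Yao public-key decryption rule above, to show why naming the responder in message 2 stops the nonce leak. This is an added example, not code from the lecture or from Lowe's paper; the term encoding and the names `aenc`, `analyze`, `honest_a`, `honest_c` and `lowe_scenario` are assumptions made for illustration.

```python
# Symbolic terms only (constructed for this example): no real cryptography.
def aenc(owner, *fields):
    """{fields}K_owner as a symbolic term; only PrivKey(owner) opens it."""
    return ("aenc", owner, fields)

def analyze(terms):
    """Dolev-Yao decomposition: decrypt a term iff its private key is known."""
    known = set(terms)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if isinstance(t, tuple) and t[0] == "aenc" and ("priv", t[1]) in known:
                for part in t[2]:
                    if part not in known:
                        known.add(part)
                        changed = True
    return known

def honest_a(m2, peer, na, fixed):
    """A's step 3: check the reply, then return {N2}K_peer, or None to abort."""
    fields = m2[2]                      # A opens m2 with her own private key
    if fields[0] != na or (fixed and fields[1] != peer):
        return None                     # wrong nonce, or responder is not peer
    return aenc(peer, fields[-1])

def honest_c(m1, nc, fixed):
    """C's step 2: answer {X, N1}Kc with {N1, Nc}K_X (the fix adds C's name)."""
    claimed, n1 = m1[2]
    return aenc(claimed, n1, "C", nc) if fixed else aenc(claimed, n1, nc)

def lowe_scenario(fixed):
    """A opens a session with dishonest B; B relays to C. Does B learn Nc?"""
    attacker = {("priv", "B"), "A", "B", "C"}
    m1 = aenc("B", "A", "Na")                        # 1.  A -> B : {A, Na}Kb
    attacker = analyze(attacker | {m1})              # B opens it and learns Na
    m1_for_c = aenc("C", "A", "Na")                  # 1'. B(A) -> C : {A, Na}Kc
    assert all(f in attacker for f in m1_for_c[2])   # built only from known data
    m2 = honest_c(m1_for_c, "Nc", fixed)             # 2.  C -> A, relayed by B unopened
    attacker = analyze(attacker | {m2})
    m3 = honest_a(m2, "B", "Na", fixed)              # 3.  A -> B : {Nc}Kb, or abort
    if m3 is not None:
        attacker = analyze(attacker | {m3})
    return "Nc" in attacker

if __name__ == "__main__":
    print("original NSPK leaks Nc:", lowe_scenario(False))
    print("Lowe's fix leaks Nc:  ", lowe_scenario(True))
```

In the fixed run A sees the name C where she expects B and never sends message 3, so the attacker's knowledge set never grows to include Nc.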

