COSC 6397 Information Assurance

1
COSC 6397 Information Assurance

• Module M2 Protocol Specification and
  Verification
• University of Houston
• Rakesh Verma
• Lecture 1 of M2
• (This work is supported in part by NSF)

2
Contents of M2

• Cryptographic basics
• Types of Protocols
• Security properties
• Taxonomy of Flaws and Attacks
• Specification of Protocols
• Specification of properties
• Protocol analysis

3
Cryptographic Basics

• General principles
• Sender, receiver, plaintext, ciphertext,
  encryption, decryption, etc.
• Symmetric key (or secret key) cryptography
• Public key (or asymmetric) cryptography
• One-way hash algorithms
• All of these were covered in module M1
• ?

4
Cryptographic Basics (contd.)

• Sender one who sends
• Receiver one who receives
• Plaintext message to be sent,
• Notation P or M
• Ciphertext encoding of P or M,
• Notation C

5
Cryptographic Basics (Contd.)

• Encryption the process of disguising a message
  to hide its contents
• Notation E(M) C
• Decryption the process of decoding C to recover
  M
• Notation D(C) M
• Basic Identity D(E(M)) M

6
Cryptographic Basics (contd.)

• Cryptography the art and science of keeping
  messages secure
• Cryptographic algorithm function used for
  encryption and decryption.
• Restricted (secret) or Unrestricted (published)
  our focus
• Unrestricted based on a key K. EK and DK. The
  key for encryption and decryption can be
  different.

7
Cryptographic Basics (contd.)

• Symmetric key cryptography encryption key can
  be computed from the decryption key or vice
  versa.
• Special case the two keys are the same.
• Key(s) must be kept secret!
• Public key cryptography encryption key is
  public the decryption key is not.
• Decryption key should be hard to compute from the
  encryption key!

8
Cryptographic Basics (contd.)

• One-way functions functions that are easy to
  compute but hard to invert
• Computing f(x), given x, is easy
• Computing x, given f(x), is hard
• This sounds easy, but we have no proof that such
  functions exist! We will pretend they do.
• Trapdoor one-way functions one-way functions
  such that
• Computing x, given f(x) and some y, is easy

9
Cryptographic Basics (contd.)

• Notation 1-way for one-way
• 1-way hash functions A hash function that is
  also a 1-way function.
• A good 1-way hash function is also
  collision-free.
• Security of a 1-way hash function is its
  1-wayness.

10
protocol Pronunc () n.

• 1.
• The forms of ceremony and etiquette observed by
  diplomats and heads of state.
• A code of correct conduct safety protocols
  academic protocol.
• 2. The first copy of a treaty or other such
  document before its ratification.
• 3. A preliminary draft or record of a
  transaction.
• 4. The plan for a course of medical treatment or
  for a scientific experiment.
• 5. Computer Science. A standard procedure for
  regulating data transmission between computers.

11
Protocols

• Protocol a series of steps involving two or
  more parties to accomplish a task.
• Must be unambiguous
• Must be complete in some sense (specified action
  for lots of possible situations).
• Each step is either a computation or a message
• Parties may distrust each other

12
Types of Protocols

• Our protocols are cryptographic use
  cryptography for preventing eavesdropping,
  cheating, etc.
• Goal of the protocol is beyond secrecy.
• Examples simultaneously sign a contract,
  convince one another of their identity, etc.
• Protocols can be classified in many ways
• According to parties involved, the purpose, the
  environment, etc.

13
Classification by Parties

• Arbitrated protocols
• Adjudicated protocols
• Self-enforcing protocols

14
Arbitrated Protocols

• Arbitrated protocols have an arbitrator, a
  disinterested third party trusted to complete a
  protocol.
• Easier if parties are face to face.
• Over computer networks this results in delay and
  overheads.
• Arbitrator becomes a bottleneck.
• Scaling issues.
• Arbitrator is vulnerable.

15
Adjudicated Protocols

• Adjudicated protocols A two stage protocol
  with
• A nonarbitrated subprotocol
• An arbitrated subprotocol executed only in
  exceptional circumstances a dispute.
• This kind of arbitrator is called adjudicator
• Adjudicator only called in to judge fair
  execution of protocol. Detects cheating rather
  than preventing.
• Good adjudicated protocol adjudicator should be
  able to determine cheaters identity

16
Self-enforcing Protocols

• Self-enforcing protocols protocol itself
  guarantees fairness.
• No arbitrator or adjudicator if one party
  cheats, the others detect the cheating.
• Best type of protocol.
• Do not exist for every situation.
• Exercise Find a situation for which there are no
  self-enforcing protocols.

17
Protocol Classification by Aim

• Key-exchange protocols
• Authentication protocols
• Authentication and Key exchange protocols
• Electronic Commerce protocols

18
Key Exchange Protocols

• Goal is to distribute keys for secure sessions,
  channels, communication, etc.
• Classical key exchange protocols
• TMN
• Symmetric Needham-Schroeder
• Denning-Sacco
• Deployed Protocols
• Kerberos IV
• SSL/TLS

19
The TMN Protocol (1990)

• (Tatebayashi-Matsuzaki-Newman)
• Suitable for networks, mobile computing.
• Symmetric. Trusted Server S.
• Parties dont have long term keys.
• Randomly chosen keys KA , KB , etc.
• Standard encryption function E(.), invertible
  only by server.
• Vernam encryption function V(., .)
• V(M, V(M, N)) N

20
The TMN Protocol

• A S A, S, B, E(KA)
• S B S, B, A
• B S B, S, A, E(KB)
• S A S, A, B, V(KA , KB)
• A extracts KB from message 4.
• Parties should agree on the session key chosen by
  B.

21
An Implementation of TMN

• n p.q, p, q are primes
• E(x) x3 mod n
• S knows the 2 prime factors of n
• V(x , y) x exclusive-or y
• Protocol looks good, but has big flaws!

22
Authentication Protocols

• Authentication protocols for authentication of
  parties (principals)
• Authentication assurance of who you are talking
  to
• Examples of specific aims
• To make sure that those obtaining a session key
  are who they say they are
• Make sure that the principal you think has the
  key does have it.

23
Authentication Protocols

• Passwords or shared keys typically used by system
  administrators
• Authentication can be a byproduct of a
  key-exchange protocol
• Some authentication protocols
• Feige-Fiat-Shamir (1987)
• Guillou-Quisquater (1988)
• Schnorr (1989)

24
Guillou-Quisquater Protocol

• Smart-cards and other applications
• Alice wants to prove her identity, bit string J,
  to Victor
• Public information exponent v, and a number n
• (n p.q, p and q primes)
• Private key B, with JBv 1 (mod n)

25
Guillou-Quisquater Protocol

• A V J
• P wants to prove that this J is hers
• A V T rv mod n (1 lt r lt n - 1, r random)
• V A d (0 lt d lt v 1, d random)
• A V D rBd mod n
• V computes T DvJd mod n. If T T (mod n),
  authentication succeeds.

26
3 Important Concepts

• Security
• Privacy
• Reliability

27
Security

• Security the control of information.
• Ensures that
• Authorized parties are properly authenticated
• Their messages are sent through a network
  unaltered.
• In a secure system the origin, content and
  intended recipients of a message can be ensured.
• Security is not privacy.

28
Privacy

• Privacy the subject of information can control
  the information.
• Privacy requires security, but security is not
  sufficient.
• Security may preclude privacy! (by assuring that
  the subjects of information have neither control
  nor knowledge of the uses of that information)

29
Reliability

• Reliability provide certainty in the presence
  of network failures, memory losses and
  adversaries.
• Reliability and security are interdependent.
• Reliability is not security. Reliable protocols
  on unsecure servers provide reliable services to
  attackers as well as authentic users.
• Reliable electronic commerce requires fail-proof
  transactions.

30
Security Properties

• Authentication receiver of a message should
  be able to ascertain its origin.
• An intruder should not be able to masquerade as
  someone else.
• Implemented using shared information or ability
  to prove unique information (PINs and passwords).
• Secrecy confidentiality. If a message is
  confidential it can be read only by intended
  recipients.
• Eavesdropping is difficult or useless

31
Security Properties (contd.)

• Integrity receiver of a message can verify that
  it has not been modified in transit.
• Integrity alone is not security.
• Availability a system must be available
• availability can be compromised by malicious
  hackers, network failures or commercial
  espionage.
• Nonrepudiation a party cannot reasonably claim
  not to have taken an action.
• Example sender falsely denies sending a message.

32
Reliability Properties

• Atomicity indivisibility. An atomic transaction
  either fails completely or succeeds completely.
• Consistency all relevant parties agree on
  critical facts of the exchange.
• Isolation result of a set of overlapping
  transactions must be serializable
• Durability a transaction can recover to its
  last consistent state.

33
Other Properties

• Other properties may also be needed.
• For example, in Electronic Commerce
• Certified Delivery
• Goods Atomicity
• Etc.
• are also required.

34
Primary References

• Bruce Schneier, Applied Cryptography
• Linda Jean Camp, Privacy and Reliability in
  Electronic Commerce, PhD dissertation, CMU