Formal Methods for Security Protocols - PowerPoint PPT Presentation

Slides: 17
Provided by: catu151
Learn more at: http://www.cse.msu.edu
1
Formal Methods for Security Protocols
  • Catuscia Palamidessi
  • Penn State University, USA

2
Plan of the lectures
  • A brief overview of Security Protocols
  • A very brief overview of Cryptographic Methods
  • A brief overview of Concurrency Theory
  • Specification and Verification of SP
  • The CSP/FDR approach
  • Examples
  • Modeling secrecy
  • Modeling authentication
  • The Needham-Schroeder PK protocol
  • Modeling anonymity
  • The spi calculus approach
  • Examples
  • Model checking unbounded systems

3
Security Protocols
  • Aka Cryptographic Protocols
  • Goals
  • Security services across a distributed system
  • Establishing session keys between partners
  • Authentication of agents and nodes
  • Ensuring secrecy
  • Ensuring integrity
  • Ensuring anonymity
  • ...

4
Security Protocols
  • How they work
  • Exchange of messages between nodes
  • May involve a trusted third party
  • Use of various cryptographic mechanisms
  • Symmetric / asymmetric encryption
  • Hash functions
  • Digital signatures
  • ...
  • Hostile environment
  • Agents deliberately trying to undermine the
    protocol. In the literature such hostile agents
    are also referred to as intruders, spies, enemies,
    attackers, eavesdroppers, penetrators.

5
Security Protocols
  • Example: The Needham-Schroeder Secret-Key (NSSK)
    protocol
  • One of the earliest protocols
  • Basis of the Kerberos authentication and
    authorization system
  • It uses purely symmetric encryption algorithms
  • Purpose: Enable two parties (Alice and Bob) to
    establish a secure channel of communication with
    the help of a trusted server (Jeeves)
  • We assume that Alice and Bob share private,
    long-term keys with Jeeves so each of them is
    able to communicate securely with Jeeves
  • Questions
  • Why do we want a direct secure channel between
    Alice and Bob?
  • Jeeves would become a bottleneck and a possible
    point of failure
  • Communication along a very secure, long-term key
    is expensive
  • Alice and Bob may not want to reveal their
    secrets to Jeeves
  • Why don't we provide upfront a private long-term
    key for every pair of agents which may wish to
    communicate?
  • $N^2$ keys required
  • many keys may not be needed
  • the number of agents may change dynamically
  • long-term keys are more vulnerable or more
    expensive

6
Security Protocols
  • Notation
  • Message n   x -> y    data
  • in the n-th step agent x dispatches a message
    data to agent y
  • $n_x$
  • a nonce generated by agent x. A nonce is a fresh,
    unique, unpredictable number
  • $\{data\}_k$
  • the value data encrypted with key k
  • m.n
  • text m followed by (concatenated with) text n

7
Security Protocols
  • Example: The NSSK protocol
  • Alice (A) and Bob (B) establish a secure channel
    with the help of Jeeves (J)
  • Message 1   A -> J    $A.B.n_A$
  • Message 2   J -> A    $\{n_A.B.k_{AB}.\{k_{AB}.A\}_{ServerKey(B)}\}_{ServerKey(A)}$
  • Message 3   A -> B    $\{k_{AB}.A\}_{ServerKey(B)}$
  • Message 4   B -> A    $\{n_B\}_{k_{AB}}$
  • Message 5   A -> B    $\{n_B - 1\}_{k_{AB}}$
  • At the end A and B share a new key $k_{AB}$
    generated by J

8
Security Properties
  • To say that a protocol is "secure" or
    "correct" does not mean anything. It is always
    necessary to specify exactly the properties that
    a security protocol is supposed to satisfy and
    the precise assumptions on the possible threats.
  • Secrecy
  • Secrecy properties can have various degrees of
    strength. E.g.
  • (Strongest) Intruders cannot deduce anything
    about the activities of Bob and Alice
  • (Weaker, but usually sufficient in practice) An
    intruder can see that Alice is sending a message
    to Bob, and maybe even have an idea of how long
    it is, but cannot decrypt the message.
  • Weaker properties are usually easier to implement
    and to analyze
  • Question: does the NSSK protocol satisfy the
    strongest property?
  • No, only the weaker one.
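
The five NSSK messages and the secrecy question above, as an added example that is not part of the original slides: a symbolic model in which a passive observer records one honest run and extracts only what can be split off or decrypted with keys it already holds. The term encoding and all function names are assumptions made for this example.

```python
# Added example: symbolic (Dolev-Yao style) model of one honest NSSK run.
# Atoms are strings; ("cat", t1, t2, ...) is t1.t2...; ("enc", body, key)
# is {body}_key; ("dec1", n) stands for n - 1. All names are illustrative.

def cat(*parts):
    return ("cat",) + parts

def enc(body, key):
    return ("enc", body, key)

def nssk_run():
    """The five messages of the slide as (sender, receiver, term)."""
    ticket = enc(cat("kAB", "A"), "ServerKey(B)")
    return [
        ("A", "J", cat("A", "B", "nA")),
        ("J", "A", enc(cat("nA", "B", "kAB", ticket), "ServerKey(A)")),
        ("A", "B", ticket),
        ("B", "A", enc("nB", "kAB")),
        ("A", "B", enc(("dec1", "nB"), "kAB")),
    ]

def closure(known):
    """Saturate a knowledge set: split concatenations, and open an
    encryption only when its key is already in the set."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            new = set()
            if isinstance(t, tuple) and t[0] == "cat":
                new = set(t[1:])
            elif isinstance(t, tuple) and t[0] == "enc" and t[2] in known:
                new = {t[1]}
            if not new <= known:
                known |= new
                changed = True
    return known

def eavesdropper_view(extra_keys=()):
    """Knowledge of an observer who sees every message of the run."""
    observed = [term for _, _, term in nssk_run()]
    return closure(observed + list(extra_keys))
```

With no keys, the view contains A, B and nA (so the observer learns that Alice wants to talk to Bob) but not kAB or nB, which is the weaker secrecy property. Passing `["ServerKey(A)"]` as `extra_keys` shows how the result depends on the assumption that the long-term keys stay private.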

9
Security Properties
  • Authentication of origin
  • If Bob receives a message that claims to be
    originated by Alice, then Alice should have sent
    it.
  • There may be various additional requirements
  • The message was intended
  • The message was sent within a certain time
  • Each message is received only once
  • ...
  • Entity authentication
  • Bob and Alice are sure of each other's identities
  • Integrity
  • (Strongest) Intruders should not be able to
    corrupt messages
  • (Weaker, but usually sufficient in practice)
    Corruption of messages can always be detected by
    the legitimate partners

10
Security Properties
  • Authenticated key exchange
  • If Alice receives a key K which she thinks is
    private between herself and Bob, then it must be
    the case that K is known only to Alice and Bob
    (plus, possibly, to a third trusted party)
  • Non-repudiation
  • If Bob receives a message sent by Alice, then it
    must be possible to prove that Alice has indeed
    sent the message (even if she tries to deny it).
  • Question: Why might Alice want to deny it?
  • Fairness
  • Prevent one of the parties from ending the
    protocol part-way through in order to gain some
    unfair advantage over the other party.
  • Question: What kind of advantage could the
    party gain?
  • Anonymity
  • We need to know that a certain action has been
    performed but no one should know which agent has
    performed it (except of course the agent itself)
  • Question: What could be an example?

11
Cryptographic Methods
  • Two kinds
  • Symmetric cryptography (aka Secret-key)
  • Asymmetric cryptography (aka Public-key)
  • Symmetric cryptography
  • It requires that the two parties both know the
    same key. Each party can do both encryption and
    decryption.
  • The first method to be discovered and used
  • Until the advent of asymmetric cryptography,
    governments and security agencies were rather
    protective about research done in this field.
    Public research and publications on this topic
    were not encouraged

12
Cryptographic Methods
  • Symmetric methods
  • Transposition: text reshuffling
  • Substitution: text substituted with other text
  • Stream: each symbol of the text is encrypted
    individually
  • Block: more than one symbol at a time is
    encrypted

13
Cryptographic Methods
  • An example of a block cipher: The Playfair cipher
  • The letters of the alphabet are arranged in a
    table, and scrambled according to some rule. To
    encipher a pair of letters we first locate them
    in the table, then we take the pair of letters at
    the opposite corners.
  • In the example represented in the table below,
    the rule for scrambling is the placement of the
    word DYSLEXIA at the beginning of the table, and
    the consequent shift of all other letters.
  • For example, the pair PL is encrypted as QS.
  • D Y S L E
  • X I A B C
  • F G H K M
  • N O P Q R
  • T U V W Z
  • The Playfair cipher is simple, in the sense that
    the function A x A -> A x A is constant.
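
The table construction and the opposite-corners rule above, as an added example that is not part of the original slides. It uses the keyword as spelled in the table (D Y S L E X I A) and goes beyond the slide by also handling pairs in the same row or column with the usual Playfair rules, which the slide does not state; the function names are assumptions.

```python
# Added example: Playfair with the slide's keyword table (J is omitted).
ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"  # 25 letters, no J

def build_table(keyword):
    """Keyword letters first (duplicates dropped), then the remaining letters."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return [seen[i:i + 5] for i in range(0, 25, 5)]

def locate(table, ch):
    for r, row in enumerate(table):
        if ch in row:
            return r, row.index(ch)
    raise ValueError(f"{ch!r} is not in the table")

def encrypt_pair(table, a, b, shift=1):
    if a == b:
        raise ValueError("a pair must consist of two different letters")
    (ra, ca), (rb, cb) = locate(table, a), locate(table, b)
    if ra == rb:   # same row: step along the row (standard rule, not on the slide)
        return table[ra][(ca + shift) % 5] + table[rb][(cb + shift) % 5]
    if ca == cb:   # same column: step down the column (standard rule, not on the slide)
        return table[(ra + shift) % 5][ca] + table[(rb + shift) % 5][cb]
    # Rectangle: the slide's rule, each letter moves to the other's column.
    return table[ra][cb] + table[rb][ca]

def decrypt_pair(table, a, b):
    # The rectangle rule is its own inverse; rows and columns step backwards.
    return encrypt_pair(table, a, b, shift=-1)

TABLE = build_table("DYSLEXIA")
```

`encrypt_pair(TABLE, "P", "L")` reproduces the slide's QS, and `decrypt_pair(TABLE, "Q", "S")` returns PL.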

14
Cryptographic Methods
  • Asymmetric cryptography
  • Introduced in 1976 by Diffie and Hellman.
    Actually, it was invented slightly earlier by
    researchers at the GCHQ (Government
    Communications Headquarters), but the idea was
    not made public.
  • It allows two parties to establish a shared
    secret by using only open communication channels.
  • Basic idea: every agent A has two keys
  • PK: Public key, publicly known
  • SK: Secret (or private) key, known only by the
    agent
  • Whoever wants to send a message M to A will
    encrypt it by using PK, then send the result of
    the encryption, $\{M\}_{PK}$, to A. A will then
    decrypt it by using SK. Let $\{\{M\}_{PK}\}_{SK}$
    be the final result. The following property must
    hold:
  • (a) $\{\{M\}_{PK}\}_{SK} = M$
  • In some schemes, like RSA (Rivest, Shamir and
    Adleman), the reverse also holds:
  • (b) $\{\{M\}_{SK}\}_{PK} = M$
  • Note: (a) implies that PK is injective and (b)
    implies that PK is injective.
  • How to make sure that SK is really secret? Idea:
  • Use one-way functions
  • One-way functions are easy to calculate in one
    direction, but intractable in the other
    direction.

15
Cryptographic Methods
  • Example
  • Let p, q be prime. Calculating the product
    $n = pq$ is easy, while calculating p and q given
    n is thought to be intractable
  • Given an element r of a finite field, and a
    number m, calculating $n = r^m$ is easy, while
    calculating m given r and n is thought to be
    intractable.
  • So, we could use a one-way function f as the
    public key
  • Encrypt: apply f to the message.
  • Decrypt: apply the inverse of f to the encrypted
    message
  • Question: This alone wouldn't work. Why?
  • Idea: Use a trap-door. Given a one-way function
    f, a trap-door is a piece of information that
    makes it easy to calculate the inverse of f.
  • Of course the trap-door relative to a secret key
    should be known only by the agent who owns the
    secret key.
  • The trap-door should be hard to discover just
    from the knowledge of the encryption algorithm.

16
Cryptographic Methods
  • Example: The RSA algorithm (Rivest, Shamir,
    Adleman)
  • Choose two large primes p and q and calculate
    their product
  • $n = pq$
  • Choose an integer e that is relatively prime to
  • $(p-1)(q-1)$
  • Choose an integer d with the property that
  • $ed \equiv 1 \pmod{(p-1)(q-1)}$
  • Using Fermat's Little theorem, we know that
  • $m^{ed} \equiv m \pmod{n}$
  • e and n are made public, while p, q and d are
    kept secret.
  • Encryption: given a message (number) $m < n$,
    compute
  • $c = m^e \pmod{n}$
  • Decryption: given an encrypted message c, compute
    $c^d$. By Fermat's Little theorem, we have
  • $c^d \equiv m^{ed} \equiv m \pmod{n}$
  • To derive p and q (and hence d) from n is
    believed to be intractable.
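
The RSA steps above, together with properties (a) and (b) from the asymmetric-cryptography slide, as an added example that is not part of the original slides. The primes and exponent are small constructed values chosen so the whole message space can be checked; this is textbook RSA without padding, and the function names are assumptions.

```python
# Added example: textbook RSA following the slide's steps (no padding).
from math import gcd

def keygen(p, q, e):
    """Return ((e, n), d). Computing d needs (p-1)(q-1), i.e. the
    factors of n: that knowledge is the trap-door."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # ed = 1 (mod (p-1)(q-1)); Python 3.8+
    return (e, n), d

def encrypt(m, public):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("the message must be a number m < n")
    return pow(m, e, n)          # c = m^e (mod n)

def decrypt(c, d, n):
    return pow(c, d, n)          # c^d = m^(ed) = m (mod n)

# Constructed sample values, far too small for real use.
P, Q, E = 61, 53, 17
PUBLIC, D = keygen(P, Q, E)
N = PUBLIC[1]

def roundtrip_holds():
    """Check (a) {{M}PK}SK = M and (b) {{M}SK}PK = M for every m < n."""
    a = all(decrypt(encrypt(m, PUBLIC), D, N) == m for m in range(N))
    b = all(pow(pow(m, D, N), E, N) == m for m in range(N))
    return a, b
```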