Cryptographic Protocols and Possible Attacks - PowerPoint PPT Presentation

Slides: 37
Provided by: alcorCo
Transcript and Presenter's Notes

Title: Cryptographic Protocols and Possible Attacks


1
Cryptographic Protocols and Possible Attacks
  • SOEN321- Information-Systems Security
  • Revision 1.1
  • Date November 25, 2004

2
Contents
  • Security Flaws in Cryptographic Protocols
  • Freshness Flaws
  • Oracle Flaws
  • Type Flaws
  • Implementation-Dependent Flaws
  • Elementary Flaws
  • Others

3
Security Flaws
  • A flaw is a protocol property that contradicts
    the security requirements.
  • A security flaw is a part of a program that can
    cause the system to violate its security
    requirements.
  • Finding security flaws, then, demands some
    knowledge of the system security requirements.
    These requirements vary according to the system
    and the application (Landwehr, Bull, McDermott
    and Choi).
  • The proof of a flaw is commonly known as an
    attack and it is generally presented as actions
    performed on the protocol.

4
Flaw Types
  • Freshness
  • Oracle
  • Type
  • Implementation-Dependent
  • Others

5
Freshness Flaws
  • Freshness flaws appear when critical messages are
    used in the protocol without including freshness
    information such as nonces and/or timestamps.
  • This lack can be exploited by an intruder to do a
    masquerade by replaying messages belonging to
    previous runs.

6
Freshness Flaws
  • A classical example of a freshness flaw occurs in
    the symmetric-key protocol proposed by
    Needham and Schroeder:
  • Message 1 A -> S: A, B, Na
  • Message 2 S -> A: {Na, B, kab, {kab, A}kbs}kas
  • Message 3 A -> B: {kab, A}kbs
  • Message 4 B -> A: {Nb}kab
  • Message 5 A -> B: {Nb + 1}kab

7
Freshness Flaws (2)
  • This protocol aims to provide mutual
    authentication between two principals A and B.
  • Each principal shares a secret key with a trusted
    server S.
  • This protocol was thought to be correct until
    1981 when the basic weakness was pointed out by
    Denning and Sacco.
  • The main problem of this protocol is that the
    principal playing the role B cannot detect
    whether the message {kab, A}kbs sent by the
    principal playing the role A at step 3 has been
    recently created or not, since it does not
    contain any freshness information.

8
Freshness Flaws (3)
  • Suppose, for example, that an intruder can
    compromise one previously distributed key kab
    (by using cryptanalysis, for example) and
    replays the appropriate message to the principal
    playing the role B in step 3.
  • In this case, the principal playing the role B
    will accept this key as a new one and reply
    with the message {Nb}kab.
  • Hence, the intruder can intercept this message
    and impersonate A's reply by sending the message
    {Nb + 1}kab.

9
Freshness Flaws (4)
  • To fix this weakness, Denning and Sacco have
    proposed to add a timestamp to the messages used
    at step 2 and step 3:
  • Message 1 A -> S: A, B, Na
  • Message 2 S -> A: {T, Na, B, kab, {kab, A, T}kbs}kas
  • Message 3 A -> B: {kab, A, T}kbs
  • Message 4 B -> A: {Nb}kab
  • Message 5 A -> B: {Nb + 1}kab
  • Needham and Schroeder have proposed a solution
    based on the use of nonces. The two proposed
    solutions seem to resolve the problem; however,
    there is no correctness proof for either of those
    new versions.
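An added example, not part of the original slides, of the check B gains from the timestamp T in message 3. It assumes an HMAC-tagged JSON body as a stand-in for {...}kbs (integrity only, no secrecy), an acceptance window MAX_AGE, and constructed keys and times:

```python
import hashlib
import hmac
import json

MAX_AGE = 30  # seconds of delay/clock skew B tolerates (assumed policy value)

def seal(key: bytes, fields: dict) -> bytes:
    """Stand-in for {fields}key: HMAC tag + JSON body (integrity only, no secrecy)."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key: bytes, blob: bytes) -> dict:
    tag, body = blob[:32], blob[32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket was not produced under kbs")
    return json.loads(body)

def b_receive_original(kbs: bytes, ticket: bytes) -> str:
    """B's side of message 3 in the original protocol: {kab, A}kbs."""
    fields = unseal(kbs, ticket)
    return fields["kab"]  # nothing in the ticket says when S issued it

def b_receive_timestamped(kbs: bytes, ticket: bytes, now: int) -> str:
    """B's side of message 3 with the Denning-Sacco timestamp: {kab, A, T}kbs."""
    fields = unseal(kbs, ticket)
    if abs(now - fields["T"]) > MAX_AGE:
        raise ValueError("stale ticket: T is outside the acceptance window")
    return fields["kab"]

def replay_outcomes() -> dict:
    """Constructed scenario: a ticket issued at T=1000 is presented again at 90000."""
    kbs = b"constructed-long-term-key-of-B"
    old = "6f6c642d6b6162"  # constructed hex stand-in for a since-compromised kab
    plain = seal(kbs, {"A": "A", "kab": old})
    stamped = seal(kbs, {"A": "A", "kab": old, "T": 1000})
    out = {"original": b_receive_original(kbs, plain),
           "fresh": b_receive_timestamped(kbs, stamped, now=1010)}
    try:
        b_receive_timestamped(kbs, stamped, now=90000)
        out["replayed"] = "accepted"
    except ValueError as exc:
        out["replayed"] = str(exc)
    return out

if __name__ == "__main__":
    print(replay_outcomes())
```

The original ticket format is accepted no matter how old it is; the timestamped one is accepted only inside the window, which in turn requires B's clock to be roughly synchronised with S.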

10
Oracle Flaws
  • Oracle flaws occur when the cryptographic
    protocol dialog allows an adversary to know some
    secret information or to foretell the content of
    some encrypted messages.
  • Two subclasses of oracle flaws are distinguished:
  • Single oracle flaws, and
  • Multi-role oracle flaws.

11
Single Oracle Flaws
  • This subclass consists of oracle flaws that occur
    when the protocol does not allow principals to
    change their roles from one protocol run to
    another.
  • The most famous example of a single-role oracle
    flaw was given by Rivest, Shamir, and Adleman. It
    consists of the following three-step protocol:
  • Message 1 A -> B: {M}ka
  • Message 2 B -> A: {{M}ka}kb
  • Message 3 A -> B: {M}kb
  • We assume that the encrypting function is
    commutative, i.e. {{M}ka}kb = {{M}kb}ka

12
Single Oracle Flaws (2)
  • The goal of this protocol is to transfer secret
    messages from one principal to another without
    the help of a trusted server.
  • In step one, the principal playing the role A
    encrypts the message M under its secret key ka
    (which can be randomly generated), then sends the
    result to the principal playing the role B.
  • In the second step, the principal playing the
    role B encrypts the received message with its
    secret key kb and sends the result to the
    principal playing the role A.
  • Finally, the principal playing the role A
    decrypts the message {{M}ka}kb to obtain the
    message {M}kb (this can be achieved under the
    commutative assumption), which is sent to the
    principal playing the role B.

13
Single Oracle Flaws (3)
  • This protocol can be attacked as follows:
  • Message 1 A -> I(B): {M}ka
  • Message 2 I(B) -> A: {M}ka
  • Message 3 A -> I(B): M
  • At step one, the intruder intercepts the message
    {M}ka which is supposed to be sent to the
    principal playing the role B.
  • At step two, the intruder sends the intercepted
    message to the principal playing the role A as
    B's response.
  • Finally, the principal playing the role A
    decrypts the received message and sends the
    result (M) to the principal playing the role B.
  • However, the intruder intercepts this message;
    hence, it learns the information that was
    supposed to be secret.

14
Multi-Role Oracle Flaws
  • Multi-role oracle flaws occur when the protocol
    assumptions allow principals to change their role
    from one run to another.
  • In this case, an intruder has more chances to
    attack the protocol.
  • In fact, the intruder can participate in many
    runs executed concurrently; hence, messages of
    one run can be used to form messages that will be
    used in another run.

15
Multi-Role Oracle Flaws (2)
  • A good example of multi-role oracle flaws is:
  • Message 1 A -> B: {Na}kab
  • Message 2 B -> A: {Na + 1}kab
  • The objective of this protocol is to convince the
    principal playing role A that the principal
    playing role B is operational.

16
Multi-Role Oracle Flaws (3)
  • At step one, the principal playing role A sends a
    challenge, the nonce Na encrypted using the key
    kab.
  • The principal playing role B can easily give a
    response ({Na + 1}kab) to this challenge at step
    two since it knows the key kab.
  • This protocol can be attacked as follows:
  • Message 1.1 A -> I(B): {Na}kab
  • Message 2.1 I(B) -> A: {Na}kab
  • Message 2.2 A -> I(B): {Na + 1}kab
  • Message 1.2 I(B) -> A: {Na + 1}kab
  • At step one of the first protocol run, the
    intruder intercepts the message {Na}kab and uses
    it as its own challenge in the first step of the
    second protocol run.

17
Multi-Role Oracle Flaws (4)
  • Therefore, it is not surprising that the
    principal playing the role A will answer by
    sending the message {Na + 1}kab in step two of
    the second protocol run.
  • Furthermore, this message is also the one needed
    to finish the first run.
  • Finally, the principal playing the role A is
    convinced that the principal playing the role B
    is operational; however, this principal may not
    exist any longer in the system.

18
Type Flaws
  • The extraction of message components requires
    full knowledge of their types.
  • In fact, a message is implemented at the concrete
    level as a sequence of bits, so to extract the
    value of the first component, for example, we
    need its type (length).
  • Such information can be implicit if the receiver
    has previous knowledge of the message
    components, their types and their positions.
  • Another solution is to represent types explicitly
    in the transmitted data structure.
  • In this case, the receiver does not need to know
    the types beforehand, since it will find them
    embedded within the received message.

19
Type Flaws (2)
  • Type flaws occur when an adversary can induce the
    receiver to infer message component types which
    are different from their real ones.
  • The Andrew Secure RPC (from the Andrew File
    System) protocol, presented below, provides a
    good example of this class of flaws.
  • Message 1 A -> B: A, {Na}kab
  • Message 2 B -> A: {Na + 1, Nb}kab
  • Message 3 A -> B: {Nb + 1}kab
  • Message 4 B -> A: {k'ab, N'b}kab

20
Type Flaws (3)
  • In step one, the principal playing the role A
    sends its identity and a challenge {Na}kab to
    indicate to the principal playing the role B that
    it wishes to communicate with it.
  • At the second step, the principal playing the
    role B sends the message {Na + 1, Nb}kab, which
    is a challenge to the principal playing the role
    A.
  • At step three, the principal playing the role A
    replies to the challenge of the principal playing
    the role B by sending the message {Nb + 1}kab.
  • At the last step, the principal playing the role
    B creates a session key k'ab, concatenates it
    with N'b, an identifier for a future
    communication, encrypts the result with the key
    kab and sends it to the principal playing the
    role A.

21
Type Flaws (4)
  • Suppose that nonces and keys have the same length
    (x bits).
  • This protocol can be attacked as follows:
  • An intruder I can intercept the message
    {Na + 1, Nb}kab sent at the second step and send
    it in step four as B's reply.
  • In this case, the principal playing the role A
    will consider the value of Na + 1 as the value of
    the key k'ab.

22
Type Flaws (5)
  • The complete attack is:
  • Message 1 A -> B: A, {Na}kab
  • Message 2 B -> A: {Na + 1, Nb}kab
  • Message 3 A -> B: {Nb + 1}kab
  • Message 4 I(B) -> A: {Na + 1, Nb}kab
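An added example, not from the original slides, that puts A's step-four parsing with implicit types beside a version with an explicit type tag inside the protected payload (the "types embedded in the message" option from the Type Flaws slide). It assumes 16-byte nonces and keys, hypothetical one-byte tags MSG2/MSG4, an HMAC tag as a stand-in for {...}kab (integrity only), and constructed values:

```python
import hashlib
import hmac

N = 16  # nonces and keys share one length (the slide's "x bits"); 16 bytes assumed
MSG2, MSG4 = b"\x02", b"\x04"  # hypothetical one-byte type tags for the hardened form

def seal(key: bytes, payload: bytes) -> bytes:
    """Stand-in for {payload}key: HMAC tag + payload (integrity only, no secrecy)."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload

def unseal(key: bytes, blob: bytes) -> bytes:
    tag, payload = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        raise ValueError("not sealed under kab")
    return payload

def inc(nonce: bytes) -> bytes:
    """Nonce + 1, kept at N bytes."""
    return ((int.from_bytes(nonce, "big") + 1) % (1 << (8 * N))).to_bytes(N, "big")

def a_msg4_untyped(kab: bytes, blob: bytes):
    """A expects message 4 and splits the payload purely by position."""
    p = unseal(kab, blob)
    if len(p) != 2 * N:
        raise ValueError("bad length")
    return p[:N], p[N:]  # (new session key, next nonce)

def a_msg4_typed(kab: bytes, blob: bytes):
    """Same step, but the sealed payload must start with the message-4 tag."""
    p = unseal(kab, blob)
    if len(p) != 1 + 2 * N or p[:1] != MSG4:
        raise ValueError("not a message 4")
    return p[1:1 + N], p[1 + N:]

def replay_msg2_as_msg4():
    """Constructed run: message 2 is handed to A where message 4 is expected."""
    kab = b"K" * N                       # constructed long-term key
    na = b"\x00" * (N - 1) + b"\x41"     # constructed nonces
    nb = b"\x00" * (N - 1) + b"\x42"
    untyped_key, _ = a_msg4_untyped(kab, seal(kab, inc(na) + nb))
    try:
        a_msg4_typed(kab, seal(kab, MSG2 + inc(na) + nb))
        typed = "accepted"
    except ValueError as exc:
        typed = str(exc)
    return untyped_key == inc(na), typed

if __name__ == "__main__":
    print(replay_msg2_as_msg4())
```

Because the tag sits inside the protected payload, it cannot be changed without the key, so a message 2 can no longer be parsed as a message 4.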

23
Binding Flaws
  • In public key cryptography, it would be
    catastrophic if a principal misjudges the key of
    another.
  • In fact, a public key is used to send secret
    information, since only the principal having the
    appropriate private key can decrypt the encrypted
    message.
  • However, if, for example, an intruder I having a
    public key ki can convince a principal A that B's
    public key is ki, then the intruder can read all
    secret messages (encrypted by ki) coming from A
    and going to B.
  • To avoid such a flaw, a veritable binding between
    agents and public keys must be established.

24
Binding Flaws (2)
  • In general, in a distributed system, a trusted
    server takes charge of the key distribution task.
  • Each principal uses an authentication protocol to
    get public keys of other principals from the
    server.
  • However, if the authentication protocol is not
    carefully designed, binding flaws can take place.

25
Binding Flaws (3)
  • A good illustrative example of this class of
    flaws is given hereafter:
  • Message 1 A -> S: A, B, Na
  • Message 2 S -> A: S, {S, A, Na, kb}ks^-1
  • Here, the principal playing the role A wishes to
    know the public key of the principal playing the
    role B with the help of the trusted server S.
  • At step one, the principal playing the role A
    sends its identity, the identity of the principal
    playing the role B and a nonce Na to the server
    S.
  • In step two, the server replies with a message
    containing its identity, A's identity, the nonce
    Na (to ensure the freshness of the message) and
    the public key of the principal playing the role
    B.
  • All these components are concatenated and
    encrypted under S's private key (signature),
    allowing the principal playing the role A to be
    sure about the origin of the message.

26
Binding Flaws (4)
  • As shown by Hwang and Chen, this protocol can be
    attacked as follows:
  • Message 1.1 A -> I(S): A, B, Na
  • Message 2.1 I(A) -> S: A, I, Na
  • Message 2.2 S -> I(A): S, {S, A, Na, ki}ks^-1
  • Message 1.2 I(S) -> A: S, {S, A, Na, ki}ks^-1
  • At step one of the first protocol run, the
    intruder I intercepts the message A, B, Na,
    substitutes its own identity for the identity of
    B and sends the result as the first message of a
    new run of the protocol (Message 2.1).
  • At step 2.2, the server replies with a message
    containing I's public key, since it thinks that
    the principal playing the role A is asking for
    this public key.
  • Finally, the intruder replays S's message to the
    principal playing the role A. Thus, a binding
    flaw occurs, since the principal playing the role
    A thinks that the public key of the principal
    playing the role B is ki.

27
Binding Flaws (5)
  • To avoid this flaw, Hwang and Chen proposed the
    following modification:
  • Message 1 A -> S: A, B, Na
  • Message 2 S -> A: S, {S, A, Na, B, kb}ks^-1

28
Repudiation Flaws
  • We say that a cryptographic protocol contains a
    repudiation flaw if at least one principal is
    able to deny its participation in any run of this
    protocol.
  • A popular example of this category of flaws is
    given by the coin-flip protocol proposed by
    Toussaint.
  • This protocol can be used by two principals to
    toss a coin over a phone as follows:
  • B sends his choice of Heads or Tails to A.
  • A chooses a key ka and sends the message
    {ka, Heads}ka, {ka, Tails}ka to B.
  • B arbitrarily chooses one of {ka, Heads}ka and
    {ka, Tails}ka and sends his choice, say X, to A.

29
Repudiation Flaws (2)
  • A decrypts X, compares the result with B's
    initial choice and sends the key ka to B.
  • B decrypts X and compares the result with his
    initial choice.
  • The probability that the principal A wins is
    equal to B's (1/2), as is shown by Toussaint.
  • However, in this protocol, the result of the game
    is known by A before B.
  • Then, if the principal A discovers that he has
    lost, he can abort the protocol at step four and
    never reveal the key ka to B at the last step.
  • In other terms, the principal A can deny his
    participation in this protocol run and a
    repudiation flaw occurs.

30
Implementation-Dependent Flaws
  • Cryptosystems used within cryptographic protocols
    are supposed to be perfect, modulo a set of
    properties containing at least integrity and
    confidentiality.
  • However, some examples show that these conditions
    are not sufficient for some protocols, because
    their security can be severely affected by the
    implementation approach adopted for cryptographic
    functions.
  • The interaction between cryptosystems and
    cryptographic protocols has not yet been deeply
    studied and it is still an open area of
    research.
  • However, it is clear that speaking about the
    security of a protocol in combination with a
    specific cryptosystem is better than speaking
    about the security of a protocol in absolute
    terms.

31
Implementation-Dependent Flaws (2)
  • To be convinced of the severity of this problem,
    let us see the example proposed by Massey as
    shown below:
  • Message 1 A -> B: {M}ka
  • Message 2 B -> A: {{M}ka}kb
  • Message 3 A -> B: {M}kb
  • Suppose that we use the XOR function to cipher
    messages.
  • Hence, if k is a key and M is a message,
    encrypting M under k amounts to the simple
    operation {M}k = M ⊕ k.
  • Since k ⊕ k = 0 (0 ⊕ 0 = 0 and 1 ⊕ 1 = 0), the
    deciphering transformation is performed by using
    the same operation: {{M}k}k = M ⊕ k ⊕ k = M.

32
Implementation-Dependent Flaws (3)
  • The intent of this protocol is to transmit a
    secret message M from a principal playing the
    role A to a principal playing the role B.
  • However, if we compute the XOR of the three
    messages used in this protocol,
  • ({M}ka ⊕ {{M}ka}kb ⊕ {M}kb),
  • then the result is M (the message which is
    supposed to be secret).
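An added example, not from the original slides, that runs the three-message protocol twice: once with the XOR cipher from the slide, and once with a second commutative cipher, modular exponentiation, which goes beyond the slide to show that the leak belongs to the cipher choice and not to the message flow. The modulus, keys, exponents and message are constructed values:

```python
from math import gcd

P = 2**127 - 1  # a Mersenne prime, used as the modulus of the exponentiation cipher

def xor_cipher(k: int):
    """{M}k = M XOR k; the same function enciphers and deciphers."""
    f = lambda x: x ^ k
    return f, f

def exp_cipher(e: int):
    """{M}e = M^e mod P, also commutative; deciphering uses d = e^-1 mod (P-1)."""
    if gcd(e, P - 1) != 1:
        raise ValueError("exponent must be invertible modulo P-1")
    d = pow(e, -1, P - 1)
    return (lambda x: pow(x, e, P)), (lambda x: pow(x, d, P))

def three_pass(m: int, cipher_a, cipher_b):
    """Run the three messages; return what crossed the wire and what B recovers."""
    enc_a, dec_a = cipher_a
    enc_b, dec_b = cipher_b
    m1 = enc_a(m)    # Message 1  A -> B: {M}ka
    m2 = enc_b(m1)   # Message 2  B -> A: {{M}ka}kb
    m3 = dec_a(m2)   # Message 3  A -> B: {M}kb (relies on commutativity)
    return (m1, m2, m3), dec_b(m3)

def xor_of_transcript(transcript) -> int:
    """What a passive observer gets by XORing the three observed messages."""
    m1, m2, m3 = transcript
    return m1 ^ m2 ^ m3

def compare() -> dict:
    m = int.from_bytes(b"constructed M", "big")       # sample secret, below P
    ka, kb = 0x1F3A9C5577E2B048, 0x7C41D08E2A96F3B5    # constructed XOR keys
    xor_wire, xor_got = three_pass(m, xor_cipher(ka), xor_cipher(kb))
    # Constructed small exponents; real secret exponents are large and random.
    exp_wire, exp_got = three_pass(m, exp_cipher(65537), exp_cipher(1000003))
    return {
        "xor_delivers_M": xor_got == m,
        "xor_transcript_leaks_M": xor_of_transcript(xor_wire) == m,
        "exp_delivers_M": exp_got == m,
        "exp_transcript_leaks_M": xor_of_transcript(exp_wire) == m,
    }

if __name__ == "__main__":
    print(compare())
```

Both ciphers deliver M to B, but only the XOR transcript collapses to M. The exponentiation variant is still open to the reflection attack shown under Single Oracle Flaws, since nothing in the three messages authenticates the sender.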

33
Other Flaws
  • Elementary Flaws
  • Some cryptographic protocols provide only a
    marginal protection against an adversary. In
    general, this category of protocols is breakable
    with a little effort.
  • Little or no protection of a protocol leads in
    almost all cases to so-called elementary flaws.
  • A simple example of these flaws is given by
    the following protocol:
  • Message 1 A -> B: {Na, kab}ka^-1
  • Message 2 B -> A: {Na}kab

34
Other Flaws (2)
  • Password Guessing Flaws
  • Password guessing flaws occur if it is easy for
    an adversary to guess some secret key.
  • An intruder can do an exhaustive search in a word
    space smaller than the whole key space to look
    for keys that are not randomly selected.
  • This category of flaws is independent of the
    protocol design, but it is related to the
    cryptographic techniques used to generate keys.

35
Other Flaws (3)
  • Calculi Flaws
  • Normally, after receiving a message, the receiver
    does some verification in order to know whether
    the received message is the expected one or not.
  • However, if these computations are not completed
    or are not done correctly, then a calculi
    flaw could arise.

36
References
  • Dr. Mourad Debbabi
  • http://www.ciise.concordia.ca/debbabi/inse7100.html