Security Protocols Analysis

1
Security ProtocolsAnalysis
2
Reading

• This Class
• Modelling and Analysis of Security Protocols
  chapters 0.9-0.12
• C. Meadows Formal Methods for Cryptographic
  Protocol Analysis Emerging Issues and Trends,
  http//citeseer.ist.psu.edu/meadows03formal.html
• Next class
• Modelling and Analysis of Security Protocols
  chapter 1

3
What is Protocol Analysis

• Cryptographic Protocols
• Attackers capabilities
• Security?
• Hostile environment
• Vulnerabilities
• Weakness of cryptography
• Incorrect specifications

4
Cryptographic Protocols

• Two or more parties
• Communication over insecure network
• Cryptography used to achieve goal
• Exchange secret keys
• Verify identity (authentication)
• Secure transaction processing

5
Emerging Properties of Protocols

• Greater interoperation
• Negotiation of policy
• Greater complexity
• Group-oriented protocols
• Emerging security threats

6
Attackers Capabilities

• Read traffic
• Modify traffic
• Delete traffic
• Perform cryptographic operations
• Control over network principals

7
Attacks

• Known attacks
• Can be picked up by careful inspection
• Nonintuitive attacks
• Not easily apparent
• May not depend on flaws or weaknesses of
  cryptographic algs.
• Use variety of methods, e.g., statistical
  analysis, subtle properties of crypto algs., etc.

8
Formal Methods

• Combination of a mathematical or logical model of
  a system and its requirements and
• Effective procedures for determining whether a
  proof that a system satisfies its requirements is
  correct.

Can be automated!
9
Example Needham-Schroeder

• Famous simple example (page 30-31)
• Protocol published and known for 10 years
• Gavin Lowe discovered unintended property while
  preparing formal analysis using FDR system
• Subsequently rediscovered by every analysis method

From J. Mitchell
10
Needham-Schroeder Crypto

• Nonces
• Fresh, Random numbers
• Public-key cryptography
• Every agent A has
• Public encryption key Ka
• Private decryption key Ka-1
• Main properties
• Everyone can encrypt message to A
• Only A can decrypt these messages

From J. Mitchell
11
Needham-Schroeder Key Exchange

• A, NonceA
• NonceA, NonceB
• NonceB

Kb
A
B
Ka
Kb
On execution of the protocol, A and B are
guaranteed mutual authentication and secrecy.
From J. Mitchell
12
Needham Schroeder properties

• Responder correctly authenticated
• When initiator A completes the protocol
  apparently with Honest responder B, it must be
  that B thinks he ran the protocol with A
• Initiator correctly authenticated
• When responder B completes the protocol
  apparently with Honest initiator A, it must be
  that A thinks she ran the protocol with B
• Initiator Nonce secrecy
• When honest initiator completes the protocol with
  honest peer, intruder does not know initiators
  nonce.

From J. Mitchell
13
Anomaly in Needham-Schroeder
Lowe
A, NA
Ke
A
E
NA, NB
Ka
NB
Ke
A, NA
NA, NB
Evil agent E tricks honest A into
revealing private key NB from B
Kb
Ka
B
Evil E can then fool B
From J. Mitchell
14
Requirements and Properties

• Authentication
• Authentication, Secrecy
• Trading
• Fairness
• Special applications (e.g., voting)
• Anonymity and Accountability

15
Security Analysis

• Understand system requirements
• Model
• System
• Attacker
• Evaluate security properties
• Under normal operation (no attacker)
• In the presence of attacker
• Security results under given assumptions about
  system and about the capabilities of the
  attackers.

16
Explicit intruder model
Informal Protocol Description
Intruder Model
Formal Protocol
Analysis Tool
Find error
From J. Mitchell
17
Protocol Analysis Spectrum
From J. Mitchell
18
Analysis of Discrete Systems

• Properties of discrete systems
• Requirements
• Attackers
• Attack sequence of finite set of operations
• Evaluate different paths an attacker may take
• State the environmental assumptions precisely

19
First Analysis Method

• Dolev-Yao
• Set of polynomial-time algorithms for deciding
  security of a restricted class of protocols
• First to develop formal model of environment in
  which
• Multiple executions of the protocol can be
  running concurrently
• Cryptographic algorithms considered as black
  boxes
• Includes intrudes model
• Tools based on Dolev-Yao
• NRL protocol analyzer
• Longley-Rigby tool

20
Model checking

• Two components
• Finite state system
• Specification of properties
• Exhaustive search the state space to determine
  security

21
Theorem Prover

• Theorems properties of protocols
• Prove or check proofs automatically
• Could find flaws not detected by manual analysis
• Do not give counterexamples like the model
  checkers

22
Logic

• Burrows, Abadi, and Needham (BAN) logic
• Logic of belief
• Set of modal operators describing the
  relationship of principal to data
• Set of possible beliefs
• Inference rules
• Seems to be promising but weaker than state
  exploration tools and theorem proving (higher
  level abstraction)

23
Next weekCSP