Security Protocols Analysis - PowerPoint PPT Presentation

About This Presentation
Title:

Security Protocols Analysis

Description:

Security Protocols Analysis – PowerPoint PPT presentation

Number of Views:83
Avg rating:3.0/5.0
Slides: 24
Provided by: stoi150
Learn more at: https://cs.gmu.edu
Category:

less

Transcript and Presenter's Notes

Title: Security Protocols Analysis


1
Security ProtocolsAnalysis
2
Reading
  • This Class
  • Modelling and Analysis of Security Protocols
    chapters 0.9-0.12
  • C. Meadows Formal Methods for Cryptographic
    Protocol Analysis Emerging Issues and Trends,
    http//citeseer.ist.psu.edu/meadows03formal.html
  • Next class
  • Modelling and Analysis of Security Protocols
    chapter 1

3
What is Protocol Analysis
  • Cryptographic Protocols
  • Attackers capabilities
  • Security?
  • Hostile environment
  • Vulnerabilities
  • Weakness of cryptography
  • Incorrect specifications

4
Cryptographic Protocols
  • Two or more parties
  • Communication over insecure network
  • Cryptography used to achieve goal
  • Exchange secret keys
  • Verify identity (authentication)
  • Secure transaction processing

5
Emerging Properties of Protocols
  • Greater interoperation
  • Negotiation of policy
  • Greater complexity
  • Group-oriented protocols
  • Emerging security threats

6
Attackers Capabilities
  • Read traffic
  • Modify traffic
  • Delete traffic
  • Perform cryptographic operations
  • Control over network principals

7
Attacks
  • Known attacks
  • Can be picked up by careful inspection
  • Nonintuitive attacks
  • Not easily apparent
  • May not depend on flaws or weaknesses of
    cryptographic algs.
  • Use variety of methods, e.g., statistical
    analysis, subtle properties of crypto algs., etc.

8
Formal Methods
  • Combination of a mathematical or logical model of
    a system and its requirements and
  • Effective procedures for determining whether a
    proof that a system satisfies its requirements is
    correct.

Can be automated!
9
Example Needham-Schroeder
  • Famous simple example (page 30-31)
  • Protocol published and known for 10 years
  • Gavin Lowe discovered unintended property while
    preparing formal analysis using FDR system
  • Subsequently rediscovered by every analysis method

From J. Mitchell
10
Needham-Schroeder Crypto
  • Nonces
  • Fresh, Random numbers
  • Public-key cryptography
  • Every agent A has
  • Public encryption key Ka
  • Private decryption key Ka-1
  • Main properties
  • Everyone can encrypt message to A
  • Only A can decrypt these messages

From J. Mitchell
11
Needham-Schroeder Key Exchange
  • A, NonceA
  • NonceA, NonceB
  • NonceB

Kb
A
B
Ka
Kb
On execution of the protocol, A and B are
guaranteed mutual authentication and secrecy.
From J. Mitchell
12
Needham Schroeder properties
  • Responder correctly authenticated
  • When initiator A completes the protocol
    apparently with Honest responder B, it must be
    that B thinks he ran the protocol with A
  • Initiator correctly authenticated
  • When responder B completes the protocol
    apparently with Honest initiator A, it must be
    that A thinks she ran the protocol with B
  • Initiator Nonce secrecy
  • When honest initiator completes the protocol with
    honest peer, intruder does not know initiators
    nonce.

From J. Mitchell
13
Anomaly in Needham-Schroeder
Lowe
A, NA
Ke
A
E
NA, NB
Ka
NB
Ke
A, NA
NA, NB
Evil agent E tricks honest A into
revealing private key NB from B
Kb
Ka
B
Evil E can then fool B
From J. Mitchell
14
Requirements and Properties
  • Authentication
  • Authentication, Secrecy
  • Trading
  • Fairness
  • Special applications (e.g., voting)
  • Anonymity and Accountability

15
Security Analysis
  • Understand system requirements
  • Model
  • System
  • Attacker
  • Evaluate security properties
  • Under normal operation (no attacker)
  • In the presence of attacker
  • Security results under given assumptions about
    system and about the capabilities of the
    attackers.

16
Explicit intruder model
Informal Protocol Description
Intruder Model
Formal Protocol
Analysis Tool
Find error
From J. Mitchell
17
Protocol Analysis Spectrum
From J. Mitchell
18
Analysis of Discrete Systems
  • Properties of discrete systems
  • Requirements
  • Attackers
  • Attack sequence of finite set of operations
  • Evaluate different paths an attacker may take
  • State the environmental assumptions precisely

19
First Analysis Method
  • Dolev-Yao
  • Set of polynomial-time algorithms for deciding
    security of a restricted class of protocols
  • First to develop formal model of environment in
    which
  • Multiple executions of the protocol can be
    running concurrently
  • Cryptographic algorithms considered as black
    boxes
  • Includes intrudes model
  • Tools based on Dolev-Yao
  • NRL protocol analyzer
  • Longley-Rigby tool

20
Model checking
  • Two components
  • Finite state system
  • Specification of properties
  • Exhaustive search the state space to determine
    security

21
Theorem Prover
  • Theorems properties of protocols
  • Prove or check proofs automatically
  • Could find flaws not detected by manual analysis
  • Do not give counterexamples like the model
    checkers

22
Logic
  • Burrows, Abadi, and Needham (BAN) logic
  • Logic of belief
  • Set of modal operators describing the
    relationship of principal to data
  • Set of possible beliefs
  • Inference rules
  • Seems to be promising but weaker than state
    exploration tools and theorem proving (higher
    level abstraction)

23
Next weekCSP
Write a Comment
User Comments (0)
About PowerShow.com