CS 6431
Security Protocols
Vitaly Shmatikov
Security Protocols
Use cryptography to achieve some higher-level
security objective
• Authentication, confidentiality, integrity, key
distribution or establishment, payment…
Examples: SSL/TLS, IPsec, Kerberos, SSH,
802.11b and 802.11i, Skype, hundreds of others
• New protocols constantly proposed, standardized,
implemented, and deployed
Critical component of modern Web and mobile
applications
slide 2
Needham-Schroeder Protocols
Needham and Schroeder. “Using Encryption for
Authentication in Large Networks of Computers”
(CACM 1979)
Initiated the field of cryptographic protocol design
• Led to Kerberos, IPsec, SSL, and all modern protocols
Observed the need for rigorous protocol analysis
• “Protocols … are prone to extremely subtle errors that
are unlikely to be detected in normal operation… The
need for techniques to verify the correctness of such
protocols is great, and we encourage those interested
in such problems to consider this area.”
slide 3
Things Goes Wrong
Many simple attacks against protocols have been
discovered over the years
• Even carefully designed, widely deployed protocols...
often years after the protocol has been deployed
– Examples: SSL, SSH, 802.11b, GSM
• Simple = attacks do not involve breaking crypto!
Why is the problem difficult?
• Concurrency + distributed participants + (often
incorrect) use of cryptography
• Active attackers in full control of communications
• Implicit assumptions and goals behind protocols
slide 4
Design Principles (1)
[Abadi and Needham. “Prudent Engineering Practice
for Cryptographic Protocols ”. Oakland 1994]
1. Every message should say what it means
2. The conditions for a message to be acted on
should be clearly set out
3. Mention the principal’s name explicitly in the
message if it is essential to the meaning
4. Be clear as to why encryption is being done
5. Don’t assume a principal knows the content of
encrypted material that is signed by that
principal
slide 5
Design Principles (2)
[Abadi and Needham]
6. Be clear on what properties you are assuming
about nonces
7. Predictable quantities used for challengeresponse should be protected from replay
8. Timestamps must take into account local clock
variation and clock maintenance mechanisms
9. A key may have been used recently, yet be old
slide 6
Design Principles (3)
[Abadi and Needham]
10. If an encoding is used to present the meaning
of a message, then it should be possible to tell
which encoding is being used
11. The protocol designer should know which trust
relations his protocol depends on
slide 7
NS Symmetric-Key Protocol
Ka, Kb
Trusted key server
A, B, NonceA
{ NonceA, B, Kc, {Kc, A}Kb }Ka
Ka
Kb
{Kc, A}Kb
{NonceB}Kc
Alice
{NonceB-1}Kc
Bob
Goal: A and B establish a fresh, shared, secret
key Kc with the help of a trusted key server
slide 8
Denning-Sacco Attack
Attacker recorded an old session and
compromised session key Kx used in that session
{Kx, A}Kb
{NonceB}Kx
{NonceB-1}Kx
Bob
B now believes he shares a fresh secret Kx with A
Moral: use timestamps to detect replay of old
messages
slide 9
NS Public-Key Protocol
A’s identity
Fresh random number
generated by A
{ A, NonceA } Kb
A
{ NonceA, NonceB }
{ NonceB}
A’s reasoning:
The only person who could know NonceA
is the person who decrypted the first message
Only B can decrypt message encrypted with Kb
Therefore, B is on the other end of the line
B is authenticated!
Encrypted with B’s public
key
Ka
B
Kb
B’s reasoning:
The only way to learn NonceB is
to decrypt the second message
Only A can decrypt second message
Therefore, A is on the other end
A is authenticated!
slide 10
What Does This Protocol Achieve?
{ A, NonceA } Kb
A
{ NonceA, NonceB }
Ka
B
{ NonceB }
Kb
 Protocol aims to provide both authentication and secrecy
 After this exchange, only A and B know NonceA and
NonceB  they can be used to derive a shared key
slide 11
Lowe’s Attack on NSPK
[Lowe. “Breaking and Fixing the Needham-Schroeder
Public-Key Protocol using FDR”. TACAS 1996]
{ A, Na } Kb
A
{ Na, Nc } Ka
B
{ Nc } Kb
Evil B pretends
that he is A
B can’t decrypt this message,
but he can replay it
Evil participant B tricks
honest A into revealing
C’s nonce Nc
{ Na, Nc }
C is convinced that he is talking to A!
{ A, Na }
Ka
Kc
C
slide 12
Abadi-Needham Principle #1
Every message should say what it means
{ A, Na } Kb
A
{ Na, Nc } Ka
B
{ A, Na }Kc
{ Na, Nc } Ka
Who sent this message?
C
slide 13
Lowe’s Fix to NSPK
{ A, NonceA } Kb
A
{ NonceA, B, NonceB }
Ka
{ NonceB}
B
Kb
Does this solve the problem? How?
slide 14
Lessons of Lowe’s Attack
Attacker is a legitimate protocol participant!
Exploits participants’ reasoning to fool them
• A is correct that B must have decrypted {A,Na}Kb
message, but this does not mean that the {Na,Nb}Ka
message came from B
• The attack does not rely on breaking cryptography!
It is important to realize limitations of protocols
• The attack requires that A willingly talk to adversary
• In the original setting, each workstation is assumed to
be well-behaved, and the protocol is correct!
Discover attacks like this automatically?
slide 15
Cashier-as-a-Service
[Wang et al. “How to Shop for Free Online: Security Analysis of
Cashier-as-a-Service Based Web Stores”. Oakland 2011]
Web store
Shopper
Joint decision:
is an order
appropriately paid?
PayPal, Amazon Payments,
Google Checkout, etc.
slide 16
nopCommerce + Amazon Simple Pay
[Wang et al.]
Anyone can register an Amazon
seller account, so can Chuck
Purchase a $25 MasterCard gift card
by cash, register under a fake
address and phone number
Create seller accounts in PayPal,
Amazon and Google using the card
Chuck’s trick
Chuck, pay in Amazon
with this signed letter:
Amazon, I want to pay
Dearthis
Amazon,
with
letter
Great,
I
will
ship
order#123
is $10, when it is
Dear
Amazon,
Jeff,order#123!
paid, text me at 425-111-2222.
order#123 is $10, when it is
I want
to text
buysignature]
thisat 425-111[Jeff’s
paid,
me
DVD.2222. [Jeff’s signature]
[Mark’s signature]
Jeff
Hi, $10 has been paid for
order#123.
[Amazon’s signature]
Check out from Jeff, but pay to
“Mark” (Chuck himself)
Amazon tells Jeff that payment has
been successful
Shopper Chuck
Jeff is confused, ships product
(and seller Mark)
Amazon (CaaS)
slide 17
Interspire + PayPal Express
Session 1: pay for a cheap order (orderID1),
but prevent the merchant from finalizing it
by holding Message B store
[Wang et al.]
Session 2: place an expensive order
(orderID2), but skip the payment step
store
Message A
Message A
Message B
Message A redirects to
store.com/finalizeOrder?[orderID1]store
Message A redirects to
store.com/finalizeOrder?[orderID2]store
Message B calls store.com/finalizeOrder?[orderID1]store
[orderID2]store
Expensive order is checked out but the cheap one is paid!
slide 18
Side-Channel Leaks
[Chen et al. “Side-Channel Leaks in Web Applications:
a Reality Today, a Challenge Tomorrow”. Oakland
2010]
encrypted!
privacy problems solved?
Attacker can still see the number of packets,
size of each packet, time between packets…
slide 19
[Chen et al.]
Search using encrypted Wi-Fi (WPA / WPA2)
Example: user types “l-i-s-t” on his laptop…
821
…different size of suggestion list
 910
Each additional
letter of query…
822
 931
823
 995
824
 1007
Attacker’s effort linear in the size of query
Consequence: any eavesdropper knows our search queries
slide 20
Online Medical Application
[Chen et al.]
Entering health records
• By typing – auto-suggestion
• By mouse – a tree structure of elements
Finding a doctor
• Dropdown list
2000x reduction in ambiguity
Uniquely identify the specialty
slide 21
Tax Preparation Application
[Chen et al.]
Wizard-style questionnaire
• Tailor the questions based on previous inputs
Which forms you work on reveal filing status,
big medical bills, adjusted gross income…
Knowing the state machine of the application
the eavesdropper can infer sensitive information
• Especially by combining information learned from
multiple state machines
slide 22
Child Credit State Machine
[Chen et al.]
Entry page of
deductions &
credits
All transitions have unique traffic patterns
Summary of
deductions &
credits
Partial credit
Not eligible
Full credit
Consult the IRS instruction:
$1000 for each child
Phase-out starting from $110,000. For every $1000 income, lose $50 credit.
slide 23
Student Loan Interest State Machine
[Chen et al.]
Even worse, most decision procedures for credits/deductions have
asymmetric paths: eligible – more questions, not eligible – no more questions
Entry page of
deductions &
credits
Summary of
deductions &
credits
Not eligible
Enter your paid
interest
Partial credit
Full credit
slide 24
Some Identifiable AGI Thresholds
[Chen et al.]
Disabled Credit
$0
Earned Income Credit
$24999
$41646
Retirement Savings
College Expense
$53000
$116000
IRA Contribution
Student Loan Interest
Child Credit
First-time Homebuyer Credit
Adoption Expense
$85000
$105000
$115000
$110000
$145000
$130000 or $150000 or $170000 …
$150000
$170000
$174730
$214780
slide 25
Online Investments
[Chen et al.]
Which funds you invest in?
 Each price history curve is a
GIF image from MarketWatch
• Anyone in the world can get
them from this website
 Just compare the image sizes!
Your investment allocation?
 Can see the size of the pie
chart, but hundreds of pie
charts have the same image…
slide 26
Change Over Time Is Revealing!
[Chen et al.]
 800 charts
 80 charts
 8 charts
Size of day 4;
Prices of the day
Size of day 3;
Prices of the day
Size of day 2;
Prices of the day
Size of day 1
 80000 charts
Financial institution updates your pie chart every day after market close.
Mutual fund prices are public knowledge.
1 chart
slide 27
Rounding? Padding?
[Chen et al.]
Still have the asymmetric path problem
Google’s responses are compressed, destination
networks may or may not uncompress responses
• For example, Microsoft gateways uncompress and
inspect Web traffic, but university does not
• Round before compression – university still sees
distinguishable sizes; after compression – Microsoft does
Random padding is not appropriate
• If user checks several times, repeated random padding
of the same responses quickly degrades effectiveness
• Images come from MarketWatch, not site itself
slide 28