Protocol Verification & Secure Key Exchange By: Zack Colgan & Eric Busse Verifying Protocols? ● ● ● ● Even a simple and apparently obvious protocol may contain a subtle error. Sadly even subtle errors can crash jets. The verification method we will use is considered formal analysis. We will not be considering computational soundness, that’s Tino’s class. What is a protocol? A formal description of message formats and the rules that participating parties must follow in order to exchange those messages. What is the goal of key exchange? To securely convey a cryptographic key from one set of parties to another through a hostile environment. How do we specify a protocol? ● List of parties involved ● List allowable messages ● Description of interactions ● List of assumptions ● List of goals Definitions/Assumptions ● Principal/Party ● Primitive ● Long Term/Existing Key ● Session Key ● Channel ● Perfect Encryption Establishing Session Keys Not possible to establish authenticated session key without existing secure channels already being available ● Methods of establishing a new key: ● 1. 2. 3. Already shared key Off-line server (public key certificates) On-line server (key shared with trusted server) Generating Session Keys Key Protocol Definitions: ● Transport – one party generates key, transfers to all users ● ● Agreement – session key a function of inputs by all users Hybrid – session key a function of inputs by more than one party, but not all A First Protocol 1. A→S: A, B S 2. S→A: KAB 1. A, B 3. A→B: KAB,A 2. KAB A 3. KAB,A Goal: A & B share a session key B Basic Assumptions ● All messages can be intercepted ● New messages can be generated and inserted ● Messages can be rerouted ● The adversary may be an insider, outsider, or both. ● The security of any old session key is compromised. A second attempt… S 1. A, B 2. {KAB}KAS , {KAB}KBS A 3. {KAB}KBS ,A Goal: A & B share a PRIVATE session key B A third attempt… S 1. A, B 2. {KABB}KAS , {KABA}KBS A 3. {KABA}KBS Goal: A & B share a PRIVATE session key B Message Freshness ● Need to ensure messages sent are not replays ● A nonce is a random value generated by one party and returned to that party to show that a message is newly generated. Keeping it Fresh Guaranteeing freshness of a value can be achieved by having the user choose a value and having the user rely on some received value that is known to be fresh. A session key can be formed as such: KAB = f(NA,NB) Where NA and NB are nonces. A fourth attempt… 1. A, B, NA S 2. {KAB, B, NA, {KAB,A}KBS}KAS 3.{KAB,A}KBS A 4.{NB}KAB 5.{NB-1}KAB Goal: A & B share a PRIVATE session key B Further more… 2. A, B, NA , NB S 3. {KAB, B, NA}KAS, {KAB,A, NB}KBS 1.B, NB A B 4. {KAB,A,NB}K BS Goal: A & B share a PRIVATE session key Cryptographic Properties ● ● ● Confidentiality – ensures data is only available to those authorized to obtain it Data Integrity – ensures data has not been altered by unauthorized entities Data Origin Authentication – guarantees data origin ● Non-repudiation – ensures entities cannot deny sending data they have committed to Protocol Attacks Modification – the adversary alters the information sent in the protocol. The adversary may be an insider, and outsider, or a combination of both. Eavesdropping – most basic attack – adversary captures information sent in the protocol. Protocol Attacks Denial of Service – the adversary prevents or hinders legitimate users from completing the protocol. Can be resource depletion or connection depletion. Cryptanalysis – the adversary can get some useful info from the protocol to help in cryptanalysis. Possible when key is known to be weak. Protocol Attacks Replay – the adversary records information seen in the protocol and sends it to the same or different party, possibly later in the protocol run. Reflection – the adversary sends protocol messages back to the party who sent them; a special case of replay. Reflection Attack Protocol Vulnerable to Reflection Attack: 1. 2. 3. A → B : {NA}K B → A : {NB}K, NA A → B : NB The Attack: 1. A → E : {NA}K 2. E → A : {N'A}K, NA 3. A → E : N'A 1'. E → A : {NA}K 2'. A → E : {N'A}K, NA 3'. E → A : N'A If this interests you, check out CS657 and CS456