Protocol Verification & Secure Key Exchange

By: Zack Colgan & Eric Busse
Verifying Protocols?
● Even a simple and apparently obvious protocol may contain a subtle error.
● Sadly even subtle errors can crash jets.
● The verification method we will use is considered formal analysis.
● We will not be considering computational soundness, that's Tino's class.
What is a protocol?
A formal description of message formats and the rules that participating parties must follow in order to exchange those messages.
What is the goal of key exchange?
To securely convey a cryptographic key from one set of parties to another through a hostile environment.
How do we specify a protocol?
● List of parties involved
● List allowable messages
● Description of interactions
● List of assumptions
● List of goals
Definitions/Assumptions
● Principal/Party
● Primitive
● Long Term/Existing Key
● Session Key
● Channel
● Perfect Encryption
Establishing Session Keys
● Not possible to establish authenticated session key without existing secure channels already being available
● Methods of establishing a new key:
  1. Already shared key
  2. Off-line server (public key certificates)
  3. On-line server (key shared with trusted server)
Generating Session Keys
Key Protocol Definitions:
● Transport – one party generates key, transfers to all users
● Agreement – session key a function of inputs by all users
● Hybrid – session key a function of inputs by more than one party, but not all
A First Protocol
1. A→S: A, B
2. S→A: KAB
3. A→B: KAB, A
Goal: A & B share a session key
Basic Assumptions
● All messages can be intercepted
● New messages can be generated and inserted
● Messages can be rerouted
● The adversary may be an insider, outsider, or both.
● The security of any old session key is compromised.
A second attempt…
1. A→S: A, B
2. S→A: {KAB}KAS, {KAB}KBS
3. A→B: {KAB}KBS, A
Goal: A & B share a PRIVATE session key
A third attempt…
1. A→S: A, B
2. S→A: {KAB, B}KAS, {KAB, A}KBS
3. A→B: {KAB, A}KBS
Goal: A & B share a PRIVATE session key
Message Freshness
● Need to ensure messages sent are not replays
● A nonce is a random value generated by one party and returned to that party to show that a message is newly generated.
Keeping it Fresh
Guaranteeing freshness of a value can be achieved by having the user choose a value and having the user rely on some received value that is known to be fresh.
A session key can be formed as such:
KAB = f(NA, NB)
Where NA and NB are nonces.
A fourth attempt…
1. A→S: A, B, NA
2. S→A: {KAB, B, NA, {KAB, A}KBS}KAS
3. A→B: {KAB, A}KBS
4. B→A: {NB}KAB
5. A→B: {NB-1}KAB
Goal: A & B share a PRIVATE session key
Furthermore…
1. B→A: B, NB
2. A→S: A, B, NA, NB
3. S→A: {KAB, B, NA}KAS, {KAB, A, NB}KBS
4. A→B: {KAB, A, NB}KBS
Goal: A & B share a PRIVATE session key
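Why the last protocol puts NB inside B's ticket, as an added example (not from the original slides): a recorded ticket is replayed to B in the third attempt and in the last protocol. Encryption is modelled symbolically under the perfect-encryption assumption; the Enc class and all function names are illustrative, and the keys are constructed sample values.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Enc:
    """Symbolic {payload}key under the perfect-encryption assumption."""
    key: bytes
    payload: tuple

def dec(key, box):
    # Only the holder of the exact key can open the box.
    if not isinstance(box, Enc) or box.key != key:
        raise ValueError("cannot decrypt")
    return box.payload

def server_third(kbs, a):
    """Third attempt: S issues B's ticket {KAB, A}KBS with no freshness field."""
    kab = secrets.token_bytes(16)
    return kab, Enc(kbs, (kab, a))

def server_final(kbs, a, nb):
    """Last protocol: S binds B's nonce into the ticket {KAB, A, NB}KBS."""
    kab = secrets.token_bytes(16)
    return kab, Enc(kbs, (kab, a, nb))

def b_accept_third(kbs, ticket):
    """B in the third attempt: any ticket that decrypts is accepted."""
    return dec(kbs, ticket)

def b_accept_final(kbs, ticket, my_nonce):
    """B in the last protocol: accept only a ticket that echoes B's own NB."""
    kab, peer, nb = dec(kbs, ticket)
    if not secrets.compare_digest(nb, my_nonce):
        raise ValueError("stale ticket: nonce mismatch")
    return kab, peer

def replay_demo():
    """Replay tickets recorded in an old run; report how B reacts in a new run."""
    kbs = secrets.token_bytes(16)  # constructed long-term key shared by B and S
    # Old run, recorded off the wire. Per the basic assumptions its KAB is compromised.
    old_kab, old_ticket3 = server_third(kbs, "A")
    _, old_ticket5 = server_final(kbs, "A", secrets.token_bytes(16))
    # New run: B in the third attempt installs the old, compromised key again.
    third_accepts_old_key = b_accept_third(kbs, old_ticket3) == (old_kab, "A")
    try:
        # B picks a fresh NB for this run, so the recorded ticket cannot match it.
        b_accept_final(kbs, old_ticket5, secrets.token_bytes(16))
        return third_accepts_old_key, False
    except ValueError:
        return third_accepts_old_key, True
```

replay_demo() returns a pair: whether B in the third attempt accepted the old key, and whether B in the last protocol rejected the replayed ticket.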
Cryptographic Properties
● Confidentiality – ensures data is only available to those authorized to obtain it
● Data Integrity – ensures data has not been altered by unauthorized entities
● Data Origin Authentication – guarantees data origin
● Non-repudiation – ensures entities cannot deny sending data they have committed to
Protocol Attacks
● Modification – the adversary alters the information sent in the protocol. The adversary may be an insider, an outsider, or a combination of both.
● Eavesdropping – most basic attack – adversary captures information sent in the protocol.
● Denial of Service – the adversary prevents or hinders legitimate users from completing the protocol. Can be resource depletion or connection depletion.
● Cryptanalysis – the adversary can get some useful info from the protocol to help in cryptanalysis. Possible when key is known to be weak.
● Replay – the adversary records information seen in the protocol and sends it to the same or different party, possibly later in the protocol run.
● Reflection – the adversary sends protocol messages back to the party who sent them; a special case of replay.
Reflection Attack
Protocol Vulnerable to Reflection Attack:
1. A → B : {NA}K
2. B → A : {NB}K, NA
3. A → B : NB
The Attack:
1. A → E : {NA}K
2. E → A : {N'A}K, NA
3. A → E : N'A
1'. E → A : {NA}K
2'. A → E : {N'A}K, NA
3'. E → A : N'A
The primed messages are a second run that E opens back to A; on the wire the order is 1, 1', 2', 2, 3, 3'.
If this interests you, check out CS657 and CS456