
Protocol Verification & Secure Key Exchange

By: Zack Colgan & Eric Busse. Even a simple and apparently obvious protocol may contain a subtle error. Sadly even subtle errors can crash jets. The verification method we will use is considered formal analysis.


Presentation Transcript


  1. Protocol Verification & Secure Key Exchange. By: Zack Colgan & Eric Busse

  2. Verifying Protocols? (Take CS456)
     • Even a simple and apparently obvious protocol may contain a subtle error.
     • Sadly even subtle errors can crash jets.
     • The verification method we will use is considered formal analysis.
     • We will not be considering computational soundness, that’s Tino’s class.

  3. What is a protocol? A formal description of message formats and the rules that participating parties must follow in order to exchange those messages.

  4. What is the goal of key exchange? To securely convey a cryptographic key from one set of parties to another through a hostile environment.

  5. How do we specify a protocol?
     • List of parties involved
     • List of allowable messages
     • Description of interactions
     • List of assumptions
     • List of goals

  6. Definitions/Assumptions
     • Principal/Party
     • Primitive
     • Long Term/Existing Key
     • Session Key
     • Channel
     • Perfect Encryption

  7. Establishing Session Keys
     It is not possible to establish an authenticated session key without existing secure channels already being available.
     Methods of establishing a new key:
     • Already shared key
     • Off-line server (public key certificates)
     • On-line server (key shared with trusted server)

  8. Generating Session Keys
     Key protocol definitions:
     • Transport – one party generates the key and transfers it to all users
     • Agreement – the session key is a function of inputs by all users
     • Hybrid – the session key is a function of inputs by more than one party, but not all

  9. A First Protocol
     1. A → S: A, B
     2. S → A: KAB
     3. A → B: KAB, A
     Goal: A & B share a session key

  10. Basic Assumptions
      • All messages can be intercepted
      • New messages can be generated and inserted
      • Messages can be rerouted
      • The adversary may be an insider, outsider, or both.
      • The security of any old session key is compromised.

  11. A second attempt…
      1. A → S: A, B
      2. S → A: {KAB}KAS, {KAB}KBS
      3. A → B: {KAB}KBS, A
      Goal: A & B share a PRIVATE session key

  12. A third attempt…
      1. A → S: A, B
      2. S → A: {KAB, B}KAS, {KAB, A}KBS
      3. A → B: {KAB, A}KBS
      Goal: A & B share a PRIVATE session key

  13. Message Freshness
      • Need to ensure messages sent are not replays
      • A nonce is a random value generated by one party and returned to that party to show that a message is newly generated.

  14. Keeping it Fresh
      Guaranteeing freshness of a value can be achieved by having the user choose a value and having the user rely on some received value that is known to be fresh.
      A session key can be formed as such: KAB = f(NA, NB), where NA and NB are nonces.

  15. A fourth attempt…
      1. A → S: A, B, NA
      2. S → A: {KAB, B, NA, {KAB, A}KBS}KAS
      3. A → B: {KAB, A}KBS
      4. B → A: {NB}KAB
      5. A → B: {NB - 1}KAB
      Goal: A & B share a PRIVATE session key

  16. Furthermore…
      1. B → A: B, NB
      2. A → S: A, B, NA, NB
      3. S → A: {KAB, B, NA}KAS, {KAB, A, NB}KBS
      4. A → B: {KAB, A, NB}KBS
      Goal: A & B share a PRIVATE session key

  17. Cryptographic Properties
      • Confidentiality – ensures data is only available to those authorized to obtain it
      • Data Integrity – ensures data has not been altered by unauthorized entities
      • Data Origin Authentication – guarantees data origin
      • Non-repudiation – ensures entities cannot deny sending data they have committed to

  18. Protocol Attacks
      • Modification – the adversary alters the information sent in the protocol. The adversary may be an insider, an outsider, or a combination of both.
      • Eavesdropping – the most basic attack; the adversary captures information sent in the protocol.

  19. Protocol Attacks
      • Denial of Service – the adversary prevents or hinders legitimate users from completing the protocol. Can be resource depletion or connection depletion.
      • Cryptanalysis – the adversary can get some useful info from the protocol to help in cryptanalysis. Possible when the key is known to be weak.

  20. Protocol Attacks
      • Replay – the adversary records information seen in the protocol and sends it to the same or a different party, possibly later in the protocol run.
      • Reflection – the adversary sends protocol messages back to the party who sent them; a special case of replay.

  21. Reflection Attack
      Protocol vulnerable to reflection attack:
      1. A → B : {NA}K
      2. B → A : {NB}K, NA
      3. A → B : NB
      The attack:
      1. A → E : {NA}K
      2. E → A : {N'A}K, NA
      3. A → E : N'A
      1'. E → A : {NA}K
      2'. A → E : {N'A}K, NA
      3'. E → A : N'A

  22. If this interests you, check out CS657 and CS456
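The freshness argument of slides 12 to 15, as an added example that is not part of the presentation: a symbolic model in which A's acceptance check for message 2 of the third attempt takes a replayed old reply, while the fourth attempt's nonce NA rejects it. The helper names, the string keys "KAS"/"KBS" and the tuple encoding of {...}K are assumptions made for the illustration.

```python
import secrets

def seal(key, *fields):
    """Symbolic 'perfect encryption' (slide 6): fields readable only with key."""
    return ("enc", key, fields)

def unseal(key, box):
    _, used, fields = box
    if used != key:
        raise ValueError("cannot decrypt")
    return fields

def server_attempt3(keys, a, b):          # slide 12, message 2
    kab = secrets.token_hex(16)
    return seal(keys[a], kab, b), seal(keys[b], kab, a)

def server_attempt4(keys, a, b, na):      # slide 15, message 2
    kab = secrets.token_hex(16)
    return seal(keys[a], kab, b, na, seal(keys[b], kab, a))

def a_accepts3(kas, peer, msg2):
    kab, name = unseal(kas, msg2[0])
    return kab if name == peer else None  # only the peer name can be checked

def a_accepts4(kas, peer, na, msg2):
    kab, name, nonce, _ticket = unseal(kas, msg2)
    return kab if (name, nonce) == (peer, na) else None

def replay_demo():
    keys = {"A": "KAS", "B": "KBS"}       # constructed long-term keys
    # Earlier runs, recorded off the wire (slide 10: messages can be intercepted).
    old3 = server_attempt3(keys, "A", "B")
    old4 = server_attempt4(keys, "A", "B", secrets.token_hex(8))
    old_kab = unseal(keys["A"], old3[0])[0]
    # New runs: A's request is intercepted and the old message 2 is sent back.
    got3 = a_accepts3(keys["A"], "B", old3)
    got4 = a_accepts4(keys["A"], "B", secrets.token_hex(8), old4)
    # An unmodified fourth-attempt run is still accepted.
    na = secrets.token_hex(8)
    fresh = a_accepts4(keys["A"], "B", na, server_attempt4(keys, "A", "B", na))
    return got3 == old_kab, got4, fresh is not None
```

`replay_demo()` returns `(True, None, True)`: the third attempt re-installs the old session key, which slide 10 assumes is compromised, and the fourth attempt refuses the stale reply.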

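The reflection attack of slide 21, as an added example that is not part of the presentation: one party A runs both roles of the protocol, and E, who never holds K, gets two runs accepted purely by handing A's messages back, shown here in the order they would cross the wire (primed steps are the second run). The `bind_sender` option, which puts the sender's name inside {...}K so A can recognise its own challenge, is an assumed countermeasure and not something the slides specify; class and method names are likewise illustrative.

```python
import secrets

class Party:  # plays both roles of the slide-21 protocol under the shared key K
    def __init__(self, name, key, bind_sender=False):
        self.name, self.key, self.bind_sender = name, key, bind_sender
        self.accepted = 0                 # runs in which a peer was accepted
    def _seal(self, nonce):               # symbolic {...}K, opaque without K
        body = (self.name, nonce) if self.bind_sender else nonce
        return ("enc", self.key, body)
    def _open(self, box):
        _, key, body = box
        if key != self.key:
            raise ValueError("cannot decrypt")
        if self.bind_sender:              # assumed fix: sender name inside {...}K
            sender, body = body
            if sender == self.name:
                raise ValueError("reflected challenge")
        return body
    def start(self):                      # initiator: send msg 1
        self.na = secrets.token_hex(8)
        return self._seal(self.na)
    def finish(self, box, na_echo):       # initiator: check msg 2, send msg 3
        if na_echo != self.na:
            raise ValueError("NA not returned")
        nb = self._open(box)
        self.accepted += 1
        return nb
    def respond(self, box):               # responder: msg 1 in, msg 2 out
        na = self._open(box)
        self.nb = secrets.token_hex(8)
        return self._seal(self.nb), na
    def confirm(self, nb_echo):           # responder: check msg 3
        if nb_echo != self.nb:
            raise ValueError("NB not returned")
        self.accepted += 1

def honest(a, b):
    box, na = b.respond(a.start())        # msgs 1 and 2
    b.confirm(a.finish(box, na))          # msg 3
    return a.accepted + b.accepted

def reflect(a):
    """E holds no key and only hands A's own messages back to A."""
    try:
        m1 = a.start()                    # 1.  A -> E : {NA}K
        box, na = a.respond(m1)           # 1'. E -> A : {NA}K ; 2'. A -> E : {N'A}K, NA
        n = a.finish(box, na)             # 2.  E -> A : {N'A}K, NA ; 3. A -> E : N'A
        a.confirm(n)                      # 3'. E -> A : N'A
    except ValueError:
        pass
    return a.accepted
```

With the protocol as on the slide, `reflect(Party("A", "K"))` returns 2 (both runs accepted with no second key holder present); with `bind_sender=True` it returns 0, while `honest()` between two such parties still completes.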