Prudent Engineering Practice for Cryptographic Protocols By Martin Abadi and Roger Needham Presented by Jay Gyuricza
Overview • Authors’ Abstract • Definitions • The Principles • Conclusion
Authors’ Abstract • Goal of paper is to present principles for designing cryptographic protocols • These principles are neither necessary nor sufficient • Adherence to them would have prevented a number of published errors
Definitions • A, B, C : Arbitrary principals • S : Server • T : Timestamp • N : Nonce - Something generated for the purpose of being recent; an identifier used only once
Principle 1 • Every message should say what it means. • “A should sign message M and then send B a session key K” • Necessary to explicitly say what should happen without any context
Principle 2 • Conditions for a message to be acted upon should be clearly set out so that someone reviewing the design may see whether they are acceptable or not. • These conditions are called statements of trust
Principle 3 • If the identity of a principal is essential to the meaning of a message, mention the principal’s name explicitly in the message.
Denning and Sacco
Msg 1 A → S: A, B
Msg 2 S → A: CA, CB
Msg 3 A → B: CA, CB, {{Kab, Ta}Ka⁻¹}Kb
Denning and Sacco • Three purposes of the protocol • No other principal should obtain Kab • B should know that A sent it • B should know that the message was intended for B
Denning and Sacco
Msg 1 B → S: A, C
Msg 2 S → B: CA, CC
Msg 3 B → C: CA, CC, {{Kab, Ta}Ka⁻¹}Kc
Msg 3’ A → B: CA, CB, {{A, B, Kab, Ta}Ka⁻¹}Kb
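Added example (not from the slides or the paper): a symbolic Python model of Msg 3 and Msg 3’ showing why the receiver's check only works once A's signature covers both names. The helpers `reencrypt` and `accept` are illustrative names; certificates (CA, CB) and timestamp validation are left out as simplifying assumptions.

```python
from dataclasses import dataclass

# Symbolic model: no real cryptography, only who can create or open what.
@dataclass(frozen=True)
class Signed:            # {body}Ka^-1: readable by anyone, creatable only by `signer`
    body: tuple
    signer: str

@dataclass(frozen=True)
class Encrypted:         # {body}Kb: only `recipient` can open it
    body: object
    recipient: str

def decrypt(msg, me):
    if msg.recipient != me:
        raise PermissionError(f"{me} cannot open a message encrypted for {msg.recipient}")
    return msg.body

def msg3_original(a, b, kab, ta):
    """Msg 3: {{Kab, Ta}Ka^-1}Kb, with no names inside the signature."""
    return Encrypted(Signed((kab, ta), signer=a), recipient=b)

def msg3_fixed(a, b, kab, ta):
    """Msg 3': {{A, B, Kab, Ta}Ka^-1}Kb, names covered by the signature."""
    return Encrypted(Signed((a, b, kab, ta), signer=a), recipient=b)

def reencrypt(msg, me, target):
    """The legitimate recipient opens the outer layer and re-wraps the signed part."""
    return Encrypted(decrypt(msg, me), recipient=target)

def accept(msg, me, claimed_sender, names_in_signature):
    """Receiver's check: return the session key if the message is accepted, else None."""
    signed = decrypt(msg, me)
    if signed.signer != claimed_sender:
        return None
    if not names_in_signature:
        key, _ts = signed.body            # nothing says who the key was meant for
        return key
    if len(signed.body) != 4:
        return None
    sender, intended, key, _ts = signed.body
    if (sender, intended) != (claimed_sender, me):
        return None                       # signed for a different principal
    return key

if __name__ == "__main__":
    # Constructed sample run: B forwards A's Msg 3 to C under each design.
    for build, named in ((msg3_original, False), (msg3_fixed, True)):
        forwarded = reencrypt(build("A", "B", "Kab", 100), "B", "C")
        print(build.__name__, "-> C accepts key:", accept(forwarded, "C", "A", named))
```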
Principle 4 • Be clear about why encryption is being done • Encryption is expensive • Improper use can lead to errors
Principle 5 • When a principal signs encrypted material, the principal may not know the content of the message • When a principal signs a message, then encrypts it, the principal knows the content
CCITT X.509 Standard
Msg 1 A → B: A, {Ta, Na, B, Xa, {Ya}Kb}Ka⁻¹
• Protocol intended to ensure the integrity of Xa and Ya • Sender may not know data sent in the private part of the message • Problem can be avoided by signing the secret data before it is encrypted
Principle 6 • Be clear about what properties nonces have • A nonce is best used to ensure a message is fresh • Be careful when using them to ensure association • Instead, look for another way to ensure association
Woo and Lam
Msg 1 A → B: A
Msg 2 B → A: Nb
Msg 3 A → B: {Nb}Kas
Msg 4 B → S: {A, {Nb}Kas}Kbs
Msg 5 S → B: {Nb}Kbs
Woo and Lam
Msg 1 A → B: A
Msg 2 B → A: Nb
Msg 3 A → B: {Nb}Kas
Msg 4 B → S: A, B, {Nb}Kas
Msg 5 S → B: {A, Nb}Kbs
Principle 7 • A predictable quantity can serve in guaranteeing newness, but it should be protected so that an intruder cannot simulate it.
Principle 8 • If timestamps are used as freshness guarantees, then the difference between local clocks at various machines must be less than the allowable age of a message to be deemed valid.
Principle 9 • Recent use does not make a key fresh
Varadharajan, Allen, Black
Msg 5 S → B: S, B, {Tb+1}Kbs, {Kbs}Kbt
• Authors claim that since S replies to a fresh message, Kbs must be fresh • B obtains no proof that Kbs is fresh, only that Kbs has been used recently
Principle 10 • When an encoding is protocol dependent, it should be possible to deduce the message’s protocol, particular run, and its number in the protocol • Trivial if you follow the other principles
Principle 11 • A protocol designer should know which trust relations the protocol depends on, and why the dependence is necessary
Conclusion • Every message should say what it means • The conditions for a message to be acted upon should be clearly set out so that someone can review the design to see if they are acceptable or not