140 likes | 161 Views
Learn about vulnerabilities in security protocols, such as man-in-the-middle attacks and replay strategies, illustrated using the Diffie-Hellman key establishment scheme and the NSSK protocol. Explore solutions like timestamps and nonces to enhance security.
E N D
Formal Methods for Security Protocols Catuscia Palamidessi Penn State University, USA TU Dresden - Ws on Proof Theory and Computation
Security Protocols Contents of previous lecture: • A brief introduction to security protocols • Distributed systems, insecure communication, intruders • Aims and properties • authentication, secrecy, integrity, anonymity, etc. • Notation Message # x-> y data • Example: the Noedam-Schoeder SK protocol • A very brief introduction to Cryptographic methods • Symmetric and asymmetric cryptography • one-way functions, door traps • Vulnerabilities of Security protocols (just started) TU Dresden - Ws on Proof Theory and Computation
Security Protocols Vulnerabilities Attack strategies • Man-in-the middle • The attacker interferes by intercepting the message and possibly modifying it and/or pretending to be one of the two parties. TU Dresden - Ws on Proof Theory and Computation
Security Protocols Vulnerabilities • Attack strategy Man-in-the middle • Example: The Diffie-Hellman key establishment scheme • This scheme is meant to establish a private key between two parties. It is more straightforward and requires neither a third party nor a trap-door. • Chose a prime p and a primitive root r modulo p. (primitive means that all numbers between 1 and p can be generated by taking exponents of r modulo p) • Alice chooses at random an integer x and sends Bob the message m1 = rx(mod p) • Bob chooses an integer y and sends Alice the message m2 = ry(mod p) • Alice calculates K1 = m2x(mod p) • Bob calculates K2 = m1y(mod p) • It is easy to prove that K1 = K2. Hence Alice and Bob can use K1 as a private key between themselves. Note that Alice and Bob play a symmetric role in the generation of the key. • Deriving x from m1 (and y from m2) is considered to be intractable. TU Dresden - Ws on Proof Theory and Computation
Security Protocols Vulnerabilities • The Diffie-Hellman key establishment scheme has no way to ensure authentication. A man-in-the-middle, Yves, could pretend to be Bob and establish a shared key with Alice, thus reading all the messages that Alice thinks she is sending to Bob. The same he could do with Bob, even at the same time. TU Dresden - Ws on Proof Theory and Computation
Security Protocols Vulnerabilities • Replay • The intruder monitors a (possibly partial) run of the protocol and at some time reproduces (replays) one or more of the messages. TU Dresden - Ws on Proof Theory and Computation
Security Protocols Vulnerabilities • Example: Let us consider what could happen to the NSSK protocol (Needham-Schroeder-Secret-Key) if we remove the nonce from A Message 1 A -> J : A.B Message 2 J -> A : {B.kAB.{kAB.A} ServerKey(B) }ServerKey(A) Message 3 A -> B : {kAB.A} ServerKey(B)Message 4 B -> A : {nB}kAB Message 5 A -> B : {nB - 1}kAB • Suppose that Yves eventually succeeds to break the key, so he now knows kAB. Presumably this will have taken a long time, so kAB is not used anymore by A and B. However, next time Alice sends a request to Jeeves, Yves can intercept Jeeves’ reply, and send back to Alice the message {B.kAB.{kAB.A} ServerKey(B) } ServerKey(A) SoAlice will take the old key kAB as the key to use in next conversation with Bob. TU Dresden - Ws on Proof Theory and Computation
Security Protocols Vulnerabilities In theoriginalNSSK protocol this attack is not possible because A would recognize that the nonce is different from the one it sent. Note that the nonce is used as a sort of local time stamp The original NSSK protocol Message 1 A -> J : A.B.nAMessage 2 J -> A : {nA.B.kAB.{kAB.A} ServerKey(B) }ServerKey(A) Message 3 A -> B : {kAB.A} ServerKey(B)Message 4 B -> A : {nB}kAB Message 5 A -> B : {nB - 1}kAB TU Dresden - Ws on Proof Theory and Computation
Security Protocols Vulnerabilities • In the original NSSK protocol, however, a similar attack is possible on the other partner B. In fact, B has no way to establish the freshness of the first message he sees (the #3 in the protocol). So, Yves could intercept the message from A to B, and send to B, instead, a previously intercepted message{kAB.A} ServerKey(B) Assuming that the intruder had time to discover the previous keykAB, thecommunication from B using this key is compromised This attack was discovered by Denning and Sacco, 1981. (three years after it had been in use in the Kerberos protocol) A solution to this problem is to use timestamps. So in message #3, also a timestamp (generated by A or by J) should be sent, encrypted, to B. Note: Time stamps assume a global notion of time. • The use of timestamps was introduced in the Kerberos protocol so to avoid the problem above TU Dresden - Ws on Proof Theory and Computation
Security Protocols Vulnerabilities • Alternatively, one could use nonces in a different way, as with the Yahalom protocol: Message 1 A -> B : A.nAMessage 2 B -> J : B.{A.nA.nB}ServerKey(B) Message 3 J -> A : {B.kAB.nA.nB}ServerKey(A) {A.kAB}ServerKey(B) Message 4 A -> B : {A.kAB}ServerKey(B).{nB}kAB In this protocol, both A and B get to inject nonces before the request reaches Jeeves, so they both get a handle on the freshness of the key generated by Jeeves. TU Dresden - Ws on Proof Theory and Computation
Security Protocols Vulnerabilities • Oracle • The intruder tricks an agent into inadvertently reveal some information, possibly by inducing him to perform some steps of a protocol. • Interleave • The intruder contrives for two or more runs of the protocol to overlap TU Dresden - Ws on Proof Theory and Computation
Security Protocols Vulnerabilities • Example of an attack to the Needham-Schroeder-Public-Key protocol which combines oracle and interleaving techniques The NSPK protocol (simplified version) Message 1 A -> B : { A.nA }PKBMessage 2 B -> A : { nA.nB }PKAMessage 3 A -> B : { nB }PKB • At the end of the protocol, it would seems reasonable to believe that: • A and B know with whom they have been interacting • A and B agree on the values of nA and nB • No one else knows the values of nA and nB TU Dresden - Ws on Proof Theory and Computation
Security Protocols Vulnerabilities • In fact, for many years the NSPK protocol (1981) has been believed to satisfy those properties, but in 1995 Gavin Lowe discovered the following attack: • here, Y(A) represents Y generating (resp. receiving) the message, making it appear as generated (resp. received) by A. Message a.1 A -> Y : { A.nA }PKYMessage b.1 Y(A) -> B : { A.nA }PKBMessage b.2 B -> Y(A) : { nA.nB }PKAMessage a.2 Y -> A : { nA.nB }PKAMessage a.3 A -> Y : { nB }PKYMessage b.3 Y(A) -> B : { nB }PKB • Initially, Alice starts a protocol run with Yves thinking that he is an honest agent. • At the end, Bob thinks that • he has been communicating with Alice, while this is not the case • he and Alice share exclusively nA and nB, while this is not the case. TU Dresden - Ws on Proof Theory and Computation
Security Protocols Vulnerabilities It is actually relatively easy to fix the NSPK protocol: it is sufficient to include the identity of the responder within the encrypted part of Message 2 Message 1 A -> B : A.B.{ A.nA }PKBMessage 2 B -> A : B.A.{B.nA.nB}PKAMessage 3 A -> A : A.B.{nB}PKB This new protocol (called the Lowe-Needham-Schroeder protocol) has been proved correct by using CSP/FDR methods TU Dresden - Ws on Proof Theory and Computation