
On the Evolution of Adversary Models for Security Protocols*

On the Evolution of Adversary Models for Security Protocols*. Virgil D. Gligor Electrical and Computer Engineering University of Maryland College Park, MD. 20742 gligor@umd.edu Florida State University Tallahassee, FL. 32306 May 5, 2005.


Presentation Transcript


  1. On the Evolution of Adversary Models for Security Protocols*
     Virgil D. Gligor
     Electrical and Computer Engineering, University of Maryland, College Park, MD. 20742
     gligor@umd.edu
     Florida State University, Tallahassee, FL. 32306
     May 5, 2005
     *based on joint work with H. Chan, B. Parno and A. Perrig

  2. Overview
     1. A Security Perspective with some Old Examples
        New Technologies ~> New Vulnerabilities ~> New Adversary Models … <~> New Security Protocol Analysis Methods and Tools
        (“~>” = almost always implies)
     2. A New Example
        - New Technology: sensor networks
        - New Vulnerabilities: (variable number of) nodes captured and replicated
        - New Application: distributed sensing
        - New Adversary: different from both Dolev-Yao and Byzantine adversaries
        - New Tools: emergent properties, protocols
     3. Conclusions

  3. A Security Perspective and some Old Examples
     Technology ~> Vulnerability ~> Adversary <~> Methods & Tools
     - Technology: sharing programs & data; computing utility (early – mid ’60s)
       Vulnerability: confidentiality and integrity breaches; system penetration; DoS instances
       Adversary: untrusted user programs (TH)
       Methods & Tools: sys. vs. user mode (’62 ->); rings, sec. kernel (’65, ’67); FHM (’75) theory/tool (’91)*; DoS instances ex. (’67-’75); acc. policy models (’71 ->)
     - Technology: shared services, e.g., DBMS, net. prot. (early - mid ’70s)
       Vulnerability: denial of service; os, net. protocols
       Adversary: untrusted user processes; concurrent, coord. attacks
       Methods & Tools: DoS general def. (’83-’85)*; formal spec. & verif. (’88)*; models (’92 ->)
     - Technology: PCs, LANs; public-domain Crypto (early – mid ’70s)
       Vulnerability: read, modify, block, replay, forge messages
       Adversary: man-in-the-middle, untrusted user processes; active, adaptive, mobile adv.
       Methods & Tools: informal: NS, DS (’78–81); semi-formal: DY (’81); Byzantine (’82 –>); crypto models (’84->)*; auth. prot. analysis (87->)
     - Technology: internetworking; E2E argument (mid – late ’80s)
       Vulnerability: large-scale effects: worms, viruses, DDoS (e.g., flooding)
       Adversary: distributed, coordinated attacks
       Methods & Tools: virus scans, tracebacks, intrusion detection (mid ’90s ->)
     - etc.

  4. A Security Perspective …
     Long delays …
       New Technology ~> New Vulnerability ~> New Adversary Model <~> New Analysis Method & Tools
       +O(years) +/- O(months) +O(years)
     … cause problems
       New Technology ~> New Vulnerability
       Old Adversary Model
       Reuse of Old (Secure) Protocols
       mismatch

  5. New Technology: Sensor Networks
     1. Ease of Scalable Deployment and Extension
        - simply drop sensors at desired locations
        - net. connectivity => neither administrative intervention nor base-station interaction
        - key sharing => simple neighbor discovery protocols, path keys
        - comm.: radio broadcast => Adv. cannot block-modify-retransmit
     2. Nodes: Low-Cost, Commodity Hardware
        - low cost => physical node shielding is impractical => ease of access to internal node state
          (Q: how good should physical node shielding be to prevent access to a sensor’s internal state? A: most likely, impractically good)
     3. Unattended Node Operation in Hostile Areas
        => adversary can capture & replicate nodes, insert replicas at chosen locations within a network

  6. A New Attack: Node Capture and Replication
     [Figure: neighborhoods i, j and k; a captured node; links labelled “shared key outside neighborhood”.]

  7. A New Attack: Node Capture and Replication (ctnd.)
     [Figure: neighborhoods i, j and k; the captured node; Node Replica 1 and Node Replica 2.]
     Note: Replica IDs are cryptographically bound to pre-distributed keys and cannot be changed

  8. New (Replication) vs. Old (Dolev-Yao) Adversary
     Old (Dolev-Yao) Adversary can
     - control network operation
     - man-in-the-middle: read, replay, forge, block, modify, insert messages anywhere in the network
     - send/receive any message to/from any legitimate principal (e.g., node)
     - act as a legitimate principal of the network
     Old (Dolev-Yao) Adversary cannot
     - perform unbounded computations
     - perform cryptanalysis; e.g., discover a legitimate principal’s secrets
     - capture and coerce the behavior of legitimate principals’ nodes
     - replicate nodes adaptively, modify network and trust topology
     New (Replication) Adversary =/= Old (Dolev-Yao) Adversary
     - can block/modify/insert messages only at specific node (replica) locations
     - replicated nodes can adaptively modify network and trust topology

  9. Distributed Sensing: A New Application and its Adversary
     Application: a set of m sensors observe and signal a global event
     - each sensor broadcasts “1” whenever it senses the global event; else, it does nothing
     - if t broadcasts are “1,” all m sensors signal the event; else they do nothing
     Operational Constraints
     - absence of the global event cannot be sensed (e.g., no periodic “0” broadcasts)
     - no PKI => no authenticated broadcast (Note: no PKI =/= no PK encryption)
     - threshold t is a constant not greater than m
     - broadcasts are reliable and synchronous (i.e., counted in sessions)
     Adversary Goals:
     - violate integrity (i.e., any set of t < m false broadcasts)
     - deny service (i.e., suppress m-t+1 broadcasts)
     New (Distributed-Sensing) Adversary
     - captures insider nodes (i.e., any of the m): forge, replay or suppress broadcasts (within same or across different sessions)
     - increases broadcast membership: increases m with outsider nodes
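The threshold rule and the two adversary goals on slide 9 can be checked with a small model. This is an added example, not part of the original slides; the function names are illustrative, and counting each inserted replica as one extra broadcaster is an assumption made here.

```python
# Added example: model of the threshold rule for one distributed-sensing session.
# Names are illustrative; counting each replica as one extra broadcaster is an
# assumption made here, not something the slides specify.

def ones_counted(event, m, captured, replicas=0):
    """Count the "1" broadcasts heard in one session.

    Honest sensors broadcast "1" only when the event occurred. Captured
    sensors and replicas act against the truth: silent on a real event,
    broadcasting "1" when there is none.
    """
    if not 0 <= captured <= m:
        raise ValueError("captured must be between 0 and m")
    if replicas < 0:
        raise ValueError("replicas must be non-negative")
    honest = m - captured
    return honest if event else captured + replicas

def outcome(event, m, t, captured, replicas=0):
    """Classify a session as correct, integrity violated, or service denied."""
    if not 1 <= t <= m:
        raise ValueError("threshold t must satisfy 1 <= t <= m")
    signalled = ones_counted(event, m, captured, replicas) >= t
    if signalled == event:
        return "correct"
    return "integrity violated" if signalled else "service denied"

def first_break(event, m, t, replicas=0):
    """Smallest number of captured insiders that makes the session go wrong."""
    for captured in range(m + 1):
        if outcome(event, m, t, captured, replicas) != "correct":
            return captured
    return None

if __name__ == "__main__":
    m, t = 10, 4  # constructed parameters
    print("false event, no replicas:", first_break(False, m, t))
    print("real event:", first_break(True, m, t))
    print("false event, 2 replicas:", first_break(False, m, t, replicas=2))
```

With no replicas the break points are t captured nodes for integrity and m-t+1 for denial of service, matching the adversary goals on the slide; replicas lower the integrity break point because t stays constant while membership grows.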

  10. An Example of Distributed Sensing: distributed revocation decision
      Distributed Revocation Decision:
      - d local neighbors sense the misbehavior of target node with which they share a pairwise private key
      - each local neighbor broadcasts “revoke” whenever it senses target misbehavior; else, it does nothing
      - if t (<= d) broadcasts are “revoke,” all d sensors revoke their key shared with the target (and propagate “revoke” decision to non-neighbor nodes that share a pairwise private key with target); else they do nothing.
      Operational Constraints
      - absence of target misbehavior cannot be sensed
      - no PKI => no authenticated broadcast (Note: no PKI =/= no PK encryption)
      - threshold t is a constant not greater than d
      - broadcasts (and “revoke” propagations) are reliable and synchronous
      Distributed Node-Revocation Decision => Distributed Sensing

  11. New (Distributed Sensing) vs. Old (Byzantine) Adversary
      Q: Byzantine Agreement Problem (with similar operational constraints)?
      - reactive: both global event and its absence are (“1/0”) broadcast by each node
      - no PKI => no authenticated broadcast => t > 2/3m honest (not captured) nodes
      - broadcasts are reliable and synchronous (i.e., counted in sessions)
      A: No.
        Byzantine Agreement Problem =>
        => Constrained Distributed Sensing (i.e., with “1/0” broadcasts, t > 2/3m)
        (=> Constrained Distributed-Revocation Decision)
        => Distributed Sensing
      New (Distributed-Sensing) Adv. =/= Old (Byzantine) Adv.
      - new adversary need not forge, initiate, or replay “0” broadcasts
      - t < 2/3m => new integrity adversary is stronger; otherwise, same or weaker
      - new adversary may attempt to modify membership
      Note: Replication Adversary must also be countered
      - Replication Adversary => membership violation (not possible with Byzantine Adversaries)

  12. New Vulnerabilities
      1. Collusion to Subvert Applications
         - Ex. 1: subvert aggregation of sensor data; blocks legitimate transmissions, modifies and injects false data
         - Ex. 2: can subvert “distributed sensing”, e.g., sense false events, deny sensing of real events
      2. Collusion to Subvert Network Operation
         - Ex. 1: replicated nodes cooperate to block traffic & partition the network
         - Ex. 2: revokes legitimate nodes and disconnects network using legitimate, distributed-revocation protocol
      3. Circumvent Intrusion Detection (and net’s “immune” system)
         - Ex: spread abnormal behavior over multiple replicas to avoid detection

  13. Conclusions
      1. New Technologies ~> New Vulnerabilities ~> New Adversary Models … ~> New Protocol Analysis Methods and Tools
      2. Time Gap between New Technologies and New Protocol Analysis Methods and Tools is Substantial and Must be Decreased
         => must anticipate New Vulnerabilities and define Adversary Models
         => adversary models must be realistic
      4. Re-examination of Formal Methods and Analyzed Protocols is also Required if (Old) Protocols are Reused
      5. Some adversaries are best countered by “emergent detection protocols”
         - distributed node replication
         - distributed sensing adversary (that captures over t nodes)
         (viz., examples given in papers co-authored with H. Chan, B. Parno and A. Perrig)
