COSC 6397 – Information Assurance

Lecture 2 Dr. Verma 1

COSC 6397 – Information Assurance

Module M2 – Protocol Specification and Verification

University of HoustonRakesh VermaLecture 2 of M2

(This work is supported in part by NSF)

Lecture 2 Dr. Verma 2

Contents of M2 Cryptographic basics Types of Protocols Security properties Taxonomy of Flaws and Attacks Specification of Protocols Specification of properties Protocol analysis

Lecture 2 Dr. Verma 3

Security Flaws Flaw – a protocol property that contradicts

the security requirements. Security flaw – a part of a program that

can cause the system to violate its security requirements. Finding security flaws demands some knowledge of the system security requirements.

The proof of a flaw is commonly known as an “attack” and it is generally presented as actions performed on the protocol.

Lecture 2 Dr. Verma 4

Freshness Attacks Occurs when a message (or message

component) from a previous run of a protocol is recorded by intruder and replayed in the current run.

Reason – critical messages used in protocol without including Nonces or timestamps.

Example – symmetric key protocol of Needham and Schroeder

Lecture 2 Dr. Verma 5

Needham-Schroeder ProtocolGoal: to convince B that A is genuinely

operational. Trusted third party S. 1. A -> S : A, B, Na2. S -> A : E(Kas: Na, B, Kab, E(Kbs:

Kab, A))3. A -> B : E(Kbs: Kab, A)4. B -> A : E(Kab: Nb) 5. A -> B : E(Kab: (Nb – 1))

Lecture 2 Dr. Verma 6

Freshness Flaw in NS Protocol Denning and Sacco in 1981. Problem is with Message 3. Nothing in

this message to indicate that it was created by S as part of the current protocol run.

Assume Z knows previously distributed K’ab (compromised by cryptanalysis).

Z monitors and records E(Kbs: K’ab, A)

Lecture 2 Dr. Verma 7

Freshness Flaw in NS Protocol Notation: Z(A) – Z acting in place

of A.

3. Z(A) -> B: E(Kbs: K’ab, A)4. B -> Z(A): E(K’ab: Nb)5. Z(A) -> B: E(K’ab: Nb – 1)

Lecture 2 Dr. Verma 8

Type Flaws Messages consist of a sequence of fields

each with some value. Extraction of message fields requires knowledge of their types. Message is implemented as a sequence of bits, so to extract the first field, we need its type/length.

Such information can be implicit -- receiver has previous knowledge about the message’s fields, their types and positions.

Another solution -- represent types explicitly in the transmitted data structure.

Lecture 2 Dr. Verma 9

Type Flaws Type flaws – when an adversary can

induce the receiver to infer message component types which are different from the real ones.

Andrew Secure RPC Protocol, provides a good example of this class of flaws.

1. A -> B : A, E(Kab: Na) 2. B -> A : E(Kab: Na + 1, Nb) 3. A -> B : E(Kab, Nb + 1)4. B -> A : E(Kab: K’ab, N’b)

Lecture 2 Dr. Verma 10

Type Flaws (contd.) Notation: Mn – Message n. If nonces and keys are represented as

bit vectors of same length (e.g. 128 bits), then intruder Z can record M2, intercept M3 and replay M2 as M4.

1. A -> B : A, E(Kab: Na) 2. B -> A : E(Kab: Na + 1, Nb) 3. A -> Z(B) : E(Kab, Nb + 1)4. Z(B) -> A : E(Kab: Na + 1, Nb)

Lecture 2 Dr. Verma 11

Andrew Secure RPC Protocol Protocol is flawed in other ways as

well. Example – M4 of a previous run

can be recorded and replayed. (BAN 1989)

What kind of attack is that? Answer – Freshness Attack.

Lecture 2 Dr. Verma 12

Parallel Session Attacks Flaw – when the protocol dialog

allows an adversary to know some secret information or to predict the content of some encrypted messages.

Attack – when >= 2 runs are executed concurrently and messages from one are used to form messages in another.

Lecture 2 Dr. Verma 13

Example of || Session Attack One way authentication protocol.

Goal: convince A that B is operational.

1. A -> B: E(Kab: Na)2. B -> A: E(Kab: Na+1)

Lecture 2 Dr. Verma 14

Parallel Session Attacks Intruder Z can play role of B both

as responder and initiator. Attack works by starting another run in response to initial challenge.

1.1 A -> Z(B): E(Kab: Na)2.1 Z(B) -> A: E(Kab: Na)2.2 A -> Z(B): E(Kab: Na+1)1.2 Z(B) -> A: E(Kab: Na+1)

Lecture 2 Dr. Verma 15

Parallel Session Attacks At the least, A now believes that B

is operational. In fact, B may no longer exist. In this attack, Z used A to do some

work for Z. “Poses question to A”. A acts as an oracle (since always

provides correct answer). Attack also called an oracle attack.

Lecture 2 Dr. Verma 16

Implementation Dependent Attacks Cryptosystems used within protocols

are supposed to be perfect, modulo a set of properties containing at least integrity and confidentiality.

However, these conditions are not sufficient for some protocols, because their security can be severely affected by the implementation adopted for cryptographic functions.

Lecture 2 Dr. Verma 17

Implementation Dep. Attacks The interaction between cryptosystems

and cryptographic protocols has not been deeply studied – open area of research.

However, clearly, speaking of the security of a protocol combination with respect to a specific cryptosystem is better than speaking of the security of a protocol in absolute.

Lecture 2 Dr. Verma 18

Example – Impl. Dep. Attack Proposed by Shamir, Rivest and Adleman:1. A -> B : E(Ka: M)2. B -> A : E(Kb: E(Ka: M))3. A -> B : E(Kb: M) Assume that we use the XOR function to

encrypt messages. E(K: M) = M xor K. Since k xor k = 0, the decrypting

operation is the same: D(K: E(K: M)) = (M xor k) xor k = M.

Lecture 2 Dr. Verma 19

Example – Imp. Dep. Attack The intent of this protocol is to

transmit a secret message M from principal A to principal B.

However, if we compute the XOR of the three messages used in this protocol E(Ka: M) xor E(Kb: E(Ka: M)) xor E(Kb: M)), the result is M (the message which is supposed to be secret).

Lecture 2 Dr. Verma 20

Binding Flaws In public key cryptography, the integrity

of public keys is paramount. Assume your public key is Ky and

intruder’s public key is Ki. If intruder can convince others that your public key is Ki, then they will encrypt secret information using Ki, which the intruder can read.

To avoid such a flaw, a verifiable binding between agents and public keys must be established.

Lecture 2 Dr. Verma 21

Binding Flaws Generally, in distributed systems, a

trusted server is in charge of key distribution. Each principal uses an authentication protocol to get public keys of other principals from the server.

However, if authentication protocol is not carefully designed, binding flaws occur. Example:

1. A -> S : A, B, Na2. S -> A : S, E(Ks-1: S, A, Na, Kb)

Lecture 2 Dr. Verma 22

Binding Attack All components are concatenated and

encrypted under S’s private key allowing the principal playing the role A to be sure about the origin of the message. S sent in clear to tell A which public key to use for decryption.

Attack (shown by Hwang and Chen):1.1 A -> Z(S) : A, B, Na2.1 Z(A) -> S : A, Z, Na2.2 S -> Z(A) : S, E(Ks-1: S, A, Na, Kz)1.2 Z(S) -> A : S, E(Ks-1: S, A, Na, Kz)

Lecture 2 Dr. Verma 23

Binding Attack Suggest a simple fix for this

problem.

Answer: Include the name of the party in M2 whose public key is being sent.

M2 should be: S, E(Ks-1: S, A, Na, B, Kb)

Lecture 2 Dr. Verma 24

Repudiation Flaws A protocol contains a repudiation flaw if at

least one principal is able to deny its participation in any run of this protocol.

An example of this category of flaws is the coin-flip protocol (Toussaint). It can be used by 2 principals to toss a coin over a phone:

1. B -> A: choice of Heads or Tails.2. A chooses a key Ka and A -> B: E(Ka:

Heads) , E(Ka: Tails).3. B chooses arbitrarily one of E(Ka: Heads) ,

E(Ka: Tails) and sends his choice, say X, to A.

Lecture 2 Dr. Verma 25

Repudiation Flaw Example 4. A decrypts X, compares result with B’s

initial choice and sends Ka to B.5. B decrypts X and compares result with his

initial choice. The probability that A wins is equal to B’s

(1/2) as shown by Toussaint. However, in this protocol, the result of the

game is known by A before B. So, if A discovers she has lost, she can abort the protocol at step 4 and never reveal Ka to B.

Lecture 2 Dr. Verma 26

Other Flaws Elementary Flaws: Some cryptographic protocols

provide only marginal protection against an adversary. In general, this category of protocols is breakable with a little effort. (Arbitrary!)

A little protection or a non-protection of a protocol leads in almost all the cases to so-called elementary flaws. Simple example:

1 A -> B : E(Ka-1: Na, Kab) 2 B -> A : E(Kab: Na) Proposed by Nesset to highlight a limitation of

BAN logic as a tool for cryptographic protocol analysis.

Lecture 2 Dr. Verma 27

Other Flaws Aim of this protocol is to exchange a

secret key Kab between A and B. Flaw in this protocol is obvious since

Kab is transmitted in a message encrypted under A’s private key.

Then, all other principals can read the content of this message and the key that is supposed to be secret is in fact a broadcasted information.

Lecture 2 Dr. Verma 28

Other Flaws Password Guessing Flaws: occur if it is

easy for an adversary to guess a secret key. An intruder can do an exhaustive search in a word space smaller than the whole key space to look for keys that are not randomly selected.

This category of flaws is independent from the protocol design but related to cryptographic techniques used to generate keys.

Lecture 2 Dr. Verma 29

Other Flaws Calculi Flaws: Normally, after

receiving a message, the receiver does some verification in order to know if this received message is expected or not.

However, if these computations are not completed or not correctly done, then a calculi flaw could arise.

Lecture 2 Dr. Verma 30

Protocol Analysis Approaches Four types of approaches (Meadows)

Type I – model and verify the protocol using specification languages and verification tools not specific to cryptographic protocols (Kemmerer, Varadharajan)

Type II – develop expert systems that protocol designer can use to investigate different scenarios (Millen et al., Longley and Rigby)

Lecture 2 Dr. Verma 31

Protocol Analysis Approaches

Type III – model the requirements of a protocol family using logics developed for the analysis of knowledge and belief (BAN logic)

Type IV – formal model based on algebraic term rewriting properties of cryptographic systems (Dolev and Yao, Meadows, … )

Type I is least popular, Type III is most common. We will study a Type IV approach.

Lecture 2 Dr. Verma 32

Basic Steps in Analysis1. Protocol specification - Model the parties

in the protocol, including the Intruder 2. Security Property specification -

Formulate the security goals as a specification the systems should specify

3. Protocol Analysis - Apply available verification techniques, e.g., model checking or theorem proving to establish that protocol meets specification or find a counterexample

Lecture 2 Dr. Verma 33

Protocol Specification Specification language – Prolog Prolog – Horn clause logic. A Prolog

program consists of a set of Horn clauses and a query or goal

A Horn clause is of the form P :- q1, … , qn. Read as: “If q1 and q2 … and qn, then

P.”

Lecture 2 Dr. Verma 34

Prolog – Simple ExampleProgram:ancestor(A, A).ancestor(A, B) :- edge(A, X), ancestor(X, B).edge(a, b). edge(a, c). edge(d, a). Goal: ancestor(Y, b).Prolog uses unification to solve goals.Unification: compute substitution that

makes 2 terms identical.

Lecture 2 Dr. Verma 35

Prolog – Preliminaries Variables: begin with uppercase or

with _ Na, Nb, A, B, _a are variables a, na, nb, b are non-variable terms

variable are terms

Lecture 2 Dr. Verma 36

Prolog – Preliminaries Complex terms can be built using

predicate (function) symbols: pk(b) is a non-variable term (pk is a

function symbol) pk(B) Nb*pk(B) is the same as *(Nb, pk(B)):

* is an infix-operator send(Nb*pk(B))

Lecture 2 Dr. Verma 37

Learning by Example: Needham-Schroeder

1. A->B : [A, Na]*pk(B)2. B->A : [Na, Nb]*pk(A)3. A->B : [Nb]*pk(B)

Notation [t1, t2]: pairing (these are lists in

PROLOG) msg*k: asymmetric encryption pk(A): public key of A

Lecture 2 Dr. Verma 38

Roles

A -> B : [A, Na]*pk(B)B -> A : [Na, Nb]*pk(A)A -> B : [Nb]*pk(B)

Here we have 2 ROLES one INITIATOR (A) one RESPONDER (B)

A’s role is specified as a sequence of EVENTS

Lecture 2 Dr. Verma 39

Events events are actions, two kind:

send(t) recv(t) t is a term (a message)

the crucial part of a role is a list of actions: [recv([A, B]), send([A,Na]*pk(B)), recv([Na,Nb]*pk(A)), send(Nb*pk(B))]

Lecture 2 Dr. Verma 40

Specifying a Role Fixed (abstract) notation:

name(Variables) = [Actions].

E.g.initiator(A,B,Na,Nb) = [ send([A,Na]*pk(B)),

recv([Na,Nb]*pk(A)),send(Nb*pk(B))].

The tool notation is different! (compiler notation vs abstract notation)

Lecture 2 Dr. Verma 41

The Responder How does the responder look like? Just exchange “send” and “recv”

responder(A,B,Na,Nb) = [ recv([A,Na]*pk(B)),

send([Na,Nb]*pk(A)), recv(Nb*pk(B))]).

Any name is good (not only “responder”) Notice ALL THESE VARIABLES!

names & nonces are not fixed roles are parametric

Lecture 2 Dr. Verma 42

Summarizing: We specified the roles of NS:

initiator(A,B,Na, Nb), responder(A,B,Na,Nb)

Lecture 2 Dr. Verma 43

Summarizing: We still have to specify how the session

looks like how many initiators & how many responders

NB: a recent result by Comon-Lundh & Cortier states that 2 agents are sufficient (but give no limit on the number of sessions)

The names of the agents are there agents playing both as initiator

and responders? We need to define a scenario

Lecture 2 Dr. Verma 44

Primary References A short course, “Verification of

Security Protocols,” by S. Etalle “A survey of Authentication

Protocol Literature” by J. Clark and J. Jacob