Lecture 1. Introduction to cryptographic protocols

(1)

Lecture 1. Introduction to cryptographic protocols

S P Suresh, Chennai Mathematical Institute [email protected]

Topics in Security August – November 2017

August 16, 2017

Suresh Lecture 1. Introduction to cryptographic protocols Topics in Security 1 / 23

(2)

Administrative details

• Aim:Learn about formal modelling and verification of cryptographic protocols

• Instructors:S P Suresh and Vaishnavi Sundararajan

• Evaluation:Assignments (3×15), take-home exam (30), programming project (25)

• Moodle page: to be set up

(3)

Outline

1 What are security protocols?

2 A key establishment protocol

(4)

What are security protocols?

Outline

(5)

What are security protocols?

• Systematic sequence of message exchanges to achieve a goal.

• Based on cryptographic tools.

• Distinct from cryptography schemes.

(6)

The domain of cryptography

• Transform a plain text to cipher text in such a way that it is computationally very difficult to compute the inverse without the key.

• With public key cryptography and digital signatures, one has a reasonable assurance of secrecy and authenticity.

• Cryptanalysis: attacks on cryptographic schemes, involve sophisticated mathematical techniques and computing power.

• Works at the level of messages.

• The connection between different messages is not the concern of cryptography.

(7)

An example security protocol

Msg 1. A→B:{x}_k_b Msg 2. B→A:{x}_k_a

• To be distinguished from a mere sequence of (signed and) encrypted communcations.

• The two messages are part of one logical entity: with thexproviding the connection.

• Authentication protocols are typically run prior to a secure session, to establish identities, keys, etc.

(8)

An example security protocol

Msg 1. A→B:{x}_k_b Msg 2. B→A:{x}_k_a

• To be distinguished from a mere sequence of (signed and) encrypted communcations.

• The two messages are part of one logical entity: with thexproviding the connection.

• Authentication protocols are typically run prior to a secure session, to establish identities, keys, etc.

(9)

A key establishment protocol

Outline

(10)

The basic setting

• AandBwish to share a session key,

despite the machinations ofI(the malicious intruder).

• They are aided in this by the trusted serverS.

• A,B, andSdo not engage in activity that deliberately compromises the security of the key.

• Sis trusted to generate a random, unguessable key.

(11)

The basic setting

• AandBwish to share a session key, despite the machinations ofI(the malicious intruder).

(12)

The basic setting

(13)

The basic setting

(14)

The basic setting

(15)

The goals

• At the end of the protocol, the value of the session key should be known to bothAandB, but to none else saveS.

• AandBshould have some assurance that the key is newly generated.

(16)

The goals

• At the end of the protocol, the value of the session key should be known to bothAandB, but to none else saveS.

• AandBshould have some assurance that the key is newly generated.

(17)

A first attempt

Msg 1. A→S:A,B Msg 2. S→A:k_ab Msg 3. A→B:k_ab,A

(18)

The hidden assumptions

• Only the messages passed in a successful run of the protocol are specified.

• There is no description of what happens if a message of the wrong format is received, or if no message is received at all.

• There is no specification of the internal actions of the different principals.

(19)

The hidden assumptions

(20)

The hidden assumptions

(21)

Defects in our first protocol

• Obvious breach of secrecy.

• Security Assumption:Iis able to eavesdrop on all messages sent in a cryptographic protocol.

• Need to usecryptographyto provide secrecy.

(22)

Defects in our first protocol

(23)

Defects in our first protocol

(24)

A second attempt

• Use the shared keysk_asandk_bs:

Msg 1. A→S:A,B

Msg 2. S→A:{k_ab}_k_as,{k_ab}_k_bs Msg 3. A→B:{k_ab}_k_bs,A

• k_asis assumed to be known only toAandS. Similarly withk_bs.

(25)

A second attempt

• Use the shared keysk_asandk_bs:

Msg 1. A→S:A,B

Msg 2. S→A:{k_ab}_k_as,{k_ab}_k_bs Msg 3. A→B:{k_ab}_k_bs,A

• k_asis assumed to be known only toAandS. Similarly withk_bs.

(26)

Some modelling assumptions

• Messages are not treated as bit strings, but as symbolic terms.

• Perfect encryption assumed:Idoes not engage in cryptanalysis.

• She learnsmfrom{m}_konly if she has the inverse ofk.

• Moreover, it is usually assumed that{m}_k={m^′}_k′only ifm=m^′andk=k^′. SoIcannot learn secrets by accident.

• But still,Imight exploitprotocol loopholesto learn secrets.

(27)

Some modelling assumptions

(28)

Some modelling assumptions

(29)

Some modelling assumptions

(30)

Some modelling assumptions

(31)

Breach of authentication

• Security Assumption:Iis able to alter all the messages sent in the public channel. She can also re-route any message to any principal. She can also generate and insert completely new messages.

• Breach of authentication …

Msg 1. A→S:A,B

Msg 2. S→A:{k_ab}_k_as,{k_ab}_k_bs Msg 3. A→(I)B:{k_ab}_k_bs,A Msg 3. I→B:{k_ab}_k_bs,I

• Bis led to the mistaken belief that she shares the key withI.

(32)

Breach of authentication

Msg 1. A→S:A,B

(33)

Breach of authentication

Msg 1. A→S:A,B

(34)

Another attack!!

• Security Assumption:Imight be a legitimate member of the community, for all we know.

• No principal knows that she is indeed a hacker.

• A leak …

Msg 1. A→(I)S:A,B Msg 1. I→S:A,I

Msg 2. S→I:{k_ai}_k_as,{k_ai}_k_is Msg 2. (I)S→A:{k_ai}_k_as,{k_ai}_k_is Msg 3. A→(I)B:{k_ai}_k_is,A

(35)

Another attack!!

• A leak …

(36)

Another attack!!

• A leak …

(37)

Fixing the leak

• Include the identity of the partner in the messages.

Msg 1. A→S:A,B

Msg 2. S→A:{k_ab,B}_k_as,{k_ab,A}_k_bs Msg 3. A→B:{k_ab,A}_k_bs

• AreI’s previous attempts quelled by the new design?

(38)

Fixing the leak

• Include the identity of the partner in the messages.

Msg 1. A→S:A,B

Msg 2. S→A:{k_ab,B}_k_as,{k_ab,A}_k_bs Msg 3. A→B:{k_ab,A}_k_bs

• AreI’s previous attempts quelled by the new design?

(39)

Replays …

• ButIhas a very old trick to counter this.

Msg 1. A→S:A,B

Msg 2. (I)S→A:{k^′_ab,B}_k_as,{k^′_ab,A}_k_bs Msg 3. A→B:{k^′_ab,A}_k_bs

• Security Assumption:Iis able to obtain the value of the session keyk_abused in any sufficiently old previous run of the protocol.

(40)

Replays …

• ButIhas a very old trick to counter this.

Msg 1. A→S:A,B

Msg 2. (I)S→A:{k^′_ab,B}_k_as,{k^′_ab,A}_k_bs Msg 3. A→B:{k^′_ab,A}_k_bs

• Security Assumption:Iis able to obtain the value of the session keyk_abused in any sufficiently old previous run of the protocol.

(41)

Why is the replay attack bad?

• IfImanages to breakk^′_abin the time between the two sessions,AandBare in for a lot of trouble!

• Even if the key is not broken, what if the next message in the original session was{“Deposit Rs. 10000 from my account intoI’s”}_k^′

ab?

• EnablesIto replay it in the later session, with obvious effects.

(42)

Why is the replay attack bad?

ab?

(43)

Why is the replay attack bad?

ab?

(44)

Challenge-response with nonces

• Anonceis a random value generated by one party and returned to that party to show that a message is newly generated.

• TheNeedham-Schrödershared-key protocol Msg 1. A→S:A,B,m

Msg 2. S→A:{k_ab,B,m,{k_ab,A}_k_bs}_k_as Msg 3. A→B:{k_ab,A}_k_bs,A

Msg 4. B→A:{n}_k_ab Msg 5. A→B:{n−1}_k_ab

(45)

Challenge-response with nonces

• Anonceis a random value generated by one party and returned to that party to show that a message is newly generated.

• TheNeedham-Schrödershared-key protocol Msg 1. A→S:A,B,m

Msg 2. S→A:{k_ab,B,m,{k_ab,A}_k_bs}_k_as Msg 3. A→B:{k_ab,A}_k_bs,A

Msg 4. B→A:{n}_k_ab Msg 5. A→B:{n−1}_k_ab

(46)

Denning-Sacco

• Bdoes not have direct contact withS…

• and therefore …

Msg 3. (I)A→B:{k^′_ab,A}_k_bs Msg 4. B→(I)A:{n}_k^′

ab

Msg 5. (I)A→B:{n−1}_k′ ab

(47)

Denning-Sacco

• Bdoes not have direct contact withS…

• and therefore …

Msg 3. (I)A→B:{k^′_ab,A}_k_bs Msg 4. B→(I)A:{n}_k^′

ab

Msg 5. (I)A→B:{n−1}_k′ ab

(48)

A fifth attempt

• LetBget a freshness assurance directly fromS.

Msg 1. B→A:B,n Msg 2. A→S:A,B,m,n

Msg 3. S→A:{k_ab,B,m}_k_as,{k_ab,A,n}_k_bs Msg 4. A→B:{k_ab,A,n}_k_bs

• Is this protocol “correct”?

• How do we prove correctness of protocols in general?

(49)

A fifth attempt

(50)