Scribd
Upload
37 views

Modelling and Analysing of Security Protocol: Lecture 1 Introductions To Modelling Protocols

This lecture introduces modeling security protocols, including notation for protocols, basic modeling rules like the attacker's abilities, and examples of protocols like Needham-Schroeder and Kerberos. It also provides a high-level overview of cryptography used in protocols, such as symmetric encryption, public key encryption, and signing. The lecture is the first in a course on designing, analyzing, and verifying secure communication protocols.

Uploaded by

Venkat Krishnan
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
37 views

Modelling and Analysing of Security Protocol: Lecture 1 Introductions To Modelling Protocols

This lecture introduces modeling security protocols, including notation for protocols, basic modeling rules like the attacker's abilities, and examples of protocols like Needham-Schroeder and Kerberos. It also provides a high-level overview of cryptography used in protocols, such as symmetric encryption, public key encryption, and signing. The lecture is the first in a course on designing, analyzing, and verifying secure communication protocols.

Uploaded by

Venkat Krishnan
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 34

Modelling and Analysing of

Security Protocol: Lecture 1

Introductions to Modelling
Protocols
Tom Chothia
CWI
This Course
This course will primarily teaching you:
How to design your own secure communication
protocols.
How to analyse protocols and look for faults.
How to use automatic tools to help you do this.

Secondary skills:
Know which protocols to use for which jobs.
Improve your system design skills.
Course Outline
This Lecture:
How we model protocols
Types of encryption used.
Lecture 2:
Types of attacks on protocols
Good protocol design
Homework ( 1/6 of total score).
Course Outline
Lecture 3:
Verifying protocols using BAN logic.
Lecture 4:
Automatically verifying protocols.
Homework ( 1/6 of total score)
Lecture 5:
Anonymity protocols.
Course Outline
Lecture 6:
Verifying probabilistic protocols in PRISM
Lecture 7:
Fair exchange & Zero knowledge
Lecture 8 to Lecture 10
Short students presentations ( 2/3 of total score )
Lecture 11
Summary
Sources

Take notes if you want but you will get handouts


with all the important details

and the slides, handouts, papers, homework


and links will be available at:

http://homepages.cwi.nl/~chothia/Teaching
This Lecture
Part 1:
Simple notation for protocols
Modelling rules
Needham-Schroeder and Kerberos protocols
Part 2:
A high level overview the to cryptography
Symmetric key encryption, public key encryptions
and signing
Abstract equation for modelling encryption
A Simple Protocol
A sends message M to B:

M
A B

written as:
A B: M
Rules
We write down protocols as a list of
messages sent between principals,
e.g.

1. A B : Hello
2. B A : Offer
3. A B : Accept
A Simple Protocol

M
A B

Message M can be read by the attacker


A Simple Protocol

M
A B

Even now!
Rule

The attacker can read all the


messages sent across the
network.
Encryption
We can keep our data safe by using
encryption:

{ M }Kab
A B

A B : { M }Kab
Rule
We can use
Encryption {M}K, EK(M)
Signing SignK(M), SK(M), MACK(M)
Hashing #(M), Hash(M)

We assume that these are prefect


cannot be broken by brute force.
Encryption
M is now secret

{ M }Kab
A B

but the protocol is not safe


Replay Attack

1: { Pay Elvis 5 }Kab


A B

1) A B : { Pay Eve 5 }Kab


Replay Attack

1: { Pay Elvis 5 }Kab


A B

E 2: { Pay Elvis 5 }Kab

1) A B : { Pay Eve 5 }Kab


2) E B : { Pay Eve 5 }Kab
Rule
The attacker can repeat any message it
see.
A Nonce
1. A
2. { Na }Kab
A B
3. {Na + 1}Kab , { Pay Elvis 5 }Kab

1. A B : A
2. B A : { Na }Kab
3. A B : { Na + 1 }Kab , { Pay Elvis 5 }Kab
Rule
We can generate nonces.

This is a new random values.

If you generate a new nonce for a


session you know that all future
messages with that include that nonce
are part of the same session.
A Nonce
1. A
2. { Na }Kab
A B
3. {Na + 1}Kab , { Pay Elvis 5 }Kab

4. A

5. { Na2 }Kab

6. {Na2 + 1}Kab , { Pay Bob 5 }Kab


A Nonce
1. A
2. { Na }Kab
A B
3. {Na + 1}Kab , { Pay Elvis 5 }Kab

4. A

5. { Na2 }Kab

6. {Na2 + 1}Kab ,
E 6. {Na2 + 1}Kab ,
{ Pay Bob 5 }Kab { Pay Elvis 5 }Kab
Rule
The attacker can run multiple rounds of the
protocol.

The attacker can


break up messages,
invent new values, keys, nonces,..
combine any of these into new message.
A Better Protocol
1. A
2. { Na }Kab
A B
3. {Na , Pay Elvis 5 }Kab

1. A B : A, Na
2. B A : { Na }Kab
3. A B : {Na, Pay Elvis 5 }Kab
Key Establishment Protocol
This was easy because A and B shared a key.

Often the principals do not share a key, in


which case we need a Key Establishment
Protocol.

This usually involves a Trust Third Party


who has a shared key with each party.
The Needham-Schroeder
Public Key Protocol
A famous authentication protocol

1. A B : EB( Na, A )
2. B A : EA( Na, Nb )
3. A B : EB( Nb )

Na and Nb can then be used to generate a


symmetric key
An Attack Against the
Needham-Schroeder Protocol
The attack acts as a man-in-the-middle:

1. A C : EC( Na, A )
1`. C(A) B : EA( Na, A )
2`. B C(A) : EA( Na, Nb )
2. C A : EA( Na, Nb )
3. A C : EC( Nb )
3`. C(A) B : EB( Nb )
The Corrected Version
A very simple fix:

1. A B : EB( Na, A )
2. B A : EA( Na, Nb )
3. A B : EB( Nb )
The Corrected Version
A very simple fix:

1. A B : EB( Na, A )
2. B A : EA( Na, Nb, B)
3. A B : EB( Nb )
Rule
The attacker can act as a participant of
the protocol.

... (sometimes)
Kerberos
A protocol for key establishment and
authentication used in Windows,
MacOS, Apache, OpenSSH, ...

1. A S : A,B,NA
2. S A : {KAB,B,L,NA,..}KAS,{KAB,A,L,..}KBS
3. A B : {A,TA}KAB,{KAB,A,L,..}KBS
4. B A : {TA+1}KAB
Kerberos
A and S share the key KAS and B and S share KAS
Both A and B trust S to generate a new key for them: KAB
N is a nonce, T is a timestamp and L is an expiration time.

1. A S : A,B,NA
2. S A : {KAB,B,L,NA,..}KAS,{KAB,A,L,..}KBS
3. A B : {A,TA}KAB,{KAB,A,L,..}KBS
4. B A : {TA+1}KAB
Sources
For lectures 1 & 2 the the primary reference
material is the handouts.

This information is covered in more depth in

Paper: Prudent Engineering Practices for


Cryptographic Protocols (by Abadi & Needham)

Book: Protocols for Authentication and Key


Establishment (by Boyd & Mathuria) there are
copies in the library.
This Lecture
Part 1:
Simple notation for protocols
Modelling rules
Needham-Schroeder and Kerberos protocols
Part 2:
A high level overview of cryptography
Symmetric key encryption, public key encryptions
and signing
Abstract equation for modelling encryption

You might also like