Modelling and Analysing Security Protocol: Lecture 4 Attacks

Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles
Tom Chothia
CWI

Today:
First Lecture: Goals for security protocol
To know if a protocol is secure you must know what it aims to achieve.
Example: Diffie-Hellman & STS Protocol.
Second Part: Attacks and Principles
Common types of attacks on protocols.
Good design principles for protocol.

Some Common Types of Attack
Eavesdropping
Modification
Replay / Preplay
Man-in-the-Middle
Reflection
Denial of Service
Typing Attack

Eavesdropping
An Eavesdropping attack only passively observes messages.
Protocols defend against Eavesdropping attacks by using encryption for confidentiality.
The attacker is a passive outsider.

Modification
A Modification attack alters or replaces some messages.
Protocols often defend against Modification attacks by using encryption for binding.

Replay / Preplay

The attacker sends a message that it has observed as part of the protocol run.
Protocols defend against replay attacks by making the message clear so that it cannot be replayed out of context.

Reflection
Reflection attacks are a kind of replay attack that use a protocol against itself.
The attacker provides the proof of authentication by challenging the challenger.

Reflection Attack Example
In this protocol A and B share the key K. They want to ensure they both take part in the protocol.
1. A -> B : { Na }K
2. B -> A : Na , { Nb }K
3. A -> B : Nb

Reflection Attack Example
1. A -> E(B) : { Na1 }K
1. E(B) -> A : { Na1 }K
2. A -> E(B) : Na1 , { Na2 }K
2. E(B) -> A : Na1 , { Na2 }K
3. A -> E(B) : Na2
3. E(B) -> A : Na2
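The reflection run above, replayed in a small symbolic model (an added example, not part of the original slides). The `bind_names` option is an assumed hardening that puts sender and receiver names inside { .. }K; the class and function names are hypothetical.

```python
import secrets

def enc(key, body):      # symbolic {body}key: opaque to anyone without the key
    return ("enc", key, body)

def dec(key, term):
    if term[0] != "enc" or term[1] != key:
        raise ValueError("cannot decrypt")
    return term[2]

class Principal:
    """Plays both roles of the three-message protocol under shared key K."""
    def __init__(self, name, key, bind_names):
        self.name, self.key, self.bind = name, key, bind_names

    def _open(self, peer, box):
        body = dec(self.key, box)
        if not self.bind:
            return body
        sender, receiver, nonce = body       # hardened: names travel inside {..}K
        if (sender, receiver) != (peer, self.name):
            raise ValueError("not a message from my peer to me")
        return nonce
    def _seal(self, peer, nonce):
        return enc(self.key, (self.name, peer, nonce) if self.bind else nonce)
    def start(self, peer):                   # 1. A -> B : {Na}K
        self.na = secrets.token_hex(8)
        return self._seal(peer, self.na)
    def respond(self, peer, msg1):           # 2. B -> A : Na, {Nb}K
        na = self._open(peer, msg1)
        self.nb = secrets.token_hex(8)
        return na, self._seal(peer, self.nb)
    def finish(self, peer, msg2):            # 3. A -> B : Nb
        na, box = msg2
        if na != self.na:
            raise ValueError("my nonce was not returned")
        return self._open(peer, box)

def reflection_attack(bind_names):
    """E holds no key; it only bounces A's own messages back at A."""
    a = Principal("A", "K", bind_names)
    m1 = a.start("B")                        # A -> E(B): intercepted
    try:
        m2 = a.respond("B", m1)              # E(B) -> A: A's message 1 opens a 2nd run
        nb = a.finish("B", m2)               # E(B) -> A: A's reply reflected into run 1
    except ValueError:
        return False                         # A rejects the reflected message
    return nb == a.nb                        # True: both runs complete, B never took part
```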

Man-in-the-Middle
In a Man-in-the-Middle attack the attacker gets in the middle of a real run of a protocol.
[Diagram: A and B, with the attacker E between them]

Denial of Service (DoS)
Every communication request uses an amount of memory and CPU.
A DoS attack tries to use up all of a server's CPU or memory by making 1,000,000s of requests.
All systems can be subject to a DoS attack...
... but some protocols can make this better or worse.

A Protocol Vulnerable to Denial of Service
A uses its public key Ka to establish a session key Kas
1. A -> S : A , Na
2. S -> A : EKa( Na , Ns, Kas )
3. A -> S : { Ns }Kas
S is particularly vulnerable to a DoS attack because for each connection it has to:
generate a nonce and a key,
perform a public key encryption,
allocate memory for the nonce and the key.

A Protocol Resistant to Denial of Service
A uses S's public key Ks to establish a session key Kas
1. A -> S : EKs( A, S, SignA( Na, Kas ) )
2. S -> A : { Na }Kas
Now A has to do the expensive encryption in order to make S do any more than a single decryption.
Therefore many more bots would be needed for a successful attack.

SYN flood DoS Attack
TCP starts a session by:
1. A -> S : SYN
2. S -> A : ACK,SYN (add A to the table of connections)
3. A -> S : ACK ( ~ 3 min. time out )
The SYN flood attack sends lots of SYN messages to S and fills its tables, therefore real requests will be ignored.

Typing Attack
In a typing attack the attacker passes off one type of message as being another.
This kind of attack may not work on a real implementation...
... but is also hard to spot.

Typing Attack Example
Andrew's secure RPC protocol is a handshake, then a key distribution:
1. A -> B : { NA }Kab
2. B -> A : { NA + 1, NB }Kab
3. A -> B : { NB + 1 }Kab
4. B -> A : { Ks , N }Kab

Typing Attack Example
1. A -> B : { NA }Kab
2. B -> A : { NA + 1, NB }Kab
3. A -> B : { NB + 1 }Kab
4. E(B) -> A : { NA + 1, NB }Kab
1. The attacker replays message 2. A now uses the wrong key...
2. ... but the attacker only learns it if NA is predictable.

Some Common Types of Attack
Eavesdropping
Modification
Replay / Preplay
Man-in-the-Middle
Reflection
Denial of Service
Typing Attack
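The typing attack on the secure RPC handshake above, as an added example that is not part of the original slides: message 2 replayed in the position of message 4, first with an untagged encoding and then with the message number bound into the protected payload. The 8-byte field sizes, the HMAC stand-in for { .. }Kab and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, secrets

KAB = secrets.token_bytes(32)    # constructed long-term key shared by A and B

def seal(first, second, msg_no=None):
    """Stand-in for {first, second}Kab: HMAC gives the integrity that matters
    here; secrecy is not modelled. msg_no, if given, is bound into the payload."""
    body = (b"" if msg_no is None else bytes([msg_no])) + first + second
    return body + hmac.new(KAB, body, hashlib.sha256).digest()

def unseal(blob, msg_no=None):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(KAB, body, hashlib.sha256).digest()):
        raise ValueError("not produced under Kab")
    if msg_no is not None:
        if body[:1] != bytes([msg_no]):
            raise ValueError("wrong message number")
        body = body[1:]
    if len(body) != 16:
        raise ValueError("expected two 8-byte fields")
    return body[:8], body[8:]

def replay_msg2_as_msg4(tagged):
    """Returns (key A accepts from the replayed message or None, NA + 1)."""
    no = (lambda n: n) if tagged else (lambda n: None)
    na, nb = secrets.token_bytes(8), secrets.token_bytes(8)
    na1 = ((int.from_bytes(na, "big") + 1) % 2**64).to_bytes(8, "big")
    msg2 = seal(na1, nb, no(2))              # 2. B -> A : {NA+1, NB}Kab
    if unseal(msg2, no(2))[0] != na1:        # A's normal check on message 2
        raise RuntimeError("handshake failed")
    try:
        ks, _ = unseal(msg2, no(4))          # 4. E(B) -> A : message 2 again
    except ValueError:
        return None, na1                     # tagged encoding: A rejects it
    return ks, na1                           # untagged: A adopts NA+1 as Ks
```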

Good Protocol Design
The best way to avoid protocol faults is to design them right in the first place.

Principle 0
The protocol must be efficient
No unnecessary encryption
Don't include messages you don't need.
Problem: Principle 0 goes against most of the other principles.

Example: Kerberos Update
An old version two of Kerberos ran as follows:
1. A -> S : A,B,NA
2. S -> A : {KAB,B,L,NA,{KAB,A,L}KBS }KAS
3. A -> B : {A,TA}KAB,{KAB,A,L}KBS
4. B -> A : {TA+1 }KAB
N.B. note the use of double encryption in 2.

Example: Kerberos Update
A newer version is:
1. A -> S : A,B,NA
2. S -> A : {KAB,B,L,NA }KAS,{KAB,A,L}KBS
3. A -> B : {A,TA}KAB,{KAB,A,L}KBS
4. B -> A : {TA+1 }KAB
Double encryption removed: it's expensive and unnecessary.

Principle 1
Every message should say what it means: the interpretation of the message should depend only on its content.
It should be possible to write down a straightforward sentence describing what the message means.

Meaning of Messages
For instance the Needham-Schroeder Protocol:
1. A -> B : EB( Na, A )
2. B -> A : EA( Na, Nb )
3. A -> B : EB( Nb )
Message 1: EX( Y, Z ) means "I am Z and I want to communicate with X using Y."
Message 2: EX( Y, Z ) means "someone wants to communicate with X using Y and Z."
EA( Na, Nb ) does not mean that B wants to communicate with A using Na & Nb because there is no reference to B.

Meaning of Messages
The corrected version fixes this:
1. A -> B : EB( Na, A )
2. B -> A : EA( Na, Nb , B )
3. A -> B : EB( Nb )
Message 2: EX( Y, Z, W ) means "I am W and I want to communicate with X using Y and Z."
Message 3: EX( Y ) means "someone accepts communication with X using Y."
Here we don't need to mention A because only A knows Nb.

Principle 2
The conditions for a message to be acted upon should be clearly set out so that someone reviewing a design may see whether they are acceptable or not.

Principle 3
If the identity of a principal is essential to the meaning of a message, it is prudent to mention the principal's name in the message.

Example of Principle 3
The following protocol lets B authenticate A using a trusted server S
1. A -> B : A
2. B -> A : Nb
3. A -> B : { Nb }Kas
4. B -> S : { A, { Nb }Kas }Kbs
5. S -> B : { Nb }Kbs

Example of Principle 3
Run in which E claims to be A:
1. E(A) -> B : A
2. B -> E(A) : Nba
3. E(A) -> B : { Nba }Kes
4. B -> S : { A, { Nba }Kes }Kbs
5. S -> B : Fail
Run in which E acts as itself:
1. E -> B : E
2. B -> E : Nbe
3. E -> B : { Nba }Kes
4. B -> S : { E, { Nba }Kes }Kbs
5. S -> B : { Nba }Kbs

Example of Principle 3
Run in which E claims to be A:
1. E(A) -> B : A
2. B -> E(A) : Nba
3. E(A) -> B : { Nba }Kes
4. B -> S : { A, { Nba }Kes }Kbs
Run in which E acts as itself:
1. E -> B : E
2. B -> E : Nbe
3. E -> B : { Nba }Kes
4. B -> S : { E, { Nba }Kes }Kbs
5. S -> B : { Nba }Kbs

Principle 4
Be clear about why encryption is being done. Encryption is not wholly cheap, and not asking precisely why it is being done can lead to redundancy. Encryption is not synonymous with security and its improper use can lead to errors.
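The two interleaved runs from the Principle 3 example above, as an added symbolic model that is not part of the original slides. It shows why the server's reply { Nb }Kbs lets B credit the wrong principal, and how an assumed hardened reply { X, Nb }Kbs that names the principal prevents it; the class and function names are hypothetical.

```python
import secrets

KEYS = {"A": "Kas", "B": "Kbs", "E": "Kes"}   # key each principal shares with S

def enc(key, body):          # symbolic {body}key
    return ("enc", key, body)

def server(request, name_principal):
    """Messages 4 and 5: S opens {X, {Nb}Kxs}Kbs and answers B."""
    _, outer_key, (claimed, inner) = request
    if outer_key != KEYS["B"] or inner[1] != KEYS[claimed]:
        return "Fail"
    nonce = inner[2]
    # Original reply is {Nb}Kbs; the hardened reply {X, Nb}Kbs names the principal.
    return enc(KEYS["B"], (claimed, nonce) if name_principal else nonce)

class B:
    def __init__(self, name_principal):
        self.fix = name_principal
        self.pending = {}                     # nonce -> identity claimed in message 1

    def challenge(self, claimed):             # 1. X -> B : X    2. B -> X : Nb
        nonce = secrets.token_hex(8)
        self.pending[nonce] = claimed
        return nonce

    def forward(self, claimed, response):     # 4. B -> S : {X, response}Kbs
        return enc(KEYS["B"], (claimed, response))

    def accept(self, reply):                  # 5. S -> B : whom does B now trust?
        if reply == "Fail":
            return None
        body = reply[2]
        if not self.fix:
            return self.pending.get(body)     # identity inferred from the nonce alone
        who, nonce = body
        return who if self.pending.get(nonce) == who else None

def interleaving_attack(name_principal):
    b = B(name_principal)
    nba = b.challenge("A")                    # run 1: E(A) -> B : A
    b.challenge("E")                          # run 2: E -> B : E
    response = enc(KEYS["E"], nba)            # E answers Nba with its own key Kes
    run1 = b.accept(server(b.forward("A", response), name_principal))
    run2 = b.accept(server(b.forward("E", response), name_principal))
    return run1, run2                         # whom B believes it authenticated
```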

Principle 5
When a principal signs material that has already been encrypted, it should not be inferred that the principal knows the content of the message. On the other hand, it is proper to infer that the principal that signs a message then encrypts it for privacy knows the content of the message.

CCITT X.509
Was used by a range of governments and banks for public key management.
A -> B : A, SignA( Ta, Na, B, Xa, EB(Ya) )
Supposed to prove that A knows the data Xa, Ya and keep Ya secret.
But A might not know Ya.

Principle 6
Be clear what properties you are assuming about nonces. What may do for ensuring temporal succession may not do for ensuring association - and perhaps association is best established by other means.

Principle 7
The use of a predictable quantity (such as the value of a counter) can serve in guaranteeing newness, through a challenge-response exchange. But if a predictable quantity is to be effective, it should be protected so that an intruder cannot simulate a challenge and later replay the response.

Principle 8
If timestamps are used as freshness guarantees by reference to absolute time, then the difference between local clocks at various machines must be less than the allowable age of a message deemed to be valid. Furthermore, the time maintenance mechanism everywhere becomes part of the trusted computing base.

Principle 9
A key may have been used recently, for example to encrypt a nonce, yet be quite old, and possibly compromised. Recent use does not make the key look any better than it would otherwise.

Needham-Schroeder Key Establishment Protocol
1. A -> B : A, B, Na
2. S -> A : { Na, B, Kab, {Kab, A}Kbs }Kas
3. A -> B : {Kab, A}Kbs
4. B -> A : { Nb }Kab
5. A -> B : { Nb + 1 }Kab

Forcing Reuse of an Old Key
I spend 1 year breaking a single key (Kab) on a super computer and then trick everyone into using that key.
3. E -> B : {Kab, A}Kbs
4. B -> E : { Nb }Kab
5. E -> B : { Nb + 1 }Kab

Principle 10
If an encoding is used to present the meaning of a message, then it should be possible to tell which encoding is being used. In the common case where the encoding is protocol dependent, it should be possible to deduce that the message belongs to this protocol, and in fact to a particular run of the protocol.

Principle 11
The protocol designers should know which trust relations their protocol depends on, and why the dependence is necessary. The reasons for particular trust relations being acceptable should be explicit.

Example for Principle 11
The Kerberos protocol fails completely if the timestamp on the key server is incorrect.
Your web-browser comes with a number of public keys for verifying the identity of websites. If these keys are compromised, then you can be tricked by spoof websites.

Today:
First Lecture: Goals for security protocol
To know if a protocol is secure you must know what it aims to achieve.
Example: Diffie-Hellman & STS Protocol.
Second Part: Attacks and Principles
Common types of attacks on protocols.
Good design principles for protocol.

Homework!
There is homework that will count 1/6 of your total grade.
Written exercises, find a couple of protocol errors, correct a protocol, and design a protocol of your own.
It is due on 28th in class.
You may e-mail me questions related to the homework.

Next Time
No lecture next week (I am presenting an attack on a protocol at a conference).
On the 28th, BAN logic: A framework and software tool for checking protocols.
