Share this document with a friend

Description:

COSC 6397 – Information Assurance. Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 1 of M2 (This work is supported in part by NSF). Contents of M2. Cryptographic basics Types of Protocols Security properties Taxonomy of Flaws and Attacks - PowerPoint PPT Presentation

Embed Size (px)

Popular Tags:

of 34
/34

Transcript

Lecture 1 Dr. Verma 1

COSC 6397 – Information Assurance

Module M2 – Protocol Specification and Verification

University of HoustonRakesh VermaLecture 1 of M2

(This work is supported in part by NSF)

Lecture 1 Dr. Verma 2

Contents of M2 Cryptographic basics Types of Protocols Security properties Taxonomy of Flaws and Attacks Specification of Protocols Specification of properties Protocol analysis

Lecture 1 Dr. Verma 3

Cryptographic Basics General principles

Sender, receiver, plaintext, ciphertext, encryption, decryption, etc.

Symmetric key (or secret key) cryptography

Public key (or asymmetric) cryptography One-way hash algorithmsAll of these were covered in module M1?

Lecture 1 Dr. Verma 4

Cryptographic Basics (contd.) Sender – one who sends Receiver – one who receives Plaintext – message to be sent,

Notation: P or M Ciphertext – encoding of P or M,

Notation: C

Lecture 1 Dr. Verma 5

Cryptographic Basics (Contd.) Encryption – the process of

disguising a message to hide its contents Notation: E(M) = C

Decryption – the process of decoding C to recover M Notation: D(C) = M

Basic Identity: D(E(M)) = M

Lecture 1 Dr. Verma 6

Cryptographic Basics (contd.) Cryptography – the art and science

of keeping messages secure Cryptographic algorithm – function

used for encryption and decryption. Restricted (secret) or Unrestricted

(published) our focus Unrestricted – based on a key K. EK and

DK. The key for encryption and decryption can be different.

Lecture 1 Dr. Verma 7

Cryptographic Basics (contd.) Symmetric key cryptography –

encryption key can be computed from the decryption key or vice versa. Special case: the two keys are the same. Key(s) must be kept secret!

Public key cryptography – encryption key is public the decryption key is not. Decryption key should be hard to compute

from the encryption key!

Lecture 1 Dr. Verma 8

Cryptographic Basics (contd.) One-way functions – functions that are

easy to compute but hard to invert Computing f(x), given x, is easy Computing x, given f(x), is hardThis sounds easy, but we have no proof that such functions exist! We will pretend

they do. Trapdoor one-way functions – one-way

functions such that Computing x, given f(x) and some y, is easy

Lecture 1 Dr. Verma 9

Cryptographic Basics (contd.) Notation: 1-way for one-way 1-way hash functions – A hash

function that is also a 1-way function.

A good 1-way hash function is also collision-free.

Security of a 1-way hash function is its 1-wayness.

Lecture 1 Dr. Verma 10

pro·to·col Pronunc… (…) n.1.

a. The forms of ceremony and etiquette observed by diplomats and heads of state.

b. A code of correct conduct: safety protocols; academic protocol.

2. The first copy of a treaty or other such document before its ratification.

3. A preliminary draft or record of a transaction. 4. The plan for a course of medical treatment or for

a scientific experiment. 5. Computer Science. A standard procedure for

regulating data transmission between computers.

Lecture 1 Dr. Verma 11

Protocols Protocol – a series of steps involving

two or more parties to accomplish a task. Must be unambiguous Must be complete in some sense

(specified action for lots of possible situations).

Each step is either a computation or a message

Parties may distrust each other

Lecture 1 Dr. Verma 12

Types of Protocols Our protocols are cryptographic – use

cryptography for preventing eavesdropping, cheating, etc.

Goal of the protocol is beyond secrecy. Examples: simultaneously sign a contract,

convince one another of their identity, etc. Protocols can be classified in many ways

According to: parties involved, the purpose, the environment, etc.

Lecture 1 Dr. Verma 13

Classification by Parties Arbitrated protocols

Adjudicated protocols

Self-enforcing protocols

Lecture 1 Dr. Verma 14

Arbitrated Protocols Arbitrated protocols – have an

arbitrator, a disinterested third party trusted to complete a protocol. Easier if parties are face to face. Over computer networks this results in

delay and overheads. Arbitrator becomes a bottleneck. Scaling issues. Arbitrator is vulnerable.

Lecture 1 Dr. Verma 15

Adjudicated Protocols Adjudicated protocols – A two stage

protocol with: A nonarbitrated subprotocol An arbitrated subprotocol executed only in

exceptional circumstances – a dispute. This kind of arbitrator is called adjudicator

Adjudicator only called in to judge fair execution of protocol. Detects cheating rather than preventing.

Good adjudicated protocol – adjudicator should be able to determine cheater’s identity

Lecture 1 Dr. Verma 16

Self-enforcing Protocols Self-enforcing protocols – protocol

itself guarantees fairness. No arbitrator or adjudicator – if one party

cheats, the others detect the cheating. Best type of protocol. Do not exist for every situation.

Exercise: Find a situation for which there are no self-enforcing protocols.

Lecture 1 Dr. Verma 17

Protocol Classification by Aim Key-exchange protocols Authentication protocols Authentication and Key exchange

protocols Electronic Commerce protocols …

Lecture 1 Dr. Verma 18

Key Exchange Protocols Goal is to distribute keys for secure

sessions, channels, communication, etc. Classical key exchange protocols

TMN Symmetric Needham-Schroeder Denning-Sacco

Deployed Protocols Kerberos IV SSL/TLS

Lecture 1 Dr. Verma 19

The TMN Protocol (1990)(Tatebayashi-Matsuzaki-Newman)

Suitable for networks, mobile computing. Symmetric. Trusted Server S. Parties don’t have long term keys. Randomly chosen keys KA , KB , etc. Standard encryption function E(.),

invertible only by server. Vernam encryption function V(., .)

V(M, V(M, N)) = N

Lecture 1 Dr. Verma 20

The TMN Protocol1. A S : A, S, B, E(KA)2. S B : S, B, A3. B S : B, S, A, E(KB)4. S A : S, A, B, V(KA , KB) A extracts KB from message 4. Parties should agree on the session

key chosen by B.

Lecture 1 Dr. Verma 21

An Implementation of TMN n = p.q, p, q are primes E(x) = x3 mod n S knows the 2 prime factors of n V(x , y) = x exclusive-or y

Protocol looks good, but has big flaws!

Lecture 1 Dr. Verma 22

Authentication Protocols Authentication protocols – for

authentication of parties (principals) Authentication – assurance of who you

are talking to Examples of specific aims:

To make sure that those obtaining a session key are who they say they are

Make sure that the principal you think has the key does have it.

Lecture 1 Dr. Verma 23

Authentication Protocols Passwords or shared keys typically

used by system administrators Authentication can be a byproduct

of a key-exchange protocol Some authentication protocols

Feige-Fiat-Shamir (1987) Guillou-Quisquater (1988) Schnorr (1989)

Lecture 1 Dr. Verma 24

Guillou-Quisquater Protocol Smart-cards and other applications Alice wants to prove her identity,

bit string J, to Victor Public information: exponent v,

and a number n (n = p.q, p and q primes)

Private key: B, with JBv = 1 (mod n)

Lecture 1 Dr. Verma 25

Guillou-Quisquater Protocol A V : JP wants to prove that this J is hers1. A V: T = rv mod n (1 < r < n - 1, r

random)2. V A: d (0 < d < v – 1, d random)3. A V: D = rBd mod n4. V computes T’ = DvJd mod n. If T = T’

(mod n), authentication succeeds.

Lecture 1 Dr. Verma 26

3 Important Concepts Security

Privacy

Reliability

Lecture 1 Dr. Verma 27

Security Security – the control of information.

Ensures that: Authorized parties are properly authenticated Their messages are sent through a network

unaltered. In a secure system the origin, content

and intended recipients of a message can be ensured.

Security is not privacy.

Lecture 1 Dr. Verma 28

Privacy Privacy – the subject of information

can control the information. Privacy requires security, but security

is not sufficient. Security may preclude privacy! (by

assuring that the subjects of information have neither control nor knowledge of the uses of that information)

Lecture 1 Dr. Verma 29

Reliability Reliability – provide certainty in the

presence of network failures, memory losses and adversaries. Reliability and security are interdependent. Reliability is not security. Reliable protocols

on unsecure servers provide reliable services to attackers as well as authentic users.

Reliable electronic commerce requires fail-proof transactions.

Lecture 1 Dr. Verma 30

Security Properties Authentication – receiver of a message

should be able to ascertain its origin. An intruder should not be able to masquerade

as someone else. Implemented using shared information or

ability to prove unique information (PINs and passwords).

Secrecy – confidentiality. If a message is confidential it can be read only by intended recipients. Eavesdropping is difficult or useless

Lecture 1 Dr. Verma 31

Security Properties (contd.) Integrity – receiver of a message can verify

that it has not been modified in transit. Integrity alone is not security.

Availability – a system must be available availability can be compromised by malicious

hackers, network failures or commercial espionage.

Nonrepudiation – a party cannot reasonably claim not to have taken an action. Example: sender falsely denies sending a

message.

Lecture 1 Dr. Verma 32

Reliability Properties Atomicity – indivisibility. An atomic

transaction either fails completely or succeeds completely.

Consistency – all relevant parties agree on critical facts of the exchange.

Isolation – result of a set of overlapping transactions must be serializable

Durability – a transaction can recover to its last consistent state.

Lecture 1 Dr. Verma 33

Other PropertiesOther properties may also be needed. For example, in Electronic Commerce Certified Delivery Goods Atomicity Etc.are also required.

Lecture 1 Dr. Verma 34

Primary References Bruce Schneier, Applied

Cryptography Linda Jean Camp, Privacy and

Reliability in Electronic Commerce, PhD dissertation, CMU

Recommended