Lecture 1 Dr. Verma 1
COSC 6397 – Information Assurance
Module M2 – Protocol Specification and Verification
University of Houston
Rakesh Verma
Lecture 1 of M2
(This work is supported in part by NSF)
Contents of M2
- Cryptographic basics
- Types of protocols
- Security properties
- Taxonomy of flaws and attacks
- Specification of protocols
- Specification of properties
- Protocol analysis
Cryptographic Basics
- General principles: sender, receiver, plaintext, ciphertext, encryption, decryption, etc.
- Symmetric key (or secret key) cryptography
- Public key (or asymmetric) cryptography
- One-way hash algorithms
(All of these were covered in module M1?)
Cryptographic Basics (contd.)
- Sender – one who sends
- Receiver – one who receives
- Plaintext – message to be sent. Notation: P or M
- Ciphertext – encoding of P or M. Notation: C
Cryptographic Basics (contd.)
- Encryption – the process of disguising a message to hide its contents. Notation: E(M) = C
- Decryption – the process of decoding C to recover M. Notation: D(C) = M
- Basic identity: D(E(M)) = M
Cryptographic Basics (contd.)
- Cryptography – the art and science of keeping messages secure
- Cryptographic algorithm – the function used for encryption and decryption. Either restricted (secret) or unrestricted (published); unrestricted algorithms are our focus.
- Unrestricted – based on a key K: E_K and D_K. The keys for encryption and decryption can be different.
Cryptographic Basics (contd.)
- Symmetric key cryptography – the encryption key can be computed from the decryption key or vice versa. Special case: the two keys are the same. Key(s) must be kept secret!
- Public key cryptography – the encryption key is public; the decryption key is not. The decryption key should be hard to compute from the encryption key!
Cryptographic Basics (contd.)
- One-way functions – functions that are easy to compute but hard to invert
  - Computing f(x), given x, is easy
  - Computing x, given f(x), is hard
  This sounds easy, but we have no proof that such functions exist! We will pretend they do.
- Trapdoor one-way functions – one-way functions such that computing x, given f(x) and some additional information y (the trapdoor), is easy
Cryptographic Basics (contd.)
- Notation: 1-way for one-way
- 1-way hash functions – a hash function that is also a 1-way function.
- A good 1-way hash function is also collision-free.
- The security of a 1-way hash function is its 1-wayness.
pro·to·col n.
1. a. The forms of ceremony and etiquette observed by diplomats and heads of state.
   b. A code of correct conduct: safety protocols; academic protocol.
2. The first copy of a treaty or other such document before its ratification.
3. A preliminary draft or record of a transaction.
4. The plan for a course of medical treatment or for a scientific experiment.
5. Computer Science. A standard procedure for regulating data transmission between computers.
Protocols
- Protocol – a series of steps involving two or more parties to accomplish a task.
  - Must be unambiguous
  - Must be complete in some sense (a specified action for lots of possible situations).
- Each step is either a computation or a message
- Parties may distrust each other
Types of Protocols
- Our protocols are cryptographic – they use cryptography to prevent eavesdropping, cheating, etc.
- The goal of the protocol is beyond secrecy. Examples: simultaneously sign a contract, convince one another of their identity, etc.
- Protocols can be classified in many ways, according to: the parties involved, the purpose, the environment, etc.
Classification by Parties
- Arbitrated protocols
- Adjudicated protocols
- Self-enforcing protocols
Arbitrated Protocols
- Arbitrated protocols – have an arbitrator, a disinterested third party trusted to complete a protocol.
- Easier if the parties are face to face. Over computer networks this results in delay and overheads.
- The arbitrator becomes a bottleneck. Scaling issues.
- The arbitrator is vulnerable.
Adjudicated Protocols
- Adjudicated protocols – a two-stage protocol with:
  - A nonarbitrated subprotocol
  - An arbitrated subprotocol, executed only in exceptional circumstances – a dispute. This kind of arbitrator is called an adjudicator.
- The adjudicator is only called in to judge fair execution of the protocol. It detects cheating rather than preventing it.
- Good adjudicated protocol – the adjudicator should be able to determine the cheater's identity.
Self-enforcing Protocols
- Self-enforcing protocols – the protocol itself guarantees fairness.
- No arbitrator or adjudicator – if one party cheats, the others detect the cheating.
- The best type of protocol. Does not exist for every situation.
- Exercise: Find a situation for which there are no self-enforcing protocols.
Protocol Classification by Aim
- Key-exchange protocols
- Authentication protocols
- Authentication and key-exchange protocols
- Electronic commerce protocols
- …
Key Exchange Protocols
- The goal is to distribute keys for secure sessions, channels, communication, etc.
- Classical key exchange protocols: TMN, symmetric Needham-Schroeder, Denning-Sacco
- Deployed protocols: Kerberos IV, SSL/TLS
The TMN Protocol (1990) (Tatebayashi-Matsuzaki-Newman)
- Suitable for networks, mobile computing.
- Symmetric. Trusted server S. Parties don't have long-term keys.
- Randomly chosen keys KA, KB, etc.
- Standard encryption function E(.), invertible only by the server.
- Vernam encryption function V(., .) with V(M, V(M, N)) = N
The TMN Protocol
1. A → S : A, S, B, E(KA)
2. S → B : S, B, A
3. B → S : B, S, A, E(KB)
4. S → A : S, A, B, V(KA, KB)
A extracts KB from message 4. The parties should agree on the session key chosen by B.
An Implementation of TMN
- n = p·q, where p, q are primes
- E(x) = x^3 mod n
- S knows the 2 prime factors of n
- V(x, y) = x exclusive-or y
Protocol looks good, but has big flaws!
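The following is an added example, not code from the lecture: an honest run of the four TMN messages with the implementation just given (E(x) = x^3 mod n, V(x, y) = x XOR y). The primes p, q and the keys KA, KB are constructed toy values, and the way the server S inverts E (the RSA-style exponent d = 3^-1 mod (p-1)(q-1), derived from the factors S knows) is an assumption of this example; the slides only say that E is invertible by the server.

```python
# Added example (not from the lecture): honest run of the TMN protocol
# with E(x) = x^3 mod n and V(x, y) = x XOR y.  All numbers are
# constructed toy parameters.
from math import gcd
import secrets


def make_server(p: int, q: int):
    """Server S keeps the factors of n; that is its trapdoor for inverting E.

    Assumption (mine): S inverts the cube with d = 3^-1 mod (p-1)(q-1),
    the usual RSA construction.  Returns (n, decrypt)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(3, phi) != 1:
        raise ValueError("3 must be invertible mod phi(n) for x -> x^3 to be a bijection")
    d = pow(3, -1, phi)  # modular inverse, Python 3.8+

    def decrypt(c: int) -> int:
        return pow(c, d, n)

    return n, decrypt


def E(x: int, n: int) -> int:
    """Public encryption function from the slides: x^3 mod n."""
    return pow(x, 3, n)


def V(x: int, y: int) -> int:
    """Vernam function from the slides: XOR, so V(M, V(M, N)) = N."""
    return x ^ y


def run_tmn(p: int, q: int, ka: int, kb: int) -> dict:
    """Execute messages 1-4 of TMN and report what A and B hold afterwards."""
    n, server_decrypt = make_server(p, q)
    if not (1 < ka < n and 1 < kb < n):
        raise ValueError("keys must lie strictly between 1 and n")
    transcript = []
    # 1. A -> S : A, S, B, E(KA)
    m1 = ("A", "S", "B", E(ka, n))
    transcript.append(m1)
    # 2. S -> B : S, B, A
    m2 = ("S", "B", "A")
    transcript.append(m2)
    # 3. B -> S : B, S, A, E(KB)
    m3 = ("B", "S", "A", E(kb, n))
    transcript.append(m3)
    # S is the only party that can invert E; it recovers both keys.
    ka_at_s = server_decrypt(m1[3])
    kb_at_s = server_decrypt(m3[3])
    # 4. S -> A : S, A, B, V(KA, KB)
    m4 = ("S", "A", "B", V(ka_at_s, kb_at_s))
    transcript.append(m4)
    # A extracts KB from message 4 via the Vernam identity V(KA, V(KA, KB)) = KB.
    kb_at_a = V(ka, m4[3])
    return {
        "n": n,
        "transcript": transcript,
        "session_key_at_A": kb_at_a,
        "session_key_at_B": kb,
    }


if __name__ == "__main__":
    # Constructed toy parameters (far too small for real use).
    P, Q = 65537, 104729
    N = P * Q
    KA = secrets.randbelow(N - 2) + 2   # random key in (1, n)
    KB = secrets.randbelow(N - 2) + 2
    result = run_tmn(P, Q, KA, KB)
    for msg in result["transcript"]:
        print(msg)
    print("A and B agree on KB:",
          result["session_key_at_A"] == result["session_key_at_B"])
```

Running it prints the four messages and confirms that A ends up with the session key B chose. Note that only the ciphertexts E(KA), E(KB) and the XOR V(KA, KB) travel on the wire; what a protocol analysis has to decide is whether those three values, together with the public cube function, keep KB from anyone other than S and A, which is exactly the question the next lectures take up.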
Authentication Protocols
- Authentication protocols – for authentication of parties (principals)
- Authentication – assurance of who you are talking to
- Examples of specific aims:
  - To make sure that those obtaining a session key are who they say they are
  - To make sure that the principal you think has the key does have it.
Authentication Protocols
- Passwords or shared keys are typically used by system administrators
- Authentication can be a byproduct of a key-exchange protocol
- Some authentication protocols: Feige-Fiat-Shamir (1987), Guillou-Quisquater (1988), Schnorr (1989)
Guillou-Quisquater Protocol
- Smart cards and other applications
- Alice wants to prove her identity, a bit string J, to Victor
- Public information: an exponent v and a number n (n = p·q, p and q primes)
- Private key: B, with J·B^v ≡ 1 (mod n)
Guillou-Quisquater Protocol
A → V : J (the prover wants to show that this J is hers)
1. A → V : T = r^v mod n (1 < r < n − 1, r random)
2. V → A : d (0 < d < v − 1, d random)
3. A → V : D = r·B^d mod n
4. V computes T' = D^v·J^d mod n. If T ≡ T' (mod n), authentication succeeds.
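As an added example (not code from the lecture), the four steps above in Python, plus the key-generation step the slides leave implicit. Deriving B from J requires the factors of n, so the derivation B = (J^-1)^(v^-1 mod φ(n)) mod n is my assumption about how a trusted authority issues the private key; the slides state only the relation J·B^v ≡ 1 (mod n). The primes, the exponent v = 7 and the identity J = 123456 are constructed toy values. The example also runs a prover holding a wrong B, to show that the check in step 4 rejects it.

```python
# Added example (not from the lecture): Guillou-Quisquater identification
# with the verifier check T' = D^v * J^d mod n.  Toy parameters throughout.
from math import gcd
import secrets


def gq_setup(p: int, q: int, v: int):
    """Public modulus n = p*q and the secret phi(n); v must be invertible mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(v, phi) != 1:
        raise ValueError("v must be coprime to phi(n) so that v-th roots are unique")
    return n, phi


def gq_private_key(J: int, n: int, phi: int, v: int) -> int:
    """Issue Alice's private key B with J * B^v = 1 (mod n).

    Assumption (mine): B = (J^-1)^(v^-1 mod phi) mod n, computed by whoever
    knows phi(n).  The identity J must be a unit modulo n."""
    if gcd(J, n) != 1:
        raise ValueError("J must be coprime to n")
    j_inv = pow(J, -1, n)          # Python 3.8+ modular inverse
    u = pow(v, -1, phi)            # v-th root exponent
    B = pow(j_inv, u, n)
    assert (J * pow(B, v, n)) % n == 1  # the relation on the slide
    return B


def gq_commit(r: int, v: int, n: int) -> int:
    """Step 1: T = r^v mod n."""
    return pow(r, v, n)


def gq_respond(r: int, B: int, d: int, n: int) -> int:
    """Step 3: D = r * B^d mod n."""
    return (r * pow(B, d, n)) % n


def gq_verify(T: int, D: int, d: int, J: int, v: int, n: int) -> bool:
    """Step 4: accept iff D^v * J^d = T (mod n)."""
    return (pow(D, v, n) * pow(J, d, n)) % n == T


def gq_round(J: int, B: int, v: int, n: int, r: int, d: int) -> bool:
    """One full round with a fixed r (prover's randomness) and d (verifier's challenge)."""
    T = gq_commit(r, v, n)          # A -> V
    D = gq_respond(r, B, d, n)      # V -> A : d ; A -> V : D
    return gq_verify(T, D, d, J, v, n)


if __name__ == "__main__":
    P, Q, V_EXP = 65537, 104729, 7        # constructed toy parameters
    N, PHI = gq_setup(P, Q, V_EXP)
    J = 123456                            # Alice's identity string, as an integer
    B = gq_private_key(J, N, PHI, V_EXP)
    r = secrets.randbelow(N - 3) + 2      # 1 < r < n - 1
    d = secrets.randbelow(V_EXP - 2) + 1  # 0 < d < v - 1
    print("honest prover accepted:   ", gq_round(J, B, V_EXP, N, r, d))
    print("wrong private key accepted:", gq_round(J, (B + 1) % N, V_EXP, N, r, d))
```

Why the check works: D^v·J^d = r^v·B^(vd)·J^d = r^v·(J·B^v)^d = r^v = T, so an honest Alice always passes. A prover without B can only guess, and since v is coprime to φ(n) the map x → x^v is a bijection on the units mod n, so a wrong B cannot produce the same T' for a given challenge d; the small v on the slide (d ranges over 0 < d < v − 1) is why a real deployment repeats the round or uses a larger v.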
3 Important Concepts
- Security
- Privacy
- Reliability
Security
- Security – the control of information. Ensures that:
  - Authorized parties are properly authenticated
  - Their messages are sent through a network unaltered.
- In a secure system the origin, content and intended recipients of a message can be ensured.
- Security is not privacy.
Privacy
- Privacy – the subject of information can control the information.
- Privacy requires security, but security is not sufficient.
- Security may preclude privacy! (by assuring that the subjects of information have neither control nor knowledge of the uses of that information)
Reliability
- Reliability – provide certainty in the presence of network failures, memory losses and adversaries.
- Reliability and security are interdependent.
- Reliability is not security. Reliable protocols on unsecure servers provide reliable services to attackers as well as to authentic users.
- Reliable electronic commerce requires fail-proof transactions.
Security Properties
- Authentication – the receiver of a message should be able to ascertain its origin. An intruder should not be able to masquerade as someone else. Implemented using shared information or the ability to prove unique information (PINs and passwords).
- Secrecy – confidentiality. If a message is confidential it can be read only by its intended recipients. Eavesdropping is difficult or useless.
Security Properties (contd.)
- Integrity – the receiver of a message can verify that it has not been modified in transit. Integrity alone is not security.
- Availability – a system must be available; availability can be compromised by malicious hackers, network failures or commercial espionage.
- Nonrepudiation – a party cannot reasonably claim not to have taken an action. Example: sender falsely denies sending a
Reliability Properties
- Atomicity – indivisibility. An atomic transaction either fails completely or succeeds completely.
- Consistency – all relevant parties agree on the critical facts of the exchange.
- Isolation – the result of a set of overlapping transactions must be serializable.
- Durability – a transaction can recover to its last consistent state.
Other Properties
Other properties may also be needed. For example, in electronic commerce, certified delivery, goods atomicity, etc. are also required.
Primary References
- Bruce Schneier, Applied Cryptography
- Linda Jean Camp, Privacy and Reliability in Electronic Commerce, PhD dissertation, CMU