Home >Documents >Security Analysis of Network Protocols John Mitchell Stanford University.

Security Analysis of Network Protocols John Mitchell Stanford University.

Date post:20-Dec-2015
View:213 times
Download:2 times
Share this document with a friend
  • Slide 1
  • Security Analysis of Network Protocols John Mitchell Stanford University
  • Slide 2
  • Computer Security Research Malicious Code MDS/MLS Situational Understanding OODA Semantic Assurance Formalized Design Intrusion Detection IA Sensors Survivable Network Infrastructures Physical Security Autonomic Response Policy Course of Action Projection Auto Forensics Cyber Control Panel Dynamic Coalitions Law Enforcemen t Policy Protective Mechanisms Crypto Composable Trust Open Source Strategies Cyber Sensor Exploitation Intrusion Tolerance Cyber Strategy Lifecycle Attacks Insider ? ? Security of Mobile Agents Privacy Web Services
  • Slide 3
  • Security Protocols uChallenge-response ISO 9798-1,2,3; Needham-Schroeder, uAuthentication Kerberos uKey Exchange SSL handshake, IKE, JFK, IKEv2, uWireless and mobile computing Mobile IP, WEP, 802.11i uElectronic commerce Contract signing, SET, electronic cash,
  • Slide 4
  • Needham-Schroeder Protocol { A, NonceA } { NonceA, NonceB } { NonceB} KaKa Kb Result: A and B share two private numbers not known to any observer without Ka -1, Kb -1 AB Kb
  • Slide 5
  • Anomaly in Needham-Schroeder AE B { A, Na } { Na, Nb } { Nb } Ke Kb Ka Ke Evil agent E tricks honest A into revealing private key Nb from B. Evil E can then fool B. [Lowe]
  • Slide 6
  • Needham-Schroeder Lowe { A, NonceA } { NonceA, B, NonceB } { NonceB} Ka Kb AB Authentication? Secrecy? Replay attack Forward secrecy? Denial of service? Identity protection?
  • Slide 7
  • IKE subprotocol from IPSEC A, (g a mod p) B, (g b mod p) Result: A and B share secret g ab mod p AB m1 m2, signB(m1,m2) signA(m1,m2) Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks
  • Slide 8
  • Ticket 2 Ticket 1 Kerberos Protocol Client KDC Service TGS {Kt} Kc C TGS {Ks} Kt {C} Kt S {C} Ks Ktgs Kc Kv {C, Ks} Kv {C, Kt} Ktgs {C, Ks} Kv {C, Kt} Ktgs
  • Slide 9
  • Protocol layer over TCP/IP Network interface Transport (TCP) Physical layer Internet (IP) Applicationtelnet httpftp nntp SSL Common use: https = http over SSL
  • Slide 10
  • Handshake Protocol ClientHello C S C, Ver C, Suite C, N C, Suite S, N S, S, K S ServerHello S C Ver S, Suite S, N S, sign CA { S, K S } ClientVerify C S sign CA { C, V C } { Ver C, Secret C } N S sign C { Hash( Master(N C, N S, Secret C ) + Pad 2 + N S Hash(Msgs + C + Master(N C, N S, Secret C ) + Pad 1 )) } (Change to negotiated cipher) N S ServerFinished S C { Hash( Master(N C, N S, Secret C ) + Pad 2 + N S Hash( Msgs + S + Master(N C, N S, Secret C ) + Pad 1 )) } N S ClientFinished C S { Hash( Master(N C, N S, Secret C ) + Pad 2 + N S Hash( Msgs + C + Master(N C, N S, Secret C ) + Pad 1 )) } SKSSKS S Master(N C, N S, Secret C )
  • Slide 11
  • Mobile IPv6 Architecture IPv6 Mobile Node (MN) Corresponding Node (CN) Home Agent (HA) Direct connection via binding update uAuthentication is a requirement uEarly proposals weak
  • Slide 12
  • Wireless Authentication: Robust Security Network Association uPre-RSNA Poor Security 802.11 Authentication Wired Equivalent Protocol CRC MIC (Message Integrity Code) uRSNA Better Security 802.1x Authentication Key Management Improved MIC scheme, data encryption
  • Slide 13
  • RSNA Sub-protocols Ethernet Access Point Radius Server Laptop computer Wireless 4-way Key management 802.11 Association 802.11x Authentication (1) MAC Disabled, Port Blocked (2) MAC Enabled, Port Blocked (3) MAC Enabled, Port Blocked, PMK generated in STA and AS AS move PMK to AP Secure Communication (4) MAC Enabled, Port Allowed, PTK := KCK|KEK|TK
  • Slide 14
  • Optimistic contract signing uTrusted third party can force contract Third party can declare contract binding if presented with first two messages. AB I am going to sign the contract Here is my signature
  • Slide 15
  • B A m1= sign(A, c, hash(r_A) ) sign(B, m1, hash(r_B) ) r_A r_B Agree A B Network T Abort ??? ResolveAttack? B A Net T sig T (m 1, m 2 ) m1m1 ??? m2m2 A T Asokan-Shoup-Waidner protocol If not already resolved a 1 sig T (a 1,abort)
  • Slide 16
  • B A PCS A (text,B,T) PCS B (text,A,T) sig A (text) sig B (text ) Agree A B Network T m 1 = PCS A (text,B,T) Abort ??? ResolveAttack B A Net T PCS A (text,B,T) sig B (text) PCS A (text,B,T) ??? PCS B (text,A,T) B T sig T (abort) abort AND sig B (text) abort Leaked by T Garay, Jakobsson, MacKenzie
  • Slide 17
  • STS Family Derivation m=g x, n=g y k=g xy STS 0H STS a STS aH STS H STS 0 STS PH JFK 1 distribute certificates cookie open responder JFK 0 symmetric hash JFKi protect identities JFKr STS P Properties: Certificates from CA Shared secret: g ab Identity protection DoS protection Reverse ID protection
  • Slide 18
  • Protocol Analysis uComputational approaches (insightful, no tools) Proof methods of Bellare-Rogaway, Mauer Canetti, Backes-Pfitzmann-Waidner u BAN and related axiomatic approaches uMethods grounded in symbolic execution Assume perfect cryptography Protocol determines set of traces Arbitrary number of principals plus intruder Enumerate, search, or reason about this set
  • Slide 19
  • Run of protocol A B Initiate Respond C D Correct if no security violation in any run Attacker
  • Slide 20
  • Explicit Intruder Method Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Find error? Assurance?
  • Slide 21
  • Automated Finite-State Analysis uDefine finite-state system Bound on number of steps Finite number of participants Nondeterministic adversary with finite options uPose correctness condition Can be simple: authentication and secrecy Can be complex: contract signing uExhaustive search using verification tool Error in finite approximation Error in protocol No error in finite approximation ???
  • Slide 22
  • Finite-state limitations uTwo sources of infinite behavior Many instances of participants, multiple runs Message space or data space may be infinite uFinite approximation Assume finite participants Example: 2 clients, 2 servers Assume finite message space Represent random numbers by r1, r2, r3, Do not allow encrypt(encrypt(encrypt()))
  • Slide 23
  • State Reduction on N-S Protocol
  • Slide 24
  • Model Checking Studies uStandard academic benchmarks Needham-Schroeder, TMN, Kerberos - uRealistic network protocols SSL 3.0, with resumption protocol uContract signing protocols Asokan-Shoup-Waidner, Garay-Jakobsson-MacKenzie uWireless networking Authenticated Mobile IPv6 802.11i
  • Slide 25
  • CS259 Term Projects iKP protocol familyElectronic votingXML Security IEEE 802.11i wireless handshake protocol Onion RoutingElectronic Voting Secure Ad-Hoc Distance Vector Routing An Anonymous Fair Exchange E-commerce Protocol Key Infrastructure Secure Internet Live Conferencing Windows file-sharing protocols Homework
  • Slide 26
  • Analysis Methods Modeling detail Number of sessions Complexity of protocol
  • Slide 27
  • Protocol analysis spectrum LowHigh Low Modeling detail Protocol complexity Mur FDR NRL Athena Hand proofs Paulson Strand spaces BAN logic Spi-calculus Poly-time calculus Model checking Multiset rewriting with Protocol logic
  • Slide 28
  • Protocol derivation uProtocol derivation Build security protocols by combining parts from standard sub-protocols. uProof of correctness Prove protocols correct using logic that follows steps of derivation.
  • Slide 29
  • Example uConstruct protocol with properties: Shared secret Authenticated Identity Protection DoS Protection uDesign requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)
  • Slide 30
  • Component 1 uDiffie-Hellman A B: g a B A: g b Shared secret (with someone) A deduces: Knows(Y, g ab) (Y = A) Knows(Y,b) Authenticated Identity Protection DoS Protection
  • Slide 31
  • Component 2 uChallenge Response: A B: m, A B A: n, sig B {m, n, A} A B: sig A {m, n, B} Shared secret (with someone) Authenticated A deduces: Received (B, msg1) Sent (B, msg2) Identity Protection DoS Protection
  • Slide 32
  • Composition uISO 9798-3 protocol: A B: g a, A B A: g b, sig B {g a, g b, A} A B: sig A {g a, g b, B} Shared secret: g ab Authenticated Identity Protection DoS Protection m := g a n := g b
  • Slide 33
  • Refinement uEncrypt signatures: A B: g a, A B A: g b, E K {sig B {g a, g b, A}} A B: E K {sig A {g a, g b, B}} Shared secret: g ab Authenticated Identity Protection DoS Protection
  • Slide 34
  • Transformation uUse cookie: JFK core protocol A B: g a, A B A: g b, hash KB {g b, g a } A B: g a, g b, hash KB {g b, g a } E K {sig A {g a, g b, B}} B A: g b, E K {sig B {g a, g b, A}} Shared secret: g ab Authenticated Identity Protection DoS Protection MQV GDOI [Meadows, Pavlovic] uWork in progress SSL verificati">
  • Sample projects using this method uKey exchange STS family, JFK, IKEv2 Diffie-Hellman -> MQV GDOI [Meadows, Pavlovic] uWork in progress SSL verification Wireless 802.11i
  • Slide 50
  • Symbolic vs Computational model uSuppose |- [actions] X If a protocol P satisfies invariants , then if X does actions, will be true uSymbolic soundness No idealized adversary acting against perfect cryptography can make fail uComputational soundness No probabilistic polytime adversary can make fail with nonnegligible probability
  • Slide 51
  • Conclusions uSecurity Protocols Subtle, critical, prone to error uAnalysis methods Model checking Practically useful; brute force is a good thing Limitation: find errors in small configurations Protocol derivation Systematic development of certain classes of protocols Proof methods Time-consuming to use general logics Special-purpose logics can be sound, useful Cryptographic foundations Scientific challenge; currently hot area
  • Slide 52
  • Collaborators on work described uFormer and current students Vitaly Shmatikov, Ulrich Stern Nancy Durgin, Anupam Datta, Ante Derek Ajith Ramanathan, Changhua He, uOutside Stanford Andre Scedrov (U Penn) Patrick Lincoln (SRI) Dusko Pavlovic (Kestrel)
Popular Tags:
of 51/51
Security Analysis of Network Protocols John Mitchell Stanford University
Embed Size (px)