A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

Similar documents
A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

Control Flow Analysis of Security Protocols (I)

A Logic of Authentication

Notes on BAN Logic CSG 399. March 7, 2006

Time-Bounding Needham-Schroeder Public Key Exchange Protocol

A Calculus for Control Flow Analysis of Security Protocols

Analysis and Reconstruction of Attacks on Authentication Protocols. Master Thesis by Nikolaj Hjelm Kaplan

Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania

Analysis of Security Protocols by Annotations

Models and analysis of security protocols 1st Semester Security Protocols Lecture 6

Primitives for authentication in process algebras

A Logic of Authentication. Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989

Verification of the TLS Handshake protocol

BAN Logic A Logic of Authentication

Proving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory

Proving Properties of Security Protocols by Induction

Verification of Security Protocols in presence of Equational Theories with Homomorphism

Exam Security January 19, :30 11:30

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool

Strand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Extending ProVerif s Resolution Algorithm for Verifying Group Protocols

Preliminary Proceedings

A Cryptographic Decentralized Label Model

Analysing privacy-type properties in cryptographic protocols

Practice Assignment 2 Discussion 24/02/ /02/2018

Notes for Lecture 17

A derivation system and compositional logic for security protocols

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC

An Efficient Cryptographic Protocol Verifier Based on Prolog Rules

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Quantum Wireless Sensor Networks

A process algebraic analysis of privacy-type properties in cryptographic protocols

CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL

CPSC 467: Cryptography and Computer Security

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Abstract Specification of Crypto- Protocols and their Attack Models in MSR

+ = OTP + QKD = QC. ψ = a. OTP One-Time Pad QKD Quantum Key Distribution QC Quantum Cryptography. θ = 135 o state 1

KEY DISTRIBUTION 1 /74

CS 395T. Probabilistic Polynomial-Time Calculus

One Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete

Lecture 11: Key Agreement

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

On the Verification of Cryptographic Protocols

Cryptographical Security in the Quantum Random Oracle Model

Cryptography IV: Asymmetric Ciphers

Models for an Adversary-Centric Protocol Logic

Lecture 1: Introduction to Public key cryptography

CPSC 467b: Cryptography and Computer Security

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Discrete Logarithm Problem

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

A New Wireless Quantum Key Distribution Protocol based on Authentication And Bases Center (AABC)

Lecture 28: Public-key Cryptography. Public-key Cryptography

Typed MSR: Syntax and Examples

Private Authentication

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

2 Message authentication codes (MACs)

APPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.

CPSA and Formal Security Goals

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

The Elliptic Curve in https

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

Discrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols

Analysing Layered Security Protocols

Public Key Cryptography

A simple procedure for finding guessing attacks (Extended Abstract)

Lecture 3,4: Multiparty Computation

Probabilistic Model Checking of Security Protocols without Perfect Cryptography Assumption

CPSC 467: Cryptography and Computer Security

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

The Laws of Cryptography Zero-Knowledge Protocols

Complexity of Checking Freshness of Cryptographic Protocols

CPSC 467b: Cryptography and Computer Security

TAuth: Verifying Timed Security Protocols

Quantum threat...and quantum solutions

Lecture Notes, Week 6

Smooth Projective Hash Function and Its Applications

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality

Lecture 15 - Zero Knowledge Proofs

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

A Verifiable Language for Cryptographic Protocols

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Automated Verification of Privacy in Security Protocols:

An Introduction. Dr Nick Papanikolaou. Seminar on The Future of Cryptography The British Computer Society 17 September 2009

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

A Semantics for a Logic of Authentication. Cambridge, MA : A; B

MASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY

A compositional logic for proving security properties of protocols

Solutions to the Midterm Test (March 5, 2011)

Introduction to Cryptography. Lecture 8

Transcription:

ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University of Denmark 1 Dipartimento di Informatica, Università di Pisa 2 ASIAN 07 Doha, December 2007

Replay Attacks in s (Bob, Alice, Msg) (Carol, Alice, Msg)

Needham-Schroeder Invented in 1978 Flaw discovered in 1981 1. A S : A, B, N a 2. S A : {N a,b,k,{k, A} Kb } Ka 3. A B : {A, K} Kb 4. B A : {N b } K 5. A B : {N b 1} K 6. A B : {Msg} K Key distribution steps: The key should be known to both A and B Authentication steps: A and B make sure that they both know the key Message exchange step

Needham-Schroeder The Denning-Sacco Attack 1. A S : A, B, N a 2. S A : { N a,b,k,{k, A} Kb } Ka 3. A B : {A, K} Kb 4. B A : { N b } K 5. A B : { N b 1} K 6. A B : {Msg} K An old session key K is leaked 1.... 2.... 3. M(A) B : {A, K 0 } Kb 4. B M(A) : {N b } K 0 5. M(A) B : {N b 1} K 0 6. M(A) B : {Msg} K 0 A is convinced that K is fresh B believes he is talking to A! No such guarantee for B

protocol narrations Whole Picture Lysa Lysa Find the Denning-Saccoattack in lessthan 3 sec Dolev-Yao Control Flow Analysis

Calculus One global channel 1. A S : A, B, N a sender receiver payload ha, S, A, B, N a i. 2. S A : {N a,b,k,{k, A} Kb } Ka 3. A B : {A, K} Kb 4. B A : {N b } K 5. A B : {N b 1} K 6. A B : {Msg} K ha, B, {A, K} Kb i. pattern matching variable binding (A, B; y). decrypt y as {A; k} Kb in... P = P A P B P S

Session Identifiers protocol run 1 ha, S, N a i. (A, S; x). protocol run 2 ha, S, N a i. (A, S; x).

Session Identifiers protocol run 1 [ha, S, N a i.] 1 [(A, S; x).] 1 protocol run 2 [ha, S, N a i.] 2 [(A, S; x).] 2

Session Identifiers protocol run 1 T ([ha, S, N a i.] 1 ) T ([(A, S; x).] 1 ) protocol run 2 T ([ha, S, N a i.] 2 ) T ([(A, S; x).] 2 )

F T Dipartimento di Informatica - Università di Pisa Calculus Stops when reaching n or x F Terms E E Processes P P T Stops when reaching 0 or! F([{N} K ] s )={[N] s } [K]s T ([hni.0!((; x).0)] s )= T ([hni.0] s ) T([!((; x).0)] s )= h[n s ]i.0 [!((; x).0)] s 1. A S : A, B, N a ha, S, A, B, N a i. 2. S A : {N a,b,k,{k, A} Kb } Ka 3. A B : {A, K} Kb 4. B A : {N b } K 5. A B : {N b 1} K ha, B, {A, K} Kb i. (A, B; y). decrypt y as {A; k} Kb... in P = P A P B P S P =[!P ] 0 Unfold once in each semantics step 6. A B : {Msg} K

Freshness Property Equality with sessin IDs ingnored Extract the session ID E 0 E 0 0 E 1 E 0 1 R(I(E 0 ), I(E 0 0)) R(I(E 1 ), I(E 0 1)) decrypt [{E 1, E 2 } E0 ] s as {E 0 1 ; x 2} E 0 0 in P R P[E 2 /x 2 ] decrypt {[N a ] 1, [N b ] 1 } [K]1 as {[N a ] 1 ; x} [K]1 in 0 decrypt {[N a ] 2, [N b ] 2 } [K]2 as {[N a ] 1 ; x} [K]1 in 0

Static Analysis Approximation Over-Approximation Algorithms Control Flow Analysis All possible solutions Under-approxmation Actual Solution Over-approximation

Static Analysis Analysis of Terms ρ = E : ϑ Determine the possible values that each term may evaluate to Analysis of Processes ρ, κ = RM P : ψ Collect the values that may flow on the network Error component analysis(t ([P ] 0 )) analysis(t ([P ] 1 )) analysis(p)

The Error Component The error component collects labels of decryption where freshness violations may happen. For example: l ψ The empty error component implies free of replay attacks at run time

The Capabilities Eavesdrop Alter Insider or outsider or both Obtain old session keys

Analysis of Needham-Schroeder 1. A S : A, B, N a 2. S A : {N a,b,k,{k, A} Kb } Ka 3. A B : {A, K} Kb 4. B A : {N b } K 5. A B : {N b 1} K (A, B; y). 6. A B : {Msg} K ha, B, {A, K} Kb i. decrypt y as {A; k} Kb in... P = P A P B P S P =[!P ] 0 analysis(t ([P] 0 )) analysis(t ([P] 1 )) analysis(p) 0 T ([ha, B, {A, K} Kb i] 0 ) T ([(A, B, y). decrypt y as {A; k} Kb in] 0 ) Session 1 T ([ha, B, {A, K} Kb i] 1 ) T ([(A, B, y). decrypt y as {A; k} Kb in] 1 )

Conclusion Simply process calculus with cryptographic primitives for modelling security protocols Automatic algorithm for providing security assurances for protocols Semantics correct and sound Implementation has been used to validate a number of protocols

Thank You!

The Control Flow Analysis Over-approximate the protocol behaviour The values of the variables The messages flowing on the network For example: ρ : X P(Val) κ P(Val ) h[a] 1, [B] 1, [N] 1 i κ [N] 1 ρ(x)

Judgement for Decryption At each decryption point, check whether freshness may be violated ρ = E : ϑ E 1 : ϑ 1 ρ = E 0 : ϑ 0 [{v 1,v 2 } v0 ] s ϑ : v 0 ϑ 0 v 1 ϑ 1 v 2 ρ(x 2 ) (I(v 1 ) 6=I(E 1 ) l ψ) ρ, κ = P : ψ ρ, κ = decrypt E as {E 1 ; x 1 } l E 0 in P : ψ evaluate terms evaluate key for all encrypted values pattern matching variable binding freshness checking analyse the rest : membership relation with session IDs ignored

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback