Introduction To Information Security 18-631 Lecture 14 PDF

Summary

This document presents a lecture on security protocols, focusing on cryptographic principles, basic primitives, key exchange, and timeliness in secure communication. It outlines various aspects of secure communication protocol design, emphasizing important considerations and potential vulnerabilities.

Full Transcript


18-631: INTRODUCTION TO INFORMATION SECURITY
Unit 04: Network Security
LECTURE 14: SECURITY PROTOCOLS

AGENDA

Outline engineering principles for cryptographic protocols
  o Naming
  o Encryption
  o Timeliness
Objectives
  o Expose you to the difficulties of secure communication protocol design
See the following reading for more details:
  o M. Abadi et al, Prudent Engineering Practice for Cryptographic Protocols, Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, November 1995

SECURITY PROTOCOLS

Cryptography is a powerful tool, but it is easy to make design errors that render it useless
Combine a number of basic primitives
  o Cryptography
  o Network communication
Individual primitives generally work as expected, but interaction between primitives can create problems

BUILDING BLOCKS

Basic cryptographic primitives
  o Block/stream cipher
  o Symmetric/asymmetric keys
  o Diffie-Hellman
  o Hash functions, MAC
We use the basic cryptographic primitives to design higher-level security properties
Entity authentication
  o Proving identity to each other
Key exchange
  o Establish a trusted session between two entities (principals)
  o Used to set up trusted communication channel providing secrecy and authenticity
Trusted entities
Timeliness proofs
  o Nonces and timestamps
  o NONCE = Number used only ONCE (e.g., counter, random number)
  o Timestamps can be nonces, but nonces don’t have to be timestamps

ASSUMPTIONS

Always assume an attacker is on the network where you want to deploy your secure communication protocol
What can the attacker do?
  o Can eavesdrop on all protocol runs
  o Can replay messages
  o Can inject fabricated messages onto the network
  o Can modify a principal’s message
  o Can initiate multiple parallel protocol sessions
  o Can perform dictionary attack on passwords
  o Can perform exhaustive attack on non-random nonce

NOTATION

Principals: A (Alice), B (Bob), etc.
  o M (Mallory) sometimes used to denote a malicious user
Authentication server: S
  o Used to authenticate A, B or both
Timestamp: T
  o Ta timestamp selected by A
  o Tb timestamp selected by B
Nonce: N
  o Na nonce selected by A
Keys: K and its inverse K-1
  o For symmetric keys, K = K-1
  o Kab symmetric key known to both A and B
  o {X}Kab message X encrypted with shared key Kab
  o If Ka is A’s public key (encryption/verification), then Ka-1 is A’s private key (decryption/signature)
  o CB is a certificate containing B’s public key, Kb
What follows are eleven (11) principles proposed by Martin Abadi and Roger Needham
See: Prudent Engineering Practice for Cryptographic Protocols

PRINCIPLES

Principle 1
  o Every message should say what it means: the interpretation of the message should depend only on its content. It should be possible to write down a straightforward English (or other language) sentence describing the content.
S might send a message whose meaning may be expressed as:
  o After receiving P, S sends to A a session key Kab intended to secure conversation with B
  o All elements of this meaning should be explicitly represented in the message
  o S → A: Kab

Principle 2
  o The conditions for a message to be acted upon should be clearly set out so that someone reviewing a design may see whether they are acceptable or not.
For example:
  o Should Kab only remain secret to A and B for the duration of communication, or much longer?
  o Should Kab be negotiated afresh with each new session? E.g. Forward Secrecy
  o How long is Kab valid for?
Principle 3
  o If the identity of a principal is essential to the meaning of a message, it is prudent to mention the principal's name explicitly in the message.
Denning-Sacco protocol (1982) proposed key exchange based on asymmetric cryptography
  o Message 1 A → S : A, B
  o Message 2 S → A : CA, CB
  o Message 3 A → B : CA, CB, {{Kab, Ta}Ka-1}Kb
Problem: B can impersonate A after receiving Message 3

Initial protocol run
  o Message 1 A → S : A, B
  o Message 2 S → A : CA, CB
  o Message 3 A → B : CA, CB, {{Kab, Ta}Ka-1}Kb
B now has CA and {Kab, Ta}Ka-1; B now makes a second run
  o Message 1’ B → S : B, C
  o Message 2’ S → B : CB, CC
  o Message 3’ B → C : CA, CC, {{Kab, Ta}Ka-1}Kc
C now thinks they are talking to A for as long as Ta is valid
  o Flaw seems obvious now, but took 12 years to notice!

The intended meaning of the original Message 3 was that at time Ta, the key Kab was good for communication between A and B
Solution: include the principals’ names in the signed message
  o Message 3 A → B : CA, CB, {{A, B, Kab, Ta}Ka-1}Kb
Now B cannot impersonate A by sending {A, B, Kab, Ta}Ka-1 to C, since it explicitly mentions the principals Kab is intended for

Improved design: Initial protocol run
  o Message 1 A → S : A, B
  o Message 2 S → A : CA, CB
  o Message 3 A → B : CA, CB, {{A, B, Kab, Ta}Ka-1}Kb
Improved design: B now has CA and {A, B, Kab, Ta}Ka-1; B now makes a second run
  o Message 1’ B → S : B, C
  o Message 2’ S → B : CB, CC
  o Message 3’ B → C : CA, CC, {{A, B, Kab, Ta}Ka-1}Kc
C rejects Message 3’ as they are not identified as one of the principals
  o What C expects: CA, CC, {{A, C, Kac, Ta}Ka-1}Kc

SUMMARY

Message 1: A → S : A, B
In this equation, A represents the sender, S is the receiver, and B is the intended recipient. The message being transmitted from A to S includes the identities of both A and B. This initial message likely serves to initiate the key exchange process between entities A and S, establishing the foundation for secure communication between the two parties.

Message 2: S → A : CA, CB
In this equation, S represents the sender, and A is the receiver. CA and CB denote the certificates associated with entities A and B, respectively. The transmission of these certificates from the server S to entity A is crucial for verifying the identities of both A and B and ensuring the authenticity and integrity of the communication.

Message 3: A → B : CA, CB, {{Kab, Ta}Ka-1}Kb
In this equation, A is the sender, and B is the intended recipient. CA and CB once again represent the certificates associated with entities A and B, respectively. {{Kab, Ta}Ka-1}Kb denotes the encrypted message containing the session key Kab, a timestamp Ta, and their encryption under A's private key Ka-1, encrypted once more under B's public key Kb. However, the vulnerability arises from the fact that entity B can potentially impersonate entity A after receiving this message, leading to security threats and unauthorized access to sensitive information.

Original com
  1. Message 1 A → S : A, B: Entity A sends a message to the authentication server S, including the identities of A and B.
  2. Message 2 S → A : CA, CB: The authentication server S responds to A, providing the certificates CA and CB.
  3. Message 3 A → B : CA, CB, {{Kab, Ta}Ka-1}Kb: A sends a message to B, including the certificates CA and CB, along with the encrypted session key Kab, a timestamp Ta, encrypted under A's private key Ka-1 and then encrypted again under B's public key Kb.

Subseq com
  1. Message 1’ B → S : B, C: Entity B sends a message to the authentication server S, including the identities of B and C.
  2. Message 2’ S → B : CB, CC: The authentication server S responds to B, providing the certificates CB and CC.
  3. Message 3’ B → C : CA, CC, {{Kab, Ta}Ka-1}Kc: B sends a message to C, including the certificates CA and CC, along with the encrypted session key Kab, a timestamp Ta, encrypted under A's private key Ka-1, and then encrypted again under C's public key Kc.

Solutions

The solution proposed aims to address the vulnerability in the protocol by explicitly including the names of the involved principals within the signed message. By incorporating the names of the entities in the message, the communication process gains additional clarity and security, ensuring that the intended recipients of the key Kab are explicitly mentioned within the cryptographic exchange. This approach effectively mitigates the risk of unauthorized entity impersonation and strengthens the integrity and authenticity of the communication process.
The revised Message 3 now includes the names of the principals A and B within the signed message, explicitly stating that the key Kab is intended for secure communication between entities A and B at the specified time Ta. By clearly delineating the intended recipients of the key Kab, the protocol prevents entities from impersonating each other and ensures that the cryptographic exchange remains secure and reliable. This enhancement significantly reduces the potential for unauthorized access and manipulation of sensitive information, reinforcing the integrity and confidentiality of the communication channel between entities A and B.
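
The Denning-Sacco run and the Principle 3 fix described above, as an added example that is not part of the original lecture: a symbolic model in Python in which signing and encryption are treated as perfect, so the outcome depends only on what Message 3 says. The class and function names, the timestamps and the 60-second validity window are assumptions made for the illustration.

```python
# Symbolic model: cryptography is assumed perfect, so any failure below is a
# protocol-logic flaw. Names, timestamps and the 60 s window are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Signed:            # {body}Ka-1: readable by anyone, created only by signer
    signer: str
    body: tuple

@dataclass(frozen=True)
class Sealed:            # {body}Kb: only `recipient` can open it
    recipient: str
    body: Signed

def open_sealed(me, msg):
    if msg.recipient != me:
        raise PermissionError(f"{me} lacks the private key for this message")
    return msg.body

def alice_msg3(peer, key, ta, named):
    """Message 3 from A; `named` selects the fixed form {A, peer, K, Ta}."""
    body = ("A", peer, key, ta) if named else (key, ta)
    return Sealed(peer, Signed("A", body))

def accept(me, claimed_sender, msg, now, named, window=60):
    """Receiver's check of Message 3: returns the session key, or None."""
    signed = open_sealed(me, msg)
    if signed.signer != claimed_sender:
        return None                       # signature is not the claimed sender's
    if len(signed.body) != (4 if named else 2):
        return None                       # wrong message format
    *names, key, ta = signed.body
    if named and tuple(names) != (claimed_sender, me):
        return None                       # key was not issued for this pair
    if abs(now - ta) > window:
        return None                       # timestamp Ta no longer valid
    return key

def bob_forwards(victim, msg3):
    """Message 3': B re-seals A's unmodified signed part under victim's key."""
    return Sealed(victim, open_sealed("B", msg3))

def run(named):
    """Returns (key B accepts from A, key C accepts believing it is from A)."""
    m3 = alice_msg3("B", "Kab", 1000, named)
    return (accept("B", "A", m3, 1010, named),
            accept("C", "A", bob_forwards("C", m3), 1020, named))

if __name__ == "__main__":
    print("original:", run(False))   # C accepts Kab as a key shared with A
    print("fixed:   ", run(True))    # C rejects: names are (A, B), not (A, C)
```

In the original form the signature and timestamp both verify at C, which is why the replay succeeds; only the explicit names give C something to reject.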
