Check of Security Protocols


Transcripts
Slide 1

Check of Security Protocols
Sandro Etalle
etalle@cs.utwente.nl

Slide 2

Outline
Day 2: Practice
    analysis of numerous flawed protocols...
    ...using the online demo
Resources:
    The online tool, reachable at wwwes.cs.utwente.nl/24cqet
    The Clark-Jacob library
        http://citeseer.nj.nec.com/clark97survey.html
        www-users.cs.york.ac.uk/~jac/papers/drareviewps.ps

Slide 3

Security Protocols & the Attacks
Otway-Rees: secrecy + type-flaw attack
Kao-Chow: replay attack
Woo-Lam: authentication + type-flaw attack
NSL (as bonus protocol): authentication + type-flaw attack

Slide 4

Otway-Rees Protocol
1. A->B : [M,A,B,[Na,M,A,B]+Kas]
2. B->S : [M,A,B,[Na,M,A,B]+Kas], [Nb,M,A,B]+Kbs
3. S->B : [M, [Na,Kab]+Kas, [Nb,Kab]+Kbs]
4. B->A : [M,[Na,Kab]+Kas]
Aim: key distribution using a trusted server.
Kab: short-term key. Could be guessed.
Na and Nb serve as challenges.

Slide 5

Attack upon Otway-Rees
a.1 A->e(B) : [M,A,B,[Na,M,A,B]+Kas]
a.4 e(B)->A : [M,A,B,[Na,M,A,B]+Kas]
Type-flaw attack: A takes [M,A,B] to be the key.
The intruder just sends the first message back.
It is an authentication flaw.
It is also a secrecy flaw (the intruder knows the key, at this point).

Slide 6

Otway-Rees in the tool
initiator(A,B,Na,Nb,M,X,Kas,Kab,[
    recv([A,B]),                      % for the starting assumption
    send([M,A,B,[Na,M,A,B]+Kas]),
    recv([M,[Na,Kab]+Kas]),
    send(X+Kab)]).                    % another way of checking secrecy
responder(A,B,Na,Nb,M,X,Kas,Kab,[     % NOT RELEVANT
    recv([M,A,B,[Na,M,A,B]+Kas]),
    send([[M,A,B,[Na,M,A,B]+Kas], [Nb,M,A,B]+Kbs]),
    recv([[M,Na,Kab]+Kas, [Nb,Kab]+Kbs]),
    send([M,[Na,Kab]+Kas]),
    recv(X+Kab) ]).

Slide 7

Otway-Rees in the tool, cont’d
secrecy(N,[recv(N)]).
server(A,B,Na,Nb,M,X,Kas,Kab,[
    recv([[M,A,B,[Na,M,A,B]+Kas], [Nb,[M,[A,B]]]+Kbs]),
    send([[M,[Na,Kab]]+Kas, [Nb,Kab]+Kbs])]).

Slide 8

Scenario
One initiator is enough, plus the secrecy check.
We could not check secrecy the “usual” way because Kab is not instantiated anywhere (it is supplied by the server).
scenario([[sec1,St],[a,Sa1]]) :-
    initiator(a,b,na,Nb,m,x,kas,Kab,Sa1),
    secrecy(x, St).
initial_intruder_knowledge([a,b,e]).
has_to_finish([sec1]).

Slide 9

The Attack Output
Trace:
[a,recv([a,b])]
[a,send([m,[a,[b,[na,[m,[a,b]]] + kas]]])]
[a,recv([m,[na,[m,[a,b]]] + kas])]
[a,send(x + [m,[a,b]])]
[sec1,recv(x)]
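The trace above ends with A encrypting x under [m,[a,b]]. The following added example (Python, not from the slides and not COProVe input) reproduces that acceptance step with position-only parsing and shows message-type tags rejecting the reflected field. `Sealed`, the field widths, the `OR1:`/`OR4:` tags and all sample values are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

class Sealed(NamedTuple):
    """Symbolic stand-in for body+key: opaque to anyone without the key."""
    key: bytes
    body: bytes

def unseal(key: bytes, box: Sealed) -> bytes:
    if box.key != key:
        raise ValueError("wrong key")
    return box.body

# Constructed sample values. Widths are chosen so len(M+A+B) == KEY_LEN,
# the coincidence the type-flaw attack depends on.
NONCE_LEN = KEY_LEN = 8
M, A, B = b"m001", b"aa", b"bb"
KAS, NA = b"long-term-kas", b"na-00001"

def msg1(tag: bytes = b""):
    # 1. A->B : [M,A,B,[Na,M,A,B]+Kas]
    return M, A, B, Sealed(KAS, tag + NA + M + A + B)

def msg4(kab: bytes, tag: bytes = b""):
    # 4. B->A : [M,[Na,Kab]+Kas], as forwarded from the server's reply
    return M, Sealed(KAS, tag + NA + kab)

def accept_msg4(m: bytes, box: Sealed, tag: bytes = b"") -> bytes:
    """A's check of message 4; returns the session key A will use."""
    body = unseal(KAS, box)
    if not body.startswith(tag):
        raise ValueError("wrong message type")
    body = body[len(tag):]
    if m != M or len(body) != NONCE_LEN + KEY_LEN or body[:NONCE_LEN] != NA:
        raise ValueError("run id, length or nonce mismatch")
    return body[NONCE_LEN:]

def reflected_key(typed: bool) -> Optional[bytes]:
    """Feed A the sealed field of its own message 1 as if it were message 4."""
    t1, t4 = (b"OR1:", b"OR4:") if typed else (b"", b"")
    m, _a, _b, box = msg1(t1)
    try:
        return accept_msg4(m, box, t4)
    except ValueError:
        return None

if __name__ == "__main__":
    print("untyped:", reflected_key(False))   # the public fields M+A+B
    print("typed:  ", reflected_key(True))    # reflection rejected
```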

Slide 10

Kao-Chow Authentication Protocol
1. A->S : [A,B,Na]
2. S->B : [A,B,Na,Kab]+Kas,[A,B,Na,Kab]+Kbs
3. B->A : [A,B,Na,Kab]+Kas,[Na+Kab,Nb]
4. A->B : Nb+Kab
Assumption: Kab is compromised

Slide 11

Attack upon Kao-Chow
a.1 A->S : [A,B,Na]
a.2 S->B : [A,B,Na,Kab]+Kas, [A,B,Na,Kab]+Kbs
a.3 B->A : [A,B,Na,Kab]+Kas,[Na+Kab,Nb]
a.4 A->B : Nb+Kab
b.2 e(S)->B : [A,B,Na,Kab]+Kas,[A,B,Na,Kab]+Kbs
b.3 B->e(A) : [A,B,Na,Kab]+Kas, [Na+Kab,Nb’]
b.4 e(A)->B : Nb’+Kab

Slide 12

How it works
Two sessions.
First, a normal session is completed.
We assume the intruder “guesses” Kab. This is something we have to implement manually.
In a second session, the intruder can impersonate both A and the server S.

Slide 13

Kao-Chow in the tool
initiator(A,B,Na,Nb,Kas,Kab,Kbs,[
    recv([A,B]),                             % for the starting assumption
    send([A,[B,Na]]),
    recv([ [A,[B,[Na,Kab]]]+Kas,[ Na+Kab, Nb ]]),
    send(Nb+Kab) ]).
responder(A,B,Na,Nb,M,Kab,Kbs,[
    recv([ M , ([A,[B,[Na,Kab]]]+Kbs)]),     % M because he cannot decrypt it
    send([M, [ Na+Kab, Nb ]]),
    recv(Nb+Kab),
    send( Kab )                              % we show that the key kab was compromised ...
    ]).

Slide 14

Scenario
scenario([[a1,Sa1],[a2,Sb1],[a3,Sb2],[s1,Ss1]]) :-
    initiator(a,b,na,Nb,kas,Kab,Kbs,Sa1),
    responder(a,b,Na1,nb1,M,Kab1,kbs,Sb1),
    responder(a,b,Na2,nb2,M2,Kab2,kbs,Sb2),
    server(a,b,Na3,kas,kab,kbs,Ss1).
initial_intruder_knowledge([a,b,e]).
has_to_finish([a2,a3]).
Session consisting of: initiator, two responders, one server. Any larger session will do.
If both responders can finish, there is certainly an attack.

Slide 15

The Attack Output
Trace:
[a1,recv([a,b])]
[a1,send([a,[b,na]])]
[s1,recv([a,[b,na]])]
[s1,send([[a,[b,[na,kab]]] + kas,[a,[b,[na,kab]]] + kbs])]
[a2,recv([_h381,[a,[b,[na,kab]]] + kbs])]    % a variable here
[a2,send([_h381,[na + kab,nb1]])]
[a1,recv([[a,[b,[na,kab]]] + kas,[na + kab,nb1]])]
[a1,send(nb1 + kab)]
[a2,recv(nb1 + kab)]
[a2,send(kab)]
[a3,recv([_h433,[a,[b,[na,kab]]] + kbs])]
[a3,send([_h433,[na + kab,nb2]])]
[a3,recv(nb2 + kab)]
[a3,send(kab)]
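In the trace, a3 accepts the same +kbs ticket that a2 already consumed. This added example (Python, not from the slides or the tool) models B's steps 2 to 4 symbolically and compares a stateless responder with one that remembers tickets it has accepted. The replay cache is an assumed countermeasure, and `enc`, `dec`, `Responder` and the sample atoms are hypothetical names.

```python
def enc(key, *fields):
    """Symbolic fields+key; only dec() with the same key reads it."""
    return ("enc", key, fields)

def dec(key, box):
    _, k, fields = box
    if k != key:
        raise ValueError("wrong key")
    return fields

KBS = "kbs"  # constructed long-term key shared by B and S

class Responder:
    """B's side of steps 2-4. replay_cache=True adds the assumed check."""
    def __init__(self, replay_cache):
        self.seen = set() if replay_cache else None
        self.count = 0
        self.pending = None

    def on_msg2(self, ticket):
        # 2. S->B : ...,[A,B,Na,Kab]+Kbs (the +Kas half is opaque to B)
        a, _b, na, kab = dec(KBS, ticket)
        if self.seen is not None:
            if (a, na, kab) in self.seen:
                raise ValueError("ticket already used")
            self.seen.add((a, na, kab))
        self.count += 1
        nb = "nb%d" % self.count
        self.pending = (kab, nb)
        return enc(kab, na), nb      # 3. B->A : ...,[Na+Kab,Nb]

    def on_msg4(self, box):
        # 4. A->B : Nb+Kab
        kab, nb = self.pending
        return dec(kab, box) == (nb,)

def second_session_completes(replay_cache):
    b = Responder(replay_cache)
    ticket = enc(KBS, "a", "b", "na", "kab")   # seen on the wire in session a
    _, nb1 = b.on_msg2(ticket)
    if not b.on_msg4(enc("kab", nb1)):         # session a: honest A answers
        raise RuntimeError("honest session failed")
    try:
        _, nb2 = b.on_msg2(ticket)             # b.2: same ticket again
    except ValueError:
        return False
    return b.on_msg4(enc("kab", nb2))          # b.4: needs the compromised Kab
```

The cache only helps if it persists for as long as Kbs stays valid; a restart that empties it reopens the replay window.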

Slide 16

Woo-Lam Mutual Authentication Protocol
1. A->B : [A,Na]
2. B->A : [B,Nb]
3. A->B : [A,B,Na,Nb]+Kas
4. B->S : [A,B,Na,Nb]+Kas, [A,B,Na,Nb]+Kbs
5. S->B : [B,Na,Nb,Kab]+Kas,[A,Na,Nb,Kab]+Kbs
6. B->A : [B,Na,Nb,Kab]+Kas, [Na,Nb]+Kab
7. A->B : Nb+Kab

Slide 17

Attack upon Woo-Lam
a.1 e(A)->B : [A,B]
a.2 B->e(A) : [B,Nb]
a.3 e(A)->B : [A,B,B,Nb]+Kes
a.4 B->e(S) : [A,B,B,Nb]+Kes, [A,B,B,Nb]+Kbs
b.1 e(A)->B : [A,Nb]
b.2 B->e(A) : [B,Nb']
b.3 e(A)->B : [A,B,Nb,Nb']+Kes
b.4 B->e(S) : [A,B,Nb,Nb']+Kes,[A,B,Nb,Nb']+Kbs
a.5 e(S)->B : [B,B,Nb,Nb']+Kes,[A,B,Nb,Nb']+Kbs
a.6 B->e(A) : [B,B,Nb,Nb']+Kes,[B,Nb]+Nb'
a.7 e(A)->B : Nb+Nb'

Slide 18

Comments
There is one complete session and one incomplete session.
Which agents do we actually need to run to find this attack?

Slide 19

Woo-Lam in the Tool
One responder will do:
responder(A,B,Na,Nb,Kab,Kas,Kbs,[
    recv([A,B]),                      % for the starting assumption
    recv([A,Na]),
    send([B,Nb]),
    recv([A,[B,[Na,Nb]]]+Kas),
    send([([A,[B,[Na,Nb]]]+Kas), ([A,[B,[Na,Nb]]]+Kbs) ]),
    recv([([B,[Na,[Nb,Kab]]]+Kas), ([A,[Na,[Nb,Kab]]]+Kbs) ]),
    send([([B,[Na,[Nb,Kab]]]+Kas), ([Na,Nb]+Kab) ]),
    recv(Nb+Kab) ]).

Slide 20

Scenario
scenario([[b1,Sb1],[b2,Sb2]]) :-
    responder(a,b,Na1,nb1,Kab1,Kas,kbs,Sb1),
    responder(a,b,Na2,nb2,Kab2,Kas,kbs,Sb2).
initial_intruder_knowledge([a,b,e]).
has_to_finish([b1]).
The definition of the responder is sufficient, but we need two responders here.
If one of the two finishes, there is certainly an attack.
Principle: if a role can finish when no corresponding role is defined, we are certainly in the presence of an authentication problem.

Slide 21

The Attack Output (after 30s!)
Trace:
[b1,recv([a,b])]
[b1,send([b,nb1])]
[b1,recv([a,[b,[b,nb1]]] + _h97)]
[b1,send([[a,[b,[b,nb1]]] + _h97,[a,[b,[b,nb1]]] + kbs])]
[b2,recv([a,b])]
[b2,recv([a,nb1])]
[b2,send([b,nb2])]
[b2,recv([a,[b,[nb1,nb2]]] + _h97)]
[b2,send([[a,[b,[nb1,nb2]]] + _h97,[a,[b,[nb1,nb2]]] + kbs])]
[b1,recv([[b,[b,[nb1,nb2]]] + _h97,[a,[b,[nb1,nb2]]] + kbs])]
[b1,send([[b,[b,[nb1,nb2]]] + _h97,[b,nb1] + nb2])]
[b1,recv(nb1 + nb2)]

Slide 22

Exercises
Explain the attack on the Woo-Lam protocol. Say why it is a type-flaw attack.
Implement and find the flaw of the Needham-Schroeder with Conventional Keys (see Clark-Jacob Survey).
Implement and find the flaw of the Yahalom protocol (see Clark-Jacob Survey).
Write a short essay on how to find security bugs in protocols using the COProVe tool.

Slide 23

Extra: Needham-Schroeder-Lowe Protocol
1. A->B : [A,Na]*pk(B)
2. B->A : [Na,Nb,B]*pk(A)
3. A->B : Nb*pk(B)
Corrected version of the other one.
Still contains an (unlikely) flaw.

Slide 24

Attack upon NSL
a.1 A->e(B) : [A,Na]*pk(B)
a.1' e(A)->B : [A,e]*pk(B)
a.2 B->e(A) : [e,Nb,B]*pk(A)
b.1 e->A : [e, [Nb,B] ]*pk(A)
b.2 A->e : [[Nb,B], Na' ,A] *pk(e)
Message a.2 is passed off as b.1.
Notice that a.2 has three fields, while b.1 has two.
It is a type-flaw attack. Perhaps debatable.

Slide 25

NSL in the tool
initiator(A,B,Na,Nb,[
    recv([A,B]),                      % for the starting assumption
    send([A,Na]*pk(B)),
    recv([Na,[Nb,B]]*pk(A)),
    send(Nb*pk(B)) ]).
responder(A,B,Na,Nb,[
    recv([A,Na]*pk(B)),
    send([Na,[Nb,B]]*pk(A)),
    recv(Nb*pk(B)) ]).
secrecy(N,[recv(N)]).

Slide 26

Scenario
scenario([[a1,Sa],[a2,Sb],[a3,Sa2],[b1,Sb2],[sec1,St]]) :-
    initiator(a,b,na,Nb,Sa),
    responder(a,b,Na,nb,Sb),
    initiator(A1,B1,na2,Nb2,Sa2),
    responder(A2,B2,Na2,nb2,Sb2),
    secrecy(nb,St).
initial_intruder_knowledge([a,b,e]).
has_to_finish([sec1]).

Slide 27

NSL output
Trace:
[a1,recv([a,b])]
[a1,send([a,na] * pk(b))]
[a2,recv([a,e] * pk(b))]
[a2,send([e,[nb,b]] * pk(a))]
[a3,recv([_h414,e])]
[a3,send([_h414,na2] * pk(e))]
[a3,recv([na2,[_h416,e]] * pk(_h414))]
[a3,send(_h416 * pk(e))]
[b1,recv([e,[nb,b]] * pk(a))]
[b1,send([[nb,b],[nb2,a]] * pk(e))]
[a2,recv(nb * pk(b))]
[b1,recv(nb2 * pk(a))]
[sec1,recv(nb)]
