UNIVERZITA KOMENSKÉHO V BRATISLAVE FAKULTA MATEMATIKY, FYZIKY A INFORMATIKY

UNIVERZITA KOMENSKÉHO V BRATISLAVE
FAKULTA MATEMATIKY, FYZIKY A INFORMATIKY
PRÍPRAVA ŠTÚDIA MATEMATIKY A INFORMATIKY NA FMFI UK V
ANGLICKOM JAZYKU
ITMS: 26140230008
DOPYTOVO – ORIENTOVANÝ PROJEKT
Moderné vzdelávanie pre vedomostnú spoločnosť/Projekt je
spolufinancovaný zo zdrojov EÚ
Cryptographic protocols – introduction
Martin Stanek
Department of Computer Science
Comenius University
stanek@dcs.fmph.uniba.sk
Cryptology 1 (2014/15)
Content
Introduction
Some protocols and basic notions
Diffie-Hellman protocol
Interlock protocol
Dolev-Yao model
Freshness – nonces and timestamps
Some protocol failures
Needham-Schroeder protocol
Modified WMF protocol
Cryptographic protocols – introduction
3 / 15
,
Introduction
I
cryptographic protocols
I
authentication and key agreement (session-key)
session-key
I
I
I
I
less data for cryptanalyis
logical separation of data from different sessions
using symmetric constructions for confidentiality and authenticity
I
IPSec (IKE), TLS (handshake), SSH
I
prerequisite for secure communication
I
various proposals (requirements, capabilities, environment)
other protocols (not today)
I
I
voting, money, private information retrieval, multiparty computation, etc.
Cryptographic protocols – introduction
4 / 15
,
Diffie-Hellman protocol
I
I
two principals A, B
shared group G of prime order q with generator g
I
I
I
known to everyone (e.g. an attacker)
goal: key agreement
DH protocol:
1. A → B: g a , for random a ∈ Zq
2. B → A: g b , for random b ∈ Zq
I
I
I
A computes K = (g b ) a = g ab , and B computes K = (g a ) b = g ab
the shared secret can be used to derive a symmetric key
passive adversary: CDH problem g a , g b → g ab
Cryptographic protocols – introduction
5 / 15
,
MITM attack
I
active adversary in DH protocol
I
I
1.
2.
3.
4.
I
I
I
I
can intercept and change messages
man-in-the-middle attack (M is the attacker):
A → M(B): g a
M(A) → B: g x
B → M(A): g b
M(B) → A: g y
A computes KA = g ay , B computes KB = g xb
M can compute KA = (g a ) y = g ay as well as KB = (g b ) x = g bx
M can “translate” messages between A and B (or create his/her own)
Can M enforce KA = KB in the MITM attack?
I
If not, M should be there till the end or “simulate” a connection error.
Cryptographic protocols – introduction
6 / 15
,
Fixing DH protocol
I
authenticate messages in the protocol
I
additional assumptions – PKI (distribution of authentic public keys)
Station-to-Station protocol:
I
1. A → B: g a
2. B → A: g b , CertB , EK (SigB (g b , g a ))
3. A → B: CertA , EK (SigA (g a , g b ))
I
I
I
I
I
key agreement and authentication of participants
the shared secret K = g ab
SigU denotes signature produced by user U
certificates contain public keys for verifying signatures
E is symmetric encryption and “proves” the possession of K
Cryptographic protocols – introduction
7 / 15
,
Interlock protocol
I
I
idea: let’s force the MITM attacker to be “active” in the communication
scenarios (possible MITM attack):
I
I
I
I
A/B wants to send a message mA /mB to B/A
both encrypt their message and exchange halves of the ciphertexts
(cA /cB ), and then the other halves:
1.
2.
3.
4.
I
after unauthenticated DH protocol
after unauthenticated distribution of key using asymmetric encryption
A → B: cA1
B → A: cB1
A → B: cA2
B → A: cB2
(first half of cA )
(first half of cB )
(second half of cA )
(second half of cB )
a half of the ciphertext should be useless for the recipient
I
e.g. even/odd bits, encryption combined with MAC, . . .
Cryptographic protocols – introduction
8 / 15
,
Interlock protocol (2)
I
assume MITM attacker M and keys KA and KB used for A ↔ M and
M ↔ B communications, respectively
I
M can send the original message to A or B but not both
example (sending mB to A)
I
1.
2.
3.
4.
5.
6.
7.
8.
I
A → M(B): cA1
0
M(A) → B: cA1
B → M(A): cB1
0
M(A) → B: cA2
B → M(A): cB2
0
M(B) → A: cB1
A → M(B): cA2
0
M(B) → A: cB2
(first half of cA )
(first half of cA0 , for some made-up mA0 )
(first half of cB )
(second half of cA0 )
(second half of cB , M can decrypt mB )
(first half of cB0 , M encrypts mB with KA )
(second half of cA , M can decrypt mA )
(second half of cB0 , A decrypts mB )
Can we detect made-up messages?
I
phones – reading aloud the messages from interlock protocol or
session-key checksum (voice synthesis ?)
Cryptographic protocols – introduction
9 / 15
,
Dolev-Yao model
I
the adversary in the network
I
eavesdrop, forge, replay, delete, replay (whatever (s)he wants)
I
very strong (but appropriate) model
I
protocol secure in DY model will be secure also in a weaker model
sometimes weaker model is assumed in practice:
I
I
I
verification SMS sent to a mobile phone
we will assume DY model in this and subsequent lectures
Cryptographic protocols – introduction
10 / 15
,
What is wrong with this protocol?
I
I
A generates a session-key K and sends it encrypted and signed to B
one way authentication and key distribution
1. A → B: EB (A, B, K ), SigA (EB (A, B, K ))
I
I
I
the problem: replay attack
I
I
I
assumptions: A knows the public key of B (for asymmetric encryption), B
knows the public key of A (for signature verification)
B verifies the signature and decrypts K
after compromising K (e.g. it leaks) the attacker can replay the message
B is tricked into using K as a good key for communication with A
Exercise: What other problems can you find in the protocol when we
omit the IDs of participants?
Cryptographic protocols – introduction
11 / 15
,
What is wrong with this protocol?
I
I
A generates a session-key K and sends it encrypted and signed to B
one way authentication and key distribution
1. A → B: EB (A, B, K ), SigA (EB (A, B, K ))
I
I
I
the problem: replay attack
I
I
I
assumptions: A knows the public key of B (for asymmetric encryption), B
knows the public key of A (for signature verification)
B verifies the signature and decrypts K
after compromising K (e.g. it leaks) the attacker can replay the message
B is tricked into using K as a good key for communication with A
Exercise: What other problems can you find in the protocol when we
omit the IDs of participants?
Cryptographic protocols – introduction
11 / 15
,
What is wrong with this protocol?
I
I
A generates a session-key K and sends it encrypted and signed to B
one way authentication and key distribution
1. A → B: EB (A, B, K ), SigA (EB (A, B, K ))
I
I
I
the problem: replay attack
I
I
I
assumptions: A knows the public key of B (for asymmetric encryption), B
knows the public key of A (for signature verification)
B verifies the signature and decrypts K
after compromising K (e.g. it leaks) the attacker can replay the message
B is tricked into using K as a good key for communication with A
Exercise: What other problems can you find in the protocol when we
omit the IDs of participants?
Cryptographic protocols – introduction
11 / 15
,
Freshness of messages
I
I
prevention of replay attacks: nonces and timestamps
nonce
I
I
I
I
I
I
usually sufficiently long random string/number (i.e. unpredictable);
(sometimes “unique” is sufficient)
used just for a particular instance of the protocol
unlikely to be present in some previous instances of the protocol
usually the confidentiality not needed
examples: SSL/TLS, IKEv2
timestamp
I
I
I
I
sufficiently precise time information included into a message
somewhat synchronized clocks required
clock manipulation should be prevented
example: Kerberos
Cryptographic protocols – introduction
12 / 15
,
Needham-Schroeder protocol
I
uses trusted third party – server S
I
S shares symmetric keys with participants (KU with participant U)
I
participants A and B
I
goals: authentication and distribution of the session-key KAB
I
assumptions: NA /NB nonces generated by A/B,
the protocol:
I
1.
2.
3.
4.
5.
A → S: A, B, NA
S → A: {NA , KAB , B, {KAB , A}KB }KA
A → B: {KAB , A}KB
B → A: {NB }KAB
A → B: {NB − 1}KAB
I
positives: S involved only once, stateless, . . .
I
insecure!
Cryptographic protocols – introduction
13 / 15
,
Needham-Schroeder protocol
I
uses trusted third party – server S
I
S shares symmetric keys with participants (KU with participant U)
I
participants A and B
I
goals: authentication and distribution of the session-key KAB
I
assumptions: NA /NB nonces generated by A/B,
the protocol:
I
1.
2.
3.
4.
5.
A → S: A, B, NA
S → A: {NA , KAB , B, {KAB , A}KB }KA
A → B: {KAB , A}KB
B → A: {NB }KAB
A → B: {NB − 1}KAB
I
positives: S involved only once, stateless, . . .
I
insecure!
Cryptographic protocols – introduction
13 / 15
,
Attacking Needham-Schroeder protocol
I
attack found by Denning and Sacco
I
weakness: B cannot verify the freshness of KAB
I
the attacker can force B to accept a compromised KAB (by cryptanalysis
or by leak)
the attack (M knows KAB and thus (s)he can finish the protocol):
I
3. M(A) → B: {KAB , A}KB
4. B → M(A): {NB0 }KAB
5. M(A) → B: {NB0 − 1}KAB
I
(replay of old message)
How to fix the protocol?
I
e.g. A requests NB from B at the beginning
Cryptographic protocols – introduction
14 / 15
,
Modified Wide Mouth Frog protocol
I
participants A and B, trusted third party (server S)
I
timestamps (TU generated by U)
I
S shares symmetric keys with participants
I
goals: one-way authentication and distribution of the session-key K
the protocol
I
1. A → S: A, {TA , B, K }KA
2. S → B: {TS , A, B, K }KB
I
Original WMF:
1. A → S: A, {TA , B, K }KA
2. S → B: {TS , A, K }KB
I
Can you find a weakness?
Cryptographic protocols – introduction
15 / 15
,
Modified Wide Mouth Frog protocol
I
participants A and B, trusted third party (server S)
I
timestamps (TU generated by U)
I
S shares symmetric keys with participants
I
goals: one-way authentication and distribution of the session-key K
the protocol
I
1. A → S: A, {TA , B, K }KA
2. S → B: {TS , A, B, K }KB
I
Original WMF:
1. A → S: A, {TA , B, K }KA
2. S → B: {TS , A, K }KB
I
Can you find a weakness?
Cryptographic protocols – introduction
15 / 15
,