Alexander Marsalek
University of Technology Graz, Institute for Applied Information Processing and
Communications, Graz, Austria
amarsalek@student.tugraz.at
Selected Topics in Design & Verification - Exercise Two
Abstract. Security protocols should offer properties such as integrity, authentication and secrecy, but it is very hard to prove the correctness of such protocols. There are two ways to show that a protocol is secure: verify it with formal methods, or argue that it resists all known attack types. Many protocols in the literature were claimed to be secure but contained errors. We want to find out how useful formal methods are in practice.
Keywords: Security protocol, Automated checks, Model checker, Protocol attacks, Needham-Schroeder Protocol, BAN simplified version of
Yahalom, Diffie-Hellman key exchange, Multi-Protocol Attacks
Introduction
Security protocols are very important in everyday life. We use them for various purposes such as key agreement, key exchange and authentication. The problem is that it is very hard to prove the correctness of such protocols. Basically there are two ways to show that a protocol is secure. The first is to argue why the protocol is secure against all known attacks and attack types; the second is to prove the properties of the protocol with formal methods. But can we trust such proofs? Many attacks have been found on protocols in the literature that were claimed to be secure, some by hand and some by tools. In section 3 we present some selected security protocols from the literature. We show some famous attacks on them and corrected versions of the protocols. We also show attacks on protocols that were claimed to be secure by formal methods. In section 4 we present a three-protocol attack that was found by a tool [3]. With this attack we want to show one of the advantages of automated tools: it would be very hard to find such an attack by hand.
Related Work
There are many papers that present the benefits of formal methods, such as Realising the Benefits of Formal Methods [7] [6] by Anthony Hall, Getting the best from formal methods [16] by John B. Wordsworth, or Applications and benefits of formal methods in software development [14] by C. Meadows. But we did not find papers that review previously unknown attacks that were found with formal methods.
Needham-Schroeder Protocol
Shared-key version:
A, B, S : principal
Na, Nb : nonce
Kas, Kbs, Kab : key
1. A → S : A, B, Na
2. S → A : {Na, B, Kab, {Kab, A}Kbs}Kas
3. A → B : {Kab, A}Kbs
4. B → A : {Nb}Kab
5. A → B : {Nb − 1}Kab
Attack:
If an attacker knows an old session key Kab she can replay the third message:
3. I(A) → B : {Kab, A}Kbs
B now believes A wants to communicate with him and responds with message four:
4. B → I(A) : {Nb}Kab
The attacker intercepts this message, decrypts it with the old key and answers with message five:
5. I(A) → B : {Nb − 1}Kab
B believes he has a secure connection to A but is in fact communicating with the attacker. Nothing in message 3 tells B whether Kab is fresh. This attack was found by Dorothy E. Denning and Giovanni Maria Sacco; their paper, Timestamps in key distribution protocols [4], was published in 1981. Denning and Sacco proposed to prevent the attack with timestamps:
A, B, S : principal
T : timestamp
Kas, Kbs, Kab : key
1. A → S : A, B
2. S → A : {B, Kab, T, {Kab, A, T}Kbs}Kas
3. A → B : {Kab, A, T}Kbs
The protocol is called Denning-Sacco shared key, but it is not secure. The attack was found by Lowe and is explained in A Family of Attacks upon Authentication Protocols [11]:
Session 1:
1. A → S : A, B
2. S → A : {B, Kab, T, {Kab, A, T}Kbs}Kas
3. A → B : {Kab, A, T}Kbs
Session 2:
3. I(A) → B : {Kab, A, T}Kbs (replay of message 3 from session 1)
The intruder replays message 3 while the timestamp T is still acceptable to B. B believes that A is trying to set up a second session and accepts Kab a second time, although A only ran the protocol once. Lowe presented a fixed version, the Lowe modified Denning-Sacco shared key, which adds a nonce handshake:
A, B, S : principal
Nb : nonce
Kas, Kbs, Kab : key
T : timestamp
1. A → S : A, B
2. S → A : {B, Kab, T, {Kab, A, T}Kbs}Kas
3. A → B : {Kab, A, T}Kbs
4. B → A : {Nb}Kab
5. A → B : {Nb + 1}Kab
Public-key version:
A, B, S : principal
Na, Nb : nonce
KPa, KSa : public/secret key pair of A
KPb, KSb : public/secret key pair of B
KPs, KSs : public/secret key pair of S
1. A → S : A, B
2. S → A : {KPb, B}KSs
3. A → B : {Na, A}KPb
4. B → S : B, A
5. S → B : {KPa, A}KSs
6. B → A : {Na, Nb}KPa
7. A → B : {Nb}KPb
Messages 2 and 5 are certificates signed with the server's secret key KSs; messages 3, 6 and 7 are encrypted with the recipient's public key.
Reduced version:
If we assume that both agents already know each other's public key, it is possible to use the reduced version of the protocol:
1. A → B : A, B, {Na, A}KPb
2. B → A : B, A, {Na, Nb}KPa
3. A → B : A, B, {Nb}KPb
Attack on the full version:
This attack was found by Lowe and is described in the paper An attack on the Needham-Schroeder public-key authentication protocol [8]. The intruder I runs session 1 as an honest responder towards A and, at the same time, impersonates A in session 2 towards B. Messages 2.6 and 1.6 carry the same ciphertext: I cannot decrypt {Na, Nb}KPa, so she forwards it to A, who decrypts it for her and returns Nb in message 1.7.
Session 1:
1. A → S : A, I
2. S → A : {KPi, I}KSs
3. A → I : {Na, A}KPi
4. I → S : I, A
5. S → I : {KPa, A}KSs
6. I → A : {Na, Nb}KPa
7. A → I : {Nb}KPi
Session 2:
1. I → S : I, B
2. S → I : {KPb, B}KSs
3. I(A) → B : {Na, A}KPb
4. B → S : B, A
5. S → B : {KPa, A}KSs
6. B → I(A) : {Na, Nb}KPa
7. I(A) → B : {Nb}KPb
At the end B believes it has run the protocol with A and that Nb is known only to A, although I knows Nb.
Corrected version:
Lowe presented a fix; he suggests changing the sixth message to:
6. B → A : {B, Na, Nb}KPa
Attack on the reduced version:
This attack was found by Lowe [9] [10] using the Failures Divergences Refinement checker (FDR), a model checker for CSP:
Session 1:
1. A → I : A, I, {Na, A}KPi
2. I → A : I, A, {Na, Nb}KPa
3. A → I : A, I, {Nb}KPi
Session 2:
1. I(A) → B : A, B, {Na, A}KPb
2. B → I(A) : B, A, {Na, Nb}KPa
3. I(A) → B : A, B, {Nb}KPb
Message 2 of session 2 is forwarded unchanged as message 2 of session 1; A decrypts it and hands Nb to I in message 3 of session 1, which I re-encrypts for B.
Corrected version:
Lowe presented a corrected version by simply adding the responder's identity to the encrypted part of message two. A now rejects the forwarded ciphertext, because it names B where A expects I:
1. A → B : A, B, {Na, A}KPb
2. B → A : B, A, {Na, Nb, B}KPa
3. A → B : A, B, {Nb}KPb
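The two interleaved sessions above, replayed in a small symbolic model (added here as an illustration; it is not code from the paper or from Lowe's FDR model). Public-key encryption is modelled Dolev-Yao style: a ciphertext records whose public key was used and only that principal can open it, which is the abstraction a model checker works with. The principal names, the nonce strings "Na" and "Nb" and the function names are assumptions of this example. The same run is executed twice, once against the original reduced protocol and once against Lowe's corrected message 2.

```python
"""Symbolic replay of Lowe's attack on the reduced Needham-Schroeder
public-key protocol and of Lowe's fix (added example, not the paper's code).
Encryption is symbolic: Enc(for_whom, payload) can only be opened by for_whom.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    """{payload}KPx: a ciphertext under the public key of principal for_whom."""
    for_whom: str
    payload: tuple


def encrypt(for_whom, *payload):
    return Enc(for_whom, tuple(payload))


def decrypt(me, ct):
    """Only the owner of the matching secret key can open the ciphertext."""
    if not isinstance(ct, Enc) or ct.for_whom != me:
        raise ValueError(f"{me} cannot open a ciphertext for {ct.for_whom}")
    return ct.payload


def responder_msg2(me, msg1, nb, fixed):
    """B's reply to message 1. With fixed=True B adds its own name (Lowe's fix)."""
    claimed_sender, receiver, ct = msg1
    na, a = decrypt(me, ct)
    if a != claimed_sender or receiver != me:
        raise ValueError("message 1 does not match its header")
    inner = (na, nb, me) if fixed else (na, nb)
    return (me, a, encrypt(a, *inner))


def initiator_msg3(me, peer, na, msg2, fixed):
    """A's reply to message 2; A believes it is talking to peer."""
    sender, receiver, ct = msg2
    payload = decrypt(me, ct)
    if fixed:
        na_back, nb, responder = payload
        if responder != peer:  # the fix: the name inside must be the peer
            raise ValueError(f"{me} expected {peer}, ciphertext names {responder}")
    else:
        na_back, nb = payload
    if na_back != na:
        raise ValueError("nonce Na does not match")
    return (me, peer, encrypt(peer, nb))


def honest_run(fixed):
    """A and B complete one session; True if B gets its own Nb back."""
    na, nb = "Na", "Nb"  # constructed nonce values
    m1 = ("A", "B", encrypt("B", na, "A"))
    m2 = responder_msg2("B", m1, nb, fixed)
    m3 = initiator_msg3("A", "B", na, m2, fixed)
    return decrypt("B", m3[2]) == (nb,)


def lowe_attack(fixed):
    """I runs session 1 with A and, as I(A), session 2 with B.
    True if B believes it shares Nb with A while I has learned Nb."""
    na, nb = "Na", "Nb"
    # Session 1, message 1: A starts a session with I, who opens the message.
    s1_m1 = ("A", "I", encrypt("I", na, "A"))
    na_seen, a = decrypt("I", s1_m1[2])
    # Session 2, message 1: I re-encrypts A's nonce for B, pretending to be A.
    s2_m1 = (a, "B", encrypt("B", na_seen, a))
    s2_m2 = responder_msg2("B", s2_m1, nb, fixed)
    # I cannot open {Na, Nb}KPa, so it is forwarded as session 1, message 2.
    s1_m2 = ("I", "A", s2_m2[2])
    try:
        s1_m3 = initiator_msg3("A", "I", na, s1_m2, fixed)
    except ValueError:
        return False  # with the fix A sees B's name where it expects I
    # A has decrypted Nb for I; I re-encrypts it for B to finish session 2.
    (nb_learned,) = decrypt("I", s1_m3[2])
    s2_m3 = (a, "B", encrypt("B", nb_learned))
    return decrypt("B", s2_m3[2]) == (nb,)


if __name__ == "__main__":
    print("honest run, original:", honest_run(False))
    print("honest run, fixed:", honest_run(True))
    print("Lowe attack, original:", lowe_attack(False))
    print("Lowe attack, fixed:", lowe_attack(True))
```

The model deliberately gives the intruder nothing beyond what the protocol hands her: she opens only ciphertexts addressed to I and learns Nb solely because A decrypts it for her. Adding the responder's name to message 2 is enough because A's check on that name is the only place where the forwarded ciphertext differs from a genuine one.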
BAN simplified version of Yahalom
Burrows, Abadi and Needham modified the original version of Yahalom to strengthen the protocol and simplify the analysis at the same time [2].
Protocol specification:
A, B, S : principal
Na, Nb : fresh number (nonce)
Kas, Kbs, Kab : key
A knows : A, B, S, Kas
B knows : B, S, Kbs
S knows : S, A, B, Kas, Kbs
1. A → B : A, Na
2. B → S : B, Nb, {A, Na}Kbs
3. S → A : Nb, {B, Kab, Na}Kas, {A, Kab, Nb}Kbs
4. A → B : {A, Kab, Nb}Kbs, {Nb}Kab
Paul Syverson, the author of A taxonomy of replay attacks [15], found two attacks.
Attack 1:
The intruder starts a second run in which the pair (Na, Nb) takes the place of the initiator's nonce. B's reply {A, Na, Nb}Kbs then has exactly the form of the ticket {A, Kab, Nb}Kbs from message 3, so B accepts Na as the session key:
i.1. A → B : A, Na
i.2. B → S : B, Nb, {A, Na}Kbs
ii.1. I(A) → B : A, (Na, Nb)
ii.2. B → I(S) : B, Nb', {A, Na, Nb}Kbs
i.3. S → A : omitted
i.4. I(A) → B : {A, Na, Nb}Kbs, {Nb}Na
The key slot of the replayed ticket holds Na, which the intruder learned from message i.1, so she can form {Nb}Na and B ends up "sharing" the key Na with her.
Attack 2:
Here the intruder makes A act as responder in run ii and feeds A's reply to S as if it were message 2 of a run started by B. S then issues a key Kab for the pair, and the intruder replays the tickets to A as message 3 of run i:
i.1. A → I(B) : A, Na
ii.1. I(B) → A : B, Na
ii.2. A → I(S) : A, Na', {B, Na}Kas
iii.1. omitted
iii.2. I(A) → S : A, Na, {B, Na}Kas
iii.3. S → I(B) : Na, {A, Kab, Na}Kbs, {B, Kab, Na}Kas
i.2. omitted
i.3. I(S) → A : Ni, {B, Kab, Na}Kas, {A, Kab, Na}Kbs
i.4. A → I(B) : {A, Kab, Na}Kbs, {Ni}Kab
A completes run i believing Kab is shared with B, although B never took part in any of the runs.
Corrected version:
To prevent these attacks Paulson adds the name B to the ticket in the third and fourth messages:
1. A → B : A, Na
2. B → S : B, Nb, {A, Na}Kbs
3. S → A : Nb, {B, Kab, Na}Kas, {A, B, Kab, Nb}Kbs
4. A → B : {A, B, Kab, Nb}Kbs, {Nb}Kab
Diffie-Hellman key exchange
This algorithm allows two parties to agree on a key over an insecure communication channel. It was invented by Whitfield Diffie and Martin E. Hellman and is described in New Directions in Cryptography [5]. The protocol was checked by a protocol verifier and claimed to be secure [1].
A, B : principal
p, g, Xa, Xb : number
a, b : secret numbers
s : secret key
1. A → B : p, g
2. A chooses a and calculates Xa = g^a mod p
3. A → B : Xa
4. B chooses b and calculates Xb = g^b mod p
5. B → A : Xb
6. A calculates s = Xb^a mod p
7. B calculates s = Xa^b mod p
Attack:
This protocol is not secure against a man-in-the-middle attack (Fig. 1): an intruder between A and B replaces Xa and Xb with values of her own choosing and ends up sharing one key with A and a different key with B, while A and B believe they share a key with each other. The protocol does not provide authentication of Xa and Xb, which is exactly what the attack exploits. To secure this protocol against man-in-the-middle attacks the exchanged values must be authenticated, for example with message authentication codes or signatures.
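The exchange, the man-in-the-middle against it, and one form of the authentication the text asks for, as an added example (not code from the paper). The group parameters p = 23, g = 5 and all exponents are constructed toy values chosen so the arithmetic can be followed by hand; the pre-shared MAC key used in the last part is an assumed setup that the original protocol does not have.

```python
"""Unauthenticated Diffie-Hellman, the man-in-the-middle against it, and a
keyed MAC on the exchanged values (added example; toy parameters)."""
import hashlib
import hmac

P, G = 23, 5  # constructed toy group; real deployments use a large safe prime


def dh_public(secret, p=P, g=G):
    """X = g^secret mod p (messages 2 and 4 of the protocol)."""
    return pow(g, secret, p)


def dh_shared(secret, peer_public, p=P):
    """s = X_peer^secret mod p (messages 6 and 7 of the protocol)."""
    return pow(peer_public, secret, p)


def honest_exchange(a, b):
    """Without an intruder both sides derive the same s = g^(ab) mod p."""
    return dh_shared(a, dh_public(b)), dh_shared(b, dh_public(a))


def mitm_exchange(a, b, ma, mb):
    """Mallory intercepts Xa and Xb and sends g^ma to A and g^mb to B.
    Returns (key A computes, Mallory's copy of it,
             key B computes, Mallory's copy of it)."""
    xa, xb = dh_public(a), dh_public(b)
    x_to_a, x_to_b = dh_public(ma), dh_public(mb)
    s_a = dh_shared(a, x_to_a)    # A believes x_to_a came from B
    s_ma = dh_shared(ma, xa)      # Mallory shares s_a with A
    s_b = dh_shared(b, x_to_b)    # B believes x_to_b came from A
    s_mb = dh_shared(mb, xb)      # Mallory shares s_b with B
    return s_a, s_ma, s_b, s_mb


def mac_tag(key, sender, public_value):
    """Bind the DH value to its sender with a MAC under a pre-shared key."""
    msg = f"{sender}:{public_value}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def accept_public_value(key, sender, public_value, tag):
    """Receiver recomputes the tag; a substituted value fails the check."""
    return hmac.compare_digest(mac_tag(key, sender, public_value), tag)


def mitm_against_mac(key, a, ma):
    """Mallory swaps Xa for g^ma but cannot re-tag it without the key.
    Returns (genuine Xa accepted, substituted value accepted)."""
    xa = dh_public(a)
    tag = mac_tag(key, "A", xa)
    genuine = accept_public_value(key, "A", xa, tag)
    forged = accept_public_value(key, "A", dh_public(ma), tag)
    return genuine, forged


if __name__ == "__main__":
    print("honest:", honest_exchange(6, 15))
    print("mitm (s_A, Mallory/A, s_B, Mallory/B):", mitm_exchange(6, 15, 13, 7))
    print("MAC check (genuine, forged):", mitm_against_mac(b"psk", 6, 13))
```

With a = 6 and b = 15 the honest key is 5^90 mod 23 = 2. Under the attack A computes 21^6 mod 23 = 18 and B computes 17^15 mod 23 = 15; Mallory holds both, and neither A nor B can tell from the protocol alone that they disagree. The MAC only helps because the key it uses is something Mallory does not have, which is the authentication assumption the bare exchange lacks.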
Multi-Protocol Attacks
Summary
We reviewed several attacks on security protocols. Most of the attacks were found by hand. Formal methods have some disadvantages: much knowledge is necessary to specify a protocol with formal methods, and it is very easy to make errors or to prove something other than what was intended. Another disadvantage is that most formal methods assume the protocol runs in isolation. But formal methods also have advantages; for example, the author is required to specify the goals in detail. Another big advantage of formal methods is shown by the three-protocol attack: computers are good at finding subtle faults that are very hard for humans to find. For me it looks like most of the previously unknown attacks were found by hand, and some time later someone shows that it is also possible to find the attack with formal methods. But the tools are getting better and better, and I think in future most of the previously unknown attacks will be found by tools.
References
1. Bruno Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. In 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 82–96. IEEE Computer Society Press, 2001.
2. Michael Burrows, Martín Abadi, and Roger Needham. A logic of authentication. ACM Trans. Comput. Syst., 8:18–36, February 1990.
3. C. J. F. Cremers. Verification of multi-protocol attacks. Pages 1–12, 2004.
4. Dorothy E. Denning and Giovanni Maria Sacco. Timestamps in key distribution protocols. Commun. ACM, 24:533–536, August 1981.
5. Whitfield Diffie and Martin E. Hellman. New directions in cryptography, 1976.