Identifying Flaws in Cryptographic Protocols: Design & Analysis - Prof. Hao Chen, Papers of Computer Science

An analysis of various cryptographic protocols, including their design and potential vulnerabilities. It covers topics such as challenge-response protocols, key exchange protocols, and mutual authentication. The document also includes exercises and moral lessons to help readers understand the importance of secure communication and the potential consequences of protocol flaws.

Uploaded on 09/17/2009

koofers-user-mi3
koofers-user-mi3 🇺🇸

10 documents

1 / 25

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!


Cryptographic protocols:

design and analysis

David Wagner

University of California, Berkeley

Notation

A, B, C, S : names of legitimate parties. (Short for: Alice, Bob, client, server.)

M : name of a malicious attacker. (Short for: Mallet.)

Caveats

1. A → B : x. Do note: B only receives the message x, not who it came from. (Thus, messages should include the sender's name if the recipient needs to know it.)

2. There is no guarantee that A, B, the network, or the adversary will behave as intended. (Thus, messages might be intercepted, modified, re-ordered, etc.)

Warmup

Establishing a secure channel with a challenge-response protocol:

1. A → B : A
2. B → A : N_B
3. A → B : [N_B]_{K_A^{-1}}
4. A → B : {message}_{K_B}
5. A → B : {message}_{K_B}

Can you spot the flaw?

Breaking Denning-Sacco

Look closely:

3. A → B : cert_A, cert_B, {[k_AB, T_A]_{K_A^{-1}}}_{K_B}

The key k_AB isn't bound to the names of the endpoints A, B. Therefore, B can extract the quantity [k_AB, T_A]_{K_A^{-1}} and use it to spoof A in a new connection to C, like this:

3′. B → C : cert_A, cert_C, {[k_AB, T_A]_{K_A^{-1}}}_{K_C}

As a result, C mistakenly concludes he is speaking with A.

A Lesson

Moral: Be explicit. Bind all names, and all other relevant context, to every message.

Exercise: Why do so many protocols fail this way?

Credits: Abadi and Needham.
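The Denning-Sacco re-encapsulation and the "be explicit" moral, as an added example that is not part of the slides. It models message 3 symbolically: `Sig` and `Enc` are opaque records standing in for [x]_{K^{-1}} and {x}_K (no real cryptography runs), the function names are mine, and `msg3_explicit`/`accept_explicit` are my assumed remedy in which the signed token also names both endpoints and the recipient checks that its own name is the one inside.

```python
# Added example (not from Wagner's slides): symbolic model of Denning-Sacco
# message 3, the re-encapsulation by a dishonest B, and a name-bound variant.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sig:
    """[body]_{K_signer^-1}: readable by anyone, producible only by `signer`."""
    signer: str
    body: tuple


@dataclass(frozen=True)
class Enc:
    """{body}_{K_to}: openable only by the party named in `to`."""
    to: str
    body: tuple


def msg3_original(sender, receiver, k, t):
    """3. A -> B : cert_A, cert_B, {[k_AB, T_A]_{K_A^-1}}_{K_B} as on the slide."""
    return (f"cert_{sender}", f"cert_{receiver}",
            Enc(receiver, (Sig(sender, (k, t)),)))


def msg3_explicit(sender, receiver, k, t):
    """Assumed remedy: the signed token also names both endpoints."""
    return (f"cert_{sender}", f"cert_{receiver}",
            Enc(receiver, (Sig(sender, (sender, receiver, k, t)),)))


def reencapsulate(msg3, new_receiver):
    """What a dishonest recipient does: open the box addressed to him, lift the
    signed token out unchanged, and seal it to someone else under their key."""
    cert_sender, _cert_old, box = msg3
    (token,) = box.body
    return (cert_sender, f"cert_{new_receiver}", Enc(new_receiver, (token,)))


def accept_original(me, msg3, now, window=60):
    """Recipient's check under the original protocol. Returns the peer the
    recipient now believes it shares k with, or None if the message is rejected."""
    cert_sender, _cert_me, box = msg3
    if box.to != me:
        return None                      # not addressed to me; cannot open it
    (token,) = box.body
    if cert_sender != f"cert_{token.signer}":
        return None                      # signature does not match the certificate
    _k, t = token.body
    if abs(now - t) > window:
        return None                      # stale timestamp T_A
    return token.signer                  # trusts the signature alone


def accept_explicit(me, msg3, now, window=60):
    """Same check, plus enforcement of the names carried inside the token."""
    cert_sender, _cert_me, box = msg3
    if box.to != me:
        return None
    (token,) = box.body
    if cert_sender != f"cert_{token.signer}":
        return None
    signer, intended, _k, t = token.body
    if signer != token.signer or intended != me:
        return None                      # token was minted for a different peer
    if abs(now - t) > window:
        return None
    return signer


def demo():
    """Returns (what C concludes under the original, what C concludes when names are bound)."""
    t = 1000                             # constructed timestamp T_A
    original = msg3_original("A", "B", "k_AB", t)
    explicit = msg3_explicit("A", "B", "k_AB", t)
    # Honest delivery to B is accepted in both variants.
    assert accept_original("B", original, now=t + 5) == "A"
    assert accept_explicit("B", explicit, now=t + 5) == "A"
    # B re-encapsulates the token for C while T_A is still fresh.
    return (accept_original("C", reencapsulate(original, "C"), now=t + 5),
            accept_explicit("C", reencapsulate(explicit, "C"), now=t + 5))
```

Note that the timestamp check alone does not help: B forwards the token within its freshness window, so only the names inside the signed part let C notice that the key was never meant for him.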

Breaking early SSL

Look closely:

1. A → B : {k_AB}_{K_B}
2. B → A : {N_B}_{k_AB}
3. A → B : {cert_A, [N_B]_{K_A^{-1}}}_{k_AB}

Alice will sign anything with her private key.

The attack on early SSL

B can open a connection to C and pretend to be A, as follows:

1. B → C : {k_BC}_{K_C}
2. C → A : {N_C}_{k_BC}

When C challenges B with nonce N_C, Bob sends N_B = N_C back to A and uses her as an oracle:

1. A → B : {k_AB}_{K_B}
2. B → A : {N_C}_{k_AB}
3. A → B : {cert_A, [N_C]_{K_A^{-1}}}_{k_AB}

A will sign anything, so B extracts [N_C]_{K_A^{-1}} and he's in:

3. B → C : {cert_A, [N_C]_{K_A^{-1}}}_{k_BC}
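The signing-oracle relay above, as an added example that is not part of the slides. `Sig` is an opaque stand-in for [x]_{K_A^{-1}}, the nonces and session keys are constructed values, and `alice_sign_bound`/`verifier_bound` are my assumed remedy: Alice signs the nonce together with the name of the peer she set the session up with and a digest of the session key, so the signature verifies only inside her own session with B and is useless to B in his session with C.

```python
# Added example (not from Wagner's slides): the challenge-response step of the
# early SSL exchange, with Bob relaying C's nonce to Alice, and a session-bound
# variant of Alice's signature. No real signatures are computed.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Sig:
    """[body]_{K_signer^-1}: readable by anyone, producible only by `signer`."""
    signer: str
    body: tuple


def alice_sign_original(nonce):
    """Step 3 as on the slide: Alice signs whatever nonce she is handed."""
    return Sig("A", (nonce,))


def alice_sign_bound(nonce, peer, session_key):
    """Assumed remedy: the signature also covers the peer Alice believes she is
    talking to and a digest of the session key she herself chose."""
    return Sig("A", (nonce, peer, hashlib.sha256(session_key).hexdigest()))


def verifier_original(me, my_nonce, sig):
    """The responder's check on the slide: the signature covers its nonce."""
    return sig.signer if sig.body == (my_nonce,) else None


def verifier_bound(me, my_nonce, my_session_key, sig):
    """Responder expects its own name and its own session key under the signature."""
    expected = (my_nonce, me, hashlib.sha256(my_session_key).hexdigest())
    return sig.signer if sig.body == expected else None


def relay_original():
    """Bob's relay: C's challenge N_C becomes Bob's challenge to Alice (N_B = N_C)
    and her answer is forwarded to C. Returns who C believes it is talking to."""
    n_C = b"constructed-nonce-from-C"
    sig_from_alice = alice_sign_original(n_C)           # Alice answers Bob's "challenge"
    return verifier_original("C", n_C, sig_from_alice)  # Bob forwards it to C


def relay_bound():
    """The same relay against the bound variant; k_AB and k_BC are constructed."""
    k_AB, k_BC = b"constructed-k_AB", b"constructed-k_BC"
    n_C = b"constructed-nonce-from-C"
    sig_from_alice = alice_sign_bound(n_C, "B", k_AB)   # bound to Alice's session with B
    return verifier_bound("C", n_C, k_BC, sig_from_alice)


def honest_bound():
    """Control: inside Alice's own session with Bob the bound signature still verifies."""
    k_AB = b"constructed-k_AB"
    n_B = b"constructed-nonce-from-B"
    return verifier_bound("B", n_B, k_AB, alice_sign_bound(n_B, "B", k_AB))
```

Bob cannot substitute k_BC or the name C into Alice's signature because Alice, not Bob, chooses k_AB and addresses it to B's public key in message 1; whatever she signs therefore carries her own view of the session, which is exactly what C's check compares against.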

GSM challenge-response

A is a cellphone handset, B is a base station.

1. B → A : N_B
2. A → B : A, [N_B]_{K_{AB}^{-1}}
3. B → A : {data}_k

where k = f(K_AB, N_B) is the voice privacy key.

Can you spot the weakness?

X.509 standard

Sending a signed, encrypted message to B:

1. A → B : A, [T_A, B, {message}_{K_B}]_{K_A^{-1}}

This has a subtle issue, depending upon how it is used.

An Attack on X.509

Example: Proving yourself by sending a password.

Attacker M intercepts Alice's encrypted password:

1. A → B : A, [T_A, B, {password}_{K_B}]_{K_A^{-1}}

Then M extracts {password}_{K_B}, and sends

1. M → B : M, [T_M, B, {password}_{K_B}]_{K_M^{-1}}

Now M is in, without needing to know the password.

Another Attack on X.509

Example: Secure auctions.

The same attack provides an easy way for M to send in a copy of A's bid under his own name, without needing to know what A's bid was.
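The two X.509 forwarding attacks above (the password and the auction bid), as an added example that is not part of the slides. `Sig` and `Enc` are opaque stand-ins for [x]_{K^{-1}} and {x}_K, the password is a constructed value, and `send_explicit`/`receive_explicit` are my assumed remedy: the sender's name is placed inside the encrypted part as well, so B can compare the name the ciphertext was minted under with the name of whoever signed the outer message.

```python
# Added example (not from Wagner's slides): symbolic model of the X.509 message
# A -> B : A, [T_A, B, {message}_{K_B}]_{K_A^-1}, the re-signing forward by M,
# and a variant that names the sender inside the encryption. No real crypto runs.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sig:
    """[body]_{K_signer^-1}: readable by anyone, producible only by `signer`."""
    signer: str
    body: tuple


@dataclass(frozen=True)
class Enc:
    """{body}_{K_to}: openable only by the party named in `to`."""
    to: str
    body: tuple


def send_original(sender, receiver, t, message):
    """As on the slide: the signature covers a ciphertext that names no sender."""
    return (sender, Sig(sender, (t, receiver, Enc(receiver, (message,)))))


def send_explicit(sender, receiver, t, message):
    """Assumed remedy: the sender's name goes inside the encryption too."""
    return (sender, Sig(sender, (t, receiver, Enc(receiver, (sender, message)))))


def resign_as(intercepted, attacker, t_attacker):
    """M lifts the encrypted blob out of A's signed message and signs it himself."""
    _claimed, sig = intercepted
    _t, receiver, blob = sig.body
    return (attacker, Sig(attacker, (t_attacker, receiver, blob)))


def receive_original(me, msg, valid_secrets):
    """B's check on the slide. `valid_secrets` is the set of accepted passwords
    (or, for the auction, a predicate on bids). Returns who B admits, or None."""
    claimed, sig = msg
    if sig.signer != claimed:
        return None                      # outer name and signature disagree
    _t, receiver, blob = sig.body
    if receiver != me or blob.to != me:
        return None                      # not meant for me / cannot open it
    (secret,) = blob.body
    return claimed if secret in valid_secrets else None


def receive_explicit(me, msg, valid_secrets):
    """Same check, plus: the name inside the ciphertext must match the signer."""
    claimed, sig = msg
    if sig.signer != claimed:
        return None
    _t, receiver, blob = sig.body
    if receiver != me or blob.to != me:
        return None
    inner_sender, secret = blob.body
    if inner_sender != claimed:
        return None                      # encrypted part was minted by someone else
    return claimed if secret in valid_secrets else None


def demo():
    """Returns (who B admits after the forward on the slide, who B admits with the remedy)."""
    valid = {"constructed-password"}
    a_msg = send_original("A", "B", 100, "constructed-password")
    a_msg_explicit = send_explicit("A", "B", 100, "constructed-password")
    forwarded = resign_as(a_msg, "M", 101)                  # M re-signs A's blob
    forwarded_explicit = resign_as(a_msg_explicit, "M", 101)
    return (receive_original("B", forwarded, valid),
            receive_explicit("B", forwarded_explicit, valid))
```

For the auction case replace the password with the bid and `valid_secrets` with whatever B accepts as a well-formed bid; the functions are unchanged, and `receive_explicit` still rejects M's copy because the plaintext inside names A.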

TMN

A, B establish a shared key k_B using the help of a fast server S:

1. A → S : {k_A}_{K_S}
2. B → S : {k_B}_{K_S}
3. S → A : k_A ⊕ k_B

A recovers k_B as k_A ⊕ (k_A ⊕ k_B).

What's the flaw?

Breaking TMN

Let's play spot the oracle!

The attack: Given {k_B}_{K_S}, M, M′ can conspire to recover k_B:

1. M → S : {k_B}_{K_S}
2. M′ → S : {k_{M′}}_{K_S}
3. S → M : k_B ⊕ k_{M′}

Now M, M′ can recover k_B from {k_B}_{K_S}.

This lets eavesdroppers recover session keys established by other parties.

Credits: Simmons.