Introduction to cryptographic protocols

Transcription

Stéphanie Delaune
September 17, 2014
Stéphanie Delaune (LSV)
1 / 22
Cryptographic protocols everywhere !
Goal: they aim at securing communications over public/insecure networks
2 / 22
Some security properties
Secrecy: May an intruder learn some secret message between two
honest participants?
Authentication: Is the agent Alice really talking to Bob?
Anonymity: Is an attacker able to learn something about the identity
of the participants who are communicating?
Non-repudiation: Alice sends a message to Bob. Alice cannot later
deny having sent this message. Bob cannot deny having received the
message.
...
3 / 22
Example: E-voting application
Eligibility: only legitimate voters can vote,
and only once
No early results: no early results can be obtained which could influence the remaining
voters
Vote-privacy/Receipt-freeness/Coercion-resistance: the fact that a
particular voter voted in a particular way is not revealed to anyone
Individual/Universal verifiability:
a voter can verify that her vote was really counted,
and that the published outcome is the sum of all
the votes
4 / 22
How does a cryptographic protocol work (or not)? (1/2)
cryptographic primitives = basic building blocks
−→ symmetric/ asymmetric encryption, signature, hash function, . . .
5 / 22
Symmetric encryption
encryption
decryption
Examples: Caesar cipher, Enigma machine (∼ 19181945), or more recently DES (1973) and AES (1997)
5 / 22
Asymmetric encryption
encryption
public key
decryption
private key
Examples: First system published by Diffie-Hellman (1976), RSA (1977)
5 / 22
Signature
signature
private key
verification
public key
5 / 22
protocol = small programs explaining how to exchange messages
−→ key-exchange protocols, authentication protocols, e-voting protocols,
Bitcoin protocol, ...
6 / 22
Example: A simplified version of the Denning-Sacco protocol (1981)
A → B : aenc(sign(k, priv(A)), pub(B))
B → A : senc(s, k)
6 / 22
Example: A simplified version of the Denning-Sacco protocol (1981)
What about secrecy of s ?
6 / 22
Security of cryptographic protocols
How cryptographic protocols can be attacked?
Logical attack
Breaking encryption
replay attacks
cryptanalysis
man-in-the-middle attacks
7 / 22
Going back to the Denning Sacco protocol
Description
8 / 22
Description
Consider a scenario where A starts a session with C who is dishonest.
1. A → C : aenc(sign(k, priv(A)), pub(C ))
8 / 22
Description
8 / 22
Description
2. C (A) → B : aenc(sign(k, priv(A)), pub(B))
Attack !
3.
8 / 22
What about protocols used in real life ?
E-passport
Credit card
9 / 22
Credit card payment
The client Cl puts his credit card C in the
terminal T .
The merchant enters the amount M of the sale.
The terminal authenticates the credit card.
The client enters his PIN.
If M ≥ e 100, then in 20% of cases,
The terminal contacts the bank B.
The banks gives its authorisation.
10 / 22
More details
the Bank B , the Client Cl, the Credit Card C and the Terminal T
11 / 22
More details
Bank
a private signature key – priv(B)
a public key to verify a signature – pub(B)
a secret key shared with the credit card – KCB
11 / 22
More details
Bank
Credit Card
some Data: name of the cardholder, expiry date ...
a signature of the Data – {hash(Data)}priv(B)
a secret key shared with the bank – KCB
11 / 22
More details
Bank
Credit Card
some Data: name of the cardholder, expiry date ...
a signature of the Data – {hash(Data)}priv(B)
a secret key shared with the bank – KCB
Terminal
the public key of the bank – pub(B)
11 / 22
Payment protocol
the terminal T reads the credit card C :
1. C
→ T : Data, {hash(Data)}priv(B)
12 / 22
Payment protocol
1. C
the terminal T asks
2.
3.
4.
the
T
Cl
C
code:
→ Cl : code?
→ C : 1234
→ T : ok
12 / 22
Payment protocol
1. C
the terminal T asks
2.
3.
4.
the
T
Cl
C
code:
→ Cl : code?
→ C : 1234
→ T : ok
the terminal T requests authorisation the bank B:
5.
6.
7.
8.
9.
10.
T
B
T
C
T
B
→
→
→
→
→
→
B
T
C
T
B
T
:
:
:
:
:
:
auth?
4528965874123
4528965874123
{4528965874123}KCB
{4528965874123}KCB
ok
12 / 22
Faille sur la carte bleue
Initialement la sécurité été assurée par :
cartes difficilement réplicables,
secret des clefs et du protocole.
13 / 22
Faille sur la carte bleue
Initialement la sécurité été assurée par :
cartes difficilement réplicables,
secret des clefs et du protocole.
Mais il y a des failles !
faille cryptographique : les clefs de 320 bits ne sont plus sûres,
faille logique : pas de lien entre le code secret à 4 chiffres et
l’authentification,
faille matériel : réplicabilité des cartes.
→ “YesCard” fabriquées par Serge Humpich (1997).
13 / 22
La « YesCard »: Comment ca marche ?
Faille logique
1.C
→T
: Data, {hash(Data)}priv(B)
2.T
→ Cl
: code?
3.Cl
→C
: 1234
4.C
→T
: ok
14 / 22
Faille logique
1.C
→T
2.T
→ Cl
: code?
3.Cl
C′
4.C
′
→
→T
: 2345
: ok
14 / 22
Faille logique
1.C
→T
2.T
→ Cl
: code?
3.Cl
C′
4.C
′
→
→T
: 2345
: ok
Remarque : il y a toujours quelqu’un à débiter.
→ ajout d’un faux chiffrement sur une fausse carte (Serge Humpich).
14 / 22
Faille logique
1.C
→T
2.T
→ Cl
: code?
3.Cl
C′
4.C
′
→
→T
: 2345
: ok
Remarque : il y a toujours quelqu’un à débiter.
→ ajout d’un faux chiffrement sur une fausse carte (Serge Humpich).
1.C ′
→T
: XXX, {hash(XXX)}priv(B)
2.T
→ Cl
: code?
3.Cl
C′
4.C
′
→
→T
: 0000
: ok
14 / 22
Electronic passport
−→ studied in [Arapinis et al., 10]
An electronic passport is a passport with an RFID tag embedded in it.
The RFID tag stores:
the information printed on your passport,
a JPEG copy of your picture.
15 / 22
Electronic passport
−→ studied in [Arapinis et al., 10]
An electronic passport is a passport with an RFID tag embedded in it.
The RFID tag stores:
the information printed on your passport,
a JPEG copy of your picture.
The Basic Access Control (BAC) protocol is a key establishment protocol
that has been designed to also ensure unlinkability.
ISO/IEC standard 15408
Unlinkability aims to ensure that a user may make multiple uses of a
service or resource without others being able to link these uses together.
15 / 22
BAC protocol
Passport
Reader
(KE , KM )
(KE , KM )
16 / 22
BAC protocol
Passport
Reader
(KE , KM )
(KE , KM )
get_challenge
16 / 22
BAC protocol
Passport
Reader
(KE , KM )
(KE , KM )
get_challenge
NP , KP
NP
16 / 22
BAC protocol
Passport
Reader
(KE , KM )
(KE , KM )
get_challenge
NP , KP
NP
NR , KR
{NR , NP , KR }K , MACK
E
M
({NR , NP , KR }K )
E
16 / 22
BAC protocol
Passport
Reader
(KE , KM )
(KE , KM )
get_challenge
NP , KP
NP
NR , KR
{NR , NP , KR }K , MACK
M
({NR , NP , KR }K )
{NP , NR , KP }K , MACK
M
({NP , NR , KP }K )
E
E
E
E
16 / 22
BAC protocol
Passport
Reader
(KE , KM )
(KE , KM )
get_challenge
NP , KP
NP
NR , KR
{NR , NP , KR }K , MACK ({NR , NP , KR }K )
E
M
E
{NP , NR , KP }K , MACK ({NP , NR , KP }K )
E
M
Kseed = KP ⊕ KR
E
Kseed = KP ⊕ KR
16 / 22
French electronic passport
−→ the passport must reply to all received messages.
Passport
Reader
(KE ,KM )
(KE ,KM )
get_challenge
NP , KP
NP
NR , KR
E
M
E
17 / 22
Passport
Reader
(KE ,KM )
(KE ,KM )
get_challenge
NP , KP
NP
NR , KR
E
M
E
If MAC check fails
mac_error
17 / 22
Passport
Reader
(KE ,KM )
(KE ,KM )
get_challenge
NP , KP
NP
NR , KR
E
M
E
If MAC check
succeeds
If nonce check fails
nonce_error
17 / 22
An attack on the French passport
Attack against unlinkability
[Chothia & Smirnov, 10]
An attacker can track a French passport, provided he has once witnessed a
successful authentication.
18 / 22
Attack against unlinkability
[Chothia & Smirnov, 10]
An attacker can track a French passport, provided he has once witnessed a
successful authentication.
Part 1 of the attack. The attacker eavesdropes on Alice using her passport
and records message M.
Alice’s Passport
Reader
(KE ,KM )
(KE ,KM )
get_challenge
NP , KP
NP
NR , KR
M = {NR , NP , KR }K , MACK ({NR , NP , KR }K )
E
M
E
18 / 22
Part 2 of the attack.
The attacker replays the message M and checks the error code he receives.
????’s Passport
Attacker
′ )
(KE′ ,KM
get_challenge
NP′ , KP′
NP′
E
M
E
18 / 22
????’s Passport
Attacker
′ )
(KE′ ,KM
get_challenge
NP′ , KP′
NP′
E
E
M
mac_error
=⇒ MAC check failed =⇒
′ 6= K
KM
M
=⇒ ???? is not Alice
18 / 22
????’s Passport
Attacker
′ )
(KE′ ,KM
get_challenge
NP′ , KP′
NP′
E
M
E
nonce_error
=⇒ MAC check succeeded =⇒
′ =K
KM
M
=⇒
???? is Alice
18 / 22
Logical attacks - How to detect them?
Symbolic approach
messages are represented by terms rather than bit-strings
֒→ {m}k encryption of the message m with key k,
֒→ hm1 , m2 i pairing of messages m1 and m2 , . . .
attacker controls the network and can perform specific actions
19 / 22
Logical attacks - How to detect them?
Symbolic approach
messages are represented by terms rather than bit-strings
֒→ {m}k encryption of the message m with key k,
֒→ hm1 , m2 i pairing of messages m1 and m2 , . . .
attacker controls the network and can perform specific actions
Relevance of the approach
numerous attacks have already been obtained,
soundness results w.r.t. to the computational model already exist, e.g.
[Abadi & Rogaway’01]
allows us to perform automatic verification
19 / 22
Course program
Part I: Stéphanie Delaune
1
Proofs in the symbolic model: from confidentiality to privacy
Part II: Bruno Blanchet and Cédric Fournet
1
Proofs in the computational model (CryptoVerif)
−→ Bruno Blanchet
2
Proofs at the implementation level (F#)
−→ Cédric Fournet
20 / 22
Outline of my lectures (1/2)
Lecture 1 (today)
verification in the passive case: intruder deduction problem
Lecture 2 (24th september)
modelling protocols and some security properties
Lecture 3 (1st october)
decision procedure for a bounded number of sessions
Lecture 4 (8th october)
undecidability result for an unbounded number of sessions
a decidability result for a restricted fragment
21 / 22
Outline of my lectures (2/2)
unbounded number of sessions: ProVerif tool
privacy-type security properties (motivation, definitions)
verification in the passive case: static equivalence problem
Lecture 8 (5th november)
verification in the active case
22 / 22

Introduction to cryptographic protocols

Transcription

Documents pareils

catalogue anglais basse def janv 013

Stéphanie Delaune

Langue Vivante Anglais Tests et Textes à Etudier

VISA REQUIREMENTS - Generations Visa Services

Langue Vivante Anglais - Université des Antilles et de la Guyane

on-line visa application form

GHANA (Multiple Entry), TOGO and BENIN

VIP PASSPORT SERVICES, INC. - VIP Passports and Visa Services

Executive summary - Internet Mark 2 Project