Introduction to cryptographic protocols
Transcription
Introduction to cryptographic protocols
Introduction to cryptographic protocols Stéphanie Delaune September 17, 2014 Stéphanie Delaune (LSV) Introduction to cryptographic protocols 1 / 22 Cryptographic protocols everywhere ! Goal: they aim at securing communications over public/insecure networks Stéphanie Delaune (LSV) Introduction to cryptographic protocols 2 / 22 Some security properties Secrecy: May an intruder learn some secret message between two honest participants? Authentication: Is the agent Alice really talking to Bob? Anonymity: Is an attacker able to learn something about the identity of the participants who are communicating? Non-repudiation: Alice sends a message to Bob. Alice cannot later deny having sent this message. Bob cannot deny having received the message. ... Stéphanie Delaune (LSV) Introduction to cryptographic protocols 3 / 22 Example: E-voting application Eligibility: only legitimate voters can vote, and only once No early results: no early results can be obtained which could influence the remaining voters Vote-privacy/Receipt-freeness/Coercion-resistance: the fact that a particular voter voted in a particular way is not revealed to anyone Individual/Universal verifiability: a voter can verify that her vote was really counted, and that the published outcome is the sum of all the votes Stéphanie Delaune (LSV) Introduction to cryptographic protocols 4 / 22 How does a cryptographic protocol work (or not)? (1/2) cryptographic primitives = basic building blocks −→ symmetric/ asymmetric encryption, signature, hash function, . . . Stéphanie Delaune (LSV) Introduction to cryptographic protocols 5 / 22 How does a cryptographic protocol work (or not)? (1/2) cryptographic primitives = basic building blocks −→ symmetric/ asymmetric encryption, signature, hash function, . . . Symmetric encryption encryption decryption Examples: Caesar cipher, Enigma machine (∼ 19181945), or more recently DES (1973) and AES (1997) Stéphanie Delaune (LSV) Introduction to cryptographic protocols 5 / 22 How does a cryptographic protocol work (or not)? (1/2) cryptographic primitives = basic building blocks −→ symmetric/ asymmetric encryption, signature, hash function, . . . Asymmetric encryption encryption public key decryption private key Examples: First system published by Diffie-Hellman (1976), RSA (1977) Stéphanie Delaune (LSV) Introduction to cryptographic protocols 5 / 22 How does a cryptographic protocol work (or not)? (1/2) cryptographic primitives = basic building blocks −→ symmetric/ asymmetric encryption, signature, hash function, . . . Signature signature private key Stéphanie Delaune (LSV) verification public key Introduction to cryptographic protocols 5 / 22 How does a cryptographic protocol work (or not)? (2/2) protocol = small programs explaining how to exchange messages −→ key-exchange protocols, authentication protocols, e-voting protocols, Bitcoin protocol, ... Stéphanie Delaune (LSV) Introduction to cryptographic protocols 6 / 22 How does a cryptographic protocol work (or not)? (2/2) protocol = small programs explaining how to exchange messages −→ key-exchange protocols, authentication protocols, e-voting protocols, Bitcoin protocol, ... Example: A simplified version of the Denning-Sacco protocol (1981) A → B : aenc(sign(k, priv(A)), pub(B)) B → A : senc(s, k) Stéphanie Delaune (LSV) Introduction to cryptographic protocols 6 / 22 How does a cryptographic protocol work (or not)? (2/2) protocol = small programs explaining how to exchange messages −→ key-exchange protocols, authentication protocols, e-voting protocols, Bitcoin protocol, ... Example: A simplified version of the Denning-Sacco protocol (1981) A → B : aenc(sign(k, priv(A)), pub(B)) B → A : senc(s, k) What about secrecy of s ? Stéphanie Delaune (LSV) Introduction to cryptographic protocols 6 / 22 Security of cryptographic protocols How cryptographic protocols can be attacked? Logical attack Breaking encryption replay attacks cryptanalysis man-in-the-middle attacks Stéphanie Delaune (LSV) Introduction to cryptographic protocols 7 / 22 Going back to the Denning Sacco protocol Description A → B : aenc(sign(k, priv(A)), pub(B)) B → A : senc(s, k) What about secrecy of s ? Stéphanie Delaune (LSV) Introduction to cryptographic protocols 8 / 22 Going back to the Denning Sacco protocol Description A → B : aenc(sign(k, priv(A)), pub(B)) B → A : senc(s, k) What about secrecy of s ? Consider a scenario where A starts a session with C who is dishonest. 1. A → C : aenc(sign(k, priv(A)), pub(C )) Stéphanie Delaune (LSV) Introduction to cryptographic protocols 8 / 22 Going back to the Denning Sacco protocol Description A → B : aenc(sign(k, priv(A)), pub(B)) B → A : senc(s, k) What about secrecy of s ? Consider a scenario where A starts a session with C who is dishonest. 1. A → C : aenc(sign(k, priv(A)), pub(C )) Stéphanie Delaune (LSV) Introduction to cryptographic protocols 8 / 22 Going back to the Denning Sacco protocol Description A → B : aenc(sign(k, priv(A)), pub(B)) B → A : senc(s, k) What about secrecy of s ? Consider a scenario where A starts a session with C who is dishonest. 1. A → C : aenc(sign(k, priv(A)), pub(C )) 2. C (A) → B : aenc(sign(k, priv(A)), pub(B)) Attack ! 3. B → A : senc(s, k) Stéphanie Delaune (LSV) Introduction to cryptographic protocols 8 / 22 What about protocols used in real life ? E-passport Credit card Stéphanie Delaune (LSV) Introduction to cryptographic protocols 9 / 22 Credit card payment The client Cl puts his credit card C in the terminal T . The merchant enters the amount M of the sale. The terminal authenticates the credit card. The client enters his PIN. If M ≥ e 100, then in 20% of cases, The terminal contacts the bank B. The banks gives its authorisation. Stéphanie Delaune (LSV) Introduction to cryptographic protocols 10 / 22 More details the Bank B , the Client Cl, the Credit Card C and the Terminal T Stéphanie Delaune (LSV) Introduction to cryptographic protocols 11 / 22 More details the Bank B , the Client Cl, the Credit Card C and the Terminal T Bank a private signature key – priv(B) a public key to verify a signature – pub(B) a secret key shared with the credit card – KCB Stéphanie Delaune (LSV) Introduction to cryptographic protocols 11 / 22 More details the Bank B , the Client Cl, the Credit Card C and the Terminal T Bank a private signature key – priv(B) a public key to verify a signature – pub(B) a secret key shared with the credit card – KCB Credit Card some Data: name of the cardholder, expiry date ... a signature of the Data – {hash(Data)}priv(B) a secret key shared with the bank – KCB Stéphanie Delaune (LSV) Introduction to cryptographic protocols 11 / 22 More details the Bank B , the Client Cl, the Credit Card C and the Terminal T Bank a private signature key – priv(B) a public key to verify a signature – pub(B) a secret key shared with the credit card – KCB Credit Card some Data: name of the cardholder, expiry date ... a signature of the Data – {hash(Data)}priv(B) a secret key shared with the bank – KCB Terminal the public key of the bank – pub(B) Stéphanie Delaune (LSV) Introduction to cryptographic protocols 11 / 22 Payment protocol the terminal T reads the credit card C : 1. C Stéphanie Delaune (LSV) → T : Data, {hash(Data)}priv(B) Introduction to cryptographic protocols 12 / 22 Payment protocol the terminal T reads the credit card C : 1. C the terminal T asks 2. 3. 4. Stéphanie Delaune (LSV) the T Cl C → T : Data, {hash(Data)}priv(B) code: → Cl : code? → C : 1234 → T : ok Introduction to cryptographic protocols 12 / 22 Payment protocol the terminal T reads the credit card C : 1. C the terminal T asks 2. 3. 4. the T Cl C → T : Data, {hash(Data)}priv(B) code: → Cl : code? → C : 1234 → T : ok the terminal T requests authorisation the bank B: 5. 6. 7. 8. 9. 10. Stéphanie Delaune (LSV) T B T C T B → → → → → → B T C T B T : : : : : : auth? 4528965874123 4528965874123 {4528965874123}KCB {4528965874123}KCB ok Introduction to cryptographic protocols 12 / 22 Faille sur la carte bleue Initialement la sécurité été assurée par : cartes difficilement réplicables, secret des clefs et du protocole. Stéphanie Delaune (LSV) Introduction to cryptographic protocols 13 / 22 Faille sur la carte bleue Initialement la sécurité été assurée par : cartes difficilement réplicables, secret des clefs et du protocole. Mais il y a des failles ! faille cryptographique : les clefs de 320 bits ne sont plus sûres, faille logique : pas de lien entre le code secret à 4 chiffres et l’authentification, faille matériel : réplicabilité des cartes. → “YesCard” fabriquées par Serge Humpich (1997). Stéphanie Delaune (LSV) Introduction to cryptographic protocols 13 / 22 La « YesCard »: Comment ca marche ? Faille logique 1.C →T : Data, {hash(Data)}priv(B) 2.T → Cl : code? 3.Cl →C : 1234 4.C →T : ok Stéphanie Delaune (LSV) Introduction to cryptographic protocols 14 / 22 La « YesCard »: Comment ca marche ? Faille logique 1.C →T : Data, {hash(Data)}priv(B) 2.T → Cl : code? 3.Cl C′ 4.C Stéphanie Delaune (LSV) ′ → →T : 2345 : ok Introduction to cryptographic protocols 14 / 22 La « YesCard »: Comment ca marche ? Faille logique 1.C →T : Data, {hash(Data)}priv(B) 2.T → Cl : code? 3.Cl C′ 4.C ′ → →T : 2345 : ok Remarque : il y a toujours quelqu’un à débiter. → ajout d’un faux chiffrement sur une fausse carte (Serge Humpich). Stéphanie Delaune (LSV) Introduction to cryptographic protocols 14 / 22 La « YesCard »: Comment ca marche ? Faille logique 1.C →T : Data, {hash(Data)}priv(B) 2.T → Cl : code? 3.Cl C′ 4.C ′ → →T : 2345 : ok Remarque : il y a toujours quelqu’un à débiter. → ajout d’un faux chiffrement sur une fausse carte (Serge Humpich). 1.C ′ →T : XXX, {hash(XXX)}priv(B) 2.T → Cl : code? 3.Cl C′ 4.C Stéphanie Delaune (LSV) ′ → →T : 0000 : ok Introduction to cryptographic protocols 14 / 22 Electronic passport −→ studied in [Arapinis et al., 10] An electronic passport is a passport with an RFID tag embedded in it. The RFID tag stores: the information printed on your passport, a JPEG copy of your picture. Stéphanie Delaune (LSV) Introduction to cryptographic protocols 15 / 22 Electronic passport −→ studied in [Arapinis et al., 10] An electronic passport is a passport with an RFID tag embedded in it. The RFID tag stores: the information printed on your passport, a JPEG copy of your picture. The Basic Access Control (BAC) protocol is a key establishment protocol that has been designed to also ensure unlinkability. ISO/IEC standard 15408 Unlinkability aims to ensure that a user may make multiple uses of a service or resource without others being able to link these uses together. Stéphanie Delaune (LSV) Introduction to cryptographic protocols 15 / 22 BAC protocol Passport Reader (KE , KM ) (KE , KM ) Stéphanie Delaune (LSV) Introduction to cryptographic protocols 16 / 22 BAC protocol Passport Reader (KE , KM ) (KE , KM ) get_challenge Stéphanie Delaune (LSV) Introduction to cryptographic protocols 16 / 22 BAC protocol Passport Reader (KE , KM ) (KE , KM ) get_challenge NP , KP NP Stéphanie Delaune (LSV) Introduction to cryptographic protocols 16 / 22 BAC protocol Passport Reader (KE , KM ) (KE , KM ) get_challenge NP , KP NP NR , KR {NR , NP , KR }K , MACK E Stéphanie Delaune (LSV) M ({NR , NP , KR }K ) Introduction to cryptographic protocols E 16 / 22 BAC protocol Passport Reader (KE , KM ) (KE , KM ) get_challenge NP , KP NP NR , KR {NR , NP , KR }K , MACK M ({NR , NP , KR }K ) {NP , NR , KP }K , MACK M ({NP , NR , KP }K ) E E Stéphanie Delaune (LSV) E Introduction to cryptographic protocols E 16 / 22 BAC protocol Passport Reader (KE , KM ) (KE , KM ) get_challenge NP , KP NP NR , KR {NR , NP , KR }K , MACK ({NR , NP , KR }K ) E M E {NP , NR , KP }K , MACK ({NP , NR , KP }K ) E M Kseed = KP ⊕ KR Stéphanie Delaune (LSV) E Kseed = KP ⊕ KR Introduction to cryptographic protocols 16 / 22 French electronic passport −→ the passport must reply to all received messages. Passport Reader (KE ,KM ) (KE ,KM ) get_challenge NP , KP NP NR , KR {NR , NP , KR }K , MACK ({NR , NP , KR }K ) E Stéphanie Delaune (LSV) M Introduction to cryptographic protocols E 17 / 22 French electronic passport −→ the passport must reply to all received messages. Passport Reader (KE ,KM ) (KE ,KM ) get_challenge NP , KP NP NR , KR {NR , NP , KR }K , MACK ({NR , NP , KR }K ) E M E If MAC check fails mac_error Stéphanie Delaune (LSV) Introduction to cryptographic protocols 17 / 22 French electronic passport −→ the passport must reply to all received messages. Passport Reader (KE ,KM ) (KE ,KM ) get_challenge NP , KP NP NR , KR {NR , NP , KR }K , MACK ({NR , NP , KR }K ) E M E If MAC check succeeds If nonce check fails nonce_error Stéphanie Delaune (LSV) Introduction to cryptographic protocols 17 / 22 An attack on the French passport Attack against unlinkability [Chothia & Smirnov, 10] An attacker can track a French passport, provided he has once witnessed a successful authentication. Stéphanie Delaune (LSV) Introduction to cryptographic protocols 18 / 22 An attack on the French passport Attack against unlinkability [Chothia & Smirnov, 10] An attacker can track a French passport, provided he has once witnessed a successful authentication. Part 1 of the attack. The attacker eavesdropes on Alice using her passport and records message M. Alice’s Passport Reader (KE ,KM ) (KE ,KM ) get_challenge NP , KP NP NR , KR M = {NR , NP , KR }K , MACK ({NR , NP , KR }K ) E Stéphanie Delaune (LSV) M Introduction to cryptographic protocols E 18 / 22 An attack on the French passport Part 2 of the attack. The attacker replays the message M and checks the error code he receives. ????’s Passport Attacker ′ ) (KE′ ,KM get_challenge NP′ , KP′ NP′ M = {NR , NP , KR }K , MACK ({NR , NP , KR }K ) E Stéphanie Delaune (LSV) M Introduction to cryptographic protocols E 18 / 22 An attack on the French passport Part 2 of the attack. The attacker replays the message M and checks the error code he receives. ????’s Passport Attacker ′ ) (KE′ ,KM get_challenge NP′ , KP′ NP′ M = {NR , NP , KR }K , MACK ({NR , NP , KR }K ) E E M mac_error =⇒ MAC check failed =⇒ Stéphanie Delaune (LSV) ′ 6= K KM M =⇒ ???? is not Alice Introduction to cryptographic protocols 18 / 22 An attack on the French passport Part 2 of the attack. The attacker replays the message M and checks the error code he receives. ????’s Passport Attacker ′ ) (KE′ ,KM get_challenge NP′ , KP′ NP′ M = {NR , NP , KR }K , MACK ({NR , NP , KR }K ) E M E nonce_error =⇒ MAC check succeeded =⇒ Stéphanie Delaune (LSV) ′ =K KM M Introduction to cryptographic protocols =⇒ ???? is Alice 18 / 22 Logical attacks - How to detect them? Symbolic approach messages are represented by terms rather than bit-strings ֒→ {m}k encryption of the message m with key k, ֒→ hm1 , m2 i pairing of messages m1 and m2 , . . . attacker controls the network and can perform specific actions Stéphanie Delaune (LSV) Introduction to cryptographic protocols 19 / 22 Logical attacks - How to detect them? Symbolic approach messages are represented by terms rather than bit-strings ֒→ {m}k encryption of the message m with key k, ֒→ hm1 , m2 i pairing of messages m1 and m2 , . . . attacker controls the network and can perform specific actions Relevance of the approach numerous attacks have already been obtained, soundness results w.r.t. to the computational model already exist, e.g. [Abadi & Rogaway’01] allows us to perform automatic verification Stéphanie Delaune (LSV) Introduction to cryptographic protocols 19 / 22 Course program Part I: Stéphanie Delaune 1 Proofs in the symbolic model: from confidentiality to privacy Part II: Bruno Blanchet and Cédric Fournet 1 Proofs in the computational model (CryptoVerif) −→ Bruno Blanchet 2 Proofs at the implementation level (F#) −→ Cédric Fournet Stéphanie Delaune (LSV) Introduction to cryptographic protocols 20 / 22 Outline of my lectures (1/2) Lecture 1 (today) verification in the passive case: intruder deduction problem Lecture 2 (24th september) modelling protocols and some security properties Lecture 3 (1st october) decision procedure for a bounded number of sessions Lecture 4 (8th october) undecidability result for an unbounded number of sessions a decidability result for a restricted fragment Stéphanie Delaune (LSV) Introduction to cryptographic protocols 21 / 22 Outline of my lectures (2/2) Lecture 5 (15th october) unbounded number of sessions: ProVerif tool Lecture 6 (22th october) privacy-type security properties (motivation, definitions) Lecture 7 (29th october) verification in the passive case: static equivalence problem Lecture 8 (5th november) verification in the active case Stéphanie Delaune (LSV) Introduction to cryptographic protocols 22 / 22