security protocols vitaly shmatikov cs 6431. security protocols use cryptography to achieve some...
TRANSCRIPT
Security Protocols
Use cryptography to achieve some higher-level security objective• Authentication, confidentiality, integrity, key
distribution or establishment, payment…
Examples: SSL/TLS, IPsec, Kerberos, SSH, 802.11b and 802.11i, Skype, hundreds of others • New protocols constantly proposed,
standardized, implemented, and deployed
Critical component of modern Web and mobile applications
slide 2
Needham and Schroeder. “Using Encryption for Authentication in Large Networks of Computers” (CACM 1979)
Initiated the field of cryptographic protocol design• Led to Kerberos, IPsec, SSL, and all modern protocols
Observed the need for rigorous protocol analysis• “Protocols … are prone to extremely subtle errors that
are unlikely to be detected in normal operation… The need for techniques to verify the correctness of such protocols is great, and we encourage those interested in such problems to consider this area.”
slide 3
Needham-Schroeder Protocols
Many simple attacks against protocols have been discovered over the years• Even carefully designed, widely deployed
protocols... often years after the protocol has been deployed
– Examples: SSL, SSH, 802.11b, GSM
• Simple = attacks do not involve breaking crypto!
Why is the problem difficult?• Concurrency + distributed participants + (often
incorrect) use of cryptography• Active attackers in full control of communications • Implicit assumptions and goals behind protocols
slide 4
Things Goes Wrong
Design Principles (1)
1. Every message should say what it means2. The conditions for a message to be acted on
should be clearly set out3. Mention the principal’s name explicitly in
the message if it is essential to the meaning4. Be clear as to why encryption is being done5. Don’t assume a principal knows the content
of encrypted material that is signed by that principal
slide 5
[Abadi and Needham. “Prudent Engineering Practice for Cryptographic Protocols ”. Oakland 1994]
Design Principles (2)
6. Be clear on what properties you are assuming about nonces
7. Predictable quantities used for challenge-response should be protected from replay
8. Timestamps must take into account local clock variation and clock maintenance mechanisms
9. A key may have been used recently, yet be old
slide 6
[Abadi and Needham]
Design Principles (3)
10. If an encoding is used to present the meaning of a message, then it should be possible to tell which encoding is being used
11. The protocol designer should know which trust relations his protocol depends on
slide 7
[Abadi and Needham]
slide 8
NS Symmetric-Key Protocol
Alice Bob
{Kc, A}Kb
Goal: A and B establish a fresh, shared, secret key Kc with the help of a trusted key server
Trusted key serverA, B, NonceA
{ NonceA, B, Kc, {Kc, A}Kb }KaKaKb
Ka, Kb
{NonceB}Kc
{NonceB-1}Kc
Denning-Sacco Attack
Attacker recorded an old session and compromised session key Kx used in that session
B now believes he shares a fresh secret Kx with A
Moral: use timestamps to detect replay of old messages
slide 9
Bob
{Kx, A}Kb
{NonceB}Kx
{NonceB-1}Kx
A B
A ’s identity Fresh random number
generated by A
B’s reasoning: The only way to learn NonceB is to decrypt the second message Only A can decrypt second message Therefore, A is on the other end
A is authenticated!
Kb{ NonceB}
Ka{ NonceA, NonceB }
Kb{ A, NonceA } Encrypted with B’s public key
slide 10
A ’s reasoning: The only person who could know NonceA is the person who decrypted the first message Only B can decrypt message encrypted with Kb Therefore, B is on the other end of the line B is authenticated!
NS Public-Key Protocol
What Does This Protocol Achieve?
A B
Kb{ NonceB }
Ka{ NonceA, NonceB }
Kb{ A, NonceA }
Protocol aims to provide both authentication and secrecyAfter this exchange, only A and B know NonceA and
NonceB they can be used to derive a shared key
slide 11
B can’t decrypt this message,
but he can replay it
A B
{ A, Na }Kc
C
{ A, Na }Kb
{ Na, Nc }Ka
{ Na, Nc }Ka
{ Nc }Kb
Evil participant B trickshonest A into revealingC’s nonce Nc
C is convinced that he is talking to A!
Evil B pretendsthat he is A
Lowe’s Attack on NSPK
slide 12
[Lowe. “Breaking and Fixing the Needham-Schroeder Public-Key Protocol using FDR”. TACAS 1996]
A B
{ A, Na }Kc
C
{ A, Na }Kb
{ Na, Nc }Ka
{ Na, Nc }Ka
Abadi-Needham Principle #1
slide 13
Every message should say what it means
Who sent this message?
A B
Kb{ NonceB}
Ka{ NonceA, B, NonceB }
Kb{ A, NonceA }
slide 14
Does this solve the problem? How?
Lowe’s Fix to NSPK
Lessons of Lowe’s Attack
Attacker is a legitimate protocol participant!Exploits participants’ reasoning to fool them
• A is correct that B must have decrypted {A,Na}Kb message, but this does not mean that the {Na,Nb}Ka message came from B
• The attack does not rely on breaking cryptography!
It is important to realize limitations of protocols• The attack requires that A willingly talk to adversary• In the original setting, each workstation is assumed
to be well-behaved, and the protocol is correct!
Discover attacks like this automatically?slide 15
slide 16
Cashier-as-a-Service
PayPal, Amazon Payments, Google Checkout, etc.
Web store
Shopper
communication about the order
communication about the payment
Joint decision:is an orderappropriately paid?
[Wang et al. “How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores”. Oakland 2011]
nopCommerce + Amazon Simple Pay
[Wang et al.]
(and seller Mark)
Jeff, I want to buy this DVD.
Shopper Chuck
Amazon (CaaS)
Jeff
Chuck, pay in Amazon with this signed letter:
Dear Amazon, order#123 is $10, when it is paid, text me at 425-111-2222. [Jeff’s signature]
Amazon, I want to pay with this letter
Hi, $10 has been paid for order#123. [Amazon’s signature]
Great, I will ship order#123!
Anyone can register an Amazon seller account, so can Chuck
Purchase a $25 MasterCard gift card by cash, register under a fake address and phone numberCreate seller accounts in PayPal, Amazon and Google using the cardChuck’s trickCheck out from Jeff, but pay to “Mark” (Chuck himself)Amazon tells Jeff that payment has been successfulJeff is confused, ships product
slide 17
slide 18
Interspire + PayPal Express
Message A redirects to store.com/finalizeOrder?[orderID1]store
Session 1: pay for a cheap order (orderID1), but prevent the merchant from finalizing it by holding Message B
Expensive order is checked out but the cheap one is paid!
Message A
Message B
Message B calls store.com/finalizeOrder?[orderID1]store [orderID2]store
store
Session 2: place an expensive order (orderID2), but skip the payment step
Message A
Message A redirects to store.com/finalizeOrder?[orderID2]store
store
[Wang et al.]
slide 19
Side-Channel Leaks[Chen et al. “Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow”. Oakland 2010]
encrypted!privacy problems solved?
Attacker can still see the number of packets,size of each packet, time between packets…
Search using encrypted Wi-Fi (WPA / WPA2)
Example: user types “l-i-s-t” on his laptop…
slide 20
[Chen et al.]
821 910
822 931
823 995
824 1007
Query
suggestion
Consequence: any eavesdropper knows our search queriesAttacker’s effort linear in the size of query
Each additional letter of query…
…different size of suggestion list
Entering health records• By typing – auto-suggestion• By mouse – a tree structure of elements
Finding a doctor• Dropdown list
slide 21
[Chen et al.]
Online Medical Application
2000x reduction in ambiguityUniquely identify the specialty
Wizard-style questionnaire• Tailor the questions based on previous inputs
Which forms you work on reveal filing status, big medical bills, adjusted gross income…
Knowing the state machine of the application the eavesdropper can infer sensitive information• Especially by combining information learned
from multiple state machines
slide 22
[Chen et al.]
Tax Preparation Application
slide 23
[Chen et al.]
Child Credit State Machine
Entry page of deductions & credits Summary of
deductions & credits
Full credit
Not eligible
Partial credit
All transitions have unique traffic patterns
Consult the IRS instruction: $1000 for each child Phase-out starting from $110,000. For every $1000 income, lose $50 credit.
slide 24
[Chen et al.]
Student Loan Interest State Machine
Entry page of deductions & credits
Summary of deductions & credits
Full credit
Not eligible
Partial credit
Enter your paid interest
Even worse, most decision procedures for credits/deductions have asymmetric paths: eligible – more questions, not eligible – no more questions
slide 25
[Chen et al.]
Some Identifiable AGI Thresholds
Disabled Credit$24999
Retirement Savings
$53000
IRA Contribution
$85000 $105000
College Expense$116000
$115000Student Loan Interest
$145000
First-time Homebuyer Credit $150000 $170000
Earned Income Credit$41646
Child Credit$110000
Adoption Expense $174730 $214780
$130000 or $150000 or $170000 …
$0
slide 26
[Chen et al.]
Online Investments
Which funds you invest in? Each price history curve is a
GIF image from MarketWatch• Anyone in the world can get
them from this website Just compare the image
sizes!
Your investment allocation? Can see the size of the pie
chart, but hundreds of pie charts have the same image…
slide 27
[Chen et al.]
Change Over Time Is Revealing!
800 charts 80 charts 8 charts 1 chart
Siz
e o
f day 1
Siz
e o
f day 2
;Pri
ces
of
the
day
Siz
e o
f day 3
;Pri
ces
of
the
day
Siz
e o
f day 4
;Pri
ces
of
the
day
8
00
00 c
hart
s
Financial institution updates your pie chart every day after market close.Mutual fund prices are public knowledge.
Still have the asymmetric path problemGoogle’s responses are compressed, destination
networks may or may not uncompress responses• For example, Microsoft gateways uncompress and
inspect Web traffic, but university does not• Round before compression – university still sees
distinguishable sizes; after compression – Microsoft does
Random padding is not appropriate• If user checks several times, repeated random padding
of the same responses quickly degrades effectiveness• Images come from MarketWatch, not site itself
slide 28
[Chen et al.]
Rounding? Padding?