Fall 2001, CSE 597E:
Lecture 1
Security Protocols
Aka Cryptographic Protocols
Goals
To provide various security services across a distributed system
- Authentication of agents and nodes
- Establishing session keys between nodes
- Ensuring secrecy
- Ensuring integrity
- Ensuring anonymity
- ...
How they work
- Exchange of messages between nodes
- Often it involves the participation of a trusted third party
- Use of various cryptographic mechanisms
  - Symmetric / asymmetric encryption
  - Hash functions
  - Digital signatures
- ...
Hostile environment
Agents deliberately trying to undermine the protocol.
In the literature such hostile agents are also referred to as
intruders, spies, enemies, attackers, eavesdroppers, penetrators.
We will illustrate the various issues involved with security protocols
by using a concrete example.
Example: The Needham-Schroeder Secret-Key (NSSK) protocol
- One of the earliest protocols
- Basis of the Kerberos authentication and authorization system
- It uses purely symmetric encryption algorithms
- Purpose: Enable two agents, say Anne and Bob,
to set up a secure channel of communication with the
help of a trusted server, say Jeeves.
We assume that Anne and Bob share private, long-term keys with Jeeves, so
each of them is able to communicate securely with Jeeves.
Questions
- Why do we want a direct secure channel between Anne and Bob?
- Why don't we provide upfront a private long-term key for every pair of
agents which may wish to communicate?
Answers
- Jeeves would become a bottleneck and a possible point of failure
- Several reasons:
  - N^2 keys required
  - many keys may not be needed
  - the number of agents may change dynamically
  - long-term keys are more vulnerable
Notation
- Message n x -> y : data
  Meaning: in the n-th step of the
  protocol the agent x dispatches a message data to the agent y.
- n_x
  Meaning: a nonce generated by agent x.
  A nonce is a freshly generated, unique and (usually) unpredictable number.
- {data}_k
  Meaning: the value data encrypted with key k.
- m.n
  Meaning: text m followed by (concatenated with) text n.
The NSSK protocol
Message 1 a -> J : a.b.n_a
Message 2 J -> a : {n_a.b.k_ab.{k_ab.a}_ServerKey(b)}_ServerKey(a)
Message 3 a -> b : {k_ab.a}_ServerKey(b)
Message 4 b -> a : {n_b}_k_ab
Message 5 a -> b : {n_b - 1}_k_ab
At the end a and b share the new key k_ab generated by J.
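The five messages above as a runnable exchange, with each agent's checks made explicit. This is an added example, not part of the original lecture notes. The enc/dec helpers are a toy encrypt-then-MAC construction from the Python standard library, assumed here only as a stand-in for the symmetric cipher; the function names, the JSON message encoding and the 64-bit nonces are also assumptions.

```python
import hashlib, hmac, json, secrets

def enc(key, fields):
    """{fields}key -- toy encrypt-then-MAC, a stand-in for a real symmetric cipher."""
    pt, iv = json.dumps(fields).encode(), secrets.token_bytes(16)
    stream = hashlib.shake_256(b"enc" + key + iv).digest(len(pt))
    ct = bytes(p ^ s for p, s in zip(pt, stream))
    return (iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()).hex()

def dec(key, blob):
    """Inverse of enc; raises ValueError on a wrong key or a modified message."""
    raw = bytes.fromhex(blob)
    iv, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    stream = hashlib.shake_256(b"enc" + key + iv).digest(len(ct))
    return json.loads(bytes(c ^ s for c, s in zip(ct, stream)))

def run_nssk(server_key):
    """One NSSK run; server_key maps agent name -> long-term key shared with J."""
    # Message 1  a -> J : a.b.na
    na = secrets.randbits(64)
    msg1 = ["a", "b", na]
    # Message 2  J -> a : {na.b.kab.{kab.a}ServerKey(b)}ServerKey(a)
    src, dst, nonce = msg1
    kab = secrets.token_hex(32)                  # fresh session key chosen by J
    ticket = enc(server_key[dst], [kab, src])    # only b can open this part
    msg2 = enc(server_key[src], [nonce, dst, kab, ticket])
    # a opens message 2 and checks that it answers this particular request
    nonce_back, peer, kab_a, msg3 = dec(server_key["a"], msg2)
    if nonce_back != na or peer != "b":
        raise ValueError("reply does not match request")
    # Message 3  a -> b : {kab.a}ServerKey(b)   (a forwards the ticket unopened)
    kab_b, initiator = dec(server_key["b"], msg3)
    # Message 4  b -> a : {nb}kab
    nb = secrets.randbits(64)
    msg4 = enc(bytes.fromhex(kab_b), [nb])
    # Message 5  a -> b : {nb - 1}kab
    (nb_seen,) = dec(bytes.fromhex(kab_a), msg4)
    msg5 = enc(bytes.fromhex(kab_a), [nb_seen - 1])
    (answer,) = dec(bytes.fromhex(kab_b), msg5)
    if answer != nb - 1:
        raise ValueError("a did not prove knowledge of kab")
    return {"kab_a": kab_a, "kab_b": kab_b, "initiator": initiator, "ticket": msg3}

if __name__ == "__main__":
    keys = {"a": secrets.token_bytes(32), "b": secrets.token_bytes(32)}  # constructed
    result = run_nssk(keys)
    print("shared key agreed:", result["kab_a"] == result["kab_b"])
```
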
Security Properties
To say that a protocol is "secure"
or "correct" does not mean anything.
It is always necessary to define exactly what properties
a security protocol is supposed to satisfy.
We can speak of correctness only with respect to these
properties, and even then, only under
precise assumptions on the possible threats.
Secrecy
Secrecy properties can have various degrees of strength. E.g.
- (Strongest) Intruders cannot deduce anything about the activities of Bob and Anne
- (Weaker, but usually sufficient in practice) An intruder can see that Anne is
sending a message to Bob, and maybe even have an idea of how long it is, but cannot decrypt the message.
Weaker properties are usually easier to implement and to analyze
Question
What secrecy properties does the NSSK protocol satisfy?
Authentication of origin
If Bob receives a message that claims to be originated by Anne, then Anne should have sent it.
There may be various additional requirements
- The message was intended
- The message was sent within a certain time
- Receive each message only once
- ...
Entity authentication
Bob and Anne are sure of each other's identities
Integrity
- (Strongest) Intruders should not be able to corrupt messages
- (Weaker, but usually sufficient in practice) Corruption of
messages can always be detected by the legitimate partners