Fall 2001, CSE 597E: Lecture 1

Security Protocols

Aka Cryptographic Protocols

Goals

To provide various security services accross a distributed system

Autentication of agents and nodes
Extablishing session keys between nodes
Ensuring secrecy
Ensuring integrity
Ensuring anonymity
...

How they work

Exchange of messages between nodes
Often it involves the participation of a trusted third party
Use of various cryptographic mechanisms
- Symmetric / asymmetric encryption
- Hash functions
- Digital signatures
- ...

Hostile environment

Agents deliberately trying to undermine the protocol. In literature such hostile agents are also referred to as intruders, spies, enemies, attackers, evesdroppers, penetrators.

We will illustrate the various issues involved with secury protocols by using a concrete example

Example: The Needham-Schroeder Secret-Key (NSSK) protocol

One of the earliest protocols
Basis of the Kerberos authentication and authorization system
It uses purely symmetric encryption algorithms
Purpose: Enable two agents, say Anne and Bob, to set up a secure channel of communication with the help of a trusted server, say Jeeves.

We assume that Anne and Bob share private, long-term keys with Jeeves so each of them is able to communicate securely with Jeeves

Questions

Why do we want a direct secure channel between Anne and Bob?
Why don't we provide upfront a private long-term key for every pair of agents which may wish to communicate?

Answers

Jeeves would become a bottleneck and a possible point of failure
Several reasons:
- N² keys required
- many keys may not be needed
- the number of agents may change dynamically
- long-term keys are more vulnerable

Notation

Message n x -> y : data
Meaning: in the n-th step of the protocol the agent x dispatches a message data to the agent y
n_x
Meaning: a nonce generated by agent x. A nonce is a freshly generated, unique and (usually) unpredictable number.
{data}_k
Meaning: The value data encripted with key k.
m.n
Meaning: text m followed by (concatenated with) text n.

The NSSK protocol

Message 1 a -> J : a.b.n_a
Message 2 J -> a : {n_a.b.k_ab.{k_ab.a}_ServerKey(b)}_ServerKey(a)
Message 3 a -> b : {k_ab.a}_ServerKey(b)
Message 4 b -> a : {n_b}_{k_ab}
Message 5 a -> b : {n_b - 1}_{k_ab}

At the end a and b share the new key k_ab generated by J.

Security Properties

To say that it a protocol is "secure" or "correct" does not mean anything. It is always necessary to define exactly what are the properties that a security protocol is supposed to satisfy. We can speak of correctness only wrt these properties, and even then, only under precise assumptions on the possible treaths.

Secrecy

Secrecy properties can have various degrees of strength. E.g.

(Strongest) Intruders cannot deduce anything about the activities of Bob and Anne
(Weaker, but usually sufficient in practice) An intruder can see that Anne is sending a message to Bob, and maybe even have an idea of how long it is, but cannot decript the message.

Weaker properties are usually easier to implement and to analyze

Question

What secrecy properties does the NSSK protocol satisfy?

Autentication of origin

If Bob receives a message that claims to be originated by Anne, then Anne should have sent it.

There may be various additional requirements

The message was intended
The message was sent within a certain time
Receive each message only once
...

Entity authentication

Bob and Anne are sure of each other identities

Integrity

(Strongest) Intruders should not be able to corrupt messages
(Weaker, but usually sufficient in practice) Corruption of messages can be always detected by the legitimate partners