\chapter{Case Study: Verifying a Security Protocol}

Communications security is an ancient art. Julius Caesar is said to have
encrypted his messages, shifting each letter three places along the
alphabet. Mary Queen of Scots was convicted of treason after a cipher used
in her letters was broken. Today's postal system
incorporates security features. The envelope provides a degree of
\emph{secrecy}. The signature provides \emph{authenticity} (proof of
origin), as do departmental stamps and letterheads.

Networks are vulnerable: messages pass through many computers, any of which
might be controlled by an adversary, who thus can capture or redirect
messages. People who wish to communicate securely over such a network can
use cryptography, but if they are to understand each other, they need to
follow a \emph{protocol}: a pre-arranged sequence of message formats.

Protocols can be attacked in many ways, even if encryption is unbreakable.
A \emph{splicing attack} involves an adversary's sending a message composed
of parts of several old messages. This fake message may have the correct
format, fooling an honest party. The adversary might be able to masquerade
as somebody else, or he might obtain a secret key.

\emph{Nonces} help prevent splicing attacks. A typical nonce is a 20-byte
random number. Each message that requires a reply incorporates a nonce. The
reply must include a copy of that nonce, to prove that it is not a replay of
a past message. The nonce in the reply must be cryptographically
protected, since otherwise an adversary could easily replace it by a
different one. You should be starting to see that protocol design is
tricky!

Researchers are developing methods for proving the correctness of security
protocols. The Needham-Schroeder public-key
protocol~\cite{needham-schroeder} has become a standard test case.
Proposed in 1978, it was found to be defective nearly two decades
later~\cite{lowe-fdr}. This toy protocol will be useful in demonstrating
how to verify protocols using Isabelle.

\index{Needham-Schroeder protocol|(}%
This protocol uses public-key cryptography. Each person has a private key,
and a public key, known to everybody. If Alice wants to send Bob a secret
message, she encrypts it using Bob's public key (which everybody knows),
and sends it to Bob. Only Bob has the
matching private key, which is needed in order to decrypt Alice's message.

The core of the Needham-Schroeder protocol consists of three messages:
\begin{alignat*}{2}
&1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\
&2.&\quad B\to A &: \comp{Na,Nb}\sb{Ka} \\
&3.&\quad A\to B &: \comp{Nb}\sb{Kb}
\end{alignat*}
First, let's understand the notation. In the first message, Alice
sends Bob a message consisting of a nonce generated by Alice~($Na$)
paired with Alice's name~($A$) and encrypted using Bob's public
key~($Kb$). In the second message, Bob sends Alice a message
consisting of $Na$ paired with a nonce generated by Bob~($Nb$),
encrypted using Alice's public key~($Ka$). In the last message, Alice
returns $Nb$ to Bob, encrypted using his public key.

When Alice receives Message~2, she knows that Bob has acted on her
message, since only he could have decrypted message~1. That is what
nonces are for. Similarly, message~3 assures Bob that Alice is
active. But the protocol was widely believed to satisfy a
further property: that
$Na$ and~$Nb$ were secrets shared by Alice and Bob. (Many
protocols generate such shared secrets, which can be used
to lessen the reliance on slow public-key operations.)
Lowe\index{Lowe, Gavin|(} found this claim to be false: if Alice runs
the protocol with someone untrustworthy (Charlie, say), then Charlie
can masquerade as Alice to Bob~\cite{lowe-fdr}.
\begin{alignat*}{4}
&1.&\quad A\to C &: \comp{Na,A}\sb{Kc} && \qquad 1'.&\quad C\to B &: \comp{Na,A}\sb{Kb} \\
&2.&\quad B\to A &: \comp{Na,Nb}\sb{Ka} \\
&3.&\quad A\to C &: \comp{Nb}\sb{Kc} && \qquad 3'.&\quad C\to B &: \comp{Nb}\sb{Kb}
\end{alignat*}
In messages~1 and~3, Charlie removes the encryption using his private
key and re-encrypts Alice's messages using Bob's public key. Bob is
left thinking he has run the protocol with Alice, which was not
Alice's intention, and Bob is unaware that the ``secret'' nonces are
known to Charlie. This is a typical man-in-the-middle attack launched
by an insider.

Whether this counts as an attack has been disputed. In protocols of this
type, we normally assume that the other party is honest. To be honest
means to obey the protocol rules, so Alice's running the protocol with
Charlie does not make her dishonest, just careless. After Lowe's
attack, Alice has no grounds for complaint: this protocol does not have to
guarantee anything if you run it with a bad person. Bob does have
grounds for complaint, however: the protocol tells him that he is
communicating with Alice (who is honest) but it does not guarantee
secrecy of the nonces.

Lowe also suggested a correction, namely to include Bob's name in
message~2:
\begin{alignat*}{2}
&1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\
&2.&\quad B\to A &: \comp{Na,Nb,B}\sb{Ka} \\
&3.&\quad A\to B &: \comp{Nb}\sb{Kb}
\end{alignat*}
If Charlie tries the same attack, Alice will receive the message
$\comp{Na,Nb,B}\sb{Ka}$ when she was expecting to receive
$\comp{Na,Nb,C}\sb{Ka}$. She will abandon the run, and eventually so will
Bob. Below, we look at parts of this protocol's correctness
proof.
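
Lowe's interleaving and his correction can be replayed in a small symbolic model. The Python below is an added example, not part of the original text or of the Isabelle formalization; the function names and the treatment of encryption as a tagged tuple that only the key owner can open are assumptions made for the illustration.

```python
import itertools

_ids = itertools.count(1)

def fresh(tag):
    """Symbolic nonce: a unique label standing in for a random value."""
    return f"{tag}{next(_ids)}"

def enc(owner, *fields):
    """Symbolic public-key encryption under `owner`'s public key."""
    return ("enc", owner, fields)

def dec(agent, msg):
    """Only the holder of the matching private key can open a ciphertext."""
    _, owner, fields = msg
    if owner != agent:
        raise PermissionError(f"{agent} cannot decrypt a message for {owner}")
    return fields

def lowe_interleaving(fixed):
    """Replay the two interleaved runs; `fixed` adds B's name to message 2."""
    charlie_knows = set()
    # 1.  A -> C : {Na, A}_Kc     Alice chooses to run the protocol with Charlie.
    na = fresh("Na")
    m1 = enc("C", na, "A")
    # 1'. C -> B : {Na, A}_Kb     Charlie re-encrypts Alice's message for Bob.
    charlie_knows.update(dec("C", m1))
    m1p = enc("B", *dec("C", m1))
    # 2.  B -> A : {Na, Nb}_Ka    (corrected form: {Na, Nb, B}_Ka)
    n, peer = dec("B", m1p)
    nb = fresh("Nb")
    m2 = enc(peer, n, nb, "B") if fixed else enc(peer, n, nb)
    # Charlie cannot open m2 (it is under Ka), so it reaches Alice unchanged.
    reply = dec("A", m2)
    # Alice checks her nonce and, in the corrected protocol, the sender's name.
    alice_ok = reply[0] == na and (not fixed or reply[2] == "C")
    bob_accepts = False
    if alice_ok:
        # 3.  A -> C : {Nb}_Kc    Alice answers the peer she intended: Charlie.
        m3 = enc("C", reply[1])
        # 3'. C -> B : {Nb}_Kb    Charlie learns Nb and completes Bob's run.
        charlie_knows.update(dec("C", m3))
        bob_accepts = dec("B", enc("B", *dec("C", m3))) == (nb,)
    return {"alice_aborts": not alice_ok,
            "bob_believes_peer": peer if bob_accepts else None,
            "nb_secret": nb not in charlie_knows}
```

With `fixed=False` Bob finishes a run he attributes to Alice while `Nb` is known to Charlie; with `fixed=True` Alice abandons the run at message 2 and `Nb` stays secret.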
In ground-breaking work, Lowe~\cite{lowe-fdr}\index{Lowe, Gavin|)}
showed how such attacks could be found
automatically using a model checker. An alternative,
which we shall examine below, is to prove protocols correct; the model
then does not have to
be finite. The strategy is to formalize the
semantics and prove properties by rule
induction.%
\index{Needham-Schroeder protocol|)}