Analysis and Validation of Security Protocols
Course outline
Basic Notions
▪ Communication Protocols
▪ Cryptographic Protocols
1
31/03/2021
Communication Protocols
Some definitions
… is a communication protocol
A “simple” definition
A question:
Cryptographic protocol vs. cryptographic algorithm?
It includes:
✓ the authentication of agents or nodes,
✓ establishing session keys between nodes,
✓ ensuring secrecy, integrity, anonymity, non-repudiation and so on.
Security Goals
Security properties
▪ Secrecy (Confidentiality)
▪ Authentication
▪ Anonymity
▪ Fairness
▪ Availability
of ….
Secrecy (Confidentiality)
Authentication
Integrity
Non-repudiation
Anonymity
(e.g. e-voting)
(keys are seen as sensitive data items for which secrecy is required)
Protocol Validation/Verification is hard work.
Analysis Approaches
▪ Formal methods:
o validation of the required properties (exhaustive, so they can prove that a property holds);
o difficult to apply.
▪ Simulation techniques:
o verification-based techniques (partial state exploration);
o raise the confidence in the correctness of the properties without proving it;
o easy to apply.
Common Notations
A protocol is formulated as a sequence of messages in
the form :
Message n a → b : data
where a is the sender, b the receiver and data the message
content
Challenge-Response Protocol
This protocol has the purpose of verifying that two parties A and B share a common secret key k without revealing it. It is commonly used after a key exchange to ensure that the keys were not modified either accidentally or by an attacker:
1. A → B : nA
2. B → A : {nA}k . nB
3. A → B : {nB}k
After receiving the first message, B encrypts the nonce with his version of k and sends it back. Now A can decrypt it and compare the result to the nonce he originally sent. If they match, then under the assumption that k is not known to any attacker, A can be sure that B has the same k as he has. The challenge is then performed in the other direction: B's nonce nB, appended to message 2, is answered by A in message 3, which convinces B in the same way.
[Figure: server S holds the keys SA and SB; Anne (A) and Bob (B) end up sharing the session key kAB.]
All participants X share pairwise distinct secret keys SX with a central trusted party S (server) using symmetric encryption algorithms. Apart from this, no other keys need to be stored permanently. This scenario limits the key explosion problem and makes adding and deleting participants easy. If two participants A and B want to communicate securely with each other, they must first establish a common secret session key kAB between them.
Message 1 A→ S : A.B.nA
Message 4 B→ A : {nB}kAB
Diffie-Hellman : Example
(Values used on the slide: modulus P = 13, public base Y = 11, Selima's secret exponent a = 2, Mongi's secret exponent b = 5.)
Step | Selima | Mongi
3 | Compute Y^a mod P = 11^2 mod 13 = 121 mod 13 = 4 | Compute Y^b mod P = 11^5 mod 13 = 161051 mod 13 = 7
4 | Send 4 to Mongi | Send 7 to Selima (exchange of the values 4 and 7)
5 | Compute 7^a mod P = 7^2 mod 13 = 10 | Compute 4^b mod P = 4^5 mod 13 = 10
The session key is then 10.
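The computation on the slide, as an added example that is not part of the course material: the same numbers (P = 13, Y = 11, a = 2, b = 5) carried through with a generic Diffie-Hellman function, then an eavesdropper who sees only Y, P and the two exchanged values and recovers the session key by brute-forcing the discrete logarithm. The brute-force step goes beyond the slide; it shows why a 13-element group gives no security while the same code with a 2048-bit prime would not be breakable this way. The prime 2^127 - 1 and base 5 in random_exchange are this example's own choices.

```python
# Added example, not from the course: Diffie-Hellman with the slide's toy
# parameters (P = 13, base Y = 11, secret exponents a = 2 and b = 5), generalised
# to arbitrary parameters, plus the eavesdropper's brute-force discrete log.
from __future__ import annotations

import secrets


def dh_public(base: int, secret: int, p: int) -> int:
    """Y^secret mod P: the value each party sends in the clear (step 3 on the slide)."""
    return pow(base, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """(peer's public value)^secret mod P: the session key (step 5 on the slide)."""
    return pow(peer_public, secret, p)


def brute_force_dlog(base: int, target: int, p: int) -> int | None:
    """Find x with base^x mod p == target by exhaustive search.
    Costs O(p) exponentiations, so it is only feasible for toy moduli like 13."""
    for x in range(1, p):
        if pow(base, x, p) == target:
            return x
    return None


def eavesdropper_key(base: int, p: int, pub_a: int, pub_b: int) -> int | None:
    """Eve knows Y, P and both public values; with a small P she recovers a, then k."""
    a = brute_force_dlog(base, pub_a, p)
    return None if a is None else dh_shared(pub_b, a, p)


def slide_example() -> dict:
    """The exchange exactly as on the slide, with Eve listening."""
    p, base = 13, 11
    a, b = 2, 5                         # Selima's and Mongi's secret exponents
    pub_a = dh_public(base, a, p)       # 11^2 mod 13 = 4, sent to Mongi
    pub_b = dh_public(base, b, p)       # 11^5 mod 13 = 7, sent to Selima
    return {
        "selima_sends": pub_a,
        "mongi_sends": pub_b,
        "k_selima": dh_shared(pub_b, a, p),   # 7^2 mod 13 = 10
        "k_mongi": dh_shared(pub_a, b, p),    # 4^5 mod 13 = 10
        "k_eve": eavesdropper_key(base, p, pub_a, pub_b),
    }


def random_exchange(p: int, base: int) -> tuple[int, int]:
    """Both sides pick fresh secrets; returns (k_a, k_b), which must agree."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    k_a = dh_shared(dh_public(base, b, p), a, p)
    k_b = dh_shared(dh_public(base, a, p), b, p)
    return k_a, k_b
```

The exchange works for any prime P and base Y; what changes with size is only the cost of brute_force_dlog, which is why real deployments use primes of 2048 bits or more (or elliptic-curve groups) where exhaustive search is out of reach.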
Station-to-Station protocol
Goal: establishment of a common secret key between two participants, but without the need of a trusted third party.
Based on the Diffie-Hellman key exchange.
[Figure: Anne and Bob establishing kAB.]
1. A → B : {X}pA
2. B → A : {{X}pA}pB
Using the commutative property of RSA, {{X}pA}pB = {{X}pB}pA (this holds for textbook RSA only when both parties exponentiate modulo the same modulus; with distinct moduli the two orders give different results), A can strip off his own encryption and send back
3. A → B : {X}pB
The same three messages with an intruder I answering in B's place; nothing in the exchange lets A tell I from B, so I ends up holding {X}pI and recovers X:
1. A → I : {X}pA
2. I → A : {{X}pA}pI
A can strip off his own encryption and send back
3. A → I : {X}pI
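The three-message exchange above run in code, as an added example that is not from the course: every party exponentiates modulo one prime P shared by all (the setting in which RSA-style exponentiation does commute, since (X^eA)^eB = (X^eB)^eA mod P), the intruder run in which I simply takes B's place, and a check of the caveat that with two different moduli the two encryption orders disagree. The prime P, the exponents and the sample values are this example's own choices.

```python
# Added example, not from the course: the three-pass exchange with a commutative
# cipher (exponentiation modulo a shared prime P, standing in for RSA with a
# common modulus), the intruder run, and the distinct-moduli caveat.
from __future__ import annotations

import math

P = (1 << 127) - 1  # a Mersenne prime; every party encrypts modulo the same P


def keypair(start: int, p: int = P) -> tuple[int, int]:
    """Smallest e >= start invertible mod p-1, with d = e^-1, so x^(e*d) = x mod p."""
    e = start
    while math.gcd(e, p - 1) != 1:
        e += 1
    return e, pow(e, -1, p - 1)


def enc(x: int, e: int, p: int = P) -> int:
    """{x}pX on the slide: raise x to party X's exponent modulo the shared P."""
    return pow(x, e, p)


def three_pass(x: int, a: tuple[int, int], b: tuple[int, int]) -> int:
    """Runs the protocol between A (exponents a) and whoever holds exponents b."""
    e_a, d_a = a
    e_b, d_b = b
    m1 = enc(x, e_a)              # 1. A -> B : {X}pA
    m2 = enc(m1, e_b)             # 2. B -> A : {{X}pA}pB
    m3 = enc(m2, d_a)             # A strips its own layer ...
    assert m3 == enc(x, e_b)      # ... which only works because the layers commute
    return enc(m3, d_b)           # 3. A -> B : {X}pB, which B opens to get X


def intruder_in_place_of_b(x: int, a: tuple[int, int], i: tuple[int, int]) -> int:
    """No message names B, so I answering instead of B obtains X exactly as B would."""
    return three_pass(x, a, i)


def distinct_moduli_commute(x: int, e1: int, n1: int, e2: int, n2: int) -> bool:
    """The caveat: with two different moduli, {{x}1}2 and {{x}2}1 are not equal in general."""
    return pow(pow(x, e1, n1), e2, n2) == pow(pow(x, e2, n2), e1, n1)
```

The assertion inside three_pass is the whole point of the commutativity claim: A can remove its own layer from under B's only because the order of exponentiation does not matter modulo the shared P. The protocol gives no authentication at all, which is what the intruder run shows.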
Challenge-Response Authentication
Recall that the purpose is to verify that two parties A and B share a common secret key k without revealing it.
Suppose there is a server S (e.g. a mainframe) onto which several clients (terminals) can log on. Authentication is done with challenge-response to avoid sending passwords over the possibly observed connection, and also to provide server authentication.
1. A → S : nA
2. S → A : {nA}k . nS
3. A → S : {nS}k
Interleave attack
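The three-message challenge-response protocol (both the key-confirmation use earlier and the client/server login above), the interleaving attack on it, and a fix, as an added example that is not code from the course. The attack is the standard one against this protocol: the intruder I cannot compute {nS}k, so it opens a second session and presents nS as its own challenge, then replays the server's answer into the first session. The slides write {n}k as symmetric encryption of n under k; this example substitutes HMAC-SHA256 as the keyed function (an assumption made here), which preserves the property that matters: only a holder of k can produce a valid value. Session identifiers and the role tags "server"/"client" in the fix are also this example's own.

```python
# Added example, not code from the course: the symmetric challenge-response
# protocol A -> S : nA ; S -> A : {nA}k . nS ; A -> S : {nS}k, the interleaving
# attack on it, and a fix that binds each response to the responder's role.
from __future__ import annotations

import hashlib
import hmac
import secrets


def keyed(k: bytes, data: bytes) -> bytes:
    """Stands in for {data}k (HMAC-SHA256 instead of the slides' encryption)."""
    return hmac.new(k, data, hashlib.sha256).digest()


def response(k: bytes, role: bytes, nonce: bytes, bind_roles: bool) -> bytes:
    """The value a party in `role` must return for `nonce`.
    Without the fix the role is ignored, so S and a client answer identically."""
    return keyed(k, role + nonce if bind_roles else nonce)


class Server:
    """S: answers any client challenge with {nA}k and issues its own nonce nS."""

    def __init__(self, k: bytes, bind_roles: bool = False) -> None:
        self.k = k
        self.bind_roles = bind_roles
        self.pending: dict[str, bytes] = {}  # session id -> nS awaiting an answer

    def msg2(self, session: str, n_a: bytes) -> tuple[bytes, bytes]:
        """Message 2: S -> A : {nA}k . nS"""
        n_s = secrets.token_bytes(16)
        self.pending[session] = n_s
        return response(self.k, b"server", n_a, self.bind_roles), n_s

    def msg3(self, session: str, reply: bytes) -> bool:
        """Message 3: A -> S : {nS}k. True if S accepts that the client holds k."""
        n_s = self.pending.pop(session)
        expected = response(self.k, b"client", n_s, self.bind_roles)
        return hmac.compare_digest(reply, expected)


def honest_client_run(server: Server, k: bytes) -> bool:
    """A client that really holds its own copy of k: both challenges succeed."""
    n_a = secrets.token_bytes(16)
    r, n_s = server.msg2("s1", n_a)
    if not hmac.compare_digest(r, response(k, b"server", n_a, server.bind_roles)):
        return False  # S failed A's challenge
    return server.msg3("s1", response(k, b"client", n_s, server.bind_roles))


def interleave_attack(server: Server) -> bool:
    """Intruder I, who does not know k, tries to be accepted as a client in session s1."""
    n_i = secrets.token_bytes(16)
    _, n_s = server.msg2("s1", n_i)      # S challenges I with nS; I cannot compute {nS}k ...
    answer, _ = server.msg2("s2", n_s)   # ... so I opens s2 and presents nS as its challenge
    return server.msg3("s1", answer)     # and replays S's own {nS}k into session s1
```

With bind_roles set, S's answer in the second session is {"server".nS}k while the first session expects {"client".nS}k, so the replay no longer verifies. Putting the responder's identity or direction inside the encrypted message is the same idea.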
NSPK protocol
Needham-Schroeder Public-Key protocol (1978)
1. A → B : {A.nA}pB
2. B → A : {nA.nB}pA
3. A → B : {nB}pB
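The NSPK exchange above in a symbolic (Dolev-Yao style) model, as an added example that is not code from the course: the honest run, the man-in-the-middle attack published by Lowe [4], in which A starts a session with the intruder I and I relays A's messages to B while posing as A, and Lowe's fix, which puts B's name inside message 2 so that A can detect the mismatch. Public-key encryption is modelled as a record that only the named key owner may open; the agent names, the nonce counter and the intruder's behaviour are this example's own.

```python
# Added example, not code from the course: NSPK in a symbolic model, Lowe's
# attack on it, and Lowe's fix ({nA.nB.B}pA instead of {nA.nB}pA in message 2).
from __future__ import annotations

import itertools
from dataclasses import dataclass

_nonces = itertools.count(1)


def fresh_nonce(owner: str) -> tuple:
    """A value nobody else could have predicted; owner is recorded only for readability."""
    return ("nonce", owner, next(_nonces))


@dataclass(frozen=True)
class Enc:
    """{payload}pX: a ciphertext under X's public key; only X can open it."""
    to: str
    payload: tuple


def decrypt(me: str, c: Enc) -> tuple:
    if c.to != me:
        raise PermissionError(f"{me} does not hold the private key of {c.to}")
    return c.payload


class Initiator:
    def __init__(self, name: str, fixed: bool) -> None:
        self.name, self.fixed = name, fixed

    def msg1(self, peer: str) -> Enc:
        """1. A -> B : {A.nA}pB"""
        self.peer, self.nA = peer, fresh_nonce(self.name)
        return Enc(peer, (self.name, self.nA))

    def msg3(self, m2: Enc) -> Enc | None:
        """Consumes message 2 and emits 3. A -> B : {nB}pB; None means A aborts."""
        fields = decrypt(self.name, m2)
        if self.fixed:
            nA, nB, sender = fields
            if sender != self.peer:   # Lowe's check: message 2 must name the peer A chose
                return None
        else:
            nA, nB = fields
        if nA != self.nA:
            return None
        return Enc(self.peer, (nB,))


class Responder:
    def __init__(self, name: str, fixed: bool) -> None:
        self.name, self.fixed, self.accepted_peer = name, fixed, None

    def msg2(self, m1: Enc) -> Enc:
        """2. B -> A : {nA.nB}pA, or {nA.nB.B}pA in the fixed protocol"""
        self.peer, nA = decrypt(self.name, m1)
        self.nB = fresh_nonce(self.name)
        payload = (nA, self.nB, self.name) if self.fixed else (nA, self.nB)
        return Enc(self.peer, payload)

    def finish(self, m3: Enc) -> bool:
        """Consumes message 3; True when B believes it has authenticated self.peer."""
        (nB,) = decrypt(self.name, m3)
        if nB == self.nB:
            self.accepted_peer = self.peer
        return self.accepted_peer is not None


def honest_run(fixed: bool) -> bool:
    A, B = Initiator("A", fixed), Responder("B", fixed)
    m3 = A.msg3(B.msg2(A.msg1("B")))
    return m3 is not None and B.finish(m3) and B.accepted_peer == "A"


def lowe_attack(fixed: bool) -> dict:
    """A opens a session with I; I relays A's messages to B while posing as A."""
    A, B = Initiator("A", fixed), Responder("B", fixed)
    m1 = A.msg1("I")                         # {A.nA}pI: I can open this ...
    _, nA = decrypt("I", m1)
    m2 = B.msg2(Enc("B", ("A", nA)))         # ... and re-encrypt it for B as {A.nA}pB
    m3 = A.msg3(m2)                          # B's {nA.nB}pA is forwarded to A unchanged
    if m3 is None:                           # fixed protocol: A sees "B" where it expects "I"
        return {"b_accepts_a": False, "i_learns_nb": False}
    (nB,) = decrypt("I", m3)                 # A encrypted nB for I, not for B
    b_ok = B.finish(Enc("B", (nB,)))         # I completes B's run in A's name
    return {"b_accepts_a": b_ok and B.accepted_peer == "A", "i_learns_nb": nB == B.nB}
```

In the original protocol B finishes believing it talked to A, and I holds nB, which the two parties would go on to use as a shared secret. The fix costs one extra field: message 2 now names its sender, so the message B produced for A's session with I no longer fits A's session with I.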
Replay attack
Principle: the attacker monitors a (possibly partial) run of the protocol and later replays some messages.
This can happen if the protocol does not have any mechanism for distinguishing between separate runs or cannot determine the freshness of messages.
Freshness mechanisms: nonces, timestamps.
Sometimes nonces are not sufficient to ensure freshness: a nonce is meaningful only to its creator, who alone knows it was generated for the current run, so a party that did not create it cannot use it to reject a replayed message.
Bibliographic references
[1] P.Y.A. Ryan, S.A. Schneider, M.H. Goldsmith, G. Lowe and A.W. Roscoe. The Modelling and Analysis of Security Protocols: the CSP Approach. (http://www.computing.surrey.ac.uk/personal/st/S.Schneider/books/MASP.pdf)
[2] S. Lafrance. Specification & validation of security protocols. PhD thesis, Ecole Polytechnique de Montréal, April 2005.
[3] B. Schneier. Applied Cryptography. Wiley, 1996.
[4] G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. Proceedings of TACAS, LNCS 1055, Springer, 1996. Also in Software – Concepts and Tools, 17:93–102, 1996.