
31/03/2021

Analysis and Validation of Security Protocols

Supptic, March 2021


M. Zouari

Course outline

▪ Security properties in protocols and attack models
▪ Limits of protocol security and of cryptography
▪ Examples of security protocols: Diffie-Hellman and Needham-Schroeder; examples of vulnerabilities and attacks
▪ Formal verification approaches
▪ Modal logic
▪ Algebraic approach
▪ Petri nets
▪ Verification tools

Basic Notions

▪ Communication Protocols

▪ Cryptographic Protocols

▪ Security Properties, Security Requirements


Communication Protocols

Some definitions

▪ "Prescribed sequence of interactions between entities designed to achieve a certain end" (Ryan et al.)

▪ "A protocol is a series of steps, involving 2 or more parties, designed to accomplish a task" (Schneier)

Communication Protocols : Characteristics

▪ Every entity must know the protocol in advance
▪ Every entity must agree to follow it
▪ The protocol must be unambiguous: each step well defined, with no chance of misunderstanding
▪ The protocol must be complete (a specified action for every possible situation)

Security Protocols / Cryptographic Protocols

… is a communication protocol

A “simple” definition

▪ A Cryptographic Protocol is a protocol that uses Cryptography

A Question :
Cryptographic Protocol vs Cryptographic Algorithm ?


Cryptographic Protocols : Goal

To provide various security services across a distributed system.

This includes:
✓ the authentication of agents or nodes,
✓ establishing session keys between nodes,
✓ ensuring secrecy, integrity, anonymity, non-repudiation and so on.

Security Goals

What exactly do I want to protect?

Hardware, software, communications, data, services, ...

A protocol is "secure" when it is claimed to be correct with respect to a given, precisely defined property and against certain classes of threats.

Security properties

▪ Secrecy (Confidentiality)
▪ Authentication
▪ Anonymity
▪ Fairness
▪ Availability
of ….


Secrecy (Confidentiality)

▪ The intruder should not be able to derive the plaintext of messages passing between the honest nodes (weak interpretation)

▪ The intruder should not be able to deduce anything about the nodes' activities (message content, message sender/receiver, message length, time they were sent, scheduling, ...) (strong interpretation)

Authentication

▪ If a recipient R receives a message claiming to be from a specific sender S, then S has sent exactly this message (weak interpretation)

▪ If a recipient R receives a message claiming to be from a specific sender S, then either S has sent exactly this message to R or R unconditionally notices that this is not the case (strong interpretation)

Integrity

Data cannot be corrupted, or at least any such corruption will always be detected.

(corollary of the above definition)

Authentication (of origin) & integrity are linked


Non-repudiation

A recipient (destination node) is not only confident that the message is authentic (sent by S and unmodified), but can also prove this fact to a third party.

Anonymity

When a user sends a message, any observer will be unable to identify the user, although he might be able to detect the fact that a message was sent.

(e.g. e-voting)

A major role : key exchange

One of the major roles of security protocols is to enable authenticated, confidential communication across networks by setting up key material between the various players.

(keys are seen as sensitive data items for which secrecy is required)


Design & Analysis of Cryptographic Protocols

is hard, because of:

• the complexity of distributed systems
• high security requirements
• non-trusted & hostile environments
• the high capabilities of intruders/attackers

Protocol Validation/Verification

▪ "The validation of security protocols is a task that typically requires the development of formal methods allowing the detection of every possible attack on a given protocol. Not so long ago, these protocols were considered secure simply because nobody had found a flaw in them. Thus, some protocols were used for several years before being proved insecure." (Lafrance [2])

Analysis Approaches

▪ Formal methods:
o validation of required properties;
o difficult to apply

▪ Simulation techniques:
o verification-based techniques (partial state exploration);
o raise the confidence in the correctness of properties;
o easy to apply


Common Notations
A protocol is formulated as a sequence of messages of the form:

Message n   a → b : data

where a is the sender, b the receiver and data the message content.

The message content data can be composed of:

▪ atoms: names, variables and constants
▪ nonces (written nA): an unpredictable, freshly generated number (here generated by agent A)
▪ encryption, {data}k: data encrypted under the key k
▪ authentication, Signk(data): signature of data using the key k
▪ concatenation, m.n: text m concatenated with text n

Common Notations (continued)

• Agents are referred to as:
  - A (Alice)
  - B (Bob)
  - S (a trusted server) and I (the intruder) in the following slides

Challenge-Response Protocol
This protocol has the purpose of verifying that two parties A and B share a common secret key k without revealing it. It is commonly used after a key exchange to ensure that the keys were not modified either accidentally or by an attacker:

1. A → B : nA
2. B → A : {nA}k . nB
3. A → B : {nB}k

After receiving the first message, B encrypts the nonce with his version of k and sends it back, together with his own nonce nB. A can decrypt it and compare the result to the number she originally sent. If they match then, under the assumption that k is not known to any attacker, A can be sure that B has the same k as she has. Message 3 is the same challenge in the other direction: B checks {nB}k the same way to convince himself that A holds k.


An Authentication Protocol: statement

Goal: setting up a secure channel between 2 entities A & B (Anne & Bob) with the help of a trusted server S.

(Figure: server S holds SA and SB; Anne and Bob end up sharing kAB)

All participants X share pairwise distinct secret keys SX with a central trusted party S (server) using symmetric encryption algorithms. Apart from this, no other keys need to be stored permanently. This scenario limits the key explosion problem and makes adding and deleting participants easy. If two participants A and B want to communicate securely with each other, they must first establish a common secret session key kAB between them.

Needham-Schroeder Secret Key Protocol

• The NSSK protocol (1978) was the basis of the well-known Kerberos authentication and authorization system

Message 1 A → S : A.B.nA

Message 2 S → A : {nA.B.kAB.{kAB.A}SB}SA

Message 3 A → B : {kAB.A}SB

Message 4 B → A : {nB}kAB

Message 5 A → B : {nB-1}kAB

NSSK Protocol: explanation

1. A tells S that it wants to talk with B and supplies a nonce. Note that this information is not concealed, so it is subject to both observation and modification.
2. S now generates a fresh session key kAB for A and B and answers with protocol step 2.
3. A can decrypt this answer using its server key, obtaining nA.B.kAB.{kAB.A}SB. A should verify that nA and B match the values from step 1 to preclude modifications. The last part, which A cannot decrypt, is forwarded to B.
4. B can decrypt the data using his server key, obtaining the session key and the partner's name.
5. Steps 4 and 5 form a simplified challenge-response authentication to verify the integrity and equality of kAB.
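The five NSSK messages above, run end to end in a symbolic (Dolev-Yao style) model: {m}k is an opaque term that opens only with exactly the key it was built with, so the code shows who can read what rather than doing real encryption. This is an added example, not the slides' own material; the long-term keys, the nonce format and the `tamper` hook (an intruder rewriting message 1 on the wire, which A's check in step 3 must catch) are constructed here.

```python
"""Symbolic run of the Needham-Schroeder secret-key protocol (NSSK).
Encryption is modelled as a tagged tuple that only the exact key opens;
no real cipher is involved.  Added example with constructed keys."""
import secrets

def enc(key, payload):
    """{payload}key: an opaque term that only `key` can open."""
    return ("enc", key, payload)

def dec(key, term):
    """Open {payload}key; raise if the term was not built with `key`."""
    if not (isinstance(term, tuple) and term[0] == "enc" and term[1] == key):
        raise ValueError("cannot decrypt: wrong key")
    return term[2]

class Server:
    """Trusted party S holding one long-term key S_X per principal X."""
    def __init__(self, long_term_keys):
        self.keys = long_term_keys

    def message2(self, msg1):
        # Message 1, A -> S : A.B.nA   (sent in the clear)
        a, b, n_a = msg1
        k_ab = "k_" + secrets.token_hex(4)          # fresh session key
        ticket = enc(self.keys[b], (k_ab, a))       # {kAB.A}SB, readable by B only
        # Message 2, S -> A : {nA.B.kAB.{kAB.A}SB}SA
        return enc(self.keys[a], (n_a, b, k_ab, ticket))

def run_nssk(server, s_a, s_b, a="A", b="B", tamper=None):
    """Run messages 1..5.  `tamper` optionally rewrites message 1 on the
    wire (the intruder hook).  Returns (A's key, B's key) on success."""
    n_a = "nA_" + secrets.token_hex(4)
    msg1 = (a, b, n_a)
    if tamper:
        msg1 = tamper(msg1)
    msg2 = server.message2(msg1)

    # Step 3: A opens message 2 and checks it answers *its* request.
    n_a_recv, b_recv, k_ab_a, ticket = dec(s_a, msg2)
    if n_a_recv != n_a or b_recv != b:
        raise ValueError("A: nonce or peer name mismatch in message 2")
    msg3 = ticket                                   # A -> B : {kAB.A}SB

    # Step 4: B opens the ticket and challenges A.
    k_ab_b, a_recv = dec(s_b, msg3)
    n_b = secrets.randbelow(2**32)
    msg4 = enc(k_ab_b, n_b)                         # B -> A : {nB}kAB

    # Step 5: A proves it holds kAB by returning nB - 1.
    msg5 = enc(k_ab_a, dec(k_ab_a, msg4) - 1)       # A -> B : {nB-1}kAB
    if dec(k_ab_b, msg5) != n_b - 1:
        raise ValueError("B: challenge-response failed")
    return k_ab_a, k_ab_b

# Constructed keys for the demo: every principal shares one key with S.
KEYS = {"A": "S_A", "B": "S_B", "I": "S_I"}
SERVER = Server(KEYS)

def honest_run():
    return run_nssk(SERVER, KEYS["A"], KEYS["B"])

def swap_peer_run():
    """Intruder I rewrites message 1 so that S issues a key for A and I.
    A's check on the peer name in step 3 must reject this."""
    return run_nssk(SERVER, KEYS["A"], KEYS["B"],
                    tamper=lambda m: (m[0], "I", m[2]))

if __name__ == "__main__":
    ka, kb = honest_run()
    print("honest run agreed on", ka, "both sides:", ka == kb)
    try:
        swap_peer_run()
    except ValueError as e:
        print("tampered run rejected:", e)
```

The `swap_peer_run` case is the reason step 3 insists on comparing B against message 1: without that comparison A would happily forward a ticket that S minted for the intruder.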


Diffie-Hellman key exchange principle

▪ Created in 1976 by Diffie and Hellman

▪ This protocol allows 2 parties to generate a shared secret without knowing each other and without the need for a trusted third party

→ based on public-key cryptography

→ based on the difficulty of computing discrete logarithms in a finite field

Diffie-Hellman key exchange protocol

User 1: Mongi                                        User 2: Selima

Mongi chooses a large random number a                Selima chooses a large random number b
(private value)                                      (private value)

Mongi computes Y^a mod P (public value)              Selima computes Y^b mod P (public value)

                        Exchange of the public values

Mongi computes (Y^b)^a mod P (shared secret)         Selima computes (Y^a)^b mod P (shared secret)

Diffie-Hellman: Example

Step 1: Selima and Mongi agree on Y = 11 and P = 13 (public; the public values are Y^x mod P).
Step 2: Selima chooses a = 2 (secret); Mongi chooses b = 5 (secret).
Step 3: Selima computes Y^a mod P = 11^2 mod 13 = 121 mod 13 = 4; Mongi computes Y^b mod P = 11^5 mod 13 = 161051 mod 13 = 7.
Step 4: Selima sends 4 to Mongi; Mongi sends 7 to Selima (exchange of the values 4 and 7).
Step 5: Selima computes 7^2 mod 13 = 49 mod 13 = 10; Mongi computes 4^5 mod 13 = 1024 mod 13 = 10.
The session key is then 10.

• Vulnerable to a man-in-the-middle (MITM) attack: the exchanged public values are not authenticated, so an intruder can replace them with his own

• Remedy: add authentication of the exchanged values (see the Station-to-Station protocol)
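The arithmetic of the example above with the slide's numbers, followed by the man-in-the-middle attack the slide warns about: the intruder answers each party with his own public value and ends up holding a key with each of them. This is an added example, not part of the slides; the intruder's exponent z, the larger prime 2^127 - 1 used in the main block and the random exponents are constructed here.

```python
"""Diffie-Hellman with the slide's toy parameters, then the man-in-the-
middle attack that works because the public values are not authenticated.
Y=11, P=13, a=2, b=5 are the slide's numbers; the intruder's exponent z
and the larger prime in main() are constructed for this example."""
import secrets

def dh_public(y, p, private):
    """Public value Y^private mod P."""
    return pow(y, private, p)

def dh_shared(peer_public, private, p):
    """Shared secret (peer's public value)^private mod P."""
    return pow(peer_public, private, p)

def slide_example(y=11, p=13, a=2, b=5):
    """Selima holds a, Mongi holds b, as on the slide.
    Returns (Selima's public, Mongi's public, Selima's key, Mongi's key)."""
    pub_selima = dh_public(y, p, a)         # 11^2 mod 13 = 4
    pub_mongi = dh_public(y, p, b)          # 11^5 mod 13 = 7
    k_selima = dh_shared(pub_mongi, a, p)   # 7^2 mod 13 = 10
    k_mongi = dh_shared(pub_selima, b, p)   # 4^5 mod 13 = 10
    return pub_selima, pub_mongi, k_selima, k_mongi

def mitm(y, p, a, b, z):
    """Intruder I with exponent z replaces both public values with Y^z.
    Returns (A's key, B's key, I's key with A, I's key with B): A and B
    each agree a key with I, and nothing in the exchange lets them notice."""
    pub_a = dh_public(y, p, a)
    pub_b = dh_public(y, p, b)
    pub_i = dh_public(y, p, z)
    k_a = dh_shared(pub_i, a, p)    # A computes Y^(a*z), believing it is Y^(a*b)
    k_b = dh_shared(pub_i, b, p)    # B computes Y^(b*z)
    k_ia = dh_shared(pub_a, z, p)   # I saw Y^a on the wire: equals k_a
    k_ib = dh_shared(pub_b, z, p)   # I saw Y^b on the wire: equals k_b
    return k_a, k_b, k_ia, k_ib

if __name__ == "__main__":
    print("slide example:", slide_example())               # (4, 7, 10, 10)
    print("slide example under MITM (z=3):", mitm(11, 13, 2, 5, 3))
    # Same arithmetic with a larger prime (2^127 - 1) and random exponents;
    # real deployments use standardized groups and far larger primes.
    p, y = 2**127 - 1, 11
    a, b, z = (secrets.randbelow(p - 2) + 1 for _ in range(3))
    k_a, k_b, k_ia, k_ib = mitm(y, p, a, b, z)
    print("I matches both sides:", k_a == k_ia and k_b == k_ib,
          "/ A and B agree with each other:", k_a == k_b)
```

With z = 3 on the slide's parameters, Selima ends up with 12 and Mongi with 5, and the intruder computes both; from then on he decrypts, reads and re-encrypts every message between them.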


Station-to-Station protocol
Goal: establishment of a common secret key between two participants, but without the need of a trusted third party; based on the Diffie-Hellman key exchange.

(Figure: Anne and Bob end up sharing kAB)

Station-to-Station protocol (continued)

1. A → B : a^x
2. B → A : a^y . {SignB(a^y . a^x)}k
3. A → B : {SignA(a^x . a^y)}k

1. A chooses a random x and computes a^x (mod p), which is sent to B (a is a public base and all calculations are performed modulo the public prime p).
2. B chooses his own random y and can now compute the common secret key k = (a^x)^y = a^xy. The data according to protocol step 2 is sent back to A.
3. A has received a^y and can thus calculate k = (a^y)^x = a^xy herself. But until now there is no guarantee that the messages were authentic. Using the freshly generated k, A can decrypt the second part of the message to obtain B's signature of (his version of!) the public values. This signature can now be checked against A's version of a^x and a^y. A then sends back her signature of the public values to B, so that B can verify their integrity on his own.
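The three STS messages above on top of real modular arithmetic, with the signature and the encryption under k kept symbolic: SignX(d) is a tagged tuple that only X's own code produces, and {m}k opens only with exactly k. The intruder then replays the Diffie-Hellman substitution attack and A's signature check rejects it. This is an added example, not the slides' code; the prime 2^127 - 1, the base, the exponents and the `Intruder` class are constructed here.

```python
"""Station-to-Station: the DH exchange with both exponentials signed and
the signature encrypted under the fresh key.  Symbolic signatures and
symbolic encryption (tagged tuples); the intruder I never signs as B.
Added example; P, G and all exponents are constructed."""
import secrets

P = 2**127 - 1      # prime modulus (toy; real systems use standard groups)
G = 11              # public base, written "a" on the slide

def enc(k, m): return ("enc", k, m)
def dec(k, c):
    if c[0] != "enc" or c[1] != k:
        raise ValueError("cannot decrypt: wrong key")
    return c[2]

def sign(signer, *data): return ("sig", signer, data)
def verify(sig, signer, *data): return sig == ("sig", signer, data)

def sts(wire=None):
    """One run between A and B.  `wire`, if given, is an intruder that may
    rewrite message 1 on its way to B and message 2 on its way to A.
    Returns (A's key, B's key) or raises on a failed check."""
    x = secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)
    gx_at_b = wire.msg1(gx) if wire else gx           # 1. A -> B : g^x

    y = secrets.randbelow(P - 2) + 1
    gy = pow(G, y, P)
    k_b = pow(gx_at_b, y, P)                          # B's key
    msg2 = (gy, enc(k_b, sign("B", gy, gx_at_b)))     # 2. B -> A : g^y . {SignB(g^y.g^x)}k
    gy_at_a, blob = wire.msg2(msg2) if wire else msg2

    k_a = pow(gy_at_a, x, P)                          # A's key
    # A checks the signature against what she received and what she sent.
    if not verify(dec(k_a, blob), "B", gy_at_a, gx):
        raise ValueError("A: B's signature does not cover (received g^y, my g^x)")
    msg3 = enc(k_a, sign("A", gx, gy_at_a))           # 3. A -> B : {SignA(g^x.g^y)}k
    if not verify(dec(k_b, msg3), "A", gx_at_b, gy):
        raise ValueError("B: A's signature does not cover (received g^x, my g^y)")
    return k_a, k_b

class Intruder:
    """The DH man-in-the-middle: substitutes g^z for both exponentials."""
    def __init__(self):
        self.z = secrets.randbelow(P - 2) + 1
        self.gz = pow(G, self.z, P)
    def msg1(self, gx):
        self.gx = gx
        return self.gz                                # B now keys on g^(yz)
    def msg2(self, msg2):
        gy, blob = msg2
        sig_b = dec(pow(gy, self.z, P), blob)         # I knows g^(yz): reads SignB(g^y.g^z)
        # I cannot encrypt under g^(xy).  The best it can do is hand A g^z,
        # so that A derives g^(xz), which I also knows, and re-wrap B's
        # signature under that key.  The signature still names g^y and g^z.
        return self.gz, enc(pow(self.gx, self.z, P), sig_b)

def honest_run(): return sts()
def attacked_run(): return sts(Intruder())

if __name__ == "__main__":
    ka, kb = honest_run()
    print("honest run, keys equal:", ka == kb)
    try:
        attacked_run()
    except ValueError as e:
        print("attack rejected:", e)
```

The attack is stopped by the signature covering both exponentials: the intruder can obtain SignB(g^y . g^z) but A compares it against (g^z, g^x), and without B's signing key there is no way to produce a signature over those values.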

Protocol vulnerabilities & attack types

▪ No one knows all attacks on protocols

▪ Some typical attacks are due to flaws in the protocol design

▪ We are not concerned here with attacks on the underlying primitives or implementation, such as cryptanalysis or side channels (timing measurements, EM radiation, fluctuations in power consumption, etc.)


Man-in-the-middle attack

An intruder may intercept communications between participants and may generate proper messages.

Protocol Example: exchanging public keys

Anne wants to send a secret message X to Bob using public-key techniques, but where Anne and Bob do not even need to know each other's public keys. Using an algorithm like RSA, for which encryption and decryption are inverses and (for keys on the same modulus) commute:

1. A → B : {X}pA
2. B → A : {{X}pA}pB

Using the commutative property of RSA, {{X}pA}pB = {{X}pB}pA, A can strip off her own encryption and send back:

3. A → B : {X}pB

B can strip off his own encryption and read X.

(Caveat: textbook RSA exponentiations commute only when both keys use the same modulus n; with distinct moduli the stripping step in message 3 does not work.)

Exchanging public keys: MITM attack

What about Yves (I) if he wants to intercept the secret X exchanged between Anne & Bob?

1. A → I : {X}pA
2. I → A : {{X}pA}pI

A can strip off her own encryption and sends back:

3. A → I : {X}pI

I can strip off his own encryption: he knows the secret X!
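The three-message exchange and Yves' interception above, carried out with textbook RSA on a shared modulus so that the commutation {{X}pA}pB = {{X}pB}pA actually holds. This is an added example, not the slides' code; the toy modulus 61·53 and the three public exponents are constructed here and are far too small for any real use.

```python
"""Textbook RSA with a shared modulus, so that encryptions commute:
{{X}pA}pB = X^(eA*eB) mod n = {{X}pB}pA.  The three-message exchange from
the slide, then the intruder Yves (I) answering in Bob's place.
Added example with constructed toy parameters."""

P, Q = 61, 53
N = P * Q                  # 3233, the modulus shared by all three keys
PHI = (P - 1) * (Q - 1)    # 3120

def keypair(e):
    """Public exponent e and private d = e^-1 mod phi (needs Python 3.8+)."""
    return e, pow(e, -1, PHI)

E_A, D_A = keypair(17)     # Anne
E_B, D_B = keypair(7)      # Bob
E_I, D_I = keypair(11)     # Yves, with his own key on the same modulus

def encrypt(x, e): return pow(x, e, N)
def decrypt(c, d): return pow(c, d, N)

def commutes(x):
    """{{X}pA}pB == {{X}pB}pA, because both are X^(eA*eB) mod n."""
    return encrypt(encrypt(x, E_A), E_B) == encrypt(encrypt(x, E_B), E_A)

def three_pass(x, e_a, d_a, e_b, d_b):
    """Honest run: A learns nothing about B's key, B nothing about A's."""
    m1 = encrypt(x, e_a)          # 1. A -> B : {X}pA
    m2 = encrypt(m1, e_b)         # 2. B -> A : {{X}pA}pB
    m3 = decrypt(m2, d_a)         # A strips her layer: {X}pB
    return decrypt(m3, d_b)       # B strips his layer: X

def yves_in_the_middle(x):
    """Nothing in the messages names Bob, so Yves answers in his place
    and A obligingly strips her own layer for him."""
    m1 = encrypt(x, E_A)          # 1. A -> I : {X}pA
    m2 = encrypt(m1, E_I)         # 2. I -> A : {{X}pA}pI
    m3 = decrypt(m2, D_A)         # 3. A -> I : {X}pI
    return decrypt(m3, D_I)       # I reads X

if __name__ == "__main__":
    secret = 1234
    print("commutes:", commutes(secret))
    print("Bob reads:", three_pass(secret, E_A, D_A, E_B, D_B))
    print("Yves reads:", yves_in_the_middle(secret))
```

The point the protocol misses is that the message A strips in step 3 carries no evidence of whose key the outer layer is; whoever sent message 2 gets {X} under his own key back.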


Exercise : Analyzing the Diffie-Hellman P.

What about the Diffie-Hellman Protocol ?

Mirror (Reflection) vulnerability

Principle: let the participant answer his own questions

Let's take the challenge-response protocol ...

Challenge-Response Authentication
Recall that the purpose is to verify that two parties A and B share a common secret key k without revealing it.
Suppose there is a server S (e.g. a mainframe) on which several clients (terminals) can log on. Authentication is done with challenge-response to avoid sending passwords through the possibly observed connection and also to provide server authentication.

1. A → S : nA
2. S → A : {nA}k . nS
3. A → S : {nS}k


Mirror (Reflection) vulnerability

Principle: let the participant answer his own questions

Let's take the challenge-response protocol. The attacker does not know k; he plays the client role in two sessions (A is the attacker posing as client A, A' is his second, dummy session):

1. A → S : nA (first login request)

2. S → A : {nA}k . nS (the attacker cannot compute {nS}k yet)

3. A' → S : nS (second, dummy login request, reusing nS as the challenge)

4. S → A' : {nS}k . n'S (the attacker has obtained {nS}k and abandons this session)

5. A → S : {nS}k (taken from the last answer; S accepts the first login)
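The challenge-response exchange of the earlier slide and the reflection attack above, followed by a common countermeasure: the keyed response binds the role of the party answering, so the server's answer to a challenge can never double as a client's. {n}k is realised as HMAC-SHA256 of the nonce under k, which is what one would deploy for such an exchange. This is an added example, not the slides' code; the shared key, the session identifiers and the role tags "S"/"A" are constructed here.

```python
"""Challenge-response over a shared key k, the reflection attack, and the
role-binding fix.  {n}k is HMAC-SHA256(k, n).  Added example with a
constructed key; the `role` tag in the fix is this example's choice."""
import hmac, hashlib, secrets

K = b"shared-key-between-A-and-S"          # constructed demo key

def f(k, role, nonce):
    """Response to `nonce` under k.  role=b"" gives the slide's {n}k;
    the fix tags the server's answers with b"S" and the client's with b"A"
    (roles are one byte, so no separator is needed)."""
    return hmac.new(k, role + nonce, hashlib.sha256).digest()

class Server:
    """S: one pending challenge per session, answers every login request."""
    def __init__(self, k, fixed=False):
        self.k, self.fixed = k, fixed
        self.pending = {}

    def on_msg1(self, session, n_client):
        n_s = secrets.token_bytes(16)
        self.pending[session] = n_s
        # 2. S -> A : {nA}k . nS
        return f(self.k, b"S" if self.fixed else b"", n_client), n_s

    def on_msg3(self, session, response):
        n_s = self.pending.pop(session)
        expected = f(self.k, b"A" if self.fixed else b"", n_s)
        return hmac.compare_digest(expected, response)   # True: login accepted

def honest_login(server):
    """A genuine client holding k."""
    n_a = secrets.token_bytes(16)
    tag, n_s = server.on_msg1("s1", n_a)                       # 1-2
    srv_role, cli_role = (b"S", b"A") if server.fixed else (b"", b"")
    if not hmac.compare_digest(tag, f(server.k, srv_role, n_a)):
        raise ValueError("A: server failed the challenge")     # server auth
    return server.on_msg3("s1", f(server.k, cli_role, n_s))    # 3

def reflection_attack(server):
    """Attacker without k: opens a second session and lets S answer the
    challenge nS of the first one."""
    n_fake = secrets.token_bytes(16)
    _tag, n_s = server.on_msg1("s1", n_fake)       # 1-2: first login request
    reflected, _n_s2 = server.on_msg1("s2", n_s)   # 3-4: send nS back as a challenge
    return server.on_msg3("s1", reflected)         # 5: reuse S's own answer

if __name__ == "__main__":
    print("unfixed: honest", honest_login(Server(K)),
          "/ reflection", reflection_attack(Server(K)))
    print("fixed:   honest", honest_login(Server(K, fixed=True)),
          "/ reflection", reflection_attack(Server(K, fixed=True)))
```

Against the unfixed server the reflected answer is accepted; once responses are bound to a role, the value S hands out in step 4 is f(k, "S", nS) while step 5 needs f(k, "A", nS), and the login fails.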

Interleave attack

Principle: several parallel runs of a protocol leading to a mismatch situation

Let's take the Needham-Schroeder Public-Key protocol (1978)

NSPK protocol
Needham-Schroeder Public-Key protocol (1978)

Goal: mutual authentication and secret exchange of 2 nonces; two agents use public-key techniques in order to share a new secret (e.g. for future use as a symmetric key)

1. A → B : {A.nA}pB
2. B → A : {nA.nB}pA
3. A → B : {nB}pB


NSPK protocol: Aimed properties

At the end of the protocol run, A & B might be inclined to feel confident that:

▪ they know with whom they have been interacting;
▪ they agree on the values of nA and nB;
▪ no one else knows the values nA and nB.

NSPK protocol: Interleave attack result

Vulnerability discovered in 1996 [4];
Idea: 2 parallel runs with A & B and an additional agent I.
Notation: a and b denote the 2 instances (runs) of the protocol, and I(A) means that I sends the message but makes it appear to come from A.

At the end of the attack, I knows both nonces and has caused the following mismatch in A's and B's perception:
➢ A assumes that he exclusively shares the knowledge of nA and nB with I, whereas
➢ B assumes that he ran the protocol with A and exclusively shares the knowledge with him only.

NSPK protocol: Interleave attack

a.1. A → I : {A.nA}pI (A innocently starts the run with I)
b.1. I(A) → B : {A.nA}pB (I decrypts the message, encrypts it again for B and forwards it to him)
b.2. B → I(A) : {nA.nB}pA (thinking he is talking to A, B answers properly)
a.2. I → A : {nA.nB}pA (I can't decrypt this, but forwards it to A; it's exactly what A expects, since A can't determine who actually created nB!)
a.3. A → I : {nB}pI (A answers properly, so I gets to know nB)
b.3. I(A) → B : {nB}pB (now B also gets the expected response)
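The two interleaved runs a and b above, executed in a symbolic model where {m}pX is a term that only X can open, together with the fix from Lowe's paper [4]: B includes his own name in message 2 and A checks that it names the agent she started the run with. This is an added example, not the slides' or Lowe's code; the agent class, the nonce format and the `fixed` switch are constructed here.

```python
"""Needham-Schroeder public-key protocol in a symbolic model, Lowe's
interleaving attack, and Lowe's fix (B's name in message 2).  {m}pX is a
tagged tuple that only X opens; the intruder I opens only messages for I.
Added example; agent names and nonces are constructed."""
import secrets

def enc(to, payload): return ("penc", to, payload)    # {payload}p_to

def dec(me, term):
    if term[0] != "penc" or term[1] != me:
        raise ValueError(f"{me} cannot open a message for {term[1]}")
    return term[2]

def fresh(name): return f"n{name}_{secrets.token_hex(2)}"

class Agent:
    def __init__(self, name, fixed=False):
        self.name, self.fixed = name, fixed
        self.peer = self.nonce = self.peer_nonce = None

    # --- initiator role ---
    def msg1(self, peer):                                 # 1. A -> B : {A.nA}pB
        self.peer, self.nonce = peer, fresh(self.name)
        return enc(peer, (self.name, self.nonce))

    def msg3(self, m2):                                   # message 2 in, message 3 out
        fields = dec(self.name, m2)
        if self.fixed:                                    # fixed: {nA.nB.B}pA
            n_a, n_b, responder = fields
            if responder != self.peer:
                raise ValueError(f"{self.name}: message 2 names {responder}, expected {self.peer}")
        else:                                             # original: {nA.nB}pA
            n_a, n_b = fields
        if n_a != self.nonce:
            raise ValueError(f"{self.name}: nonce mismatch")
        self.peer_nonce = n_b
        return enc(self.peer, n_b)                        # 3. A -> B : {nB}pB

    # --- responder role ---
    def msg2(self, m1):
        self.peer, n_a = dec(self.name, m1)
        self.nonce = fresh(self.name)
        body = (n_a, self.nonce, self.name) if self.fixed else (n_a, self.nonce)
        return enc(self.peer, body)

    def finish(self, m3):
        if dec(self.name, m3) != self.nonce:
            raise ValueError(f"{self.name}: wrong nonce in message 3")
        return True

def honest_run(fixed=False):
    a, b = Agent("A", fixed), Agent("B", fixed)
    b.finish(a.msg3(b.msg2(a.msg1("B"))))
    return a.peer, b.peer, a.peer_nonce == b.nonce

def lowe_attack(fixed=False):
    """Run a (A with I) and run b (I posing as A, with B), interleaved."""
    a, b = Agent("A", fixed), Agent("B", fixed)
    m_a1 = a.msg1("I")                                    # a.1  A -> I    : {A.nA}pI
    a_name, n_a = dec("I", m_a1)                          #      I opens it
    m_b1 = enc("B", (a_name, n_a))                        # b.1  I(A) -> B : {A.nA}pB
    m_b2 = b.msg2(m_b1)                                   # b.2  B -> I(A) : {nA.nB}pA
    m_a3 = a.msg3(m_b2)                                   # a.2  I -> A forwards it as is; a.3  A -> I : {nB}pI
    n_b = dec("I", m_a3)                                  #      I now knows nB
    b.finish(enc("B", n_b))                               # b.3  I(A) -> B : {nB}pB
    return {"I_knows": (n_a, n_b), "A_believes_peer": a.peer, "B_believes_peer": b.peer}

if __name__ == "__main__":
    print("honest:", honest_run())
    print("attack on original NSPK:", lowe_attack())
    try:
        lowe_attack(fixed=True)
    except ValueError as e:
        print("attack on fixed NSPK rejected:", e)
```

On the original protocol the dictionary returned shows exactly the mismatch of the previous slide: A believes her peer is I, B believes his peer is A, and I holds both nonces. With the fix, message b.2 arrives at A as {nA.nB.B}pA, A expected I, and the run aborts before nB is ever sent to I.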


Replay attack
Principle: the attacker monitors a (possibly partial) run of the protocol and later replays some messages.

This can happen if the protocol does not have any mechanism for distinguishing between separate runs or cannot determine the freshness of messages.

Example: military ships and HQ commands

Remedial measures: using techniques like nonces, run identifiers and timestamps.

Timestamps
Sometimes nonces are not sufficient to ensure freshness: a nonce is meaningful only to its creator.

Timestamps allow attaching "time information" to messages
→ not necessarily the "physical" time

They require the management of logical time and maintaining consistency between clocks across the network.

Useful for digital signatures, e-transactions, ...
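The two remedial measures of the last slides combined in a receiver: every authenticated message carries a timestamp and a nonce, the timestamp is checked against a tolerance window, and (sender, nonce) pairs seen inside that window are remembered so the same message cannot be delivered twice. This is an added example, not from the slides; the key, the 30 s window, the HQ/ship message format and the injectable clock are constructed here.

```python
"""Freshness checks at the receiver: timestamp window plus a cache of
(sender, nonce) pairs seen inside the window, over HMAC-authenticated
messages.  Added example; key, window and message format are constructed."""
import hmac, hashlib, secrets, time

KEY = b"hq-to-ship-key"     # constructed demo key
WINDOW = 30.0               # seconds of clock skew + transit we tolerate

def make_message(sender, command, key=KEY, now=None):
    """sender|timestamp|nonce|command|mac, all covered by the MAC."""
    ts = now if now is not None else time.time()
    nonce = secrets.token_hex(8)
    body = f"{sender}|{ts:.3f}|{nonce}|{command}".encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + mac

class Receiver:
    def __init__(self, key=KEY, window=WINDOW):
        self.key, self.window = key, window
        self.seen = {}                      # (sender, nonce) -> timestamp

    def accept(self, msg, now=None):
        """Return (True, command) or (False, reason)."""
        now = now if now is not None else time.time()
        body, _, tag = msg.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return False, "bad mac"         # forged or modified in transit
        sender, ts, nonce, command = body.decode().split("|", 3)
        ts = float(ts)
        if abs(now - ts) > self.window:
            return False, "stale or future timestamp"
        # Entries older than the window can no longer pass the check above,
        # so they can be forgotten; this bounds the cache.
        self.seen = {k: v for k, v in self.seen.items() if now - v <= self.window}
        if (sender, nonce) in self.seen:
            return False, "replay"          # same message delivered twice
        self.seen[(sender, nonce)] = ts
        return True, command

if __name__ == "__main__":
    order = make_message("HQ", "hold position", now=1000.0)   # captured by the attacker
    ship = Receiver()
    print(ship.accept(order, now=1001.0))   # (True, 'hold position')
    print(ship.accept(order, now=1002.0))   # (False, 'replay')
    print(ship.accept(order, now=1040.0))   # (False, 'stale or future timestamp')
```

The window is what makes the nonce cache finite, and the cache is what makes the window safe: without the cache a captured order could be replayed as often as the attacker likes for 30 seconds, without the window the receiver would have to remember every nonce forever.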

Bibliographic references

[1] P.Y.A. Ryan, S.A. Schneider, M.H. Goldsmith, G. Lowe and A.W. Roscoe. The Modelling and Analysis of Security Protocols: the CSP Approach. (http://www.computing.surrey.ac.uk/personal/st/S.Schneider/books/MASP.pdf)
[2] S. Lafrance. Specification & validation of security protocols. PhD thesis, Ecole Polytechnique de Montréal, April 2005.
[3] B. Schneier. Applied Cryptography. Wiley, 1996.
[4] G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. Proceedings of TACAS, LNCS 1055, Springer, 1996. Also in Software – Concepts and Tools, 17:93–102, 1996.
