Scyther Tool

Academic year: 2022

Scyther Tool

Wafa Badreddine

Outline

Cryptography

Attacks

Security Properties

Cryptographic Functions

What is a security protocol ?

Introduction to Scyther tool

Wafa Badreddine ProgRes - 4I014

What’s Cryptography ?

Cryptography = the science (art) of encryption

Cryptanalysis = the science (art) of breaking encryption

Cryptology = cryptography + cryptanalysis

Security Attacks

Passive attacks

Obtain message contents

Monitoring traffic flows

Active attacks

Replay previous messages

Modify messages in transit

Add, delete messages

Cryptography Goals (Security Properties)

Confidentiality (secrecy)

Prevent Z from intercepting and reading the message content

Only Alice and Bob should be able to understand the contents of the transmitted message

Cryptography Goals (Security Properties)

Authentication:

Prevent Z from impersonating Alice or Bob

Both Alice and Bob need to confirm the identity of the other entity involved in the communication

Cryptography Goals (Security Properties)

Data Integrity:

Prevent Z from modifying the message content

The content of their communication is not altered, either maliciously or by accident, in transmission

Cryptography Goals (Security Properties)

Non-repudiation:

An entity (Alice or Bob) is prevented from denying its previous commitments or actions

How to ensure these security properties during a communication between Alice & Bob?

Cryptographic Functions

Symmetric Cryptography: Secret key functions

Asymmetric Cryptography: Public/Secret key functions

Hash functions

Symmetric Cryptography

Using a single key for encryption/decryption

The plaintext and the ciphertext have the same size

Symmetric Cryptography: Security Properties

Confidentiality: Prevent attackers from eavesdropping; only the entities knowing the key can decrypt the message

Authentication: Alice proves to Bob that she knows the key

Asymmetric Cryptography

Each individual has two keys

a private key (d): not revealed to anyone

a public key (e): preferably known to the entire world

Asymmetric Cryptography: Security Properties

Confidentiality: Nobody else can decrypt it

Authentication: How is it ensured if the encryption key is public?

The public key is certified by a Certification Authority (CA)

The public key is obtained from an electronic certificate

How to guarantee the identity linked to the public key?

Electronic Certificate

Digital Signatures

Proving that a message is generated by a particular individual

Non-repudiation: the signing individual cannot deny having signed, because only he/she knows the private key

Hash Functions

A mathematical transformation that takes a message of arbitrary length and maps it to a fixed-length (short) number

Let the hash of a message m be h(m)

For any m, it is relatively easy to compute h(m)

It is impossible to find m from h(m)

It is computationally infeasible to find two values that hash to the same thing

Hash functions ensure message integrity

Security Protocol

What is a security protocol?

Security protocol:

a set of crypto-primitives exchanged between the communication actors

Example 1:

Example 2: TLS (overview) (next course)

Scyther Tool

Introduction

Scyther is a tool for the automatic verification, falsification and the analysis of security protocols

Verify the correctness of the security protocol written in Scyther

Analyze security protocols to identify potential attacks and vulnerabilities; the tool is able to detect several possible attacks

Generate a graph for each attack corresponding to the mentioned claim

Scyther can be freely downloaded

The latest stable version of Scyther is v1.1.3, which was released on April 4, 2014

The tool can be used in three ways:

Verify whether the security claims in the protocol description hold or not

Automatically generate appropriate security claims for a protocol and verify them

Analyze the protocol by performing complete characterization.

Verification of claims

The input language of Scyther allows for specification of security properties in terms of claim events

i.e., in a role specification one can claim that a certain value is confidential (secrecy) or certain properties should hold for the communication partners (authentication).

Scyther can be used to verify these properties or falsify them.

Automatic claims:

If the protocol specification contains no security claims, Scyther can automatically generate claims.

At the end of each role, authentication claims are added, claiming that the supposed communication partners must have performed the protocol as expected.

Similarly, secrecy claims are added for all locally generated values (nonces) and variables.

This augmented protocol description is then analyzed by Scyther as in the previous case (Verification of claims).

Characterization:

For protocol analysis, each protocol role can be “characterized”

Scyther analyzes the protocol, and provides a finite representation of all traces that contain an execution of the protocol role.

In most cases, this representation consists of a small number (1-5) of possible execution patterns. By manually inspecting these patterns, one can quickly gain insight into the potential problems with the protocol and modify it if necessary.

For example, given the Needham-Schroeder protocol, Scyther determines that there are only two patterns for the responder role:

one is the correct behaviour of the protocol,

the other is the well-known man-in-the-middle attack.

Hence, there are no other possible ways of executing the responder role.

The tool provides a graphical user interface

The language used to write protocols in Scyther is the Security Protocol Description Language (SPDL)

Each actor of the security protocol is written in a role with SPDL

The targeted security properties are verified thanks to the Scyther claims

Hash function

New type

Variables and their types (local)

Fresh: random; Nonce: used only once

Actions

What are Scyther claims? (Formal Definitions)

For authentication & non-repudiation between A and B:

Alive: Aliveness

Weakagree: Weak agreement

Nisynch: Non-injective synchronization

Niagree: Non-injective agreement

Alive: Aliveness

A protocol guarantees to an initiator A "aliveness" of an agent B if, whenever A (acting as initiator) completes a run of the protocol, apparently with responder B, then B has previously been running the protocol.

Weakagree: Weak agreement

A protocol guarantees to an initiator A "weak agreement" with another agent B if, whenever A (acting as initiator) completes a run of the protocol, apparently with responder B, then B has previously been running the protocol, apparently with A. Note that B may not necessarily have been acting as responder.

Niagree: Non-injective agreement

A protocol guarantees to an initiator A "non-injective agreement" with a responder B, on a set of data items ds (where ds is a set of free variables appearing in the protocol description) if, whenever A (acting as initiator) completes a run of the protocol, apparently with responder B, then B has previously been running the protocol, apparently with A, and B was acting as responder in his run and the two agents agreed on the data values corresponding to all the variables in ds.

Nisynch: Non-injective synchronization

Ensures that messages are transmitted exactly as prescribed by the protocol.

Whenever A (initiator) completes running the protocol with B (responder) and B has been running the protocol with A, then all messages are received exactly as they were sent, in the exact order described by the protocol.

It is a strong form of authentication

For Confidentiality

Secret

For authentication & non-repudiation between A and B:

Nisynch: Non-injective synchronization

Niagree: Non-injective agreement

Alive: Aliveness

Weakagree: Weak agreement
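
The Needham-Schroeder protocol mentioned in the characterization slide, written in SPDL with the claim types listed above, as an added example that is not part of the original slides. The role names I and R, the nonce names ni and nr and the claim labels are chosen for illustration; pk(X) is Scyther's predefined public-key function.

```spdl
// Added example (not from the slides): Needham-Schroeder public-key
// protocol in SPDL. pk(X) is Scyther's predefined public key of agent X.
// Global declarations such as `hashfunction h;` or `usertype T;` go here,
// before the protocol block; this protocol needs none.

protocol ns3(I,R)
{
	role I
	{
		fresh ni: Nonce;   // locally generated in each run of I
		var nr: Nonce;     // received value, bound by recv_2

		// Actions: send/recv, labelled so that each send has its recv
		send_1(I,R, {I,ni}pk(R));
		recv_2(R,I, {ni,nr}pk(I));
		send_3(I,R, {nr}pk(R));

		// Confidentiality claims
		claim_i1(I,Secret,ni);
		claim_i2(I,Secret,nr);
		// Authentication claims, weakest to strongest
		claim_i3(I,Alive);
		claim_i4(I,Weakagree);
		claim_i5(I,Niagree);
		claim_i6(I,Nisynch);
	}

	role R
	{
		var ni: Nonce;     // received value, bound by recv_1
		fresh nr: Nonce;   // locally generated in each run of R

		recv_1(I,R, {I,ni}pk(R));
		send_2(R,I, {ni,nr}pk(I));
		recv_3(I,R, {nr}pk(R));

		claim_r1(R,Secret,ni);
		claim_r2(R,Secret,nr);
		claim_r3(R,Alive);
		claim_r4(R,Weakagree);
		claim_r5(R,Niagree);
		claim_r6(R,Nisynch);
	}
}
```

Loading this file in Scyther and running the three modes described earlier gives one result per claim label; the responder-side claims are the ones affected by the man-in-the-middle pattern mentioned for the responder role.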

Few seconds :-)

Attack i1

Attack i2

Attack i3

Bibliography

https://people.cispa.io/cas.cremers/scyther/

The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols, CAV 2008, Proceedings of the 20th International Conference on Computer Aided Verification, Princeton, USA, 2008.

https://github.com/cascremers/scyther/blob/master/gui/scyther-manual.pdf

http://perso.eleves.ens-rennes.fr/~achatali/res/
