
Network Security Protocols

The document discusses cryptographic protocols and their properties. It provides examples of commonly used security protocols like SSL, TLS, and Kerberos. It then defines important security properties for protocols like secrecy, authentication, integrity, non-repudiation, anonymity, fairness, availability, and atomicity. It also describes different types of cryptographic protocols for authentication, key distribution, e-commerce, secure groups, and contract signing. Finally, it analyzes authentication and key distribution protocols in more detail with examples.

Uploaded by

Noba Murshed
Copyright
© All Rights Reserved

Cryptographic Protocols

Md. Rayhan Ahmed


Summary
• Cryptographic Protocols

• Security Properties:
• Secrecy.
• Authentication.
• Integrity.
• Non-repudiation.
• Anonymity.
• Fairness.
• Availability.
• Money atomicity.
• Goods atomicity.
• Certified delivery.
Cryptographic Protocols
• A protocol is a set of rules or conventions that govern the
exchange of information between principals (computers, hosts,
humans, telephones, etc.).
• Cryptographic protocols are a subclass of protocols that use
cryptographic techniques to achieve security objectives.
• A protocol is a precisely defined sequence of communication
and computation steps.
• A communication step transfers a message from one principal
(sender) to another (receiver), while a computation step
updates a principal’s internal state.
Examples of Cryptographic Protocols

• Examples of deployed security protocols:
• SSL (Secure Sockets Layer).
• TLS (Transport Layer Security).
• Kerberos.
• SET (Secure Electronic Transaction).
• 3-D Secure.
• CCITT X.509.
Network Security
Security Properties
• The main security properties are:
• Secrecy.
• Authentication.
• Integrity.
• Non-repudiation.
• Anonymity.
• Fairness.
• Availability.
• Money atomicity.
• Goods atomicity.
• Certified delivery.
Secrecy
• Secrecy protects against unauthorized disclosure of information.
• The property of secrecy allows the intended receiver in a
communication session to know what was sent, but unintended parties
cannot determine what was sent.
• We say that a protocol preserves the secrecy of one of its parameters if
it does not leak any information about this parameter during the
execution of the protocol.
• The parameters of the protocol for which we want secrecy are often
cryptographic keys, but broadly speaking, they can be any sensitive
data.
• Encryption is, in general, the mechanism used to ensure secrecy.
Authentication
• Authentication means proving an identity over the
network (principal authentication).
• Authentication is sometimes taken to be of two
types:
• Message authentication: Ensuring that a message
received matches the message sent. Sometimes, it means
a proof of the identity of the creator of the message.
• Principal authentication: Ensuring that a principal is the
one claimed.
Authorization
• The authorization property stipulates which
principal has access to what resource or operation.
• It distinguishes between legal and illegal accesses.
• Legal principals are granted authorization to the
resource/operation in question while illegal ones
are denied access to the resource.
Integrity
• Integrity is the property of ensuring that information will not be
accidentally or maliciously altered or destroyed.
• It means that data is transmitted from source to destination
without alteration.
• Only the sender can alter the message data without
detection.
• Integrity protects against unauthorized creation, alteration or
destruction of data.
• If it were possible for a corrupted message to be accepted, then
this would show up as a violation of the integrity property and we
would have to deem the protocol to be flawed.
Non-Repudiation
• Non-repudiation is defined as the impossibility for one of the
entities involved in a communication to deny having participated
in all or part of the communication.
• It provides protection against false denial of having been
involved in the communication.
• The general goal of non-repudiation is to collect, maintain, make
available, and validate irrefutable evidence concerning a claimed
event or action in order to resolve disputes about the occurrence
or non-occurrence of that event or action.
• Non-repudiation is related to authentication but has strong proof
requirements.
Anonymity
• The property of anonymity provides a principal with the ability
to make anonymous transactions, which cannot be tracked by
another principal.
• More generally, we say that if a system is anonymous over
some set of events E, then it should have the following
property.
• Whenever an event from E occurs, then an observer, though he may be able to
deduce that an event from E has occurred, will be unable to identify which
event.
• In the case of e-commerce protocols, this property allows
consumers to make anonymous purchases which cannot be
tracked by a bank or a merchant to identify the purchaser.
Fairness
• In fair protocols, agents require protection from each other,
rather than from an external hostile agent.
• In electronic contract signing, for instance, we will want to
avoid one of the participants being able to gain some
advantage over another by halting the protocol part-way
through.
• Bob could, for example, refuse to continue after Alice has
signed up, but before he has signed.
• Some efficient fair protocols are conceived to run between two
agents and occasionally call upon a trusted third agent in case
of disputes.
Availability
• This property deals with the availability of certain resources manipulated
by the protocol.
• For instance, for a key-exchange protocol, we want to be confident that a
session will indeed be established.
• That is, if Alice requests the server to set up a session key between her
and Bob, then the system must subsequently reach a state in which Alice
and Bob both have knowledge of the fresh session key.
• Generally, to verify the availability property in crypto protocols, we have
to restrict the capabilities of the intruder. In particular, we cannot allow
the intruder unlimited ability to kill messages.
Atomicity
• Money atomicity:
• Transactions feature atomic transfer of electronic money.
• The transfer either completes entirely or not at all.
• In money atomic protocols, money is not created or
destroyed by purchase transactions.

• Goods atomicity:
• Goods-atomic transactions are money-atomic and
also provide an atomic swap of the electronic goods
and funds.
Certified Delivery
• Certified delivery transactions are goods-atomic
while allowing both the consumer and merchant to
prove exactly what was delivered.
• If there is a dispute, this evidence can be shown to
a judge to prove exactly what goods were
delivered.
Types of Cryptographic Protocols
• In general, we distinguish between:
• Authentication protocols.
• Key distribution protocols.
• E-commerce protocols.
• Secure group protocols.
• Fair-exchange protocols.
• Contract-signing protocols.
• Anonymity protocols.

• However, the type of the cryptosystem (symmetric key or
public key) used within the protocol and other factors can
also introduce another sub-classification.
Authentication Protocols
• The authentication of principals to each other is obviously a major issue.
• A great number of protocols have been developed, mainly in two categories:
• Identity authentication: A protocol whereby some principals can prove their
identities to each other is called an identity authentication protocol. The aim of these
protocols is to ensure that no principal can prove that it has the identity X when its
real identity is Y, with X ≠ Y.
• Message content verification: This concerns the verification of the message
content in order to detect if it has been modified. If an intruder introduces even a
slight modification to a message in the network, the receiver must be able to detect
the alteration. This property is commonly known as the integrity property.
• Authentication protocols can provide one-way or mutual authentication.


One-Way Authentication Protocols
• Perhaps the simplest example of this class of protocols is the
login protocol, since it allows only the host to check the
identity of the user.
• The Woo and Lam protocol, given below, is also a good
example to understand one-way authentication:
One-Way Authentication Protocols
Mutual Authentication Protocols
• In some situations, two principals may need to
prove their identities to each other simultaneously.
In this case, we require a mutual
authentication protocol.
• In mutual authentication protocols, we can also
distinguish between protocols using public or
symmetric key and protocols with or without a
trusted third party.
Key Distribution Protocols
• Cryptographic protocols are based on encrypting and decrypting messages to
achieve some security goals such as integrity and confidentiality.
• Somehow, the keys used to encrypt messages have to be generated and
distributed between principals. The longer a key is used, the better an
intruder's chances of finding it by guessing or by using cryptanalysis
techniques. For that reason, it is very important to have a protocol allowing
the distribution of fresh keys.
• The goals of key distribution protocols can be expressed as follows:
• Key availability: A complete run of a protocol has to ensure that all the concerned
principals have obtained the distributed keys.
• Key confidentiality: The protocol has to ensure that no illicit principal can know the
value of the distributed keys.
• Key integrity: The protocol has to ensure that no modification of a distributed key
could be done without being detected and without leading to a session failure from the
viewpoint of the concerned principals.
Needham-Schroeder Public-Key Protocol
What Does this Protocol Achieve?
Anomaly in Needham-Schroeder
[Diagram not recovered: four numbered message steps, 1 to 4]
Lessons from Needham-Schroeder
• Classic man-in-the-middle attack.
• Exploits participants’ reasoning to fool them:
• A is correct that B must have decrypted the {A, Na}Kb message, but this does
not mean that the {Na, Nb}Ka message came from B.
• The attack has nothing to do with cryptography!
• It is important to realize limitations of protocols
• The attack requires that A willingly talk to adversary.
• In the original setting, each workstation is assumed to be well
behaved, and the protocol is correct!
• Wouldn’t it be great if one could discover attacks like this
automatically?
More attack scenarios:
Oracle Flaws
• Oracle flaws occur when the cryptographic
protocol dialog allows an adversary to know some
secret information or to foretell the content of some
encrypted messages.
• We can distinguish two subclasses of oracle flaws:
• Single oracle flaws and,
• Multi-role oracle flaws.
Fixing the attack
• The second message, {Na, Nb}Ka, is extended with the responder's identity:
{ NonceA, NonceB, B }Ka
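The Needham-Schroeder anomaly and the fix above, replayed as a symbolic run. This is an added example, not part of the original slides: `enc`, `dec` and `run` are hypothetical names, and encryption is modelled symbolically (a message can only be opened by the principal it was encrypted for), which is an assumption of the sketch.

```python
import secrets

def enc(owner, *fields):
    """Symbolic public-key encryption: only `owner` can open the result."""
    return ("enc", owner, fields)

def dec(owner, msg):
    _, key_owner, fields = msg
    if key_owner != owner:
        raise PermissionError(f"{owner} cannot decrypt a message for {key_owner}")
    return fields

def run(fixed):
    """A opens a run with I, who relays it to B while claiming to be A.

    Returns (b_accepts_a, a_aborts)."""
    na, nb = secrets.token_hex(8), secrets.token_hex(8)
    peer_of_a = "I"                              # A willingly talks to I
    m1 = enc(peer_of_a, "A", na)                 # 1.  A -> I : {A, Na}Ki
    m1_relay = enc("B", *dec("I", m1))           # 1'. I -> B : {A, Na}Kb
    claimed, n_seen = dec("B", m1_relay)
    # 2. B -> A : {Na, Nb}Ka, or {Na, Nb, B}Ka with the fix. I cannot open
    #    this message and can only forward it to A unchanged.
    m2 = enc(claimed, n_seen, nb, "B") if fixed else enc(claimed, n_seen, nb)
    fields = dec("A", m2)
    if fields[0] != na:
        return (False, True)
    if fixed and fields[2] != peer_of_a:         # responder name must match A's peer
        return (False, True)
    m3 = enc(peer_of_a, fields[1])               # 3.  A -> I : {Nb}Ki
    m3_relay = enc("B", *dec("I", m3))           # 3'. I -> B : {Nb}Kb
    (nb_back,) = dec("B", m3_relay)
    return (claimed == "A" and nb_back == nb, False)
```

Without the responder's name in message 2, B ends the run believing it spoke to A; with it, A sees a name that is not her peer and stops before releasing Nb.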


Single Oracle Flaws
• It consists of oracle flaws that occur when the protocol does not allow
principals to change their roles from one protocol run to another.
• The most famous example of a single role oracle flaw was given by
Shamir, Rivest and Adleman. It consists of the following three-step
protocol:

• We assume that the encrypting function is commutative, i.e.
{{M}ka }kb = {{M}kb }ka.
Single Oracle Flaws
• The goal of this protocol is to transfer secret messages from one principal
to another without the help of a trusted server.
• In step one, the principal playing the role A encrypts the message M
under its secret key ka (can be randomly generated) then sends the result
to the principal playing the role B.
• In the second step, the principal playing the role B encrypts the received
message with its secret key kb and sends the result to the principal
playing the role A.
• Finally, the principal playing the role A decrypts the message {{M}ka }kb
to obtain the message {M}kb (this can be achieved under the commutative
assumption) which is sent to the principal playing the role B.
• This protocol can be attacked as follows:
Single Oracle Flaws

• At step one, the intruder intercepts the message {M}ka which is
supposed to be sent to the principal playing the role B.
• At step two, the intruder sends the intercepted message to the
principal playing the role A as B’s response.
• Finally, the principal playing the role A decrypts the received
message and sends the result (M) to the principal playing the role B.
However, the intruder intercepts this message, hence it learns
information that is supposed to be secret.
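The three-step protocol and the reflection described above, as an added example that is not part of the original slides. Assumptions: the commutative cipher is modelled as exponentiation modulo a toy-sized prime, all function names are hypothetical, and the `check_reflection` test is a narrow check added here for illustration; it does not authenticate B.

```python
import math
import secrets

P = 2**127 - 1                       # Mersenne prime; toy-sized modulus (assumption)

def keygen():
    """Pick an exponent that is invertible modulo P - 1."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def enc(k, m):
    return pow(m, k, P)              # {M}k; commutative: {{M}ka}kb == {{M}kb}ka

def dec(k, c):
    return pow(c, pow(k, -1, P - 1), P)

def a_step3(ka, sent_step1, received_step2, check_reflection):
    """A strips its own layer from the step-2 message and sends the result."""
    if check_reflection and received_step2 == sent_step1:
        return None                  # A's own step-1 message came straight back
    return dec(ka, received_step2)

def honest_run(m):
    ka, kb = keygen(), keygen()
    c1 = enc(ka, m)                  # 1. A -> B : {M}ka
    c2 = enc(kb, c1)                 # 2. B -> A : {{M}ka}kb
    c3 = a_step3(ka, c1, c2, True)   # 3. A -> B : {M}kb
    return dec(kb, c3)               # what B recovers

def reflected_run(m, check_reflection):
    """Step-1 message is returned to A unchanged as if it were B's reply."""
    ka = keygen()
    c1 = enc(ka, m)
    return a_step3(ka, c1, c1, check_reflection)   # what A puts on the wire
```

With the check disabled, the value A sends in step 3 is M itself, which is exactly the leak the slides describe.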
Multi-Role Oracle Flaws
• Multi-role oracle flaws occur when the protocol assumptions allow
principals to change their role from one run to another.
• In this case, an intruder has more chance to attack the protocol. In fact,
the intruder can participate in many runs executed concurrently, hence
messages of one run can be used to form messages that will be used in
another run.
• A good example of multi-role oracle flaws is:

• The objective of this protocol is to convince the principal playing role A
that the principal playing role B is operational.
Multi-Role Oracle Flaws
• At step one, the principal playing role A sends a challenge, the nonce
Na encrypted under the key kab.
• The principal playing role B can easily give a response ({Na + 1}kab) to
this challenge at step two since it knows the key kab. This protocol can
be attacked as follows:
• At step one of the first protocol run, the intruder intercepts the message
{Na}kab and uses it as its own challenge in the first step of the second
protocol run.
Multi-Role Oracle Flaws
• Therefore, it is not surprising that the principal playing the
role A will answer by sending the message {Na + 1}kab
in step two of the second protocol run.
• Furthermore, this message is also the necessary one to
finish the first run.
• Finally, the principal playing the role A is convinced that the
principal playing the role B is operational, however this
principal may not exist any longer in the system.
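The two interleaved runs described above, as an added example that is not part of the original slides. Assumptions: encryption under kab is modelled symbolically, the `Principal` class and function names are hypothetical, and the "named challenge" variant {A, Na}kab is a common hardening that the slides do not give.

```python
import secrets

KAB = "kab"                                   # symbolic shared key (constructed)

def enc(key, *fields):
    return ("enc", key, fields)

def dec(key, msg):
    if msg[1] != key:
        raise PermissionError("wrong key")
    return msg[2]

class Principal:
    def __init__(self, name, named):
        self.name, self.named, self.pending = name, named, None

    def challenge(self):                      # role A, step 1: {Na}kab
        self.pending = secrets.randbelow(2**64)
        if self.named:                        # hardened form: {A, Na}kab
            return enc(KAB, self.name, self.pending)
        return enc(KAB, self.pending)

    def respond(self, msg):                   # role B, step 2: {Na + 1}kab
        fields = dec(KAB, msg)
        if self.named:
            origin, n = fields
            if origin == self.name:           # our own challenge was reflected
                return None
        else:
            (n,) = fields
        return enc(KAB, n + 1)

    def accept(self, msg):                    # role A checks the response
        (n,) = dec(KAB, msg)
        return n == self.pending + 1

def honest(named):
    a, b = Principal("A", named), Principal("B", named)
    return a.accept(b.respond(a.challenge()))

def reflection(named):
    """B is absent; A's challenge from run 1 is fed back to A as run 2."""
    a = Principal("A", named)
    c = a.challenge()                         # run 1, step 1 (intercepted)
    r = a.respond(c)                          # run 2: A answers in role B
    return r is not None and a.accept(r)      # run 1, step 2
```

`reflection(False)` returning true means A is convinced B is operational although B never took part; naming the challenger inside the ciphertext lets A refuse to answer its own challenge.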
