Lecture 7 (Weds 10/22/97)

Design Principles for Cryptographic Protocols

Sergey Berezin and Andy Myers

Scribe: Prashant Chandra

While formal methods are good to analyze the properties of a security protocol they are not useful in providing guidelines for the design of good security protocols. The following material discusses some principles that can be used as "rules of thumb" to design good security protocols.

Outline

be explicit (but not redundant).
know what you are doing.
know who you trust.
encrypt correctly, minimally.
sign before encrypting (usually).
assume nothing (especially about freshness)
don't be an oracle.
always count your bits.
KISS.
New concepts
References

Be explicit

Otway-Rees

Encrypted parts of message 1 and message 4 are similar leading to ambiguity.

There should be no ambiguity about:

what a message means,

what step a message is from, or

what run of the protocol a message is from.

A (Bad) Fix to Otway-Rees

One way to avoid the ambiguity in the Otway-Rees example is to explicitly encode information about what step a message is from, as shown below. However this makes the messages susceptible to known-plaintext attacks.

Denning-Saco

But now B can spoof A:

If a message should be interpreted relative to a principal, then that principal's name should be in the message.

Denning-Saco Fix

By including B in message 3, A makes sure that the encrypted portion of message 3 is only useful to B. Therefore B cannot use that portion of the message to spoof A.

Redundancy?

A general attack on a public key cryptosystem would be to "decrypt" random bit strings with the public key until a reasonable message appears. Then claim that the owner of the public key said this. This attack:

assumes that signing a document consists of encrypting the document with a private key.
would be much harder if hash of the document is encrypted.
is only realistic maybe for short, unredundant messages.

This attack can be overcome by adding redundancy to all signed messages. However, as Mao and Boyd point out, redundancy gives hackers a known plaintext attack, or at least more data for cryptanalysis. For example, in Otway-Rees' first message:

the quantities M, A and B are known and need not be kept secret. In other words, don't encrypt known quantities and don't confuse integrity with encryption.

Know what you are doing

Wide-mouthed Frog protocol:

The hidden assumption here is that A is capable of generating good session keys.

All aspects of a protocol should be thoroughly and exactly specified:

each principal's actions at each step.

be clear about why encryption is being done.

explicitly state properties of crypto algorithms.

Needham-Schroeder '87

The hidden assumption here is that a hacker can't strip off the first block of a message and append an arbitrary string. For e.g.,

If cryptographic protocols treat cryptography as a black box then one of the useful properties that one may require of underlining cryptography is that it is not possible to chop off random blocks of an encrypted message.

Know who you trust

Consider the following scenario. An evil hacker is able to manipulate the clocks of an organization which uses Kerberos. The result is the system security is terribly compromised. For example, old tickets can be reused. The hidden assumption here in Kerberos is that the time service is trusted or it is impossible to break into the time service.

So the moral of the story is: be explicit about which parties are trusted and what each party is trusted to do. Note however, that the process of deciding who or what is trustworthy isn't a protocol design issue.

Use of Encryption

Encryption can be used for different purposes:

preservation of confidentiality.
authenticity guarantee.
binding several parts of a message.
random number generation.

Be clear about why encryption is being done. Encryption is not synonymous to security, and its improper use can lead to errors [AN96].

Kerberos Protocol

Based on the original Needham-Schroeder protocol:

In this protocol:

no encryption is needed in message 1.
in message 2, conceal K_AB and sign the message; double encryption is redundant.
in message 3, prove knowledge of K_AB near T_A. If |T_A - T_S| is small, use T_S instead. Second part is redundant.
in message 4 prove knowledge of K_AB near T_A.

Otway-Rees Protocol

Here,

in message 2, S figures out keys by plaintext A and B; S decrypts the 2^nd and 3^rd parts and verifies M, A and B.
in message 3, S extracts N_A and N_B and encrypts them with K_AS and K_BS.

Responses to A and B include nonces, hence S exists recently and K_AB was generated recently. Hence, A and B are authenticated to each other (through S).

In order to decrease server load, the protocol can be modified so that we are encrypting and comparing ciphertexts instead of decrypting. Messages 1 and 2 of the protocol are modified as follows:

N_A and N_B are no longer secrets and this generates known plain-text/ciphertext pairs.

(!) Use one way function for {.}_K.

What this means is that we should distinguish between secret concealment and one-way service, and use different algorithms for each [MB94].

What encryption methods to use?

Consider the integrity property. Electronic Code Book (ECB) is bad for integrity because blocks are independent and can be substituted for other blocks. However, Cyclic Block Chaining (CBC) is good because it is not possible to change something in the middle of a message. CBC is recommended over ECB by ISO/IEC 9798.2 and 11770-2.

Is CBC really good? CBC has a cut-and-paste property which can be used to perform an attack on Otway-Rees as shown below.

In the CBC algorithm:

Encryption:

Decryption:

Assume,

and

CBC has a cut-and-paste property:

Form .

What is ?

Turns out that

where, and can be computed without knowing keys.

This cut-and-paste property can be used to perform an attack on Otway-Rees as shown below. For suppose that P₁ = N_B, P₂ = M, etc. Now, the evil person E records

from the previous (normal) run between E and B. Let,

Now consider the following run of the protocol:

Here, .

The result of the run is: E shares K_EB with B, and B thinks it is K_AB! So, CBC is still bad!

Sign Before or After Encryption?

When a principal signs encrypted material, it does not mean he knows the content of the message. The content of signed then encrypted messages should be known to the principal [AN96].

Consider one of the CCITT X.509 protocols:

The protocol guarantees integrity of X_A and Y_A and the privacy of Y_A. But it does not guarantee that A knows Y_A! The fix for this is to sign before encrypting.

Hash functions: Sign on encryption:

In this case, A might not know X, thus may not support it.

"Trapdoor" Moduli

RSA example [AN95]. Consider,

Assuming n_B is 500-600 bits long, Bob (B) can work out discrete logarithms and find x such that:

Then Bob registers (x^e_B, n_B) as his public key and claims Alice (A) signed M', not M.

Sign before encrypting: This prevents the attack with "trapdoor" moduli for which the signed document can be forged by computing discrete logarithms and changing the public key (key spoofing) [AN95].

Is it a real threat?

The example above is not realistic. The certificate for (x^e_B, n_B) will not be valid at the time M was signed [Syv96].

In some cases it is important to encrypt before signing. Consider the Coin Flip Protocol:

Non-repudiation is only preserved if Alice's signature appears on encrypted H and T.

Are double signatures secure?

Consider the Closed-bid Auction Protocol:

where,

M₁ = {Alice bids $X on item Y at T_A}K_A^-1

M₂ = "Alice's bid of $X on item Y is accepted at T_r".

Now, the attack against this protocol is as follows:

Alice registers both K₁ and K₂ such that

{M₁}K₁ = "Alice bids $X on item Y at T_A", and
{M₁}K₂ = "Alice bids $Z on item Y at T_A",
and Z > X.

Alice submits M₁ with K₁ (lower bid).
If she wins, she wins.
If she loses, then she submits the claim M₁ with K₂ (higher bid), and wins again (or has another chance to bid).

Signing before encrypting is not a bill of health [AN96].

Note: For this attack to work, you need short messages and short keys. Can do with RSA with small number of bits (500 bits) --- same as trapdoor moduli.

Assume Nothing

Consider the CCITT X.509 protocol:

T_A is a timestamp, N_A is a nonce, X_A and Y_A are user data. An evil hacker could send:

Don't assume that a principal who signs an encrypted message has any inkling about its meaning. This isn't true for a message that is signed and then encrypted.

Old secrets can hurt you

Consider Goss' Diffie-Hellman based key exchange protocol:

Asymmetric key cyrptosystem
Globals: generator g, of subgroup Z^*_p
Private key for A: x_A
Public key for A: g^x_A
Key for A and B: , where A picks r_A and B picks r_B.

Key exchange is as follows:

Now, A has r_A, g^x_B, x_A, g^r_B and B has r_B, g^x_A, x_B, g^r_A. So both can compute the shared key. An attack (by Alice) on Goss' protocol is as follows:

Bob can compute the key, . But, Alice can only compute the first part, g^x_A^r_B. So, if Bob lets that session key leak after some period of time, Alice can find Z^x_B. In this case, Alice uses Bob as an oracle.

So, the moral of the story is: Do not assume the secrecy of anyone else's secrets.

Moral

Anderson and Needham say not to assume that a message has a particular form unless you can verify it.
Syverson says that even if you can verify that a message has a particular form, you can't be sure that's its only form.

Freshness

Consider the Needham-Schroeder protocol:

Notice that an unbounded amount of time can pass between messages 2 and 3. Don't assume that a key is fresh just because it's been used recently. The fix to this is either have S add a timestamp, or else let B pass a nonce to S.

Note: The largest tolerable difference between local time and a timestamp has to be larger than the largest difference between any two clocks. Clock synchronization becomes a security issue.

Timeliness

Consider a basic protocol to find out what time it is:

If N_A is predictable, an evil party could make Alice set her clock back:

There could a large delay between messages 2 and 3 causing Alice to set her clock back. Predictable values can be used to ensure timeliness, but only if they are effectively protected. The fix is to encrypt ("randomize") N_A.

Nonces

Consider Otway-Rees (again):

In the above protocol, nonces N_A and N_B are being used both to guarantee timeliness and as references to Alice and Bob. Be explicit about a nonce's use and meaning.

Don't be an Oracle

Consider the Tatebayashi-Matsuazaki-Newmann (TMN) Scheme.

Both Alice and Bob share r_B, the secret key. Suppose Charlie and David conspire. Then Charley gets r_B as follows:

In this case the server S is an oracle that computes cubic roots. So "be careful when signing or decrypting data that you never let yourself be used as an oracle by your opponent [AN95]".

Oracle attacks can be fixed by,

explicit typing of nonces
using different keys for different purposes
etc.

A second example of oracle misuse is the Woo and Lam protocol.

"Among other problems a serious problem of this protocol is that S can be used as an oracle and can be impersonated, because between messages 4 and 5 he decrypts N_A [AN95]". Can you figure this out?

Count Bits

Account for all the bits --- how many provide equivocation, redundancy, computational complexity, and so on. Make sure that any extra bits cannot be used against you in some way [AN95].

Digital signatures are vulnerable to forward search attacks, if they don't have enough redundancy.

ISO 11166 Key Certificates

Here the redundancy is 45 bits for the short certificate and depends on namespace for long certificate.

If in future there were 30,000 banks sharing the US banking namespace, then the search effort might be as little as 2⁴² modular multiplications [AN95].

KISS Principle

KISS is an acronym for "Keep It Simple Stupid". The design of the cryptographic protocols should be as simple as possible.

New Concepts

A function

is called a cryptographic function, where M is the message space, K is the key space and C is the ciphertext space.

f is confidentiality function if there exists inverse and given it is not feasible to find without knowledge of k^-1.
f is integrity function if given it is not feasible to find f(m,k) without knowledge of k.
integrity function f has cohesive property if, when part of an encrypted message comes from a known source, then the whole of it does. That is given

it is infeasible to find f({m,x}, k) for any x without the knowledge of k [Boy90].

Note: While these new concepts are useful, they don't provide a complete formal definition of cryptographic protocols. More detailed formal properties need to be defined.

New notation

secret concealment --- confidentiality function
one-way --- irreversible integrity function with cohesive property [MB94]. This means it is infeasible to derive x from

even with the knowledge of K. Thus, known plaintext/cipertext pairs don't help to break it.

Using the new concetps and notations, examples of protocol redesign are given below. The main ideas behind redesign are:

Encrypt only when a secret has to be passed. Encrypting parts of messages that are not secrets makes the message more susceptible to cryptanalysis attacks or even integrity attacks (e.g. cut-and-paste attack).
Use a one-way integrity function to preserve integrity. The receiver of a message computes a hash of the message and compares it with the hash value in the message to check the integrity. Computing and comparing hashes is cheaper than decryption.

Kerberos protocol redesign

Here,

in message 2, the key K_AB is the only secret that has to be passed and hence it is the only part of the message that is encrypted. A can compute the hashes of the cleartext parts of the message and compare them to the hashes passed in the message to check for integrity.
in message 3, the nonce T_A is passed in the clear and B returns only the hash value of [T_A + 1, B] in message 4, which can be verified by A.

Otway-Rees protocol redesign

Otway-Rees protocol redesign-2

Simplify messages 1 and 2 (if we don't care about flood attacks):

References

[AN96] Martin Abadi and Roger M. Needham. "Prudent Engineering Practice for Cryptographic Protocols", IEEE Transactions on Software Engineering, 22(1):6-15, January 1996.

[AN95] R. Anderson and R. Needham. "Robustness Principles for Public Key Protocols", LCNS, 963:236-247, 1995.

[Boy90] Colin Boyd. "Hidden Assumptions in Cryptographic Protocols", Proceedings of the IEEE, 137 Part E(6):433-436, November 1990.

[MB94] Wenbo Mao and Colin Boyd. "Development of Authentication Protocols: Some Misconceptions and a New Approach", in Proceedings 7^th Computer Security Foundations Workshop, pages 178-186, IEEE Computer Society Press, 1994.

[Syv96] Paul Syverson. "Limitations on Design Principles for Public Key Protocols", in Proceedings of IEEE Symposium on Security and Privacy, Research in Security and Privacy, pages 62-72, Oakland, CA, May 1996.

Designing Usable Security --- Alma Whitten

Outline

motivation
existing work
five challenges in security
understanding the problem
critique of Mac PGP UI
usable security requirements
a learning strategy
plan of attack

Motivation

A 100% secure system won't help if the users get it wrong.
90-95% of the break-ins are claimed to be result of misconfiguration.
User interface design for security tools is tricky and cannot be handled by traditional GUI designers.

Existing work

Adage/MAP project at OpenGroup

rule based system for web security management.
demonstrates that rules are more usable than capabilities or access control lists.

Nothing else!

While researchers agree that usability is an important program, not much work has been done or publicized on this subject.

Five challenges unique to UI design in secure systems

There are five challenges listed below, which are unique to user-interface design in secure systems. Each one is described in greater detail in the following sections.

"Barn door" problem
Weakest link
Motivating users
Novices "programming"
Feedback is hard

"Barn door" problem

This refers to the fact that once security is compromised, then it cannot be undone. For example, there is no use in restricting read permission on a file, if it could previously be read by anyone. This problem also refers to the fact that it is not safe to adopt a "trial and error" policy when dealing with security. The ideal situation is for a user to be fully informed of the consequences of various actions and to eliminate the possibility of errors.

Weakest link

Security is only as strong as its weakest link; and there are many links all of which have to be managed well. For example, there is no point in employing the strongest cryptographic techniques to secure email, if the user's computer that stores key is itself not secure from attacks (via anonymous ftp for example).

Also, users typically learn about parts of the system that are "interesting" to them. In a secure system, such learning by unguided exploration, risks neglecting areas and creating weak links. For example, in learning about a secure email system, users might concentrate on "cool" cryptographic parts of the system and neglect more basic things such as file-system security. Hence, some sort of "breadth-first search" learning is needed.

Motivating learning

Typically, users only read manuals when they are not satisfied with the results they have. However naive users may not realize that they have bad secuirty. Therefore one cannot expect users to read the manual before using the system.

Novice "programmers"

Managing security policy typically involves creating a set of abstract rules to apply to concrete situations. For example, in setting file system security, a user is basically creating a set of rules that allow/disallow accesses to certain files under certain situations. In this respect, managing security policy is like "programming". And this is not a familiar skill for average users. While the "Weakest link" challenge shows why users have to get the big picture, "novice programmers" challenge shows why it is difficult for users to get the big picture.

Feedback is hard

In a secure system, it is usually hard for the system to give feedback to the user about the consequences about the user's actions. Firstly, there is too much detailed state information which cannot be summarized in a way that makes sense to the user. For example, it is almost impossible to capture the global effects of changing file permissions locally (in one directory) and display that information to the user on a single screen. Secondly, the system does not know what the users wanted, so cannot say whether they got it right. And finally, it may be too late to notify the user that an error has occured (barn door problem).

Understanding the problem

The approach followed in this research is as follows:

analyze what's most important in making security usable, and what's hardest.
look at existing security UIs for validation.

Critique of Mac PGP UI

PGP tools display

The following observations can be made about this display:

"Sign" icon does not show that you need a key. Emphasis is on making the interface pretty and not making the interface clear.
metaphor use could be better. For example instead of using a quilt-pen for the sign icon, an ink-bottle with a key could be used.

PGP keys display

In this display,

there is too much information, no prioritizing what's important. For example, it is not important for beginners to know about the validity, trust or creation date information.
there is reliance on documentation to explain concepts. For instance, there is no obvious way to tell why some keys look different and what that means.
not obvious which actions are risky. For e.g., sending information to key server can be irreversible and the UI does not warn the user about this.

Usable security requirements

So, usable security requires:

extreme learnability. Users should be able to learn about the system in a fast, safe and structured manner, while avoiding errors.
observability. Users should be able to assess the state of the system from the display.
predictability. Users must be able to predict the results of their actions from the display.

A learning strategy

The learning strategy that is proposed in this research is a combination of the following two approaches:

Kieras & Bovair, 1984: Their approach is "users learn faster, better when given explicit mental models". The Handbook of Human-Computer Interaction defines "mental models" as
knowledge of the components of a system, their interconnection, and the processes that change the components; knowledge that forms the basis for users being able to construct reasonable actions; and explanations about why a set of actions is appropriate.
Caroll & Carrithers, 1984: Their approact is based on using a "training wheels interface" which gives faster learning with fewer errors. The training wheels interface restricts users from performing certain risky actions during a certain "learning" period. An important question is to determine when the users have gained sufficient knowledge about the system and enable previously restricted actions.

Plan of attack

Here is how this research will be carried out:

development guidelines for learnable security interface design based on nested mental models.
analysis of existing UIs against guidelines.
implementation of non-trivial security interface based on guidelines (e.g. applet security management).
evaluation of interface impact.