Security models
Final Exam (90 minutes)
1st Semester 2012/2013
F. Autreau, J. Dreier, P. Lafourcade, Y. Lakhnech, JL. Roch
Date: 13.12.2012
TOTAL: 90 points
Notice: the number of points corresponds approximately to the number of minutes
needed for solving an exercise.
Exercise 1 (Access Control (10 points))
A computing system consists of 4 users and 4 files, which are labelled according to the
following table:

  Labels    Users    Files
  high      User1    File1
  medium    User2    File2
  low       User3    File3
  normal    User4    File4

where the labels are ordered as follows: high > medium > low > normal. The system
allows two operations: {read, write}; i.e. a user can either read from a file or write to a
file.
1. (5 points) Let the labels be security clearances (for users) and classifications (for
files).
• (1 point) Recall the Bell-LaPadula Model.
• (4 points) Create the access control matrix of the system following the Bell-LaPadula Model.
2. (5 points) Let the labels be integrity levels (for users and files).
• (1 point) Recall the Biba Model.
• (4 points) Create the access control matrix of the system following the Biba Model.
Solution :
1. BLP. Bell-LaPadula protects confidentiality: a subject may read an object only if its
clearance dominates the object's classification (simple security property, "no read up"),
and may write to an object only if the object's classification dominates the subject's
clearance (*-property, "no write down"). Reading the clearance of User_i and the
classification of File_i from the table gives:

                 File1 (high)   File2 (medium)   File3 (low)    File4 (normal)
  User1 (high)   read, write    read             read           read
  User2 (medium) write          read, write      read           read
  User3 (low)    write          write            read, write    read
  User4 (normal) write          write            write          read, write

2. Biba. Biba protects integrity and is the dual of BLP: a subject may read an object only
if the object's integrity level dominates the subject's ("no read down"), and may write to
an object only if the subject's integrity level dominates the object's ("no write up"):

                 File1 (high)   File2 (medium)   File3 (low)    File4 (normal)
  User1 (high)   read, write    write            write          write
  User2 (medium) read           read, write      write          write
  User3 (low)    read           read             read, write    write
  User4 (normal) read           read             read           read, write
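The two matrices above follow mechanically from the two rules, so here is an added example (not the exam's own code) that derives them: the labels are ranked by the given order and every (user, file, operation) triple is decided by the rule of the chosen model. It also works for any totally ordered label set, not only the four levels used here.

```python
"""Deriving the Exercise 1 access matrices from the BLP and Biba rules.

Added example (not the exam's own code). Labels are ranked by the given order
and each (user, file, operation) triple is decided by the rule of the model,
so the same function reproduces both tables of the solution and works for any
totally ordered set of labels.
"""

ORDER = ("normal", "low", "medium", "high")      # lowest to highest
USERS = {"User1": "high", "User2": "medium", "User3": "low", "User4": "normal"}
FILES = {"File1": "high", "File2": "medium", "File3": "low", "File4": "normal"}


def allowed(model, subj, obj, op):
    """Decide one access. subj/obj are ranks: higher = more sensitive (BLP)
    or more trustworthy (Biba)."""
    if model == "blp":
        # simple security property: no read up; *-property: no write down
        return (op == "read" and subj >= obj) or (op == "write" and subj <= obj)
    if model == "biba":
        # strict integrity: no read down, no write up (the dual of BLP)
        return (op == "read" and subj <= obj) or (op == "write" and subj >= obj)
    raise ValueError(f"unknown model {model}")


def access_matrix(model, users=USERS, files=FILES, order=ORDER):
    """(user, file) -> set of permitted operations."""
    rank = {label: i for i, label in enumerate(order)}
    return {(u, f): {op for op in ("read", "write")
                     if allowed(model, rank[ul], rank[fl], op)}
            for u, ul in users.items() for f, fl in files.items()}


def render(model, users=USERS, files=FILES, order=ORDER):
    """Plain-text table in the layout of the solution above."""
    m = access_matrix(model, users, files, order)
    rows = ["{:8}".format("") + "".join("{:14}".format(f) for f in files)]
    for u in users:
        rows.append("{:8}".format(u) + "".join(
            "{:14}".format(", ".join(sorted(m[(u, f)])) or "-") for f in files))
    return "\n".join(rows)


if __name__ == "__main__":
    print("Bell-LaPadula\n" + render("blp"))
    print("\nBiba\n" + render("biba"))
```

Running it prints both tables; note how the Biba table is the BLP table with read and write swapped, which is exactly the duality between the two models.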
Exercise 2 (Access Control (10 points))
Alice can read and write to the file filex.sys, can read the file filey.sys, and can
execute the file filez.sys. Bob can read and write to filey.sys, and cannot access
filez.sys or filex.sys.
1. (4 points) Write the associated access control matrix.
2. (3 points) Write a set of access control lists for this situation. Which list is associated
with which file?
3. (3 points) Write a set of capability lists for this situation. With what is each list
associated?
Solution :
1. Build the access control matrix first; the ACLs (its columns) and the capability lists (its
rows) are then read off it. r: read; w: write; x: execute

          filex.sys   filey.sys   filez.sys
  Alice   r,w         r           x
  Bob     -           r,w         -

2. One ACL per file (object); each list is associated with the file it protects:
• ACL(filex.sys) = {(Alice, {r,w})};
• ACL(filey.sys) = {(Alice, {r}), (Bob, {r,w})};
• ACL(filez.sys) = {(Alice, {x})}
3. One capability list per user (subject); each list is associated with the user who holds it:
• CAP(Alice) = {(filex.sys,{r,w}), (filey.sys, {r}), (filez.sys, {x})};
• CAP(Bob) = {(filey.sys,{r,w})}
Exercise 3 (Diffie-Hellman (15 points))
1. (5 points) Recall the Diffie-Hellman key exchange protocol.
2. (5 points) Explain the attack on this protocol.
3. (5 points) We consider the following modified version of the Diffie-Hellman key exchange
protocol, where H is a public hash function:
• Alice and Bob agree on a finite cyclic group G and a generating element g in
G. We will write the group G multiplicatively.
• Alice picks two random natural numbers a and Na.
• Alice sends the triple (g^a, Na, H(Na, g^a)) to Bob.
• Bob picks two random natural numbers b and Nb.
• Bob sends the triple (g^b, Nb, H(Nb, g^b)) to Alice.
• Alice computes (g^b)^a.
• Bob computes (g^a)^b.
Is this modified version secure?
Solution :
1.
• Alice and Bob agree on a finite cyclic group G and a generating element g in G. We
will write the group G multiplicatively.
• Alice picks a random natural number a and sends g^a to Bob.
• Bob picks a random natural number b and sends g^b to Alice.
• Alice computes (g^b)^a = g^{ab}.
• Bob computes (g^a)^b = g^{ab}.
2. A man-in-the-middle attack is possible, because nothing in the exchange authenticates
g^a or g^b. Mallory, who controls the channel, intercepts both messages and replaces them
with her own value g^m:
• Alice sends g^a (intercepted by Mallory)
• Mallory sends g^m to Bob
• Bob computes the key (g^m)^b and sends g^b (intercepted by Mallory)
• Mallory sends g^m to Alice
Alice has a key g^{am} to talk with Bob but in fact she is talking to Mallory.
Bob has a key g^{bm} to talk with Alice but in fact he is talking to Mallory.
Mallory, who computes g^{am} = (g^a)^m and g^{bm} = (g^b)^m herself, decrypts the messages
sent by Alice and re-encrypts them for Bob, and vice versa.
3. The same attack works; the hash does not improve the scheme. H is public and the triple
contains no secret, so for any m and Nm of her choice Mallory can build a triple that
passes the recipient's check:
• Alice sends g^a, Na, H(Na, g^a) (intercepted by Mallory)
• Mallory sends g^m, Nm, H(Nm, g^m) to Bob
• Bob computes the key (g^m)^b and sends g^b, Nb, H(Nb, g^b) (intercepted by Mallory)
• Mallory sends g^m, Nm, H(Nm, g^m) to Alice
Alice has a key g^{am} to talk with Bob but in fact she is talking to Mallory.
Bob has a key g^{bm} to talk with Alice but in fact he is talking to Mallory.
Mallory decrypts the messages sent by Alice and re-encrypts them for Bob, and vice versa.
What is missing is an authenticated binding of the public values to the parties (a signature
under a known key, or a MAC under a pre-shared secret), which a public hash cannot provide.
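The two runs above, as an added example that is not part of the exam: Mallory intercepts both half-keys and answers each party with her own g^m, and the hashed triple of question 3 is forged with the public H. The group parameters are toy values constructed for this example (a safe prime far too small for real use); the logic is unchanged for a 2048-bit MODP group.

```python
"""Diffie-Hellman and the man-in-the-middle attack of Exercise 3.

Added example (not part of the exam). P, Q and G are toy parameters chosen
here so the run is instant. Mallory sits on the wire and speaks to each party
with her own exponent m; the hashed variant changes nothing because H is
public and the triple (g^m, Nm, H(Nm, g^m)) is as valid as an honest one.
"""
import hashlib

P = 2039          # safe prime 2*1019 + 1 (toy parameter, constructed here)
Q = 1019          # order of the subgroup generated by G
G = 4             # a quadratic residue mod P, hence of order Q


def H(nonce, elem):
    """The public hash function H(N, g^x) of question 3."""
    return hashlib.sha256(f"{nonce}|{elem}".encode()).hexdigest()


def make_triple(exp, nonce):
    """(g^x, N, H(N, g^x)): what a party sends in the modified protocol."""
    elem = pow(G, exp, P)
    return (elem, nonce, H(nonce, elem))


def verify_triple(triple):
    """The only check the recipient can make; it involves no secret."""
    elem, nonce, tag = triple
    return tag == H(nonce, elem)


def honest_run(a, b):
    """Plain DH without an attacker: both parties end with g^(ab)."""
    ga, gb = pow(G, a, P), pow(G, b, P)
    return pow(gb, a, P), pow(ga, b, P)


def mitm_run(a, b, m, na=11, nb=22, nm=33):
    """Modified DH under Mallory's control.

    Returns (Alice's key, Bob's key, Mallory's key with Alice, Mallory's key
    with Bob). The nonces are fixed constructed values for reproducibility.
    """
    from_alice = make_triple(a, na)        # intercepted; never reaches Bob
    to_bob = make_triple(m, nm)            # Mallory's forgery for Bob
    assert verify_triple(to_bob)           # Bob cannot tell the difference
    bob_key = pow(to_bob[0], b, P)         # (g^m)^b
    from_bob = make_triple(b, nb)          # intercepted; never reaches Alice
    to_alice = make_triple(m, nm)          # Mallory's forgery for Alice
    assert verify_triple(to_alice)
    alice_key = pow(to_alice[0], a, P)     # (g^m)^a
    mallory_with_alice = pow(from_alice[0], m, P)   # (g^a)^m
    mallory_with_bob = pow(from_bob[0], m, P)       # (g^b)^m
    return alice_key, bob_key, mallory_with_alice, mallory_with_bob


if __name__ == "__main__":
    print("honest:", honest_run(5, 7))
    ak, bk, ma, mb = mitm_run(5, 7, 9)
    print("Alice/Mallory:", ak, ma, " Bob/Mallory:", bk, mb, " Alice==Bob?", ak == bk)
```

Alice's key equals Mallory's key for the Alice side and Bob's equals Mallory's for the Bob side, while Alice's and Bob's keys differ: Mallory holds both session keys and relays between them.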
Exercise 4 (Square CDH (15 points))
1. (1 point) Compute (a + b)^2.
2. (3 points) Recall the Computational Diffie-Hellman (CDH) assumption.
3. (4 + 7 = 11 points) We define the S-CDH problem as follows: on input g, g^x,
compute g^{x^2}.
• Prove that S-CDH ⇒ CDH.
• Prove that S-CDH ⇐ CDH.
Solution :
1. (a + b)^2 = a^2 + 2ab + b^2.
2. Computational Diffie-Hellman (CDH): on input g, g^x, g^y, compute g^{xy}. The CDH
assumption states that no efficient adversary does so with non-negligible probability.
3. S-CDH ⇐ CDH. Given an adversary A that breaks CDH (on input g, g^x, g^y it computes g^{xy}),
we break S-CDH on input g, g^x by running A on (g, g^x, g^x): it returns g^{x·x} = g^{x^2}.
S-CDH ⇒ CDH. Given an adversary A that breaks S-CDH (on input g, g^x it computes g^{x^2}),
we break CDH as follows. Given g, g^x, g^y we want g^{xy}. Running A on g^x and on g^y we
obtain α1 = g^{x^2} and α2 = g^{y^2}. From g^x and g^y we can compute g^{x+y} = g^x · g^y and
give it to A to obtain β = g^{(x+y)^2} = g^{x^2 + 2xy + y^2}. Dividing β by the product of α1
and α2 gives g^{2xy}. When the order q of the group is known and odd, 2 is invertible modulo q
and g^{xy} = (g^{2xy})^{2^{-1} mod q}; three calls to A suffice.
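Both reductions, as an added example that is not part of the exam: the S-CDH and CDH adversaries are played by oracles that cheat with a brute-force discrete log, which is only feasible because the group is a toy safe-prime group constructed here; the reductions themselves use the oracle as a black box and follow the solution above, including the final halving of the exponent.

```python
"""The two reductions between CDH and Square-CDH from Exercise 4.

Added example (not part of the exam). P, Q and G are toy parameters; dlog()
stands in for the assumed adversary and is feasible only at this size.
"""

P = 2039          # safe prime 2*1019 + 1 (toy parameter)
Q = 1019          # prime order of the subgroup <G>
G = 4             # generator of the order-Q subgroup


def dlog(h):
    """Brute-force discrete log; plays the role of the assumed adversary."""
    for x in range(Q):
        if pow(G, x, P) == h:
            return x
    raise ValueError("element not in the subgroup")


def scdh_oracle(gx):
    """Square-CDH adversary: g^x -> g^(x^2)."""
    return pow(G, dlog(gx) ** 2, P)


def cdh_oracle(gx, gy):
    """CDH adversary: (g^x, g^y) -> g^(xy)."""
    return pow(G, dlog(gx) * dlog(gy), P)


def scdh_from_cdh(gx, cdh=cdh_oracle):
    """S-CDH <= CDH: one CDH query with both inputs equal to g^x."""
    return cdh(gx, gx)


def cdh_from_scdh(gx, gy, scdh=scdh_oracle):
    """S-CDH => CDH: three S-CDH queries and (x+y)^2 = x^2 + 2xy + y^2."""
    alpha1 = scdh(gx)                       # g^(x^2)
    alpha2 = scdh(gy)                       # g^(y^2)
    beta = scdh(gx * gy % P)                # g^((x+y)^2), since g^x * g^y = g^(x+y)
    g_2xy = beta * pow(alpha1 * alpha2, -1, P) % P   # g^(2xy)
    # halve the exponent: raise to 2^-1 mod Q, which exists because Q is odd
    return pow(g_2xy, pow(2, -1, Q), P)


def count_queries(x, y):
    """Run the reduction with a counting wrapper; returns (correct?, #queries)."""
    calls = []

    def counting_scdh(h):
        calls.append(h)
        return scdh_oracle(h)

    gx, gy = pow(G, x, P), pow(G, y, P)
    ok = cdh_from_scdh(gx, gy, counting_scdh) == pow(G, x * y, P)
    return ok, len(calls)


if __name__ == "__main__":
    x, y = 123, 456
    gx, gy = pow(G, x, P), pow(G, y, P)
    print(cdh_from_scdh(gx, gy) == pow(G, x * y, P), scdh_from_cdh(gx) == pow(G, x * x, P))
```

The square root step is the one detail the written solution leaves implicit: in a group of even order (for instance all of Z_P^*) g^{2xy} has two square roots and the reduction would have to guess, which is why CDH is usually stated in a prime-order subgroup.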
Exercise 5 (Passive Dolev-Yao (30 points))
We consider the classical Dolev-Yao deduction system. We add the following rule for
handling the exclusive-or operator (xor), denoted by ⊕:

          T ⊢ x    T ⊢ y
  (Xor)  ----------------
            T ⊢ x ⊕ y

Of course we need to make all our deductions modulo the equational theory of the xor.
Note that this operator is a binary operator, and that all terms are kept in normal form;
for example the term x ⊕ y ⊕ z ⊕ y is reduced to x ⊕ z.
1. (7 points) Consider the classical Dolev-Yao deduction system. We define the notion
of simple proof: A proof P is simple if each node appears at most once in each branch
of P.
Prove that if P is a minimal proof of T ⊢ u then P is a simple proof of T ⊢ u.
2. (4 points) Give the 4 equations associated to the xor operator ⊕.
3. (4 points) We first extend naively the definition of syntactic subterm as follows. S(t)
is the smallest set such that:
• t ∈ S(t)
• ⟨u, v⟩ ∈ S(t) ⇒ u, v ∈ S(t)
• {u}_v ∈ S(t) ⇒ u, v ∈ S(t)
• u ⊕ v ∈ S(t) ⇒ u, v ∈ S(t)
Compute the syntactic subterms of ⟨(a ⊕ b) ⊕ {b}_c, {c}_k⟩.
4. (7 points) Give a counter-example: a proof P of T ⊢ w which is minimal and is
not S-local (you can define T and w as you want).
5. (8 points) Propose another definition of subterm such that your example is now
S-local. Give the set of subterms associated to T ∪ {w}. (Of course the proof of the
S-locality is not asked.)
Solution :
1. Assume to the contrary that P is a minimal proof of T ⊢ u that is not simple. Then there
is a branch of P in which some node T ⊢ v occurs twice. Replacing the subproof rooted at the
upper occurrence by the subproof rooted at the lower one (which is a proof of the same
judgement with strictly fewer nodes) yields a proof P' of T ⊢ u smaller than P, which
contradicts the minimality of P. Hence P is simple.
2. The equational theory of ⊕:
• x ⊕ (y ⊕ z) = (x ⊕ y) ⊕ z (associativity)
• x ⊕ y = y ⊕ x (commutativity)
• x ⊕ x = 0 (nilpotency)
• x ⊕ 0 = x (neutral element)
3. S(⟨(a ⊕ b) ⊕ {b}_c, {c}_k⟩) = {⟨(a ⊕ b) ⊕ {b}_c, {c}_k⟩, (a ⊕ b) ⊕ {b}_c, a ⊕ b, a, b, {b}_c, c, {c}_k, k}
4. Take T = {a ⊕ b, b ⊕ c, c ⊕ d} and w = a ⊕ d. The following proof of T ⊢ w is minimal:

  (A)   a ⊕ b ∈ T, hence T ⊢ a ⊕ b
  (A)   b ⊕ c ∈ T, hence T ⊢ b ⊕ c
  (Xor) from T ⊢ a ⊕ b and T ⊢ b ⊕ c:  T ⊢ (a ⊕ b) ⊕ (b ⊕ c) = a ⊕ c
  (A)   c ⊕ d ∈ T, hence T ⊢ c ⊕ d
  (Xor) from T ⊢ a ⊕ c and T ⊢ c ⊕ d:  T ⊢ (a ⊕ c) ⊕ (c ⊕ d) = a ⊕ d = w

It is minimal: w ∉ T, and no single (Xor) step over two elements of T yields a ⊕ d (the
candidates are a ⊕ c, b ⊕ d and a ⊕ b ⊕ c ⊕ d), so at least two (Xor) steps are needed.
It is not S-local, because the intermediate term a ⊕ c ∉ S(T ∪ {w}) = T ∪ {w} ∪ {a, b, c, d}.
5. Close the syntactic subterms under ⊕: take as subterms of t every xor (in normal form)
of elements of S(t), i.e. consider all possible xors of elements of S(T ∪ {w}). Starting
from S(T ∪ {w}) = T ∪ {w} ∪ {a, b, c, d}, the added subterms are all xors of a non-empty
subset of {a, b, c, d}; in particular the missing a ⊕ c (and b ⊕ d, the intermediate term
of the symmetric proof), so the proof of question 4 is now local with respect to this set:
S_⊕(T ∪ {w}) = {a, b, c, d, a ⊕ b, a ⊕ c, a ⊕ d, b ⊕ c, b ⊕ d, c ⊕ d, a ⊕ b ⊕ c, a ⊕ b ⊕ d,
a ⊕ c ⊕ d, b ⊕ c ⊕ d, a ⊕ b ⊕ c ⊕ d}.
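The deduction system of this exercise, with the xor equations of question 2 built into the term representation, as an added example that is not part of the exam. Terms are nested tuples and an xor term is stored as the set of its summands, so associativity, commutativity, x ⊕ x = 0 and x ⊕ 0 = x hold by construction. Deciding T ⊢ u is done the usual way: saturate T under the decomposition rules, then check that u can be composed, where the (Xor) rule becomes a linear-algebra question over GF(2). The knowledge sets are those of questions 3 and 4; the function names, the term encoding and the extra knowledge `b` in the second run are my choices.

```python
"""Passive Dolev-Yao deduction with exclusive-or, modulo the xor equations.

Added example, not part of the exam. Terms: ('name', n), ('pair', u, v),
('enc', u, k), ('xor', frozenset_of_summands) and ZERO. The normal form of
question 1 (x ⊕ y ⊕ z ⊕ y = x ⊕ z) is the symmetric difference of summand sets.
"""

ZERO = ('zero',)


def name(n):
    return ('name', n)


def summands(t):
    """The summand set of t: t itself if it is not an xor, nothing if it is 0."""
    if t == ZERO:
        return frozenset()
    return t[1] if t[0] == 'xor' else frozenset([t])


def xor(*terms):
    """Normal form of t1 ⊕ ... ⊕ tn (the four equations hold by construction)."""
    acc = frozenset()
    for t in terms:
        acc ^= summands(t)
    if not acc:
        return ZERO
    if len(acc) == 1:
        return next(iter(acc))
    return ('xor', acc)


def in_span(target, vectors):
    """GF(2) elimination: is target the symmetric difference of some vectors?"""
    pivots = {}                      # pivot element -> reduced row (insertion order matters)
    for v in vectors:
        v = set(v)
        for p, row in pivots.items():
            if p in v:
                v ^= row
        if v:
            pivots[next(iter(v))] = v
    t = set(target)
    for p, row in pivots.items():
        if p in t:
            t ^= row
    return not t


def derivable(u, known, seen=()):
    """T ⊢ u, where known is T saturated by decompose()."""
    if u in known or u == ZERO:
        return True
    if u in seen:                    # never justify a term through itself
        return False
    seen = seen + (u,)
    if u[0] in ('pair', 'enc'):      # composition rules: build both parts
        return derivable(u[1], known, seen) and derivable(u[2], known, seen)
    # (Xor) rule: u must be a GF(2) combination of known terms and of
    # summands that are themselves composable (e.g. {b}_c from b and c)
    vectors = [summands(k) for k in known]
    candidates = set(summands(u)).union(*(summands(k) for k in known))
    for m in candidates:
        if m[0] in ('pair', 'enc') and m not in known and derivable(m, known, seen):
            vectors.append(frozenset([m]))
    return in_span(summands(u), vectors)


def decompose(knowledge):
    """Closure of T under projection and decryption with a derivable key."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            parts = []
            if t[0] == 'pair':
                parts = [t[1], t[2]]
            elif t[0] == 'enc' and derivable(t[2], known):
                parts = [t[1]]
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return known


a, b, c, d, k = (name(n) for n in 'abcdk')


def question4():
    """T = {a⊕b, b⊕c, c⊕d}: w = a⊕d and the intermediate a⊕c derivable, a alone not."""
    known = decompose({xor(a, b), xor(b, c), xor(c, d)})
    return derivable(xor(a, d), known), derivable(xor(a, c), known), derivable(a, known)


def question3(extra=()):
    """Knowing ⟨(a⊕b)⊕{b}_c, {c}_k⟩ and k (plus extra terms): is a derivable?"""
    t = ('pair', xor(a, b, ('enc', b, c)), ('enc', c, k))
    known = decompose({t, k, *extra})
    return derivable(a, known)
```

`question3()` is False (k unlocks c, but neither b nor {b}_c is available to cancel the xor), while `question3(extra=(b,))` is True: with b known the intruder composes {b}_c, and a = ((a ⊕ b) ⊕ {b}_c) ⊕ b ⊕ {b}_c. That step, a composed term cancelling a summand, is exactly what a subterm-based locality argument has to account for.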
Exercise 6 (Tools (10 points) ONLY PRO)
We consider the output of one tool studied during the lecture for a given protocol.
1. (1 point) Give the name of the tool used.
2. (4 points) Give the role of the two honest participants of this protocol.
3. (2 points) Explain the attack.
4. (3 points) Propose and explain a possible correction.
Solution :
1. Scyther.
2. The two honest participants are the initiator I and the responder R of protocol2. I sends
its nonce ni together with its name, encrypted for R; R answers with hash(ni) and its own
fresh nonce nr encrypted for I; I acknowledges with hash(nr,ni). Both roles then claim
non-injective synchronisation (Nisynch) and the secrecy of ni and nr. In the Scyther
description below, the third agent e (untrusted, with compromised key sk(e)) models the
attacker:

  const pk: Function;
  secret sk: Function;
  inversekeys (pk,sk);
  // Hash function: nobody knows the inverse
  const hash: Function;
  secret unhash: Function;
  inversekeys (hash,unhash);
  // User type declaration
  usertype Key;
  // Protocol description
  protocol protocol2(I,R)
  {
    role I
    {
      const ni: Nonce;
      var nr: Nonce;
      var kir: Key;
      send_1 (I,R, { ni,I }pk(R) );
      read_2 (R,I, hash(ni),{nr }pk(I) );
      send_3 (I,R, hash(nr,ni) );
      claim_i2 (I, Nisynch );
      claim_i3 (I, Secret, nr );
      claim_i4 (I, Secret, ni );
    }
    role R
    {
      var ni: Nonce;
      const nr: Nonce;
      const kir: Key;
      read_1 (I,R, { ni,I }pk(R) );
      send_2 (R,I, hash(ni),{nr }pk(I) );
      read_3 (I,R, hash(nr,ni) );
      claim_r2 (R, Nisynch );
      claim_r3 (R, Secret, nr );
      claim_r4 (R, Secret, ni );
    }
  }
  // An untrusted agent, with compromised key
  const e: Agent;
  untrusted e;
  compromised sk(e);

3. There is a problem of authentication and of secrecy: the intruder can learn the secret.
Nothing in the messages tells R whom I intended to talk to, so a run of I with the
compromised agent e can be relayed to R (the Lowe-style man-in-the-middle): I → e: {ni,I}pk(e);
e decrypts it, learns ni and, impersonating I, sends {ni,I}pk(R) to R; R answers
hash(ni),{nr}pk(I), which e forwards unchanged to I; I accepts it as e's reply, decrypts nr and
sends hash(nr,ni) to e, which e forwards to R. R finishes believing it synchronised with I
(claim_r2 fails) and ni, which R claims secret (claim_r4), is known to e.
4. Correction: for instance, add R inside the encryption of the second message, i.e. R sends
hash(ni), {nr,R}pk(I). I then checks that the name inside is the responder it started with,
so the message R produced for I cannot be reused by e in the parallel run (Lowe's fix).
Exercise 7 (Tools (10 points) R ONLY)
Here is the AVISPA (HLPSL) code of a protocol:

  role alice (A,B : agent,
              Ka,Kb : public_key,
              Snd,Rcv : channel (dy)) played_by A def=
    local
      State : nat,
      Na : message,
      Nb : text
    init
      State:=0
    transition
      1. State=0 /\ Rcv(start) =|>
         State':=1
         /\ Na':=new()
         /\ Snd({Na'.A}_Kb)
         /\ witness(A,B,bob_alice_na,Na')
         /\ secret(Na',na,{A,B})
      2. State=1 /\ Rcv({Nb'.xor(Na,B)}_Ka) =|>
         State':=2
         /\ Snd({Nb'}_Kb)
         /\ wrequest(A,B,alice_bob_nb,Nb')
  end role

  role bob (B,A : agent,
            Kb,Ka : public_key,
            Snd,Rcv : channel (dy)) played_by B def=
    local
      State : nat,
      Na : message,
      Nb : text
    init
      State:=0
    transition
      1. State=0 /\ Rcv({Na'.A}_Kb) =|>
         State':=1
         /\ Nb':=new()
         /\ Snd({Nb'.xor(Na',B)}_Ka)
         /\ witness(B,A,alice_bob_nb,Nb')
         /\ secret(Nb',nb,{A,B})
      2. State=1 /\ Rcv({Nb}_Kb) =|>
         State':=2
         /\ wrequest(B,A,bob_alice_na,Na)
  end role

  role session (A,B: agent,
                Ka, Kb: public_key,
                SND, RCV: channel(dy)) def=
    composition
      alice(A,B,Ka,Kb,SND,RCV) /\
      bob(B,A,Kb,Ka,SND,RCV)
  end role

  role environment() def=
    local
      Snd, Rcv: channel(dy)
    const
      a, b, i: agent,
      ka, kb, ki: public_key,
      na, nb, alice_bob_nb, bob_alice_na: protocol_id
    intruder_knowledge = {a,b,i,ka,kb,ki,inv(ki)}
    composition
      session(a,b,ka,kb,Snd,Rcv) /\
      session(a,i,ka,ki,Snd,Rcv)
  end role

  goal
    weak_authentication_on alice_bob_nb
    weak_authentication_on bob_alice_na
    secrecy_of na, nb
  end goal

  environment()
1. (3 points) Give an Alice and Bob description of the protocol and propose a relevant
name for this protocol.
2. (3 points) Explain the properties that are verified.
3. (4 points) Give an attack on the protocol and explain it.
Solution :
1. The protocol works as follows:
• A → B : {NA, A}_KB
• B → A : {NB, NA ⊕ B}_KA
• A → B : {NB}_KB
It is the Needham-Schroeder public-key protocol in which the responder returns NA masked
with its own name instead of NA itself, so a fitting name is "NSPK with xor".
2. Four properties are encoded in the file:
• secrecy of Na (secret(Na',na,{A,B}) in alice): NA must remain known only to A and B;
• secrecy of Nb (secret(Nb',nb,{A,B}) in bob): likewise for NB;
• weak authentication of B to A on Nb (alice_bob_nb: bob witnesses Nb', alice wrequests it);
• weak authentication of A to B on Na (bob_alice_na: alice witnesses Na', bob wrequests it).
Weak (non-injective) authentication only requires that the value accepted in the wrequest
was witnessed by the claimed partner; replays are not ruled out.
3. The attack uses the second session of environment(), in which A starts a run with the
intruder i; the intruder plays A towards B (I(A) denotes the intruder impersonating A):
• A → I : {NA, A}_KI
• I(A) → B : {NA ⊕ B ⊕ I, A}_KB
• B → I(A) : {NB, (NA ⊕ B ⊕ I) ⊕ B}_KA = {NB, NA ⊕ I}_KA
• I → A : {NB, NA ⊕ I}_KA
• A → I : {NB}_KI
• I(A) → B : {NB}_KB
Because the intruder learns NA from the first message, he can choose the "nonce" he sends
to B so that B's xor with B's own name produces exactly NA ⊕ I, the value A expects from a
session with I. A therefore accepts B's nonce as if it came from I and returns NB encrypted
for I, which the intruder decrypts and replays to B. B finishes believing it ran with A:
secrecy of nb is violated (the intruder knows NB), and bob_alice_na fails since B requests
Na = NA ⊕ B ⊕ I while A only witnessed NA. The root cause is that the xor lets the intruder
shift the value inside the encryption without knowing B's nonce, so the xor mask provides
no binding of NA to the intended partner.