Overview Overview � What is SILC? What is SILC? � Analysis of the SILC Protocol with Analysis of the SILC Protocol with � Stands for Stands for S S ecure ecure I I nternet nternet L L ive ive C C onferencing. onferencing. � Murphi Murphi � Designed as a secure replacement for IRC ( Designed as a secure replacement for IRC ( I I nternet nternet � R elay R elay C C hat). hat). � Also has some features of instant messaging. Also has some features of instant messaging. � � Stable implementations for clients and servers are Stable implementations for clients and servers are � available. (http://www.silcnet silcnet.org) .org) available. (http://www. Project objectives Project objectives Results Results � Used rational reconstruction to verify the Used rational reconstruction to verify the � Examine the security of SILC, and hopefully Examine the security of SILC, and hopefully � � necessity of key part of the chat protocol. necessity of key part of the chat protocol. find attacks with Murphi find attacks with Murphi. . � Found a possible non Found a possible non- -trivial attack. trivial attack. � More specifically, we wanted to see if a More specifically, we wanted to see if a � � � Bad news: Bad news: Murphi Murphi didn didn ’ ’ t find it; we thought it t find it; we thought it malicious client can “ malicious client can “ eavesdrop eavesdrop ” ” on a on a � up while fine up while fine- -tuning our invariants. (It turned tuning our invariants. (It turned conversation in a channel to which he does not conversation in a channel to which he does not out that the invariant broke because of a bug in out that the invariant broke because of a bug in belong. belong. our code and not because of the exploit.) our code and not because of the exploit.) � Good news: Good news: Murphi Murphi verifies the exploit. verifies the exploit. � Presentation outline Presentation outline Terminology Terminology � A A server server handles channel maintenance and accepts handles channel maintenance and accepts � The SILC channel protocol The SILC channel protocol � � connections from clients. connections from clients. � Our model of the protocol Our model of the protocol � A A client client connects to a server to join and part channels. connects to a server to join and part channels. � � � Rational reconstruction of the model Rational reconstruction of the model � A A channel channel is a group of clients that are in the same is a group of clients that are in the same � � conversation. conversation. � The exploit The exploit � � No one outside a channel is supposed to be able to No one outside a channel is supposed to be able to � Problems we encountered Problems we encountered � listen in on the conversation. listen in on the conversation. � � Future work Future work � It is assumed that each client has already established a It is assumed that each client has already established a � � session key with each server to which it talks. session key with each server to which it talks. 1
Protocol description (Client) Protocol description (Client) Protocol description (Server) Protocol description (Server) If entity A sends something to entity B in SILC, it is always encrypted with If entity A sends something to entity B in SILC, it is always en crypted with � A server, when it receives a join request for a channel from a A server, when it receives a join request for a channel from a � � � the session key between A and B. the session key between A and B. client, adds that client to the channel roster if it is not alre client, adds that client to the channel roster if it is not already ady A client initially connects to a server. A client initially connects to a server. there. there. � � A connected client can request to join a channel on a server. A connected client can request to join a channel on a server. � A server, when it receives a part request for a channel from a A server, when it receives a part request for a channel from a � � The client knows that it has joined the channel when it receives a channel key The client knows that it has joined the channel when it receives a channel key � client, removes that client from the channel roster if it is there. client, removes that client from the channel roster if it is the re. � � from the server. from the server. � If the channel roster changes, a new session key is created and If the channel roster changes, a new session key is created and Every time a client joins or parts a channel, a new channel key is generated is generated Every time a client joins or parts a channel, a new channel key � � � distributed to all remaining clients in the channel roster. distributed to all remaining clients in the channel roster. and distributed among the remaining channel members. and distributed among the remaining channel members. Each channel message, instead of being with the session key, is encrypted Each channel message, instead of being with the session key, is encrypted � Whenever a message for a channel is received from a client of Whenever a message for a channel is received from a client of � � � with the channel key. However, the packet header (which stores the source with the channel key. However, the packet header (which stores the source which it is a member, it is broadcast to all clients in the chan which it is a member, it is broadcast to all clients in the channel nel and destination) is still encrypted with the session key. and destination) is still encrypted with the session key. roster. (Only the header is roster. (Only the header is reencrypted reencrypted.) .) A client, when it parts a channel, notifies the server so that it may update the A client, when it parts a channel, notifies the server so that i t may update the � � channel roster and regenerate the channel key. channel roster and regenerate the channel key. Protocol example Protocol example Simplifications Simplifications Connect Connect Join #silctalk generated-silctalk-key(1) � We assume no packet loss. We assume no packet loss. � {Message: “ I ’ m all alone. ” }(1) � We assume lag We assume lag- -free connections. free connections. {C1 message: “ I ’ m all alone. ” }(1) � Join #silctalk � In other words, as soon as a client joins or parts a In other words, as soon as a client joins or parts a � generated-silctalk-key(2) generated-silctalk-key(2) channel, the new key is instantly distributed to all other channel, the new key is instantly distributed to all other clients (unless intercepted by an intruder). clients (unless intercepted by an intruder). {Message: “ Sup C1. ” }(2) C1 S C2 {C2 Message: “ Sup C1. ” }(2) {C2 Message: “ Sup C1. ” }(2) � In practice, clients keep around old keys so that they In practice, clients keep around old keys so that they � Part #silctalk may still decrypt messages that have been delayed, but may still decrypt messages that have been delayed, but generated-silctalk-key(3) ’ t model that. we don ’ we don t model that. Part #silctalk � Perfect cryptography and key exchange. Perfect cryptography and key exchange. You have joined channel #silctalk � C1: I ’ m all alone. You have channel #silctalk C2 has joined channel #silctalk C2: Sup C1. C2: Sup C1. C1 has parted channel #silctalk You have parted channel #silctalk You have channel #silctalk Murphi implementation Murphi implementation Intruder model Intruder model ( Command Command ) ( ) � Intruder can intercept packets and store them. Intruder can intercept packets and store them. Com mand :reco Com mand :reco rd rd � source source : : Agen Agen t t Id Id ; ; � Intruder can then forward packets it has stored. Intruder can then forward packets it has stored. � des des t t : : Agen Agen t t Id Id ; ; � Intruder may have a partner client and/or a partner server. Intruder may have a partner client and/or a partner server. i n tDes t : Agen t Id ;- - -i i n tended des t i na t i on � i n tDes t : Agen t Id ; - n tended des t i na t i on � If a client/server is a partner of an intruder it is malicious. If a client/server is a partner of an intruder it is malicious. - -( ( sou rce ,i i n tDes t )i st he key - - sou rce , n tDes t )i st he key � � Intruder cannot directly decrypt packets, but it can pass it on Intruder cannot directly decrypt packets, but it can pass it on to to � cType cType: : CommandType; CommandType ; its partner(s), which may be able to decrypt it. its partner(s), which may be able to decrypt it. - - - - C_Jo C_Jo in in , C_Par , C_Par t t , C_Msg , C_ Msg, C_ , C_NewChanne NewChanne l l Key Key channe channe l l : : Channe Channe l l Id Id ; ;- - - - a a l l l msg l msg t t ypes ypes channe channe lKey lKey : Key : Key Id Id ; ; - - - - NewKey NewKey, , Msg Msg message message : : Msg Msg Id Id ; ; - - - - Msg Msg on on l l y y end ; end ; 2
Recommend
More recommend
