1 / 31

Analysis of Security Protocols (III)

Analysis of Security Protocols (III). John C. Mitchell Stanford University. Analyzing Security Protocols. Non-formal approaches (can be useful, but no tools…) Some crypto-based proofs [Bellare, Rogaway] BAN and related logics Axiomatic semantics of protocol steps

colista
Télécharger la présentation

Analysis of Security Protocols (III)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Analysis of Security Protocols (III) John C. Mitchell Stanford University

  2. Analyzing Security Protocols • Non-formal approaches (can be useful, but no tools…) • Some crypto-based proofs [Bellare, Rogaway] • BAN and related logics • Axiomatic semantics of protocol steps • Methods based on operational semantics • Intruder model derived from Dolev-Yao • Protocol gives rise to set of traces • Perfect encryption • Possible to include known algebraic properties

  3. Example projects and tools • Prove protocol correct • Paulson’s “Inductive method”, others in HOL, PVS, etc. • Bolignano -- Abstraction methods • MITRE -- Strand spaces • Process calculus approach: Abadi-Gordon spi-calculus • Search using symbolic representation of states • Meadows: NRL Analyzer, Millen: Interrogator • Exhaustive finite-state analysis • FDR, based on CSP [Lowe, Roscoe, Schneider, …] • Mur -- specialized input language • Clarke et al. -- state search with axiomatic intruder model

  4. Explicit Intruder Method Informal Protocol Description Formal Protocol Intruder Model Analysis Tool Gee whiz. Looks OK to me.

  5. Formal Logic (      ) Proof search (Horn clause) Multiset rewriting Finite Automata Process Calculus A notation for inf-state systems • Define protocol, intruder in minimal framework • Disadvantage: need to introduce new notation

  6. Protocol Notation • Non-deterministic infinite-state systems • Facts F ::= P(t1, …, tn) t ::= x | c | f(t1, …, tn) • States { F1, …, Fn } • Multiset of facts • Includes network messages, private state • Intruder will see messages, not private state Multi-sorted first-order atomic formulas

  7. State Transitions • Transition • F1, …, Fkx1 … xm. G1, … , Gn • What this means • If F1, …, Fkin state , then a next state ’ has • Facts F1, …, Fk removed • G1, … , Gnadded, with x1 … xm replaced by new symbols • Other facts in state  carry over to ’ • Free variables in rule universally quantified • Pattern matching in F1, …, Fkcan invert functions

  8. Finite-State Example a • Predicates:State, Input • Function: • Constants:q0, q1, q2, q3, a, b, nil • Transitions:State(q0), Input(a  x)  State(q1), Input(x) State(q0), Input(b  x)  State(q2), Input(x) ... a q1 b a q0 b q3 b a b q2 b

  9. Existential Quantification • Natural-deduction proof rule [y/x] ( elim) x.   • Summary: for proof from x., choose new symbol and proceed from [y/x] y not free in any other hypothesis

  10. Turing Machine • Predicates • Current(state,cell)-- current state, tape pos. • Contents(cell, symbol)-- contents of tape cell • Adjacent(cell, cell)-- keep cells in order • Constants • q0, q1, q2, …-- finite set of states • c0, ceot-- initial tape cells • “0”, “1”, “b”-- tape symbols

  11. Turing Machine (II) • Transitions • Adjacent(c0, ceot) • Adjacent(c, ceot)  c’. Adjacent(c,c’), Adjacent(c’,ceot) • Current(qi,c), Contents(c,“0”), Adjacent(c,c’)  Current(qk,c’), Contents(c,“1”), Adjacent(c,c’) • Current(qi,c), Contents(c,“1”), Adjacent(c’,c)  Current(qk,c’),Contents(c,“0”), Adjacent(c,c’) ... c eot ... c c’ eot infinite linear tape sample move right sample move left

  12. Simplified Needham-Schroeder • Predicates Ai, Bi, Ni --Alice, Bob, Network in state i • Transitions x. A1(x) A1(x)  N1(x), A2(x) N1(x)  y. B1(x,y) B1(x,y)  N2(x,y), B2(x,y) A2(x), N2(x,y)  A3(x,y) A3(x,y)  N3(y), A4(x,y) B2(x,y), N3(y)  B3(x,y) picture next slide A  B: {na, A}Kb B  A: {na, nb}Ka A  B: {nb}Kb • Authentication A4(x,y)  B3(x,y’)  y=y’

  13. A  B: {na, A}Kb B  A: {na, nb}Ka A  B: {nb}Kb Sample Trace A1(na) x. A1(x) A1(x)  A2(x), N1(x) N1(x)  y. B1(x,y) B1(x,y)  N2(x,y), B2(x,y) A2(x), N2(x,y)  A3(x,y) A3(x,y)  N3(y), A4(x,y) B2(x,y), N3(y)  B3(x,y) N1(na) A2(na) B1(na, nb) A2(na) N2(na, nb) B2(na, nb) A2(na) B2(na, nb) A3(na, nb) N3(nb) B2(na, nb) A4(na, nb) B3(na, nb) A4(na, nb)

  14. Common Intruder Model • Derived from Dolev-Yao model [1989] • Adversary is nondeterministic process • Adversary can • Block network traffic • Read any message, decompose into parts • Decrypt if key is known to adversary • Insert new message from data it has observed • Adversary cannot • Gain partial knowledge • Guess part of a key • Perform statistical tests, …

  15. Formalize Intruder Model • Intercept and remember messages N1(x)  M(x) N2(x,y)  M(x), M(y) N3(x)  M(x) • Send messages from “known” data M(x)  N1(x), M(x) M(x), M(y)  N2(x,y), M(x), M(y) M(x)  N3(x), M(x) • Generate new data as needed x. M(x) Highly nondeterministic, same for any protocol

  16. Attack on Simplified Protocol A1(na) x. A1(x) A1(x)  A2(x), N1(x) N1(x)  M(x) x. M(x) M(x)  N1(x), M(x) N1(x)  y. B1(x,y) N1(na) A2(na) A2(na) M(na) A2(na) M(na), M(na’) N1(na’) A2(na) M(na), M(na’) A2(na) M(na), M(na’) B1(na’, nb) Continue “man-in-the-middle” to violate specification

  17. Modeling Perfect Encryption • Encryption functions and keys • For public-key encryption • two key sorts: e_key, d_key • predicate Key_pair(e_key, d_key) • Functions enc :e_key  msg -> msg dec :d_key  msg -> msg (implicit in pattern-matching) • Properties of this model • Encrypt, decrypt only with appropriate keys • Only produce enc(key, msg) from key and msg (!!!) • This is not true for some encryption functions

  18. Steps in public-key protocol • Bob generates key pair and publishes • e_keyu. d_keyv. Bob1(u,v) • Bob1(u,v)NAnnounce(u),Bob2(u,v) • Alice sends encrypted message to Bob • Alice1(e,d,x), NAnnounce(e’)Alice2(e,d,x,e’) • Alice2(e,d,x,e’) N1(enc(e’,x,e)), Alice3(u,v,x,w) • Bob decrypts • Bob1(u,v), N1(enc(u, x,y))z. Bob1(u,v,x,y,z)

  19. Intruder Encryption Capabilities • Intruder can encrypt with encryption key • Me(k), Mdata(x)  Ni(enc(k,x)), Me(k), Mdata(x) • Intruder can decrypt with decryption key • Nj(enc(k,x)),Key_pair(k,k’), Md(k’),  Mdata(x), ... • Add to previous intruder model Assumes sorts data, e_key, d_key with typed predicates Mdata(data), Me(e_key), Md(d_key)

  20. Intruder: power and limitations • Can find some attacks • Needham-Schroeder by exhaustive search • Other attacks are outside model • Interaction between protocol and encryption • Some protocols cannot be modeled • Probabilistic protocols • Steps that require specific property of encryption • Possible to prove erroneous protocol correct • Requires property that crypto does not provide

  21. Optimize Protocol + Intruder • Adversary receives all messages; no net • Replace • Alicei(x,y)  Nj(x), Alicek(x,y) • Nj(x)  M(x) • M(z)  Nj(z), M(z) • Nj(x), Bobi(w)  Bobj(w,y) • By • Alicei(x,y)  M(x), Alicek(x,y) • M(z), Bobi(w)  Bobj(w,y) Alice’s message can go to Bob or M. M can replay or send different msg All messages go directly to M. M can forward or send different msg

  22. Analysis of Protocol+Intruder • Prove properties of protocols • Unbounded # of participants, message space • Prove that system satisfies specification • Paulson, etc: prove invariant holds at all reachable states • Spi-calculus: prove protocol equivalent ideal protocol • Symbolic search with pruning • Search backward from error • Prune search by proving forward invariants • Exhaustive finite-state methods • Approximate infinite-state system by finite one • Search all states, perhaps with optimizations

  23. Example description languages • First- or Higher-order Logic • Define set of traces, prove protocol correct • Horn-clause Logic x… (A1A2 …  B) • Symbolic search methods • Process calculus • FDR model checker based on CSP • Spi-calculus proof methods based on pi-calculus • Additional formalisms • CAPSL protocol description language [Millen] • Mur language for finite-state systems

  24. Paulson’s Inductive Method • Define set TR of traces of protocol+intruder • Similar to traces in unifying formalism • Transition F1, …, Fkx1 … xm. G1, … , Gn gives one way of extending trace • Auxiliary functions mapping traces to sets • Analz(trace) = data visible to intruder • Synth(trace) = messages intruder can synthesize • Definitions and proofs use induction • Similar inductive arguments for many protocols

  25. Symbolic Search Methods • Examples: NRL Protocol Analyzer, Interrogator • Main idea • Write protocol as set of Horn clauses • Transition F1, …, Fkx1 … xm. G1, … , Gn can be Skolemized and translated to Prolog clauses • Search back from possible error for contradiction • This is usual Prolog refutation procedure • Important pruning technique • Prove invariants by forward reasoning • Use these to avoid searching unreachable states

  26. Process Calculus Description • Protocol defined by set of processes • Each process gives one step of one principal • Can derive by translation from unifying notation • F1, …, Fkx1 … xm. G1, … , Gn is one process • Replace predicates by port names • Replace pattern-matching by explicit destructuring • In pi-calculus, use  in place of  • Example • B1(x,y) N2(x,y), B2(x,y) • b1(p). let x=fst(p) and y=snd(p) in n2x,y| b2 x,y end

  27. Spi-Calculus [AG97, ...] • Write protocol in process calculus • Express security using observ. equivalence • Standard relation from programming language theory P  Q iff for all contexts C[ ], same observations about C[P] and C[Q] • Context (environment) represents adversary • Use proof rules for  to prove security • Protocol is secure if no adversary can distinguish it from an idealized version of the protocol

  28. Finite-state methods • Two sources of infinite behavior • Many instances of participants, multiple runs • Message space or data space may be infinite • Finite approximation • Transitions: F1, …, Fkx1 … xm. G1, … , Gn choose fixed number of Skolem constants • Terms: restrict repeated functions f(f(f(f(x)))) • Can express finite-state protocol + intruder in • CSP : FDR-based model checking projects • Other notations: Mur project, Clarke et al., ...

  29. Security Protocols in Mur • Standard “benchmark” protocols • Needham-Schroeder, TMN, … • Kerberos • Study of Secure Sockets Layer (SSL) • Versions 2.0 and 3.0 of handshake protocol • Include protocol resumption • Discovered all known or suspected attacks • Recent work on tool optimization [Shmatikov, Stern, ...]

  30. Malleability [Dolev,Dwork,Naor] • Idealized assumption • If intruder produces Network(enc(k,x)) then either • Network(enc(k,x))  M (enc(k,x)) (replay) • M(k), M(x)  M (enc(k,x))(knows parts) • Not true for RSA • encrypt(k,msg) = msgk mod N • property encr(x*y) = encr(x) * encr(y) • Model • Network(enc(k,x))  M (…) ...  Network (enc(k,c*x)) Can send encrypted message without “knowing” message Finite state ?

  31. Authentication and Secrecy for Handshake Protocols • How many protocols are there to verify? • Average length 7 steps • Data fields per message 5 fields • Distinct ways to fill a field  50 entries • Number of possible combinations 1750 protocols • Research directions • Get the monkeys and typewriters going • Easier description and specification, faster tools • Improved analysis of timestamps, ... • Interaction between protocol and crypto primitives

More Related