310 likes | 981 Vues
Verification of Security Protocols. Sandro Etalle etalle@cs.utwente.nl. Outline. Day 2: Practice analysis of many flawed protocol... ...using the online demo Resources: The online tool, reachable at wwwes.cs.utwente.nl/24cqet The Clark-Jacob library
E N D
Verification of Security Protocols Sandro Etalle etalle@cs.utwente.nl
Outline • Day 2: Practice • analysis of many flawed protocol... • ...using the online demo • Resources: • The online tool, reachable at • wwwes.cs.utwente.nl/24cqet • The Clark-Jacob library • http://citeseer.nj.nec.com/clark97survey.html • www-users.cs.york.ac.uk/~jac/papers/drareviewps.ps
Security Protocols & the Attacks • Otway-Rees • Secrecy+type-flaw attack • Kao-chow • replay-attack • Woo-Lam • authentication+type flaw attack • NSL (as bonus protocol) • auth+type-flaw attack
Otway-Rees Protocol 1. A->B : [M,A,B,[Na,M,A,B]+Kas] 2. B->S : [M,A,B,[Na,M,A,B]+Kas], [Nb,M,A,B]+Kbs 3. S->B : [M, [Na,Kab]+Kas, [Nb,Kab]+Kbs 4. B->A : [M,[Na,Kab]+Kas ] • Aim: key distribution using a trusted server. • Kab: short-term key. • Could be guessed. • Na and Nb serve as challenges.
Attack upon Otway-Rees a.1 A->e(B) : [M,A,B,[Na,M,A,B]+Kas] a.4 e(B)->A : [M,A,B,[Na,M,A,B]+Kas] • Type flaw attack • A takes [M,A,B] to be the key • The intruder just replies the first message. • It is an authentication flaw. • It is also a secrecy flaw (the intruder knows the key, now).
Otway-Rees in the tool initiator(A,B,Na,Nb,M,X,Kas,Kab,[ recv([A,B]), % for origination assumption send([M,A,B,[Na,M,A,B]+Kas]]), recv([M,[Na,Kab]+Kas]), send(X+Kab)]). % another way of checking secrecy responder(A,B,Na,Nb,M,X,Kas,Kab,[ %NOT RELEVANT recv([M,A,B,[Na,M,A,B]+Kas]), send([[M,A,B,[Na,M,A,B]+Kas], [Nb,M,A,B]+Kbs]), recv([[M,Na,Kab]+Kas, [Nb,Kab]+Kbs]), send([M,[Na,Kab]+Kas]), recv(X+Kab) ]).
Otway-Rees in the tool cont’d secrecy(N,[recv(N)]). server(A,B,Na,Nb,M,X,Kas,Kab,[ recv([[M,A,B,[Na,M,A,B]+Kas]]], [Nb,[M,[A,B]]]+Kbs]), send([[M,[Na,Kab]]+Kas, [Nb,Kab]+Kbs])]).
One initiator is enough. And the secrecy check. We could not check secrecy the “usual” way because Kab is not instantiated anywhere (it is given by the server). scenario([[sec1,St],[a,Sa1]]) :- initiator(a,b,na,Nb,m,x,kas,Kab,Sa1), secrecy(x, St). initial_intruder_knowledge([a,b,e]). has_to_finish([sec1]). Scenario
The Attack Output Trace: [a,recv([a,b])] [a,send([m,[a,[b,[na,[m,[a,b]]] + kas]]])] [a,recv([m,[na,[m,[a,b]]] + kas])] [a,send(x + [m,[a,b]])] [sec1,recv(x)]
Kao-Chow authentication Protocol 1. A->S : [A,B,Na] 2. S->B : [A,B,Na,Kab]+Kas,[A,B,Na,Kab]+Kbs, 3. B->A : [A,B,Na,Kab]+Kas,[Na+Kab,Nb] 4. A->B : Nb+Kab • Assumption: Kab is compromised
Attack upon Kao-Chow a.1 A->S : [A,B,Na] a.2 S->B : [A,B,Na,Kab]+Kas, [A,B,Na,Kab]+Kbs a.3 B->A : [A,B,Na,Kab]+Kas,[Na+Kab,Nb] a.4 A->B : Nb+Kab b.2 e(S)->B : [A,B,Na,Kab]+Kas,[A,B,Na,Kab]+Kbs b.3 B->e(A) : [A,B,Na,Kab]+Kas, [Na+Kab,Nb’] b.4 e(A)->B : Nb’+Kab
How it works • Two sessions. • First a normal session is carried out. • We assume the intruder “guesses” Kab. • This is something we have to implement manually. • In a second session, the intruder can impersonate both A and the server S.
Kao-Chow in the tool initiator(A,B,Na,Nb,Kas,Kab,Kbs,[ recv([A,B]), % for origination assumption send([A,[B,Na]]), recv([ [A,[B,[Na,Kab]]]+Kas,[ Na+Kab, Nb ]]), send(Nb+Kab) ]). responder(A,B,Na,Nb,M,Kab,Kbs,[ recv([M, ([A,[B,[Na,Kab]]]+Kbs)]), %M because he cannot decipher it send([M, [ Na+Kab, Nb ]]), recv(Nb+Kab), send(Kab) % we model that the key kab was compromised... ]).
scenario([[a1,Sa1],[a2,Sb1],[a3,Sb2],[s1,Ss1]]) :- initiator(a,b,na,Nb,kas,Kab,Kbs,Sa1), responder(a,b,Na1,nb1,M,Kab1,kbs,Sb1), responder(a,b,Na2,nb2,M2,Kab2,kbs,Sb2), server(a,b,Na3,kas,kab,kbs,Ss1). initial_intruder_knowledge([a,b,e]). has_to_finish([a2,a3]). Scenario • session consisting of: initiator, two responders, one server. • any larger session will do. • If both responders can finish there is certainly an attack.
The Attack Output Trace: [a1,recv([a,b])] [a1,send([a,[b,na]])] [s1,recv([a,[b,na]])] [s1,send([[a,[b,[na,kab]]] + kas,[a,[b,[na,kab]]] + kbs])] [a2,recv([_h381,[a,[b,[na,kab]]] + kbs])] % a variable here [a2,send([_h381,[na + kab,nb1]])] [a1,recv([[a,[b,[na,kab]]] + kas,[na + kab,nb1]])] [a1,send(nb1 + kab)] [a2,recv(nb1 + kab)] [a2,send(kab)] [a3,recv([_h433,[a,[b,[na,kab]]] + kbs])] [a3,send([_h433,[na + kab,nb2]])] [a3,recv(nb2 + kab)] [a3,send(kab)]
Woo-Lam Mutual Authentication Protocol 1. A->B : [A,Na] 2. B->A : [B,Nb] 3. A->B : [A,B,Na,Nb]+Kas 4. B->S : [A,B,Na,Nb]+Kas, [A,B,Na,Nb]+Kbs 5. S->B: [B,Na,Nb,Kab]+Kas,[A,Na,Nb,Kab]+Kbs 6. B->A: [B,Na,Nb,Kab]+Kas, [Na,Nb]+Kab 7. A->B: Nb+Kab
Attack upon Woo-Lam a.1 e(A)->B : [A,B] a.2 B->e(A) : [B,Nb] a.3 e(A)->B : [A,B,B,Nb]+Kes a.4 B->e(S) : [A,B,B,Nb]+Kes, [A,B,B,Nb]+Kbs b.1 e(A)->B : [A,Nb] b.2 B->e(A) : [B,Nb' ] b.3 e(A)->B : [A,B,Nb,Nb' ]+Kes b.4 B->e(S) : [A,B,Nb,Nb' ]+Kes,[A,B,Nb,Nb' ]+Kbs a.5 e(S)->B: [B,B,Nb,Nb' ]+Kes,[A,B,Nb,Nb' ]+Kbs a.6 B->e(A): [B,B,Nb,Nb' ]+Kes,[ B,Nb]+Nb' a.7 e(A)->B: Nb+Nb'
Comments • There is one complete session and one incomplete session. • Which agents do we actually have to implement to find this attack?
responder(A,B,Na,Nb,Kab,Kas,Kbs,[ recv([A,B]), % for origination assumption recv([A,Na]), send([B,Nb]), recv([A,[B,[Na,Nb]]]+Kas), send([([A,[B,[Na,Nb]]]+Kas), ([A,[B,[Na,Nb]]]+Kbs) ]), recv([([B,[Na,[Nb,Kab]]]+Kas), ([A,[Na,[Nb,Kab]]]+Kbs) ]), send([([B,[Na,[Nb,Kab]]]+Kas), ([Na,Nb]+Kab) ]), recv(Nb+Kab) ]). One Responder will do:Woo-Lam in the Tool
scenario([[b1,Sb1],[b2,Sb2]]) :- responder(a,b,Na1,nb1,Kab1,Kas,kbs,Sb1), responder(a,b,Na2,nb2,Kab2,Kas,kbs,Sb2). initial_intruder_knowledge([a,b,e]). has_to_finish([b1]). The definition of the responder is sufficient, but we need two responders here. If one of the two finishes, there is certainly an attack. RULE: if a role can finish when no corresponding role is defined we are in certainly presence of an authentication problem. Scenario
The Attack Output (after 30s!) Trace: [b1,recv([a,b])] [b1,recv([a,b])] [b1,send([b,nb1])] [b1,recv([a,[b,[b,nb1]]] + _h97)] [b1,send([[a,[b,[b,nb1]]] + _h97,[a,[b,[b,nb1]]] + kbs])] [b2,recv([a,b])] [b2,recv([a,nb1])] [b2,send([b,nb2])] [b2,recv([a,[b,[nb1,nb2]]] + _h97)] [b2,send([[a,[b,[nb1,nb2]]] + _h97,[a,[b,[nb1,nb2]]] + kbs])] [b1,recv([[b,[b,[nb1,nb2]]] + _h97,[a,[b,[nb1,nb2]]] + kbs])] [b1,send([[b,[b,[nb1,nb2]]] + _h97,[b,nb1] + nb2])] [b1,recv(nb1 + nb2)]
Exercises • Explain the attack in the Woo-Lam protocol. • Say why it is a type flaw attack. • Implement and find the flaw of the Needham-Schroeder with Conventional keys (see Clark-Jacob Survey). • Implement and find the flaw of the Yahalom protocol (see Clark-Jacob Survey). • Write a small article over how to find security bugs in protocols using the COProVe tool.
1. A->B : [A,Na]*pk(B) 2. B->A : [Na,Nb,B]*pk(A) 3. A->B : Nb*pk(B) Corrected version of the other one. Still contains an (unrealistic) flaw Extra: Needham-Schroeder-Lowe Protocol
a.1 A->e(B) : [A,Na]*pk(B) a.1' e(A)->B : [A,e]*pk(B) a.2 B->e(A) : [e,Nb,B]*pk(A) b.1 e->A : [e, [Nb,B] ]*pk(A) b.2 A->e: [[Nb,B], Na' ,A] *pk(e) Message a.2 is passed as b.1. Notice that a.2 has three fields, while b.1 has two. It is a type flaw attack. Rather unrealistic. Attack upon NSL
NSL in the tool initiator(A,B,Na,Nb,[ recv([A,B]), % for origination assumption send([A,Na]*pk(B)), recv([Na,[Nb,B]]*pk(A)), send(Nb*pk(B)) ]). responder(A,B,Na,Nb,[ recv([A,Na]*pk(B)), send([Na,[Nb,B]]*pk(A)), recv(Nb*pk(B)) ]). secrecy(N,[recv(N)]).
Scenario scenario([[a1,Sa],[a2,Sb],[a3,Sa2],[b1,Sb2],[sec1,St]]):- initiator(a,b,na,Nb,Sa), responder(a,b,Na,nb,Sb), initiator(A1,B1,na2,Nb2,Sa2), responder(A2,B2,Na2,nb2,Sb2), secrecy(nb,St). initial_intruder_knowledge([a,b,e]). has_to_finish([sec1]).
NSL output Trace: [a1,recv([a,b])] [a1,send([a,na] * pk(b))] [a2,recv([a,e] * pk(b))] [a2,send([e,[nb,b]] * pk(a))] [a3,recv([_h414,e])] [a3,send([_h414,na2] * pk(e))] [a3,recv([na2,[_h416,e]] * pk(_h414))] [a3,send(_h416 * pk(e))] [b1,recv([e,[nb,b]] * pk(a))] [b1,send([[nb,b],[nb2,a]] * pk(e))] [a2,recv(nb * pk(b))] [b1,recv(nb2 * pk(a))] [sec1,recv(nb)]