1.31k likes | 1.51k Vues
Security Protocol Specification Languages. Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL – Washington DC http://www.cs.stanford.edu/~iliano/. Scope of this Course. Specification languages for cryptographic protocols Evaluation criteria Anthology of languages
E N D
Security Protocol Specification Languages Iliano Cervesatoiliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL – Washington DC http://www.cs.stanford.edu/~iliano/ FOSAD 2001 – Bertinoro, Italy
Scope of this Course • Specification languages for cryptographic protocols • Evaluation criteria • Anthology of languages • Scientific impact • Extras . . . • Advertisement for MSR Security Protocol Specification Languages
This Course is not about • Cryptography • Applications of crypto-protocols • Taxonomy of • Protocols • Attacks • Tools • Verification Security Protocol Specification Languages
Outline Hour 1: Specification languages Hour 2: MSR Hour 3: The most powerful attacker Hour 4: Reconstructing the intruder Security Protocol Specification Languages
Hour 1 Specification Languages Security Protocol Specification Languages
Hour 1: Outline • Security protocols • Dolev-Yao abstraction • Specification targets • Major specification languages • Origins • Example (Needham-Schroeder) • Properties • Evaluation Security Protocol Specification Languages
Security Protocols • Use cryptographic means to ensure • confidentiality • authentication • non-repudiation, … in distributed/untrusted environment • Applications • e-commerce • trade/military secrets • everyday computing Security goals Security Protocol Specification Languages
Why is Protocol Analysis Difficult? • Subtle cryptographic primitives • Dolev-Yao abstraction • Distributed hostile environment • “Prudent engineering practice” • Inadequate specification languages • … the devil is in details … Security Protocol Specification Languages
Correctness vs. Security [Mitchell] • Correctness: satisfy specifications • For reasonable inputs, get reasonable output • Security: resist attacks • For unreasonable inputs, output not completely disastrous • Main difference • Active interference from the environment Security Protocol Specification Languages
Dolev-Yao Model of Security Bob Alice Network Server Dan Charlie Security Protocol Specification Languages
Dolev-Yao Abstraction • Symbolic data • No bit-strings • Perfect cryptography • No guessing of keys • Public knowledge soup • Magic access to data Security Protocol Specification Languages
Perfect Cryptography • KA-1 is needed to decrypt {M}KA • No collisions • {M1}KA = {M2}KBiff M1 = M2 and KA = KA • … Security Protocol Specification Languages
Public Knowledge Soup • Free access to auxiliary data • Abstracts actual mechanisms • database • subprotocols, … • But … not all data are public • keys • secrets Security Protocol Specification Languages
… pictorially s a ka kb Security Protocol Specification Languages
Why is specification important? good • Documentation • communicate • Engineering • implementation • verification tools • Science • foundations • assist engineering Security Protocol Specification Languages
Languages to Specify What? • Message flow • Message constituents • Operating environment • Protocol goals Security Protocol Specification Languages
Desirable Properties • Unambiguous • Simple • Flexible • Adapts to protocols • Powerful • Applies to a wide class of protocols • Insightful • Gives insight about protocols Security Protocol Specification Languages
Language Families • “Usual notation” • Knowledge logic • BAN • Process theory • FDR, Casper • Spi-calculus • Petri nets • Strands • MSR • Inductive methods • Temporal logic • Automata • NRL Prot. Analizer • CAPSL • Murf Security Protocol Specification Languages
Why so many? • Convergence of approaches • experience from mature fields • unifying problem • scientifically intriguing • funding opportunities • Fatherhood pride Security Protocol Specification Languages
Needham-Schroeder Protocol But … • purely academic • attack subject to interpretation • Devised in ’78 • Broken in ’95 ! Example of weak specification ! Security Protocol Specification Languages
“Usual Notation” A B: {nA, A}kB B A: {nA, nB}kA A B: {nB}kB Security Protocol Specification Languages
How does it do? • Flow • Expected run • Constituents • Side remarks • Environment • Side remarks • Goals • Side remarks • Unambiguous • Simple • Flexible • Powerful • Insightful Security Protocol Specification Languages
BAN Logic[Burrows, Abadi, Needham] • Roots in belief logic • reason about knowledge as prot. unfolds • security: principals share same view • Specification • usual notation • “idealized protocol” • assumptions • Goals • Verification • Logical inference Security Protocol Specification Languages
A B: {nA, A}kB B A: {nA, nB}kA A B: {nB}kB NS: BAN Idealization A B: {nA}kB B A: {A nB BnA}kA A B: {A nA B, B | A nB B nB}kB More readable syntax proposed later Security Protocol Specification Languages
NS: BAN Assumptions • A | kAA • A | kBB • A | #nA • A | A nA B • B | kBB • B | kAA • B | #nB • B | A nB B Security Protocol Specification Languages
NS: BAN Goals • B | A | A nA B • A | B | A nB B Formally derived from BAN rules Security Protocol Specification Languages
How does BAN do? • Flow • Idealized run • Constituents • Assumptions • Environment • Implicit • Goals • BAN formulas • Unambiguous • Simple • Flexible • Powerful • Insightful Security Protocol Specification Languages
CSP [Roscoe, Lowe] • Roots in • process algebra [Hoare] • non-interference • Specification • 1 process for each role • non-deterministic intruder process • Verification • Refinement w.r.t. abstract spec. • FDR: model checker for CSP • Casper: interface to FDR Security Protocol Specification Languages
A B:{nA, A}kB B A: {nA, nB}kA A B:{nB}kB CSP: NS Initiator Init(A, nA) = user.A?B -> I_running.A.B -> comm!Msg1.A.B.encr.key(B).nA.a -> comm.Msg2.B.A.encr.key(A)?nA’.nB -> if nA = nA’ thencomm!Msg3.A.B.encr.key(B).nB -> I_commit.A.B -> session.A.B -> Skip elseStop Responder is similar Security Protocol Specification Languages
CSP : Resp. authentication spec. AR0 = R_running.A.B -> I_commit.A.B -> AR0 A1 = {| R_running.A.B, I_commit.A.B |} AR = AR0 ||| Run (S \ A1) Security Protocol Specification Languages
How does CSP do? • Flow • Role-based • Constituents • Formalized math. • Environment • Explicit • Goals • Abstract spec. • Unambiguous • Simple • Flexible • Powerful • Insightful Security Protocol Specification Languages
Casper Specification of NS #Specification Secret(A, na, [B]) Secret(B, nb, [A]) Agreement(A, B, [na,nb]) Agreement(B,A, [na,nb] #Actual variables Alice, Bob, Mallory: Agent Na, Nb, Nm: Nonce … #Intruder information Intruder = Mallory IntruderKnowledge = {Alice, Bob, Mallory, Nm, PK, SK(Mallory) #Free variables A, B: Agent na, nb : nonce PK : Agent -> PublicKey SK : Agent -> SecretKey InverseKeys = (PK, SK) #Processes INIT(A,na) knows PK, SK(A) RESP(B,nb) knows PK, SK(B) #Protocol description 0. -> A : B 1. A -> B : {na, A}{PK(B)} 2. B -> A : {na, nb}{PK(A)} 3. A -> B : {nb}{PK(B)} Security Protocol Specification Languages
Spi-calculus[Abadi, Gordon] • p-calculus with crypto. Constructs • Specification • 1 process for each role • Instance to be studied • Intruder not explicitly modeled • Verification • Process equivalence to reference proc. Security Protocol Specification Languages
A B:{nA, A}kB B A: {nA, nB}kA A B:{nB}kB Spi: NS Initiator init(A,B,cAB,KB+,KA-) = (nnA) cAB< {|A, nA|}KB+ > . cAB(x) . case x of {|y|}KA- in let (y1,y2) = y in [y1 is nA] cAB< {| y2|}KB+ > . 0 Security Protocol Specification Languages
A B:{nA, A}kB B A: {nA, nB}kA A B:{nB}kB Spi: NS Responder resp(B,A,cAB,KA+,KB-) = cAB(x) . case x of {|y|}KB- in let (y1,y2) = y in [y1 is A] (nnB) cAB< {| y2, nB|}KA+ > . cAB(x’) . case x’ of {|y’|}KB- in [y’ is nB] 0 Security Protocol Specification Languages
Spi: NS Instance inst(A,B,cAB) = (nKA) (nKB) ( init(A,B,cAB,KB+,KA-) | resp(B,A,cAB,KA+,KB-)) Security Protocol Specification Languages
How does Spi do? • Flow • Role-based • Constituents • Informal math. • Environment • Implicit • Goals • Reference proc. • Unambiguous • Simple • Flexible • Powerful • Insightful Security Protocol Specification Languages
Strand Spaces[Guttman, Thayer] • Roots in trace theory • Lamport’s causality • Mazurkiewicz’s traces • Specification • Strands • Sets of principals, keys, … • Verification • Authentication tests • Model checking Security Protocol Specification Languages
A B: {nA, A}kB B A: {nA, nB}kA A B: {nB}kB {nA, A}kB {nA, A}kB {nA, nB}kA {nA, nB}kA {nB}kB {nB}kB Strands Security Protocol Specification Languages
How do Strands do? • Flow • Role-based • Constituents • Informal math. • Environment • Side remarks • Goals • Side remarks • Unambiguous • Simple • Flexible • Powerful • Insightful Security Protocol Specification Languages
Inductive methods[Paulson] • Protocol inductively defines traces • Specification • 1 inductive rule for each protocol rule • Universal intruder based on language • Verification • theorem proving (Isabelle HOL) • Related methods • [Bolignano] Security Protocol Specification Languages
A B: {nA, A}kB B A: {nA, nB}kA A B: {nB}kB IMs: NS NS1 [evs ns; A B; Nonce NAused evs] Says A B {Nonce NA, Agent A} KB# evs ns NS2 [evs ns; A B; Nonce NBused evs; Says A’ B {Nonce NA, Agent A} KBset evs] Says B A {Nonce NA, Nonce NA} KA# evs ns NS3 [evs ns; Says A B {Nonce NA, Agent A} KBset evs; Says B’ A {Nonce NA, Nonce NA} KAset evs] Says A B {Nonce NA} KB# evs ns Security Protocol Specification Languages
IMs: Environment Nil [] ns Fake [evs ns; BSpy; X synth(analz (spies evs))] SaysSpy B X # evs ns synth, analz, spies, … protocol indep. Security Protocol Specification Languages
How do IMs do? • Flow • Trace-based • Constituents • Formalized math. • Environment • Immutable • Goals • Imposs. traces • Unambiguous • Simple • Flexible • Powerful • Insightful Security Protocol Specification Languages
NRL Protocol Analyzer[Meadows] • Roots in automata theory • Specification • 1 finite-state automata for each role • Grammar or words unaccessible to attacker • Verification • Backward state exploration • Theorem proving for finiteness Security Protocol Specification Languages
A B: {nA, A}kB B A: {nA, nB}kA A B: {nB}kB NPA: NS Resp., action 2 Subroutine rec_request(user(B,honest),N,T): If: rcv msg(user(A,H),user(B,honest),[Z],N): verify(pke(privkey(user(B,honest)),Z),(W,user(A,H))), not(verify(W,(W1,W2))): Then: rec_who := user(A,H), rec_self := user(B,honest), rec_gotnonce := W: send msg(user(B,honest),[{rec_self},{rec_who}],N): event(user(B,honest),[user(A,H)],rec_request,[W],N) Security Protocol Specification Languages
How does NPA do? • Flow • Role-based • Constituents • Prolog code • Environment • Explicit • Goals • Unreachable state • Unambiguous • Simple • Flexible • Powerful • Insightful Security Protocol Specification Languages
RTLA [Gray, McLean] • Roots in Temporal Logic (Lamport) • Specification • State components that change during a step • Verification • Proof in temporal logic • Evaluation • Similar to NPA Security Protocol Specification Languages
CAPSL [Millen] • Ad-hoc model checker • Specification • Special-purpose language • Intruder built-in • Implementation • CIL [Denker] -> similar to MSR • Related systems • Murf[Shmatikov, Stern] • ?? [Clarke, Jha, Marrero] Security Protocol Specification Languages
A B: {nA, A}kB B A: {nA, nB}kA A B: {nB}kB CAPSL: NS PROTOCOL NS; VARIABLES A, B: PKUser; Na, Nb: Nonce, CRYPTO ASSUMPTIONS HOLDS A: B; MESSAGES A -> B : {A, Na}pk(B); B -> A : {Na,Nb}pk(A); A -> B : {Nb}pk(B); GOALS SECRET Na; SECRET Nb; PRECEDES A: B | Na; PRECEDES B: A | Nb; END; Security Protocol Specification Languages