230 likes | 329 Vues
Explore the Needham-Schroeder Protocol from 1996, focusing on perfect encryption, intruders' abilities, security properties, atomic messages handling, and principals' actions. Learn about the model checking algorithm, verification, attacks, and maintaining global state security.
E N D
Model Checking for Security Protocols Will Marrero, Edmund Clarke, Shomesh Jha
Needham-Schroeder Protocol (circa 1996) • Purpose: Authenticate Participants
Assumptions • Perfect Encryption • The decryption key must be known to encrypt • No encryption collisions • Proof offer no protection from poor encryption implementation!
Intruder’s Ability • Interception • Ex: • Impersonation • Ex: • Legitimate Participant • Ex: • Compromise Temporary Secrets • But those secrets should not be revealed by protocol
Security Properties • Secrecy • Tracked by two sets in global state • Correspondence • “If A believes it has completed two protocol runs with principal B, then principal B must have at least begun two protocol runs with principal A.” • Tracked by counters in global state
Atomic Messages • Keys • Ex: • Principal Names • Ex: A, B, I • Nonces • Ex: • Data
Messages and Atomic Messages • Given A a set of atomic messages, M the set of all messages is defined inductively:
Closure of Messages • Let be a subset of messages • The closure of is defined by: (pairing) (projection) (encryption) (decryption)
Principals • A 4-Tuple • N the name of the principal • p a process given as a sequence of actions to be performed • is a set of known messages, generally infinite, but from a finite generator set. • B a set of bindings from variables in p to messages in I
Initial Knowledge • For the intruder
Global State • A 5-Tuple • is the product of the individual principals (including the intruder) • difference between number of times A has initiated a protocol and the number of times B has finished responding • difference between number of times A has begun responding and the number of times B has finished initiating
Global State Continued • A 5-Tuple • a set of safe secrets. Remains constant. • a set of temporary secrets. New secrets generated during the run of the protocol. • The last four values check security constraints.
NEWNONCE(var) NEWSECRET(var) Internal Actions
Internal Actions • GETSECRET(val) – Intruder Only
Internal Actions • A calls BEGINIT(B), • B calls ENDRESPOND(A) • BEGRESPOND/ENDINIT • Symmetric on
Communication Actions • Send and receives are synchronized • A process can only send a message if it unifies with a receive message • Sender must be able to sculpt a message that matches all existing bindings and expectations • How does the intruder sculpt such a message?
Finding a needle in a haystack • Decidability of when is probably infinite? • Normalized Derivation: (pairing) (projection) (encryption) (decryption) Expanding Rules Shrinking Rules
Normalized Derivation • Following algorithm is guaranteed to terminate and decide : Start with a generator set Apply all possible shrinking rules Try all possible sequences of expanding rules until word size is equal to s • Proves existence
An Efficient Approach • When adding a message to I in : Apply all possible shrinking rules Remove ‘redundant messages’ Result is minimal generator • Can recursively attempt to build
Verification and Attack • The lack of correspondence trace reveals the following attack: