An Executable Model for JFKr

Slides:



Advertisements
Similar presentations
Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Advertisements

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
IPsec – IKE CS 470 Introduction to Applied Cryptography
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
Session 4 Asymmetric ciphers.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Just Fast Keying (JFK) Protocol 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall
Internet Security CSCE 813 IPsec. CSCE Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Rachana Y. Patil 1 1.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
6 June Lecture 2 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,
Protocol Analysis. CSCE Farkas 2 Cryptographic Protocols Two or more parties Communication over insecure network Cryptography used to achieve goal.
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.
Model Checking for Security Protocols Will Marrero, Edmund Clarke, Shomesh Jha.
@Yuan Xue 285: Network Security CS 285 Network Security Digital Signature Yuan Xue Fall 2012.
Trusted Component Deployment Trusted Components Bernd Schoeller January 30 th, 2006.
Security Handshake Pitfalls. Client Server Hello (K)
On the (im)possibility of perennial message recognition protocols without public-key cryptography Peeter Laud Cybernetica AS & University of Tartu
Chapter 5 Network Security Protocols in Practice Part I
Web Applications Security Cryptography 1
최신정보보호기술 경일대학교 사이버보안학과 김 현성.
Reviews Rocky K. C. Chang 20 April 2007.
Symmetric and Asymmetric Encryption
Symmetric Cryptography
Protocol Analysis.
CSE 4905 IPsec II.
Cryptographic Hash Function
Public Key Encryption Systems
CS480 Cryptography and Information Security
Public Key Encryption and Digital Signatures
Public-key Cryptography
Security Protocols Analysis
Fundamental Concepts in Security and its Application Cloud Computing
Encryption
Presented by: Dr. Munam Ali Shah
Just Fast Keying (JFK) Protocol
Cryptography Basics and Symmetric Cryptography
Efficient CRT-Based RSA Cryptosystems
The Inductive Approach to Verifying Cryptographic Protocols
Man in the Middle Attacks
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Asymmetric Cryptography
Security through Encryption
CS Introduction to Operating Systems
Practical Aspects of Modern Cryptography
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
Application to a “real-world” protocol
Security Analysis of Network Protocols
An Executable Model for Security Protocol JFKr
Key Management Network Systems Security
Key Establishment Protocols ~
Date:2011/09/28 報告人:向峻霈 出處: Ren-Chiun Wang  Wen-Shenq Juang 
Lecture 10: Network Security.
CDK: Chapter 7 TvS: Chapter 9
Topic 13: Message Authentication Code
Chapter 29 Cryptography and Network Security
Formal Methods for Security Protocols
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Public Key Encryption Systems
Chapter 8 roadmap 8.1 What is network security?
ITIS 6200/8200 Chap 5 Dr. Weichao Wang.
Presentation transcript:

An Executable Model for JFKr An ACL2 approach to key-establishment protocol verification Presented by: David Rager November 22, 2004 January 11, 2019

About ACL2 J S Moore and Matt Kaufmann ACL2 - A Computational Logic for Applicative Common Lisp Applicative – functional Hierarchical Prove lemmas to prove larger theorems Doubles as an executable model January 11, 2019

Diffie-Helman Model based off a state containing a list of “knowledge” From “knowledge” compute diffie-helman components From diffie-helman components, show: Forward secrecy - yes Authentication - no Replay Attack - yes DoS - no ID Protection - no January 11, 2019

Basic DH Model Parts If an actor has neither of the two nonces used in a DH computation, it can not derive the DH key. An intruder does not begin with either of the two relevant nonces. Nonces are not released during the communication (requires induction). Since nonces are not released during communication and the intruder has neither of the two relevant nonces, the intruder can not obtain the DH key Should be easy January 11, 2019

Knowledge-state Attempt #1 Contained redundant data Should trim to basic building blocks '((A (nonce a) (exp (nonce g) (nonce a)) (exp (nonce g) (nonce b)) (exp (nonce g) (mult (nonce a) (nonce b)))) (B (nonce b) (I (exp (nonce g) (nonce a)) (exp (nonce g) (nonce b)))) January 11, 2019

Knowledge-state Attempt #2 ‘( ;; I is for initiator (I (nonce x) (base g) (mod b) (term (mod (exp g y) b)))) ;; R is for Responder (R (nonce y) (term (mod (exp g x) b)))) ;; N is for intruder (N (base g) (term (mod (exp g x) b))) (term (mod (exp g y) b))))) The need to move forward preempted developing this more January 11, 2019

Onto JFKr I R Ni, xi Ni, Nr, xr, gr, tr Ni, Nr, xi, xr, tr, ei, hi xi=gdi If initiator knows group g in advance I R xr=gdr DH group tr=hashKr(xr,Nr,Ni,IPi) Same dr for every connection Ni, Nr, xr, gr, tr xidr=xrdi=x Ka,e,v=hashx(Ni,Nr,{a,e,v}) derive a set of keys from shared secret and nonces Ni, Nr, xi, xr, tr, ei, hi ei=encKe(IDi,ID’r,sai,sigKi(Nr,Ni,xr,xi,gr)) hi=hashKa(“i”,ei) er, hr “hint” to responder which identity to use check integrity before decrypting er=encKe(IDr,sar,sigKr(xr,Nr,xi,Ni)) hr=hashKa(“r”,er) real identity of the responder January 11, 2019 [Aiello et al.] and Shmatikov

JFKr Properties Secrecy (via DH like key agreement) Prevention of DoS (via cookie) Forward secrecy (use of nonce for randomization) Authentication (public/private key signatures) ID Protection (ID not revealed until protocol nearing completion) January 11, 2019

What I Did Executable model 1200 lines of ACL2 code Relatively low global constant usage January 11, 2019

Capturing Perfect Cryptography First idea: Make all knowledge broadcast in previous transmissions a constant > 100 Make all private knowledge < 100 Show that the attacker never gains something < 100 January 11, 2019

Capturing Perfect Cryptography Second idea: Assign a probability threshold for what is acceptable Requires tracking probability of a “crack” cumulatively Could use to show mathematical weakness in encryption schemes January 11, 2019

Capturing Perfect Cryptography Third idea: Create generic functions “encapsulated” together with some other functions These functions don’t begin with any definitions Through instantiation of the function set, can prove that there exist functions that satisfy certain properties Useful for specifying mysterious properties like keyed-hash and digital signatures Can specify “perfect” encryption None of these ideas were actually used by me January 11, 2019

Capturing Perfect Cryptography My Version: Computed a hash of an integer list: Signatures similar Symmetric keys modeled with one + key value Encryption was an addition operation and decryption was a subtraction operation Asymmetric keys modeled with +/- key values Encryption and decryption were same + for encryption - for decryption (defun compute-hash (int-list key acc) (if (atom int-list) acc (compute-hash (cdr int-list) key (* key (+ acc (car int-list)))))) January 11, 2019

Main Function Uses “honest” participants Chose to make it an explicit calling of recursion instead of a case statement (defun run-honest (network-s initiator-s responder-s) (mv-let (network-s-after-1 initiator-s-after-1) (step1-honest network-s initiator-s) (network-s-after-2 responder-s-after-2) (step2-honest network-s-after-1 responder-s) … left out part so it would fit … (network-s-after-5 initiator-s-after-5) (step5-honest network-s-after-4 initiator-s-after-3) (network-s-after-6 responder-s-after-6) (step6-honest network-s-after-5 responder-s-after-4) (mv network-s-after-6 initiator-s-after-5 responder-s-after-6)))))))) January 11, 2019

A Simple Honest Step Function ; doesn't matter who responder is (defun step1-honest (network-s my-s); resp-s) ; doesn't matter who responder is (let* ((Ni (nonce-mine my-s)) (Xi (compute-public-dh-value *g* (dh-exponent my-s) *b*)) ;; updates are alists (network-update (list (cons 'Ni Ni) (cons 'Xi Xi) (cons 'Src-ip (ip my-s)))) (my-update (list (cons 'cost-cpu (+ (cost-cpu my-s) 1)) (cons 'cost-mem (+ (cost-mem my-s) 1)) (cons 'public-dh-value-mine Xi) (cons 'role 'initiator)))) (mv (acons 1 network-update network-s) (append my-update my-s)))) January 11, 2019

A Simple Dishonest Step Function (defun step1-dishonest (network-s my-s) ; doesn't matter who responder is (let* ((Ni -1) (Xi -1) (Src-ip (ip my-s)) ;; updates are alists (network-update (list (cons 'Ni Ni) (cons 'Xi Xi) (cons 'Src-ip Src-ip))) (my-update (list (cons 'cost-cpu (+ (cost-cpu my-s) 0)) (cons 'cost-mem (+ (cost-mem my-s) 0))))) (mv (acons 1 network-update network-s) (append my-update my-s)))) January 11, 2019

A More Complex Step Function… ;; responder is processing and sending message (defun step2-honest (network-s my-s) (let* ((Ni (ni-msg1 network-s)) (Nr (nonce-mine my-s)) (Src-ip (Src-ip-msg1 network-s)) ;;(Xi (xi-msg1 network-s)) (Xr (compute-public-dh-value *g* (dh-exponent my-s) *b*)) (Gr *g*) (Tr (compute-hash (list Xr Nr Ni src-ip) (private-key my-s) 0)) (network-update (list (cons 'Ni Ni) (cons 'Nr Nr) (cons 'Xr Xr) (cons 'Gr Gr) (cons 'Tr Tr) (cons 'src-ip (ip my-s)))) ;; no real update to my state, since I'm throwing it away - stateless (my-update (list (cons 'cost-cpu (+ (cost-cpu my-s) 2)) (cons 'cost-mem (+ (cost-mem my-s) 0)) (cons 'public-dh-value-mine Xr)))) (mv (acons 2 network-update network-s) (append my-update my-s)))) January 11, 2019

Example Script: (defconst *initiator-beg-state* (list (cons 'nonce-mine *initiator-nonce*) (cons 'dh-exponent *initiator-dh-exponent*) (cons 'ip *initiator-ip*) (cons 'private-key *initiator-private-key*) (cons 'cost-cpu 0) (cons 'cost-mem 0) (cons 'id-mine *initiator-id*) (cons 'sa-mine *initiator-sa*))) RESULTS: (((1 (NI . 200) (XI . 202942) (SRC-IP . 100001))) ((COST-CPU . 1) (COST-MEM . 1) (PUBLIC-DH-VALUE-MINE . 202942) (ROLE . INITIATOR) (NONCE-MINE . 200) (DH-EXPONENT . 5091) (IP . 100001) (PRIVATE-KEY . 12481) (COST-CPU . 0) (COST-MEM . 0) (ID-MINE . 50) (SA-MINE . 412))) (step1-honest nil *initiator-beg-state*) January 11, 2019

DOS Non-deterministic Function (defun run-dos-interleaved (network-s initiator-s responder-s) (mv-let (network-s-after-1 initiator-s-after-1) (if (evenp (random-int)) (step1-dishonest network-s initiator-s) (step1-honest network-s initiator-s)) (network-s-after-2 responder-s-after-2) (step2-honest network-s-after-1 responder-s) (mv network-s-after-2 initiator-s-after-1 responder-s-after-2)))) January 11, 2019

Mem DoS Thm Currently proves in 60 seconds. (defthm run-dos-interleaved-mem-safe-generic (implies (and (beginning-statep initiator-s) (beginning-statep responder-s)) (mv-let (network init resp) (run-dos-interleaved nil initiator-s responder-s) (declare (ignore network)) (and (<= (cost-mem resp) (cost-mem init))))) :hints (("Goal" :in-theory (disable DH-EXPONENT ID-MINE IP NONCE-MINE PRIVATE-KEY SA-MINE)))) Currently proves in 60 seconds. January 11, 2019

Future Work Model man in the middle attack Form encapsulate functions for perfect encryption Prove termination of the protocol If JFKr terminates for both parties, then they agree on the key One party terminates iff the other party terminates January 11, 2019

Conclusions Showed safety from memory DoS attacks Separation of actor states allows better inductive reasoning ACL2 proficiency increased January 11, 2019

Resources Davis, Jared for ACL2 help. Kaufmann, Matt and Moore, J Strother. ACL2 FAQ. 2004. Levy, Benjamin (translator). Diffie-Helman Method for Key Agreement. 1997. Paulson, Lawrence C. Proving Properties by Induction. 1997. Shmatikov, Vitaly. Just Fast Keying. 2004. January 11, 2019

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.