University of Twente The Netherlands Centre for Telematics and Information Technology Verification of Security Protocols Sandro Etalle

Slides:



Advertisements
Similar presentations
Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Advertisements

Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.
AUTHENTICATION AND KEY DISTRIBUTION
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
University of Twente The Netherlands Centre for Telematics and Information Technology Verification of Security Protocols Sandro Etalle
University of Twente The Netherlands Centre for Telematics and Information Technology Design, Analysis and Verification of Security Protocols Ricardo Corin.
University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.
5 June Lecture 1 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
1 Lecture 3 The CSP approach to the specification and analysis of Security protocols Communicating Sequential Processes [Hoare 78] Mathematical framework.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.
1 Protocols are programs too The meta-heuristic search for security protocols By John A. Clark.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,
Security 2 Distributed Systems Lecture# 15. Overview Cryptography Symmetric Assymeteric Digital Signature Secure Digest Functions Authentication.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols a gzipped.
Computer Science Public Key Management Lecture 5.
Sorting Out Digital Certificates Bill blog.codingoutloud.com ··· Boston Azure ··· 13·Dec·2012 ···
Programming Satan’s Computer
Cryptography, Authentication and Digital Signatures
Formal Analysis of Security Protocols Dr. Changyu Dong
BAN LOGIC Amit Chetal Monica Desai November 14, 2001
A Survey of Authentication Protocol Literature: Version 1.0 Written by John Clark and Jeremy Jacob Presented by Brian Sierawski.
Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.
Security protocols and their verification Mark Ryan University of Birmingham Midlands Graduate School University of Birmingham April 2005 Steve Kremer.
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
Week 4 - Wednesday.  What did we talk about last time?  RSA algorithm.
1 Cryptography NOTES. 2 Secret Key Cryptography Single key used to encrypt and decrypt. Key must be known by both parties. Assuming we live in a hostile.
Automatic Analysis of Security Protocols using SPASS by Christoph Weidenbach.
CSCE 813 Internet Security Cryptographic Protocol Analysis.
Introduction to Problem Solving. Steps in Programming A Very Simplified Picture –Problem Definition & Analysis – High Level Strategy for a solution –Arriving.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
Digital Signatures, Message Digest and Authentication Week-9.
Correctness Proofs and Counter-model Generation with Authentication-Protocol Logic Koji Hasebe Mitsuhiro Okada Department of Philosophy, Keio University.
6 June Lecture 2 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
Authentication. Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0: Alice says “I am Alice” Failure scenario?? “I am Alice”
Network Protocols Network Systems Security Mort Anvari.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
HACNet Simulation-based Validation of Security Protocols Vinay Venkataraghavan Advisors: S.Nair, P.-M. Seidel HACNet Lab Computer Science and Engineering.
1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
Model Checking for Security Protocols Will Marrero, Edmund Clarke, Shomesh Jha.
Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.
Cryptography CS 555 Topic 34: SSL/TLS.
Formal Methods for Security Protocols
Security attacks.
CS480 Cryptography and Information Security
Security Protocols Analysis
The Inductive Approach to Verifying Cryptographic Protocols
Man in the Middle Attacks
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
Security Analysis of Network Protocols
CDK: Chapter 7 TvS: Chapter 9
Formal Methods for Security Protocols
Outline Designing secure protocols Basic protocols Key exchange
Presentation transcript:

University of Twente The Netherlands Centre for Telematics and Information Technology Verification of Security Protocols Sandro Etalle

University of Twente The Netherlands Centre for Telematics and Information Technology Outline  Day 1: Practice Using the tool we developed in Twente  Day 2: Theory the constraint-solving algorithm

University of Twente The Netherlands Centre for Telematics and Information Technology Schema of Day 1  A couple of words on Security Protocols  How to specify a protocol  How to specify a particular session  How to find security and authentication flaws  Interpreting the result of the tool

University of Twente The Netherlands Centre for Telematics and Information Technology Part 0 What are security protocols anyway?

University of Twente The Netherlands Centre for Telematics and Information Technology Security Protocols  Use symmetric or public key cryptography.  May achieve Confidentiality. Authentication. For assigning responsibility. For giving credit. Non-Repudiation. ….  Difficult to do right!

University of Twente The Netherlands Centre for Telematics and Information Technology The same, old example: Needham-Schroeder The same, old example: Needham-Schroeder A->B : [A,Na]*pk(B) B->A : [Na,Nb]*pk(A) A->B : [Nb]*pk(B)  Notation msg*k: asymmetric encryption Na, Nb: nonces A, B: Agents (Alice and Bob) pk(A): public key of A

University of Twente The Netherlands Centre for Telematics and Information Technology Goals of NS A->B : [A,Na]*pk(B) B->A : [Na,Nb]*pk(A) A->B : [Nb]*pk(B)  Exchange two secrets can be used to form a key  Authentication

University of Twente The Netherlands Centre for Telematics and Information Technology What can go wrong A->B : [A,Na]*pk(B) B->A : [Na,Nb]*pk(A) A->B : [Nb]*pk(B) A -> I: [A,Na]*pk(I) I(A) -> B:[A,Na]*pk(B) B-> A:[Na,Nb]*pk(A) A->I : [Nb]*pk(I) I(A)->B : [Nb]*pk(B)  Secrecy (Na and Nb are disclosed)  Authentication B “thinks” he is talking to A, while he is talking to I  I is the intruder.

University of Twente The Netherlands Centre for Telematics and Information Technology Finding Flaws is not Easy  Protocol dates:  Flaw found in  Difficult to do “by hand”  One can use Belief logics (e.g. BAN logic). Theorem Proving. Model Checking and alike.

University of Twente The Netherlands Centre for Telematics and Information Technology The Model Checking Approach  Basic idea: Model the protocol (finite!). Model the intruder (Dolev-Yao intruder). Can intercept & learn messages. Can forge new messages using his knowledge.  Problems (source of infiniteness) Forging new messages (can be fixed). Number of parallel sessions.

University of Twente The Netherlands Centre for Telematics and Information Technology Two Aspects of Authentication  Authentication can be used: To assign responsibility. a message is supported by someone To assign credit.

University of Twente The Netherlands Centre for Telematics and Information Technology Example A -> B: [A,B,[K,A,B,T]*sk(A)] A -> B: [A,B,[M]*K -1 ] (2) T: timestamp K, K -1 : asymmetric key pair  sk(A): secret key of A  When A sends (2) we can assume he takes responsibility for it  Should we give her credit as well?

University of Twente The Netherlands Centre for Telematics and Information Technology Not suitable for giving Credit A -> C: [A,B,[K,A,B,T]*sk(A)] C -> B: [C,B,[K,C,B,T]*sk(C)] A -> C: [A,B,[M]*K -1 ] (2) C -> B: [C,B,[M]*K -1 ] (2)  C could fake himself in between. and get the credit  It is a man-in-the-middle attack.

University of Twente The Netherlands Centre for Telematics and Information Technology Another Example A -> B: [A,K]*pk(B) A -> B: [M1]*K (2) B -> A: [M2]*K (3)  Can we assign responsibility/credit to A for M1?  Can we assign responsibility/credit to B for M2?

University of Twente The Netherlands Centre for Telematics and Information Technology Another Example A -> B: [A,K]*pk(B) A -> B: [M1]*K (2) B -> B: [M2]*K (3)  B can assign credit to A for M1. because A included his name in (1). No responsibility, though: anyone could have generated message 1.  A can hold B responsible for M2. But A could have faked (3) so it would be difficult for A to prove that B “did it”. Not really suitable for credit…

University of Twente The Netherlands Centre for Telematics and Information Technology Part 1 Using CoProVe

University of Twente The Netherlands Centre for Telematics and Information Technology Preliminaries: Prolog’s notation  variables: begin with uppercase or with _ Na,Nb,A,B, _a are variables a,na,nb,b are non-variable terms  variable are terms  Complex terms can be built using predicate (function) symbols: pk(b) is a non-variable term ( pk is a function symbol) pk(B) Nb*pk(B) is the same as *(Nb,pk(B)) : * is an infix- operator. send(Nb*pk(B))

University of Twente The Netherlands Centre for Telematics and Information Technology Learning by example: the Needham-Schroeder A->B : [A,Na]*pk(B) B->A : [Na,Nb]*pk(A) A->B : [Nb]*pk(B)  Notation [t1,t2]: pairing (these are lists in PROLOG) msg*k: asymmetric encryption  Conventions Na, Nb: nonces A, B: Agents (Alice and Bob) pk(A): public key of A

University of Twente The Netherlands Centre for Telematics and Information Technology Roles A->B : [A,Na]*pk(B) B->A : [Na,Nb]*pk(A) A->B : [Nb]*pk(B)  Here we have 2 ROLES one INITIATOR (A) one RESPONDER (B)  A role is specified as a sequence of EVENTS

University of Twente The Netherlands Centre for Telematics and Information Technology Events  events are actions, two kind: send(t) recv(t) t is a term (a message)  the crucial part of a role is a list of his actions: [recv([B]), %forget about this one for a moment send([A,Na]*pk(B)), recv([Na,Nb]*pk(A)), send(Nb*pk(B))]  [t1,…,tn]: is a list in Prolog

University of Twente The Netherlands Centre for Telematics and Information Technology Specifying a Role  Fixed (abstract) notation: name(Variables) = [Actions].  E.g. initiator(A,B,Na,Nb) = [ send([A,Na]*pk(B)), recv([Na,Nb]*pk(A)), send(Nb*pk(B))].  The tool notation is different! compiler notation vs abstract notation (this one)

University of Twente The Netherlands Centre for Telematics and Information Technology The Responder  How does the responder look like?  Just exchange “send” and “recv” responder(A,B,Na,Nb) = [ recv([A,Na]*pk(B)), send([Na,Nb]*pk(A)), recv(Nb*pk(B))]).  Any name is good (not only “responder)  Notice ALL THESE VARIABLES! names & nonces are not fixed roles are parametric

University of Twente The Netherlands Centre for Telematics and Information Technology Summarizing:  We specified the roles of NS: initiator(A,B,Na, Nb), responder(A,B,Na,Nb)  We still have to specify how our session looks like how many initiators & how many responders NB: a recent result by Comon-Lundh & Cortier states that 2 agents are sufficient (but give no limit on the number of sessions) The names of the agents are there agents playing both as initiator and responders?  We need to define a scenario

University of Twente The Netherlands Centre for Telematics and Information Technology Part 2 How to specify a particular session

University of Twente The Netherlands Centre for Telematics and Information Technology System Scenarios  Protocol roles provide ‘templates’  Set up a finite scenario for verification choose roles participating in the session instantiate the variables of the roles  Instantiation: used for: Say who is playing which role Introduce fresh nonces

University of Twente The Netherlands Centre for Telematics and Information Technology System Scenarios cont’d A->B : [A,Na]*pk(B) B->A : [Na,Nb]*pk(A) A->B : [Nb]*pk(B)  A possible scenario: s1 = {initiator(a,B,na,Nb), responder(A,b,Na,nb)} one INITIATOR A played by agent a one RESPONDER B played by agent b

University of Twente The Netherlands Centre for Telematics and Information Technology Variables & non-variables  Consider the scenario {initiator(a,B,na,Nb), responder(A,b,Na,nb)}  Variables indicate parameters that may assume any value (their value is not known at the start). For instance, the initiator here does not know in advance the name of the responder.  Fresh nonces = new terms (ground terms that don’t occur elsewhere ).

University of Twente The Netherlands Centre for Telematics and Information Technology More System Scenarios for NS {initiator(a,b,na,nb), responder(a,b,na,nb)} –the ‘honest’ scenario (but unrealistic) {initiator(a,B,na,Nb), responder(A,b,Na,nb)} –may not communicate with each other {initiator(a,b,na,nb), responder(A,B,Na,Nb)} –a may also play the responder role {initiator(a,b,na,nb), responder(c,d,nc,nd)} –no communication!

University of Twente The Netherlands Centre for Telematics and Information Technology The network model Network/Intruder Scenario Agent Role Network - intruder: Dolev-Yao. send(t) recv(t)

University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Store  knowledge (K) the intruder’s knowledge: the set of intercepted messages  constraint store: {msg_1:K_1, …, msg_n:K_n} msg_1, …, msg_n: messages (terms) K_1, …, K_n: knowledges (set of messages)  Is satisfiable: each msg_i is generable using K_i.

University of Twente The Netherlands Centre for Telematics and Information Technology Overview of the Verification Algorithm  A step of the verification algorithm: choose an event e from a role of S Two cases: e = send(t) –t is added to the intruder’s knowledge e = recv(t) –add constraint t:K to the constraint store –if constraint store is solvable, proceed –otherwise, stop

University of Twente The Netherlands Centre for Telematics and Information Technology Part 3 Using the tool in practice How to find security and authentication flaws

University of Twente The Netherlands Centre for Telematics and Information Technology Finding Secrecy flaws  What is a secrecy flaw?  To check if na remains secret, one just has to add to the scenario the singleton role [recv(na)]  na remains secret the intruder cannot output it!  in practice we define a special role secrecy(X) = [recv(X)].

University of Twente The Netherlands Centre for Telematics and Information Technology Finding Authentication Flaws  More complex than checking secrecy.  What is an authentication flaw? Various definitions. Basically: an input event recv(t) without corresponding preceding output event send(t). Can be checked by e.g., running the responder strand without an initiator role. We are working on it.

University of Twente The Netherlands Centre for Telematics and Information Technology From abstract notation to implementation notation  Abstract notation role_name(Var1,…,VarN) = [Events].  Concrete notation role_name(Var1,...,VarN,[Events]). Abstract Notation initiator(A,B,Na,Nb) = [ send([A,Na]*pk(B)), recv([Na,Nb]*pk(A)), send(Nb*pk(B)) ]). % Implementation Notation initiator(A,B,Na,Nb,[ send([A,Na]*pk(B)), recv([Na,Nb]*pk(A)), send(Nb*pk(B)) ]).

University of Twente The Netherlands Centre for Telematics and Information Technology Specification of NS % Initiator role initiator(A,B,Na,Nb,[ send([A,Na]*pk(B)), recv([Na,Nb]*pk(A)), send(Nb*pk(B)) ]). % Responder role responder(A,B,Na,Nb,[ recv([A,Na]*pk(B)), send([Na,Nb]*pk(A)), recv(Nb*pk(B)) ]). % Standard secrecy-checking role secrecy(X,[recv(X)]).

University of Twente The Netherlands Centre for Telematics and Information Technology Scenarios in Practice scenario([ [name_1,Var_1],..., [name_n,Var_n] ] ) :- role_1(...,Var_1),... role_n(...,Var_n).

University of Twente The Netherlands Centre for Telematics and Information Technology For Instance  What do we achieve with this scenario? scenario([ [alice,Init1], [bob,Resp1], [sec,Secr1] ] ) :- initiator(a,B,na,Nb,Init1), responder(a,b,Na,nb,Resp1), secrecy(nb, Secr1).

University of Twente The Netherlands Centre for Telematics and Information Technology Last Details (1): Initial intruder knowledge & has_to_finish % Set up the initial intruder knowledge initial_intruder_knowledge([a,b,e]). % specify which roles we want to force to % finish (only sec in this example) has_to_finish([sec]).

University of Twente The Netherlands Centre for Telematics and Information Technology The Origination assumption  Roles are ‘parametric’, i.e. may contain variables  We have to avoid sending out uninstantiated variables (only the intruder may do so).  We must satisfy the origination assumption: Any variable should appear for the first time in a recv event So, we add events of the form recv(X), where appropriate

University of Twente The Netherlands Centre for Telematics and Information Technology Specification of NS with O.A. % Initiator role initiator(A,B,Na,Nb,[ recv(B), send([A,Na]*pk(B)), recv([Na,Nb]*pk(A)), send(Nb*pk(B)) ]). % Responder role responder(A,B,Na,Nb,[ recv([A,Na]*pk(B)), send([Na,Nb]*pk(A)), recv(Nb*pk(B)) ]). scenario([[alice,Init1], [bob,Resp1], [sec,Secr1]]) :- initiator(a,B,na,Nb,Init1), responder(a,b,Na,nb,Resp1), secrecy(nb, Secr1).

University of Twente The Netherlands Centre for Telematics and Information Technology Last steps before execution…  Decide whether we want Prolog stop at first solution it finds, or iterate and show them all.  Click on Verify

University of Twente The Netherlands Centre for Telematics and Information Technology The Results  For each run, the tool visualizes: which events of a role could not be completed (nb: the tools tries to complete each role, but this is sometimes impossible) the complete run.

University of Twente The Netherlands Centre for Telematics and Information Technology Examples of Results (1) SOLUTION FOUND State: [[alice,[]],[bob,[recv(nb * pk(b))]],[sec,[]]]. alice finishedsec finished! bob did not finish

University of Twente The Netherlands Centre for Telematics and Information Technology Examples of Results (2) SOLUTION FOUND State: [[a,[]],[b,[recv(nb * pk(b))]],[sec,[]]] Trace: [a,send([a,na] * pk(e))] [b,recv([a,na] * pk(b))] [b,send([na,nb] * pk(a))] [a,recv([na,nb] * pk(a))] [a,send(nb * pk(e))] [sec,recv(nb)]

University of Twente The Netherlands Centre for Telematics and Information Technology What if we try another scenario? scenario([ [alice1,Init1], [alice2,Init2], [bob,Resp1], [sec,Secr1] ] ) :- initiator(a,b,na,Nb,Init1), initiator(b,A,na,Nb,Init1), responder(a,b,Na,nb,Resp1), secrecy(nb, Secr1). TRY THIS!

University of Twente The Netherlands Centre for Telematics and Information Technology Exercise 1: Modify NS as Lowe proposed A->B : [A,Na]*pk(B) B->A : [Na,Nb,B]*pk(A) A->B : [Nb]*pk(B)  To do implement the roles Try bigger scenarios, with at least two parallel sessions Find Millen’s type flaw attack

University of Twente The Netherlands Centre for Telematics and Information Technology Millen’s type flaw attack  a1. E(A) -> B : {A, E}pk(B) (E is the intruder name, should be a nonce!)  a2. B -> E(A): {E, Nb, B}pk(A)  b1. E -> A : {E, Nb, B}pk(A) (here is the field confusion)  b2. A -> E : {Nb,B, Nb2, A}pk(E)

University of Twente The Netherlands Centre for Telematics and Information Technology Looking for authentication flaws in Needham-Schroeder  Consider (again) the scenario:  No secrecy check this time.  But, if B is not b, and the responder role finishes, we have an authentication attack! {initiator(a,B,na,Nb), responder(a,b,Na,nb)}

University of Twente The Netherlands Centre for Telematics and Information Technology Looking for authentication flaws in Needham-Schroeder cont’d  We only have to specify has_to_finish to b: has_to_finish([b]).  And verify again…

University of Twente The Netherlands Centre for Telematics and Information Technology Results: the first reported trace SOLUTION FOUND State: [[a,[]],[b,[]]] Trace: [a,send([a,na] * pk(b))] [b,recv([a,na] * pk(b))] [b,send([na,nb] * pk(a))] [a,recv([na,nb] * pk(a))] [a,send(nb * pk(b))] [b,recv(nb * pk(b))]  This is a normal run  This is a correct trace. To find a flaw we must look for B not instantiated to b!

University of Twente The Netherlands Centre for Telematics and Information Technology Results: the right trace SOLUTION FOUND State: [[a,[]],[b,[]]] Trace: [a,send([a,na] * pk(e))] [b,recv([a,na] * pk(b))] [b,send([na,nb] * pk(a))] [a,recv([na,nb] * pk(a))] [a,send(nb * pk(e))] [b,recv(nb * pk(b))]

University of Twente The Netherlands Centre for Telematics and Information Technology Another protocol: Yahalom A->B : A,Na B->S : [A, Na,Nb]+Kbs S->A : [B, Kab, Na, Nb]+Kas, [A,Kab]+Kbs A->B : [A, Kab]+Kbs, [Nb]+Kab  [t]+k: symmetric encryption  Kxs: shared key between x and s  Na, Nb: nonces  Goal: establish a secret session key Kab  Incorrect (see Clark and Jacob library)

University of Twente The Netherlands Centre for Telematics and Information Technology Exercise for home  For the yahalom protocol: Encode the protocol Verify the protocol: try many scenarios Could you find any flaw? Model leakage of Nb (i.e., B sends Nb in plain at some point) Verify again the protocol: could you find any flaw? Compare this attack to the one described by Clark & Jacob  2. Try the other protocols listed in the online tool.  