Analysis of Security Protocols (III) John C. Mitchell Stanford University

Analyzing Security Protocols l Non-formal approaches (can be useful, but no tools…)  Some crypto-based proofs [Bellare, Rogaway] l BAN and related logics  Axiomatic semantics of protocol steps H Methods based on operational semantics  Intruder model derived from Dolev-Yao  Protocol gives rise to set of traces  Perfect encryption  Possible to include known algebraic properties

Example projects and tools l Prove protocol correct  Paulson’s “Inductive method”, others in HOL, PVS, etc.  Bolignano -- Abstraction methods  MITRE -- Strand spaces  Process calculus approach: Abadi-Gordon spi-calculus l Search using symbolic representation of states  Meadows: NRL Analyzer, Millen: Interrogator l Exhaustive finite-state analysis  FDR, based on CSP [Lowe, Roscoe, Schneider, …]  Mur  -- specialized input language  Clarke et al. -- state search with axiomatic intruder model

Explicit Intruder Method Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Gee whiz. Looks OK to me.

A notation for inf-state systems l Define protocol, intruder in minimal framework l Disadvantage: need to introduce new notation Formal Logic (      ) Process Calculus Finite Automata Proof search (Horn clause) Multiset rewriting

Protocol Notation l Non-deterministic infinite-state systems l Facts F ::= P(t 1, …, t n ) t ::= x | c | f(t 1, …, t n ) l States { F 1, …, F n }  Multiset of facts  Includes network messages, private state  Intruder will see messages, not private state Multi-sorted first-order atomic formulas

State Transitions l Transition  F 1, …, F k   x 1 …  x m. G 1, …, G n l What this means  If F 1, …, F k in state , then a next state  ’ has  Facts F 1, …, F k removed  G 1, …, G n added, with x 1 … x m replaced by new symbols  Other facts in state  carry over to  ’  Free variables in rule universally quantified  Pattern matching in F 1, …, F k can invert functions

Finite-State Example  Predicates: State, Input  Function:   Constants: q 0, q 1, q 2, q 3, a, b, nil  Transitions: State(q 0 ), Input(a  x)  State(q 1 ), Input(x) State(q 0 ), Input(b  x)  State(q 2 ), Input(x)... q0q0 q1q1 q3q3 q2q2 b a a a b b b a b

Existential Quantification l Natural-deduction proof rule [y/x]  (  elim)  x.    l Summary: for proof from  x. , choose new symbol and proceed from [y/x]  y not free in any other hypothesis

Infinite-State Example  Predicates: State, Input, Color Function:   Constants: q 0, a, b, nil, red, blue  Transitions: State(q), Input(a  x), Color(q,red)   q’. State(q’), Input(x), Color(q’,blue), Color(q,red)... Input a: change color Input b: same color Need to preserve facts explicitly q0q0 a a a a a b b bb

Turing Machine l Predicates  Current(state,cell) -- current state, tape pos.  Contents(cell, symbol) -- contents of tape cell  Adjacent(cell, cell) -- keep cells in order l Constants  q 0, q 1, q 2, … -- finite set of states  c 0, c eot -- initial tape cells  “0”, “1”, “b” -- tape symbols

Turing Machine (II) l Transitions  Adjacent(c 0, c eot )  Adjacent(c, c eot )   c’. Adjacent(c,c’), Adjacent(c’,c eot )  Current(q i,c), Contents(c,“0”), Adjacent(c,c’)  Current(q k,c’), Contents(c,“1”), Adjacent(c,c’)  Current(q i,c), Contents(c,“1”), Adjacent(c’,c)  Current(q k,c’),Contents(c,“0”), Adjacent(c,c’) infinite linear tape sample move right sample move left...ceotc...c’eot

Simplified Needham-Schroeder l Predicates A i, B i, N i -- Alice, Bob, Network in state i l Transitions  x. A 1 (x) A 1 (x)  N 1 (x), A 2 (x) N 1 (x)   y. B 1 (x,y) B 1 (x,y)  N 2 (x,y), B 2 (x,y) A 2 (x), N 2 (x,y)  A 3 (x,y) A 3 (x,y)  N 3 (y), A 4 (x,y) B 2 (x,y), N 3 (y)  B 3 (x,y) picture next slide A  B: {n a, A} Kb B  A: {n a, n b } Ka A  B: {n b } Kb l Authentication A 4 (x,y)  B 3 (x,y’)  y=y’

Sample Trace A  B: {n a, A} Kb B  A: {n a, n b } Ka A  B: {n b } Kb A 2 (n a ) A 1 (n a ) A 2 (n a ) A 3 (n a, n b ) A 4 (n a, n b ) B 2 (n a, n b ) B 1 (n a, n b ) B 2 (n a, n b ) B 3 (n a, n b ) B 2 (n a, n b ) N 1 (n a ) N 2 (n a, n b ) N3( nb)N3( nb)  x. A 1 (x) A 1 (x)  A 2 (x), N 1 (x) N 1 (x)   y. B 1 (x,y) B 1 (x,y)  N 2 (x,y), B 2 (x,y) A 2 (x), N 2 (x,y)  A 3 (x,y) A 3 (x,y)  N 3 (y), A 4 (x,y) B 2 (x,y), N 3 (y)  B 3 (x,y)

Common Intruder Model l Derived from Dolev-Yao model [1989]  Adversary is nondeterministic process  Adversary can  Block network traffic  Read any message, decompose into parts  Decrypt if key is known to adversary  Insert new message from data it has observed  Adversary cannot  Gain partial knowledge  Guess part of a key  Perform statistical tests, …

Formalize Intruder Model l Intercept and remember messages N 1 (x)  M(x) N 2 (x,y)  M(x), M(y) N 3 (x)  M(x) l Send messages from “known” data M(x)  N 1 (x), M(x) M(x), M(y)  N 2 (x,y), M(x), M(y) M(x)  N 3 (x), M(x) l Generate new data as needed  x. M(x) Highly nondeterministic, same for any protocol

Attack on Simplified Protocol A 2 (n a ) A 1 (n a ) A 2 (n a ) B 1 (n a ’, n b ) N 1 (n a )  x. A 1 (x) A 1 (x)  A 2 (x), N 1 (x) N 1 (x)  M(x)  x. M(x) M(x)  N 1 (x), M(x) N 1 (x)   y. B 1 (x,y) M(n a ) M(n a ), M(n a ’) N 1 (n a ’ ) A 2 (n a ) M(n a ), M(n a ’) A 2 (n a ) M(n a ), M(n a ’) Continue “man-in-the-middle” to violate specification

Modeling Perfect Encryption l Encryption functions and keys  For public-key encryption  two key sorts: e_key, d_key  predicate Key_pair(e_key, d_key)  Functions enc : e_key  msg -> msg dec : d_key  msg -> msg (implicit in pattern-matching) l Properties of this model  Encrypt, decrypt only with appropriate keys  Only produce enc(key, msg) from key and msg (!!!)  This is not true for some encryption functions

Steps in public-key protocol l Bob generates key pair and publishes   e_key u.  d_key v. Bob 1 (u,v)  Bob 1 (u,v)  N Announce (u ), Bob 2 (u,v) l Alice sends encrypted message to Bob  Alice 1 (e,d,x), N Announce (e’)  Alice 2 (e,d,x,e’)  Alice 2 (e,d,x,e’)  N 1 (enc(e’,  x,e  )), Alice 3 (u,v,x,w) l Bob decrypts  Bob 1 (u,v), N 1 (enc(u,  x,y  ))   z. Bob 1 (u,v,x,y,z)

Intruder Encryption Capabilities l Intruder can encrypt with encryption key  M e (k), M data (x)  N i (enc(k,x)), M e (k), M data (x) l Intruder can decrypt with decryption key  N j (enc(k,x)),Key_pair(k,k’), M d (k’),  M data (x),... l Add to previous intruder model Assumes sorts data, e_key, d_key with typed predicates M data (data), M e (e_key), M d (d_key)

Intruder: power and limitations l Can find some attacks  Needham-Schroeder by exhaustive search l Other attacks are outside model  Interaction between protocol and encryption l Some protocols cannot be modeled  Probabilistic protocols  Steps that require specific property of encryption l Possible to prove erroneous protocol correct  Requires property that crypto does not provide

Optimize Protocol + Intruder l Adversary receives all messages; no net  Replace  Alice i (x,y)  N j (x), Alice k (x,y)  N j (x)  M(x)  M(z)  N j (z), M(z)  N j (x), Bob i (w)  Bob j (w,y)  By  Alice i (x,y)  M(x), Alice k (x,y)  M(z), Bob i (w)  Bob j (w,y) Alice’s message can go to Bob or M. M can replay or send different msg All messages go directly to M. M can forward or send different msg

Additional Optimizations l Intruder can simulate honest participants  If additional independent sessions are useful for attack, then intruder can simulate these sessions  Therefore -- suffices to consider single initiator, single responder, and intruder (for this protocol). l For decidability, bound on intruder [Lowe]  Suffices to bound the number of new nonces  Analyze...

Analysis of Protocol+Intruder l Prove properties of protocols  Unbounded # of participants, message space  Prove that system satisfies specification  Paulson, etc: prove invariant holds at all reachable states  Spi-calculus: prove protocol equivalent ideal protocol l Symbolic search with pruning  Search backward from error  Prune search by proving forward invariants l Exhaustive finite-state methods  Approximate infinite-state system by finite one  Search all states, perhaps with optimizations

Example description languages l First- or Higher-order Logic  Define set of traces, prove protocol correct l Horn-clause Logic  x… (A 1  A 2  …  B)  Symbolic search methods l Process calculus  FDR model checker based on CSP  Spi-calculus proof methods based on pi-calculus l Additional formalisms  CAPSL protocol description language [Millen]  Mur  language for finite-state systems

Paulson’s Inductive Method l Define set TR of traces of protocol+intruder  Similar to traces in unifying formalism  Transition F 1, …, F k   x 1 …  x m. G 1, …, G n gives one way of extending trace l Auxiliary functions mapping traces to sets  Analz(trace) = data visible to intruder  Synth(trace) = messages intruder can synthesize l Definitions and proofs use induction  Similar inductive arguments for many protocols

Symbolic Search Methods l Examples: NRL Protocol Analyzer, Interrogator l Main idea  Write protocol as set of Horn clauses  Transition F 1, …, F k   x 1 …  x m. G 1, …, G n can be Skolemized and translated to Prolog clauses  Search back from possible error for contradiction  This is usual Prolog refutation procedure l Important pruning technique  Prove invariants by forward reasoning  Use these to avoid searching unreachable states

Process Calculus Description l Protocol defined by set of processes  Each process gives one step of one principal  Can derive by translation from unifying notation  F 1, …, F k   x 1 …  x m. G 1, …, G n is one process  Replace predicates by port names  Replace pattern-matching by explicit destructuring  In pi-calculus, use in place of   Example  B 1 (x,y)  N 2 (x,y), B 2 (x,y)  b 1 (p). let x=fst(p) and y=snd(p) in n 2  x,y  | b 2  x,y  end

Spi-Calculus [AG97,...] l Write protocol in process calculus l Express security using observ. equivalence  Standard relation from programming language theory P  Q iff for all contexts C[ ], same observations about C[P] and C[Q]  Context (environment) represents adversary l Use proof rules for  to prove security  Protocol is secure if no adversary can distinguish it from an idealized version of the protocol

Finite-state methods l Two sources of infinite behavior  Many instances of participants, multiple runs  Message space or data space may be infinite l Finite approximation  Transitions: F 1, …, F k   x 1 …  x m. G 1, …, G n choose fixed number of Skolem constants  Terms: restrict repeated functions f(f(f(f(x)))) l Can express finite-state protocol + intruder in  CSP : FDR-based model checking projects  Other notations: Mur  project, Clarke et al.,...

Security Protocols in Mur  l Standard “benchmark” protocols  Needham-Schroeder, TMN, …  Kerberos l Study of Secure Sockets Layer (SSL)  Versions 2.0 and 3.0 of handshake protocol  Include protocol resumption l Discovered all known or suspected attacks l Recent work on tool optimization [Shmatikov, Stern,...]

Malleability [Dolev,Dwork,Naor] l Idealized assumption  If intruder produces Network(enc(k,x)) then either  Network(enc(k,x))  M (enc(k,x)) (replay)  M(k), M(x)  M (enc(k,x)) (knows parts) l Not true for RSA  encrypt(k,msg) = msg k mod N  property encr(x*y) = encr(x) * encr(y) l Model  Network(enc(k,x))  M (…)...  Network (enc(k,c*x)) Can send encrypted message without “knowing” message Finite state ?

Authentication and Secrecy for Handshake Protocols l How many protocols are there to verify?  Average length 7 steps  Data fields per message 5 fields  Distinct ways to fill a field  50 entries  Number of possible combinations 1750 protocols l Research directions  Get the monkeys and typewriters going  Easier description and specification, faster tools  Improved analysis of timestamps,...  Interaction between protocol and crypto primitives