Fine-Grained MSR Specifications for Quantitative Security Analysis Iliano Cervesato ITT Industries, NRL Washington, DC Protocol Analysis Seminar, NPS, Monterey, CAFebruary 9, 2004

Quantitative Security Analysis1/25 Seminar Web Page

Quantitative Security Analysis2/25 Qualitative (Dolev-Yao) Analysis  Classifies protocol operations in  Possible (Dolev-Yao)  Reception/transmission  Crypto with key, …  Impossible  Guessing keys  Breaking crypto, …  Security assessed only on possible ops  “Easily” achieved by most current tools  What next? “Easy” (polynomial) “Hard” (exponential)

Quantitative Security Analysis3/25 Analysis beyond Dolev-Yao D a t a CryptoCrypto Perfect Real SymbolicBit-oriented More ops - xor - DH, … Type confusion Guessing Probabilistic Crypto hybrid - probability - complexity Cost-aware

Quantitative Security Analysis4/25 Cost-Aware Security Analysis  Assign cost to operations [Meadows,01]  Including non Dolev-Yao  Discrete logarithm, factoring, …  (Verifiable) guessing [Lowe,02]  Principal subversion, …  Applications  Estimate actual resources needed for attacks  Resources limitation (smart cards, PDAs, …)  DoS resistance assessment  Comparing attacks or protocols

Quantitative Security Analysis5/25 Outline  Protocol specification  MSR  Fine-Grained MSR  Technique applies to other languages  Traces and Scripts  Cost Model  Operations  Scripts  Cost-aware Security  Threshold analysis  Comparative analysis

Quantitative Security Analysis6/25 MSR  Executable protocol specification language  Theoretical results  Decidability  Most powerful intruder, …  3 generations already  MSR 1: (here)  MSR 2: 1 + strong typing  MSR 3: 2 +  -multisets  Based on MultiSet Rewriting  Foundations in (linear) logic  Ties to Petri nets and process algebra  Practice  Kerberos V  Implementation underway

Quantitative Security Analysis7/25 Multiset Rewriting …  Multiset: set with repetitions allowed  a,b,c  a,a,b,c,c,c  Rewrite rule: r: N 1  N 2  Application: M’, N 1  M’, N 2 M 1  M 2 state

Quantitative Security Analysis8/25 … with Existentials  msets of 1 st -order atomic formulas  Rules: r: F(x)   n. G(x,n)  Application M’, F(t)  M’, G(t,c) M 1  M 2 c not in M 1

Quantitative Security Analysis9/25 Traces and Scripts  Traces  Rewrite sequence (r 1,  1 ),…,(r n,  n ) from M 0 to M n  Rules r i  Substitutions  i  Scripts  Parametric traces  S, (r,  )  S 1 + S 2  ! n S  Normal run: S NR  Attack scripts: S A

Quantitative Security Analysis10/25 MSR for Security Protocols  Messages  A, k, n,…Princ., keys, nonces, …  {m} k, (m,m’), …Encryption, concat., …  Predicates  N(m)Network messages  M * (t 1,…,t n ) Public data  M A (t 1,…,t n )Private data  I(m)Intruder info.  L v (t 1,…,t n )Local states

Quantitative Security Analysis11/25 Example  Needham-Schroeder protocol  Initiator role A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB L (k A,k’ A,k B,n A ), N ({n A,n B } kA ) PrvK A (k A,k’ A ), PubK * (B,k B ) PrvK A (k A,k’ A ), PubK * (B,k B ), L (k A,k’ A,k B,n A ), N ({n A,A} kB ) N ({n B } kB )    n A.

Quantitative Security Analysis12/25 Preparing for Cost Assignment  Isolate operations  Verification  Success  Failure  Construction  Apply rule in stages  Pre-screening  Detailed verification  Split LHS in atomic steps  Allow failure

Quantitative Security Analysis13/25 Fine-Grained MSR (1)  Rules  Clean-uplhs  rhs else cr  Predicates  RegistersR v (m)  HeadersN h (m)  Phased execution  Select rule based only on predicates  Verify if arguments match  Allow failure

Quantitative Security Analysis14/25 Fine-Grained MSR (2)  Verification rules  N h (x)  R(x)  L v (x)  R(x)  R(y), R’(op y (x))  R’’(x)else cr  R(x), R’(x) .else cr  R(x)  R’(m)  …  Construction rules  Remain the same

Quantitative Security Analysis15/25 Fine-Grained Intruder Dolev-Yao style SubversionGuessing  N h (x)  I(x)  M*(x)  I(x)  I(y), I(op y (x))  I(x)  I(x)  N h (x) .   x. I(x)  I(x)  I(op(x)) .  X(A)  X(A) .  X(A), M A (x)  X(A), I(x) …  G(x) …  V 1 (m 1 ) …  V 2 (m 2 ) G(x), V 1 (y), V 2 (y)  I(x) I(g), I(g x )  I(x)

Quantitative Security Analysis16/25 Cost  v  A   : cost type  Time, space, energy, …  A: principal incurring cost  v: amount of cost  Physical measurements  0 /  (Dolev-Yao model)  Complexity classes

Quantitative Security Analysis17/25 Assigning Cost – Basic Operations  Network  Storage  Operations  Construction  Successful verification  Failed verification  Subversion  Guessing  Various ways  Supports very high precision  Difficulty depends on precision  Possibly subjective

Quantitative Security Analysis18/25 Assigning Costs – Traces & Scripts  Traces:  (T)  Add up basic costs  Monotonic costs: time, energy, …  Non-monotonic: space, …  Scripts:  (S)  Interval arithmetic  Script alternative

Quantitative Security Analysis19/25 Quantitative Security Analysis  A model checking view C  0 (Dolev-Yao) C   1 C   2

Quantitative Security Analysis20/25 Threshold Analysis   (S NR )   HW/HCI  ?  Cost of normal run acceptable?  PDAs, cell phones, …   (S A )   I  ?  Cost of attack/defense acceptable?  Cost of candidate attack vs. resources  Non Dolev-Yao operations  min x.  (S A (x))   I++  ?  Design protocol  Fine-tuning parameters

Quantitative Security Analysis21/25 Comparative Analysis   (S A1 )   (S A2 )  ?  Comparing attacks  Protocol can always be attacked   (S P1 )   (S P2 )  ?  Comparing protocols   B (S A )   I (S A )  ?  Comparing attack and defense costs  Denial of Service

Quantitative Security Analysis22/25 Typical Client/Server Exchange Client Server request challenge response ok scqscq sccscc scrscr scosco tcqtcq tcctcc tcrtcr tcotco ssqssq sscssc -(s s q +s s c ) 0 tsqtsq tsctsc tsrtsr tsotso  T  B

Quantitative Security Analysis23/25 Time DoS q c tcqtcq 0 tsqtsq tsctsc q c  tcqtcq 0  tsqtsq tsctsc tsrtsr   tsqtsq  Service rate  1/(t s q + t s c + t s r )  Attack rate  1/t c q  Service rate: 1/t s q  Usually dominated by networking costs  Service rate  1/(t s q + t s c )  Attack rate  1/t c q Better attack

Quantitative Security Analysis24/25 Space DDoS  Max concurrent requests  B / (s s q + s s c )  Space allocation rate  (s s q + s s c ) / (t s q + t s c )  Space reclamation rate  B / T  Max. concurrent attacks  ssqssq sscssc -(s s q +s s c )  T q c  tcqtcq 0  tsqtsq tsctsc tsrtsr  B B (t s q + t s c ) (s s q + s s c ) T n   Use large B  Keep T small

Quantitative Security Analysis25/25 Conclusions  Quantitative protocol analysis  Cost conscious attacks (non Dolev-Yao)  Fine-Grained specification languages (MSR)  Paper:  Related work  C. Meadows: Cost framework for DoS  G. Lowe: guessing attacks  D. Tomioka, et al: cost for spi-calculus  Future work  Attack costs: WEP  DoS aware protocols: JFK, puzzle-based Client/Server  Complexity-based costs  Mixing probability