© 2005 The MITRE Corporation. All rights reserved For Internal MITRE Use Alice & Bob Specifications Jon Millen June 2005.

Presentation transcript:


Security Protocol Specification Languages

• Alice & Bob
  – Textbook and article style
  – Specification is a normal message list: A -> B: {A,Na}Kb
  – CAPSL, Casper, HLPSL, ISL, ...
• Role process specifications
  – Separate specifications for each participant
  – Some form of state transition spec
  – Semantics is easier to understand
  – Varying degrees of customization, convenience
      Prolog, CSP, PVS, Maude, pi-calculus: existing languages
      MSR, CPPL, Spi-calculus: specialized languages
      CIL, IF: just intermediate languages
  – May or may not support code generation

CAPSL

    PROTOCOL NeedhamSchroederPK;
    VARIABLES
      A, B: PKUser;
      Na, Nb: Nonce, FRESH;
    ASSUMPTIONS
      HOLDS A: B;
    MESSAGES
      1. A -> B: {Na, A}pk(B);
      2. B -> A: {Na, Nb}pk(A);
      3. A -> B: {Nb}pk(B);
    GOALS
      SECRET Na;
      SECRET Nb;
      PRECEDES A: B | Na;
      PRECEDES B: A | Nb;
    END;

    ENVIRONMENT Test1;
    IMPORTS NSPK;
    CONSTANTS
      Alice, Bob: PKUser;
      Mallory: PKUser, EXPOSED;
    AGENT A1 HOLDS
      A = Alice;
      B = Bob;
    AGENT B1 HOLDS
      B = Bob;
    END;

Translated to CIL; from there to Athena, Csolve, PVS, Maude, NRL-PA, and Java code

Casper

    -- Needham Schroeder Public Key Protocol,
    -- 3 message version

    #Free variables
    A, B : Agent
    na, nb : Nonce
    PK : Agent -> PublicKey
    SK : Agent -> SecretKey
    InverseKeys = (PK, SK)

    #Processes
    INITIATOR(A,na) knows PK, SK(A)
    RESPONDER(B,nb) knows PK, SK(B)

    #Protocol description
    0. -> A : B
    1. A -> B : {na, A}{PK(B)}
    2. B -> A : {na, nb}{PK(A)}
    3. A -> B : {nb}{PK(B)}

    #Specification
    Secret(A, na, [B])
    Secret(B, nb, [A])
    Agreement(A,B,[na,nb])
    Agreement(B,A,[na,nb])

    #Actual variables
    Alice, Bob, Mallory : Agent
    Na, Nb, Nm : Nonce

    #Functions
    symbolic PK, SK

    #System
    INITIATOR(Alice, Na)
    RESPONDER(Bob, Nb)

    #Intruder Information
    Intruder = Mallory
    IntruderKnowledge = {Alice, Bob, Mallory, Nm, PK, SK(Mallory)}

Example from Lowe's Web page
Translated to CSP and Java

AVISPA OFMC Page

HLPSL

    PROTOCOL NSPK;
    Identifiers
      A, B: user;
      Na, Nb: number;
      Ka, Kb: public_key;
    Knowledge
      A: B,Ka,Ka',Kb;
      B: A,Ka,Kb,Kb';
    Messages
      1. A -> B: {Na,A}Kb
      2. B -> A: {Na,Nb}Ka
      3. A -> B: {Nb}Kb
    Session_instances
      [ A:a, B:b, Ka:ka, Kb:kb ]
      [ A:a, B:I, Ka:ka, Kb:ki ];
    Intruder divert, impersonate;
    Intruder_knowledge I, b, ka, kb, ki;
    Goal A authenticate B on Nb;
    Goal B authenticate A on Na;

Design Issues

• A -> B: source, destination; part of the message or not? (no)
• Principal-to-key and key inverse relations
  – public_key(A,Ka) vs. pk(A)
  – pk(A) only (free algebra) or inverse(Kpa,Ksa)
• Message views (hidden structure) and implicit message actions
  – Lowe "%" notation: A -> B: {M}Kc%F where B sees only "blob" F
• Role and parameter identification
  – Which parameters are independent inputs
  – Which nonces and session keys are generated by whom
• Security goal statements
• Other issues
  – Data types and extensibility
  – Attacker capabilities and knowledge
  – Scenario specification for model checking
  – Implementability checking - definedness of variables
  – Some of these issues apply to role process specs as well
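The role identification and "definedness of variables" issues above, as an added Python example (not from the slides or from any of the tools they name): it splits the CAPSL slide's NSPK message list into per-role action lists and reports any variable a sender uses before it knows it. The function name `project`, the `HOLDS`/`FRESH` tables and the `new`/`send`/`recv` action strings are assumptions made for illustration; keys follow the free-algebra `pk(A)` reading, so only the key's owner can open a message.

```python
import re

# Constructed input: the three NSPK messages as written on the CAPSL slide.
NSPK = ["A -> B: {Na, A}pk(B)",
        "B -> A: {Na, Nb}pk(A)",
        "A -> B: {Nb}pk(B)"]
HOLDS = {"A": {"A", "B"}, "B": {"B"}}   # initial knowledge (CAPSL: HOLDS A: B)
FRESH = {"Na", "Nb"}                    # nonces, generated by their first sender

MSG = re.compile(r"(\w+)\s*->\s*(\w+):\s*\{(.*?)\}pk\((\w+)\)")

def project(messages, holds, fresh):
    """Split an Alice & Bob message list into per-role action lists.

    Returns (roles, errors): roles maps a principal to its new/send/recv
    actions; errors lists variables a sender uses before they are defined.
    """
    known = {r: set(k) for r, k in holds.items()}
    roles = {r: [] for r in holds}
    generated, errors = set(), []
    for n, line in enumerate(messages, 1):
        m = MSG.fullmatch(line.strip())
        if not m:
            raise ValueError(f"message {n}: cannot parse {line!r}")
        snd, rcv, body, key_owner = m.groups()
        fields = [f.strip() for f in body.split(",")]
        for v in fields + [key_owner]:
            if v in fresh and v not in generated:
                generated.add(v)              # first use: the sender creates it
                known[snd].add(v)
                roles[snd].append(f"new {v}")
            elif v not in known[snd]:
                errors.append(f"message {n}: {snd} does not know {v}")
        term = f"{{{', '.join(fields)}}}pk({key_owner})"
        roles[snd].append(f"send {term}")
        roles[rcv].append(f"recv {term}")
        if key_owner == rcv:                  # only pk's owner can decrypt
            known[rcv].update(fields)
    return roles, errors
```

Dropping `A` from message 1 makes the check report that B cannot form `pk(A)` in message 2, which is the kind of implementability error an Alice & Bob list can hide and a role specification exposes.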

Non sequitur: Constraint Solver (Csolve)

• Bounded-process model checker in Prolog
• Parametric strand specifications
• SWI-Prolog/XPCE for diagrams
• Working on translation from CPPL