Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Executable Model for Security Protocol JFKr

Published byFátima Gil Bentes Modified over 6 years ago

Similar presentations

Presentation on theme: "An Executable Model for Security Protocol JFKr"— Presentation transcript:

1 An Executable Model for Security Protocol JFKr
An ACL2 approach to key-establishment protocol verification Presented by: David L. Rager May 12, 2009 January 17, 2019

2 Outline Background on JFKr Prerequisites for reasoning about JFKr
Heritage Executable model Prerequisites for reasoning about JFKr Cryptography book Diffie Helman book JFKr theorems and proofs Authentication (also shows the attacker) Session Key January 17, 2019

3 Background on JFKr JFKr is a network security protocol used to establish a secret key between two participants JFKr’s Heritage: Diffie Helman ISO Internet Key Exchange (IKE) Just Fast Keying in slight favor of the responder(JFKr) Security properties provided by JFKr: Derives a secret and shared key Authentication of the parties to one another Identity protection Resilience against replay and denial of service attacks January 17, 2019

4 Partial JFKr Network Message Exchange
GM % B GM % B GM % B GM % B GM % B Ni, xi I R GP % B tr=hashKr(Ni,Nr,xr) tr=hashKr(Ni,Nr,xr) tr=hashKr(Ni,Nr,xr) tr=hashKr(Ni,Nr,xr) tr=hashKr(Ni,Nr,xr) Ni, Nr, xr, tr D = GM*P % B k=hashD(Ni,Nr) D = GM*P % B k=hashD(Ni,Nr) D = GM*P % B k=hashD(Ni,Nr) D = GM*P % B k=hashD(Ni,Nr) ei=enck(IDi , IDr , sai , sigKi(Ni,Nr,xi,xr)) ei=enck(IDi , IDr , sai , sigKi(Ni,Nr,xi,xr)) ei=enck(IDi , IDr , sai , sigKi(Ni,Nr,xi,xr)) Ni, Nr, xi, xr, tr, ei, hi hi=hashk(“i”,ei) hi=hashk(“i”,ei) hi=hashk(“i”,ei) er, hr hr=hashk(“r”,er) hr=hashk(“r”,er) January 17, 2019 er=enck(IDr,sar,sigKr(Ni,Nr,xi,xr)) [Aiello et al.] and Shmatikov

5 Executing the Model (defun run-5-steps-honest (network-s initiator-constants responder-constants public-constants initiator-s responder-s) (mv-let (network-s-after-1 initiator-s-after-1) (initiator-step1 network-s initiator-s initiator-constants public-constants) (network-s-after-2 responder-s-after-2) (responder-step1 network-s-after-1 responder-s responder-constants public-constants) (network-s-after-3 initiator-s-after-3) (initiator-step2 network-s-after-2 initiator-s-after-1 initiator-constants public-constants) (network-s-after-4 responder-s-after-4) (responder-step2 network-s-after-3 responder-s-after-2 responder-constants public-constants) (network-s-after-5 initiator-s-after-5) (initiator-step3 network-s-after-4 initiator-s-after-3 initiator-constants public-constants) (mv network-s-after-5 initiator-s-after-5 responder-s-after-4))))))) January 17, 2019

6 An Example Execution ;;; The below theorem shows how to run an example execution of the JFKr protocol ;;; and checks that the keys derived by the initiator and responder are equal (thm (mv-let (network-s initiator-s responder-s) (run-5-steps-honest nil *initiator-constant-list* *responder-constant-list* *public-constant-list* nil nil) (declare (ignore network-s)) (and ;; responder and initiator have the same session key (equal (session-key initiator-s) (session-key responder-s)) ;; responder stores the correct partner (equal (id *initiator-constant-list*) (id-i responder-s)) ;; initiator stores the correct partner (equal (id *responder-constant-list*) (id-r initiator-s))))) January 17, 2019

7 Prerequisites for Reasoning about JFKr
Encryption book Functions that perform primitive hash/encrypt/signature operations To prove that decrypting an encryption requires the key To prove that duplicating a hash of something requires the key To prove that verifying a signature requires the public key To prove that creating a signature that can be verified with a public key requires the matching private key To then disable the definitions of the hash/encrypt/signature functions, because the abstractions all we need and we no longer want to reason about the functions themselves. January 17, 2019

8 Definitions for Symmetric Encryption
The term “symmetric” simply means that the key used to encrypt an object is the same key used to decrypt the object In our implementation of JFKr, we only encrypt and decrypt lists of numbers, so for encryption, it’s sufficient to just add the key to each element of the list (defun encrypt-symmetric-list (lst key) (if (atom lst) nil (cons (+ (car lst) key) (encrypt-symmetric-list (cdr lst) key)))) (defun decrypt-symmetric-list (lst key) (cons (- (car lst) key) (decrypt-symmetric-list (cdr lst) key)))) January 17, 2019

9 Theorems about Symmetric Encryption
Decrypting an encrypted list with the right key yields the original list Decrypting an encrypted list with the wrong key does not yield the original list (defthm decrypt-of-encrypt-symmetric-equals-plaintext (implies (force (encryptable-listp lst)) (equal (decrypt-symmetric-list (encrypt-symmetric-list lst key) key) lst))) (defthm decrypt-of-encrypt-symmetric-needs-key (implies (and (encryptable-listp lst) (not (null lst)) (keyp keyA) (keyp keyB) (not (equal keyA keyB))) (not (equal (decrypt-symmetric-list (encrypt-symmetric-list lst keyA) keyB) lst)))) January 17, 2019

10 Diffie Helman Book Provides definitions that implement the Diffie Helman protocol Proves the theorem that if each party derives the key using their own private DH-value and the other party’s public DH-value, then the derived keys are equal Provides a way to state that knowing one of the two private values is necessary to derive the shared key January 17, 2019

11 Definitions and Theorems about Diffie Helman Key Equality
(defun compute-public-dh-value (g exponent-value b) (mod (expt g exponent-value) b)) (defun compute-dh-key (a-public-exponentiation-value a-private-value b) (mod (expt a-public-exponentiation-value a-private-value) b)) (defthm dh-computation-works (implies (and (positive-integerp g) (positive-integerp b) (positive-integerp x-exponent) (positive-integerp y-exponent)) (equal (compute-dh-key (compute-public-dh-value g x-exponent b) y-exponent b) (compute-dh-key (compute-public-dh-value g y-exponent b) x-exponent b))))) January 17, 2019

12 Definition Supporting Diffie Helman Key Secrecy
We can add this function to the hypothesis of any theorem that needs to prove key secrecy for a protocol using Diffie Helman to derive a shared key (defun session-key-requires-one-part-of-key (g b x-exponent y-exponent i-exponent) ;; we set the guards to nil to ensure that this function never executes and ;; is only used in the logical reasoning of the proof (declare (xargs :guard nil :verify-guards nil)) (implies (and (positive-integerp g) ... ; some other positive-integerp specifications (not (equal i-exponent x-exponent)) (not (equal i-exponent y-exponent))) (let ((x-public-value (compute-public-dh-value g x-exponent b)) (y-public-value (compute-public-dh-value g y-exponent b)) (session-key (compute-dh-key (compute-public-dh-value g x-exponent b) y-exponent b))) (and (not (equal (compute-dh-key x-public-value i-exponent b) session-key)) (not (equal (compute-dh-key y-public-value i-exponent b) session-key)))))) January 17, 2019

13 Proving Authentication
Simple version of identity agreement (implies (and (initiator-success initiator-s) (responder-success responder-s)) (and (equal (id-I responder-s) (id initiator-constants)) (equal (id-R initiator-s) (id responder-constants)))) January 17, 2019

14 Authentication Proof If a participant1 is not really the identity associated with a particular private key, then that participant does not have that private key and If a participant does not have the private key, then they will not be able to correctly sign a message to be later verified with the corresponding public key and If a message is incorrectly signed, then the protocol is unsuccessful <--> { transitivity of implication } If a participant1 is not really the identity associated with a particular private key then the protocol is unsuccessful <--> { contraposition } If the protocol is successful then the participant is really the identity associated with a particular private key The first hypothesis is assumed to be true and the second and third hypotheses are formalized in ACL2 1a participant is one of an initiator, responder, or attacker January 17, 2019

15 Authentication of the Initiator
(defthm run-4-steps-with-badly-forged-attacker-yields-responder-failure (let ((initiator-constants (initiator-constants constants)) (responder-constants (responder-constants constants)) (public-constants (public-constants constants))) (mv-let (network-s-after-1 initiator-s-after-1) (initiator-step1 network-s initiator-s initiator-constants public-constants) (let ((network-s-after-1-munged (function-we-know-nothing-about1 network-s-after-1))) (network-s-after-2 responder-s-after-2) (responder-step1 network-s-after-1-munged responder-s responder-constants public-constants) (let ((network-s-after-2-munged (function-we-know-nothing-about2 network-s-after-2))) (network-s-after-3 initiator-s-after-3) (initiator-step2 network-s-after-2-munged initiator-s-after-1 initiator-constants public-constants) (let ((network-s-after-3-munged (function-we-know-nothing-about3 network-s-after-3))) (network-s-after-4 responder-s-after-4) (responder-step2 network-s-after-3-munged responder-s-after-2 (implies (and (constantsp constants) (badly-forged-msg3p (msg3 network-s-after-3-munged) (responder-constants constants) (public-key-i public-constants))) (and (protocol-failure responder-s-after-4))))))))))))) January 17, 2019

16 Modeling the Attacker (defthm run-4-steps-with-badly-forged-attacker-yields-responder-failure (let ((initiator-constants (initiator-constants constants)) (responder-constants (responder-constants constants)) (public-constants (public-constants constants))) (mv-let (network-s-after-1 initiator-s-after-1) (initiator-step1 network-s initiator-s initiator-constants public-constants) (let ((network-s-after-1-munged (function-we-know-nothing-about1 network-s-after-1))) (network-s-after-2 responder-s-after-2) (responder-step1 network-s-after-1-munged responder-s responder-constants public-constants) (let ((network-s-after-2-munged (function-we-know-nothing-about2 network-s-after-2))) (network-s-after-3 initiator-s-after-3) (initiator-step2 network-s-after-2-munged initiator-s-after-1 initiator-constants public-constants) (let ((network-s-after-3-munged (function-we-know-nothing-about3 network-s-after-3))) (network-s-after-4 responder-s-after-4) (responder-step2 network-s-after-3-munged responder-s-after-2 (implies (and (constantsp constants) (badly-forged-msg3p (msg3 network-s-after-3-munged) (responder-constants constants) (public-key-i public-constants))) (and (protocol-failure responder-s-after-4))))))))))))) January 17, 2019

17 Key Agreement Simple version of key agreement
See comment at end of jfkr.lisp book for more developed (and unproven) version (implies (and (initiator-success initiator-s) (responder-success responder-s)) (equal (session-key initiator) (session-key responder) January 17, 2019

18 Review Background on JFKr Books Required to reason about JFKr
Heritage Executable model Books Required to reason about JFKr Cryptography book Diffie Helman book JFKr theorems and proofs Authentication Session Key January 17, 2019

19 ACL2 3.5 Books Encryption functions and theorems
books/security/jfkr/encryption.lisp Diffie Helman implementation books/security/jfkr/diffie-helman.lisp JFKr implementation and theorems books/security/jfkr/jfkr.lisp January 17, 2019

20 Resources Abadi, Blanchet, Fournet. Just Fast Keying in the Pi Calculus. Datta, Derek, Mitchell, and Pavlovic. A Derivation System and Compositional Logic for Security Protocols. Levy, Benjamin (translator). Diffie-Helman Method for Key Agreement Paulson, Lawrence C. Proving Properties by Induction Shmatikov, Vitaly. Just Fast Keying Slides January 17, 2019

21 Graphical Overview 3 Initiator Steps Executable Model
Initiator allocates state and begins process Responder receives a well formed network msg Initiator receives a well formed network msg Initiator does some calculation and saves some data Responder receives a correctly signed network msg that contains Responder’s cookie Responder allocates state, saving the established key and marking itself “successful” Initiator receives a correctly signed network msg Initiator saves some more data and marks itself “successful” 3 Initiator Steps Executable Model 2 Responder Steps Responder ID Agreement Properties to Prove Initiator ID Agreement Key Agreement Success -> Initiator ID Agreement Success -> Responder ID Agreement Success -> Key Agreement January 17, 2019

22 Key Agreement Strategy
Prove that when network messages check out as okay, the key derived in the initiator’s step 2 is equal to something (TDB) Prove that when network messages check out as okay, the key derived in the responder’s step 2 is equal to something (TBD) Use the DH book to show that those two something’s are equal Prove that both parties show success after checking the correctness of the network messages they have received Conclude that if all parties have received valid network messages, then their derived keys must be equal Key agreement is yet unproven, but the tools to finish the proof are included in the book jfkr.lisp January 17, 2019

23 Design Objectives for a Key Exchange Protocol
Shared secret Create and agree on a secret which is known only to protocol participants Authentication Participants need to verify each other’s identity Identity protection Eavesdropper should not be able to infer participants’ identities by observing protocol execution Protection against denial of service Malicious participant should not be able to exploit the protocol to cause the other party to waste resources Key Freshness Malicious participant should not be able to reuse crucial data from another session to conduct a replay attack January 17, 2019

24 Model “Features” Party constants are abstract
(defthm run-5-steps-with-badly-forged-attacker-yields-both-failure (let ((initiator-constants (initiator-constants constants)) (responder-constants (responder-constants constants)) (public-constants (public-constants constants))) ; conclusion to come ) January 17, 2019

25 Model “Features” Nondeterministic attacker
(defstub function-we-know-nothing-about1 (*) => *) (defthm run-5-steps-with-badly-forged-attacker-yields-both-failure (mv-let (network-s-after-1 initiator-s-after-1) (initiator-step1 network-s initiator-s initiator-constants public-constants) (let ((network-s-after-1-munged (function-we-know-nothing-about1 network-s-after-1))) (network-s-after-2 responder-s-after-2) (responder-step1 network-s-after-1-munged responder-s responder-constants public-constants) ; conclusion to come later January 17, 2019

26 Model “Features” Separation of concepts like a well-formed message versus a message that’s badly-forged (defun well-formed-msg3p (msg) (declare (xargs :guard t)) (and (alistp msg) (integerp (Ni-msg msg)) (integerp (Nr-msg msg)) (integerp (Xi-msg msg)) (<= 0 (Xi-msg msg)) (integerp (Xr-msg msg)) (<= 0 (Xr-msg msg)) (integerp (Tr-msg msg)) (integer-listp (Er-msg msg)) (integerp (Hi-msg msg)) (integerp (Src-ip-msg msg)))) January 17, 2019

27 Model “Features” Separation of concepts like a well-formed message versus a message that’s badly-forged (defun badly-forged-msg3p-old(msg responder-constants initiator-private-key) (let* ((dh-key (CRYPTO::compute-dh-key (xi-msg msg) (dh-exponent responder-constants) (b responder-constants))) (session-key (compute-session-key (Ni-msg msg) (Nr-msg msg) dh-key)) (SigKi (compute-sig-Ki (Ni-msg msg) (Xi-msg msg) (Xr-msg msg) (g responder-constants) (b responder-constants) initiator-private-key)) (Ei-decrypted (CRYPTO::decrypt-symmetric-list (Ei-msg msg) session-key))) (not (equal (nth 2 Ei-decrypted) SigKi)))) January 17, 2019

Download ppt "An Executable Model for Security Protocol JFKr"

Similar presentations

The Diffie-Hellman Algorithm

The Diffie-Hellman Algorithm
Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.

Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.
Homework #4 Solutions Brian A. LaMacchia Portions © 2002-2006, Brian A. LaMacchia. This material is provided without.

Homework #4 Solutions Brian A. LaMacchia Portions © , Brian A. LaMacchia. This material is provided without.
Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.

Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.

Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Just Fast Keying (JFK) Protocol 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall 2007-08.

Just Fast Keying (JFK) Protocol 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall
Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,

Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,
Logic for Protocol Composition A. Datta, A. Derek, J. Mitchell, D. Pavlovic.

Logic for Protocol Composition A. Datta, A. Derek, J. Mitchell, D. Pavlovic.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
Security 2 Distributed Systems Lecture# 15. Overview Cryptography Symmetric Assymeteric Digital Signature Secure Digest Functions Authentication.

Security 2 Distributed Systems Lecture# 15. Overview Cryptography Symmetric Assymeteric Digital Signature Secure Digest Functions Authentication.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.
Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall 2011 1.

Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Secure Electronic Transaction (SET)

Secure Electronic Transaction (SET)

Similar presentations

Ads by Google