Multiset Rewriting and Security Protocol Analysis John Mitchell Stanford University I. Cervesato, N. Durgin, P. Lincoln, A. Scedrov.


1 Multiset Rewriting and Security Protocol Analysis John Mitchell Stanford University I. Cervesato, N. Durgin, P. Lincoln, A. Scedrov

2 Outline
- Protocol security
- Analysis methods
- Multiset rewriting with ∃
  - Rewrite formalism with “choose new value”
  - Protocol modeling within this framework
- Decision problems
- Applications of the MSR framework

3 Protocol Security
- Cryptographic Protocol
  - Program distributed over network
  - Use cryptography to achieve goal
- Attacker
  - Read, intercept, replace messages, and remember their contents
- Correctness
  - Attacker cannot learn protected secret or cause incorrect protocol completion

4 Needham-Schroeder Protocol
A → B: { A, Nonce_a }_Kb
B → A: { Nonce_a, Nonce_b }_Ka
A → B: { Nonce_b }_Kb
Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1

5 Run of protocol
[Diagram: principals A, B, C, D in Initiate and Respond roles, plus Attacker]
Correct if no security violation in any run

6 Anomaly in N-S Protocol
[Diagram: A, E, B exchanging {A, Na}, {Na, Nb}, {Nb} under keys Ke, Kb, Ka, Ke]
Evil agent E tricks honest A into revealing private key Nb from B. Evil E can then fool B. [Lowe]

7 Contract Signing (Fair Exchange)
- Both parties want to sign a contract
- Neither wants to commit first
Immunity deal

8 General protocol outline
[Diagram: A and B exchange “I am going to sign the contract”, then “Here is my signature”]
- Trusted third party can force contract
  - Third party can declare contract binding if presented with first two messages.

9 Asokan-Shoup-Waidner protocol
[Diagrams. Agree (A, B): m1 = sign(A, c, hash(r_A)), sign(B, m1, hash(r_B)), r_A, r_B. Abort (A, T): a_1, then sig_T(a_1, abort) if not already resolved. Resolve (B, A, Net, T): m_1, m_2, then sig_T(m_1, m_2). Attack?]

10 Secure Sockets Layer
[Diagram: protocol stack with Application (telnet, http, ftp, nntp), SSL, Transport (TCP), Internet (IP), Network interface, Physical layer]
Common use: https = http over SSL

11 Handshake Protocol
ClientHello    C → S: C, Ver_C, Suite_C, N_C
ServerHello    S → C: Ver_S, Suite_S, N_S, sign_CA{ S, K_S }
ClientVerify   C → S: sign_CA{ C, V_C }, { Ver_C, Secret_C }_K_S, sign_C{ Hash( Master(N_C, N_S, Secret_C) + Pad_2 + Hash( Msgs + C + Master(N_C, N_S, Secret_C) + Pad_1 )) }
(Change to negotiated cipher)
ServerFinished S → C: { Hash( Master(N_C, N_S, Secret_C) + Pad_2 + Hash( Msgs + S + Master(N_C, N_S, Secret_C) + Pad_1 )) }_Master(N_C, N_S, Secret_C)
ClientFinished C → S: { Hash( Master(N_C, N_S, Secret_C) + Pad_2 + Hash( Msgs + C + Master(N_C, N_S, Secret_C) + Pad_1 )) }_Master(N_C, N_S, Secret_C)
Notation: Signature: sign_CA{ … }; Encryption: { … }_K; Hash: Hash( … )

12 II. Analysis Methods

13 Protocol Analysis Methods
- Non-formal approaches (useful, but no tools…)
  - Some crypto-based proofs [Bellare, Rogaway]
  - Communicating Turing Machines [Canetti]
- BAN and related logics
  - Axiomatic semantics of protocol steps
- Methods based on operational semantics
  - Intruder model derived from Dolev-Yao
  - Protocol gives rise to set of traces
    - Denotation of protocol = set of runs involving arbitrary number of principals plus intruder

14 Example projects and tools
- Prove protocol correct
  - Paulson’s “Inductive method”, others in HOL, PVS, MITRE - Strand spaces
  - Process calculus: Abadi-Gordon, Gordon-Jeffrey
- Search using symbolic representation of states
  - Meadows: NRL Analyzer, Millen: CAPSL
- Exhaustive finite-state analysis
  - FDR, based on CSP [Lowe, Roscoe, Schneider, …]
  - Murphi, CASPER, CAPSL, …
All depend on behavior of protocol in presence of attack

15 III. Multiset Rewriting Method
A form of rewriting with
  - One associative, commutative operator (Banatre, LeMetayer; Chem Abs Machine)
  - ∃ to generate fresh data
Conventions for modeling protocols, adversary using rewriting

16 A notation for inf-state systems
- Many previous models are buried in tools
- Define common model in tool-independent formalism
[Diagram relating: Linear Logic (      ), Process Calculus, Finite Automata, Proof search (Horn clause), Multiset rewriting]

17 Modeling Requirements
- Express properties of protocols
  - Initialization
    - Principals and their private/shared data
  - Nonces
    - Generate fresh random data
- Model attacker
  - Characterize possible messages by attacker
  - Cryptography
- Set of runs of protocol under attack

18 Notation commonly found in literature
A → B : { A, Nonce_a }_Kb
B → A : { Nonce_a, Nonce_b }_Ka
A → B : { Nonce_b }_Kb
- The notation describes protocol traces
- Does not
  - specify initial conditions
  - define response to arbitrary messages
  - characterize possible behaviors of attacker

19 Rewriting Notation
- Non-deterministic infinite-state systems
- Facts
  F ::= P(t_1, …, t_n)
  t ::= x | c | f(t_1, …, t_n)
  Multi-sorted first-order atomic formulas
- States { F_1, ..., F_n }
  - Multiset of facts
    - Includes network messages, private state
    - Intruder will see messages, not private state

20 Rewrite rules
- Transition
  F_1, …, F_k → ∃x_1 … ∃x_m. G_1, …, G_n
- What this means
  - If F_1, …, F_k in state σ, then a next state σ’ has
    - Facts F_1, …, F_k removed
    - G_1, …, G_n added, with x_1 … x_m replaced by new symbols
    - Other facts in state σ carry over to σ’
  - Free variables in rule universally quantified
- Note
  - Pattern matching in F_1, …, F_k can invert functions
  - Linear Logic: F_1 ⊗ … ⊗ F_k ⊸ ∃x_1 … ∃x_m (G_1 ⊗ … ⊗ G_n)

21 Finite-State Example
- Predicates: State, Input
- Function: •
- Constants: q_0, q_1, q_2, q_3, a, b, nil
- Transitions:
  State(q_0), Input(a • x) → State(q_1), Input(x)
  State(q_0), Input(b • x) → State(q_2), Input(x)
  ...
- Set of rewrite transition sequences = set of runs of automaton
[Diagram: automaton with states q_0, q_1, q_2, q_3 and transitions labeled a and b]

22 Simplified Needham-Schroeder
- Predicates
  A_i, B_i, N_i -- Alice, Bob, Network in state i
- Transitions (picture next slide)
  → ∃x. A_1(x)
  A_1(x) → N_1(x), A_2(x)
  N_1(x) → ∃y. B_1(x,y)
  B_1(x,y) → N_2(x,y), B_2(x,y)
  A_2(x), N_2(x,y) → A_3(x,y)
  A_3(x,y) → N_3(y), A_4(x,y)
  B_2(x,y), N_3(y) → B_3(x,y)
- Protocol being modeled
  A → B: {n_a, A}_Kb
  B → A: {n_a, n_b}_Ka
  A → B: {n_b}_Kb
- Authentication
  A_4(x,y) ∧ B_3(x,y’) ⇒ y=y’

23 Sample Trace
A → B: {n_a, A}_Kb
B → A: {n_a, n_b}_Ka
A → B: {n_b}_Kb
Rule applied | resulting state:
  → ∃x. A_1(x)                    | A_1(n_a)
  A_1(x) → A_2(x), N_1(x)         | A_2(n_a), N_1(n_a)
  N_1(x) → ∃y. B_1(x,y)           | A_2(n_a), B_1(n_a, n_b)
  B_1(x,y) → N_2(x,y), B_2(x,y)   | A_2(n_a), N_2(n_a, n_b), B_2(n_a, n_b)
  A_2(x), N_2(x,y) → A_3(x,y)     | A_3(n_a, n_b), B_2(n_a, n_b)
  A_3(x,y) → N_3(y), A_4(x,y)     | A_4(n_a, n_b), N_3(n_b), B_2(n_a, n_b)
  B_2(x,y), N_3(y) → B_3(x,y)     | A_4(n_a, n_b), B_3(n_a, n_b)

24 Adversary and Cryptography
- How powerful is the adversary?
  - Simple replay of previous messages
  - Block messages; Decompose, reassemble, resend
  - Statistical analysis, traffic analysis
  - Timing attacks
- How much detail in underlying data types?
  - Plaintext, ciphertext and keys
    - atomic data or bit sequences
  - Encryption and hash functions
    - “perfect” cryptography
    - algebraic properties: encr(x*y) = encr(x) * encr(y) for RSA encrypt(k,msg) = msg^k mod N

25 Common Intruder Model
- Derived from Dolev-Yao model
  - Adversary is nondeterministic process
  - Adversary can
    - Block network traffic
    - Read any message, decompose into parts
    - Decrypt if key is known to adversary
    - Insert new message from data it has observed
  - Adversary cannot
    - Gain partial knowledge
    - Guess part of a key
    - Perform statistical tests, …

26 Formalize Intruder Model
- Intercept, decompose and remember messages
  N_1(x) → M(x)
  N_2(x,y) → M(x), M(y)
  N_3(x) → M(x)
- Decrypt if key is known
  M(enc(k,x)), M(k) → M(x)
- Compose and send messages from “known” data
  M(x) → N_1(x), M(x)
  M(x), M(y) → N_2(x,y), M(x), M(y)
  M(x) → N_3(x), M(x)
- Generate new data as needed
  → ∃x. M(x)
Highly nondeterministic, same for any protocol

27 Attack on Simplified Protocol
Rule applied | resulting state:
  → ∃x. A_1(x)               | A_1(n_a)
  A_1(x) → A_2(x), N_1(x)    | A_2(n_a), N_1(n_a)
  N_1(x) → M(x)              | A_2(n_a), M(n_a)
  → ∃x. M(x)                 | A_2(n_a), M(n_a), M(n_a’)
  M(x) → N_1(x), M(x)        | A_2(n_a), M(n_a), M(n_a’), N_1(n_a’)
  N_1(x) → ∃y. B_1(x,y)      | A_2(n_a), M(n_a), M(n_a’), B_1(n_a’, n_b)
Continue “man-in-the-middle” to violate specification
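The rewrite rules of slide 22 and the intercept/compose rules of slide 26 can be executed directly; the following is an added example, not code from the presentation, that searches the reachable states for a violation of the slide 22 authentication property. Assumptions made here: start facts A0 and B0 (in the style of slide 29) limit the run to one instance of each role, fresh values are named na and nb, the intruder's ∃ rule is left out, and states are kept as sets so the search is finite.

```python
from collections import deque

def R(name, lhs, rhs, **fresh):   # rule = (name, left facts, right facts, ∃-bound vars)
    parse = lambda txt: [tuple(f.split()) for f in txt.split(",")]
    return name, parse(lhs), parse(rhs), fresh

# Slide 22 roles. A0/B0 are assumed start facts: one instance of A and of B.
PROTOCOL = [R("A1", "A0", "A1 x", x="na"), R("A2", "A1 x", "N1 x, A2 x"),
            R("B1", "B0, N1 x", "B1 x y", y="nb"), R("B2", "B1 x y", "N2 x y, B2 x y"),
            R("A3", "A2 x, N2 x y", "A3 x y"), R("A4", "A3 x y", "N3 y, A4 x y"),
            R("B3", "B2 x y, N3 y", "B3 x y")]
# Slide 26 intruder without its ∃ rule: intercept (get) and compose (put).
INTRUDER = [R("get1", "N1 x", "M x"), R("get2", "N2 x y", "M x, M y"),
            R("get3", "N3 x", "M x"), R("put1", "M x", "N1 x, M x"),
            R("put2", "M x, M y", "N2 x y, M x, M y"), R("put3", "M x", "N3 x, M x")]

def matches(pats, state, sub):
    """Yield each substitution under which every pattern is a fact of the state."""
    if not pats:
        yield sub
        return
    for fact in state:
        if fact[0] == pats[0][0] and len(fact) == len(pats[0]):
            s = dict(sub)
            if all(s.setdefault(v, c) == c for v, c in zip(pats[0][1:], fact[1:])):
                yield from matches(pats[1:], state, s)

def successors(state, rules):     # one rewrite step: remove left side, add right side
    for name, lhs, rhs, fresh in rules:
        for sub in matches(lhs, state, {}):
            s = {**sub, **fresh}
            inst = lambda f: (f[0],) + tuple(s[v] for v in f[1:])
            yield name, (state - {inst(f) for f in lhs}) | {inst(f) for f in rhs}

def violates(state):              # slide 22: A4(x,y) and B3(x,y') must imply y = y'
    return any(a[0] == "A4" and b[0] == "B3" and a[1] == b[1] and a[2] != b[2]
               for a in state for b in state)

def find_attack(rules, start=frozenset({("A0",), ("B0",)})):
    """Breadth-first search over reachable states; returns (trace, state) or None."""
    seen, queue = {start}, deque([(start, [])])
    while queue:
        state, trace = queue.popleft()
        if violates(state):
            return trace, state
        for name, nxt in successors(state, rules):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [name]))
```

`find_attack(PROTOCOL)` finds no violation, while `find_attack(PROTOCOL + INTRUDER)` returns a shortest rule sequence ending in a state where A and B disagree on the second nonce.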

28 Protocols vs Rewrite rules
- Can axiomatize any computational system
- But -- protocols are not arbitrary programs
[Diagram: Choose principals (Client); Select roles (Client, TGS, Server)]

29 Protocol theory
- Initialization theory
  - Bounded theory that “precedes” protocol run
  - Example: ∃key. Principal(key)
- Role generation theory
  Principal(key) → A_0(key), Principal(key)
  Principal(key) → B_0(key), Principal(key)
- Role theory
  - Finite ordered list of rules
    A_i(…), N_j(…) → ∃… A_k(…), N_l(x) where i<k, j<l
  - Can also have persistent predicates on left/right

30 Two-phase intruder theory
- Avoid pointless looping by intruder
  M(x), M(y) → N(x,y), M(x), M(y)
  N(x,y) → M(x), M(y)
- Phase 1: Decomposition
- Phase 2: Composition

31 Thesis: MSR Model is accurate
- Captures “Dolev-Yao-Needham-Millen-Meadows-…” model
  - MSR defines set of traces protocol and attacker
  - Connections with approach in other formalisms
- Useful for protocol analysis
  - Errors shown by model are errors in protocol
  - If no error appears, then no attack can be carried out using only the actions allowed by the model

32 IV. Decision Problems

33 Complexity results using MSR
Key insight: existential quantification (∃) captures cryptographic nonce; main source of complexity
[Table, cell layout not recoverable. Labels: Intruder w/o ∃, Intruder with ∃, Unbounded use of ∃, Bounded use of ∃, Bounded # of roles. Entries: NP – complete, Undecidable, ??, DExp – time] [Durgin, Lincoln, Mitchell, Scedrov]
All: Finite number of different roles, each role of finite length, bounded message size

34 Corresponding rewrite systems
[Table, cell layout not recoverable. Labels: Transfer rules w/o ∃, Transfer rules with ∃, Unbounded use of ∃, Bounded use of ∃, Bounded # of subsets. Entries: NP – complete, Undecidable, ??, DExp – time] [Durgin, Lincoln, Mitchell, Scedrov]
Standard set of rules, standard rewrite sequence
  - Partition into disjoint subsets
  - Each subset progresses finitely
  - Fixed set of rules move terms from one subset to another
  - Bounded number of function symbols in any term

35 Lower bounds from Horn clauses
Need to show that hard instances of Horn clause inference can be represented in the restricted form of a security protocol
[Table, cell layout not recoverable. Labels: Intruder w/o ∃, Intruder with ∃, Unbounded # of ∃, Bounded # of ∃, Bounded # of roles. Entries: NP-complete: Provable by bounded-length proof; Undecidable: Datalog + ∃; ??; Dexptime: Datalog] [Durgin, Lincoln, Mitchell, Scedrov]
All: Finite number of different roles, each role of finite length, bounded message size

36 Additional decidable cases
- Bounded role instances, unbounded msg size
  - Huima 99: decidable
  - Amadio, Lugiez: NP w/ atomic keys
  - Rusinowitch, Turuani: NP-complete, composite keys
  - Other studies, e.g., Kusters: unbounded # data fields
- Constraint systems
  - Cortier, Comon: Limited equality test
  - Millen, Shmatikov: Finite-length runs
All: bound number of role instances

37 IV. Refinement and applications of multiset rewriting framework

38 Using MSR for protocol analysis
- Extensions and general properties
  - Add dependent types and subsorting [C]
  - DY intruder is most powerful attacker [C]
- Relate to other models
  - Strand space model [CDLMS]
  - Linear logic provability [CDKS]
- Prove protocols correct
  - Contract signing [Chadha, Kanovich, Scedrov]
  - Kerberos 5 [Butler, Cervesato, Jaggard, Scedrov]

39 A glimpse of contract signing
- Each party enters contract with goal
  - Party who wants contract acts to complete the contract
- Correctness is relative to goal
  - Do not want well-intentioned party to suffer
- Leads to game-theoretic notions
  - If A follows strategy S, then B cannot achieve win over A
  - Or, A follows strategy from some class …
[Chadha, Kanovich, Scedrov]

40 Strategy: example
- Define execution tree using MSR
- Prune tree according to assumed strategy
- Determine correctness
[Diagram: execution tree with states S, S_1, S_2, S_3, S_4, S_5, S_6, S_7, S_8]

41 Honest participant
- Principal A is said to be honest if
  - A moves only according to protocol
  - Equivalent: A’s key not known to adversary

42 Interested participant
- Honest A is said to be interested if
  - Whenever A can choose between
    - waiting for a message from B
    - asking TTP for an abort
  - A waits and allows B to move next
[Chadha, Mitchell, Scedrov, Shmatikov]

43 Optimistic participant
- Honest A is said to be optimistic if
  - Whenever A can choose between
    - waiting for a message from B
    - contacting TTP for any purpose
  - A waits and allows B to move next

44 Hierarchy
[Diagram: Advantage against honest A (H-adv), Advantage against interested A (I-adv), Advantage against optimistic A (O-adv)]
- MSR model lets us define execution tree
- Define strategies, correctness over execution model
(End glimpse of contract signing)

45 Protocol analysis spectrum
[Plot: axes Sophistication of attacks and Protocol complexity, each Low to High; entries: Murϕ, FDR, NRL, Strands, Hand proofs, Paulson, Bolignano, BAN logic, Spi-calculus, Poly-time calculus, Model checking, Multiset rewriting with ∃, Protocol logic]

46 What’s missing? (Future directions)
- Specification language
  - MSR defines traces, execution tree
  - Need to specify correctness formally
- Programming language?
  - Separate commands done from those that remain
  - Distinguish local knowledge from global state
- Quantification over protocols
  - Every protocol satisfying  also satisfies .
  - Composition: Properties of Compose(P, Q) from properties of P and Q

47 Conclusions
- Thesis
  - Protocol analysis requires precise definition of possible runs under attack
  - Multiset rewriting with ∃
    - Provides natural, usable formalism
    - Captures set of runs
    - Exhibits uniformity of DY attacker
    - Related to linear logic, other protocol notations
  - Can use proof-theoretic results from LL
  - Can approximate MSR model by finite-state analysis

48 Conclusions
- Results
  - Decision problems
    - NP-complete with bounded role instances
    - Dexp-time complete with bounded nonces (∃)
    - Undecidable even if everything else bounded
  - Applications
    - Metatheory: Two attackers no better than one; Correctness of model checking optimizations
    - Protocol analysis: Contract signing, Kerberos v5
