Analysis of Security Protocols (III)
John C. Mitchell, Stanford University


1 Analysis of Security Protocols (III)
John C. Mitchell, Stanford University

2 Analyzing Security Protocols
- Non-formal approaches (can be useful, but no tools…)
  - Some crypto-based proofs [Bellare, Rogaway]
- BAN and related logics
  - Axiomatic semantics of protocol steps
- Methods based on operational semantics
  - Intruder model derived from Dolev-Yao
  - Protocol gives rise to set of traces
  - Perfect encryption
  - Possible to include known algebraic properties

3 Example projects and tools
- Prove protocol correct
  - Paulson's "Inductive method", others in HOL, PVS, etc.
  - Bolignano -- Abstraction methods
  - MITRE -- Strand spaces
  - Process calculus approach: Abadi-Gordon spi-calculus
- Search using symbolic representation of states
  - Meadows: NRL Analyzer, Millen: Interrogator
- Exhaustive finite-state analysis
  - FDR, based on CSP [Lowe, Roscoe, Schneider, …]
  - Murφ -- specialized input language
  - Clarke et al. -- state search with axiomatic intruder model

4 Explicit Intruder Method
(Diagram: Informal Protocol Description → Formal Protocol; the Formal Protocol and the Intruder Model are fed to the Analysis Tool, whose output reads "Gee whiz. Looks OK to me.")

5 A notation for inf-state systems
- Define protocol, intruder in minimal framework
- Disadvantage: need to introduce new notation
(Diagram: Multiset rewriting at the centre, connected to Formal Logic (…), Process Calculus, Finite Automata, and Proof search (Horn clause))

6 Protocol Notation
- Non-deterministic infinite-state systems
- Facts (multi-sorted first-order atomic formulas)
    F ::= P(t1, …, tn)
    t ::= x | c | f(t1, …, tn)
- States { F1, …, Fn }
  - Multiset of facts
  - Includes network messages, private state
  - Intruder will see messages, not private state

7 State Transitions
- Transition
    F1, …, Fk → ∃x1 … ∃xm. G1, …, Gn
- What this means
  - If F1, …, Fk in state σ, then a next state σ' has
    - Facts F1, …, Fk removed
    - G1, …, Gn added, with x1 … xm replaced by new symbols
    - Other facts in state σ carry over to σ'
  - Free variables in rule universally quantified
  - Pattern matching in F1, …, Fk can invert functions

8 Finite-State Example
- Predicates: State, Input
- Function: · (binary; a·x is input symbol a followed by the rest of the input x)
- Constants: q0, q1, q2, q3, a, b, nil
- Transitions:
    State(q0), Input(a·x) → State(q1), Input(x)
    State(q0), Input(b·x) → State(q2), Input(x)
    ...
(Automaton diagram: states q0, q1, q2, q3 with edges labelled a and b)

9 Existential Quantification
- Natural-deduction proof rule (∃ elim):
    from ∃x. φ, and a derivation of ψ from the hypothesis [y/x]φ, conclude ψ
- Summary: for proof from ∃x. φ, choose new symbol y and proceed from [y/x]φ
  - y not free in any other hypothesis

10 Infinite-State Example
- Predicates: State, Input, Color
- Function: ·
- Constants: q0, a, b, nil, red, blue
- Transitions:
    State(q), Input(a·x), Color(q,red) → ∃q'. State(q'), Input(x), Color(q',blue), Color(q,red)
    ...
- Input a: change color; Input b: same color
- Need to preserve facts explicitly (Color(q,red) is re-added on the right-hand side)
(Diagram: states generated from q0 with edges labelled a and b)

11 Turing Machine
- Predicates
  - Current(state,cell) -- current state, tape pos.
  - Contents(cell, symbol) -- contents of tape cell
  - Adjacent(cell, cell) -- keep cells in order
- Constants
  - q0, q1, q2, … -- finite set of states
  - c0, ceot -- initial tape cells
  - "0", "1", "b" -- tape symbols

12 Turing Machine (II)
- Transitions
  - Adjacent(c0, ceot)                                                     (initial tape)
  - Adjacent(c, ceot) → ∃c'. Adjacent(c,c'), Adjacent(c',ceot)             (infinite linear tape)
  - Current(qi,c), Contents(c,"0"), Adjacent(c,c') → Current(qk,c'), Contents(c,"1"), Adjacent(c,c')   (sample move right)
  - Current(qi,c), Contents(c,"1"), Adjacent(c',c) → Current(qk,c'), Contents(c,"0"), Adjacent(c',c)   (sample move left)
(Diagram: tape cells c0 … c c' … ceot)

13 Simplified Needham-Schroeder
- Predicates Ai, Bi, Ni -- Alice, Bob, Network in state i
- Transitions (picture next slide)
    ∃x. A1(x)
    A1(x) → N1(x), A2(x)
    N1(x) → ∃y. B1(x,y)
    B1(x,y) → N2(x,y), B2(x,y)
    A2(x), N2(x,y) → A3(x,y)
    A3(x,y) → N3(y), A4(x,y)
    B2(x,y), N3(y) → B3(x,y)
- Protocol being modelled
    A → B: {na, A}Kb
    B → A: {na, nb}Ka
    A → B: {nb}Kb
- Authentication
    A4(x,y) ∧ B3(x,y') ⊃ y = y'

14 Sample Trace
Protocol:
    A → B: {na, A}Kb
    B → A: {na, nb}Ka
    A → B: {nb}Kb
Rules:
    ∃x. A1(x)
    A1(x) → A2(x), N1(x)
    N1(x) → ∃y. B1(x,y)
    B1(x,y) → N2(x,y), B2(x,y)
    A2(x), N2(x,y) → A3(x,y)
    A3(x,y) → N3(y), A4(x,y)
    B2(x,y), N3(y) → B3(x,y)
Trace (one rule fires per step; the other facts carry over):
    A1(na)
    A2(na), N1(na)
    A2(na), B1(na,nb)
    A2(na), N2(na,nb), B2(na,nb)
    A3(na,nb), B2(na,nb)
    A4(na,nb), N3(nb), B2(na,nb)
    A4(na,nb), B3(na,nb)

15 Common Intruder Model
- Derived from Dolev-Yao model [1989]
  - Adversary is nondeterministic process
  - Adversary can
    - Block network traffic
    - Read any message, decompose into parts
    - Decrypt if key is known to adversary
    - Insert new message from data it has observed
  - Adversary cannot
    - Gain partial knowledge
    - Guess part of a key
    - Perform statistical tests, …

16 Formalize Intruder Model
- Intercept and remember messages
    N1(x) → M(x)
    N2(x,y) → M(x), M(y)
    N3(x) → M(x)
- Send messages from "known" data
    M(x) → N1(x), M(x)
    M(x), M(y) → N2(x,y), M(x), M(y)
    M(x) → N3(x), M(x)
- Generate new data as needed
    ∃x. M(x)
- Highly nondeterministic, same for any protocol

17 Attack on Simplified Protocol
Rules used:
    ∃x. A1(x)
    A1(x) → A2(x), N1(x)
    N1(x) → M(x)
    ∃x. M(x)
    M(x) → N1(x), M(x)
    N1(x) → ∃y. B1(x,y)
Trace:
    A1(na)
    A2(na), N1(na)
    A2(na), M(na)
    A2(na), M(na), M(na')
    A2(na), M(na), M(na'), N1(na')
    A2(na), M(na), M(na'), B1(na', nb)
Continue "man-in-the-middle" to violate specification

18 Modeling Perfect Encryption
- Encryption functions and keys
  - For public-key encryption
    - two key sorts: e_key, d_key
    - predicate Key_pair(e_key, d_key)
  - Functions
      enc : e_key × msg -> msg
      dec : d_key × msg -> msg (implicit in pattern-matching)
- Properties of this model
  - Encrypt, decrypt only with appropriate keys
  - Only produce enc(key, msg) from key and msg (!!!)
    - This is not true for some encryption functions

19 Steps in public-key protocol
- Bob generates key pair and publishes
    ∃e_key u. ∃d_key v. Bob1(u,v)
    Bob1(u,v) → NAnnounce(u), Bob2(u,v)
- Alice sends encrypted message to Bob
    Alice1(e,d,x), NAnnounce(e') → Alice2(e,d,x,e')
    Alice2(e,d,x,e') → N1(enc(e', ⟨x,e⟩)), Alice3(e,d,x,e')
- Bob decrypts
    Bob2(u,v), N1(enc(u, ⟨x,y⟩)) → ∃z. Bob3(u,v,x,y,z)

20 Intruder Encryption Capabilities
- Intruder can encrypt with encryption key
    M_e(k), M_data(x) → Ni(enc(k,x)), M_e(k), M_data(x)
- Intruder can decrypt with decryption key
    Nj(enc(k,x)), Key_pair(k,k'), M_d(k') → M_data(x), ...
- Add to previous intruder model
- Assumes sorts data, e_key, d_key with typed predicates M_data(data), M_e(e_key), M_d(d_key)

21 Intruder: power and limitations
- Can find some attacks
  - Needham-Schroeder by exhaustive search
- Other attacks are outside model
  - Interaction between protocol and encryption
- Some protocols cannot be modeled
  - Probabilistic protocols
  - Steps that require specific property of encryption
- Possible to prove erroneous protocol correct
  - Requires property that crypto does not provide

22 Optimize Protocol + Intruder
- Adversary receives all messages; no net
  - Replace
      Alicei(x,y) → Nj(x), Alicek(x,y)
      Nj(x) → M(x)
      M(z) → Nj(z), M(z)
      Nj(x), Bobi(w) → Bobj(w,x)
    (Alice's message can go to Bob or M. M can replay or send a different msg.)
  - By
      Alicei(x,y) → M(x), Alicek(x,y)
      M(z), Bobi(w) → Bobj(w,z)
    (All messages go directly to M. M can forward or send a different msg.)

23 Additional Optimizations
- Intruder can simulate honest participants
  - If additional independent sessions are useful for attack, then intruder can simulate these sessions
  - Therefore -- suffices to consider single initiator, single responder, and intruder (for this protocol).
- For decidability, bound on intruder [Lowe]
  - Suffices to bound the number of new nonces
  - Analyze...
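As an added example (not part of the slides), the simplified Needham-Schroeder rules of slides 13 and 17 in the "no net" form of slide 22, bounded to a single initiator, a single responder and one fresh nonce each (slide 23), encoded as a multiset-rewriting system and searched exhaustively for a state violating the authentication specification. The constants na, nb, ni, the idle-responder fact B0 and the rule names are my own assumptions.

```python
from collections import deque

# Constructed Skolem constants: one fresh nonce each for Alice, Bob and the
# intruder (the bounded-nonce finite approximation of slides 23 and 30).
NA, NB, NI = "na", "nb", "ni"

def step(state):
    """Yield (rule, next_state) for each transition enabled in `state`."""
    # Facts are tuples, a state is a frozenset of facts, and every message goes
    # straight into the intruder memory M(.) (the "no net" form of slide 22).
    s = set(state)
    known = [f[1] for f in s if f[0] == "M"]          # data the intruder holds
    def fire(rule, remove, add):
        return rule, frozenset((s - set(remove)) | set(add))
    for f in list(s):
        if f[0] == "A1":                    # A1(x) -> M(x), A2(x)
            yield fire("A1->A2", [f], [("M", f[1]), ("A2", f[1])])
        elif f[0] == "A2" and ("M", f[1]) in s:   # M(x), M(y), A2(x) -> A3(x,y), M(x), M(y)
            for y in known:                 # the intruder may send any y it knows
                yield fire("A2->A3", [f], [("A3", f[1], y)])
        elif f[0] == "A3":                  # A3(x,y) -> M(y), A4(x,y)
            yield fire("A3->A4", [f], [("M", f[2]), ("A4", f[1], f[2])])
        elif f[0] == "B0":                  # M(x), B0 -> B1(x,nb): one responder, one nonce
            for x in known:
                yield fire("B0->B1", [f], [("B1", x, NB)])
        elif f[0] == "B1":                  # B1(x,y) -> M(x), M(y), B2(x,y)
            yield fire("B1->B2", [f], [("M", f[1]), ("M", f[2]), ("B2", f[1], f[2])])
        elif f[0] == "B2" and ("M", f[2]) in s:   # B2(x,y), M(y) -> B3(x,y), M(y)
            yield fire("B2->B3", [f], [("B3", f[1], f[2])])

def violates(state):
    """Authentication spec of slide 13: A4(x,y) and B3(x,y') must agree on y."""
    a4 = {(f[1], f[2]) for f in state if f[0] == "A4"}
    b3 = {(f[1], f[2]) for f in state if f[0] == "B3"}
    return any(x == x2 and y != y2 for x, y in a4 for x2, y2 in b3)

def search(init):
    """Exhaustive BFS over reachable states; returns the rule sequence to the
    first violating state, or None if the bounded model satisfies the spec."""
    seen, queue = {init}, deque([(init, [])])
    while queue:
        st, trace = queue.popleft()
        if violates(st):
            return trace
        for rule, nxt in step(st):
            if nxt not in seen:
                seen.add(nxt); queue.append((nxt, trace + [rule]))
    return None

INIT = frozenset({("A1", NA), ("B0",), ("M", NI)})  # Alice chose na; Bob idle; intruder holds ni
```

`search(INIT)` returns a six-rule trace in which Alice finishes with A4(na, y) for an intruder-chosen y while Bob finishes with B3(na, nb), the man-in-the-middle completion of the slide 17 trace; with Bob's step removed from the initial state the bounded model is exhausted with no violation.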

24 Analysis of Protocol+Intruder
- Prove properties of protocols
  - Unbounded # of participants, message space
  - Prove that system satisfies specification
    - Paulson, etc.: prove invariant holds at all reachable states
    - Spi-calculus: prove protocol equivalent to ideal protocol
- Symbolic search with pruning
  - Search backward from error
  - Prune search by proving forward invariants
- Exhaustive finite-state methods
  - Approximate infinite-state system by finite one
  - Search all states, perhaps with optimizations

25 Example description languages
- First- or Higher-order Logic
  - Define set of traces, prove protocol correct
- Horn-clause Logic
    ∀x… (A1 ∧ A2 ∧ … ⊃ B)
  - Symbolic search methods
- Process calculus
  - FDR model checker based on CSP
  - Spi-calculus proof methods based on pi-calculus
- Additional formalisms
  - CAPSL protocol description language [Millen]
  - Murφ language for finite-state systems

26 Paulson's Inductive Method
- Define set TR of traces of protocol+intruder
  - Similar to traces in unifying formalism
  - Transition F1, …, Fk → ∃x1 … ∃xm. G1, …, Gn gives one way of extending trace
- Auxiliary functions mapping traces to sets
  - Analz(trace) = data visible to intruder
  - Synth(trace) = messages intruder can synthesize
- Definitions and proofs use induction
  - Similar inductive arguments for many protocols

27 Symbolic Search Methods
- Examples: NRL Protocol Analyzer, Interrogator
- Main idea
  - Write protocol as set of Horn clauses
  - Transition F1, …, Fk → ∃x1 … ∃xm. G1, …, Gn can be Skolemized and translated to Prolog clauses
  - Search back from possible error for contradiction
  - This is usual Prolog refutation procedure
- Important pruning technique
  - Prove invariants by forward reasoning
  - Use these to avoid searching unreachable states

28 Process Calculus Description
- Protocol defined by set of processes
  - Each process gives one step of one principal
  - Can derive by translation from unifying notation
    - F1, …, Fk → ∃x1 … ∃xm. G1, …, Gn is one process
    - Replace predicates by port names
    - Replace pattern-matching by explicit destructuring
    - In pi-calculus, use ν in place of ∃
- Example
    B1(x,y) → N2(x,y), B2(x,y)
  becomes
    b1(p). let x=fst(p) and y=snd(p) in n2⟨x,y⟩ | b2⟨x,y⟩ end

29 Spi-Calculus [AG97, ...]
- Write protocol in process calculus
- Express security using observational equivalence
  - Standard relation from programming language theory
      P ≃ Q iff for all contexts C[ ], same observations about C[P] and C[Q]
  - Context (environment) represents adversary
- Use proof rules for ≃ to prove security
  - Protocol is secure if no adversary can distinguish it from an idealized version of the protocol

30 Finite-state methods
- Two sources of infinite behavior
  - Many instances of participants, multiple runs
  - Message space or data space may be infinite
- Finite approximation
  - Transitions: F1, …, Fk → ∃x1 … ∃xm. G1, …, Gn -- choose fixed number of Skolem constants
  - Terms: restrict repeated functions f(f(f(f(x))))
- Can express finite-state protocol + intruder in
  - CSP: FDR-based model checking projects
  - Other notations: Murφ project, Clarke et al., ...

31 Security Protocols in Murφ
- Standard "benchmark" protocols
  - Needham-Schroeder, TMN, …
  - Kerberos
- Study of Secure Sockets Layer (SSL)
  - Versions 2.0 and 3.0 of handshake protocol
  - Include protocol resumption
- Discovered all known or suspected attacks
- Recent work on tool optimization [Shmatikov, Stern, ...]

32 Malleability [Dolev, Dwork, Naor]
- Idealized assumption
  - If intruder produces Network(enc(k,x)) then either
    - Network(enc(k,x)) → M(enc(k,x)) (replay)
    - M(k), M(x) → M(enc(k,x)) (knows parts)
- Not true for RSA
  - encrypt(k,msg) = msg^k mod N
  - property encr(x*y) = encr(x) * encr(y)
- Model
  - Network(enc(k,x)) → M(…) ... → Network(enc(k,c*x))
  - Can send encrypted message without "knowing" message
  - Finite state?
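As an added example (not from the slides), the RSA property of slide 32 worked through on constructed toy parameters, to show concretely why the "only produce enc(key, msg) from key and msg" assumption of slide 18 fails for textbook RSA: from a ciphertext alone one can build the ciphertext of c*x without ever learning x, which is the Network(enc(k,x)) → … → Network(enc(k,c*x)) rule the slide adds to the model. The parameters P, Q, E and the helper names are my own choices.

```python
# Constructed toy RSA parameters (far too small for real use; chosen so the
# arithmetic can be checked by hand and the 65 -> 2790 example is familiar).
P, Q, E = 61, 53, 17
N = P * Q                              # 3233
D = pow(E, -1, (P - 1) * (Q - 1))      # 2753, the matching decryption key

def enc(k, m):
    """Textbook RSA exactly as on slide 32: encrypt(k, msg) = msg^k mod N."""
    return pow(m, k, N)

def dec(k, c):
    """Decryption is the same operation with the decryption exponent."""
    return pow(c, k, N)

def malleate(c, factor):
    """From enc(E, x) alone, produce enc(E, factor*x mod N).

    Uses encr(x*y) = encr(x) * encr(y): the caller needs only the public key
    and the ciphertext, never x, which is what breaks the perfect-encryption
    model's 'knows parts' requirement."""
    return (c * enc(E, factor)) % N

def roundtrip(x, factor):
    """Return (dec of original, dec of malleated ciphertext) for comparison."""
    c = enc(E, x)
    return dec(D, c), dec(D, malleate(c, factor))
```

A model checker that only admits the two idealized derivations of slide 32 can never reach the state Network(enc(k, c*x)) and may therefore pass a protocol whose security depends on ciphertexts being unforgeable without the key.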

33 Authentication and Secrecy for Handshake Protocols
- How many protocols are there to verify?
  - Average length: 7 steps
  - Data fields per message: 5 fields
  - Distinct ways to fill a field: 50 entries
  - Number of possible combinations: 1750 protocols
- Research directions
  - Get the monkeys and typewriters going
  - Easier description and specification, faster tools
  - Improved analysis of timestamps, ...
  - Interaction between protocol and crypto primitives
