Slide 1: Security Analysis of Network Protocols
John Mitchell, Stanford University

Slide 2: Computer Security Research
Topic map (figure): Malicious Code; MDS/MLS; Situational Understanding; OODA; Semantic Assurance; Formalized Design; Intrusion Detection; IA Sensors; Survivable Network Infrastructures; Physical Security; Autonomic Response; Policy; Course of Action Projection; Auto Forensics; Cyber Control Panel; Dynamic Coalitions; Law Enforcement Policy; Protective Mechanisms; Crypto; Composable Trust; Open Source Strategies; Cyber Sensor Exploitation; Intrusion Tolerance; Cyber Strategy; Lifecycle Attacks; Insider; Security of Mobile Agents; Privacy; Web Services.

Slide 3: Security Protocols
- Challenge-response: ISO 9798-1,2,3; Needham-Schroeder, ...
- Authentication: Kerberos
- Key exchange: SSL handshake, IKE, JFK, IKEv2
- Wireless and mobile computing: Mobile IP, WEP, 802.11i
- Electronic commerce: contract signing, SET, electronic cash, ...
Slide 4: Needham-Schroeder Protocol
  A -> B: {A, NonceA}_Kb
  B -> A: {NonceA, NonceB}_Ka
  A -> B: {NonceB}_Kb
Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1.

Slide 5: Anomaly in Needham-Schroeder [Lowe]
  A -> E: {A, Na}_Ke
  E -> B: {A, Na}_Kb        (E re-encrypts A's first message and sends it to B as A)
  B -> A: {Na, Nb}_Ka       (passes through E, who cannot read it and forwards it to A)
  A -> E: {Nb}_Ke
  E -> B: {Nb}_Kb
Evil agent E tricks honest A into revealing the private value Nb from B. Evil E can then fool B.

Slide 6: Needham-Schroeder-Lowe
  A -> B: {A, NonceA}_Kb
  B -> A: {NonceA, B, NonceB}_Ka
  A -> B: {NonceB}_Kb
Questions: Authentication? Secrecy? Replay attack? Forward secrecy? Denial of service? Identity protection?
Slide 7: IKE subprotocol from IPSEC
  m1:  A -> B: A, (g^a mod p)
  m2:  B -> A: B, (g^b mod p), sign_B(m1, m2)
       A -> B: sign_A(m1, m2)
Result: A and B share secret g^ab mod p.
Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks.

Slide 8: Kerberos Protocol (figure)
Parties: Client C, KDC, Ticket-Granting Server TGS, Service S. Long-term keys: Kc (client), Ktgs (TGS), Kv (service); session keys Kt and Ks.
  C -> KDC: C, TGS
  KDC -> C: {Kt}_Kc, Ticket 1 = {C, Kt}_Ktgs
  C -> TGS: {C}_Kt, {C, Kt}_Ktgs, S
  TGS -> C: {Ks}_Kt, Ticket 2 = {C, Ks}_Kv
  C -> S:   {C}_Ks, {C, Ks}_Kv
Slide 9: Protocol layer over TCP/IP
Stack (figure, top to bottom): Application (telnet, http, ftp, nntp); SSL; Transport (TCP); Internet (IP); Network interface; Physical layer.
Common use: https = http over SSL.

Slide 10: Handshake Protocol
  ClientHello     C -> S: C, Ver_C, Suite_C, N_C
  ServerHello     S -> C: Ver_S, Suite_S, N_S, sign_CA{S, K_S}
  ClientVerify    C -> S: sign_CA{C, V_C}, {Ver_C, Secret_C}_K_S,
                          sign_C{Hash(Master(N_C, N_S, Secret_C) + Pad_2 + Hash(Msgs + C + Master(N_C, N_S, Secret_C) + Pad_1))}
  (Change to negotiated cipher)
  ServerFinished  S -> C: {Hash(Master(N_C, N_S, Secret_C) + Pad_2 + Hash(Msgs + S + Master(N_C, N_S, Secret_C) + Pad_1))}_Master(N_C, N_S, Secret_C)
  ClientFinished  C -> S: {Hash(Master(N_C, N_S, Secret_C) + Pad_2 + Hash(Msgs + C + Master(N_C, N_S, Secret_C) + Pad_1))}_Master(N_C, N_S, Secret_C)
Slide 11: Mobile IPv6 Architecture
Figure: Mobile Node (MN), Corresponding Node (CN), Home Agent (HA) over IPv6; direct connection between MN and CN via binding update.
- Authentication is a requirement
- Early proposals weak

Slide 12: Wireless Authentication: Robust Security Network Association
- Pre-RSNA (poor security): 802.11 authentication; Wired Equivalent Protocol (WEP); CRC MIC (Message Integrity Code)
- RSNA (better security): 802.1x authentication; key management; improved MIC scheme, data encryption

Slide 13: RSNA Sub-protocols
Figure: laptop computer (STA) -- wireless -- Access Point (AP) -- Ethernet -- Radius Server (AS).
  802.11 Association:      (1) MAC disabled, port blocked  ->  (2) MAC enabled, port blocked
  802.1x Authentication:   (3) MAC enabled, port blocked, PMK generated in STA and AS; AS moves PMK to AP
  4-way key management:    (4) MAC enabled, port allowed, PTK := KCK | KEK | TK
  Secure communication
Slide 14: Optimistic contract signing
- Trusted third party can force contract: third party can declare contract binding if presented with first two messages.
  A -> B: I am going to sign the contract
  B -> A: I am going to sign the contract
  A -> B: Here is my signature
  B -> A: Here is my signature

Slide 15: Asokan-Shoup-Waidner protocol (figure)
  Agree:   A -> B: m1 = sign(A, c, hash(r_A))
           B -> A: m2 = sign(B, m1, hash(r_B))
           A -> B: r_A
           B -> A: r_B
  Abort:   A -> T: a1
           T -> A: sig_T(a1, abort), if not already resolved
  Resolve: B -> T: m1, m2
           T -> B: sig_T(m1, m2)
  Attack?  (the slide marks the disputed steps with ???)

Slide 16: Garay, Jakobsson, MacKenzie (figure)
  Agree:   A -> B: PCS_A(text, B, T)
           B -> A: PCS_B(text, A, T)
           A -> B: sig_A(text)
           B -> A: sig_B(text)
  Abort:   A -> T: m1 = PCS_A(text, B, T)
           T -> A: sig_T(abort)
  Resolve: B -> T: PCS_A(text, B, T), sig_B(text)
  Attack:  abort AND sig_B(text); leaked by T (the slide marks the disputed steps with ???)
Slide 17: STS Family Derivation (figure)
Base: m = g^x, n = g^y, k = g^xy.
Nodes: STS_0, STS_0H, STS_a, STS_aH, STS_H, STS_PH, STS_P, JFK_0, JFK_1, JFKi, JFKr.
Transformations along the edges: distribute certificates; cookie; open responder; symmetric hash; protect identities.
Properties: certificates from CA; shared secret g^ab; identity protection; DoS protection; reverse ID protection.

Slide 18: Protocol Analysis
- Computational approaches (insightful, no tools...): proof methods of Bellare-Rogaway, Maurer, Canetti, Backes-Pfitzmann-Waidner
- BAN and related axiomatic approaches
- Methods grounded in symbolic execution
  - Assume perfect cryptography
  - Protocol determines set of traces
    - Arbitrary number of principals plus intruder
  - Enumerate, search, or reason about this set
Slide 19: Run of protocol
Figure: principals A, B, C, D initiate and respond; an attacker participates in the runs.
Correct if no security violation in any run.

Slide 20: Explicit Intruder Method
Figure: informal protocol description -> formal protocol + intruder model -> analysis tool -> find error? assurance?

Slide 21: Automated Finite-State Analysis
- Define finite-state system
  - Bound on number of steps
  - Finite number of participants
  - Nondeterministic adversary with finite options
- Pose correctness condition
  - Can be simple: authentication and secrecy
  - Can be complex: contract signing
- Exhaustive search using "verification" tool
  - Error in finite approximation -> error in protocol
  - No error in finite approximation -> ???

Slide 22: Finite-state limitations
- Two sources of infinite behavior
  - Many instances of participants, multiple runs
  - Message space or data space may be infinite
- Finite approximation
  - Assume finite participants
    - Example: 2 clients, 2 servers
  - Assume finite message space
    - Represent random numbers by r1, r2, r3, ...
    - Do not allow encrypt(encrypt(encrypt(...)))
Slide 23: State Reduction on N-S Protocol
(figure only; the data table did not survive extraction)

Slide 24: Model Checking Studies
- Standard academic benchmarks: Needham-Schroeder, TMN, Kerberos
- Realistic network protocols: SSL 3.0, with resumption protocol
- Contract signing protocols: Asokan-Shoup-Waidner, Garay-Jakobsson-MacKenzie
- Wireless networking: authenticated Mobile IPv6, 802.11i

Slide 25: CS259 Term Projects
iKP protocol family; Electronic voting; XML Security; IEEE 802.11i wireless handshake protocol; Onion Routing; Electronic Voting; Secure Ad-Hoc Distance Vector Routing; An Anonymous Fair Exchange E-commerce Protocol; Key Infrastructure; Secure Internet Live Conferencing; Windows file-sharing protocols; Homework.

Slide 26: Analysis Methods
Figure: three axes, modeling detail, number of sessions, complexity of protocol.

Slide 27: Protocol analysis spectrum
Figure: modeling detail (low to high) against protocol complexity (low to high). Placed on the chart: hand proofs; Paulson; strand spaces; BAN logic; spi-calculus; poly-time calculus; model checking (Murφ, FDR, NRL, Athena); multiset rewriting with ∃; protocol logic.
Slide 28: Protocol derivation
- Protocol derivation: build security protocols by combining parts from standard sub-protocols.
- Proof of correctness: prove protocols correct using a logic that follows the steps of the derivation.

Slide 29: Example
- Construct protocol with properties: shared secret; authenticated; identity protection; DoS protection
- Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)

Slide 30: Component 1
- Diffie-Hellman
    A -> B: g^a
    B -> A: g^b
  - Shared secret (with someone)
    - A deduces: Knows(Y, g^ab) ⊃ (Y = A) ∨ Knows(Y, b)
  - Authenticated
  - Identity protection
  - DoS protection

Slide 31: Component 2
- Challenge-response:
    A -> B: m, A
    B -> A: n, sig_B{m, n, A}
    A -> B: sig_A{m, n, B}
  - Shared secret (with someone)
  - Authenticated
    - A deduces: Received(B, msg1) ∧ Sent(B, msg2)
  - Identity protection
  - DoS protection

Slide 32: Composition
- ISO 9798-3 protocol (m := g^a, n := g^b):
    A -> B: g^a, A
    B -> A: g^b, sig_B{g^a, g^b, A}
    A -> B: sig_A{g^a, g^b, B}
  - Shared secret: g^ab
  - Authenticated
  - Identity protection
  - DoS protection

Slide 33: Refinement
- Encrypt signatures:
    A -> B: g^a, A
    B -> A: g^b, E_K{sig_B{g^a, g^b, A}}
    A -> B: E_K{sig_A{g^a, g^b, B}}
  - Shared secret: g^ab
  - Authenticated
  - Identity protection
  - DoS protection

Slide 34: Transformation
- Use cookie: JFK core protocol
    A -> B: g^a, A
    B -> A: g^b, hash_KB{g^b, g^a}
    A -> B: g^a, g^b, hash_KB{g^b, g^a}, E_K{sig_A{g^a, g^b, B}}
    B -> A: g^b, E_K{sig_B{g^a, g^b, A}}
  - Shared secret: g^ab
  - Authenticated
  - Identity protection
  - DoS protection
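The cookie transformation of slide 34, as an added example that is not code from the slides or from JFK itself. It models only the part of the JFK core that provides DoS protection: the responder B answers message 1 with a fixed g^b and hash_KB{g^b, g^a}, keeps no per-initiator state, and does its modular exponentiation only after message 3 returns a cookie that verifies under its secret KB. Assumptions made here: hash_KB is HMAC-SHA256 keyed with KB, the session key K is the SHA-256 of g^ab, the group is a toy one (p = 2^127 - 1, g = 2, far too small for real use), and the E_K{sig_A{...}} / E_K{sig_B{...}} parts of messages 3 and 4 are left out because they belong to the authentication component, not to the cookie.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (ASSUMPTION: demonstration size only).  2^127 - 1 is prime.
P = (1 << 127) - 1
G = 2

def cookie(kb, gb, ga):
    """hash_KB{g^b, g^a} from the slide, realised as HMAC-SHA256 keyed with B's secret KB."""
    return hmac.new(kb, b"%d|%d" % (gb, ga), hashlib.sha256).digest()

def session_key(shared):
    """K derived from g^ab (ASSUMPTION: plain SHA-256 of the shared group element)."""
    return hashlib.sha256(b"%d" % shared).digest()

class Responder:
    """B.  One secret KB and one exponent b serve every message 1 that arrives, so
    message 2 costs one HMAC and allocates nothing per initiator."""
    def __init__(self):
        self.kb = secrets.token_bytes(32)
        self.b = secrets.randbelow(P - 3) + 2
        self.gb = pow(G, self.b, P)
        self.sessions = {}          # filled only after a valid message 3

    def msg2(self, ga, a_id):
        # B -> A: g^b, hash_KB{g^b, g^a}   -- nothing is stored for a_id
        return self.gb, cookie(self.kb, self.gb, ga)

    def msg3(self, ga, gb, ck, a_id):
        # A -> B: g^a, g^b, hash_KB{g^b, g^a} (E_K{sig_A{...}} not modelled here)
        # Constant-time cookie check first; the expensive exponentiation only afterwards.
        if gb != self.gb or not hmac.compare_digest(ck, cookie(self.kb, gb, ga)):
            return None             # forged, stale or mismatched cookie: drop
        key = session_key(pow(ga, self.b, P))
        self.sessions[a_id] = key
        return key

class Initiator:
    """A.  Chooses a, sends g^a, and must echo g^b and the cookie unchanged."""
    def __init__(self, name):
        self.name = name
        self.a = secrets.randbelow(P - 3) + 2
        self.ga = pow(G, self.a, P)

    def msg1(self):
        return self.ga, self.name                 # A -> B: g^a, A

    def msg3(self, gb, ck):
        return self.ga, gb, ck, self.name         # A -> B: g^a, g^b, hash_KB{g^b, g^a}

    def key(self, gb):
        return session_key(pow(gb, self.a, P))

def run(initiator, responder):
    """Honest exchange; returns (key computed by B, key computed by A)."""
    ga, a_id = initiator.msg1()
    gb, ck = responder.msg2(ga, a_id)
    return responder.msg3(*initiator.msg3(gb, ck)), initiator.key(gb)

def flood(responder, count):
    """count message-1s from addresses that never answer; returns sessions B recorded."""
    for i in range(count):
        responder.msg2(pow(G, 3 + i, P), "spoofed-%d" % i)
    return len(responder.sessions)

if __name__ == "__main__":
    b, a = Responder(), Initiator("A")
    print("sessions after flood:", flood(b, 1000))
    kb_side, ka_side = run(a, b)
    print("keys agree:", kb_side == ka_side)
```

The property to notice is the one slide 34 adds to slide 33: an initiator who spoofs its source address never gets B to store state or exponentiate, because it never sees message 2 and so cannot return a valid cookie, while the cookie is bound to g^a, so one legitimately obtained cookie cannot be reused with a different g^a.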
Slide 35: STS Family Derivation
Same figure as slide 17: base m = g^x, n = g^y, k = g^xy; nodes STS_0, STS_0H, STS_a, STS_aH, STS_H, STS_PH, STS_P, JFK_0, JFK_1, JFKi, JFKr; edges labelled distribute certificates, cookie, open responder, symmetric hash, protect identities.
Properties: certificates from CA; shared secret g^ab; identity protection; DoS protection; reverse ID protection.

Slide 36: Protocol logic (implicit intruder method)
- Alice's information: protocol; private data; sends and receives
Figure: honest principals and attacker; each principal has a protocol, private data, and send/receive actions.

Slide 37: Intuition
- Reason about local information
  - I chose a new number
  - I sent it out encrypted
  - I received it decrypted
  - Therefore: someone decrypted it
- Incorporate knowledge about protocol
  - Protocol: server only sends m if it got m'
  - If server not corrupt and I receive m signed by server, then server received m'

Slide 38: Execution Model
- Protocol: "program" for each protocol role
- Initial configuration: set of principals and keys; assignment of one role to each principal
- Run (figure): A: new x; send {x}_B.  B: receive {x}_B; receive {z}_B.  C: new z; send {z}_B.  A position in the run is a point on one of these threads.

Slide 39: Formulas true at a position in run
- Action formulas: a ::= Send(P, m) | Receive(P, m) | New(P, t) | Decrypt(P, t) | Verify(P, t)
- Formulas: φ ::= a | Has(P, t) | Fresh(P, t) | Honest(N) | Contains(t_1, t_2) | ¬φ | φ_1 ∧ φ_2 | ∃x.φ | ◇φ | ⊖φ
- Example: After(a, b) = ◇(b ∧ ⊖◇a)

Slide 40: Modal Formulas
- After actions, postcondition: [actions]_P φ, where P = (principal, role id)
- Before/after assertions: θ [actions]_P φ
- Composition rule: from θ [S]_P φ and φ [T]_P ψ infer θ [ST]_P ψ. Note: same P in all formulas.
Slide 41: Proof System
- Sample axioms
  - Reasoning about knowledge:
    - Has(A, enc_X{m}) ∧ Has(A, K) ⊃ Has(A, m)
    - Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
  - Reasoning about crypto primitives:
    - Honest(X) ∧ Decrypt(Y, enc_X{m}) ⊃ X = Y
    - Honest(X) ∧ Verify(Y, sig_X{m}) ⊃ ∃m'. (Send(X, m') ∧ Contains(m', sig_X{m}))
- Inference rules: persistence rules, ...; honesty/invariance rule
- Soundness theorem: every provable formula is valid

Slide 42: Bidding conventions (motivation)
- Blackwood response to 4NT
  - 5♣: 0 or 4 aces
  - 5♦: 1 ace
  - 5♥: 2 aces
  - 5♠: 3 aces
- Reasoning: if my partner is following Blackwood, then if she bid 5♥, she must have 2 aces

Slide 43: Correctness of NSL
- Bob knows he's talking to Alice:
    [ recv encrypt(Key(B), A, m);            (msg1)
      new n;
      send encrypt(Key(A), m, B, n);
      recv encrypt(Key(B), n) ]_B            (msg3)
    Honest(A) ⊃ Csent(A, msg1) ∧ Csent(A, msg3)
  where Csent(A, ...) ≡ Created(A, ...) ∧ Sent(A, ...)

Slide 44: Composition Rules
- Prove assertions from invariants: Γ ⊢ [...]_P φ
- Invariant weakening rule: from Γ ⊢ [...]_P φ infer Γ ∪ Γ' ⊢ [...]_P φ
- Prove invariants from protocol: from Q ⊢ Γ and Q' ⊢ Γ infer Q ∘ Q' ⊢ Γ
- If combining protocols, extend assertions to combined invariants; use the honesty (invariant) rule to show that both protocols preserve the assumed invariants

Slide 45: Combining protocols (figure)
  DH:  Γ  = Honest(X) ⊃ ...     Γ  ⊢ Secrecy
  CR:  Γ' = Honest(X) ⊃ ...     Γ' ⊢ Authentication
  Γ ∪ Γ' ⊢ Secrecy and Γ ∪ Γ' ⊢ Authentication, hence Γ ∪ Γ' ⊢ Secrecy ∧ Authentication
  DH ∘ CR = ISO, and ISO ⊢ Γ ∪ Γ'
Slide 46: Protocol Templates
- Protocols with function variables instead of specific operations; one template can be instantiated to many protocols
- Advantages: proof reuse; design principles/patterns

Slide 47: Example
Challenge-Response Template:
    A -> B: m
    B -> A: n, F(B, A, n, m)
    A -> B: G(A, B, n, m)
Instantiations (abstraction upward, instantiation downward):
  ISO-9798-2:  A -> B: m;  B -> A: n, E_KAB(n, m, B);  A -> B: E_KAB(n, m)
  ISO-9798-3:  A -> B: m;  B -> A: n, sig_B(n, m, A);   A -> B: sig_A(n, m, B)
  SKID3:       A -> B: m;  B -> A: n, H_KAB(n, m, B);   A -> B: H_KAB(n, m, A)

Slide 48: Proof Structure
Figure: template axiom + hypothesis -> instance; discharge hypothesis.

Slide 49: Sample projects using this method
- Key exchange: STS family, JFK, IKEv2; Diffie-Hellman -> MQV; GDOI [Meadows, Pavlovic]
- Work in progress: SSL verification; wireless 802.11i

Slide 50: Symbolic vs Computational model
- Suppose Γ ⊢ [actions]_X φ: if a protocol P satisfies invariants Γ, then if X does actions, φ will be true
- Symbolic soundness: no idealized adversary acting against "perfect" cryptography can make φ fail
- Computational soundness: no probabilistic polytime adversary can make φ fail with nonnegligible probability

Slide 51: Conclusions
- Security protocols: subtle, critical, prone to error
- Analysis methods
  - Model checking
    - Practically useful; brute force is a good thing
    - Limitation: finds errors in small configurations
  - Protocol derivation
    - Systematic development of certain classes of protocols
  - Proof methods
    - Time-consuming to use general logics
    - Special-purpose logics can be sound, useful
  - Cryptographic foundations
    - Scientific challenge; currently hot area

Slide 52: Collaborators on work described
- Former and current students: Vitaly Shmatikov, Ulrich Stern, Nancy Durgin, Anupam Datta, Ante Derek, Ajith Ramanathan, Changhua He, ...
- Outside Stanford: Andre Scedrov (U Penn), Patrick Lincoln (SRI), Dusko Pavlovic (Kestrel)