Tools to Analyze Security Protocols

Protocol Analyzers…

… looking for flaws


Formal Analysis

General solutions:

  • encode problem of a security protocol analysis as a problem in a logic

  • adapt a „standard“ theorem prover for logic to the problem

    Examples:

  • Propositional logic:

    • State based modeling, model checking (e.g. Millen, Meadows)

    • formalisation as (finite) state machines

  • Higher-order logic:

    • Algebraic Modeling, inductive theorem proving (e.g. Paulson)

    • formalisation as abstract data types


Formal Analysis

Specific solutions:

  • develop specialized logics, programs and / or (meta-)theories on the analysis of security protocols

    Examples:

  • BAN-like logics based on modal logics

    • reasoning about the beliefs of principals

  • On-The-Fly-Model Checking (Basin et al.)

    • lazy and symbolic enumeration of the search space

  • Strand Spaces (Guttman, Thayer)

    • reasoning about the interaction of principals


Model Checking – Symbolic Lazy Evaluation

  • Efficient analysis of a finite state problem

  • However, security protocols have infinitely many states:

    • arbitrary number of principals

    • arbitrary number of protocol runs

    • arbitrary size of messages (generated by the attacker)

  • Some (easy) solutions:

    • restrict number of principals

    • restrict number of protocol runs

    • combine different states into a single state, e.g. congruences, laziness


On-the-fly-model-checker OFMC

  • Lazy and intelligent enumeration of the search space

  • Search space as a tree.

  • Each node is a trace of the protocol and continues the trace of the predecessor node.

  • Lazy computation is done in Haskell

  • Based on D. Basin's work on Lazy Infinite-State Analysis of Security Protocols (1999)

  • Part of the AVISPA-toolset (www.avispa-project.org)


General Approach

  • Enumeration of all possible traces using rules from R (including actions of the attacker)

  • Searching for attack states

S1 (length = 1)

⋃_{S ∈ S1} ⋃_{r ∈ R} stepr(S)

S2 (length = 2)

⋃_{S ∈ S2} ⋃_{r ∈ R} stepr(S)

S3 (length = 3)

⋃_{S ∈ S3} ⋃_{r ∈ R} stepr(S)


Protocol Descriptions

  • Attacker is the network: all messages are sent to or received from the attacker

  • Rules of the form: ⟨ ⟨received message⟩ × ⟨actual state⟩ × ⟨pos. facts⟩ × ⟨neg. facts⟩ ⟩ ⇒ ⟨ ⟨next message⟩ × ⟨next state⟩ × ⟨new facts⟩ ⟩

  • e.g.

    ⟨ {A, NA}KB , state(roleB, step1, A, B), ∅, ¬seen(B, NA) ⟩ ⇒ ⟨ {NA, NB}KA , state(roleB, step2, A, B), {seen(B, NA)} ⟩

    (one step: from the received message to the next message)


Examples of States and Knowledge

  • msg(m) : messages

    {A, NA}KB , {NA, NB}KA , … start, finished (as dummy messages)

  • state(m): identifying the actual state of principals

    state(roleA, step0, A, B),

    state(roleB, step2, A, B, NA, NB),

  • P1, P2: positive facts, knowledge of the attacker

    i_knows(NA) : „intruder knows NA“,

    secret(M, A) : „M is secret and only known to A“

    seen(A, NB) : „A has seen the message NB“ …

  • N : negative facts:

    ¬seen(A, NB) : „A has not seen the message NB“


Modeling the Attacker - Dolev-Yao

What an attacker can deduce DY(M) from a message M:

  • GAxiom: from m ∈ M infer m ∈ DY(M)

  • GPair: from m1 ∈ DY(M) and m2 ∈ DY(M) infer m1, m2 ∈ DY(M)

  • APair: from m1, m2 ∈ DY(M) infer mi ∈ DY(M)

  • Gscrypt: from m1 ∈ DY(M) and m2 ∈ DY(M) infer {m2}m1 ∈ DY(M)

  • Ascrypt: from {m}k ∈ DY(M) and k ∈ DY(M) infer m ∈ DY(M)

from D. Basin et al.: OFMC


Terms, Matching, Unification

[Figure: term trees of {NA, NB}KA and { X }KA, with X a variable]

Matching of { X }KA with {NA, NB}KA yields: { X ← NA, NB }

[Figure: term trees of {Y, NB}KA and {NA, X}KA]

Unification of {NA, X }KA with {Y, NB}KA yields: { Y ← NA, X ← NB }
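
The two results above can be reproduced with a small unifier over term trees. This is an added example, not code from the presentation or from OFMC; the names Var, pair, crypt, unify and match are chosen here for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Var:
    """A variable such as X or Y; atoms like "NA" are plain strings."""
    name: str

def pair(a, b):
    return ("pair", a, b)

def crypt(key, body):
    return ("crypt", key, body)          # written {body}key on the slide

def walk(t, s):
    """Follow the bindings of substitution s until t is no bound variable."""
    while isinstance(t, Var) and t in s:
        t = s[t]
    return t

def occurs(v, t, s):
    """Occurs check: binding v to a term containing v has no finite solution."""
    t = walk(t, s)
    return t == v or (isinstance(t, tuple) and any(occurs(v, a, s) for a in t[1:]))

def unify(a, b, s=None):
    """Most general unifier of a and b as a dict {Var: term}, or None."""
    s = {} if s is None else s
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if isinstance(a, Var):
        return None if occurs(a, b, s) else {**s, a: b}
    if isinstance(b, Var):
        return None if occurs(b, a, s) else {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0]:
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None   # different atoms or constructors never unify (free algebra)

def is_ground(t):
    return not isinstance(t, Var) and (
        not isinstance(t, tuple) or all(is_ground(a) for a in t[1:]))

def match(pattern, term):
    """Matching: unification of a pattern against a variable-free term."""
    if not is_ground(term):
        raise ValueError("match() expects a ground term")
    return unify(pattern, term)

X, Y = Var("X"), Var("Y")
# The two cases from the slide
MATCH_RESULT = match(crypt("KA", X), crypt("KA", pair("NA", "NB")))
UNIFY_RESULT = unify(crypt("KA", pair("NA", X)), crypt("KA", pair(Y, "NB")))
```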


State Transitions

Rule r:

msg(m1) . state(m2) . P1 . N1 ∧ Cond ⇒ state(m3) . msg(m4) . P2

Let P‘1 = P1 \ {f | ∃ m . f = i_knows(m) }

Successor state of S wrt. r (monotone with respect to the knowledge of the attacker):

stepr (S) = { S‘ | 9 .  „applicable“ on LHS(r) and S Æ

S‘ = (S \ (state((m2)) [(P‘1))

[ state((m3)) [ i_knows((m4)) [(P2) }

All possible successor states in S wrt. a set of rules R:

succR(S) = ⋃_{r ∈ R} stepr(S)


Application of Rules

  • a rule models the generation of a message by the attacker and its response by an honest principal

  • Let msg(m1) . state(m2) . P1 . N1 ∧ Cond ⇒ …

  • applicabler (S) = {  | {(m1) } [ {(m) | i_knows(m) 2 P1} µ DY({m | i_knows(m) 2 S})

    Æ { state((m1)) } [(P‘1) µ S

    Æ 8 p . :p 2 N1!(p)  S

    Æ² Cond

    Æ ground()

    Æ dom() = Vars(m1) [ Vars(m2) [ Vars(P1) [ Vars(N1)

    }


Modeling the Success of a Protocol

Definition of attack-condition:

  • condition under which an attack is successful

  • syntactical form of the left hand side of a rule:

    ar = msg(m1) . state(m2) . P1 . N1 ∧ Cond

  • Example: secret(M, {A, B} ), i_knows(M), ¬secret(M, i)

  • State S is an attack iff ar is „applicable“ in S.

  • Protocol is secure iff for all reachable states S and all attack conditions ar: ar is not „applicable“ in S.


Modeling the Attacker Knowledge

Problem of applicability condition:

  • … {(m1) } [ {(m) | i_knows(m) 2 P1} µ DY({m | i_knows(m) 2 S}) …

  • i.e. attacker can generate arbitrary messages from his knowledge

  • huge set of possible messages

    Lazy attacker messages:

  • specify attacker messages containing variables

    and instantiate variables „on the fly“

    Define possible substitutions  such that (T) can be synthesized from (IK) :

    from(T a IK) denotes set of ground substitutions  such that

    •  is ground

    • (T) [(IK) is ground

    • (T) µ DY((IK))


Constraint Sets

  • «from(T a IK)¬ = { | ground() Æ ground((T), (IK)) Æ(T) µ DY((IK)) }

  • «c1, … cn¬ =Åi= 1,…,n«ci¬

  • (C, ) `r (C‘, ‘) iff r

  • C‘ is simple iff it contains only „from(T a IK)“ elements with a variable as T

  • Let ` be the transitive closure of all `r for constraint reduction rules r

  • Red(C) = { (C‘, ‘) | ((C, id) ` (C‘, )) Æ simple(C‘) }

  • A simple C‘ is trivially solvable

  • Theorem: «C¬ = «Red(C)¬ , Red(C) is finite and ` well founded

C‘, ‘

C, 


Constraint Reduction Rules CRR

from(m1[ m2[ T a IK) [ C,  from(m1[ m2[ T a IK) [ C, 

from(m1,m2[ T a IK) [ C,  from( {m2}m1[ T a IK) [ C, 

(from(T a m2[ IK) [ C),  .

from(m1[ T a m2[ IK) [ C, 

from(k a IK) [ from(T a m [ {m}k[ IK) [ C, 

from(T a {m}k[ IK) [ C, 

from(T a m1[ m2[ m1,m2[ T, IK) [ C, 

from(T a m1,m2[ IK) [ C, 

Gscrypt

GPair

Gunif

= mgu(m1, m2), m1 V

Ascrypt

APair

from D. Basin et al.: OFMC


Lazy Steps

S = (P, C, N) : P : positive facts, N : CNF of inequalities, C a constraint set.

(P, C, N) denotes all states (P) with 2«C¬ and ² N

Let r = msg(m1) . state(m2) . P1 . N1 ∧ Cond ⇒ …

Lazy application of steps:

  • stepr ( (P, C, N) ) =

    { (P‘, C‘, N‘) | 9 :

    ( , C‘, N‘) 2 applicabler (P, C, N)

    Æ P‘ = (P) \ state((m2))

    [(P‘1) ) [(P2)

    [ state((m3)) [ i_knows((m4))


Lazy States and Rule Applications

S = (P, C, N) : P : positive facts, N : CNF of inequalities, C a constraint set.

(P, C, N) denotes all states (P) with 2«C¬ and ² N

Let r = msg(m1) . state(m2) . P1 . N1 ∧ Cond ⇒ …

applicabler ( (P, C, N) ) = { (, C‘, N‘) | {(m1) } [ {(m) | i_knows(m) 2 P1} µ DY({m | i_knows(m) 2 S})

Æ { state((m2)) } [(P‘1) µ (P)

Æ dom() µ Vars(m1) [ Vars(m2) [ Vars(P1) [ Vars(N1) [ Vars(P, C, N)

Æ C‘ = ( C [ from(m1[ {m | i_knows(m) 2 P1}a {i | i_knows(i) 2 P } )

Æ N‘ = (N) Æ(Cond)

Æ SubCond( (N1), (P) ) }

SubCond( N, P ) = Æ ( { Çi = 1..n vi ti | : t 2 N, t’ 2 P, mgu(t, t’) = {v1! t1 ,…,v1! t1} })


Strand Spaces

  • Framework on security protocols

    • exploring the structure of a protocol,

    • exploring the possible combination of local runs (at the principals) of a protocol to a common protocol

  • Based on the Dolev-Yao model

  • Developed by: Joshua Guttman, Jonathan C. Herzog, F. Javier Thayer (1998)

  • Implemented in the Athena system


The Idea

[Figure: penetrator strands and regular strands; attacker protocol and intended protocol]


Strands as Local Views of Principals

  • Strand represents sequence of signed messages ±m

  • „+“ means principal sends this message

  • „-“ means principal receives this message

A‘s view of the protocol:

  • { A, NA }KB

  • { NA , NB }KA

  • { NB }KB

A‘s (trace of his) strand:

  • + { A, NA }KB

  • - { NA , NB }KA

  • + { NB }KB


What are Messages?

Set M of messages are terms consisting of:

  • Atomic messages MA (like nonces, names…)

  • Set K of cryptographic keys with K ∩ MA = ∅ and an injective function inv: K → K with inv(K) abbreviated as K-1

  • Binary operators

    • crypt : K × M → M with crypt(K, x) abbreviated as: { x }K

    • pair : M × M → M with pair(x, y) abbreviated as: x, y

  • Freeness axioms:

    • { m }K = { m‘ }K‘ ⇒ m = m‘ ∧ K = K‘

    • m0, m1 = m‘0, m‘1 ⇒ m0 = m‘0 ∧ m1 = m‘1

    • pair(m, m‘)  crypt(K, m‘‘), …


Strand Space

  • A strand space is a collection of strands

  • Given a set of messages M, a strand space is a set  with a trace mapping: tr : ! (±M)*

  • e.g.  = { A, B}, tr(A) = h+{ A, NA }KB , -{ NA , NB } KA , +{NB } KB i

[Figure: the two strands, node by node]

  + { A, NA }KB      - { A, NA }KB

  - { NA , NB }KA    + { NA, NB }KA

  + { NB }KB         - { NB }KB


Originating Messages

  • Submessage: m ⊑ m and m ⊑ m1, m2 iff m ⊑ m1 or m ⊑ m2 and m ⊑ { m’ }K iff m ⊑ m‘

  • A node n is an entry point for a set of messages Miff n = h + t i for some t 2 M and n’ )* n implies n’  M

  • A term t originates on a node n of a strand s iff n is an entry point for { t‘ : t ⊑ t‘ }, i.e. n is positive and is the first node of s that contains t.

  • A term t is uniquely originating iff t originates on a unique node


Modeling the Penetrator

  • The penetrator participates in protocols via penetrator strands

  • Penetrator strands reflect the potentials of the penetrator

Penetrator strands:

  • Text M: + T (T ∈ MA)

  • Flush G: - X

  • Tee T: - X, + X, + X

  • Concatenation C: - X, - Y, + X, Y


Modeling the Penetrator II

… more penetrator strands:

  • Separation S: - X, Y, + X, + Y

  • Key K: + K (K ∈ Kp)

  • Encryption E: - K, - X, + { X }K

  • Decryption D: - K-1, - { X }K, + X


Penetrator‘s Work – An Example

Breaking into Needham-Schroeder protocol

  • Key K: + Kp-1

  • Decryption D: - Kp-1, - { NA, A }Kp, + NA, A

  • Key K: + KB

  • Encryption E: - KB, - NA, A, + { NA, A }KB
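
The Dolev-Yao rules (GAxiom to Ascrypt) and the penetrator strands C, S, E and D describe the same attacker capabilities, and the sketch below replays the decryption and re-encryption step above with them. It is an added example, not part of the presentation or of OFMC or Athena; the pk/sk key encoding and all function names are assumptions made here.

```python
def pair(a, b):
    return ("pair", a, b)

def crypt(key, body):
    return ("crypt", key, body)            # {body}key

def inv(key):
    """K-1: ("pk", A) and ("sk", A) are inverses; other keys are symmetric."""
    if isinstance(key, tuple) and key[0] in ("pk", "sk"):
        return ("sk" if key[0] == "pk" else "pk", key[1])
    return key

def synth(t, known):
    """Generation (GAxiom, GPair, Gscrypt / strands C, E): build t from known."""
    if t in known:
        return True
    if isinstance(t, tuple) and t[0] in ("pair", "crypt"):
        return synth(t[1], known) and synth(t[2], known)
    return False

def analyze(msgs):
    """Analysis (APair, Ascrypt / strands S, D): split pairs, decrypt with K-1."""
    known = set(msgs)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if isinstance(t, tuple) and t[0] == "pair":
                parts = {t[1], t[2]}
            elif isinstance(t, tuple) and t[0] == "crypt" and synth(inv(t[1]), known):
                parts = {t[2]}
            else:
                continue
            if not parts <= known:
                known |= parts
                changed = True
    return known

def dy_derivable(t, msgs):
    """True iff t is in DY(msgs)."""
    return synth(t, analyze(msgs))

# Constructed sample: penetrator P with its own key pair and the public keys
KP, KP_INV, KA, KB = ("pk", "P"), ("sk", "P"), ("pk", "A"), ("pk", "B")
INTERCEPTED = crypt(KP, pair("NA", "A"))          # - { NA, A }Kp
KNOWLEDGE = {"A", "B", "P", KP, KP_INV, KA, KB, INTERCEPTED}
REENCRYPTED = crypt(KB, pair("NA", "A"))          # + { NA, A }KB
```

A message encrypted under KA stays opaque to the penetrator in this model, because Kp-1 is the only private key in its knowledge.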


Composing Strands to Bundles

[Figure: penetrator strands and regular strands; attacker protocol and intended protocol]


Rules for Composing the Jigsaw

Technical restrictions:

  • Every received message has been sent from somewhere

  • If a node n (on a strand s) occurs in the jigsaw then all its predecessors on s occur also

    Semantic restrictions:

  • Composition complies with the uniquely originating property!

    • i.e. no guess of keys or nonces by the penetrator


Bundles as Composition of Strands

A bundle B is an acyclic subgraph ⟨NB, (→B ∪ ⇒B)⟩

  • if ⟨- m⟩ ∈ NB then there is a unique ⟨+ m⟩ ∈ NB with: ⟨+ m⟩ →B ⟨- m⟩

  • if n2 ∈ NB and n1 ⇒ n2 then n1 ⇒B n2

  • ≼B is the reflexive and transitive closure of (→B ∪ ⇒B)

    Properties:

  • ≼B is a well-founded partial order, any non-empty set has ≼B-minimal members

  • if B is a bundle and  a replacement, then ( B ) is also a bundle

  • height of a strand s in B is the number of nodes of s in B


The Bundle: An Example

[Figure: the bundle, one row per message]

  + { A, NA }KB → - { A, NA }KB

  - { NA , NB }KA ← + { NA, NB }KA

  + { NB }KB → - { NB }KB

Examples of ≼B :

  • + { A, NA }KB ≼B - { A, NA }KB ≼B + { NA, NB }KA ≼B - { NA , NB }KA

  • + { NA, NB }KA ≼B - { NB }KB

  • + { NB }KB ≼B - { NB }KB
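
The bundle conditions (a unique sender for every received message, predecessor closure on each strand, acyclicity) and the order ≼B can be checked mechanically on the bundle above. This is an added example, not code from the presentation or from Athena; the node encoding (strand name, index) and all function names are assumptions made here.

```python
def sign(strands, node):
    return strands[node[0]][node[1]][0]

def term(strands, node):
    return strands[node[0]][node[1]][1]

def edges(nodes, comm):
    """-> edges (communication) plus => edges (next node on the same strand)."""
    return list(comm) + [((s, i), (s, i + 1)) for (s, i) in nodes if (s, i + 1) in nodes]

def reachable(start, edge_list):
    """All n with start ≼ n: reflexive-transitive closure of the edges."""
    seen, todo = {start}, [start]
    while todo:
        cur = todo.pop()
        for a, b in edge_list:
            if a == cur and b not in seen:
                seen.add(b)
                todo.append(b)
    return seen

def precedes(n1, n2, nodes, comm):
    return n2 in reachable(n1, edges(nodes, comm))

def check_bundle(strands, nodes, comm):
    """Return the violated bundle conditions; an empty list means a bundle."""
    errors = []
    for (s, i) in sorted(nodes):
        if i > 0 and (s, i - 1) not in nodes:
            errors.append(f"{s}{i}: predecessor on the strand is missing")
    senders = {n: 0 for n in nodes if sign(strands, n) == "-"}
    for src, dst in comm:
        if (src in nodes and dst in senders and sign(strands, src) == "+"
                and term(strands, src) == term(strands, dst)):
            senders[dst] += 1
        else:
            errors.append(f"{src} -> {dst}: not a send/receive of the same message")
    errors += [f"{s}{i}: received message has {c} senders"
               for (s, i), c in sorted(senders.items()) if c != 1]
    all_edges = edges(nodes, comm)
    if any(a in reachable(b, all_edges) for a, b in all_edges):
        errors.append("graph is cyclic")
    return errors

# Constructed sample: the bundle from the slide, terms kept as opaque strings
STRANDS = {
    "A": [("+", "{A,NA}KB"), ("-", "{NA,NB}KA"), ("+", "{NB}KB")],
    "B": [("-", "{A,NA}KB"), ("+", "{NA,NB}KA"), ("-", "{NB}KB")],
}
NODES = {(s, i) for s in STRANDS for i in range(3)}
COMM = [(("A", 0), ("B", 0)), (("B", 1), ("A", 1)), (("A", 2), ("B", 2))]
```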


Some Properties of Bundles B

Lemma:

Let S ⊂ B with ∀ n‘, n‘‘ : |n‘| = |n‘‘| implies n‘ ∈ S iff n‘‘ ∈ S. Then, if n is a ≼B-minimal member of S then n is positive.

Lemma:

Let t ∈ M and S = { m ∈ B | t ⊑ m }. Let n ∈ B be a ≼B-minimal element of S. Then, t originates on n.

Lemma:

Let K ∈ K \ Kp. If K never originates on a regular node, then K ⋢ n for all n ∈ B

i.e. for all penetrator nodes p ∈ B holds: K ⋢ p.


Needham-Schroeder-Lowe (NSL - Space)

NSL space (i.e. strand space) consists of:

  • Penetrator strands s ∈ P

  • Initiator strands: s ∈ Init[ A, B, NA, NB ]

    tr(s) = ⟨ +{ A, NA }KB , -{ NA , NB, B }KA , +{ NB }KB ⟩

  • Responder strands: s ∈ Resp[ A, B, NA, NB ]

    tr(s) = ⟨ -{ A, NA }KB , +{ NA , NB, B }KA , -{ NB }KB ⟩

  • with „parameters“: A, B, NA, NB ∈ MA


Proving Properties of NSL - Space

Suppose:

  • Let B be a bundle in the NSL-space and s be a responder strand in Resp[A, B, NA, NB] with height 3.

  • KA-1Kp

  • NA NB and NB is uniquely originating in the NSL-space.

    Then: B contains t ∈ Init[A, B, NA, NB] with height 3.


Proof Sketch

Lemma: NB originates at n1

Lemma: S = { n ∈ B | NB ⊑ n ∧ n1 ⋢ n } has a minimal element n“ that is regular and positive

Lemma: ∃ n‘ : n‘ ⇒* n“ and n‘ = - {NA, NB, B}KA

Lemma: Since n‘= - {NA, NB, B}KA and n“ = + {NB}KB , they are both part of an Init[A, B, NA, NB] strand

Theorem: If  is an NSL-Space and NA is uniquely originating in  then there is at most one strand s 2 Init[A, B, NA, NB] for any A, B, NB


NSL – Space – Lemmata (I)

Lemma:

NB originates at n1

Proof:

  • by Definition holds NB ⊑ n1;

  • n1 is positive and

  • NA NB (by assumption) and NB A (by the types of both).

  • Thus: NB ⋢ n0

[Figure: responder strand n0: - { A, NA }KB, n1: + {NA, NB, B}KA, n2: - {NB}KB]


NSL – Space – Lemmata (II)

[Figure: responder strand n0: - { A, NA }KB, n1: + {NA, NB, B}KA, n2: - {NB}KB]

Lemma:

S = {n ∈ B | NB ⊑ n ∧ n1 ⋢ n } has a ≼B-minimal element n“ that is regular and positive

Proof:

  • Since NB ⊑ n2 ∈ B but n1 ⋢ n2 : S is non empty.

  • Hence, S has at least one ≼B-minimal, positive element n“.

  • Assumption that n“ is on a penetrator strand results in a contradiction. Case analysis on all penetrator strands


NSL – Space – Lemmata (III)

[Figure: responder strand n0: - { A, NA }KB, n1: + {NA, NB, B}KA, n2: - {NB}KB, and nodes n‘ and n“]

Let n“ be a ≼B-minimal element of S = {n ∈ B | NB ⊑ n ∧ n1 ⋢ n } that is on a regular strand and is positive

Lemma:

∃ n‘ with n‘ ⇒* n“ and n‘ = - {NA, NB, B}KA

Proof:

  • NB originates uniquely at n1.

  • n“  n1 because n1⋢ n“.

  • Thus, NB does not originate in n“ and ∃ n‘: NB ⊑ n‘.

  • By minimality: n‘ = - {NA, NB, B} KA

    Lemma:

    The strand of n‘ and n“ is an initiator strand and contained in B

    Proof: Exercise.


NSL-Space Lemmata (IV)

Lemma:

Since the strand of n‘ = - {NA, NB, B}KA and n“ = + {NB}KB is an initiator strand s, we know that s ∈ Init[A, B, NA, NB]

Theorem:

If  is an NSL-Space and NA is uniquely originating in  then

there is at most one strand s ∈ Init[A, B, NA, NB] for any A, B, NB

Proof:

  • if s ∈ Init[A, B, NA, NB] for any A, B, NB then the first node n1 of s is positive.

  • NA ∈ n1 and obviously NA originates on n1

  • Since NA is uniquely originating in  there is only one s of this type


Analysis of the Insights

Why does this proof fail when using the original Needham-Schroeder protocol?

  • We could prove:

    Let n‘‘ be a ≼B-minimal element of S = {n ∈ B | NB ⊑ n ∧ n1 ⋢ n } that is on a regular strand and is positive

    Lemma: ∃ n‘ with n‘ ⇒* n‘‘ and n‘ = + {NA, NB}KA

  • But we fail to prove:

    Lemma:

    Since the strand of n‘ = - {NA, NB}KA and n‘‘ = + {NB}KC is an initiator strand s, we know that s ∈ Init[A, B, NA, NB]

    we only know that s 2 Init[A, C, NA, NB] for some C !!!


Authentication Tests

  • Authentication of a principal is done by forcing the principal to apply his secret key

  • Typically:

    • decryption: { m }K … …m…

    • signing: …m… … { m }K-1

  • Precondition: nobody can learn about the secret key K-1

  • K-1 ∈ Prot( B ) : K-1 occurs in the bundle only inside encryptions : {… K-1…}K‘

    Notice: K occurs in { t }K only if K occurs in t !


Outgoing Authentication Test

[Figure: nodes n1: + …{ m }K…, n‘, n‘‘ and nm: - …m…; annotation: knowledge of K-1]

Let S ⊂ { { t }K | K-1 ∈ Prot( B ) }

Suppose a message m

  • originates uniquely in B at n1 and

  • occurs only within S in n1

  • but occurs in some node nm ∈ B outside S

    then

  • there is a regular strand s with a positive node n‘‘ such that m occurs outside S for the first time in S and

  • there is a node n‘ preceding n‘‘ on s such that m ⊑ n‘‘.


Incoming Authentication Test

[Figure: nodes n1: + …m…, n‘, n‘‘ and nm: - …{ m }K…; annotation: knowledge of K]

Suppose a message { m }K

  • occurs within a negative node nm

  • K ∈ Prot( B )

  • m originates outside { m }K at a node n1

    then

  • there is a regular strand s with a positive node n‘‘ such that m occurs outside { m }K in n‘‘

  • n1 ≼B n‘ ⇒+ n‘‘ ≺B nm with m‘ ⊑ n‘. (Solicited Incoming Test)


