## Tools to Analyze Security Protocols


Formal Analysis

General solutions:

- encode problem of a security protocol analysis as a problem in a logic
- adapt a „standard“ theorem prover for logic to the problem

Examples:

- Propositional logic:
  - State based modeling, model checking (e.g. Millen, Meadows)
  - formalisation as (finite) state machines
- Higher-order logic:
  - Algebraic Modeling, inductive theorem proving (e.g. Paulson)
  - formalisation as abstract data types

Formal Analysis

Specific solutions:

- develop specialized logics, programs and / or (meta-)theories on the analysis of security protocols

Examples:

- BAN-like logics based on modal logics
  - reasoning about the beliefs of principals
- On-The-Fly-Model Checking (Basin et al.)
  - lazy and symbolic enumeration of the search space
- Strand Spaces (Guttman, Thayer)
  - reasoning about the interaction of principals

Model Checking – Symbolic Lazy Evaluation

- Efficient analysis of a finite state problem
- However, security protocols have infinitely many states:
  - arbitrary number of principals
  - arbitrary number of protocol runs
  - arbitrary size of messages (generated by the attacker)
- Some (easy) solutions:
  - restrict number of principals
  - restrict number of protocol runs
  - combine different states into a single state, e.g. congruences, laziness

On-the-fly model checker OFMC

- Lazy and intelligent enumeration of the search space
- Search space as a tree.
- Each node is a trace of the protocol and continues the trace of the predecessor node.
- Lazy computation is done in Haskell
- Based on D. Basin's work on Lazy Infinite-State Analysis of Security Protocols (1999)
- Part of the AVISPA-toolset (www.avispa-project.org)

General Approach

- Enumeration of all possible traces using rules from R (including actions of the attacker)
- Searching for attack states

- S1 (length = 1); successors: ⋃_{S ∈ S1} ⋃_{r ∈ R} step_r(S)
- S2 (length = 2); successors: ⋃_{S ∈ S2} ⋃_{r ∈ R} step_r(S)
- S3 (length = 3); successors: ⋃_{S ∈ S3} ⋃_{r ∈ R} step_r(S)

Protocol Descriptions

- Attacker is the network: all messages are sent to or received from the attacker
- Rules of the form: ⟨ ⟨received message⟩ × ⟨actual state⟩ × ⟨pos. facts⟩ × ⟨neg. facts⟩ ⟩ ⇒ ⟨ ⟨next message⟩ × ⟨next state⟩ × ⟨new facts⟩ ⟩
- e.g.

⟨ {A, NA}KB , state(roleB, step1, A, B), Ø, ¬seen(B, NA) ⟩ ⇒ ⟨ {NA, NB}KA , state(roleB, step2, A, B), {seen(B, NA)} ⟩

One step: {A, NA}KB is the received message, {NA, NB}KA the next message.

Examples of States and Knowledge

- msg(m) : messages

{A, NA}KB , {NA, NB}KA , … start, finished (as dummy messages)

- state(m): identifying the actual state of principals

state(roleA, step0, A, B),

state(roleB, step2, A, B, NA, NB),

…

- P1, P2: positive facts, knowledge of the attacker

i_knows(NA) : „intruder knows NA“,

secret(M, A) : „M is secret and only known to A“

seen(A, NB) : „A has seen the message NB“ …

- N : negative facts:

¬seen(A, NB) : „A has not seen the message NB“

…

Modeling the Attacker - Dolev-Yao

What an attacker can deduce DY(M) from a message M:

- GAxiom: m ∈ M ⇒ m ∈ DY(M)
- GPair: m1 ∈ DY(M) and m2 ∈ DY(M) ⇒ the pair m1, m2 ∈ DY(M)
- APair: the pair m1, m2 ∈ DY(M) ⇒ mi ∈ DY(M)
- Gscrypt: m1 ∈ DY(M) and m2 ∈ DY(M) ⇒ {m2}m1 ∈ DY(M)
- Ascrypt: {m}k ∈ DY(M) and k ∈ DY(M) ⇒ m ∈ DY(M)

from D. Basin et al.: OFMC
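The five deduction rules above, as an added example (not code from the slides or from OFMC): a decision procedure for "goal ∈ DY(M)" that first closes the knowledge under the analysis rules and then checks synthesis. The tuple encoding of terms and the sample knowledge sets are assumptions of this sketch.

```python
# Term encoding (assumption of this sketch): atoms are strings,
# ("pair", m1, m2) is the pair m1, m2 and ("scrypt", k, m) is {m}k.

def synthesize(goal, known):
    """Can goal be composed from known with GAxiom, GPair, Gscrypt?"""
    if goal in known:                                   # GAxiom
        return True
    if isinstance(goal, tuple):                         # GPair / Gscrypt
        return synthesize(goal[1], known) and synthesize(goal[2], known)
    return False

def analyze(knowledge):
    """Close a set of terms under the analysis rules APair and Ascrypt."""
    known = set(knowledge)
    changed = True
    while changed:                                      # iterate to a fixpoint
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                parts = [t[1], t[2]]                    # APair
            elif t[0] == "scrypt" and synthesize(t[1], known):
                parts = [t[2]]                          # Ascrypt: key is derivable
            else:
                parts = []
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return known

def derivable(goal, knowledge):
    """True iff goal is in DY(knowledge)."""
    return synthesize(goal, analyze(knowledge))

# Constructed sample knowledge: the message {NA, NB}KA with and without KA.
MSG = ("scrypt", "KA", ("pair", "NA", "NB"))
WITH_KEY = {MSG, "KA", "KB"}
WITHOUT_KEY = {MSG, "KB"}
# Constructed sample with a composite key built from two known atoms.
COMPOSITE = {("scrypt", ("pair", "K1", "K2"), "S"), "K1", "K2"}
```

The explicit set DY(M) is infinite because of the composition rules, which is why the sketch only answers membership queries instead of enumerating it.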

Terms, Matching, Unification

(Figure: the terms {NA, NB}KA and { X }KA drawn as trees; X is a variable)

Matching of { X }KA with {NA, NB}KA yields: { X ← NA, NB }

(Figure: the terms {Y, NB}KA and {NA, X}KA drawn as trees)

Unification of {NA, X }KA with {Y, NB}KA yields: { Y ← NA, X ← NB }
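The two results above can be reproduced with a small unifier over message terms. This is an added example, not code from the slides; the tuple encoding and the "?" prefix for variables are assumptions of the sketch. Matching is the special case in which the second term contains no variables.

```python
# Term encoding (assumption of this sketch): atoms are strings, variables are
# strings starting with "?", ("pair", a, b) is a, b and ("scrypt", k, m) is {m}k.

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def walk(t, subst):
    """Follow bindings until t is a non-variable or an unbound variable."""
    while is_var(t) and t in subst:
        t = subst[t]
    return t

def occurs(v, t, subst):
    """Occurs check: does variable v appear in t under subst?"""
    t = walk(t, subst)
    if isinstance(t, tuple):
        return any(occurs(v, arg, subst) for arg in t[1:])
    return t == v

def unify(s, t):
    """Return a most general unifier of s and t as a dict, or None.
    Bindings may refer to other bound variables; use instantiate() to resolve."""
    subst, todo = {}, [(s, t)]
    while todo:
        a, b = todo.pop()
        a, b = walk(a, subst), walk(b, subst)
        if a == b:
            continue
        if is_var(b):
            a, b = b, a                      # keep the variable on the left
        if is_var(a):
            if occurs(a, b, subst):
                return None                  # X = f(X) has no finite solution
            subst[a] = b
        elif (isinstance(a, tuple) and isinstance(b, tuple)
              and a[0] == b[0] and len(a) == len(b)):
            todo.extend(zip(a[1:], b[1:]))   # same operator: unify arguments
        else:
            return None                      # clash of atoms or operators
    return subst

def instantiate(t, subst):
    """Apply subst to t, resolving chained bindings."""
    t = walk(t, subst)
    if isinstance(t, tuple):
        return (t[0],) + tuple(instantiate(arg, subst) for arg in t[1:])
    return t
```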

State Transitions

Rule r:

msg(m1) . state(m2) . P1 . N1 ∧ Cond ⇒ state(m3) . msg(m4) . P2

Let P‘1 = P1 \ {f | ∃ m . f = i_knows(m) }

Successor state of S wrt. r (monotone in the knowledge of the attacker):

step_r(S) = { S‘ | ∃ . „applicable“ on LHS(r) and S ∧ S‘ = (S \ (state((m2)) ∪ (P‘1)) ∪ state((m3)) ∪ i_knows((m4)) ∪ (P2) }

All possible successor states in S wrt. a set of rules R:

succ_R(S) = ⋃_{r ∈ R} step_r(S)

Application of Rules

- a rule models the generation of a message by the attacker and the response to it by an honest principal
- Let msg(m1) . state(m2) . P1 . N1 ∧ Cond ⇒ …
- applicable_r(S) = { | {(m1)} ∪ {(m) | i_knows(m) ∈ P1} ⊆ DY({m | i_knows(m) ∈ S})
  ∧ { state((m1)) } ∪ (P‘1) ⊆ S
  ∧ ∀ p . ¬p ∈ N1 → (p) S
  ∧ ⊨ Cond
  ∧ ground()
  ∧ dom() = Vars(m1) ∪ Vars(m2) ∪ Vars(P1) ∪ Vars(N1) }

Modeling the Success of a Protocol

Definition of attack-condition:

- condition under which an attack is successful
- syntactical form of the left hand side of a rule:

a_r = msg(m1) . state(m2) . P1 . N1 ∧ Cond

- Example: secret(M, {A, B} ), i_knows(M), ¬secret(M, i)
- State S is an attack iff a_r is „applicable“ in S.
- Protocol is secure iff for all reachable states S and all attack conditions a_r: a_r is not „applicable“ in S.

Modeling the Attacker Knowledge

Problem of applicability condition:

- … {(m1)} ∪ {(m) | i_knows(m) ∈ P1} ⊆ DY({m | i_knows(m) ∈ S}) …
- i.e. attacker can generate arbitrary message from his knowledge
- huge set of possible messages

Lazy attacker messages:

- specify attacker messages containing variables and instantiate variables „on the fly“

Define possible substitutions such that (T) can be synthesized from (IK):

from(T ⊣ IK) denotes set of ground substitutions such that

- is ground
- (T) ∪ (IK) is ground
- (T) ⊆ DY((IK))

Constraint Sets

- ⟦from(T ⊣ IK)⟧ = { | ground() ∧ ground((T), (IK)) ∧ (T) ⊆ DY((IK)) }
- ⟦c1, … cn⟧ = ⋂_{i = 1,…,n} ⟦ci⟧
- (C, ) ⊢_r (C‘, ‘) iff r has the form C‘, ‘ over C,
- C‘ is simple iff it contains only „from(T ⊣ IK)“ elements with a variable as T
- Let ⊢ be the transitive closure of all ⊢_r for constraint reduction rules r
- Red(C) = { (C‘, ‘) | ((C, id) ⊢ (C‘, )) ∧ simple(C‘) }
- A simple C‘ is trivially solvable
- Theorem: ⟦C⟧ = ⟦Red(C)⟧ , Red(C) is finite and ⊢ well founded

Constraint Reduction Rules CRR

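Each rule is given by the line written above the bar and the line written below it:

- GPair
  - above: from(m1 ∪ m2 ∪ T ⊣ IK) ∪ C,
  - below: from(m1,m2 ∪ T ⊣ IK) ∪ C,
- Gscrypt
  - above: from(m1 ∪ m2 ∪ T ⊣ IK) ∪ C,
  - below: from( {m2}m1 ∪ T ⊣ IK) ∪ C,
- Gunif, with = mgu(m1, m2), m1 V
  - above: (from(T ⊣ m2 ∪ IK) ∪ C), .
  - below: from(m1 ∪ T ⊣ m2 ∪ IK) ∪ C,
- Ascrypt
  - above: from(k ⊣ IK) ∪ from(T ⊣ m ∪ {m}k ∪ IK) ∪ C,
  - below: from(T ⊣ {m}k ∪ IK) ∪ C,
- APair
  - above: from(T ⊣ m1 ∪ m2 ∪ m1,m2 ∪ T, IK) ∪ C,
  - below: from(T ⊣ m1,m2 ∪ IK) ∪ C,

from D. Basin et al.: OFMC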

Lazy Steps

S = (P, C, N) : P : positive facts, N : CNF of inequalities, C a constraint set.

(P, C, N) denotes all states (P) with ∈ ⟦C⟧ and ⊨ N

Let r = msg(m1) . state(m2) . P1 . N1 ∧ Cond ⇒ …

Lazy application of steps:

- step_r( (P, C, N) ) = { (P‘, C‘, N‘) | ∃ : ( , C‘, N‘) ∈ applicable_r(P, C, N) ∧ P‘ = (P) \ state((m2)) ∪ (P‘1) ) ∪ (P2) ∪ state((m3)) ∪ i_knows((m4))

Lazy States and Rule Applications

S = (P, C, N) : P : positive facts, N : CNF of inequalities, C a constraint set.

(P, C, N) denotes all states (P) with ∈ ⟦C⟧ and ⊨ N

Let r = msg(m1) . state(m2) . P1 . N1 ∧ Cond ⇒ …

applicable_r( (P, C, N) ) = { (, C‘, N‘) | {(m1)} ∪ {(m) | i_knows(m) ∈ P1} ⊆ DY({m | i_knows(m) ∈ S})
  ∧ { state((m2)) } ∪ (P‘1) ⊆ (P)
  ∧ dom() ⊆ Vars(m1) ∪ Vars(m2) ∪ Vars(P1) ∪ Vars(N1) ∪ Vars(P, C, N)
  ∧ C‘ = ( C ∪ from(m1 ∪ {m | i_knows(m) ∈ P1} ⊣ {i | i_knows(i) ∈ P } )
  ∧ N‘ = (N) ∧ (Cond)
  ∧ SubCond( (N1), (P) ) }

SubCond( N, P ) = ∧ ( { ⋁_{i = 1..n} vi ti | ¬t ∈ N, t’ ∈ P, mgu(t, t’) = {v1 → t1 ,…,v1 → t1} })

Strand Spaces

- Framework on security protocols
- exploring the structure of a protocol,
- exploring the possible combination of local runs (at the principals) of a protocol to a common protocol
- Based on the Dolev-Yao model
- Developed by: Joshua Guttman, Jonathan C. Herzog, F. Javier Thayer (1998)
- Implemented in the Athena system

Strands as Local Views of Principals

- Strand represents sequence of signed messages ±m
- „+“ means principal sends this message
- „-“ means principal receives this message

- A‘s view of the protocol: { A, NA }KB, then { NA, NB }KA, then { NB }KB
- A‘s (trace of his) strand: + { A, NA }KB ⇒ - { NA, NB }KA ⇒ + { NB }KB

What are Messages?

Set M of messages are terms consisting of:

- Atomic messages MA (like nonces, names…)
- Set K of cryptographic keys with K ∩ MA = ∅ and an injective function inv: K → K with inv(K) abbreviated as K⁻¹
- Binary operators
  - crypt : K × M → M with crypt(K, x) abbreviated as: { x }K
  - pair : M × M → M with pair(x, y) abbreviated as: x, y
- Freeness axioms:
  - { m }K = { m‘ }K‘ ⇒ m = m‘ ∧ K = K‘
  - m0, m1 = m‘0, m‘1 ⇒ m0 = m‘0 ∧ m1 = m‘1
  - pair(m, m‘) crypt(K, m‘‘), …

Strand Space

- A strand space is a collection of strands
- Given a set of messages M, a strand space is a set with a trace mapping: tr : → (±M)*
- e.g. = { A, B}, tr(A) = ⟨ +{ A, NA }KB , -{ NA , NB }KA , +{ NB }KB ⟩

(Figure: the two strands of the example, with each sent message connected to its reception)

- A: + { A, NA }KB ⇒ - { NA, NB }KA ⇒ + { NB }KB
- B: - { A, NA }KB ⇒ + { NA, NB }KA ⇒ - { NB }KB

Originating Messages

- Submessage: m ⊑ m, and m ⊑ m1,m2 iff m ⊑ m1 or m ⊑ m2, and m ⊑ { m’ }K iff m ⊑ m‘
- A node n is an entry point for a set of messages M iff n = ⟨ + t ⟩ for some t ∈ M and n’ ⇒* n implies n’ M
- A term t originates on a node n of a strand s iff n is an entry point for { t‘ : t ⊑ t‘ }, i.e. n is positive and is the first node of s that contains t.
- A term t is uniquely originating iff t originates on a unique node

Modeling the Penetrator

- The penetrator participates in protocols via penetrator strands
- Penetrator strands reflect the potentials of the penetrator

Penetrator strands:

- Text M: + T, with T ∈ MA
- Flush G: - X
- Tee T: - X ⇒ + X ⇒ + X
- Concatenation C: - X ⇒ - Y ⇒ + X, Y

Modeling the Penetrator II

… more penetrator strands:

- Separation S: - X, Y ⇒ + X ⇒ + Y
- Key K: + K (K ∈ Kp)
- Encryption E: - X ⇒ - K ⇒ + { X }K
- Decryption D: - { X }K ⇒ - K⁻¹ ⇒ + X

Penetrator‘s Work – An Example

Breaking into Needham-Schroeder protocol

- Key K: + Kp⁻¹
- Decryption D: - { NA, A }Kp ⇒ - Kp⁻¹ ⇒ + NA, A
- Key K: + KB
- Encryption E: - NA, A ⇒ - KB ⇒ + { NA, A }KB

Rules for Composing the Jigsaw

Technical restrictions:

- Every received message has been sent from somewhere
- If a node n (on a strand s) occurs in the jigsaw then all its predecessors on s also occur

Semantic restrictions:

- Composition complies with the uniquely originating property!
- i.e. no guess of keys or nonces by the penetrator

Bundles as Composition of Strands

A bundle B is an acyclic subgraph ⟨ N_B, (→B ∪ ⇒B) ⟩

- if ⟨ - m ⟩ ∈ N_B then there is a unique ⟨ + m ⟩ ∈ N_B with: ⟨ + m ⟩ →B ⟨ - m ⟩
- if n2 ∈ N_B and n1 ⇒ n2 then n1 ⇒B n2
- ≼B is the reflexive and transitive closure of (→B ∪ ⇒B)

Properties:

- ≼B is a well-founded partial order, any non-empty set has ≼B –minimal members
- if B is a bundle and a replacement, then ( B ) is also a bundle
- height of a strand s in B is the number of nodes of s in B
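The bundle conditions above can be checked mechanically on a finite candidate graph. The following is an added example, not code from the slides or from Athena; the representation (strands as lists of signed terms, the bundle given by a height per strand, terms as plain strings) is an assumption of this sketch.

```python
from graphlib import TopologicalSorter, CycleError  # Python 3.9+

def check_bundle(strands, heights, comm):
    """Return the violated bundle conditions (empty list = valid bundle).

    strands: name -> list of (sign, term) nodes, sign is "+" or "-"
    heights: name -> number of leading nodes of that strand in the bundle,
             so every node's predecessors on its strand are included
    comm:    set of (sender_node, receiver_node) edges; a node is (name, index)
    """
    nodes = {(s, i) for s, h in heights.items() for i in range(h)}
    preds = {n: {(n[0], n[1] - 1)} if n[1] > 0 else set() for n in nodes}
    senders = {n: 0 for n in nodes}
    errors = []
    for src, dst in sorted(comm):
        if src not in nodes or dst not in nodes:
            errors.append(f"edge {src} -> {dst} uses a node outside the bundle")
            continue
        (s_sign, s_term) = strands[src[0]][src[1]]
        (d_sign, d_term) = strands[dst[0]][dst[1]]
        if (s_sign, d_sign) != ("+", "-") or s_term != d_term:
            errors.append(f"edge {src} -> {dst} is not +m -> -m")
            continue
        senders[dst] += 1
        preds[dst].add(src)
    for n in sorted(nodes):                 # unique sender for every reception
        if strands[n[0]][n[1]][0] == "-" and senders[n] != 1:
            errors.append(f"negative node {n} has {senders[n]} senders")
    try:                                    # acyclicity of the two edge kinds
        tuple(TopologicalSorter(preds).static_order())
    except CycleError:
        errors.append("the graph has a cycle")
    return errors

# Constructed sample: the two regular strands of the exchange on the slides.
STRANDS = {
    "A": [("+", "{A,NA}KB"), ("-", "{NA,NB}KA"), ("+", "{NB}KB")],
    "B": [("-", "{A,NA}KB"), ("+", "{NA,NB}KA"), ("-", "{NB}KB")],
}
COMM = {(("A", 0), ("B", 0)), (("B", 1), ("A", 1)), (("A", 2), ("B", 2))}
```

A strand may appear with a height below its full length, which is how a run that stops early is represented.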

The Bundle: An Example

(Figure: the strands + { A, NA }KB ⇒ - { NA, NB }KA ⇒ + { NB }KB and - { A, NA }KB ⇒ + { NA, NB }KA ⇒ - { NB }KB, with each sent message connected to its reception)

Examples of ≼B :

- + { A, NA }KB ≼B - { A, NA }KB ≼B + { NA, NB }KA ≼B - { NA, NB }KA
- + { NA, NB }KA ≼B - { NB }KB
- + { NB }KB ≼B - { NB }KB

Some Properties of Bundles B

Lemma:

Let S ⊂ B with ∀ n‘, n‘‘ : |n‘| = |n‘‘| implies n‘ ∈ S iff n‘‘ ∈ S. Then, if n is a ≼B-minimal member of S then n is positive.

Lemma:

Let t ∈ M and S = { m ∈ B | t ⊑ m }. Let n ∈ B be a ≼B-minimal element of S. Then, t originates on n.

Lemma:

Let K ∈ K \ Kp. If K never originates on a regular node, then K ⋢ n for all n ∈ B

i.e. for all penetrator nodes p ∈ B holds: K ⋢ p.

Needham-Schroeder-Lowe (NSL - Space)

NSL space (i.e. strand space) consists of:

- Penetrator strands s ∈ P
- Initiator strands: s ∈ Init[ A, B, NA, NB ]

tr(s) = ⟨ +{ A, NA }KB , -{ NA , NB, B }KA , +{ NB }KB ⟩

- Responder strands: s ∈ Resp[ A, B, NA, NB ]

tr(s) = ⟨ -{ A, NA }KB , +{ NA , NB, B }KA , -{ NB }KB ⟩

- with „parameters“: A, B, NA, NB ∈ MA

Proving Properties of NSL - Space

Suppose:

- Let B be a bundle in the NSL-space and s be a responder strand in Resp[A, B, NA, NB] with height 3.
- KA-1Kp
- NA NB and NB is uniquely originating in the NSL-space.

Then: B contains t ∈ Init[A, B, NA, NB] with height 3.

Proof Sketch

Lemma: NB originates at n1

Lemma: S = { n ∈ B | NB ⊑ n ∧ n1 ⋢ n } has a minimal element n“ that is regular and positive

Lemma: ∃ n‘ : n‘ ⇒* n“ and n‘ = - {NA, NB, B}KA

Lemma: Since n‘ = - {NA, NB, B}KA and n“ = + {NB}KB , they are both part of an Init[A, B, NA, NB] strand

Theorem: If is an NSL-Space and NA is uniquely originating in then there is at most one strand s ∈ Init[A, B, NA, NB] for any A, B, NB

NSL – Space – Lemmata (I)

Lemma:

NB originates at n1

Proof:

- by Definition holds NB ⊑ n1;
- n1 is positive and
- NA NB (by assumption) and NB A (by the types of both).
- Thus: NB ⋢ n0

(Figure: responder strand n0: - { A, NA }KB ⇒ n1: + {NA, NB, B}KA ⇒ n2: - {NB}KB)

NSL – Space – Lemmata (II)

(Figure: responder strand n0: - { A, NA }KB ⇒ n1: + {NA, NB, B}KA ⇒ n2: - {NB}KB)

Lemma:

S = { n ∈ B | NB ⊑ n ∧ n1 ⋢ n } has a ≼B-minimal element n“ that is regular and positive

Proof:

- Since NB ⊑ n2 ∈ B but n1 ⋢ n2 : S is non empty.
- Hence, S has at least one ≼B-minimal, positive element n“.
- Assumption that n“ is on a penetrator strand results in a contradiction. Case analysis on all penetrator strands

NSL – Space – Lemmata (III)

(Figure: responder strand n0: - { A, NA }KB ⇒ n1: + {NA, NB, B}KA ⇒ n2: - {NB}KB, and the nodes n‘ ⇒* n“)

Let n“ be a ≼B-minimal element of S = { n ∈ B | NB ⊑ n ∧ n1 ⋢ n } that is on a regular strand and is positive

Lemma:

∃ n‘ with n‘ ⇒* n“ and n‘ = - {NA, NB, B}KA

Proof:

- NB originates uniquely at n1.
- n“ n1 because n1 ⋢ n“.
- Thus, NB does not originate in n“ and ∃ n‘: NB ⊑ n‘.
- By minimality: n‘ = - {NA, NB, B}KA

Lemma:

The strand of n‘ and n“ is an initiator strand and contained in B

Proof: Exercise.

NSL-Space Lemmata (IV)

Lemma:

Since the strand of n‘ = - {NA, NB, B}KA and n“ = + {NB}KB is an initiator strand s, we know that s ∈ Init[A, B, NA, NB]

Theorem:

If is an NSL-Space and NA is uniquely originating in then there is at most one strand s ∈ Init[A, B, NA, NB] for any A, B, NB

Proof:

- if s ∈ Init[A, B, NA, NB] for any A, B, NB then the first node n1 of s is positive.
- NA ∈ n1 and obviously NA originates on n1
- Since NA is uniquely originating in there is only one s of this type

Analysis of the Insights

Why does this proof fail when using the original Needham-Schroeder protocol?

- We could prove:

Let n‘‘ be a ≼B-minimal element of S = { n ∈ B | NB ⊑ n ∧ n1 ⋢ n } that is on a regular strand and is positive

Lemma: ∃ n‘ with n‘ ⇒* n‘‘ and n‘ = + {NA, NB}KA

- But we fail to prove:

Lemma:

Since the strand of n‘ = - {NA, NB}KA and n‘‘ = + {NB}KC is an initiator strand s, we know that s ∈ Init[A, B, NA, NB]

we only know that s ∈ Init[A, C, NA, NB] for some C !!!

Authentication Tests

- Authentication of a principal is done by forcing the principal to apply his secret key
- Typically:
  - decryption: { m }K … …m…
  - signing: …m… … { m }K⁻¹
- Precondition: nobody can learn about the secret key K⁻¹
- K⁻¹ ∈ Prot( B ) : K⁻¹ occurs in the bundle only inside encryptions : {… K⁻¹ …}K‘

Notice: K occurs in { t }K only if K occurs in t !

Outgoing Authentication Test

(Figure: nodes n1: + …{ m }K …, n‘, n‘‘ and nm: - …m…; label: knowledge of K⁻¹)

Let S ⊂ { { t }K | K⁻¹ ∈ Prot( B ) }

Suppose a message m

- originates uniquely in B at n1 and
- occurs only within S in n1
- but occurs in some node nm ∈ B outside S

then

- there is a regular strand s with a positive node n‘‘ such that m occurs outside S for the first time in S and
- there is a node n‘ preceding n‘‘ on s such that m ⊑ n‘‘.

Incoming Authentication Test

(Figure: nodes n1: + …m…, n‘, n‘‘ and nm: - …{ m }K …; label: knowledge of K)

Suppose a message { m }K

- occurs within a negative node nm
- K ∈ Prot( B )
- m originates outside { m }K at a node n1

then

- there is a regular strand s with a positive node n‘‘ such that m occurs outside { m }K in n‘‘
- n1 ≼B n‘ ⇒+ n‘‘ ≺B nm with m‘ ⊑ n‘. (Solicited Incoming Test)
