Verification of authentication protocols the past and the present
This presentation is the property of its rightful owner.
Sponsored Links
1 / 25

Verification of Authentication Protocols: the Past and the Present PowerPoint PPT Presentation


  • 65 Views
  • Uploaded on
  • Presentation posted in: General

Verification of Authentication Protocols: the Past and the Present. Why do we need to verify protocols even after we constructed them with so much care?. There is a database of possible attacks on protocols, but new types of attacks crop up as history shows over and over again

Download Presentation

Verification of Authentication Protocols: the Past and the Present

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Verification of authentication protocols the past and the present

Verification of Authentication Protocols:the Past and the Present


Verification of authentication protocols the past and the present

Why do we need to verify protocols even after we constructed them with so much care?

  • There is a database of possible attacks on protocols, but new types of attacks crop up as history shows over and over again

  • We need methods which are suitable to finding previously unknown attacks


Verification of authentication protocols the past and the present

Example: Needham-Schroeder’s PK protocol

  • Originally created in 1978

  • It took 15 years to find man-in-the-middle attack

  • Formal logic (BAN) could not find the attack, i.e. the protocol was proven to be correct!

  • It takes less than 1 min to find the attack using model-checking approach. The coding part takes no more than 1 hour.


Verification of authentication protocols the past and the present

The Protocol’s Description

  • A B: {NA,A}PKB

  • B A: {NA, NB} PKA

  • A B: {NB} PKB

The Man-in-the-Middle Attack

  • A C: {NA,A} PKC

  • C B: {NA,A} PKB

  • B C: {NA, NB} PKA

  • C A: {NA, NB} PKA

  • A C: {NB} PKC

  • C B: {NB} PKB


Verification of authentication protocols the past and the present

Man-in-the-Middle Attack (cont’d)

  • Discovery published in 1993 (15 years after the protocol was designed) by Gavin Lowe (Oxford, UK).

  • Initially found manually

  • Fixed and proved in 1995 using a combination of FDR

  • (automated model-checking) and logical reasoning. The corrected version is called Needhame-Schroeder-Lowe PK protocol. The only modification is the 2nd message includes identity of B


Verification of authentication protocols the past and the present

SPIN and forward search techniques

  • SPIN is a model-checking software based on Hoare’s CSP (communicating sequential processes) model

  • One models the processes of legitimate users and the intruder. Intruder comes with Dolev-Yao capabilities and incorporates all malicious users. Intruder also has a legitimate identity.

  • SPIN will go through all possible interleavings of steps taken by users and see if any red flags are raised

  • This is a forward search technique, i.e. the processes that will participate are known in advance and all possible trails of interactions are modeled and checked


Verification of authentication protocols the past and the present

Problems with forward search techniques

  • In authentication involving 2 users it is enough only to model legitimate users A and B and the intruder C, but one has to choose how many parallel sessions A and B are allowed to start. Therefore, negative result does not completely confirm that the protocol is secure

  • The state-space explodes exponentially with additional parallel sessions. One has to limit them to 2 or 3. As a result, one has to resort to other methods to extend negative result to the protocol (for example using logical reasoning)


Verification of authentication protocols the past and the present

Motivation for Backward Search

  • Let us look at the Needham-Schroeder’s protocol

  • Receiver B needs to receive M1= {NANY, A}PKBand M2= {NB}PKB to successfully authenticate A.

  • M2 can be generated by anyone who has the nonce. If it’s generated by someone other than intruder, attack will not succeed. For intruder to generate M2, it needs to receive NBin {N?, NB}PKI or {NB, N?}PKI or {NB}PKI

  • To generate {N?, NB}PKIwe need B to know that Intruder is trying to authenticate itself. This is not what we want


Verification of authentication protocols the past and the present

Motivation for Backward Search (cont’d)

  • To generate {NB, N?}PKI , the intruder had to have initiated authentication with process “?” and have passed it {NB, Intruder}PK?. This message can be generated only by the intruder and it needs to have NB. We encounter a cycle

  • To generate {NB}PKI, some user X has to initiate communication with the intruder.

  • X needs to receive {NX, NB}PKX. This message can be generated only by B. In turn, B will need to receive {NX, A}PKB.


Verification of authentication protocols the past and the present

  • {NX, A}PKB can not be generated by X, since it’s trying to contact Intruder. Therefore this message has to be generated by the intruder.

  • For intruder to generate {NX, A}PKB , it needs to have the nonce which will be sent by X in its first message.

  • Conclusion: we need one receiver B process, and one process X trying to initiate authentication with intruder. We can let X=A


Verification of authentication protocols the past and the present

Strand Spaces: building causal dependencies

  • Start with an initial set of causal dependencies and messages.

  • If a message is causally dependent on a message not present in the set, add that message

  • Continue until all dependencies are satisfied

  • Check which strands are contained in the resulting set.


Verification of authentication protocols the past and the present

Strands: what are they?

A’s strand would be

+{NA,A}PKB -{NA, NB, B} PKA +{NB} PKB

B’s strand is

-{NA,A}PKB +{NA, NB, B} PKA -{NB} PKB


Verification of authentication protocols the past and the present

Strands: what are they? (Cont’d)

A bundle formed by these strands is

+{NA,A}PKB -{NA, NB, B} PKA +{NB} PKB

-{NA,A}PKB +{NA, NB, B} PKA -{NB} PKB

This is a bundle for a legitimate run of the protocol and it is complete in the sense that on each strand all previous messages are included, and every message received in the bundle is actually sent in the bundle


Verification of authentication protocols the past and the present

Strands: what are intruder’s strands?

Intruder strands have to be more flexible since it does not follow the protocol.

Some of intruder’s strands are:

Similarly, strands that combine 2 messages into one can be defined as well as those decrypting message

  • +{t} where t is any text message

  • -g where g is any message

  • -{K} -h +{h}K which means that if intruder receives a key and a message, it can encrypt the message and send it out


Verification of authentication protocols the past and the present

Building a bundle for NSL

Suppose we have an acyclic bundle S that contains one run of B’s strand. We would like to prove that this bundle will also contain a run of A’s strand with corresponding nonces.

We start with the assumption that S contains the strand

-{NA,A}PKB +{NA, NB, B} PKA -{NB} PKB

We assume that NA NB and that NB uniquely originates in S on some strand. We want to prove that S must contain the strand

+{NA,A}PKB -{NA, NB, B} PKA +{NB} PKB


Verification of authentication protocols the past and the present

Building a bundle for NSL

  • S must contain node +{NB} PKB. First we prove that this node is the only node that contains NB which does not include message {NA, NB, B} PKA. And causally leads to -{NB} PKB We also prove that node +{NB} PKB does not lie on an intruder’s strand. Let L denote the legitimate strand on which node +{NB} PKB lies.

  • All preceding nodes on L must also be in S. One can easily show that node -{NA, NB, B} PKA must precede +{NB} PKB on L, and that this node corresponds to +{NA, NB, B} PKA


Verification of authentication protocols the past and the present

Building a bundle for NSL

As a result, S must contain the following:

+{NA, NB, B} PKA +{NB} PKB

-{NA,A}PKB +{NA, NB, B} PKA -{NB} PKB


Verification of authentication protocols the past and the present

Building a bundle for NSL

Also, we can see that the upper strand must be A’s and therefore the picture becomes:

+{NA,A}PKB +{NA, NB, B} PKA +{NB} PKB

-{NA,A}PKB +{NA, NB, B} PKA -{NB} PKB

This proves that S must contain corresponding strand of A


Verification of authentication protocols the past and the present

Building a bundle for NSL

Finally, we can show that we have only 1 strand with the same signature as the upper one. This shows uniqueness, i.e. the upper strand is not a replay.


Verification of authentication protocols the past and the present

How does this help us?

  • One need to be ADD-free and have good analytical abilities to analyze even a simple protocol like NSL!

  • Analysis of 5-step protocols can be published as monographs

  • One can do it with a pencil and paper by using logic without strand spaces

  • We can use model-checkers , let the program run for a week and come back for a result which is 99% accurate

  • Can we automate this strand-space approach?


Verification of authentication protocols the past and the present

D.Song’s Athena: automation of the strand-space approach

  • If the search terminates, a negative/positive result is produced.

  • The search does not always terminate but works for most useful protocols

  • State-explosion problem is alleviated through avoidance of asynchronous composition (i.e. going through all possible interleavings).

  • States may contain free-variables. Storage/CPU are thus more efficiently used since free variable states and their transitions represent infinitely many variable-free states/transitions.

  • Athena determines on-the-fly how many sessions need to be initiated.


Verification of authentication protocols the past and the present

D.Song’s Athena: automation of the strand-space approach

  • The idea is the following: given the strand of B, we look for all possible completions of this strand to a bundle and see if one of them does not contain corresponding strand of A.

  • Note that in the previous presentation there is a subtle issue: we ignore forwarding of messages by the intruder.

  • To ignore such situations we introduce the notion of goal-binding: if a message M1 has to be triggered by content T, we would “bind” M1 to the “minimal” positive node from which one can derive T.

  • Note that in a bundle every node that needs to be “binded” is actually “binded” within the bundle itself.


Verification of authentication protocols the past and the present

Athena: states

  • Suppose we start with a strand s. Let the set containing s be called C. Each time we add nodes to C, we make sure that given a node nC the nodes preceding n on its strand are also included. In this way, C is a “semi-bundle”: it’s backward closed under but not necessarily under

  • Note that a bundle is a particular case of a “semi-bundle”, and if a “semi-bundle” C has no “unbound” goals, then generally it’s also a bundle (in some degenerate cases intruder’s strands need to be added).

  • The “semi-bundles” encapsulate the notion of “state”


Verification of authentication protocols the past and the present

Athena: state-transitions

  • State-transitions map a “semi-bundle” C to a finite set of other semi-bundles that can be derived by causally completing C

  • To construct the next state, for each unbound goal we find a way to bind it. This way we produce a new semi-bundle. The set of all such semi-bundles is the next state. Note that free variables may arise in the next state

  • The algorithm itself works by expanding the semi-bundle to its maximum and seeing whether the result satisfies our needs. What if the expansion does not terminate?

  • Additional techniques for early detection of unreachability can speed up the process


Verification of authentication protocols the past and the present

Conclusions

  • Forward-search model-checking has limited effectiveness.

  • Backward-search avoids many of the previous problems but is harder (slightly) to code. In addition, it may not finish at all.

  • Manual methods of proving correctness can not be trusted completely (BAN logic for example), and one has to be patient and careful to verify the proofs.

  • Why not create protocols which are easily analyzed instead?

  • AGVI—Automatic Generation, Verification and Implementation of Security Protocols.


  • Login