
### Formal Verification of Security Protocols – an Introduction

ACCESS – distributed management group

Mads Dam

KTH/CSC

Security Protocols

- Two or more parties
- Communication over insecure network
- Active adversary can
  - Intercept messages
  - Forge messages
  - Replay messages
- Cryptography is countermeasure
  - Encrypt data
  - Sign and authenticate data
  - Exchange secret keys
  - Generate nonces and time stamps


Security Objectives

Goal: To preserve some desired property as far as possible in the face of attack

Confidentiality:

- Secrecy of message, secrecy of bits
- Anonymity, privacy

Integrity:

- Authenticity
- Distributed agreement
- Survivability

Availability:

- Denial of service prevention

Security Analysis

- Model system
  - Granularity, adversary access paths
- Model adversary
  - Memory, computational power, observational power
- Identify security properties of interest
- Examine if properties preserved under attack
- Result:
  - Under given assumptions about the system and the adversary, no attack of a certain form will destroy the property we’re after
  - Unconditional security is not possible

Modelling Decisions

- Modelling the system
  - Single or multiple sessions, several concurrent runs
  - Accuracy of computation and communication model
  - Real or idealized crypto?
- How powerful is the attacker?
  - Simple replays
  - Block messages
  - Decompose, reassemble and resend messages
  - Statistical analysis, traffic analysis?
  - Timing behaviour?
- Accuracy of security properties

Needham-Schroeder Key Exchange

NA, NB: Nonces, freshly generated random numbers

KA, KB: Public keys

- {M}KA: Encryption of M, readable only by A
  - Since only A possesses the secret key KA⁻¹

Goal of protocol: Mutual authentication, establishment of shared secret (NA, NB)

1. A → B: {A,NA}KB
2. B → A: {NA,NB}KA
3. A → B: {NB}KB

NSPK - Objectives

- Responder correctly authenticated
  - If A believes she has authenticated B, and B is honest, then B believes he has authenticated A
- Initiator correctly authenticated
  - If B believes he has authenticated A, and A is honest, then A believes she has authenticated B
- Nonce secrecy
  - At the end of the protocol, if A and B are both honest (and in particular do not overtly reveal NA and NB to a third party) then (NA, NB) is a secret shared between A and B

Lowe’s Attack

Man-in-the-middle attack

Dishonest E tricks A into revealing B’s session key NB

Note: Attack purely based on protocol functionality, not crypto dependent

1. A → E: {A,NA}KE
2. E (as A) → B: {A,NA}KB
3. B → E (as A): {NA,NB}KA
4. E → A: {NA,NB}KA
5. A → E: {NB}KE

G. Lowe: An Attack on the Needham-Schroeder Public-Key Authentication Protocol, IPL 1995

Verification Approaches

Cryptographic analysis:

- Protocol security reduced to number-theoretic assumptions

Model checking:

- Build state transition graphs for some system instances and check as well as possible

Theorem proving:

- Phrase problem as idealized mathematical problem (perfect crypto, other simplifications) and prove it

Process modelling approach:

- Model system as communicating processes, use equational reasoning

Other: temporal logics, logics of knowledge and belief

Cryptographic Protocol Analysis

Security reduced to number-theoretic assumptions, e.g.:

- Hardness of prime factorization
- Diffie-Hellman: Hard to compute g^(αβ) given g^α and g^β, for α, β ∈ Zq random

Universally composable security [Canetti]

- Replace subprotocols by idealized versions while preserving security

Successfully used to analyze complex protocols, e.g. [Wikström]

Analysis is complex and highly error-prone

Computationally sound formal analysis

- Cf. [Rogaway-Abadi], currently active area

R. Canetti: Universally Composable Security: A New Paradigm for Cryptographic Protocols. Proc. 42nd FOCS, 2001

D. Wikström: On the Security of Mix-Nets and Hierarchical Group Signatures. Ph.D. Thesis, KTH-CSC, 2005

M. Abadi, P. Rogaway: Reconciling Two Views of Cryptography, J. Cryptology, 2002

Model Checking

Idea: System modelled as communicating finite state machines

- Bounded state spaces
- Bounded state variable domains
- Communication by shared state variables or message passing

Query as state reachability problem

- Is ”bad” state reachable?

Automated state space traversal

- Hashing: 1 bit per state suffices
- Subject to probabilistic accuracy

Examples: SPIN, SMV, Murφ


Limitations of Finite State Methods

Everything must be fixed:

- Number of participants
- Participants’ behaviour
  - So no ”unknown” transitions, no open systems
- Number of sessions
- Message space
  - No encrypt(encrypt(...(encrypt(...)) ...))
- Memory
  - Of honest party, of attacker, or communication channel

Really, this is ”just” very comprehensive simulation

Model Checking Security Protocols

- Model protocol entities and network
  - Initiator and responder as finite state automata
  - Network as shared variable (SMV, Murφ) or as bounded buffer (SPIN)
- Model adversary
  - Typically one control state, bounded memory
  - Intercept messages
  - Store and recall messages
  - Bounded generation of new messages, using observed and initial data (typically: public keys)
- Determine ”bad” states and hope for termination

Example: J. Mitchell, V. Shmatikov, I. Stern: Finite-State Analysis of SSL 3.0, USENIX 1998

Process-Oriented Models

Model ”real” and idealized system as concurrent processes

Ideal system: SPEC

Real system: IMPL

Observational congruence:

SPEC ≈ IMPL

- No observational difference between SPEC and IMPL
- SPEC and IMPL are observationally ”the same”
- Congruence: SPEC ≈ IMPL implies C[SPEC] ≈ C[IMPL] in any context C[-]
  - Even a hostile one ⇒ security for unknown attackers!

R. Milner: A Calculus of Communicating Processes, Prentice-Hall 1989

R. Milner, J. Parrow, D. Walker: A Calculus of Mobile Processes, I and II. Information and Computation 1992

Example: Applied Pi

Based on pi-calculus [Milner-Parrow-Walker-92]

Processes communicate by synchronous handshaking

Values = channel names

νc: Declares new name c

1. A has local c, passes c to B
2. B receives c, spawns node C with link b, passes c on
3. C receives c, B forgets b and c


Applied Pi

Applied pi adds equational theory of names

Example: theory of pairs and asymmetric encryption

- Operations: pair(-,-), fst(-), snd(-), pk(-), sk(-), dec(-,-), enc(-,-)
- Equations:
  - fst(pair(x,y)) = x
  - snd(pair(x,y)) = y
  - dec(enc(x,pk(y)),sk(y)) = x

Generation of random keys and nonces: use ν!!

Alice1(seedA,pkE) = νNA.comm!enc(pair(A,NA),pkE).Alice2(seedA,pkE,NA)

Alice2(seedA,pkE,NA) = ... etc ...

C. Fournet, M. Abadi: Mobile values, new names, and secure communication. Proc. POPL’01
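As an added example (not code from the slides, nor from ProVerif), the following Python implements the equational theory above as a term rewriter and the bounded message derivation that the model-checking adversary of the earlier slide performs (intercept, store, decompose with known keys), then checks nonce secrecy of NB for the honest NSPK run and for Lowe's run. The tuple term encoding, the helper names and the sample messages are assumptions made for this example.

```python
# Added example (not from the slides): a symbolic deduction check over the
# applied-pi equational theory above.  Terms are nested tuples such as
# ("enc", m, ("pk", n)) or ("pair", a, b); atoms (names, nonces) are strings.

head = lambda t: t[0] if isinstance(t, tuple) else None   # operator, None for an atom

def normalize(t):
    """Innermost-first rewriting with the three equations of the theory."""
    if isinstance(t, str): return t
    op, *args = t
    args = [normalize(a) for a in args]
    if op == "fst" and head(args[0]) == "pair":
        return args[0][1]                         # fst(pair(x,y)) = x
    if op == "snd" and head(args[0]) == "pair":
        return args[0][2]                         # snd(pair(x,y)) = y
    if (op == "dec" and head(args[0]) == "enc" and head(args[0][2]) == "pk"
            and head(args[1]) == "sk" and args[0][2][1] == args[1][1]):
        return args[0][1]                         # dec(enc(x,pk(y)),sk(y)) = x
    return (op, *args)

def derivable(knowledge, target, max_rounds=10):
    """Bounded Dolev-Yao closure: can `target` be derived from `knowledge`?
    Only destructors are applied; constructors never produce a new atom, so
    the answer is exact for atomic secrets such as nonces."""
    K = {normalize(t) for t in knowledge}
    for _ in range(max_rounds):
        keys = [k for k in K if head(k) == "sk"]
        new = {normalize(("fst", t)) for t in K} | {normalize(("snd", t)) for t in K}
        new |= {normalize(("dec", t, k)) for t in K for k in keys}
        new = {t for t in new if head(t) not in ("fst", "snd", "dec")}  # drop stuck terms
        if new <= K:
            break
        K |= new
    return normalize(target) in K

def pk(n): return ("pk", n)
def enc(m, k): return ("enc", m, k)
def pair(a, b): return ("pair", a, b)

# Constructed sample data: E's initial knowledge and the messages E sees on the network.
E_INITIAL = [pk("A"), pk("B"), pk("E"), ("sk", "E")]            # all public keys + E's own secret key
HONEST_RUN = [enc(pair("A", "NA"), pk("B")), enc(pair("NA", "NB"), pk("A")),
              enc("NB", pk("B"))]                                # honest A-B run observed by E
LOWE_RUN = [enc(pair("A", "NA"), pk("E")), enc(pair("A", "NA"), pk("B")),
            enc(pair("NA", "NB"), pk("A")), enc("NB", pk("E"))]   # Lowe's two interleaved sessions

def nb_secret_in_honest_run():
    return not derivable(E_INITIAL + HONEST_RUN, "NB")   # True: nonce secrecy holds
def nb_secret_in_lowe_run():
    return not derivable(E_INITIAL + LOWE_RUN, "NB")     # False: NB is derivable by E
```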

Applications

ProVerif: Constraint-based tool developed by B. Blanchet

Successfully used for verification of complex protocols in applied pi

Examples:

- Just Fast Keying – complex authentication protocol
- Protocol for certified email

Rationale for success:

- Very rudimentary control flow in protocols
- No branching on secrets

Remaining challenges:

- Multiple sessions/agents, richer control flow, cryptographic soundness

M. Abadi, B. Blanchet, C. Fournet. Just Fast Keying in the Pi Calculus. TISSEC’07

M. Abadi, B. Blanchet. Computer-Assisted Verification of a Protocol for Certified Email. Science of Computer Programming 2005

Epistemic Security Logics

Many security-related concepts are naturally phrased in terms of knowledge:

- A should not know the secret data
- B should know the value received is the value sent
- B should know that C knows the value sent
- D should know that E does not know the vote cast
- F should not know that G and H share the secret x
- ... etc. etc. ...

Epistemic logic: Formalization of the modality ”A knows F”, where A is an agent and F is a property of the agents’ state

M. Burrows, M. Abadi, R. M. Needham: A Logic of Authentication. ToCS, 1990

What Is Cryptographic Knowledge?

Not trivial

Standard accounts are cryptographically omniscient:

If x = enc(y,z) then A knows x = enc(y,z)

Ruins all cryptographic security !!

What Is Cryptographic Knowledge?

State: Assignment of terms to variables

- x = enc(y,pk(z)) (accessible to A)
- y = pair(0,1) (not accessible to A)
- z = c (not accessible to A)

All operations and public constants are one-way computable

Different agents have access to different variables

A knows F in state s:

F holds at all global states s’ that A cannot distinguish from s

E.g.: A knows y = pair(0,1), ¬(A knows x = enc(k,pk(c’)))

Results

A cannot distinguish global states s, s’ when the same equations hold for A in s and s’

(Static equivalence in applied pi)

Computationally justified semantics for BAN logic

Complete axiomatization of validity

For some theories, cryptographic soundness through link to applied pi:

A knows F at s if and only if F holds at all states that are computationally indistinguishable from s in sense of cryptography

M. Cohen, M. Dam: Logical Omniscience in the Semantics of BAN Logic, Proc. FCS’05

M. Cohen, M. Dam: A Completeness Result for BAN Logic, Proc. M4M’05

M. Cohen, M. Dam: A Complete Axiomatization of Knowledge and Cryptography, Submitted

State of the Field

Single-session, approximate analysis of industry-scale security protocols becoming feasible

- ”Static” protocols
  - Limited control flow, no recursion, no concurrency
- Cf. Avispa project site

Cryptographic analysis remains complex and error-prone

Cryptographic soundness active research area

- May become feasible in limited applications

Main challenge, cf. ACCESS:

- Lifting analysis techniques to dynamic and concurrent systems

Survivable Systems

Testing, diagnosis, repair of large-scale distributed systems – how?

- For a given protocol, how to identify a faulty (random, byzantine) node?
- How to neutralize a faulty node?
- For which fault models? Random faults? Byzantine faults? Relative to a given attack goal?

Goal: Probabilistic guarantees for fault detection and elimination


Confidential Aggregation?

Example: Epidemic protocols

- At round 0: local estimate = local value
- At round n+1: neighbours exchange and average local estimates

Local value leaked at step 1, or when the local value changes

Is it possible to aggregate without leaking information?

