Tools to Analyze Security Protocols


# Tools to Analyze Security Protocols - PowerPoint PPT Presentation



## PowerPoint Slideshow about 'Tools to Analyze Security Protocols' - kaveri


Presentation Transcript
Tools to Analyze Security Protocols

Protocol Analyzers…

… looking for flaws

Formal Analysis

General solutions:

• encode the analysis of a security protocol as a problem in a logic
• adapt a „standard“ theorem prover for that logic to the problem

Examples:

• Propositional logic:
  • state-based modeling, model checking (e.g. Millen, Meadows)
  • formalisation as (finite) state machines
• Higher-order logic:
  • algebraic modeling, inductive theorem proving (e.g. Paulson)
  • formalisation as abstract data types
Formal Analysis

Specific solutions:

• develop specialized logics, programs and / or (meta-)theories for the analysis of security protocols

Examples:

• BAN-like logics based on modal logics
  • reasoning about the beliefs of principals
• On-The-Fly Model Checking (Basin et al.)
  • lazy and symbolic enumeration of the search space
• Strand Spaces (Guttman, Thayer)
  • reasoning about the interaction of principals
Model Checking – Symbolic Lazy Evaluation
• Efficient analysis of a finite-state problem
• However, security protocols have infinitely many states:
  • arbitrary number of principals
  • arbitrary number of protocol runs
  • arbitrary size of messages (generated by the attacker)
• Some (easy) solutions:
  • restrict the number of principals
  • restrict the number of protocol runs
  • combine different states into a single state, e.g. by congruences or laziness
On-the-fly model checker OFMC
• Lazy and intelligent enumeration of the search space
• Search space as a tree.
• Each node is a trace of the protocol and extends the trace of its predecessor node.
• Lazy computation is done in Haskell
• Based on D. Basin's work on Lazy Infinite-State Analysis of Security Protocols (1999)
• Part of the AVISPA tool-set (www.avispa-project.org)
General Approach
• Enumeration of all possible traces using rules from R (including actions of the attacker)
• Searching for attack states

(Figure: the search tree, level by level.) $S_1$ holds the states reached by traces of length 1; each further level applies every rule to every state of the previous level:

$S_2 = \bigcup_{S \in S_1} \bigcup_{r \in R} \mathrm{step}_r(S)$ (traces of length 2), $S_3 = \bigcup_{S \in S_2} \bigcup_{r \in R} \mathrm{step}_r(S)$ (traces of length 3), …

Protocol Descriptions
• Attacker is the network: all messages are sent to or received from the attacker
• Rules of the form: $\langle \langle \text{received message} \rangle \times \langle \text{actual state} \rangle \times \langle \text{pos. facts} \rangle \times \langle \text{neg. facts} \rangle \rangle \Rightarrow \langle \langle \text{next message} \rangle \times \langle \text{next state} \rangle \times \langle \text{new facts} \rangle \rangle$
• e.g. one step of the responder B: on receiving $\{A, N_A\}_{K_B}$ it answers with the next message $\{N_A, N_B\}_{K_A}$:

$\langle \{A, N_A\}_{K_B},\ \mathrm{state}(\mathrm{roleB}, \mathrm{step1}, A, B),\ \emptyset,\ \neg \mathrm{seen}(B, N_A) \rangle \;\Rightarrow\; \langle \{N_A, N_B\}_{K_A},\ \mathrm{state}(\mathrm{roleB}, \mathrm{step2}, A, B),\ \{\mathrm{seen}(B, N_A)\} \rangle$

Examples of States and Knowledge
• msg(m): messages

  $\{A, N_A\}_{K_B}$, $\{N_A, N_B\}_{K_A}$, … and start, finished (as dummy messages)

• state(m): identifying the actual state of principals

  $\mathrm{state}(\mathrm{roleA}, \mathrm{step0}, A, B)$, $\mathrm{state}(\mathrm{roleB}, \mathrm{step2}, A, B, N_A, N_B)$, …

• P1, P2: positive facts, knowledge of the attacker

  $\mathrm{i\_knows}(N_A)$: „intruder knows $N_A$“,
  $\mathrm{secret}(M, A)$: „M is secret and only known to A“,
  $\mathrm{seen}(A, N_B)$: „A has seen the message $N_B$“ …

• N: negative facts:

  $\neg \mathrm{seen}(A, N_B)$: „A has not seen the message $N_B$“

Modeling the Attacker – Dolev-Yao

What an attacker can deduce, $DY(M)$, from a set of messages $M$ (G rules generate messages, A rules analyse them; scrypt is symmetric encryption, so the encryption key also decrypts):

• GAxiom: $m \in M \;\Rightarrow\; m \in DY(M)$
• GPair: $m_1 \in DY(M),\ m_2 \in DY(M) \;\Rightarrow\; \langle m_1, m_2 \rangle \in DY(M)$
• APair: $\langle m_1, m_2 \rangle \in DY(M) \;\Rightarrow\; m_1 \in DY(M),\ m_2 \in DY(M)$
• Gscrypt: $m_1 \in DY(M),\ m_2 \in DY(M) \;\Rightarrow\; \{m_2\}_{m_1} \in DY(M)$
• Ascrypt: $\{m\}_k \in DY(M),\ k \in DY(M) \;\Rightarrow\; m \in DY(M)$

from D. Basin et al.: OFMC

Terms, Matching, Unification

(Figure: the terms $\{X\}_{K_A}$ and $\{N_A, N_B\}_{K_A}$ drawn as trees; the variable $X$ stands for the whole pair $\langle N_A, N_B \rangle$.)

Matching of $\{X\}_{K_A}$ with $\{N_A, N_B\}_{K_A}$ yields: $\{ X \mapsto \langle N_A, N_B \rangle \}$

(Figure: the terms $\{N_A, X\}_{K_A}$ and $\{Y, N_B\}_{K_A}$ drawn as trees; variables occur on both sides.)

Unification of $\{N_A, X\}_{K_A}$ with $\{Y, N_B\}_{K_A}$ yields: $\{ Y \mapsto N_A,\ X \mapsto N_B \}$

State Transitions

Rule r:

$\mathrm{msg}(m_1) \,.\, \mathrm{state}(m_2) \,.\, P_1 \,.\, N_1 \wedge \mathrm{Cond} \;\Rightarrow\; \mathrm{state}(m_3) \,.\, \mathrm{msg}(m_4) \,.\, P_2$

Let $P'_1 = P_1 \setminus \{ f \mid \exists m.\ f = \mathrm{i\_knows}(m) \}$ (the i_knows facts on the left-hand side are read but never consumed).

Successor state of S w.r.t. r (monotone in the knowledge of the attacker):

$\mathrm{step}_r(S) = \{ S' \mid \exists \sigma.\ \sigma \text{ „applicable“ on } \mathrm{LHS}(r) \text{ and } S \;\wedge\; S' = (S \setminus (\mathrm{state}(\sigma(m_2)) \cup \sigma(P'_1))) \cup \mathrm{state}(\sigma(m_3)) \cup \mathrm{i\_knows}(\sigma(m_4)) \cup \sigma(P_2) \}$

All possible successor states of S w.r.t. a set of rules R:

$\mathrm{succ}_R(S) = \bigcup_{r \in R} \mathrm{step}_r(S)$

Application of Rules
• a rule models the generation of a message by the attacker and the response to it by an honest principal
• Let $r = \mathrm{msg}(m_1) \,.\, \mathrm{state}(m_2) \,.\, P_1 \,.\, N_1 \wedge \mathrm{Cond} \Rightarrow \ldots$
• $\mathrm{applicable}_r(S) = \{ \sigma \mid$
  $\{\sigma(m_1)\} \cup \{\sigma(m) \mid \mathrm{i\_knows}(m) \in P_1\} \subseteq DY(\{ m \mid \mathrm{i\_knows}(m) \in S \})$ (the attacker can produce the received message and every i_knows fact the rule requires)
  $\wedge\ \{\mathrm{state}(\sigma(m_2))\} \cup \sigma(P'_1) \subseteq S$
  $\wedge\ \forall p.\ \neg p \in N_1 \rightarrow \sigma(p) \notin S$
  $\wedge\ \sigma \models \mathrm{Cond}$
  $\wedge\ \mathrm{ground}(\sigma)$
  $\wedge\ \mathrm{dom}(\sigma) = \mathrm{Vars}(m_1) \cup \mathrm{Vars}(m_2) \cup \mathrm{Vars}(P_1) \cup \mathrm{Vars}(N_1) \}$

Modeling the Success of a Protocol

Definition of attack condition:

• condition under which an attack is successful
• syntactical form of the left-hand side of a rule:

$ar = \mathrm{msg}(m_1) \,.\, \mathrm{state}(m_2) \,.\, P_1 \,.\, N_1 \wedge \mathrm{Cond}$

• Example: $\mathrm{secret}(M, \{A, B\}),\ \mathrm{i\_knows}(M),\ \neg \mathrm{secret}(M, i)$ (a message meant to be secret between A and B is known to the intruder i without ever having been declared a secret of i)
• State S is an attack iff ar is „applicable“ in S.
• Protocol is secure iff for all reachable states S and all attack conditions ar: ar is not „applicable“ in S.
Modeling the Attacker Knowledge

Problem of the applicability condition:

• … $\{\sigma(m_1)\} \cup \{\sigma(m) \mid \mathrm{i\_knows}(m) \in P_1\} \subseteq DY(\{ m \mid \mathrm{i\_knows}(m) \in S \})$ …
• i.e. the attacker can generate arbitrary messages from his knowledge
• huge (in fact infinite) set of possible messages

Lazy attacker messages:

• specify attacker messages containing variables and instantiate the variables „on the fly“

Define the possible substitutions $\sigma$ such that $\sigma(T)$ can be synthesized from $\sigma(IK)$:

$\mathrm{from}(T, IK)$ denotes the set of ground substitutions $\sigma$ such that

• $\sigma$ is ground
• $\sigma(T) \cup \sigma(IK)$ is ground
• $\sigma(T) \subseteq DY(\sigma(IK))$
Constraint Sets
• $[\![ \mathrm{from}(T, IK) ]\!] = \{ \sigma \mid \mathrm{ground}(\sigma) \wedge \mathrm{ground}(\sigma(T), \sigma(IK)) \wedge \sigma(T) \subseteq DY(\sigma(IK)) \}$
• $[\![ c_1, \ldots, c_n ]\!] = \bigcap_{i = 1, \ldots, n} [\![ c_i ]\!]$
• $(C, \sigma) \vdash_r (C', \sigma')$ iff the constraint reduction rule r rewrites $(C, \sigma)$ into $(C', \sigma')$
• $C'$ is simple iff it contains only „$\mathrm{from}(T, IK)$“ elements with a variable as T
• Let $\vdash$ be the transitive closure of all $\vdash_r$ for constraint reduction rules r
• $\mathrm{Red}(C) = \{ (C', \sigma') \mid ((C, \mathrm{id}) \vdash (C', \sigma')) \wedge \mathrm{simple}(C') \}$
• A simple $C'$ is trivially solvable
• Theorem: $[\![ C ]\!] = [\![ \mathrm{Red}(C) ]\!]$, $\mathrm{Red}(C)$ is finite and $\vdash$ is well founded

Constraint Reduction Rules CRR

Each rule rewrites the constraint set on the left into the one on the right (in Gunif the unifier $\tau$ is applied to the whole result):

• GPair: $\mathrm{from}(\langle m_1, m_2 \rangle \cup T, IK) \cup C,\ \sigma \;\longrightarrow\; \mathrm{from}(m_1 \cup m_2 \cup T, IK) \cup C,\ \sigma$
• Gscrypt: $\mathrm{from}(\{m_2\}_{m_1} \cup T, IK) \cup C,\ \sigma \;\longrightarrow\; \mathrm{from}(m_1 \cup m_2 \cup T, IK) \cup C,\ \sigma$
• Gunif: $\mathrm{from}(m_1 \cup T, m_2 \cup IK) \cup C,\ \sigma \;\longrightarrow\; (\mathrm{from}(T, m_2 \cup IK) \cup C)\tau,\ \sigma\tau$ where $\tau = \mathrm{mgu}(m_1, m_2)$ and $m_1 \notin V$ (i.e. $m_1$ is not a variable)
• Ascrypt: $\mathrm{from}(T, \{m\}_k \cup IK) \cup C,\ \sigma \;\longrightarrow\; \mathrm{from}(k, IK) \cup \mathrm{from}(T, m \cup \{m\}_k \cup IK) \cup C,\ \sigma$
• APair: $\mathrm{from}(T, \langle m_1, m_2 \rangle \cup IK) \cup C,\ \sigma \;\longrightarrow\; \mathrm{from}(T, m_1 \cup m_2 \cup \langle m_1, m_2 \rangle \cup IK) \cup C,\ \sigma$

from D. Basin et al.: OFMC

Lazy Steps

$S = (P, C, N)$: P: positive facts, N: CNF of inequalities, C: a constraint set.

$(P, C, N)$ denotes all states $\sigma(P)$ with $\sigma \in [\![ C ]\!]$ and $\sigma \models N$

Let $r = \mathrm{msg}(m_1) \,.\, \mathrm{state}(m_2) \,.\, P_1 \,.\, N_1 \wedge \mathrm{Cond} \Rightarrow \ldots$

Lazy application of steps:

• $\mathrm{step}_r((P, C, N)) = \{ (P', C', N') \mid \exists \sigma:\ (\sigma, C', N') \in \mathrm{applicable}_r(P, C, N) \;\wedge\; P' = (\sigma(P) \setminus (\mathrm{state}(\sigma(m_2)) \cup \sigma(P'_1))) \cup \sigma(P_2) \cup \mathrm{state}(\sigma(m_3)) \cup \mathrm{i\_knows}(\sigma(m_4)) \}$

Lazy States and Rule Applications

$S = (P, C, N)$: P: positive facts, N: CNF of inequalities, C: a constraint set.

$(P, C, N)$ denotes all states $\sigma(P)$ with $\sigma \in [\![ C ]\!]$ and $\sigma \models N$

Let $r = \mathrm{msg}(m_1) \,.\, \mathrm{state}(m_2) \,.\, P_1 \,.\, N_1 \wedge \mathrm{Cond} \Rightarrow \ldots$

$\mathrm{applicable}_r((P, C, N)) = \{ (\sigma, C', N') \mid$
  $\{\mathrm{state}(\sigma(m_2))\} \cup \sigma(P'_1) \subseteq \sigma(P)$
  $\wedge\ \mathrm{dom}(\sigma) \subseteq \mathrm{Vars}(m_1) \cup \mathrm{Vars}(m_2) \cup \mathrm{Vars}(P_1) \cup \mathrm{Vars}(N_1) \cup \mathrm{Vars}(P, C, N)$
  $\wedge\ C' = \sigma( C \cup \mathrm{from}(m_1 \cup \{ m \mid \mathrm{i\_knows}(m) \in P_1 \},\ \{ i \mid \mathrm{i\_knows}(i) \in P \}) )$
  $\wedge\ N' = \sigma(N) \wedge \sigma(\mathrm{Cond}) \wedge \mathrm{SubCond}(\sigma(N_1), \sigma(P)) \}$

The eager condition $\{\sigma(m_1)\} \cup \{\sigma(m) \mid \mathrm{i\_knows}(m) \in P_1\} \subseteq DY(\{ m \mid \mathrm{i\_knows}(m) \in S \})$ is no longer decided here: it is recorded as the new from-constraint in $C'$ and solved lazily by constraint reduction, and $\sigma$ need not be ground.

$\mathrm{SubCond}(N, P) = \bigwedge \{ \bigvee_{i = 1..n} v_i \neq t_i \mid \neg t \in N,\ t' \in P,\ \mathrm{mgu}(t, t') = \{ v_1 \mapsto t_1, \ldots, v_n \mapsto t_n \} \}$

(for every negative fact $\neg t$ and every positive fact $t'$ that unify, at least one binding of the unifier must be violated, so that $t$ cannot become a fact of the state)

Strand Spaces
• Framework for security protocols
  • exploring the structure of a protocol,
  • exploring the possible combinations of the local runs (at the principals) of a protocol into a global run
• Based on the Dolev-Yao model
• Developed by: Joshua Guttman, Jonathan C. Herzog, F. Javier Thayer (1998)
• Implemented in the Athena system
The Idea

(Figure: regular strands make up the intended protocol, penetrator strands the attacker's protocol; an execution pieces both kinds of strands together.)

Strands as Local Views of Principals
• A strand represents a sequence of signed messages $\pm m$
• „+“ means the principal sends this message
• „−“ means the principal receives this message

A's view of the protocol: $\{A, N_A\}_{K_B}$, $\{N_A, N_B\}_{K_A}$, $\{N_B\}_{K_B}$

A's strand (its trace): $\langle +\{A, N_A\}_{K_B},\ -\{N_A, N_B\}_{K_A},\ +\{N_B\}_{K_B} \rangle$

What are Messages?

The set M of messages are terms consisting of:

• Atomic messages $M_A$ (like nonces, names, …)
• A set K of cryptographic keys with $K \cap M_A = \emptyset$ and an injective function $\mathrm{inv}: K \rightarrow K$, with $\mathrm{inv}(K)$ abbreviated as $K^{-1}$
• Binary operators
  • $\mathrm{crypt}: K \times M \rightarrow M$, with $\mathrm{crypt}(K, x)$ abbreviated as $\{x\}_K$
  • $\mathrm{pair}: M \times M \rightarrow M$, with $\mathrm{pair}(x, y)$ abbreviated as $x, y$
• Freeness axioms:
  • $\{m\}_K = \{m'\}_{K'} \Rightarrow m = m' \wedge K = K'$
  • $m_0, m_1 = m'_0, m'_1 \Rightarrow m_0 = m'_0 \wedge m_1 = m'_1$
  • $\mathrm{pair}(m, m') \neq \mathrm{crypt}(K, m'')$, …
Strand Space
• A strand space is a collection of strands
• Given a set of messages M, a strand space is a set $\Sigma$ with a trace mapping $\mathrm{tr}: \Sigma \rightarrow (\pm M)^*$
• e.g. $\Sigma = \{A, B\}$, $\mathrm{tr}(A) = \langle +\{A, N_A\}_{K_B},\ -\{N_A, N_B\}_{K_A},\ +\{N_B\}_{K_B} \rangle$, $\mathrm{tr}(B) = \langle -\{A, N_A\}_{K_B},\ +\{N_A, N_B\}_{K_A},\ -\{N_B\}_{K_B} \rangle$

(Figure: the two strands drawn side by side, each send of one strand facing the matching receive of the other.)

Originating Messages
• Submessage (subterm) relation: $m \sqsubseteq m$; $m \sqsubseteq m_1, m_2$ iff $m \sqsubseteq m_1$ or $m \sqsubseteq m_2$; $m \sqsubseteq \{m'\}_K$ iff $m \sqsubseteq m'$ (the key K is not a submessage of $\{m'\}_K$)
• A node n is an entry point for a set of messages M iff $n = \langle +t \rangle$ for some $t \in M$ and $n' \Rightarrow^+ n$ implies $\mathrm{term}(n') \notin M$
• A term t originates on a node n of a strand s iff n is an entry point for $\{ t' : t \sqsubseteq t' \}$, i.e. n is positive and is the first node of s that contains t.
• A term t is uniquely originating iff t originates on a unique node
Modeling the Penetrator
• The penetrator participates in protocols via penetrator strands
• Penetrator strands reflect the potentials of the penetrator (parentheses below group a pair $X, Y$)
• Text M: $\langle +T \rangle$ with $T \in M_A$ (emit an atomic message)
• Flush G: $\langle -X \rangle$ (swallow a message)
• Tee T: $\langle -X,\ +X,\ +X \rangle$ (duplicate a message)
• Concatenation C: $\langle -X,\ -Y,\ +(X, Y) \rangle$

Modeling the Penetrator II

… more penetrator strands:

• Separation S: $\langle -(X, Y),\ +X,\ +Y \rangle$
• Key K: $\langle +K \rangle$ with $K \in K_P$ (a key the penetrator knows)
• Encryption E: $\langle -X,\ -K,\ +\{X\}_K \rangle$
• Decryption D: $\langle -\{X\}_K,\ -K^{-1},\ +X \rangle$

Penetrator's Work – An Example

Breaking into the Needham-Schroeder protocol: A starts a run with the penetrator, who decrypts A's first message with his own private key $K_P^{-1}$ and re-encrypts it for B. (Figure redrawn as the four penetrator strands, joined by message edges:)

• Key K: $\langle +K_P^{-1} \rangle$
• Decryption D: $\langle -\{N_A, A\}_{K_P},\ -K_P^{-1},\ +(N_A, A) \rangle$
• Key K: $\langle +K_B \rangle$
• Encryption E: $\langle -(N_A, A),\ -K_B,\ +\{N_A, A\}_{K_B} \rangle$

Composing Strands to Bundles

(Figure, as in „The Idea“: regular strands form the intended protocol, penetrator strands the attacker's protocol; a bundle pieces them together.)

Rules for Composing the Jigsaw

Technical restrictions:

• Every received message has been sent from somewhere
• If a node n (on a strand s) occurs in the jigsaw then all its predecessors on s occur as well

Semantic restrictions:

• The composition complies with the uniquely-originating property!
• i.e. no guessing of keys or nonces by the penetrator
Bundles as Composition of Strands

A bundle B is an acyclic subgraph $\langle N_B, (\rightarrow_B \cup \Rightarrow_B) \rangle$ such that

• if $\langle -m \rangle \in N_B$ then there is a unique $\langle +m \rangle \in N_B$ with $\langle +m \rangle \rightarrow_B \langle -m \rangle$
• if $n_2 \in N_B$ and $n_1 \Rightarrow n_2$ then $n_1 \Rightarrow_B n_2$
• $\preceq_B$ is the reflexive and transitive closure of $(\rightarrow_B \cup \Rightarrow_B)$

Properties:

• $\preceq_B$ is a well-founded partial order; any non-empty set of nodes has $\preceq_B$-minimal members
• if B is a bundle and $\alpha$ a replacement (a substitution of atomic messages), then $\alpha(B)$ is also a bundle
• the height of a strand s in B is the number of nodes of s in B
The Bundle: An Example

(Figure: A's strand $+\{A, N_A\}_{K_B} \Rightarrow -\{N_A, N_B\}_{K_A} \Rightarrow +\{N_B\}_{K_B}$ and B's strand $-\{A, N_A\}_{K_B} \Rightarrow +\{N_A, N_B\}_{K_A} \Rightarrow -\{N_B\}_{K_B}$, joined by the three message edges $\rightarrow_B$.)

Examples of $\preceq_B$:

• $+\{A, N_A\}_{K_B} \preceq_B -\{A, N_A\}_{K_B} \preceq_B +\{N_A, N_B\}_{K_A} \preceq_B -\{N_A, N_B\}_{K_A}$
• $+\{N_A, N_B\}_{K_A} \preceq_B -\{N_B\}_{K_B}$
• $+\{N_B\}_{K_B} \preceq_B -\{N_B\}_{K_B}$

Some Properties of Bundles B

Lemma:

Let $S \subseteq B$ be a set of nodes closed under equality of terms, i.e. $\forall n', n'': \mathrm{term}(n') = \mathrm{term}(n'')$ implies ($n' \in S$ iff $n'' \in S$). Then, if n is a $\preceq_B$-minimal member of S, n is positive.

Lemma:

Let $t \in M$ and $S = \{ n \in B \mid t \sqsubseteq \mathrm{term}(n) \}$. Let $n \in B$ be a $\preceq_B$-minimal element of S. Then t originates on n.

Lemma:

Let $K \in \mathcal{K} \setminus K_P$. If K never originates on a regular node, then $K \not\sqsubseteq \mathrm{term}(n)$ for all $n \in B$,

i.e. for all penetrator nodes $p \in B$: $K \not\sqsubseteq \mathrm{term}(p)$.

Needham-Schroeder-Lowe (NSL Space)

The NSL space (i.e. strand space) consists of:

• Penetrator strands $s \in P$
• Initiator strands $s \in \mathrm{Init}[A, B, N_A, N_B]$ with

$\mathrm{tr}(s) = \langle +\{A, N_A\}_{K_B},\ -\{N_A, N_B, B\}_{K_A},\ +\{N_B\}_{K_B} \rangle$

• Responder strands $s \in \mathrm{Resp}[A, B, N_A, N_B]$ with

$\mathrm{tr}(s) = \langle -\{A, N_A\}_{K_B},\ +\{N_A, N_B, B\}_{K_A},\ -\{N_B\}_{K_B} \rangle$

• with „parameters“ $A, B, N_A, N_B \in M_A$
Proving Properties of the NSL Space

Suppose:

• Let B be a bundle in the NSL space and s a responder strand in $\mathrm{Resp}[A, B, N_A, N_B]$ with height 3.
• $K_A^{-1} \notin K_P$
• $N_A \neq N_B$ and $N_B$ is uniquely originating in the NSL space.

Then: B contains $t \in \mathrm{Init}[A, B, N_A, N_B]$ with height 3.

Proof Sketch

Lemma: $N_B$ originates at $n_1$ (the second node of s)

Lemma: $S = \{ n \in B \mid N_B \sqsubseteq n \wedge \{N_A, N_B, B\}_{K_A} \not\sqsubseteq n \}$ has a minimal element $n''$ that is regular and positive

Lemma: $\exists n' : n' \Rightarrow^* n''$ and $n' = -\{N_A, N_B, B\}_{K_A}$

Lemma: Since $n' = -\{N_A, N_B, B\}_{K_A}$ and $n'' = +\{N_B\}_{K_B}$, they are both part of an $\mathrm{Init}[A, B, N_A, N_B]$ strand

Theorem: If $\Sigma$ is an NSL space and $N_A$ is uniquely originating in $\Sigma$, then there is at most one strand $s \in \mathrm{Init}[A, B, N_A, N_B]$ for any $A, B, N_B$

NSL Space – Lemmata (I)

Lemma:

$N_B$ originates at $n_1$

Proof:

• by definition, $N_B \sqsubseteq n_1$;
• $n_1$ is positive and
• $N_A \neq N_B$ (by assumption) and $N_B \neq A$ (by the types of both).
• Thus: $N_B \not\sqsubseteq n_0$, so $n_1$ is the first node of s containing $N_B$.

(Figure: the responder strand s with nodes $n_0 = -\{A, N_A\}_{K_B} \Rightarrow n_1 = +\{N_A, N_B, B\}_{K_A} \Rightarrow n_2 = -\{N_B\}_{K_B}$.)

NSL Space – Lemmata (II)

(Figure: the responder strand s, $n_0 = -\{A, N_A\}_{K_B} \Rightarrow n_1 = +\{N_A, N_B, B\}_{K_A} \Rightarrow n_2 = -\{N_B\}_{K_B}$.)

Lemma:

$S = \{ n \in B \mid N_B \sqsubseteq n \wedge \{N_A, N_B, B\}_{K_A} \not\sqsubseteq n \}$ has a $\preceq_B$-minimal element $n''$ that is regular and positive

Proof:

• Since $N_B \sqsubseteq n_2 \in B$ but $\{N_A, N_B, B\}_{K_A} \not\sqsubseteq n_2$: S is non-empty.
• Hence, S has at least one $\preceq_B$-minimal, positive element $n''$ (S is closed under equality of terms, so the first lemma on bundles applies).
• The assumption that $n''$ is on a penetrator strand results in a contradiction: case analysis on all penetrator strands.
NSL Space – Lemmata (III)

(Figure: the responder strand $n_0 \Rightarrow n_1 \Rightarrow n_2$ and, on another regular strand, $n' = -\{N_A, N_B, B\}_{K_A} \Rightarrow^* n'' = +\{N_B\}_{K_B}$.)

Let $n''$ be a $\preceq_B$-minimal element of

$S = \{ n \in B \mid N_B \sqsubseteq n \wedge \{N_A, N_B, B\}_{K_A} \not\sqsubseteq n \}$

that is on a regular strand and is positive.

Lemma:

$\exists n'$ with $n' \Rightarrow^* n''$ and $n' = -\{N_A, N_B, B\}_{K_A}$

Proof:

• $N_B$ originates uniquely at $n_1$.
• $n'' \neq n_1$ because $\{N_A, N_B, B\}_{K_A} \not\sqsubseteq n''$.
• Thus, $N_B$ does not originate on $n''$, and since $n''$ is positive with $N_B \sqsubseteq n''$, there is an earlier node $n'$ on the same strand with $N_B \sqsubseteq n'$.
• By minimality of $n''$: $n' \notin S$, hence $\{N_A, N_B, B\}_{K_A} \sqsubseteq n'$, and on a regular NSL strand this leaves $n' = -\{N_A, N_B, B\}_{K_A}$.

Lemma:

The strand of $n'$ and $n''$ is an initiator strand and contained in B

Proof: Exercise.

NSL Space – Lemmata (IV)

Lemma:

Since the strand of $n' = -\{N_A, N_B, B\}_{K_A}$ and $n'' = +\{N_B\}_{K_B}$ is an initiator strand s, we know that $s \in \mathrm{Init}[A, B, N_A, N_B]$

Theorem:

If $\Sigma$ is an NSL space and $N_A$ is uniquely originating in $\Sigma$, then there is at most one strand $s \in \mathrm{Init}[A, B, N_A, N_B]$ for any $A, B, N_B$

Proof:

• if $s \in \mathrm{Init}[A, B, N_A, N_B]$ for some $A, B, N_B$, then the first node $n_1$ of s is positive.
• $N_A \sqsubseteq n_1$ and obviously $N_A$ originates on $n_1$
• Since $N_A$ is uniquely originating in $\Sigma$, there is only one s of this type
Analysis of the Insights

Why does this proof fail when using the original Needham-Schroeder protocol?

• We could prove:

Let $n''$ be a $\preceq_B$-minimal element of $S = \{ n \in B \mid N_B \sqsubseteq n \wedge \{N_A, N_B\}_{K_A} \not\sqsubseteq n \}$ that is on a regular strand and is positive.

Lemma: $\exists n'$ with $n' \Rightarrow^* n''$ and $n' = -\{N_A, N_B\}_{K_A}$

• But we fail to prove:

Lemma:

Since the strand of $n' = -\{N_A, N_B\}_{K_A}$ and $n'' = +\{N_B\}_{K_C}$ is an initiator strand s, we know that $s \in \mathrm{Init}[A, B, N_A, N_B]$

we only know that $s \in \mathrm{Init}[A, C, N_A, N_B]$ for some C!!! Without B's name inside $\{N_A, N_B\}_{K_A}$ nothing ties A's run to B: A may be running the protocol with some other party C, which is exactly the situation the penetrator exploits.

Authentication Tests
• Authentication of a principal is done by forcing the principal to apply his secret key
• Typically:
  • decryption: $\{m\}_K$ … … $m$ … (only the holder of $K^{-1}$ can extract m)
  • signing: … $m$ … … $\{m\}_{K^{-1}}$ (only the holder of $K^{-1}$ can produce the signature)
• Precondition: nobody can learn the secret key $K^{-1}$
  • $K^{-1} \in \mathrm{Prot}(B)$: $K^{-1}$ is used in the bundle only as an encryption key and never travels inside a message, i.e. no term $\{ \ldots K^{-1} \ldots \}_{K'}$ occurs in B

Notice: K occurs in $\{t\}_K$ only if K occurs in t!

Outgoing Authentication Test

(Figure: $n_1: +\ldots\{m\}_K\ldots$ precedes $n'$; on the regular strand s, $n' \Rightarrow^+ n''$ with $n''$ positive, the step from $n'$ to $n''$ requiring knowledge of $K^{-1}$; $n_m: -\ldots m \ldots$ follows.)

Let $S \subseteq \{ \{t\}_K \mid K^{-1} \in \mathrm{Prot}(B) \}$

Suppose a message m

• originates uniquely in B at $n_1$ and
• occurs only within S in $n_1$ (i.e. only encrypted under keys whose inverse is protected)
• but occurs in some node $n_m \in B$ outside S

then

• there is a regular strand s with a positive node $n''$ such that m occurs outside S for the first time in $n''$, and
• there is a node $n'$ preceding $n''$ on s such that $m \sqsubseteq n'$.

In other words: only a regular participant holding $K^{-1}$ can have extracted m from its encryption, so the strand s authenticates that participant.
Incoming Authentication Test

(Figure: $n_1: +\ldots m \ldots$ precedes $n'$; on the regular strand s, $n' \Rightarrow^+ n''$ with $n''$ positive, the step from $n'$ to $n''$ requiring knowledge of K; $n_m: -\ldots\{m\}_K\ldots$ follows.)

Suppose a message $\{m\}_K$

• occurs within a negative node $n_m$,
• $K \in \mathrm{Prot}(B)$, and
• m originates outside $\{m\}_K$ at a node $n_1$

then

• there is a regular strand s with a positive node $n''$ on which $\{m\}_K$ occurs (the regular participant holding K produced the encryption), and
• $n_1 \preceq_B n' \Rightarrow^+ n'' \prec_B n_m$ with $m \sqsubseteq n'$ (Solicited Incoming Test: the strand received m before encrypting it).