1 / 27

An Executable Model for Security Protocol JFKr

This presentation discusses an executable model for the JFKr security protocol, using an ACL2 approach for verifying key-establishment protocols. It covers the background of JFKr, its heritage, an executable model, and prerequisites for reasoning about JFKr.

kgilbertson
Download Presentation

An Executable Model for Security Protocol JFKr

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An Executable Model for Security Protocol JFKr An ACL2 approach to key-establishment protocol verification Presented by: David L. Rager May 12, 2009

  2. Outline • Background on JFKr • Heritage • Executable model • Prerequisites for reasoning about JFKr • Cryptography book • Diffie Helman book • JFKr theorems and proofs • Authentication (also shows the attacker) • Session Key

  3. Background on JFKr • JFKr is a network security protocol used to establish a secret key between two participants • JFKr’s Heritage: • Diffie Helman • ISO 9798-3 • Internet Key Exchange (IKE) • Just Fast Keying in slight favor of the responder(JFKr) • Security properties provided by JFKr: • Derives a secret and shared key • Authentication of the parties to one another • Identity protection • Resilience against replay and denial of service attacks

  4. Partial JFKr Network Message Exchange GM % B GM % B GM % B GM % B GM % B Ni, xi R I GP % B tr=hashKr(Ni,Nr,xr) tr=hashKr(Ni,Nr,xr) tr=hashKr(Ni,Nr,xr) tr=hashKr(Ni,Nr,xr) tr=hashKr(Ni,Nr,xr) Ni, Nr, xr, tr D = GM*P % B k=hashD(Ni,Nr) D = GM*P % B k=hashD(Ni,Nr) D = GM*P % B k=hashD(Ni,Nr) D = GM*P % B k=hashD(Ni,Nr) ei=enck(IDi , IDr , sai , sigKi(Ni,Nr,xi,xr)) ei=enck(IDi , IDr , sai , sigKi(Ni,Nr,xi,xr)) ei=enck(IDi , IDr , sai , sigKi(Ni,Nr,xi,xr)) Ni, Nr, xi, xr, tr, ei, hi hi=hashk(“i”,ei) hi=hashk(“i”,ei) hi=hashk(“i”,ei) er, hr hr=hashk(“r”,er) hr=hashk(“r”,er) er=enck(IDr,sar,sigKr(Ni,Nr,xi,xr)) [Aiello et al.] and Shmatikov

  5. Executing the Model (defun run-5-steps-honest (network-s initiator-constants responder-constants public-constants initiator-s responder-s) (mv-let (network-s-after-1 initiator-s-after-1) (initiator-step1 network-s initiator-s initiator-constants public-constants) (mv-let (network-s-after-2 responder-s-after-2) (responder-step1 network-s-after-1 responder-s responder-constants public-constants) (mv-let (network-s-after-3 initiator-s-after-3) (initiator-step2 network-s-after-2 initiator-s-after-1 initiator-constants public-constants) (mv-let (network-s-after-4 responder-s-after-4) (responder-step2 network-s-after-3 responder-s-after-2 responder-constants public-constants) (mv-let (network-s-after-5 initiator-s-after-5) (initiator-step3 network-s-after-4 initiator-s-after-3 initiator-constants public-constants) (mv network-s-after-5 initiator-s-after-5 responder-s-after-4)))))))

  6. An Example Execution ;;; The below theorem shows how to run an example execution of the JFKr protocol ;;; and checks that the keys derived by the initiator and responder are equal (thm (mv-let (network-s initiator-s responder-s) (run-5-steps-honest nil *initiator-constant-list* *responder-constant-list* *public-constant-list* nil nil) (declare (ignore network-s)) (and ;; responder and initiator have the same session key (equal (session-key initiator-s) (session-key responder-s)) ;; responder stores the correct partner (equal (id *initiator-constant-list*) (id-i responder-s)) ;; initiator stores the correct partner (equal (id *responder-constant-list*) (id-r initiator-s)))))

  7. Prerequisites for Reasoning about JFKr • Encryption book • Functions that perform primitive hash/encrypt/signature operations • To prove that decrypting an encryption requires the key • To prove that duplicating a hash of something requires the key • To prove that verifying a signature requires the public key • To prove that creating a signature that can be verified with a public key requires the matching private key • To then disable the definitions of the hash/encrypt/signature functions, because the abstractions all we need and we no longer want to reason about the functions themselves.

  8. Definitions for Symmetric Encryption • The term “symmetric” simply means that the key used to encrypt an object is the same key used to decrypt the object • In our implementation of JFKr, we only encrypt and decrypt lists of numbers, so for encryption, it’s sufficient to just add the key to each element of the list (defun encrypt-symmetric-list (lst key) (if (atom lst) nil (cons (+ (car lst) key) (encrypt-symmetric-list (cdr lst) key)))) (defun decrypt-symmetric-list (lst key) (if (atom lst) nil (cons (- (car lst) key) (decrypt-symmetric-list (cdr lst) key))))

  9. Theorems about Symmetric Encryption • Decrypting an encrypted list with the right key yields the original list • Decrypting an encrypted list with the wrong key does not yield the original list (defthm decrypt-of-encrypt-symmetric-equals-plaintext (implies (force (encryptable-listp lst)) (equal (decrypt-symmetric-list (encrypt-symmetric-list lst key) key) lst))) (defthm decrypt-of-encrypt-symmetric-needs-key (implies (and (encryptable-listp lst) (not (null lst)) (keyp keyA) (keyp keyB) (not (equal keyA keyB))) (not (equal (decrypt-symmetric-list (encrypt-symmetric-list lst keyA) keyB) lst))))

  10. Diffie Helman Book • Provides definitions that implement the Diffie Helman protocol • Proves the theorem that if each party derives the key using their own private DH-value and the other party’s public DH-value, then the derived keys are equal • Provides a way to state that knowing one of the two private values is necessary to derive the shared key

  11. Definitions and Theorems about Diffie Helman Key Equality (defun compute-public-dh-value (g exponent-value b) (mod (expt g exponent-value) b)) (defun compute-dh-key (a-public-exponentiation-value a-private-value b) (mod (expt a-public-exponentiation-value a-private-value) b)) (defthm dh-computation-works (implies (and (positive-integerp g) (positive-integerp b) (positive-integerp x-exponent) (positive-integerp y-exponent)) (equal (compute-dh-key (compute-public-dh-value g x-exponent b) y-exponent b) (compute-dh-key (compute-public-dh-value g y-exponent b) x-exponent b)))))

  12. Definition Supporting Diffie Helman Key Secrecy • We can add this function to the hypothesis of any theorem that needs to prove key secrecy for a protocol using Diffie Helman to derive a shared key (defun session-key-requires-one-part-of-key (g b x-exponent y-exponent i-exponent) ;; we set the guards to nil to ensure that this function never executes and ;; is only used in the logical reasoning of the proof (declare (xargs :guard nil :verify-guards nil)) (implies (and (positive-integerp g) ... ; some other positive-integerp specifications (not (equal i-exponent x-exponent)) (not (equal i-exponent y-exponent))) (let ((x-public-value (compute-public-dh-value g x-exponent b)) (y-public-value (compute-public-dh-value g y-exponent b)) (session-key (compute-dh-key (compute-public-dh-value g x-exponent b) y-exponent b))) (and (not (equal (compute-dh-key x-public-value i-exponent b) session-key)) (not (equal (compute-dh-key y-public-value i-exponent b) session-key))))))

  13. Proving Authentication • Simple version of identity agreement (implies (and (initiator-success initiator-s) (responder-success responder-s)) (and (equal (id-I responder-s) (id initiator-constants)) (equal (id-R initiator-s) (id responder-constants))))

  14. Authentication Proof If a participant1 is not really the identity associated with a particular private key, then that participant does not have that private key and If a participant does not have the private key, then they will not be able to correctly sign a message to be later verified with the corresponding public key and If a message is incorrectly signed, then the protocol is unsuccessful <--> { transitivity of implication } If a participant1 is not really the identity associated with a particular private key then the protocol is unsuccessful <--> { contraposition } If the protocol is successful then the participant is really the identity associated with a particular private key • The first hypothesis is assumed to be true and the second and third hypotheses are formalized in ACL2 1a participant is one of an initiator, responder, or attacker

  15. Authentication of the Initiator (defthm run-4-steps-with-badly-forged-attacker-yields-responder-failure (let ((initiator-constants (initiator-constants constants)) (responder-constants (responder-constants constants)) (public-constants (public-constants constants))) (mv-let (network-s-after-1 initiator-s-after-1) (initiator-step1 network-s initiator-s initiator-constants public-constants) (let ((network-s-after-1-munged (function-we-know-nothing-about1 network-s-after-1))) (mv-let (network-s-after-2 responder-s-after-2) (responder-step1 network-s-after-1-munged responder-s responder-constants public-constants) (let ((network-s-after-2-munged (function-we-know-nothing-about2 network-s-after-2))) (mv-let (network-s-after-3 initiator-s-after-3) (initiator-step2 network-s-after-2-munged initiator-s-after-1 initiator-constants public-constants) (let ((network-s-after-3-munged (function-we-know-nothing-about3 network-s-after-3))) (mv-let (network-s-after-4 responder-s-after-4) (responder-step2 network-s-after-3-munged responder-s-after-2 responder-constants public-constants) (implies (and (constantsp constants) (badly-forged-msg3p (msg3 network-s-after-3-munged) (responder-constants constants) (public-key-i public-constants))) (and (protocol-failure responder-s-after-4)))))))))))))

  16. Modeling the Attacker (defthm run-4-steps-with-badly-forged-attacker-yields-responder-failure (let ((initiator-constants (initiator-constants constants)) (responder-constants (responder-constants constants)) (public-constants (public-constants constants))) (mv-let (network-s-after-1 initiator-s-after-1) (initiator-step1 network-s initiator-s initiator-constants public-constants) (let ((network-s-after-1-munged (function-we-know-nothing-about1 network-s-after-1))) (mv-let (network-s-after-2 responder-s-after-2) (responder-step1 network-s-after-1-munged responder-s responder-constants public-constants) (let ((network-s-after-2-munged (function-we-know-nothing-about2 network-s-after-2))) (mv-let (network-s-after-3 initiator-s-after-3) (initiator-step2 network-s-after-2-munged initiator-s-after-1 initiator-constants public-constants) (let ((network-s-after-3-munged (function-we-know-nothing-about3 network-s-after-3))) (mv-let (network-s-after-4 responder-s-after-4) (responder-step2 network-s-after-3-munged responder-s-after-2 responder-constants public-constants) (implies (and (constantsp constants) (badly-forged-msg3p (msg3 network-s-after-3-munged) (responder-constants constants) (public-key-i public-constants))) (and (protocol-failure responder-s-after-4)))))))))))))

  17. Key Agreement • Simple version of key agreement • See comment at end of jfkr.lisp book for more developed (and unproven) version (implies (and (initiator-success initiator-s) (responder-success responder-s)) (equal (session-key initiator) (session-key responder)

  18. Review • Background on JFKr • Heritage • Executable model • Books Required to reason about JFKr • Cryptography book • Diffie Helman book • JFKr theorems and proofs • Authentication • Session Key

  19. ACL2 3.5 Books • Encryption functions and theorems • books/security/jfkr/encryption.lisp • Diffie Helman implementation • books/security/jfkr/diffie-helman.lisp • JFKr implementation and theorems • books/security/jfkr/jfkr.lisp

  20. Resources • Abadi, Blanchet, Fournet. Just Fast Keying in the Pi Calculus. • Datta, Derek, Mitchell, and Pavlovic. A Derivation System and Compositional Logic for Security Protocols. • Levy, Benjamin (translator). Diffie-Helman Method for Key Agreement. 1997. • Paulson, Lawrence C. Proving Properties by Induction. 1997. • Shmatikov, Vitaly. Just Fast Keying Slides. 2004.

  21. Graphical Overview Initiator allocates state and begins process Responder receives a well formed network msg Initiator receives a well formed network msg Initiator does some calculation and saves some data Responder receives a correctly signed network msg that contains Responder’s cookie Responder allocates state, saving the established key and marking itself “successful” Initiator receives a correctly signed network msg Initiator saves some more data and marks itself “successful” 3 Initiator Steps Executable Model 2 Responder Steps Responder ID Agreement Initiator ID Agreement Properties to Prove Key Agreement Success -> Initiator ID Agreement Success -> Responder ID Agreement Success -> Key Agreement

  22. Key Agreement Strategy • Prove that when network messages check out as okay, the key derived in the initiator’s step 2 is equal to something (TDB) • Prove that when network messages check out as okay, the key derived in the responder’s step 2 is equal to something (TBD) • Use the DH book to show that those two something’s are equal • Prove that both parties show success after checking the correctness of the network messages they have received • Conclude that if all parties have received valid network messages, then their derived keys must be equal • Key agreement is yet unproven, but the tools to finish the proof are included in the book jfkr.lisp

  23. Design Objectives for a Key Exchange Protocol • Shared secret • Create and agree on a secret which is known only to protocol participants • Authentication • Participants need to verify each other’s identity • Identity protection • Eavesdropper should not be able to infer participants’ identities by observing protocol execution • Protection against denial of service • Malicious participant should not be able to exploit the protocol to cause the other party to waste resources • Key Freshness • Malicious participant should not be able to reuse crucial data from another session to conduct a replay attack

  24. Model “Features” • Party constants are abstract (defthm run-5-steps-with-badly-forged-attacker-yields-both-failure (let ((initiator-constants (initiator-constants constants)) (responder-constants (responder-constants constants)) (public-constants (public-constants constants))) ; conclusion to come )

  25. Model “Features” • Nondeterministic attacker (defstub function-we-know-nothing-about1 (*) => *) (defthm run-5-steps-with-badly-forged-attacker-yields-both-failure (mv-let (network-s-after-1 initiator-s-after-1) (initiator-step1 network-s initiator-s initiator-constants public-constants) (let ((network-s-after-1-munged (function-we-know-nothing-about1 network-s-after-1))) (mv-let (network-s-after-2 responder-s-after-2) (responder-step1 network-s-after-1-munged responder-s responder-constants public-constants) ; conclusion to come later

  26. Model “Features” • Separation of concepts like a well-formed message versus a message that’s badly-forged (defun well-formed-msg3p (msg) (declare (xargs :guard t)) (and (alistp msg) (integerp (Ni-msg msg)) (integerp (Nr-msg msg)) (integerp (Xi-msg msg)) (<= 0 (Xi-msg msg)) (integerp (Xr-msg msg)) (<= 0 (Xr-msg msg)) (integerp (Tr-msg msg)) (integer-listp (Er-msg msg)) (integerp (Hi-msg msg)) (integerp (Src-ip-msg msg))))

  27. Model “Features” • Separation of concepts like a well-formed message versus a message that’s badly-forged (defun badly-forged-msg3p-old(msg responder-constants initiator-private-key) (let* ((dh-key (CRYPTO::compute-dh-key (xi-msg msg) (dh-exponent responder-constants) (b responder-constants))) (session-key (compute-session-key (Ni-msg msg) (Nr-msg msg) dh-key)) (SigKi (compute-sig-Ki (Ni-msg msg) (Nr-msg msg) (Xi-msg msg) (Xr-msg msg) (g responder-constants) (b responder-constants) initiator-private-key)) (Ei-decrypted (CRYPTO::decrypt-symmetric-list (Ei-msg msg) session-key))) (not (equal (nth 2 Ei-decrypted) SigKi))))

More Related