Security Protocol Specification Languages - PowerPoint PPT Presentation

Presentation Transcript

  1. Security Protocol Specification Languages. Iliano Cervesato, iliano@itd.nrl.navy.mil, ITT Industries, Inc @ NRL – Washington DC, http://www.cs.stanford.edu/~iliano/. FOSAD 2001 – Bertinoro, Italy

  2. Scope of this Course • Specification languages for cryptographic protocols • Evaluation criteria • Anthology of languages • Scientific impact • Extras . . . • Advertisement for MSR

  3. This Course is not about • Cryptography • Applications of crypto-protocols • Taxonomy of • Protocols • Attacks • Tools • Verification

  4. Outline Hour 1: Specification languages Hour 2: MSR Hour 3: The most powerful attacker Hour 4: Reconstructing the intruder

  5. Hour 1 Specification Languages

  6. Hour 1: Outline • Security protocols • Dolev-Yao abstraction • Specification targets • Major specification languages • Origins • Example (Needham-Schroeder) • Properties • Evaluation

  7. Security Protocols • Use cryptographic means to ensure • confidentiality • authentication • non-repudiation, … in distributed/untrusted environment • Applications • e-commerce • trade/military secrets • everyday computing Security goals

  8. Why is Protocol Analysis Difficult? • Subtle cryptographic primitives • Dolev-Yao abstraction • Distributed hostile environment • “Prudent engineering practice” • Inadequate specification languages • … the devil is in details …

  9. Correctness vs. Security [Mitchell] • Correctness: satisfy specifications • For reasonable inputs, get reasonable output • Security: resist attacks • For unreasonable inputs, output not completely disastrous • Main difference • Active interference from the environment

  10. Dolev-Yao Model of Security [Figure labels: Bob, Alice, Network, Server, Dan, Charlie]

  11. Dolev-Yao Abstraction • Symbolic data • No bit-strings • Perfect cryptography • No guessing of keys • Public knowledge soup • Magic access to data

  12. Perfect Cryptography • KA^-1 is needed to decrypt {M}KA • No collisions • {M1}KA = {M2}KB iff M1 = M2 and KA = KB • …

  13. Public Knowledge Soup • Free access to auxiliary data • Abstracts actual mechanisms • database • subprotocols, … • But … not all data are public • keys • secrets

  14. … pictorially [Figure labels: s, a, ka, kb]

  15. Why is good specification important? • Documentation • communicate • Engineering • implementation • verification tools • Science • foundations • assist engineering

  16. Languages to Specify What? • Message flow • Message constituents • Operating environment • Protocol goals

  17. Desirable Properties • Unambiguous • Simple • Flexible • Adapts to protocols • Powerful • Applies to a wide class of protocols • Insightful • Gives insight about protocols

  18. Language Families • “Usual notation” • Knowledge logic • BAN • Process theory • FDR, Casper • Spi-calculus • Petri nets • Strands • MSR • Inductive methods • Temporal logic • Automata • NRL Prot. Analyzer • CAPSL • Murφ

  19. Why so many? • Convergence of approaches • experience from mature fields • unifying problem • scientifically intriguing • funding opportunities • Fatherhood pride

  20. Needham-Schroeder Protocol • Devised in ’78 • Broken in ’95! • Example of weak specification! But … • purely academic • attack subject to interpretation

  21. “Usual Notation”
      A -> B: {nA, A}kB
      B -> A: {nA, nB}kA
      A -> B: {nB}kB

  22. How does it do? • Flow: Expected run • Constituents: Side remarks • Environment: Side remarks • Goals: Side remarks • Unambiguous • Simple • Flexible • Powerful • Insightful

  23. BAN Logic [Burrows, Abadi, Needham] • Roots in belief logic • reason about knowledge as prot. unfolds • security: principals share same view • Specification • usual notation • “idealized protocol” • assumptions • Goals • Verification • Logical inference

  24. A  B: {nA, A}kB B  A: {nA, nB}kA A  B: {nB}kB NS: BAN Idealization A  B: {nA}kB B  A: {A nB BnA}kA A  B: {A nA B, B | A nB B nB}kB More readable syntax proposed later Security Protocol Specification Languages

  25. NS: BAN Assumptions • A | kAA • A | kBB • A | #nA • A | A nA B • B | kBB • B | kAA • B | #nB • B | A nB B

  26. NS: BAN Goals • B | A | A nA B • A | B | A nB B Formally derived from BAN rules

  27. How does BAN do? • Flow: Idealized run • Constituents: Assumptions • Environment: Implicit • Goals: BAN formulas • Unambiguous • Simple • Flexible • Powerful • Insightful

  28. CSP [Roscoe, Lowe] • Roots in • process algebra [Hoare] • non-interference • Specification • 1 process for each role • non-deterministic intruder process • Verification • Refinement w.r.t. abstract spec. • FDR: model checker for CSP • Casper: interface to FDR

  29. A  B:{nA, A}kB B  A: {nA, nB}kA A  B:{nB}kB CSP: NS Initiator Init(A, nA) = user.A?B -> I_running.A.B -> comm!Msg1.A.B.encr.key(B).nA.a -> comm.Msg2.B.A.encr.key(A)?nA’.nB -> if nA = nA’ thencomm!Msg3.A.B.encr.key(B).nB -> I_commit.A.B -> session.A.B -> Skip elseStop Responder is similar Security Protocol Specification Languages

  30. CSP: Resp. authentication spec.
      AR0 = R_running.A.B -> I_commit.A.B -> AR0
      A1 = {| R_running.A.B, I_commit.A.B |}
      AR = AR0 ||| Run (S \ A1)

  31. How does CSP do? • Flow: Role-based • Constituents: Formalized math. • Environment: Explicit • Goals: Abstract spec. • Unambiguous • Simple • Flexible • Powerful • Insightful

  32. Casper Specification of NS
      #Specification
      Secret(A, na, [B])
      Secret(B, nb, [A])
      Agreement(A, B, [na,nb])
      Agreement(B,A, [na,nb])
      #Actual variables
      Alice, Bob, Mallory: Agent
      Na, Nb, Nm: Nonce
      …
      #Intruder information
      Intruder = Mallory
      IntruderKnowledge = {Alice, Bob, Mallory, Nm, PK, SK(Mallory)}
      #Free variables
      A, B: Agent
      na, nb : nonce
      PK : Agent -> PublicKey
      SK : Agent -> SecretKey
      InverseKeys = (PK, SK)
      #Processes
      INIT(A,na) knows PK, SK(A)
      RESP(B,nb) knows PK, SK(B)
      #Protocol description
      0. -> A : B
      1. A -> B : {na, A}{PK(B)}
      2. B -> A : {na, nb}{PK(A)}
      3. A -> B : {nb}{PK(B)}

  33. Spi-calculus [Abadi, Gordon] • π-calculus with crypto. constructs • Specification • 1 process for each role • Instance to be studied • Intruder not explicitly modeled • Verification • Process equivalence to reference proc.

  34. A  B:{nA, A}kB B  A: {nA, nB}kA A  B:{nB}kB Spi: NS Initiator init(A,B,cAB,KB+,KA-) = (nnA) cAB< {|A, nA|}KB+ > . cAB(x) . case x of {|y|}KA- in let (y1,y2) = y in [y1 is nA] cAB< {| y2|}KB+ > . 0 Security Protocol Specification Languages

  35. A  B:{nA, A}kB B  A: {nA, nB}kA A  B:{nB}kB Spi: NS Responder resp(B,A,cAB,KA+,KB-) = cAB(x) . case x of {|y|}KB- in let (y1,y2) = y in [y1 is A] (nnB) cAB< {| y2, nB|}KA+ > . cAB(x’) . case x’ of {|y’|}KB- in [y’ is nB] 0 Security Protocol Specification Languages

  36. Spi: NS Instance
      inst(A,B,cAB) =
        (νKA) (νKB)
        ( init(A,B,cAB,KB+,KA-) | resp(B,A,cAB,KA+,KB-))

  37. How does Spi do? • Flow: Role-based • Constituents: Informal math. • Environment: Implicit • Goals: Reference proc. • Unambiguous • Simple • Flexible • Powerful • Insightful

  38. Strand Spaces [Guttman, Thayer] • Roots in trace theory • Lamport’s causality • Mazurkiewicz’s traces • Specification • Strands • Sets of principals, keys, … • Verification • Authentication tests • Model checking

  39. A  B: {nA, A}kB B  A: {nA, nB}kA A  B: {nB}kB {nA, A}kB {nA, A}kB {nA, nB}kA {nA, nB}kA {nB}kB {nB}kB Strands Security Protocol Specification Languages

  40. How do Strands do? • Flow: Role-based • Constituents: Informal math. • Environment: Side remarks • Goals: Side remarks • Unambiguous • Simple • Flexible • Powerful • Insightful

  41. Inductive methods [Paulson] • Protocol inductively defines traces • Specification • 1 inductive rule for each protocol rule • Universal intruder based on language • Verification • theorem proving (Isabelle HOL) • Related methods • [Bolignano]

  42. A  B: {nA, A}kB B  A: {nA, nB}kA A  B: {nB}kB IMs: NS NS1 [evs  ns; A  B; Nonce NAused evs] Says A B {Nonce NA, Agent A} KB# evs  ns NS2 [evs  ns; A  B; Nonce NBused evs; Says A’ B {Nonce NA, Agent A} KBset evs] Says B A {Nonce NA, Nonce NA} KA# evs  ns NS3 [evs  ns; Says A B {Nonce NA, Agent A} KBset evs; Says B’ A {Nonce NA, Nonce NA} KAset evs] Says A B {Nonce NA} KB# evs  ns Security Protocol Specification Languages

  43. IMs: Environment
      Nil []  ns
      Fake [evs  ns; BSpy; X synth(analz (spies evs))] Says Spy B X # evs  ns
      synth, analz, spies, … protocol indep.
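
An added example (not from the slides and not Isabelle's own theories): a simplified Python model of the Dolev-Yao knowledge operators named above, with perfect cryptography as on slide 12, run over one honest exchange of the three Needham-Schroeder messages. It assumes public-key encryption only; the names inv, can_fake, RUN, SPY_INIT and the Spy's nonce nS are this sketch's own, and analz/synth here are reduced versions of the operators the slide mentions.

```python
# Symbolic Dolev-Yao terms (added sketch). Atoms are strings; compound terms are tuples:
#   ("pair", x, y) = x, y     ("enc", m, k) = {m}k     ("pk", X) / ("sk", X) = X's key pair

def inv(key):
    """Inverse of a public-key term: pk(X) <-> sk(X)."""
    return ("sk" if key[0] == "pk" else "pk", key[1])

def analz(terms):
    """Everything extractable: split pairs, decrypt {m}k only when inv(k) is known."""
    known = set(terms)
    grew = True
    while grew:
        grew = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                parts = t[1:]
            elif t[0] == "enc" and inv(t[2]) in known:
                parts = (t[1],)
            else:
                parts = ()
            for p in parts:
                if p not in known:
                    known.add(p)
                    grew = True
    return known

def synth(known, goal):
    """True if goal is known or can be built by pairing/encrypting known terms."""
    if goal in known:
        return True
    if isinstance(goal, tuple) and goal[0] in ("pair", "enc"):
        return all(synth(known, part) for part in goal[1:])
    return False

def can_fake(spied, goal):
    """Premise of the Fake rule: goal is in synth(analz(spied))."""
    return synth(analz(spied), goal)

# Constructed sample: one honest run of the three messages, as seen on the network.
kA, kB = ("pk", "A"), ("pk", "B")
RUN = [("enc", ("pair", "nA", "A"), kB),
       ("enc", ("pair", "nA", "nB"), kA),
       ("enc", "nB", kB)]
SPY_INIT = {"A", "B", "nS", kA, kB, ("pk", "Spy"), ("sk", "Spy")}
```

With `SPY_INIT | set(RUN)` as the spied set, `can_fake` returns False for both nonces; adding `("sk", "B")` to that set makes it return True for both.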

  44. How do IMs do? • Flow: Trace-based • Constituents: Formalized math. • Environment: Immutable • Goals: Imposs. traces • Unambiguous • Simple • Flexible • Powerful • Insightful

  45. NRL Protocol Analyzer [Meadows] • Roots in automata theory • Specification • 1 finite-state automaton for each role • Grammar or words inaccessible to attacker • Verification • Backward state exploration • Theorem proving for finiteness

  46. A  B: {nA, A}kB B  A: {nA, nB}kA A  B: {nB}kB NPA: NS Resp., action 2 Subroutine rec_request(user(B,honest),N,T): If: rcv msg(user(A,H),user(B,honest),[Z],N): verify(pke(privkey(user(B,honest)),Z),(W,user(A,H))), not(verify(W,(W1,W2))): Then: rec_who := user(A,H), rec_self := user(B,honest), rec_gotnonce := W: send msg(user(B,honest),[{rec_self},{rec_who}],N): event(user(B,honest),[user(A,H)],rec_request,[W],N) Security Protocol Specification Languages

  47. How does NPA do? • Flow: Role-based • Constituents: Prolog code • Environment: Explicit • Goals: Unreachable state • Unambiguous • Simple • Flexible • Powerful • Insightful

  48. RTLA [Gray, McLean] • Roots in Temporal Logic (Lamport) • Specification • State components that change during a step • Verification • Proof in temporal logic • Evaluation • Similar to NPA

  49. CAPSL [Millen] • Ad-hoc model checker • Specification • Special-purpose language • Intruder built-in • Implementation • CIL [Denker] -> similar to MSR • Related systems • Murφ [Shmatikov, Stern] • ?? [Clarke, Jha, Marrero]

  50. A  B: {nA, A}kB B  A: {nA, nB}kA A  B: {nB}kB CAPSL: NS PROTOCOL NS; VARIABLES A, B: PKUser; Na, Nb: Nonce, CRYPTO ASSUMPTIONS HOLDS A: B; MESSAGES A -> B : {A, Na}pk(B); B -> A : {Na,Nb}pk(A); A -> B : {Nb}pk(B); GOALS SECRET Na; SECRET Nb; PRECEDES A: B | Na; PRECEDES B: A | Nb; END; Security Protocol Specification Languages