Post on 22-Dec-2015
Using Coloured Petri Nets to Simulate DoS-resistant protocols
7th Workshop and Tutorial on Practical Use of Coloured Petri Nets and CPN Tools 2006
Suratose Tritilanunt, Colin Boyd, Ernest Foo, Juan Manuel González Nieto
Information Security Institute (ISI)
Queensland University of Technology
Agenda
1. Introduction
2. Related Work
3. HIP Construction in CPNs
4. Experimental Results
5. Conclusion & Future Work
Introduction
Denial-of-Service (DoS) attacks attempt to terminate or deny service to legitimate users by overwhelming resources such as network bandwidth, CPU, and memory.
Many key exchange protocols have been proposed, but they are susceptible to DoS, i.e. resource exhaustion attacks, because they involve authentication phases based on digital signatures.
Moreover, most key exchange protocols today lack formal security analysis to support their security claims.
In this work, we adopt CPNs for modelling and analysing two cryptographic protocols: SSL and HIP.
Contribution
A refinement of Meadows' cost-based framework
The first formal specification and automatic analysis of Meadows' framework of HIP in Timed Coloured Petri Nets (Timed CP-Nets)
Simulation and analysis of HIP under normal conditions and under four scenarios of DoS attacks
Related Work
Doyle (1996): developed a model of three-pass mutual authentication and allowed an adversary to launch multiple iteration and parallel session attacks.
Han (2000): constructed a reachability graph to insecure states and examined the final states in OAKLEY.
Al-Azzoni (2004): developed a model of the Needham-Schroeder public-key authentication protocol and the Tatebayashi-Matsuzaki-Neuman (TMN) key exchange protocol.
Related Work
Beal and Shepard (2004): constructed a model of the HIP protocol using a mathematical equation for analysing the effect of puzzle difficulty under the steady-state attack.
Limitations:
1) they do not allow the responder to dynamically adjust puzzle difficulty,
2) there is only one attacking technique to overwhelm the responder's resources.
Meadows' Cost-based Framework
Define the cost set of operations: Cheap, Medium, Expensive
Compare the operational cost of the Initiator or Adversary with the cost of the protocol engagement on the Responder's machine
Protocol is secure: the Adversary's cost is great enough in comparison with the defender's cost to engage in the events up to an accepted action
HIP Based Exchange
Initiator I                Responder R
I1: HIT-I, HIT-R
R1: HIT-I, HIT-R, Puzzle(C,k), g^r, SIG_R1[g^r, PK_R]
I2: SIG_I[HIT-I, HIT-R, Solution(C,k,J), g^i, E_Ke{PK_I}]
R2: SIG_R2[HIT-I, HIT-R, HMAC]
[Figure labels: No States, No Work; User Authentication; DH Exchange; Hello; Key Confirmation]
Adversary Types
Informal Definition
Type   Major Task
ad1    floods valid/invalid 1st messages
ad2    floods valid 1st & 3rd messages
ad3    floods 3rd messages by computing only client puzzles
ad4    is like ad3, except the client puzzle solution is now also chosen randomly
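The puzzle step of the HIP exchange, and the difference between the ad3 and ad4 senders, as an added Python example that is not part of the original slides. It assumes the puzzle is a hash search in which the k low-order bits of SHA-1(C | HIT-I | HIT-R | J) must be zero (the slides only name Puzzle(C,k) and Solution(C,k,J)); the function names and the sample C and HIT values are constructed for illustration.

```python
import hashlib
import random

HASH_CALLS = 0  # work counter: one unit per SHA-1 call, by either side

def puzzle_hash(c, hit_i, hit_r, j):
    """Assumed puzzle function: SHA-1(C | HIT-I | HIT-R | J) as an integer."""
    global HASH_CALLS
    HASH_CALLS += 1
    data = c + hit_i + hit_r + j.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def verify(c, hit_i, hit_r, k, j):
    """Responder check of Solution(C,k,J): one hash, whatever k is."""
    return (puzzle_hash(c, hit_i, hit_r, j) & ((1 << k) - 1)) == 0

def solve(c, hit_i, hit_r, k):
    """Initiator search for J (hc, ad3): about 2**k hashes on average."""
    j = 0
    while not verify(c, hit_i, hit_r, k, j):
        j += 1
    return j

def measure(fn, *args):
    """Run fn and return (result, hashes spent while it ran)."""
    before = HASH_CALLS
    result = fn(*args)
    return result, HASH_CALLS - before

def compare(k, c=b"C-constructed", hit_i=b"HIT-I", hit_r=b"HIT-R"):
    """(initiator hashes, responder hashes, accepted?) per sender type."""
    j, solver_work = measure(solve, c, hit_i, hit_r, k)
    ok, resp_work = measure(verify, c, hit_i, hit_r, k, j)
    guess = random.Random(0).getrandbits(64)  # ad4: random J, no search
    ad4_ok, ad4_resp = measure(verify, c, hit_i, hit_r, k, guess)
    return {"hc/ad3": (solver_work, resp_work, ok),
            "ad4": (0, ad4_resp, ad4_ok)}

if __name__ == "__main__":
    for k in (1, 10):  # the two difficulties compared in Experiment 1
        print(k, compare(k))
```

In Meadows' terms the responder's puzzle check stays a single cheap hash for every sender, while only a sender that actually searches for J pays a cost that grows with k.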
Cryptographic Benchmark
Hash (kCycle per block, nsec per bit): SHA-1, MD5, HMAC/MD5
Symmetrical Crypto (kCycle per block, nsec per bit): DES, Blowfish, AES
Asymmetrical Crypto (kCycle per ops, nsec per bit): RSA Encryption/Verification, RSA Decryption/Signature, DSA Signature, DSA Verification
Key Exchange (kCycle per ops, nsec per bit): Diffie-Hellman Key Agreement, Diffie-Hellman Key-Pair Generation
1.89
0.59
0.59
383.66
9985.47
4569.62
0.75
0.25
0.53
5239
4605.65
8100.69
1.84
0.58
0.58
5.86
1.94
2.05
187.08
4869.11
2228.23
2554.64
2245.80
3950.05
Cost-based Model
[Figure: CPN transition Encryption with places Input, Output, Key and Cost. Arc inscriptions: (i1,num), (i2,num*Cost), n. Code segment: input (i1,n); output (i2); action(function(encrypt(i1,n)))]
e.g. cost of encryption is 5
Time-based Model
[Figure: CPN transition Check (@+1) with places Input, Output, Resource, Reject and Cost. Arc inscriptions: (i1,num); if (n>0) (i1,num*Cost); n, n-1; if (n<=0) i1; (num*Cost). Annotations: Resource > 0, Resource <= 0]
e.g. cost of checking is 2 and time usage is 1
Experimental Configuration
Honest clients (hc) can initiate a number of requests C = 80%, 100% and 150% of R
A single type of adversary can flood a number of bogus requests Z = 100%, 200% and 1000% of R
The responder's capacity = R
Declarations
colset User = with hc | ad1 | ad2 | ad3 | ad4 | sv;
colset M = with HITi | HITr | gi | gr | PKi | SKi | PKr | SKr;
colset cost = int;
colset DATA = string;
colset COST = product User * cost;
colset TIMED = product User * cost;
colset MSG = product User * NUM * DATA * cost timed;
colset Res = product User * NUM;
colset Done = product User * cost;
colset Reject = product User * cost;
(* join message fields with commas *)
fun cat2(x:DATA, y:DATA) = (x^","^y);
fun cat3(x:DATA, y:DATA, z:DATA) = (x^","^y^","^z);
(* ad1 floods: it emits num copies of the token, every other user emits one *)
fun send(u1:User, n:INT, x:DATA, i:INT) =
  if (u1=ad1) then num`(u1,n,x,i) else 1`(u1,n,x,i);
(* minimum and maximum of two integers *)
fun imin(i:int, j:int) = if (i<j) then i else j;
fun imax(i:int, j:int) = if (i>=j) then i else j;
fun Delay () = NetDelay.ran();
HIP Construction
The responder should select k to force the initiator to spend more time than is used in MSG3_R and MSG4_R.
[Figure: TOP page of the CPN model, "Key Establishment Protocol", with an Initiator side and a Responder side joined by Network transitions.]
Substitution transitions: MSG1_I (Sender), MSG1_R (Receiver), MSG2_R, MSG2_I, MSG3_I, MSG3_R, MSG4_R, MSG4_I, Network (MSG2, MSG3, MSG4), Finish
Places: I1-I4, R1-R4, M1-M4, Received, Output, rk, F, PuzzleTime (TIMED), Resource I (User, marking 30`hc ++ 30`ad3), cost I1-I4 and cost R1-R4 (COST), Completed (Done), Rejected (Fusion Rejectd, Done), Rejected1 (Fusion Rej1, Reject), Rejected3 (Fusion Rej3, Reject)
HIP Construction
MSG1_I SubPage
[Figure: Sender subpage of the CPN model.]
Transitions: Hash, code segment: input (i,n); output (k); action(i+n*0);
Arc inscriptions: u1; u2; u3; (u1,k); (u1,n,x,i); 1`(u3); 1`(u1,n,"HITi,HITr",k)
Place sender (MSG), marking: 1`(hc,1,"HIi,HIr",0) ++ 1`(ad1,num,"HIi,HIr",0) ++ 1`(ad2,num,"HIi,HIr",0) ++ 1`(ad3,num,"HIi,HIr",0) ++ 1`(ad4,num,"HIi,HIr",0)
Other elements: Resource I (In, User), F (In, User), I1 (Out, MSG1), cost I1 (Out, COST), Return (Fusion Return, User), ReturnResource, MSG3I (Fusion 2, User)
Annotations: from Receiver; ad1; ad3&4
HIP Construction
MSG1_R SubPage
[Figure: Receiver subpage for MSG1_R.]
Transitions: Queue @+(n2+1); Count; CheckHIT_R
Arc inscriptions:
if (n1<=0) then (n2-1) else n2
if (n1<=0) then (n4-1) else n4
if (n1<=0) then empty else 1`(u1)
if (n1>0) then (n1-1) else n1
if (n1<=0) then 1`(u1,i) else empty
if (n1>0) then 1`(u1,n,x,i) else empty
if (n1>0) then 1`(u1,n,x,0) else empty@+0
if (n1>0) then 1`(u1,0) else empty
n4+1; 1`(u1,n,x,i)
Places: Msg1 (MSG), Msg2 (MSG), Memory (Fusion Memory, INT1, marking 1`0), User (Fusion User), Return (Fusion Return, User), Resource (Fusion Resource, NUM, marking 1`30), Rejected (Fusion Rej1, Reject), Received2 (Fusion Rcv2, MSG1), Count (Fusion Count, NUM, marking 1`0), M1 (Out, MSG), cost I1 (Out, COST), R1 (In, MSG1), Received (Out, MSG1)
HIP Construction
MSG2_R SubPage
[Figure: MSG2_R subpage of the CPN model.]
Transitions, in the order they appear: Decision [n>0]; HIT; Merge; @+1; Sign1, code segment: input (i,j,n2); output (k); action(i+j+n2*4993); Pre_Cal; Puzzle; @+0; code segment: input (i,j,n); output (k); action(i*0+j+n*2);
Arc inscriptions:
if ((n1)<k) then 1`(1,"k00",0) else if (n1<(5*limit)) then 1`(1,"k10",0) else 1`(1,"k20",0)
1`(u1,n,y,j)@+((n1*waitI2)+1)
1`(u1,n,y,j)@+(n1*waitI2)
1`(u1,n,x,i)@+0
1`(u1,n,cat2(x,y), i+j)
1`(u2,n2,cat2(x,y),j)
1`(u1,n,cat3(x,y,"Puzzle"), k)
n-1; n3+1; (u1,k); (u2,k)
Places: Count1 and Count2 (Fusion Count, NUM, marking 1`0), User (Fusion User), Memory (Fusion Memory, INT1, marking 1`0), Resource (Fusion Resource, NUM, marking 1`3), k (Pkt), Limit (limit, INT1), M1 (In, MSG), M2 (MSG), M3 (MSG), X1 (MSG1), X2 (MSG), gr (MSG1), rk (Out, MSG), R2 (Out, MSG), cost pre_cal (COST), cost R2 (Out, COST), poolk (Pkt, marking 1`(1,"k00",0) ++ 1`(1,"k10",0) ++ 1`(1,"k20",0)), PKr (Pkt, marking 1`(1,"PKr",0)), r (Pkt, marking 1`(1,"gr",0))
HIP Construction
MSG2_I SubPage
[Figure: MSG2_I subpage of the CPN model.]
Transitions, in the order they appear: VerifysigR1, code segment: input (i,n); output (k); action(i+n*192); to_MSG3_I; VerifyHIT; @+1
Arc inscriptions:
case u1 of ad1 => (u1,0) | ad2 => (u1,k) | ad3 => (u1,0) | ad4 => (u1,0) | hc => (u1,k)
case u1 of ad1 => empty | ad2 => 1`(u1,n,x,k) | ad3 => 1`(u1,n,x,0) | ad4 => 1`(u1,n,x,0) | hc => 1`(u1,n,x,k)@+13
if (u1=ad1) then empty else 1`(u1,n,x,i*0+n*2)
case u1 of ad1 => 1`(u1) | ad2 => empty | ad3 => empty | ad4 => empty | hc => empty
1`(u1,n,x,i); p
Places: Accept1 (MSG), Accept2 (MSG), M2 (Out, MSG), SP (10, Ten0), cost I2 (Out, COST), I2 (In, MSG1), Fail (Out, User)
HIP Construction
MSG3_I SubPage
k00 -> @+1, k10 -> @+500, k20 -> @+1000
[Figure: MSG3_I subpage of the CPN model.]
Transitions: Sign; puzzle; Encrypt; KeyGen; Split, code segment: input (i,n); output (j); action n*(i*0);
Arc inscriptions:
1`(u1,n,"HIT",j)
if u1=ad4 then empty else 1`(u1,n,"HIT",j)
1`(u1,n,substring (x,10,9),j)
1`(u1,n,"gr",j)
1`(u1,n,x,i)
Places: PuzzleTime (Out, TIMED), HIT1 (MSG), HIT2 (MSG), HIT3 (MSG), h1 (MSG), p1 (MSG), g1 (MSG), puzzle (MSG), gr (MSG), cost I3 (Out, COST), M4 (Out, MSG), M2 (In, MSG), I3 (Out, MSG)
HIP Construction
MSG3_R SubPage
[Figure: MSG3_R subpage of the CPN model.]
Transitions: reject g^r; Decrypt & Verify Sig; Decrypt; Hash2; Hash1; Queue
Arc inscriptions:
if (n1<=0) then (n2-1) else n2
if (n1<=0) then 1`(u1,i) else empty
if (n1>0) then (n1-1) else n1
if (x="gr") then empty else 1`(u1,n,x,i)
if (x="gr") then 1`(u1,n,x,i) else empty
if (n1>0) then 1`(u1,n, substring (x,12,9),0) else empty@+waitSol
if (n1>0) then 1`(u1,n, substring (x,0,11),0) else empty@+waitSol
if (n1>0) then 1`(u1,n,"gi",0) else empty@+waitSol
if (n1>0) then 1`(u1,n, substring (x,12,9),0) else empty
n2-1; (u1,i); 1`(u1,0); (u1,n); 1`(u1,n,x,i); 1`(u1,n,y,j); 1`(u1,n,z,i); 1`(u1,n,z1,i); 1`(u1,n,y1,i)
Places: Count (Fusion Count, NUM, marking 1`0), Resource (Fusion Resource, NUM, marking 1`3), Rejected (Fusion Rej3, Reject), Rejected ad4 (Fusion Rejectd, Done), Return ad4 (Fusion Ret4, Res), fail (MSG), k (MSG1), r (MSG1), HIT1 (MSG), HIT2 (MSG), rk (In, MSG), Ke (MSG), Sol (MSG), E1 (MSG), gi (MSG), cost R3 (Out, COST), M3 (Out, MSG), R3 (In, MSG1)
HIP Construction
MSG4_R SubPage
[Figure: MSG4_R subpage of the CPN model.]
Transitions, in the order they appear: Hash; @+1; Split, code segment: input (i,n); output (j); action(n*i*0); HMAC; 1 block; @+12; code segment: input (j,k,n); output (l); action(n*2+j+k); Sign; @+0; code segment: input (i,j,l,n); output (k); action(n*4993+i+j+l);
Arc inscriptions:
if (x="HIT") then 1`(u1,n,"HIT",j) else empty
case x of "SIGi" => 1`(u1,n,"SIGi",j) | "HIT" => empty
1`(u1,n,"Ks",i+j+k+n*2*2)
1`(u1,n,"HMAC",l)
1`(u1,n,"SKr["^cat2(y,z)^"]",k)
n2+1; (u1,k); 1`(u1,n,x,i); 1`(u1,n,y,i); 1`(u1,n,y,k); 1`(u1,n,z,k); 1`(u1,n,z,l); 1`(u2,n1,x,j); 1`(u2,n2,x,j)
Places: Resource (Fusion Resource, NUM, marking 1`3), HIT1 (MSG), HIT2 (MSG), Ks (MSG), HMAC (MSG), SIGi (MSG), SKr (MSG, marking 1`(sv,1,"SKr",0)), 02 (MSG, marking 1`(sv,1,"01",0)), SPI (MSG, marking 1`(sv,1,"SPI",0)), cost R4 (Out, COST), R4 (Out, MSG), M3 (In, MSG)
HIP Construction
MSG4_I SubPage
[Figure: MSG4_I subpage of the CPN model.]
Transitions, in the order they appear: verifyHMAC; 1 block; @+1; code segment: input (i,j,n); output (k); action(i+j+n*2); verifysigR2 @+13, code segment: input (i,j,l,n); output (k); action(i+j+l+n*192); Split2; Split1, code segment: input (i,n1); output (j); action(n1*i*0); Hash; @+1; verifyHIT; @+0; code segment: input (i,j,n); output (k); action(i+j+n);
Arc inscriptions:
if (u2=hc) then 1`(u2,n1,x,j) else empty
if (u2=hc) then 1`(u2,n1,"HMAC",j) else empty
if (u2=hc) then 1`(u2,n1,"HIT",j) else empty
if chk(p,f) then 1`(u1,n,x,k) else empty
if chk(p,f) then empty else 1`(u1,n,x,k)
1`(u1,n,"Ks",(imax(j,k))+n*2*2)
if u1 = hc then case x of "g ir" => 1`(u1,n,x,n*i*0) | "HIT" => empty else empty
if u1 = hc then case x of "HIT" => 1`(u1,n,x,n*i*0) | "g ir" => empty else empty
p; (u1,k); 1`(u1,n,x,i); 1`(u1,n,y,j); 1`(u1,n,z,k); 1`(u2,n1,x,i); 1`(u2,n1,z,l)
Places: PKr (MSG, marking 1`(hc,1,"PKr",0)), 02 (MSG, marking 1`(hc,1,"01",0)), SP1 (10, Ten0), SP2 (10, Ten0), Accept1 (MSG), Accept2 (MSG), Fail (MSG), Fail1 (MSG), Fail2 (MSG), KS (MSG), g ir (MSG), HIT_3I (MSG), SIGr2 (MSG), HMAC (MSG), HIT (MSG), cost I4 (Out, COST), M4 (In, MSG), I4 (In, MSG1), Output (Out, MSG)
Experiment 1: HIP Cost-based Model
Comparison of Computational Cost of HIP with k=1 and k=10
Protocol
HIP
Initiator
J,E1,sigI valid
19591
-
19591
6
2
4998
Responder
only J valid
hc
ad1
ad4
19973
everything invalid
ad2
ad3
k=1 k=10
0
0 0
0
22017
17026
2048
14982
4 -
-
-
-
-
-
- -
-
CPU Usage between Initiator and Responder
Experiment 2: non-adjustable client puzzle
Percentage of throughput from hc with k=1 and C = 150% of R
Experiment 3: adjustable client puzzle
Percentage of throughput from hc with k=1-10 and C = 150% of R
Conclusion
We have achieved the aims of extending Meadows' cost-based framework and have shown the potential of automated analysis using CPN Tools
We have explored unbalanced computational vulnerabilities in SSL and HIP based on cost-based and time-based analysis
Future Work
1) Adopt state space analysis for exploring more vulnerabilities and attack strategies to deny services
2) Extend the power of adversaries in different ways in order to model more powerful attacks
Questions?