formal verification of security protocols – an introduction mads dam kth/csc access –...
Post on 19-Dec-2015
224 views
TRANSCRIPT
Formal Verification of Security Protocols – an Introduction
Mads Dam
KTH/CSC
ACCESS – distributed management group
Security Protocols
• Two or more parties• Communication over insecure network• Active adversary can
– Intercept messages– Forge messages– Replay messages
• Cryptography is countermeasure– Encrypt data– Sign and authenticate data– Exchange secret keys– Generate nonces and time stamps
Alice
Bob
Charlie
Eve
Security Objectives
Goal: To preserve some desired property as far as possible in face of attack
Confidentiality:• Secrecy of message, secrecy of bits• Anonymity, privacy
Integrity:• Authenticity• Distributed agreement• Survivability
Availability:• Denial of service prevention
Security Analysis
• Model systemGranularity, adversary access paths
• Model adversaryMemory, computational power, observational power
• Identify security properties of interest• Examine if properties preserved under attack
• Result:– Under given assumptions about the system and the
adversary, no attack of a certain form will destroy the property we’re after
– Unconditional security is not possible
Modelling Decisions
• Modelling the system– Single or multiple sessions, several concurrent runs– Accuracy of computation and communication model– Real or idealized crypto?
• How powerful is the attacker?– Simple replays– Block messages– Decompose, reassemble and resend messages– Statistical analysis, traffic analysis?– Timing behaviour?
• Accuracy of security properties
Needham-Schroeder Key Exchange
NA, NB: Nonces, freshly generated random numbers
KA, KB: Public keys
• {M}KA: Encryption of M readable only to by A
• Since only A possesses secret key KA-1
Goal of protocol: Mutual authentication, establishment of shared secret (NA,NB)
A B
{A,NA}KB
{NA,NB}KA
{NB}KB
NSPK - Objectives
• Responder correctly authenticated
If A believes she has authenticated B, and B is honest, then B believes he has authenticated A
• Initiator correctly authenticated
If B believes he has authenticated A, and A is honest, then A believes she has authenticated B
• Nonce secrecy
At the end of the protocol, if A and B are both honest (and in particular do not overtly reveal NA and NB to a third party) then (NA, NB) is a secret shared between A and B
Lowe’s Attack
Man-in-the-middle attack
Dishonest E tricks A into revealing B’s session key NB
Note: Attack purely based on protocol functionality, not crypto dependent
G. Lowe: An Attack on the Needham-Schroeder Public-Key Authentication Protocol, IPL 1995
A E B
{A,NA}KE {A,NA}KB
{NA,NB}KA{NA,NB}KA
{NB}KE
Verification Approaches
Cryptographic analysis:• Protocol security reduced to number-theoretic
assumptions
Model checking:• Build state transition graphs for some system instances
and check as well as possible
Theorem proving:• Phrase problem as idealized mathematical problem
(perfect crypto, other simplifications) and prove it
Process modelling approach:• Model system as communicating processes, use
equational reasoning
Other: temporal logics, logics of knowledge and belief
Cryptographic Protocol Analysis
Security reduced to number-theoretic assumptions, e.g.:• Hardness of prime factorization• Diffie-Hellman: Hard to compute g given g and g, for
, 2 Zq random
Universally composable security [Canetti]• Replace subprotocols by idealized versions while
preserving security
Successfully analyze complex protocols, e.g. [Wikström]
Analysis complex and highly error-prone
Computationally sound formal analysis• Cf. [Rogaway-Abadi], currently active areaR. Canetti: Universally Composable Security: A New Paradigm for Cryptogaphic Protocols. Proc. 42nd FOCS, 2001 D. Wikström: On the Security of Mix-Nets and Hierarchical Group Signatures. Ph.D. Thesis, KTH-CSC, 2005M. Abadi, P. Rogaway: Reconciling Two Views of Cryptography, J. Cryptology, 2002
Model Checking
Idea: System modelled as communicating finite state machines
• Bounded state spaces• Bounded state variable domains• Communication by shared state variables or message
passingQuery as state reachability problem• Is ”bad” state reachable?Automated state space traversal• Hashing: 1 bit per state suffices• Subject to probabilistic accuracyExamples: SPIN, SMV, Mur
......
...
Limitations of Finite State Methods
Everything must be fixed:• Number of participants• Participants behaviour
So no ”unknown” transitions, no open systems• Number of sessions• Message space
No encrypt(encrypt(...(encrypt(...)) ...))• Memory
Of honest party, of attacker, or communication channel
Really, this is ”just” very comprehensive simulation
Model Checking Security Protocols
1. Model protocol entities and network
Initiator and responder as fsa’s
Network as shared variable (SMV, Mur)
- Or as bounded buffer (SPIN)
2. Model adversary
Typically one control state, bounded memory
- Intercept messages
- Store and recall messages
- Bounded generation of new messages, using
observed and initial data (typically: Public keys)
3. Determine ”bad” states and hope for terminationExample: J. Mitchell, V. Shmatikov, I Stern: Finite-State Analysis of SSL 3.0, USENIX 1998
Process-Oriented Models
Model ”real” and idealized system as concurrent processesIdeal system: SPECReal system: IMPL
Observational congruence:SPEC ¼ IMPL
• No observational difference between SPEC and IMPL• SPEC and IMPL are observationally ”the same”• Congruence:
SPEC ¼ IMPL implies C[SPEC] ¼ C[IMPL]in any context C[-]
• Even a hostile one ) security for unknown attackers!R. Milner: A Calculus of Communicating Processes, Prentice-Hall 1989R. Milner, J. Parrow, D. Walker: A Calculus of Mobile Processes, I and II. Information and Computation 1992
Example: Applied Pi
Based on pi-calculus [Milner-Parrow-Walker-92]
Processes communicate by synchronous handshaking
Values = channel names
c: Declares new name c
1: A has local c, passes c to B
2: B receives c, spawns node C with link b, passes c on
3: C receives c, B forgets b and c
aca
b
c
a
b
cc b
1 23
A A A BBB
C C
Applied Pi
Applied pi adds equational theory of namesExample: theory of pairs and asymmetric encryption• Operations: pair(-,-), fst(-), snd(-), pk(-), sk(-), dec(-,-),
enc(-,-)• Equations:
fst(pair(x,y)) = xsnd(pair(x,y) = ydec(enc(x,pk(y)),sk(y)) = x
Generation of random keys and nonces: Use !!
Alice1(seedA,pkE) =
NA.comm!enc(pair(A,NA),pkE).Alice2(seedA,pkE,NA)
Alice2(seedA,pkE,NA) = ... etc ...C. Fournet, M. Abadi: Mobile values, new names, and secure communication. Proc. POPL’01
Applications
ProVerif: Constraint-based tool developed by B. BlanchetSuccessfully used for verification of complex protocols in
applied piExamples:
Just Fast Keying – complex authentication protocolProtocol for certified email
Rationale for success:Very rudimentary control flow in protocolsNo branching on secrets
Remaining challenges:Multiple sessions/agents, richer control flow, cryptographic soundness
M. Abadi, B. Blanchet, C. Fournet. Just Fast Keying in the Pi Calculus. TISSEC’07M. Abadi, B. Blanchet. Computer-Assisted Verification of a Protocol for Certified Email. Science of Computer Programming 2005
Epistemic Security Logics
Many security-related concepts are naturally phrased in terms of knowledge:– A should not know the secret data– B should know the value received is the value sent– B should know that C knows the value sent– D should know that E does not know the vote cast– F should not know that G and H shares the secret x– ... etc. etc. ...
Epistemic logic: Formalization of modality A knows F
AgentProperty of agents state
M. Burrows, M. Abadi, R. M. Needham: A Logic of Authentication. ToCS, 1990
What Is Cryptographic Knowledge?
Not trivial
Standard accounts are cryptographically omniscient:
If x = enc(y,z) then A knows x = enc(y,z)
Ruins all cryptographic security !!
What Is Cryptographic Knowledge?
State: Assignment of terms to variables
x = enc(y,pk(z))
y = pair(0,1)
z = c
All operations and public constants are one-way computable
Different agents have access to different variables
A knows F in state s:
F holds at all global states s’ that A cannot distinguish from s
What Is Cryptographic Knowledge?
State: Assignment of terms to variables
x = enc(y,pk(z)) Accessible to A
y = pair(0,1) Not accessible to A
z = c Not accessible to A
All operations and public constants are one-way computable
Different agents have access to different variables
A knows F in state s:
F holds at all global states s’ that A cannot distinguish from s
E.g.: A knows y = pair(0,1), :(A knows x enc(k,pk(c’))
Results
A can distinguish global states s, s’:
Same equations hold for A in s and s’
Static equivalence in applied pi
Computationally justified semantics for BAN logic
Complete axiomatization of validity
For some theories, cryptographic soundness through link to applied pi:
A knows F at s if and only if F holds at all states that are computationally indistinguishable from s in sense of cryptography
M. Cohen, M. Dam: Logical Omniscience in the Semantics of BAN Logic, Proc. FCS’05M. Cohen, M. Dam: A Completeness Result for BAN Logic, Proc. M4M’05M. Cohen, M. Dam: A Complete Axiomatization of Knowledge and Cryptography, Submitted
State of the Field
Single-session, approximate analysis of industry-scale security protocols becoming feasible - ”Static” protocols - Limited control flow, no recursion, no concurrency - Cf. Avispa project site
Cryptographic analysis remains complex and error-proneCryptographic soundness active research area
- May become feasible in limited applications
Main challenge, cf. ACCESS: - Lifting analysis techniques to dynamic and concurrent systems
Survivable Systems
Testing, diagnosis, repair, of large scale distributed systems – how?
For given protocol, how to identify a faulty (random, byzantine) node?
How to neutralize a faulty node?For which fault models?
Random faults?Byzantine faults?Relative to given attack goal?
Goal: Probabilistic guarantees for fault detection and elimination
Alice
Bob
Charlie
Eve
Confidential Aggregation?
Example: Epidemic protocols
At round 0:
Local estimate = local value
At round n+1:
Neighbours exchange + average
local estimates
Local value leaked at step 1
Or when local value changes
Is it possible to aggregate without
leaking information?
A
B
4
6
A
B
2
32
3
A
B
5
5