A Syntactic Criterion for Injectivity of Authentication Protocols - - PowerPoint PPT Presentation

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 1/22

A Syntactic Criterion for Injectivity of Authentication Protocols

Cas Cremers

joint work with Sjouke Mauw and Erik de Vink

ccremers@win.tue.nl

Overview Motivation Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 2/22

ECSS group

Eindhoven Computer Science Security (ECSS) group

Goal:

To study the design and analysis of secure systems from a fundamental point of view

Topics:

■ Security protocol analysis ■ Multi-party protocols ■ Ad-hoc/sensor networks ■ Smartcard security ■ Attack trees ■ Digital Rights Management ■ RFID security ■ Privacy

Overview Motivation Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 3/22

Overview

■ Motivation ■ Problem statement ■ Main theorem ■ Necessity of preconditions ■ Conclusions

Overview Motivation

• Example
• Replay attack
• Injectivity
• Fixed protocol
• Nonces

Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 4/22

Example: unilateral authentication protocol

pkR, skR R pkR I nonce nR {I, nR}skR agree(nR)

Overview Motivation

• Example
• Replay attack
• Injectivity
• Fixed protocol
• Nonces

Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 4/22

Example: unilateral authentication protocol

pkR, skR R pkR I nonce nR {I, nR}skR agree(nR) Question: Does this protocol satisfy agreement?

Overview Motivation

• Example
• Replay attack
• Injectivity
• Fixed protocol
• Nonces

Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 5/22

A replay attack

b(R) a(I) intruder a(I) nonce nb {a, nb}skb learn {a, nb}skb {a, nb}skb agree(nb) agree(nb)

Overview Motivation

• Example
• Replay attack
• Injectivity
• Fixed protocol
• Nonces

Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 5/22

A replay attack

b(R) a(I) intruder a(I) nonce nb {a, nb}skb learn {a, nb}skb {a, nb}skb agree(nb) agree(nb) Question: How to fix this protocol?

Overview Motivation

• Example
• Replay attack
• Injectivity
• Fixed protocol
• Nonces

Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 6/22

Fixed protocol should satisfy injectivity

Each instance of an agent executing the authenticating role corresponds to a unique instance of its communication partner running the responder role.

Overview Motivation

• Example
• Replay attack
• Injectivity
• Fixed protocol
• Nonces

Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 7/22

Non-injective authentication

Overview Motivation

• Example
• Replay attack
• Injectivity
• Fixed protocol
• Nonces

Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 7/22

Non-injective authentication

Overview Motivation

• Example
• Replay attack
• Injectivity
• Fixed protocol
• Nonces

Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 8/22

Injective authentication

Overview Motivation

• Example
• Replay attack
• Injectivity
• Fixed protocol
• Nonces

Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 8/22

Injective authentication

Overview Motivation

• Example
• Replay attack
• Injectivity
• Fixed protocol
• Nonces

Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 9/22

Fixing the injectivity problem

pkR, skR R pkR I nonce nI nI {I, nI}skR agree(nI)

Overview Motivation

• Example
• Replay attack
• Injectivity
• Fixed protocol
• Nonces

Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 9/22

Fixing the injectivity problem

pkR, skR R pkR I nonce nI nI {I, nI}skR agree(nI) Question: What’s the general idea behind this fix?

Overview Motivation

• Example
• Replay attack
• Injectivity
• Fixed protocol
• Nonces

Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 9/22

Fixing the injectivity problem

pkR, skR R pkR I nonce nI nI {I, nI}skR agree(nI) Question: What’s the general idea behind this fix? Answer 1: By letting I control the nonce. Answer 2: By introducing a challenge-response mechanism

from I via R back to I. (add a loop)

Overview Motivation

• Example
• Replay attack
• Injectivity
• Fixed protocol
• Nonces

Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 10/22

Doesn’t a nonce suffice?

Adding nonces does not trivially lead to injectivity.

pkR, skR R pkR I nonce nI nI {I, g(nI)}skR agree(nI)

Here, injectivity depends on the properties of the function g.

Overview Motivation

• Example
• Replay attack
• Injectivity
• Fixed protocol
• Nonces

Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 11/22

Agreement over what?

Sometimes roles have no shared value to determine injectivity from (I and S?)

skS S skR, pkS R pkR I nonce nI I, R, S, nI nonce nR I, R, S, nR {nR, I, R}skS {I, S, nI}skR agree(?)

Overview Motivation Problem statement

• Authentication
• Problem statement

Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 12/22

Authentication

Agreement

Upon successfully finishing a protocol session, parties agree on the values of (common) variables. (G. Lowe)

Synchronization

Upon successfully finishing a protocol session, all messages have been executed in intended order, with intended contents. (Similar to Intensional Specifications, A.W. Roscoe) Synchronization is strictly stronger than agreement, but the differences are subtle. Both available in injective (i-synch, i-agree) and non-injective (ni-synch) variants. Claim: well-designed protocols satisfy both properties.

Overview Motivation Problem statement

• Authentication
• Problem statement

Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 13/22

Problem statement

Find a generic and easy way to validate injectivity for synchronizing protocols.

Generic:

As few assumptions on the security model as possible.

Easy:

Statically decidable.

Overview Motivation Problem statement Security model

• Models

Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 14/22

Models for Security Protocols

We require that the following two properties hold:

Intruder Model:

Intruder must have the ability to duplicate messages

■ Satisfied by the standard Dolev-Yao model. ■ No need to encrypt/decrypt.

Agent/Execution Model:

Overview Motivation Problem statement Security model

• Models

Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 14/22

Models for Security Protocols

We require that the following two properties hold:

Intruder Model:

Intruder must have the ability to duplicate messages

■ Satisfied by the standard Dolev-Yao model. ■ No need to encrypt/decrypt.

Agent/Execution Model:

Role instances must be independent: can be executed in any order

■ Satisfied by Strand Spaces, Operational Semantics. ■ No shared memory. (buffers/time)

Overview Motivation Problem statement Security model Main theorem

• Loop property
• Main Theorem
• Loop
• Synchronization
• Indep. instances

Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 15/22

The LOOP property

After the start of the authenticating role, but before it ends, each involved role must have a read action and a send action. (As prescribed by the partial order on the protocol)

ni-synch

This protocol satisfies LOOP

Overview Motivation Problem statement Security model Main theorem

• Loop property
• Main Theorem
• Loop
• Synchronization
• Indep. instances

Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 15/22

The LOOP property

After the start of the authenticating role, but before it ends, each involved role must have a read action and a send action. (As prescribed by the partial order on the protocol)

ni-synch

This protocol satisfies LOOP

Overview Motivation Problem statement Security model Main theorem

• Loop property
• Main Theorem
• Loop
• Synchronization
• Indep. instances

Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 15/22

The LOOP property

After the start of the authenticating role, but before it ends, each involved role must have a read action and a send action. (As prescribed by the partial order on the protocol)

ni-synch

This protocol does not satisfy LOOP

Overview Motivation Problem statement Security model Main theorem

• Loop property
• Main Theorem
• Loop
• Synchronization
• Indep. instances

Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 16/22

Main theorem

Preconditions:

■ duplicating intruder ■ independent role instances

ni-synch ∧ LOOP ⇒ i-synch So, for synchronizing protocols, injectivity follows from the LOOP property. No reference is made to the data model (operators, etc.) or the contents of the messages (e.g. nonces)

Overview Motivation Problem statement Security model Main theorem

• Loop property
• Main Theorem
• Loop
• Synchronization
• Indep. instances

Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 17/22

Do we need a loop?

Given a duplicating intruder and independent role instances: ni-synch ⇒ i-synch?

pkR, skR R pkR I nonce nR {I, nR}skR ni-synch

Overview Motivation Problem statement Security model Main theorem

• Loop property
• Main Theorem
• Loop
• Synchronization
• Indep. instances

Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 17/22

Do we need a loop?

Given a duplicating intruder and independent role instances: ni-synch ⇒ i-synch?

b(R) a(I) intruder a(I) nonce nb {a, nb}skb learn {a, nb}skb {a, nb}skb ni-synch ni-synch

Overview Motivation Problem statement Security model Main theorem

• Loop property
• Main Theorem
• Loop
• Synchronization
• Indep. instances

Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 18/22

Do we need Synchronization?

Given a duplicating intruder and independent role instances: ni-agree ∧ LOOP ⇒ i-agree?

R I I, R nR {I, nR}sk(r) ni-agree

Overview Motivation Problem statement Security model Main theorem

• Loop property
• Main Theorem
• Loop
• Synchronization
• Indep. instances

Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 18/22

Do we need Synchronization?

Given a duplicating intruder and independent role instances: ni-agree ∧ LOOP ⇒ i-agree?

b(R) a(I) intruder a(I) a, b a, b nonce nb {a, nb}skb learn {a, nb}skb {a, nb}skb ni-agree ni-agree

Overview Motivation Problem statement Security model Main theorem

• Loop property
• Main Theorem
• Loop
• Synchronization
• Indep. instances

Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 19/22

Do we need independent role instances?

Given a duplicating intruder: ni-synch ∧ LOOP ⇒ i-synch?

pkR, skR R pkR I time t I, R, t check t {I, t}skR ni-synch

Overview Motivation Problem statement Security model Main theorem

• Loop property
• Main Theorem
• Loop
• Synchronization
• Indep. instances

Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 19/22

Do we need independent role instances?

Given a duplicating intruder: ni-synch ∧ LOOP ⇒ i-synch?

b(R) a(I) intruder a(I) time t time t a, b, t a, b, t {a, t}skb learn {a, t}skb {a, t}skb ni-synch ni-synch

Overview Motivation Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 20/22

Conclusions

Given a duplicating intruder and independent role instances: ni-synch ∧ LOOP ⇒ i-synch

■ LOOP-property can be checked easily. ■ Generic: Sufficient condition for large class of security

protocol semantics.

■ LOOP plus agreement not sufficient to imply injective

agreement. Extra structure in synchronization is helpful.

■ Generalizes easily to multi-party protocols with multiple

claims.

Overview Motivation Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 21/22

Future Work

■ Challenge: Is there a similar condition for agreement?

• statically checkable
• generic

■ Use in model checker/theorem prover. ■ Analyze other security properties for statically decidable

subproperties.

Overview Motivation Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 22/22

Thanks for your attention

Any Questions? E-mail: ccremers@win.tue.nl

Overview Motivation Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 22/22

How to verify injectivity?

model-checking approach

Counting: ♯(I-runs) ≤ ♯(corresponding R-runs)

• ther approaches (logics, term rewriting)

■ Strand spaces: solicited authentication tests (Guttman,

Theyer 2002)

■ π-calculus: injective correspondence (Gordon, Jeffrey

2002)

■ Logic: e-commerce protocol logic (Adi, Debbabi, Mejri

2003)

■ Further: Ad-hoc reasoning, informal reasoning, or simply

not.

Overview Motivation Problem statement Security model Main theorem Conclusions

Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 22/22

The LOOP property

For all e ≺p claim, such that role(e) = role(claim) there exist e′ and e′′ such that e′ ≺p e′′ ≺p claim ∧ role(e′) = role(claim) ∧ role(e′′) = role(e) This property can be easily verified on the syntactic description

• f the protocol.