Automatic Formal Analyses of Cryptographic Protocols 19th National - - PowerPoint PPT Presentation

▶

Feb 25, 2024 21 likes •145 views

Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security Conference October 22-25, 1996 Baltimore Convention Center Dr. Stephen H. Brackin Arca Systems, Inc. 303 E. Yates St., Ithaca, NY 14850

SLIDE 1

Page - 1

P R I S M

Custom Command and Control

Automatic Formal Analyses of Cryptographic Protocols

19th National Information Systems Security Conference October 22-25, 1996 Baltimore Convention Center

Dr. Stephen H. Brackin

Arca Systems, Inc. 303 E. Yates St., Ithaca, NY 14850 607-277-8211 or 607-277-2739 brackin@va.arca.com Supported by ESC/AXS through PRISM, and by Rome Laboratory

SLIDE 2

Page - 2

P R I S M

Custom Command and Control

Outline of Talk

Problem: protocol failure
Automatic Authentication Protocol Analyzer (AAPA)
Three SPX protocols and results of analyzing them
Conclusions, for SPX and arbitrary protocols

SLIDE 3

Page - 3

P R I S M

Custom Command and Control

Cryptographic Protocols

Goal: Secure communication over insecure networks

– Networks, principals, messages – Worst case: enemy controls all communication – Nondisclosure and authentication

Tools:

– Shared or confirmable secrets – Encryption – Hash functions – Timestamps, nonces, signatures, key-exchange functions

Distributed algorithms

SLIDE 4

Page - 4

P R I S M

Custom Command and Control

Failure Example

Tatebayeshi-Matsuzaki-Newman protocol

– 1. A->S: {Ka}Rsa(PkS), A, B – 2. S->B: S,A – 3. B->S: {Kb}Rsa(PkS) – 4. S->A: {Kb}Des(Ka)

AAPA notation, but more-or-less standard
Published (CRYPTO ‘89), recommended by experts
It’s wrong --- and has lots of company

SLIDE 5

Page - 5

P R I S M

Custom Command and Control

Automatic Authentication Protocol Analyzer

Inputs Interface Specification Language (ISL) specs
Produces Higher Order Logic (HOL) theories
Automatically proves default and user-set goals

– Belief logic extending Gong-Needham-Yahalom logic – Sample deduction: If P believes only P and Q know K, and P receives M that K decrypts to something meaningful, then P believes Q sent M --- though not necessarily recently or to P – Proceeds by induction on protocol stage

Gives proof results in ISL

SLIDE 6

Page - 6

P R I S M

Custom Command and Control

claimant credentials trusted authorities

Make Trusted Authorities Read Privkey Create Ticket Claimant name = C PwdC

6 4 5 3 8 9 1 7 10

KsC,UidC CDC

C_certif_Ca1 C

LEAF

C {C,Ts,Rn,H1(PwdC)}Rsa(KpLeaf) {UidC,{KsC}Des(H2(PwdC))}Des(Rn)

SPX Credentials Initialization

{{KsC}Des(H2(PwdC)), H1(PwdC), UidC}Rsa(KpLeaf)

SLIDE 7

Page - 7

P R I S M

Custom Command and Control

What AAPA Analysis Shows: I

KpC must be computable from KsC
Keys must be stored along with recognizable data
PwdC must not be older than KsC
ValidityKpCa1 must include the current time

SLIDE 8

Page - 8

P R I S M

Custom Command and Control

V = verifier Ta1 = claimant trusted authority Ta2 = verifier trusted authority X_certif_Y = X certifies Y’s public key claimant verifier CDC Ticket(C)

CDC Tal_certif_V A(DesKey), Ticket(C), Delegator1 {Ts}Des(DesKey) Ta2_certif_C C

6 5 4 3 2 1

Ta1,UidC,KpTa1 Ta2,UidV,KpTa2 KpV

A(DesKey) = <Ts,ChannelIdC>Hdes(DesKey) Ticket(C) = [ValidityKspC,UidC,KspC] (H3,Rsa)(KsC) Delegator1 = [{DesKey}Rsa(PkV)] (H3,Rsa)(KssC)

SPX Authentication

SLIDE 9

Page - 9

P R I S M

Custom Command and Control

What AAPA Analysis Shows: II

Keys must be stored with recognizable data
Validity intervals must include the current time

– ValidityKpV, ValidityKpC, ValidityKspC

Belief DesKey from C depends on dubious assumptions
Delegation gives up to 8 hours of authentication failure

SLIDE 10

Page - 10

P R I S M

Custom Command and Control

V = verifier Ta1 = claimant trusted authority Ta2 = verifier trusted authority X_certif_Y = X certifies Y’s public key claimant verifier CDC Ticket(C)

CDC Tal_certif_V A(DesKey), Ticket(C), Delegator2 {Ts}Des(DesKey) Ta2_certif_C C

6 5 4 3 2 1

Ta1,UidC,KpTa1 Ta2,UidV,KpTa2 KpV

A(DesKey) = <Ts,ChannelIdC>Hdes(DesKey) Ticket(C) = [ValidityKspC,UidC,KspC] (H3,Rsa)(KsC) Delegator2 = {DesKey}Rsa(PkV), {KssC}Des(DesKey)

SPX Delegation

SLIDE 11

Page - 11

P R I S M

Custom Command and Control

What AAPA Analysis Shows: III

Similar recognizability and interval restrictions
Dubious assumptions don’t give belief KssC from C
Banker can obtain medical records

SLIDE 12

Page - 12

P R I S M

Custom Command and Control

Conclusions

For the SPX protocols:

– Initialization must include checks for meaningful data – Authentication possibly flawed – Delegation possibly flawed – These issues should be addressed in documentation

For all cryptographic protocols:

P R I S M

Automatic Formal Analyses of Cryptographic Protocols

19th National Information Systems Security Conference October 22-25, 1996 Baltimore Convention Center

Arca Systems, Inc. 303 E. Yates St., Ithaca, NY 14850 607-277-8211 or 607-277-2739 brackin@va.arca.com Supported by ESC/AXS through PRISM, and by Rome Laboratory

P R I S M

Outline of Talk

P R I S M

Cryptographic Protocols

– Networks, principals, messages – Worst case: enemy controls all communication – Nondisclosure and authentication

– Shared or confirmable secrets – Encryption – Hash functions – Timestamps, nonces, signatures, key-exchange functions

P R I S M

Failure Example

– 1. A->S: {Ka}Rsa(PkS), A, B – 2. S->B: S,A – 3. B->S: {Kb}Rsa(PkS) – 4. S->A: {Kb}Des(Ka)

P R I S M

Automatic Authentication Protocol Analyzer

– Belief logic extending Gong-Needham-Yahalom logic – Sample deduction: If P believes only P and Q know K, and P receives M that K decrypts to something meaningful, then P believes Q sent M --- though not necessarily recently or to P – Proceeds by induction on protocol stage

P R I S M

claimant credentials trusted authorities

KsC,UidC CDC

LEAF

SPX Credentials Initialization

P R I S M

What AAPA Analysis Shows: I

P R I S M

V = verifier Ta1 = claimant trusted authority Ta2 = verifier trusted authority X_certif_Y = X certifies Y’s public key claimant verifier CDC Ticket(C)

CDC Tal_certif_V A(DesKey), Ticket(C), Delegator1 {Ts}Des(DesKey) Ta2_certif_C C

A(DesKey) = <Ts,ChannelIdC>Hdes(DesKey) Ticket(C) = [ValidityKspC,UidC,KspC] (H3,Rsa)(KsC) Delegator1 = [{DesKey}Rsa(PkV)] (H3,Rsa)(KssC)

SPX Authentication

P R I S M

What AAPA Analysis Shows: II

– ValidityKpV, ValidityKpC, ValidityKspC

P R I S M

V = verifier Ta1 = claimant trusted authority Ta2 = verifier trusted authority X_certif_Y = X certifies Y’s public key claimant verifier CDC Ticket(C)

CDC Tal_certif_V A(DesKey), Ticket(C), Delegator2 {Ts}Des(DesKey) Ta2_certif_C C

A(DesKey) = <Ts,ChannelIdC>Hdes(DesKey) Ticket(C) = [ValidityKspC,UidC,KspC] (H3,Rsa)(KsC) Delegator2 = {DesKey}Rsa(PkV), {KssC}Des(DesKey)

SPX Delegation

P R I S M

What AAPA Analysis Shows: III

P R I S M

Conclusions

– Initialization must include checks for meaningful data – Authentication possibly flawed – Delegation possibly flawed – These issues should be addressed in documentation

– The AAPA is a fast, easy tool for reducing failures – The AAPA can be used as part of the design process