Inductive Analysis of the Internet Protocol TLS Lawrence C. Paulson - PowerPoint PPT Presentation

Inductive Analysis of TLS 1 L. C. Paulson Inductive Analysis of the Internet Protocol TLS Lawrence C. Paulson Computer Laboratory University of Cambridge

� � � � � Inductive Analysis of TLS 2 L. C. Paulson TLS: An Internet Protocol to protect data between Web browsers and servers RSA and symmetric-key encryption (among others) random-number generator for negotiating secrets resumption of old sessions with new keys also known as “SSL 3.1”

✍ ✖ ✍ ✘ ☛ ☞ ✆ ✌ ✄ ✏ ☎ ✄ ✂ ✁ ☎ ✎✏ ✑ ✒ ✓✔ ✝ ✁ ✒ ✁ ✚ ✍ ✟ ✁ ✂ ✄ ☎ ✌ ✂ ✟ ☛ ☛ ☞ ✠ ✟ ✙ ✄ ✎✕ Inductive Analysis of TLS 3 L. C. Paulson Hello Messages client hello ✆✞✝ ✆✡✠ ✆✞✌ server hello ✆✡✠ resumption? go straight to Finished messages server certificate ✆✞✗ session Id (for resumption) crypto preferences ☞✛✚ ✆✞✌

✷ ✣ ✤ ✵ ✲✶ ✷ ✸ ✵ ✜ ✢ ✤ ✢ ✱ ✲ ✳ ✹ ✹ ✹ ✲ ✶ ✣ ✜ ✽ ✥✫ ✜ ✢ ✣ ✤ ✥✦ ✧ ★ ✩✪ ★ ✦ ✬ ✜ ✯ ✰ Inductive Analysis of TLS 4 L. C. Paulson Client Key Exchange Messages client certificate* ✭✞✮ client key exchange ✱✲✴✳ certificate verify* Hash ✺✼✻ * omit for anonymous session = pre-master-secret Diffie-Hellman exchange also possible

❪ ❩ ▲ ▼ ❞ ❵ ❡❢ ❫ ❣ ◆ ❭ ❤ ❳ ❲ ❱ ❯ ❑ ❖ ❘ ❜❝ ❪ ❭ ❵ ❳ ❜ ❯ ❯ P ❛ P◗ ❍■ ❉❋● ❉❊ ❈ ❙❚ P◗ ❫ ✾ ❇ ❆ ❣ ❅ ❧♠ ❂ ❁ ❈ ❀ ✿ ✾ ❣ ❧ ❥ ❦ ❉❊ ■ ◆ ❍ ● ❉❋ ❉❊ ❈ ❖P ▼ ❉❋● ▲ ❑ ✐ ❥ ❏ ❍■ ❩ Inductive Analysis of TLS 5 L. C. Paulson Finished Messages = master-secret ❃✞❄ ❃✞❄ hash of previous messages client finished ❨❬❩ ❪✛❴ server finished ❨❬❩ ❪✛❴ , make fresh session keys Each party checks the other’s

♥ ♥ ♥ ♥ ♥ ♥ Inductive Analysis of TLS 6 L. C. Paulson An Inductive Approach to Proving Protocols Work in higher-order logic Inductively model traces of agent actions Include an active attacker, compromised & careless agents No finite-state assumptions Prove results by induction Mechanized using Isabelle/HOL

✇ r r ✇ ✇ r ③ t ① t ✇ s ① ✇ ② ✈ ④ ✉ t t ✇⑤ r q ♦♣ ✇ r ✇ Inductive Analysis of TLS 7 L. C. Paulson Message Types Agent s✞t Nonce non-guessable number Number guessable number Key Hash concatenation s✞t Crypt strong encryption

❶❼ ❼ ⑧ ⑥ ⑦ ❷ ❸ ❹ ❺ ⑦ ❶ ⑥ ⑩ ❿ ⑨ ⑧ ⑩❶ ⑥ ❿ ❹ ❺ ❿ ❶ ❷ ⑨ ⑦ ⑥ ⑦ ⑧⑨ ⑩❶ ❷ ⑥ ⑧ ❶❼ ⑦ ❹ ❺ Inductive Analysis of TLS 8 L. C. Paulson Inductively Defining the Protocol: Hello client hello. If is fresh in the trace, may add Says ❷✞❻ ❷✡❸ server hello. If the trace has Says and ⑧❾❽ ❷✞❻ is fresh, may add Says ❷✡❸ ❷✞❻

➌ ➀ ➌ ➒ ➌ ➔ → ➙ ➒ ➐↔ ➂ ➛ ➍ ➁ ➅ ➅ ➆ ➇ ➈➉ ➃ ➁ ➜ ➇ ➃➊ ➜ ➛ ➙ ➀➁ ↕ ➆ ➇ ➈➉ ➇ ➁ ➅ ➂ ➀ ➋ ➂ ➀ ➌ ➌ ➀ ➊ Inductive Analysis of TLS 9 L. C. Paulson Defining the Protocol: Client Key Exchange certificate. May add Says pubK to a trace ➂➄➃➅ client key exchange. If the trace contains the events Says ➀➎➍ ➏➐✴➑ ➋✞➣ ➋✡➓ Says ➀➎➍ ➋✞↕ ➂➄➃ and is fresh, may add Says Crypt

➤ ➧ ➯ ➯ ➯➲ ➸➺ ➭ ➥ ➡ ➤ ➢ ➡ ➫ ➫ ➩ ➨ ➡ ➵ ➝ ➭ ➤ ➥ ➝ ➡ ➞ ➤ ➠➦ ➢ ➢ ➤ ➡ ➥ ➤ ➳ Inductive Analysis of TLS 10 L. C. Paulson Modelling Attacks and Accidents Fake. If can be forged in the trace, may add Says Spy SpyKeys. If the spy has then he has ➟➠✴➡ and Oops. Anybody who uses a session key may give it to the spy.

➻ ➻ ➻ ➻ ➻ Inductive Analysis of TLS 11 L. C. Paulson Security Goals Proved The pre-master-secret remains secret (assuming honest peers) The master-secret remains secret Certificate verify guarantees that the client is present session keys remain secret (unless given away) A message encrypted with peer’s session key came from him

➼ ➼ ➼ ➼ Inductive Analysis of TLS 12 L. C. Paulson Lemmas Proved Along the Way Protocol steps don’t reveal private keys All certificates are valid (too perfect?) A fresh PMS yields fresh session keys Compromise of a session key doesn’t compromise any PMS (hard to prove)

➽ ➽ ➽ Inductive Analysis of TLS 13 L. C. Paulson Related Work Wagner and Schneier’s analysis of SSL 3.0: weaknesses in abstract protocol (fixed in TLS) discussion of cryptanalysis Dietrich’s thesis: investigated anonymous connections against an eavesdropper using NCP belief logic Mitchell et al.: simple model-checking experiments

➚ ➮ ➾ ➾ ➾ ✃ ➚ ➪ ➶ ➹ ➘➴ ➴➱ Inductive Analysis of TLS 14 L. C. Paulson Comments on TLS Strengthen client key exchange to ➷✞➬ ❐❮❒ Explicitness: beware of hashing everything but the kitchen sink Make the abstract message exchange part of every protocol spec

❰ ❰ ❰ ❰ ❰ Inductive Analysis of TLS 15 L. C. Paulson Conclusions 6 weeks effort; 8 minutes cpu time (model-checking: 8 hours) mundane proofs but interesting model Can model key negotiation Non-determinism is no obstacle Realistic protocols can now be analyzed—abstractly, at least