Proving Properties of Security Protocols by Induction, Lawrence C. Paulson (PowerPoint presentation)


SLIDE 1
(Footer on each slide: Proving Security Protocols, L. C. Paulson)

Proving Properties of Security Protocols by Induction

Lawrence C. Paulson, Computer Laboratory, University of Cambridge

SLIDE 2: Cryptographic Protocol Analysis

  • Finite-state checking (Lowe, Millen, . . .)
      + find attacks quickly
      − drastic simplifying assumptions
  • Belief logics (Burrows, Abadi, Needham, . . .)
      + short, abstract proofs
      − some variants are complicated & ill-motivated

SLIDE 3: An Inductive Approach

  • Traces of events: A sends X to B
  • Any number of interleaved runs
  • Algebraic theory of messages
  • A general attacker
  • Modelling of accidents
  • Mechanized proofs

SLIDE 4: Agents and Messages

agent  A, B, . . .  =  Server | Friend i | Spy
msg    X, Y, . . .  =  Agent A | Nonce N | Key K | {|X, X′|} | Hash X | Crypt K X

SLIDE 5: Processing Sets of Messages

parts: message components      Crypt K X        →  X
analz: message decryption      Crypt K X, K⁻¹   →  X
synth: message faking          X, K             →  Crypt K X

Regularity lemmas stated using parts H
Secrecy theorems stated using analz H
Spoof messages drawn from synth(analz H)

SLIDE 6: Inductive Definition: parts H

  X ∈ H                 ⟹  X ∈ parts H
  Crypt K X ∈ parts H   ⟹  X ∈ parts H
  {|X, Y|} ∈ parts H    ⟹  X ∈ parts H
  {|X, Y|} ∈ parts H    ⟹  Y ∈ parts H

parts G ∪ parts H = parts(G ∪ H)

SLIDE 7: Inductive Definition: analz H

  X ∈ H                                   ⟹  X ∈ analz H
  Crypt K X ∈ analz H,  K⁻¹ ∈ analz H     ⟹  X ∈ analz H
  {|X, Y|} ∈ analz H                      ⟹  X ∈ analz H
  {|X, Y|} ∈ analz H                      ⟹  Y ∈ analz H

analz G ∪ analz H ⊆ analz(G ∪ H)

SLIDE 8: Inductive Definition: synth H

  X ∈ H                        ⟹  X ∈ synth H
                                   Agent A ∈ synth H   (no premise)
  X ∈ H                        ⟹  Hash X ∈ synth H
  X ∈ synth H,  Y ∈ synth H    ⟹  {|X, Y|} ∈ synth H
  X ∈ synth H,  K ∈ H          ⟹  Crypt K X ∈ synth H

G ⊆ H ⟹ synth G ⊆ synth H

SLIDE 9: Simplification Laws

Idempotence:
  parts(parts H) = parts H
  analz(analz H) = analz H
  synth(synth H) = synth H

  parts(analz H) = analz(parts H) = parts H
  parts(synth H) = parts H ∪ synth H
  analz(synth H) = analz H ∪ synth H
  synth(analz H) = ??

SLIDE 10: Symbolic Evaluation of parts(ins X H)

ins X H = {X} ∪ H

  parts(ins (Key K) H)      = ins (Key K) (parts H)
  parts(ins (Hash X) H)     = ins (Hash X) (parts H)
  parts(ins {|X, Y|} H)     = ins {|X, Y|} (parts(ins X (ins Y H)))
  parts(ins (Crypt K X) H)  = ins (Crypt K X) (parts(ins X H))

SLIDE 11: Symbolic Evaluation of analz(ins X H)

  analz(ins (Key K) H)      =  ins (Key K) (analz H)                if K ∉ keysFor(analz H)

  analz(ins (Crypt K X) H)  =  ins (Crypt K X) (analz(ins X H))     if K⁻¹ ∈ analz H
                            =  ins (Crypt K X) (analz H)            otherwise

SLIDE 12: Deductions from synth H

  Nonce N ∈ synth H    ⟹  Nonce N ∈ H
  Key K ∈ synth H      ⟹  Key K ∈ H
  Crypt K X ∈ synth H  ⟹  Crypt K X ∈ H  or  (X ∈ synth H ∧ K ∈ H)

A similar law for {|X, Y|} ∈ synth H

SLIDE 13: Spoof Messages: Limiting the Damage

Breaking down the spoof message:
  {|X, Y|} ∈ synth(analz H)  ⟺  X ∈ synth(analz H) ∧ Y ∈ synth(analz H)

Eliminating the spoof message:
  X ∈ synth(analz G)  ⟹  parts(ins X H) ⊆ synth(analz G) ∪ parts G ∪ parts H

SLIDE 14: The Shared-Key Model

Traces as lists of events:            Says A B X
Alice’s shared key:                   shrK A
Items already used in this trace:     used evs
Reading the traffic (with the help of lost keys):
  spies (Says A B X # evs) = {X} ∪ spies evs
  spies []                 = {shrK A | A ∈ lost}

SLIDE 15: The Simplified Otway-Rees Protocol

  1. A → B : Na, A, B, {|Na, A, B|}Kas
  2. B → S : Na, A, B, {|Na, A, B|}Kas, Nb, {|Na, A, B|}Kbs
  3. S → B : Na, {|Na, Kab|}Kas, {|Nb, Kab|}Kbs
  4. B → A : Na, {|Na, Kab|}Kas

SLIDE 16: Inductively Defining the Protocol, 1–2

  1. If evs is a trace and Na is unused, may add
        Says A B {|Na, A, B, Crypt(shrK A){|Na, A, B|}|}
  2. If evs has Says A′ B {|Na, A, B, X|} and Nb is unused, may add
        Says B Server {|Na, A, B, X, Nb, Crypt(shrK B){|Na, A, B|}|}
     B doesn’t know the true sender & can’t read X

SLIDE 17: Inductively Defining the Protocol, 4

  4. If evs contains the events
        Says B Server {|Na, A, B, X′, Nb, Crypt(shrK B){|Na, A, B|}|}
        Says S′ B {|Na, X, Crypt(shrK B){|Nb, K|}|}
     may add
        Says B A {|Na, X|}

Rule applies only if nonces agree, etc.

SLIDE 18: Modelling Attacks and Accidents

  • Fake. If X ∈ synth(analz(spies evs)), may add
        Says Spy B X
  • Oops. If server distributes key K, may add
        Says A Spy {|Na, Nb, K|}
    Nonces show the time of the loss
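Added example (not part of Paulson's slides or of his Isabelle theories): the message algebra of slides 4 to 8, the spies function of slide 14 and the Fake rule above, in Python. parts and analz are computed as least fixpoints, synth membership is decided recursively along the lines of slide 12, and a constructed Otway-Rees trace shows that Kab lies in parts(spies evs) regardless of keys, but enters analz(spies evs) and becomes usable by the Spy only once a shared key is in lost. The helper names mp, closure, in_synth, can_fake and EVS are my own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Agent: name: str
@dataclass(frozen=True)
class Nonce: n: str
@dataclass(frozen=True)
class Key: k: str
@dataclass(frozen=True)
class Hash: x: object
@dataclass(frozen=True)
class MPair: x: object; y: object   # {|X, Y|}
@dataclass(frozen=True)
class Crypt: k: Key; x: object      # Crypt K X; shared-key model, so K^-1 = K

def mp(*xs):  # right-nested pair: mp(a, b, c) = {|a, {|b, c|}|}
    return xs[0] if len(xs) == 1 else MPair(xs[0], mp(*xs[1:]))
def closure(H, step):  # least fixpoint of an inductive definition over a finite set
    S = set(H)
    while True:
        new = {Y for X in S for Y in step(X, S)} - S
        if not new: return frozenset(S)
        S |= new
def parts(H):  # slide 6: open pairs, strip encryption whether or not the key is known
    return closure(H, lambda X, S: {X.x, X.y} if isinstance(X, MPair)
                   else {X.x} if isinstance(X, Crypt) else set())
def analz(H):  # slide 7: Crypt K X opens only when K^-1 (here K itself) is in the set
    return closure(H, lambda X, S: {X.x, X.y} if isinstance(X, MPair)
                   else {X.x} if isinstance(X, Crypt) and X.k in S else set())
def in_synth(X, H):  # X ∈ synth H? (slides 8, 12) synth H is infinite, so recurse on X
    if X in H or isinstance(X, Agent): return True
    if isinstance(X, Hash): return X.x in H             # hashing rule as stated on slide 8
    if isinstance(X, MPair): return in_synth(X.x, H) and in_synth(X.y, H)
    if isinstance(X, Crypt): return X.k in H and in_synth(X.x, H)
    return False                                        # nonces and keys must already be in H

def shrK(A): return Key("shrK " + A.name)               # Alice's shared key, slide 14
def spies(evs, lost):  # slide 14: all traffic plus the shared keys of the agents in `lost`
    return frozenset(X for _, _, X in evs) | frozenset(shrK(A) for A in lost)
def can_fake(X, evs, lost):  # Fake rule, slide 18: Spy may say X iff X ∈ synth(analz(spies evs))
    return in_synth(X, analz(spies(evs, lost)))

# Constructed trace (mine, not from the slides): messages 1-3 of simplified Otway-Rees (slide 15).
A, B, S = Agent("A"), Agent("B"), Agent("Server")
Na, Nb, Kab = Nonce("Na"), Nonce("Nb"), Key("Kab")
cert_a, cert_b = Crypt(shrK(A), mp(Na, A, B)), Crypt(shrK(B), mp(Na, A, B))
EVS = [(A, B, mp(Na, A, B, cert_a)),                                    # Says A B ...
       (B, S, mp(Na, A, B, cert_a, Nb, cert_b)),                        # Says B Server ...
       (S, B, mp(Na, Crypt(shrK(A), mp(Na, Kab)), Crypt(shrK(B), mp(Nb, Kab))))]
```

With lost empty, Kab is in parts(spies EVS) but not in analz(spies EVS), and a forged Crypt(shrK A){|Nb, Kab|} fails can_fake; with lost = {A} the same message passes, which is exactly the case analysis the secrecy proofs on analz have to discharge.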

SLIDE 19: Regularity & Unicity

  • Agents don’t talk to themselves
  • Secret keys are never lost (except initially)
  • Nonces & keys uniquely identify creating message

Easily proved by induction & simplification of parts

SLIDE 20: Secrecy

  • Keys, if secure, are never encrypted using any session keys
  • Distributed keys remain confidential — to recipients!
  • Yahalom: nonce Nb remains secure

Simplification of analz: case analysis, big formulas

SLIDE 21: An Attack

  1.   A  → B× : Na, A, B, {|Na, A, B|}Kas
  1′.  C  → A  : Nc, C, A, {|Nc, C, A|}Kcs
  2′.  A  → S× : Nc, C, A, {|Nc, C, A|}Kcs, Na′, {|Nc, C, A|}Kas
  2′′. CA → S  : Nc, C, A, {|Nc, C, A|}Kcs, Na, {|Nc, C, A|}Kas
  3′.  S  → A× : Nc, {|Nc, Kca|}Kcs, {|Na, Kca|}Kas
  4.   CB → A  : Na, {|Na, Kca|}Kas

SLIDE 22: New Guarantees of Fixed Protocol

B can trust the message if he sees
    Says S′ B {|Na, X, Crypt(shrK B){|Nb, K|}|}
    Says B Server {|Na, A, B, X′, Crypt(shrK B){|Na, Nb, A, B|}|}

A can trust the message if she sees
    Says B′ A {|Na, Crypt(shrK A){|Na, K|}|}
    Says A B {|Na, A, B, Crypt(shrK A){|Na, A, B|}|}

SLIDE 23: Statistics

  • 200 theorems about 10 protocol variants (3 × Otway-Rees, 2 × Yahalom, Needham-Schroeder, . . .)
  • 110 laws proved concerning messages
  • 2–9 minutes CPU time per protocol
  • few hours or days human time per protocol
  • over 1200 proof commands in all

SLIDE 24: Conclusions

  • A feasible method of analyzing protocols
  • Guarantees proved in a clear framework
  • Complementary to other methods:
      – Finite-state: finding simple attacks automatically
      – Belief logics: freshness analysis

  • Related work by Dominique Bolignano