Proving Security Protocols Correct Lawrence C. Paulson Computer - - PowerPoint PPT Presentation

proving security protocols correct
SMART_READER_LITE
LIVE PREVIEW

Proving Security Protocols Correct Lawrence C. Paulson Computer - - PowerPoint PPT Presentation

Oct 12, 2023 282 likes •594 views

Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' ``attacks'' everything everything publications 1

slide-1
SLIDE 1

Proving Security Protocols Correct

Lawrence C. Paulson Computer Laboratory

slide-2
SLIDE 2

How Detailed Should a Model Be?

concrete abstract

too detailed not usable not credible too simple ``proves'' everything ``attacks'' everything

publications

1

  • L. C. Paulson
slide-3
SLIDE 3

Case Study: the Plight of Monica and Bill

2

  • L. C. Paulson
slide-4
SLIDE 4

A,Na,Sid,Pa

client server client hello

Nb,Sid,Pb

server hello

cert(B,Kb)

server certificate

cert(A,Ka)

client certificate

{PMS}Kb

client key exchange

{Hash(Nb,B,PMS)}Ka-1

certificate verify

{Finished}clientK(Na,Nb,M)

client finished

M = PRF(PMS,Na,Nb) Finished = Hash(M,messages) {Finished}serverK(Na,Nb,M)

server finished

An Internet Security Protocol (TLS)

3

  • L. C. Paulson
slide-5
SLIDE 5

Why Are Security Protocols Often Wrong?

  • they are TRIVIAL programs built from simple

primitives, BUT they are complicated by

  • concurrency
  • a hostile environment

– a bad user controls the network

  • obscure concepts
  • vague specifications

– we have to guess what is wanted

4

  • L. C. Paulson
slide-6
SLIDE 6

Typical Protocol Goals

  • Authenticity: who sent it?
  • Integrity: has it been altered?
  • Secrecy: who can receive it?
  • Anonymity
  • Non-repudiation . . .

all SAFETY properties

5

  • L. C. Paulson
slide-7
SLIDE 7

What Are Session Keys?

  • used for a single session
  • not safeguarded forever
  • distributed using long-term keys
  • could eventually become compromised
  • can only be trusted if FRESH

6

  • L. C. Paulson
slide-8
SLIDE 8

Freshness, or Would You Eat This Fish?

wine: six years old fish: ? weeks old

7

  • L. C. Paulson
slide-9
SLIDE 9

Packaging a Session Key for Bill

{ |K, A, Nb| }Kb

session key person it's shared with nonce specified by Bill: proof of freshness sealed using Bill's key

8

  • L. C. Paulson
slide-10
SLIDE 10

A Bad Variant of the Otway-Rees Protocol

3: Na, { |Na, Kab| }Ka, { |Nb, Kab| }Kb 1: Na, A, B, { |Na, A, B| }Ka

B S A

2: Na, A, B, { |Na, A, B| }Ka, Nb, { |Na, A, B| }Kb 4: Na, { |Na, Kab| }Ka

9

  • L. C. Paulson
slide-11
SLIDE 11

A Splicing Attack with Interleaved Runs

1. A → CB : Na, A, B, { |Na, A, B| }Ka 1′. C → A : Nc, C, A, { |Nc, C, A| }Kc 2′. A → CS : Nc, C, A, { |Nc, C, A| }Kc, Na′, { |Nc, C, A| }Ka 2′′. CA → S : Nc, C, A, { |Nc, C, A| }Kc, Na, { |Nc, C, A| }Ka 3′. S → CA : Nc, { |Nc, Kca| }Kc, { |Na, Kca| }Ka

  • 4. CB → A : Na, {

|Na, Kca| }Ka

Alice thinks the key Kca is shared with Bill, but it's shared with Carol!

10

  • L. C. Paulson
slide-12
SLIDE 12

A Bad Variant of the Yahalom Protocol

2: B, Nb, { |A, Na| }Kb

B S A

1: A, Na 3: { |B, Kab, Na, Nb| }Ka, { |A, Kab| }Kb 4: { |A, Kab| }Kb, { |Nb| }Kab

11

  • L. C. Paulson
slide-13
SLIDE 13

A Replay Attack

} 1. CA → B : A, Nc 2. B → CS : B, Nb, { |A, Nc| }Kb 4. CA → B : { |A, K|Kb, { |Nb| }K

Carol has broken the old key, K. She makes Bill think it is shared with Alice.

12

  • L. C. Paulson
slide-14
SLIDE 14

Verification Method I: Authentication Logics

BAN logic: Burrows, Abadi, Needham (1989) Short proofs using high-level primitives: Nonce N is fresh Key Kab is good Agent S can be trusted

  • good for freshness
  • not-so-good for secrecy or splicing attacks

13

  • L. C. Paulson
slide-15
SLIDE 15

Verification Method II: State Enumeration

Specialized tools (Meadows) General model-checkers (Lowe) Model protocol as a finite-state system

  • automatically finds splicing attacks
  • freshness is hard to model

Try using formal proof!

14

  • L. C. Paulson
slide-16
SLIDE 16

Why An Operational Model?

  • good fit to informal protocol proofs: inductive
  • simple foundations
  • readable protocol specifications
  • easily explained to security experts
  • easily mechanized using Isabelle

15

  • L. C. Paulson
slide-17
SLIDE 17

An Overview of Isabelle

  • uses higher-order logic as a logical framework
  • generic treatment of inference rules
  • logics supported include ZF set theory & HOL
  • powerful simplifier & classical reasoner
  • strong support for inductive definitions

16

  • L. C. Paulson
slide-18
SLIDE 18

Overview of the Model

  • Traces of events

– A sends B message X – A receives X – A stores X

  • A powerful attacker

– is an accepted user – attempts all possible splicing attacks – has the same specification in all protocols

17

  • L. C. Paulson
slide-19
SLIDE 19

Agents and Messages

agent A, B, . . . = Server | Friend i | Spy message X, Y, . . . = Agent A | Nonce N | Key K | { |X, X′| } compound message | Crypt K X free algebras: we assume PERFECT ENCRYPTION

18

  • L. C. Paulson
slide-20
SLIDE 20

Functions over Sets of Messages

  • parts H: message components

Crypt K X → X

  • analz H: accessible components

Crypt K X, K −1 → X

  • synth H: expressible messages

X, K → Crypt K X RELATIONS are traditional, but FUNCTIONS give us an equational theory

19

  • L. C. Paulson
slide-21
SLIDE 21

Operational Definition: analz H

Crypt K X ∈ analz H K −1 ∈ analz H X ∈ analz H X ∈ H X ∈ analz H { |X, Y| } ∈ analz H X ∈ analz H { |X, Y| } ∈ analz H Y ∈ analz H Typical derived law: analz G ∪ analz H ⊆ analz(G ∪ H)

20

  • L. C. Paulson
slide-22
SLIDE 22

Operational Definition: synth H

X ∈ H X ∈ synth H Agent A ∈ synth H X ∈ synth H Y ∈ synth H { |X, Y| } ∈ synth H X ∈ synth H K ∈ H Crypt K X ∈ synth H

  • agent names can be guessed
  • nonces & keys cannot be!

21

  • L. C. Paulson
slide-23
SLIDE 23

A Few Equations

parts(parts H) = parts H transitivity analz(synth H) = analz H ∪ synth H “cut elimination” Symbolic Evaluation: analz({Crypt K X} ∪ H) =    {Crypt K X} ∪ analz({X} ∪ H) if K −1 ∈ analz H {Crypt K X} ∪ analz H

  • therwise

22

  • L. C. Paulson
slide-24
SLIDE 24

What About Freshness?

23

  • L. C. Paulson
slide-25
SLIDE 25

Modelling Attacks and Key Losses

If X ∈ synth(analz(spies evs)) may add Says Spy B X (Fake rule) If the server distributes session key K may add Notes Spy { |Na, Nb, K| } (Oops rule) Nonces show the TIME of the loss

24

  • L. C. Paulson
slide-26
SLIDE 26

Overview of Results

  • facts proved by induction & classical reasoning
  • simplifying analz H: case analysis, big formulas
  • handles REAL protocols: TLS, Kerberos, . . .
  • lemmas reveal surprising protocol features
  • failed proofs can suggest attacks

Proofs require days or weeks of effort Generalizing induction formulas is hard!

25

  • L. C. Paulson
slide-27
SLIDE 27

The Recursive Authentication Protocol

  • designed in industry (APM Ltd)
  • novel recursive structure: variable length
  • VERIFIED by Paulson

– assuming perfect encryption

  • ATTACKED by Ryan and Schneider

– using the specified encryption (XOR) Doesn’t proof give certainty? Not in the real world!

26

  • L. C. Paulson
slide-28
SLIDE 28

So Then, How Detailed Should a Model Be?

  • detailed enough to answer the relevant

questions

  • abstract enough to fit our budget
  • model-checking is almost free

(thanks to Lowe, Roscoe, Schneider)

  • formal proofs give more, but cost more

27

  • L. C. Paulson
slide-29
SLIDE 29

Don’t let theory displace reality