[PPT] - Security Protocols 2 A pattern for message exchange, specifying PowerPoint Presentation

SLIDE 1

Analysing Security Protocols Using Automated Reasoning

Graham Steel

T H E U N I V E R S I T Y O F E D I N B U R G H

2

Security Protocols

A pattern for message exchange, specifying agent names, nonces, keys,

Goal: establish a secure key, authenticity, freshness,
Example: Needham & Schroeder, 1978
1. A

✁

B :

✂✄

NA

☎

A

✆ ✄

pubKB

2. B

✁

A :

✂✄

NA

☎

NB

✆ ✄

pubKA

3. A

✁

B :

✂✄

NB

✆ ✄

pubKB

Graham Steel Analysing Security Protocols November 8, 2004

1

Cryptographic Primitives

Shared key - Alice and Bob both know KAB, and keep it secret. Alice sends Bob

✂✄

Message

✆ ✄

KAB

Public key - Bob generates privKB, pubKB Gives pubKB to Alice (and everyone) Alice sends Bob

✂✄

Message

✆ ✄

pubKB

Problem is now the security of keys (KAB, privKB) Often manage this with nonces (NA

☎

NB)

Graham Steel Analysing Security Protocols November 8, 2004

3

The Subtlety of Attacks

Lowe, 1995

1. A

✝

C :

✞✟

NA

✠

A

✡ ✟

pubKC

1.’ CA

✝

B :

✞✟

NA

✠

A

✡ ✟

pubKB

2.’ B

✝

CA :

✞✟

NA

✠

NB

✡ ✟

pubKA

2. C

✝

A :

✞✟

NA

✠

NB

✡ ✟

pubKA

3. A

✝

C :

✞✟

NB

✡ ✟

pubKC

3.’ CA

✝

B :

✞✟

NB

✡ ✟

pubKB

C can now impersonate A

Graham Steel Analysing Security Protocols November 8, 2004

SLIDE 2

4

Formal Modelling Scenario

Dolev and Yao, 1983 ‘Perfect Cryptography’ The spy can: Break down and re-assemble messages. Remove, delay and insert messages Impersonate an honest agent

Graham Steel Analysing Security Protocols November 8, 2004

6

Analysis with Isabelle - 2

Form security properties as inductive conjectures E.g.

✁

A

✂ ✄

bad; B

✂ ✄

bad; evs

✄

ns public

✁☎ ✆ ✝

SaysBA

✞

Crypt

✞

pubK A

✟✠

NonceNA

✡

NonceNB

☛ ✟ ✄

set evs

☞ ✌

NonceNB

✂ ✄

analz

✞

spies evs

✟

‘If A and B are honest agents, and B has sent a ‘message 2’ with nonce NB, the spy cannot learn NB’

Graham Steel Analysing Security Protocols November 8, 2004

5

Analysis with Isabelle - 1

Typed, higher-order inductive model Trace is an ‘inductive datatype’ Rules describe how trace can be extended

NS1 :

✁

evs1

✄

ns public; NonceNA

✂ ✄

used evs1

✁☎ ✆ ✝

SaysAB

✞

Crypt

✞

pubK B

✟✠

NonceNA

✡

Agent A

☛ ✟

# evs1

✄

ns public Fake :

✁

evsf

✄

ns public; X

✄

synth

✞

analz

✞

spies evsf

✟ ✟ ✁☎ ✆ ✝

SaysSpyB X # evsf

✄

ns public

Graham Steel Analysing Security Protocols November 8, 2004

7

Analysis with CORAL

Proving these conjectures in Isabelle can be tricky, even for experts CORAL: a tool for finding counterexamples to false inductive conjectures Built on SPASS- an automatic first-order theorem prover Automatic

Graham Steel Analysing Security Protocols November 8, 2004

SLIDE 3

8

More about CORAL

Types modelled with ‘sorted signature’

☎

s

✁

☎

numbers

nonce

✁

☎

nonce

s
✁

✁ ☎

Inference by restricted superposition

— (roughly) paramodulation + rewriting (Bachmair & Ganzinger, 1990) CORAL restricts superposition to a linear strategy I-Axiomatisation (Comon & Nieuwenhuis, 1999)

Graham Steel Analysing Security Protocols November 8, 2004

10

Isabelle on Needham Schroeder

✂

evs

✄ ☎ ✟

A

✆ ✝

bad;B

✆ ✝

bad;evs

✝

ns public

✟✞ ✟ ✠

SaysBA

✡

Crypt

✡

pubKA

☛ ✞

NonceNA

✠

NonceNB

✡ ☛ ✝

setevs

☞ ✝

NonceNB

✆ ✝

analz

✡

spies evs

☛

1

✄ ✂

CB

✌

evs3

✄ ☎

A

✆ ✝

bad;B

✆ ✝

bad;evs3

✝

ns public SaysAC

✡

Crypt

✡

pubKC

☛ ✞

NonceNA

✠

AgentA

✡ ☛ ✝

setevs3; SaysB

✌

A

✡

Crypt

✡

pubKA

☛ ✞

NonceNA

✠

NonceNB

✡ ☛ ✝

setevs3; C

✝

bad; SaysBA

✡

Crypt

✡

pubKA

☛ ✞

NonceNA

✠

NonceNB

✡ ☛ ✝

setevs3; NonceNB

✍ ✝

analz

✡

spies evs3

☛ ✞ ✟ ✠

False

Graham Steel Analysing Security Protocols November 8, 2004

9

Heursitic reductions

Can prune search space: Fake messages look like real messages Spy only expects realistic messages No two spy messages in a row Must prove completeness under these assumptions

Graham Steel Analysing Security Protocols November 8, 2004

11

Group Key Management Protocols

Mutual secrecy, authentication, for n players,

n

✎ ✏ ☎

n

✑

1 Group is dynamic - members may join and leave Challenging: Arbitrary n increases search space Security properties harder to specify

Graham Steel Analysing Security Protocols November 8, 2004

SLIDE 4

12

Group Protocol Scenario

1 2

Server M M M 3 Gk Ik Ik 1

2

M3 is an ex-member

Can he read M2’s message? Can he trick M1 or M2 into accepting a message?

Graham Steel Analysing Security Protocols November 8, 2004

14

Attack on Iolus

9. server

✌

M2

:

✠ ✁

ik

✞

11

✟ ✡

Gk

✞

11

✟ ☛ ✁

longtermK

M2

✁

10.

M1

✌

server :

✠ ✁

leave

☛ ✁

ik

2

✁

11. server

✌

all :

✠

✁

Gk

✞

14

✟ ☛ ✁

ik

11

✁ ✡ ✠ ✁

Gk

✞

14

✟ ☛ ✁

ik

5

✁ ☎

12. spy

✌

server :

✠ ✁

leave

☛ ✁

ik

5

✁

13. server

✌

all :

✠

✁

Gk

✞

26

✟ ☛ ✁

ik

11

✁ ☎

14. spy

✌

all :

✠

✁

Gk

✞

14

✟ ☛ ✁

ik

11

✁ ✡ ✠ ✁

Gk

✞

14

✟ ☛ ✁

ik

5

✁ ☎

Spy leaves in message 13, then replays old key update in message 14 CORAL discovers 3-agent scenario

Graham Steel Analysing Security Protocols November 8, 2004

13

Example: Iolus

Join: Send: 1.

Mi

✌

S :

✠ ✁

join

☛ ✁

KMi

1.

Mi

✌

ALL :

✠ ✁

message

☛ ✁

Gk

n

✁

2.

S

✌

Mi :

✠ ✁

IkMi

✡

Gk

✞

n

✟ ☛ ✁

KMi

3.

S

✌

ALL :

✠ ✁

Gkn

✂ ☛ ✁

Gkn

Leave: 1.

Mi

✌

S :

✠ ✁

leave

☛ ✁

IkMi

2.

S

✌

ALL : [

✠ ✁

Gkn

✂ ☛ ✁

IkMj

✄ ✄ ✄

]

☎

j

✂ ✆

i

✡

M j

✄

group

Graham Steel Analysing Security Protocols November 8, 2004

15

Other Approaches

Model checking

e.g. OFMC [Basin, Moedersheim, Vigan´
,

ESORICS 2003] ‘Strand space’ tools

e.g. Athena [Song, JCS 2001]

Logic Programming

e.g. NPA [Meadows, J. Log. Prog. 1996]

First-order invariants

e.g. TAPS [Cohen, JCS 2003]

Graham Steel Analysing Security Protocols November 8, 2004

SLIDE 5

16

L C Paulson. The inductive approach to verifying cryptographic protocols.

J. Computer Security 6 (1998), 85–128.

http://www.cl.cam.ac.uk/users/lcp/papers/protocols.html G Steel, A. Bundy, M. Maidl. Attacking a Protocol for Group Key Agreement by Refuting Incorrect Inductive Conjectures, with Alan Bundy and Monika

Maidl. In Proceedings of IJCAR 2004, pages 137-151.

http://homepages.inf.ed.ac.uk/gsteel/papers/ AVISPA Project (OFMC, SATMC, etc..) http://www.avispa-project.org/ New Project - Hardware Security Module APIs http://homepages.inf.ed.ac.uk/gsteel/

Graham Steel Analysing Security Protocols November 8, 2004

SLIDE 6