Towards Automated Computationally Faithful Specify protocol - PDF document

2 Security Analysis a la Dolev-Yao Towards Automated Computationally Faithful Specify protocol participants as processes following Dolev, Yao 1982: In addition to Verification of Cryptoprotocols expected participants, model attacker who: Jan Jürjens • may participate in some protocol runs, Dep. of Computer Science, TU München • knows some data in advance, Germany • may intercept messages on the public network, juerjens@in.tum.de • injects messages that it can produce into the http://www.jurjens.de/jan public network J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 2 Symbolic Analysis: Limitations Computationally faithful analysis Abadi, Rogaway 2000; Abadi, Jürjens 2001: Keys are symbols, crypto-algorithms are Symbolic equivalence-based analysis faithful abstract operations. wrt. classical complexity-theoretical model • Can only decrypt with right keys. (symmetric encryption, passive adversaries). • Can only compose with available Problem: Symbolic model from AJ01 does not directly support automated verification. messages. Here: Ongoing work to extend above work to • Cannot perform statistical attacks. automated verification using first-order logic Crypto assumed perfect, which it isn’t. atp‘s (Dolev-Yao style). J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 3 J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 4 Context: „Verisoft“ Project Security analysis in first-order logic Goal: Practical application of formal methods. Idea: Given set P of control flow diagrams (of C-programs), approximate set of possible Planned for 8 years from 7/2003; 12 industrial + academic partners. data values known to adversary from above. Full formal verification from application software Predicate knows(E) meaning that the adversary down to operating system and processor. may get to know E during the execution of the Intended result: Verified C-implementation. protocol. One application example: Biometric Say that a data value s is secret in P if one can authentication protocol (T-Systems). not derive knows(s) . Goal: Mechanical proof of complexity- theoretical security. J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 5 J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 6 1

2 ☎ ☎ ✞ ✄ ✂ ☎ ☎ Crypto Expressions FOL rules for Crypto Expressions � Keys � Data and Term algebra generated by Var • _ :: _ (concatenation) • ( _ ) -1 (inverse key) • { _ } _ (encryption) • Sign_( ) (signing) • Dec_( ) (decryption) • Ext_( ) (extracting from signature) with appropriate equations. J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 7 J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 8 Model for Security Protocols Security protocols into 1st order logic State machine (Mealy automaton) with Define knows(E) for any E initially known to the adversary (protocol-specific). control states, local variables and Control flow diagram: Each transition of form transitions between states labeled (in(msg_in),cond(msgs),out(msg_out)) (in(var_in),cond(vars),out(msg_out)) is translated (in a nested way) to: ✁ msg_in. [knows(msg_in) where msg_in is a local variable to which the cond(msgs) incoming message is assigned, msgs can be knows(msg_out)] variables to which messages have been (where for simplicity we use same names for logical previously assigned, and msg_out is an and local variables). output expression (each possibly empty). Adversary knowledge approximated from above. Can Generate from protocol specs/code. put in more info, then more exact (+ less efficient). J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 9 J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 10 Analysis Example: Proposed Variant of TLS (SSL) knows(N i ) … ☎✝✆ exp… . (knows(arg S,1,3 ) knows(arg S,1,2 ) snd(Ext expS,1,2 (arg S,1,3 )) = arg S,1,2 knows(“arguments of resp method”) … J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 11 J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 12 2

2 Computationally faithful ? Comparison to symbolic AJ01 Works fine for Dolev-Yao style analysis but: Equivalence-based approach: „extrinsic“. doesn‘t detect partial violation of secrecy. Compute observable traces (somehow) and compare. Close to intuitions (but maybe not Add another clause to each implication: immediately clear how to efficiently verify eg Whenever condition in automaton is reached, with atp‘s). all its subterms relevant to its validity are added to adversary knowledge. Present approach: „intrinsic“. Stay as close to protocol model as possible when trying to Again approximation on the „safe“ side which detect information flow to enable efficient works fine for practical examples. verification. J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 13 J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 14 The computational view Indistinguishable Ensembles J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 15 J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 16 Secure Encryption (variant) Wrong key ? J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 17 J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 18 3

2 � � ✁ ✂ Computational interpretation Computational interpretation II Define [[P]] τ To any set P of control flow graphs assign distribution Π , η ([])=[] . [[P]] Π , η on input-/output histories (given an encryption If [[P]] τ Π , η (ins)=outs p (in,gd,out) p‘ gd(in) scheme Π and a security parameter η ): p]]] τ Given an initial probability event τ , map each key then [[P[p‘ Π , η (ins.in)=outs.out . symbol K to a bitstring τ (K) , using K( η ) . Mark all (Assume messages to include address and occurrences of encryptions {E} K with a different coin guards to be mutually exclusive for each p .) symbol r : {E} rK . Map each coin symbol r to a bit string τ (r) . Then for expressions: Define: data value s in P remains • [[b]] τΠ , η = b computationally secret if any two substitutions • [[K]] τΠ , η = τ (K) of s by other values are mutually • [[M::N]] τΠ , η = ([[M]] τΠ , η , [[N]] τΠ , η ) indistinguishable. J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 19 J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 20 Computational soundness Conclusion Let P be a set of state machines that does not Work towards automated verification of security-critical generate encryption cycles and Π a secure software using first-order logic theorem provers and confusion-free encryption scheme. which aims to be • efficient, powerful If a data value s in P is secret then s is • intuitive, simple computationally secret. • computationally faithful (Still for symmetric encryption against passive • practically applicable adversaries; extension in progress.) Limitations: • give up (theoretical) completeness • complexity theory is also „just“ a theoretical model J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 21 J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 22 (Advertisement block) Use verification in industrial projects with HypoVereinsbank, T-Systems, BMW, … Hide logic behind industrial notation UML: Book: Jan Jürjens, Secure Systems Development with UML, Springer-Verlag, 2004 Summer School “Foundation of Security Analysis and Design”, Bertinoro (6-11/9) More information (slides, tool etc.): http://www.jurjens.de/jan J. Jürjens (TU Munich): Towards Automated Computationally Faithful Verification ... 23 4