1 / 130

Security Protocol Specification Languages

Security Protocol Specification Languages. Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL – Washington DC http://www.cs.stanford.edu/~iliano/. Scope of this Course. Specification languages for cryptographic protocols Evaluation criteria Anthology of languages

ilar
Download Presentation

Security Protocol Specification Languages

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Protocol Specification Languages Iliano Cervesatoiliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL – Washington DC http://www.cs.stanford.edu/~iliano/ FOSAD 2001 – Bertinoro, Italy

  2. Scope of this Course • Specification languages for cryptographic protocols • Evaluation criteria • Anthology of languages • Scientific impact • Extras . . . • Advertisement for MSR Security Protocol Specification Languages

  3. This Course is not about • Cryptography • Applications of crypto-protocols • Taxonomy of • Protocols • Attacks • Tools • Verification Security Protocol Specification Languages

  4. Outline Hour 1: Specification languages Hour 2: MSR Hour 3: The most powerful attacker Hour 4: Reconstructing the intruder Security Protocol Specification Languages

  5. Hour 1 Specification Languages Security Protocol Specification Languages

  6. Hour 1: Outline • Security protocols • Dolev-Yao abstraction • Specification targets • Major specification languages • Origins • Example (Needham-Schroeder) • Properties • Evaluation Security Protocol Specification Languages

  7. Security Protocols • Use cryptographic means to ensure • confidentiality • authentication • non-repudiation, … in distributed/untrusted environment • Applications • e-commerce • trade/military secrets • everyday computing Security goals Security Protocol Specification Languages

  8. Why is Protocol Analysis Difficult? • Subtle cryptographic primitives • Dolev-Yao abstraction • Distributed hostile environment • “Prudent engineering practice” • Inadequate specification languages • … the devil is in details … Security Protocol Specification Languages

  9. Correctness vs. Security [Mitchell] • Correctness: satisfy specifications • For reasonable inputs, get reasonable output • Security: resist attacks • For unreasonable inputs, output not completely disastrous • Main difference • Active interference from the environment Security Protocol Specification Languages

  10. Dolev-Yao Model of Security Bob Alice Network Server Dan Charlie Security Protocol Specification Languages

  11. Dolev-Yao Abstraction • Symbolic data • No bit-strings • Perfect cryptography • No guessing of keys • Public knowledge soup • Magic access to data Security Protocol Specification Languages

  12. Perfect Cryptography • KA-1 is needed to decrypt {M}KA • No collisions • {M1}KA = {M2}KBiff M1 = M2 and KA = KA • … Security Protocol Specification Languages

  13. Public Knowledge Soup • Free access to auxiliary data • Abstracts actual mechanisms • database • subprotocols, … • But … not all data are public • keys • secrets Security Protocol Specification Languages

  14. … pictorially s a ka kb Security Protocol Specification Languages

  15. Why is specification important? good • Documentation • communicate • Engineering • implementation • verification tools • Science • foundations • assist engineering Security Protocol Specification Languages

  16. Languages to Specify What? • Message flow • Message constituents • Operating environment • Protocol goals Security Protocol Specification Languages

  17. Desirable Properties • Unambiguous • Simple • Flexible • Adapts to protocols • Powerful • Applies to a wide class of protocols • Insightful • Gives insight about protocols Security Protocol Specification Languages

  18. Language Families • “Usual notation” • Knowledge logic • BAN • Process theory • FDR, Casper • Spi-calculus • Petri nets • Strands • MSR • Inductive methods • Temporal logic • Automata • NRL Prot. Analizer • CAPSL • Murf Security Protocol Specification Languages

  19. Why so many? • Convergence of approaches • experience from mature fields • unifying problem • scientifically intriguing • funding opportunities • Fatherhood pride Security Protocol Specification Languages

  20. Needham-Schroeder Protocol But … • purely academic • attack subject to interpretation • Devised in ’78 • Broken in ’95 ! Example of weak specification ! Security Protocol Specification Languages

  21. “Usual Notation” A  B: {nA, A}kB B  A: {nA, nB}kA A  B: {nB}kB Security Protocol Specification Languages

  22. How does it do?  • Flow • Expected run • Constituents • Side remarks • Environment • Side remarks • Goals • Side remarks • Unambiguous • Simple • Flexible • Powerful • Insightful     Security Protocol Specification Languages

  23. BAN Logic[Burrows, Abadi, Needham] • Roots in belief logic • reason about knowledge as prot. unfolds • security: principals share same view • Specification • usual notation • “idealized protocol” • assumptions • Goals • Verification • Logical inference Security Protocol Specification Languages

  24. A  B: {nA, A}kB B  A: {nA, nB}kA A  B: {nB}kB NS: BAN Idealization A  B: {nA}kB B  A: {A nB BnA}kA A  B: {A nA B, B | A nB B nB}kB More readable syntax proposed later Security Protocol Specification Languages

  25. NS: BAN Assumptions • A | kAA • A | kBB • A | #nA • A | A nA B • B | kBB • B | kAA • B | #nB • B | A nB B Security Protocol Specification Languages

  26. NS: BAN Goals • B | A | A nA B • A | B | A nB B Formally derived from BAN rules Security Protocol Specification Languages

  27. How does BAN do?  • Flow • Idealized run • Constituents • Assumptions • Environment • Implicit • Goals • BAN formulas • Unambiguous • Simple • Flexible • Powerful • Insightful     Security Protocol Specification Languages

  28. CSP [Roscoe, Lowe] • Roots in • process algebra [Hoare] • non-interference • Specification • 1 process for each role • non-deterministic intruder process • Verification • Refinement w.r.t. abstract spec. • FDR: model checker for CSP • Casper: interface to FDR Security Protocol Specification Languages

  29. A  B:{nA, A}kB B  A: {nA, nB}kA A  B:{nB}kB CSP: NS Initiator Init(A, nA) = user.A?B -> I_running.A.B -> comm!Msg1.A.B.encr.key(B).nA.a -> comm.Msg2.B.A.encr.key(A)?nA’.nB -> if nA = nA’ thencomm!Msg3.A.B.encr.key(B).nB -> I_commit.A.B -> session.A.B -> Skip elseStop Responder is similar Security Protocol Specification Languages

  30. CSP : Resp. authentication spec. AR0 = R_running.A.B -> I_commit.A.B -> AR0 A1 = {| R_running.A.B, I_commit.A.B |} AR = AR0 ||| Run (S \ A1) Security Protocol Specification Languages

  31. How does CSP do?  • Flow • Role-based • Constituents • Formalized math. • Environment • Explicit • Goals • Abstract spec. • Unambiguous • Simple • Flexible • Powerful • Insightful     Security Protocol Specification Languages

  32. Casper Specification of NS #Specification Secret(A, na, [B]) Secret(B, nb, [A]) Agreement(A, B, [na,nb]) Agreement(B,A, [na,nb] #Actual variables Alice, Bob, Mallory: Agent Na, Nb, Nm: Nonce … #Intruder information Intruder = Mallory IntruderKnowledge = {Alice, Bob, Mallory, Nm, PK, SK(Mallory) #Free variables A, B: Agent na, nb : nonce PK : Agent -> PublicKey SK : Agent -> SecretKey InverseKeys = (PK, SK) #Processes INIT(A,na) knows PK, SK(A) RESP(B,nb) knows PK, SK(B) #Protocol description 0. -> A : B 1. A -> B : {na, A}{PK(B)} 2. B -> A : {na, nb}{PK(A)} 3. A -> B : {nb}{PK(B)} Security Protocol Specification Languages

  33. Spi-calculus[Abadi, Gordon] • p-calculus with crypto. Constructs • Specification • 1 process for each role • Instance to be studied • Intruder not explicitly modeled • Verification • Process equivalence to reference proc. Security Protocol Specification Languages

  34. A  B:{nA, A}kB B  A: {nA, nB}kA A  B:{nB}kB Spi: NS Initiator init(A,B,cAB,KB+,KA-) = (nnA) cAB< {|A, nA|}KB+ > . cAB(x) . case x of {|y|}KA- in let (y1,y2) = y in [y1 is nA] cAB< {| y2|}KB+ > . 0 Security Protocol Specification Languages

  35. A  B:{nA, A}kB B  A: {nA, nB}kA A  B:{nB}kB Spi: NS Responder resp(B,A,cAB,KA+,KB-) = cAB(x) . case x of {|y|}KB- in let (y1,y2) = y in [y1 is A] (nnB) cAB< {| y2, nB|}KA+ > . cAB(x’) . case x’ of {|y’|}KB- in [y’ is nB] 0 Security Protocol Specification Languages

  36. Spi: NS Instance inst(A,B,cAB) = (nKA) (nKB) ( init(A,B,cAB,KB+,KA-) | resp(B,A,cAB,KA+,KB-)) Security Protocol Specification Languages

  37. How does Spi do?  • Flow • Role-based • Constituents • Informal math. • Environment • Implicit • Goals • Reference proc. • Unambiguous • Simple • Flexible • Powerful • Insightful     Security Protocol Specification Languages

  38. Strand Spaces[Guttman, Thayer] • Roots in trace theory • Lamport’s causality • Mazurkiewicz’s traces • Specification • Strands • Sets of principals, keys, … • Verification • Authentication tests • Model checking Security Protocol Specification Languages

  39. A  B: {nA, A}kB B  A: {nA, nB}kA A  B: {nB}kB {nA, A}kB {nA, A}kB {nA, nB}kA {nA, nB}kA {nB}kB {nB}kB Strands Security Protocol Specification Languages

  40. How do Strands do?  • Flow • Role-based • Constituents • Informal math. • Environment • Side remarks • Goals • Side remarks • Unambiguous • Simple • Flexible • Powerful • Insightful     Security Protocol Specification Languages

  41. Inductive methods[Paulson] • Protocol inductively defines traces • Specification • 1 inductive rule for each protocol rule • Universal intruder based on language • Verification • theorem proving (Isabelle HOL) • Related methods • [Bolignano] Security Protocol Specification Languages

  42. A  B: {nA, A}kB B  A: {nA, nB}kA A  B: {nB}kB IMs: NS NS1 [evs  ns; A  B; Nonce NAused evs] Says A B {Nonce NA, Agent A} KB# evs  ns NS2 [evs  ns; A  B; Nonce NBused evs; Says A’ B {Nonce NA, Agent A} KBset evs] Says B A {Nonce NA, Nonce NA} KA# evs  ns NS3 [evs  ns; Says A B {Nonce NA, Agent A} KBset evs; Says B’ A {Nonce NA, Nonce NA} KAset evs] Says A B {Nonce NA} KB# evs  ns Security Protocol Specification Languages

  43. IMs: Environment Nil []  ns Fake [evs  ns; BSpy; X synth(analz (spies evs))] SaysSpy B X # evs  ns synth, analz, spies, … protocol indep. Security Protocol Specification Languages

  44. How do IMs do?  • Flow • Trace-based • Constituents • Formalized math. • Environment • Immutable • Goals • Imposs. traces • Unambiguous • Simple • Flexible • Powerful • Insightful     Security Protocol Specification Languages

  45. NRL Protocol Analyzer[Meadows] • Roots in automata theory • Specification • 1 finite-state automata for each role • Grammar or words unaccessible to attacker • Verification • Backward state exploration • Theorem proving for finiteness Security Protocol Specification Languages

  46. A  B: {nA, A}kB B  A: {nA, nB}kA A  B: {nB}kB NPA: NS Resp., action 2 Subroutine rec_request(user(B,honest),N,T): If: rcv msg(user(A,H),user(B,honest),[Z],N): verify(pke(privkey(user(B,honest)),Z),(W,user(A,H))), not(verify(W,(W1,W2))): Then: rec_who := user(A,H), rec_self := user(B,honest), rec_gotnonce := W: send msg(user(B,honest),[{rec_self},{rec_who}],N): event(user(B,honest),[user(A,H)],rec_request,[W],N) Security Protocol Specification Languages

  47. How does NPA do?  • Flow • Role-based • Constituents • Prolog code • Environment • Explicit • Goals • Unreachable state • Unambiguous • Simple • Flexible • Powerful • Insightful     Security Protocol Specification Languages

  48. RTLA [Gray, McLean] • Roots in Temporal Logic (Lamport) • Specification • State components that change during a step • Verification • Proof in temporal logic • Evaluation • Similar to NPA Security Protocol Specification Languages

  49. CAPSL [Millen] • Ad-hoc model checker • Specification • Special-purpose language • Intruder built-in • Implementation • CIL [Denker] -> similar to MSR • Related systems • Murf[Shmatikov, Stern] • ?? [Clarke, Jha, Marrero] Security Protocol Specification Languages

  50. A  B: {nA, A}kB B  A: {nA, nB}kA A  B: {nB}kB CAPSL: NS PROTOCOL NS; VARIABLES A, B: PKUser; Na, Nb: Nonce, CRYPTO ASSUMPTIONS HOLDS A: B; MESSAGES A -> B : {A, Na}pk(B); B -> A : {Na,Nb}pk(A); A -> B : {Nb}pk(B); GOALS SECRET Na; SECRET Nb; PRECEDES A: B | Na; PRECEDES B: A | Nb; END; Security Protocol Specification Languages

More Related