Tools to Analyze Security Protocols
Protocol Analyzers … looking for flaws
Formal Analysis
General solutions:
• encode the problem of security protocol analysis as a problem in a logic
• adapt a "standard" theorem prover for that logic to the problem
Examples:
• Propositional logic:
  • state-based modeling, model checking (e.g. Millen, Meadows)
  • formalisation as (finite) state machines
• Higher-order logic:
  • algebraic modeling, inductive theorem proving (e.g. Paulson)
  • formalisation as abstract data types
Formal Analysis
Specific solutions:
• develop specialized logics, programs and/or (meta-)theories for the analysis of security protocols
Examples:
• BAN-like logics based on modal logics
  • reasoning about the beliefs of principals
• On-the-Fly Model Checking (Basin et al.)
  • lazy and symbolic enumeration of the search space
• Strand Spaces (Guttman, Thayer)
  • reasoning about the interaction of principals
Model Checking – Symbolic Lazy Evaluation
• Efficient analysis of a finite-state problem
• However, security protocols have infinitely many states:
  • arbitrary number of principals
  • arbitrary number of protocol runs
  • arbitrary size of messages (generated by the attacker)
• Some (easy) solutions:
  • restrict the number of principals
  • restrict the number of protocol runs
  • combine different states into a single state, e.g. by congruences or laziness
On-the-Fly Model Checker OFMC
• Lazy and intelligent enumeration of the search space
• Search space as a tree:
  • each node is a trace of the protocol and continues the trace of its predecessor node
• Lazy computation is done in Haskell
• Based on D. Basin's work on Lazy Infinite-State Analysis of Security Protocols (1999)
• Part of the AVISPA tool-set (www.avispa-project.org)
General Approach
• Enumeration of all possible traces using rules from R (including actions of the attacker)
• Searching for attack states level by level:
  $S_1$: traces of length 1
  $S_2 = \bigcup_{S \in S_1} \bigcup_{r \in R} \mathrm{step}_r(S)$: traces of length 2
  $S_3 = \bigcup_{S \in S_2} \bigcup_{r \in R} \mathrm{step}_r(S)$: traces of length 3
  $S_4 = \bigcup_{S \in S_3} \bigcup_{r \in R} \mathrm{step}_r(S)$, …
Protocol Descriptions
• The attacker is the network: all messages are sent to or received from the attacker
• Rules of the form:
  $\langle \langle \text{received message} \rangle \times \langle \text{actual state} \rangle \times \langle \text{pos. facts} \rangle \times \langle \text{neg. facts} \rangle \rangle \Rightarrow \langle \langle \text{next message} \rangle \times \langle \text{next state} \rangle \times \langle \text{new facts} \rangle \rangle$
• e.g. $\langle \{A, N_A\}_{K_B},\ \mathit{state}(roleB, step1, A, B),\ \emptyset,\ \neg\,\mathit{seen}(B, N_A) \rangle \Rightarrow \langle \{N_A, N_B\}_{K_A},\ \mathit{state}(roleB, step2, A, B),\ \{\mathit{seen}(B, N_A)\} \rangle$
  (one step of role B: the received message {A, NA}KB leads to the next message {NA, NB}KA)
Examples of States and Knowledge
• msg(m): messages {A, NA}KB, {NA, NB}KA, …; start, finished (as dummy messages)
• state(m): identifying the actual state of principals, e.g. state(roleA, step0, A, B), state(roleB, step2, A, B, NA, NB), …
• P1, P2: positive facts, knowledge of the attacker, e.g.
  • i_knows(NA): "intruder knows NA"
  • secret(M, A): "M is secret and only known to A"
  • seen(A, NB): "A has seen the message NB"
  • …
• N: negative facts, e.g. ¬seen(A, NB): "A has not seen the message NB", …
Modeling the Attacker – Dolev-Yao
What an attacker can deduce, DY(M), from a set of messages M:

$\dfrac{m \in M}{m \in DY(M)}$ (GAxiom)

$\dfrac{m_1 \in DY(M) \quad m_2 \in DY(M)}{m_1, m_2 \in DY(M)}$ (GPair)   $\dfrac{m_1, m_2 \in DY(M)}{m_i \in DY(M)}$ (APair, $i = 1, 2$)

$\dfrac{m_1 \in DY(M) \quad m_2 \in DY(M)}{\{m_2\}_{m_1} \in DY(M)}$ (Gscrypt)   $\dfrac{\{m\}_k \in DY(M) \quad k \in DY(M)}{m \in DY(M)}$ (Ascrypt)

from D. Basin et al.: OFMC
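The five rules are easiest to understand by running them. The Python below is an added example, not code from the slides or from OFMC: it encodes messages as nested tuples (an assumption of this example, described in the docstring), implements exactly GAxiom, GPair, APair, Gscrypt and Ascrypt, and decides whether a goal is in DY(M) by first saturating M under the analysis rules and then checking the goal top-down with the generation rules. The two knowledge sets at the bottom are constructed samples.

```python
"""Dolev-Yao deduction DY(M) for the message algebra on the slide.

Added example, not from the slides or from OFMC.  Term encoding (an assumption
of this example): a plain string is an atomic message (name, nonce, key);
('pair', m1, m2) is the concatenation m1,m2; ('scrypt', k, m) is the symmetric
encryption {m}k.  Exactly the slide's five rules are implemented.

DY(M) is infinite (GPair/Gscrypt build ever larger terms), so membership is
decided in two phases:
  analysis  - saturate M under APair/Ascrypt (a finite fixpoint);
  synthesis - check the goal top-down with GAxiom/GPair/Gscrypt.
"""


def is_pair(t):
    return isinstance(t, tuple) and t[0] == 'pair'


def is_scrypt(t):
    return isinstance(t, tuple) and t[0] == 'scrypt'


def synthesisable(t, known):
    """GAxiom, GPair and Gscrypt, applied top-down against the set `known`."""
    if t in known:                                   # GAxiom
        return True
    if is_pair(t) or is_scrypt(t):                   # GPair / Gscrypt: both parts derivable
        return synthesisable(t[1], known) and synthesisable(t[2], known)
    return False


def analyse(knowledge):
    """Closure of `knowledge` under the analysis rules APair and Ascrypt.

    Ascrypt needs the key k in DY(M), not merely in M, so the key test uses
    synthesis over the knowledge analysed so far, and the loop repeats until
    nothing new appears (e.g. a key that is itself released by a decryption).
    """
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if is_pair(t):                                       # APair
                new = {t[1], t[2]} - known
            elif is_scrypt(t) and synthesisable(t[1], known):    # Ascrypt
                new = {t[2]} - known
            else:
                new = set()
            if new:
                known |= new
                changed = True
    return known


def derivable(goal, knowledge):
    """Decide goal in DY(knowledge)."""
    return synthesisable(goal, analyse(knowledge))


# Constructed samples: the intruder has seen two names, a session key K and one
# encrypted message; the second set needs two analysis rounds and a composed key.
SEEN = {'A', 'B', 'K', ('scrypt', 'K', ('pair', 'NA', 'NB'))}
NESTED = {'K1', ('scrypt', 'K1', 'K2'), ('scrypt', ('pair', 'K1', 'K2'), 'S')}

if __name__ == '__main__':
    print(derivable('NB', SEEN))                                  # True  (Ascrypt, APair)
    print(derivable(('scrypt', 'K', ('pair', 'B', 'NA')), SEEN))  # True  (forged by GPair, Gscrypt)
    print(derivable('NC', SEEN))                                  # False (never seen, not derivable)
    print(derivable('S', NESTED))                                 # True  (K2 released, key K1,K2 synthesised)
```

Because GPair and Gscrypt never terminate, DY(M) is not enumerated; the goal-directed synthesis step is what keeps the check finite. The NESTED sample shows why the analysis loop has to iterate: K2 only becomes available after the first decryption, and the composed key K1,K2 is synthesised rather than found in M.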
Terms, Matching, Unification
• Matching the pattern {X}KA (X a variable) against the ground term {NA, NB}KA yields the substitution {X ↦ NA, NB}
• Unification of {NA, X}KA with {Y, NB}KA (X, Y variables) yields {Y ↦ NA, X ↦ NB}
(term trees of the slide omitted)
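The two substitutions on this slide are what first-order matching and unification compute. As an added example (not from the slides or from OFMC), the Python below implements both over term tuples in which ('var', name) marks a variable (an assumption of this example); besides the slide's two cases it covers the ones the slide leaves out: a key mismatch, a variable that would have to be bound to two different terms, and the occurs check that refuses to unify X with a term containing X.

```python
"""Syntactic matching and unification of protocol terms.

Added example, not from the slides or from OFMC.  Assumed encoding:
('var', 'X') is a variable, a plain string is an atom, ('pair', a, b) is a,b
and ('crypt', k, m) is {m}k.  A substitution is a dict variable name -> term.
"""


def is_var(t):
    return isinstance(t, tuple) and t[0] == 'var'


def apply_subst(t, s):
    """Apply substitution s to term t (bindings are followed transitively)."""
    if is_var(t):
        return apply_subst(s[t[1]], s) if t[1] in s else t
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply_subst(a, s) for a in t[1:])
    return t


def match(pattern, term, s=None):
    """One-sided matching: find s with s(pattern) == term, `term` being ground.
    Returns the substitution, or None when no such substitution exists."""
    s = {} if s is None else s
    if is_var(pattern):
        name = pattern[1]
        if name in s:                       # variable seen before: must agree
            return s if s[name] == term else None
        s[name] = term
        return s
    if isinstance(pattern, tuple) and isinstance(term, tuple):
        if pattern[0] != term[0] or len(pattern) != len(term):
            return None
        for p, t in zip(pattern[1:], term[1:]):
            if match(p, t, s) is None:
                return None
        return s
    return s if pattern == term else None   # atoms must be identical


def occurs(name, t, s):
    """Occurs check: does variable `name` occur in s(t)?"""
    t = apply_subst(t, s)
    if is_var(t):
        return t[1] == name
    if isinstance(t, tuple):
        return any(occurs(name, a, s) for a in t[1:])
    return False


def unify(t1, t2, s=None):
    """Most general unifier of t1 and t2 (both may contain variables), or None."""
    s = {} if s is None else s
    t1, t2 = apply_subst(t1, s), apply_subst(t2, s)
    if t1 == t2:
        return s
    if is_var(t1):
        if occurs(t1[1], t2, s):            # X = f(..X..) has no finite solution
            return None
        s[t1[1]] = t2
        return s
    if is_var(t2):
        return unify(t2, t1, s)
    if (isinstance(t1, tuple) and isinstance(t2, tuple)
            and t1[0] == t2[0] and len(t1) == len(t2)):
        for a, b in zip(t1[1:], t2[1:]):    # same constructor: unify argument-wise
            if unify(a, b, s) is None:
                return None
        return s
    return None


X, Y = ('var', 'X'), ('var', 'Y')

if __name__ == '__main__':
    # the slide's two examples, written key-first: {X}KA is ('crypt', 'KA', X)
    print(match(('crypt', 'KA', X), ('crypt', 'KA', ('pair', 'NA', 'NB'))))   # {'X': ('pair', 'NA', 'NB')}
    print(unify(('crypt', 'KA', ('pair', 'NA', X)), ('crypt', 'KA', ('pair', Y, 'NB'))))  # {'Y': 'NA', 'X': 'NB'}
    print(match(('crypt', 'KA', X), ('crypt', 'KB', 'NA')))                 # None (key mismatch)
    print(match(('pair', X, X), ('pair', 'NA', 'NB')))                      # None (X bound twice)
    print(unify(X, ('pair', X, 'NA')))                                      # None (occurs check)
```

Matching is what a protocol rule needs when the incoming message is ground; unification is what the lazy intruder of the later slides needs, because there the attacker's message still contains variables.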
State Transitions
Rule r: $\mathit{msg}(m_1) \cdot \mathit{state}(m_2) \cdot P_1 \cdot N_1 \wedge \mathit{Cond} \Rightarrow \mathit{state}(m_3) \cdot \mathit{msg}(m_4) \cdot P_2$
Let $P'_1 = P_1 \setminus \{ f \mid \exists m .\ f = \mathit{i\_knows}(m) \}$
Successor states of S w.r.t. r (monotone in the knowledge of the attacker):
$\mathrm{step}_r(S) = \{ S' \mid \exists \sigma .\ \sigma \text{ "applicable" on } LHS(r) \text{ and } S\ \wedge\ S' = (S \setminus (\mathit{state}(\sigma(m_2)) \cup \sigma(P'_1))) \cup \mathit{state}(\sigma(m_3)) \cup \mathit{i\_knows}(\sigma(m_4)) \cup \sigma(P_2) \}$
All possible successor states of S w.r.t. a set of rules R:
$\mathrm{succ}_R(S) = \bigcup_{r \in R} \mathrm{step}_r(S)$
Application of Rules
• A rule models the generation of a message by the attacker and the response to it by an honest principal
• Let $r = \mathit{msg}(m_1) \cdot \mathit{state}(m_2) \cdot P_1 \cdot N_1 \wedge \mathit{Cond} \Rightarrow \dots$
• $\mathrm{applicable}_r(S) = \{ \sigma \mid \{\sigma(m_1)\} \cup \{\sigma(m) \mid \mathit{i\_knows}(m) \in P_1\} \subseteq DY(\{ m \mid \mathit{i\_knows}(m) \in S \})$
  $\wedge\ \{\mathit{state}(\sigma(m_2))\} \cup \sigma(P'_1) \subseteq S$
  $\wedge\ \forall p .\ \neg p \in N_1 \rightarrow \sigma(p) \notin S$
  $\wedge\ \sigma \models \mathit{Cond}\ \wedge\ \mathrm{ground}(\sigma)$
  $\wedge\ \mathrm{dom}(\sigma) = \mathrm{Vars}(m_1) \cup \mathrm{Vars}(m_2) \cup \mathrm{Vars}(P_1) \cup \mathrm{Vars}(N_1) \}$
Modeling the Success of a Protocol
Definition of an attack condition:
• condition under which an attack is successful
• syntactical form of the left-hand side of a rule: $ar = \mathit{msg}(m_1) \cdot \mathit{state}(m_2) \cdot P_1 \cdot N_1 \wedge \mathit{Cond}$
• Example: secret(M, {A, B}), i_knows(M), ¬secret(M, i)
• State S is an attack iff ar is "applicable" in S
• Protocol is secure iff for all reachable states S and all attack conditions ar: ar is not "applicable" in S
Modeling the Attacker Knowledge
Problem of the applicability condition:
• … $\{\sigma(m_1)\} \cup \{\sigma(m) \mid \mathit{i\_knows}(m) \in P_1\} \subseteq DY(\{ m \mid \mathit{i\_knows}(m) \in S \})$ …
• i.e. the attacker can generate arbitrary messages from his knowledge
• huge set of possible messages
Lazy attacker messages:
• specify attacker messages containing variables and instantiate the variables "on the fly"
• define the possible substitutions $\sigma$ such that $\sigma(T)$ can be synthesized from $\sigma(IK)$: $\mathit{from}(T, IK)$ denotes the set of ground substitutions $\sigma$ such that
  • $\sigma$ is ground
  • $\sigma(T) \cup \sigma(IK)$ is ground
  • $\sigma(T) \subseteq DY(\sigma(IK))$
Constraint Sets
• $\llbracket \mathit{from}(T, IK) \rrbracket = \{ \sigma \mid \mathrm{ground}(\sigma) \wedge \mathrm{ground}(\sigma(T), \sigma(IK)) \wedge \sigma(T) \subseteq DY(\sigma(IK)) \}$
• $\llbracket c_1, \dots, c_n \rrbracket = \bigcap_{i = 1, \dots, n} \llbracket c_i \rrbracket$
• $(C, \sigma) \vdash_r (C', \sigma')$ iff the constraint reduction rule r has premise $(C, \sigma)$ and conclusion $(C', \sigma')$
• C' is simple iff it contains only $\mathit{from}(T, IK)$ elements with a variable as T
• Let $\vdash$ be the transitive closure of all $\vdash_r$ for constraint reduction rules r
• $\mathrm{Red}(C) = \{ (C', \sigma') \mid (C, id) \vdash (C', \sigma') \wedge \mathrm{simple}(C') \}$
• A simple C' is trivially solvable
• Theorem: $\llbracket C \rrbracket = \llbracket \mathrm{Red}(C) \rrbracket$, Red(C) is finite and $\vdash$ is well-founded
Constraint Reduction Rules (CRR)
Each rule rewrites a pair (constraint set, substitution):

Gunif: $\mathit{from}(m_1 \cup T,\ m_2 \cup IK) \cup C,\ \sigma \ \longrightarrow\ \sigma'(\mathit{from}(T,\ m_2 \cup IK) \cup C),\ \sigma' \circ \sigma$ where $\sigma' = \mathrm{mgu}(m_1, m_2)$ and $m_1 \notin V$ (m1 is not a variable)

GPair: $\mathit{from}((m_1, m_2) \cup T,\ IK) \cup C,\ \sigma \ \longrightarrow\ \mathit{from}(m_1 \cup m_2 \cup T,\ IK) \cup C,\ \sigma$

Gscrypt: $\mathit{from}(\{m_2\}_{m_1} \cup T,\ IK) \cup C,\ \sigma \ \longrightarrow\ \mathit{from}(m_1 \cup m_2 \cup T,\ IK) \cup C,\ \sigma$

Ascrypt: $\mathit{from}(T,\ \{m\}_k \cup IK) \cup C,\ \sigma \ \longrightarrow\ \mathit{from}(k,\ IK) \cup \mathit{from}(T,\ m \cup \{m\}_k \cup IK) \cup C,\ \sigma$

APair: $\mathit{from}(T,\ (m_1, m_2) \cup IK) \cup C,\ \sigma \ \longrightarrow\ \mathit{from}(T,\ m_1 \cup m_2 \cup (m_1, m_2) \cup IK) \cup C,\ \sigma$

from D. Basin et al.: OFMC
Lazy Steps
S = (P, C, N): P positive facts, N a CNF of inequalities, C a constraint set. (P, C, N) denotes all states $\sigma(P)$ with $\sigma \in \llbracket C \rrbracket$ and $\sigma \models N$
Let $r = \mathit{msg}(m_1) \cdot \mathit{state}(m_2) \cdot P_1 \cdot N_1 \wedge \mathit{Cond} \Rightarrow \dots$
Lazy application of steps:
• $\mathrm{step}_r((P, C, N)) = \{ (P', C', N') \mid \exists \sigma : (\sigma, C', N') \in \mathrm{applicable}_r(P, C, N)\ \wedge\ P' = (\sigma(P) \setminus (\mathit{state}(\sigma(m_2)) \cup \sigma(P'_1))) \cup \sigma(P_2) \cup \mathit{state}(\sigma(m_3)) \cup \mathit{i\_knows}(\sigma(m_4)) \}$
Lazy States and Rule Applications
S = (P, C, N): P positive facts, N a CNF of inequalities, C a constraint set. (P, C, N) denotes all states $\sigma(P)$ with $\sigma \in \llbracket C \rrbracket$ and $\sigma \models N$
Let $r = \mathit{msg}(m_1) \cdot \mathit{state}(m_2) \cdot P_1 \cdot N_1 \wedge \mathit{Cond} \Rightarrow \dots$
$\mathrm{applicable}_r((P, C, N)) = \{ (\sigma, C', N') \mid$
  $\{\sigma(m_1)\} \cup \{\sigma(m) \mid \mathit{i\_knows}(m) \in P_1\} \subseteq DY(\{ m \mid \mathit{i\_knows}(m) \in S \})$
  $\wedge\ \{\mathit{state}(\sigma(m_2))\} \cup \sigma(P'_1) \subseteq \sigma(P)$
  $\wedge\ \mathrm{dom}(\sigma) \subseteq \mathrm{Vars}(m_1) \cup \mathrm{Vars}(m_2) \cup \mathrm{Vars}(P_1) \cup \mathrm{Vars}(N_1) \cup \mathrm{Vars}(P, C, N)$
  $\wedge\ C' = \sigma( C \cup \mathit{from}(m_1 \cup \{ m \mid \mathit{i\_knows}(m) \in P_1 \},\ \{ i \mid \mathit{i\_knows}(i) \in P \}) )$
  $\wedge\ N' = \sigma(N) \wedge \sigma(\mathit{Cond}) \wedge \mathrm{SubCond}(\sigma(N_1), \sigma(P)) \}$
$\mathrm{SubCond}(N, P) = \bigwedge \{ \bigvee_{i = 1..n} v_i \neq t_i \mid \neg t \in N,\ t' \in P,\ \mathrm{mgu}(t, t') = \{ v_1 \mapsto t_1, \dots, v_n \mapsto t_n \} \}$
Strand Spaces
• Framework on security protocols
  • exploring the structure of a protocol
  • exploring the possible combinations of local runs (at the principals) of a protocol into a common protocol run
• Based on the Dolev-Yao model
• Developed by Joshua Guttman, Jonathan C. Herzog, F. Javier Thayer (1998)
• Implemented in the Athena system
The Idea
(figure: regular strands make up the intended protocol, penetrator strands make up the attacker protocol)
Strands as Local Views of Principals
• A strand represents a sequence of signed messages ±m
  • "+" means the principal sends this message
  • "-" means the principal receives this message
• A's view of the protocol: A sends {A, NA}KB, receives {NA, NB}KA, sends {NB}KB
• A's strand (the trace of his strand): ⟨ +{A, NA}KB, -{NA, NB}KA, +{NB}KB ⟩
What are Messages?
The set M of messages consists of terms built from:
• atomic messages MA (like nonces, names, …)
• a set K of cryptographic keys with $K \cap M_A = \emptyset$ and an injective function $\mathit{inv} : K \rightarrow K$, with inv(K) abbreviated as $K^{-1}$
• binary operators
  • $\mathit{crypt} : K \times M \rightarrow M$ with crypt(K, x) abbreviated as {x}K
  • $\mathit{pair} : M \times M \rightarrow M$ with pair(x, y) abbreviated as x, y
• freeness axioms:
  • $\{m\}_K = \{m'\}_{K'} \Rightarrow m = m' \wedge K = K'$
  • $m_0, m_1 = m'_0, m'_1 \Rightarrow m_0 = m'_0 \wedge m_1 = m'_1$
  • $\mathit{pair}(m, m') \neq \mathit{crypt}(K, m'')$, …
Strand Space
• A strand space is a collection of strands
• Given a set of messages M, a strand space is a set $\Sigma$ with a trace mapping $tr : \Sigma \rightarrow (\pm M)^*$
• e.g. $\Sigma = \{A, B\}$, tr(A) = ⟨ +{A, NA}KB, -{NA, NB}KA, +{NB}KB ⟩, tr(B) = ⟨ -{A, NA}KB, +{NA, NB}KA, -{NB}KB ⟩
Originating Messages
• Submessage: $m \sqsubseteq m$; $m \sqsubseteq m_1, m_2$ iff $m \sqsubseteq m_1$ or $m \sqsubseteq m_2$; $m \sqsubseteq \{m'\}_K$ iff $m \sqsubseteq m'$
• A node n is an entry point for a set of messages M iff $n = \langle +t \rangle$ for some $t \in M$ and $n' \Rightarrow^* n$ implies $n' \notin M$
• A term t originates on a node n of a strand s iff n is an entry point for $\{ t' : t \sqsubseteq t' \}$, i.e. n is positive and is the first node of s that contains t
• A term t is uniquely originating iff t originates on a unique node
Modeling the Penetrator
• The penetrator participates in protocols via penetrator strands
• Penetrator strands reflect the potentials of the penetrator:
  • Text M: ⟨ +T ⟩ with $T \in M_A$
  • Flush G: ⟨ -X ⟩
  • Tee T: ⟨ -X, +X, +X ⟩
  • Concatenation C: ⟨ -X, -Y, +X, Y ⟩
Modeling the Penetrator II
… more penetrator strands:
• Separation S: ⟨ -X, Y, +X, +Y ⟩
• Key K: ⟨ +K ⟩ with $K \in K_p$
• Encryption E: ⟨ -K, -X, +{X}K ⟩
• Decryption D: ⟨ -K^{-1}, -{X}K, +X ⟩
Penetrator's Work – An Example
Breaking into the Needham-Schroeder protocol:
• Key K: ⟨ +Kp^{-1} ⟩
• Decryption D: ⟨ -Kp^{-1}, -{NA, A}Kp, +NA, A ⟩
• Key K: ⟨ +KB ⟩
• Encryption E: ⟨ -KB, -NA, A, +{NA, A}KB ⟩
i.e. the penetrator decrypts the message {NA, A}Kp addressed to him and re-encrypts its content for B as {NA, A}KB
Composing Strands to Bundles
(figure: penetrator strands (attacker protocol) and regular strands (intended protocol) fitted together into one bundle)
Rules for Composing the Jigsaw
Technical restrictions:
• every received message has been sent from somewhere
• if a node n (on a strand s) occurs in the jigsaw, then all its predecessors on s occur too
Semantic restrictions:
• the composition complies with the uniquely-originating property!
• i.e. no guessing of keys or nonces by the penetrator
Bundles as Composition of Strands
A bundle B is an acyclic subgraph $\langle N_B, (\rightarrow_B \cup \Rightarrow_B) \rangle$ such that
• if $\langle -m \rangle \in N_B$ then there is a unique $\langle +m \rangle \in N_B$ with $\langle +m \rangle \rightarrow_B \langle -m \rangle$
• if $n_2 \in N_B$ and $n_1 \Rightarrow n_2$ then $n_1 \Rightarrow_B n_2$
• $\preceq_B$ is the reflexive and transitive closure of $(\rightarrow_B \cup \Rightarrow_B)$
Properties:
• $\preceq_B$ is a well-founded partial order; any non-empty set has $\preceq_B$-minimal members
• if B is a bundle and $\sigma$ a replacement, then $\sigma(B)$ is also a bundle
• the height of a strand s in B is the number of nodes of s in B
The Bundle: An Example
Bundle of the two strands ⟨ +{A, NA}KB, -{NA, NB}KA, +{NB}KB ⟩ and ⟨ -{A, NA}KB, +{NA, NB}KA, -{NB}KB ⟩, each +m node linked to the -m node that receives it.
Examples of $\preceq_B$:
• +{A, NA}KB ≼B -{A, NA}KB ≼B +{NA, NB}KA ≼B -{NA, NB}KA
• +{NA, NB}KA ≼B -{NB}KB
• +{NB}KB ≼B -{NB}KB
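The bundle conditions of the previous slide, the submessage relation ⊑ and the origination points from the "Originating Messages" slide can all be checked mechanically on this example. The Python below is an added example, not code from the strand-space papers or from Athena, with its own encoding of strands, nodes and edges (stated in the docstring); the two strands and the three communication edges are the constructed sample taken from the slide.

```python
"""Strands, bundles, the ⊑ relation and origination for the Needham-Schroeder
run drawn on the slide.  Added example; not code from the strand-space papers
or from the Athena system.

Assumed encoding: a strand is a list of (sign, message) with sign '+' (send)
or '-' (receive); messages are ('pair', a, b) for a,b and ('crypt', K, m) for
{m}K, atoms are strings; a node is (strand_name, index).  A bundle B is the
set of its nodes plus its communication edges, given as
{receiving_node: sending_node}, so each negative node has at most one sender.
"""


def enc(key, msg):
    return ('crypt', key, msg)


def pair(a, b):
    return ('pair', a, b)


def subterm(t, m):
    """The slide's submessage relation t ⊑ m: descend into pairs and into the
    body of an encryption, but never into the key of {m'}K."""
    if t == m:
        return True
    if isinstance(m, tuple) and m[0] == 'pair':
        return subterm(t, m[1]) or subterm(t, m[2])
    if isinstance(m, tuple) and m[0] == 'crypt':
        return subterm(t, m[2])
    return False


def originates(t, strands, node):
    """t originates on node iff it is positive, t ⊑ its message, and no earlier
    node of the same strand contains t (an entry point for {t' : t ⊑ t'})."""
    name, i = node
    sign, msg = strands[name][i]
    if sign != '+' or not subterm(t, msg):
        return False
    return not any(subterm(t, strands[name][j][1]) for j in range(i))


def origination_points(t, strands):
    """All nodes of the strand space on which t originates."""
    return [(s, i) for s, trace in strands.items()
            for i in range(len(trace)) if originates(t, strands, (s, i))]


def uniquely_originating(t, strands):
    return len(origination_points(t, strands)) == 1


def successors(nodes, comm):
    """Edges of → (communication) and ⇒ (next node on the strand) inside B."""
    succ = {n: set() for n in nodes}
    for s, i in nodes:
        if (s, i + 1) in succ:
            succ[(s, i)].add((s, i + 1))
    for recv, send in comm.items():
        if recv in succ and send in succ:
            succ[send].add(recv)
    return succ


def precedes(n1, n2, succ):
    """n1 ≼B n2: reflexive-transitive closure of → ∪ ⇒, by graph search."""
    seen, stack = set(), [n1]
    while stack:
        n = stack.pop()
        if n == n2:
            return True
        if n not in seen:
            seen.add(n)
            stack.extend(succ[n])
    return False


def check_bundle(strands, nodes, comm):
    """Return the violated bundle conditions (an empty list means B is a bundle)."""
    nodes = set(nodes)
    problems = []
    for s, i in sorted(nodes):
        if i > 0 and (s, i - 1) not in nodes:            # strand-prefix closure
            problems.append(f'{(s, i)} is in B but its predecessor on the strand is not')
        sign, msg = strands[s][i]
        if sign == '-':                                   # every -m has a unique +m sender in B
            send = comm.get((s, i))
            if send is None or send not in nodes:
                problems.append(f'{(s, i)} receives a message that nobody in B sent')
            elif strands[send[0]][send[1]] != ('+', msg):
                problems.append(f'{send} -> {(s, i)} does not carry the same message')
    succ = successors(nodes, comm)
    if any(precedes(m, n, succ) for n in succ for m in succ[n]):   # acyclicity
        problems.append('the graph → ∪ ⇒ has a cycle')
    return problems


# Constructed sample: the initiator strand A and the responder strand B of the slide.
STRANDS = {
    'A': [('+', enc('KB', pair('A', 'NA'))), ('-', enc('KA', pair('NA', 'NB'))), ('+', enc('KB', 'NB'))],
    'B': [('-', enc('KB', pair('A', 'NA'))), ('+', enc('KA', pair('NA', 'NB'))), ('-', enc('KB', 'NB'))],
}
NODES = {(s, i) for s in STRANDS for i in range(3)}
COMM = {('B', 0): ('A', 0), ('A', 1): ('B', 1), ('B', 2): ('A', 2)}

if __name__ == '__main__':
    print(check_bundle(STRANDS, NODES, COMM))                  # []
    print(precedes(('A', 0), ('B', 2), successors(NODES, COMM)))  # True
    print(origination_points('NA', STRANDS))                    # [('A', 0)]
    print(origination_points('KB', STRANDS))                    # [] (keys are not submessages)
```

Note that KB originates nowhere: it only ever appears as a key, and the slide's ⊑ does not look into keys, which is exactly why the later lemma about keys that "never originate on a regular node" needs its own argument. Dropping one communication edge from COMM makes check_bundle report an unsent received message.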
Some Properties of Bundles B
Lemma: Let $S \subseteq B$ with $\forall n', n'' : |n'| = |n''|$ implies $n' \in S$ iff $n'' \in S$. Then, if n is a $\preceq_B$-minimal member of S, n is positive.
Lemma: Let $t \in M$ and $S = \{ m \in B \mid t \sqsubseteq m \}$. Let $n \in B$ be a $\preceq_B$-minimal element of S. Then t originates on n.
Lemma: Let $K \in K \setminus K_p$. If K never originates on a regular node, then $K \not\sqsubseteq n$ for all $n \in B$, i.e. for all penetrator nodes $p \in B$: $K \not\sqsubseteq p$.
Needham-Schroeder-Lowe (NSL Space)
The NSL space (a strand space) consists of:
• penetrator strands $s \in P$
• initiator strands $s \in \mathit{Init}[A, B, N_A, N_B]$ with tr(s) = ⟨ +{A, NA}KB, -{NA, NB, B}KA, +{NB}KB ⟩
• responder strands $s \in \mathit{Resp}[A, B, N_A, N_B]$ with tr(s) = ⟨ -{A, NA}KB, +{NA, NB, B}KA, -{NB}KB ⟩
• with "parameters" $A, B, N_A, N_B \in M_A$
Proving Properties of the NSL Space
Suppose:
• B is a bundle in the NSL space and s is a responder strand in Resp[A, B, NA, NB] with height 3,
• $K_A^{-1} \notin K_p$,
• $N_A \neq N_B$ and NB is uniquely originating in the NSL space.
Then: B contains a strand $t \in \mathit{Init}[A, B, N_A, N_B]$ with height 3.
Proof Sketch
Lemma: NB originates at n1
Lemma: $S = \{ n \in B \mid N_B \sqsubseteq n \wedge n_1 \not\sqsubseteq n \}$ has a minimal element n'' that is regular and positive
Lemma: $\exists n' : n' \Rightarrow^* n''$ and n' = -{NA, NB, B}KA
Lemma: Since n' = -{NA, NB, B}KA and n'' = +{NB}KB, they are both part of an Init[A, B, NA, NB] strand
Theorem: If $\Sigma$ is an NSL space and NA is uniquely originating in $\Sigma$, then there is at most one strand s ∈ Init[A, B, NA, NB] for any A, B, NB
NSL Space – Lemmata (I)
Responder strand: n0 = -{A, NA}KB, n1 = +{NA, NB, B}KA, n2 = -{NB}KB
Lemma: NB originates at n1
Proof:
• by definition $N_B \sqsubseteq n_1$;
• n1 is positive;
• $N_A \neq N_B$ (by assumption) and $N_B \neq A$ (by the types of both);
• thus $N_B \not\sqsubseteq n_0$.
NSL Space – Lemmata (II)
Responder strand: n0 = -{A, NA}KB, n1 = +{NA, NB, B}KA, n2 = -{NB}KB
Lemma: $S = \{ n \in B \mid N_B \sqsubseteq n \wedge n_1 \not\sqsubseteq n \}$ has a $\preceq_B$-minimal element n'' that is regular and positive
Proof:
• Since $N_B \sqsubseteq n_2 \in B$ but $n_1 \not\sqsubseteq n_2$: S is non-empty.
• Hence S has at least one $\preceq_B$-minimal, positive element n''.
• The assumption that n'' is on a penetrator strand leads to a contradiction (case analysis over all penetrator strands).
NSL Space – Lemmata (III)
Responder strand: n0 = -{A, NA}KB, n1 = +{NA, NB, B}KA, n2 = -{NB}KB; on a regular strand of B: n' ⇒* n''
Let n'' be a $\preceq_B$-minimal element of $S = \{ n \in B \mid N_B \sqsubseteq n \wedge n_1 \not\sqsubseteq n \}$ that is on a regular strand and is positive
Lemma: $\exists n'$ with $n' \Rightarrow^* n''$ and n' = -{NA, NB, B}KA
Proof:
• NB originates uniquely at n1.
• $n'' \neq n_1$ because $n_1 \not\sqsubseteq n''$.
• Thus NB does not originate on n'' and $\exists n' : N_B \sqsubseteq n'$.
• By minimality: n' = -{NA, NB, B}KA
Lemma: The strand of n' and n'' is an initiator strand and contained in B
Proof: Exercise.
NSL Space – Lemmata (IV)
Lemma: Since the strand of n' = -{NA, NB, B}KA and n'' = +{NB}KB is an initiator strand s, we know that s ∈ Init[A, B, NA, NB]
Theorem: If $\Sigma$ is an NSL space and NA is uniquely originating in $\Sigma$, then there is at most one strand s ∈ Init[A, B, NA, NB] for any A, B, NB
Proof:
• If s ∈ Init[A, B, NA, NB] for any A, B, NB, then the first node n1 of s is positive.
• $N_A \in n_1$ and obviously NA originates on n1.
• Since NA is uniquely originating in $\Sigma$, there is only one s of this type.
Analysis of the Insights
Why does this proof fail for the original Needham-Schroeder protocol?
• We could prove: Let n'' be a $\preceq_B$-minimal element of $S = \{ n \in B \mid N_B \sqsubseteq n \wedge n_1 \not\sqsubseteq n \}$ that is on a regular strand and is positive. Lemma: $\exists n'$ with $n' \Rightarrow^* n''$ and n' = -{NA, NB}KA
• But we fail to prove: Lemma: Since the strand of n' = -{NA, NB}KA and n'' = +{NB}KC is an initiator strand s, we know that s ∈ Init[A, B, NA, NB]. We only know that s ∈ Init[A, C, NA, NB] for some C!!!
Authentication Tests
• Authentication of a principal is done by forcing the principal to apply his secret key
• Typically:
  • decryption: {m}K … is followed by …m…
  • signing: …m… is followed by … {m}K^{-1}
• Precondition: nobody can learn the secret key K^{-1}
  • $K^{-1} \in \mathrm{Prot}(B)$: K^{-1} occurs in the bundle only inside encryptions {… K^{-1} …}K'
• Notice: K occurs in {t}K only if K occurs in t!
Outgoing Authentication Test
(figure: n1: + …{m}K… ; nm: - …m… ; on a regular strand n' ⇒+ n'', where producing m from {m}K requires knowledge of K^{-1})
Let $S \subseteq \{ \{t\}_K \mid K^{-1} \in \mathrm{Prot}(B) \}$. Suppose a message m
• originates uniquely in B at n1 and
• occurs only within S in n1,
• but occurs in some node $n_m \in B$ outside S.
Then
• there is a regular strand s with a positive node n'' such that m occurs outside S for the first time in n'', and
• there is a node n' preceding n'' on s such that $m \sqsubseteq n'$.
Incoming Authentication Test
(figure: n1: + …m… ; nm: - …{m}K… ; on a regular strand n' ⇒+ n'', where producing {m}K requires knowledge of K)
Suppose a message {m}K
• occurs within a negative node nm,
• $K \in \mathrm{Prot}(B)$,
• m originates outside {m}K at a node n1.
Then
• there is a regular strand s with a positive node n'' such that m occurs outside {m}K in n'',
• $n_1 \preceq_B n' \Rightarrow^+ n'' \prec_B n_m$ with $m' \sqsubseteq n'$ (solicited incoming test).