
Tools to Analyze Security Protocols


kaveri

Presentation Transcript


  1. Tools to Analyze Security Protocols Protocol Analyzers… … looking for flaws

  2. Formal Analysis General solutions: • encode the problem of security protocol analysis as a problem in a logic • adapt a „standard“ theorem prover for the logic to the problem Examples: • Propositional logic: • State-based modeling, model checking (e.g. Millen, Meadows) • formalisation as (finite) state machines • Higher-order logic: • Algebraic modeling, inductive theorem proving (e.g. Paulson) • formalisation as abstract data types

  3. Formal Analysis Specific solutions: • develop specialized logics, programs and / or (meta-)theories on the analysis of security protocols Examples: • BAN-like logics based on modal logics • reasoning about the beliefs of principals • On-The-Fly-Model Checking (Basin et al.) • lazy and symbolic enumeration of the search space • Strand Spaces (Guttman, Thayer) • reasoning about the interaction of principals

  4. Model Checking – Symbolic Lazy Evaluation • Efficient analysis of a finite state problem • However, security protocols have infinitely many states: • arbitrary number of principals • arbitrary number of protocol runs • arbitrary size of messages (generated by the attacker) • Some (easy) solutions: • restrict number of principals • restrict number of protocol runs • combine different states into a single state, e.g. congruences, laziness

  5. On-the-fly model checker OFMC • Lazy and intelligent enumeration of the search space • Search space as a tree. • Each node is a trace of the protocol and continues the trace of the predecessor node. • Lazy computation is done in Haskell • Based on D. Basin's work on Lazy Infinite-State Analysis of Security Protocols (1999) • Part of the AVISPA toolset (www.avispa-project.org)

  6. General Approach • Enumeration of all possible traces using rules from R (including actions of the attacker) • Searching for attack states • Figure: S1 (length = 1) → ⋃_{S ∈ S1} ⋃_{r ∈ R} step_r(S) → S2 (length = 2) → ⋃_{S ∈ S2} ⋃_{r ∈ R} step_r(S) → S3 (length = 3) → ⋃_{S ∈ S3} ⋃_{r ∈ R} step_r(S)

  7. Protocol Descriptions • Attacker is the network: all messages are sent to or received from the attacker • Rules of the form: ⟨ ⟨received message⟩ × ⟨actual state⟩ × ⟨pos. facts⟩ × ⟨neg. facts⟩ ⟩ ⇒ ⟨ ⟨next message⟩ × ⟨next state⟩ × ⟨new facts⟩ ⟩ • e.g. one step: ⟨ {A, NA}KB , state(roleB, step1, A, B), Ø, ¬seen(B, NA) ⟩ ⇒ ⟨ {NA, NB}KA , state(roleB, step2, A, B), {seen(B, NA)} ⟩, with {A, NA}KB the received message and {NA, NB}KA the next message

  8. Examples of States and Knowledge • msg(m) : messages {A, NA}KB , {NA, NB}KA , … start, finished (as dummy messages) • state(m): identifying the actual state of principals state(roleA, step0, A, B), state(roleB, step2, A, B, NA, NB), … • P1, P2: positive facts, knowledge of the attacker i_knows(NA) : „intruder knows NA“, secret(M, A) : „M is secret and only known to A“ seen(A, NB) : „A has seen the message NB“ … • N : negative facts: ¬seen(A, NB) : „A has not seen the message NB“ …

  9. Modeling the Attacker - Dolev-Yao What an attacker can deduce, DY(M), from a set of messages M (from D. Basin et al.: OFMC): • GAxiom: if m ∈ M then m ∈ DY(M) • GPair: if m1 ∈ DY(M) and m2 ∈ DY(M) then the pair m1, m2 ∈ DY(M) • APair: if the pair m1, m2 ∈ DY(M) then mi ∈ DY(M) • Gscrypt: if m1 ∈ DY(M) and m2 ∈ DY(M) then {m2}m1 ∈ DY(M) • Ascrypt: if {m}k ∈ DY(M) and k ∈ DY(M) then m ∈ DY(M)
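The five deduction rules of slide 9 turned into a decision procedure for m ∈ DY(M), as an added example (not code from the slides or from OFMC). The tuple encoding of terms and the sample knowledge set `IK` are assumptions made for the illustration.

```python
# Terms: atoms are strings; ("pair", m1, m2) is m1, m2; ("scrypt", k, m) is {m}k.

def synth(goal, known):
    """GAxiom, GPair, Gscrypt: can goal be composed from the terms in known?"""
    if goal in known:
        return True
    if isinstance(goal, tuple):
        return synth(goal[1], known) and synth(goal[2], known)
    return False

def analyze(knowledge):
    """Close knowledge under APair and Ascrypt until nothing new is learned."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                parts = {t[1], t[2]}               # APair: both components
            elif synth(t[1], known):               # Ascrypt: key k is derivable
                parts = {t[2]}
            else:
                parts = set()                      # key unknown: stays opaque
            if not parts <= known:
                known |= parts
                changed = True
    return known

def derivable(goal, knowledge):
    """Decide goal ∈ DY(knowledge): analyze to a fixpoint, then synthesize."""
    return synth(goal, analyze(knowledge))

# Constructed intruder knowledge (not from the slides).
IK = {
    "i", "ki",
    ("scrypt", "ki", ("pair", "na", "k2")),   # {na, k2}ki, readable with ki
    ("scrypt", "k2", "secret"),               # {secret}k2, readable once k2 leaks
    ("scrypt", "kab", "nb"),                  # {nb}kab, kab never leaks
}
```

The fixpoint loop matters: `{secret}k2` only opens after `k2` has been extracted from another message, regardless of the order in which the terms are visited.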

  10. Terms, Matching, Unification • Terms are drawn as trees, e.g. {NA, NB}KA and { X }KA with variable X (figure) • Matching of { X }KA with {NA, NB}KA yields: { X ← NA, NB } • Unification of {NA, X }KA with {Y, NB}KA yields: { Y ← NA, X ← NB }
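Syntactic unification over the pair/encryption term trees of slide 10, as an added example (not code from the slides or from OFMC); matching is the special case in which one side contains no variables. The tuple encoding and the helper names `enc`, `pair` and `resolve` are assumptions.

```python
# Terms: atoms are strings, variables are ("var", name); ("pair", a, b) is the
# pair a, b and ("scrypt", k, m) is {m}k (both constructors are binary).

def is_var(t):
    return isinstance(t, tuple) and t[0] == "var"

def walk(t, subst):
    """Follow variable bindings until an unbound variable or a non-variable."""
    while is_var(t) and t in subst:
        t = subst[t]
    return t

def occurs(v, t, subst):
    """Occurs check: binding v to a term that contains v has no finite solution."""
    t = walk(t, subst)
    if is_var(t) or not isinstance(t, tuple):
        return t == v
    return any(occurs(v, a, subst) for a in t[1:])

def unify(s, t, subst=None):
    """Return a most general unifier extending subst, or None if none exists."""
    subst = dict(subst or {})
    s, t = walk(s, subst), walk(t, subst)
    if s == t:
        return subst
    if is_var(t) and not is_var(s):
        s, t = t, s
    if is_var(s):
        if occurs(s, t, subst):
            return None
        subst[s] = t
        return subst
    if not (isinstance(s, tuple) and isinstance(t, tuple)) or s[0] != t[0]:
        return None                      # atom clash or different constructors
    for a, b in zip(s[1:], t[1:]):
        subst = unify(a, b, subst)
        if subst is None:
            return None
    return subst

def resolve(t, subst):
    t = walk(t, subst)                   # apply subst to t exhaustively
    if isinstance(t, tuple) and not is_var(t):
        return (t[0],) + tuple(resolve(a, subst) for a in t[1:])
    return t

X, Y = ("var", "X"), ("var", "Y")
def enc(k, m): return ("scrypt", k, m)
def pair(a, b): return ("pair", a, b)
```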

  11. State Transitions Rule r: msg(m1) . state(m2) . P1 . N1 ∧ Cond ⇒ state(m3) . msg(m4) . P2 Let P′1 = P1 \ { f | ∃ m . f = i_knows(m) } Successor states of S wrt. r (monotone in the knowledge of the attacker): step_r(S) = { S′ | ∃ .  „applicable“ on LHS(r) and S ∧ S′ = (S \ (state((m2)) ∪ (P′1)) ∪ state((m3)) ∪ i_knows((m4)) ∪ (P2) } All possible successor states of S wrt. a set of rules R: succ_R(S) = ⋃_{r ∈ R} step_r(S)

  12. Application of Rules • a rule models the generation of a message by the attacker and the response to it by an honest principal • Let msg(m1) . state(m2) . P1 . N1 ∧ Cond ⇒ … • applicable_r(S) = {  | {(m1) } ∪ {(m) | i_knows(m) ∈ P1} ⊆ DY({m | i_knows(m) ∈ S}) ∧ { state((m1)) } ∪ (P′1) ⊆ S ∧ ∀ p . ¬p ∈ N1 → (p)  S ∧ ⊨ Cond ∧ ground() ∧ dom() = Vars(m1) ∪ Vars(m2) ∪ Vars(P1) ∪ Vars(N1) }

  13. Modeling the Success of a Protocol Definition of attack-condition: • condition under which an attack is successful • syntactical form of the left hand side of a rule: ar = msg(m1) . state(m2) . P1 . N1 ∧ Cond • Example: secret(M, {A, B} ), i_knows(M), ¬secret(M, i) • State S is an attack iff ar is „applicable“ in S. • Protocol is secure iff for all reachable states S and all attack conditions ar: ar is not „applicable“ in S.

  14. Modeling the Attacker Knowledge Problem of the applicability condition: • … {(m1) } ∪ {(m) | i_knows(m) ∈ P1} ⊆ DY({m | i_knows(m) ∈ S}) … • i.e. the attacker can generate arbitrary messages from his knowledge • huge set of possible messages Lazy attacker messages: • specify attacker messages containing variables and instantiate variables „on the fly“ Define possible substitutions  such that (T) can be synthesized from (IK) : from(T a IK) denotes set of ground substitutions  such that •  is ground • (T) ∪ (IK) is ground • (T) ⊆ DY((IK))

  15. Constraint Sets • ⟦from(T a IK)⟧ = { | ground() ∧ ground((T), (IK)) ∧ (T) ⊆ DY((IK)) } • ⟦c1, … cn⟧ = ⋂_{i = 1,…,n} ⟦ci⟧ • (C, ) ⊢_r (C′, ′) iff r has the form C′, ′ over C,  • C′ is simple iff it contains only „from(T a IK)“ elements with a variable as T • Let ⊢ be the transitive closure of all ⊢_r for constraint reduction rules r • Red(C) = { (C′, ′) | ((C, id) ⊢ (C′, )) ∧ simple(C′) } • A simple C′ is trivially solvable • Theorem: ⟦C⟧ = ⟦Red(C)⟧ , Red(C) is finite and ⊢ well founded

  16. Constraint Reduction Rules CRR (from D. Basin et al.: OFMC), each given as upper line / lower line: • GPair: from(m1 ∪ m2 ∪ T a IK) ∪ C,  / from(m1,m2 ∪ T a IK) ∪ C,  • Gscrypt: from(m1 ∪ m2 ∪ T a IK) ∪ C,  / from( {m2}m1 ∪ T a IK) ∪ C,  • Gunif: (from(T a m2 ∪ IK) ∪ C),  . / from(m1 ∪ T a m2 ∪ IK) ∪ C,  with = mgu(m1, m2), m1 V • Ascrypt: from(k a IK) ∪ from(T a m ∪ {m}k ∪ IK) ∪ C,  / from(T a {m}k ∪ IK) ∪ C,  • APair: from(T a m1 ∪ m2 ∪ m1,m2 ∪ T, IK) ∪ C,  / from(T a m1,m2 ∪ IK) ∪ C, 

  17. Lazy Steps S = (P, C, N) : P : positive facts, N : CNF of inequalities, C a constraint set. (P, C, N) denotes all states (P) with ∈ ⟦C⟧ and ⊨ N Let r = msg(m1) . state(m2) . P1 . N1 ∧ Cond ⇒ … Lazy application of steps: • step_r( (P, C, N) ) = { (P′, C′, N′) | ∃ : ( , C′, N′) ∈ applicable_r(P, C, N) ∧ P′ = (P) \ state((m2)) ∪ (P′1) ) ∪ (P2) ∪ state((m3)) ∪ i_knows((m4))

  18. Lazy States and Rule Applications S = (P, C, N) : P : positive facts, N : CNF of inequalities, C a constraint set. (P, C, N) denotes all states (P) with ∈ ⟦C⟧ and ⊨ N Let r = msg(m1) . state(m2) . P1 . N1 ∧ Cond ⇒ … applicable_r( (P, C, N) ) = { (, C′, N′) | {(m1) } ∪ {(m) | i_knows(m) ∈ P1} ⊆ DY({m | i_knows(m) ∈ S}) ∧ { state((m2)) } ∪ (P′1) ⊆ (P) ∧ dom() ⊆ Vars(m1) ∪ Vars(m2) ∪ Vars(P1) ∪ Vars(N1) ∪ Vars(P, C, N) ∧ C′ = ( C ∪ from(m1 ∪ {m | i_knows(m) ∈ P1} a {i | i_knows(i) ∈ P } ) ∧ N′ = (N) ∧ (Cond) ∧ SubCond( (N1), (P) ) } SubCond( N, P ) = ⋀ ( { ⋁_{i = 1..n} vi ti | ¬t ∈ N, t′ ∈ P, mgu(t, t′) = {v1 → t1 ,…,v1 → t1} })

  19. Strand Spaces • Framework for security protocols • exploring the structure of a protocol, • exploring the possible combination of local runs (at the principals) of a protocol to a common protocol • Based on the Dolev-Yao model • Developed by: Joshua Guttman, Jonathan C. Herzog, F. Javier Thayer (1998) • Implemented in the Athena system

  20. The Idea Penetrator strands Regular strands Attacker protocol Intended protocol

  21. Strands as Local Views of Principals • Strand represents sequence of signed messages ±m • „+“ means principal sends this message • „-“ means principal receives this message • A's view of the protocol: { A, NA }KB ; { NA, NB }KA ; { NB }KB • A's (trace of his) strand: +{ A, NA }KB ; -{ NA, NB }KA ; +{ NB }KB

  22. What are Messages? Set M of messages are terms consisting of: • Atomic messages MA (like nonces, names…) • Set K of cryptographic keys with K ∩ MA = ∅ and an injective function inv: K → K with inv(K) abbreviated as K-1 • Binary operators • crypt : K × M → M with crypt(K, x) abbreviated as: { x }K • pair : M × M → M with pair(x, y) abbreviated as: x, y • Freeness axioms: • { m }K = { m′ }K′ ⇒ m = m′ ∧ K = K′ • m0, m1 = m′0, m′1 ⇒ m0 = m′0 ∧ m1 = m′1 • pair(m, m′)  crypt(K, m′′), …

  23. Strand Space • A strand space is a collection of strands • Given a set of messages M, a strand space is a set  with a trace mapping: tr : → (±M)* • e.g.  = { A, B}, tr(A) = ⟨ +{ A, NA }KB , -{ NA, NB }KA , +{ NB }KB ⟩ • Figure: strand A: +{ A, NA }KB ; -{ NA, NB }KA ; +{ NB }KB, strand B: -{ A, NA }KB ; +{ NA, NB }KA ; -{ NB }KB

  24. Originating Messages • Submessage: m ⊑ m, and m ⊑ m1,m2 iff m ⊑ m1 or m ⊑ m2, and m ⊑ { m′ }K iff m ⊑ m′ • A node n is an entry point for a set of messages M iff n = ⟨ +t ⟩ for some t ∈ M and n′ ⇒* n implies n′  M • A term t originates on a node n of a strand s iff n is an entry point for { t′ : t ⊑ t′ }, i.e. n is positive and is the first node of s that contains t. • A term t is uniquely originating iff t originates on a unique node

  25. Modeling the Penetrator • The penetrator participates in protocols via penetrator strands • Penetrator strands reflect the potentials of the penetrator • Text M: +T with T ∈ MA • Flush G: -X • Tee T: -X ; +X ; +X • Concatenation C: -X ; -Y ; +X, Y

  26. Modeling the Penetrator II … more penetrator strands: • Separation S: -X, Y ; +X ; +Y • Key K (K ∈ Kp): +K • Encryption E: -K ; -X ; +{ X }K • Decryption D: -K-1 ; -{ X }K ; +X

  27. Penetrator's Work – An Example Breaking into Needham-Schroeder protocol • Key K: +Kp-1 • Decryption D: -Kp-1 ; -{ NA, A }Kp ; +NA, A • Key K: +KB • Encryption E: -KB ; -NA, A ; +{ NA, A }KB

  28. Composing Strands to Bundles Penetrator strands Regular strands Attacker protocol Intended protocol

  29. Rules for Composing the Jigsaw Technical restrictions: • Every received message has been sent from somewhere • If a node n (on a strand s) occurs in the jigsaw then all its predecessors on s also occur Semantic restrictions: • Composition complies with the uniquely originating property! • i.e. no guessing of keys or nonces by the penetrator

  30. Bundles as Composition of Strands A bundle B is an acyclic subgraph ⟨ N_B, (→_B ∪ ⇒_B) ⟩ • if ⟨ -m ⟩ ∈ N_B then there is a unique ⟨ +m ⟩ ∈ N_B with: ⟨ +m ⟩ →_B ⟨ -m ⟩ • if n2 ∈ N_B and n1 ⇒ n2 then n1 ⇒_B n2 • ≼B is the reflexive and transitive closure of (→_B ∪ ⇒_B) Properties: • ≼B is a well-founded partial order, any non-empty set has ≼B-minimal members • if B is a bundle and  a replacement, then ( B ) is also a bundle • height of a strand s in B is the number of nodes of s in B

  31. The Bundle: An Example • Figure: strand A: +{ A, NA }KB ; -{ NA, NB }KA ; +{ NB }KB, strand B: -{ A, NA }KB ; +{ NA, NB }KA ; -{ NB }KB, with each sent message connected to the matching received message Examples of ≼B : • +{ A, NA }KB ≼B -{ A, NA }KB ≼B +{ NA, NB }KA ≼B -{ NA, NB }KA • +{ NA, NB }KA ≼B -{ NB }KB • +{ NB }KB ≼B -{ NB }KB
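A checker for the bundle conditions of slides 29 and 30, run on the two strands of slide 31, as an added example (not code from the slides or from Athena). Message terms are kept as opaque strings, and the `CYCLIC` strands are a constructed counter-example.

```python
def is_bundle(strands, nodes, comm):
    """Check the bundle conditions for a node set and communication edges.

    strands: name -> list of (sign, message); a node is (name, index);
    comm: list of (sender_node, receiver_node) edges.
    """
    nodes = set(nodes)
    # Strand predecessors of every included node must be included.
    if any((s, j) not in nodes for (s, i) in nodes for j in range(i)):
        return False
    senders = {n: set() for n in nodes}
    for src, dst in comm:
        if src not in nodes or dst not in nodes:
            return False
        (sign1, m1), (sign2, m2) = strands[src[0]][src[1]], strands[dst[0]][dst[1]]
        if (sign1, sign2) != ("+", "-") or m1 != m2:
            return False
        senders[dst].add(src)
    # Every received message comes from exactly one sending node.
    if any(strands[s][i][0] == "-" and len(senders[(s, i)]) != 1 for (s, i) in nodes):
        return False
    # Acyclicity: repeatedly remove nodes whose predecessors are all removed.
    preds = {(s, i): senders[(s, i)] | ({(s, i - 1)} if i else set()) for (s, i) in nodes}
    done = set()
    while done != nodes:
        ready = {n for n in nodes - done if preds[n] <= done}
        if not ready:
            return False
        done |= ready
    return True

# The two regular strands of slide 31 (message terms kept as strings).
STRANDS = {
    "A": [("+", "{A,NA}KB"), ("-", "{NA,NB}KA"), ("+", "{NB}KB")],
    "B": [("-", "{A,NA}KB"), ("+", "{NA,NB}KA"), ("-", "{NB}KB")],
}
NODES = {(s, i) for s in STRANDS for i in range(3)}
COMM = [(("A", 0), ("B", 0)), (("B", 1), ("A", 1)), (("A", 2), ("B", 2))]
# Constructed counter-example: each strand waits for the other's message.
CYCLIC = {"P": [("-", "x"), ("+", "y")], "Q": [("-", "y"), ("+", "x")]}
CYCLIC_COMM = [(("Q", 1), ("P", 0)), (("P", 1), ("Q", 0))]
```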

  32. Some Properties of Bundles B Lemma: Let S ⊂ B with ∀ n′, n″ : |n′| = |n″| implies n′ ∈ S iff n″ ∈ S. Then, if n is a ≼B-minimal member of S then n is positive. Lemma: Let t ∈ M and S = { m ∈ B | t ⊑ m }. Let n ∈ B be a ≼B-minimal element of S. Then, t originates on n. Lemma: Let K ∈ K \ Kp. If K never originates on a regular node, then K ⋢ n for all n ∈ B, i.e. for all penetrator nodes p ∈ B holds: K ⋢ p.

  33. Needham-Schroeder-Lowe (NSL - Space) NSL space (i.e. strand space) consists of: • Penetrator strands s ∈ P • Initiator strands: s ∈ Init[ A, B, NA, NB ] tr(s) = ⟨ +{ A, NA }KB , -{ NA, NB, B }KA , +{ NB }KB ⟩ • Responder strands: s ∈ Resp[ A, B, NA, NB ] tr(s) = ⟨ -{ A, NA }KB , +{ NA, NB, B }KA , -{ NB }KB ⟩ • with „parameters“: A, B, NA, NB ∈ MA

  34. Proving Properties of NSL - Space Suppose: • Let B be a bundle in the NSL-space and s be a responder strand in Resp[A, B, NA, NB] with height 3. • KA-1Kp • NA NB and NB is uniquely originating in the NSL-space. Then: B contains t ∈ Init[A, B, NA, NB] with height 3.

  35. Proof Sketch Lemma: NB originates at n1 Lemma: S = { n ∈ B | NB ⊑ n ∧ n1 ⋢ n } has a minimal element n″ that is regular and positive Lemma: ∃ n′ : n′ ⇒* n″ and n′ = -{NA, NB, B}KA Lemma: Since n′ = -{NA, NB, B}KA and n″ = +{NB}KB , they are both part of an Init[A, B, NA, NB] strand Theorem: If  is an NSL-Space and NA is uniquely originating in  then there is at most one strand s ∈ Init[A, B, NA, NB] for any A, B, NB

  36. NSL – Space – Lemmata (I) • Figure: responder strand n0 = -{ A, NA }KB ; n1 = +{NA, NB, B}KA ; n2 = -{NB}KB Lemma: NB originates at n1 Proof: • by definition NB ⊑ n1 holds; • n1 is positive and • NA NB (by assumption) and NB A (by the types of both). • Thus: NB ⋢ n0

  37. NSL – Space – Lemmata (II) • Figure: responder strand n0 = -{ A, NA }KB ; n1 = +{NA, NB, B}KA ; n2 = -{NB}KB Lemma: S = { n ∈ B | NB ⊑ n ∧ n1 ⋢ n } has a ≼B-minimal element n″ that is regular and positive Proof: • Since NB ⊑ n2 ∈ B but n1 ⋢ n2 : S is non-empty. • Hence, S has at least one ≼B-minimal, positive element n″. • The assumption that n″ is on a penetrator strand results in a contradiction. Case analysis on all penetrator strands

  38. NSL – Space – Lemmata (III) • Figure: responder strand n0 = -{ A, NA }KB ; n1 = +{NA, NB, B}KA ; n2 = -{NB}KB, and nodes n′ ⇒* n″ Let n″ be a ≼B-minimal element of S = { n ∈ B | NB ⊑ n ∧ n1 ⋢ n } that is on a regular strand and is positive Lemma: ∃ n′ with n′ ⇒* n″ and n′ = -{NA, NB, B}KA Proof: • NB originates uniquely at n1. • n″  n1 because n1 ⋢ n″. • Thus, NB does not originate in n″ and ∃ n′: NB ⊑ n′. • By minimality: n′ = -{NA, NB, B}KA Lemma: The strand of n′ and n″ is an initiator strand and contained in B Proof: Exercise.

  39. NSL-Space Lemmata (IV) Lemma: Since the strand of n′ = -{NA, NB, B}KA and n″ = +{NB}KB is an initiator strand s, we know that s ∈ Init[A, B, NA, NB] Theorem: If  is an NSL-Space and NA is uniquely originating in  then there is at most one strand s ∈ Init[A, B, NA, NB] for any A, B, NB Proof: • if s ∈ Init[A, B, NA, NB] for any A, B, NB then the first node n1 of s is positive. • NA ∈ n1 and obviously NA originates on n1 • Since NA is uniquely originating in  there is only one s of this type

  40. Analysis of the Insights Why does this proof fail when using the original Needham-Schroeder protocol? • We could prove: Let n″ be a ≼B-minimal element of S = { n ∈ B | NB ⊑ n ∧ n1 ⋢ n } that is on a regular strand and is positive Lemma: ∃ n′ with n′ ⇒* n″ and n′ = +{NA, NB}KA • But we fail to prove: Lemma: Since the strand of n′ = -{NA, NB}KA and n″ = +{NB}KC is an initiator strand s, we know that s ∈ Init[A, B, NA, NB] we only know that s ∈ Init[A, C, NA, NB] for some C !!!

  41. Authentication Tests • Authentication of a principal is done by forcing the principal to apply his secret key • Typically: • decryption: { m }K … …m… • signing: …m… … { m }K-1 • Precondition: nobody can learn about the secret key K-1 • K-1 ∈ Prot( B ) : K-1 occurs in the bundle only inside encryptions: {… K-1 …}K′ Notice: K occurs in { t }K only if K occurs in t !

  42. Outgoing Authentication Test • Figure: n1: +…{ m }K… ; nm: -…m… ; nodes n′, n″ on a strand with knowledge of K-1 Let S ⊂ { { t }K | K-1 ∈ Prot( B ) } Suppose a message m • originates uniquely in B at n1 and • occurs only within S in n1 • but occurs in some node nm ∈ B outside S then • there is a regular strand s with a positive node n″ such that m occurs outside S for the first time in S and • there is a node n′ preceding n″ on s such that m ⊑ n″.

  43. Incoming Authentication Test • Figure: n1: +…m… ; nm: -…{ m }K… ; nodes n′, n″ on a strand with knowledge of K Suppose a message { m }K • occurs within a negative node nm • K ∈ Prot( B ) • m originates outside { m }K at a node n1 then • there is a regular strand s with a positive node n″ such that m occurs outside { m }K in n″ • n1 ≼B n′ ⇒+ n″ ≺B nm with m′ ⊑ n′. (Solicited Incoming Test)

  44. The End
