1 / 49

Multiset Rewriting and Security Protocol Analysis

Multiset Rewriting and Security Protocol Analysis. John Mitchell Stanford University I. Cervesato, N. Durgin, P. Lincoln, A. Scedrov. Outline. Protocol security Analysis methods Multiset rewriting with  Rewrite formalism with “choose new value” Protocol modeling within this framework

lonna
Download Presentation

Multiset Rewriting and Security Protocol Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Multiset Rewriting and Security Protocol Analysis John Mitchell Stanford University I. Cervesato, N. Durgin, P. Lincoln, A. Scedrov

  2. Outline • Protocol security • Analysis methods • Multiset rewriting with  • Rewrite formalism with “choose new value” • Protocol modeling within this framework • Decision problems • Applications of the MSR framework

  3. Protocol Security • Cryptographic Protocol • Program distributed over network • Use cryptography to achieve goal • Attacker • Read, intercept, replace messages, and remember their contents • Correctness • Attacker cannot learn protected secret or cause incorrect protocol completion

  4. Needham-Schroeder Protocol { A, Noncea } { Noncea, Nonceb } { Nonceb} Kb A B Ka Kb Result: A and B share two private numbers not known to any observer without Ka-1, Kb-1

  5. Initiate Respond Attacker C D Run of protocol B A Correct if no security violation in any run

  6. Anomaly in N-S Protocol [Lowe] {A, Na} Ke A E {Na, Nb} Ka {Nb} Ke {A, Na} {Na, Nb} Evil agent E tricks honest A into revealing private key Nb from B. Kb Ka B Evil E can then fool B.

  7. Contract Signing (Fair Exchange) • Both parties want to sign a contract • Neither wants to commit first Immunity deal

  8. I am going to sign the contract I am going to sign the contract Here is my signature Here is my signature General protocol outline • Trusted third party can force contract • Third party can declare contract binding if presented with first two messages. A B

  9. Asokan-Shoup-Waidner protocol Agree Abort B A m1= sign(A, c, hash(r_A) ) A B sign(B, m1, hash(r_B) ) a1 Network ??? r_A T If not already resolved r_B sigT(a1,abort) Resolve Attack? m1 A B m2 A Net ??? T T sigT(m1, m2)

  10. Transport (TCP) Internet (IP) Network interface Physical layer Secure Sockets Layer http ftp telnet Application nntp SSL Common use: https = http over SSL

  11. Handshake Protocol Signature:signCA{…} Encryption:{ …}K Hash:Hash( …) ClientHelloCSC, VerC, SuiteC, NC ServerHelloS  CVerS, SuiteS, NS,signCA{S, KS} ClientVerify C  SsignCA{C, VC } {VerC, SecretC} signC {Hash(Master(NC, NS, SecretC) + Pad2 + Hash(Msgs + C + Master(NC, NS, SecretC) + Pad1)) } (Change to negotiated cipher) ServerFinished S  C{Hash(Master(NC, NS, SecretC) + Pad2 + Hash(Msgs + S + Master(NC, NS, SecretC) + Pad1)) } ClientFinishedC  S{Hash(Master(NC, NS, SecretC) + Pad2 + Hash( Msgs + C + Master(NC, NS, SecretC) + Pad1)) } KS Master(NC, NS, SecretC) Master(NC, NS, SecretC)

  12. II. Analysis Methods

  13. Protocol Analysis Methods • Non-formal approaches (useful, but no tools…) • Some crypto-based proofs [Bellare, Rogaway] • Communicating Turing Machines [Canetti] • BAN and related logics • Axiomatic semantics of protocol steps • Methods based on operational semantics • Intruder model derived from Dolev-Yao • Protocol gives rise to set of traces • Denotation of protocol = set of runs involving arbitrary number of principals plus intruder

  14. Example projects and tools • Prove protocol correct • Paulson’s “Inductive method”, others in HOL, PVS, • MITRE - Strand spaces • Process calculus: Abadi-Gordon, Gordon-Jeffrey • Search using symbolic representation of states • Meadows: NRL Analyzer, Millen: CAPSL • Exhaustive finite-state analysis • FDR, based on CSP [Lowe, Roscoe, Schneider, …] • Murphi, CASPER, CAPSL, … All depend on behavior of protocol in presence of attack

  15. Multiset Rewriting Method • A form of rewriting with • One associative, commutative operator (Banatre, LeMetayer; Chem Abs Machine) •  to generate fresh data • Conventions for modeling protocols, adversary using rewriting

  16. Linear Logic (      ) Proof search (Horn clause) Multiset rewriting Finite Automata Process Calculus A notation for inf-state systems • Many previous models are buried in tools • Define common model in tool-independent formalism

  17. Modeling Requirements • Express properties of protocols • Initialization • Principals and their private/shared data • Nonces • Generate fresh random data • Model attacker • Characterize possible messages by attacker • Cryptography • Set of runs of protocol under attack

  18. Notation commonly found in literature • The notation describes protocol traces • Does not • specify initial conditions • define response to arbitrary messages • characterize possible behaviors of attacker A  B : { A, Noncea }Kb B  A : { Noncea, Nonceb }Ka A  B : { Nonceb }Kb

  19. Rewriting Notation • Non-deterministic infinite-state systems • Facts F ::= P(t1, …, tn) t ::= x | c | f(t1, …, tn) • States { F1, ..., Fn } • Multiset of facts • Includes network messages, private state • Intruder will see messages, not private state Multi-sorted first-order atomic formulas

  20. Rewrite rules • Transition • F1, …, Fkx1 … xm. G1, … , Gn • What this means • If F1, …, Fkin state, then a next state ’ has • Facts F1, …, Fkremoved • G1, … , Gnadded, with x1 … xm replaced by new symbols • Other facts in state carry over to’ • Free variables in rule universally quantified • Note • Pattern matching in F1, …, Fkcan invert functions • Linear Logic: F1…Fkx1 … xm(G1…Gn)

  21. Finite-State Example • Predicates:State, Input • Function: • Constants:q0, q1, q2, q3, a, b, nil • Transitions:State(q0), Input(a  x)  State(q1), Input(x) State(q0), Input(b  x)  State(q2), Input(x) ... Set of rewrite transition sequences = set of runs of automaton a a q1 b a q0 b q3 b a b q2 b

  22. Simplified Needham-Schroeder • Predicates Ai, Bi, Ni --Alice, Bob, Network in state i • Transitions x. A1(x) A1(x)  N1(x), A2(x) N1(x)  y. B1(x,y) B1(x,y)  N2(x,y), B2(x,y) A2(x), N2(x,y)  A3(x,y) A3(x,y)  N3(y), A4(x,y) B2(x,y), N3(y)  B3(x,y) picture next slide A  B: {na, A}Kb B  A: {na, nb}Ka A  B: {nb}Kb • Authentication A4(x,y)  B3(x,y’)  y=y’

  23. A  B: {na, A}Kb B  A: {na, nb}Ka A  B: {nb}Kb Sample Trace x. A1(x) A1(x)  A2(x), N1(x) N1(x)  y. B1(x,y) B1(x,y)  N2(x,y), B2(x,y) A2(x), N2(x,y)  A3(x,y) A3(x,y)  N3(y), A4(x,y) B2(x,y), N3(y)  B3(x,y) A1(na) N1(na) A2(na) B1(na, nb) A2(na) N2(na, nb) B2(na, nb) A2(na) B2(na, nb) A3(na, nb) N3(nb) B2(na, nb) A4(na, nb) B3(na, nb) A4(na, nb)

  24. Adversary and Cryptography • How powerful is the adversary? • Simple replay of previous messages • Block messages; Decompose, reassemble, resend • Statistical analysis, traffic analysis • Timing attacks • How much detail in underlying data types? • Plaintext, ciphertext and keys • atomic data or bit sequences • Encryption and hash functions • “perfect” cryptography • algebraic properties: encr(x*y) = encr(x) * encr(y) for RSA encrypt(k,msg) = msgk mod N

  25. Common Intruder Model • Derived from Dolev-Yao model • Adversary is nondeterministic process • Adversary can • Block network traffic • Read any message, decompose into parts • Decrypt if key is known to adversary • Insert new message from data it has observed • Adversary cannot • Gain partial knowledge • Guess part of a key • Perform statistical tests, …

  26. Formalize Intruder Model • Intercept, decompose and remember messages N1(x)  M(x) N2(x,y)  M(x), M(y) N3(x)  M(x) • Decrypt if key is known M(enc(k,x)), M(k)  M(x) • Compose and send messages from “known” data M(x)  N1(x), M(x) M(x), M(y)  N2(x,y), M(x), M(y) M(x)  N3(x), M(x) • Generate new data as needed x. M(x) Highly nondeterministic, same for any protocol

  27. Attack on Simplified Protocol x. A1(x) A1(x)  A2(x), N1(x) N1(x)  M(x) x. M(x) M(x)  N1(x), M(x) N1(x)  y. B1(x,y) A1(na) N1(na) A2(na) A2(na) M(na) A2(na) M(na), M(na’) N1(na’) A2(na) M(na), M(na’) A2(na) M(na), M(na’) B1(na’, nb) Continue “man-in-the-middle” to violate specification

  28. Protocols vs Rewrite rules • Can axiomatize any computational system • But -- protocols are not arbitrary programs Choose principals Select roles Client Client TGS Server

  29. Protocol theory • Initialization theory • Bounded theory that “precedes” protocol run • Example:  key. Principal(key) • Role generation theory • Principal(key)  A0(key), Principal(key) • Principal(key)  B0(key), Principal(key) • Role theory • Finite ordered list of rules Ai(…), Nj(…)  … Ak(…), Nl(x)where i<k, j<l • Can also have persistent predicates on left/right

  30. Two-phase intruder theory • Avoid pointless looping by intruder • M(x), M(y)  N(x,y), M(x), M(y) • N (x,y)  M(x), M(y) • Phase 1: Decomposition • Phase 2: Composition

  31. Thesis: MSR Model is accurate • Captures “Dolev-Yao-Needham-Millen-Meadows- …” model • MSR defines set of traces protocol and attacker • Connections with approach in other formalisms • Useful for protocol analysis • Errors shown by model are errors in protocol • If no error appears, then no attack can be carried out using only the actions allowed by the model

  32. IV. Decision Problems

  33. Bounded # of roles Bounded use of  Unbounded use of  Intruder with  ,   only Intruder w/o  ,   only Complexity results using MSR Key insight: existential quantification () captures cryptographic nonce; main source of complexity NP – complete ?? Undecidable DExp – time All: Finite number of different roles, each role of finite length, bounded message size [Durgin, Lincoln, Mitchell, Scedrov]

  34. Bounded # of subsets Bounded use of  Unbounded use of  Transfer rules with  ,   only Transfer rules w/o  ,   only [Durgin, Lincoln, Mitchell, Scedrov] Corresponding rewrite systems • Standard set of rules, standard rewrite sequence • Partition into disjoint subsets • Each subset progresses finitely • Fixed set of rules move terms from one subset to another • Bounded number of function symbols in any term NP – complete ?? Undecidable DExp – time

  35. Bounded # of roles Bounded # of  Unbounded # of  Intruder with  ,   only Intruder w/o  ,   only Lower bounds from Horn clauses Need to show that hard instances of Horn clause inference can be be represented in the restricted form of a security protocol NP-complete: Provable by bounded-length proof ?? Undecidable: Datalog +  Dexptime: Datalog All: Finite number of different roles, each role of finite length, bounded message size [Durgin, Lincoln, Mitchell, Scedrov]

  36. Additional decidable cases • Bounded role instances, unbounded msg size • Huima 99: decidable • Amadio, Lugiez: NP w/ atomic keys • Rusinowitch, Turuani: NP-complete, composite keys • Other studies, e.g., Kusters: unbounded # data fields • Constraint systems • Cortier, Comon: Limited equality test • Millen, Shmatikov: Finite-length runs All: bound number of role instances

  37. IV. Refinement and applications of multiset rewriting framework

  38. Using MSR for protocol analysis • Extensions and general properties • Add dependent types and subsorting [C] • DY intruder is most powerful attacker [C] • Relate to other models • Strand space model [CDLMS] • Linear logic provability [CDKS] • Prove protocols correct • Contract signing [Chadha, Kanovich, Scedrov] • Kerberos 5 [Butler, Cervesato, Jaggard, Scedrov]

  39. [Chadha, Kanovich, Scedrov] A glimpse of contract signing • Each party enters contract with goal • Party who wants contract acts to complete the contract • Correctness is relative to goal • Do not want well-intentioned party to suffer • Leads to game-theoretic notions • If A follows strategy S, then B cannot achieve win over A • Or, A follows strategy from some class …

  40. S1 S3 S2 S4 S5 S8 S6 S7 Strategy: example S • Define execution tree using MSR • Prune tree according to assumed strategy • Determine correctness

  41. Honest participant • Principle A is said to be honest if • A moves only according to protocol Equivalent: A’s key not known to adversary

  42. Interested participant • Honest A is said to be interested if • Whenever A can choose between • waiting for a message from B • asking TTP for an abort A waits and allows B to move next [Chadha, Mitchell, Scedrov, Shmatikov]

  43. Optimistic participant • Honest A is said to be optimistic if • Whenever A can choose between • waiting for a message from B • contacting TTP for any purpose A waits and allows B to move next

  44. Hierarchy Advantage against honest A H-adv  Advantage against interested A I-adv  Advantage against optimistic A O-adv MSR model lets us define execution tree Define strategies, correctness over execution model (End glimpse of contract signing)

  45.   Protocol analysis spectrum Hand proofs  High Poly-time calculus Multiset rewriting with  Spi-calculus  Sophistication of attacks Strands  Paulson    NRL  Bolignano BAN logic   Low Model checking Protocol logic   FDR Murj Low High Protocol complexity

  46. What’s missing? (Future directions) • Specification language • MSR defines traces, execution tree • Need to specify correctness formally • Programming language? • Separate commands done from those that remain • Distinguish local knowledge from global state • Quantification over protocols • Every protocol satisfying  also satisfies . • Composition: Properties of Compose(P, Q) from properties of P and Q

  47. Conclusions • Thesis • Protocol analysis requires precise definition of possible runs under attack • Multiset rewriting with  • Provides natural, usable formalism • Captures set of runs • Exhibits uniformity of DY attacker • Related to linear logic, other protocol notations • Can use proof-theoretic results from LL • Can approximate MSR model by finite-state analysis

  48. Conclusions • Results • Decision problems • NP-complete with bounded role instances • Dexp-time complete with bounded nonces () • Undecidable even if everything else bounded • Applications • Metatheory • Two attackers no better than one • Correctness of model checking optimizations • Protocol analysis • Contract signing, Kerberos v5

More Related