490 likes | 516 Views
This outline discusses protocol security, analysis methods, multiset rewriting, and protocol modeling within the MSR framework. It also explores decision problems and applications of the MSR framework.
E N D
Multiset Rewriting and Security Protocol Analysis John Mitchell Stanford University I. Cervesato, N. Durgin, P. Lincoln, A. Scedrov
Outline • Protocol security • Analysis methods • Multiset rewriting with • Rewrite formalism with “choose new value” • Protocol modeling within this framework • Decision problems • Applications of the MSR framework
Protocol Security • Cryptographic Protocol • Program distributed over network • Use cryptography to achieve goal • Attacker • Read, intercept, replace messages, and remember their contents • Correctness • Attacker cannot learn protected secret or cause incorrect protocol completion
Needham-Schroeder Protocol { A, Noncea } { Noncea, Nonceb } { Nonceb} Kb A B Ka Kb Result: A and B share two private numbers not known to any observer without Ka-1, Kb-1
Initiate Respond Attacker C D Run of protocol B A Correct if no security violation in any run
Anomaly in N-S Protocol [Lowe] {A, Na} Ke A E {Na, Nb} Ka {Nb} Ke {A, Na} {Na, Nb} Evil agent E tricks honest A into revealing private key Nb from B. Kb Ka B Evil E can then fool B.
Contract Signing (Fair Exchange) • Both parties want to sign a contract • Neither wants to commit first Immunity deal
I am going to sign the contract I am going to sign the contract Here is my signature Here is my signature General protocol outline • Trusted third party can force contract • Third party can declare contract binding if presented with first two messages. A B
Asokan-Shoup-Waidner protocol Agree Abort B A m1= sign(A, c, hash(r_A) ) A B sign(B, m1, hash(r_B) ) a1 Network ??? r_A T If not already resolved r_B sigT(a1,abort) Resolve Attack? m1 A B m2 A Net ??? T T sigT(m1, m2)
Transport (TCP) Internet (IP) Network interface Physical layer Secure Sockets Layer http ftp telnet Application nntp SSL Common use: https = http over SSL
Handshake Protocol Signature:signCA{…} Encryption:{ …}K Hash:Hash( …) ClientHelloCSC, VerC, SuiteC, NC ServerHelloS CVerS, SuiteS, NS,signCA{S, KS} ClientVerify C SsignCA{C, VC } {VerC, SecretC} signC {Hash(Master(NC, NS, SecretC) + Pad2 + Hash(Msgs + C + Master(NC, NS, SecretC) + Pad1)) } (Change to negotiated cipher) ServerFinished S C{Hash(Master(NC, NS, SecretC) + Pad2 + Hash(Msgs + S + Master(NC, NS, SecretC) + Pad1)) } ClientFinishedC S{Hash(Master(NC, NS, SecretC) + Pad2 + Hash( Msgs + C + Master(NC, NS, SecretC) + Pad1)) } KS Master(NC, NS, SecretC) Master(NC, NS, SecretC)
Protocol Analysis Methods • Non-formal approaches (useful, but no tools…) • Some crypto-based proofs [Bellare, Rogaway] • Communicating Turing Machines [Canetti] • BAN and related logics • Axiomatic semantics of protocol steps • Methods based on operational semantics • Intruder model derived from Dolev-Yao • Protocol gives rise to set of traces • Denotation of protocol = set of runs involving arbitrary number of principals plus intruder
Example projects and tools • Prove protocol correct • Paulson’s “Inductive method”, others in HOL, PVS, • MITRE - Strand spaces • Process calculus: Abadi-Gordon, Gordon-Jeffrey • Search using symbolic representation of states • Meadows: NRL Analyzer, Millen: CAPSL • Exhaustive finite-state analysis • FDR, based on CSP [Lowe, Roscoe, Schneider, …] • Murphi, CASPER, CAPSL, … All depend on behavior of protocol in presence of attack
Multiset Rewriting Method • A form of rewriting with • One associative, commutative operator (Banatre, LeMetayer; Chem Abs Machine) • to generate fresh data • Conventions for modeling protocols, adversary using rewriting
Linear Logic ( ) Proof search (Horn clause) Multiset rewriting Finite Automata Process Calculus A notation for inf-state systems • Many previous models are buried in tools • Define common model in tool-independent formalism
Modeling Requirements • Express properties of protocols • Initialization • Principals and their private/shared data • Nonces • Generate fresh random data • Model attacker • Characterize possible messages by attacker • Cryptography • Set of runs of protocol under attack
Notation commonly found in literature • The notation describes protocol traces • Does not • specify initial conditions • define response to arbitrary messages • characterize possible behaviors of attacker A B : { A, Noncea }Kb B A : { Noncea, Nonceb }Ka A B : { Nonceb }Kb
Rewriting Notation • Non-deterministic infinite-state systems • Facts F ::= P(t1, …, tn) t ::= x | c | f(t1, …, tn) • States { F1, ..., Fn } • Multiset of facts • Includes network messages, private state • Intruder will see messages, not private state Multi-sorted first-order atomic formulas
Rewrite rules • Transition • F1, …, Fkx1 … xm. G1, … , Gn • What this means • If F1, …, Fkin state, then a next state ’ has • Facts F1, …, Fkremoved • G1, … , Gnadded, with x1 … xm replaced by new symbols • Other facts in state carry over to’ • Free variables in rule universally quantified • Note • Pattern matching in F1, …, Fkcan invert functions • Linear Logic: F1…Fkx1 … xm(G1…Gn)
Finite-State Example • Predicates:State, Input • Function: • Constants:q0, q1, q2, q3, a, b, nil • Transitions:State(q0), Input(a x) State(q1), Input(x) State(q0), Input(b x) State(q2), Input(x) ... Set of rewrite transition sequences = set of runs of automaton a a q1 b a q0 b q3 b a b q2 b
Simplified Needham-Schroeder • Predicates Ai, Bi, Ni --Alice, Bob, Network in state i • Transitions x. A1(x) A1(x) N1(x), A2(x) N1(x) y. B1(x,y) B1(x,y) N2(x,y), B2(x,y) A2(x), N2(x,y) A3(x,y) A3(x,y) N3(y), A4(x,y) B2(x,y), N3(y) B3(x,y) picture next slide A B: {na, A}Kb B A: {na, nb}Ka A B: {nb}Kb • Authentication A4(x,y) B3(x,y’) y=y’
A B: {na, A}Kb B A: {na, nb}Ka A B: {nb}Kb Sample Trace x. A1(x) A1(x) A2(x), N1(x) N1(x) y. B1(x,y) B1(x,y) N2(x,y), B2(x,y) A2(x), N2(x,y) A3(x,y) A3(x,y) N3(y), A4(x,y) B2(x,y), N3(y) B3(x,y) A1(na) N1(na) A2(na) B1(na, nb) A2(na) N2(na, nb) B2(na, nb) A2(na) B2(na, nb) A3(na, nb) N3(nb) B2(na, nb) A4(na, nb) B3(na, nb) A4(na, nb)
Adversary and Cryptography • How powerful is the adversary? • Simple replay of previous messages • Block messages; Decompose, reassemble, resend • Statistical analysis, traffic analysis • Timing attacks • How much detail in underlying data types? • Plaintext, ciphertext and keys • atomic data or bit sequences • Encryption and hash functions • “perfect” cryptography • algebraic properties: encr(x*y) = encr(x) * encr(y) for RSA encrypt(k,msg) = msgk mod N
Common Intruder Model • Derived from Dolev-Yao model • Adversary is nondeterministic process • Adversary can • Block network traffic • Read any message, decompose into parts • Decrypt if key is known to adversary • Insert new message from data it has observed • Adversary cannot • Gain partial knowledge • Guess part of a key • Perform statistical tests, …
Formalize Intruder Model • Intercept, decompose and remember messages N1(x) M(x) N2(x,y) M(x), M(y) N3(x) M(x) • Decrypt if key is known M(enc(k,x)), M(k) M(x) • Compose and send messages from “known” data M(x) N1(x), M(x) M(x), M(y) N2(x,y), M(x), M(y) M(x) N3(x), M(x) • Generate new data as needed x. M(x) Highly nondeterministic, same for any protocol
Attack on Simplified Protocol x. A1(x) A1(x) A2(x), N1(x) N1(x) M(x) x. M(x) M(x) N1(x), M(x) N1(x) y. B1(x,y) A1(na) N1(na) A2(na) A2(na) M(na) A2(na) M(na), M(na’) N1(na’) A2(na) M(na), M(na’) A2(na) M(na), M(na’) B1(na’, nb) Continue “man-in-the-middle” to violate specification
Protocols vs Rewrite rules • Can axiomatize any computational system • But -- protocols are not arbitrary programs Choose principals Select roles Client Client TGS Server
Protocol theory • Initialization theory • Bounded theory that “precedes” protocol run • Example: key. Principal(key) • Role generation theory • Principal(key) A0(key), Principal(key) • Principal(key) B0(key), Principal(key) • Role theory • Finite ordered list of rules Ai(…), Nj(…) … Ak(…), Nl(x)where i<k, j<l • Can also have persistent predicates on left/right
Two-phase intruder theory • Avoid pointless looping by intruder • M(x), M(y) N(x,y), M(x), M(y) • N (x,y) M(x), M(y) • Phase 1: Decomposition • Phase 2: Composition
Thesis: MSR Model is accurate • Captures “Dolev-Yao-Needham-Millen-Meadows- …” model • MSR defines set of traces protocol and attacker • Connections with approach in other formalisms • Useful for protocol analysis • Errors shown by model are errors in protocol • If no error appears, then no attack can be carried out using only the actions allowed by the model
Bounded # of roles Bounded use of Unbounded use of Intruder with , only Intruder w/o , only Complexity results using MSR Key insight: existential quantification () captures cryptographic nonce; main source of complexity NP – complete ?? Undecidable DExp – time All: Finite number of different roles, each role of finite length, bounded message size [Durgin, Lincoln, Mitchell, Scedrov]
Bounded # of subsets Bounded use of Unbounded use of Transfer rules with , only Transfer rules w/o , only [Durgin, Lincoln, Mitchell, Scedrov] Corresponding rewrite systems • Standard set of rules, standard rewrite sequence • Partition into disjoint subsets • Each subset progresses finitely • Fixed set of rules move terms from one subset to another • Bounded number of function symbols in any term NP – complete ?? Undecidable DExp – time
Bounded # of roles Bounded # of Unbounded # of Intruder with , only Intruder w/o , only Lower bounds from Horn clauses Need to show that hard instances of Horn clause inference can be be represented in the restricted form of a security protocol NP-complete: Provable by bounded-length proof ?? Undecidable: Datalog + Dexptime: Datalog All: Finite number of different roles, each role of finite length, bounded message size [Durgin, Lincoln, Mitchell, Scedrov]
Additional decidable cases • Bounded role instances, unbounded msg size • Huima 99: decidable • Amadio, Lugiez: NP w/ atomic keys • Rusinowitch, Turuani: NP-complete, composite keys • Other studies, e.g., Kusters: unbounded # data fields • Constraint systems • Cortier, Comon: Limited equality test • Millen, Shmatikov: Finite-length runs All: bound number of role instances
IV. Refinement and applications of multiset rewriting framework
Using MSR for protocol analysis • Extensions and general properties • Add dependent types and subsorting [C] • DY intruder is most powerful attacker [C] • Relate to other models • Strand space model [CDLMS] • Linear logic provability [CDKS] • Prove protocols correct • Contract signing [Chadha, Kanovich, Scedrov] • Kerberos 5 [Butler, Cervesato, Jaggard, Scedrov]
[Chadha, Kanovich, Scedrov] A glimpse of contract signing • Each party enters contract with goal • Party who wants contract acts to complete the contract • Correctness is relative to goal • Do not want well-intentioned party to suffer • Leads to game-theoretic notions • If A follows strategy S, then B cannot achieve win over A • Or, A follows strategy from some class …
S1 S3 S2 S4 S5 S8 S6 S7 Strategy: example S • Define execution tree using MSR • Prune tree according to assumed strategy • Determine correctness
Honest participant • Principle A is said to be honest if • A moves only according to protocol Equivalent: A’s key not known to adversary
Interested participant • Honest A is said to be interested if • Whenever A can choose between • waiting for a message from B • asking TTP for an abort A waits and allows B to move next [Chadha, Mitchell, Scedrov, Shmatikov]
Optimistic participant • Honest A is said to be optimistic if • Whenever A can choose between • waiting for a message from B • contacting TTP for any purpose A waits and allows B to move next
Hierarchy Advantage against honest A H-adv Advantage against interested A I-adv Advantage against optimistic A O-adv MSR model lets us define execution tree Define strategies, correctness over execution model (End glimpse of contract signing)
Protocol analysis spectrum Hand proofs High Poly-time calculus Multiset rewriting with Spi-calculus Sophistication of attacks Strands Paulson NRL Bolignano BAN logic Low Model checking Protocol logic FDR Murj Low High Protocol complexity
What’s missing? (Future directions) • Specification language • MSR defines traces, execution tree • Need to specify correctness formally • Programming language? • Separate commands done from those that remain • Distinguish local knowledge from global state • Quantification over protocols • Every protocol satisfying also satisfies . • Composition: Properties of Compose(P, Q) from properties of P and Q
Conclusions • Thesis • Protocol analysis requires precise definition of possible runs under attack • Multiset rewriting with • Provides natural, usable formalism • Captures set of runs • Exhibits uniformity of DY attacker • Related to linear logic, other protocol notations • Can use proof-theoretic results from LL • Can approximate MSR model by finite-state analysis
Conclusions • Results • Decision problems • NP-complete with bounded role instances • Dexp-time complete with bounded nonces () • Undecidable even if everything else bounded • Applications • Metatheory • Two attackers no better than one • Correctness of model checking optimizations • Protocol analysis • Contract signing, Kerberos v5