Model Checking for Security Protocols
Will Marrero, Edmund Clarke, Somesh Jha

Needham-Schroeder Protocol (circa 1996)
• Purpose: Authenticate Participants

Assumptions
• Perfect Encryption
  • The decryption key must be known to encrypt
  • No encryption collisions
• Proofs offer no protection from poor encryption implementation!

Intruder’s Ability
• Interception
  • Ex:
• Impersonation
  • Ex:
• Legitimate Participant
  • Ex:
• Compromise Temporary Secrets
  • But those secrets should not be revealed by protocol

Security Properties
• Secrecy
  • Tracked by two sets in global state
• Correspondence
  • “If A believes it has completed two protocol runs with principal B, then principal B must have at least begun two protocol runs with principal A.”
  • Tracked by counters in global state

Atomic Messages
• Keys
  • Ex:
• Principal Names
  • Ex: A, B, I
• Nonces
  • Ex:
• Data

Messages and Atomic Messages
• Given a set A of atomic messages, the set M of all messages is defined inductively:

Closure of Messages
• Let be a subset of messages
• The closure of is defined by:
  • (pairing)
  • (projection)
  • (encryption)
  • (decryption)

Principals
• A 4-Tuple
  • N the name of the principal
  • p a process given as a sequence of actions to be performed
  • is a set of known messages, generally infinite, but from a finite generator set.
  • B a set of bindings from variables in p to messages in I

Initial Knowledge
• For the intruder

Global State
• A 5-Tuple
  • is the product of the individual principals (including the intruder)
  • difference between number of times A has initiated a protocol and the number of times B has finished responding
  • difference between number of times A has begun responding and the number of times B has finished initiating

Global State Continued
• A 5-Tuple
  • a set of safe secrets. Remains constant.
  • a set of temporary secrets. New secrets generated during the run of the protocol.
• The last four values check security constraints.

Internal Actions
• NEWNONCE(var)
• NEWSECRET(var)

Internal Actions
• GETSECRET(val) – Intruder Only

Internal Actions
• A calls BEGINIT(B)
• B calls ENDRESPOND(A)
• BEGRESPOND/ENDINIT
  • Symmetric on

Communication Actions
• Sends and receives are synchronized
• A process can only send a message if it unifies with a receive message
• Sender must be able to sculpt a message that matches all existing bindings and expectations
• How does the intruder sculpt such a message?

Finding a needle in a haystack
• Decidability of when is probably infinite?
• Normalized Derivation: (pairing) (projection) (encryption) (decryption)
• Expanding Rules
• Shrinking Rules

Normalized Derivation
• The following algorithm is guaranteed to terminate and decide :
  • Start with a generator set
  • Apply all possible shrinking rules
  • Try all possible sequences of expanding rules until word size is equal to s
• Proves existence

An Efficient Approach
• When adding a message to I in :
  • Apply all possible shrinking rules
  • Remove ‘redundant messages’
  • Result is minimal generator
• Can recursively attempt to build

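
As an added illustration (not code from the slides or the paper), this Python sketch decides whether an intruder can derive a message in the way the last two slides describe: saturate the known set with the shrinking rules, recursively try to build the target with the expanding rules, and prune redundant messages down to a minimal generator. The tuple encoding, the `pk_X`/`sk_X` key naming, the restriction to atomic keys, and the sample messages are assumptions of this example.

```python
# Messages: atoms are str; ("pair", m1, m2); ("enc", body, key), keys atomic.
# Assumed naming for this example only: "pk_X" and "sk_X" invert each other.
def inverse(key):
    kind, _, owner = key.partition("_")
    return ("sk_" if kind == "pk" else "pk_") + owner

def shrink(known):
    """Close a set under the shrinking rules (projection, decryption)."""
    known, changed = set(known), True
    while changed:
        changed = False
        for m in list(known):
            if isinstance(m, tuple) and m[0] == "pair":
                parts = {m[1], m[2]}
            elif isinstance(m, tuple) and m[0] == "enc" and inverse(m[2]) in known:
                parts = {m[1]}
            else:
                continue
            if not parts <= known:
                known |= parts
                changed = True
    return known

def build(m, known):
    """Can m be assembled from `known` with pairing and encryption only?"""
    if m in known:
        return True
    if isinstance(m, tuple):  # pair and enc both need their two components
        return build(m[1], known) and build(m[2], known)
    return False  # an unknown atom cannot be produced by expanding rules

def derivable(m, generators):
    return build(m, shrink(generators))

def minimal_generator(generators):
    """Shrink, then drop every message that the rest can rebuild."""
    gen = shrink(generators)
    for m in sorted(gen, key=repr):
        if isinstance(m, tuple) and build(m, gen - {m}):
            gen.discard(m)
    return gen

# Constructed sample: intruder I's starting knowledge and two observed messages.
INITIAL = {"A", "B", "I", "pk_A", "pk_B", "pk_I", "sk_I"}
MSG1 = ("enc", ("pair", "Na", "A"), "pk_I")   # I holds sk_I, so it can open this
MSG2 = ("enc", ("pair", "Na", "Nb"), "pk_A")  # sk_A unknown, stays opaque

if __name__ == "__main__":
    print(derivable(("enc", ("pair", "Na", "A"), "pk_B"), INITIAL | {MSG1}))
    print(derivable("Nb", INITIAL | {MSG1, MSG2}))
```

Because keys are atomic here, a decryption key can never be the product of an expanding rule, so shrinking first and building second loses no derivations.
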
Verification and Attack
• The lack of correspondence trace reveals the following attack: