MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Transcription

1 MSR by Examples Iliano Cervesato ITT Industries, NRL Washington DC IITD, CSE Dept. Delhi, India April 24 th,2002

2 Outline Security Protocols MSR Multiset rewriting The Neuman-Stubblebine Protocol MSR Iliano Cervesato MSR by Examples 2

3 Security Protocols Exchange of (encrypted) messages for Communicating secrets Authentication Contract signing E-commerce Iliano Cervesato MSR by Examples 3

4 Neuman-Stubblebine Phase I A B: A, n A A wants to access service provided by B B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab S is the key distribution center Ticket Iliano Cervesato MSR by Examples 4

5 Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab Ticket A wants to use the service provided by B again Iliano Cervesato MSR by Examples 5

6 The Dolev-Yao Model of Security Symbolic data No bits k a Black-box cryptography No guessing of keys Partially abstract data access Knowledge soup a k a k b s Found in most protocol analysis tools Tractability Iliano Cervesato MSR by Examples 6

7 Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Distributed hostile environment Prudent engineering practice Inadequate specification languages the devil is in details Iliano Cervesato MSR by Examples 7

8 Languages to Specify What? Message flow Message constituents Operating environment Protocol goals Iliano Cervesato MSR by Examples 8

9 Desirable Properties Unambiguous Simple Flexible Adapts to protocol Applies to a wide class of protocols Insightful Iliano Cervesato MSR by Examples 9

10 MSR Multiset rewriting with existentials Dependent types w/ subsorting Memory predicates New New Constraints New Iliano Cervesato MSR by Examples 10

11 Multiset Rewriting Multiset: set with repetitions allowed Rewrite rule: r: N 1 N 2 Application r M 1 M 2 r M, N 1 M, N 2 Multi-step transition, reachability Iliano Cervesato MSR by Examples 11

12 Neuman-Stubblebine Phase I A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Iliano Cervesato MSR by Examples 12

13 NS-I: B s point of view A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Iliano Cervesato MSR by Examples 13

14 NS-I: S s point of view A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Iliano Cervesato MSR by Examples 14

15 NS-I: A s point of view A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab X X Ticket Iliano Cervesato MSR by Examples 15

16 Sending / Receiving Messages N(A, n A ) Network predicate N(t): t is a message in transit N({B,n A,k AB,T B } kas,x,n B ) N(X,{n B } kab ) Iliano Cervesato MSR by Examples 16

17 Terms Atomic terms Principal names A Keys k Nonces n Term constructors ( ) {_} D e f i n a b l e Iliano Cervesato MSR by Examples 17

18 Nonces n A. N(A, n A ) Existential variables n A instantiated to a new constant N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Iliano Cervesato MSR by Examples 18

19 MSet Rewriting with Existentials msets of 1 st -order atomic formulas Rules: Application r: F(x) n. G(x,n) r M 1 M 2 c not in M 1 r M, F(t) M, G(t,c) Iliano Cervesato MSR by Examples 19

20 Sequencing actions L. Fresh! n A. N(A, n A ) L(A,n A ) Role state predicate L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Iliano Cervesato MSR by Examples 20

21 Role state predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data Iliano Cervesato MSR by Examples 21

22 Remembering Things L. n A. L(A,n A ) N(A, n A ) L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Tkt A (B,k AB,X) Memory predicate Iliano Cervesato MSR by Examples 22

23 Memory Predicates New M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder Iliano Cervesato MSR by Examples 23

24 Role owner New Role owner The principal executing the role L. n A. L(A,n A ) N(A, n A ) A L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Tkt A (B,k AB,X) Iliano Cervesato MSR by Examples 24

25 What is what? Types A L: princ x nonce. na :nonce. n A :nonce. L(A,n A ) N(A, n A ) B:princ. n A,n B : nonce k AB : shk A B k AS : shk A S X: msg L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Tkt A (B,k AB,X) Iliano Cervesato MSR by Examples 25

26 Types of Terms A: princ n: nonce k: shk A B k: pubk A k : privk k (definable) Types can depend on term Captures relations between objects Static Local Mandatory Iliano Cervesato MSR by Examples 26

27 Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Iliano Cervesato MSR by Examples 29

28 Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A Iliano Cervesato MSR by Examples 31

29 Type Checking New Σ P t has type τ in Γ Γ t : τ P is welltyped in Σ Catches: Encryption with a nonce Transmission of a long term key Iliano Cervesato MSR by Examples 37

30 Data Access Specification DAS r is DAS-valid for A in Γ Catches New Γ A r P is DASvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Gives meaning to Dolev-Yao intruder Iliano Cervesato MSR by Examples 38

31 NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab Iliano Cervesato MSR by Examples 39

32 NS-I: B s role L: princ (B) x princ x nonce x shk B S x nonce x time. B A:princ. n A : nonce k BS :shkb S T B : time n B :nonce. N(A, n A ) Clk B (T B ) N(B, {A,n A,T B } kbs, n B ) Clk B (T B ) L(B,A,n A,k BS,n B,T B ). k AB :shka B n B : nonce T now : time T V,T e : time L(B,A,n A,k BS,n B,T B ) N({A,k AB,T B } kbs, {n B } kab ) Val B (A,T B, T V ) (T e = T B + T V ) Auth B (A, k AB,T B,T e ) Val B (A,T B, T V ) Constraint Iliano Cervesato MSR by Examples 40

33 Constraints New χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) Iliano Cervesato MSR by Examples 41

34 NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab Iliano Cervesato MSR by Examples 42

35 NS-I: S s role Anchored role A,B:princ. k AS :shka S k BS :shkb S n A,n B : nonce T B : time N(B, {A,n A,T B } kbs,n B ) k AB :shka B. N({B,n A,k AB,T B } kas, {A,k AB,T B } kbs, n B ) S Iliano Cervesato MSR by Examples 43

36 Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab Iliano Cervesato MSR by Examples 44

37 NS-II: A s role A L: princ (A) x princ (B) x shk A B x nonce. n A :nonce. B:princ. k AB :shka B X: msg Tkt A (B,k AB,X) N( n A, X) Tkt A (B,k AB,X) L(A, B,k AB,n A ). n A,n B : nonce L(A, B,k AB,n A ) N(n B,{n A } kab ) N({n B } kab ) Iliano Cervesato MSR by Examples 45

38 NS-II: B s role L: princ (B) x princ (A) x shk A B x nonce. B n A : nonce k BS :shkb S A:princ. k AB :shka B T B,T e : time T now : time N(n A, {A,k AB,T B } kbs ) Auth B (A, k AB,T B,T e ) Clk B (T now ) (T now < T e ) n B :nonce. N(n B, {n A } kab ) Auth B (A, k AB,T B,T e ) Clk B (T now ) L(B,A,k AB,n B ). n B : nonce L(B,A,k AB,n B ) N({n B } kab ) Iliano Cervesato MSR by Examples 46

39 Summary: Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory Iliano Cervesato MSR by Examples 47

40 Summary: Roles Role state pred. var. declarations Generic roles L: τ (x 1 ) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Role owner Anchored roles L: τ (x1) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Iliano Cervesato MSR by Examples 48

41 Summary: Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signature a : τ L l : τ M _ : τ Iliano Cervesato MSR by Examples 49

42 Summary: Execution Model Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules P C C 1-step firing Iliano Cervesato MSR by Examples 50

43 Summary: Rule application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ)A Σ [S 2 ] RρA Σ, c:τ c not in S 1 S, F S, G(c) Iliano Cervesato MSR by Examples 51

44 Properties Decidability of type checking Type preservation Access control preservation Decidability of DAS verification Completeness of Dolev-Yao intruder Iliano Cervesato MSR by Examples 52

45 Completed Case-Studies Full Needham-Schroeder public-key Otway-Rees Neuman-Stubblebine repeated auth. OFT group key management Iliano Cervesato MSR by Examples 53

46 Part III The Intruder Iliano Cervesato MSR by Examples 54

47 Execution with an Attacker P, P I C C Selected principal(s): Generic capabilities: Well-typed AC-valid I P I Modeled completely within MSR Iliano Cervesato MSR by Examples 55

48 The Dolev-Yao Intruder Specific protocol suite P DY Underlies every protocol analysis tool Completeness still unproved Iliano Cervesato MSR by Examples 56

49 Capabilities of the D-Y Intruder Intercept / emit messages Decrypt / encrypt with known key Split / form pairs Look up public information Generate fresh data Iliano Cervesato MSR by Examples 57

50 Future work Experimentation Clark-Jacob library Fair-exchange protocols More multicast Pragmatics Type-reconstruction Operational execution model(s) Implementation Automated specification techniques Iliano Cervesato MSR by Examples 58