Abstract Specification of Crypto- Protocols and their Attack Models in MSR

Size: px

Start display at page:

Download "Abstract Specification of Crypto- Protocols and their Attack Models in MSR"

Virgil Maxwell
6 years ago
Views:

Abstract Specification of Crypto- Protocols and their Attack Models in MSR Iliano Cervesato iliano@itd.nrl.navy.

1 Abstract Specification of Crypto- Protocols and their Attack Models in MSR Iliano Cervesato ITT Industries, NRL Washington DC Software Engineering Institute - CMU August 6 th, 2001

2 Outline I. Dolev-Yao specifications II. Specifying Protocols in MSR III.Access Control IV. Specifying Attacker Models V. Inferring the Dolev-Yao Attacker Specifying Crypto-Protocols and their Intruder Models in MSR 2

3 Part I Dolev-Yao Specification of Security Protocols Specifying Crypto-Protocols and their Intruder Models in MSR 3

4 Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Distributed hostile environment Prudent engineering practice Inadequate specification languages the devil is in details Specifying Crypto-Protocols and their Intruder Models in MSR 4

5 Dolev-Yao Abstraction Symbolic data No bit-strings Perfect cryptography No guessing of keys Public knowledge soup Magic access to data Specifying Crypto-Protocols and their Intruder Models in MSR 5

6 pictorially s a k b k a Specifying Crypto-Protocols and their Intruder Models in MSR 6

7 Languages to Specify What? Message flow Message constituents Operating environment Protocol goals Specifying Crypto-Protocols and their Intruder Models in MSR 7

8 Desirable Properties Unambiguous Simple Flexible Applies to a wide class of protocols Insightful Gives insight about protocols Specifying Crypto-Protocols and their Intruder Models in MSR 8

9 Part II Specifying Protocols in MSR Specifying Crypto-Protocols and their Intruder Models in MSR 9

10 What s in MSR 2.0? Multiset rewriting with existentials Dependent types w/ subsorting Memory predicates New New Constraints New Specifying Crypto-Protocols and their Intruder Models in MSR 10

11 Terms Atomic terms Principal names Keys Nonces Term constructors ( ) {_} _ [_] _ {{_}} _ A k n D e f i n a b l e Specifying Crypto-Protocols and their Intruder Models in MSR 11

12 Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory Specifying Crypto-Protocols and their Intruder Models in MSR 12

13 Types of Terms A: princ n: nonce k: shk A B k: pubk A Types can depend on term Captures relations between objects k : privk k (definable) Specifying Crypto-Protocols and their Intruder Models in MSR 13

14 Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Specifying Crypto-Protocols and their Intruder Models in MSR 14

15 Role state predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data Specifying Crypto-Protocols and their Intruder Models in MSR 15

16 Memory Predicates New M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder Specifying Crypto-Protocols and their Intruder Models in MSR 16

17 Constraints New χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) Specifying Crypto-Protocols and their Intruder Models in MSR 17

18 Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A Specifying Crypto-Protocols and their Intruder Models in MSR 18

19 Roles Role state pred. var. declarations Generic roles Role owner Anchored roles L: τ (x 1 ) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs L: τ (x1) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A A Specifying Crypto-Protocols and their Intruder Models in MSR 19

20 Needham-Schroeder Public-Key Protocol (fragment) A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb ( Usual Notation ) Specifying Crypto-Protocols and their Intruder Models in MSR 20

21 MSR 2.0 NS Initiator A L: princ x princ (B) x pubk B x nonce. B: princ k B : pubk B n A :nonce. L(A,B,k B,n A ) N({n A,A} kb ) k A : pubk A k A : privk k A n A,n B : nonce L(A,B,k B,n A ) N({n A,n B } ka ) N({n B } kb ) Specifying Crypto-Protocols and their Intruder Models in MSR 21

22 MSR 2.0 NS Responder L: princ (B) x princ (A) x pubk B (kb) x privk k B x nonce x pubk A x nonce. B k B : pubk B k B : privk k B A: princ n A : nonce k A : pubk A N({n A,A} kb ) n B :nonce. L( ) N({n A,n B } ka ) n B : nonce L(B,k B,k B,A,n A,k A,n B ) N({n B } kb ) Specifying Crypto-Protocols and their Intruder Models in MSR 22

23 Type Checking New Σ P t has type τ in Γ Catches: Γ t : τ Encryption with a nonce P is welltyped in Σ Transmission of a long term key Circular key hierarchies, Static and dynamic uses Decidable Specifying Crypto-Protocols and their Intruder Models in MSR 23

24 Execution Model 1-step firing P C C Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules Specifying Crypto-Protocols and their Intruder Models in MSR 24

25 Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signature a : τ L l : τ M _ : τ Specifying Crypto-Protocols and their Intruder Models in MSR 25

26 Rule application Constraint check F, χ n:τ. G(n) Σ = χ (constraint handler) Firing [S 1 ] R Σ [S 2 ] R Σ, c:τ c not in S 1 S, F S, G(c) Specifying Crypto-Protocols and their Intruder Models in MSR 26

27 Properties Admissibility of parallel firing Type preservation Access control preservation Completeness of Dolev-Yao intruder New Specifying Crypto-Protocols and their Intruder Models in MSR 27

28 Part III Access Control Specifying Crypto-Protocols and their Intruder Models in MSR 28

29 Access Control r is AC-valid for A in Γ Catches Γ A r New P is ACvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Static Decidable Gives meaning to Dolev-Yao intruder Specifying Crypto-Protocols and their Intruder Models in MSR 29

30 Overview Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Verify access to data Specifying Crypto-Protocols and their Intruder Models in MSR 30

31 Processing a Rule Γ A lhs >> Δ Γ; Δ A rhs Γ A lhs rhs Specifying Crypto-Protocols and their Intruder Models in MSR 31

32 Processing Predicates on the LHS Network messages Γ ; Δ A t >> Δ Γ; Δ A N(t) >> Δ Memory predicates Γ ; Δ A t 1,,t n >> Δ Γ; Δ A M A (t 1,,t n ) >> Δ Specifying Crypto-Protocols and their Intruder Models in MSR 32

33 Interpreting Data on the LHS Pairs Γ; Δ A t 1, t 2 >> Δ Γ; Δ A (t 1, t 2 ) >> Δ Encrypted terms Γ; Δ A k >> Δ Γ; Δ A t >> Δ Γ; Δ A {t} k >> Δ Elementary terms Γ; (Δ,x) A x >> (Δ,x) (Γ,x:τ); Δ A x >> (Δ,x) Specifying Crypto-Protocols and their Intruder Models in MSR 33

34 Accessing Data on the LHS Shared keys Γ; (Δ,k) A k >> (Δ,k) (Γ,x:shK A B); Δ A x >> (Δ,x) Public keys (Γ,k:pubK A,k :privk k); (Δ,k ) A k >> (Δ,k ) (Γ,k:pubK A,k :privk k); Δ A k >> (Δ,k ) Specifying Crypto-Protocols and their Intruder Models in MSR 34

35 Generating Data on the RHS Nonces (Γ, x:nonce); (Δ, x) A rhs Γ; Δ A x:nonce. rhs Specifying Crypto-Protocols and their Intruder Models in MSR 35

36 Constructing Terms on the RHS Pairs Γ; Δ A t 1 Γ; Δ A t 2 Γ; Δ A (t 1, t 2 ) Shared-key encryptions Γ; Δ A t Γ; Δ A k Γ; Δ A {t} k Specifying Crypto-Protocols and their Intruder Models in MSR 36

37 Accessing Data on the RHS Principal Γ, B:princ A B Shared key Γ, B:princ, k:shk A B A k Public key Γ, B:princ, k:pubk B A k Private key Γ, k:pubk A, k :privk k A k Specifying Crypto-Protocols and their Intruder Models in MSR 37

38 Part IV Specifying Attacker Models Specifying Crypto-Protocols and their Intruder Models in MSR 38

39 Execution with an Attacker P, P I C C Selected principal(s): Generic capabilities: Well-typed AC-valid I P I Modeled completely within MSR Specifying Crypto-Protocols and their Intruder Models in MSR 39

40 The Dolev-Yao Intruder Specific protocol suite P DY Underlies every protocol analysis tool Completeness still unproved!!! Specifying Crypto-Protocols and their Intruder Models in MSR 40

41 Capabilities of the D-Y Intruder Intercept / emit messages Split / form pairs Decrypt / encrypt with known key Look up public information Generate fresh data Specifying Crypto-Protocols and their Intruder Models in MSR 41

42 DY Intruder Data access M I (t) : Intruder knowledge A: princ. M I (A) I A: princ k: shk I A M I (k) I + dual A: princ k: pubk A M I (k) I k: pubk I k : privk k M I (k ) I No nonces, no other keys, Specifying Crypto-Protocols and their Intruder Models in MSR 42

43 DY Intruder Data Generation Safe data n:nonce. M I (n) I m:msg. M I (m) I Anything else? A,B:princ. k:shk A B. M I (k) I??? It depends on the protocol!!! Automated generation Specifying Crypto-Protocols and their Intruder Models in MSR 43

44 DY Intruder vs. AC AC-valid Well-typed Dolev-Yao intruder New/ D-Y Intruder inferred from AC rules AC rules inferred from prot. spec. (with help) Specifying Crypto-Protocols and their Intruder Models in MSR 44

45 Completeness of D-Y Intruder If P [S] R Σ [S ] R Σ with all well-typed and AC-valid Then P, P DY [S] R Σ [S ] R Σ Specifying Crypto-Protocols and their Intruder Models in MSR 45

46 Consequences Justifies design of current tools Support optimizations D-Y intr. often too general/inefficient Generic optimizations Per protocol optimizations Restrictive environments Caps multi-intruder situations Specifying Crypto-Protocols and their Intruder Models in MSR 46

47 Part V New Inferring the Dolev-Yao Intruder Specifying Crypto-Protocols and their Intruder Models in MSR 47

48 The Dolev-Yao Intruder Model Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Same operations as AC! Specifying Crypto-Protocols and their Intruder Models in MSR 48

49 Accessing Principal Names Γ, B:princ A B I B:princ. M I (B) I Specifying Crypto-Protocols and their Intruder Models in MSR 49

50 What did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore context Γ Specifying Crypto-Protocols and their Intruder Models in MSR 50

51 Checking it out: Shared Keys Γ, A:princ, B:princ, k:shk A B A k I I I B: princ k: shk I B M I (k) I + dual Specifying Crypto-Protocols and their Intruder Models in MSR 51

52 Getting Confident: Pub./Priv. Keys Γ, B:princ, k:pubk B A k I B: princ k: pubk B M I (k) I Γ, A:princ, k:pubk A, k :privk k A k I k: pubk I k : privk k M I (k ) Specifying Crypto-Protocols and their Intruder Models in MSR 52 I I I

53 Constructing Messages: Pairs Γ; Δ A t 1 Γ; Δ A t I I 2 Γ; Δ A (t 1, t 2 ) I t 1,t 2 :msg. M I (t 1 ), M I (t 2 ) M I ((t 1,t 2 )) I Specifying Crypto-Protocols and their Intruder Models in MSR 53

54 Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types Specifying Crypto-Protocols and their Intruder Models in MSR 54

55 Carrying on: Shared-Key Encrypt. Γ; Δ A t Γ; Δ A k I Γ; Δ A {t} I k I A,B: princ k: shk A B t: msg M I (t), M I (k) M I ({t} k ) I Similar for public-key encryption Specifying Crypto-Protocols and their Intruder Models in MSR 55

56 Generating Data: Nonces (Γ, x:nonce); (Δ, x) A rhs Γ; Δ A x:nonce. rhs I I x:nonce. M I (x) I Similarly for other generated data Specifying Crypto-Protocols and their Intruder Models in MSR 56

57 Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types One intruder rule for each AC rule Save generated object Specifying Crypto-Protocols and their Intruder Models in MSR 57

58 Interpreting Shared-Key Encrypt. Γ; Δ A k >> Δ Γ; Δ A t >> Δ I Γ; Δ A {t} k >> Δ I I A,B: princ k: shk A B t: msg M I ({t} k ), M I (k) M I (t) I Similar for public-key encryption pairing Specifying Crypto-Protocols and their Intruder Models in MSR 58

59 Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types One intruder rule for each AC rule Save generated object Premises consequent Conclusion antecedant Specifying Crypto-Protocols and their Intruder Models in MSR 59

60 Network Rules Γ ; Δ A t >> Δ Γ; Δ A N(t) >> Δ t:msg. N(t) M I (t) I Γ ; Δ A t Γ; Δ A N(t) t:msg. M I (t) N(t) I Specifying Crypto-Protocols and their Intruder Models in MSR 60

61 Other Rules? Either redundant, or t:msg. N(t) N(t) I or, innocuous (but sensible) t 1,,t n :msg. M I (t 1,,t n ) M I (t 1 ),,M I (t n ) I Specifying Crypto-Protocols and their Intruder Models in MSR 61

62 Dissecting AC 5 activities: Interpret message components on LHS Constructors atoms Pattern matching Trivial Access data (keys) on LHS Generate data on RHS Trivial Construct messages on RHS Access data on RHS Trivial Specifying Crypto-Protocols and their Intruder Models in MSR 62

63 Accessing data Annotate the type of freely accessible data princ: + type Make it conditional for dep. types pubk: * princ -> + type privk: ΠA: + princ. + pubk A -> + type Specifying Crypto-Protocols and their Intruder Models in MSR 63

64 Generating data Again, annotate types nonce:! type shk: + princ -> + princ ->! type shk: + princ -> + princ ->! type Specifying Crypto-Protocols and their Intruder Models in MSR 64

65 Interpreting constructors Mark arguments as input or output _,_: -msg -> -msg -> msg {_} _ : - msg -> ΠA: + princ. ΠB: + princ. + shk A B -> msg {{_}} _ : - msg -> ΠA: + princ. Πk: + pubk A. + privk k -> msg hash: + msg -> msg [_] _ : + msg -> ΠA: * princ. Πk: * sigk A. * verk k -> msg Specifying Crypto-Protocols and their Intruder Models in MSR 65

66 Annotating declarations Integrates semantics of types and constructors Trimmed down version of AC Allows constructing AC rules Allows constructing the Dolev-Yao intruder Specifying Crypto-Protocols and their Intruder Models in MSR 66

67 alternatively Compute AC rules from protocol There are finitely many annotations Check protocol against each of them Keep the most restrictive ones that validate the protocol Exponential! More efficient algorithms? Specifying Crypto-Protocols and their Intruder Models in MSR 67

68 Wrap-up Specifying Crypto-Protocols and their Intruder Models in MSR 68

69 Case-Studies Full Needham-Schroeder public-key Otway-Rees Neuman-Stubblebine repeated auth. OFT group key management Specifying Crypto-Protocols and their Intruder Models in MSR 69

70 Conclusions Framework for specifying protocols Precise Flexible Powerful Provides Type /AC checking Sequential / parallel execution model Insights about Dolev-Yao intruder Specifying Crypto-Protocols and their Intruder Models in MSR 70

71 Future work Experimentation Clark-Jacob library Fair-exchange protocols More multicast Pragmatics Type-reconstruction Operational execution model(s) Implementation Automated specification techniques Specifying Crypto-Protocols and their Intruder Models in MSR 71

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC. MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples