MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Transcription

1 MSR by Examples Iliano Cervesato ITT Industries, NRL Washington DC PPL 01 March 21 st, 2001

2 Outline I. Security Protocols II. MSR by Examples Multiset rewriting The Neuman-Stubblebine Protocol MSR III. Intruder Models Dolev-Yao intruder MSR by Examples 2

3 Part I Security Protocols MSR by Examples 3

4 What are they? Exchange of (encrypted) messages for Communicating secrets Authentication Contract signing E-commerce MSR by Examples 4

5 Neuman-Stubblebine Phase I A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 5

6 Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab MSR by Examples 6

7 Dolev-Yao Abstraction Symbolic data No bit-strings Perfect cryptography No guessing of keys Public knowledge soup Magic access to data MSR by Examples 7

8 Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Distributed hostile environment Prudent engineering practice Inadequate specification languages the devil is in details MSR by Examples 8

9 Languages to Specify What? Message flow Message constituents Operating environment Protocol goals MSR by Examples 9

10 Desirable Properties Unambiguous Simple Flexible Adapts to protocol Applies to a wide class of protocols Insightful MSR by Examples 10

11 Part II MSR by Examples MSR by Examples 11

12 What s in MSR? Multiset rewriting with existentials Dependent types w/ subsorting Memory predicates New New Constraints New MSR by Examples 12

13 Multiset Rewriting Multiset: set with repetitions allowed Rewrite rule: r: N 1 N 2 Application r M 1 M 2 r M, N 1 M, N 2 Multi-step transition, reachability MSR by Examples 13

14 Neuman-Stubblebine Phase I A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 14

15 NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 15

16 NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 16

17 NS-I: A s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab X X Ticket MSR by Examples 17

18 Sending / Receiving Messages N(A, n A ) Network predicate N(t): t is a message in transit N({B,n A,k AB,T B } kas,x,n B ) N({n B } kab ) MSR by Examples 18

19 Terms Atomic terms Principal names A Keys k Nonces n Term constructors ( ) {_} D e f i n a b l e MSR by Examples 19

20 Nonces n A. N(A, n A ) Existential variables n A instantiated to a new constant N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) MSR by Examples 20

21 MSet Rewriting with Existentials msets of 1 st -order atomic formulas Rules: Application r: F(x) n. G(x,n) r M 1 M 2 c not in M 1 r M, F(t) M, G(t,c) MSR by Examples 21

22 Sequencing actions L. Fresh! n A. N(A, n A ) L(A,n A ) Role state predicate L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) MSR by Examples 22

23 Role state predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data MSR by Examples 23

24 Remembering Things L. n A. L(A,n A ) N(A, n A ) L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) Tkt A (B,k AB,X) Memory predicate MSR by Examples 24

25 Memory Predicates New M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder MSR by Examples 25

26 Role owner New Role owner The principal executing the role L. n A. L(A,n A ) N(A, n A ) A L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) Tkt A (B,k AB,X) MSR by Examples 26

27 What is what? Types A L: princ x nonce. na :nonce. n A :nonce. L(A,n A ) N(A, n A ) B:princ. n A,n B : nonce k AB : shk A B k AS : shk A S X: msg L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) Tkt A (B,k AB,X) MSR by Examples 27

28 Types of Terms A: princ n: nonce k: shk A B k: pubk A k : privk k (definable) Types can depend on term Captures relations between objects Static Local Mandatory MSR by Examples 28

29 Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies MSR by Examples 29

30 Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A MSR by Examples 30

31 Type Checking New Σ P t has type τ in Γ Γ t : τ P is welltyped in Σ Catches: Encryption with a nonce Transmission of a long term key MSR by Examples 31

32 Access Control New r is AC-valid for A in Γ Catches Γ A r P is ACvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Gives meaning to Dolev-Yao intruder MSR by Examples 32

33 NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 33

34 NS-I: B s role L: princ (B) x princ x nonce x shk B S x nonce x time. B A:princ. n A : nonce k BS :shkb S T B : time n B :nonce. N(A, n A ) Clk B (T B ) N(B, {A,n A,T B } kbs, n B ) Clk B (T B ) L(B,A,n A,k BS,n B,T B ). k AB :shka B n B : nonce T now : time T V,T e : time L(B,A,n A,k BS,n B,T B ) N({A,k AB,T B } kbs, {n B } kab ) Val B (A,T B, T V ) (T e = T B + T V ) Auth B (A, k AB,T B,T e ) Val B (A,T B, T V ) Constraint MSR by Examples 34

35 Constraints New χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) MSR by Examples 35

36 NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 36

37 NS-I: S s role Anchored role A,B:princ. k AS :shka S k BS :shkb S n A,n B : nonce T B : time N(B, {A,n A,T B } kbs,n B ) k AB :shka B. N({B,n A,k AB,T B } kas, {A,k AB,T B } kbs, n B ) S MSR by Examples 37

38 Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab MSR by Examples 38

39 NS-II: A s role A L: princ (A) x princ (B) x shk A B x nonce. n A :nonce. B:princ. k AB :shka B X: msg Tkt A (B,k AB,X) N( n A, X) Tkt A (B,k AB,X) L(A, B,k AB,n A ). n A,n B : nonce L(A, B,k AB,n A ) N(n B,{n A } kab ) N({n B } kab ) MSR by Examples 39

40 NS-II: B s role L: princ (B) x princ (A) x shk A B x nonce. B n A : nonce k BS :shkb S A:princ. k AB :shka B T B,T e : time T now : time N(n A, {A,k AB,T B } kbs ) Auth B (A, k AB,T B,T e ) Clk B (T now ) (T now < T e ) n B :nonce. N(n B, {n A } kab ) Auth B (A, k AB,T B,T e ) Clk B (T now ) L(B,A,k AB,n B ). n B : nonce L(B,A,k AB,n B ) N({n B } kab ) MSR by Examples 40

41 Summary: Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory MSR by Examples 41

42 Summary: Roles Role state pred. var. declarations Generic roles L: τ (x 1 ) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Role owner Anchored roles L: τ (x1) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A MSR by Examples 42

43 Summary: Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signature a : τ L l : τ M _ : τ MSR by Examples 43

44 Summary: Execution Model Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules P C C 1-step firing MSR by Examples 44

45 Summary: Rule application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ) Σ [S 2 ] Rρ Σ, c:τ c not in S 1 S, F S, G(c) MSR by Examples 45

46 Properties Type preservation Access control preservation Completeness of Dolev-Yao intruder New MSR by Examples 46

47 Completed Case-Studies Full Needham-Schroeder public-key Otway-Rees Neuman-Stubblebine repeated auth. OFT group key management MSR by Examples 47

48 Part III The Intruder MSR by Examples 48

49 Execution with an Attacker P, P I C C Selected principal(s): Generic capabilities: Well-typed AC-valid I P I Modeled completely within MSR MSR by Examples 49

50 The Dolev-Yao Intruder Specific protocol suite P DY Underlies every protocol analysis tool Completeness still unproved MSR by Examples 50

51 Capabilities of the D-Y Intruder Intercept / emit messages Decrypt / encrypt with known key Split / form pairs Look up public information Generate fresh data MSR by Examples 51

52 DY Intruder Net Interference M I (t) : Intruder knowledge t: msg. N(t) M I (t) I t: msg. M I (t) N(t) I MSR by Examples 52

53 DY Intruder Decryption A,B: princ k: shk A B t: msg M I ({t} k ) M I (k) M I (t) I A: princ k: pubk A k : privk A t: msg M I ({t} k ) M I (k) M I (t) I MSR by Examples 53

54 DY Intruder Encryption A,B: princ k: shk A B t: msg M I (t) M I (k) M I ({t} k ) I A: princ k: pubk A t: msg M I (t) M I (k) M I ({t} k ) I MSR by Examples 54

55 DY Intruder Pairs t 1,t 2 : msg M I (t 1,t 2 ) M I (t 1 ) M I (t 2 ) I t 1,t 2 : msg M I (t 1 ) M I (t 2 ) M I (t 1,t 2 ) I MSR by Examples 55

56 DY Intruder Structural rules t: msg M I ( t) M I (t) M I (t) I t: msg M I ( t) I MSR by Examples 56

57 DY Intruder Data access A: princ. M I (A) I A: princ k: shk I A M I (k) I + dual A: princ k: pubk A M I (k) I k: pubk I k : privk k M I (k ) I No nonces, no other keys, MSR by Examples 57

58 DY Intruder Data Generation Safe data n:nonce. M I (n) I m:msg. M I (m) I Anything else? A,B:princ. k:shk A B. M I (k) I??? It depends on the protocol!!! Automated generation? MSR by Examples 58

59 DY Intruder Stretches AC to Limit AC-valid Well-typed Dolev-Yao intruder MSR by Examples 59

60 Completeness of D-Y Intruder If P [S] R Σ [S ] R Σ with all well-typed and AC-valid Then P, P DY [S] R Σ [S ] R Σ MSR by Examples 60

61 Consequences Justifies design of current tools Support optimizations D-Y intr. often too general/inefficient Generic optimizations Per protocol optimizations Restrictive environments Caps multi-intruder situations MSR by Examples 61

62 Future work Experimentation Clark-Jacob library Fair-exchange protocols More multicast Pragmatics Type-reconstruction Operational execution model(s) Implementation Automated specification techniques MSR by Examples 62