Automated Verification of Privacy in Security Protocols:

Size: px

Start display at page:

Download "Automated Verification of Privacy in Security Protocols:"

Ginger Reed
5 years ago
Views:

1 Automated Verification of Privacy in Security Protocols: Back and Forth Between Theory & Practice LSV, ENS Paris-Saclay, Université Paris-Saclay, CNRS April 21st 2017 PhD advisors: David Baelde & Stéphanie Delaune

2 Automated Verification of Privacy in Security Protocols 2 /36

3 Security Protocols Once upon a time... Attack at dawn 3 /36

4 Security Protocols Once upon a time... Attack at dawn 3 /36

5 Security Protocols Once upon a time...? Attack at dawn hscpzf df zdad Attack at dawn 3 /36

6 Security Protocols Remote Key Open Car #41 Car #41 Car #41 4 /36

7 Security Protocols Remote Key Attack: steals Open Car #41 Car #41 4 /36

8 Security Protocols Remote Key X X Car #41 Car #41 generate random X 4 /36

9 Security Protocols Remote Key Attack: tracks (attack on unlinkability) Car #41 4 /36

10 Security Protocols Remote Key Attack: tracks (attack on unlinkability) Car??? = = 4 /36

11 Security Protocols Remote Key X X, Y Car #41 generate random X Car #41 generate random Y End of attack/fix cycle? 4 /36

12 Secure? Extremely complex setting unsecure network active attacker parties running concurrently 5 /36

13 Secure? Extremely complex setting unsecure network active attacker parties running concurrently Formal methods mathematical & exhaustive analysis formal guarantees automated & mechanised 5 /36

14 Automated Verification of Privacy in Security Protocols 6 /36

15 Symbolic Model Cryptographic primitives assumed perfect primitives modelled as function symbols & equational theory e.g., enc(, ), dec(, ) & dec(enc(m, k), k) = m 7 /36

16 Symbolic Model Cryptographic primitives assumed perfect primitives modelled as function symbols & equational theory e.g., enc(, ), dec(, ) & dec(enc(m, k), k) = m Security protocols in a process algebra each party process P = in(x). new Y. out(enc((x, Y ), k)) 7 /36

Symbolic Model Cryptographic primitives assumed perfect primitives modelled as function symbols & equational theory e.g., enc(, ), dec(, ) & dec(enc(m, k), k) = m Security protocols in a process algebra each party process P = in(x).

17 Symbolic Model Cryptographic primitives assumed perfect primitives modelled as function symbols & equational theory e.g., enc(, ), dec(, ) & dec(enc(m, k), k) = m Security protocols in a process algebra each party process P = in(x). new Y. out(enc((x, Y ), k)) Attacker = network (worst case scenario) eavesdrop: he learns all protocol outputs injections: he chooses all protocol inputs Benefit: high level of automation! 7 /36

18 Symbolic Model Big Picture Protocol s specification X X, Y e.g. Security goal cannot steal 8 /36

19 Symbolic Model Big Picture Protocol s specification X X, Y Protocol s model P = in(x). new Y. out(enc((x, Y ), k)) P =... e.g. Security goal cannot steal Unreachability of bad states e.g. States( knows k) 8 /36

20 Symbolic Model Big Picture Protocol s specification X X, Y Protocol s model P = in(x). new Y. out(enc((x, Y ), k)) P =... Undecidable Reachability in a transition system? # sessions s choices e.g. Security goal cannot steal Unreachability of bad states e.g. States( knows k) 8 /36

21 Symbolic Model Big Picture Protocol s specification X X, Y Protocol s model P = in(x). new Y. out(enc((x, Y ), k)) P =... Undecidable between transition systems e.g. Privacy goal cannot track between scenarios e.g.,, 8 /36

22 Two Approaches for Verifying Automatically Decision for < sessions < branching bounded # sessions bound the number of sessions symbolic semantics finite description of exhaustive exploration of symbolic executions Tools: Apte, Akiss, Spec 9 /36

23 Two Approaches for Verifying Automatically Decision for < sessions Semi-decision for sessions Real attack < branching False attack bounded # sessions bound the number of sessions symbolic semantics finite description of exhaustive exploration of symbolic executions Tools: Apte, Akiss, Spec over-approximations of & semantics strong form of (i.e. diff-equivalence) Tools: ProVerif, Tamarin, Maude-NPA 9 /36

24 Limitation of Decision Procedures Decision for < sessions < branching bounded # sessions bound the number of sessions symbolic semantics finite description of exhaustive exploration of symbolic executions Tools: Apte, Akiss, Spec States Space Explosion (concurrency) scales very badly PA: 1 sess. 1sec. vs. 3 sess. >2days 10 /36

25 Limitation of Decision Procedures Decision for < sessions < branching Contributions Partial Order Reduction techniques adequate for security & integration (proof & implem) bounded # sessions bound the number of sessions symbolic semantics finite description of exhaustive exploration of symbolic executions Tools: Apte, Akiss, Spec POST 14 & CONCUR 15 States Space Explosion (concurrency) scales very badly PA: 1 sess. 1sec. vs. 3 sess. >2days 10 /36

26 Limitation of Semi-decision Procedures Semi-decision for sessions Real attack False attack Serious Precision Issue (privacy) systematic false attacks (unlinkability) e.g. e-passport, RFID protocols, over-approximations of & semantics strong form of (i.e. diff-equivalence) Tools: ProVerif, Tamarin, Maude-NPA 11 /36

27 Limitation of Semi-decision Procedures Semi-decision for sessions Contributions Real attack Privacy via Sufficient Conditions 2 conditions unlinkability & ano. automatic verification (our tool UKano) False attack new proofs/attacks on real-life protocols Serious Precision Issue (privacy) S&P 16 systematic false attacks (unlinkability) e.g. e-passport, RFID protocols, over-approximations of & semantics strong form of (i.e. diff-equivalence) Tools: ProVerif, Tamarin, Maude-NPA 11 /36

28 Introduction I Model II Partial Order Reduction III Privacy via Sufficient Conditions IV Conclusion

29 Applied π-calculus Model of messages: Term algebra Function symbols enc(, ), dec(, ) Equational theory = E Model of protocols: Process calculus dec(enc(x, y), y) = E x Process: P, Q := 0 null in(c, x).p input out(c, m).p output if Test then P else Q conditional P Q parallel! P replication new X.P creation of name 13 /36

30 Applied π-calculus Model of messages: Term algebra Function symbols enc(, ), dec(, ) Equational theory = E Model of protocols: Process calculus dec(enc(x, y), y) = E x Process: P, Q := 0 null in(c, x).p input out(c, m).p output if Test then P else Q conditional P Q parallel! P replication new X.P creation of name Frame (ϕ): the set of messages revealed to ( s knowledge) Configuration: A = (P; ϕ) ϕ = { w }{{} 1 enc(m, k), w 2 k} }{{} handle out. message 13 /36

31 Applied-π - Semantics Recipes: terms built using handles e.g. R = dec(w 1, w 2 ) Rϕ = E m for ϕ = {w 1 enc(m, k), w 2 k} How builds messages from its knowledge 14 /36

Applied-π - Semantics Recipes: terms built using handles e.g. R = dec(w 1, w 2 ) Rϕ = E m for ϕ = {w 1 enc(m, k), w 2 k} How builds messages from its knowledge Protocol s output: ({out(c, u).

32 Applied-π - Semantics Recipes: terms built using handles e.g. R = dec(w 1, w 2 ) Rϕ = E m for ϕ = {w 1 enc(m, k), w 2 k} How builds messages from its knowledge Protocol s output: ({out(c, u).p } P; ϕ) out(c,w) ({P } P; ϕ {w u}) if w fresh Protocol s input: u ({in(c, x).p } P; ϕ) in(c,r) ({P {x Rϕ}} P; ϕ) + expected rules for conditional (modulo = E ) & others RΦ controls all the network 14 /36

33 Applied-π - Trace Equivalence Static Equivalence (intuitively) Φ Ψ when dom(φ) = dom(ψ) and for all tests, it holds on Φ it holds on Ψ (modulo = E ) Trace Equivalence A B: for any A t A there exists B t B such that Φ(A ) Φ(B ) (and the converse). 15 /36

34 Trace Equivalence: Example k = k = = 0 enc(0, k) 0 enc(0, k ) Key k Key k P P P P P = in(c, x).out(c, enc(x, k)) P = in(c, x).out(c, enc(x, k )) (P P ; ) in(c,0).out(c,w 1).in(c,0).out(c,w 2 ) ( ; {w 1 enc(0, k), w 2 enc(0, k)}) (P P ; ) in(c,0).out(c,w 1).in(c,0).out(c,w 2 ) ( ; {w 1 enc(0, k), w 2 enc(0, k )}) 16 /36

35 Introduction I Model II Partial Order Reduction III Privacy via Sufficient Conditions IV Conclusion

36 States Space Explosion Problem in(c, M 1 ) out(c, w 1 ) in(c, M 2 ) out(c, w 2 ) 18 /36

37 States Space Explosion Problem in(c, M 1 ) in(c, M 1 ) in(c, M 1 ) in(c, M 2 ) out(c, w 1 ) in(c, M 2 ) out(c, w 2 ) in(c, M 2 ) out(c, w 1 ) out(c, w 2 ) in(c, M 2 ) out(c, w 2 ) out(c, w 1 ) in(c, M 1 ) out(c, w 1 ) out(c, w 2 ) in(c, M 2 ) in(c, M 2 ) in(c, M 1 ) out(c, w 2 ) out(c, w 1 ) out(c, w 2 ) in(c, M 1 ) out(c, w 1 ) Example: Private Authentication protocol Verification of anonymity: 1 session 1 second 2 sessions 1 hour 3 sessions >2 days 2 parties, 4 actions (with APTE) 18 /36

38 1 st Type of Redundancies & Compression out(c 1, m 1 ) out(c 2, m 2 ) out(c 1, w 1 ).out(c 2, w 2 ) out(c 2, w 2 ).out(c 1, w 1 ) = in(c 1, x 1 ) out(c 2, m 2 ) in(c 1, M 1 ).out(c 2, w 2 ) out(c 2, w 2 ).in(c 1, M 1 ) M 1 = 0 M 1 = w 2 M 1 = dec(w 2, 0) 19 /36

39 1 st Type of Redundancies & Compression out(c 1, m 1 ) out(c 2, m 2 ) out(c 1, w 1 ).out(c 2, w 2 ) out(c 2, w 2 ).out(c 1, w 1 ) in(c 1, x 1 ) out(c 2, m 2 ) Goal: do not explore states in(c 1, M 1 ).out(c 2, w 2 ) out(c 2, w 2 ).in(c 1, M 1 ) M 1 = 0 M 1 = w 2 M 1 = dec(w 2, 0) + generic class Compressed semantics c exploration strategy based on nature of available actions actions are executed in a row blocks (big steps) indep. from data 19 /36

40 2 nd Type of Redundancies & Reduction M 2 = 0 M 2 = w 1 IO c1 (M 1, w 1 ).IO c2 (M 2, w 2 ) in(c 1, x 1 ).out(c 1, m 1 ) in(c 2, x 2 ).out(c 2, m 2 ), IO c2 (M 2, w 2 ).IO c1 (M 1, w 1 ) M 1 = 0 M 1 = w 2 Goal: do not explore twice states in the area + generic class 20 /36

41 2 nd Type of Redundancies & Reduction M 2 = 0 M 2 = w 1 IO c1 (M 1, w 1 ).IO c2 (M 2, w 2 ) in(c 1, x 1 ).out(c 1, m 1 ) in(c 2, x 2 ).out(c 2, m 2 ), IO c2 (M 2, w 2 ).IO c1 (M 1, w 1 ) M 1 = 0 M 1 = w 2 Goal: do not explore twice states in the area + generic class Reduced semantics r refines further c by analyzing data exploration strategy relying on data dependencies M 1 needs w 2 : M 1 w 2 20 /36

42 Soundness & Completeness Reachability: soundness & completeness of r / c w.r.t. same states are reachable Equivalence is more involved and requires additional assumption Action-determinacy A is action-deterministic if: two reachable actions in parallel must be Attacker knows to/from whom he is sending/receiving messages. Theorem: r = c = Let A and B be two action-deterministic configurations. A r B A c B A B 21 /36

43 Integration, Implementation & Practical Impact Integration in symbolic & constraints solving setting Proof of soundness of integration in APTE Fully implemented in the distributed version of APTE github.com/apte Selection of benchmarks: seconds reference compression reduction nb. of parallel processes Toy example seconds reference compression reduction nb. of parallel processes Wide Mouthed Frog New scenarios & protocols can be analysed 22 /36

44 Introduction I Model II Partial Order Reduction III Privacy via Sufficient Conditions IV Conclusion

45 Unlinkability [ISO/IEC 15408] Ensuring that a user may make multiple uses of a service or resource without others being able to link these uses together. 1 user 2 sessions Id 1 Id 1 Id 2 24 /36

46 Unlinkability [ISO/IEC 15408] Ensuring that a user may make multiple uses of a service or resource without others being able to link these uses together. Id 5 Id 4 Id 3 Id 2 users sessions Id 1 Id 1 Id 2 Id 3 Id 4 Id 5!new Id.!new Sess. P?!new Id. new Sess. P 24 /36

47 Unlinkability [ISO/IEC 15408] Ensuring that a user may make multiple uses of a service or resource without others being able to link these uses together. Id 5 Id 4 Id 3 Id 2 users sessions Id 1 Id 1 Id 2 Id 3 Id 4 Id 5 M =!new Id.!new Sess. (P P )?!new Id. new Sess. (P P ) = S Strong Unlinkability [Arapinis, Chothia, Ritter, Ryan CSF 10] 24 /36

48 Unlinkability [ISO/IEC 15408] Ensuring that a user may make multiple uses of a service or resource without others being able to link these uses together. Id 5 Id 4 Id 3 Id 2 users sessions Id 1 Id 1 Id 2 Id 3 Id 4 Id 5 M =!new Id.!new Sess. (P P )?!new Id. new Sess. (P P ) = S never diff-equivalent (false attacks) 24 /36

49 Contributions between simpler systems with precise verification Unlinkability & Anonymity Reachability property Theory 2 conditions implying unlinkability and anonymity for a large class of 2-party protocols for any crypto. primitives each condition is fundamentally simpler & captures key ingredient Practice our conditions can be checked automatically using encodings we provide tool support for that: UKano Applications new proofs & attacks on real-life protocols e.g. e-passport 25 /36

50 Class of Protocols 2-party Protocols Intuitively, a party P is a process of the form: P ::= 0 in(c, x). if Test then out(c, u).p else P else P else ::= 0 out(c, u ) Two parties: I (initiator) & R (responder) Example: R = P I = P = in(c, x).out(c, enc(x, k)) = out(c, X).in(c, z). if dec(z, k) = X then out(c, open) M =!new k.!new X.(I R) S =!new k. new X.(I R) 26 /36

51 1 st Class: Leaks through Relations over Messages k = k = = 0 enc(0, k) 0 enc(0, k ) For some behaviour relation over messages that leaks info about identities. Key k R[k, sess 1] Key k R[k, sess 2] 27 /36

52 1 st Class: Leaks through Relations over Messages Problem For some s behaviours, relations over messages leak info about involved agents. Ideas of our condition preventing such attacks Avoid rel. R: R holds specific mapping [sessions identities] e.g. w 1 = E w 2 [sess 1 id, sess 2 id] Introduce Ideal(Φ): frame one obtains for [session fresh identity] 1 st Condition: Frame Opacity For all M t (P; Φ), we have that Φ Ideal(Φ). Example: Φ = {w 1 enc(0, k), w 2 enc(0, k)} Ideal(Φ) = {w enc(0, k 1 ), w 2 enc(0, k 2 )} 28 /36

53 2 nd Class: Leaks through Conditionals Outcomes So, let s introduce two modifications... enc( challenge, X, k) Key k new X enc( X, Y, k) Key k new Y 29 /36

54 2 nd Class: Leaks through Conditionals Outcomes Attack: tracks enc( challenge, X, k) enc( challenge, X, k) Key k new X enc( X, Y, k) Key k new Y enc( challenge, X, k) Abort Abort Key k 29 /36

55 2 nd Class: Leaks through Conditionals Outcomes Problem For some s behaviours, conditionals outcomes leak info about involved agents. Ideas of our condition preventing such attacks Expected: does not interfere conditionals Problems when: did interfere conditionals / binary info about agents Require: conditional did not interfere 2 nd Condition: Well-Authentication For any execution of M, if an agent I(id, sess) successfully passes a test, he must be interacting honestly with some unique R(id, sess ). 30 /36

56 Main Result Theorem For any protocol in our class, for any term algebra: Frame Opacity & Well-Authentication } { Unlinkability & Anonymity Idea of the proof M t (P; Φ) S t (Q; Ψ) with Φ Ψ Seen as exchanges between threads: [id,session] Rename ids to pairwise distinct ids (keeping connected threads together) Goal: (i) still executable & (ii) frames (i) Have honest interactions stable by our renaming + Well-Authentication (ii) Stability of Ideal( ) by renamings + Frame Opacity 31 /36

57 Practical Impact Mechanisation & UKano Benefit: each condition is fundamentally simpler Unlinkability:.. Frame Opacity:. Well-Authentication:.Reach Both conditions can be automatically verified using ProVerif & encodings Well-Authentication: just reachability properties Frame Opacity: checkable with good precision via diff-equivalence Tool: UKano (built on top of ProVerif) Automatically checks our conditions 32 /36

58 Practical Impact Case Studies: verification of unlinkability (UK) RFID protocols FO WA UK Feldhofer safe Hash-Lock safe LAK (stateless) Fixed LAK safe [*] FO WA UK DAA sign safe DAA join safe abcdh (irma) safe e-passport FO WA UK BAC safe BAC/PA/AA safe PACE (fallible dec) PACE (missing test) PACE PACE with tags safe Our conditions are tight Established new proofs and found new attacks using UKano Was impossible before: systematic false attacks except for [*] 33 /36

59 Practical Impact Case Studies: verification of unlinkability (UK) RFID protocols FO WA UK Feldhofer safe Hash-Lock safe LAK (stateless) Fixed LAK safe [*] FO WA UK DAA sign safe DAA join safe abcdh (irma) safe e-passport FO WA UK BAC safe BAC/PA/AA safe PACE (fallible dec) PACE (missing test) PACE PACE with tags safe Our conditions are tight Established new proofs and found new attacks using UKano Was impossible before: systematic false attacks except for [*] 33 /36

60 Introduction I Model II Partial Order Reduction III Privacy via Sufficient Conditions IV Conclusion

61 Summary Decision for < sessions Semi-decision for sessions Issue: scales too badly Verification of in symbolic model Issue: not precise enough Verification of privacy for real-life protocols 35 /36

62 Summary Decision for < sessions Semi-decision for sessions POR Techniques Privacy via Sub-Conditions Issue: scales too badly Verification of in symbolic model Issue: not precise enough Implem + Benchmarks Tool + New Proofs/Attacks Verification of privacy for real-life protocols 35 /36

63 Future Work Decision for < sessions Drop action-determinacy assumption Semi-decision for sessions POR for backward search (e.g. Tamarin) POR Techniques Privacy via Sub-Conditions Issue: scales too badly Verification of in symbolic model Issue: not precise enough Verification of privacy for real-life protocols 36 /36

64 Future Work Decision for < sessions Drop action-determinacy assumption POR for backward search (e.g. Tamarin) Semi-decision for sessions Extend the class: stateful & > 2 parties Verification of FO via reachability: UK & ANO. pure reachability POR Techniques Privacy via Sub-Conditions Issue: scales too badly Verification of in symbolic model Issue: not precise enough Verification of privacy for real-life protocols 36 /36

65 Future Work Decision for < sessions Drop action-determinacy assumption POR for backward search (e.g. Tamarin) Semi-decision for sessions Extend the class: stateful & > 2 parties Verification of FO via reachability: UK & ANO. pure reachability Adapt for bounded case + benefit from POR POR Techniques Privacy via Sub-Conditions Issue: scales too badly Verification of in symbolic model Issue: not precise enough Verification of privacy for real-life protocols 36 /36

66 Future Work Decision for < sessions Drop action-determinacy assumption POR for backward search (e.g. Tamarin) Semi-decision for sessions Extend the class: stateful & > 2 parties Verification of FO via reachability: UK & ANO. pure reachability Adapt for bounded case + benefit from POR POR Techniques Privacy via Sub-Conditions Issue: scales too badly Verification of in symbolic model Issue: not precise enough Verification of privacy for real-life protocols Generic approach: Exploit in broader contexts & Infer guidelines for PETs 36 /36

67 Future Work Decision for < sessions Drop action-determinacy assumption POR for backward search (e.g. Tamarin) Semi-decision for sessions Extend the class: stateful & > 2 parties Verification of FO via reachability: UK & ANO. pure reachability Adapt for bounded case + benefit from POR POR Techniques Privacy via Sub-Conditions Issue: scales too badly Verification of in symbolic model Issue: not precise enough Verification of privacy for real-life protocols Generic approach: Exploit in broader contexts & Infer guidelines for PETs Ready to guide analysis/design/standardisation? 36 /36

68 Backup Slides

69 Compressed Strategy Compressed semantics c Polarities: Negative: out().p, (P 1 P 2 ), 0 & Positive: in().p Negative: explored greedily, in a given order e.g. c 1 < c 2 Positive: explored only when Negative, chooses one and put it under focus focus is released when becomes begative Replication:! a c,np is positive but releases the focus. 34 /36

70 Reduced Strategy We assume an arbitrary order over blocks priority order. Reduced Semantics r r explores a block b after a trace t only when: c explores t.b and t b. Informally, t b means: there is no way to swap b towards the beginning of t before a block b 0 b (even by modifying recipes) Theorem: r = Let A and B be two action-deterministic configurations. A B if, and, only if, A r B. 35 /36

71 POR & Trace Equivalence What about trace equivalence ( c )? e.g., (in(c 1, x) out(c 2, m)) (out(c 2, m).in(c 1, x)) same swaps are possible ( same sequential dependencies) Lemma: A, B action-det, A B same sequential dependencies 36 /36

Analysing privacy-type properties in cryptographic protocols

Analysing privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, January 14th, 2015 S. Delaune (LSV) Verification of cryptographic protocols 14th