StatVerif: Modelling protocols that involve persistent state

Transcription

1 StatVerif: Modelling protocols that involve persistent state Mark D. Ryan University of Birmingham Joint work with Myrto Arapinis, Stéphanie Delaune, Steve Kremer, Joshua Phillips and Graham Steel 7 8 December 2011

2 Outline The ProVerif method Protocols with persistent state The TPM StatVerif

3 Verifying cryptographic protocols Provable/computational security 1 Computationally bounded (polynomial) attacker 2 Exact cryptographic operations on bitstrings 3 Bitstring (more concrete) model 4 Prove difficulty of violating security property is equivalent to solving a hard problem Formal/symbolic methods 1 Idealised (worst case) attacker 2 Idealised (best case) perfect cryptography 3 Symbolic (more abstract) model of protocol 4 Prove impossibility of violating security property within the model

4 Attacker model We model a very powerful attacker, with Dolev-Yao capabilities: it completely controls the communication channels, so it is able to record, alter, delete, insert, redirect, reorder, and reuse past or current messages, and inject new messages. (The network is the attacker.) manipulate data in arbitrary ways, including applying crypto operations provided has the necessary keys. It controls dishonest participants. It s always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. - Bruce Schneier

5 Coding protocols as processes Handshake protocol Original handshake protocol: let Server = in (ch, pkc ); S new k enc pkc (sign sks (k)) senc k (s) C new k; out (ch, enc(pkc, sign(sks, k ) )); in (ch, m); 0.

6 The handshake protocol in full free ch. (* Public key cryptography *) fun pk/1. fun enc/2. fun dec/2. equation dec(x, enc(pk(x), y) ) = y. (* Signatures *) fun sign/2. fun checksign/2. fun getmess/1. fun ok/0. equation checksign(pk(x), sign(x,y)) = ok. equation getmess(sign(x,y)) = y. (* Shared-key cryptography *) fun senc/2. fun sdec/2. equation sdec(senc(x,y),x) = y.

7 The handshake protocol in full 2 let Server = in (ch, pkc ); new k; out (ch, enc(pkc, sign(sks, k ) )); in (ch, m); 0. let Client = in (ch, pks ); in (ch, m); let m = dec(skc, m) in if checksign(pks, m ) = ok then let k = getmess(m) in if pks = pks then out (ch, senc(k, s)).

8 Security properties The applied pi calculus can model the following: Reachability properties (e.g., secrecy) Correspondence assertions (e.g., authentication) Observational equivalence (e.g., strong secrecy; for instance, ballot secrecy; )

9 Handshake protocol - analysis S I C new k pkm enc pkm (sign sks (k)) pkc enc pkc (sign sks (k)) senc k (s) new s C publishes her public key I starts a session with S I learns sign sks (k) and k I replays sign sks (k) in a session with S I is able to output secrect s Adversary process I in (c, xpk); out (c, pkm); in (c, y); let sig = dec skm (y) in out (c, enc xpk (sig)); in (c, z); out (c, sdec getmsg(sig) (z))

10 Protocols with persistent state

11 Persistent state Agents that have persistent state: Web servers, database servers,... Hardware tokens Smart cards: capabilities,... RFID tags: their identity,... TPM: PCR values, session nonces,... HSM: PIN codes,... Trusted party in contract signing protocols VANETs...

12 The trusted platform module

13 Digital rights management Secure environment rt ble epo a e r rg ion o f t un ura ig nf o c

14 Richard Stallman Creator of GNU, Emacs, GCC, GPL, the Free Software Foundation With a plan they call trusted computing, large media corporations, together with computer companies such as Microsoft and Intel, are planning to make your computer obey them instead of you. He calls it treacherous computing.

15 Ross Anderson Professor of Computer Security, University of Cambridge TC can support remote censorship. In its simplest form, applications may be designed to delete pirated music under remote control. In 2010 President Clinton may have two red buttons on her desk - one that sends the missiles to China, and another that turns off all the PCs in China. He also talks of commercial bullying, economic warfare and political censorship.

16 Secure environment Attestation from cloud Cloud server

17 Platform configuration registers The TPM has 24 platform configuration registers, PCRs. Updating a PCR The command TPM Extend(PCR p, Data x) effects the assignment p := SHA-1(p x)

18 StatVerif

19 StatVerif syntax: processes P, Q ::= processes out(m, N); P output in(m, x); P input P Q parallel composition!p replication new a; P restriction let x = g(m 1,..., M n ) in P else Q destructor application if M = N then P else Q conditional [s M] state cell read s as x; P read s := M; P write lock; P begin locked section unlock; P end locked section

20 Coding processes as Horn clauses: ProVerif let Server = in (ch, x); new n; out (ch, enc(k, (x,n) )); attacker:x attacker:enc(k[], (x,n[x]) );

21 Coding processes as Horn clauses: StatVerif let Server = in (ch, x); new n; out (ch, enc(k, (x,n) )); attacker:x attacker:enc(k[], (x,n[x]) ); attacker:u,x attacker:u,enc(k[], (x,n[x]) );

22 Assignments let Server = in (ch, x); u := h(u,x); attacker:u,x attacker:u,y attacker:h(u,x),y;

23 The Horn clauses representation The translation of a StatVerif process generates clauses built around the following two predicates att( M, N) means that state M is reachable and in that state the attacker knows the value N; mes( M, K, N) means that state M is reachable and in that state the value N is available on channel K.

24 Attacker clauses: constructors and destructors The attacker can build new messages by applying any constructor to messages he knows. For each constructor f (M 1,..., M n ) att(xs, M 1 ) att(xs, M n ) att(xs, f (M 1,..., M n )) Asymmetric encryption att(xs, xk) att(xs, xm) att(xs, aenc(xk, xm)) The attacker can analyse messages by applying any destructor to messages he knows. For each destructor g(m 1,..., M n ) M att(xs, M 1 ) att(xs, M n ) att(xs, M) Asymmetric-key decryption att(xs, xk) att(xs, aenc(pbk(xk), xm)) att(xs, xm)

25 Attacker clauses: public channels The attacker can send messages on public channels att(xs, xc) att(xs, xm) mes(xs, xc, xm) The attacker can eavesdrop on public channels att(xs, xc) mes(xs, xc, xm) att(xs, xm)

26 Attacker clauses: public state cells Consider the protocol new m; ([s 1 M 1 ] [s n M n ] P) The attacker can read from public state cells For all i {1,..., n} att((xs 1,..., xs n ), s i []) att((xs 1,..., xs n ), xs i ) The attacker can write to public state cells For all i {1,..., n} att((xs 1,... xs i,..., xs n ), s i []) att((xs 1,..., xs i,..., xs n ), ys i ) mes((xs 1,..., xs i,..., xs n ), zc, zm) mes((xs 1,..., ys i,..., xs n ), zc, zm) att((xs 1,... xs i,..., xs n ), s i []) att((xs 1,..., xs i,..., xs n ), ys i ) att((xs 1,..., xs i,..., xs n ), zm) att((xs 1,..., ys i,..., xs n ), zm)

27 Protocol clauses 0 ρhlφµ = Q 1 Q 2 ρhlφfalse = Q 1 ρ Hlφfalse Q 2 ρhlφfalse!q ρhlφfalse = Q ρhlφfalse j new a; Q ρhlφµ = Q (ρ {a a[l]})hlφµ Q (ρ {a attn[]})hlφµ if a bn(p) otherwise in(m, x); Q ρhlφfalse = Q (ρ {x x, vs 1 vs 1,..., vsn vsn}) H (x :: l) φ false where φ 0 = (vs 1,..., vsn), with vs 1,..., vsn fresh and H = H mes(φ 0, ρ(m), x) in(m, x); Q ρhlφtrue = Q (ρ {x x})(h mes(φ, ρ(m), x))(x :: l)φtrue out(m, N); Q ρhlφµ = {H mes(φ, ρ(m), ρ(n))} Q ρhlφµ let x = g(m 1,..., Mn) in Q 1 else Q 2 ρhlφµ = S j Q 1 ((ρσ) {x p σ })(Hσ)(lσ)(φσ)µ g(p 1,..., p n ) p def (g) and (σ, σ ) mgus and M 1 ρσ = p 1 σ,..., Mnρσ = p n ff σ Q 2 ρhlφµ if M = N then Q 1 else Q 2 ρhlφµ = Q 1 (ρσ)(hσ)(lσ)(φσ)µ Q 2 ρhlφµ where σ = mgu(ρ(m), ρ(n)) lock; Q ρhlφfalse = Q (ρ {vs 1 vs 1,..., vsn vsn})hlφ 0 true where φ 0 = (vs 1,..., vsn), with vs 1,..., vsn fresh unlock; Q ρhlφtrue = Q ρhlφfalse s i := M; Q ρhlφfalse = Q (ρ {vs 1 vs 1,..., vsn vsn, vc vc, vm vm})hlφfalse {H mes(φ 0, vc, vm) mes(φ 1, vc, vm)} {H att(φ 0, vm) att(φ 1, vm)} where φ 0 = (vs 1,..., vs i 1, vs i, vs i+1,..., vsn), and φ 1 = (vs 1,..., vs i 1, ρ(m), vs i+1,..., vsn) with vs 1,..., vsn, vc, vm fresh s i := M; Q ρhlφtrue = Q (ρ {vc vc, vm vm})hlφ true {H mes(φ, vc, vm) mes(φ, vc, vm)} {H att(φ, vm) att(φ, vm)} where φ = (M 1,..., M i 1, M i, M i+1,..., Mn), and φ = (M 1,..., M i 1, ρ(m), M i+1,..., Mn), and vc, vm fresh read s i as x; Q ρhlφfalse = Q (ρ {x vs i, vs 1 vs 1,..., vs i vs i,..., vsn vsn, vc vc, vm vm})(h mes(φ 0, vc, vm))lφfalse where φ 0 = (vs 1,..., vs i,..., vsn), with vs 1,..., vs i,..., vsn, vc, vm fresh read s i as x; Q ρhlφtrue = Q (ρ {x M i, vc vc, vm vm})(h mes(φ, vc, vm))lφtrue where φ = (M 1,..., M i,..., Mn) and vc, vm fresh

28 Protocol clauses 0 ρhlφµ = Q 1 Q 2 ρhlφfalse = Q 1 ρ Hlφfalse Q 2 ρhlφfalse!q ρhlφfalse Assignments = Q ρhlφfalse j Q (ρ {a a[l]})hlφµ if a bn(p) new a; Q ρhlφµ = Q (ρ {a attn[]})hlφµ otherwise in(m, x); Q ρhlφfalse = Q (ρ {x x, vs 1 vs 1,..., vsn vsn}) H (x :: l) φ false where φ 0 = (vs 1,..., vsn), with vs 1,..., vsn fresh s i := M; Q ρhlφfalse = Q ρ Hlφfalse and H = H mes(φ 0, ρ(m), x) in(m, x); Q ρhlφtrue = Q (ρ {x x})(h mes(φ, ρ(m), x))(x :: l)φtrue {H mes(φ out(m, N); Q ρhlφµ = {H mes(φ, ρ(m), 0, vc, vm) mes(φ ρ(n))} Q ρhlφµ 1, vc, vm)} S j let x = g(m 1,..., Mn) in Q 1 else Q 2 ρhlφµ = Q 1 ((ρσ) {x p σ })(Hσ)(lσ)(φσ)µ {H att(φ 0, vm) att(φ 1, vm)} where φ 0 = (vs 1,..., vs i 1, vs i, vs i+1,..., vs n), g(p 1,..., p n ) p def (g) and (σ, σ ) mgus and M 1 ρσ = p 1 σ,..., Mnρσ = p n ff σ Q 2 ρhlφµ if M = Nand then Qφ 11 else = Q 2 (vs ρhlφµ 1,..., vs i 1, ρ(m), = Qvs 1 (ρσ)(hσ)(lσ)(φσ)µ i+1,..., vs n) Q 2 ρhlφµ where σ = mgu(ρ(m), ρ(n)) lock; Q ρhlφfalse = Q (ρ {vs 1 vs 1,..., vsn vsn})hlφ 0 true with vs 1,..., vs n, vc, vm fresh where φ 0 = (vs 1,..., vsn), with vs 1,..., vsn fresh unlock; Q ρhlφtrue = Q ρhlφfalse and ρ = ρ {vs 1 vs 1,..., vs n vs n, vc vc, vm vm} s i := M; Q ρhlφfalse = Q (ρ {vs 1 vs 1,..., vsn vsn, vc vc, vm vm})hlφfalse {H mes(φ 0, vc, vm) mes(φ 1, vc, vm)} {H att(φ 0, vm) att(φ 1, vm)} where φ 0 = (vs 1,..., vs i 1, vs i, vs i+1,..., vsn), s i := M; Q ρhlφtrue = and φ 1 = (vs 1,..., vs i 1, ρ(m), vs i+1,..., vsn) Q (ρ {vc vc, vm vm})hlφ with vs 1,... true, vsn, vc, vm fresh s i := M; Q ρhlφtrue = Q (ρ {vc vc, vm vm})hlφ true {H mes(φ, vc, vm) {H mes(φ, vc, vm) mes(φ mes(φ, vc, vm)}, vc, vm)} {H att(φ, vm) vm) att(φ, vm)} att(φ, vm)} where φ = (M 1,..., M i 1, M i, M i+1,..., Mn), where φ = (M 1,..., M i 1, M i, M i+1,..., M n), and φ = (M 1,..., M i 1, ρ(m), M i+1,..., Mn), and vc, vm fresh and φ = (M 1,..., M i 1, ρ(m), M i+1,..., M n), read s i as x; Q ρhlφfalse = Q (ρ {x vs i, vs 1 vs 1,..., vs i vs i,..., vsn vsn, and vc, vm fresh vc vc, vm vm})(h mes(φ 0, vc, vm))lφfalse where φ 0 = (vs 1,..., vs i,..., vsn), with vs 1,..., vs i,..., vsn, vc, vm fresh read s i as x; Q ρhlφtrue = Q (ρ {x M i, vc vc, vm vm})(h mes(φ, vc, vm))lφtrue where φ = (M 1,..., M i,..., Mn) and vc, vm fresh

29 Main result Theorem (The StatVerif compiler is correct) Let M be a message. Let P be a protocol of the form new m; ([s 1 M 1 ] [s n M n ] Q) Clauses(P) secrecy(m) P = secrecy(m) If K the fact att( K, M) is not derivable from Clauses(P), then P preserves the secrecy of M.

30 Some clauses for commands of the TPM TPM Read: att(x p, x) att(x p, x p ) TPM CreateWrapKey: att(x p, x pcr ) key(x p, x sk, x pk, x p ) att(x p, pk(bindk[x pcr ]), wrap(x pk, bindk[x pcr ], tpmpf[], x pcr ) ) TPM LoadKey2: att(x p, pk(x key )) att(x p, wrap(x pk, x key, tpmpf[], x pcr )) key(x p, x sk, x pk, x p ) key(x p, x key, pk(x key ), x pcr ) TPM Unbind: att(x p, aenc(x pk, x data )) key(x p, x sk, x pk, x p ) att(x p, x data ) TPM Extend: att(x p, x v ) att(x p, x) att(h(x p, x v ), x) key(x p, x sk, x pk, x pcr ) att(x p, x v ) key(h(x p, x v ), x sk, x pk, x pcr )

31 Making ProVerif work on the Horn clauses Safe abstraction: Replace att(x p, x v ) att(x p, x) att(h(x p, x v ), x) with n instances, in which x p is zero[] h(zero[], x 1 ) h(h(zero[], x 1 ), x 2 ) h(h(h(zero[], x 1 ), x 2 ), x 3 )...

32 Current and future work Prototype implementation by Joshua Phillips More case studies UMTS protocols, RFID protocols,... Extension to authentication properties Extension to observational equivalence Abstractions