Control Flow Analysis of Security Protocols (I)

Size: px

Start display at page:

Download "Control Flow Analysis of Security Protocols (I)"

Frederica Jefferson
6 years ago
Views:

1 Control Flow Analysis of Security Protocols (I) Mikael Buchholtz F2005 Mikael Buchholtz p. 1

2 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography F2005 Mikael Buchholtz p. 2

3 History of Protocol Analysis State/transition model Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography Millen 84, Meadows 89, F2005 Mikael Buchholtz p. 2

4 History of Protocol Analysis State/transition model Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography Millen 84, Meadows 89,... Modal logics Burrows-Abadi-Needham 89, F2005 Mikael Buchholtz p. 2

5 History of Protocol Analysis State/transition model Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography Millen 84, Meadows 89,... Modal logics Language-based Burrows-Abadi-Needham 89,... Woo-Lam 93 Model checking of CSP Lowe LySa F2005 Mikael Buchholtz p. 2

6 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography State/transition model Strand Spaces Modal logics Millen 84, Meadows 89,... Burrows-Abadi-Needham 89,... Model checking of CSP Lowe 95 Language-based Woo-Lam LySa Thayer-Herzog- Guttman 98, F2005 Mikael Buchholtz p. 2

7 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Probabalistic/complexity theoretic view Algebraic view of cryptography Herzog 03, of cryptography Zunino-Degano 04 State/transition model Strand Spaces Modal logics Millen 84, Meadows 89,... Burrows-Abadi-Needham 89,... Model checking of CSP Lowe 95 Language-based Woo-Lam LySa Thayer-Herzog- Guttman 98, F2005 Mikael Buchholtz p. 2

8 Analysing a Protocol [Bodei-Buchholtz-Degano-Nielson-Nielson 04] 1. Write the protocol in the process calculus LYSA 2. Specify an attacker 3. Analyse the protocol and the attacker using control flow analysis 4. Inspect the analysis result to determine (security) properties of the protocol F2005 Mikael Buchholtz p. 3

9 LYSA for Symmetric Cryptography E ::= n name (n N ) x variable (x X ) {E 1,, E k } E0 encryption P ::= E 1,, E k. P output (E 1,, E j ; x j+1,, x k ). P input (with matching) decrypt E as {E 1,, E j ; x j+1,, x k } E0 in P decryption (with matching) P 1 P 2 parallel composition (ν n)p introduce new name n! P replication 0 terminated process F2005 Mikael Buchholtz p. 4

10 The Wide-mouthed-frog Protocol (without timestamps) [Burrows-Abadi-Needham 89] 1. A S : A, {B, K AB } KA 2. S B : {A, K AB } KB 3. A B : {mess} KAB K A A S Network K B B F2005 Mikael Buchholtz p. 5

11 The Wide-mouthed-frog Protocol (without timestamps) [Burrows-Abadi-Needham 89] 1. A S : A, {B, K AB } KA 2. S B : {A, K AB } KB 3. A B : {mess} KAB A S Network A, {B, K AB } KA B F2005 Mikael Buchholtz p. 5

12 The Wide-mouthed-frog Protocol (without timestamps) [Burrows-Abadi-Needham 89] 1. A S : A, {B, K AB } KA 2. S B : {A, K AB } KB 3. A B : {mess} KAB A S Network B {A, K AB } KB F2005 Mikael Buchholtz p. 5

13 The Wide-mouthed-frog Protocol (without timestamps) [Burrows-Abadi-Needham 89] 1. A S : A, {B, K AB } KA 2. S B : {A, K AB } KB 3. A B : {mess} KAB A S Network {mess} KAB B F2005 Mikael Buchholtz p. 5

14 Semantics LYSA has a reduction semantics defined by two relations P P the reduction relation P P the structural congruence (P R P parameterised reduction relation used in the paper) F2005 Mikael Buchholtz p. 6

15 Reduction Relation P P F2005 Mikael Buchholtz p. 7

16 Reduction Relation P P Executions F2005 Mikael Buchholtz p. 7

17 Reduction Relation P P (ν n)p (ν n)p j i=1 E i = E i E 1,, E k. P (E 1,, E j; x j+1,, x k ). Q P Q[E j+1 /x j+1,, E k /x k ] P P P Q P Q F2005 Mikael Buchholtz p. 8

18 Structural Congruence The structural congruence, P Q, brings processes on the right form for the reduction relation P Q Q Q Q P P P F2005 Mikael Buchholtz p. 9

19 Structural Congruence P P P 1 P 2 P 2 P 1 P 1 P 2 P 2 P 3 P 1 P 3 P 1 P 2 E 1,, E k. P 1 E 1,, E k. P 2 P 1 P 2 (E 1,, E j ; x j+1,, x k ). P 1 (E 1,, E j ; x j+1,, x k ). P 2 P 1 P 2 P 3 P 4 P 1 P 3 P 2 P 4 P 1 P 2 (ν n)p 1 (ν n)p 2 P 1 P 2!P 1!P 2 P 1 P 2 decrypt E as {E 1,, E j ; x j+1,, x k } E0 in P 1 decrypt E as {E 1,, E j ; x j+1,, x k } E0 in P F2005 Mikael Buchholtz p. 10

20 Structural Congruence P 1 P 2 ifp 1 and P 2 are disciplined α-equivalent P 1 P 2 P 2 P 1 (P 1 P 2 ) P 3 P 1 (P 2 P 3 ) P 0 P (ν n)0 0 (ν n)(ν n )P (ν n )(ν n)p (ν n)(p 1 P 2 ) P 1 (ν n)p 2 if n fn(p 1 )!P P!P F2005 Mikael Buchholtz p. 11

21 The Semantics at Work ((ν n) n. 0) (; x). n, x F2005 Mikael Buchholtz p. 12

22 The Semantics at Work ((ν n) n. 0) (; x). n, x. 0 ((ν m) m. 0) (; x). n, x. 0 (ν m)( m. 0 (; x). n, x. 0) F2005 Mikael Buchholtz p. 12

23 The Semantics at Work ((ν n) n. 0) (; x). n, x. 0 ((ν m) m. 0) (; x). n, x. 0 (ν m)( m. 0 (; x). n, x. 0) (ν m)(0 n, m. 0) F2005 Mikael Buchholtz p. 12

24 The Semantics at Work ((ν n) n. 0) (; x). n, x. 0 ((ν m) m. 0) (; x). n, x. 0 (ν m)( m. 0 (; x). n, x. 0) (ν m)(0 n, m. 0) 0 (ν m) n, m. 0 (ν m) n, m F2005 Mikael Buchholtz p. 12

25 Algebraic View of Cryptography For example, to model [Dolev-Yao 81] encrypt as E K (P ) and decrypt as D K (C) such that D K (E K (m)) = m and nothing else F2005 Mikael Buchholtz p. 13

26 Symmetric Cryptography in LYSA Encryption: Decryption: {E 1,, E k } E0 decrypt E as {E 1,, E j ; x j+1,, x k } E0 in P Semantics models perfect cryptography: j i=0 E i = E i decrypt {E 1,, E k } E0 as {E 1,, E j; x j+1,, x k } E 0 in P P [E j+1 /x j+1,, E k /x k ] F2005 Mikael Buchholtz p. 14

27 Asymmetric Cryptography in LYSA Keys: (ν ± m)p introduces two keys m +, m in P Encryption: Decryption: { E 1,, E k } E0 decrypt E as { E 1,, E j ; x j+1,, x k } E0 in P F2005 Mikael Buchholtz p. 15

28 Asymmetric Cryptography in LYSA Decryption with private key: j i=1 E i = E i decrypt { E 1,, E k } m + as { E 1,, E j; x j+1,, x k } m in P P [E j+1 /x j+1,, E k /x k ] Signature validation public key: j i=1 E i = E i decrypt { E 1,, E k } m as { E 1,, E j; x j+1,, x k } m + in P P [E j+1 /x j+1,, E k /x k ] (In the paper these two rules are merged into one) F2005 Mikael Buchholtz p. 16

29 Asymmetric Cryptography in LYSA E ::= m +, m public and private keys { E 1,, E k } E0 asymmetric encryption P ::= (ν ± m)p key pair creation decrypt E as { E 1,, E j ; x j+1,, x k } E0 in asymmetric decryption F2005 Mikael Buchholtz p. 17

30 The Analysis Executions F2005 Mikael Buchholtz p. 18

31 The Analysis Analysis Executions F2005 Mikael Buchholtz p. 18

32 The Analysis Analysis Executions F2005 Mikael Buchholtz p. 18

33 Analysis Components Network messages: κ P(V ) Variable bindings: ρ : X P(V) where values from V are variable-free terms i.e. V ::= n {V 1,, V k } V0 { V 1,, V k } V0 Example A, B, {mess} K. 0 (A, B; x). 0 A, B, {mess} K κ {mess} K ρ(x) F2005 Mikael Buchholtz p. 19

34 Analysis Judgements ρ, κ = P reads: ρ and κ are valid analysis estimates for P Example P 1 def = A. 0 (; x). 0 P 2 def = A, B. 0 (B; x). 0 κ a = { A, B } ρ a = [x ] κ b = { A } ρ b = [x {A}] κ c = { A, B } ρ c = [x {A, B}] F2005 Mikael Buchholtz p. 20

35 Analysing Restriction!(ν n) n F2005 Mikael Buchholtz p. 21

36 Analysing Restriction!(ν n) n. 0 (ν m) m. 0 (ν o) o. 0 (ν p) p. 0 (ν q) q. 0 (ν r) r. 0...!(ν n) n F2005 Mikael Buchholtz p. 21

37 Analysing Restriction!(ν n) n. 0 (ν m) m. 0 (ν o) o. 0 (ν p) p. 0 (ν q) q. 0 (ν r) r. 0...!(ν n) n. 0 Each name, n, is assigned a canonical name n The semantics uses disciplined α-equivalence: (ν n)p is α-equivalent to (ν n )P and n = n For example m = o = p = q = r =... = n F2005 Mikael Buchholtz p. 21

38 Canonical Names and Variables Network messages: κ P( V ) Variable bindings: ρ : X P( V ) Example (!(ν n) n, n. 0) (!(; x, y). 0) F2005 Mikael Buchholtz p. 22

39 Canonical Names and Variables Network messages: κ P( V ) Variable bindings: ρ : X P( V ) Example (!(ν n) n, n. 0) (!(; x, y). 0) (!(ν n) n, n. 0) (!(; x, y). 0) (ν n 1 ) n 1, n 1. 0 (; x 1, y 1 ) F2005 Mikael Buchholtz p. 22

40 Canonical Names and Variables Network messages: κ P( V ) Variable bindings: ρ : X P( V ) Example (!(ν n) n, n. 0) (!(; x, y). 0) (!(ν n) n, n. 0) (!(; x, y). 0) (ν n 1 ) n 1, n 1. 0 (; x 1, y 1 ). 0 (!(ν n) n, n. 0) (!(; x, y). 0) F2005 Mikael Buchholtz p. 22

41 Canonical Names and Variables Network messages: κ P( V ) Variable bindings: ρ : X P( V ) Example (!(ν n) n, n. 0) (!(; x, y). 0) (!(ν n) n, n. 0) (!(; x, y). 0) (ν n 1 ) n 1, n 1. 0 (; x 1, y 1 ). 0 (!(ν n) n, n. 0) (!(; x, y). 0) (!(ν n) n, n. 0) (!(; x, y). 0) (ν n 2 ) n 2, n 2. 0 (; x 2, y 2 ) but n = n 1 = n 2 = F2005 Mikael Buchholtz p. 22

42 The Analysis Analysis Executions F2005 Mikael Buchholtz p. 23

43 The Analysis n i Analysis n 1 n 2 n 3 Executions F2005 Mikael Buchholtz p. 23

44 Protocol Scenarios A S Network B In LySa: A B S F2005 Mikael Buchholtz p. 24

45 Protocol Scenarios A S Network M B In LySa: A B S M legitimate part of system the attacker F2005 Mikael Buchholtz p. 24

46 Protocol Scenarios A S Network M B In LySa: A B S M legitimate part of system the attacker We write the legitimate part of the system The attacker will be handled using the analysis F2005 Mikael Buchholtz p. 24

47 Protocols Scenarios K A A S Network M K B B F2005 Mikael Buchholtz p. 25

48 Protocols Scenarios A 1 A 2 A 3 A i S Network M B 1 B 2 B 3 B i F2005 Mikael Buchholtz p. 25

49 Protocols Scenarios K A1 K Ai A 1 A 2 A 3 A i S Network M B 1 B 2 B 3 B i K B1 K Bi F2005 Mikael Buchholtz p. 25

50 Meta Level E ::= n i1 i k Indexed names x i1 i k Indexed variables... P ::=... i S Indexed parallel (ν i S n i )P Indexed restriction (ν ± i S n i )P Indexed key pair restriction let X S in P Declare set Example i {1,2,3} mess i. 0 mess 1. 0 mess 2. 0 mess F2005 Mikael Buchholtz p. 26

51 Analysing a Protocol 1. Write the protocol in the process calculus LYSA 2. Specify an attacker 3. Analyse the protocol and the attacker using control flow analysis 4. Inspect the analysis result to determine (security) properties of the protocol F2005 Mikael Buchholtz p. 27

52 For Next Time Write one or two protocols from Appendix A of [BBDNN04] in LYSA Things to consider: The use of pattern matching, The use of restriction (ν n)p Scenarios (number of principals, sharing keys, etc.) To be presented on slides next time: Starting 9.30! (February 18 th ) (Try to parse your LySa through the LySatool?) F2005 Mikael Buchholtz p. 28

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University