Time-Bounding Needham-Schroeder Public Key Exchange Protocol

Similar documents
Discrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols

arxiv: v1 [cs.cr] 27 May 2016

Notes on BAN Logic CSG 399. March 7, 2006

A Logic of Authentication

BAN Logic A Logic of Authentication

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC

Models and analysis of security protocols 1st Semester Security Protocols Lecture 6

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

Verification of Security Protocols in presence of Equational Theories with Homomorphism

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool

One Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:

Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete

Collaborative Planning with Privacy

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Proving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Reachability Results for Timed Automata with Unbounded Data Structures

Typed MSR: Syntax and Examples

Slides for Chapter 14: Time and Global States

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania

Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions

Automata-based analysis of recursive cryptographic protocols

Abstract Specification of Crypto- Protocols and their Attack Models in MSR

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

CPSA and Formal Security Goals

Control Flow Analysis of Security Protocols (I)

TAuth: Verifying Timed Security Protocols

A compositional logic for proving security properties of protocols

On the Automatic Analysis of Recursive Security Protocols with XOR

Analysis of authentication protocols Intership report

CPSC 467b: Cryptography and Computer Security

Probabilistic Model Checking of Security Protocols without Perfect Cryptography Assumption

A Logic of Authentication. Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989

Analysing Layered Security Protocols

Symbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation

Report Documentation Page

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Agreement. Today. l Coordination and agreement in group communication. l Consensus

Unreliable Failure Detectors for Reliable Distributed Systems

A decidable subclass of unbounded security protocols

Lecture 7: Specification Languages

Strand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001

DRAFT. Distance-Bounding Protocols: Verification without Time and Location. Sjouke Mauw CSC/SnT University of Luxembourg

Complexity of Checking Freshness of Cryptographic Protocols

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Proving Properties of Security Protocols by Induction

Logical Time. 1. Introduction 2. Clock and Events 3. Logical (Lamport) Clocks 4. Vector Clocks 5. Efficient Implementation

Exam Security January 19, :30 11:30

An undecidability result for AGh

APPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.

Time. Today. l Physical clocks l Logical clocks

Coordination. Failures and Consensus. Consensus. Consensus. Overview. Properties for Correct Consensus. Variant I: Consensus (C) P 1. v 1.

Verification of the TLS Handshake protocol

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Notes on Zero Knowledge

Group Diffie Hellman Protocols and ProVerif

An Undecidability Result for AGh

Complexity of automatic verification of cryptographic protocols

CS 347 Parallel and Distributed Data Processing

The Logical Meeting Point of Multiset Rewriting and Process Algebra

On the Verification of Cryptographic Protocols

Cuts. Cuts. Consistent cuts and consistent global states. Global states and cuts. A cut C is a subset of the global history of H

Finite Models for Formal Security Proofs

Our Problem. Model. Clock Synchronization. Global Predicate Detection and Event Ordering

An Efficient Cryptographic Protocol Verifier Based on Prolog Rules

Equational Tree Automata: Towards Automated Verification of Network Protocols

Lecture 28: Public-key Cryptography. Public-key Cryptography

Timed Automata VINO 2011

Models for an Adversary-Centric Protocol Logic

An On-the-fly Tableau Construction for a Real-Time Temporal Logic

Consensus when failstop doesn't hold

Cryptographic Protocols Notes 2

Clocks in Asynchronous Systems

The Sizes of Skeletons: Security Goals are Decidable

A derivation system and compositional logic for security protocols

A simple procedure for finding guessing attacks (Extended Abstract)

structure of such protocols, the difficulty is that logics are useful only when the semantics is precise, and most of the problems seem to relate to p

Failure detectors Introduction CHAPTER

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

The Weighted Byzantine Agreement Problem

The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability

Distributed Systems. 06. Logical clocks. Paul Krzyzanowski. Rutgers University. Fall 2017

Recent results on Timed Systems

Automatic Synthesis of Distributed Protocols

Decidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation

A progress report on using Maude to verify protocol properties using the strand space model

Cryptography and Security Final Exam

A Calculus for Control Flow Analysis of Security Protocols

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Deriving GDOI. Dusko Pavlovic and Cathy Meadows

Lecture 1: Introduction to Public key cryptography

Consistent Global States of Distributed Systems: Fundamental Concepts and Mechanisms. CS 249 Project Fall 2005 Wing Wong

A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures

Lecture 3,4: Multiparty Computation

Deciding the Security of Protocols with Commuting Public Key Encryption

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

George Danezis Microsoft Research, Cambridge, UK

416 Distributed Systems. Time Synchronization (Part 2: Lamport and vector clocks) Jan 27, 2017

Angelo Troina. Joint work with: Ruggero Lanotte (University of Insubria at Como) Andrea Maggiolo Schettini (University of Pisa)

Transcription:

Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek Nigam, Federal University of Paraíba, Brazil Andre Scedrov, UPENN, USA National Research University HSE, Russia Carolyn Talcott, SRI International, USA LAP 2014.

Cyber-Physical Security Protocols Cyber-Physical Security Protocols are security protocols which rely on the physical properties in which its protocol sessions are carried out, such as: message transmission takes time processing requests takes time different transmission channels different transmission velocities physical and network distances between participants

Cyber-Physical Security Protocols Example: Distance Bounding Protocols A t 0 m B t 1 t 3 m t 2 m t 4 t 5 t 3 t 0 is the response time The round trip time of messages and the transmission velocity is taken into account to infer an upper bound of the distance between two agents.

Cyber-Physical Security Protocols Example: Distance Bounding Protocols A t 0 m B t 1 t 3 m t 2 m t 4 t 5 If t 3 t 0 R for a given distance bounding time R, then the verifier A grants the access to its resources to the prover B and sends a confirmation message.

Specification of Cyber-Physical Security Protocols Specification of Distance Bounding Protocols Standard "Alice-Bob" notation needs to be refined. A B : m at time t 0 B A : m at time t 1 A B : m if t 1 t 0 R Many assumptions about time need to be formally specified, including: time requirements for the fulfillment of a protocol session assumptions about the network, such as communication mediums and transmission velocities

Verification of Cyber-Physical Security Protocols Protocol verification Following issues need to be addressed: which properties does the protocol ensure under which conditions against which intruders

Verification of Cyber-Physical Security Protocols Protocol verification Following issues need to be addressed: which properties does the protocol ensure under which conditions against which intruders Moreover, the standard Dolev-Yao intruder should be ammended with time features in order to make the physical properties of the system relevant.

Discrete vs. Continuous Time Protocol verification Discrete Time Models Continuous Time Models We investigate how the models with continuous time relate to models with discrete time in protocol verification.

Cyber-Physical Security Protocols Example: Original (non-secure) Needham-Schroeder protocol A B {N A, A} KB {N A, N B } KA {N B } KB

Cyber-Physical Security Protocols Example: Original (non-secure) Needham-Schroeder protocol A B t 0 {N A, A} KB t 1 t 3 {N A, N B } KA t 2 {N B } KB t t 5 4 Can the protocol be fixed by means of time (by some time requirements)?

Time-Sensitive Features We need to take into account time-sensitive features such as:

Time-Sensitive Features We need to take into account time-sensitive features such as: network delays

Time-Sensitive Features We need to take into account time-sensitive features such as: network delays participants processing time

Time-Sensitive Features We need to take into account time-sensitive features such as: network delays participants processing time protocol execution depends on the round trip time of messages by means of measuring the response time

Time-Sensitive Features Network Delay t 0 m t 1 A and B communicate through network: Message m sent at the moment t 0 is received at some later moment t 1, i.e. traversal of messages takes non-zero time t 1 t 0.

Time-Sensitive Features Network Delay t 0 m t 1 A and B communicate through network: Message m sent at the moment t 0 is received at some later moment t 1, i.e. traversal of messages takes non-zero time t 1 t 0. m 1 t 1 m 2 t 2 Processing Time Message m 1 is received at the moment t 1. Reply m 2 is sent at some later moment t 2. That is, processing takes non-zero time t 2 t 1.

Time-Bounding Needham-Schroeder Protocol A B t 0 {N A, A} KB t 1 t 3 {N A, N B } KA t 2 {N B } KB t t 5 4 If t 3 t 0 R for a given response bounding time R, then A and sends to Bob the confirmation message {N B } KB.

Time-Bounding Needham-Schroeder Protocol The protocol is secure if the "accepted" N A and N B may never be revealed to somebody else except Alice and Bob. For which response bounding time R is there an attack?

Time-Bounding Needham-Schroeder Protocol The protocol is secure if the "accepted" N A and N B may never be revealed to somebody else except Alice and Bob. For which response bounding time R is there an attack? We show that the answer depends on whether time is considered discrete or continuous.

Time-Bounding Needham-Schroeder Protocol The protocol is secure if the "accepted" N A and N B may never be revealed to somebody else except Alice and Bob. For which response bounding time R is there an attack? We show that the answer depends on whether time is considered discrete or continuous. We show that the answer also depends on network delay and on internal processing time.

Time-Bounding Needham-Schroeder Protocol A t 0 {N A, A} KB B t 1 The protocol is safe with an appropriate response bounding time R when using a model with discrete time : no attack can be found. t 3 {N A, N B } KA t 2 {N B } KB t t 5 4

Time-Bounding Needham-Schroeder Protocol A t 0 {N A, A} KB B t 1 The protocol is safe with an appropriate response bounding time R when using a model with discrete time : no attack can be found. t 3 {N A, N B } KA t 2 {N B } KB t t 5 4 The protocol is insecure for any response bounding time R in the case of continuous time : there is a timed version of Lowe attack.

Attack on Time-Bounding Needham-Schroeder Protocol Alice Mallory {N t A, A} km 0 t 1 Bob Lowe-style attack t 2 {N A, A} kb t 3 Mallory forces Bob to believe that he communicated with Alice, and that only Alice learned Bob s nonce N B. t 7 t 5 {N A, N B } ka t 6 {N A, N B } ka t 4 Actually, Bob communicated with Mallory, and Mallory learned N B. {N t B } km 8 t 9 {N t B } kb 10 t 11

Attack on Time-Bounding Needham-Schroeder Protocol Alice Mallory {N t A, A} km 0 t 1 Bob Lowe-style attack t 2 {N A, A} kb t 3 Mallory forces Bob to believe that he communicated with Alice, and that only Alice learned Bob s nonce N B. t 7 t 5 {N A, N B } ka t 6 {N A, N B } ka t 4 Actually, Bob communicated with Mallory, and Mallory learned N B. {N t B } km 8 t 9 Under which time conditions is the attack possible? {N t B } kb 10 t 11

Attack on Time-Bounding Needham-Schroeder Protocol Alice Mallory t 0 = 0 {N A, A} km t 1 = 1 Bob Lowe-style attack t 2 = 2 {N A, A} kb t 3 = 3 Discrete time model t 7 = 7 t 5 = 5 {N A, N B} ka {N A, N B} ka t 6 = 6 t 4 = 4 Since both network delay and processing take at least 1 time unit, attack can be performed only for response bounding time R 7. {N t 8 = 8 B} km t 9 = 9 {N t 10 = 10 B} kb t 11 = 11

Attack on Time-Bounding Needham-Schroeder Protocol Alice Mallory t 0 = 0 {N A, A} km t 1 = 1 Bob Lowe-style attack t 2 = 2 {N A, A} kb t 3 = 3 Discrete time model t 7 = 7 t 5 = 5 {N A, N B} ka {N A, N B} ka t 6 = 6 t 4 = 4 Since both network delay and processing take at least 1 time unit, attack can be performed only for response bounding time R 7. {N t 8 = 8 B} km t 9 = 9 There is no attack for R < 7. {N t 10 = 10 B} kb t 11 = 11

Attack on Time-Bounding Needham-Schroeder Protocol Alice Mallory t 0 = 0 {N A, A} km t 1 = 0.1 Bob Lowe-style attack t 2 = 0.2 {N A, A} kb t 3 = 0.3 Continuous time model t 5 = 0.5 {N A, N B} ka t 4 = 0.4 Attack is possible for every response bounding time t 7 = 0.7 {N A, N B} ka t 6 = 0.6 R > 0 {N t 8 = 0.8 B} km t 9 = 0.9 {N t 11 = 1 B} kb t 11 = 1.1

Discrete vs. Continuous Time The existance of the attack depends on whether time is considered discrete or continuous. No rescaling of discrete time units removes this issue: For any discretisation of time, such as days, seconds or any other infinitesimal time unit, there is a protocol, for which - there exists an attack with continuous time, and - no attack is possible in the discrete case.

Discrete vs. Continuous Time The existance of the attack depends on whether time is considered discrete or continuous. No rescaling of discrete time units removes this issue: For any discretisation of time, such as days, seconds or any other infinitesimal time unit, there is a protocol, for which - there exists an attack with continuous time, and - no attack is possible in the discrete case. Between moments t i and t j only a finite number of acts can happen within discrete time, whereas an unbounded number of timed events are possible within continuous time.

Specification of Cyber-Physical Security Protocols Lower bounds for passing messages and processing requests a - strict lower bound for passing messages b - strict lower bound for processing messages t 0 m t 1 Network Delay Traversal of messages is greater then a : t 1 t 0 > a m 1 t 1 m 2 t 2 Processing Time Internal processing is greater then b : t 2 t 1 > b

Time-Bounding Needham-Schroeder Protocol Lower bounds for passing messages and processing requests a - strict lower bound for passing messages b - strict lower bound for processing messages A B t 0 {N A, A} KB t 1 For which R the protocol is safe? For which R there is an attack? t 3 {N A, N B } KA t 2 {N B } KB t t 5 4

Time-Bounding Needham-Schroeder Protocol Lower bounds for passing messages and processing requests a - strict lower bound for passing messages b - strict lower bound for processing messages A B t 0 t 3 {N A, A} KB {N A, N B } KA t 1 t 2 {N B } KB t t 5 4 For which R the protocol is safe? For which R there is an attack? Given explicit lower bounds we can provide precise results.

Time-Bounding Needham-Schroeder Protocol Lower bounds for passing messages and processing requests a - strict lower bound for passing messages b - strict lower bound for processing messages In case a > 0 or b > 0, for non-negative integers a, b, For discrete time, there is no Dolev-Yao attack on the time-bounding Needham-Schroeder protocol with response bounding time R < 4a + 3b + 7. For continuous time, there is no Dolev-Yao attack on the time-bounding Needham-Schroeder protocol with the response bounding time R < 4a + 3b.

Discrete vs. Continuous Time Protocol verification Discrete Time Models Continuous Time Models There is a difference! There are protocols for which there is no attack in the discrete time model, but there is an attack in the continuous time model.

Discrete vs. Continuous Time Protocol verification Discrete Time Models Continuous Time Models There is a difference! There are protocols for which there is no attack in the discrete time model, but there is an attack in the continuous time model. One should be aware of this difference in cyber-physical security protocol verification.

Complexity results Planning Problem \ Reachability Problem Untimed system PSPACE-complete [Kanovich et al., FAST 10] Balanced System with PSPACE-complete actions discrete time [Kanovich et al.,rta 12] System with real time Actions not necessarily balanced PSPACE-complete new Undecidable Though the nonce updates cause a potentially infinite number of states, the PSPACE membership is given for the timed systems with fresh values (nonces).

Future Work Investigating the power of our intruder model: how much damage can be done under which conditions Alternative Intruder and Protocol Models e.g. agents allowed to move, not static Implementation of our model in automated tools e.g. Maude: verifying cyber-physical protocols Specification of asynchronous systems Time synchronization mechanisms Network Time Protocols Analysis of security protocols e.g. timestamps, timing channels

Related Work Durgin, Lincoln, Mitchell, Scedrov. Multiset rewriting and the complexity of bounded security protocols. 1999. Kanovich, Okada, Scedrov. Specifying real-time finite-state systems in linear logic, 1998. Alur, Dill. A theory of timed automata, 1994. Brands, Chaum. Distance-bounding protocols, 1993. Meadows, Poovendran, Pavlovic, Chang, Syverson. Distance bounding protocols: Authentication logic analysis and collusion attacks, 2007. Lanotte, Maggiolo-Schettini, Troina. Reachability results for timed automata with unbounded data structures, 2010. Malladi, Bruhadeshwar, Kothapalli. Automatic analysis of distance bounding protocols, 2010.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback