Abstract Specification of Crypto- Protocols and their Attack Models in MSR

Similar documents
MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Typed MSR: Syntax and Examples

Lecture 7: Specification Languages

One Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC

The Logical Meeting Point of Multiset Rewriting and Process Algebra

Notes on BAN Logic CSG 399. March 7, 2006

Control Flow Analysis of Security Protocols (I)

CPSA and Formal Security Goals

A Logic of Authentication

Relating State-Based and Process-Based Concurrency through Linear Logic

A Calculus for Control Flow Analysis of Security Protocols

Time-Bounding Needham-Schroeder Public Key Exchange Protocol

Models and analysis of security protocols 1st Semester Security Protocols Lecture 6

Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

Discrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality

Extending Dolev-Yao with Assertions

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania

Models for an Adversary-Centric Protocol Logic

Verification of Security Protocols in presence of Equational Theories with Homomorphism

CS 395T. Probabilistic Polynomial-Time Calculus

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool

Strand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001

Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions

A Cryptographic Decentralized Label Model

Automata-based analysis of recursive cryptographic protocols

Quantum Wireless Sensor Networks

Analysis of authentication protocols Intership report

On the Automatic Analysis of Recursive Security Protocols with XOR

On the Verification of Cryptographic Protocols

A progress report on using Maude to verify protocol properties using the strand space model

MASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY

Proving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory

A compositional logic for proving security properties of protocols

Negative applications of the ASM thesis

APPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.

Asymmetric Encryption

Optimization of the Hamming Code for Error Prone Media

Automated Validation of Internet Security Protocols. Luca Viganò

Report Documentation Page

Analysing privacy-type properties in cryptographic protocols

THE SHAPES OF BUNDLES

1 Secure two-party computation

Gurgen Khachatrian Martun Karapetyan

An Efficient Cryptographic Protocol Verifier Based on Prolog Rules

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Public Key Cryptography

Optimization of the Hamming Code for Error Prone Media

CPSC 467: Cryptography and Computer Security

Algorithmic Number Theory and Public-key Cryptography

Computing on Encrypted Data

Mechanizing Elliptic Curve Associativity

A process algebraic analysis of privacy-type properties in cryptographic protocols

Handling Encryption in an Analysis for Secure Information Flow

The Faithfulness of Abstract Protocol Analysis: Message Authentication

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Skeletons and the Shapes of Bundles

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

NSL Verification and Attacks Agents Playing Both Roles

The Needham-Schroeder-Lowe protocol

Cryptography IV: Asymmetric Ciphers

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

A new security notion for asymmetric encryption Draft #8

Lecture 1: Introduction to Public key cryptography

1 Indistinguishability for multiple encryptions

Deciding the Security of Protocols with Commuting Public Key Encryption

THE SHAPES OF BUNDLES

CPSC 467b: Cryptography and Computer Security

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Notes for Lecture 9. 1 Combining Encryption and Authentication

The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability

Fundamentals of Modern Cryptography

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Exam Security January 19, :30 11:30

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

The Underlying Semantics of Transition Systems

The Sizes of Skeletons: Security Goals are Decidable

Proving Properties of Security Protocols by Induction

A derivation system and compositional logic for security protocols

Authentication Tests and Disjoint Encryption: a Design Method for Security Protocols

An extension of HM(X) with bounded existential and universal data-types

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

A Short Tutorial on Proverif

Picnic Post-Quantum Signatures from Zero Knowledge Proofs

A simple procedure for finding guessing attacks (Extended Abstract)

An Undecidability Result for AGh

Cryptographic Protocols Notes 2

An undecidability result for AGh

Reduction of the Intruder Deduction Problem into Equational Elementary Deduction for Electronic Purse Protocols with Blind Signatures

1 Number Theory Basics

Automatic, computational proof of EKE using CryptoVerif

A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Transcription:

Abstract Specification of Crypto- Protocols and their Attack Models in MSR Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ Software Engineering Institute - CMU August 6 th, 2001

Outline I. Dolev-Yao specifications II. Specifying Protocols in MSR III.Access Control IV. Specifying Attacker Models V. Inferring the Dolev-Yao Attacker Specifying Crypto-Protocols and their Intruder Models in MSR 2

Part I Dolev-Yao Specification of Security Protocols Specifying Crypto-Protocols and their Intruder Models in MSR 3

Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Distributed hostile environment Prudent engineering practice Inadequate specification languages the devil is in details Specifying Crypto-Protocols and their Intruder Models in MSR 4

Dolev-Yao Abstraction Symbolic data No bit-strings Perfect cryptography No guessing of keys Public knowledge soup Magic access to data Specifying Crypto-Protocols and their Intruder Models in MSR 5

pictorially s a k b k a Specifying Crypto-Protocols and their Intruder Models in MSR 6

Languages to Specify What? Message flow Message constituents Operating environment Protocol goals Specifying Crypto-Protocols and their Intruder Models in MSR 7

Desirable Properties Unambiguous Simple Flexible Applies to a wide class of protocols Insightful Gives insight about protocols Specifying Crypto-Protocols and their Intruder Models in MSR 8

Part II Specifying Protocols in MSR Specifying Crypto-Protocols and their Intruder Models in MSR 9

What s in MSR 2.0? Multiset rewriting with existentials Dependent types w/ subsorting Memory predicates New New Constraints New Specifying Crypto-Protocols and their Intruder Models in MSR 10

Terms Atomic terms Principal names Keys Nonces Term constructors ( ) {_} _ [_] _ {{_}} _ A k n D e f i n a b l e Specifying Crypto-Protocols and their Intruder Models in MSR 11

Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory Specifying Crypto-Protocols and their Intruder Models in MSR 12

Types of Terms A: princ n: nonce k: shk A B k: pubk A Types can depend on term Captures relations between objects k : privk k (definable) Specifying Crypto-Protocols and their Intruder Models in MSR 13

Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Specifying Crypto-Protocols and their Intruder Models in MSR 14

Role state predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data Specifying Crypto-Protocols and their Intruder Models in MSR 15

Memory Predicates New M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder Specifying Crypto-Protocols and their Intruder Models in MSR 16

Constraints New χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) Specifying Crypto-Protocols and their Intruder Models in MSR 17

Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A Specifying Crypto-Protocols and their Intruder Models in MSR 18

Roles Role state pred. var. declarations Generic roles Role owner Anchored roles L: τ (x 1 ) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs L: τ (x1) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A A Specifying Crypto-Protocols and their Intruder Models in MSR 19

Needham-Schroeder Public-Key Protocol (fragment) A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb ( Usual Notation ) Specifying Crypto-Protocols and their Intruder Models in MSR 20

MSR 2.0 NS Initiator A L: princ x princ (B) x pubk B x nonce. B: princ k B : pubk B n A :nonce. L(A,B,k B,n A ) N({n A,A} kb ) k A : pubk A k A : privk k A n A,n B : nonce L(A,B,k B,n A ) N({n A,n B } ka ) N({n B } kb ) Specifying Crypto-Protocols and their Intruder Models in MSR 21

MSR 2.0 NS Responder L: princ (B) x princ (A) x pubk B (kb) x privk k B x nonce x pubk A x nonce. B k B : pubk B k B : privk k B A: princ n A : nonce k A : pubk A N({n A,A} kb ) n B :nonce. L( ) N({n A,n B } ka ) n B : nonce L(B,k B,k B,A,n A,k A,n B ) N({n B } kb ) Specifying Crypto-Protocols and their Intruder Models in MSR 22

Type Checking New Σ P t has type τ in Γ Catches: Γ t : τ Encryption with a nonce P is welltyped in Σ Transmission of a long term key Circular key hierarchies, Static and dynamic uses Decidable Specifying Crypto-Protocols and their Intruder Models in MSR 23

Execution Model 1-step firing P C C Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules Specifying Crypto-Protocols and their Intruder Models in MSR 24

Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signature a : τ L l : τ M _ : τ Specifying Crypto-Protocols and their Intruder Models in MSR 25

Rule application Constraint check F, χ n:τ. G(n) Σ = χ (constraint handler) Firing [S 1 ] R Σ [S 2 ] R Σ, c:τ c not in S 1 S, F S, G(c) Specifying Crypto-Protocols and their Intruder Models in MSR 26

Properties Admissibility of parallel firing Type preservation Access control preservation Completeness of Dolev-Yao intruder New Specifying Crypto-Protocols and their Intruder Models in MSR 27

Part III Access Control Specifying Crypto-Protocols and their Intruder Models in MSR 28

Access Control r is AC-valid for A in Γ Catches Γ A r New P is ACvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Static Decidable Gives meaning to Dolev-Yao intruder Specifying Crypto-Protocols and their Intruder Models in MSR 29

Overview Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Verify access to data Specifying Crypto-Protocols and their Intruder Models in MSR 30

Processing a Rule Γ A lhs >> Δ Γ; Δ A rhs Γ A lhs rhs Specifying Crypto-Protocols and their Intruder Models in MSR 31

Processing Predicates on the LHS Network messages Γ ; Δ A t >> Δ Γ; Δ A N(t) >> Δ Memory predicates Γ ; Δ A t 1,,t n >> Δ Γ; Δ A M A (t 1,,t n ) >> Δ Specifying Crypto-Protocols and their Intruder Models in MSR 32

Interpreting Data on the LHS Pairs Γ; Δ A t 1, t 2 >> Δ Γ; Δ A (t 1, t 2 ) >> Δ Encrypted terms Γ; Δ A k >> Δ Γ; Δ A t >> Δ Γ; Δ A {t} k >> Δ Elementary terms Γ; (Δ,x) A x >> (Δ,x) (Γ,x:τ); Δ A x >> (Δ,x) Specifying Crypto-Protocols and their Intruder Models in MSR 33

Accessing Data on the LHS Shared keys Γ; (Δ,k) A k >> (Δ,k) (Γ,x:shK A B); Δ A x >> (Δ,x) Public keys (Γ,k:pubK A,k :privk k); (Δ,k ) A k >> (Δ,k ) (Γ,k:pubK A,k :privk k); Δ A k >> (Δ,k ) Specifying Crypto-Protocols and their Intruder Models in MSR 34

Generating Data on the RHS Nonces (Γ, x:nonce); (Δ, x) A rhs Γ; Δ A x:nonce. rhs Specifying Crypto-Protocols and their Intruder Models in MSR 35

Constructing Terms on the RHS Pairs Γ; Δ A t 1 Γ; Δ A t 2 Γ; Δ A (t 1, t 2 ) Shared-key encryptions Γ; Δ A t Γ; Δ A k Γ; Δ A {t} k Specifying Crypto-Protocols and their Intruder Models in MSR 36

Accessing Data on the RHS Principal Γ, B:princ A B Shared key Γ, B:princ, k:shk A B A k Public key Γ, B:princ, k:pubk B A k Private key Γ, k:pubk A, k :privk k A k Specifying Crypto-Protocols and their Intruder Models in MSR 37

Part IV Specifying Attacker Models Specifying Crypto-Protocols and their Intruder Models in MSR 38

Execution with an Attacker P, P I C C Selected principal(s): Generic capabilities: Well-typed AC-valid I P I Modeled completely within MSR Specifying Crypto-Protocols and their Intruder Models in MSR 39

The Dolev-Yao Intruder Specific protocol suite P DY Underlies every protocol analysis tool Completeness still unproved!!! Specifying Crypto-Protocols and their Intruder Models in MSR 40

Capabilities of the D-Y Intruder Intercept / emit messages Split / form pairs Decrypt / encrypt with known key Look up public information Generate fresh data Specifying Crypto-Protocols and their Intruder Models in MSR 41

DY Intruder Data access M I (t) : Intruder knowledge A: princ. M I (A) I A: princ k: shk I A M I (k) I + dual A: princ k: pubk A M I (k) I k: pubk I k : privk k M I (k ) I No nonces, no other keys, Specifying Crypto-Protocols and their Intruder Models in MSR 42

DY Intruder Data Generation Safe data n:nonce. M I (n) I m:msg. M I (m) I Anything else? A,B:princ. k:shk A B. M I (k) I??? It depends on the protocol!!! Automated generation Specifying Crypto-Protocols and their Intruder Models in MSR 43

DY Intruder vs. AC AC-valid Well-typed Dolev-Yao intruder New/ D-Y Intruder inferred from AC rules AC rules inferred from prot. spec. (with help) Specifying Crypto-Protocols and their Intruder Models in MSR 44

Completeness of D-Y Intruder If P [S] R Σ [S ] R Σ with all well-typed and AC-valid Then P, P DY [S] R Σ [S ] R Σ Specifying Crypto-Protocols and their Intruder Models in MSR 45

Consequences Justifies design of current tools Support optimizations D-Y intr. often too general/inefficient Generic optimizations Per protocol optimizations Restrictive environments Caps multi-intruder situations Specifying Crypto-Protocols and their Intruder Models in MSR 46

Part V New Inferring the Dolev-Yao Intruder Specifying Crypto-Protocols and their Intruder Models in MSR 47

The Dolev-Yao Intruder Model Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Same operations as AC! Specifying Crypto-Protocols and their Intruder Models in MSR 48

Accessing Principal Names Γ, B:princ A B I B:princ. M I (B) I Specifying Crypto-Protocols and their Intruder Models in MSR 49

What did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore context Γ Specifying Crypto-Protocols and their Intruder Models in MSR 50

Checking it out: Shared Keys Γ, A:princ, B:princ, k:shk A B A k I I I B: princ k: shk I B M I (k) I + dual Specifying Crypto-Protocols and their Intruder Models in MSR 51

Getting Confident: Pub./Priv. Keys Γ, B:princ, k:pubk B A k I B: princ k: pubk B M I (k) I Γ, A:princ, k:pubk A, k :privk k A k I k: pubk I k : privk k M I (k ) Specifying Crypto-Protocols and their Intruder Models in MSR 52 I I I

Constructing Messages: Pairs Γ; Δ A t 1 Γ; Δ A t I I 2 Γ; Δ A (t 1, t 2 ) I t 1,t 2 :msg. M I (t 1 ), M I (t 2 ) M I ((t 1,t 2 )) I Specifying Crypto-Protocols and their Intruder Models in MSR 53

Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types Specifying Crypto-Protocols and their Intruder Models in MSR 54

Carrying on: Shared-Key Encrypt. Γ; Δ A t Γ; Δ A k I Γ; Δ A {t} I k I A,B: princ k: shk A B t: msg M I (t), M I (k) M I ({t} k ) I Similar for public-key encryption Specifying Crypto-Protocols and their Intruder Models in MSR 55

Generating Data: Nonces (Γ, x:nonce); (Δ, x) A rhs Γ; Δ A x:nonce. rhs I I x:nonce. M I (x) I Similarly for other generated data Specifying Crypto-Protocols and their Intruder Models in MSR 56

Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types One intruder rule for each AC rule Save generated object Specifying Crypto-Protocols and their Intruder Models in MSR 57

Interpreting Shared-Key Encrypt. Γ; Δ A k >> Δ Γ; Δ A t >> Δ I Γ; Δ A {t} k >> Δ I I A,B: princ k: shk A B t: msg M I ({t} k ), M I (k) M I (t) I Similar for public-key encryption pairing Specifying Crypto-Protocols and their Intruder Models in MSR 58

Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types One intruder rule for each AC rule Save generated object Premises consequent Conclusion antecedant Specifying Crypto-Protocols and their Intruder Models in MSR 59

Network Rules Γ ; Δ A t >> Δ Γ; Δ A N(t) >> Δ t:msg. N(t) M I (t) I Γ ; Δ A t Γ; Δ A N(t) t:msg. M I (t) N(t) I Specifying Crypto-Protocols and their Intruder Models in MSR 60

Other Rules? Either redundant, or t:msg. N(t) N(t) I or, innocuous (but sensible) t 1,,t n :msg. M I (t 1,,t n ) M I (t 1 ),,M I (t n ) I Specifying Crypto-Protocols and their Intruder Models in MSR 61

Dissecting AC 5 activities: Interpret message components on LHS Constructors atoms Pattern matching Trivial Access data (keys) on LHS Generate data on RHS Trivial Construct messages on RHS Access data on RHS Trivial Specifying Crypto-Protocols and their Intruder Models in MSR 62

Accessing data Annotate the type of freely accessible data princ: + type Make it conditional for dep. types pubk: * princ -> + type privk: ΠA: + princ. + pubk A -> + type Specifying Crypto-Protocols and their Intruder Models in MSR 63

Generating data Again, annotate types nonce:! type shk: + princ -> + princ ->! type shk: + princ -> + princ ->! type Specifying Crypto-Protocols and their Intruder Models in MSR 64

Interpreting constructors Mark arguments as input or output _,_: -msg -> -msg -> msg {_} _ : - msg -> ΠA: + princ. ΠB: + princ. + shk A B -> msg {{_}} _ : - msg -> ΠA: + princ. Πk: + pubk A. + privk k -> msg hash: + msg -> msg [_] _ : + msg -> ΠA: * princ. Πk: * sigk A. * verk k -> msg Specifying Crypto-Protocols and their Intruder Models in MSR 65

Annotating declarations Integrates semantics of types and constructors Trimmed down version of AC Allows constructing AC rules Allows constructing the Dolev-Yao intruder Specifying Crypto-Protocols and their Intruder Models in MSR 66

alternatively Compute AC rules from protocol There are finitely many annotations Check protocol against each of them Keep the most restrictive ones that validate the protocol Exponential! More efficient algorithms? Specifying Crypto-Protocols and their Intruder Models in MSR 67

Wrap-up Specifying Crypto-Protocols and their Intruder Models in MSR 68

Case-Studies Full Needham-Schroeder public-key Otway-Rees Neuman-Stubblebine repeated auth. OFT group key management Specifying Crypto-Protocols and their Intruder Models in MSR 69

Conclusions Framework for specifying protocols Precise Flexible Powerful Provides Type /AC checking Sequential / parallel execution model Insights about Dolev-Yao intruder Specifying Crypto-Protocols and their Intruder Models in MSR 70

Future work Experimentation Clark-Jacob library Fair-exchange protocols More multicast Pragmatics Type-reconstruction Operational execution model(s) Implementation Automated specification techniques Specifying Crypto-Protocols and their Intruder Models in MSR 71

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback