Abstract Specification of Crypto- Protocols and their Attack Models in MSR Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ Software Engineering Institute - CMU August 6 th, 2001
Outline I. Dolev-Yao specifications II. Specifying Protocols in MSR III.Access Control IV. Specifying Attacker Models V. Inferring the Dolev-Yao Attacker Specifying Crypto-Protocols and their Intruder Models in MSR 2
Part I Dolev-Yao Specification of Security Protocols Specifying Crypto-Protocols and their Intruder Models in MSR 3
Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Distributed hostile environment Prudent engineering practice Inadequate specification languages the devil is in details Specifying Crypto-Protocols and their Intruder Models in MSR 4
Dolev-Yao Abstraction Symbolic data No bit-strings Perfect cryptography No guessing of keys Public knowledge soup Magic access to data Specifying Crypto-Protocols and their Intruder Models in MSR 5
pictorially s a k b k a Specifying Crypto-Protocols and their Intruder Models in MSR 6
Languages to Specify What? Message flow Message constituents Operating environment Protocol goals Specifying Crypto-Protocols and their Intruder Models in MSR 7
Desirable Properties Unambiguous Simple Flexible Applies to a wide class of protocols Insightful Gives insight about protocols Specifying Crypto-Protocols and their Intruder Models in MSR 8
Part II Specifying Protocols in MSR Specifying Crypto-Protocols and their Intruder Models in MSR 9
What s in MSR 2.0? Multiset rewriting with existentials Dependent types w/ subsorting Memory predicates New New Constraints New Specifying Crypto-Protocols and their Intruder Models in MSR 10
Terms Atomic terms Principal names Keys Nonces Term constructors ( ) {_} _ [_] _ {{_}} _ A k n D e f i n a b l e Specifying Crypto-Protocols and their Intruder Models in MSR 11
Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory Specifying Crypto-Protocols and their Intruder Models in MSR 12
Types of Terms A: princ n: nonce k: shk A B k: pubk A Types can depend on term Captures relations between objects k : privk k (definable) Specifying Crypto-Protocols and their Intruder Models in MSR 13
Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Specifying Crypto-Protocols and their Intruder Models in MSR 14
Role state predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data Specifying Crypto-Protocols and their Intruder Models in MSR 15
Memory Predicates New M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder Specifying Crypto-Protocols and their Intruder Models in MSR 16
Constraints New χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) Specifying Crypto-Protocols and their Intruder Models in MSR 17
Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A Specifying Crypto-Protocols and their Intruder Models in MSR 18
Roles Role state pred. var. declarations Generic roles Role owner Anchored roles L: τ (x 1 ) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs L: τ (x1) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A A Specifying Crypto-Protocols and their Intruder Models in MSR 19
Needham-Schroeder Public-Key Protocol (fragment) A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb ( Usual Notation ) Specifying Crypto-Protocols and their Intruder Models in MSR 20
MSR 2.0 NS Initiator A L: princ x princ (B) x pubk B x nonce. B: princ k B : pubk B n A :nonce. L(A,B,k B,n A ) N({n A,A} kb ) k A : pubk A k A : privk k A n A,n B : nonce L(A,B,k B,n A ) N({n A,n B } ka ) N({n B } kb ) Specifying Crypto-Protocols and their Intruder Models in MSR 21
MSR 2.0 NS Responder L: princ (B) x princ (A) x pubk B (kb) x privk k B x nonce x pubk A x nonce. B k B : pubk B k B : privk k B A: princ n A : nonce k A : pubk A N({n A,A} kb ) n B :nonce. L( ) N({n A,n B } ka ) n B : nonce L(B,k B,k B,A,n A,k A,n B ) N({n B } kb ) Specifying Crypto-Protocols and their Intruder Models in MSR 22
Type Checking New Σ P t has type τ in Γ Catches: Γ t : τ Encryption with a nonce P is welltyped in Σ Transmission of a long term key Circular key hierarchies, Static and dynamic uses Decidable Specifying Crypto-Protocols and their Intruder Models in MSR 23
Execution Model 1-step firing P C C Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules Specifying Crypto-Protocols and their Intruder Models in MSR 24
Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signature a : τ L l : τ M _ : τ Specifying Crypto-Protocols and their Intruder Models in MSR 25
Rule application Constraint check F, χ n:τ. G(n) Σ = χ (constraint handler) Firing [S 1 ] R Σ [S 2 ] R Σ, c:τ c not in S 1 S, F S, G(c) Specifying Crypto-Protocols and their Intruder Models in MSR 26
Properties Admissibility of parallel firing Type preservation Access control preservation Completeness of Dolev-Yao intruder New Specifying Crypto-Protocols and their Intruder Models in MSR 27
Part III Access Control Specifying Crypto-Protocols and their Intruder Models in MSR 28
Access Control r is AC-valid for A in Γ Catches Γ A r New P is ACvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Static Decidable Gives meaning to Dolev-Yao intruder Specifying Crypto-Protocols and their Intruder Models in MSR 29
Overview Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Verify access to data Specifying Crypto-Protocols and their Intruder Models in MSR 30
Processing a Rule Γ A lhs >> Δ Γ; Δ A rhs Γ A lhs rhs Specifying Crypto-Protocols and their Intruder Models in MSR 31
Processing Predicates on the LHS Network messages Γ ; Δ A t >> Δ Γ; Δ A N(t) >> Δ Memory predicates Γ ; Δ A t 1,,t n >> Δ Γ; Δ A M A (t 1,,t n ) >> Δ Specifying Crypto-Protocols and their Intruder Models in MSR 32
Interpreting Data on the LHS Pairs Γ; Δ A t 1, t 2 >> Δ Γ; Δ A (t 1, t 2 ) >> Δ Encrypted terms Γ; Δ A k >> Δ Γ; Δ A t >> Δ Γ; Δ A {t} k >> Δ Elementary terms Γ; (Δ,x) A x >> (Δ,x) (Γ,x:τ); Δ A x >> (Δ,x) Specifying Crypto-Protocols and their Intruder Models in MSR 33
Accessing Data on the LHS Shared keys Γ; (Δ,k) A k >> (Δ,k) (Γ,x:shK A B); Δ A x >> (Δ,x) Public keys (Γ,k:pubK A,k :privk k); (Δ,k ) A k >> (Δ,k ) (Γ,k:pubK A,k :privk k); Δ A k >> (Δ,k ) Specifying Crypto-Protocols and their Intruder Models in MSR 34
Generating Data on the RHS Nonces (Γ, x:nonce); (Δ, x) A rhs Γ; Δ A x:nonce. rhs Specifying Crypto-Protocols and their Intruder Models in MSR 35
Constructing Terms on the RHS Pairs Γ; Δ A t 1 Γ; Δ A t 2 Γ; Δ A (t 1, t 2 ) Shared-key encryptions Γ; Δ A t Γ; Δ A k Γ; Δ A {t} k Specifying Crypto-Protocols and their Intruder Models in MSR 36
Accessing Data on the RHS Principal Γ, B:princ A B Shared key Γ, B:princ, k:shk A B A k Public key Γ, B:princ, k:pubk B A k Private key Γ, k:pubk A, k :privk k A k Specifying Crypto-Protocols and their Intruder Models in MSR 37
Part IV Specifying Attacker Models Specifying Crypto-Protocols and their Intruder Models in MSR 38
Execution with an Attacker P, P I C C Selected principal(s): Generic capabilities: Well-typed AC-valid I P I Modeled completely within MSR Specifying Crypto-Protocols and their Intruder Models in MSR 39
The Dolev-Yao Intruder Specific protocol suite P DY Underlies every protocol analysis tool Completeness still unproved!!! Specifying Crypto-Protocols and their Intruder Models in MSR 40
Capabilities of the D-Y Intruder Intercept / emit messages Split / form pairs Decrypt / encrypt with known key Look up public information Generate fresh data Specifying Crypto-Protocols and their Intruder Models in MSR 41
DY Intruder Data access M I (t) : Intruder knowledge A: princ. M I (A) I A: princ k: shk I A M I (k) I + dual A: princ k: pubk A M I (k) I k: pubk I k : privk k M I (k ) I No nonces, no other keys, Specifying Crypto-Protocols and their Intruder Models in MSR 42
DY Intruder Data Generation Safe data n:nonce. M I (n) I m:msg. M I (m) I Anything else? A,B:princ. k:shk A B. M I (k) I??? It depends on the protocol!!! Automated generation Specifying Crypto-Protocols and their Intruder Models in MSR 43
DY Intruder vs. AC AC-valid Well-typed Dolev-Yao intruder New/ D-Y Intruder inferred from AC rules AC rules inferred from prot. spec. (with help) Specifying Crypto-Protocols and their Intruder Models in MSR 44
Completeness of D-Y Intruder If P [S] R Σ [S ] R Σ with all well-typed and AC-valid Then P, P DY [S] R Σ [S ] R Σ Specifying Crypto-Protocols and their Intruder Models in MSR 45
Consequences Justifies design of current tools Support optimizations D-Y intr. often too general/inefficient Generic optimizations Per protocol optimizations Restrictive environments Caps multi-intruder situations Specifying Crypto-Protocols and their Intruder Models in MSR 46
Part V New Inferring the Dolev-Yao Intruder Specifying Crypto-Protocols and their Intruder Models in MSR 47
The Dolev-Yao Intruder Model Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Same operations as AC! Specifying Crypto-Protocols and their Intruder Models in MSR 48
Accessing Principal Names Γ, B:princ A B I B:princ. M I (B) I Specifying Crypto-Protocols and their Intruder Models in MSR 49
What did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore context Γ Specifying Crypto-Protocols and their Intruder Models in MSR 50
Checking it out: Shared Keys Γ, A:princ, B:princ, k:shk A B A k I I I B: princ k: shk I B M I (k) I + dual Specifying Crypto-Protocols and their Intruder Models in MSR 51
Getting Confident: Pub./Priv. Keys Γ, B:princ, k:pubk B A k I B: princ k: pubk B M I (k) I Γ, A:princ, k:pubk A, k :privk k A k I k: pubk I k : privk k M I (k ) Specifying Crypto-Protocols and their Intruder Models in MSR 52 I I I
Constructing Messages: Pairs Γ; Δ A t 1 Γ; Δ A t I I 2 Γ; Δ A (t 1, t 2 ) I t 1,t 2 :msg. M I (t 1 ), M I (t 2 ) M I ((t 1,t 2 )) I Specifying Crypto-Protocols and their Intruder Models in MSR 53
Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types Specifying Crypto-Protocols and their Intruder Models in MSR 54
Carrying on: Shared-Key Encrypt. Γ; Δ A t Γ; Δ A k I Γ; Δ A {t} I k I A,B: princ k: shk A B t: msg M I (t), M I (k) M I ({t} k ) I Similar for public-key encryption Specifying Crypto-Protocols and their Intruder Models in MSR 55
Generating Data: Nonces (Γ, x:nonce); (Δ, x) A rhs Γ; Δ A x:nonce. rhs I I x:nonce. M I (x) I Similarly for other generated data Specifying Crypto-Protocols and their Intruder Models in MSR 56
Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types One intruder rule for each AC rule Save generated object Specifying Crypto-Protocols and their Intruder Models in MSR 57
Interpreting Shared-Key Encrypt. Γ; Δ A k >> Δ Γ; Δ A t >> Δ I Γ; Δ A {t} k >> Δ I I A,B: princ k: shk A B t: msg M I ({t} k ), M I (k) M I (t) I Similar for public-key encryption pairing Specifying Crypto-Protocols and their Intruder Models in MSR 58
Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types One intruder rule for each AC rule Save generated object Premises consequent Conclusion antecedant Specifying Crypto-Protocols and their Intruder Models in MSR 59
Network Rules Γ ; Δ A t >> Δ Γ; Δ A N(t) >> Δ t:msg. N(t) M I (t) I Γ ; Δ A t Γ; Δ A N(t) t:msg. M I (t) N(t) I Specifying Crypto-Protocols and their Intruder Models in MSR 60
Other Rules? Either redundant, or t:msg. N(t) N(t) I or, innocuous (but sensible) t 1,,t n :msg. M I (t 1,,t n ) M I (t 1 ),,M I (t n ) I Specifying Crypto-Protocols and their Intruder Models in MSR 61
Dissecting AC 5 activities: Interpret message components on LHS Constructors atoms Pattern matching Trivial Access data (keys) on LHS Generate data on RHS Trivial Construct messages on RHS Access data on RHS Trivial Specifying Crypto-Protocols and their Intruder Models in MSR 62
Accessing data Annotate the type of freely accessible data princ: + type Make it conditional for dep. types pubk: * princ -> + type privk: ΠA: + princ. + pubk A -> + type Specifying Crypto-Protocols and their Intruder Models in MSR 63
Generating data Again, annotate types nonce:! type shk: + princ -> + princ ->! type shk: + princ -> + princ ->! type Specifying Crypto-Protocols and their Intruder Models in MSR 64
Interpreting constructors Mark arguments as input or output _,_: -msg -> -msg -> msg {_} _ : - msg -> ΠA: + princ. ΠB: + princ. + shk A B -> msg {{_}} _ : - msg -> ΠA: + princ. Πk: + pubk A. + privk k -> msg hash: + msg -> msg [_] _ : + msg -> ΠA: * princ. Πk: * sigk A. * verk k -> msg Specifying Crypto-Protocols and their Intruder Models in MSR 65
Annotating declarations Integrates semantics of types and constructors Trimmed down version of AC Allows constructing AC rules Allows constructing the Dolev-Yao intruder Specifying Crypto-Protocols and their Intruder Models in MSR 66
alternatively Compute AC rules from protocol There are finitely many annotations Check protocol against each of them Keep the most restrictive ones that validate the protocol Exponential! More efficient algorithms? Specifying Crypto-Protocols and their Intruder Models in MSR 67
Wrap-up Specifying Crypto-Protocols and their Intruder Models in MSR 68
Case-Studies Full Needham-Schroeder public-key Otway-Rees Neuman-Stubblebine repeated auth. OFT group key management Specifying Crypto-Protocols and their Intruder Models in MSR 69
Conclusions Framework for specifying protocols Precise Flexible Powerful Provides Type /AC checking Sequential / parallel execution model Insights about Dolev-Yao intruder Specifying Crypto-Protocols and their Intruder Models in MSR 70
Future work Experimentation Clark-Jacob library Fair-exchange protocols More multicast Pragmatics Type-reconstruction Operational execution model(s) Implementation Automated specification techniques Specifying Crypto-Protocols and their Intruder Models in MSR 71