ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University of Denmark 1 Dipartimento di Informatica, Università di Pisa 2 ASIAN 07 Doha, December 2007
Replay Attacks in s (Bob, Alice, Msg) (Carol, Alice, Msg)
Needham-Schroeder Invented in 1978 Flaw discovered in 1981 1. A S : A, B, N a 2. S A : {N a,b,k,{k, A} Kb } Ka 3. A B : {A, K} Kb 4. B A : {N b } K 5. A B : {N b 1} K 6. A B : {Msg} K Key distribution steps: The key should be known to both A and B Authentication steps: A and B make sure that they both know the key Message exchange step
Needham-Schroeder The Denning-Sacco Attack 1. A S : A, B, N a 2. S A : { N a,b,k,{k, A} Kb } Ka 3. A B : {A, K} Kb 4. B A : { N b } K 5. A B : { N b 1} K 6. A B : {Msg} K An old session key K is leaked 1.... 2.... 3. M(A) B : {A, K 0 } Kb 4. B M(A) : {N b } K 0 5. M(A) B : {N b 1} K 0 6. M(A) B : {Msg} K 0 A is convinced that K is fresh B believes he is talking to A! No such guarantee for B
protocol narrations Whole Picture Lysa Lysa Find the Denning-Saccoattack in lessthan 3 sec Dolev-Yao Control Flow Analysis
Calculus One global channel 1. A S : A, B, N a sender receiver payload ha, S, A, B, N a i. 2. S A : {N a,b,k,{k, A} Kb } Ka 3. A B : {A, K} Kb 4. B A : {N b } K 5. A B : {N b 1} K 6. A B : {Msg} K ha, B, {A, K} Kb i. pattern matching variable binding (A, B; y). decrypt y as {A; k} Kb in... P = P A P B P S
Session Identifiers protocol run 1 ha, S, N a i. (A, S; x). protocol run 2 ha, S, N a i. (A, S; x).
Session Identifiers protocol run 1 [ha, S, N a i.] 1 [(A, S; x).] 1 protocol run 2 [ha, S, N a i.] 2 [(A, S; x).] 2
Session Identifiers protocol run 1 T ([ha, S, N a i.] 1 ) T ([(A, S; x).] 1 ) protocol run 2 T ([ha, S, N a i.] 2 ) T ([(A, S; x).] 2 )
F T Dipartimento di Informatica - Università di Pisa Calculus Stops when reaching n or x F Terms E E Processes P P T Stops when reaching 0 or! F([{N} K ] s )={[N] s } [K]s T ([hni.0!((; x).0)] s )= T ([hni.0] s ) T([!((; x).0)] s )= h[n s ]i.0 [!((; x).0)] s 1. A S : A, B, N a ha, S, A, B, N a i. 2. S A : {N a,b,k,{k, A} Kb } Ka 3. A B : {A, K} Kb 4. B A : {N b } K 5. A B : {N b 1} K ha, B, {A, K} Kb i. (A, B; y). decrypt y as {A; k} Kb... in P = P A P B P S P =[!P ] 0 Unfold once in each semantics step 6. A B : {Msg} K
Freshness Property Equality with sessin IDs ingnored Extract the session ID E 0 E 0 0 E 1 E 0 1 R(I(E 0 ), I(E 0 0)) R(I(E 1 ), I(E 0 1)) decrypt [{E 1, E 2 } E0 ] s as {E 0 1 ; x 2} E 0 0 in P R P[E 2 /x 2 ] decrypt {[N a ] 1, [N b ] 1 } [K]1 as {[N a ] 1 ; x} [K]1 in 0 decrypt {[N a ] 2, [N b ] 2 } [K]2 as {[N a ] 1 ; x} [K]1 in 0
Static Analysis Approximation Over-Approximation Algorithms Control Flow Analysis All possible solutions Under-approxmation Actual Solution Over-approximation
Static Analysis Analysis of Terms ρ = E : ϑ Determine the possible values that each term may evaluate to Analysis of Processes ρ, κ = RM P : ψ Collect the values that may flow on the network Error component analysis(t ([P ] 0 )) analysis(t ([P ] 1 )) analysis(p)
The Error Component The error component collects labels of decryption where freshness violations may happen. For example: l ψ The empty error component implies free of replay attacks at run time
The Capabilities Eavesdrop Alter Insider or outsider or both Obtain old session keys
Analysis of Needham-Schroeder 1. A S : A, B, N a 2. S A : {N a,b,k,{k, A} Kb } Ka 3. A B : {A, K} Kb 4. B A : {N b } K 5. A B : {N b 1} K (A, B; y). 6. A B : {Msg} K ha, B, {A, K} Kb i. decrypt y as {A; k} Kb in... P = P A P B P S P =[!P ] 0 analysis(t ([P] 0 )) analysis(t ([P] 1 )) analysis(p) 0 T ([ha, B, {A, K} Kb i] 0 ) T ([(A, B, y). decrypt y as {A; k} Kb in] 0 ) Session 1 T ([ha, B, {A, K} Kb i] 1 ) T ([(A, B, y). decrypt y as {A; k} Kb in] 1 )
Conclusion Simply process calculus with cryptographic primitives for modelling security protocols Automatic algorithm for providing security assurances for protocols Semantics correct and sound Implementation has been used to validate a number of protocols
Thank You!
The Control Flow Analysis Over-approximate the protocol behaviour The values of the variables The messages flowing on the network For example: ρ : X P(Val) κ P(Val ) h[a] 1, [B] 1, [N] 1 i κ [N] 1 ρ(x)
Judgement for Decryption At each decryption point, check whether freshness may be violated ρ = E : ϑ E 1 : ϑ 1 ρ = E 0 : ϑ 0 [{v 1,v 2 } v0 ] s ϑ : v 0 ϑ 0 v 1 ϑ 1 v 2 ρ(x 2 ) (I(v 1 ) 6=I(E 1 ) l ψ) ρ, κ = P : ψ ρ, κ = decrypt E as {E 1 ; x 1 } l E 0 in P : ψ evaluate terms evaluate key for all encrypted values pattern matching variable binding freshness checking analyse the rest : membership relation with session IDs ignored