Presentation is loading. Please wait.

Presentation is loading. Please wait.

Formal Verification of Security Protocols – an Introduction Mads Dam KTH/CSC ACCESS – distributed management group.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Formal Verification of Security Protocols – an Introduction Mads Dam KTH/CSC ACCESS – distributed management group."— Presentation transcript:

1 Formal Verification of Security Protocols – an Introduction Mads Dam KTH/CSC ACCESS – distributed management group

2 Security Protocols Two or more parties Communication over insecure network Active adversary can –Intercept messages –Forge messages –Replay messages Cryptography is countermeasure –Encrypt data –Sign and authenticate data –Exchange secret keys –Generate nonces and time stamps Alice Bob Charlie Eve

3 Security Objectives Goal: To preserve some desired property as far as possible in face of attack Confidentiality: Secrecy of message, secrecy of bits Anonymity, privacy Integrity: Authenticity Distributed agreement Survivability Availability: Denial of service prevention

4 Security Analysis Model system Granularity, adversary access paths Model adversary Memory, computational power, observational power Identify security properties of interest Examine if properties preserved under attack Result: –Under given assumptions about the system and the adversary, no attack of a certain form will destroy the property we’re after –Unconditional security is not possible

5 Modelling Decisions Modelling the system –Single or multiple sessions, several concurrent runs –Accuracy of computation and communication model –Real or idealized crypto? How powerful is the attacker? –Simple replays –Block messages –Decompose, reassemble and resend messages –Statistical analysis, traffic analysis? –Timing behaviour? Accuracy of security properties

6 Needham-Schroeder Key Exchange N A, N B : Nonces, freshly generated random numbers K A, K B : Public keys {M} K A : Encryption of M readable only to by A Since only A possesses secret key K A -1 Goal of protocol: Mutual authentication, establishment of shared secret (N A,N B ) AB {A,N A } K B {N A,N B } K A {N B } K B

7 NSPK - Objectives Responder correctly authenticated If A believes she has authenticated B, and B is honest, then B believes he has authenticated A Initiator correctly authenticated If B believes he has authenticated A, and A is honest, then A believes she has authenticated B Nonce secrecy At the end of the protocol, if A and B are both honest (and in particular do not overtly reveal N A and N B to a third party) then (N A, N B ) is a secret shared between A and B

8 Lowe’s Attack Man-in-the-middle attack Dishonest E tricks A into revealing B’s session key N B Note: Attack purely based on protocol functionality, not crypto dependent G. Lowe: An Attack on the Needham-Schroeder Public-Key Authentication Protocol, IPL 1995 AEB {A,N A } K E {A,N A } K B {N A,N B } K A {N B } K E

9 Verification Approaches Cryptographic analysis: Protocol security reduced to number-theoretic assumptions Model checking: Build state transition graphs for some system instances and check as well as possible Theorem proving: Phrase problem as idealized mathematical problem (perfect crypto, other simplifications) and prove it Process modelling approach: Model system as communicating processes, use equational reasoning Other: temporal logics, logics of knowledge and belief

10 Cryptographic Protocol Analysis Security reduced to number-theoretic assumptions, e.g.: Hardness of prime factorization Diffie-Hellman: Hard to compute g  given g  and g , for ,  2 Z q random Universally composable security [Canetti] Replace subprotocols by idealized versions while preserving security Successfully analyze complex protocols, e.g. [Wikström] Analysis complex and highly error-prone Computationally sound formal analysis Cf. [Rogaway-Abadi], currently active area R. Canetti: Universally Composable Security: A New Paradigm for Cryptogaphic Protocols. Proc. 42nd FOCS, 2001 D. Wikström: On the Security of Mix-Nets and Hierarchical Group Signatures. Ph.D. Thesis, KTH-CSC, 2005 M. Abadi, P. Rogaway: Reconciling Two Views of Cryptography, J. Cryptology, 2002

11 Model Checking Idea: System modelled as communicating finite state machines Bounded state spaces Bounded state variable domains Communication by shared state variables or message passing Query as state reachability problem Is ”bad” state reachable? Automated state space traversal Hashing: 1 bit per state suffices Subject to probabilistic accuracy Examples: SPIN, SMV, Mur ...

12 Limitations of Finite State Methods Everything must be fixed: Number of participants Participants behaviour So no ”unknown” transitions, no open systems Number of sessions Message space No encrypt(encrypt(...(encrypt(...))...)) Memory Of honest party, of attacker, or communication channel Really, this is ”just” very comprehensive simulation

13 Model Checking Security Protocols 1.Model protocol entities and network Initiator and responder as fsa’s Network as shared variable (SMV, Mur  ) - Or as bounded buffer (SPIN) 2.Model adversary Typically one control state, bounded memory - Intercept messages - Store and recall messages - Bounded generation of new messages, using observed and initial data (typically: Public keys) 3.Determine ”bad” states and hope for termination Example: J. Mitchell, V. Shmatikov, I Stern: Finite-State Analysis of SSL 3.0, USENIX 1998

14 Process-Oriented Models Model ”real” and idealized system as concurrent processes Ideal system: SPEC Real system: IMPL Observational congruence: SPEC ¼ IMPL No observational difference between SPEC and IMPL SPEC and IMPL are observationally ”the same” Congruence: SPEC ¼ IMPL implies C[SPEC] ¼ C[IMPL] in any context C[-] Even a hostile one ) security for unknown attackers! R. Milner: A Calculus of Communicating Processes, Prentice-Hall 1989 R. Milner, J. Parrow, D. Walker: A Calculus of Mobile Processes, I and II. Information and Computation 1992

15 Example: Applied Pi Based on pi-calculus [Milner-Parrow-Walker-92] Processes communicate by synchronous handshaking Values = channel names c: Declares new name c 1: A has local c, passes c to B 2: B receives c, spawns node C with link b, passes c on 3: C receives c, B forgets b and c a c a b c a b c c b 1 2 3 A A ABBB C C

16 Applied Pi Applied pi adds equational theory of names Example: theory of pairs and asymmetric encryption Operations: pair(-,-), fst(-), snd(-), pk(-), sk(-), dec(-,-), enc(-,-) Equations: fst(pair(x,y)) = x snd(pair(x,y) = y dec(enc(x,pk(y)),sk(y)) = x Generation of random keys and nonces: Use  !! Alice 1 (seed A,pk E ) = N A.comm!enc(pair(A,N A ),pk E ).Alice 2 (seed A,pk E,N A ) Alice 2 (seed A,pk E,N A ) =... etc... C. Fournet, M. Abadi: Mobile values, new names, and secure communication. Proc. POPL’01

17 Applications ProVerif: Constraint-based tool developed by B. Blanchet Successfully used for verification of complex protocols in applied pi Examples: Just Fast Keying – complex authentication protocol Protocol for certified email Rationale for success: Very rudimentary control flow in protocols No branching on secrets Remaining challenges: Multiple sessions/agents, richer control flow, cryptographic soundness M. Abadi, B. Blanchet, C. Fournet. Just Fast Keying in the Pi Calculus. TISSEC’07 M. Abadi, B. Blanchet. Computer-Assisted Verification of a Protocol for Certified Email. Science of Computer Programming 2005

18 Epistemic Security Logics Many security-related concepts are naturally phrased in terms of knowledge: –A should not know the secret data –B should know the value received is the value sent –B should know that C knows the value sent –D should know that E does not know the vote cast –F should not know that G and H shares the secret x –... etc. etc.... Epistemic logic: Formalization of modality A knows F Agent Property of agents state M. Burrows, M. Abadi, R. M. Needham: A Logic of Authentication. ToCS, 1990

19 What Is Cryptographic Knowledge? Not trivial Standard accounts are cryptographically omniscient: If x = enc(y,z) then A knows x = enc(y,z) Ruins all cryptographic security !!

20 What Is Cryptographic Knowledge? State: Assignment of terms to variables x = enc(y,pk(z)) y = pair(0,1) z = c All operations and public constants are one-way computable Different agents have access to different variables A knows F in state s: F holds at all global states s’ that A cannot distinguish from s

21 What Is Cryptographic Knowledge? State: Assignment of terms to variables x = enc(y,pk(z))Accessible to A y = pair(0,1)Not accessible to A z = cNot accessible to A All operations and public constants are one-way computable Different agents have access to different variables A knows F in state s: F holds at all global states s’ that A cannot distinguish from s E.g.: A knows y = pair(0,1), :(A knows x  enc(k,pk(c’))

22 Results A can distinguish global states s, s’: Same equations hold for A in s and s’ Static equivalence in applied pi Computationally justified semantics for BAN logic Complete axiomatization of validity For some theories, cryptographic soundness through link to applied pi: A knows F at s if and only if F holds at all states that are computationally indistinguishable from s in sense of cryptography M. Cohen, M. Dam: Logical Omniscience in the Semantics of BAN Logic, Proc. FCS’05 M. Cohen, M. Dam: A Completeness Result for BAN Logic, Proc. M4M’05 M. Cohen, M. Dam: A Complete Axiomatization of Knowledge and Cryptography, Submitted

23 State of the Field Single-session, approximate analysis of industry-scale security protocols becoming feasible - ”Static” protocols - Limited control flow, no recursion, no concurrency - Cf. Avispa project site Cryptographic analysis remains complex and error-prone Cryptographic soundness active research area - May become feasible in limited applications Main challenge, cf. ACCESS: - Lifting analysis techniques to dynamic and concurrent systems

24 Survivable Systems Testing, diagnosis, repair, of large scale distributed systems – how? For given protocol, how to identify a faulty (random, byzantine) node? How to neutralize a faulty node? For which fault models? Random faults? Byzantine faults? Relative to given attack goal? Goal: Probabilistic guarantees for fault detection and elimination Alice Bob Charlie Eve

25 Confidential Aggregation? Example: Epidemic protocols At round 0: Local estimate = local value At round n+1: Neighbours exchange + average local estimates Local value leaked at step 1 Or when local value changes Is it possible to aggregate without leaking information? A B 4 6 A B 2 3 2 3 A B 5 5

Download ppt "Formal Verification of Security Protocols – an Introduction Mads Dam KTH/CSC ACCESS – distributed management group."

Similar presentations

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
Computer Security Key Management

Computer Security Key Management
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.
1 © IBM, 2003-2004 A Reactively Secure Dolev-Yao-style Cryptographic Library DIMACS, June 2004 Michael Backes, Birgit Pfitzmann, Michael Waidner IBM Research,

1 © IBM, A Reactively Secure Dolev-Yao-style Cryptographic Library DIMACS, June 2004 Michael Backes, Birgit Pfitzmann, Michael Waidner IBM Research,
CSE331: Introduction to Networks and Security Lecture 24 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 24 Fall 2002.

Similar presentations

Ads by Google