Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automatic Analysis of Security Protocols using SPASS by Christoph Weidenbach.

Published byAlaina Wells Modified over 8 years ago

Similar presentations

Presentation on theme: "Automatic Analysis of Security Protocols using SPASS by Christoph Weidenbach."— Presentation transcript:

1 Automatic Analysis of Security Protocols using SPASS by Christoph Weidenbach

2 AN AUTOMATED THEOREM PROVER FOR FIRST- ORDER LOGIC WITH EQUALITY Automatic Analysis of Security Protocols using SPASS

3 Formalization of a concrete application: Neuman-Stubblebine key exchange protocol. Proof by refutation: ( Inconsistency ) intruder can break the protocol. Proof by consistency: ( Consistency ) no unsafe states exist.

4 The growing importance of the Internet causes a growing need for security protocols that protect transactions and communication. It turns out that the design of such protocols is highly error-prone.

5 Therefore, there is a need for tools that automatically detect flaws like, e.g., attacks by an intruder. A detailed description of the analysis can be found in [2].

6 Neumann-Stubbleline (1993) Summary: Protocol of session key exchange inspired by the Yahalom protocol with the addition of timestamps, and mutual authentication. Symmetric key cryptography with server.

7

8

9

10

11

12

13

14 The animation successively shows two runs of the Neuman-Stubblebine [1] key exchange protocol. The first run works the way the protocol is designed to do, i.e., it establishes a secure key between Alice and Bob.

15 The second situation shows a potential problem of the protocol. An intruder may intercept the final message sent from Alice to Bob, replace it with a different message and may eventually own a key that Bob believes to be a secure key with Alice.

16 The initial situation for the protocol is that the two participants Alice (A) and Bob (B) want to establish a secure session key, K ab, for communication between them. They do so with the help of a trusted server trust (Trent) where (master keys, K at and K bt ). The below picture shows a sequence of four message exchanges that eventually establishes the key K ab.

17

18 Timestamps In step 2, T b is a timestamp added to Trent’s message encrypted with the Bob’s key K bt Timestamps require a secure and accurate system clock - (not a trivial problem itself)

19 Timestamps Timestamps works. But it assumes that everyone’s clock are synchronized with a trusted server’s (Trent) clock. In practice, this effect is obtained by synchronizing clocks with a secure time server.

20 Timestamp Whether by system faults or by sabotage, clocks become unsynchronized. If clocks get out of sync, there is a possible attack against most of these protocols.

21

22

23

24

25

26 How can an intruder now break this protocol? The key Kab is only transmitted inside encrypted parts of messages and we assume that an intruder cannot break any keys nor does he know any of the initial keys Kat or Kbt. Here is what can happen:

27 The second situation shows a potential problem of the protocol. An intruder may intercept the final message sent from Alice to Bob, replace it with a different message and may eventually own a key that Bob believes to be a secure key with Alice.

28

29

30 Intruder (I)  Bob (B) In the final message, Intruder (I)  Bob (B), Bob decrypts the part of the message E bt (A, K ab, T b ) with his key K bt, extracts K ab, and (in a regular situation Bob confirms that T b and N b have the same values they did in step 2), … but now (in a attack of an intruder I) Bob decrypts the first part of the message E bt (A, N a, T b ), with his key K bt and believes that N a found is a secure session Key K ab he shares with Alice. Bob start communication with Alice … but he talks with Intruder I.

31 Here we will show that our automated theorem prover SPASS can successfully be used to analyze the Neuman-Stubblebine key exchange protocol [1].

32 To this end the protocol is formalized in logic and then the security properties are automatically analyzed by SPASS.

33 The key idea of the formalization is to describe the set of sent messages. This is done by introducing a monadic predicate M in first-order logic. Furthermore, every participant holds its set of known keys, represented by the predicates Ak for Alice’s keys, Bk for Bob’s keys, Tk for Trust’s keys and Ik for the keys the intruder knows. The rest of the used symbols is introduced and explained with the first appearance in a formula.

34 Step 1 The two formulae express that initially Alice holds the key at for communication with t (for Trust) and that she sends the first message. In order to formalize messages we employ a three place function sent where the first argument is the sender, the second the receiver and the third the content of the message. So the constant a represents Alice, b represents Bob, t Trust and i Intruder. The functions pair (triple, quadr) simply form sequences of messages of the indicated length.

35 Then the four messages can be translated into the following formulae: Step 1 to Step 4.

36 Step 2 Bob holds the key bt for secure communication with Trust and whenever he receives a message of the form of message 1 (formula (2)), he sends a key request to Trust according to message 2. Note that encryption is formalized by the two place function encr where the first argument is the data and the second argument the key. Every lowercase symbol starting with an x denotes a variable. The functions nb and tb generate, respectively, a new nonce and timestamp of B, tb(xna). span out of xa’s (Alice’s) request represented by her nonce xna.

37

38 Step 3 Trust holds the keys for Alice and Bob and answers appropriately to a message in the format of message 2. Note that decryption is formalized by unification with an appropriate term structure where it is checked that the necessary keys are known to Trust. The server generates the key by applying his key generation function kt to the nonce xna.

39

40 Step 4 Finally, Alice answers according to the protocol to message 3 and stores the generated key for communication, formula (7). Formula (8) describes Bob’s behaviour when he receives Alice’s message. Bob decodes this message and stores the new key as well.

41

42 USING THE SPASS SINTAX Conjectures = suposições ou hipóteses a serem provadas. list_of_formulae(conjectures). formula(exists([x],and(Ak(key(x,b)),Bk(key(x,a))))). end_of_list.

43 Sa is Alice’s local store that will eventually be used to verify the nonce when it is sent back to her in Step (3).

44

45

46

47

48 Now the protocol formulae together with the intruder formulae (9)-(20) and the insecurity formula before can be given to SPASS. Then SPASS automatically proves that this formula holds and that the problematic key is the nonce Na. The protocol can be repaired by putting type checks on the keys, such that keys can no longer be confused with nonces.

49 This can be added to the SPASS first-order logic formalization. Then SPASS disproves the insecurity formula. This capability is currently unique to SPASS. The experiment is available in full detail from the SPASS home page in the download area.

50 Based on these References: [1] Neuman, B. C. and Stubblebine, S. G., 1993, A note on the use of timestamps as nonces, ACM SIGOPS, Operating Systems Review, 27(2), 10- 14. [2] Weidenbach, C., 1999, Towards an automatic analysis of security protocols in first-order logic, in 16th International Conference on Automated Deduction, CADE-16, Vol. 1632 of LNAI, Springer, pp.378-382.

51 Other Provers Although some other provers might be able to prove that the insecurity formula holds in the formalization without type checks, we are currently not aware of any prover that can disprove the insecurity formula in the formalization with type checking. Further details can be found in reference [2].

52 State-of-the-art in automated theorem proving NRL Protocol Analyzer (Navy Research Laboratory) - PROLOG SPASS ProVerif Isabelle – High-Order Logic TAPS: A First-Order Verifier for Cryptographic Protocols http://www.swmath.org/software/2244 http://www.swmath.org/?term=security%20protocols

53 A Prática http://www.spass-prover.org/ Downloads  (Problem Libraries) The Neuman-Stubblebine Security Protocol Analysis Version 1.1 (.tgz 1KB).tgz You can copy the above input description for SPASS and paste it in our WebSPASS interface. WebSPASS

Download ppt "Automatic Analysis of Security Protocols using SPASS by Christoph Weidenbach."

Similar presentations

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
1 Security in Wireless Protocols Bluetooth, 802.11, ZigBee.

1 Security in Wireless Protocols Bluetooth, , ZigBee.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
More on AuthenticationCS-4513 D-term 20081 More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

Similar presentations

Ads by Google