Model Checking for Security Protocols
Will Marrero, Edmund Clarke, Somesh Jha
Needham-Schroeder Protocol (circa 1996) Purpose: Authenticate Participants
Assumptions
  Perfect Encryption
    The decryption key must be known to encrypt
    No encryption collisions
  Proofs offer no protection from poor encryption implementation!
Intruder’s Ability Interception Ex: Impersonation Ex: Legitimate Participant Ex: Compromise Temporary Secrets But those secrets should not be revealed by protocol
Security Properties
  Secrecy
    Tracked by two sets in global state
  Correspondence
    “If A believes it has completed two protocol runs with principal B, then principal B must have at least begun two protocol runs with principal A.”
    Tracked by counters in global state
Atomic Messages Keys Ex: Principal Names Ex: A, B, I Nonces Ex: Data
Messages and Atomic Messages Given A a set of atomic messages, M the set of all messages is defined inductively:
Closure of Messages Let be a subset of messages The closure of is defined by: (pairing) (projection) (encryption) (decryption)
Principals A 4-Tuple N the name of the principal p a process given as a sequence of actions to be performed is a set of known messages, generally infinite, but from a finite generator set. B a set of bindings from variables in p to messages in I
Initial Knowledge For the intruder
Global State A 5-Tuple is the product of the individual principals (including the intruder) difference between number of times A has initiated a protocol and the number of times B has finished responding difference between number of times A has begun responding and the number of times B has finished initiating
Global State Continued A 5-Tuple a set of safe secrets. Remains constant. a set of temporary secrets. New secrets generated during the run of the protocol. The last four values check security constraints.
Process
Internal Actions NEWNONCE( var ) NEWSECRET( var )
Internal Actions GETSECRET( val ) – Intruder Only
Internal Actions A calls BEGINIT(B), B calls ENDRESPOND(A) BEGRESPOND/ENDINIT Symmetric on
Communication Actions
  Sends and receives are synchronized
  A process can only send a message if it unifies with a receive message
  Sender must be able to sculpt a message that matches all existing bindings and expectations
  How does the intruder sculpt such a message?
Model Checking Algorithm
Finding a needle in a haystack Decidability of when is probably infinite? Normalized Derivation: (pairing) (projection) (encryption) (decryption) Expanding Rules Shrinking Rules
Normalized Derivation
  The following algorithm is guaranteed to terminate and decide :
    Start with a generator set
    Apply all possible shrinking rules
    Try all possible sequences of expanding rules until word size is equal to s
  Proves existence
An Efficient Approach
  When adding a message to I in :
    Apply all possible shrinking rules
    Remove ‘redundant messages’
  Result is minimal generator
  Can recursively attempt to build
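The shrink-then-build procedure from the last two slides, as an added example (not code from the slides or from the authors' tool). The tuple encoding of messages, the pub:/priv: key naming and the sample knowledge set are assumptions made here.

```python
# Messages: an atom is a str; ("pair", m1, m2) is a pair; ("enc", m, k) is m under key k.
# Assumption (not from the slides): "pub:X"/"priv:X" are inverses, other keys are symmetric.
def inverse(key):
    for a, b in (("pub:", "priv:"), ("priv:", "pub:")):
        if isinstance(key, str) and key.startswith(a):
            return b + key[len(a):]
    return key

def can_build(target, known):
    """Expanding rules only (pairing, encryption), tried top-down on the target."""
    if target in known:
        return True
    if isinstance(target, tuple) and target[0] in ("pair", "enc"):
        return all(can_build(part, known) for part in target[1:])
    return False

def shrink(knowledge):
    """Saturate under the shrinking rules (projection, decryption)."""
    known, changed = set(knowledge), True
    while changed:
        changed = False
        for m in list(known):
            parts = ()
            if isinstance(m, tuple) and m[0] == "pair":
                parts = m[1:]
            elif isinstance(m, tuple) and m[0] == "enc" and can_build(inverse(m[2]), known):
                parts = (m[1],)
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return known

def minimal_generator(knowledge):
    """Shrink, then drop every message that the rest can rebuild."""
    known = shrink(knowledge)
    for m in sorted(known, key=repr):
        if isinstance(m, tuple) and can_build(m, known - {m}):
            known = known - {m}
    return known

def derivable(target, knowledge):
    """Decide whether target is in the closure of knowledge."""
    return can_build(target, minimal_generator(knowledge))

# Constructed sample: an intruder I holding one intercepted message addressed to it.
SAMPLE = {"A", "pub:B", "pub:I", "priv:I", ("enc", ("pair", "Na", "A"), "pub:I")}

if __name__ == "__main__":
    print(derivable(("enc", ("pair", "Na", "A"), "pub:B"), SAMPLE))
    print(sorted(minimal_generator(SAMPLE)))
```

Because shrinking runs to a fixed point first, the membership test only ever needs the expanding rules, and it recurses on strictly smaller subterms of the target, so it terminates even though the closure itself is infinite.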
Verification and Attack
The lack of correspondence trace reveals the following attack: