Formal Verification of Security Protocols – an Introduction Mads Dam KTH/CSC ACCESS – distributed management group.


Security Protocols
– Two or more parties
– Communication over an insecure network
– An active adversary can
  – intercept messages
  – forge messages
  – replay messages
– Cryptography is the countermeasure
  – encrypt data
  – sign and authenticate data
  – exchange secret keys
  – generate nonces and timestamps
(Figure: Alice, Bob, Charlie and Eve.)

Security Objectives
Goal: to preserve some desired property as far as possible in the face of attack.
– Confidentiality: secrecy of messages, secrecy of individual bits; anonymity, privacy
– Integrity: authenticity, distributed agreement, survivability
– Availability: denial-of-service prevention

Security Analysis
– Model the system: granularity, adversary access paths
– Model the adversary: memory, computational power, observational power
– Identify the security properties of interest
– Examine whether the properties are preserved under attack
– Result: under the given assumptions about the system and the adversary, no attack of a certain form destroys the property we are after
– Unconditional security is not possible; every result is relative to these assumptions

Modelling Decisions
– Modelling the system
  – Single or multiple sessions, several concurrent runs
  – Accuracy of the computation and communication model
  – Real or idealized crypto?
– How powerful is the attacker?
  – Simple replays
  – Blocking messages
  – Decomposing, reassembling and resending messages
  – Statistical analysis, traffic analysis?
  – Timing behaviour?
– Accuracy of the security properties

Needham-Schroeder Key Exchange (NSPK)
– N_A, N_B: nonces, freshly generated random numbers
– K_A, K_B: public keys of A and B
– {M}_{K_A}: encryption of M, readable only by A, since only A possesses the private key K_A^{-1}
– Goal of the protocol: mutual authentication and establishment of a shared secret (N_A, N_B)

  1. A → B: {A, N_A}_{K_B}
  2. B → A: {N_A, N_B}_{K_A}
  3. A → B: {N_B}_{K_B}

NSPK – Objectives
– Responder correctly authenticated: if A believes she has authenticated B, and B is honest, then B believes he has authenticated A
– Initiator correctly authenticated: if B believes he has authenticated A, and A is honest, then A believes she has authenticated B
– Nonce secrecy: at the end of the protocol, if A and B are both honest (and in particular do not overtly reveal N_A and N_B to a third party), then (N_A, N_B) is a secret shared between A and B

Lowe's Attack
– Man-in-the-middle attack: A starts a run with the dishonest E, and E uses A as a decryption oracle to obtain B's nonce N_B (half of the intended shared secret), completing a run with B in which B believes he is talking to A
– Note: the attack relies purely on the protocol's message structure, not on any weakness of the crypto
– G. Lowe: An Attack on the Needham-Schroeder Public-Key Authentication Protocol. Information Processing Letters (IPL), 1995

  E(A) denotes E impersonating A; message 3 is forwarded unchanged as message 4.
  1. A → E:    {A, N_A}_{K_E}
  2. E(A) → B: {A, N_A}_{K_B}
  3. B → E(A): {N_A, N_B}_{K_A}
  4. E → A:    {N_A, N_B}_{K_A}
  5. A → E:    {N_B}_{K_E}
  6. E(A) → B: {N_B}_{K_B}

Verification Approaches
– Cryptographic analysis: protocol security is reduced to number-theoretic assumptions
– Model checking: build state transition graphs for some system instances and check them as thoroughly as possible
– Theorem proving: phrase the problem as an idealized mathematical problem (perfect crypto, other simplifications) and prove it
– Process modelling approach: model the system as communicating processes, use equational reasoning
– Other: temporal logics, logics of knowledge and belief

Cryptographic Protocol Analysis
– Security reduced to number-theoretic assumptions, e.g.
  – hardness of prime factorization
  – Diffie-Hellman: hard to compute g^{αβ} given g^α and g^β, for α, β ∈ Z_q random
– Universally composable security [Canetti]: replace subprotocols by idealized versions while preserving security
– Successfully used to analyze complex protocols, e.g. [Wikström]
– The analysis is complex and highly error-prone
– Computationally sound formal analysis, cf. [Abadi-Rogaway]: currently an active area
R. Canetti: Universally Composable Security: A New Paradigm for Cryptographic Protocols. Proc. 42nd FOCS, 2001
D. Wikström: On the Security of Mix-Nets and Hierarchical Group Signatures. Ph.D. Thesis, KTH-CSC, 2005
M. Abadi, P. Rogaway: Reconciling Two Views of Cryptography. J. Cryptology, 2002

Model Checking
Idea: the system is modelled as communicating finite state machines
– Bounded state spaces, bounded state variable domains
– Communication by shared state variables or by message passing
– The query is a state reachability problem: is a "bad" state reachable?
– Automated state space traversal
  – Hashing: 1 bit per state suffices (bitstate hashing), at the price of probabilistic accuracy
– Examples: SPIN, SMV, Murφ ...

Limitations of Finite State Methods
Everything must be fixed in advance:
– Number of participants
– Participants' behaviour: no "unknown" transitions, no open systems
– Number of sessions
– Message space: no unbounded nesting encrypt(encrypt(...(encrypt(...))...))
– Memory of the honest parties, of the attacker, and of the communication channel
Really, this is "just" very comprehensive simulation.

Model Checking Security Protocols
1. Model the protocol entities and the network
   – Initiator and responder as finite state automata
   – Network as a shared variable (SMV, Murφ) or as a bounded buffer (SPIN)
2. Model the adversary
   – Typically one control state and bounded memory
   – Intercepts messages
   – Stores and recalls messages
   – Bounded generation of new messages from observed and initial data (typically: public keys)
3. Determine the "bad" states and hope for termination
Example: J. Mitchell, V. Shmatikov, U. Stern: Finite-State Analysis of SSL 3.0. USENIX Security Symposium, 1998
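Lowe's attack and the three modelling steps above, as an added worked example (my code, not part of the slides): a bounded Dolev-Yao search over one initiator and one responder session. The agent, nonce and key labels (A, B, E, NA, NB, NE) are hypothetical; the intruder follows the recipe on this slide (one control state, remembers everything it sees, generates bounded new messages from known atoms and public keys), the network is the intruder, and the "bad" state is B completing a run he believes was with honest A while the intruder knows N_B. Lowe's fix, which adds the responder's name to message 2, is included as a switch so the same search can show that it closes the attack.

```python
"""Bounded Dolev-Yao search for attacks on the Needham-Schroeder public-key protocol.

Terms are nested tuples. A str is an agent name or a nonce; ('pk', X) and
('sk', X) are X's key pair; ('enc', payload, ('pk', X)) is a tuple of atoms
encrypted for X. Crypto is perfect: decryption works only with ('sk', X).
A and B are honest, E is the intruder and is the network (hypothetical names).
"""
from collections import deque
from itertools import product

AGENTS = ('A', 'B', 'E')
MAX_DELIVERIES = 6          # bound on the number of messages the intruder delivers


def enc(payload, agent):
    return ('enc', tuple(payload), ('pk', agent))


def dec(term, agent):
    """Payload of term if it is encrypted under agent's public key, else None."""
    if isinstance(term, tuple) and term[0] == 'enc' and term[2] == ('pk', agent):
        return term[1]
    return None


def learn(know, term):
    """Intruder knowledge closure: store term, and open it if the private key is known."""
    know = set(know) | {term}
    for agent in AGENTS:
        if ('sk', agent) in know and dec(term, agent) is not None:
            know.update(dec(term, agent))
    return frozenset(know)


def intruder_messages(know):
    """Replay any known ciphertext, or encrypt 1-3 known atoms under a known public key."""
    atoms = sorted(t for t in know if isinstance(t, str))
    pks = sorted(t[1] for t in know if isinstance(t, tuple) and t[0] == 'pk')
    msgs = sorted(t for t in know if isinstance(t, tuple) and t[0] == 'enc')
    for n in (1, 2, 3):
        msgs += [enc(p, k) for p in product(atoms, repeat=n) for k in pks]
    return msgs


def step_a(state, msg, peer, fixed):
    """Initiator A in a run with `peer`; state = (step, n_b). Returns (state, output) or None."""
    payload = dec(msg, 'A')
    if state[0] != 1 or not payload or payload[0] != 'NA':
        return None
    if fixed and (len(payload) != 3 or payload[2] != peer):   # Lowe's fix: {N_A, N_B, B}_KA
        return None
    if not fixed and len(payload) != 2:
        return None
    return (2, payload[1]), enc((payload[1],), peer)


def step_b(state, msg, fixed):
    """Responder B; state = (step, claimed initiator, its nonce). Returns (state, output) or None."""
    payload = dec(msg, 'B')
    if payload is None:
        return None
    if state[0] == 0 and len(payload) == 2 and payload[0] in AGENTS:
        claimed, na = payload
        return (1, claimed, na), enc((na, 'NB', 'B') if fixed else (na, 'NB'), claimed)
    if state[0] == 1 and payload == ('NB',):
        return (2, state[1], state[2]), None
    return None


def find_attack(peer='E', fixed=False):
    """Breadth-first search over intruder deliveries; the shortest attack trace, or None.

    Bad state: B has completed a run he believes was with honest A, yet the
    intruder knows N_B, so nonce secrecy and B's authentication of A both fail.
    """
    know0 = frozenset({'A', 'B', 'E', 'NE', ('pk', 'A'), ('pk', 'B'), ('pk', 'E'), ('sk', 'E')})
    know0 = learn(know0, enc(('A', 'NA'), peer))      # A's message 1 is already on the network
    start = ((1, None), (0, None, None), know0)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        (a, b, know), trace = queue.popleft()
        if b[0] == 2 and b[1] == 'A' and 'NB' in know:
            return trace
        if len(trace) >= MAX_DELIVERIES:
            continue
        for msg in intruder_messages(know):
            for who in ('A', 'B'):
                res = step_a(a, msg, peer, fixed) if who == 'A' else step_b(b, msg, fixed)
                if res is None:
                    continue
                new, out = res
                nxt = ((new, b) if who == 'A' else (a, new)) + (learn(know, out) if out else know,)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, trace + [(who, msg)]))
    return None


if __name__ == '__main__':
    for fixed in (False, True):
        trace = find_attack(peer='E', fixed=fixed)
        print('Lowe fix:' if fixed else 'original:', 'no attack found' if trace is None else trace)
```

With the original message 2 the search returns the three intruder deliveries of Lowe's attack (the intruder's own decryption of message 1 and re-encryption of N_B are knowledge steps, not deliveries); with the fix, or when A honestly initiates with B, it exhausts the state space and reports nothing. Everything is fixed in advance, as the previous slide warns: one session per role, three agents, payloads of at most three atoms.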

Process-Oriented Models
– Model the "real" and the idealized system as concurrent processes: ideal system SPEC, real system IMPL
– Observational congruence SPEC ≈ IMPL: no observational difference between SPEC and IMPL; they are observationally "the same"
– Congruence: SPEC ≈ IMPL implies C[SPEC] ≈ C[IMPL] in any context C[-], even a hostile one ⇒ security against unknown attackers!
R. Milner: Communication and Concurrency. Prentice-Hall, 1989
R. Milner, J. Parrow, D. Walker: A Calculus of Mobile Processes, I and II. Information and Computation, 1992

Example: Applied Pi
– Based on the pi-calculus [Milner-Parrow-Walker-92]
– Processes communicate by synchronous handshaking
– Values = channel names
– νc: declares a new (private) name c
Passing a private name along, step by step:
1. A has the local name c and passes c to B
2. B receives c, spawns a node C with link b, and passes c on
3. C receives c; B forgets b and c
(Figure: nodes A, B and C connected by channels a and b, with the name c passed along.)

Applied Pi
Applied pi adds an equational theory over terms.
Example: the theory of pairs and asymmetric encryption
– Operations: pair(-,-), fst(-), snd(-), pk(-), sk(-), enc(-,-), dec(-,-)
– Equations:
    fst(pair(x,y)) = x
    snd(pair(x,y)) = y
    dec(enc(x,pk(y)),sk(y)) = x
Generation of random keys and nonces: use ν!
The NSPK initiator, first step:
  Alice_1(seed_A, pk_E) = νN_A . comm!enc(pair(A, N_A), pk_E) . Alice_2(seed_A, pk_E, N_A)
  Alice_2(seed_A, pk_E, N_A) = ... etc.
M. Abadi, C. Fournet: Mobile Values, New Names, and Secure Communication. Proc. POPL'01

Applications
– ProVerif: constraint-based tool developed by B. Blanchet
– Successfully used for the verification of complex protocols written in applied pi, e.g.
  – Just Fast Keying (JFK): a complex authentication and key-exchange protocol
  – A protocol for certified email
– Rationale for success: very rudimentary control flow in protocols; no branching on secrets
– Remaining challenges: multiple sessions/agents, richer control flow, cryptographic soundness
M. Abadi, B. Blanchet, C. Fournet: Just Fast Keying in the Pi Calculus. ACM TISSEC, 2007
M. Abadi, B. Blanchet: Computer-Assisted Verification of a Protocol for Certified Email. Science of Computer Programming, 2005

Epistemic Security Logics
Many security-related concepts are naturally phrased in terms of knowledge:
– A should not know the secret data
– B should know that the value received is the value sent
– B should know that C knows the value sent
– D should know that E does not know the vote cast
– F should not know that G and H share the secret x
– ... etc.
Epistemic logic: formalization of the modality "A knows F", where A is an agent and F a property of the agents' state
M. Burrows, M. Abadi, R. M. Needham: A Logic of Authentication. ACM TOCS, 1990

What Is Cryptographic Knowledge?
Not trivial. Standard accounts are cryptographically omniscient: if x = enc(y,z) holds, then A knows x = enc(y,z), whether or not A holds the decryption key. This ruins all cryptographic security!

What Is Cryptographic Knowledge?
State: an assignment of terms to variables, e.g.
  x = enc(y, pk(z))    accessible to A
  y = pair(0, 1)       not accessible to A
  z = c                not accessible to A
– All operations and public constants are one-way computable
– Different agents have access to different variables
– A knows F in state s: F holds at all global states s' that A cannot distinguish from s
E.g.: A knows y = pair(0,1); ¬(A knows x ≠ enc(k, pk(c')))

Results
– A cannot distinguish global states s and s' iff the same equations hold for A in s and s': static equivalence in applied pi
– Computationally justified semantics for BAN logic
– Complete axiomatization of validity
– For some theories, cryptographic soundness through the link to applied pi: A knows F at s if and only if F holds at all states that are computationally indistinguishable from s in the cryptographic sense
M. Cohen, M. Dam: Logical Omniscience in the Semantics of BAN Logic. Proc. FCS'05
M. Cohen, M. Dam: A Completeness Result for BAN Logic. Proc. M4M'05
M. Cohen, M. Dam: A Complete Axiomatization of Knowledge and Cryptography. Submitted
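The knowledge definition on the preceding two slides and its characterization by static equivalence in the Results, as an added example (my code, not from the slides or the cited papers). Frames, recipes and the equational theory are the ones from the Applied Pi slide; the two constructed states follow the shape of the example state (x = enc(y, pk(z)), z = c) and differ only in y. Static equivalence is decided by brute force over all attacker recipes up to a fixed depth, which is enough for this toy theory but is not how ProVerif or the cited completeness results proceed.

```python
"""Static equivalence of frames and the notion of knowledge it induces.

Terms are nested tuples; a plain str is a name, a variable or a public
constant. The equational theory is the one on the slides: pairs plus
asymmetric encryption. Names such as c are private to the frame: the
attacker builds recipes only from accessible variables and public constants.
"""
from itertools import product

CONSTANTS = ('0', '1')                      # public constants (hypothetical)
UNARY, BINARY = ('fst', 'snd', 'pk', 'sk'), ('pair', 'enc', 'dec')


def normalize(t):
    """Normal form under the fst/snd/dec equations, rewriting innermost terms first."""
    if isinstance(t, str):
        return t
    f, args = t[0], tuple(normalize(a) for a in t[1:])
    if f in ('fst', 'snd') and isinstance(args[0], tuple) and args[0][0] == 'pair':
        return args[0][1] if f == 'fst' else args[0][2]
    if (f == 'dec' and isinstance(args[0], tuple) and args[0][0] == 'enc'
            and isinstance(args[1], tuple) and args[1][0] == 'sk'
            and args[0][2] == ('pk', args[1][1])):
        return args[0][1]
    return (f,) + args


def recipes(variables, depth):
    """All attacker terms over the accessible variables and public constants, up to depth."""
    terms = set(variables) | set(CONSTANTS)
    for _ in range(depth):
        prev = list(terms)
        terms |= {(f, a) for f in UNARY for a in prev}
        terms |= {(f, a, b) for f in BINARY for a, b in product(prev, repeat=2)}
    return terms


def instantiate(recipe, frame):
    """Substitute the frame's terms for the recipe's variables; constants stay as they are."""
    if isinstance(recipe, str):
        return frame.get(recipe, recipe)
    return (recipe[0],) + tuple(instantiate(a, frame) for a in recipe[1:])


def distinguishing_test(frame1, frame2, depth=2):
    """Recipes (M, N) with M = N in exactly one frame, or None if no such test exists up to depth."""
    seen1, seen2 = {}, {}
    for r in sorted(recipes(frame1.keys(), depth), key=repr):
        v1 = normalize(instantiate(r, frame1))
        v2 = normalize(instantiate(r, frame2))
        if v1 in seen1 and seen1[v1][1] != v2:
            return seen1[v1][0], r              # equal in frame1 only
        if v2 in seen2 and seen2[v2][1] != v1:
            return seen2[v2][0], r              # equal in frame2 only
        seen1.setdefault(v1, (r, v2))
        seen2.setdefault(v2, (r, v1))
    return None


def knows(view, states, s, prop, depth=2):
    """A knows prop at s iff prop holds at every state A cannot distinguish from s.

    A sees only the variables in `view`; indistinguishability is static equivalence of the
    restricted frames, so a ciphertext A cannot decrypt reveals nothing about its content.
    """
    def frame(state):
        return {v: state[v] for v in view}
    return all(prop(t) for t in states if distinguishing_test(frame(s), frame(t), depth) is None)


def knows_omniscient(view, states, s, prop):
    """Standard (cryptographically omniscient) account: states are told apart by the literal
    values of the visible variables, so A 'sees through' enc without holding the key."""
    return all(prop(t) for t in states if all(t[v] == s[v] for v in view))


# Constructed states in the shape of the slide's example: x = enc(y, pk(z)), z = c.
S1 = {'x': ('enc', ('pair', '0', '1'), ('pk', 'c')), 'y': ('pair', '0', '1'), 'z': 'c'}
S2 = {'x': ('enc', ('pair', '1', '0'), ('pk', 'c')), 'y': ('pair', '1', '0'), 'z': 'c'}
STATES = [S1, S2]


def y_is_01(state):
    return state['y'] == ('pair', '0', '1')


if __name__ == '__main__':
    print('omniscient A (sees x) knows y = pair(0,1):', knows_omniscient(('x',), STATES, S1, y_is_01))
    print('cryptographic A (sees x) knows y = pair(0,1):', knows(('x',), STATES, S1, y_is_01))
    print('cryptographic A (sees x, z) knows y = pair(0,1):', knows(('x', 'z'), STATES, S1, y_is_01))
    print('distinguishing test given z:', distinguishing_test({'x': S1['x'], 'z': 'c'}, {'x': S2['x'], 'z': 'c'}))
```

Seeing only x, the omniscient agent "knows" y because the two ciphertexts are different terms, which is exactly the logical-omniscience problem of the slide before last; under static equivalence the two frames admit no distinguishing test, so A does not know y. Once z = c is accessible, A can form sk(z) (and pk(z)), the frames become distinguishable, and the knowledge reappears for the right reason.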

State of the Field
– Single-session, approximate analysis of industry-scale security protocols is becoming feasible
  – "static" protocols: limited control flow, no recursion, no concurrency
  – cf. the AVISPA project site
– Cryptographic analysis remains complex and error-prone
– Cryptographic soundness is an active research area; may become feasible in limited applications
– Main challenge, cf. ACCESS: lifting the analysis techniques to dynamic and concurrent systems

Survivable Systems
– Testing, diagnosis and repair of large-scale distributed systems: how?
– For a given protocol, how do we identify a faulty (random, Byzantine) node? How do we neutralize it?
– For which fault models? Random faults? Byzantine faults? Relative to a given attack goal?
– Goal: probabilistic guarantees for fault detection and elimination
(Figure: Alice, Bob, Charlie and Eve.)

Confidential Aggregation?
Example: epidemic (gossip) protocols
– At round 0: local estimate = local value
– At round n+1: neighbours exchange and average their local estimates
– The local value is leaked at step 1, and again whenever the local value changes
– Is it possible to aggregate without leaking information?
(Figure: A holds 4 and B holds 6; after one exchange both estimates are 5.)