Download presentation
Presentation is loading. Please wait.
1
Fine-Grained MSR Specifications for Quantitative Security Analysis Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano/ Protocol Analysis Seminar, NPS, Monterey, CAFebruary 9, 2004
2
Quantitative Security Analysis1/25 Seminar Web Page http://theory.stanford.edu/~iliano/umbc/
3
Quantitative Security Analysis2/25 Qualitative (Dolev-Yao) Analysis Classifies protocol operations in Possible (Dolev-Yao) Reception/transmission Crypto with key, … Impossible Guessing keys Breaking crypto, … Security assessed only on possible ops “Easily” achieved by most current tools What next? “Easy” (polynomial) “Hard” (exponential)
4
Quantitative Security Analysis3/25 Analysis beyond Dolev-Yao D a t a CryptoCrypto Perfect Real SymbolicBit-oriented More ops - xor - DH, … Type confusion Guessing Probabilistic Crypto hybrid - probability - complexity Cost-aware
5
Quantitative Security Analysis4/25 Cost-Aware Security Analysis Assign cost to operations [Meadows,01] Including non Dolev-Yao Discrete logarithm, factoring, … (Verifiable) guessing [Lowe,02] Principal subversion, … Applications Estimate actual resources needed for attacks Resources limitation (smart cards, PDAs, …) DoS resistance assessment Comparing attacks or protocols
![Quantitative Security Analysis4/25 Cost-Aware Security Analysis Assign cost to operations [Meadows,01] Including non Dolev-Yao Discrete logarithm, factoring, … (Verifiable) guessing [Lowe,02] Principal subversion, … Applications Estimate actual resources needed for attacks Resources limitation (smart cards, PDAs, …) DoS resistance assessment Comparing attacks or protocols](http://images.slideplayer.com/16/5085076/slides/slide_5.jpg "Quantitative Security Analysis4/25 Cost-Aware Security Analysis Assign cost to operations [Meadows,01] Including non Dolev-Yao Discrete logarithm, factoring, … (Verifiable) guessing [Lowe,02] Principal subversion, … Applications Estimate actual resources needed for attacks Resources limitation (smart cards, PDAs, …) DoS resistance assessment Comparing attacks or protocols")
6
Quantitative Security Analysis5/25 Outline Protocol specification MSR Fine-Grained MSR Technique applies to other languages Traces and Scripts Cost Model Operations Scripts Cost-aware Security Threshold analysis Comparative analysis
7
Quantitative Security Analysis6/25 MSR Executable protocol specification language Theoretical results Decidability Most powerful intruder, … 3 generations already MSR 1: (here) MSR 2: 1 + strong typing MSR 3: 2 + -multisets Based on MultiSet Rewriting Foundations in (linear) logic Ties to Petri nets and process algebra Practice Kerberos V Implementation underway
8
Quantitative Security Analysis7/25 Multiset Rewriting … Multiset: set with repetitions allowed a,b,c a,a,b,c,c,c Rewrite rule: r: N 1 N 2 Application: M’, N 1 M’, N 2 M 1 M 2 state
9
Quantitative Security Analysis8/25 … with Existentials msets of 1 st -order atomic formulas Rules: r: F(x) n. G(x,n) Application M’, F(t) M’, G(t,c) M 1 M 2 c not in M 1
10
Quantitative Security Analysis9/25 Traces and Scripts Traces Rewrite sequence (r 1, 1 ),…,(r n, n ) from M 0 to M n Rules r i Substitutions i Scripts Parametric traces S, (r, ) S 1 + S 2 ! n S Normal run: S NR Attack scripts: S A
11
Quantitative Security Analysis10/25 MSR for Security Protocols Messages A, k, n,…Princ., keys, nonces, … {m} k, (m,m’), …Encryption, concat., … Predicates N(m)Network messages M * (t 1,…,t n ) Public data M A (t 1,…,t n )Private data I(m)Intruder info. L v (t 1,…,t n )Local states
12
Quantitative Security Analysis11/25 Example Needham-Schroeder protocol Initiator role A B: {n A, A} kB B A: {n A, n B } kA A B: {n B } kB L (k A,k’ A,k B,n A ), N ({n A,n B } kA ) PrvK A (k A,k’ A ), PubK * (B,k B ) PrvK A (k A,k’ A ), PubK * (B,k B ), L (k A,k’ A,k B,n A ), N ({n A,A} kB ) N ({n B } kB ) n A.
13
Quantitative Security Analysis12/25 Preparing for Cost Assignment Isolate operations Verification Success Failure Construction Apply rule in stages Pre-screening Detailed verification Split LHS in atomic steps Allow failure
14
Quantitative Security Analysis13/25 Fine-Grained MSR (1) Rules Clean-uplhs rhs else cr Predicates RegistersR v (m) HeadersN h (m) Phased execution Select rule based only on predicates Verify if arguments match Allow failure
15
Quantitative Security Analysis14/25 Fine-Grained MSR (2) Verification rules N h (x) R(x) L v (x) R(x) R(y), R’(op y (x)) R’’(x)else cr R(x), R’(x) .else cr R(x) R’(m) … Construction rules Remain the same
16
Quantitative Security Analysis15/25 Fine-Grained Intruder Dolev-Yao style SubversionGuessing N h (x) I(x) M*(x) I(x) I(y), I(op y (x)) I(x) I(x) N h (x) . x. I(x) I(x) I(op(x)) . X(A) X(A) . X(A), M A (x) X(A), I(x) … G(x) … V 1 (m 1 ) … V 2 (m 2 ) G(x), V 1 (y), V 2 (y) I(x) I(g), I(g x ) I(x)
17
Quantitative Security Analysis16/25 Cost v A : cost type Time, space, energy, … A: principal incurring cost v: amount of cost Physical measurements 0 / (Dolev-Yao model) Complexity classes
18
Quantitative Security Analysis17/25 Assigning Cost – Basic Operations Network Storage Operations Construction Successful verification Failed verification Subversion Guessing Various ways Supports very high precision Difficulty depends on precision Possibly subjective
19
Quantitative Security Analysis18/25 Assigning Costs – Traces & Scripts Traces: (T) Add up basic costs Monotonic costs: time, energy, … Non-monotonic: space, … Scripts: (S) Interval arithmetic Script alternative
20
Quantitative Security Analysis19/25 Quantitative Security Analysis A model checking view C 0 (Dolev-Yao) C 1 C 2
21
Quantitative Security Analysis20/25 Threshold Analysis (S NR ) HW/HCI ? Cost of normal run acceptable? PDAs, cell phones, … (S A ) I ? Cost of attack/defense acceptable? Cost of candidate attack vs. resources Non Dolev-Yao operations min x. (S A (x)) I++ ? Design protocol Fine-tuning parameters
22
Quantitative Security Analysis21/25 Comparative Analysis (S A1 ) (S A2 ) ? Comparing attacks Protocol can always be attacked (S P1 ) (S P2 ) ? Comparing protocols B (S A ) I (S A ) ? Comparing attack and defense costs Denial of Service
23
Quantitative Security Analysis22/25 Typical Client/Server Exchange Client Server request challenge response ok scqscq sccscc scrscr scosco tcqtcq tcctcc tcrtcr tcotco ssqssq sscssc -(s s q +s s c ) 0 tsqtsq tsctsc tsrtsr tsotso T B
24
Quantitative Security Analysis23/25 Time DoS q c tcqtcq 0 tsqtsq tsctsc q c tcqtcq 0 tsqtsq tsctsc tsrtsr tsqtsq 1. 2. 3. Service rate 1/(t s q + t s c + t s r ) Attack rate 1/t c q Service rate: 1/t s q Usually dominated by networking costs Service rate 1/(t s q + t s c ) Attack rate 1/t c q Better attack
25
Quantitative Security Analysis24/25 Space DDoS Max concurrent requests B / (s s q + s s c ) Space allocation rate (s s q + s s c ) / (t s q + t s c ) Space reclamation rate B / T Max. concurrent attacks 0 0 0 ssqssq sscssc -(s s q +s s c ) T q c tcqtcq 0 tsqtsq tsctsc tsrtsr B B (t s q + t s c ) (s s q + s s c ) T n Use large B Keep T small
26
Quantitative Security Analysis25/25 Conclusions Quantitative protocol analysis Cost conscious attacks (non Dolev-Yao) Fine-Grained specification languages (MSR) Paper: http://theory.stanford.edu/~iliano/forthcoming/ http://theory.stanford.edu/~iliano/forthcoming/ Related work C. Meadows: Cost framework for DoS G. Lowe: guessing attacks D. Tomioka, et al: cost for spi-calculus Future work Attack costs: WEP DoS aware protocols: JFK, puzzle-based Client/Server Complexity-based costs Mixing probability
Similar presentations
