
A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols (slide deck)



  1. ASIAN'07. A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols. Han Gao¹, Chiara Bodei², Pierpaolo Degano², Hanne Riis Nielson¹. ¹ Informatics and Mathematics Modelling, Technical University of Denmark. ² Dipartimento di Informatica, Università di Pisa. ASIAN'07, Doha, December 2007.

  2. Replay Attacks in Protocols
  [Figure: two messages on the network, (Bob, Alice, Msg) and (Carol, Alice, Msg), illustrating a replay.]
  Outline of the talk: Protocol Narration, Standard LySa, Extended LySa, Attacker, CFA, Result.
  (Slide footer: Dipartimento di Informatica - Università di Pisa)

  3. Needham-Schroeder
  • Invented in 1978; flaw discovered in 1981
  Key distribution steps (the key K should become known to both A and B):
    1. A → S : A, B, Na
    2. S → A : {Na, B, K, {K, A}Kb}Ka
    3. A → B : {A, K}Kb
  Authentication steps (A and B make sure that they both know the key):
    4. B → A : {Nb}K
    5. A → B : {Nb − 1}K
  Message exchange step:
    6. A → B : {Msg}K

  4. Needham-Schroeder: the Denning-Sacco attack
  • An old session key K′ is leaked to the attacker M
  Normal run:
    1. A → S : A, B, Na
    2. S → A : {Na, B, K, {K, A}Kb}Ka
    3. A → B : {A, K}Kb
    4. B → A : {Nb}K
    5. A → B : {Nb − 1}K
    6. A → B : {Msg}K
  Attack (M(A) is M impersonating A; steps 1 and 2 are unchanged):
    3. M(A) → B : {A, K′}Kb
    4. B → M(A) : {Nb}K′
    5. M(A) → B : {Nb − 1}K′
    6. M(A) → B : {Msg}K′
  A is convinced that K is fresh; there is no such guarantee for B. B believes he is talking to A!

  5. Whole Picture
  protocol narrations → Standard LySa → Extended LySa → Control Flow Analysis (with a Dolev-Yao attacker) → result
  The analysis finds the Denning-Sacco attack in less than 3 sec.

  6. LySa Calculus
  • One global channel; an output ⟨sender, receiver, payload⟩. names the intended sender and receiver explicitly
  • An input (A, B; y). pattern-matches the components before ';' and binds the rest to variables
  Narration and its LySa encoding:
    1. A → S : A, B, Na                          ⟨A, S, A, B, Na⟩.
    2. S → A : {Na, B, K, {K, A}Kb}Ka
    3. A → B : {A, K}Kb                          ⟨A, B, {A, K}Kb⟩.   (sender, receiver, payload)
       B's side:                                 (A, B; y). decrypt y as {A; k}Kb in …   (pattern matching, variable binding)
    4. B → A : {Nb}K
    5. A → B : {Nb − 1}K
    6. A → B : {Msg}K
  The whole protocol is the parallel composition P = PA | PB | PS.

  7. Session Identifiers
  protocol run 1:  ⟨A, S, Na⟩.   (A, S; x).
  protocol run 2:  ⟨A, S, Na⟩.   (A, S; x).
  Nothing in the terms distinguishes the two runs.

  8. Session Identifiers
  Each run is annotated with its session identifier:
  protocol run 1:  [⟨A, S, Na⟩.]1   [(A, S; x).]1
  protocol run 2:  [⟨A, S, Na⟩.]2   [(A, S; x).]2

  9. Session Identifiers
  The transformation T pushes the identifiers onto the terms:
  protocol run 1:  T([⟨A, S, Na⟩.]1)   T([(A, S; x).]1)
  protocol run 2:  T([⟨A, S, Na⟩.]2)   T([(A, S; x).]2)

  10. Extended LySa Calculus
  Two transformations take Standard LySa to Extended LySa: F on terms (E → E) and T on processes (P → P).
    F([{N}K]s) = {[N]s}[K]s          F stops when reaching a name n or a variable x
    T([⟨N⟩.0 | !((; x).0)]s) = T([⟨N⟩.0]s) | T([!((; x).0)]s) = ⟨[N]s⟩.0 | [!((; x).0)]s
                                     T stops when reaching 0 or a replication !
  The analysed system is P = [!P]0 with P = PA | PB | PS; the replication is unfolded once in each semantics step.
  Narration and encoding, as on slide 6:
    1. A → S : A, B, Na                          ⟨A, S, A, B, Na⟩.
    2. S → A : {Na, B, K, {K, A}Kb}Ka
    3. A → B : {A, K}Kb                          ⟨A, B, {A, K}Kb⟩.
                                                 (A, B; y). decrypt y as {A; k}Kb in …
    4. B → A : {Nb}K
    5. A → B : {Nb − 1}K
    6. A → B : {Msg}K

  11. Freshness Property
  Decryption reduces only when the side condition R holds:
    decrypt [{E1, E2}E0]s as {E1′; x2}E0′ in P  →R  P[E2/x2]
    R = E0 ≈ E0′ ∧ E1 ≈ E1′ ∧ R(I(E0), I(E0′)) ∧ R(I(E1), I(E1′))
  ≈ : equality with session IDs ignored; I(·) : extracts the session ID of a term.
  Example:
    decrypt {[Na]1, [Nb]1}[K]1 as {[Na]1; x}[K]1 in 0    (same session: freshness respected)
    decrypt {[Na]2, [Nb]2}[K]2 as {[Na]1; x}[K]1 in 0    (session IDs differ: freshness violated)

  12. Static Analysis
  • Approximation: compute a superset of all possible solutions (over-approximation)
  • Algorithms: Control Flow Analysis
  [Figure: nested regions, under-approximation ⊆ actual solution ⊆ over-approximation.]

  13. Static Analysis
  • Analysis of terms, ρ ⊨ E : ϑ: determine the possible values ϑ that each term may evaluate to
  • Analysis of processes, ρ, κ ⊨RM P : ψ: collect in κ the values that may flow on the network, and in the error component ψ the decryptions that may violate freshness
  [Figure: the analysis is run on T([P]0) | T([P]1), two sessions in parallel.]

  14. The Error Component
  • The error component ψ collects the labels l of the decryptions at which a freshness violation may happen: l ∈ ψ
  • An empty error component implies that the protocol is free of replay attacks at run time

  15. The Attacker
  • Capabilities
    – Eavesdrop
    – Alter
    – Insider or outsider or both
    – Obtain old session keys

  16. Analysis of Needham-Schroeder
    1. A → S : A, B, Na
    2. S → A : {Na, B, K, {K, A}Kb}Ka
    3. A → B : {A, K}Kb
    4. B → A : {Nb}K
    5. A → B : {Nb − 1}K
    6. A → B : {Msg}K
  P = PA | PB | PS,  P = [!P]0
  Step 3 in LySa:  A: ⟨A, B, {A, K}Kb⟩.    B: (A, B; y). decrypt y as {A; k}Kb in …
  The analysis is applied to T([P]0) | T([P]1):
    Session 0:  T([⟨A, B, {A, K}Kb⟩]0)    T([(A, B; y). decrypt y as {A; k}Kb in …]0)
    Session 1:  T([⟨A, B, {A, K}Kb⟩]1)    T([(A, B; y). decrypt y as {A; k}Kb in …]1)

  17. Conclusion
  • A simple process calculus with cryptographic primitives for modelling security protocols
  • An automatic algorithm that provides security assurances for protocols
    – Semantically correct and sound
  • The implementation has been used to validate a number of protocols

  18. Thank You!

  19. The Control Flow Analysis
  • Over-approximates the protocol behaviour
  • The values of the variables:  ρ : X → ℘(Val)
  • The messages flowing on the network:  κ ∈ ℘(Val*)
  • For example:  ⟨[A]1, [B]1, [N]1⟩ ∈ κ   and   [N]1 ∈ ρ(x)

  20. Judgement for Decryption
  • At each decryption point, check whether freshness may be violated:
    ρ ⊨ E : ϑ ∧ ρ ⊨ E1 : ϑ1 ∧                         (evaluate terms)
    ρ ⊨ E0 : ϑ0 ∧                                       (evaluate key)
    ∀ [{v1, v2}v0]s ∈ ϑ : v0 ∝ ϑ0 ∧ v1 ∝ ϑ1 ⇒         (for all encrypted values: pattern matching)
        v2 ∈ ρ(x2) ∧                                    (variable binding)
        (I(v1) ≠ I(E1) ⇒ l ∈ ψ) ∧                       (freshness checking)
        ρ, κ ⊨ P : ψ                                    (analyse the rest)
    ──────────────────────────────────────────────────
    ρ, κ ⊨ decrypt E as {E1; x2}^l E0 in P : ψ
  ∝ : membership relation with session IDs ignored
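As an added example (not part of the deck or of the LySa tool), the following Python models the decryption judgement of slides 11 and 20 symbolically and runs B's step-3 decryption on the Denning-Sacco replay of slide 4. Values are tagged with session identifiers; matching ignores the tags (≈, ∝), but a tag mismatch between a matched component or the key and what the pattern expects records the decryption label in ψ, following the side condition R of slide 11. The class names, the decryption label `l_B3`, and the convention that a ciphertext's session identifier is that of its key are assumptions made for the example; cryptography is perfect and purely symbolic.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple, Union


@dataclass(frozen=True)
class Tagged:
    """A name [n]_s: an atomic value together with the session s it was created in."""
    name: str
    sid: int


@dataclass(frozen=True)
class Enc:
    """A symbolic ciphertext {v_1, ..., v_k}_key (perfect cryptography)."""
    payload: Tuple["Term", ...]
    key: Tagged


Term = Union[Tagged, Enc]


def I(t: Term) -> int:
    """The deck's I(.): extract the session identifier of a term.
    Assumption for the example: a ciphertext carries the session of its key."""
    return t.sid if isinstance(t, Tagged) else I(t.key)


def approx_eq(u: Term, v: Term) -> bool:
    """The deck's ≈ / ∝: structural equality with session IDs ignored."""
    if isinstance(u, Tagged) and isinstance(v, Tagged):
        return u.name == v.name
    if isinstance(u, Enc) and isinstance(v, Enc):
        return (approx_eq(u.key, v.key)
                and len(u.payload) == len(v.payload)
                and all(approx_eq(a, b) for a, b in zip(u.payload, v.payload)))
    return False


def decrypt(cipher: Term, key: Tagged, pattern: Tuple[Term, ...], n_bind: int,
            label: str, psi: Set[str]) -> Optional[Tuple[Term, ...]]:
    """decrypt cipher as {pattern; x_1 .. x_n_bind}^label_key in ...

    Matching uses approx_eq, so the standard semantics succeeds across sessions.
    If a matched component or the key comes from a different session than the
    pattern expects, `label` is added to the error component psi (slide 11's R).
    Returns the values bound to the variables, or None if matching fails.
    """
    if not isinstance(cipher, Enc) or not approx_eq(cipher.key, key):
        return None
    if len(cipher.payload) != len(pattern) + n_bind:
        return None
    if not all(approx_eq(v, e) for v, e in zip(cipher.payload, pattern)):
        return None
    if I(cipher.key) != I(key) or any(I(v) != I(e) for v, e in zip(cipher.payload, pattern)):
        psi.add(label)
    return cipher.payload[len(pattern):]


def bob_step3(ticket: Term, sid: int, psi: Set[str]) -> Optional[Term]:
    """B's side of step 3 in session sid: (A, B; y). decrypt y as {A; k}_Kb in ...
    The label 'l_B3' stands for the deck's l on this decryption (assumed name)."""
    bound = decrypt(ticket, Tagged("Kb", sid), (Tagged("A", sid),), 1, "l_B3", psi)
    return bound[0] if bound else None


def honest_run(sid: int):
    """Session sid as intended: the ticket {A, K}_Kb was minted by S in this session."""
    psi: Set[str] = set()
    ticket = Enc((Tagged("A", sid), Tagged("K", sid)), Tagged("Kb", sid))
    k = bob_step3(ticket, sid, psi)
    return k, psi


def denning_sacco():
    """Session 1 ran honestly and its key K' later leaked to M (constructed scenario).
    M replays session 1's ticket into session 2 and answers B's challenge with K'."""
    psi: Set[str] = set()
    old_ticket = Enc((Tagged("A", 1), Tagged("K'", 1)), Tagged("Kb", 1))
    k = bob_step3(old_ticket, 2, psi)                 # step 3': B accepts, k = [K']_1
    challenge = Enc((Tagged("Nb", 2),), k)            # step 4': B -> M(A): {Nb}_K'
    # step 5': M holds K' and can open the challenge; M's own decryptions carry no label
    answered = decrypt(challenge, Tagged("K'", 1), (), 1, "l_M", set()) is not None
    return k, answered, psi


if __name__ == "__main__":
    print("honest session 1:", honest_run(1))
    print("Denning-Sacco replay:", denning_sacco())
```

`honest_run(1)` binds k to [K]1 with an empty ψ. In `denning_sacco()` B still binds k, now to [K′]1, and M completes the challenge-response, i.e. the attack goes through under the standard matching; the session tags differ on the key and on the matched component A, so ψ = {'l_B3'}. This is the outcome slide 16 describes: the session-0 ticket reaching the session-1 copy of B puts the label of B's decryption into the error component, and a non-empty ψ is exactly what denies the "free of replay attacks" conclusion of slide 14.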
