a syntactic criterion for injectivity of authentication
play

A Syntactic Criterion for Injectivity of Authentication Protocols - PowerPoint PPT Presentation

A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with Sjouke Mauw and Erik de Vink ccremers@win.tue.nl Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p.


  1. A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with Sjouke Mauw and Erik de Vink ccremers@win.tue.nl Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 1/22

  2. ECSS group Eindhoven Computer Science Security (ECSS) group Overview Motivation Goal: Problem statement To study the design and analysis of secure systems from a Security model fundamental point of view Main theorem Topics: Conclusions ■ Security protocol analysis ■ Multi-party protocols ■ Ad-hoc/sensor networks ■ Smartcard security ■ Attack trees ■ Digital Rights Management ■ RFID security ■ Privacy Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 2/22

  3. Overview ■ Motivation Overview ■ Problem statement Motivation ■ Main theorem Problem statement ■ Necessity of preconditions Security model ■ Conclusions Main theorem Conclusions Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 3/22

  4. Example: unilateral authentication protocol Overview Motivation pkR, skR pkR ● Example R I ● Replay attack ● Injectivity ● Fixed protocol nonce nR ● Nonces { I, nR } skR Problem statement Security model Main theorem Conclusions agree ( nR ) Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 4/22

  5. Example: unilateral authentication protocol Overview Motivation pkR, skR pkR ● Example R I ● Replay attack ● Injectivity ● Fixed protocol nonce nR ● Nonces { I, nR } skR Problem statement Security model Main theorem Conclusions agree ( nR ) Question: Does this protocol satisfy agreement? Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 4/22

  6. A replay attack Overview Motivation ● Example b ( R ) a ( I ) a ( I ) intruder ● Replay attack ● Injectivity ● Fixed protocol nonce nb ● Nonces { a, nb } skb Problem statement Security model learn { a, nb } skb Main theorem { a, nb } skb Conclusions agree ( nb ) agree ( nb ) Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 5/22

  7. A replay attack Overview Motivation ● Example b ( R ) a ( I ) a ( I ) intruder ● Replay attack ● Injectivity ● Fixed protocol nonce nb ● Nonces { a, nb } skb Problem statement Security model learn { a, nb } skb Main theorem { a, nb } skb Conclusions agree ( nb ) agree ( nb ) Question: How to fix this protocol? Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 5/22

  8. Fixed protocol should satisfy injectivity Each instance of an agent executing the authenticating role Overview corresponds to a unique instance of its communication partner Motivation ● Example running the responder role. ● Replay attack ● Injectivity ● Fixed protocol ● Nonces Problem statement Security model Main theorem Conclusions Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 6/22

  9. Non-injective authentication Overview Motivation ● Example ● Replay attack ● Injectivity ● Fixed protocol ● Nonces Problem statement Security model Main theorem Conclusions Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 7/22

  10. Non-injective authentication Overview Motivation ● Example ● Replay attack ● Injectivity ● Fixed protocol ● Nonces Problem statement Security model Main theorem Conclusions Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 7/22

  11. Injective authentication Overview Motivation ● Example ● Replay attack ● Injectivity ● Fixed protocol ● Nonces Problem statement Security model Main theorem Conclusions Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 8/22

  12. Injective authentication Overview Motivation ● Example ● Replay attack ● Injectivity ● Fixed protocol ● Nonces Problem statement Security model Main theorem Conclusions Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 8/22

  13. Fixing the injectivity problem Overview Motivation pkR, skR pkR ● Example R I ● Replay attack ● Injectivity ● Fixed protocol nonce nI ● Nonces Problem statement nI { I, nI } skR Security model Main theorem agree ( nI ) Conclusions Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 9/22

  14. Fixing the injectivity problem Overview Motivation pkR, skR pkR ● Example R I ● Replay attack ● Injectivity ● Fixed protocol nonce nI ● Nonces Problem statement nI { I, nI } skR Security model Main theorem agree ( nI ) Conclusions Question: What’s the general idea behind this fix? Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 9/22

  15. Fixing the injectivity problem Overview Motivation pkR, skR pkR ● Example R I ● Replay attack ● Injectivity ● Fixed protocol nonce nI ● Nonces Problem statement nI { I, nI } skR Security model Main theorem agree ( nI ) Conclusions Question: What’s the general idea behind this fix? Answer 1: By letting I control the nonce. Answer 2: By introducing a challenge-response mechanism from I via R back to I . (add a loop) Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 9/22

  16. Doesn’t a nonce suffice? Adding nonces does not trivially lead to injectivity. Overview Motivation ● Example pkR, skR pkR ● Replay attack ● Injectivity R I ● Fixed protocol ● Nonces nonce nI Problem statement nI Security model { I, g ( nI ) } skR Main theorem agree ( nI ) Conclusions Here, injectivity depends on the properties of the function g . Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 10/22

  17. Agreement over what? Sometimes roles have no shared value to determine injectivity Overview from ( I and S ?) Motivation ● Example ● Replay attack ● Injectivity skS skR, pkS pkR ● Fixed protocol S R I ● Nonces Problem statement nonce nI Security model I, R, S, nI Main theorem nonce nR Conclusions I, R, S, nR { nR, I, R } skS { I, S, nI } skR agree (?) Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 11/22

  18. Authentication Agreement Overview Upon successfully finishing a protocol session, parties Motivation agree on the values of (common) variables. Problem statement (G. Lowe) ● Authentication ● Problem statement Synchronization Security model Upon successfully finishing a protocol session, all Main theorem messages have been executed in intended order, with Conclusions intended contents. (Similar to Intensional Specifications, A.W. Roscoe) Synchronization is strictly stronger than agreement, but the differences are subtle. Both available in injective ( i - synch , i - agree ) and non-injective ( ni - synch ) variants. Claim: well-designed protocols satisfy both properties. Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 12/22

  19. Problem statement Find a generic and easy way to validate injectivity for Overview synchronizing protocols. Motivation Problem statement ● Authentication ● Problem statement Generic: Security model As few assumptions on the security model as possible. Main theorem Easy: Conclusions Statically decidable. Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 13/22

  20. Models for Security Protocols We require that the following two properties hold: Overview Motivation Intruder Model: Problem statement Intruder must have the ability to duplicate messages Security model ● Models ■ Satisfied by the standard Dolev-Yao model. Main theorem ■ No need to encrypt/decrypt. Conclusions Agent/Execution Model: Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 14/22

  21. Models for Security Protocols We require that the following two properties hold: Overview Motivation Intruder Model: Problem statement Intruder must have the ability to duplicate messages Security model ● Models ■ Satisfied by the standard Dolev-Yao model. Main theorem ■ No need to encrypt/decrypt. Conclusions Agent/Execution Model: Role instances must be independent: can be executed in any order ■ Satisfied by Strand Spaces, Operational Semantics. ■ No shared memory. (buffers/time) Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 14/22

  22. The LOOP property After the start of the authenticating role, but before it ends, Overview each involved role must have a read action and a send action. Motivation (As prescribed by the partial order on the protocol) Problem statement Security model Main theorem ● Loop property ● Main Theorem ● Loop ● Synchronization ● Indep. instances Conclusions ni - synch This protocol satisfies LOOP Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 15/22

Recommend


More recommend