Overview Introduction & Motivation Composition Experimental results Conclusion

Automated Composition of Security Protocols

Béla Genge 1, Iosif Ignat 2 and Haller Piroska 1
1 "Petru Maior" University of Târgu Mureș, Romania, {bgenge, phaller}@engineering.upm.ro
2 Technical University of Cluj Napoca, Romania, Iosif.Ignat@cs.utcluj.ro

August 28, 2009
1 / 33
Presentation overview
- Introduction & Motivation
- Proposed composition method
- Security protocol specification
- Experimental results
- Conclusions and future work
Basic concepts
- Security protocols are "communication protocols dedicated to achieving security goals" (Cremers and Mauw, 2005) such as confidentiality, integrity or availability
- Over the last decade, researchers' attention has focused more on developing new security protocol design methods
- One of the most popular methods is composition: building new protocols from several existing smaller protocols
Motivating scenario
- Service interconnection is a problem frequently encountered and addressed by many researchers today
- There are many proposals dealing with the composition of service capabilities (Srivastava et al. 2003, Arpinar et al. 2004, Feenstra et al. 2007, ...)
Motivating scenario (cont'd)
- When using security protocols, the composition of services becomes a difficult task
- Existing solutions rely on standard parameterized protocols implemented by every service
  ⇒ Services implementing new security protocols cannot be composed with other services
Related work - security protocol composition
- One of the first proposals came from J.D. Guttman (Guttman, 2002), who used authentication tests as building blocks for multi-party authentication protocols
- Guttman's authentication tests were later used by H.J. Choi (Choi, 2006) to develop a framework for constructing security protocols based on predefined protocols
- A. Datta et al. (Datta et al., 2007) propose a method where the composition process starts out from initial protocol equations and tries to reach the properties modeled by the final equations, corresponding to the composed protocol
- S. Andova et al. (Andova et al., 2008) propose a method similar to A. Datta's; however, in this case the properties are verified automatically using an existing tool
Related work - security protocol composition (cont'd)
- The solutions proposed by Guttman and Choi rely on predefined protocols, so applying them to the composition of existing protocols is not possible
- The solutions proposed by Datta et al. and Andova et al. rely on the user to construct the security protocol equations
- The solution proposed by Andova et al. is semi-automatic because only the verification phase uses an automatic protocol verification tool
Protocol model
- Basic sets: $P, N, K, C, M$
- Encryption functions: $\mathit{FuncName} ::= sk \mid pk \mid h \mid hmac$
- Terms: $T ::= .\ \mid R \mid N \mid K \mid C \mid M \mid (T, T) \mid \{T\}_{\mathit{FuncName}(T)}$
- Nodes and chains: $\langle \sigma, t \rangle$, where $\sigma \in \{+, -\}$, $t \in T$; $\langle \pm t_1, \pm t_2, \ldots, \pm t_n \rangle \in (\pm T)^*$
- Precondition-effect predicates: $CON\_CONF, CON\_KEYEXCHANGE, \ldots \in PR_{CC}$
- Term type predicates: $TYPE\_DN, TYPE\_KSYM, \ldots \in PR_{TYPE}$
- Participant and protocol models: $\varsigma = \langle prec, eff, type, gen, part, chain \rangle \in MPART$; $\xi = \{\varsigma \mid \varsigma \in MPART\} \in MPROT$
Composition of preconditions and effects
Verifies that:
- the knowledge required to run a given protocol, expressed in the form of precondition predicates, is available
- the set of precondition and effect predicates is non-destructive

The first condition is verified by applying the $PART\_PREC$ predicate, defined for the context $ctx \in T^*$ as:

$$PART\_PREC(ctx, eff_1, prec_2) = \begin{cases} True, & \text{if } eff_1 \subseteq prec_2 \cup \{CON\_TERM(t) \mid t \in ctx\} \\ False, & \text{otherwise} \end{cases}$$

The second condition is verified by applying the $PART\_NONDESTR$ predicate, defined as:

$$PART\_NONDESTR(eff_1, prec_2, eff_2) = \begin{cases} True, & \text{if } \forall EF_1(t_1) \in eff_1,\ \forall PR_2(t_2) \in prec_2:\ EF_1 \neq CON\_CONF \ \vee\ \big(EF_1 = CON\_CONF \wedge t_1 = t_2 \Rightarrow \exists EF_2(t_2) \in eff_2 : EF_2 = CON\_CONF\big) \\ False, & \text{otherwise} \end{cases}$$
Composition of preconditions and effects (cont'd)
In order to denote the PE-composition of two participant or two protocol models, we use the following operators:
- For participant models: $\prec^{\varsigma}_{PE} : MPART \times MPART \to MPART$
- For protocol models: $\prec^{\xi}_{PE} : MPROT \times MPROT \to MPROT$

By applying the $\prec^{\xi}_{PE}$ operator on two protocol models $\xi_1$ and $\xi_2$, we have that: $\xi_1 \prec^{\xi}_{PE} \xi_2 \neq \xi_2 \prec^{\xi}_{PE} \xi_1$
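An executable form of the two PE-composition checks from the previous slides, added here as an example (not code from the slides or the authors' tool); the predicate names as Python constants, the (name, term) encoding of predicates and the sample protocol models are constructed assumptions. It also shows why the check is not commutative:

```python
# Added example (not from the slides): executable form of the PE-composition
# checks PART_PREC and PART_NONDESTR. Predicates are (name, term) pairs; the
# constant names and the sample protocol models below are constructed here.
CON_CONF = "CON_CONF"
CON_TERM = "CON_TERM"
CON_KEYEXCHANGE = "CON_KEYEXCHANGE"


def part_prec(ctx, eff1, prec2):
    """PART_PREC(ctx, eff1, prec2): True iff
    eff1 is a subset of prec2 together with CON_TERM(t) for every t in ctx,
    exactly as the predicate is written on the slide."""
    available = set(prec2) | {(CON_TERM, t) for t in ctx}
    return set(eff1) <= available


def part_nondestr(eff1, prec2, eff2):
    """PART_NONDESTR(eff1, prec2, eff2): for every EF1(t1) in eff1 and every
    PR2(t2) in prec2, if EF1 is CON_CONF and t1 == t2 then the second protocol
    must re-establish CON_CONF(t2) in eff2; otherwise it would destroy the
    confidentiality of a term the first protocol made secret."""
    eff2 = set(eff2)
    for ef1, t1 in eff1:
        if ef1 != CON_CONF:
            continue
        for _pr2, t2 in prec2:
            if t1 == t2 and (CON_CONF, t2) not in eff2:
                return False
    return True


def pe_composable(ctx, model1, model2):
    """Both conditions for model1 PE-composed before model2; model = (prec, eff).
    The composed model itself is not defined on the slides, so only the check."""
    prec1, eff1 = model1
    prec2, eff2 = model2
    return part_prec(ctx, eff1, prec2) and part_nondestr(eff1, prec2, eff2)


# Constructed sample: protocol 1 establishes a secret key Kab between the
# named participants A and B; protocol 2 (a Kab-based protocol, like Lowe's
# BAN on the later slides) requires Kab and keeps it confidential.
CTX = ["A", "B"]
KEY_EXCHANGE = ({(CON_TERM, "A"), (CON_TERM, "B")},
                {(CON_KEYEXCHANGE, "Kab"), (CON_CONF, "Kab")})
USES_KAB = ({(CON_KEYEXCHANGE, "Kab"), (CON_CONF, "Kab")},
            {(CON_CONF, "Kab"), (CON_CONF, "Nb")})
# Variant that no longer asserts CON_CONF(Kab) in its effects: destructive.
LEAKS_KAB = (USES_KAB[0], {(CON_CONF, "Nb")})
```

`pe_composable(CTX, KEY_EXCHANGE, USES_KAB)` holds, while the reversed order fails PART_PREC and the leaking variant fails PART_NONDESTR.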
Composition of protocol chains
- Verifies whether attacks can be constructed on each protocol by using terms extracted from the other protocols
- Such a method was proposed in our previous work (Genge 2007, Genge 2008)
- The condition we proposed, stated in the form of a proposition, would provide protocol independence, meaning that composed protocols for which this condition is satisfied maintain their security properties
- In order to prove the correctness of the proposition, we constructed a canonical protocol model, based on the presented protocol model
Composition of protocol chains (cont'd)
In order to denote the PC-composition of participant and protocol models, we use the following operators:
- For participant models: $\prec^{\varsigma}_{PC} : MPART \times MPART \to MPART$
- For protocol models: $\prec^{\xi}_{PC} : MPROT \times MPROT \to MPROT$

By applying the $\prec^{\xi}_{PC}$ operator on two protocol models $\xi_1$ and $\xi_2$, we have that: $\xi_1 \prec^{\xi}_{PC} \xi_2 \neq \xi_2 \prec^{\xi}_{PC} \xi_1$

If two protocol models can be composed both PE and PC, then they can be composed using the following operator: $\prec_C : MPROT \times MPROT \to MPROT$
Security protocol specification
- In order to test the proposed composition method, we first constructed a specification
- Each specification consists of several WSDL-S and OWL files: one WSDL-S and OWL file pair for each participant
- Specifications were constructed according to the protocol model presented in this paper
Part of Lowe's BAN security protocol specification
- Key exchange protocol
- Requires previous knowledge of the shared key $K_{ab}$

Part of Lowe's BAN specification (cont'd)
[WSDL-S/OWL excerpts shown on the slides, not preserved here, modelling: protocol roles; preconditions; initial terms and roles; effects; message 1; message 2; message 3; message 4; comm terms; generated terms; discovered terms]