Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security Conference October 22-25, 1996 Baltimore Convention Center Dr. Stephen H. Brackin Arca Systems, Inc. 303 E. Yates St., Ithaca, NY 14850 607-277-8211 or 607-277-2739 brackin@va.arca.com Supported by ESC/AXS through PRISM, and by Rome Laboratory P R I S M Page - 1 Custom Command and Control
Outline of Talk • Problem: protocol failure • Automatic Authentication Protocol Analyzer (AAPA) • Three SPX protocols and results of analyzing them • Conclusions, for SPX and arbitrary protocols P R I S M Page - 2 Custom Command and Control
Cryptographic Protocols • Goal: Secure communication over insecure networks – Networks, principals, messages – Worst case: enemy controls all communication – Nondisclosure and authentication • Tools: – Shared or confirmable secrets – Encryption – Hash functions – Timestamps, nonces, signatures, key-exchange functions • Distributed algorithms P R I S M Page - 3 Custom Command and Control
Failure Example • Tatebayeshi-Matsuzaki-Newman protocol – 1. A->S: {Ka}Rsa(PkS), A, B – 2. S->B: S,A – 3. B->S: {Kb}Rsa(PkS) – 4. S->A: {Kb}Des(Ka) • AAPA notation, but more-or-less standard • Published (CRYPTO ‘89), recommended by experts • It’s wrong --- and has lots of company P R I S M Page - 4 Custom Command and Control
Automatic Authentication Protocol Analyzer • Inputs Interface Specification Language (ISL) specs • Produces Higher Order Logic (HOL) theories • Automatically proves default and user-set goals – Belief logic extending Gong-Needham-Yahalom logic – Sample deduction: If P believes only P and Q know K, and P receives M that K decrypts to something meaningful, then P believes Q sent M --- though not necessarily recently or to P – Proceeds by induction on protocol stage • Gives proof results in ISL P R I S M Page - 5 Custom Command and Control
SPX Credentials Initialization name = C 2 PwdC {C,Ts,Rn,H1(PwdC)}Rsa(KpLeaf) 3 LEAF 1 Read Privkey {UidC,{KsC}Des(H2(PwdC))}Des(Rn) KsC,UidC 6 7 4 Create Ticket C 5 claimant credentials {{KsC}Des(H2(PwdC)), H1(PwdC), 8 UidC}Rsa(KpLeaf) Make C Trusted Authorities 10 trusted CDC authorities C_certif_Ca1 9 Claimant P R I S M Page - 6 Custom Command and Control
What AAPA Analysis Shows: I • KpC must be computable from KsC • Keys must be stored along with recognizable data • PwdC must not be older than KsC • ValidityKpCa1 must include the current time P R I S M Page - 7 Custom Command and Control
SPX Authentication V = verifier 1 Ta1 = claimant trusted authority CDC Ta1,UidC,KpTa1 Ta2 = verifier trusted authority V Ticket(C) X_certif_Y = Tal_certif_V X certifies Y’s public key 2 claimant A(DesKey), Ticket(C), Delegator1 3 Ta2,UidV,KpTa2 KpV {Ts}Des(DesKey) 6 verifier A(DesKey) = 5 <Ts,ChannelIdC>Hdes(DesKey) C 4 Ticket(C) = [ValidityKspC,UidC,KspC] (H3,Rsa)(KsC) Ta2_certif_C Delegator1 = CDC [{DesKey}Rsa(PkV)] (H3,Rsa)(KssC) P R I S M Page - 8 Custom Command and Control
What AAPA Analysis Shows: II • Keys must be stored with recognizable data • Validity intervals must include the current time – ValidityKpV, ValidityKpC, ValidityKspC • Belief DesKey from C depends on dubious assumptions • Delegation gives up to 8 hours of authentication failure P R I S M Page - 9 Custom Command and Control
SPX Delegation V = verifier Ta1 = claimant trusted authority 1 Ta2 = verifier trusted authority CDC Ta1,UidC,KpTa1 V Ticket(C) X_certif_Y = X certifies Y’s public key Tal_certif_V 2 claimant A(DesKey), Ticket(C), Delegator2 3 Ta2,UidV,KpTa2 KpV {Ts}Des(DesKey) 6 verifier A(DesKey) = 5 <Ts,ChannelIdC>Hdes(DesKey) C 4 Ticket(C) = [ValidityKspC,UidC,KspC] (H3,Rsa)(KsC) Ta2_certif_C Delegator2 = CDC {DesKey}Rsa(PkV), {KssC}Des(DesKey) P R I S M Page - 10 Custom Command and Control
What AAPA Analysis Shows: III • Similar recognizability and interval restrictions • Dubious assumptions don’t give belief KssC from C • Banker can obtain medical records P R I S M Page - 11 Custom Command and Control
Conclusions • For the SPX protocols: – Initialization must include checks for meaningful data – Authentication possibly flawed – Delegation possibly flawed – These issues should be addressed in documentation • For all cryptographic protocols: – The AAPA is a fast, easy tool for reducing failures – The AAPA can be used as part of the design process P R I S M Page - 12 Custom Command and Control
Recommend
More recommend