Formalizing and Analyzing the Needham-Schroeder Symmetric-Key Protocol by Rewriting
Monica Nesi, Giuseppina Rucci
Dipartimento di Informatica, Università di L'Aquila (Italy)
ARSPA’05 – p.1
Protocol Verification
• Aim: formally prove properties of security protocols (e.g. authentication, secrecy or confidentiality, freshness, ...)
• Rewriting techniques and strategies
• Case studies
  • the Needham-Schroeder Public-Key protocol (NSPK)
  • the Needham-Schroeder Symmetric-Key protocol (NSSK)
Related Work
• Model checking
  • FDR (Lowe 1996)
  • Murphi (Mitchell-Mitchell-Stern 1997)
  • ...
• Theorem proving
  • NRL (Meadows 1996)
  • Isabelle (Paulson 1997, 1998, ...)
  • SPASS (Weidenbach 1999)
  • ...
Related Work
• Rewriting techniques and strategies
  • ELAN (Cirstea 2001)
  • Maude (Denker-Meseguer-Talcott 1998)
  • CASRUL (Jacquemard-Rusinowitch-Vigneron 2000)
  • ...
• Rewriting + abstract interpretation (Monniaux 1999)
Related Work
• Rewriting + tree automata in Timbuk (Genet-Viet Triem Tong 2001)
• Combination of different approaches
  • the combination of Genet-Klay's approximation technique and Paulson's inductive method (Oehl-Sinclair 2001, 2002)
  • AVISPA project
Outline of the Talk
• The approximation technique by Genet and Klay
• The formalization of NSSK (insecure version) through rewrite systems and tree automata
• The basic ingredients of the rewriting strategy
Outline of the Talk
• The rewriting strategy and its properties
• A verification example: authentication attacks on insecure NSSK
• Conclusions, current and future work
Approximation Technique
Aim: show that there are no attacks on a protocol (Genet-Klay 2000).
• The protocol is operationally specified by a TRS $R$.
• The initial set $E$ of communication requests and the intruder's initial knowledge are described through a tree automaton $A$ such that $L(A) \supseteq E$.
Approximation Technique
• The property $p$ to be proved is given through a tree automaton $A_p$ that models the negation of $p$.
• The approximation technique builds an over-approximation of the set $R^*(E)$ of all $R$-descendants of the set $E$.
• Result: an approximation automaton $T_{R\uparrow}(A)$ such that $L(T_{R\uparrow}(A)) \supseteq R^*(E)$.
Approximation Technique
A finite number of tree automata $A_i = \langle F, Q, Q_f, \Delta_i \rangle$ is built as follows:
1. $A_0 = A$;
2. $A_{i+1}$ is constructed from $A_i$ by computing a critical pair between a rule in $R$ and the transitions in $\Delta_i$. The rule derived from the critical pair is a new transition that is normalized using an approximation function $\gamma$ and then added to $\Delta_i$, thus yielding $\Delta_{i+1}$. It follows that $L(A_i) \subset L(A_{i+1})$.
Approximation Technique
Step 2 is repeated until an automaton $A_k$ is obtained such that $L(A_k) \supseteq R^*(L(A_0))$, i.e. $L(A_k) \supseteq R^*(E)$.
• The quality of the approximation depends on $\gamma$.
• Reachability properties on $R$ and $E$ are proved by checking whether $L(T_{R\uparrow}(A)) \cap L(A_p) = \emptyset$. An empty intersection means that property $p$ is satisfied.
Our Approach
As in Genet-Klay's approximation technique,
• the protocol is operationally specified by a TRS $R$,
• the intruder's initial knowledge is described through a tree automaton $A$.
The approximation technique is a particular completion process using an approximation function.
Our Approach
• Aim: prove or disprove properties.
• No approximation function.
• Idea: a rewriting strategy simulating, in a bottom-up manner, the critical pairs computed in the completion process.
• Based on a rewriting strategy for dealing with the divergence of completion (Inverardi-Nesi 1992, 1996).
The NSSK Protocol
Given agents $A$ and $B$ and a server $S$, the NSSK protocol can be described as follows:
1. $A \to S : A, B, N_A$
2. $S \to A : \{N_A, B, K_{AB}, \{K_{AB}, A\}_{K_{BS}}\}_{K_{AS}}$
3. $A \to B : \{K_{AB}, A\}_{K_{BS}}$
4. $B \to A : \{N_B\}_{K_{AB}}$
5. $A \to B : \{N_B - 1\}_{K_{AB}}$
Insecure version!
The NSSK Protocol
Authentication attack (Denning-Sacco 1981):
Hp: an intruder has recorded session (i), and the key $K'_{AB}$ created in session (i) has been compromised and is known to the intruder. Session (ii) can develop as follows:
ii.1. $A \to S : A, B, N_A$
ii.2. $S \to A : \{N_A, B, K_{AB}, \{K_{AB}, A\}_{K_{BS}}\}_{K_{AS}}$
ii.3. $I(A) \to B : \{K'_{AB}, A\}_{K_{BS}}$
ii.4. $B \to I(A) : \{N_B\}_{K'_{AB}}$
ii.5. $I(A) \to B : \{N_B - 1\}_{K'_{AB}}$
Formalizing the Protocol
A protocol is formalized through a rewrite system $R = R_P \cup R_I$, where
• $R_P$ describes the steps of the protocol and the properties to be verified,
• $R_I$ defines the intruder's ability to decompose and decrypt messages.
A TRS $R_P$ for NSSK
(1) goal(agt(a), agt(b), r(j))
    → mesg(agt(a), serv(S), cons(N(agt(a), serv(S), r(j)), cons(agt(a), agt(b))), r(j))
(2) mesg(a2, a3, cons(N(agt(a), serv(S), r(j)), cons(agt(a), agt(b))), r(j))
    → mesg(serv(S), agt(a), encr(ltk(agt(a), serv(S)), serv(S), cons(N(agt(a), serv(S), r(j)), cons(agt(b), cons(sk(agt(a), agt(b), r(j)), encr(ltk(agt(b), serv(S)), serv(S), cons(sk(agt(a), agt(b), r(j)), agt(a))))))), r(j))
A TRS $R_P$ for NSSK
(3) mesg(a4, a5, encr(ltk(agt(a), serv(S)), a3, cons(N(agt(a), serv(S), r(j)), cons(agt(b), cons(sk(agt(a), agt(b), r(i1)), encr(ltk(agt(b), serv(S)), a1, cons(sk(agt(a), agt(b), r(i2)), agt(a))))))), r(j))
    → mesg(agt(a), agt(b), encr(ltk(agt(b), serv(S)), a1, cons(sk(agt(a), agt(b), r(i2)), agt(a))), r(j))
A TRS $R_P$ for NSSK
(4) mesg(a6, a7, encr(ltk(agt(b), serv(S)), a5, cons(sk(agt(a), agt(b), r(i)), agt(a))), r(j))
    → mesg(a7, a6, encr(sk(agt(a), agt(b), r(i)), a7, N(agt(b), agt(a), r(j))), r(j))
(5) mesg(a8, a6, encr(sk(agt(a), agt(b), r(i)), a7, N(agt(b), agt(a), r(j))), r(j))
    → mesg(a6, a8, encr(sk(agt(a), agt(b), r(i)), a6, N(agt(b), agt(a), r(j))), r(j))
A TRS $R_P$ for NSSK
(6) mesg(a8, a6, encr(sk(agt(a), agt(b), r(i)), a7, N(agt(b), agt(a), r(j))), r(j))
    → c_init(agt(a), agt(b), a7, r(j))
(7) mesg(a10, a6, encr(sk(agt(a), agt(b), r(i)), a9, N(agt(b), agt(a), r(j))), r(j))
    → c_resp(agt(b), agt(a), a9, r(j))
A TRS $R_I$ for NSSK
(8)  cons(x, y) → x
(9)  cons(x, y) → y
(10) encr(sk(agt(0), agt(x), w), y, z) → z
(11) encr(sk(agt(x), agt(0), w), y, z) → z
(12) encr(sk(agt(s(x1)), agt(x), w), y, z) → z
(13) encr(sk(agt(x), agt(s(x1)), w), y, z) → z
(14) encr(ltk(agt(0), serv(S)), y, z) → z
(15) encr(ltk(agt(s(x1)), serv(S)), y, z) → z
(16) mesg(x, y, z, w) → z
The Intruder's Knowledge
A tree automaton $A = \langle F, Q, Q_f, \Delta \rangle$, where $Q_f = \{q_f\}$ and $\Delta$ is as follows:
0 → q_int         s(q_int) → q_int    agt(q_int) → q_agtI
0 → q_0           A → q_A             agt(q_A) → q_agtA
s(q_0) → q_1      B → q_B             agt(q_B) → q_agtB
r(q_0) → q_r0     S → q_S             serv(q_S) → q_serv
r(q_1) → q_r1
The Intruder's Knowledge
communication requests
goal(q_agtA, q_agtB, q_f) → q_f
goal(q_agtA, q_agtA, q_f) → q_f
goal(q_agtB, q_agtA, q_f) → q_f
goal(q_agtB, q_agtB, q_f) → q_f
goal(q_agtA, q_agtI, q_f) → q_f
goal(q_agtI, q_agtA, q_f) → q_f
goal(q_agtB, q_agtI, q_f) → q_f
goal(q_agtI, q_agtB, q_f) → q_f
goal(q_agtI, q_agtI, q_f) → q_f
The Intruder's Knowledge
intruder's initial knowledge
agt(q_int) → q_f     sk(q_agtI, q_agtI, q_f) → q_f
agt(q_A) → q_f       sk(q_agtI, q_agtA, q_f) → q_f
agt(q_B) → q_f       sk(q_agtI, q_agtB, q_f) → q_f
serv(q_S) → q_f      ltk(q_agtI, q_serv) → q_f
r(q_0) → q_f
r(q_1) → q_f
The Intruder's Knowledge
intruder's initial knowledge
mesg(q_f, q_f, q_f, q_f) → q_f     N(q_agtI, q_agtI, q_f) → q_f
cons(q_f, q_f) → q_f               N(q_agtI, q_agtA, q_f) → q_f
encr(q_f, q_agtI, q_f) → q_f       N(q_agtI, q_agtB, q_f) → q_f
                                   N(q_agtI, q_serv, q_f) → q_f
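The Denning-Sacco scenario of slide 15, replayed over the term constructors of slides 17-21 and the intruder knowledge of slide 24, as an added Python example that is not part of the talk. The agent names A, B, I, the functions `closure`, `session_i` and `denning_sacco`, and the gating of decryption on a key the intruder already holds are this example's assumptions, not a transcription of rules (10)-(15).

```python
# Added example (not from the talk): a Dolev-Yao style knowledge closure over the
# term constructors of slides 17-21.  Assumption: encr(k, y, z) yields z only when
# k is already known to the intruder; A, B, I are constructed agent names.

def agt(x): return ("agt", x)
def r(j): return ("r", j)
def sk(a, b, run): return ("sk", a, b, run)          # session key K_AB of a run
def ltk(a): return ("ltk", a, ("serv", "S"))           # long-term key shared with S
def N(a, b, run): return ("N", a, b, run)              # nonce created by a for b
def cons(x, y): return ("cons", x, y)
def encr(key, sender, payload): return ("encr", key, sender, payload)
def mesg(snd, rcv, payload, run): return ("mesg", snd, rcv, payload, run)

def closure(known):
    """Saturate knowledge: (8),(9) split pairs, (16) reads every message, decrypt with held keys."""
    known = set(known)
    while True:
        new = set()
        for t in known:
            if t[0] == "cons":
                new.update((t[1], t[2]))
            elif t[0] == "mesg":
                new.add(t[3])
            elif t[0] == "encr" and t[1] in known:
                new.add(t[3])
        if new <= known:
            return known
        known |= new

A, B, I, S = agt("A"), agt("B"), agt("I"), ("serv", "S")

def session_i():
    """Session (i), run r(0), as seen on the network (steps 2 and 3 of slide 14)."""
    kab = sk(A, B, r(0))
    ticket = encr(ltk(B), S, cons(kab, A))             # {K_AB, A}_{K_BS}
    msg2 = mesg(S, A, encr(ltk(A), S, cons(N(A, S, r(0)), cons(B, cons(kab, ticket)))), r(0))
    return kab, ticket, {msg2, mesg(A, B, ticket, r(0))}

def denning_sacco(key_compromised):
    """Slide 15: old ticket replayed in run r(1); returns (ticket replayable, N_B learned)."""
    kab, ticket, recorded = session_i()
    nb = N(B, A, r(1))
    reply = mesg(B, A, encr(kab, B, nb), r(1))         # step ii.4, {N_B}_{K'_AB}
    initial = {I, A, B, S, ltk(I), r(0), r(1)}          # part of slide 24
    if key_compromised:
        initial.add(kab)                                # hypothesis Hp of slide 15
    known = closure(initial | recorded | {reply})
    return ticket in known, nb in known
```

The ticket is replayable in both runs because (16) hands the intruder every ciphertext on the network; only the compromised $K'_{AB}$ lets it open B's reply, which is exactly the authentication failure the strategy must detect.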
Strategy: Basic Ingredients
• Simulation of critical pairs through a bottom-up strategy
• Expansion of terms
• Well-formedness of terms (to ensure termination of the expansion process)
• Recognizability by the intruder