security protocols
play

Security Protocols 2 A pattern for message exchange, specifying - PowerPoint PPT Presentation


  1. ✝ ✆ ✄ ✆ ✝ ✂✄ ✞✟ ✡ ✟ ✄ ✂✄ ✡ ✄ ✆ ✂✄ ✞✟ ✄ ✆ ☎ ✂✄ ✁ ✟ ✞✟ ✆ ✝ ✠ ✡ ✟ ✡ ✟ ✠ ✝ ✞✟ ✞✟ ☎ ✟ ✡ ✠ ✞✟ ✝ ✠ ✡ ✟ ✝ ✄ ✁ � ☎ � ✂✄ � � � ✁ � Security Protocols 2 A pattern for message exchange, specifying agent Analysing Security Protocols names, nonces, keys, Using Automated Reasoning Goal: establish a secure key, authenticity, freshness, Graham Steel Example: Needham & Schroeder, 1978 I V N E U R S E I H B : T 1. A N A A Y T pubK B O H A : F G 2. B N A N B R pubK A E U D I B N B : 3. A N B pubK B Graham Steel Analysing Security Protocols November 8, 2004 Cryptographic Primitives The Subtlety of Attacks 1 3 Shared key - Alice and Bob both know K AB , and Lowe, 1995 keep it secret. C : 1. A N A A pubK C Alice sends Bob Message B : K AB 1.’ C A N A A pubK B C A : 2.’ B N A N B pubK A Public key - Bob generates privK B , pubK B A : 2. C N A N B pubK A Gives pubK B to Alice (and everyone) C : 3. A N B pubK C Alice sends Bob Message pubK B B : 3.’ C A N B pubK B C can now impersonate A Problem is now the security of keys ( K AB , privK B ) Often manage this with nonces ( N A N B ) Graham Steel Analysing Security Protocols November 8, 2004 Graham Steel Analysing Security Protocols November 8, 2004

  2. ✄ ✟ ✞ ✞ ✝ ✞ ✆ ✟✠ ✁☎ ✡ ✄ ☛ ✄ ✆ ✂ ☞ ✌ ✄ ✂ ✄ ✞ ✞ ✁ ✟ ✝ ✁☎ � ✞ ✞ ✄ ✟ ✁ � ✟ ✁☎ ✄ ✆ ✟ ☛ ✝ � ✁ ✡ ✂ ✄ ✄ ✂ ✄ ✟✠ ✄ Formal Modelling Scenario Analysis with Isabelle - 2 4 6 Dolev and Yao, 1983 Form security properties as inductive conjectures ‘Perfect Cryptography’ E.g. bad ; B bad ; evs ns public A The spy can: SaysBA Crypt pubK A NonceNA NonceNB Break down and re-assemble messages. set evs Remove, delay and insert messages NonceNB analz spies evs Impersonate an honest agent ‘If A and B are honest agents, and B has sent a ‘message 2’ with nonce NB, the spy cannot learn NB’ Graham Steel Analysing Security Protocols November 8, 2004 Graham Steel Analysing Security Protocols November 8, 2004 Analysis with Isabelle - 1 Analysis with C ORAL 5 7 Typed, higher-order inductive model Proving these conjectures in Isabelle can be tricky, Trace is an ‘inductive datatype’ even for experts Rules describe how trace can be extended C ORAL : a tool for finding counterexamples to false inductive conjectures NS 1 : evs 1 ns public; NonceNA used evs1 SaysAB Crypt pubK B NonceNA Agent A Built on S PASS - an automatic first-order theorem # evs 1 ns public prover Automatic Fake : ns public; X evsf synth analz spies evsf SaysSpyB X # evsf ns public Graham Steel Analysing Security Protocols November 8, 2004 Graham Steel Analysing Security Protocols November 8, 2004

  3. ✆ ☛ ✡ ✌ ✠ ✡ ✞ ☛ ✡ ✡ ✡ ✝ ✞ ✠ ✟ ✟ ✞ ✠ ✝ ✡ ✝ ✆ ☛ ✝ ✝ ✂ ✝ ✝ ✆ ✡ ☎ ✄ ✡ ✌ ☛ ✄ ☞ ✞ ☛ ✠ ✡ ✡ ✝ ✆ ☛ ✝ ☛ ✆ ✝ � � ☛ ☎ ✁ ✞ � ✟ ✠ � � � ☎ ✁ ✎ � ✏ ☎ ☎ ✑ ✡ ✝ ✝ ✞ ✟ ☎ ✄ ✝ ✂ ✡ ✡ ☛ ✠ ✁ ✡ ☛ ✝ ✍ � � � ☎ ✁ More about C ORAL Isabelle on Needham Schroeder 8 10 bad ; B bad ; evs Types modelled with ‘sorted signature’ evs A ns public SaysBA Crypt pubKA NonceNA NonceNB setevs 0 0 numbers 0 0 s nonce nonce s NonceNB analz spies evs 1 evs 3 CB Inference by restricted superposition bad ; B bad ; evs 3 A ns public setevs 3; — (roughly) paramodulation + rewriting SaysAC Crypt pubKC NonceNA AgentA setevs 3; SaysB A Crypt pubKA NonceNA NonceNB (Bachmair & Ganzinger, 1990) bad ; C setevs 3; C ORAL restricts superposition to a linear strategy SaysBA Crypt pubKA NonceNA NonceNB spies evs 3 NonceNB analz I-Axiomatisation (Comon & Nieuwenhuis, 1999) False Graham Steel Analysing Security Protocols November 8, 2004 Graham Steel Analysing Security Protocols November 8, 2004 Group Key Management Protocols Heursitic reductions 9 11 Can prune search space: Mutual secrecy, authentication, for n players, 1 Fake messages look like real messages n n Spy only expects realistic messages Group is dynamic - members may join and leave No two spy messages in a row Challenging: Arbitrary n increases search space Must prove completeness under these assumptions Security properties harder to specify Graham Steel Analysing Security Protocols November 8, 2004 Graham Steel Analysing Security Protocols November 8, 2004

  4. ✟ ✞ ✌ � ✁ ☎ ✁ ☎ � ✌ ✁ ☛ ✟ ✠ ✁ ☛ ✁ ✠ ✡ ✁ ☛ � ✁ ✁ ☛ ✟ ✌ ✞ ✠ ✁ ✠ � ✁ ✠ ✁ ☎ ✁ ✞ � ✁ ☛ ✟ ☛ ✞ ✁ ✠ ✁ � � ✁ ✌ ✡ ✠ ✁ ✁ � ✞ ✁ ☛ ✟ ✁ ✠ � ✌ ✞ ✂ ✁ ✠ ☛ ✁ ✌ ✌ ✠ ✁ ☛ ✁ ✠ ✁ ✁ ✂ ☛ ✁ ✄ ✄ ✄ ☎ ✂ ✆ ✡ ✄ ✁ ✟ ✡ ✠ ☛ ✌ ✁ � ✁ ✁ � ✌ ✁ ☛ ✠ ✁ ✠ ✁ ✡ ✌ ✞ ✟ ✁ ☛ � ✁ ✁ ☛ ✟ ✌ ✞ ✌ Group Protocol Scenario Attack on Iolus 12 14 11 11 9. server M 2 : ik Gk longtermK M 2 Ik 1 Server M 1 leave 10. server : 2 ik M 1 14 14 Gk Gk 11. server all : M 3 11 5 ik ik Ik 2 12. spy server : leave 5 ik 26 13. server all : Gk 11 M Gk ik 2 14 14 14. spy all : Gk Gk 11 5 ik ik M 3 is an ex-member Spy leaves in message 13, then replays old key update Can he read M 2 ’s message? in message 14 C ORAL discovers 3-agent scenario Can he trick M 1 or M 2 into accepting a message? Graham Steel Analysing Security Protocols November 8, 2004 Graham Steel Analysing Security Protocols November 8, 2004 Example: Iolus Other Approaches 13 15 Model checking Join: Send: - e.g. OFMC [Basin, Moedersheim, Vigan´ o, 1. M i S : join 1. M i ALL : message K Mi Gk n ESORICS 2003] 2. S M i : Ik M i Gk n K Mi ALL : 3. S Gk n ‘Strand space’ tools Gk n Leave: - e.g. Athena [Song, JCS 2001] 1. M i S : leave Ik Mi Logic Programming 2. S ALL : [ Gk n ] j i M j group Ik Mj - e.g. NPA [Meadows, J. Log. Prog. 1996] First-order invariants - e.g. TAPS [Cohen, JCS 2003] Graham Steel Analysing Security Protocols November 8, 2004 Graham Steel Analysing Security Protocols November 8, 2004

  5. Further Reading 16 L C Paulson. The inductive approach to verifying cryptographic protocols. J. Computer Security 6 (1998), 85–128. http://www.cl.cam.ac.uk/users/lcp/papers/protocols.html G Steel, A. Bundy, M. Maidl. Attacking a Protocol for Group Key Agreement by Refuting Incorrect Inductive Conjectures, with Alan Bundy and Monika Maidl. In Proceedings of IJCAR 2004, pages 137-151. http://homepages.inf.ed.ac.uk/gsteel/papers/ AVISPA Project (OFMC, SATMC, etc..) http://www.avispa-project.org/ New Project - Hardware Security Module APIs http://homepages.inf.ed.ac.uk/gsteel/ Graham Steel Analysing Security Protocols November 8, 2004

Recommend


More recommend