✝ ✆ ✄ ✆ ✝ ✂✄ ✞✟ ✡ ✟ ✄ ✂✄ ✡ ✄ ✆ ✂✄ ✞✟ ✄ ✆ ☎ ✂✄ ✁ ✟ ✞✟ ✆ ✝ ✠ ✡ ✟ ✡ ✟ ✠ ✝ ✞✟ ✞✟ ☎ ✟ ✡ ✠ ✞✟ ✝ ✠ ✡ ✟ ✝ ✄ ✁ � ☎ � ✂✄ � � � ✁ � Security Protocols 2 A pattern for message exchange, specifying agent Analysing Security Protocols names, nonces, keys, Using Automated Reasoning Goal: establish a secure key, authenticity, freshness, Graham Steel Example: Needham & Schroeder, 1978 I V N E U R S E I H B : T 1. A N A A Y T pubK B O H A : F G 2. B N A N B R pubK A E U D I B N B : 3. A N B pubK B Graham Steel Analysing Security Protocols November 8, 2004 Cryptographic Primitives The Subtlety of Attacks 1 3 Shared key - Alice and Bob both know K AB , and Lowe, 1995 keep it secret. C : 1. A N A A pubK C Alice sends Bob Message B : K AB 1.’ C A N A A pubK B C A : 2.’ B N A N B pubK A Public key - Bob generates privK B , pubK B A : 2. C N A N B pubK A Gives pubK B to Alice (and everyone) C : 3. A N B pubK C Alice sends Bob Message pubK B B : 3.’ C A N B pubK B C can now impersonate A Problem is now the security of keys ( K AB , privK B ) Often manage this with nonces ( N A N B ) Graham Steel Analysing Security Protocols November 8, 2004 Graham Steel Analysing Security Protocols November 8, 2004
✄ ✟ ✞ ✞ ✝ ✞ ✆ ✟✠ ✁☎ ✡ ✄ ☛ ✄ ✆ ✂ ☞ ✌ ✄ ✂ ✄ ✞ ✞ ✁ ✟ ✝ ✁☎ � ✞ ✞ ✄ ✟ ✁ � ✟ ✁☎ ✄ ✆ ✟ ☛ ✝ � ✁ ✡ ✂ ✄ ✄ ✂ ✄ ✟✠ ✄ Formal Modelling Scenario Analysis with Isabelle - 2 4 6 Dolev and Yao, 1983 Form security properties as inductive conjectures ‘Perfect Cryptography’ E.g. bad ; B bad ; evs ns public A The spy can: SaysBA Crypt pubK A NonceNA NonceNB Break down and re-assemble messages. set evs Remove, delay and insert messages NonceNB analz spies evs Impersonate an honest agent ‘If A and B are honest agents, and B has sent a ‘message 2’ with nonce NB, the spy cannot learn NB’ Graham Steel Analysing Security Protocols November 8, 2004 Graham Steel Analysing Security Protocols November 8, 2004 Analysis with Isabelle - 1 Analysis with C ORAL 5 7 Typed, higher-order inductive model Proving these conjectures in Isabelle can be tricky, Trace is an ‘inductive datatype’ even for experts Rules describe how trace can be extended C ORAL : a tool for finding counterexamples to false inductive conjectures NS 1 : evs 1 ns public; NonceNA used evs1 SaysAB Crypt pubK B NonceNA Agent A Built on S PASS - an automatic first-order theorem # evs 1 ns public prover Automatic Fake : ns public; X evsf synth analz spies evsf SaysSpyB X # evsf ns public Graham Steel Analysing Security Protocols November 8, 2004 Graham Steel Analysing Security Protocols November 8, 2004
✆ ☛ ✡ ✌ ✠ ✡ ✞ ☛ ✡ ✡ ✡ ✝ ✞ ✠ ✟ ✟ ✞ ✠ ✝ ✡ ✝ ✆ ☛ ✝ ✝ ✂ ✝ ✝ ✆ ✡ ☎ ✄ ✡ ✌ ☛ ✄ ☞ ✞ ☛ ✠ ✡ ✡ ✝ ✆ ☛ ✝ ☛ ✆ ✝ � � ☛ ☎ ✁ ✞ � ✟ ✠ � � � ☎ ✁ ✎ � ✏ ☎ ☎ ✑ ✡ ✝ ✝ ✞ ✟ ☎ ✄ ✝ ✂ ✡ ✡ ☛ ✠ ✁ ✡ ☛ ✝ ✍ � � � ☎ ✁ More about C ORAL Isabelle on Needham Schroeder 8 10 bad ; B bad ; evs Types modelled with ‘sorted signature’ evs A ns public SaysBA Crypt pubKA NonceNA NonceNB setevs 0 0 numbers 0 0 s nonce nonce s NonceNB analz spies evs 1 evs 3 CB Inference by restricted superposition bad ; B bad ; evs 3 A ns public setevs 3; — (roughly) paramodulation + rewriting SaysAC Crypt pubKC NonceNA AgentA setevs 3; SaysB A Crypt pubKA NonceNA NonceNB (Bachmair & Ganzinger, 1990) bad ; C setevs 3; C ORAL restricts superposition to a linear strategy SaysBA Crypt pubKA NonceNA NonceNB spies evs 3 NonceNB analz I-Axiomatisation (Comon & Nieuwenhuis, 1999) False Graham Steel Analysing Security Protocols November 8, 2004 Graham Steel Analysing Security Protocols November 8, 2004 Group Key Management Protocols Heursitic reductions 9 11 Can prune search space: Mutual secrecy, authentication, for n players, 1 Fake messages look like real messages n n Spy only expects realistic messages Group is dynamic - members may join and leave No two spy messages in a row Challenging: Arbitrary n increases search space Must prove completeness under these assumptions Security properties harder to specify Graham Steel Analysing Security Protocols November 8, 2004 Graham Steel Analysing Security Protocols November 8, 2004
✟ ✞ ✌ � ✁ ☎ ✁ ☎ � ✌ ✁ ☛ ✟ ✠ ✁ ☛ ✁ ✠ ✡ ✁ ☛ � ✁ ✁ ☛ ✟ ✌ ✞ ✠ ✁ ✠ � ✁ ✠ ✁ ☎ ✁ ✞ � ✁ ☛ ✟ ☛ ✞ ✁ ✠ ✁ � � ✁ ✌ ✡ ✠ ✁ ✁ � ✞ ✁ ☛ ✟ ✁ ✠ � ✌ ✞ ✂ ✁ ✠ ☛ ✁ ✌ ✌ ✠ ✁ ☛ ✁ ✠ ✁ ✁ ✂ ☛ ✁ ✄ ✄ ✄ ☎ ✂ ✆ ✡ ✄ ✁ ✟ ✡ ✠ ☛ ✌ ✁ � ✁ ✁ � ✌ ✁ ☛ ✠ ✁ ✠ ✁ ✡ ✌ ✞ ✟ ✁ ☛ � ✁ ✁ ☛ ✟ ✌ ✞ ✌ Group Protocol Scenario Attack on Iolus 12 14 11 11 9. server M 2 : ik Gk longtermK M 2 Ik 1 Server M 1 leave 10. server : 2 ik M 1 14 14 Gk Gk 11. server all : M 3 11 5 ik ik Ik 2 12. spy server : leave 5 ik 26 13. server all : Gk 11 M Gk ik 2 14 14 14. spy all : Gk Gk 11 5 ik ik M 3 is an ex-member Spy leaves in message 13, then replays old key update Can he read M 2 ’s message? in message 14 C ORAL discovers 3-agent scenario Can he trick M 1 or M 2 into accepting a message? Graham Steel Analysing Security Protocols November 8, 2004 Graham Steel Analysing Security Protocols November 8, 2004 Example: Iolus Other Approaches 13 15 Model checking Join: Send: - e.g. OFMC [Basin, Moedersheim, Vigan´ o, 1. M i S : join 1. M i ALL : message K Mi Gk n ESORICS 2003] 2. S M i : Ik M i Gk n K Mi ALL : 3. S Gk n ‘Strand space’ tools Gk n Leave: - e.g. Athena [Song, JCS 2001] 1. M i S : leave Ik Mi Logic Programming 2. S ALL : [ Gk n ] j i M j group Ik Mj - e.g. NPA [Meadows, J. Log. Prog. 1996] First-order invariants - e.g. TAPS [Cohen, JCS 2003] Graham Steel Analysing Security Protocols November 8, 2004 Graham Steel Analysing Security Protocols November 8, 2004
Further Reading 16 L C Paulson. The inductive approach to verifying cryptographic protocols. J. Computer Security 6 (1998), 85–128. http://www.cl.cam.ac.uk/users/lcp/papers/protocols.html G Steel, A. Bundy, M. Maidl. Attacking a Protocol for Group Key Agreement by Refuting Incorrect Inductive Conjectures, with Alan Bundy and Monika Maidl. In Proceedings of IJCAR 2004, pages 137-151. http://homepages.inf.ed.ac.uk/gsteel/papers/ AVISPA Project (OFMC, SATMC, etc..) http://www.avispa-project.org/ New Project - Hardware Security Module APIs http://homepages.inf.ed.ac.uk/gsteel/ Graham Steel Analysing Security Protocols November 8, 2004
Recommend
More recommend
