
Verification of security protocols from confidentiality to privacy - PowerPoint PPT Presentation

Verification of security protocols from confidentiality to privacy
Stéphanie Delaune, LSV, CNRS & ENS Cachan, France
Wednesday, August 26th, 2015
S. Delaune (LSV) Verification of security protocols 26th August 2015 1 / 54

This talk:


Slide 12/54: Going back to the Needham-Schroeder's protocol

Role A, played by $a$ with the attacker $c$ (messages 1, 4 and 5):
$$\mathsf{new}\ n_a.\ \mathsf{out}(\{a, n_a\}_{pub(c)}).\ \mathsf{in}(\{n_a, x_{n_b}\}_{pub(a)}).\ \mathsf{out}(\{x_{n_b}\}_{pub(c)})$$

Role B, played by $b$ (apparently) with $a$ (messages 2 and 3):
$$\mathsf{in}(\{a, y_{n_a}\}_{pub(b)}).\ \mathsf{new}\ n_b.\ \mathsf{out}(\{y_{n_a}, n_b\}_{pub(a)})$$

Constraint system (secrecy of $n_b$) with $T_0 = \{a, b, c, priv(c)\}$:
$$\begin{array}{l}
T_0,\ \{a, n_a\}_{pub(c)} \vdash^? \{a, y_{n_a}\}_{pub(b)} \\
T_0,\ \{a, n_a\}_{pub(c)},\ \{y_{n_a}, n_b\}_{pub(a)} \vdash^? \{n_a, x_{n_b}\}_{pub(a)} \\
T_0,\ \{a, n_a\}_{pub(c)},\ \{y_{n_a}, n_b\}_{pub(a)},\ \{x_{n_b}\}_{pub(c)} \vdash^? n_b
\end{array}$$

Does this constraint system have a solution? Yes! $\sigma = \{y_a \mapsto a,\ y_{n_a} \mapsto n_a,\ x_{n_b} \mapsto n_b\}$

Slide 13/54: Going back to the Denning-Sacco protocol

$$\begin{array}{l}
A \to B : aenc(sign(k, priv(A)), pub(B)) \\
B \to A : senc(s, k)
\end{array}$$

One possible interleaving:
$$\mathsf{out}(aenc(sign(k, ska), pk(skc)));\ \mathsf{in}(aenc(sign(x, ska), pk(skb)));\ \mathsf{out}(senc(s, x))$$

The associated constraint system is:
$$\begin{array}{l}
T_0;\ aenc(sign(k, ska), pk(skc)) \vdash^? aenc(sign(x, ska), pk(skb)) \\
T_0;\ aenc(sign(k, ska), pk(skc));\ senc(s, x) \vdash^? s
\end{array}$$
with $T_0 = \{pk(ska), pk(skb); skc\}$.

Does this constraint system have a solution? Yes! $x \mapsto k$
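The two constraint systems above (Needham-Schroeder, slide 12/54, and Denning-Sacco, slide 13/54) can be checked mechanically: a substitution is a solution exactly when every instantiated constraint $T_i\sigma \vdash u_i\sigma$ holds as a ground deduction. The following Python is an added example, not code from the talk or from any tool it mentions. It encodes terms as tuples, decides ground deduction by the usual two-phase analysis (decompose with known keys) then synthesis (compose with public constructors), and checks the two solutions the slides give. Two assumptions are made explicit in the code: $pub(x)$ and $priv(x)$ of slide 12 are written $pk(skx)$ and $skx$, and the public keys $pk(ska), pk(skb), pk(skc)$ are added to $T_0$ (the slide's $T_0$ lists only $a, b, c, priv(c)$, but its derivations need $pub(b)$, as slide 18 also assumes).

```python
"""Checking candidate solutions of a deduction constraint system.

Added example (not from the slides): terms are Python tuples, atomic names are
strings, variables are ('var', name).  pub(x)/priv(x) of slide 12 are written
pk(skx)/skx, and public keys are assumed to be in the initial knowledge T0."""

def var(name):   return ('var', name)
def pair(u, v):  return ('pair', u, v)
def senc(m, k):  return ('senc', m, k)
def aenc(m, k):  return ('aenc', m, k)      # k is expected to be pk(sk)
def sign(m, sk): return ('sign', m, sk)
def pk(sk):      return ('pk', sk)

def apply_subst(term, sigma):
    """Apply a substitution {variable name -> term} to a term."""
    if isinstance(term, tuple):
        if term[0] == 'var':
            return apply_subst(sigma[term[1]], sigma) if term[1] in sigma else term
        return (term[0],) + tuple(apply_subst(t, sigma) for t in term[1:])
    return term

def derivable(u, known):
    """Synthesis phase: u is deducible from an analysed set if it is already known
    or can be composed, with a public constructor, from deducible arguments."""
    if u in known:
        return True
    if isinstance(u, tuple) and u[0] != 'var':
        return all(derivable(t, known) for t in u[1:])
    return False          # an unknown name, or an uninstantiated variable

def analyse(terms):
    """Analysis phase: saturate a set of ground terms under the decomposition rules
    (projections, decryption with a deducible key, reading a signed message)."""
    known = set(terms)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            new = set()
            if t[0] == 'pair':
                new.update(t[1:])
            elif t[0] == 'senc' and derivable(t[2], known):
                new.add(t[1])
            elif (t[0] == 'aenc' and isinstance(t[2], tuple) and t[2][0] == 'pk'
                  and derivable(t[2][1], known)):
                new.add(t[1])
            elif t[0] == 'sign':          # a signature does not hide its message
                new.add(t[1])
            if not new <= known:
                known |= new
                changed = True
    return known

def is_solution(constraints, sigma):
    """sigma solves [(T_i, u_i), ...] iff every instantiated T_i sigma |- u_i sigma holds."""
    return all(derivable(apply_subst(u, sigma), analyse(apply_subst(t, sigma) for t in T))
               for T, u in constraints)

# --- Needham-Schroeder, slide 12/54: a runs role A with the attacker c, b runs role B
ska, skb, skc = 'ska', 'skb', 'skc'
T0_NS = {'a', 'b', 'c', skc, pk(ska), pk(skb), pk(skc)}   # priv(c) = skc is known
m1 = aenc(pair('a', 'n_a'), pk(skc))                  # message 1, sent by a to c
m2 = aenc(pair(var('y_na'), 'n_b'), pk(ska))          # message 3, sent by b
m3 = aenc(var('x_nb'), pk(skc))                       # message 5, sent by a to c
NS = [
    (T0_NS | {m1},         aenc(pair('a', var('y_na')), pk(skb))),    # b's input
    (T0_NS | {m1, m2},     aenc(pair('n_a', var('x_nb')), pk(ska))),  # a's input
    (T0_NS | {m1, m2, m3}, 'n_b'),                                     # secrecy of n_b
]
SIGMA_NS = {'y_a': 'a', 'y_na': 'n_a', 'x_nb': 'n_b'}   # the solution given on the slide

# --- Denning-Sacco, slide 13/54
T0_DS = {pk(ska), pk(skb), skc}
d1 = aenc(sign('k', ska), pk(skc))
DS = [
    (T0_DS | {d1},                      aenc(sign(var('x'), ska), pk(skb))),
    (T0_DS | {d1, senc('s', var('x'))}, 's'),
]
SIGMA_DS = {'x': 'k'}

if __name__ == '__main__':
    print('NS solved by sigma:   ', is_solution(NS, SIGMA_NS))                        # True: n_b leaks
    print('NS with x_nb -> n_a:  ', is_solution(NS, {'y_na': 'n_a', 'x_nb': 'n_a'}))  # False
    print('DS solved by x -> k:  ', is_solution(DS, SIGMA_DS))                        # True: s leaks
    print('DS with x -> s:       ', is_solution(DS, {'x': 's'}))                      # False
```

A `True` result means the interleaving is executable by the attacker and the secret on the last right-hand side is deducible, i.e. the attack trace exists. The checker only validates a given substitution; finding one is what the simplification rules of the following slides do.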

Slide 14/54: The general case: is the constraint system $C$ satisfiable?

Main idea: simplify the constraints until reaching $\bot$ or a solved form.

A constraint system in solved form:
$$C = \left\{ \begin{array}{l}
T_0 \vdash^? x_0 \\
T_0 \cup T_1 \vdash^? x_1 \\
\ldots \\
T_0 \cup T_1 \ldots \cup T_n \vdash^? x_n
\end{array} \right.$$

Question: is there a solution to such a system? Of course, yes! Choose $u_0 \in T_0$ and consider the substitution $\sigma = \{x_0 \mapsto u_0, \ldots, x_n \mapsto u_0\}$.

Slide 15/54: Simplification rules (these rules deal with pairs and symmetric encryption only)

$$\begin{array}{lll}
R_{ax}: & C \wedge T \vdash^? u \leadsto C & \text{if } T \cup \{x \mid T' \vdash^? x \in C,\ T' \subsetneq T\} \vdash u \\
R_{unif}: & C \wedge T \vdash^? u \leadsto_\sigma C\sigma \wedge T\sigma \vdash^? u\sigma & \text{if } \sigma = mgu(t_1, t_2) \text{ where } t_1, t_2 \in st(T) \cup \{u\} \\
R_{fail}: & C \wedge T \vdash^? u \leadsto \bot & \text{if } vars(T \cup \{u\}) = \emptyset \text{ and } T \nvdash u \\
R_f: & C \wedge T \vdash^? f(u_1, u_2) \leadsto C \wedge T \vdash^? u_1 \wedge T \vdash^? u_2 & f \in \{\langle\cdot,\cdot\rangle, senc\}
\end{array}$$

Slide 16/54: Applying rule $R_f$

$$R_f:\ C \wedge T \vdash^? f(u_1, u_2) \leadsto C \wedge T \vdash^? u_1 \wedge T \vdash^? u_2$$

Example:
$$T_0;\ aenc(sign(k, ska), pk(skc)) \vdash^? aenc(sign(x, ska), pk(skb))$$
$$\leadsto \left\{ \begin{array}{l}
T_0;\ aenc(sign(k, ska), pk(skc)) \vdash^? sign(x, ska) \\
T_0;\ aenc(sign(k, ska), pk(skc)) \vdash^? pk(skb)
\end{array} \right.$$

Slide 17/54: Applying rule $R_{unif}$

$$R_{unif}:\ C \wedge T \vdash^? u \leadsto_\sigma C\sigma \wedge T\sigma \vdash^? u\sigma \quad \text{if } \sigma = mgu(t_1, t_2) \text{ where } t_1, t_2 \in st(T) \cup \{u\}$$

Example:
$$\left\{ \begin{array}{l}
T_0;\ aenc(sign(k, ska), pk(skc)) \vdash^? sign(x, ska) \\
T_0;\ aenc(sign(k, ska), pk(skc)) \vdash^? pk(skb)
\end{array} \right.$$
$$\leadsto_\sigma \left\{ \begin{array}{l}
T_0;\ aenc(sign(k, ska), pk(skc)) \vdash^? sign(k, ska) \\
T_0;\ aenc(sign(k, ska), pk(skc)) \vdash^? pk(skb)
\end{array} \right.$$
with $\sigma = mgu(sign(x, ska), sign(k, ska)) = \{x \mapsto k\}$, the subterm $sign(k, ska)$ being taken from $T$.

Slide 18/54: Applying rule $R_{ax}$

$$R_{ax}:\ C \wedge T \vdash^? u \leadsto C \quad \text{if } T \cup \{x \mid T' \vdash^? x \in C,\ T' \subsetneq T\} \vdash u$$

Example (assuming that $skc$ and $pk(skb)$ are in $T_0$):
$$\left\{ \begin{array}{l}
T_0;\ aenc(sign(k, ska), pk(skc)) \vdash^? sign(k, ska) \\
T_0;\ aenc(sign(k, ska), pk(skc)) \vdash^? pk(skb)
\end{array} \right.$$
$$\leadsto \left\{ \begin{array}{l}
T_0;\ aenc(sign(k, ska), pk(skc)) \vdash^? sign(k, ska)
\end{array} \right.$$
$$\leadsto \emptyset \quad \text{(empty constraint system)}$$

Slide 19/54: Exercise, still about the Denning-Sacco protocol

Exercise: reach a solved form starting with the constraint system:
$$\begin{array}{l}
T_0;\ aenc(sign(k, ska), pk(skc)) \vdash^? aenc(sign(x, ska), pk(skb)) \\
T_0;\ aenc(sign(k, ska), pk(skc));\ senc(s, x) \vdash^? s
\end{array}$$

Slide 20/54: Results on the simplification rules

Given a (well-formed) constraint system $C$ and the simplification rules $R_{ax}$, $R_{unif}$, $R_{fail}$, $R_f$ of slide 15/54:

Soundness: if $C \leadsto^*_\sigma C'$ and $\theta$ is a solution of $C'$, then $\sigma\theta$ is a solution of $C$. (easy to show)

Termination: there is no infinite chain $C \leadsto_{\sigma_1} C_1 \ldots \leadsto_{\sigma_n} C_n \ldots$ (using the lexicographic order on (number of variables, size of the right-hand sides))

Completeness: if $\theta$ is a solution of $C$, then there exist $C'$ and $\theta'$ such that $C \leadsto^*_\sigma C'$, $\theta'$ is a solution of $C'$, and $\theta = \sigma\theta'$. (more involved to show)

Slide 21/54: Procedure for solving a constraint system

Main idea of the procedure: starting from
$$C = \left\{ \begin{array}{l}
T_0 \vdash^? u_1 \\
T_0, v_1 \vdash^? u_2 \\
\ldots \\
T_0, v_1, \ldots, v_n \vdash^? s
\end{array} \right.$$
apply the simplification rules, building a tree of constraint systems $C_1, C_2, C_3, C_4, \ldots$ whose leaves are either $\bot$ or in solved form.

[Figure: the tree rooted at $C$, with leaves labelled $\bot$, solved, $\bot$.]

This gives us a symbolic representation of all the solutions.

Slide 22/54: Main result

Theorem: deciding confidentiality for a bounded number of sessions is decidable for classical primitives (actually in co-NP).

Exercise: NP-hardness can be shown by encoding 3-SAT.

Some extensions that already exist:
1. disequality tests (protocols with else branches);
2. more primitives: asymmetric encryption, blind signature, exclusive-or, ...

Slide 23/54: Avantssar platform

This approach has been implemented in the Avantssar Platform: http://www.avantssar.eu

It typically concludes within a few seconds on the flawed protocols of the Clark/Jacob library.

Slide 24/54: Part II. Equivalence-based security properties

Slide 25/54: Electronic passport (studied in [Arapinis et al., 10])

An electronic passport is a passport with an RFID tag embedded in it. The RFID tag stores:
- the information printed on your passport,
- a JPEG copy of your picture.

The Basic Access Control (BAC) protocol is a key establishment protocol that has been designed to also ensure unlinkability.

ISO/IEC standard 15408: "Unlinkability aims to ensure that a user may make multiple uses of a service or resource without others being able to link these uses together."

Slide 26/54: BAC protocol

Passport $(K_E, K_M)$ and Reader $(K_E, K_M)$ share the two keys.

Reader → Passport: get_challenge
Passport: fresh $N_P, K_P$
Passport → Reader: $N_P$
Reader: fresh $N_R, K_R$
Reader → Passport: $\{N_R, N_P, K_R\}_{K_E},\ MAC_{K_M}(\{N_R, N_P, K_R\}_{K_E})$
Passport → Reader: $\{N_P, N_R, K_P\}_{K_E},\ MAC_{K_M}(\{N_P, N_R, K_P\}_{K_E})$
Both sides: $K_{seed} = K_P \oplus K_R$

Slide 27/54: BAC protocol as a process

Cryptographic primitives are modelled using function symbols:
- encryption/decryption: $senc/2$, $sdec/2$
- concatenation/projections: $\langle\cdot,\cdot\rangle/2$, $proj_1/1$, $proj_2/1$
- mac construction: $mac/2$

with the equations $sdec(senc(x, y), y) = x$, $proj_1(\langle x, y\rangle) = x$, $proj_2(\langle x, y\rangle) = y$.

Nonces $n_r, n_p$ and keys $k_r, k_p, k_e, k_m$ are modelled using names.

Modelling the Passport's role:
$$\begin{array}{l}
P_{BAC}(k_E, k_M) = \mathsf{new}\ n_P.\ \mathsf{new}\ k_P.\ \mathsf{out}(n_P).\ \mathsf{in}(\langle z_E, z_M\rangle). \\
\quad \mathsf{if}\ z_M = mac(z_E, k_M)\ \mathsf{then} \\
\quad\quad \mathsf{if}\ n_P = proj_1(proj_2(sdec(z_E, k_E)))\ \mathsf{then}\ \mathsf{out}(\langle m, mac(m, k_M)\rangle) \\
\quad\quad \mathsf{else}\ 0 \\
\quad \mathsf{else}\ 0
\end{array}$$
where $m = senc(\langle n_P, \langle proj_1(z_E), k_P\rangle\rangle, k_E)$.

Slide 28/54: What does unlinkability mean?

Informally, an observer/attacker cannot observe the difference between the two following situations:
1. a situation where the same passport may be used twice (or even more);
2. a situation where each passport is used at most once.

More formally:
$$!\ \mathsf{new}\ k_E.\ \mathsf{new}\ k_M.\ (!P_{BAC} \mid\ !R_{BAC}) \overset{?}{\approx}\ !\ \mathsf{new}\ k_E.\ \mathsf{new}\ k_M.\ (P_{BAC} \mid\ !R_{BAC})$$
On the left, many sessions for each passport; on the right, only one session for each passport. (We still have to formalize the notion of equivalence.)

Slide 29/54: Security properties - privacy

Privacy-type properties are modelled as equivalence-based properties.

Testing equivalence between $P$ and $Q$, written $P \approx Q$: for all processes $A$, we have that $(A \mid P) \Downarrow c$ if, and only if, $(A \mid Q) \Downarrow c$, where $R \Downarrow c$ means that $R$ can evolve and emit on the public channel $c$.

Example 1: $\mathsf{out}(a, s) \overset{?}{\approx} \mathsf{out}(a, s')$. They are not equivalent: $\mathsf{out}(a, s) \not\approx \mathsf{out}(a, s')$, witnessed by
$$A = \mathsf{in}(a, x).\ \mathsf{if}\ x = s\ \mathsf{then}\ \mathsf{out}(c, ok)$$

Example 2:
$$\mathsf{new}\ s.\ \mathsf{out}(a, senc(s, k)).\ \mathsf{out}(a, senc(s, k')) \overset{?}{\approx} \mathsf{new}\ s, s'.\ \mathsf{out}(a, senc(s, k)).\ \mathsf{out}(a, senc(s', k'))$$
They are not equivalent ($\not\approx$), witnessed by
$$A = \mathsf{in}(a, x).\ \mathsf{in}(a, y).\ \mathsf{if}\ sdec(x, k) = sdec(y, k')\ \mathsf{then}\ \mathsf{out}(c, ok)$$

Exercise: are the two following processes in testing equivalence?
$$\mathsf{new}\ s.\ \mathsf{out}(a, s) \overset{?}{\approx} \mathsf{new}\ s.\ \mathsf{new}\ k.\ \mathsf{out}(a, enc(s, k))$$

Slide 30/54: French electronic passport (the passport must reply to all received messages)

Passport $(K_E, K_M)$ and Reader $(K_E, K_M)$:

Reader → Passport: get_challenge
Passport: fresh $N_P, K_P$
Passport → Reader: $N_P$
Reader: fresh $N_R, K_R$
Reader → Passport: $\{N_R, N_P, K_R\}_{K_E},\ MAC_{K_M}(\{N_R, N_P, K_R\}_{K_E})$
If the MAC check fails, Passport → Reader: mac_error
If the MAC check succeeds but the nonce check fails, Passport → Reader: nonce_error

Slide 31/54: BAC protocol (French version) as a process

Cryptographic primitives are modelled as usual using function symbols, with $sdec(senc(x, y), y) = x$, $proj_1(\langle x, y\rangle) = x$, $proj_2(\langle x, y\rangle) = y$.

Nonces $n_r, n_p$ and keys $k_r, k_p, k_e, k_m$ are modelled using names. Error messages are modelled using the constants $mac\_error$ and $nonce\_error$.

Modelling the Passport's role:
$$\begin{array}{l}
P_{BAC}(k_E, k_M) = \mathsf{new}\ n_P.\ \mathsf{new}\ k_P.\ \mathsf{out}(n_P).\ \mathsf{in}(\langle z_E, z_M\rangle). \\
\quad \mathsf{if}\ z_M = mac(z_E, k_M)\ \mathsf{then} \\
\quad\quad \mathsf{if}\ n_P = proj_1(proj_2(sdec(z_E, k_E)))\ \mathsf{then}\ \mathsf{out}(\langle m, mac(m, k_M)\rangle) \\
\quad\quad \mathsf{else}\ \mathsf{out}(nonce\_error) \\
\quad \mathsf{else}\ \mathsf{out}(mac\_error)
\end{array}$$
where $m = senc(\langle n_P, \langle proj_1(z_E), k_P\rangle\rangle, k_E)$.

Slide 32/54: An attack on the French passport

Attack against unlinkability [Chothia & Smirnov, 10]: an attacker can track a French passport, provided he has once witnessed a successful authentication.

Part 1 of the attack. The attacker eavesdrops on Alice using her passport and records the message $M$.

Alice's Passport $(K_E, K_M)$ and Reader $(K_E, K_M)$:
Reader → Passport: get_challenge
Passport: fresh $N_P, K_P$
Passport → Reader: $N_P$
Reader: fresh $N_R, K_R$
Reader → Passport: $M = \{N_R, N_P, K_R\}_{K_E},\ MAC_{K_M}(\{N_R, N_P, K_R\}_{K_E})$

Part 2 of the attack. The attacker replays the message $M$ and checks the error code he receives.

????'s Passport $(K'_E, K'_M)$ and Attacker:
Attacker → Passport: get_challenge
Passport: fresh $N'_P, K'_P$
Passport → Attacker: $N'_P$
Attacker → Passport: $M = \{N_R, N_P, K_R\}_{K_E},\ MAC_{K_M}(\{N_R, N_P, K_R\}_{K_E})$

- mac_error $\Rightarrow$ MAC check failed $\Rightarrow K'_M \neq K_M \Rightarrow$ ???? is not Alice
- nonce_error $\Rightarrow$ MAC check succeeded $\Rightarrow K'_M = K_M \Rightarrow$ ???? is Alice

Slide 33/54: An attack on the French passport

Attack! The equivalence does not hold: $P_{same} \not\approx P_{diff}$. More formally,
$$P_{same} \overset{def}{=}\ !\ \mathsf{new}\ k_E.\ \mathsf{new}\ k_M.\ (!P_{BAC} \mid\ !R_{BAC}) \quad\not\approx\quad P_{diff} \overset{def}{=}\ !\ \mathsf{new}\ k_E.\ \mathsf{new}\ k_M.\ (P_{BAC} \mid\ !R_{BAC})$$

Exercise: exhibit the process $A$ that witnesses the fact that these two processes are not in testing equivalence.
$$A = \mathsf{in}(c, x).\ \mathsf{out}(c, x).\ \mathsf{in}(c, y).\ \mathsf{if}\ y = nonce\_error\ \mathsf{then}\ \mathsf{out}(ok, \_)$$
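The witness process $A$ of slide 33/54 and the two passport models (slides 27/54 and 31/54) can be run concretely to see why distinguishable error codes break unlinkability and why answering identically in both failure branches restores it for this test. The Python below is an added example, not code from the talk or from [Chothia & Smirnov, 10]. It is a model, not real BAC: HMAC-SHA256 stands in for $MAC_{K_M}$, a keyed XOR pad stands in for $\{\cdot\}_{K_E}$, all keys and nonces are random bytes, and the class and function names are this example's own. `experiment(True)` is the French model with distinct `mac_error`/`nonce_error` replies; `experiment(False)` answers the same constant in both failure branches, which is what the silent `else 0` of the generic model amounts to for an observer of error codes.

```python
"""The unlinkability test of slides 32-33/54 run against two passport models.

Added example, not code from the slides or from Chothia & Smirnov.  HMAC-SHA256
stands in for MAC_KM and a keyed XOR pad stands in for {.}_KE (toy, model only);
class and function names are this example's own."""
import hashlib, hmac, os

def mac(km, msg):
    return hmac.new(km, msg, hashlib.sha256).digest()

def senc(ke, msg):
    """Toy {msg}_KE: XOR with a pad derived from KE (fixed 32-byte messages only)."""
    pad = hashlib.sha256(ke).digest()
    assert len(msg) == len(pad)
    return bytes(a ^ b for a, b in zip(msg, pad))

sdec = senc      # the XOR pad is its own inverse

class Passport:
    """P_BAC of slide 31/54.  With distinct_errors=False both failure branches
    answer the same constant, so the error code carries no information."""
    def __init__(self, ke, km, distinct_errors):
        self.ke, self.km, self.distinct_errors = ke, km, distinct_errors
        self.n_p = self.k_p = self.k_seed = None

    def get_challenge(self):
        self.n_p, self.k_p = os.urandom(8), os.urandom(16)   # new n_P, new k_P
        return self.n_p

    def respond(self, z_e, z_m):
        if not hmac.compare_digest(mac(self.km, z_e), z_m):      # z_M = mac(z_E, k_M)?
            return b'mac_error' if self.distinct_errors else b'error'
        plain = sdec(self.ke, z_e)                                  # {N_R, N_P, K_R}_KE
        n_r, n_p, k_r = plain[:8], plain[8:16], plain[16:]
        if n_p != self.n_p:                                         # n_P = proj_1(proj_2(...))?
            return b'nonce_error' if self.distinct_errors else b'error'
        self.k_seed = bytes(a ^ b for a, b in zip(self.k_p, k_r))  # K_seed = K_P xor K_R
        m = senc(self.ke, n_p + n_r + self.k_p)                     # {N_P, N_R, K_P}_KE
        return m + mac(self.km, m)

def reader_message(ke, km, n_p):
    """The reader's message {N_R, N_P, K_R}_KE, MAC_KM(...)."""
    n_r, k_r = os.urandom(8), os.urandom(16)
    z_e = senc(ke, n_r + n_p + k_r)
    return z_e, mac(km, z_e)

def eavesdrop_session(passport, ke, km):
    """Part 1: an honest session between the passport and a legitimate reader;
    the attacker records the reader's message M."""
    n_p = passport.get_challenge()
    M = reader_message(ke, km, n_p)
    passport.respond(*M)
    return M

def link_test(passport, M):
    """Part 2, the process A of slide 33/54: ask for a challenge, replay M,
    and output ok (True) exactly when the reply is nonce_error."""
    passport.get_challenge()
    return passport.respond(*M) == b'nonce_error'

def experiment(distinct_errors):
    """Returns (verdict on Alice's own passport, verdict on another passport)."""
    ke_a, km_a, ke_b, km_b = (os.urandom(16) for _ in range(4))
    alice = Passport(ke_a, km_a, distinct_errors)
    other = Passport(ke_b, km_b, distinct_errors)
    M = eavesdrop_session(alice, ke_a, km_a)
    return link_test(alice, M), link_test(other, M)

if __name__ == '__main__':
    print('French model (distinct error codes):', experiment(True))   # (True, False)
    print('Uniform error model:               ', experiment(False))  # (False, False)
```

With distinct error codes the test says ok on Alice's passport and stays silent on any other, which is exactly a context $A$ separating $P_{same}$ from $P_{diff}$. With one uniform error reply the test never emits ok, so this particular $A$ no longer distinguishes the two; the formal guarantee of course requires quantifying over all $A$, which is what the decision procedure of the following slides is for.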

Slide 34/54: Some other equivalence-based security properties

The notion of testing equivalence can be used to express:

- Vote privacy: the fact that a particular voter voted in a particular way is not revealed to anyone.
- Strong secrecy: the fact that an adversary cannot see any difference when the value of the secret changes (stronger than the notion of secrecy as non-deducibility).
- Guessing attacks: the fact that an adversary cannot learn the value of passwords even if he knows that they have been chosen in a particular dictionary.

Slide 35/54: State of the art in a nutshell (1/2), for analysing equivalence-based security properties for an unbounded number of sessions

- Undecidable in general, even for some fragments for which confidentiality is decidable [Chrétien, Cortier & D., 13].
- Some recent decidability results for some restricted fragments, e.g. tagged protocols, no nonces, a particular set of primitives, ... [Chrétien, Cortier & D., Icalp'13, Concur'14, CSF'15].
- ProVerif: a tool that does not correspond to any decidability result, for analysing the notion of diff-equivalence (too strong) [Blanchet, Abadi & Fournet, 05].

None of these results is suitable to analyse vote-privacy, or unlinkability of the BAC protocol.

Slide 36/54: State of the art in a nutshell (2/2), for analysing equivalence-based security properties for a bounded number of sessions

A "recent" result [Cheval, Comon & D., 11]: a procedure for deciding testing equivalence for a large class of processes for a bounded number of sessions.

Our class of processes:
+ non-trivial else branches, private channels, and non-deterministic choice;
- a fixed set of cryptographic primitives (signature, encryption, hash function, mac).

Similar results (for different classes of processes) have been obtained by [Baudet, 05], [Dawson & Tiu, 10], [Chevalier & Rusinowitch, 10], ...

Slide 37/54: Privacy using the constraint solving approach

Two main steps:
1. A symbolic exploration of all the possible traces. The infinite number of possible traces (i.e. experiments) is represented by a finite set of constraint systems; this set can be huge (exponential in the number of sessions)!
2. A decision procedure for deciding (symbolic) equivalence between sets of constraint systems; this algorithm works quite well.

Slide 38/54: Deciding symbolic equivalence

Main idea: we rewrite pairs $(\Sigma, \Sigma')$ of sets of constraint systems (extended to keep track of some information) until a trivial failure or a trivial success is found.

[Figure: a binary tree rooted at $(\Sigma, \Sigma')$ with children $(\Sigma_1, \Sigma'_1)$ and $(\Sigma_2, \Sigma'_2)$, a further node $(\Sigma_3, \Sigma'_3)$, and leaves labelled $(\bot, \bot)$, $(\bot, \text{solved})$ and $(\text{solved}, \text{solved})$.]

Slide 39/54: Results on the simplification rules

Termination: applying the simplification rules blindly does not terminate, but there is a particular strategy $S$ that allows us to ensure termination.

Soundness/Completeness: let $(\Sigma_0, \Sigma'_0)$ be a pair of sets of constraint systems, and consider a binary tree obtained by applying our simplification rules following the strategy $S$.
1. Soundness: if all leaves of the tree are labelled with $(\bot, \bot)$ or $(\text{solved}, \text{solved})$, then $\Sigma_0 \approx_s \Sigma'_0$.
2. Completeness: if $\Sigma_0 \approx_s \Sigma'_0$, then all leaves of the tree are labelled with $(\bot, \bot)$ or $(\text{solved}, \text{solved})$.

Theorem: deciding testing equivalence between processes without replication for classical primitives is decidable.

Slide 40/54: APTE - Algorithm for Proving Testing Equivalence

http://projects.lsv.ens-cachan.fr/APTE (OCaml, 12 KLocs), developed by Vincent Cheval [Cheval, TACAS'14]; but a limited practical impact because it scales badly.

Slide 41/54: Partial order reduction for security protocols (part of the PhD thesis of L. Hirschi)

Main objective: to develop POR techniques that are suitable for analysing security protocols (especially testing equivalence).

Example: $\mathsf{in}(c_1, x_1).\ \mathsf{out}(c_1, ok) \mid \mathsf{in}(c_2, x_2).\ \mathsf{out}(c_2, ok)$

We propose two optimizations:
1. compression: we impose a simple strategy on the exploration of the available actions (roughly, outputs are performed first and using a fixed arbitrary order);
2. reduction: we avoid exploring some redundant traces, taking into account the data that are exchanged.

Slide 42/54: Practical impact of our optimizations (in APTE)

[Figure: two plots, "Toy example" and "Denning Sacco protocol".]

Each optimisation brings an exponential speedup.
