J o s h u a D G u t t m a n F . J a v ier T h a y er T h e...
Transcript of J o s h u a D G u t t m a n F . J a v ier T h a y er T h e...
+ +
Joshua D GuttmanF. Javier Thayer
The MITRE Corporation
http://www.ccs.neu.edu/home/guttman
Thanks to support from: National Security Agency
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 1
+ +
Try to prove it correct
– Where you get stuckthat’s where the flaw is
Focus on services provided by protocol
– Actions the protocol requires regular principals to perform– Produce values useful to penetrator
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 2
+ +
A{|N1, A|}KB !
{|N1, A|}KB !B
•!""
"{|N1, N2|}KA "
{|N1, N2|}KA •!""
•!""
{|N2|}KB !{|N2|}KB !•
!""
KA, KB Public (asymmetric) keys of A, B
N1, N2 Nonces, one-time random bitstrings
{|t|}K Encryption of t with K
N1 !N2 New shared secret
(whitespace)
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 3
+ +
Symmetric key cryptography: algorithm usinga single value, shared as a secret between sender, receiver
– Same key makes ciphertext, extracts plaintext
Public key cryptography: algorithm usingtwo related values, one private, the other public
– Encryption: Public key makes ciphertext,only private key owner can decrypt
– Signature: Private key makes ciphertext,anyone can verify signature with public key
Terminology: A’s public key: KA A’s private key: K!1A
In symmetric crypto, K = K!1
Uncompromised key:
– Key used only in accordance with protocol
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 4
+ +
A{|N1, A|}K?? !
{|N1, A|}KB !B
•!""
"{|N1, N2|}KA "
{|N1, N2|}KA •!""
•!""
{|N2|}K?? !{|N2|}KB !•
!""
Assume A’s private key K!1A uncompromised
KA, KB Public (asymmetric) keys of A, B
N1, N2 Nonces, one-time random bitstrings
{|t|}K Encryption of t with K
N1 "N2 New shared secret
Whoops
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 5
+ +
If ?? = P ,
A{|N1, A|}KP !P
•!""
{|N1, A|}KB !B
•!
"""""""""
"{|N1, N2|}KA •
!""
•!""
{|N2|}KP !P
•!""
{|N2|}KB !•!
"""""""""
(Gavin Lowe)
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 6
+ +
A{|N1, A|}KB !
{|N1, A|}KB !B
•!""
"{|N1, N2, B|}KA "
{|N1, N2, B|}KA •!""
•!""
{|N2|}KB !{|N2|}KB !•
!""
KA, KB Public (asymmetric) keys of A, B
N1, N2 Nonces, one-time random bitstrings
{|t|}K Encryption of t with K
N1 "N2 New shared secret
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 7
+ +
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 8
+ +
If ?? = P ,
A{|N1, A|}KP !P
•!""
{|N1, A|}KB !B
•!
"""""""""
"{|N1, N2|}KA •
!""
•!""
{|N2|}KP !P
•!""
{|N2|}KB !•!
"""""""""
(Gavin Lowe)
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 9
+ +
Who was duped?
– Not A: Meant to share N1, N2 with P– B: Thinks he shares N1, N2 only with A" Secrecy failed: P knows values" Authentication failed:
A had no run with B
How? A o!ered P a service:– Gave P nonce N1– Promised to translate
{|N1, N |}KAto {|N |}KP
An “unintended service”– Attacker needs to compute some value" N2 in this case
– But legitimate party creates such a value
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 10
+ +
AA, N1 ! A, N1 !B
•!
""""""""
"{|N2, N1, A|}
K!1B "
{|N2, N1, A|}K!1
B •!
""""""""
•!
"""""""" {|N #1, N2, B|}
K!1A !
{|N #1, N2, B|}
K!1A !•
!
""""""""
Signatures only
Mere authentication
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 11
+ +
Respondent B gets only two messages
– Clearly A, N1 is “junk”" It has no authenticating force
– Other term received is the only challenge
Attacker needs to create
{|N #1, N2, B|}
K!1A
Only {|N #1, N2, B|}
K!1A
requires work
What services are useful?
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 12
+ +
• x, n1 !y
•"{|n2, n1, x|}
K!1y "
{|n2, n1, x|}K!1
y •!
""""""
•!
"""""" {|n#1, n2, y|}K!1
x! •
May rename in-bound variables
Shown in lower caseto emphasize status
as variables
Want to produce {|N #1, N2, B|}
K!1A
for some N #1
Can use A as respondent, B, N2 in-boundi.e. use substitution [A/y, B/x, N2/n1]
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 13
+ +
xx, n1 ! x, n1 !y
•!
""""""""
"{|n2, n1, x|}
K!1y "
{|n2, n1, x|}K!1
y •!
""""""""
•!
"""""""" {|n#1, n2, y|}K!1
x !{|n#1, n2, y|}
K!1x !•
!
""""""""
x, y, n1, n2, n#1 are variables
Possible behaviors are all substitution instances
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 14
+ +
PA, Np !B
P "{|N2, Np, A|}
K!1B •
!
"""""
P
!""
B, N2 !A
P "{|N1, N2, B|}
K!1A •
!
"""""
P
!
"""" {|N1, N2, B|}K!1
A !B
!
"""""""""""""""""""""
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 15
+ +
A executed a signature
– “Entity authentication” for A may holddepending what that means
But A was not initiatorin any run with B
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 16
+ +
Identify and discard “junk” messages
– They don’t contribute to authentication– Remaining incoming messages: “Challenge”– Adversary needs to synthesize them
Look for unintended services
– Criterion: Can they build challenge messages?
Combine unintended services
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 17
+ +
A B S
• A #•
•!""
$ N2 •!""
•!""
{|N2|}KAS #•!""
•!""
{|A, {|N2|}KAS|}KBS #•
•!""
${|N2|}KBS •
!""
Woo-Lam protocol
A and {|N2|}KASare junk terms to B
{|N2|}KBSonly non-junk term
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 18
+ +
A B S
•$ N2
•!
"""""{|N2|}KAS #
{|A, {|N2|}KAS|}KBS #•
${|N2|}KBS •
!
"""""
Both could produce {|nonce|}key
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 19
+ +
B P B S
• B #•• A#•
•$N2 •!""
•!
"""""""""""""
$ N2 •!""
• G#•!
""""""""
•!""
{|A, G|}KBS#•
•!
""""""""""""""""{|N2|}KBS #•
!"""
•!"""{|G#|}KBS#
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 20
+ +
AN1 !B
•!""
"{|N1, N2|}KAB •
!""
•!""
N2 !•!""
What are the junk terms for B?
For A?
Which terms have the “authenticating force”?
What are the services?
Is there an attack?
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 21
+ +
• n1 !y
•"{|n1, n2|}Kxy "
{|n1, n2|}Kxy •!
"""""
•!
""""""n2 ! •
To dupe initiator A, send back nonce N1 to A as respondentI.e. use substitution [A/y, N1/n1, KAB/Kxy]Resulting term {|N1, N2|}KAB
tricks A as initiator
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 22
+ +
AN1 !B
•!""
"{|N1, N2, B|}KAB •
!""
•!""
N2 !•!""
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 23
+ +
Signature: Na %# { Na }K!1
Encryption: Na %# { Na }KDecryption: { Na }K %# NaTranslation: { Na }K %# { Na }K"
Examples:
– Signature service: ISO reject protocol– Encryption service: Woo-Lam– Decryption service: None
(too obvious?)– Key-translation service: NS PK
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 24
+ +
Given a protocol, and assuming all cryptography perfect, find
– What secrecy properties– What authentication properties
the protocol achievesFind counterexamples to other properties
– Unintended services useful
What does perfect cryptography mean?
– No collisions– Need key to make encrypted value– Need key to decrypt and recover plaintext
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 25
+ +
Try to break it
– When you get stuckyou’ll see why it’s right
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 26
+ +
A{|N1, A|}KB !
{|N1, A|}KB !B
•!"""
"{|N1, N2|}KA "
{|N1, N #|}KA •!"""
•!""
{|N2|}KB ! •!""
Assume A, B’s private keys K!1A , K!1
B uncompromised
KA, KB Public (asymmetric) keys of A, B
N1, N2 Nonces, one-time random bitstrings
{|t|}K Encryption of t with K
N1 !N2 New shared secretDoes N # = N2? Yes, there are no available services!
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 27
+ +
How to break a protocol
– Try to prove it correct– Where you get stuck, look for trouble– Specifically, look for unintended services to produce
non-junk terms expected by regular principals
How to prove a protocol correct
– Try to break it– See what unintended services must be used– “Read o!” authentication properties
Strand spaces: make these ideas precise,justify method
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 28
+ +
work done jointly withJavier Thayer and Jonathan Herzog
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 29
+ +
Send, receive events on strands called “nodes”
– Positive for send– Negative for receive
Bundle B: Finite graph of nodes and edgesrepresenting causally well-founded execution;Edges are arrows #, &– For every reception 't in B, there’s a unique
transmission +t where+t # 't
– When nodes ni & ni+1 on same strand,if ni+1 in B, then ni in B
– B is acyclic
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 30
+ +
A{|Na, A|}KP !P
•!""
{|Na, A|}KB !B
•!
"""""""""
"{|Na, Nb|}KA •
!""
•!""
{|Nb|}KP !P
•!""
{|Nb|}KB !•!
"""""""""
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 31
+ +
Bundle precedence ordering (Bn (B n# means sequence of 0 or more arrows #, &
lead from n to n#
(B is a partial order by acyclicity
(B is well-founded by finiteness
Bundle induction: Every non-empty subset of Bhas (B-minimal membersReasoning about protocols combines
– Bundle induction– Induction on message structure
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 32
+ +
D
"{|Na, A|}KP !•
K•
K!1P
!•!
""""
E
•!
""""""Na, A!•
K•
KB!•
!
""""
•!"""
{|Na, A|}KB !"
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 33
+ +
Terms freely generated from
– Names, texts– Nonces– Keys
using the operators:
– Concatenation t0, t1
– Encryption with a key {|t0|}K
Other algebras also interestingbut today we’ll use the free one
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 34
+ +
Subterm relation #least transitive, reflexive relation with
g # g, hh # g, hh # {|h|}K
N.B. K # {|h|}K implies K # h
Represents contents of message, not how it’s constructedt originates at n1 means
n1 is a transmission (+)t # term(n1)if n0 & · · ·& n1, then t )# term(n0)
Unique origination, non-origination formalizea probabilistic assumption
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 35
+ +
Suppose:
– Bundle B contains a strand Resp[A, B, Na, Nb]– K!1
A non-originating
– Nb originates uniquely in B– Nb )= Na
Then:
– There is a strand Init[A, B, Na, Nb] in B
Authentication: correspondence assertions (of form *+)(This is false for NS)
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 36
+ +
"{|Na, Nb, B|}KA "
!""
M!? E
•Nb !•
K•
KB!•
!
""""
•!"""
{|Nb|}KB !"!
"""""""""""""""""""""""""
Guessing a private key (e.g. K!1A )
similarly improbable
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 37
+ +
Suppose:
– Bundle B contains a strand Resp[A, B, Na, Nb]– K!1
A , K!1B non-originating
– Nb originates uniquely in BThen:
– There is no node n , B with term(n) = Nb
Form: *This also is false for NS
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 38
+ +
To break a protocol, you
– Discard junk terms– Identify unintended services– Match services against non-junk goals
Core strand space ideas:
– Behaviors (regular or adversary) are strands– Executions are bundles– Unique origination and non-origination
Security goals:
– Authentication asserts existence of matching strand– Secrecy asserts non-existence of “disclosing” nodes– Premises concern n.o., u.o., existence of strands, inequalities
Tomorrow: How would you prove these goals?
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 39
+ +
M K
• T ! • K !
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 40
+ +
Eh !•K !•
!""
•!""
{|h|}K !D
{|h|}K !•K!1
!•!""
•!""
h !
Formalizes notion of ideal cryptography
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 41
+ +
Cg !•h !•
!""
•!""
g, h !
Sg, h !•
•!""
g !
•!""
h !
+ 2004.2.11 NPS Protocol Exchange, Feb 2004 42