Infinite State AMC-Model Checking for Cryptographic Protocols
Model Checking for Security Protocols
Will Marrero, Edmund Clarke, Somesh Jha
Needham-Schroeder Protocol (circa 1996)
Purpose: Authenticate Participants
$A \rightarrow B : A.B.\{N_a.A\}_{K_B}$
$B \rightarrow A : B.A.\{N_a.N_b\}_{K_A}$
$A \rightarrow B : A.B.\{N_b\}_{K_B}$
Assumptions
Perfect Encryption
The decryption key must be known to encrypt
No encryption collisions: $\{m_1\}_{K_1} = \{m_2\}_{K_2} \Rightarrow m_1 = m_2 \wedge K_1 = K_2$
Proofs offer no protection from a poor encryption implementation!
Intruder’s Ability
Interception Ex: $B \rightarrow I(A) : B.A.\{N_a.N_b\}_{K_A}$
Impersonation Ex: $I(A) \rightarrow B : A.B.\{N_a.A\}_{K_B}$
Legitimate Participant Ex: $A \rightarrow I : A.I.\{N_a.A\}_{K_I}$
Compromise Temporary Secrets
But those secrets should not be revealed by protocol
Security Properties
Secrecy: Tracked by two sets in global state
Correspondence: “If A believes it has completed two protocol runs with principal B, then principal B must have at least begun two protocol runs with principal A.”
Tracked by counters in global state
SxSyS
Atomic Messages
Keys Ex: $K_A, K_B, K_I$
Principal Names Ex: A, B, I
Nonces Ex: $N_a, N_b$
Data
Messages and Atomic Messages
Given A a set of atomic messages, M the set of all messages is defined inductively:
MmAkMmMmmAmAm
MaAa
k
}{2121
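Closure of Messages
Let $B \subseteq M$ be a subset of messages. The closure of $B$, $\overline{B}$, is defined by:
$m \in B \Rightarrow m \in \overline{B}$
$m_1 \in \overline{B} \wedge m_2 \in \overline{B} \Rightarrow m_1 \cdot m_2 \in \overline{B}$ (pairing)
$m_1 \cdot m_2 \in \overline{B} \Rightarrow m_1 \in \overline{B} \wedge m_2 \in \overline{B}$ (projection)
$m \in \overline{B} \wedge k \in \overline{B} \Rightarrow \{m\}_k \in \overline{B}$ (encryption)
$\{m\}_k \in \overline{B} \wedge k^{-1} \in \overline{B} \Rightarrow m \in \overline{B}$ (decryption)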
Principals
A 4-Tuple $\langle N, p, I, B \rangle$
N the name of the principal
p a process given as a sequence of actions to be performed
$I \subseteq M$ is a set of known messages, generally infinite, but from a finite generator set.
B a set of bindings from variables in p to messages in I
Initial Knowledge
For the intruder
$\langle Z, p, I, B \rangle$, $I = \{A, B, I, K_A, K_B, K_I, K_I^{-1}\}$
Global State
A 5-Tuple $\langle \Pi, C_i, C_r, S_s, S_t \rangle$
$\Pi$ is the product of the individual principals (including the intruder)
$C_i(A,B)$ difference between number of times A has initiated a protocol and the number of times B has finished responding
$C_r(A,B)$ difference between number of times A has begun responding and the number of times B has finished initiating
Global State Continued
A 5-Tuple $\langle \Pi, C_i, C_r, S_s, S_t \rangle$
$S_s \subseteq M$ a set of safe secrets. Remains constant.
$S_t \subseteq M$ a set of temporary secrets. New secrets generated during the run of the protocol.
The last four values check security constraints.
$A \rightarrow B : A.B.\{N_a.A\}_{K_B}$
$B \rightarrow A : B.A.\{N_a.N_b\}_{K_A}$
$A \rightarrow B : A.B.\{N_b\}_{K_B}$
Process
Internal Actions
NEWNONCE(var) NEWSECRET(var)
][var
,,,,,,
valBBvalII
BIpABIpA
valSSvalBB
valII
BIpABIpA
tt
][var
,,,,,,
Internal Actions
GETSECRET(val) – Intruder Only
valSSvalII
Sval
BIpZBIpZ
tt
t
,,,,,,
Internal Actions
A calls BEGINIT(B),
B calls ENDRESPOND(A)
BEGRESPOND/ENDINIT Symmetric on
otherwise
0, if1,,
BAC
errorBAC
BAC iii
otherwise
defined is , if1
1,,
BACBACBAC ii
i
$C_r(A,B)$
Communication Actions
Sends and receives are synchronized
A process can only send a message if it unifies with a receive message
Sender must be able to sculpt a message that matches all existing bindings and expectations
How does the intruder sculpt such a message?
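Model Checking Algorithm
Finding a needle in a haystack
Decidability of $s \in \overline{I_Z}$ when $\overline{I_Z}$ is probably infinite?
Normalized Derivation:
$m \in B \Rightarrow m \in \overline{B}$
$m_1 \in \overline{B} \wedge m_2 \in \overline{B} \Rightarrow m_1 \cdot m_2 \in \overline{B}$ (pairing)
$m_1 \cdot m_2 \in \overline{B} \Rightarrow m_1 \in \overline{B} \wedge m_2 \in \overline{B}$ (projection)
$m \in \overline{B} \wedge k \in \overline{B} \Rightarrow \{m\}_k \in \overline{B}$ (encryption)
$\{m\}_k \in \overline{B} \wedge k^{-1} \in \overline{B} \Rightarrow m \in \overline{B}$ (decryption)
Expanding Rules: pairing, encryption
Shrinking Rules: projection, decryption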
Normalized Derivation
Following algorithm is guaranteed to terminate and decide $s \in \overline{I_Z}$:
Start with a generator set
Apply all possible shrinking rules
Try all possible sequences of expanding rules until word size is equal to s
Proves existence
An Efficient Approach
When adding a message to I in $\langle N, p, I, B \rangle$:
Apply all possible shrinking rules
Remove ‘redundant messages’
Result is minimal generator
Can recursively attempt to build $m \in \overline{I}$
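The two-phase check from the Normalized Derivation and An Efficient Approach slides (shrinking rules to a fixpoint, then recursive building with expanding rules), as an added Python example that is not from the slides or the authors' tool. The tuple encoding of terms, the `^-1` spelling of inverse keys and the sample messages are assumptions constructed for illustration; keys are treated as atomic messages.

```python
# Added example, not from the slides. Terms: atoms are strings,
# ("pair", m1, m2) is m1.m2 and ("enc", m, k) is {m}_k; keys are atoms.
# Assumption: the inverse of key "K_X" is spelled "K_X^-1".

def inverse(k):
    return k[:-3] if k.endswith("^-1") else k + "^-1"

def pair(*ms):
    # m1.m2.m3 is nested to the right: pair(m1, pair(m2, m3))
    return ms[0] if len(ms) == 1 else ("pair", ms[0], pair(*ms[1:]))

def enc(m, k):
    return ("enc", m, k)

def shrink(known):
    """Shrinking rules (projection, decryption) applied to a fixpoint."""
    gen = set(known)
    changed = True
    while changed:
        changed = False
        for m in list(gen):
            if not isinstance(m, tuple):
                continue
            if m[0] == "pair":
                new = {m[1], m[2]}          # projection
            elif inverse(m[2]) in gen:      # decryption needs k^-1
                new = {m[1]}
            else:
                new = set()
            if not new <= gen:
                gen |= new
                changed = True
    return gen

def can_build(m, gen):
    """Expanding rules (pairing, encryption): build m from the generator."""
    if m in gen:
        return True
    return isinstance(m, tuple) and can_build(m[1], gen) and can_build(m[2], gen)

def derivable(m, known):
    return can_build(m, shrink(known))

# Constructed sample data using the slides' message shapes.
INIT = {"A", "B", "I", "K_A", "K_B", "K_I", "K_I^-1"}
TO_I = pair("A", "I", enc(pair("N_a", "A"), "K_I"))       # A -> I
FROM_B = pair("B", "A", enc(pair("N_a", "N_b"), "K_A"))   # B -> I(A)
TO_B = pair("A", "B", enc(pair("N_a", "A"), "K_B"))       # I(A) -> B
```

`derivable(TO_B, INIT | {TO_I})` holds because decrypting with `K_I^-1` exposes `N_a`, while `N_b` stays underivable from `FROM_B` since `K_A^-1` is never in the generator.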
Verification and Attack
The lack of correspondence trace reveals the following attack: