Model Checking for Security Protocols

Model Checking for Security Protocols Will Marrero, Edmund Clarke, Somesh Jha


Transcript of Model Checking for Security Protocols

Page 1: Model Checking for Security Protocols

Model Checking for Security Protocols

Will Marrero, Edmund Clarke, Somesh Jha

Page 2: Model Checking for Security Protocols

Needham-Schroeder Protocol (circa 1996)

Purpose: Authenticate Participants

$A \to B : A.B.\{N_a.A\}_{K_B}$

$B \to A : B.A.\{N_a.N_b\}_{K_A}$

$A \to B : A.B.\{N_b\}_{K_B}$

Page 3: Model Checking for Security Protocols

Assumptions

Perfect Encryption

The decryption key must be known to encrypt

No encryption collisions: $\{m_1\}_{K_1} = \{m_2\}_{K_2} \Rightarrow m_1 = m_2 \wedge K_1 = K_2$

Proof offers no protection from poor encryption implementation!

Page 4: Model Checking for Security Protocols

Intruder’s Ability

Interception Ex: $B \to I(A) : B.A.\{N_a.N_b\}_{K_A}$

Impersonation Ex: $I(A) \to B : A.B.\{N_a.A\}_{K_B}$

Legitimate Participant Ex: $A \to I : A.I.\{N_a.A\}_{K_I}$

Compromise Temporary Secrets: But those secrets should not be revealed by protocol

Page 5: Model Checking for Security Protocols

Security Properties

Secrecy: Tracked by two sets in global state

Correspondence: “If A believes it has completed two protocol runs with principal B, then principal B must have at least begun two protocol runs with principal A.”

Tracked by counters in global state

SxSyS

Page 6: Model Checking for Security Protocols

Atomic Messages

Keys Ex: $K_A, K_B, K_I$

Principal Names Ex: A, B, I

Nonces Ex: $N_a, N_b$

Data

Page 7: Model Checking for Security Protocols

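Messages and Atomic Messages

Given $\mathcal{A}$, a set of atomic messages, $\mathcal{M}$, the set of all messages, is defined inductively:

$a \in \mathcal{A} \Rightarrow a \in \mathcal{M}$

$m_1 \in \mathcal{M} \wedge m_2 \in \mathcal{M} \Rightarrow m_1 \cdot m_2 \in \mathcal{M}$

$m \in \mathcal{M} \wedge k \in \mathcal{A} \Rightarrow \{m\}_k \in \mathcal{M}$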

Page 8: Model Checking for Security Protocols

Closure of Messages

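Let $B \subseteq \mathcal{M}$ be a subset of messages. The closure $\overline{B}$ of $B$ is defined by:

$m \in B \Rightarrow m \in \overline{B}$

(pairing) $m_1 \in \overline{B} \wedge m_2 \in \overline{B} \Rightarrow m_1 \cdot m_2 \in \overline{B}$

(projection) $m_1 \cdot m_2 \in \overline{B} \Rightarrow m_1 \in \overline{B} \wedge m_2 \in \overline{B}$

(encryption) $m \in \overline{B} \wedge k \in \overline{B} \Rightarrow \{m\}_k \in \overline{B}$

(decryption) $\{m\}_k \in \overline{B} \wedge k^{-1} \in \overline{B} \Rightarrow m \in \overline{B}$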

Page 9: Model Checking for Security Protocols

Principals

A 4-tuple $\langle N, p, I, B \rangle$

$N$: the name of the principal

$p$: a process given as a sequence of actions to be performed

$I \subseteq \mathcal{M}$: a set of known messages, generally infinite, but from a finite generator set

$B$: a set of bindings from variables in $p$ to messages in $I$

Page 10: Model Checking for Security Protocols

Initial Knowledge

For the intruder $\langle Z, p, I, B \rangle$:

$I = \{A, B, I, K_A, K_B, K_I, K_I^{-1}\}$

Page 11: Model Checking for Security Protocols

Global State

A 5-tuple $\langle \Pi, C_i, C_r, S_s, S_t \rangle$

$\Pi$ is the product of the individual principals (including the intruder)

$C_i(A,B)$: difference between number of times A has initiated a protocol and the number of times B has finished responding

$C_r(A,B)$: difference between number of times A has begun responding and the number of times B has finished initiating

Page 12: Model Checking for Security Protocols

Global State Continued

A 5-tuple $\langle \Pi, C_i, C_r, S_s, S_t \rangle$

$S_s \subseteq \mathcal{M}$: a set of safe secrets. Remains constant.

$S_t \subseteq \mathcal{M}$: a set of temporary secrets. New secrets generated during the run of the protocol.

The last four values check security constraints.

Page 13: Model Checking for Security Protocols

Process

$A \to B : A.B.\{N_a.A\}_{K_B}$

$B \to A : B.A.\{N_a.N_b\}_{K_A}$

$A \to B : A.B.\{N_b\}_{K_B}$

Page 14: Model Checking for Security Protocols

Internal Actions

NEWNONCE(var) NEWSECRET(var)

][var

,,,,,,

valBBvalII

BIpABIpA

valSSvalBB

valII

BIpABIpA

tt

][var

,,,,,,

Page 15: Model Checking for Security Protocols

Internal Actions

GETSECRET(val) – Intruder Only

valSSvalII

Sval

BIpZBIpZ

tt

t

,,,,,,

Page 16: Model Checking for Security Protocols

Internal Actions

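A calls BEGINIT(B):

$C_i'(A,B) = \begin{cases} C_i(A,B) + 1 & \text{if } C_i(A,B) \text{ is defined} \\ 1 & \text{otherwise} \end{cases}$

B calls ENDRESPOND(A):

$C_i'(A,B) = \begin{cases} C_i(A,B) - 1 & \text{if } C_i(A,B) > 0 \\ \text{error} & \text{otherwise} \end{cases}$

BEGRESPOND/ENDINIT symmetric on $C_r(A,B)$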

Page 17: Model Checking for Security Protocols

Communication Actions

Sends and receives are synchronized

A process can only send a message if it unifies with a receive message

Sender must be able to sculpt a message that matches all existing bindings and expectations

How does the intruder sculpt such a message?

Page 18: Model Checking for Security Protocols

Model Checking Algorithm

Page 19: Model Checking for Security Protocols

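Finding a needle in a haystack

Decidability of $s \in I_Z$ when $I_Z$ is probably infinite?

Normalized Derivation:

$m \in B \Rightarrow m \in \overline{B}$

(pairing) $m_1 \in \overline{B} \wedge m_2 \in \overline{B} \Rightarrow m_1 \cdot m_2 \in \overline{B}$

(projection) $m_1 \cdot m_2 \in \overline{B} \Rightarrow m_1 \in \overline{B} \wedge m_2 \in \overline{B}$

(encryption) $m \in \overline{B} \wedge k \in \overline{B} \Rightarrow \{m\}_k \in \overline{B}$

(decryption) $\{m\}_k \in \overline{B} \wedge k^{-1} \in \overline{B} \Rightarrow m \in \overline{B}$

Expanding Rules: pairing, encryption

Shrinking Rules: projection, decryption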

Page 20: Model Checking for Security Protocols

Normalized Derivation

The following algorithm is guaranteed to terminate and decide $s \in I_Z$:

Start with a generator set

Apply all possible shrinking rules

Try all possible sequences of expanding rules until word size is equal to s

Proves existence

Page 21: Model Checking for Security Protocols

An Efficient Approach

When adding a message to $I$ in $\langle N, p, I, B \rangle$:

Apply all possible shrinking rules

Remove ‘redundant messages’

Result is minimal generator

Can recursively attempt to build $m \in I$
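The derivation check described on the last three slides, as an added example (not code from the slides or from the authors' tool): it shrinks the intruder's knowledge, removes redundant messages, and decides membership by recursing with expanding rules only. The tuple encoding, the function names `inv`, `shrink`, `derivable`, `minimal_generator` and `cat`, and the atoms `Na`/`Nb` are assumptions of this sketch; keys are atomic, as on the slides.

```python
# Symbolic messages (constructed encoding): atoms are strings,
# ("pair", m1, m2) is m1.m2 and ("enc", m, k) is {m}_k with an atomic key k.

def inv(k):
    """K_X <-> K_X^-1 for an atomic key name."""
    return k[:-3] if k.endswith("^-1") else k + "^-1"

def shrink(known):
    """Saturate a finite set under the shrinking rules (projection, decryption)."""
    gen, changed = set(known), True
    while changed:
        changed = False
        for m in list(gen):
            if isinstance(m, str):
                continue
            if m[0] == "pair":
                parts = {m[1], m[2]}
            else:  # "enc": the body is released only if the inverse key is known
                parts = {m[1]} if inv(m[2]) in gen else set()
            if not parts <= gen:
                gen |= parts
                changed = True
    return gen

def derivable(s, gen):
    """Decide s in closure(gen) for a shrunk gen, using expanding rules only."""
    if s in gen:
        return True
    if isinstance(s, str):
        return False  # atoms are never produced by pairing or encryption
    return derivable(s[1], gen) and derivable(s[2], gen)

def minimal_generator(known):
    """Shrink, then drop composites that can be rebuilt from the rest."""
    gen = shrink(known)
    return {m for m in gen if isinstance(m, str) or not derivable(m, gen - {m})}

def cat(*ms):
    """Right-nested pairing, so cat(a, b, c) is a.b.c."""
    return ms[0] if len(ms) == 1 else ("pair", ms[0], cat(*ms[1:]))

# Intruder's initial knowledge from the slides, plus two observed messages.
I_Z = {"A", "B", "I", "K_A", "K_B", "K_I", "K_I^-1",
       cat("A", "I", ("enc", cat("Na", "A"), "K_I")),     # A -> I
       cat("B", "A", ("enc", cat("Na", "Nb"), "K_A"))}    # B -> I(A), intercepted
GEN = shrink(I_Z)

if __name__ == "__main__":
    print(derivable(("enc", cat("Na", "A"), "K_B"), GEN))  # impersonation message
    print(derivable("Nb", GEN))                            # needs K_A^-1
    print(len(minimal_generator(I_Z)))
```

Because keys are atomic, every use of a shrinking rule can be moved ahead of the expanding rules, which is why `derivable` never needs to decrypt or project while it recurses.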

Page 22: Model Checking for Security Protocols

Verification and Attack

Page 23: Model Checking for Security Protocols

Verification and Attack

The lack of correspondence trace reveals the following attack: