Proving Security Protocols Correct
-
Upload
lawrence-paulson -
Category
Technology
-
view
51 -
download
0
description
Transcript of Proving Security Protocols Correct
![Page 1: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/1.jpg)
Proving Security Protocols Correct
Lawrence C. Paulson
Computer Laboratory
![Page 2: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/2.jpg)
How Detailed Should a Model Be?
concrete abstract
too detailed
not usable not credible
too simple
``proves''everything
``attacks''everything
publications
1 L. C. Paulson
![Page 3: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/3.jpg)
Case Study: the Plight of Monica and Bill
2 L. C. Paulson
![Page 4: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/4.jpg)
A,Na,Sid,Pa
client serverclient hello
Nb,Sid,Pb
server hello
cert(B,Kb)
server certificate
cert(A,Ka)
client certificate
{PMS}Kb
client key exchange
{Hash(Nb,B,PMS)}Ka-1
certificate verify
{Finished}clientK(Na,Nb,M)
client finished
M = PRF(PMS,Na,Nb)
Finished = Hash(M,messages)
{Finished}serverK(Na,Nb,M)
server finished
An Internet SecurityProtocol (TLS)
3 L. C. Paulson
![Page 5: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/5.jpg)
Why Are Security Protocols Often Wrong?
• they are TRIVIAL programs built from simpleprimitives, BUT they are complicated by
• concurrency
• a hostile environment– a bad user controls the network
• obscure concepts
• vague specifications– we have to guess what is wanted
4 L. C. Paulson
![Page 6: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/6.jpg)
Typical Protocol Goals
• Authenticity: who sent it?
• Integrity: has it been altered?
• Secrecy: who can receive it?
• Anonymity
• Non-repudiation . . .
all SAFETY properties
5 L. C. Paulson
![Page 7: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/7.jpg)
What Are Session Keys?
• used for a single session
• not safeguarded forever
• distributed using long-term keys
• could eventually become compromised
• can only be trusted if FRESH
6 L. C. Paulson
![Page 8: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/8.jpg)
Freshness, or Would You Eat This Fish?
wine: six years old
fish: ? weeks old
7 L. C. Paulson
![Page 9: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/9.jpg)
Packaging a Session Key for Bill
{|K , A, Nb|}Kb
session key
person it's shared with nonce specified
by Bill: proof of freshness
sealed using Bill's key
8 L. C. Paulson
![Page 10: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/10.jpg)
A Bad Variant of the Otway-Rees Protocol
3: Na, {|Na, Kab|}Ka,
{|Nb, Kab|}Kb
1: Na, A, B, {|Na, A, B|}Ka
B
S
A
2: Na, A, B, {|Na, A, B|}Ka,
Nb, {|Na, A, B|}Kb
4: Na, {|Na, Kab|}Ka
9 L. C. Paulson
![Page 11: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/11.jpg)
A Splicing Attack with Interleaved Runs
1. A → CB : Na, A, B, {|Na, A, B|}Ka
1′. C → A : Nc, C, A, {|Nc, C, A|}Kc
2′. A → CS : Nc, C, A, {|Nc, C, A|}Kc, Na′, {|Nc, C, A|}Ka
2′′. CA → S : Nc, C, A, {|Nc, C, A|}Kc, Na, {|Nc, C, A|}Ka
3′. S → CA : Nc, {|Nc, Kca|}Kc, {|Na, Kca|}Ka
4. CB → A : Na, {|Na, Kca|}Ka
Alice thinks the key Kca is sharedwith Bill, but it's shared with Carol!
10 L. C. Paulson
![Page 12: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/12.jpg)
A Bad Variant of the Yahalom Protocol
2: B, Nb, {|A, Na|}Kb
B
S
A1: A, Na
3: {|B, Kab, Na, Nb|}Ka,
{|A, Kab|}Kb
4: {|A, Kab|}Kb, {|Nb|}Kab
11 L. C. Paulson
![Page 13: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/13.jpg)
A Replay Attack
}
1. CA → B : A, Nc
2. B → CS : B, Nb, {|A, Nc|}Kb
4. CA → B : {|A, K |Kb, {|Nb|}K
Carol has broken the old key, K. She makes Bill think it is shared with Alice.
12 L. C. Paulson
![Page 14: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/14.jpg)
Verification Method I: Authentication Logics
BAN logic: Burrows, Abadi, Needham (1989)
Short proofs using high-level primitives:
Nonce N is fresh
Key Kab is good
Agent S can be trusted
• good for freshness
• not-so-good for secrecy or splicing attacks
13 L. C. Paulson
![Page 15: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/15.jpg)
Verification Method II: State Enumeration
Specialized tools (Meadows)
General model-checkers (Lowe)
Model protocol as a finite-state system
• automatically finds splicing attacks
• freshness is hard to model
Try using formal proof!
14 L. C. Paulson
![Page 16: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/16.jpg)
Why An Operational Model?
• good fit to informal protocol proofs: inductive
• simple foundations
• readable protocol specifications
• easily explained to security experts
• easily mechanized using Isabelle
15 L. C. Paulson
![Page 17: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/17.jpg)
An Overview of Isabelle
• uses higher-order logic as a logical framework
• generic treatment of inference rules
• logics supported include ZF set theory & HOL
• powerful simplifier & classical reasoner
• strong support for inductive definitions
16 L. C. Paulson
![Page 18: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/18.jpg)
Overview of the Model
• Traces of events
– A sends B message X
– A receives X
– A stores X
• A powerful attacker
– is an accepted user
– attempts all possible splicing attacks
– has the same specification in all protocols
17 L. C. Paulson
![Page 19: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/19.jpg)
Agents and Messages
agent A, B, . . . = Server | Friend i | Spy
messageX,Y, . . . = Agent A
| Nonce N
| Key K
| {|X, X′|} compound message
| Crypt K X
free algebras: we assume PERFECT ENCRYPTION
18 L. C. Paulson
![Page 20: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/20.jpg)
Functions over Sets of Messages
• parts H : message components
Crypt K X 7→ X
• analz H : accessible components
Crypt K X, K−1 7→ X
• synth H : expressible messages
X, K 7→ Crypt K X
RELATIONS are traditional, but FUNCTIONS give usan equational theory
19 L. C. Paulson
![Page 21: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/21.jpg)
Operational Definition: analz H
Crypt K X ∈ analz H K−1 ∈ analz H
X ∈ analz H
X ∈ H
X ∈ analz H
{|X,Y|} ∈ analz H
X ∈ analz H
{|X,Y|} ∈ analz H
Y ∈ analz H
Typical derived law:
analz G ∪ analz H ⊆ analz(G ∪ H)
20 L. C. Paulson
![Page 22: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/22.jpg)
Operational Definition: synth H
X ∈ H
X ∈ synth HAgent A ∈ synth H
X ∈ synth H Y ∈ synth H
{|X,Y|} ∈ synth H
X ∈ synth H K ∈ H
Crypt K X ∈ synth H
• agent names can be guessed
• nonces & keys cannot be!
21 L. C. Paulson
![Page 23: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/23.jpg)
A Few Equations
parts(parts H) = parts H transitivity
analz(synth H) = analz H ∪ synth H “cut elimination”
Symbolic Evaluation:
analz({Crypt K X} ∪ H) ={Crypt K X} ∪ analz({X} ∪ H) if K−1 ∈ analz H
{Crypt K X} ∪ analz H otherwise
22 L. C. Paulson
![Page 24: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/24.jpg)
What About Freshness?
23 L. C. Paulson
![Page 25: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/25.jpg)
Modelling Attacks and Key Losses
If X ∈ synth(analz(spies evs))
may add Says Spy B X (Fake rule)
If the server distributes session key K
may add Notes Spy {|Na, Nb, K |} (Oops rule)
Nonces show the TIME of the loss
24 L. C. Paulson
![Page 26: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/26.jpg)
Overview of Results
• facts proved by induction & classical reasoning
• simplifying analz H : case analysis, big formulas
• handles REAL protocols: TLS, Kerberos, . . .
• lemmas reveal surprising protocol features
• failed proofs can suggest attacks
Proofs require days or weeks of effort
Generalizing induction formulas is hard!
25 L. C. Paulson
![Page 27: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/27.jpg)
The Recursive Authentication Protocol
• designed in industry (APM Ltd)
• novel recursive structure: variable length
• VERIFIED by Paulson– assuming perfect encryption
• ATTACKED by Ryan and Schneider– using the specified encryption (XOR)
Doesn’t proof give certainty? Not in the real world!
26 L. C. Paulson
![Page 28: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/28.jpg)
So Then, How Detailed Should a Model Be?
• detailed enough to answer the relevantquestions
• abstract enough to fit our budget
• model-checking is almost free(thanks to Lowe, Roscoe, Schneider)
• formal proofs give more, but cost more
27 L. C. Paulson
![Page 29: Proving Security Protocols Correct](https://reader034.fdocuments.in/reader034/viewer/2022042701/559e1a641a28abcf5b8b45c1/html5/thumbnails/29.jpg)
Don’t let theory displace reality