Types for Security Protocols* - Language-Based Security group
Transcript of Types for Security Protocols* - Language-Based Security group
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Types for Security Protocols∗
Riccardo Focardi1 Matteo Maffei2
1Universita Ca’ Foscari Venezia, [email protected]
2Saarland University, [email protected]
SecCo’09September 5, 2009, Bologna
∗
Work partially supported by:Miur’07 Project SOFT: “Security Oriented Formal Techniques”
The initiative for excellence and the Emmy Noether program, Germany
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Security Protocols
Simple distributed algorithms providing some securityproperties
Network is assumed to be insecure
Worst-case scenario: Opponent controls the network
AliceM1
//
OpponentM′
2
oo
M′
1//
BobM2
oo
Cryptography protects information sent/received
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Basic cryptographic primitives
Alice Bob
Symmetric key k {|m|}sk
//
k
? Bob
Asymmetric key kpB
{|m|}akpB
//
kB
Alice ?
Signature kA [m]kA//
kvA
Assumption (Dolev-Yao): Encryption and decryption are possibleonly knowing the appropriate keys
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Type-based analysis of security protocols
[Lowe ′96]
||||
||||
|||
::
::
::
::
::
::
::
::
::
::
:[Volpano et al .′96]
}}}}
}}}}
}}}}
}}}}
}}}}
}}}
JJJJJJJJJJJJJ
Processcalculiwith
(symbolic)crypto
Imperativelanguageswith typesfor nonin-terference
[Abadi ′99]
qqqqqqqq
BBBB
BBBB
BBBB
BBBB
BB
Types [Askarov et al .′08]
llllllllllllllll
MMMMMMMMMMMM
Crypto
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
The Blanchet (Dennning-Sacco) protocol
Alice(A), kA Bob(B), kB
New k{|[A,B,k]kB |}a
kpA
oo
New m{|m|}s
k//
Aim: share a new secret m between A and B
1 Secrecy: A knows only B will learn m
2 Authentication: B knows m comes from A, and it is fresh
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Authentication-only variant
Alice(A), kA Bob(B)
New k{|A,B,k|}a
kpA
oo
New m{|m|}s
k//
Aim: A sends an authenticated message m to B
1
((
((
((
((
((
((
((
((
((
Secrecy: A knows only B will learn m
2 Authentication: B knows m comes from A, and it is fresh
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Secrecy attack on the protocol variant
Alice(A), kA Opponent(O)
New k{|A,B,k|}a
kpA
oo
New m{|m|}s
k//
O learns m
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Typed spi-calculus
M, N, K ::= n | x | Kp | K v | {|M|}sK | {|M|}a
K | [M]K terms
P, Q, R, O ::= processes
N〈M〉.P outputN(x).P input0 stopP | Q parallel!P replication(νa : T ) P restrictionif M = N then P else Q conditionalcase M of {|x |}s
K in P sym decryptioncase M of {|x |}a
K in P asym decryptioncase M of [x ]K in P signature check
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Semantics, an example
k : T k : T
New m : T ′
{|m|}sk
//
P(m)
(νk : T ) ( (νm : T ′) c〈{|m|}sk〉 | c(x).case x of {|y |}s
k in P(y) )
→ (νk : T , m : T ′) case {|m|}sk of {|y |}s
k in P(y)if m 6∈ fn(P(y))
→ (νk : T , m : T ′) P(m)
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Security levels
Security lattice from Language-based Security(Secrecy/Integrity)
LL HH
HL
LH
L ⊑S H: public data can be considered as secret(protect more)
H ⊑I L: high-integrity data can be considered as low-integrity(trust less)
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Security-levels: an example
A, kA ?{|A,B,k|}a
kpA
oo
New m : LH{|m|}s
k//
A receives {|A, B, k|}ak
pA
as LL
k is thus considered LL
m must be at or below LL. In fact, LH ⊑ LL
Note:
m cannot be a secret (HH 6⊑ LL)it is unsafe to trust k (LL 6⊑ LH).
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Types
Types extends levels ℓ with types for keys
T ::= ℓ | µKℓ[T1, . . . ,Tn]
Key types specify the types T1, . . . ,Tn of what isencrypted/signed and the expected usage:
µ notation ℓ
Sym k HH
Enc kpA LH
Dec kA HH
Sig kB HH
Ver kvB LH
Opponents work at LL with LL keys, and encrypt/sign LL data
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Typing environment
Typing environment Γ
Binds names and variables to types
u1 : T1, . . . un : Tn ui 6= uj
We write Γ ⊢ u : T if u : T is in Γ
HH keys only:
Ti = µKℓ[. . .] implies ℓ = HH and µ ∈ {Sym, Dec, Sig}
Other key types are derived, e.g.
Γ ⊢ K : DecKℓC ℓI [T ]
Γ ⊢ Kp : EncKLℓI [T ]
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Subtyping ≤
If Γ ⊢ M : T and T ≤ T ′ then Γ ⊢ M : T ′
≤ extends the four-points lattice with
µKℓ[T ] ≤ ℓ
i.e., keys can be regarded as data at the appropriate level ℓ
Example: publishing a public key as plaintext
New kA : EncKHH [T ] kpA
//
kpA has type DecKLH [T ] ≤ LH ≤ LL and can be sent on the
network
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Typing the pi-calculus fragment
Γ ⊢ 0Γ ⊢ P Γ ⊢ Q
Γ ⊢ P | Q
Γ ⊢ P
Γ ⊢!P
Γ, a : T ⊢ P
Γ ⊢ (νa : T ) P
Γ ⊢ M : T Γ ⊢ N : T ′ Γ ⊢ P Γ ⊢ Q
Γ ⊢ if M = N then P else Q
Γ, x : LL ⊢ P Γ ⊢ N : T
Γ ⊢ N(x).P
Γ ⊢ M : LL Γ ⊢ P Γ ⊢ N : T
Γ ⊢ N〈M〉.P
Note: Cryptographic operations are the only interesting ones
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Ciphertexts and signatures
Γ ⊢ K : SymKℓC ℓI [T ] Γ ⊢ M : T
Γ ⊢ {|M|}sK : LℓI
Similarly for {|M|}aKp
Example:
c : T ⊢ (νk : SymKHH [HH], m : HH) c〈{|m|}sk〉
[M]K has secrecy level LS(T ), i.e., the secrecy level of T
Example:
m : HL [m]kA//
is not safe since LS(HL) = H
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Decryption and signature check
Γ ⊢ M : T Γ ⊢ K : SymKℓ[T ] Γ, x : T ⊢ P
Γ ⊢ case M of {|x |}sK in P
Similarly for [x ]KExample
k : SymKHH [HH] ⊢ c(y).case y of {|x |}sk in P
whenever P is typed under the assumption x : HH
Decrypting {|M|}aKp requires to type P under x : LL and x : T
?
{|m|}akpB
//
��
TTTTTT
x : LL x : T
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Technique 1: a la Needham-Schroeder protocol
New nA : HH
{|nA|}akpA
oo
New m : HH
{|m,nA|}akpB
//
XXXXXXXX
��
xm : LL, xnA: LL xm : HH, xnA
: HH
if nA = xnAthen P else 0
Since LL 6≤ HH in the left branch it is nA 6= xnA
P is only type-checked under xm : HH, xnA: HH
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Technique 2: high-integrity ciphertexts
k : SymKHH [LH] k : SymKHH [LH]
New m : HH
{|{|m|}akpB
|}sk
//
x{|m|}akpB
: LH
xm : HH
We type-check twice only if the integrity of the ciphertext is L
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
A secrecy result
Definition (P preserves secrecy)
∀O, P | O →∗ (νs : T ) (νa : T ) (P ′ | b〈s〉.P ′′) implies LC(T ) = L
Theorem (Secrecy for ⊢)
Let Γ ⊢ P with img(Γ) = {LL}. Then P preserves secrecy
The theorem is based on
Proposition (Opponent typability)
Let O be an opponent and let fn(O) = {a}. Then a : LL ⊢ O.
Proposition (Subject reduction)
Let Γ ⊢ P. Then P → Q implies Γ ⊢ Q
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Proving the theorem
Theorem (Secrecy for ⊢)
Γ ⊢ P with img(Γ) = {LL} and
P | O →∗ (νs : T ) (νa : T ) (P ′ | b〈s〉.P ′′) implies LC(T ) = L
1 By Opponent typability we have Γ′ ⊢ O and, sinceimg(Γ) = img(Γ′) = {LL} we obtain Γ′′ = Γ ∪ Γ′ ⊢ P | O
(Weakening)
2 By subject reduction Γ′′ ⊢ (νs : T ) (νa : T ) (P ′ | b〈s〉.P ′′)
3 Thus Γ′′, s : T , a : T ⊢ s : LL
⇒ T ≤ LL
⇒ LC (T ) = L.
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Typing the case study
kA : DecKHH [HH] kB : SigKHH [LL, LL, Tk ]
νk : SymKHH [HH]{|[A,B,k]kB |}akpA
oo
νm : HH {|m|}sk
//
Γ ⊢ Alice
c(xe).xe : LL case xe of {|xs |}
akA
inxs : LL / xs : HH case xs of [xA, xB , xk ]kv
Bin
xA : LL, xB : LL, xk : Tk if A = xA then(νm : HH)
m : HH c〈{|m|}sxk〉
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
More examples (1)
kA : DecKHH [LL, LL, Tk ] kB : SigKHH [LH]
νk : SymKHH [HH][{|A,B,k|}akpA
]kBoo
νm : HH {|m|}sk
//
kA : DecKHH [LL, LL, Tk ]
νk : SymKHH [LH]{|A,B,k|}akpA
oo
νm : LH {|m|}sk
//
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
More examples (2): Needham-Schroeder public-key
kA : DecKHH [HH, LL]
jA : DecKHH [HH]kB : DecKHH [HH, HH, LL]
νnB : HH{|nB ,B|}akpA
oo
νnA : HH {|nA,nB ,A|}akpB
//
{|nA|}ajpA
oo
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Conclusion
A novel perspective on types for security protocols
many fundamental techniques from literature on processcalculi ... plus the expressiveness of language-basedsecrecy/integrity levels
full paper gives types for authentication and all the proofs.Downloadable athttp://www.infsec.cs.uni-sb.de/~maffei/publications/
types-for-security-protocols.pdf
part of a project for a research book on security protocols(Cortier, Kremer Eds.) Any feedback is really welcome!
R. Focardi, M. Maffei Types for Security Protocols
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
A few references
M. Abadi.Secrecy by typing in security protocols.Journal of the ACM, 46(5):749–786, 1999.
M. Abadi and B. Blanchet.Secrecy types for asymmetric communication.Theoretical Computer Science, 298(3):387–415, 2003.
M. Abadi and A. D. Gordon.A calculus for cryptographic protocols: The spi calculus.Information and Computation, 148(1):1–70, 1999.
A. Askarov, D. Hedin, and A. Sabelfeld.Cryptographically-masked flows.Theoretical Computer Science, 402(2-3):82–101, August 2008.
M. Centenaro, R. Focardi, F. Luccio, and G. Steel.Type-based Analysis of PIN Processing APIs.In ESORICS’09. To appear.
R. Focardi, M. Maffei Types for Security Protocols