Upload
benjamin-rumney
View
215
Download
2
Tags:
Embed Size (px)
Citation preview
Recent Methods and Problems inAuthentication Protocol Analysis
Jonathan Millen
SRI International
Menlo Park, CA, USA
WADIS '03
December 6, 2003
Outline
Background– What is cryptographic protocol analysis
– Why is it a hard problem
– Overview of analysis approaches
Recent Work– Strand spaces
– Digression - group management protocol analysis
– The constraint solver
– Continuing research problems
Resources
CAPSL Web Site – www.csl.sri.com/users/millen/capsl
Bibliography – capsl/protsec.bib (references like [AB99])
Clark-Jacob Library– www.cs.york.ac.uk/security/Publications.html
– capsl/library.html
SPORE Library (Comon)– www.lsv.ens-cachan.fr/spore
Constraint solver tutorial and Prolog code– capsl/constraints.html
Ryan-Schneider text, Crypto. Protocol Analysis: CSP
Cryptosystems
Cryptosystem: algorithm for encrypting plaintext into ciphertext, and decrypting, using keys.
Cryptographic protocol: exchange of messages for distributing keys or applying a cryptosystem to data.
Symmetric-key cryptosystem: the same key is used for encrypting and decrypting.– Examples: DES, IDEA, Skipjack, Blowfish, RC4, AES (Rijndael)
Public-key cryptosystem: different keys are used for encrypting and decrypting. The encryption key may be made public.– Examples: RSA, El Gamal, Elliptic curve
– Diffie-Hellman (key agreement)
Cryptographic Protocols
For key distribution: provide two parties with keys suitable for private or authenticated communication
For authentication: to provide one party with assurance that a message was sent by another party in the same session.
For other purposes: fair exchange, auctions, voting,… Examples
– SSL - in browsers (now TLS)
– Kerberos - remote unitary login
– EKE, SRP - password based
– Cybercash - electronic commerce
– IKE, ISAKMP, JFK – by IETF
New ones are continually proposed
The Security Threat:Active Attacker
Attacker can:-intercept all messages-modify addresses and data
Attacker cannot:-encrypt or decrypt without the key
Protocol Vulnerabilities - Ground Rules
"Attacker" synonyms:– intruder, spy, saboteur, penetrator, enemy, adversary
Attacker can intercept any message– Ability to read, record, misdeliver any message
– Method: sniffers, and intrusions in firewalls or routers
Attacker can introduce new messages– Construct messages using primitive operations
– Falsify (unencrypted) source, destination addresses
Strong encryption assumption: an attacker cannot decrypt any message without the key.
Attacker is a legitimate network user with a name, key, etc. Other users follow the protocol This is often called the “Dolev-Yao” model [DY83]
Example - Needham-Schroeder
The Needham-Schroeder symmetric-key protocol [NS78]A S: A, B, Na
S A: {Na, B, Kc, {Kc, A}K(B) }K(A)
A B: {Kc, A}K(B)
B A: {Nb}Kc
A B: {Nb-1}Kc
A, B are “principals;” S is a trusted key server K(A) is a secret key shared by A and S {X, Y}K means: X concatenated with Y, encrypted with K Na, Nb are “nonces;” fresh (not used before) Kc is a fresh connection key Denning-Sacco replay attack in 1981 [DS81]
Denning-Sacco Attack
Assume that the attacker has recorded a previous session, and compromised the connection key Kc used in that session.
… first part omitted
A B: {Kc, A}K(B) attacker replay of old message
B A: {Nb}Kc
A B: {Nb-1}Kc forged by attacker
B now believes he shares a fresh secret key Kc with A. Denning-Sacco moral: use a timestamp (calendar clock value) to
detect replay of old messages. – Better use of nonces could also work
Folklore - Attack Terms
Replay: record and later re-introduce a message or part Masquerading: pretending to be another party
– Forge source address
Man-in-the-middle: pass messages through to another session A X B
Oracle: take advantage of normal protocol responses as encryption and decryption “services”
Type confusion: substitution of a different type of message field (e.g., key vs. nonce)
Parallel attack: takes advantage of two or more concurrent protocol runs of the same role, different sessions
Design Principles
Abadi-Needham “prudent engineering practice” paraphrased– See [AN94]; also Anderson and Needham [AN95]
1. Every message should say what it means.
2. The conditions for a message to be acted on should be clearly set out.
3. Mention the principal’s name explicitly in the message if it is essential to the meaning.
4. Be clear as to why encryption is being done.
5. Don’t assume a principal knows the content of encrypted material that is signed by that principal.
6. Be clear on what properties you are assuming about nonces.
7. Predictable quantities used for challenge-response should be protected from replay.
More Design Principles
8. Timestamps must take into account local clock variation and clock maintenance mechanisms.
9. A key may have been used recently, yet be old.
10. If an encoding is used to present the meaning of a message, then it should be possible to tell which encoding is being used.
11. The protocol designer should know which trust relations his protocol depends on.
Good advice, but…– Are you sure when you have followed all of them?
– Is the protocol guaranteed to be secure then?
– Is it optimal and/or minimal?
Formal Methods
Crypto Protocol Analysis
Formal Models Computational Models
Belief Logics Model Checking Inductive Proofs
Dolev-Yao(ideal encryption)
Probabilistic poly-timeRandom oracle(bit leakage)
BAN logicGNY, SvO, ...
Authentication,Nonrepudiation
State spaceexplorationSpecialized orgeneral-purposetools
By hand or usingverification tools
Why Protocol Analysis is Hard
Protocol Analysis is Undecidable
Several proofs– First undecidability proof by Even & Goldreich, [EG83]– Simpler use of Post Correspondence problem by Heintze & Tygar,
[HT96]
Undecidability comes from unboundedness in the model– Number of protocol instances (runs, sessions) is unbounded– Messages from attacker are unbounded in structural depth– Number of possible values for some data fields is infinite
BAN Logic
Papers– Burrows, Abadi, Needham, “A logic of authentication,” ACM Trans.
Computer Systems 8(1), 1990 (also DEC SRC Research Rpt 39)
– Subsequent extensions, e.g., GNY logicGong, Needham, Yahalom, “Reasoning about belief in
cryptographic protocols,” 1990 IEEE Symposium on Security and Privacy
Approach– Modal logic of belief plus specialized predicates and inference rules
Example: B believes A said (K is fresh)
Example: if A shares K with B and B sees {X}K then A said X
– Protocol messages are “idealized” into logical statements
– Objective is to prove that both parties share common beliefs
– Logic of “authentication”
– Elegant, popular
The Problem with BAN
Nessett noted problem [Nes90]– A B: {T, K}KA
-1
– Shared key K given away by encryption with private key of pair
– A can still believe A shares K with B
Secrecy failures may be subtle– Secrecy analysis must be prior to authentication proof
– Prove that good keys or shared secrets are not compromised during the protocol (due to an attack)
Logics like this address authentication, must use other techniques to verify confidentiality where assumed/needed
Early Specialized Model Checkers
Interrogator [MCF87, Mil95]– Prolog program
– Backward state search for attack from goal state pattern
– No guarantee of completeness or termination
NRL Protocol Analyzer [Mea91, Mea96a]– Prolog program
– Backward state search, plus
– Generation of "unreachable" languages
– No guarantee of completeness or termination
– Can sometimes prove a protocol correct
Application of software tools designed for hardware CADVerification by state space exploration - exhaustive on model
Like earlier Prolog tool approach, butSpecial algorithms (BDD, SAT, etc.)
Require finite model bounds on number of sessions, message structure, etc.
Fully automatic once protocol is encoded
Researchers: Roscoe [Ros95], using FDR (the first)
Mitchell, et al, using Murphi [MMS97]
Marrero, et al, using SMV [MCJ97]
Denker, et al, using Maude [DMT98]
… and more
General-Purpose Model CheckerApplications
Model-Checking Observations
Very effective at finding flaws, but No guarantee of correctness, due to artificial finite bounds
– Bound on message structure depth later found unnecessary
Setup and analysis is quick when done by experts– Automatic translation from simple message-list format to model-
checker input is possible [Lowe's Casper: Low98a]
Successful example: Lowe attack on Needham-Schroeder public-key protocol, using FDR [Low96]
Lowe Small-System Result
Theorem: if Assumptions 1-6 (below) are satisfied, then any secrecy breach can be demonstrated in a “small system” with only one instance of each role. [Low98b]
1. Functions that return keys are one-to-one (no key coincidence)
2. All short-term secrets are fresh
3. No long-term keys are (normally) sent (as data) in messages
4. Encrypted message components mention all roles
5. Encrypted message components are textually distinct
6. No temporary secrets (secrets must not be revealed after use)
Example: (Davis-Swick)A B: {B,T}sk(A,B)
B A: {T,A}sk(B,A)
– This satisfies the assumptions ifsk(A,B) sk(B,A) (for 1)
T is a recognizably different type from principal (for 5)
Recent Specialized Methods
Athena– Song/Berezin/Perrig [SBP01]
– ML program
– Uses strand-space model (free algebra, atomic keys)
– Special-purpose model checker
– Very fast
– Usually terminates, no fixed bound
Bounded-Process Decidable– Bounded set of legitimate processes
– Decidable despite no bound on message term complexity
– Shown NP-complete by Rusinowitch/Turuani [RT01]
– Constraint solver is in this category
Inductive Proofs Approach: like proofs of program correctness
– Induction to prove “loop invariant” State-transition model, objective is security invariant General-purpose specification/verification system support
– Kemmerer, using Ina Jo and ITP [Kem89] (the first)– Paulson, using Isabelle [Paul98] (the new wave)– Dutertre and Schneider, using PVS [DS97]– Bolignano, using Coq [Bol97]
Can also be done manually – Schneider, using CSP [Sch98]– Thayer et al, using Strand Spaces [THG98]– Spi calculus proofs (Abadi, Gordon, ...)
Full guarantee of correctness (with respect to model)– No bounds imposed– Proofs include secrecy– But they are usually hard work
Strand SpacesThayer, Herzog, Guttman [THG98] Message: ground term in free algebra
over symbolic constants, with pairs and encryptionMessage does not include "A B" header
Strand: sequence of nodes Node is labeled with +/- messageBundle: causal partial ordering of nodes in strands
+{n,a}kb
-{n,r}ka
+{r}kb
“A” strandExample: NSPK
“B” strand
-{n,a}kb
+{n,r}ka
Penetrator strands, forprimitive operations
Examples:
{x}k
k-1
x
x
y
{x,y}
Penetrator strandsare universal
Bundles
A bundle combines strands into a partial ordering– Nodes are ordered by internal strand sequence
– Nodes are also ordered by message delivery
Bundles are backward complete– Non-initial nodes have predecessor in strand
– Every received message must have been sent
{n,a}kx
{n,r}ka
{r}kx
{n,r}ka
kx-1
{n,a}
kb
{n,a}kb
Example: NSPK attack
Parametric Strand Specification
A B: {A,Na}pk(B)
B A: {Nb,Na}pk(A)
A B: {Nb}pk(B)
Protocol
A-role strand"A"(A,B,Na,Nb)
+{A,Na}pk(B)
-{Nb,Na}pk(A)
+{Nb}pk(B)
Semibundle: incomplete bundle, partially instantiated strands
Na is a noncegenerated by "A" roles
A, B, Na, Nb(initial capitals)are variables
Addresses lost
There's also a B-role strand
Suggested by [Son99]and [CDLMS00]
Example Spec
Yahalom protocol"A"(A,B,S,Na,Nb,K) =
+ {A,Na}
– {{B,K,Na,Nb}sk(A),{Nb}K}
"B"(A,B,S,Na,Nb,K,T) = – {A,Na}
+ {B,{A,Na,Nb}sk(B)}
– {T,{A,K}sk(B)}
+ {T,{Nb}K}
"S"(A,B,S,Na,Nb,K) = – {B,{A,Na,Nb}sk(B)}
+ {{B,K,Na,Nb}sk(A),{A,K}sk(B)}
A B: A, NaB S: B,{A,Na,Nb}sk(B)S B: {B,K,Na,Nb}sk(A), {A,K}sk(B)B A: {B,K,Na,Nb}sk(A), {Nb}K
Term T encrypted for A is just passed on
Characteristics of Spec Style
Keys may be constructed– Symmetric key may be any term, not just constants
– Public keys constructed with pk(A)
– Secret keys sk(A) assumed to be shared with server
Free term algebra (no term reductions or relations)– Advantage: WYSIWYG simplicity
– Can't specify decryption explicitly in protocol spec
– Some loss of generality (EV-freedom discussion)
Untyped– Advantage or disadvantage?
– Typing can be simulated with type-coercion functions
Don’t yet handle commutative operations (xor, exponentiation)
Free Term Algebra Question
Suppose that a protocol is expressible (in parametric strand style) using a free term algebra to represent encryption.
(Write e(X,K) for {X}K so we can introduce d(X,K) below)
Example strand: S(A,B,X,K) = -e({X,A},K) +e({X,B},K)
Assume that the attacker can perform decryption transformations as usual, such as: e(X,K), K X
Can new attacks be discovered by adding an explicit decryption operator with cancellation relations?
d(e(X,K),K) X e(d(X,K),K) X
Counterexample
+e(s,k)
“A” strand “B” strand
-e(e(X,c),k)
+X
Assumptions: s is a secret constantk is a secret keyc is a compromised keyX is a variable
Observation:if e(s,k) is acceptable as e(e(X,c),k)then s = e(X,c)and X = d(s,c)so the attacker can get s.
A free term algebra can't see this.
Remarks
What's missing: ability to decrypt something that was not encrypted
Generality is restored if e(X,K) is disallowed for any variable X
Spec is "EV-free" if this restriction is satisfied
(OK to have X in context, e.g., e({X,a},K))
"On the freedom of decryption," Millen, IPL 86(2003)
All this applies to public key encryption too (Lynch)
Why use free term algebra model?
Analysis advantages: efficient constraint solving, proof of completeness and termination
EV-freedom is realistic
But free algebras still can't handle group management protocols...
Multicast Group Management
Multicast group members share a group key A suite of protocols is used to perform different tasks
– Addition of a new member to the group (rekey)
– Deletion of a member from the group (rekey)
– Merge two groups or split one into two
– Distribute new group key
– Application-dependent tasks
Different methods for key distribution– Group Diffie-Hellman, key hierarchy, …
Secrecy objectives– Backward access control: new members can't read old messages
– Forward access control: deleted members can't read new messages
Group Diffie-Hellman
Steiner-Tsudik-Waidner 1996Finite-field arithmetic; uses exponentiation mod pConstant base g for exponentiationsr1, r2, etc. are private random contributionsLast party (M3 in this example) multicastsGroup key gr1r2r3 computed by each party
M1 M3
g,gr1 gr2,gr1,gr1r2
M2
gr2r3,gr1r3
"upflow"
"downflow"
Need for Authentication
Attacker can misdeliver upflow message as downflow
Party computes wrong group key, something public
This is a problem for two-party Diffie Hellman also
First attempt at solution: AGDH (Authenticated)– Assume pairwise shared keys
– Include key with downflow terms
gr2r3k13,gr1r3k23
– Insufficient: Pereira-Quisquater attack [PQ01]
M1
g,gr1
g,gr1
M1 computes group key as gr1
Attacker
Pereira-Quisquater Attack
M2
gr2,gr1,gr1r2g,gr1M4
_,gr2,gr2,_
_,gr2r4k24,gr2r4k34
M2
gs2,gr2r4,gr2r4s2
_,gr2r4k24
g,gr2r4
Second round, M3 (malicious) has been deleted
s2 is new privatecontribution from M2
M2 computes new group keyas gr2r4s2 (compromised)
M3 gets gr2r4
The analysis technique has not yet been put into tools.
Bounded-Process Decidable CaseCrypto Protocol Analysis
Formal Models Computational Models
Belief Logics Model Checking Inductive Proofs
Dolev-Yao(ideal encryption)
Probabilistic poly-timeRandom oracle(bit leakage)
Bounded-process decidableFinite-state
Antti Huima, 1999Symbolic states(extended abstract)
Inspired subsequent work:Amadio-LugiezBorealeFiore-AbadiRusinowitch-Turuani (NP-complete)Millen-ShmatikovBasin
Constraint Solving
Millen-Shmatikov [MS01] Bounded-process decidable Two-phase approach
– Use the protocol spec to generate algebraic "constraint" sets
– Use inference rules to solve constraint sets
Constraint Solving
1. Parametric strand specification for protocol
2. Choose N strand instances (small N)
3. Enumerate possible node orderings (strand interleavings)
4. Generate a constraint set for each ordering
5. Solve constraint set (finds attack) or prove unsolvable (N-secure)
6. No attack in any constraint set with N? Try N+1
Example Spec
NSPK protocol– "A"(A,B,Na,Nb) =
+ {A,Na}pk(B)– {Na,Nb}pk(A)+ {Nb}pk(B)
– "B"(A,B,Na,Nb) = – {A,Na}pk(B)+ {Na,Nb}pk(A)– {Nb}pk(B)
A B: {A,Na}pk(B)B A: {Na,Nb}pk(A)A B: {Nb}pk(B)
Caution: variable scope is localto a strand. The "A" strand valueof A is not necessarily equal to the "B" strand value of A (in a bundle).
b1
b2
b3
mb2
mb1
mb3
a1
a2
a3
ma1
ma3
ma2
Choose Strand Instances
a1
a2
a3
b1
b2
b3
ma1
mb2
ma3
mb1
ma2
mb3
A-roleinstances
B-roleinstances
Zero, one, two, ormore instances per role(not necessarily the same)
Secrecy teststrand
?s
s is the secret
If a bundle exists withthis strand, s is compromised
Constraint Set Generation
a1
a2
a3
b1
b2
b3
+ma1
+mb2
+ma3
-mb1
-ma2
-mb3
1. Enumerate all linear node orderings consistent with strands
b'1
b'2
b'3
+m'b2
-m'b1
-m'b3
a1 b1 b'1 b'2 b2 a2 a3 b3 b'3 with message ordering
+ma1 -mb1 -m'b1 +m'b2 +mb2 -ma2 +ma3 -mb3 -m'b3
Phase I: Constraint Set Generation
mb1: ma1
m'b1: ma1
ma2: ma1,m'b2,mb2
mb3: ma1,m'b2,mb2,ma3
m'b3: ma1,m'b2,mb2,ma3
2. One constraint for each received message
+ma1 -mb1 -m'b1 +m'b2 +mb2 -ma2 +ma3 -mb3 -m'b3
Constraint m1: m2, m3, … means that m1 is derivableusing available operations (by the attacker) from themessages m2, m3, … and from constants known to theattacker. These are term closure constraints.
Derivation Constraint Example
A B: A original protocol
"A"(A) = +A; "B"(A) = -A strand spec
{+a, -A} semibundle
+a -A interleaving
A: a the constraint
How Many Interleavings?
For two strands of sizes m and n nodes, there are choose(m+n,n) different orderings (binomial coefficient)
Send optimization: +m1, -m2,… has at least as many solutions as -m2, +m1, …
Therefore always choose send nodes first (order doesn't matter)
Common path optimization (Corin, Etalle) Constraint differentiation (Basin, et al. ACM CCS '03)
Common Path Optimization
Node orderings have common initial subsequences Unsolvability of initial subsequence implies unsolvability of extensions Test solvability at every step to avoid fruitless extensions Implementation by Corin and Etalle, U. Twente, Holland Significant speed improvement
A+a1
-a2
+a3
-a4
B-b1
+b2
-b3
+a1 -b1 +b2 -a2 +a3 -b3 -a4
+a1 -b1 +b2 -a2 +a3 -a4 -b3
Failure at a2 eliminates second sequence
Phase II: Constraint Set Solution
Initialconstraint set
No rule isapplicable
• • • • • •
apply every possible transformation ruleto first m:T where m is not a variable
var1 : T1• • •
varN : TN
Simple set:always satisfiable!
or
Some Transformation Rules
{x, y} : T––––––– (pair)x : Ty : T
{x}y : T–––––– (senc)x : Ty : T
T is any set of terms[{y}z] is a marked encryption to prevent rule looping(elim) rule based on origination, monotonicity properties
Synthesis Analysis Other
x : {y, z},T–––––––– (split)x : y, z, T
x : {y}z, T––––––––– (sdec)z : [{y}z], Tx : y, z, T
x : z, T–––––– (unify)
unifies x, zpartial solution
x : v, T–––––– (elim) x : T if v is a variable
Example CS Run in Prolog
Trace:recv([a,e])send([a,na] * pk(e))recv([a,na] * pk(b))send([na,nb] * pk(a))recv([na,nb] * pk(a))send(nb * pk(e))recv(nb * pk(b))
recv(nb)
semibundle([Sa,Sb,St]) :- strand(roleA,A,B,na,Nb,Sa), strand(roleB,A,B,Na,nb,Sb),strand(test,nb,St).
?- semibundle(B),search(B,[]).
AVISPA Tools and Interface
AVISPA members
ETH ZurichOn-the-fly model checker (OFMC) constraint solver
INRIA/CASSISCASRUL (CL)
U. Genova(SAT) model checker
Also Siemens AG
Spec in High Level Protocol Spec Language; three analyzers
Some New Directions
Extension of decidable protocol analysis to (group) Diffie-Hellman and other associative-commutative operations– At SRI and independently at INRIA
Application of type theory to authentication protocol proofs– Type-safe implies attacker-unsafe; dependent types
– Abadi-Blanchet, Debbabi-Mejri, Jeffrey
Derivation/composition of secure protocols– Datta-Derek-Mitchell-Pavlovic
– Composition/transformation/refinement of functional components
– Proof rules based on cord calculus (something like strand space)
Use of computationally ideal crypto primitives– Backes-Pfitzmann-Waidner (IBM Zurich)
– Special crypto interface with implementation proved "ideal"
– Can we use these operations for Dolev-Yao analysis?