The University of Birmingham School of Computer Science. Research Student Monitoring Group Report 2

Transcription

1 The University of Birmingham School of Computer Science Research Student Monitoring Group Report 2 Name of student: Loretta Mancini Name of supervisor and other members of thesis group: Eike Ritter, Jon Rowe, Mark Ryan Date of report: 14th October 2010 Working title: Protocol verification in pervasive systems Introduction to research topic Pervasive Systems consist of a variety of devices, often produced from different manufacturers, interacting and communicating, usually through wireless connections, with each other and with a variety of systems providing a range of services. They are characterised by the ability of sensing their physical whereabouts and use the gathered environmental data to customize their behaviour. Pervasive Systems involve a high degree of complexity due to the high number of devices interacting and communicating to each other, the mobility of devices, the context awareness, the reactive context dependent behaviour, the interactivity with the user, the real-time requirements, the variety of offered services. Moreover pervasive computing is often used in critical area (e.g. road safety [24], health care [3]) making security, reliability, safety and liveness primary requirements. We believe the success of pervasive systems deployment depends not only on the ability to build, secure, maintain and augment interoperable systems but as well on the possibility to give some level of confidence about the system properties and offered services. Formal verification approaches can give users and system developers confidence about the level of reliability, security, safety and usability of the system. Formal definition of the properties of a system and their verification can moreovere give a better understanding of the system itself and help finding and fixing flaws. In this thesis we will focus on the formal verification of security protocols in pervasive systems, taking inspiration from case studies of concrete protocols, and aiming at the same time to obtain more general results that will eventually make it possible

2 to extend the use of automatic proof tools to the verification of a wider range of security properties for selected classes of processes. We will use process calculi enabling us to abstract from implementation details and give a high level description of the interaction, communication and synchronisation of the protocols participants. To ease the modelling of cryptographic protocols we will mainly use the applied pi calculus [2, 26], an extension of the pi-calculus, enriched with a set of function names, variables and equational theory. Work done so far This thesis is part of the EPSRC founded project Verifying interoperability requirements in pervasive Systems. More specifically we are here interested in security requirements. We will take inspiration from pervasive system case studies aiming to find challenging issues with respect to the existent techniques in the area of formal verification of security protocols. We found Vehicular Ad-hoc Networks (VANETs) an interesting example of pervasive system recently catching attention and investment of both industry and governments. Therefore we started exploring the problem of security in VANETs and focused our attention on the related privacy issues. In fact, providing privacy friendly services seems to be, at the same time, a primary concern for the deployment of VANETs, since it is vital for the users acceptance of the system, and a challenging issue, since strong accountability is required for liability purposes. The problem of privacy in vehicular network is linked to the fact that frequent broadcasts of a vehicle s position are required to enable the development of safety related applications. These messages containing a vehicle s position are authenticated i.e. contain a certificate, that is a sort of identifier that makes possible to trace vehicles routes. Location privacy is a major concern in VANETs, in fact simply by listening to the broadcast messages, using inexpensive wireless devices, external attackers can link vehicles consecutively occupied positions with the possibility of targeting specific vehicles or mapping the entire traffic in the monitored zone. Different approaches have been proposed in literature to provide location privacy while ensuring accountability in VANETs. They can be classified in: multiplepseudonyms-based, group signature based and hybrid. Multiple-pseudonyms-based approaches consist in having set of short-live pseudonyms and changing them following some protocol specific policy. Group signature based approches achieve privacy for free thanks to the properties of group signatures. Hybrid approaches combine the use of multiple pseudonyms with symmetric, group or identity based encryption, so to create a mix zone or to improve pseudonym management. The most accepted approaches result to be the multiple pseudonyms based ones, this is due to the fact that group signatures based cryptographic schemes introduce a high verification overhead. The high amount of received messages and the time sensitivity of safety applications make efficiency of signature verification critical in VANETs. Therefore we focused our attention on multiple pseudonyms based approaches.

3 We analysed in particular the Cmix protocol, a protocol inspired from the mix zones concept introduced by Beresford and Stajano [8] in the context of location aware applications; the basic idea is to create, with the help of the road side infrastructure, cryptographic mix zones at road intersections. The Cmix protocol has been formally studied by Dahl, Delaune and Steel [16] with respect to an observational equivalence based characterisation of privacy. Despite the analysis being effective in highlighting not so obvious details about the role of timing in the execution of the protocol; the high level of abstraction makes difficult to figure out how well the model matches the actual protocol. In particular, we find the encoding of locations and the resulting privacy property definition too rigid and overall it is difficult to understand if the attacks found on the model actually reflect attacks on the real protocol. These considerations motivated us to give a model of the protocol so to closely mimic the actual scenario. Case Study Analysis. The model obtained will allow us to test the Cmix protocol against the satisfiability of privacy related properties such as the untraceability, unlinkability and anonymity properties formalised in applied pi calculus by Arapinis et al. [4, 5]. In particular we aim to prove that the proposed model of the protocol satisfies the unlinkability property. The unlinkability property is defined in term of a non standard trace equivalence hence is not currently supported by automated proof tools and is difficult to manually prove. We will exploit both proof techniques, using different approaches to go around the mentioned difficulty: Manual proof. Even if not trivial, bisimilarity is more suited for a manual proof than trace equivalence. So we can focus on proving strong unlinkability that is defined through bisimilarity. In fact, in [5] Arapinis et al. prove that strong unlinkability implies unlinkability. Automated proof. We believe the automated proof tool (Proverif [9]) could be used to prove that the Cmix protocol satisfies untraceability. To obtain the desired result we will then have to prove (manually) that untraceability implies unlinkability. Extension to General Protocol Verification Issues. We aim to prove that the unlinkability property is decidable for a subclass of processes of the applied pi calculus. We identified several issues to be solved in order to achieve the mentioned decidability result: The unlinkability and anonymity properties mentioned above are defined as trace equivalence based properties and make use of annotations. The use of annotations makes them, to some extent, difficult to reason with. Hence we started in parallel to design an extension of applied pi calculus aimed to ease in general the analysis of protocol against properties defined through annotations (e.g. correspondence properties). The proposed extension is meant to be only syntactic, in fact its purpose is to ease the analysis of properties that make use of annotation without changing the intended semantic of the calculus. Accordingly we gave a draft proof showing that the equivalences obtained

4 for processes of our extension (we called it annotated applied pi calculus ) coincide with the original ones. The unlinkability property will have to be redefined in the annotated applied pi calculus. Recent works show the decidability of trace equivalence of protocols represented through constraint systems (e.g. [7, 14, 13, 15]), we will take advantage of these results extending and adapting them so to prove the decidability of the unlinkability property. Reviewed literature Formal Verification of Pervasive Systems. [3] Overview of verification of pervasive system techniques with reference to a case study application for care at home. VANETs. [30] Pioneer paper about vehicular networks and related security issues. They describe a VANETs architecture and two possible applications. Referring to the proposed architecture and applications they discuss the challenges involved in deploying, and securing vehicular networks. [23] An overview of VANETs security. Several challenges from the security point of view are highlighted. In particular the issues of secure positioning and privacy are exploited and some solutions are informally discussed, e.g. the broadcast of authenticated positions from trusted road infrastructure devices is proposed as possible solution to the problem of secure positioning, while the introduction of anonymization services and the use of group signatures are discussed in relation to the privacy problem. [25] A security architecture for VANETs is proposed and the opportunity of different possible solutions is discussed. The problem of public key infrastructure deployment, authentication of participant vehicles, certificate revocation and privacy are exploited. [24] Introduction to the VANETs network model and definition of VANETs applications categories depending on their purpose. The paper focuses on safety applications and describes the basic safety messaging protocol. It highlights possible attacks and security requirements and discusses possible solution for public key infrastructure, key revocation and change of pseudonyms.

5 [12] They propose the use of group signatures to self certify pseudonyms, this allows vehicles to efficiently generate pseudonyms without affecting the accountability properties of the system. They propose several optimisation strategies to overcome the limitation of slow verification time of group signatures. Privacy in VANETs [28] Analysis of the privacy requirements in vehicular networks and of the different available approaches towards proving privacy. [18] They propose a pseudonym change protocol based on mix context. The protocol is based on the idea that the level of privacy achieved by vehicles when changing pseudonyms ia higher if they share the same context with a high number of neighboring vehicles. Hence they proposse to trigger pseudonym changes only when the entropy (calculated depending on the actual context) is above a given threshold. [10] Hybrid approach to the problem of privacy in vehicular networks using multiple pseudonyms and publick key encryption for vehicle to vehicle and vehicle to infrastructure communications. As a part of the proposed model, a protocol for pairwise symmetric key establishment between pair vehicles and a protocol enabling of group communication of neighboring vehicles are presented. [27] The paper introduces the CARAVAN protocol to enhance location privacy of vehicles traveling in geographical proximity. The algorithm uses a combination of group signatures and silent periods to provide privacy when accessing location based service applications.due to the use of silent periods CARAVAN protocol is not suitable for safety related applications. [21] They discuss a security framework for vehicular network based on group signatures and role-based access control. [22] They propose a model for preserving privacy based on group signatures for vehicle tovehicle communications and Identity based signatures for RSU to vehicle communications. [29] The use of Temporary Anonymous Certified Keys (TACKs) is proposed. TACKs are obtained with the aid of road infrastructure devices when passing from a geographic region to an other, using a group signatures based protocol to ensure privacy. Mix Zones and CMix protocol [8] Introduces the concept of Mix Zone in the context of a location aware pervasive application. [17] Introduces the Cmix Zones protocol as a mechanism to create mix zones at road intersections and enhance location privacy in VANETs. Gives a model for strong and weak adversary and test the level of location privacy achieved by the Cmix protocol through a simulation of the proposed network and attacker models.

6 [11] Analysis of mix zones based models for changing pseudonyms. Defines probabilistic adversary tracking strategy and introduces a metric to quantify a vehicle level of privacy. They simulate the model using a realistic road scenario and show the privacy achieved by vehicles depending on the strength of the attacker measured by the number of monitored intersections. Their results are relevant as the analysis is independent from the specific protocol adopted to create the mix zone. [16] Formal analysis of the Cmix protocol using an observational equivalence based definition of privacy and Proverif tool. Formal verification techniques. [2] Introduces the applied pi calculus as a flexible calculus to reason about security protocols. Applied pi calculus is an extension of pi calculus that enriches it adding functions, value passing and equations. [26] A tutorial style introduction to security protocols analysis in applied pi calculus. They show how to formalise and verify different properties using a range of equivalence and trace based techniques. [15] They show that observational equivalence is decidable for a subclass of applied pi calculus processes (bounded and determinate) and a general class of equational theories. They restrict the class of applied pi calculus processes to the determinate ones, in fact on determinate processes observational equivalence with trace equivalence. The decidability of trace equivalence can be reduced to the problem of deciding symbolic equivalence of constraint systems. Hence observational equivalence can be reduced to the symbolic equivalence of finitely many pair of constraint systems (the ones obtained when symbolically representing the involved pair of applied pi calculus processes). Symbolic equivalence is decidable for subterm convergent theories as proved in [7]. [7] Shows the decidability of satisfiability and equivalence of constraint systems where the equational theory is presented by convergent subterm rewriting systems. [14] They show that any constraint system can be transformed in a simpler one (possibly many simpler ones) called solved form, preserving all the solutions of the original system. As a consequence, they prove decidability of the existence of key cycles. They show as well that the same technique can be used to prove decidability of authentication-like properties. [13] They present an algorithm that decides the symbolic equivalence of constraint systems in the case of signatures, symmetric and asymmetric encryptions (hence can be used to decide trace equivalence based properties of cryptographic protocols). [5] They give formal definitions of unlinkability and anonymity properties in applied pi calculus and apply them to a case study. They show that unlinkability does

7 not imply anonymity and give an concrete example of this showing that the protocol used by French RFID e-passport preserves anonimity, but does not preserve unlinkability. [4] Gives definition of weak and strong untraceablity properties in applied pi calculus and illustrates them using RFID tag related examples. [9] They introduce the concept of biprocess i.e. processes that differ only in the choice of some term, and prove observational equivalence of biprocesses is decidable for a bounded number of session, resulting in the implementation of the automated proof tool Proverif. Presentations I have given so far two talks on the subject of security and privacy in vehicular ad-hoc networks: I held a session of the computer security seminar of the school of computer science during which I introduced the topic of VANETs security. I focused on the issues related to privacy and in particular I presented protocols illustrating the different privacy preserving approaches proposed in literature, as for example Cmix [17], TACKs[29] and CARAVAN [27]. I gave a similar talk during a project meeting in Liverpool in that occasion I focused on the Cmix protocol and the model we developed for it. Attended Schools and Conferences During the past few months I had the opportunity of attending two schools. The first school attended, MGS2010 (Midlands Graduate School), is a school on theoretical foundation of computer science, I found particularly interesting the course on separation logic, a calculus to reason about memory location usage in programming. I recently attended FOSAD2010 (10th International School on Foundations of Security Analysis and Design) where many courses focused on anonymity and privacy issues, one of the courses in particular presented privacy oriented cryptographic protocols, while other discussed system oriented solution like mixes and onion routing and explaind the bayesian approaches to the traffic analysis of anonymous communications. More theoretical courses gave an overview of symbolic verification of security protocols and present recent results obtained in proving the computational soundness of such methods. In an attempt of looking for more case studies, I attended a small one day conference SMART 2010 on smart technologies with talks of different nature on health care intelligent systems, energy management system, intelligent transport (VANETs).

8 The talks were more business than research oriented, anyway what emerged from the audience was a serious concern about the potential privacy threat introduced by smart (pervasive) systems. I regularly attend CompSecSem talks, a series of talks organised by the security group of the School of Computer Science (University of Birmingham), where new research topics and ideas are presented by members of the security group and invited speakers. Timetable and Future Work The unlinkability property will be defined in the proposed extension of applied pi calculus (by end of October 2010). A formal proof of Cmix protocol unlinkability property will be given (by the end of November 2010). More case studies will have to be considered, with respect to the anonyminity and unlinkability issues in pervasive systems. (by the end of December 2010). The decidability of the unlinkability property will be proved (by the end of January 2011). The formal study of security properties (other than privacy related ones) in the context of pervasive systems will be considered in support of the thesis proposal (by end of january 2011). References [1] Proceedings of the 23rd IEEE Computer Security Foundations Symposium, CSF 2010, Edinburgh, United Kingdom, July 17-19, IEEE Computer Society, [2] Martín Abadi and Cédric Fournet. Mobile values, new names, and secure communication. SIGPLAN Not., 36(3): , [3] Myrto Arapinis, Muffy Calder, Louise Denis, Michael Fisher, Philip D. Gray, Savas Konur, Alice Miller, Eike Ritter, Mark Ryan, Sven Schewe, Chris Unsworth, and Rehana Yasmin. Towards the verification of pervasive systems. ECEASST, 22, [4] Myrto Arapinis, Tom Chothia, Eike Ritter, and Mark Ryan. M.: Untraceability in the applied pi calculus. In In: proc. of the 1st Int. Workshop on RFID Security and Cryptography, [5] Myrto Arapinis, Tom Chothia, Eike Ritter, and Mark Ryan. Analysing unlinkability and anonymity using the applied pi calculus. In CSF [1], pages

9 [6] Vijay Atluri, Peng Ning, and Wenliang Du, editors. Proceedings of the 3rd ACM Workshop on Security of ad hoc and Sensor Networks, SASN 2005, Alexandria, VA, USA, November 7, ACM, [7] Mathieu Baudet. Deciding security of protocols against off-line guessing attacks. In CCS 05: Proceedings of the 12th ACM conference on Computer and communications security, pages 16 25, New York, NY, USA, ACM. [8] Alastair R. Beresford and Frank Stajano. Location privacy in pervasive computing. IEEE Pervasive Computing, 2:46 55, [9] Bruno Blanchet, Martín Abadi, and Cédric Fournet. Automated Verification of Selected Equivalences for Security Protocols. In 20th IEEE Symposium on Logic in Computer Science (LICS 2005), pages , Chicago, IL, June IEEE Computer Society. [10] M. Burmester, E. Magkos, and V. Chrissikopoulos. Strengthening privacy protection in vanets. pages , oct [11] Levente Buttyán, Tamás Holczer, and István Vajda. On the effectiveness of changing pseudonyms to provide location privacy in vanets. In ESAS 07: Proceedings of the 4th European conference on Security and privacy in ad-hoc and sensor networks, pages , Berlin, Heidelberg, Springer-Verlag. [12] Giorgio Calandriello, Panos Papadimitratos, Jean-Pierre Hubaux, and Antonio Lioy. Efficient and robust pseudonymous authentication in vanet. In VANET 07: Proceedings of the fourth ACM international workshop on Vehicular ad hoc networks, pages 19 28, New York, NY, USA, ACM. [13] Vincent Cheval, Hubert Comon-Lundh, and Stéphanie Delaune. Automating security analysis: Symbolic equivalence of constraint systems. In Giesl and Hähnle [19], pages [14] Hubert Comon-Lundh, Véronique Cortier, and Eugen Zălinescu. Deciding security properties for cryptographic protocols. application to key cycles. ACM Trans. Comput. Logic, 11(2):1 42, [15] Véronique Cortier and Stéphanie Delaune. A method for proving observational equivalence. In Proceedings of the 22nd IEEE Computer Security Foundations Symposium (CSF 09), pages , Port Jefferson, NY, USA, July IEEE Computer Society Press. [16] Morten Dahl, Stéphanie Delaune, and Graham Steel. Formal analysis of privacy for vehicular mix-zones. In Gritzalis et al. [20], pages [17] Julien Freudiger, Maxim Raya, Mrk Flegyhzi, Panos Papadimitratos, and Jean- Pierre Hubaux. Mix-Zones for Location Privacy in Vehicular Networks. In ACM Workshop on Wireless Networking for Intelligent Transportation Systems (WiN-ITS), Vancouver, 2007.

10 [18] M. Gerlach and F. Guttler. Privacy in vanets using changing pseudonyms - ideal and real. pages , apr [19] Jürgen Giesl and Reiner Hähnle, editors. Automated Reasoning, 5th International Joint Conference, IJCAR 2010, Edinburgh, UK, July 16-19, Proceedings, volume 6173 of Lecture Notes in Computer Science. Springer, [20] Dimitris Gritzalis, Bart Preneel, and Marianthi Theoharidou, editors. Computer Security - ESORICS 2010, 15th European Symposium on Research in Computer Security, Athens, Greece, September 20-22, Proceedings, volume 6345 of Lecture Notes in Computer Science. Springer, [21] Jinhua Guo, J.P. Baugh, and Shengquan Wang. A group signature based secure and privacy-preserving vehicular communication framework. pages , may [22] Xiaodong Lin, Xiaoting Sun, Pin-Han Ho, and Xuemin Shen. Gsis: A secure and privacy-preserving protocol for vehicular communications. Vehicular Technology, IEEE Transactions on, 56(6): , nov [23] Bryan Parno and Adrian Perrig. Challenges in securing vehicular networks. In Proceedings of the Fourth Workshop on Hot Topics in Networks (HotNets-IV), November [24] Maxim Raya and Jean-Pierre Hubaux. The security of vehicular ad hoc networks. In Atluri et al. [6], pages [25] Maxim Raya, Panos Papadimitratos, and Jean-Pierre Hubaux. Securing Vehicular Communications. IEEE Wireless Communications Magazine, Special Issue on Inter-Vehicular Communications, 13(5):8 15, [26] Mark Ryan and Ben Smyth. Applied pi calculus. In Véronique Cortier and Steve Kremer, editors, Formal Models and Techniques for Analyzing Security Protocols, chapter 6. IOS Press, to be published. [27] Krishna Sampigethaya, Leping Huang, Mingyan Li, Radha Poovendran, Kanta Matsuura, and Kaoru Sezaki. Caravan: Providing location privacy for vanet. In in Embedded Security in Cars (ESCAR, [28] Florian Schaub, Zhendong Ma, and Frank Kargl. Privacy requirements in vehicular communication systems. In CSE 09: Proceedings of the 2009 International Conference on Computational Science and Engineering, pages , Washington, DC, USA, IEEE Computer Society. [29] Ahren Studer, Elaine Shi, Fan Bai, and Adrian Perrig. Tacking together efficient authentication, revocation, and privacy in vanets. In SECON 09: Proceedings of the 6th Annual IEEE communications society conference on Sensor, Mesh and Ad Hoc Communications and Networks, pages , Piscataway, NJ, USA, IEEE Press.

11 [30] Magda El Zarki, Sharad Mehrotra, Gene Tsudik, and Nalini Venkatasubramanian. Security issues in a future vehicular network. In In European Wireless, pages , 2002.