Formal Methods in Security Protocols Analysis

Transcription

1 Formal Methods in Security Protocols Analysis Li Zhiwei Aidong Lu Weichao Wang Department of Computer Science Department of Software and Information Systems University of North Carolina at Charlotte

2 Big Picture Biggest Problem - rapid growth of interconnectivity - opens doors to cyber attacks Best tool - security mechanisms - security protocols play an essential role Full Control Insecure network Therefore Therefore future improvements depend highly on our ability to analyse security protocols

3 This talk is about Network security protocols Become a central concern And formal methods for their security analysis Security proof in some model; or Identify attacks

4 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results

5 Security Protocol Security Protocols use cryptographic primitives as building blocks to achieve security goals such as authentication, confidentiality, and integrity. consists of a set of rules which determine the exchange of messages between two or more participants. Protocol steps n : A B : M A sends M to B according to the n th protocol step. A, B principals, M message

6 Security Protocol Security Protocol Program distributed over network Use cryptography to achieve goal Attacker Read, intercept, replace messages, and remember their contents Correctness Attacker cannot learn protected secret or cause incorrect protocol completion

7 A Simple Protocol { A, N A } K B { N A, N B } K A A { N B } K B B K B = pk(b), K B -1 = sk(b) K A = pk(a), K A -1 = sk(a) Needham-Schroeder Public Key Protocol

8 Run of a protocol A Initiate Respond B Attacker C D Correct if no security violation in any run

9 Many other security protocols Challenge-response ISO ,2,3; Needham-Schroeder, Authentication Kerberos Key Exchange SSL handshake, IKE, JFK, IKEv2, Wireless and mobile computing Mobile IP, WEP, i Electronic commerce Contract signing, SET, electronic cash,

10 Motivation Why do we need security protocol analysis even after we constructed security protocols with so much care? Error-prone Security protocols are intricate and attackers are powerful Non-optimal may contain unnecessary operations

11 Examples of protocol flaws IKE [Meadows; 1999] Reflection attack; fix adopted by IETF WG IEEE i [He, Mitchell; 2004] DoS attack; fix adopted by IEEE WG GDOI [Meadows, Pavlovic; 2004] Composition attack; fix adopted by IETF WG Kerberos V5 [Scedrov et al; 2005] Identity misbinding attack; fix adopted by IETF WG How to addresses these shortcomings.

12 the answer is. use automatic verification approach to analysis security protocol Good domain for formal methods Active research area since early 80 s

13 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results

14 Central Problems 1 2 Identify security Model system properties Protocol Property See if properties are preserved under attack 4 Analysis Tool Security proof or attack Answer: the protocol is correct or not Attacker model 3 Model adversary

15 Security Analysis Methodology Security Properties authentication,secrecy,etc Analysis Tool Formal Methods Security proof or attack Answer the protocol is correct or not Security Protocols NS,Kerberos,etc. Attacker Model Complete control over network Perfect crypto 1 Specifies the security protocols to be verified as input 2 Specifies the desired security properties as requirement 3 Use Attacker Model to model adversary 4 The protocol analysis tool analyzes the input protocols using formal methods See if the security properties are preserved under attack 5 Output the result: the procol is flawed or it is correct

16 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results

17 Four Stanford approaches Finite-state analysis Case studies: find errors, debug specifications Symbolic execution model: Multiset rewriting Identify basic assumptions Study optimizations, prove correctness Complexity results Process calculus with probability and complexity More realistic intruder model Interaction between protocol and cryptography Equational specification and reasoning methods Protocol logic Axiomatic system for modular proofs of protocol properties

18 Some other projects and tools Exhaustive finite-state analysis FDR, based on CSP Search using symbolic representation of states Meadows: NRL Analyzer, Millen: Interrogator Prove protocol correct Paulson s Inductive method, others in HOL, PVS, MITRE -- Strand spaces Process calculus approach: Abadi-Gordon spicalculus, applied pi-calculus, Type-checking method: Gordon and Jeffreys, Many more this is just a small sample

19 Protocol Analysis Techniques Security Protocol Analysis Formal Models Dolev-Yao (perfect cryptography) Cryptographic Models Model Checking Protocol Logics Process Calculi Theorem Proving Probabilistic Interactive TM Probabilistic process calculi Probabilistic I/O automata FDR, Murphi, Athena, NRL, Brutus, OFMC BAN, PCL Spi-calculus, Applied π-calculus Inductive Method, Automating BAN, TAPS, Automating PCL Bug Finding Correctness Proofs

20 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results

21 The Athena aims to provide a method to: generates a proof if the protocol is actually RIGHT generates a counterexample if the protocol is actually WRONG

22 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results

23 Strand Space Model Answer Problem 1: Specifies the security protocols model security protocols and their execution graphical representation of execution Simple and intuitive A suitable framework for... formal specifications of security properties... proving correctness of protocols Thayer, Herzog, Guttman [THG98]

24 Defining Strand Spaces Message: ground term in free algebra Strand: sequence of nodes Node is labeled with +/- message Bundle: causal partial ordering of nodes in strands strand space:is a collection of strands Example: (The global view) { A, N A } K B { N A, N B } K A A { N B } K B B

25 Defining Strand Spaces(cont d) { A, N A } K B KA { N A, N B } B s view of the protocol { A, N A } K B {N B } K B A s view of the protocol { N A, N B } K A {N B } K B + { A, N A } K B -{ N A, N B } K A + {N B } K B Strand represents a sequence of actions (i.e, signed messages ±m) of an instance of a role + means principal sends this message - means principal receives this message A s (trace of his) strand

26 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results

27 Security Properties in this Logic Answer Problem 2: Specifies the desired security properties Authentication Secrecy A value v is secret in a strand space S if, for every bundle C that contains S, there does not exist a node n C, such that term(n)=v

28 For NS Authentication The formula that needs to be checked is gamma n 1 : - { A 0, N a0 } K b0 protocol The NS protocol delta n 1 : + { A 0, N a0 } K b0 + { A, N A } K B -{ A, N A } K B n 2 : + { N a0, N b0 } K a0 n 2 : - { N a0, N b0 } K a0 -{ N A, N B } K A + {N A, N B } K A n 3 : - {N b0 } K b0 + {N B } K B, -{N B } K B n 3 : + {N b0 } K b0

29 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results

30 The Penetrator Answer Problem 3: Model adversary participates in protocols via penetrator strands reflect the potentials of the penetrator penetrator is able to intercept and create messages (independent of the protocol) read and memorize all (not encrypted) message parts synthesize new messages built from his knowledge

31 The Penetrator Description of the intruder

32 Composing Strands to Bundles Regular strands Penetrator strands Intended protocol Attacker protocol

33 Penetrator s Work An Example Breaking into Needham-Schroeder protocol k A -{ N A, A } Kp + K p -1 -K p -1 Key K + N A, A Decryption D -N A, A -K B Key K + K B Man-in-the-middle attack + {N A, A } KB Encryption E pass messages through to another session A X B

34 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results

35 Design of Model Checker Answer Problem 4: See if properties are preserved under attack Verification Algorithm Given a model P, check if it satisfies formula F It turns out to be state search problem

36 Design of Model Checker Verification Algorithm Given a model P, check if it satisfies formula F It turns out to be state search problem If provable Athena If not provable, then counter-example Obtain a formal proof of the protocol Obtain concrete attacks on the protocol Axioms Axioms Counter-example Agreement formula Agreement formula

37 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results

38 NSPK in Strand Space Model A strand B strand Penetrator strands +{n,a} k b -{n,r} k a -{n,a} k b +{n,r} k a {x} k x k -1 x k +{r} k b -{r} k b {x} k The NS protocol 1. A 2. B 3. A B :{ N A:{ N B :{ N A A B, A}, N } B B B } A Each primitive capability of the attacker is a penetrator strand Same set of attacker strands for every protocol

39 The NS protocol + { A, N A } K -{ A, N A } B K B NS Protocol -{N A, N B } K A + {N A, N B } K A + {N B } K B -{N B } K B Try to discover the flaw in NS Anomaly in NS gamma,delta k A

40 NS Example l 0 =gamma n 1 : - { A 0, N a0 } K b0 unbound goals n 2 : + { N a0, N b0 } K a0 n 3 : - {N b0 } K b0

41 l 1 n 1 : - { A 0, N a0 } K b0 n 2 : + { N a0, N b0 } K a0 E(ncription) n 4 : -K b0 n 5 : - N b0 unbound goals n 3 : - {N b0 } K b0 n 6 : + {N b0 } K b0 3 unbound goals l 0 l 1 (3 unbound goal) l 2 (0 unbound goal) l 2 n 1 : - { A 0, N a0 } K b0 NS n4: + { A0, Na0 }Kb0 n 2 : + { N a0, N b0 } K a0 n 5 : - { N a0, N b0 } K a0 n 3 : - {N b0 } K b0 n 6 : + {N b0 } K b0

42 State Search for Needham-Shroeder l 0 l 1 n 1 : - { A 0, N a0 } K b0 E(ncription) n 4 : -K b0 l 1 (3) l 2 (0) n 2 : + { N a0, N b0 } K a0 n 5 : - N b0 l 3 (2) n 3 : - {N b0 } K b0 n 6 : + {N b0 } K b0 l 4 (3) l 5 (2) l 6 (2) l 2 n 1 : - { A 0, N a0 } K b0 NS n4: + { A0, Na0 }Kb0 l 7 (2) n 2 : + { N a0, N b0 } K a0 n 5 : - { N a0, N b0 } K a0 l 8 (invalid,cycle) n 3 : - {N b0 } K b0 n 6 : + {N b0 } K b0 l 9 (0)

43 l 9 NS gamma E(ncription) n 12 : -K b0 K(ey) n 7 D(ecription) K(ey) n 15 : -K I n 11 n 16 : -{A 0, N a0 } K I NS delta n 18 : + { A 0, N a0 } K b0 n 13 : - A 0, N a0 n 17 : + A 0, N a0 n 1 : - { A 0, N a0 } K b0 n 14 : + {A 0, N a0 } K b0 n 2 : + { N a0, N b0 } K a0 E(ncription) n 4 : -K b0 D(ecription) n 8 : -K I K(ey) n 7 :+K b0 n 9 : -{N b0 } K I K(ey) n 11 : +K I n 19 : - { N a0, N b0 } K a0 n 20 : + {N b0 } K b0 n 5 : - N b0 n 10 : + N b0 n 3 : - {N b0 } K b0 n 6 : + {N b0 } K b0 Search procedure terminate and counter example found!!! Obtain concrete attacks on the protocol Axioms Counter-example : Man-in-the-middle attack gamma delta

44 NSPK Attack +{n,a} k e Anomaly in NS -{n,r} k a k e -1 {n,a} k b +{r} k e {n,a} k b k A +{n,r} k a -{r} k b

45 NSL verification The NSL protocol A B A B :{ N 1 A:{ N B :{ N 1, A} 2, N } B 2 B, B} A

46 Conclusions Practical protocols may contain errors Automated formal methods find bugs that humans overlook Variety of tools Model checking can find errors Proof method can show correctness Athena Closing gap between the model checking and proof method Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Secrity protocol analysis is a challenge Some subtleties are hard to formalize No absolute security Security means: under given assumptions about system, no attack of a certain form will destroy specified properties.

47 References [THG98] F.Javier Thayer, Jonathan C. Herzog, and Joshua D. Guttman. Strand spaces: Why is a security protocol correct? In Proceedings of 1998 IEEE Symposium on Security and Privacy, [Low96] G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Tools and Algorithms for the Construction and Analysis of Systems, volume 1055 of Lecture Notes in Computer Science, pages Springer-Verlag, [Mil95] J. Millen. The Interrogator model. In Proceedings of the 1995 IEEE Symposium on Security and Privacy, pages IEEE Computer Society Press, [MMS97] J. C. Mitchell, M. Mitchell, and U. Stern. Automated analysis of cryptographic protocols using mur. In Proceedings of the 1997 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, [RN95] Stuart Russell and Peter Norvig. Artificial Intelligence: A Modern Approach. Prentice Hall Series in Artificial Intelligence, [HT96] N. Heintze and J. Tygar. A model for secure protocols and their compositions. IEEE Transactions on Software Engineering, 22(1):16 30, January 1996.