Verifying Second-Level Security Protocols
G.Bella, C.Longo, L.C.Paulson
UNIVERSITÀ di CATANIA, Dipartimento di Matematica e Informatica
Proc. of TPHOLs 2003, these days in Rome

Certified e-mail delivery
Hmm, must send him an e-mail but in such a way that he can't claim I didn't
OK, I'll send it using that certified e-mail protocol
Then I'll get a receipt when he sees the message!

G.Bella, C.Longo, L.C.Paulson: Verifying Second-Level Security Protocols 2

Certified e-mail delivery
Hmm, an e-mail from her what a weird protocol though damn it!
It means she now has a receipt that I have read her message!
At least she couldn't get that receipt until I opened her email!

Goals in distributed systems
- Complex security goals: certified e-mail, contract-signing, non-repudiation, delegation
- Basic security goals: confidentiality, authentication, integrity
- Basic communication goals: routing, transmission of raw byte streams
Different goals require different kinds of protocol.

A hierarchy of protocols
- second-level: complex security protocols (second-level security protocols): verified??
- first-level: classical security protocols (first-level security protocols): verified!
- 0th-level: transport protocols (0th-level protocols): verified!
Each protocol relies upon underlying protocols.

Definition
relies upon goals
A second-level security protocol is: a protocol that assumes the goals of underlying authentication protocols in order to achieve its own goals.
Essentially carbon-copied from actual protocol designs.

Protocol Hierarchy?
It entirely depends on design.
- Hierarchical (third level): How to verify?
- Flat (first level): Verified!
[Diagram labels: CE, SCE, SSL]

Certified e-mail (Abadi et al.)
Abbreviations:
Steps:
This is a second-level protocol: it refers to SSL.

How the protocol works
- Sender S sends the message, encrypted using a session key, to recipient R.
- If R wants to proceed, R asks the Trusted Third Party (TTP) for the key.
- The TTP releases the key to R and simultaneously gives a receipt to S.

Verifying second-level protocols
- Shmatikov and Mitchell have model-checked a contract-signing protocol
- Abadi and Blanchet have verified the certified e-mail protocol using Blanchet's verifier
- Creese et al. advance that a DY attacker may be exaggerated in ubiquitous environments (FAST 2003)

Our contribution
Identify the concept of second-level protocols
Enrich our inductive approach to
1. model the goals of first-level protocols
2. adapt Dolev-Yao's threat model
3. express and verify the protocol goals

Primitive events
- A sends message X to B
- B receives message X from network
- A stores message X as an internal state change
Fine for first-level protocols. And for second-level?

Basic operators

Specifying a protocol inductively
Protocol DAP

1. Modelling underlying goals
- Authentication: allow references to sender by event, otherwise forbidden. Reception event naturally hides sender.
- Confidentiality: use followed by. Reception is not guaranteed in general.
- Guaranteed delivery: impose introduction of reception event. If also confidential, impose.

Modelling authentication
Allow receiver's explicit reference to sender:

Modelling confidentiality
Just replaced events?!

YES: look at knows

Modelling Guaranteed Delivery
Combination of conf. and g.d. simpler to model than just

2. Adapting the threat model
What's the threat model for second-level protocols??
Simply Dolev-Yao, assuming that the first-level protocol works.
The Spy can also use the protocol.
The formalisation of the goals just shown yields this threat model naturally.

Example: formalising message 2
- Query/response mechanism between sender and receiver.
- Hides a Hash of receiver's pwd.
- R sends message to TTP on channel that is SSL protected and delivery guaranteed.
- The message magically reaches TTP.
- Threat model: Spy sees message received by R but not that noted by TTP.

3. Modelling the new goals
Consider an e-mail m, its delivery receipt d, a sender S, an intended recipient R.
Goals of certified e-mail delivery (abstract version):
Must be made precise given a specific protocol.

Example: sender's guarantee 1
Session key available to Spy (receiver might be Spy).
Even then, S gets his receipt!

Example: sender's guarantee 2
Receiver gets session key legitimately (receiver might be Spy).
Even then, S gets his receipt!

Guarantees proved also for receiver
- The receiver will get the key if the sender's receipt exists
- The receiver (who may be the Spy) does not get the key until the sender gets his receipt
- Minor: if neither peer is compromised, then the protocol keeps session key secure

Differences from earlier proofs
- Distrust of peer, who may be dishonest
- Spy's knowledge no longer the main issue: new reasoning methods needed
- Issues in the modelling of secure channels

Found anomaly
- Receiver initiates from step 2, quoting arbitrary sender and building two identical hashes
- Session succeeds and sender gets receipt about email he never sent
Caused by absent authentication of sender with TTP.
Solution: insert sender's password into certificate S2TTP.

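The anomaly above, replayed in the slides' event vocabulary (Says, Gets, Notes) together with the three steps from "How the protocol works"; this is an added example, not the authors' Isabelle model. The agent names, passwords, tuple layouts and function names are constructed, and S2TTP is reduced to the fields needed to show the missing sender authentication and the slides' fix.

```python
from collections import namedtuple

# Primitive events as on the slides: Says (send), Gets (receive), Notes (internal state).
Says = namedtuple("Says", "sender receiver msg")
Gets = namedtuple("Gets", "receiver msg")
Notes = namedtuple("Notes", "agent msg")
PASSWORDS = {"S": "pw-S", "R": "pw-R"}  # constructed secrets each agent shares with the TTP

def s2ttp(sender, key, password=None):
    """Simplified certificate S2TTP (hypothetical layout); only the TTP opens the real one."""
    return ("S2TTP", sender, key, password)

def sender_step(trace, s, r, key, fixed):
    """Step 1: S sends R the e-mail encrypted under a session key, plus S2TTP."""
    msg = ("email", ("Crypt", key, "m"), s2ttp(s, key, PASSWORDS[s] if fixed else None))
    return trace + [Says(s, r, msg), Gets(r, msg)]

def ttp_step(trace, r, cert, fixed):
    """Steps 2-3: R's request reaches the TTP over SSL (modelled as Notes), then release."""
    _, s, key, password = cert
    trace = trace + [Notes("TTP", ("request", r, cert))]
    if fixed and password != PASSWORDS.get(s):
        return trace  # fix from the slides: sender not authenticated, nothing released
    return trace + [Gets(s, ("receipt", r, key)), Gets(r, ("key", key))]

def earlier(trace, i, pred):
    return any(pred(e) for e in trace[:i])

def receipt_implies_sent(trace):
    """Every receipt held by S matches an e-mail S really sent to that receiver."""
    return all(
        earlier(trace, i, lambda e: isinstance(e, Says) and e.sender == ev.receiver
                and e.receiver == ev.msg[1] and e.msg[2][2] == ev.msg[2])
        for i, ev in enumerate(trace) if isinstance(ev, Gets) and ev.msg[0] == "receipt")

def key_only_after_receipt(trace):
    """R never holds the session key before S's receipt for that key exists."""
    return all(
        earlier(trace, i, lambda e: isinstance(e, Gets) and e.msg[:1] == ("receipt",)
                and e.msg[2] == ev.msg[1])
        for i, ev in enumerate(trace) if isinstance(ev, Gets) and ev.msg[0] == "key")

def honest_run(fixed):
    trace = sender_step([], "S", "R", "k1", fixed)
    return ttp_step(trace, "R", trace[-1].msg[2], fixed)

def anomaly_run(fixed):
    """R starts at step 2 with a certificate it built itself, quoting S as sender."""
    return ttp_step([], "R", s2ttp("S", "k-forged"), fixed)
```

Without the fix, anomaly_run(False) produces a receipt that fails receipt_implies_sent; with the password in S2TTP the TTP releases nothing for the forged request, while the honest run still completes.
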
Found anomaly 2
- Receiver claims that email was sent years ago, hence irrelevant
- Receiver may be truthful or not: problem either way
Solution: TTP includes timestamp in delivery receipt.

Conclusions
- Second-level protocols are not difficult to verify
- The use of logic lets us express security properties abstractly and naturally
- A general-purpose proof tool (Isabelle) lets us modify the model without resorting to programming
- Abadi et al.'s email protocol verified
- Proof scripts available