ACCESS – distributed management group
Formal Verification of Security Protocols – an Introduction
Mads Dam, KTH/CSC

Security Protocols
• Two or more parties (Alice, Bob, Charlie, Eve in the figure)
• Communication over an insecure network
• Active adversary can
  – Intercept messages
  – Forge messages
  – Replay messages
• Cryptography is the countermeasure
  – Encrypt data
  – Sign and authenticate data
  – Exchange secret keys
  – Generate nonces and time stamps

Security Objectives
Goal: To preserve some desired property as far as possible in the face of attack
Confidentiality:
• Secrecy of message, secrecy of bits
• Anonymity, privacy
Integrity:
• Authenticity
• Distributed agreement
• Survivability
Availability:
• Denial of service prevention

Security Analysis
• Model the system: granularity, adversary access paths
• Model the adversary: memory, computational power, observational power
• Identify the security properties of interest
• Examine whether the properties are preserved under attack
• Result:
  – Under the given assumptions about the system and the adversary, no attack of a certain form will destroy the property we’re after
  – Unconditional security is not possible

Modelling Decisions
• Modelling the system
  – Single or multiple sessions, several concurrent runs
  – Accuracy of the computation and communication model
  – Real or idealized crypto?
• How powerful is the attacker?
  – Simple replays
  – Block messages
  – Decompose, reassemble and resend messages
  – Statistical analysis, traffic analysis?
  – Timing behaviour?
• Accuracy of the security properties

Needham-Schroeder Key Exchange (NSPK)
Message flow between A and B:
  1. A → B: {A, NA}KB
  2. B → A: {NA, NB}KA
  3. A → B: {NB}KB
NA, NB: nonces, freshly generated random numbers
KA, KB: public keys
• {M}KA: encryption of M, readable only by A, since only A possesses the secret key KA^-1
Goal of the protocol: mutual authentication, establishment of a shared secret (NA, NB)

NSPK – Objectives
• Responder correctly authenticated
  If A believes she has authenticated B, and B is honest, then B believes he has authenticated A
• Initiator correctly authenticated
  If B believes he has authenticated A, and A is honest, then A believes she has authenticated B
• Nonce secrecy
  At the end of the protocol, if A and B are both honest (and in particular do not overtly reveal NA and NB to a third party), then (NA, NB) is a secret shared between A and B

Lowe’s Attack
Man-in-the-middle attack: A runs the protocol with E, while E replays A’s messages to B in A’s name
  A → E: {A, NA}KE        E → B: {A, NA}KB
  E → A: {NA, NB}KA       B → E: {NA, NB}KA (intended for A, forwarded unchanged)
  A → E: {NB}KE           E → B: {NB}KB
Dishonest E tricks A into revealing B’s session key NB
Note: the attack is based purely on protocol functionality, not on any property of the crypto
G. Lowe: An Attack on the Needham-Schroeder Public-Key Authentication Protocol, IPL 1995

Verification Approaches
Cryptographic analysis:
• Protocol security reduced to number-theoretic assumptions
Model checking:
• Build state transition graphs for some system instances and check them as well as possible
Theorem proving:
• Phrase the problem as an idealized mathematical problem (perfect crypto, other simplifications) and prove it
Process modelling approach:
• Model the system as communicating processes, use equational reasoning
Other: temporal logics, logics of knowledge and belief

Cryptographic Protocol Analysis
Security reduced to number-theoretic assumptions, e.g.:
• Hardness of prime factorization
• Diffie-Hellman: hard to compute g^(αβ) given g^α and g^β, for α, β ∈ Z_q random
Universally composable security [Canetti]
• Replace subprotocols by idealized versions while preserving security
Successfully used to analyze complex protocols, e.g. [Wikström]
Analysis is complex and highly error-prone
Computationally sound formal analysis
• Cf. [Abadi-Rogaway], currently an active area
R. Canetti: Universally Composable Security: A New Paradigm for Cryptographic Protocols. Proc. 42nd FOCS, 2001
D. Wikström: On the Security of Mix-Nets and Hierarchical Group Signatures. Ph.D. Thesis, KTH-CSC, 2005
M. Abadi, P. Rogaway: Reconciling Two Views of Cryptography, J. Cryptology, 2002

Model Checking
Idea: the system is modelled as communicating finite state machines
• Bounded state spaces
• Bounded state variable domains
• Communication by shared state variables or message passing
Query as a state reachability problem
• Is a ”bad” state reachable?
Automated state space traversal
• Hashing: 1 bit per state suffices
• Subject to probabilistic accuracy
Examples: SPIN, SMV, Murφ

Limitations of Finite State Methods
Everything must be fixed:
• Number of participants
• Participants’ behaviour: so no ”unknown” transitions, no open systems
• Number of sessions
• Message space: no unbounded nesting encrypt(encrypt(...(encrypt(...)) ...))
• Memory: of the honest party, of the attacker, or of the communication channel
Really, this is ”just” very comprehensive simulation

Model Checking Security Protocols
1. Model protocol entities and network
  – Initiator and responder as finite state automata
  – Network as a shared variable (SMV, Murφ) or as a bounded buffer (SPIN)
2. Model the adversary
  – Typically one control state, bounded memory
  – Intercept messages
  – Store and recall messages
  – Bounded generation of new messages, using observed and initial data (typically: public keys)
3. Determine the ”bad” states and hope for termination
Example: J. Mitchell, V. Shmatikov, U. Stern: Finite-State Analysis of SSL 3.0, USENIX 1998

Process-Oriented Models
Model the ”real” and the idealized system as concurrent processes
  Ideal system: SPEC
  Real system: IMPL
Observational congruence: SPEC ≈ IMPL
• No observational difference between SPEC and IMPL
• SPEC and IMPL are observationally ”the same”
• Congruence: SPEC ≈ IMPL implies C[SPEC] ≈ C[IMPL] in any context C[-]
• Even a hostile one ⇒ security against unknown attackers!
R. Milner: A Calculus of Communicating Processes, Prentice-Hall 1989
R. Milner, J. Parrow, D. Walker: A Calculus of Mobile Processes, I and II. Information and Computation 1992

Example: Applied Pi
Based on the pi-calculus [Milner-Parrow-Walker-92]
Processes communicate by synchronous handshaking
Values = channel names
νc: declares a new name c
[Figure: processes A, B and C linked by channels a, b, c; three steps]
1: A has local c, passes c to B
2: B receives c, spawns node C with link b, passes c on
3: C receives c, B forgets b and c

Applied Pi
Applied pi adds an equational theory of names
Example: theory of pairs and asymmetric encryption
• Operations: pair(-,-), fst(-), snd(-), pk(-), sk(-), dec(-,-), enc(-,-)
• Equations:
  fst(pair(x,y)) = x
  snd(pair(x,y)) = y
  dec(enc(x,pk(y)),sk(y)) = x
Generation of random keys and nonces: use ν
  Alice1(seedA,pkE) = νNA. comm!enc(pair(A,NA),pkE). Alice2(seedA,pkE,NA)
  Alice2(seedA,pkE,NA) = ... etc ...
C. Fournet, M. Abadi: Mobile values, new names, and secure communication. Proc. POPL’01

Applications
ProVerif: constraint-based tool developed by B. Blanchet
Successfully used for verification of complex protocols in applied pi
Examples:
• Just Fast Keying – a complex authentication protocol
• A protocol for certified email
Rationale for success: very rudimentary control flow in protocols, no branching on secrets
Remaining challenges: multiple sessions/agents, richer control flow, cryptographic soundness
M. Abadi, B. Blanchet, C. Fournet: Just Fast Keying in the Pi Calculus. TISSEC’07
M. Abadi, B. Blanchet: Computer-Assisted Verification of a Protocol for Certified Email. Science of Computer Programming 2005

Epistemic Security Logics
Many security-related concepts are naturally phrased in terms of knowledge:
  – A should not know the secret data
  – B should know that the value received is the value sent
  – B should know that C knows the value sent
  – D should know that E does not know the vote cast
  – F should not know that G and H share the secret x
  – ... etc. etc. ...
Epistemic logic: formalization of the modality ”A knows F” (A: an agent; F: a property of the agents’ state)
M. Burrows, M. Abadi, R. M. Needham: A Logic of Authentication. ToCS, 1990

What Is Cryptographic Knowledge?
Not trivial. Standard accounts are cryptographically omniscient:
  If x = enc(y,z) then A knows x = enc(y,z)
This ruins all cryptographic security!

What Is Cryptographic Knowledge?
State: an assignment of terms to variables, e.g.
  x = enc(y,pk(z))    accessible to A
  y = pair(0,1)       not accessible to A
  z = c               not accessible to A
All operations and public constants are one-way computable
Different agents have access to different variables
A knows F in state s: F holds at all global states s’ that A cannot distinguish from s
E.g.: A knows y = pair(0,1), ¬(A knows x = enc(k,pk(c’)))

Results
A cannot distinguish the global states s and s’ iff the same equations hold for A in s and s’
• Static equivalence in applied pi
Computationally justified semantics for BAN logic
Complete axiomatization of validity
For some theories, cryptographic soundness through the link to applied pi:
• A knows F at s if and only if F holds at all states that are computationally indistinguishable from s in the sense of cryptography
M. Cohen, M. Dam: Logical Omniscience in the Semantics of BAN Logic, Proc. FCS’05
M. Cohen, M. Dam: A Completeness Result for BAN Logic, Proc. M4M’05
M. Cohen, M. Dam: A Complete Axiomatization of Knowledge and Cryptography, Submitted

State of the Field
Single-session, approximate analysis of industry-scale security protocols is becoming feasible
  – ”Static” protocols
  – Limited control flow, no recursion, no concurrency
  – Cf. the Avispa project site
Cryptographic analysis remains complex and error-prone
Cryptographic soundness is an active research area
  – May become feasible in limited applications
Main challenge, cf. ACCESS:
  – Lifting the analysis techniques to dynamic and concurrent systems

Survivable Systems
Testing, diagnosis, repair of large-scale distributed systems – how?
[Figure: nodes Alice, Bob, Charlie, Eve]
For a given protocol, how to identify a faulty (random, byzantine) node?
How to neutralize a faulty node?
For which fault models? Random faults? Byzantine faults? Relative to a given attack goal?
Goal: probabilistic guarantees for fault detection and elimination

Confidential Aggregation?
Example: epidemic protocols
  At round 0: local estimate = local value
  At round n+1: neighbours exchange and average their local estimates
Local value leaked at step 1, or whenever the local value changes
Is it possible to aggregate without leaking information?
[Figure: nodes A and B exchanging and averaging their estimates over several rounds]
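The NSPK objectives, Lowe’s attack and the three-step model-checking recipe from the slides above, worked through as an added Python example (not code from the slides, nor from SPIN, SMV or Murφ): a bounded symbolic model with one honest initiator A, one honest responder B and the adversary E owning the network, explored by breadth-first search for ”bad” states. Everything about the encoding is an assumption of this example: terms as nested tuples, E’s message generation bounded to replaying observed terms or filling a receiver’s message pattern with atoms it knows, one session per role, and the `lowe_fix` flag, which adds the responder’s name to message 2 (Lowe’s published repair, which the slides do not describe).

```python
from collections import deque
from itertools import product

# Constructed model: honest initiator A, honest responder B, adversary E on the wire.
# Terms are nested tuples; atoms (agent names, nonces) are strings.
AGENTS = ('A', 'B', 'E')
ATOMS = ('A', 'B', 'E', 'NA', 'NB', 'NE')

def enc(m, x):                    # {m} under the public key of agent x
    return ('enc', m, x)

def pair(x, y):
    return ('pair', x, y)

def closure(k):
    """Dolev-Yao analysis: E splits pairs and decrypts anything under pk(E)."""
    k, todo = set(k), list(k)
    while todo:
        t = todo.pop()
        parts = ()
        if isinstance(t, tuple) and t[0] == 'pair':
            parts = (t[1], t[2])
        elif isinstance(t, tuple) and t[0] == 'enc' and t[2] == 'E':
            parts = (t[1],)
        for p in parts:
            if p not in k:
                k.add(p)
                todo.append(p)
    return frozenset(k)

def match(pat, t, b=None):
    """Match t against a pattern with variables ('?', name); bindings or None."""
    b = {} if b is None else b
    if isinstance(pat, tuple) and pat[0] == '?':
        return b if b.setdefault(pat[1], t) == t else None
    if isinstance(pat, tuple):
        if not (isinstance(t, tuple) and len(t) == len(pat) and t[0] == pat[0]):
            return None
        return b if all(match(p, c, b) is not None for p, c in zip(pat[1:], t[1:])) else None
    return b if pat == t else None

def subst(t, b):
    if not isinstance(t, tuple):
        return t
    return b[t[1]] if t[0] == '?' else (t[0],) + tuple(subst(c, b) for c in t[1:])

def atoms_of(t):
    return set().union(*(atoms_of(c) for c in t[1:])) if isinstance(t, tuple) else {t}

def variables(t):
    if not isinstance(t, tuple):
        return set()
    return {t[1]} if t[0] == '?' else set().union(*(variables(c) for c in t[1:]))

def candidates(k, pattern):
    """Messages E can deliver to a party expecting `pattern`: a replay of any term it
    has seen, or a fresh composition from atoms it knows (pairing and encryption
    under any public key are public). Assumed bound: variables get atoms only."""
    vs = sorted(variables(pattern))
    known = [a for a in ATOMS if a in k]
    out = {t for t in k if isinstance(t, tuple)}
    for vals in product(known, repeat=len(vs)):
        t = subst(pattern, dict(zip(vs, vals)))
        if atoms_of(t) <= k:
            out.add(t)
    return out

def successors(s, lowe_fix):
    """One step by A or B; E observes every message sent.
    State = (A phase, A's peer, B phase, B's peer, E's knowledge)."""
    a_ph, a_peer, b_ph, b_peer, k = s
    if a_ph == 0:                                        # A may start with B or with E
        for peer in ('B', 'E'):
            yield (1, peer, b_ph, b_peer, closure(k | {enc(pair('A', 'NA'), peer)}))
    if a_ph == 1:                                        # A expects {NA,N}KA; fixed: {NA,N,peer}KA
        pat = enc(pair('NA', pair(('?', 'N'), a_peer) if lowe_fix else ('?', 'N')), 'A')
        for m in candidates(k, pat):
            b = match(pat, m)
            if b is not None:
                yield (2, a_peer, b_ph, b_peer, closure(k | {enc(b['N'], a_peer)}))
    if b_ph == 0:                                        # B expects {X,N}KB from some agent X
        pat = enc(pair(('?', 'X'), ('?', 'N')), 'B')
        for m in candidates(k, pat):
            b = match(pat, m)
            if b is not None and b['X'] in AGENTS:
                reply = enc(pair(b['N'], pair('NB', 'B') if lowe_fix else 'NB'), b['X'])
                yield (a_ph, a_peer, 1, b['X'], closure(k | {reply}))
    if b_ph == 1 and enc('NB', 'B') in candidates(k, enc('NB', 'B')):
        yield (a_ph, a_peer, 2, b_peer, k)               # B accepts {NB}KB and completes

def violation(s):
    """The 'bad' states, taken from the NSPK objectives slide."""
    a_ph, a_peer, b_ph, b_peer, k = s
    if b_ph == 2 and b_peer == 'A':                      # B believes he authenticated honest A
        if not (a_ph == 2 and a_peer == 'B'):            # ... but A did not authenticate B
            return 'initiator authentication'
        if 'NA' in k or 'NB' in k:                       # ... or E learned one of the nonces
            return 'nonce secrecy'
    return None

def model_check(lowe_fix=False):
    """Breadth-first search; returns (violated objective or None, states explored)."""
    init = (0, None, 0, None, closure({'A', 'B', 'E', 'NE'}))
    seen, queue = {init}, deque([init])
    while queue:
        s = queue.popleft()
        v = violation(s)
        if v:
            return v, len(seen)
        for t in successors(s, lowe_fix):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return None, len(seen)

if __name__ == '__main__':
    print('NSPK:', model_check(False))            # 'initiator authentication' (Lowe's trace)
    print('NSPK + Lowe fix:', model_check(True))  # no bad state within the bound
```

For plain NSPK the search reaches a state in which B has completed believing his peer is A while A completed her run with E, which is exactly Lowe’s trace; with the repaired message 2 no bad state is reachable. As the Limitations slide warns, the clean result only speaks for this bounded instance (one session per role, messages composed from atoms), not for more sessions or deeper message nesting.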
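The equational theory from the Applied Pi slide and the criterion from the Results slide (A cannot distinguish s from s’ iff the same equations hold for A in both), as an added Python example that is not from the slides or from ProVerif: a normaliser for the three equations, plus a bounded search for an equation M = N over A’s accessible variables that holds in one state but not in the other. The two states are constructed from the slide’s example (x = enc(y, pk(z)), y = pair(0,1), z = c); the second state s’, the variable names, the public constants and the recipe depth bound are assumptions of this example.

```python
from itertools import product

# Constructed example. Terms are nested tuples; atoms (names and the public
# constants '0', '1') are strings. A's view of a state is a frame: the terms
# assigned to the variables A can access.
OPS1 = ('fst', 'snd', 'pk', 'sk')          # unary public operations
OPS2 = ('pair', 'enc', 'dec')              # binary public operations
PUBLIC = ('0', '1')                        # public constants every agent can use

def op(t):
    return t[0] if isinstance(t, tuple) else None

def norm(t):
    """Normal form under fst(pair(x,y)) = x, snd(pair(x,y)) = y,
    dec(enc(x,pk(y)),sk(y)) = x; anything else is stuck (one-way)."""
    if not isinstance(t, tuple):
        return t
    t = (t[0],) + tuple(norm(c) for c in t[1:])
    if t[0] == 'fst' and op(t[1]) == 'pair':
        return t[1][1]
    if t[0] == 'snd' and op(t[1]) == 'pair':
        return t[1][2]
    if (t[0] == 'dec' and op(t[1]) == 'enc' and op(t[1][2]) == 'pk'
            and op(t[2]) == 'sk' and t[1][2][1] == t[2][1]):
        return t[1][1]
    return t

def subst(recipe, frame):
    """Evaluate a recipe (a term over A's accessible variables) in a frame."""
    if isinstance(recipe, tuple):
        return (recipe[0],) + tuple(subst(c, frame) for c in recipe[1:])
    return frame.get(recipe, recipe)

def recipes(variables, depth):
    """All terms A can compute from its variables and the public constants with at
    most `depth` nested public operations (the bound is an assumption here)."""
    out = list(variables) + list(PUBLIC)
    for _ in range(depth):
        level = list(out)
        out += [(f, t) for f in OPS1 for t in level]
        out += [(f, a, b) for f in OPS2 for a, b in product(level, level)]
    return out

def holds(test, frame):
    """Does the equation M = N hold in the frame?"""
    m, n = test
    return norm(subst(m, frame)) == norm(subst(n, frame))

def distinguishing_test(s, s2, depth=2):
    """Return an equation (M, N) that holds in exactly one of the two states, or
    None if every recipe equation holds in both: then A cannot tell s from s2."""
    seen_s, seen_s2 = {}, {}
    for r in recipes(sorted(s), depth):
        n1, n2 = norm(subst(r, s)), norm(subst(r, s2))
        if seen_s.setdefault(n1, (r, n2))[1] != n2:    # r = r' in s but not in s2
            return (seen_s[n1][0], r)
        if seen_s2.setdefault(n2, (r, n1))[1] != n1:   # r = r' in s2 but not in s
            return (seen_s2[n2][0], r)
    return None

# Constructed states. S follows the slide (x = enc(y, pk(z)), y = pair(0,1), z = c);
# S2 gives x an unrelated plaintext k under an unrelated key c2. A sees x and y only.
S = {'x': ('enc', ('pair', '0', '1'), ('pk', 'c')), 'y': ('pair', '0', '1')}
S2 = {'x': ('enc', 'k', ('pk', 'c2')), 'y': ('pair', '0', '1')}
# Same states, but A additionally holds w = sk(c), the key that opens x in S.
S_KEY = dict(S, w=('sk', 'c'))
S2_KEY = dict(S2, w=('sk', 'c'))

if __name__ == '__main__':
    print('without sk(c):', distinguishing_test(S, S2))           # None: x is opaque
    print('with sk(c):   ', distinguishing_test(S_KEY, S2_KEY))   # e.g. y = dec(x, w)
```

Without sk(c) no recipe equation separates the two states, so by the slide’s definition A does not know x = enc(pair(0,1), pk(c)) even though x is in its view; once A holds sk(c) the equation dec(x, w) = y holds in S but not in S2, so the states are distinguishable and the knowledge is justified. The omniscient semantics criticised on the slides would make A know the plaintext in both cases.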