ACCESS – distributed management group
Formal Verification of Security
Protocols – an Introduction
Mads Dam
KTH/CSC
Security Protocols
• Two or more parties
• Communication over insecure network
• Active adversary can
Alice
– Intercept messages
– Forge messages
– Replay messages
• Cryptography is countermeasure
– Encrypt data
– Sign and authenticate data
– Exchange secret keys
– Generate nonces and time stamps
Bob
Charlie
Eve
Security Objectives
Goal: To preserve some desired property as far as possible
in face of attack
Confidentiality:
• Secrecy of message, secrecy of bits
• Anonymity, privacy
Integrity:
• Authenticity
• Distributed agreement
• Survivability
Availability:
• Denial of service prevention
Security Analysis
• Model system
Granularity, adversary access paths
• Model adversary
Memory, computational power, observational power
• Identify security properties of interest
• Examine if properties preserved under attack
• Result:
– Under given assumptions about the system and the
adversary, no attack of a certain form will destroy the
property we’re after
– Unconditional security is not possible
Modelling Decisions
• Modelling the system
– Single or multiple sessions, several concurrent runs
– Accuracy of computation and communication model
– Real or idealized crypto?
• How powerful is the attacker?
– Simple replays
– Block messages
– Decompose, reassemble and resend messages
– Statistical analysis, traffic analysis?
– Timing behaviour?
• Accuracy of security properties
Needham-Schroeder Key Exchange
{A,NA}KB
A
{NA,NB}KA
{NB}KB
B
NA, NB: Nonces, freshly generated random numbers
KA, KB: Public keys
• {M}KA: Encryption of M readable only to by A
• Since only A possesses secret key KA-1
Goal of protocol: Mutual authentication, establishment of
shared secret (NA,NB)
NSPK - Objectives
• Responder correctly authenticated
If A believes she has authenticated B, and B is honest,
then B believes he has authenticated A
• Initiator correctly authenticated
If B believes he has authenticated A, and A is honest,
then A believes she has authenticated B
• Nonce secrecy
At the end of the protocol, if A and B are both honest
(and in particular do not overtly reveal NA and NB to a
third party) then (NA, NB) is a secret shared between A
and B
Lowe’s Attack
Man-in-the-middle attack
{A,NA}KE
A
{NA,NB}KA
{A,NA}KB
E
{NA,NB}KA
B
{NB}KE
Dishonest E tricks A into revealing B’s session key NB
Note: Attack purely based on protocol functionality, not
crypto dependent
G. Lowe: An Attack on the Needham-Schroeder Public-Key Authentication Protocol, IPL 1995
Verification Approaches
Cryptographic analysis:
• Protocol security reduced to number-theoretic
assumptions
Model checking:
• Build state transition graphs for some system instances
and check as well as possible
Theorem proving:
• Phrase problem as idealized mathematical problem
(perfect crypto, other simplifications) and prove it
Process modelling approach:
• Model system as communicating processes, use
equational reasoning
Other: temporal logics, logics of knowledge and belief
Cryptographic Protocol Analysis
Security reduced to number-theoretic assumptions, e.g.:
• Hardness of prime factorization
• Diffie-Hellman: Hard to compute g given g and g, for
,  2 Zq random
Universally composable security [Canetti]
• Replace subprotocols by idealized versions while
preserving security
Successfully analyze complex protocols, e.g. [Wikström]
Analysis complex and highly error-prone
Computationally sound formal analysis
• Cf. [Rogaway-Abadi], currently active area
R. Canetti: Universally Composable Security: A New Paradigm for Cryptogaphic Protocols. Proc. 42nd FOCS, 2001
D. Wikström: On the Security of Mix-Nets and Hierarchical Group Signatures. Ph.D. Thesis, KTH-CSC, 2005
M. Abadi, P. Rogaway: Reconciling Two Views of Cryptography, J. Cryptology, 2002
Model Checking
Idea: System modelled as communicating finite state
machines
• Bounded state spaces
• Bounded state variable domains
• Communication by shared state variables or message
passing
Query as state reachability problem
...
...
• Is ”bad” state reachable?
...
Automated state space traversal
• Hashing: 1 bit per state suffices
• Subject to probabilistic accuracy
Examples: SPIN, SMV, Mur
Limitations of Finite State Methods
Everything must be fixed:
• Number of participants
• Participants behaviour
So no ”unknown” transitions, no open systems
• Number of sessions
• Message space
No encrypt(encrypt(...(encrypt(...)) ...))
• Memory
Of honest party, of attacker, or communication channel
Really, this is ”just” very comprehensive simulation
Model Checking Security Protocols
1. Model protocol entities and network
Initiator and responder as fsa’s
Network as shared variable (SMV, Mur)
- Or as bounded buffer (SPIN)
2. Model adversary
Typically one control state, bounded memory
- Intercept messages
- Store and recall messages
- Bounded generation of new messages, using
observed and initial data (typically: Public keys)
3. Determine ”bad” states and hope for termination
Example: J. Mitchell, V. Shmatikov, I Stern: Finite-State Analysis of SSL 3.0, USENIX 1998
Process-Oriented Models
Model ”real” and idealized system as concurrent processes
Ideal system: SPEC
Real system: IMPL
Observational congruence:
SPEC ¼ IMPL
• No observational difference between SPEC and IMPL
• SPEC and IMPL are observationally ”the same”
• Congruence:
SPEC ¼ IMPL implies C[SPEC] ¼ C[IMPL]
in any context C[-]
• Even a hostile one ) security for unknown attackers!
R. Milner: A Calculus of Communicating Processes, Prentice-Hall 1989
R. Milner, J. Parrow, D. Walker: A Calculus of Mobile Processes, I and II. Information and Computation 1992
Example: Applied Pi
Based on pi-calculus [Milner-Parrow-Walker-92]
Processes communicate by synchronous handshaking
Values = channel names
c: Declares new name c
C
C
b
2
1
b
c b
c
A
c
a
3
c
a
B
A a
A
1: A has local c, passes c to B
2: B receives c, spawns node C with link b, passes c on
3: C receives c, B forgets b and c
B
B
Applied Pi
Applied pi adds equational theory of names
Example: theory of pairs and asymmetric encryption
• Operations: pair(-,-), fst(-), snd(-), pk(-), sk(-), dec(-,-),
enc(-,-)
• Equations:
fst(pair(x,y)) = x
snd(pair(x,y) = y
dec(enc(x,pk(y)),sk(y)) = x
Generation of random keys and nonces: Use  !!
Alice1(seedA,pkE) =
NA.comm!enc(pair(A,NA),pkE).Alice2(seedA,pkE,NA)
Alice2(seedA,pkE,NA) = ... etc ...
C. Fournet, M. Abadi: Mobile values, new names, and secure communication. Proc. POPL’01
Applications
ProVerif: Constraint-based tool developed by B. Blanchet
Successfully used for verification of complex protocols in
applied pi
Examples:
Just Fast Keying – complex authentication protocol
Protocol for certified email
Rationale for success:
Very rudimentary control flow in protocols
No branching on secrets
Remaining challenges:
Multiple sessions/agents, richer control flow,
cryptographic soundness
M. Abadi, B. Blanchet, C. Fournet. Just Fast Keying in the Pi Calculus. TISSEC’07
M. Abadi, B. Blanchet. Computer-Assisted Verification of a Protocol for Certified Email. Science of Computer
Programming 2005
Epistemic Security Logics
Many security-related concepts are naturally phrased in
terms of knowledge:
– A should not know the secret data
– B should know the value received is the value sent
– B should know that C knows the value sent
– D should know that E does not know the vote cast
– F should not know that G and H shares the secret x
– ... etc. etc. ...
Epistemic logic: Formalization of modality A knows F
Agent
Property of agents state
M. Burrows, M. Abadi, R. M. Needham: A Logic of Authentication. ToCS, 1990
What Is Cryptographic Knowledge?
Not trivial
Standard accounts are cryptographically omniscient:
If x = enc(y,z) then A knows x = enc(y,z)
Ruins all cryptographic security !!
What Is Cryptographic Knowledge?
State: Assignment of terms to variables
x = enc(y,pk(z))
y = pair(0,1)
z=c
All operations and public constants are one-way
computable
Different agents have access to different variables
A knows F in state s:
F holds at all global states s’ that A cannot distinguish
from s
What Is Cryptographic Knowledge?
State: Assignment of terms to variables
x = enc(y,pk(z))
Accessible to A
y = pair(0,1)
Not accessible to A
z=c
Not accessible to A
All operations and public constants are one-way
computable
Different agents have access to different variables
A knows F in state s:
F holds at all global states s’ that A cannot distinguish
from s
E.g.: A knows y = pair(0,1), :(A knows x  enc(k,pk(c’))
Results
A can distinguish global states s, s’:
Same equations hold for A in s and s’
Static equivalence in applied pi
Computationally justified semantics for BAN logic
Complete axiomatization of validity
For some theories, cryptographic soundness through link to
applied pi:
A knows F at s if and only if F holds at all states that are
computationally indistinguishable from s in sense of
cryptography
M. Cohen, M. Dam: Logical Omniscience in the Semantics of BAN Logic, Proc. FCS’05
M. Cohen, M. Dam: A Completeness Result for BAN Logic, Proc. M4M’05
M. Cohen, M. Dam: A Complete Axiomatization of Knowledge and Cryptography, Submitted
State of the Field
Single-session, approximate analysis of industry-scale
security protocols becoming feasible
- ”Static” protocols
- Limited control flow, no recursion, no concurrency
- Cf. Avispa project site
Cryptographic analysis remains complex and error-prone
Cryptographic soundness active research area
- May become feasible in limited applications
Main challenge, cf. ACCESS:
- Lifting analysis techniques to dynamic and concurrent
systems
Survivable Systems
Testing, diagnosis, repair, of large scale distributed systems
– how?
For given protocol, how to identify a faulty (random,
byzantine) node?
Bob
How to neutralize a faulty node?
For which fault models?
Random faults?
Alice
Byzantine faults?
Relative to given attack goal?
Goal: Probabilistic guarantees for
Charlie
fault detection and elimination
Eve
Confidential Aggregation?
Example: Epidemic protocols
At round 0:
Local estimate = local value
At round n+1:
Neighbours exchange + average
local estimates
Local value leaked at step 1
Or when local value changes
Is it possible to aggregate without
leaking information?
A
A
B
3
B
5
B
4
2
A
6
2
5
3