OPEN PROBLEMS IN PROTOCOL VERIFICATION

advertisement
OPEN PROBLEMS IN PROTOCOL
VERIFICATION
Catherine Meadows
Code 5543
Center for High Assurance Computer Systems
Naval Research Laboratory
Washington, DC 20375
meadows@itd.nrl.navy.mil
http://chacs.nrl.navy.mil
IN ORDER FOR FIELD TO
SURVIVE, NEED TO MAKE OUR
RESULTS USEFUL
• What research community has been doing in that
direction
–
–
–
–
–
Analyzing standards, etc.
Communicating results to people responsible
Works best when you can do this early on
Works best when you can get protocol writers involved
Would work best of all if you could get protocol writers
using the tools themselves
• What’s the next step
REQUIREMENT INPUT
• Most obvious way
– have protocol designers generate informal requirements
– translate them into your own formalism
– Problem: easy for misunderstanding or error to creep in
• Next step
– Develop formalism that is closestto how engineers
actually represent requirements
– Problem here: haven’t yet discovered any such suitable
notation for crypto protocols
– Closest thing: message flows
• Describes how protocol supposed to behave in absence of
intruder
• Challenge: Develop requirements language usable by
both protocol designers and protocol verifiers
WHAT IS A TYPE CONFUSION
ATTACK?
• Attack that relies on a principal’s inability between two
strings of two different types
– Hard to verify that type confusion attacks are realistic
– Depends on formatting of data
• What we show in this talk
– Example of a realistic type confusion attacks
– Outline of a technique for detecting type confusion
GDOI
• Protocol facilitating distribution of group keys by Group
Key Distribution Center (GCKS)
– Embodies SMuG framework and architecture
• Based on ISAKMP and IKE
– Standards developed for key exchange
– Used to distribute security associations
• Protocol uses
– IKE to distribute pairwise SAs
– Groupkey Pull Protocol initiated by member to distribute
KEK SAs to new group member
– Groupkey push Datagram to distribute KEK and TEK
SAs to existing group members
GDOI PROTOCOLS
Groupkey Pull Protocol
Initiator (Member)
Responder (GCKS)
--------------------------------HDR*, HASH(1), Ni, ID
-->
<-HDR*, HASH(2), Nr, SA
HDR*, HASH(3) [, KE_I] -->
[,CERT] [,POP_I]
<-HDR*, HASH(4), [KE_R,] SEQ,
KD [,CERT] [,POP_R]
CERT used to verify information about principals
POP used to verify possession of key provided in CERT
POP = signature on hash of Ni,Nr
Groupkey Push Message
Member
------
GCKS or Delegate
----------------
<---- HDR*, SEQ, SA, KD, [CERT,] SIG
POSSIBLE ATTACK
• In third message of groupkey pull protocol, GCKS signs
(NA,NB)
– NA member’s nonce, NB the GCKSs nonce
• Suppose
– Group member dishonest
• Then ...
DETAILS OF ATTACK
• Use fact that groupkey push message likely to end in a
random number
• Create fake groupkey push message:
– HDR, SEQ, SA, KD’
– Minus signature, part or all of random number at end of KD, and final
encryption
DISHONESTMEMBER --> GCKS :
HDR*, HASH(1), Ni = (HDR’, SEQ, SA, KD), ID
• GCKS sends back POP signature on (HDR’, SEQ, SA,
KD, Nr)
• Encrypt with KEK
• Results in authenticated fake groupkey push message
HOW TO AVOID THESE
• Require principals not to accept signed message unless
contains nonce contributed by that principal
– Not an option for group protocols
• Require different mechanisms for different apps.
– Examples
• Different signature keys for POP and groupkey
• Different hash function
• Keyed hash function with different keys
– Often the best option, but too much reliance on this
could lead to intractable key management problem
• Solution chosen: take signature over message and header
indicating type of message
– Similar to solution recommended by Heather, Lowe and
Schneider
WHY WORRY ABOUT TYPE
CONFUSION WHEN SEEMS EASY
TO AVOID IT?
• Can design protocols so that they are free of type
confusion, but what about protocols they interact with?
• A similar type confusion attack we found with NPA relied
upon interaction with ISAKMP, protocol GDOI built on top
of
• Type confusion analysis will help us determine whether or
not it is safe for two protocols to interact
– Carrying Herzog and Guttman’s work one step further
– They show protecting against harmful interaction boils
down to protecting against confusion between
messages
A CLOSER LOOK: WHEN IS
THE GDOI ATTACK POSSIBLE?
• Depends upon relationship between types and lengths of
data used in the two messages
• First message contains two random strings Ni and Nr
– Only Nr recognizable by message generator
• Second message contains a string of recognizable and
random fields F, followed by a random string S
• Constraints are
– Length(Ni) ≥ Length (F)
– Length(Nr) ≤ Length(S)
– Length(Ni) + Length(Nr) = Length(F) + Length(S)
SOLUTION WILL HAVE THREE PARTS
• Definition of type, and type local to a principal
• Definition of game between intruder and signer of a
message
• Procedure for determining whether or not intruder can win
DEFINITION OF TYPE AND
MESSAGE TYPE
• A type is either a set of bit-strings, or a random variable whose
domain is bit-strings
• A message type is a function from lists of bit-strings to types such
that:
– < x1,.., xk > e Domain(R) iff < x1,.., xk-1 > e Domain(R) and xk e R < x1,..,
xk >
– R(i) is defined where I is the empty string
– For now will assume all message types bounded
• Idea is that type of k’th term determined by value of previous k-1
terms
– Example: x1 = “nonce”, X2 = 16-bit integer N, x3 = integer of length
N
• We say that < x1,.., xk > e R when < x1,.., xk > e Dom(R)
• A subtype of R is a restriction of R to some subset of its domain
DEFINITION OF LOCAL TYPE
• A type local to A is a type such that A can determine
whether or not a bit-string is in the type
– A’s name: consists of one value
– All names: consists of all values having name format
– A nonce of length N generated by A: a random variable
w. uniform distribution over terms of length N
– A nonce of length N generated by B: all terms of length
N
• A local message type is a message type from bit-strings to
local types
EXAMPLE
• M = <NONCEI,NONCEA> where NONCEI is a nonce of length
2^16 generated by I and NONCEA nonce of lengt 2^16
generated by A
• Message type local to A is
– R(i) = all integers of length 2^16
– R(NONCEI) = random variable w. uniform distribution over
integers of length 2^16
• N = <nonce,Length,RANDA> where Length is a field of lenth 32,
and RANDA is a nonce of length LENGTH, both generated by A
• Message type local to B is
– S(i) = nonce
– S(nonce) = all integers of length 32
– S(<nonce,N>) = all integers of length N
GAME BETWEEN INTRUDER, A
AND B
•
•
•
Intruder and A play a game in which intruder tries to make A sign a
message of type local to A R that is also type local to B S
One goes first, generates a sequence of terms
The other goes second, generating a list of terms
– May or may not have seen terms previously generated by other
•
•
•
•
Continue in this fashion until done
A’s strategy: obey the rules of the protocol
I’s strategy: maximize chance of producing a message of type S
For purposes of exposition, will assume that terms generated in order
they appear in the message
•
IN our example, I tries to choose NONCEI to maximize probability that
<NONCEI,NONCEB> will be confused with <nonce,N,RANDA>
THE ZIPPER: A PROCEDURE FOR
DETECTING TYPE CONFUSION
Construct tree with nodes of the form
[{<x1|| … ||xk, R’, S’>}, C, p] where
– C set of constraints on lengths
– R’ subtype of R such that <x1,…,xk> in
domain(R)
– S’ subtype of S consisting of all elements s
such that x1 || … || xk a prefix of support s
and constraints from C satisfied
– p is a probability greater than some chosen
number q
START CONSTRUCTING TREE
• Root node is [{<I,R,S>},f,1]
• Construct constraints as follows:
–
–
–
–
C1 = l(x1) ≤ l(y1)
C2 = l(x1) > l(y2), l(x1) ≤ l(y1 + y2)
…
Cm = l(x1) > l(y1 + … + ym-1), l(x1) ≤ l(y1 + … + ym)
• For each constraint Ci, and each possible x1, find
R’ = { r e R | r satisfies Ci & probability of there existing
member s of S satisfying Ci whose support agrees with R
on x1 is p >= q}
• New node is [{<x1,R’,S’>},Ci,max({p})]
NODES IN EXAMPLE
• C1 =l(NONCEI ≤ l(nonce)
–
probability of a match is 1 if NONCEI chosen to
be prefix of nonce, negligible otherwise, so
choose NONCEI a prefix of nonce
• C2 = l(NONCEI) > l(nonce), l(NONCEI) ≤ l(nonce +
N)
– Probability of match is 1 if NONCEI has nonce as
prefix, neglible otherwise, so chose NONCEI with
nonce as prefix
• C3 = l(NONCEI) > l(nonce + N), l(NONCEI) ≤
l(nonce + N + RANDA)
– Probability of match is 1 if NONCE 1 has nonce
and N as prefix, and l(NONCE1) - l(nonce) - l(N)) ≤
N
CONTINUE TO CONSTRUCT TREE
• Given node [ {<x1||x2…||xk, R”, S”>}, C, v]
• Suppose that l(x1+ … + xk) ≤ l(y1+…+yj) appears in C
• New set of constraints is
C U {l(x1 + … + xk+1) ≤ l(y1 + … + yj)}
C U {l(x1 + … + xk+1) > l(y1 + … + yj),
l(x1 + … + xk+1) ≤ l(y1 + … + yj+1)}
…
C U {l(x1 + … + xk+1) > l(y1 + … + ym-1),
l(x1 + … + xk+1) ≤ l(y1 + … + ym)}
If k +1 = n, last one should be an equality
• For each new C, find all < x1,.., xk+1 > such that probability of
finding member of S” with x1 ||…||xk in prefix is p such that pv >
q
• New node is [ {< x1 || x2,…|| xk+1, R’’’, S”’>}, C’, max(pv)] where
R’’’ and S’’’ agree on x1 || x2,…|| xk+1
LOOK AT EXAMPLE AGAIN
• C1 =l(NONCEI ≤ l(nonce)
– Add l(NONCEI + NONCEA) ≤ l(nonce), won’t work,
nothing left to match rest of message
– Only one that could work is l(NONCEI + NONCEA) =
l(nonce + N + RANDA)
• Requires random variable to have its own length minus
length of leftover bit of “nonce” appearing at designated
point
• You can calculate the probability
• C3 = l(NONCEI) > l(nonce + N), l(NONCEI) ≤ l(nonce
+ N + RANDA)
– Add l(NONCEI + NONCEA) = l(nonce + N + RANDA)
– Requires NONCE A to be confused with portion of
RANDA of same length as NONCEA
• Works because type of RANDA is all numbers of that
length
CONCLUSION -- WHAT’S
NEXT?
• Look around for more type confusion examples
– How well do our results apply?
– probably best to look in cases where protocols interact
• Refine procedure?
– Difficulty -- we’re looking for examples of bad typing
systems, not good ones
• Implement?
Download