Professional Documents
Culture Documents
Li Zhiwei
Aidong Lu
Weichao Wang
Therefore
Therefore future improvements depend highly on
our ability to analyse security protocols
This talk is about…
Part I: Overview
Motivation
Why Security Protocols Analysis?
Central problems
Security Analysis Methodology
Current Analysis Techniques
Part II: Athena Alogrithm
Strand Spaces Model
Security Properties
Penetrator Strands
Design of Model Checker
Experiment Results
Security Protocol
• Security Protocols use cryptographic primitives
as building blocks to achieve security goals
such as authentication, confidentiality, and
integrity.
• Protocol steps
n: A→B: M
“A sends M to B according to the n’ th protocol step.”
A, B principals, M message
Security Protocol
Security Protocol
Program distributed over network
Use cryptography to achieve goal
Attacker
Read, intercept, replace messages, and
remember their contents
Correctness
Attacker cannot learn protected secret or
cause incorrect protocol completion
A Simple Protocol
{ A, NA }KB
{ N A , NB } KA
{ NB } KB
A B
Initiate
B
Respond
A
Attacker
• Error-prone
• Security protocols are intricate and attackers are
powerful
• Non-optimal
• may contain unnecessary operations
Examples of protocol flaws
IKE [Meadows; 1999]
Reflection attack; fix adopted by IETF WG
IEEE 802.11i [He, Mitchell; 2004]
DoS attack; fix adopted by IEEE WG
GDOI [Meadows, Pavlovic; 2004]
Composition attack; fix adopted by IETF WG
Kerberos V5 [Scedrov et al; 2005]
Identity misbinding attack; fix adopted by IETF WG
How to addresses these
shortcomings….
the answer is ….
Part I: Overview
Motivation
Why Security Protocols Analysis?
Central problems
Security Analysis Methodology
Current Analysis Techniques
Part II: Athena Alogrithm
Strand Spaces Model
Security Properties
Penetrator Strands
Design of Model Checker
Experiment Results
Central Problems
1 2 Identify security
Model system properties
Protocol
Property
3
Security proof or attack Model
adversary
Answer:
the protocol is
correct or not
Security Analysis Methodology
Security Properties
authentication,secrecy,etc Answer
Formal Security proof the protocol is
Analysis Tool Methods or attack correct or not
Security Protocols
NS,Kerberos,etc.
Attacker Model
Complete control over network
Perfect crypto
Part I: Overview
Motivation
Why Security Protocols Analysis?
Central problems
Security Analysis Methodology
Current Analysis Techniques
Part II: Athena Alogrithm
Strand Spaces Model
Security Properties
Penetrator Strands
Design of Model Checker
Experiment Results
Four “Stanford” approaches
Finite-state analysis
Case studies: find errors, debug specifications
Symbolic execution model: Multiset rewriting
Identify basic assumptions
Study optimizations, prove correctness
Complexity results
Process calculus with probability and complexity
More realistic intruder model
Interaction between protocol and cryptography
Equational specification and reasoning methods
Protocol logic
Axiomatic system for modular proofs of protocol
properties
Some other projects and tools
Dolev-Yao
Formal Models (perfect cryptography) Cryptographic Models
Probabilistic Interactive TM
Probabilistic process calculi
Model Checking Protocol Logics Process Calculi …
Theorem Proving
Probabilistic I/O automata
Part I: Overview
Motivation
Why Security Protocols Analysis?
Central problems
Security Analysis Methodology
Current Analysis Techniques
Part II: Athena Alogrithm
Strand Spaces Model
Security Properties
Penetrator Strands
Design of Model Checker
Experiment Results
The Athena aims to provide a method to:
Part I: Overview
Motivation
Why Security Protocols Analysis?
Central problems
Security Analysis Methodology
Current Analysis Techniques
Part II: Athena Alogrithm
Strand Spaces Model
Security Properties
Penetrator Strands
Design of Model Checker
Experiment Results
Strand Space Model
• Answer Problem 1:
Specifies the security protocols
• model security protocols and their execution
• graphical representation of execution
• Simple and intuitive
• A suitable framework for
• ... formal specifications of security properties
• ... proving correctness of protocols
Example:
(The global view)
{ A, NA }KB
{ N A , NB } KA
{ NB } KB
A B
Defining Strand Spaces(cont’d)
{ A, NA }KB
B‘s view of the protocol
{ NA , NB }
KA { A, NA }KB
{NB} KB
{ NA, NB } KA
A‘s view of the protocol
{NB } KB
+ { A, NA }KB
- { NA , N B } KA
Strand represents a sequence of actions (i.e, signed
messages ±m) of an instance of a role
+ {NB } + means principal sends this message
KB
- means principal receives this message
A‘s (trace of his) strand
Outline
Part I: Overview
Motivation
Why Security Protocols Analysis?
Central problems
Security Analysis Methodology
Current Analysis Techniques
Part II: Athena Alogrithm
Strand Spaces Model
Security Properties
Penetrator Strands
Design of Model Checker
Experiment Results
Security Properties in this Logic
• Answer Problem 2:
Specifies the desired security properties
• Authentication
• Secrecy
• A value v is secret in a strand space S if, for every
bundle C that contains S, there does not exist a node
n∈C , such that term(n)=v
For NS Authentication
The formula that needs to be checked is
gamma delta
protocol
n1: - { A0, Na0 }Kb0 The NS protocol n1: + { A0, Na0 }Kb0
+ { A, NA }KB - { A, NA }KB
n2: + { Na0 , Nb0 } Ka0 n2: - { Na0 , Nb0 } Ka0
- { NA , NB } KA + {NA, NB } KA
Part I: Overview
Motivation
Why Security Protocols Analysis?
Central problems
Security Analysis Methodology
Current Analysis Techniques
Part II: Athena Alogrithm
Strand Spaces Model
Security Properties
Penetrator Strands
Design of Model Checker
Experiment Results
The Penetrator
• Answer Problem 3:
Model adversary
• participates in protocols via penetrator
strands
• reflect the potentials of the penetrator
• penetrator is able to
• intercept and create messages (independent of the
protocol)
• read and memorize all (not encrypted) message parts
• synthesize new messages built from his “knowledge”
The Penetrator
Description of the intruder
Composing Strands to Bundles
Regular strands Penetrator strands
kA
- { NA, A }Kp
+ Kp-1 - Kp-1
Key K
+ NA, A - NA , A
Decryption D Key K
- KB + KB
+ {NA, A }KB
Part I: Overview
Motivation
Why Security Protocols Analysis?
Central problems
Security Analysis Methodology
Current Analysis Techniques
Part II: Athena Alogrithm
Strand Spaces Model
Security Properties
Penetrator Strands
Design of Model Checker
Experiment Results
Design of Model Checker
Answer Problem 4:
See if properties are preserved under attack
• Verification Algorithm
• Given a model P, check if it satisfies formula F
• It turns out to be state search problem
Design of Model Checker
• Verification Algorithm
• Given a model P, check if it satisfies formula F
• It turns out to be state search problem
Athena
If not provable,
If provable then counter-example
Obtain a formal proof of the protocol Obtain concrete attacks on the protocol
Counter-example
Axioms Axioms
Part I: Overview
Motivation
Why Security Protocols Analysis?
Central problems
Security Analysis Methodology
Current Analysis Techniques
Part II: Athena Alogrithm
Strand Spaces Model
Security Properties
Penetrator Strands
Design of Model Checker
Experiment Results
NSPK in Strand Space Model
“A” strand “B” strand “Penetrator” strands
{x}k
+{n,A}kb -{n,A}kb
x
k-1
-{n,r}ka +{n,r}ka k
x
{x}k
+{r}kb -{r}kb
+ {NB } KB - {NB } KB
Anomaly in NS
gamma,delta
kA
l0=gamma
NS Example
n1: - { A0, Na0 }Kb0
unbound goals
n2: + { Na0 , Nb0 } Ka0
3 unbound goals
l0 l1 E(ncription)
n1: - { A0, Na0 }Kb0 n4: -Kb0
l4(3)
l5(2)
l2
l6(2) n1: - { A0, Na0 }Kb0
NS
n4: + { A0, Na0 }Kb0
l7(2)
n2: + { Na0 , Nb0 } Ka0 n5: - { Na0 , Nb0 } Ka0
gamma |− delta
NSPK Attack
+{n,A}ke
ke-1
{n,A}
-{n,r}ka
Anomaly in NS
kb
+{r}ke {n,A}kb
kA
+{n,r}ka
-{r}kb
NSL verification
The NSL protocol
1. A → B : {N1 , A}B
2. B → A : {N1 , N 2 , B}A
3. A → B : {N 2 }B
Conclusions
[Mil95] J. Millen. The Interrogator model. In Proceedings of the 1995 IEEE Symposium
on Security and Privacy, pages 251–260. IEEE Computer Society Press, 1995.
[RN95] Stuart Russell and Peter Norvig. Artificial Intelligence: A Modern Approach.
Prentice Hall Series in Artificial Intelligence, 1995.
[HT96] N. Heintze and J. Tygar. A model for secure protocols and their compositions.
IEEE Transactions on Software Engineering, 22(1):16–30, January 1996.