Verification of Security Protocols

Transcription

1 Verification of Security Protocols Chapter 12: The JFK Protocol and an Analysis in Applied Pi Christian Haack June 16, 2008

2 Exam When? Monday, 30/06, 14:00. Where? TUE, Matrix Scheduled for 3 hours, but should be doable in shorter time. Counts 25% towards the course grade (270 points for assignments, 90 points for exam). The exam is closed book.

3 Exam How to prepare? Review the course notes, and the exercises (especially the pencil-and-paper exercises). Things you should know: Typical protocol goals and their informal meaning (e.g., secrecy, authenticity, key establishment, non-repudiation, anonymity, etc.). How to model protocols as informal narrations. The spi-calculus and its operational semantics. How to model protocols in the spi-calculus (agent roles, parallel sessions, external threat model, internal threat model, etc.). How to express core security goals in the spi-calculus (secrecy assertions, correspondence assertions, injective agreement, non-injective agreement, non-interference).

4 Exam Things you should know (cont.): Proof methods (type systems, BAN logic). You do not need to learn typing rules or BAN rules by heart. I will provide you with a handout with the rules that you need. You need to be able to apply the rules. Cryptographic primitives and what they can be used for (e.g., digital signatures for authentication, hashes for message integrity, nonces for injective agreement, nonces for timeliness, timestamps for timeliness, etc.). How to specify cryptographic primitives in generic spi/proverif. (constructors, reduction rules, equations). Testing equivalence, non-interference. Topics that won t come up in the exam: ProVerif s resolution method, the computational model.

5 Plan for Today We will talk about the Just Fast Keying (JFK) protocol, and a protocol analysis in the Applied Pi Calculus with help of ProVerif. JFK is a key establishment protocol, intended for use in IPsec. The JFK protocol has interesting security goals (in addition to secrecy and authenticity as usual): resistance against denial-of-service (DoS) attacks privacy of client and server against passive attackers privacy of either client or server against active attackers

6 References Today s class is based on the following articles: Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold: Just Fast Keying: Key Agreement in a Hostile Internet, [ABB + 04] Abadi, Blanchet, Fournet: Just Fast Keying in the Pi Calculus, [ABF07] The ProVerif sources for the JFK analysis are contained in the directory example/jfk of the ProVerif distribution.

7 JFK: Context JFK was designed to be used to set up a security association (SA) at the outset of an IPsec session. What is a security association? A set of security parameters including session keys, initialization vectors or digital certificates. Currently, this is established by the Internet Key Exchange (IKE) protocol. The IKE protocol has been criticized for several reasons. Most importantly: a high number of rounds (inefficiency) vulnerability to DoS attacks complexity of the protocol and its specification JFK improves on these shortcomings. Another proposed replacement of IKE is IKEv2.

8 Diffie Hellman Key Establishment: Initial Data JFK uses Diffie Hellman Key Establishment (DH): Publicly known initial data: p : a large prime g : a primitive root modulo p What is a primitive root modulo p? a number g such that all numbers in {1,..., p 1} can be generated by taking exponents of g modulo p. Or more technically: a generator of the multiplicative group of integers modulo p. The pair (p, g) is sometimes called the Diffie-Hellman group.

9 Diffie-Hellman Key Establishment (DH) A picks a random integer a A B : g a B picks a random integer b B A : g b A and B compute k = (g a ) b = g ab = (g b ) a (mod p) They use k as a session key. If g and p are chosen appropriately (e.g., p has to be large enough), then it is infeasible for someone other than A or B to learn k. Why? An attacker knows g, p, g a and g b. It is thought that learning g ab is as hard as learning a or b. But this amounts to taking the discrete logarithm modulo p, which is thought to be computationally intractable.

10 Lack of Authentication A picks a random integer a A B : g a B picks a random integer b B A : g b A and B compute k = (g a ) b = g ab = (g b ) a (mod p) They use k as a session key. The simple DH protocol is safe against eavesdroppers. However, it does not provide authentication. It is therefore not safe against active adversaries.

11 Station-to-Station (STS) The station-to-station protocol enriches DH with authentication: A picks random a 1. A B : g a B picks random b and computes k = g ab 2. B A : g b, {{ g b, g a } sb } k A computes k = g ba 3. A B : {{ g a, g b } sa } k STS achieves key establishment and mutual authentication. Furthermore, both A and B learn that the other one knows k, because messages 2 and 3 are encrypted with k. The protocol even protects against replays, because g a and g b serve as nonces. Many real protocols are variations of STS. These include IKE and JFK.

12 Vulnerability to DoS Attacks A picks random a 1. A B : g a B picks random b and computes k = g ab 2. B A : g b, {{ g b, g a } sb } k A computes k = g ba 3. A B : {{ g a, g b } sa } k This simple variant of STS is vulnerable to DoS attacks. Why? Both exponentiation and public key cryptography (in this case digital signing) are computationally expensive. If an attacker deliberately swamps server B with huge amounts of message 1, then B will have to do huge amounts of computation. The problem is that B has to do this expensive computation in his very first message. The attacker has to do no significant work to trigger this. JFK resists against DoS attacks to some extent.

13 Diffie-Hellman in ProVerif Diffie-Hellman can be represented in ProVerif like this: data g/0. fun exp/2. equation exp(exp(g,x),y) = exp(exp(g,y),x). Note that this is an equation rather than a reduction rule. Fortunately, this is an equation that ProVerif can deal with.

14 Keyed Hashes (MACS) Recall that hashes are a tool to ensure message integrity: A B : M, hash(m) B knows that M has not been altered Keyed hashes (aka message authentication codes, MACS) are a tool to ensure both message integrity and authenticity: K is a shared secret of A and B A B : M, hash{k }(M) B knows that M has not been altered and that it comes from B Like hashes, perfect keyed hashes are one-way functions (in both arguments). B knows that M comes from A because A is the only other agent who knows K.

15 Keyed Hashes in ProVerif Representing keyed hashes in ProVerif is easy: fun keyedhash/2. (* No destructor *)

16 JFK: Design Goals Secrecy of established session keys. Forward Secrecy of established session keys (i.e., compromise of long-term keys should not affect secrecy of the session keys already in use). Privacy: hide the identities of initiator and responder as far as possible. Memory DoS: it must resist memory exhaustion attacks. Computation DoS: it must resist CPU exhaustion attacks. Efficiency: it must be efficient w.r.t. computation, bandwith and number of rounds. Non-negotiated: it must avoid complex negotiations over cryptographic capabilities. Simplicity: it must be as simple as possible within the constraints of the requirements.

17 Privacy Against Eavesdroppers JFKr guarantees privacy of both initiator and responder against passive eavesdroppers. (JFKi only of initiator.) This is achieved by never sending data that can be tied to one of the agents in plain. In particular the following are never send in plain: agent ids public keys or public key certificates for the agents messages signed by the agents Note that STS already provides privacy of both agents against passive eavesdroppers: The only messages that could be tied to agents are the signed messages. But these are encrypted under the DH key.

18 Privacy Against Active Attackers STS protects A s privacy against active attackers, but not B s. Why not B s? An active attacker could pose as A. He would receive message 2, could decrypt it, and then know that B is at the other end. Generally, in a protocol that provides mutual authentication by digital signatures, at most one agent can protect his privacy against active adversaries: the agent who authenticates first won t have privacy. There are two versions of JFK: JFKr protects the responder s privacy against active attackers. JFKi protects the initiator s privacy against active attackers.

19 Resistance Against Memory DoS Attacks Protocols typically build up state, i.e., they store data from early protocol actions that is needed later in the protocol (e.g., nonces or session ids are stored for later checks). In Memory DoS attacks, an attacker starts many parallel session with a server, causing the server to build up state and exhaust his memory. To protect servers against such attacks JFK avoids building up state before clients have authenticated themselves.

20 Anti-DoS Cookies Anti-DoS Cookies are a technique to resist against Memory DoS attacks: Instead of storing sessions state, the server sends all its state to the client, together with a MAC of the state. This MAC is called an Anti-DoS cookie. The MAC key is only known to the server itself. In his reply, the client must send the server s session state and the MAC back to the server.

21 Anti-DoS Cookie: Example 1. I R : N I, g i 2. R I : N I, N R, g r, hash{k R }(g i, g r, N I, N R, I) 3. I R : N I, N R, g i, g r, hash{k R }(g i, g r, N I, N R, I) authentication data for I (expensive check) 4. R I : authentication data for R (expensive to compute) The MAC key K R is only known to R. hash{k R }(g i, g r, N R,,I) is an Anti-DoS cookie. But... an attacker could mount a Computation DoS attack, by replaying message 3 many times! To avoid such a replay attack, R caches the Anti-DoS cookies and accepts each cookie only once.

22 Resistance Against Computation DoS Attacks 1. I R : N I, g i 2. R I : N I, N R, g r, hash{k R }(g i, g r, N I, N R, I) 3. I R : N I, N R, g i, g r, hash{k R }(g i, g r, N I, N R, I) authentication data for I (expensive check) 4. R I : authentication data for R (expensive to compute) JFK uses the following measures to resist against Computation DoS: JFK allows a single DH exponential g r to be reused in several sessions. JFK avoids expensive public key cryptography in the responder s first reply.

23 Resistance to Computation DoS: Hashed Nonces To further raise the bar against DOS attacks, JFK makes the initiator send a hashed nonce in messages 1 and 2: 1. I R : hash(n I ), g i 2. R I : hash(n I ), N R, g r, hash{k R }(g i, g r, hash(n I ), N R, I) 3. I R : N I, N R, g i, g r, hash{k R }(g i, g r, hash(n I ), N R, I) authentication data for I (expensive check) 4. R I : authentication data for R (expensive to compute) This measure is effective in environments where attackers can eavesdrop and inject messages but cannot modify messages in flight (e.g. certain wireless networks). It prevents that an attacker can copy data from messages 1 and 2 to build a valid-looking message 3 with bogus authentication data (in order to force R to make an expensive check).

24 The Protocol JFKr 1. I R : hash(n I ), g i 2. R I : hash(n I ), N R, g r, grpinfo R, cookie 3. I R : N I, N R, g i, g r, cookie, e I, h I 4. R I : e R, h R grpinfo R = responder s choice of DH group g and algorithms cookie = hash{k R }(g r, hash(n I ), N R, I) K u = hash{g ir }(N I, N R, u) for u = a, e, v (K v is the established session key) sa z = additional parameters for IP security association (for z = I, R) ID z = agent id and signature verification key (for z = I, R) ID R = preference for R s signature verification key e I = {ID I, ID R, sa I, s I } Ke s I = { N I, N R, g i, g r, grpinfo R } sk I h I = hash{k a }(tag I, e I ) e R = {ID R, sa R, s R } Ke s R = { g r, N R, g i, N I } sk R h R = hash{k a }(tag R, e R )

25 Analysis in the Applied Pi-calculus Abadi, Blanchet, Fournet model JFKr in the applied pi-calculus and do a detailed protocol analysis, with the help of ProVerif. I ll sketch some interesting aspects of their model and analysis. For details see [ABF07] and the ProVerif sources in examples/jfk in the ProVerif distribution.

26 Modeling a Cache in ProVerif Caches are modeled as sets. Sets are defined as a cons-lists with a membership predicate. data emptyset/0. data consset/2. pred member/2. clauses member:x,consset(x,y); member:x,y -> member:x,consset(z,y). Note that ProVerif supports defined predicates. Defined predicates can be used in conditionals and in queries.

27 Modeling Statelessness To account for statelessness up to message 3, the responder is modeled as the parallel composition of two processes: R = R 1 R 3 where R 1 = responder process receiving message 1 and sending message 2 R 3 = responder process receiving message 3 and sending message 4 In this manner, process R 3 does not depend on any data received or generated before message 3.

28 Analysis for DoS Resistance ABF show a theorem that (informally) says this: When a responder does an expensive DH-exponentiation (g i ) r, a round trip must have happened previously (in the same session). This means that an attacker cannot trigger the responder s expensive DH-computation by sending a single message. This theorem is not trivial, because the responder is defined by parallel composition. (R = R 1 R 3 rather than R = R 1 ; R 3.) In order to prove this theorem, ABF prove a transformation lemma that a system with R = R 1 R 3 is observationally equivalent to a system with R = R o 1 ; Ro 3 where Ro 1 and Ro 3 are obtained from R 1 and R 3 by replacing the Anti-DoS cookie by local state.

29 Secrecy and Authenticity ABF prove secrecy and authenticity properties: Standard secrecy of the established session key. Forward secrecy of the establish session key: to this end, they publish the longterm signing key after a complete run of JFK, and show that the established session keys still satisfy standard secrecy. They prove various authenticity results, i.e., that certain events only happen if several other events have happened before that.

30 Identity Protection In their pi-calculus model, ABF use public keys as agent ids (i.e, if ka is A s secret keypair, then the public signature verification key dec(ka) is used as A s id). They reduce identity protection to non-interference: For instance, to show that the identity of responders is protected against active adversaries, they show that the following system satisfies non-interference, if x and y are are drawn from the private names ka and kb: System(x, y) where x, y are used as keypairs of two responders In other words, they show the following observational equivalences: System(kA, kb) System(kB, ka) System(kA, ka) System(kB, kb)

31 ProVerif: Restricting Non-interference Queries ProVerif allows to restrict non-interference queries to a set of particular values (in this case ka and kb): private free x,y. private free ka, kb. noninterf x among (ka,kb), y among (ka,kb).

32 Conclusion JFK can be viewed as a variant of the STS protocol. However, it adds many features to STS in order to resist DoS attacks. As a result, JFK is quite complicated, although it has only four messages and is much simpler than IKE. Its analysis in the applied pi-calculus is particularly interesting, because it analyzes properties that are not often analyzed by protocol verification tools (e.g., DoS resistance), and because it models the protocol in much detail (e.g., modeling caching).

33 That s It That s it for this semester. Thanks for your attention! Don t forget the exam on June 30, 14:00.

34 References William Aiello, Steven M. Bellovin, Matt Blaze, Ran Canetti, John Ioannidis, Angelos D. Keromytis, and Omer Reingold. Just fast keying: Key agreement in a hostile internet. ACM Transactions on Information and System Security, 7(2): , Martín Abadi, Bruno Blanchet, and Cédric Fournet. Just fast keying in the pi calculus. ACM Transactions on Information and System Security, 10(3), 2007.