SAT-based Verifiction of NSPKT Protocol Including Delays in the Network

Transcription

1 SAT-based Verifiction of NSPKT Protocol Including Delays in the Network Czestochowa University of Technology Cardinal Stefan Wyszynski University MMFT2017

2

3 Importance of Security Protocols Key point of security systems Used in many areas Errors in: structure, operations, security Specification and verification importance Need for the complete formal model IT market development sets new requirements

4 New Challenges Detailed analysis of the protocol Tailor-made security The importance of time

5 World Leaders AVISPA ProVerif Scyther VerIcs PRISM

6 Basic elements Protocol definition (with time aspect) α 1 = (S, R, L), α 2 = (τ, D, X, G, tc) (1)

7 Example: Needham-Schroeder Public Key Protocol α 1 = (α1, 1 α1), 2 α1 1 = (A; B; τ A I A KB ), α1 2 = (τ 1; D 1; {τ A, I A, K B}; {τ A}; τ 1 + D 1 τ A L), α 2 = (α2, 1 α2), 2 α2 1 = (B; A; τ B τ A KA ), α2 2 = (τ 2; D 2; {τ B, τ A, K A}; {τ B}; τ 2 + D 2 τ A L τ 2 + D 2 τ B L), α 3 = (α3, 1 α3), 2 α3 1 = (A; B; τ B KB ), α3 2 = (τ 3; D 3; {τ A, K B}; { }; τ 3 + D 3 τ A L τ 3 + D 3 τ B L).

8 Automata Model Network of synchronized timed automata for NSPK protocol

9 Automata Model Network of synchronized timed automata for NSPK protocol

10 Automata Model Network of synchronized timed automata for NSPK protocol

11 Automata Model Network of synchronized timed automata for NSPK protocol

12 Automata Model Network of synchronized timed automata for NSPK protocol

13 Time dependencies Message composing time Duration of k-step T c = T sz + T g (2) T k = T sz + T g + D + T dsz (3) T min k = T sz + T g + D min + T dsz (4) T max k = T sz + T g + D max + T dsz (5)

14 Time dependencies Session time T ses = T min ses = T max ses = n T k (6) k=1 n k=1 n k=1 T min k (7) T max k (8)

15 Time dependencies Lifetime in single step where: k step number, T out k = n i=k n number of all steps in protocol, T max i maximum time of step execution. T max i (9)

16 Steps of Procedure Writing protocol in ProToc language. Generating a set of protocol executions. Generating a network of timed automata. Generating a formulas for SAT-Solver. SAT-Solver testing. Saving results to a file.

17 Selected SAT-solvers

18 Experimental results for NSPK protocol Time assumptions: Delays in D = 0, 15[tu], lifetime Lf = 2[tu]

19 Susceptibility to Attack Protocol NSPK will be vulnerable to attack if in the first step: D Lf in the second step: D Lf /4 in the last step: D Lf /5

20 Experimental results for NSPK protocol, with time restrictions Time assumptions: Delay in the following steps D 1 = 10, 1[tu], D 2 = 2, 6[tu], D 3 = 2, 1[tu], lifetime Lf = 10[tu]

21 Presented method can be used for fast and simple protocol verification. With the implemented tool, we can not only find the attack on the protocol, but also check if the protocol makes sense. Shown time constraints, enable us to determine the protocol time frame in which it is vulnerable to attack. This is one of the steps to accurately show the strengths and weaknesses of security protocols.

22 I Armando, A., et. al.: The AVISPA tool for the automated validation of internet security protocols and applications. In: Proc. of 17th Int. Conf. on Computer Aided Verification (CAV 05), vol of LNCS, pp , Springer (2005) Burrows M., Abadi M., Needham R.: A Logic of Authentication, In: Proceedings of the Royal Society of London A, vol. 426, pp , (1989) Cremers, C.: The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols, In: Proceedings of the 20th International Conference on Computer Aided Verification, Princeton, USA, pp (2008) Dolev, D. and Yao, A.: On the security of public key protocols. In: IEEE Transactions on Information Theory, 29(2), pp (1983) M., Penczek W.: Applying Timed Automata to Model Checking of Security Protocols, in ed. J. Wang, Handbook of Finite State Based Models and Applications, pp , CRC Press, Boca Raton, USA (2012) Lowe, G.: Breaking and Fixing the Needham-Schroeder Public-key Protocol Using fdr., In:TACAS, LNCS, Springer, pp (1996) Needham, R. M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Commun. ACM, 21(12), (1978) Paulson L.: Inductive Analysis of the Internet Protocol TLS, TR440, University of Cambridge, Computer Laboratory (1998)