MSR A Framework for Security Protocols and their Meta-Theory

Transcription

1 MSR A Framework for Security Protocols and their Meta-Theory Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, NRL Washington DC Dept. of Information Science University of Tokyo March 12 th, 2001

2 Outline I. Mis-specification languages II. MSR Overview Typing Access control Execution Properties Example III.The most powerful attacker Dolev-Yao intruder MSR, a Framework for Security Protocols and their Meta-Theory 2

3 Part I Mis-Specification Languages MSR, a Framework for Security Protocols and their Meta-Theory 3

4 Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Distributed hostile environment Prudent engineering practice Inadequate specification languages the devil is in details MSR, a Framework for Security Protocols and their Meta-Theory 4

5 Dolev-Yao Abstraction Symbolic data No bit-strings Perfect cryptography No guessing of keys Public knowledge soup Magic access to data MSR, a Framework for Security Protocols and their Meta-Theory 5

6 Languages to Specify What? Message flow Message constituents Operating environment Protocol goals MSR, a Framework for Security Protocols and their Meta-Theory 6

7 Desirable Properties Unambiguous Simple Flexible Adapts to protocol Powerful Applies to a wide class of protocols Insightful Gives insight about protocols MSR, a Framework for Security Protocols and their Meta-Theory 7

8 Usual Notation A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb MSR, a Framework for Security Protocols and their Meta-Theory 8

9 How does it do? Flow Expected run Constituents Side remarks Environment Side remarks Goals Side remarks Unambiguous Simple Flexible Powerful Insightful MSR, a Framework for Security Protocols and their Meta-Theory 9

10 Strands {n A, A} kb {n A, A} kb {n A, n B } ka {n A, n B } ka {n B } kb {n B } kb MSR, a Framework for Security Protocols and their Meta-Theory 10

11 How do they do? Flow Role-based Constituents Informal math. Environment Side remarks Goals Side remarks Unambiguous Simple Flexible Powerful Insightful MSR, a Framework for Security Protocols and their Meta-Theory 11

12 MSR 1.x - Initiator Nonce generation π A0 (A) L 0 (A), π A0 (A) Message transmission L 0 (A), π A1 (B) n A. L 1 (A,B,n A ), N({n A,A} kb ), π A1 (B) L 1 (A,B,n A ), N({n A,n B } ka ) L 2 (A,B,n A,n B ) L 2 (A,B,n A,n B ) L 3 (A,B,n A,n B ), N({n B } kb ) where π A0 (A) = Pr(A), PrvK(A,k A -1 ) π A1 (B) = Pr(B), PubK(B,k B ) MSR, a Framework for Security Protocols and their Meta-Theory 12

13 MSR 1.x - Responder Role state predicate π B0 (B) L 0 (B), π B0 (B) L 0 (A), π B1 (A), N({n A,A} kb ) L 1 (A,B,n A ), π B1 (A) L 1 (A,B,n A ) n B. L 2 (A,B,n A,n B ), N({n A,n B } ka ) L 2 (A,B,n A,n B ), N({n B } kb ) L 3 (A,B,n A,n B ) where π B0 (B) = Pr(B), PrvK(B,k B -1 ) π B1 (A) = Pr(A), PubK(A,k A ) Persistent Info. MSR, a Framework for Security Protocols and their Meta-Theory 13

14 How did we do? Flow Role-based Constituents Persistent info. Environment In part Goals Unambiguous Simple Flexible Powerful Insightful MSR, a Framework for Security Protocols and their Meta-Theory 14

15 How will we do? Flow Role-based Constituents Strong typing Environment In part Goals Unambiguous Simple Flexible Powerful Insightful MSR, a Framework for Security Protocols and their Meta-Theory 15

16 Part II MSR MSR, a Framework for Security Protocols and their Meta-Theory 16

17 What s in MSR 2.0? Multiset rewriting with existentials Dependent types w/ subsorting Memory predicates New New Constraints New MSR, a Framework for Security Protocols and their Meta-Theory 17

18 Terms Atomic terms Principal names Keys Nonces Term constructors ( ) {_} _ [_] _ {{_}} _ A k n D e f i n a b l e MSR, a Framework for Security Protocols and their Meta-Theory 18

19 Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory MSR, a Framework for Security Protocols and their Meta-Theory 19

20 Types of Terms A: princ n: nonce k: shk A B k: pubk A k : privk k (definable) Types can depend on term Captures relations between objects Subsumes persistent information Static Local Mandatory MSR, a Framework for Security Protocols and their Meta-Theory 20

21 Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies MSR, a Framework for Security Protocols and their Meta-Theory 21

22 Role state predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data MSR, a Framework for Security Protocols and their Meta-Theory 22

23 Memory Predicates New M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder MSR, a Framework for Security Protocols and their Meta-Theory 23

24 Constraints New χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) MSR, a Framework for Security Protocols and their Meta-Theory 24

25 Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A MSR, a Framework for Security Protocols and their Meta-Theory 25

26 Roles Role state pred. var. declarations Generic roles L: τ (x 1 ) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Role owner Anchored roles L: τ (x1) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A MSR, a Framework for Security Protocols and their Meta-Theory 26

27 MSR 2.0 NS Initiator A L: princ x princ (B) x pubk B x nonce. B: princ k B : pubk B n A :nonce. L(A,B,k B,n A ) N({n A,A} kb ) k A : pubk A k A : privk k A n A,n B : nonce L(A,B,k B,n A ) N({n A,n B } ka ) N({n B } kb ) MSR, a Framework for Security Protocols and their Meta-Theory 27

28 MSR 2.0 NS Responder L: princ (B) x princ (A) x pubk B (kb) x privk k B x nonce x pubk A x nonce. B k B : pubk B k B : privk k B A: princ n A : nonce k A :pubka N({n A,A} kb ) n B :nonce. L( ) N({n A,n B } ka ) n B : nonce L(B,k B,k B,A,n A,k A,n B ) N({n B } kb ) MSR, a Framework for Security Protocols and their Meta-Theory 28

29 Type Checking New Σ P t has type τ in Γ Catches: Γ t : τ Encryption with a nonce P is welltyped in Σ Transmission of a long term key Circular key hierarchies, Static and dynamic uses Decidable MSR, a Framework for Security Protocols and their Meta-Theory 29

30 Access Control r is AC-valid for A in Γ Catches Γ A r New P is ACvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Fully static Decidable Gives meaning to Dolev-Yao intruder MSR, a Framework for Security Protocols and their Meta-Theory 30

31 Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signature a : τ L l : τ M _ : τ MSR, a Framework for Security Protocols and their Meta-Theory 31

32 Execution Model 1-step firing P C C Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules MSR, a Framework for Security Protocols and their Meta-Theory 32

33 Rule application Constraint check F, χ n:τ. G(n) Σ = χ (constraint handler) Firing [S 1 ] R Σ [S 2 ] R Σ, c:τ c not in S 1 S, F S, G(c) MSR, a Framework for Security Protocols and their Meta-Theory 33

34 Properties Admissibility of parallel firing Type preservation Access control preservation Completeness of Dolev-Yao intruder New MSR, a Framework for Security Protocols and their Meta-Theory 34

35 Completed Case-Studies Full Needham-Schroeder public-key Otway-Rees Neuman-Stubblebine repeated auth. OFT group key management Dolev-Yao intruder MSR, a Framework for Security Protocols and their Meta-Theory 35

36 Part III The Most Powerful Attacker MSR, a Framework for Security Protocols and their Meta-Theory 36

37 Execution with an Attacker P, P I C C Selected principal(s): Generic capabilities: Well-typed AC-valid I P I Modeled completely within MSR MSR, a Framework for Security Protocols and their Meta-Theory 37

38 The Dolev-Yao Intruder Specific protocol suite P DY Underlies every protocol analysis tool Completeness still unproved!!! MSR, a Framework for Security Protocols and their Meta-Theory 38

39 Capabilities of the D-Y Intruder Intercept / emit messages Split / form pairs Decrypt / encrypt with known key Look up public information Generate fresh data MSR, a Framework for Security Protocols and their Meta-Theory 39

40 DY Intruder Data access M I (t) : Intruder knowledge A: princ. M I (A) I A: princ k: shk I A M I (k) I + dual A: princ k: pubk A M I (k) I k: pubk I k : privk k M I (k ) I No nonces, no other keys, MSR, a Framework for Security Protocols and their Meta-Theory 40

41 DY Intruder Data Generation Safe data n:nonce. M I (n) I m:msg. M I (m) I Anything else? A,B:princ. k:shk A B. M I (k) I??? It depends on the protocol!!! Automated generation? MSR, a Framework for Security Protocols and their Meta-Theory 41

42 DY Intruder Stretches AC to Limit AC-valid Well-typed Dolev-Yao intruder MSR, a Framework for Security Protocols and their Meta-Theory 42

43 Completeness of D-Y Intruder If P [S] R Σ [S ] R Σ with all well-typed and AC-valid Then P, P DY [S] R Σ [S ] R Σ MSR, a Framework for Security Protocols and their Meta-Theory 43

44 Encoding of P, S, Σ P Remove roles anchored on I S Map I s state / mem. pred. using M I Σ Remove I s role state pred.; add M I MSR, a Framework for Security Protocols and their Meta-Theory 44

45 Encoding of R No encoding on structure of R Lacks context! Encoding on AC-derivation for R A :: Σ R Associate roles from P DY to each AC rule MSR, a Framework for Security Protocols and their Meta-Theory 45

46 Completeness proof Induction on execution sequence Simulate every step with P DY Rule application Induction on AC-derivation for R Every AC-derivation maps to execution sequence relative to P DY Rule instantiation AC-derivations preserved Encoding unchanged MSR, a Framework for Security Protocols and their Meta-Theory 46

47 Consequences Justifies design of current tools Support optimizations D-Y intr. often too general/inefficient Generic optimizations Per protocol optimizations Restrictive environments Caps multi-intruder situations MSR, a Framework for Security Protocols and their Meta-Theory 47

48 Conclusions Framework for specifying protocols Precise Flexible Powerful Provides Type /AC checking Sequential / parallel execution model Insights about Dolev-Yao intruder MSR, a Framework for Security Protocols and their Meta-Theory 48

49 Future work Experimentation Clark-Jacob library Fair-exchange protocols More multicast Pragmatics Type-reconstruction Operational execution model(s) Implementation Automated specification techniques MSR, a Framework for Security Protocols and their Meta-Theory 49