An Interface Specification Language for Automatically Analyzing Cryptographic Protocols

Similar documents
A HOL Extension of GNY for Automatically Analyzing. Cryptographic Protocols. Stephen H. Brackin ESC/ENS

Presented by Jack G. Nestell. Topics for Discussion. I. Introduction. Discussion on the different logics and methods of reasonings of Formal Methods

Extending CAPSL for Logic-Based Verifications

Security protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i

Outline More Security Protocols CS 239 Computer Security February 6, 2006

CSE BAN Logic Presentation

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Authentication Handshakes

SEMINAR REPORT ON BAN LOGIC

CSC 474/574 Information Systems Security

BAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack

Logic of Authentication

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Security Handshake Pitfalls

Logics of authentication

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Security Handshake Pitfalls

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

Extensions of BAN. Overview. BAN Logic by Heather Goldsby Michelle Pirtle

User Authentication Protocols

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Security protocols and their verification. Mark Ryan University of Birmingham

Cryptographic Protocols 1

Formal Methods for Assuring Security of Computer Networks

Computer Networks & Security 2016/2017

User Authentication Protocols Week 7

Lecture 19: cryptographic algorithms

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Lecture 15: Cryptographic algorithms

UNIT - IV Cryptographic Hash Function 31.1

CS Protocol Design. Prof. Clarkson Spring 2017

Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI

Grenzen der Kryptographie

Mechanising BAN Kerberos by the Inductive Method

Security Handshake Pitfalls

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

On the Security of a Certificateless Public-Key Encryption

Lecture 1: Course Introduction

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

Diffie-Hellman. Part 1 Cryptography 136

Introduction to Security

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Lecture 1: Perfect Security

Implementing Cryptography: Good Theory vs. Bad Practice

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Lecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin

Session key establishment protocols

Summary on Crypto Primitives and Protocols

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Session key establishment protocols

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

CS 161 Computer Security

CS 395T. Analyzing SET with Inductive Method

Network Security (NetSec)

Network Working Group. Category: Standards Track September The SRP Authentication and Key Exchange System

Robbing the Bank with a Theorem Prover

Formal Methods for Security Protocols

Introduction to Cryptography. Ramki Thurimella

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Security. Communication security. System Security

Outline Key Management CS 239 Computer Security February 9, 2004

Security in ECE Systems

CS Protocols. Prof. Clarkson Spring 2016

Cryptography: More Primitives

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

CPSC 467: Cryptography and Computer Security

CS November 2018

Securing Internet Communication: TLS

Proving who you are. Passwords and TLS

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Chapter 9: Key Management

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Chapter 10 : Private-Key Management and the Public-Key Revolution

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Data Integrity. Modified by: Dr. Ramzi Saifan

Core Security Services and Bootstrapping in the Cherubim Security System

Lecture 4: Authentication Protocols

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

Secure Multiparty Computation

Secure digital certificates with a blockchain protocol

HOST Authentication Overview ECE 525

Overview of Cryptography

Elements of Security

Automotive Security An Overview of Standardization in AUTOSAR

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Brief Introduction to Provable Security

Authentication in Distributed Systems

Cryptography and Network Security Chapter 14

Distributed ID-based Signature Using Tamper-Resistant Module

Data Security and Privacy. Topic 14: Authentication and Key Establishment

What did we talk about last time? Public key cryptography A little number theory

Cryptography. Lecture 12. Arpita Patra

Transcription:

An Interface Specification Language for Automatically Analyzing Cryptographic Protocols Internet Society Symposium on Network and Distributed System Security February 10-11, 1997 San Diego Princess Resort, San Diego, CA Dr. Stephen H. Brackin Arca Systems, Inc. 303 E. Yates St., Ithaca, NY 14850 (607) 277-8211 or (607) 277-2739 brackin@arca.com Supported by Arca Systems, Inc., by ESC/AXS through PRISM, and by Rome Laboratory Page - 1

Overview of Talk Problem and basic solution idea Cryptographic protocols and network model Protocol failure, TMN example Belief logics Examples of what the Automatic Authentication Protocol Analyzer (AAPA) can do Interface Specification Language (ISL) TMN specification Terminal output, failed-goals files, other files High points of (unnamed) commercial application Plans for the future Thorough, but still fast and automatic, analyses Good-guy deductions vrs. Bad-guy searches Lessons for protocol users and designers Page - 2

Cryptographic Protocols and Network Model Goal: Secure communication over insecure networks Networks, principals, and messages No other communications Worst case: enemy can read, or be true source, of everything Confidentiality and authentication Tools for achieving goal Shared or confirmable secrets Symmetric- and public-key encryption Effectively 1-to-1 hash functions Timestamps, nonces, signatures, etc. Protocols Distributed algorithms carried out by stages Abort if something not as expected Page - 3

Protocol Failure Example: TMN (Tatebayeshi-Matsuzaki-Newman) key-distribution protocol 1. A -> S: A, S, B, {SkA}Rsa(PkS) 2. S -> B: S, B, A 3. B -> S: B, S, A, {SkB}Rsa(PkS) 4. S -> A: S, A, B, {SkB}Xor(SkA) ISL notation, but more-or-less standard Published (CRYPTO 89), recommended by experts It s wrong, and has lots of company Page - 4

Belief Logics Formalize authentication reasoning that assumes Page - 5 Good encryption and hash functions Correct distributions of secrets Sample deduction If P believes only P and Q know K, and P receives an M that K decrypts to something meaningful, then P believes Q sent M -- though not necessarily recently or to P AAPA s BGNY logic Derived from Gong-Needham-Yahalom (GNY) logic Sending, receiving, belief, freshness, conveyence, shared secrets, possession, recognizability, trustworthiness, not-fromhere checks, message extensions, feasibility constraints Many extensions and corrections to GNY (e.g., stages, keyexchange functions, hash codes as keys)

Sample AAPA Analysis: ISL (1) /* Tatebayashi, Matsuzaki, Newman (TMN) Protocol */ DEFINITIONS: PRINCIPALS: A,B,S; PRIVATE KEYS: ^PkS; PUBLIC KEYS: PkS; SYMMETRIC KEYS: SkA,SkB; ENCRYPT FUNCTIONS: Xor,Rsa; Xor WITH ANYKEY HASINVERSE Xor WITH ANYKEY; Rsa WITH PkS HASINVERSE Rsa WITH ^PkS; Page - 6

Sample AAPA Analysis: ISL (2) INITIALCONDITIONS: A Received Xor,Rsa,A,B,S,PkS,SkA; A Believes (Fresh SkA; PublicKey S Rsa PkS; SharedSecret A S SkA; Trustworthy B; Trustworthy S); B Received Xor,Rsa,A,B,S,PkS,SkB; B Believes (Fresh SkB; PublicKey S Rsa PkS; SharedSecret A B SkB; Trustworthy A; Trustworthy S); S Received Xor,Rsa,^PkS; S Believes (PrivateKey S Rsa ^PkS; Trustworthy A; Trustworthy B); Page - 7

Sample AAPA Analysis: ISL (3) PROTOCOL: 1. A->S : A,S,B,{SkA}Rsa(PkS); 2. S ->B : S,B,A; 3. B ->S : B,S,A,{SkB}Rsa(PkS) (SharedSecret A B SkB); 4. S ->A : S,A,B,{SkB}Xor(SkA) (SharedSecret A B SkB); GOALS: 1. S Possesses SkA; 3. S Possesses SkB; S Believes SharedSecret A B SkB; 4. A Possesses SkB; A Believes SharedSecret A B SkB; Page - 8

Sample AAPA Analysis: Terminal Output Creating theory tmn Beginning tmn proofs Initializing globals Proving default goals, stage 1 Retrying failed default goals, stage 1 Proving user goals, stage 1 Proving default goals, stage 2 Proving user goals, stage 2 Proving default goals, stage 3 Retrying failed default goals, stage 3 Proving user goals, stage 3 User-goal failure, stage: 3! Goal statement: S Believes (SharedSecret A B SkB); Page - 9

Sample AAPA Analysis:.fail file (1) /* ######## Failed default goal from stage 3: ######## */ S Believes (B Conveyed {SkB}Rsa(PkS) (SharedSecret A B SkB)); /* ============ Unproved subgoals: =========== */ S Believes (S Recognizes SkB); S Believes (SharedSecret S B SkB); S Believes (Fresh {SkB}Rsa(PkS) (SharedSecret A B SkB)); /* ============= Proved subgoals: ============ */ S Received {SkB}Rsa(PkS) (SharedSecret A B SkB); S Possesses Rsa,UNPkS; S Believes (PrivateKey S Rsa UNPkS); Page - 10

Sample AAPA Analysis:.fail file (2) /* ######## Failed default goal from stage 1: ######## */ S Believes (A Conveyed {SkA}Rsa(PkS)); /* ============ Unproved subgoals: =========== */ S Believes (S Recognizes SkA); S Believes (SharedSecret S A SkA); S Believes (Fresh {SkA}Rsa(PkS) (SharedSecret A S SkA)); /* ============= Proved subgoals: ============ */ S Received {SkA}Rsa(PkS); S Possesses Rsa,UNPkS; S Believes (PrivateKey S Rsa UNPkS); Page - 11

Sample AAPA Analysis: Other Files Have a.thms file giving ISL versions of all theorems In TMN case, all interesting theorems are proved subgoals In other cases, useful for figuring out what happened Have option of producing Higher Order Logic (HOL) theory of protocol HOL translation of ISL input Optional outputs mainly used for debugging AAPA Page - 12

AAPA Analysis of Commercial Protocols Customer requested confidentiality Protocols moderately complicated, and huge Roughly 100 items or subitems in some messages Most of detail irrelevant to AAPA analysis -- but which? Biggest formally analyzed examples known to author Results of analyses of two protocols Did not find failures in protocols Found omissions, errors and inconsistencies in documentation Produced basis for much better documentation AAPA additions necessary for effort ISL abbreviation capacity (X = Y as in C) New diagnostics for feasibility failures Page - 13

Page - 14 Plans for the Future Belief logics vs. attack construction Simplicity and speed vs. thoroughness and rigor How to gain one without losing the other: Replace searches with using theorems about searches Research program Find failed protocols in literature Analyze them with AAPA For failures AAPA misses, ask where belief logic allowed false beliefs during attacks Adjust logic and repeat process; time always polynomial User interfaces Use CAPSL (Common Authentication Protocol Specification Language) by Millen and protocol-analysis community Make sure ISL virtues survive in CAPSL

Lessons for Protocol Users and Designers Protocol failure is a little-known, but very real problem Easy design problem is actually a weak link About half of published protocols fail -- estimate based on Lowe s and my own experiences An AAPA analysis is worth performing Finds common failures Gives overview, corrects documentation, identifies information flows, and identifies trust assumptions It s fast and cheap A near-future AAPA could make protocol failure, for practical purposes, into a solved problem Page - 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback