Model Checking for Security Protocols

1
Model Checking for Security Protocols

• Will Marrero, Edmund Clarke, Shomesh Jha

2
Needham-Schroeder Protocol (circa 1996)

• Purpose Authenticate Participants

3
Assumptions

• Perfect Encryption
• The decryption key must be known to encrypt
• No encryption collisions
• Proof offer no protection from poor encryption
  implementation!

4
Intruders Ability

• Interception
• Ex
• Impersonation
• Ex
• Legitimate Participant
• Ex
• Compromise Temporary Secrets
• But those secrets should not be revealed by
  protocol

5
Security Properties

• Secrecy
• Tracked by two sets in global state
• Correspondence
• If A believes it has completed two protocol runs
  with principal B, then principal B must have at
  least begun two protocol runs with principal A.
• Tracked by counters in global state

6
Atomic Messages

• Keys
• Ex
• Principal Names
• Ex A, B, I
• Nonces
• Ex
• Data

7
Messages and Atomic Messages

• Given A a set of atomic messages, M the set of
  all messages is defined inductively

8
Closure of Messages

• Let be a subset of messages
• The closure of is defined by
• 
  (pairing)
• 
  (projection)
• 
  (encryption)
• 
  (decryption)

9
Principals

• A 4-Tuple
• N the name of the principal
• p a process given as a sequence of actions to be
  performed
• is a set of known messages, generally
  infinite, but from a finite generator set.
• B a set of bindings from variables in p to
  messages in I

10
Initial Knowledge

• For the intruder

11
Global State

• A 5-Tuple
• is the product of the individual principals
  (including the intruder)
• difference between number of
  times A has initiated a protocol and the number
  of times B has finished responding
• difference between number of
  times A has begun responding and the number of
  times B has finished initiating

12
Global State Continued

• A 5-Tuple
• a set of safe secrets. Remains
  constant.
• a set of temporary secrets. New
  secrets generated during the run of the protocol.
• The last four values check security constraints.

13
Process
14
Internal Actions

• NEWNONCE(var)

• NEWSECRET(var)

15
Internal Actions

• GETSECRET(val) Intruder Only

16
Internal Actions

• A calls BEGINIT(B),
• B calls ENDRESPOND(A)
• BEGRESPOND/ENDINIT
• Symmetric on

17
Communication Actions

• Send and receives are synchronized
• A process can only send a message if it unifies
  with a receive message
• Sender must be able to sculpt a message that
  matches all existing bindings and expectations
• How does the intruder sculpt such a message?

18
Model Checking Algorithm
19
Finding a needle in a haystack

• Decidability of when is probably
  infinite?
• Normalized Derivation
• 
  (pairing)
• 
  (projection)
• 
  (encryption)
• 
  (decryption)

Expanding Rules
Shrinking Rules
20
Normalized Derivation

• Following algorithm is guaranteed to terminate
  and decide
• Start with a generator set
• Apply all possible shrinking rules
• Try all possible sequences of expanding rules
  until word size is equal to s
• Proves existence

21
An Efficient Approach

• When adding a message to I in
• Apply all possible shrinking rules
• Remove redundant messages
• Result is minimal generator
• Can recursively attempt to build

22
Verification and Attack
23
Verification and Attack

• The lack of correspondence trace reveals the
  following attack