Verifying Security Protocols - PowerPoint PPT Presentation

1 / 31
About This Presentation
Title:

Verifying Security Protocols

Description:

var M : Msg . var P : Principle . Eq M M = M . eq P P = P . Adding Rewrite rules ... var Ne : Nonce . vars E E1 E2 E3 E4 : Token . var Atts : AttributeSet. ... – PowerPoint PPT presentation

Number of Views:44
Avg rating:3.0/5.0
Slides: 32
Provided by: csU64
Category:

less

Transcript and Presenter's Notes

Title: Verifying Security Protocols


1
Verifying Security Protocols
  • Approach
  • Model protocols abstractly using executable
    specification language
  • Model intruders that attempt nondeterministically
    to "break in" to the protocols
  • Use model-checking to search for a break in

2
Encryption
  • One type is public/secret key pairs
  • Each agent has a pair and makes his public key
    known to the world
  • mK message m encrypted with key K
  • PK(x) x's public key
  • SK(PK(x)) x so
  • mPK(B) only B can decrypt the message

3
Security (Cryptographic) Protocols
  • Example
  • Message 1. A -gt B A,B,Na,BPK(B)
  • Message 2. B -gt A B,A,Na,NbPK(A)
  • Message 3. A -gt B A,B,NbPK(B)
  • To establish mutual authentication between
  • Initiator A
  • Responder B
  • That is, A knows he's talking to B and vice
    versa.
  • Na is a nonce.

4
Example attack
  • Message a.1 A-gtI A,I,Na,APK(I)
  • Message b.1 I(A) -gtB A,B,Na,APK(B)
  • Message b.2 B-gt I(A) B,A,Na,NbPK(A)
  • Message a.2 I-gtA I,A,Na,NbPK(A)
  • Message a.3 A-gtI A,I,NbPK(I)
  • Message b.3 I(A)-gtB A,B,NbPK(B)

5
Tool to Find these Attacks
  • First model an intruder for this general class of
    attacks
  • Nondeterministically do the following
  • Remember the contents of messages sent
  • Decrypt message contents when possible
  • Compose new messages from data obtained or
    freshly generated

6
Model Checking
  • Check whether the composition of
  • the protocol model
  • the intruder model
  • violates a property of interest
  • Example only agents A and B obtain Nb in the
    clear

7
Issues
  • The state space is infinite
  • How do we model check?
  • Use on-the-fly model checking and a 3-valued
    logic
  • Domain is true, false, unknown
  • true false unk
  • true true false unk
  • false false false false
  • unk unk false unk

8
CTL on the fly
  • Regular CTL assumes all states are enumerated
  • Algorithm works backwards
  • Label any state AF f1 if all successor states are
    labelled AF f1
  • On-the-fly algorithms compute truth value of a
    formula expanding state space on-the-fly
  • Algorithm must work forward
  • Use unknown

9
CTL Operators with 3-valued logic
  • Reduce all temporal operators to
  • A(F1 U F2), E(F1 U F2)
  • SAT(A(F1 U F2),S)
  • if S F2 then backtrack (true on this path)
  • else if (S F1) then return false
  • else if unk(S F1) then backtrack
  • else if leafState(S) then return
    false
  • else if maxDepth then
    backtrack
  • else continue

10
Handling Loops in the State Space
  • AF1 U F2 F2 v (F1 AX AF1 U F2)
  • Suppose the current state is S, if S F2 then
    backtrack
  • Suppose the next state, S1, has been visited
    previously
  • Then AF1 U F2 must be unknown in S1 so if S
    F1 backtrack and if (S F1) then return false

11
Caching States
  • The model-checker caches states in order to
  • Detect loops
  • Avoid re-exploration of states already checked

12
Maude
  • Declarative semantics based on rewriting logic
  • Extends algebraic specification to concurrent
    systems in which transitions are specified as
    rewrite rules
  • Flexible, allowing synchonous and asynchonous
    models of concurrency
  • The state of a concurrent system is specified as
    an algebraic data type by means of an equational
    specification
  • A signature and a set of conditional equations

13
Example
  • sorts Msg Principle Configuration .
  • subsort Msg Principle lt Configuration .
  • op none -gt Configuration .
  • op __ Configuration Configuration -gt
    Configuration assoc comm id none .
  • Unordered bag of Principles and Messages
  • var M Msg . var P Principle .
  • Eq M M M . eq P P P .

14
Adding Rewrite rules
  • op from_to__ Oid Oid Stuff -gt Msg .
  • op lt_Principle _gt Oid Attributes -gt
    Principle .
  • var A D Oid.
  • rl name
  • ((from A to D some-message)
  • lt D Principle some-attributes gt)
  • gt
  • lt D Principle updated-attributes gt .

15
A Protocol in Maude
  • sorts Msg Token Key Secret SecretList Principle
    NonceSeed .
  • subsort Secret lt SecretList .
  • subsort Principle Msg NonceSeed lt Configuration
    .
  • op secrets_ SecretList -gt Attribute .
  • op mySecrets_ SecretList -gt Attribute .
  • op _ MachineInt -gt NonceSeed .
  • op n MachineInt -gt Nonce .
  • op mtSecretList -gt SecretList .

16
Protocol in Maude cont'd
  • op SL SecretList SecretList -gt SecretList
    assoc comm id mtSecretList .
  • op _in_ MachineInt SecretList -gt Bool .
  • op _from_to__ MachineInt Oid Oid Token -gt
    Msg
  • op _,__ MachineInt Oid Key -gt Token .
  • op _,__ MachineInt MachineInt Key -gt Token .
  • op lt_Principle_gt Oid AttributeSet -gt
    Principle .
  • op __ MachineInt Key -gt Token .
  • op __ Oid MachineInt -gt Secret .
  • op key Oid -gt Key .
  • op key MachineInt Oid Oid -gt Key .

17
Protocol in Maude cont'd
  • ops I S A B -gt Oid .
  • vars P Q P' Q' R' Oid .
  • vars K K' Key .
  • vars Sl Sl' SecretList .
  • vars N N' Nc Na Nb MachineInt .
  • var Ne Nonce .
  • vars E E1 E2 E3 E4 Token .
  • var Atts AttributeSet .
  • var Conf Configuration .

18
Protocol in Maude cont'd
  • crl NSE_step1
  • (1 from P to Q Na,P key(Q))
  • lt Q Principle secrets Sl, mySecrets
    Sl', Atts gt
  • Nb
  • gt
  • (2 from Q to P Na,Nb key(P))
  • lt Q Principle secrets SL((P Na),Sl),
    mySecrets SL((P Nb),Sl'), Atts gt
  • Nb 1
  • if not(P in Sl) .

19
Protocol in Maude cont'd
  • crl NSE_step2
  • (2 from Q to P Na,Nb key(P))
  • lt P Principle mySecrets SL((Q
    Na),Sl), secrets Sl', Atts gt
  • gt
  • (3 from P to Q Nb key(Q))
  • lt P Principle mySecrets SL((Q
    Na),Sl), secrets SL((Q Nb),Sl'), Atts gt
  • if not(Na in Sl) or not(Nb in Sl) .

20
Protocol in Maude cont'd
  • rl NSE_step3
  • (3 from P to Q Nb key(Q))
  • lt Q Principle mySecrets SL((P
    Nb),Sl), Atts gt
  • gt
  • lt Q Principle mySecrets SL((P
    Nb),Sl), Atts gt .

21
Example run of the Protocol
  • Initial Configuration
  • lt A Principle mySecrets none , secrets
    none gt
  • lt B Principle mySecrets none, secrets
    none gt
  • (1 from A to B 1,Akey(B))
  • 2

22
Example cont'd
  • Final Configuration
  • lt A Principle secrets (B 1),mySecrets
    (B 2) gt
  • lt B Principle secrets (A 1),mySecrets
    (A 2) gt
  • 3

23
Simple Example of Nondeterminism in Maude
  • mod ND-INT is including MACHINE-INT .
  • sort NdInt .
  • subsort MachineInt lt NdInt .
  • op _?_ NdInt NdInt -gt NdInt assoc comm .
  • var N MachineInt . var ND NdInt .
  • eq N ? N N .
  • rl choice N ? ND gt N .
  • endm

24
Example rewrites
  • rew (1 ? 5 ? 2 ? 1 ? 5) (3 ? 11 ? 7 ? 3 ? 11)
    .
  • 4 (default rewrite strategy)
  • We can think of each possible rewrite application
    as a different possible transition from the
    "state" above
  • Maude provides a way of getting at these
    different transitions
  • This is what the model checker uses

25
An Intruder in Maude
  • crl rememberPrinciples
  • lt P Principle Atts gt
  • lt I Principle startAgents As,
  • agents As', Atts' gt
  • gt
  • lt P Principle Atts gt
  • lt I Principle startAgents AS(As,P),
  • agents AS(As',P),
    Atts' gt
  • if not(P in As) .

26
Intruder cont'd
  • crl rememberTokens
  • (N from P to Q E)
  • lt I Principle tokens Ts, Atts gt
  • gt
  • (N from P to Q E)
  • lt I Principle tokens TS(Ts,E),Atts gt
  • if not(myToken(I,E)) and not(E in Ts) .

27
Intruder Cont'd
  • crl rememberNonces
  • (N from P to Q E)
  • lt I Principle nonces Ns, Atts gt
  • gt
  • (N from P to Q E)
  • lt I Principle nonces NS(noncesIn(E),Ns),
    Atts gt
  • if not(Na in Ns) and myToken(I,E) .

28
Intruder Cont'd
  • crl genMessage1
  • lt I Principle agents AS(P,Q,As),
  • nonces NS(Na,Ns), Atts gt
  • lt Q Principle mySecrets Sl, Atts' gt
  • gt
  • lt I Principle agents AS(P,Q,As), nonces
    NS(Na,Ns), Atts gt
  • lt Q Principle mySecrets Sl, Atts' gt
  • (1 from Q to P Na,Qkey(P))
  • if not(P in Sl) and not((1 from Q to P
    Na,Qkey(P)) in Ms) .

29
Intruder Cont'd
  • crl genMessage3
  • lt I Principle agents AS(P,Q,As), tokens
    TS(E,Ts), Atts gt
  • gt
  • lt I Principle agents AS(P,Q,As), tokens
    TS(E,Ts), Atts gt
  • (2 from P to Q E)
  • if not ((2 from P to Q E) in Ms) .

30
Why Maude?
  • Maude enable protocols, intruders, and
    verification tools like model-checkers to be
    specified at a high level
  • Enables clean separation of protocol, intruder,
    and fault models
  • declarative semantics, module composition
    algrebra
  • Maude is reflective
  • one module can operate on another

31
Reflection is powerful
  • The module checker uses reflection
  • enables different rewrite strategies to be
    controlled dynamically
  • Opens the possibility of automatically generating
    all or part of an intruder
  • Enables analyses such as partial order reduction
    to be done in maude
  • Enables simple interface with theorem provers
  • Enables high-level specification and execution of
    complex algorithms
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Verifying Security Protocols" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!