Transcript Verification of Authentication Protocols: the Past and the

Verification of Authentication
Protocols:
the Past and the Present
Why do we need to verify protocols even
after we constructed them with so much
care?
•There is a database of possible attacks on
protocols, but new types of attacks crop up
as history shows over and over again
•We need methods which are suitable to
finding previously unknown attacks
Example: Needham-Schroeder’s PK
protocol
•Originally created in 1978
•It took 15 years to find man-in-the-middle attack
•Formal logic (BAN) could not find the attack, i.e. the
protocol was proven to be correct!
•It takes less than 1 min to find the attack using modelchecking approach. The coding part takes no more
than 1 hour.
The Protocol’s Description
•A
•B
•A
B: {NA,A}PKB
A: {NA, NB} PKA
B: {NB} PKB
The Man-in-the-Middle Attack
•A
•C
•B
•C
•A
•C
C: {NA,A} PKC
B: {NA,A} PKB
C: {NA, NB} PKA
A: {NA, NB} PKA
C: {NB} PKC
B: {NB} PKB
Man-in-the-Middle Attack (cont’d)
•Discovery published in 1993 (15 years after the protocol
was designed) by Gavin Lowe (Oxford, UK).
•Initially found manually
•Fixed and proved in 1995 using a combination of FDR
(automated model-checking) and logical reasoning. The
corrected version is called Needhame-Schroeder-Lowe PK
protocol. The only modification is the 2nd message includes
identity of B
SPIN and forward search techniques
•SPIN is a model-checking software based on Hoare’s
CSP (communicating sequential processes) model
•One models the processes of legitimate users and the
intruder. Intruder comes with Dolev-Yao capabilities
and incorporates all malicious users. Intruder also has
a legitimate identity.
•SPIN will go through all possible interleavings of
steps taken by users and see if any red flags are raised
•This is a forward search technique, i.e. the processes
that will participate are known in advance and all
possible trails of interactions are modeled and checked
Problems with forward search
techniques
•In authentication involving 2 users it is enough only to
model legitimate users A and B and the intruder C, but
one has to choose how many parallel sessions A and B are
allowed to start. Therefore, negative result does not
completely confirm that the protocol is secure
•The state-space explodes exponentially with additional
parallel sessions. One has to limit them to 2 or 3. As a
result, one has to resort to other methods to extend
negative result to the protocol (for example using logical
reasoning)
Motivation for Backward Search
• Let us look at the Needham-Schroeder’s protocol
• Receiver B needs to receive M1= {NANY, A}PKB and M2=
{NB}PKB to successfully authenticate A.
• M2 can be generated by anyone who has the nonce. If it’s
generated by someone other than intruder, attack will not
succeed. For intruder to generate M2, it needs to receive
NB in {N?, NB}PKI or {NB, N?}PKI or {NB}PKI
• To generate {N?, NB}PKI we need B to know that Intruder is
trying to authenticate itself. This is not what we want
Motivation for Backward Search
(cont’d)
• To generate {NB, N?}PKI , the intruder had to have initiated
authentication with process “?” and have passed it {NB,
Intruder}PK?. This message can be generated only by the
intruder and it needs to have NB. We encounter a cycle
• To generate {NB}PKI, some user X has to initiate
communication with the intruder.
• X needs to receive {NX, NB}PKX. This message can be
generated only by B. In turn, B will need to receive {NX,
A}PKB.
• {NX, A}PKB can not be generated by X, since it’s trying to
contact Intruder. Therefore this message has to be
generated by the intruder.
• For intruder to generate {NX, A}PKB , it needs to have the
nonce which will be sent by X in its first message.
• Conclusion: we need one receiver B process, and one
process X trying to initiate authentication with intruder.
We can let X=A
Strand Spaces: building causal dependencies
1. Start with an initial set of causal dependencies and
messages.
2. If a message is causally dependent on a message
not present in the set, add that message
3. Continue until all dependencies are satisfied
4. Check which strands are contained in the resulting
set.
Strands: what are they?
A’s strand would be
+{NA,A}PKB
-{NA, NB, B} PKA
+{NB} PKB
+{NA, NB, B} PKA
-{NB} PKB
B’s strand is
-{NA,A}PKB
Strands: what are they? (Cont’d)
A bundle formed by these strands is
+{NA,A}PKB
-{NA, NB, B} PKA
+{NB} PKB
-{NA,A}PKB
+{NA, NB, B} PKA
-{NB} PKB
This is a bundle for a legitimate run of the protocol and it is
complete in the sense that on each strand all previous messages
are included, and every message received in the bundle is actually
sent in the bundle
Strands: what are intruder’s strands?
Intruder strands have to be more flexible since it does not follow
the protocol.
Some of intruder’s strands are:
•+{t} where t is any text message
•-g where g is any message
•-{K}
-h
+{h}K which means that
if intruder receives a key and a message, it can
encrypt the message and send it out
Similarly, strands that combine 2 messages into one can be
defined as well as those decrypting message
Building a bundle for NSL
Suppose we have an acyclic bundle S that contains one run of B’s
strand. We would like to prove that this bundle will also contain a
run of A’s strand with corresponding nonces.
We start with the assumption that S contains the strand
-{NA,A}PKB
+{NA, NB, B} PKA
-{NB} PKB
We assume that NA NB and that NB uniquely originates in S on
some strand. We want to prove that S must contain the strand
+{NA,A}PKB
-{NA, NB, B} PKA
+{NB} PKB
Building a bundle for NSL
1. S must contain node +{NB} PKB. First we prove that this node
is the only node that contains NB which does not include
message {NA, NB, B} PKA. And causally leads to -{NB} PKB We
also prove that node +{NB} PKB does not lie on an intruder’s
strand. Let L denote the legitimate strand on which node
+{NB} PKB lies.
2. All preceding nodes on L must also be in S. One can easily
show that node -{NA, NB, B} PKA must precede +{NB} PKB on
L, and that this node corresponds to +{NA, NB, B} PKA
Building a bundle for NSL
As a result, S must contain the following:
+{NA, NB, B} PKA
-{NA,A}PKB
+{NA, NB, B} PKA
+{NB} PKB
-{NB} PKB
Building a bundle for NSL
Also, we can see that the upper strand must be A’s and therefore
the picture becomes:
+{NA,A}PKB
+{NA, NB, B} PKA
-{NA,A}PKB
+{NA, NB, B} PKA
+{NB} PKB
-{NB} PKB
This proves that S must contain corresponding strand of A
Building a bundle for NSL
Finally, we can show that we have only 1 strand with the same
signature as the upper one. This shows uniqueness, i.e. the upper
strand is not a replay.
How does this help us?
1. One need to be ADD-free and have good analytical abilities to
analyze even a simple protocol like NSL!
2. Analysis of 5-step protocols can be published as monographs
3. One can do it with a pencil and paper by using logic without
strand spaces
4. We can use model-checkers , let the program run for a week
and come back for a result which is 99% accurate
5. Can we automate this strand-space approach?
D.Song’s Athena: automation of the
strand-space approach
1. If the search terminates, a negative/positive result is produced.
2. The search does not always terminate but works for most
useful protocols
3. State-explosion problem is alleviated through avoidance of
asynchronous composition (i.e. going through all possible
interleavings).
4. States may contain free-variables. Storage/CPU are thus more
efficiently used since free variable states and their transitions
represent infinitely many variable-free states/transitions.
5. Athena determines on-the-fly how many sessions need to be
initiated.
D.Song’s Athena: automation of the
strand-space approach
1. The idea is the following: given the strand of B, we look for
all possible completions of this strand to a bundle and see if
one of them does not contain corresponding strand of A.
2. Note that in the previous presentation there is a subtle issue:
we ignore forwarding of messages by the intruder.
3. To ignore such situations we introduce the notion of goalbinding: if a message M1 has to be triggered by content T, we
would “bind” M1 to the “minimal” positive node from which
one can derive T.
4. Note that in a bundle every node that needs to be “binded” is
actually “binded” within the bundle itself.
Athena: states
1. Suppose we start with a strand s. Let the set containing s be
called C. Each time we add nodes to C, we make sure that
given a node nC the nodes preceding n on its strand are also
included. In this way, C is a “semi-bundle”: it’s backward
closed under
but not necessarily under
2. Note that a bundle is a particular case of a “semi-bundle”, and
if a “semi-bundle” C has no “unbound” goals, then generally
it’s also a bundle (in some degenerate cases intruder’s strands
need to be added).
3. The “semi-bundles” encapsulate the notion of “state”
Athena: state-transitions
1. State-transitions map a “semi-bundle” C to a finite set of other
semi-bundles that can be derived by causally completing C
2. To construct the next state, for each unbound goal we find a
way to bind it. This way we produce a new semi-bundle. The
set of all such semi-bundles is the next state. Note that free
variables may arise in the next state
3. The algorithm itself works by expanding the semi-bundle to
its maximum and seeing whether the result satisfies our needs.
What if the expansion does not terminate?
4. Additional techniques for early detection of unreachability can
speed up the process
Conclusions
1. Forward-search model-checking has limited effectiveness.
2. Backward-search avoids many of the previous problems but is
harder (slightly) to code. In addition, it may not finish at all.
3. Manual methods of proving correctness can not be trusted
completely (BAN logic for example), and one has to be
patient and careful to verify the proofs.
4. Why not create protocols which are easily analyzed instead?
5. AGVI—Automatic Generation, Verification and
Implementation of Security Protocols.