Modeling and Verification of Cryptographic Protocols Using


Formal Analysis of Network Security Authentication Protocols
Xiao Meihua (肖美华)
School of Information Engineering, Nanchang University (Nanchang, 330029)
Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences (Beijing, 100080)
Organization

Introduction

Related Work

Formal System Notation

Intruders Algorithmic Knowledge Logic

Verification Using SPIN/Promela

Conclusion
2015/7/18  The 20th National Computer Security Academic Exchange Conference (第二十次全国计算机安全学术交流会)  slide 2
Introduction


Cryptographic protocols are protocols that use cryptography to distribute keys and to authenticate principals and data over a network.
Formal methods: a combination of a mathematical or logical model of a system and its requirements, together with an effective procedure for determining whether a proof that the system satisfies its requirements is correct. Three ingredients:
Model;
Requirement (Specification);
Verification.
Introduction (cont.)
In cryptographic protocols it is crucial to ensure that:
messages meant for a principal cannot be read or accessed by others (secrecy);
the genuineness of the sender of a message is guaranteed (authenticity);
integrity;
non-repudiation (NRO, NRR);
fairness, etc.
Related Work
Techniques for verifying security properties of cryptographic protocols can be broadly categorized as:
- methods based on belief logics (BAN logic)
- π-calculus based models
- state machine models (model checking)
- theorem prover based methods (NRL, Meadows)
- methods based on a state machine model and a theorem prover (Athena, Dawn)
- type checking
- ISCAS, LOIS, … (in China)
Model checking advantages (compared with theorem proving): automatic; a counterexample is produced if a property is violated. LTL (linear temporal logic) is used to specify properties.
Model checkers applied to protocols: FDR (Lowe); Murφ (Mitchell); Interrogator (Millen); Brutus (Marrero); SPIN (Holzmann).

Notation
(1) Messages
a ∈ Atom ::= C | N | k |
m ∈ Msg ::= a | m • m | {m}k
(2) Contain relationship (⊑)
m ⊑ a ≜ m = a
m ⊑ m1 • m2 ≜ m = m1 • m2 ∨ m ⊑ m1 ∨ m ⊑ m2
m ⊑ {m1}k ≜ m = {m1}k ∨ m ⊑ m1
Submessages: sub-msgs(m) ≜ {m’ ∈ Msg | m’ ⊑ m}


Notation
(3) Derivation (⊦, Dolev-Yao model)
m ∈ B ⇒ B ⊦ m (membership)
B ⊦ m ∧ B ⊦ m’ ⇒ B ⊦ m • m’ (pairing)
B ⊦ m • m’ ⇒ B ⊦ m ∧ B ⊦ m’ (projection)
B ⊦ m ∧ B ⊦ k ⇒ B ⊦ {m}k (encryption)
B ⊦ {m}k ∧ B ⊦ k⁻¹ ⇒ B ⊦ m (decryption)


Notation
(4) Properties
Lemma 1. B ⊦ m ∧ B ⊆ B’ ⇒ B’ ⊦ m
Lemma 2. B ⊦ m’∧ B ∪ {m’ } ⊦ m ⇒ B ⊦ m
Lemma 3. B ⊦ m ∧ X ⊑ m ∧ B ⊬ X ⇒ (Y: Y ∈ sub-msgs(m) : X ⊑ Y ∧ B ⊦ Y) ∧ (b: b ∈ B : Y ⊑ b) ∧ (Z, k: Z ∈ Msg ∧ k ∈ Key : Y = {Z}k ∧ B ⊬ k⁻¹)
Lemma 4. (k, b: k ∈ Key ∧ b ∈ B : k ⊑ b ∧ A ⊬ k ∧ A ∪ B ⊦ k) ∨ (z: z ∈ sub-msgs(x) : a ⊑ z ∧ A ⊦ z) ∨ (b: b ∈ B : a ⊑ b ∧ A ⊬ a)

Logic of Algorithmic Knowledge
Definition 1. Primitive propositions P0s for security:
p, q ∈ P0s ::= sendi(m) | recvi(m) | hasi(m)
sendi(m): principal i sent message m
recvi(m): principal i received message m
hasi(m): principal i has message m

Logic of Algorithmic Knowledge
Definition 2. An interpreted security system S = (R, ∏R), where R is a system for security protocols and ∏R is the following interpretation of the primitive propositions in R:
∏R(r, m)(sendi(m)) = true iff there is some j such that send(j, m) ∈ ri(m)
∏R(r, m)(recvi(m)) = true iff recv(m) ∈ ri(m)
∏R(r, m)(hasi(m)) = true iff there is some m’ such that m ⊑ m’ and recv(m’) ∈ ri(m)

Logic of Algorithmic Knowledge
Definition 3. An interpreted algorithmic security system is a tuple (R, ∏R, A1, A2, …, An), where R is a security system, ∏R is the interpretation in R, and Ai is the knowledge algorithm of principal i.
Algorithmic knowledge logic
AiDY(hasi(m), l) ≜
    K ← keysof(l)
    for each recv(m’) in l do
        if submsg(m, m’, K) then
            return “Yes”
    return “No”

submsg(m, m’, K) ≜
    if m = m’ then return true
    if m’ is {m1}k and k⁻¹ ∈ K then return submsg(m, m1, K)
    if m’ is m1 • m2 then return submsg(m, m1, K) ∨ submsg(m, m2, K)
    return false
Cont.
getkeys(m, K) ≜
    if m ∈ Key then return {m}
    if m is {m1}k and k⁻¹ ∈ K then return getkeys(m1, K)
    if m is m1 • m2 then return getkeys(m1, K) ∪ getkeys(m2, K)
    return {}

keysof(l) ≜
    K ← initkeys(l)
    loop until no change in K
        K ← K ∪ getkeys(m, K) for each recv(m) ∈ l
    return K
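The knowledge algorithm AiDY above, together with submsg, getkeys and keysof, as an added Python example (not code from the slides). Messages are encoded as nested tuples, the key universe, key inverses and the local history are constructed for this example, and the history is chosen so that the session key is only reachable after two rounds of the keysof fixpoint (a key delivered under a key that was itself delivered under the initial key).

```python
# Added example (not from the slides): the Dolev-Yao knowledge algorithm
# A_i^DY(has_i(m), l) from the "Algorithmic knowledge logic" slides.
# Message encoding (an assumption of this example):
#   atom            -> a plain string, e.g. "Na", "Kab", "A"
#   pairing m1.m2   -> ("pair", m1, m2)
#   encryption {m}k -> ("enc", m, k)   with k an atom naming the key
# A local history l is a list of events ("recv", m) or ("send", j, m).

KEYS = {"Kas", "Kbs", "Kab", "K1", "K2", "PKa", "SKa"}  # constructed key universe
INVERSE = {"PKa": "SKa", "SKa": "PKa"}                  # asymmetric pairs; symmetric keys are self-inverse

def inv(k):
    """k⁻¹: the decryption key for k."""
    return INVERSE.get(k, k)

def submsg(m, mp, K):
    """Slide's submsg(m, m', K): can m be reached inside m' using only keys in K?"""
    if m == mp:
        return True
    if isinstance(mp, tuple):
        if mp[0] == "enc":
            _, m1, k = mp
            return inv(k) in K and submsg(m, m1, K)   # may only look under a ciphertext we can open
        if mp[0] == "pair":
            _, m1, m2 = mp
            return submsg(m, m1, K) or submsg(m, m2, K)
    return False

def getkeys(m, K):
    """Slide's getkeys(m, K): keys visible in m given decryption keys K."""
    if isinstance(m, str):
        return {m} if m in KEYS else set()
    if m[0] == "enc":
        _, m1, k = m
        return getkeys(m1, K) if inv(k) in K else set()
    if m[0] == "pair":
        _, m1, m2 = m
        return getkeys(m1, K) | getkeys(m2, K)
    return set()

def keysof(l, initkeys):
    """Slide's keysof(l): least fixpoint of the keys extractable from received messages,
    starting from the principal's initial keys (initkeys(l) on the slide)."""
    K = set(initkeys)
    while True:
        new = set(K)
        for ev in l:
            if ev[0] == "recv":
                new |= getkeys(ev[1], K)
        if new == K:
            return K
        K = new

def has_dy(m, l, initkeys):
    """A_i^DY(has_i(m), l): 'Yes' iff some received message contains m under the
    keys principal i can compute from l; the algorithm never guesses keys."""
    K = keysof(l, initkeys)
    for ev in l:
        if ev[0] == "recv" and submsg(m, ev[1], K):
            return "Yes"
    return "No"

# Constructed local history of a principal whose initial key is Kas:
#   1. {K1}Kas        a fresh key under the initial key
#   2. {Nb . K2}K1    a second key, only reachable once K1 is known
#   3. {Secret}K2     payload under the second key
HISTORY = [
    ("send", "B", ("pair", "A", "Na")),
    ("recv", ("enc", "K1", "Kas")),
    ("recv", ("enc", ("pair", "Nb", "K2"), "K1")),
    ("recv", ("enc", "Secret", "K2")),
]

if __name__ == "__main__":
    print("keys computed:", sorted(keysof(HISTORY, {"Kas"})))   # Kas, K1, K2
    print("has Secret with Kas:", has_dy("Secret", HISTORY, {"Kas"}))   # Yes
    print("has Secret without Kas:", has_dy("Secret", HISTORY, set()))  # No
```

The same history evaluated with an empty initial key set models an intruder that recorded the traffic but holds no long-term key: every ciphertext stays opaque, so the algorithm answers "No" for the secret, which is exactly the distinction the interpretation of hasi(m) is meant to capture.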
Verification Using SPIN/Promela
SPIN is a highly successful and widely used software model-checking system based on formal methods from computer science. It has made advanced theoretical verification methods applicable to large and highly complex software systems.
In April 2002 the tool was awarded the prestigious ACM System Software Award for 2001.
SPIN uses a high-level language, Promela (PROcess MEta LAnguage), to specify system descriptions, including protocols.
BAN-Yahalom Protocol
[1] A→B: A, Na
[2] B→S: B, Nb, {A, Na}Kbs
[3] S→A: Nb, {B, Kab, Na}Kas , {A, Kab, Nb}Kbs
[4] A→B: {A, Kab, Nb}Kbs , {Nb}Kab
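The contain relation ⊑, sub-msgs and the Dolev-Yao derivation relation ⊦ from the Notation slides, applied to the four BAN-Yahalom messages above, as an added Python example (not code from the slides). It assumes the nested-tuple message encoding given in its comments, symmetric keys only (k⁻¹ = k), that principal names are public, and that the adversary is a passive observer of one honest run; with those assumptions it checks which terms the observer can derive, which is the secrecy question a model checker asks at every intruder step.

```python
# Added example (not from the slides): ⊑, sub-msgs and B ⊦ m (Dolev-Yao)
# from the Notation slides, run over one honest BAN-Yahalom session.
# Message encoding (an assumption of this example):
#   atom            -> a plain string ("A", "Na", "Kab", ...)
#   pairing m1.m2   -> ("pair", m1, m2)
#   encryption {m}k -> ("enc", m, k), k an atom naming a symmetric key

def pair(*ms):
    """Right-nested pairing: pair(a, b, c) = a.(b.c)."""
    m = ms[-1]
    for x in reversed(ms[:-1]):
        m = ("pair", x, m)
    return m

def enc(m, k):
    return ("enc", m, k)

def contains(m, big):
    """m ⊑ big, following the three clauses of the slide's definition."""
    if m == big:
        return True
    if isinstance(big, tuple):
        if big[0] == "pair":
            return contains(m, big[1]) or contains(m, big[2])
        if big[0] == "enc":
            return contains(m, big[1])
    return False

def sub_msgs(m):
    """sub-msgs(m) = {m' | m' ⊑ m}."""
    out = {m}
    if isinstance(m, tuple):
        out |= sub_msgs(m[1])
        if m[0] == "pair":
            out |= sub_msgs(m[2])
    return out

def analyze(B):
    """Closure of B under the destructive rules (projection, decryption)."""
    K = set(B)
    while True:
        new = set(K)
        for x in K:
            if isinstance(x, tuple):
                if x[0] == "pair":
                    new.add(x[1])
                    new.add(x[2])
                elif x[0] == "enc" and x[2] in K:   # k⁻¹ = k for symmetric keys
                    new.add(x[1])
        if new == K:
            return K
        K = new

def derives(B, m):
    """B ⊦ m: analyze B first, then rebuild m with pairing and encryption.
    Every Dolev-Yao derivation in this free message algebra can be put in
    that analyze-then-synthesize shape, so the check is exact."""
    A = analyze(B)
    def synth(x):
        if x in A:
            return True
        if isinstance(x, tuple):           # pair needs both halves; enc needs m and k
            return synth(x[1]) and synth(x[2])
        return False
    return synth(m)

# The four BAN-Yahalom messages of one honest run, as seen on the wire.
msg1 = pair("A", "Na")
msg2 = pair("B", "Nb", enc(pair("A", "Na"), "Kbs"))
msg3 = pair("Nb", enc(pair("B", "Kab", "Na"), "Kas"), enc(pair("A", "Kab", "Nb"), "Kbs"))
msg4 = pair(enc(pair("A", "Kab", "Nb"), "Kbs"), enc("Nb", "Kab"))
OBSERVED = {msg1, msg2, msg3, msg4, "A", "B", "S"}   # names are public knowledge

def secrecy_report(observed, terms):
    """Which of `terms` a Dolev-Yao observer with knowledge `observed` can derive."""
    return {t: derives(observed, t) for t in terms}

if __name__ == "__main__":
    print(secrecy_report(OBSERVED, ["Na", "Nb", "Kab"]))            # Kab stays secret
    print(secrecy_report(OBSERVED | {"Kbs"}, ["Kab"]))             # leaking Kbs exposes Kab
    print("Kab ⊑ msg3:", contains("Kab", msg3))                     # contained but not derivable
```

Note the gap between ⊑ and ⊦ that Lemma 3 describes: Kab is a sub-message of msg3, yet it is not derivable because every occurrence sits under Kas or Kbs, whose inverses the observer lacks. Adding Kbs to the observer's knowledge is enough to flip the answer, which is the check a model checker repeats after each message the intruder learns.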
Attack 1
(intruder impersonates Bob to Alice)
α.1 A→I(B): A, Na
β.1 I(B)→A: B, Na
β.2 A→I(S): A, Na’, {B, Na}Kas
γ.2 I(A)→S: A, Na, {B, Na}Kas
γ.3 S→I(B): Na, {A, Kab, Na}Kas , {B, Kab, Na}Kbs
α.3 I(S)→A: Ne, {B, Kab, Na}Kas , {A, Kab, Na}Kbs
α.4 A→I(B): {A, Kab, Nb}Kbs , {Ne}Kab
Attack 2
(intruder impersonates Alice)
α.1 A→B: A, Na
α.2 B→S: B, Nb, {A, Na}Kbs
β.1 I(A)→B: A, (Na, Nb)
β.2 B→I(S): B, Nb’, {A, Na, Nb}Kas
α.3 (Omitted)
α.4 I(A)→B: {A, Na, Nb}Kbs , {Nb}Na
Attack 3
α.1 A→B: A, Na
α.2 B→S: B, Nb, {A, Na}Kbs
β.1 I(B)→A: B, Nb
β.2 A→I(S): A, Na’, {B, Nb}Kas
γ.2 I(A)→S: A, Na, {B, Nb}Kas
β.3 S→I(B): Na, {A, Kab’, Nb}Kbs , {B, Kab’, Na}Kas
δ.3 I(S)→A: Nb, {B, Kab’, Na}Kas , {A, Kab’, Nb}Kbs
α.4 A→B: {A, Kab’, Nb}Kbs , {Nb}Kab’
Optimization strategies
Two techniques are used: static analysis and syntactical reordering.
They are illustrated using the BAN-Yahalom verification model as the benchmark:
- Original version: neither static analysis nor syntactical reordering is applied;
- Fixed version (1): only static analysis is applied;
- Fixed version (2): both static analysis and syntactical reordering are applied.
Experimental results show the effectiveness of the two techniques (state and transition counts of the SPIN search):

Protocol model       | With type flaws      | No type flaws
                     | States    Trans.     | States    Trans.
---------------------+----------------------+---------------------
Original version     | 1580      2065       | 549       697
Fixed version (1)    | 712       1690       | 405       379
Fixed version (2)    | 433       512        | 225       243
Needham-Schroeder Authentication Protocol
Attack to N-S Protocol
(found by SPIN)
Conclusion
(1) Based on a logic of algorithmic knowledge, a formal description of the intruder under the Dolev-Yao model is constructed;
(2) the security protocols are verified on this basis using the model checker SPIN, and three attacks have been found in a single general model of the BAN-Yahalom protocol;
(3) search strategies such as static analysis and syntactical reordering are applied to reduce the model checking complexity, and these approaches will benefit the analysis of more protocols;
(4) Scalability.
In any case, having a logic where we can specify the abilities of intruders
is a necessary prerequisite to using model-checking techniques.
Thanks!