The Inductive Approach to Verifying Cryptographic Protocols
Shaohui Wang (aka Vincent)
[email protected]
Computer and Information Science, University of Pennsylvania
November 6, 2015
An Example: A Variant of the Otway-Rees Protocol
Formal Modeling of Cryptographic Protocols
Properties of the Otway-Rees Protocol Variant
Proofs in Details (Optional)
Conclusions
11/6/2015
The Inductive Approach to Verifying Cryptographic Protocols
2
Goal: To establish a session key between A and B for communication
A Spy Acts According to the Protocol Rules, but Can
• Overhear the traffic in the protocol
• Intercept events in the protocol
• Forge new messages from her existing knowledge
• Send fraudulent messages to other agents
Forging of New Messages
• A spy can analyze her known set of messages, including
decrypting messages if she knows the key.
• She can form fraudulent messages out of this analysis.
• Formally, she sends messages from the set of synth(analz H).
Assumptions
• A spy can act as an honest agent.
• A spy can also send fraudulent messages.
• Should the spy hold somebody’s key, communications between
other agents should not suffer.
Model Components in a Cryptographic Protocol
• Messages—as sets of (uninterpreted) identities
E.g., {| A, B, Na |}, {| A, Na, Crypt K Na |}
• Operations on messages—as inductively defined operators
analz, parts, synth
• Events—as logical formulas based on primitives
E.g., Says A B {| Na, A, B, Crypt Ka {| Na, A, B |} |}
Describe Behaviors of Components with Traces / Rules
• Communication session—as a trace of events
• Behaviors of components—as rules under which an existing
trace can be extended
State and Prove Properties
• E.g., a nonce can never be generated by two different agents
• Caution: stating the correct theorems is crucial!
A message is one of
• Agent—A, B, Spy, S, etc.
• Number—1, 2, 3, etc. (Guessable)
• Nonce—Na, Nb, Na’, etc. (Non-guessable)
• Key—Ka, Kb, Kab, etc.
• Tuple / Compound Message—{| Na, A, B |}
• Hash—Hash X, where X is a message
• Encryption—Crypt K X, or {| X |}K
An event is one of
• Says A B X
where A and B are agents and X is a message
• Notes A X
where A is an agent and X is a message
A trace is a sequence of events
• E.g., An empty sequence [] of events is a trace
• E.g., [Says A B X, Notes Spy X, Says B S {| Nb, A, B, X |} ]
is a trace
Protocol behaviors are described with allowed rules for trace construction
• Protocol Specific Rules
• Standard Rules
  – Nil rule: [] is a trace
  – Fake rule: a spy can send a fraudulent message (the parts, analz, and synth operators are needed to define a fraudulent message; see the next slides)
  – Oops rule: a spy can take note of a compromised key
If evs is a trace, Na is a fresh nonce and B is an
agent distinct from A and S, then evs may be
extended with the event
• Says A B {| Na, A, B, {| Na, A, B |}Ka |}
If evs is a trace with an event of the form
• Says A’ B {| Na, A, B, X |}
and Nb is a fresh nonce and B is distinct from S, then evs may be extended with the event
• Says B S {| Na, A, B, X, Nb, {| Na, A, B |}Kb |}
If evs is a trace with an event of the form
• Says B’ S {| Na, A, B, {| Na, A, B |}Ka, Nb, {| Na, A, B |}Kb |}
and Kab is a fresh key and B is distinct from S, then evs may be extended with the event
• Says S B {| Na, {| Na, Kab |}Ka, {| Nb, Kab |}Kb |}
If evs contains the two events
• Says B S {| Na, A, B, X’, Nb, {| Na, A, B |}Kb |}
• Says S’ B {| Na, X, {| Nb, K |}Kb |}
and A is distinct from B, then evs may be extended with the event
• Says B A {| Na, X |}
Nil rule (the empty list)
• [] is a trace
Fake rule
If evs is a trace, X is a fraudulent message in synth(analz H), and B is distinct from Spy, then evs may be extended with the event
• Says Spy B X
Oops rule
If evs is a trace and S distributed the session key K in a run involving the nonces Na and Nb, then evs may be extended with the event
• Notes Spy {| Na, Nb, K |}
Definition
• The set parts H is obtained from H by repeatedly adding the components of compound messages and the bodies of encrypted messages
• The key K in Crypt K X is not included unless K is itself a part of X.
• Represents the set of all components of H that are potentially recoverable.
Example
• parts{ {| A, Na, Crypt K X |} } = { {| A, Na, Crypt K X |}, A, Na, Crypt K X, X }
Properties
Definition
• The set analz H is obtained from H by repeatedly adding the components of compound messages and by decrypting messages whose keys are in analz H.
• Represents the most that could be gleaned from H without breaking ciphers.
Example
• analz{ {| Na |}Ka } = { {| Na |}Ka }
• analz{ {| {| Na |}Ka, Ka^-1 |} } = { {| {| Na |}Ka, Ka^-1 |}, {| Na |}Ka, Ka^-1, Na }
Properties
Definition
• The set synth H models the messages a spy could build up from elements of H by repeatedly adding agent names, forming compound messages and encrypting with keys contained in H.
Example
• synth{ {| K |} } = { A, {| A, K |}, Crypt K A, {| A, Crypt K (Crypt K A) |}, … } (essentially unbounded)
Properties
Monotonic
Idempotent
Equations
Equivalencies
parts
analz
• The set of keys that can decrypt messages in H
• Defining analz (the case for Crypt)
She has some initial knowledge
• The server S knows the shared keys for everyone
• Each agent knows his own key
• The Spy knows keys of a set of bad agents
She updates her knowledge on the fly
• Initially she only has her initial knowledge
• If she overheard an event Says A B X, she learns X
• If she overheard an event Notes A X and knows the key for A, she learns X
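An added example, not from the slides: the parts, analz and synth operators of the preceding slides together with the spy's knowledge function, implemented over a constructed tuple encoding of messages; it assumes symmetric keys (the inverse of Ka is Ka itself) and uses n-ary tuples for {| … |}.

```python
# Added example: Paulson's parts / analz / synth and the spy's knowledge
# "spies evs", over constructed tuple terms: ("Agent", a), ("Number", n),
# ("Nonce", n), ("Key", k), ("MPair", (m1, ...)), ("Hash", m), ("Crypt", k, m).
# Assumption: symmetric keys, so the inverse of Ka is Ka itself.

def parts(H):
    """Repeatedly add tuple components and ciphertext bodies (never the key)."""
    seen, todo = set(), list(H)
    while todo:
        m = todo.pop()
        if m not in seen:
            seen.add(m)
            if m[0] == "MPair":
                todo.extend(m[1])
            elif m[0] == "Crypt":
                todo.append(m[2])      # the body, never the encrypting key
    return seen

def analz(H):
    """Like parts, but decrypt only with keys already present in analz H."""
    known = set(H)
    while True:
        new = set()
        for m in known:
            if m[0] == "MPair":
                new |= set(m[1])
            elif m[0] == "Crypt" and ("Key", m[1]) in known:
                new.add(m[2])          # key is known, so the body is learnt
        if new <= known:               # fixpoint reached
            return known
        known |= new

def in_synth(X, H):
    """X in synth H: H itself, any agent/guessable number, tuples, hashes, Crypt with a key in H."""
    if X in H or X[0] in ("Agent", "Number"):
        return True
    if X[0] == "MPair":
        return all(in_synth(c, H) for c in X[1])
    if X[0] == "Hash":
        return in_synth(X[1], H)
    return X[0] == "Crypt" and ("Key", X[1]) in H and in_synth(X[2], H)

def spies(evs, initial, bad):
    """Knowledge from ("Says", A, B, X) / ("Notes", A, X): Says is overheard, Notes only if A is bad."""
    known = set(initial)
    for ev in evs:
        if ev[0] == "Says" or ev[1] in bad:
            known.add(ev[-1])
    return known
```

The Fake rule's precondition for a message X on a trace evs is then `in_synth(X, analz(spies(evs, initial, bad)))`.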
What we have now
• The behaviors of agents / server / spy are described by
rules
• The interaction is modeled as a trace of events
What to do next
• State properties on any trace that can be constructed according to the protocol rules
E.g., secret keys remain secret, i.e., A’s key is known to the Spy if
and only if A is a bad agent.
Formal description:
• Prove them!
Most of the time with induction!
The set of natural numbers is inductively defined
• 0 is a natural number, and if n is a natural number then so is Suc n.
To prove a property P on all natural numbers
• Prove P(0), and that P(n) implies P(Suc n).
A cryptographic session trace is inductively defined
• [] is a trace
• ev#evs is a trace if evs is a trace, and ev is the new message allowed by the protocol
To prove a property P on a trace
• Prove P([]), and that P(evs) implies P(ev#evs) for all allowed ev.
For a given protocol, we need to establish a few properties
• Correctness of the protocol
To do so, different types of supporting lemmas are needed
• Possibility Properties
• Forwarding Lemmas
• Regularity Lemmas
• Unicity Theorems
• Secrecy Theorems
• Authenticity Theorems
We prove families of these lemmas and draw a conclusion
• If the key correctness theorems can be proved, the protocol is safe
• When a proof for the theorems cannot be obtained, possible attacks on the protocol can be found from the failed proof
Synopsis
• If A tries to establish a session with B, finally the message B → A : Na, {| Na, Kab |}Ka will be sent.
English Description
• For all agents A and B, distinct from each other and from the server, there is a key Kab, a nonce Na, and a trace such that the final message B → A : Na, {| Na, Kab |}Ka is sent.
Proof Idea
• Successively apply the protocol rules and check that all the preconditions of the rules are satisfied.
Synopsis
• Once a message is learnt, an agent can forward an
unknown item in the message.
Example
• If a spy sees this message, she learns the message X.
Synopsis
• Once a message is known to the spy, something happens…
• In the form of “X in parts(spies evs) implies …”
Example
• Secret keys remain secret.
• I.e., once A’s key is known to the spy, we know A is a bad
agent.
•
Synopsis
• Uniqueness of session keys and nonces
Example
• If the Server ever tells Agent B that
this message is uniquely formed with the messages B, Na,
Nb, X.
• Formally, it is
Synopsis
• A spy cannot reveal other keys with a known key and the existing trace.
E.g., the Session Key Compromise Theorem
• If K can be obtained with the help of a session key K’ and
previous traffic, then either K = K’ or K can be obtained from
the traffic alone.
• If the server distributes a session key Kab to A and B, then the
spy (hence other agents) never gets this key.
Formal Description
• For an arbitrary trace evs,
where is an arbitrary set of session keys, not necessarily in
the trace evs.
Synopsis
• The protocol is correct from the server’s viewpoint.
English Description
• If the server distributes a session key to agents A and B,
and the key is not lost in an Oops event, then the key is
unavailable to the spy.
Formally,
•
• and
• implies
Synopsis
• If a message appears to be from an agent A, then it is precisely
A who sent this message.
An agent must guarantee that his certificate is authentic.
In the correct version of the Otway-Rees Protocol
• If a trace contains an event
and if A is uncompromised and has previously sent
then the Server should have sent a correct instance of step 3
with some Nonce Nb.
In the modified version of the Otway-Rees Protocol
• The authenticity property cannot be proved.
• This indicates possible attacks.
• Although A has sent and received correct messages in step 1 and
step 4, the event trace doesn’t show the server has sent the correct
form of message back to CB.
The Inductive Approach to Cryptographic Protocol Verification
• We first formally model the cryptographic protocol
  Components, Behaviors
• We then describe the properties of the protocol based on the event trace
  Pitfall: it is a challenge to state the correct theorems
  E.g., in the Otway-Rees protocol, the secrecy theorems alone are not enough; the authenticity theorems are needed as well
• We prove the theorems
  With the help of possibly a family of other supporting theorems
  The proofs are heavily based on “proof by induction”
• And make a conclusion
  If the key correctness theorems can be proved, the protocol is safe
  When a proof for the theorems cannot be obtained, possible attacks on the protocol can be found from the failed proof
Thank you!