The Inductive Approach to Verifying Cryptographic Protocols
Shaohui Wang (aka Vincent) [email protected]
Computer and Information Science, University of Pennsylvania
November 6, 2015
Outline
• An Example: A Variant of the Otway-Rees Protocol
• Formal Modeling of Cryptographic Protocols
• Properties of the Otway-Rees Protocol Variant
• Proofs in Details (Optional)
• Conclusions

An Example: A Variant of the Otway-Rees Protocol

Goal: To establish a session key between A and B for communication.

A Spy Acts According to the Protocol Rules, but Can
• Overhear the traffic in the protocol
• Intercept events in the protocol
• Forge new messages from her existing knowledge
• Send fraudulent messages to other agents

Forging of New Messages
• A spy can analyze her known set of messages, including decrypting messages if she knows the key.
• She can form fraudulent messages out of this analysis.
• Formally, she sends messages from the set synth(analz H), where H is her knowledge.

Assumptions
• A spy can act as an honest agent.
• A spy can also send fraudulent messages.
• Should the spy hold somebody's key, communications between other agents should not suffer.
Formal Modeling of Cryptographic Protocols

Model Components in a Cryptographic Protocol
• Messages, as sets of (uninterpreted) identities. E.g., {| A, B, Na |}, {| A, Na, Crypt K Na |}
• Operations on messages, as inductively defined operators: analz, parts, synth
• Events, as logical formulas based on primitives. E.g., Says A B {| Na, A, B, Crypt Ka {| Na, A, B |} |}

Describe Behaviors of Components with Traces / Rules
• Communication session, as a trace of events
• Behaviors of components, as rules under which an existing trace can be extended

State and Prove Properties
• E.g., a nonce can never be generated by two different agents
• Caution: stating the correct theorems is crucial!

Messages
A message is one of
• Agent: A, B, Spy, S, etc.
• Number: 1, 2, 3, etc. (guessable)
• Nonce: Na, Nb, Na', etc. (non-guessable)
• Key: Ka, Kb, Kab, etc.
• Tuple / Compound Message: {| Na, A, B |}
• Hash: Hash X, where X is a message
• Encryption: Crypt K X, also written {| X |}K

Events
An event is one of
• Says A B X, where A and B are agents and X is a message
• Notes A X, where A is an agent and X is a message

Traces
A trace is a sequence of events
• E.g., the empty sequence [] of events is a trace
• E.g., [Says A B X, Notes Spy X, Says B S {| Nb, A, B, X |}] is a trace
Protocol behaviors are described with allowed rules for trace construction
• Protocol-specific rules (one per protocol step)
• Standard rules
  – Nil rule: [] is a trace
  – Fake rule: a spy can send a fraudulent message (the parts, analz, and synth operators are needed to define "fraudulent message", see the following slides)
  – Oops rule: a spy can take note of a compromised key

Protocol Rule for Step 1 (A → B)
If evs is a trace, Na is a fresh nonce and B is an agent distinct from A and S, then evs may be extended with the event
• Says A B {| Na, A, B, {| Na, A, B |}Ka |}

Protocol Rule for Step 2 (B → S)
If evs is a trace with an event of the form
• Says A' B {| Na, A, B, X |}
and Nb is a fresh nonce and B ≠ S, then evs may be extended with the event
• Says B S {| Na, A, B, X, Nb, {| Na, A, B |}Kb |}
Note that Nb is sent in the clear rather than inside B's encrypted component; this is the change from the original Otway-Rees message 2 that makes the protocol a variant.

Protocol Rule for Step 3 (S → B)
If evs is a trace with an event of the form
• Says B' S {| Na, A, B, {| Na, A, B |}Ka, Nb, {| Na, A, B |}Kb |}
and Kab is a fresh key and B ≠ S, then evs may be extended with the event
• Says S B {| Na, {| Na, Kab |}Ka, {| Nb, Kab |}Kb |}

Protocol Rule for Step 4 (B → A)
If evs contains the two events
• Says B S {| Na, A, B, X', Nb, {| Na, A, B |}Kb |}
• Says S' B {| Na, X, {| Nb, K |}Kb |}
and A ≠ B, then evs may be extended with the event
• Says B A {| Na, X |}

Standard Rules
The Empty List (Nil rule)
• [] is a trace
Fake rule
If evs is a trace,
X ∈ synth(analz H) is a fraudulent message, where H is the spy's knowledge, and B ≠ Spy, then evs may be extended with the event
• Says Spy B X
Oops rule
If evs is a trace and S distributed the session key K in a run involving the nonces Na and Nb, then evs may be extended with the event
• Notes Spy {| Na, Nb, K |}

The parts Operator
Definition
• The set parts H is obtained from H by repeatedly adding the components of compound messages and the bodies of encrypted messages
• The key K in Crypt K X is not included unless K is part of X
• Represents the set of all components of H that are potentially recoverable
Example
• parts{ {| A, Na, Crypt K X |} } = { {| A, Na, Crypt K X |}, A, Na, Crypt K X, X }
Properties: listed together for all three operators below

The analz Operator
Definition
• The set analz H is obtained from H by repeatedly adding the components of compound messages and by decrypting messages whose keys are in analz H
• Represents the most that could be gleaned from H without breaking ciphers
Example
• analz{ {| Na |}Ka } = { {| Na |}Ka }
• analz{ {| {| Na |}Ka, Ka⁻¹ |} } = { {| {| Na |}Ka, Ka⁻¹ |}, {| Na |}Ka, Ka⁻¹, Na }
Properties: listed together for all three operators below

The synth Operator
Definition
• The set synth H models the messages a spy could build up from elements of H by repeatedly adding agent names, forming compound messages and encrypting with keys contained in H
Example
• synth{ K } = { A, {| A, K |}, Crypt K A, {| A, Crypt K (Crypt K A) |}, …
} (essentially unbounded)

Properties of parts, analz and synth
• Monotonic
• Idempotent
• Equations
• Equivalences

parts versus analz
• The set of keys that can decrypt messages in H (keysFor H)
• Defining analz: the case for Crypt, where the body of a ciphertext is added only when the decrypting key is already in analz H

What the Spy Knows
She has some initial knowledge
• The server S knows the shared keys of everyone
• Each agent knows his own key
• The Spy knows the keys of a set of bad agents
She updates her knowledge on the fly
• Initially she has only her initial knowledge
• If she overheard an event Says A B X, she learns X
• If she overheard an event Notes A X and knows the key for A (i.e., A is a bad agent), she learns X

Where We Are
What we have now
• The behaviors of agents / server / spy are described by rules
• The interaction is modeled as a trace of events
What to do next
• State properties on any trace that can be constructed according to the protocol rules. E.g., secret keys remain secret, i.e., A's key is known to the Spy if and only if A is a bad agent. Formal description (statement not reproduced in the transcript).
• Prove them! Most of the time with induction!

Proof by Induction
The set of natural numbers is inductively defined
• 0 ∈ ℕ, and n ∈ ℕ ⟹ Suc n ∈ ℕ
To prove a property P on all natural numbers
• Prove P(0), and P(n) ⟹ P(Suc n)
A cryptographic session trace is inductively defined
• [] is a trace
• ev # evs is a trace if evs is a trace and ev is a new event allowed by the protocol rules
To prove a property P on a trace
• Prove P([]), and P(evs) ⟹ P(ev # evs) for all allowed ev
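The property families listed above for parts, analz and synth, together with the trace induction principle, written out explicitly. This summary is added here from Paulson's Message theory (the lemmas parts_idem, analz_parts, parts_synth, analz_synth and so on) and is not reproduced from the slides; G and H range over sets of messages, and K⁻¹ is the inverse of K (K itself for shared keys).

```latex
\begin{align*}
&\text{Monotonic:} && G \subseteq H \implies \mathrm{parts}\,G \subseteq \mathrm{parts}\,H,\ \text{and likewise for } \mathrm{analz} \text{ and } \mathrm{synth} \\
&\text{Idempotent:} && \mathrm{parts}(\mathrm{parts}\,H) = \mathrm{parts}\,H,\quad \mathrm{analz}(\mathrm{analz}\,H) = \mathrm{analz}\,H,\quad \mathrm{synth}(\mathrm{synth}\,H) = \mathrm{synth}\,H \\
&\text{Inclusions:} && H \subseteq \mathrm{analz}\,H \subseteq \mathrm{parts}\,H, \qquad H \subseteq \mathrm{synth}\,H \\
&\text{Equations:} && \mathrm{parts}(\mathrm{analz}\,H) = \mathrm{parts}\,H, \qquad \mathrm{analz}(\mathrm{parts}\,H) = \mathrm{parts}\,H \\
& && \mathrm{parts}(\mathrm{synth}\,H) = \mathrm{parts}\,H \cup \mathrm{synth}\,H, \qquad \mathrm{analz}(\mathrm{synth}\,H) = \mathrm{analz}\,H \cup \mathrm{synth}\,H \\
&\text{Decryption keys:} && \mathrm{keysFor}\,H = \{\, K^{-1} \mid \exists X.\ \mathrm{Crypt}\,K\,X \in H \,\} \\
&\text{Crypt case of analz:} && \mathrm{Crypt}\,K\,X \in \mathrm{analz}\,H \ \wedge\ \mathrm{Key}\,K^{-1} \in \mathrm{analz}\,H \implies X \in \mathrm{analz}\,H \\
&\text{Trace induction:} && P([])\ \wedge\ \bigl(\forall\, evs\ ev.\ evs \text{ a trace} \wedge P(evs) \wedge ev \text{ allowed after } evs \implies P(ev \# evs)\bigr) \implies \forall\, evs \text{ a trace}.\ P(evs)
\end{align*}
```

The two union equations are the ones used for the Fake rule: whatever the spy can synthesize from analz(spies evs) contributes no new parts beyond what she already held, which is why regularity lemmas stated over parts survive the Fake case of an induction.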
Properties of the Otway-Rees Protocol Variant

Properties to Establish
For a given protocol, we need to establish a few properties
• Correctness of the protocol
To do so, different types of supporting lemmas are needed
• Possibility Properties
• Forwarding Lemmas
• Regularity Lemmas
• Unicity Theorems
• Secrecy Theorems
• Authenticity Theorems
We prove families of these lemmas and draw a conclusion
• If the key correctness theorems can be proved, the protocol is safe within the model (perfect cryptography, the spy model above)
• When a proof for the theorems cannot be obtained, the failed proof can point to possible attacks on the protocol

Possibility Properties
Synopsis
• If A tries to establish a session with B, the final message B → A : Na, {| Na, Kab |}Ka can eventually be sent.
English Description
• For all agents A and B, distinct from each other and from the server, there is a key Kab, a nonce Na, and a trace in which the final message B → A : Na, {| Na, Kab |}Ka is sent.
Proof Idea
• Successively apply the protocol rules, checking that all the preconditions of the rules are satisfied.

Forwarding Lemmas
Synopsis
• Once a message is learnt, an agent can forward an unknown item in the message.
Example
• If a spy sees a message containing X as a component, she learns the message X.

Regularity Lemmas
Synopsis
• Once a message is known to the spy, something follows
• Stated in the form "X ∈ parts(spies evs) ⟹ …"
Example
• Secret keys remain secret
• I.e., once A's key is known to the spy, we know A is a bad agent

Unicity Theorems
Synopsis
• Uniqueness of session keys and nonces
Example
• If the Server ever sends a session key to agent B, the message carrying that key is unique: the key determines B, Na, Nb and X.
• Formally (statement not reproduced in the transcript)

Secrecy Theorems
Synopsis
• A spy cannot reveal other keys using a known session key and the existing traffic. E.g., the Session Key Compromise Theorem:
• If K can be obtained with the help of a session key K' and previous traffic, then either K = K' or K can be obtained from the traffic alone.
• If the server distributes a session key Kab to A and B, then the spy (and hence other agents) never gets this key.
Formal Description
• For an arbitrary trace evs and an arbitrary set of session keys, not necessarily occurring in evs (statement not reproduced in the transcript).

Correctness from the Server's Viewpoint
Synopsis
• The protocol is correct from the server's viewpoint.
English Description
• If the server distributes a session key to agents A and B, and the key is not lost in an Oops event, then the key is unavailable to the spy.
Formally (statement not reproduced in the transcript)

Authenticity Theorems
Synopsis
• If a message appears to be from an agent A, then it is precisely A who sent this message. An agent must be able to guarantee that his certificate is authentic.
In the correct version of the Otway-Rees Protocol
• If a trace contains the step 4 event received by A, and A is uncompromised and has previously sent the step 1 message, then the Server must have sent a correct instance of step 3 with some nonce Nb.
In the modified version of the Otway-Rees Protocol
• The authenticity property cannot be proved.
• This indicates possible attacks.
• Although A has sent and received correct messages in step 1 and step 4, the event trace does not show that the server has sent the correct form of message back to B.
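The modeling slides (messages, events, traces, parts/analz/synth, the spy's knowledge) and the property slides (regularity, secrecy, the Oops precondition) can be exercised on a concrete trace. The following is an added example, not code from the slides or from Paulson's Isabelle theories: it implements the message algebra as closure computations over tagged tuples, builds one honest run of the variant protocol with the four step rules, and checks the secrecy and regularity properties against what the spy can analyze. The names shrK, honest_run, session_key_secret, long_term_key_known and the nonce/key labels are this example's own choices; inverse keys are modeled as the key itself, which is an assumption valid only for the shared-key setting of this protocol.

```python
# Added example, not from the slides: an executable model of the message
# algebra (parts, analz, synth, keysFor, spies) and of the Otway-Rees variant
# above, used to check secrecy and regularity on a concrete trace. shrK,
# honest_run and the nonce/key labels are this example's own naming.

def Agent(a): return ("Agent", a)
def Number(n): return ("Number", n)
def Nonce(n): return ("Nonce", n)
def Key(k): return ("Key", k)
def Hash(x): return ("Hash", x)
def Crypt(k, x): return ("Crypt", k, x)      # k is a key name, x a message
def MPair(*xs):                              # {| x1, ..., xn |} as nested pairs
    return xs[0] if len(xs) == 1 else ("MPair", xs[0], MPair(*xs[1:]))

def inv_key(k): return k        # symmetric keys only (assumption of this example)
def shrK(a): return "shrK_" + a # long-term key shared between agent a and the server

def parts(H):
    """Tuple components and ciphertext bodies, whether or not keys are known."""
    out, todo = set(), list(H)
    while todo:
        m = todo.pop()
        if m in out:
            continue
        out.add(m)
        if m[0] == "MPair":
            todo += [m[1], m[2]]
        elif m[0] == "Crypt":
            todo.append(m[2])
    return frozenset(out)

def keys_for(H):
    """Keys that would decrypt some ciphertext in H (Paulson's keysFor)."""
    return frozenset(inv_key(m[1]) for m in H if m[0] == "Crypt")

def analz(H):
    """Like parts, but a ciphertext body is added only if its key is in analz H."""
    out, changed = set(H), True
    while changed:
        changed = False
        for m in list(out):
            if m[0] == "MPair":
                new = [m[1], m[2]]
            elif m[0] == "Crypt" and Key(inv_key(m[1])) in out:
                new = [m[2]]
            else:
                continue
            for n in new:
                if n not in out:
                    out.add(n)
                    changed = True
    return frozenset(out)

def in_synth(x, H):
    """x in synth H; synth H is infinite, so test membership instead of enumerating."""
    if x in H or x[0] in ("Agent", "Number"):
        return True
    if x[0] == "MPair":
        return in_synth(x[1], H) and in_synth(x[2], H)
    if x[0] == "Crypt":                        # only with a key the spy holds
        return Key(x[1]) in H and in_synth(x[2], H)
    if x[0] == "Hash":
        return in_synth(x[1], H)
    return False                               # nonces and keys are not guessable

def Says(a, b, x): return ("Says", a, b, x)
def Notes(a, x): return ("Notes", a, x)

def spies(evs, bad):
    """Spy's knowledge: keys of bad agents, everything said, notes of bad agents."""
    H = {Key(shrK(a)) for a in bad}
    for ev in evs:
        if ev[0] == "Says":
            H.add(ev[3])
        elif ev[0] == "Notes" and ev[1] in bad:
            H.add(ev[2])
    return frozenset(H)

def honest_run(A="A", B="B", S="S"):
    """One run of the variant following steps 1-4; returns the trace and Kab."""
    Na, Nb, Kab = Nonce("Na"), Nonce("Nb"), Key("Kab")
    cert_a = Crypt(shrK(A), MPair(Na, Agent(A), Agent(B)))
    cert_b = Crypt(shrK(B), MPair(Na, Agent(A), Agent(B)))
    for_a = Crypt(shrK(A), MPair(Na, Kab))
    evs = [
        Says(A, B, MPair(Na, Agent(A), Agent(B), cert_a)),              # step 1
        Says(B, S, MPair(Na, Agent(A), Agent(B), cert_a, Nb, cert_b)),  # step 2, Nb in clear
        Says(S, B, MPair(Na, for_a, Crypt(shrK(B), MPair(Nb, Kab)))),   # step 3
        Says(B, A, MPair(Na, for_a)),                                   # step 4
    ]
    return evs, Kab

def session_key_secret(evs, Kab, bad):
    """Secrecy check: Kab must not be in analz of what the spy has seen."""
    return Kab not in analz(spies(evs, bad))

def long_term_key_known(agent, evs, bad):
    """Regularity check: shrK agent reaches the spy's parts only for bad agents."""
    return Key(shrK(agent)) in parts(spies(evs, bad))

if __name__ == "__main__":
    evs, Kab = honest_run()
    oops = evs + [Notes("Spy", MPair(Nonce("Na"), Nonce("Nb"), Kab))]
    print("secret, honest A and B :", session_key_secret(evs, Kab, {"Spy"}))
    print("secret, B compromised  :", session_key_secret(evs, Kab, {"Spy", "B"}))
    print("secret after Oops      :", session_key_secret(oops, Kab, {"Spy"}))
```

On the honest trace Kab is in parts(spies evs), because it is the body of a ciphertext the spy overheard, but not in analz(spies evs), because neither Ka nor Kb is in her knowledge; that gap is exactly why regularity lemmas are stated over parts while secrecy theorems are stated over analz. Adding B to the bad set, or appending the Oops event, puts Kab into analz, which matches the side conditions of the secrecy theorem. in_synth shows the Fake rule's limits: the spy can replay an overheard certificate or wrap it in a fresh tuple with her own name, but cannot produce a ciphertext under Ka or a nonce she has never seen. The example checks a single trace; the proofs on the slides quantify over every trace the rules admit, which is what the induction buys.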
Conclusions

The Inductive Approach to Cryptographic Protocol Verification
• We first formally model the cryptographic protocol: its components and behaviors
• We then describe the properties of the protocol in terms of event traces
  – Pitfall: it is a challenge to state the correct theorems. E.g., for the Otway-Rees protocol the secrecy theorems alone are not enough; the authenticity theorems are needed as well
• We prove the theorems, with the help of a possibly large family of supporting theorems; the proofs rest heavily on proof by induction
• And we draw a conclusion
  – If the key correctness theorems can be proved, the protocol is safe within the model
  – When a proof for the theorems cannot be obtained, the failed proof can point to possible attacks on the protocol