model checking for security protocols
DESCRIPTION
Model Checking for Security Protocols. Will Marrero, Edmund Clarke, Shomesh Jha. Needham-Schroeder Protocol (circa 1996). Purpose: Authenticate Participants. Assumptions. Perfect Encryption The decryption key must be known to encrypt No encryption collisions - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/1.jpg)
Model Checking for Security Protocols
Will Marrero, Edmund Clarke, Shomesh Jha
![Page 2: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/2.jpg)
Needham-Schroeder Protocol (circa 1996)
Purpose: Authenticate Participants
}..{.: ANBABA a K B
}..{.: ba KNNABABA
}.{.: b KNBABAB
![Page 3: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/3.jpg)
Assumptions
Perfect Encryption The decryption key must be known to encrypt No encryption collisions
Proof offer no protection from poor encryption implementation!
212121 21}{}{ KKmmmm KK
![Page 4: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/4.jpg)
Intruder’s Ability
Interception Ex:
Impersonation Ex:
Legitimate Participant Ex:
Compromise Temporary Secrets But those secrets should not be revealed by
protocol
AKba NNABAIB }..{.:)(
BKANaBABAI }..{.:)(
IKa ANIAIA }..{.:
![Page 5: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/5.jpg)
Security Properties
Secrecy Tracked by two sets in global state
Correspondence “If A believes it has completed two protocol runs
with principal B, then principal B must have at least begun two protocol runs with principal A.”
Tracked by counters in global state
SxSyS
![Page 6: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/6.jpg)
Atomic Messages
Keys Ex:
Principal Names Ex: A, B, I
Nonces Ex:
Data
IBA KKK ,,
ba NN ,
![Page 7: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/7.jpg)
Messages and Atomic Messages Given A a set of atomic messages, M the set
of all messages is defined inductively:
MmAkMmMmmAmAm
MaAa
k
}{2121
![Page 8: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/8.jpg)
Closure of Messages
Let be a subset of messages The closure of is defined by: (pairing) (projection) (encryption) (decryption)
MBBB,
BmBkBm
BmBkBm
BmBmBmm
BmmBmBm
BmBm
k
k
1
2121
2121
}{
}{
![Page 9: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/9.jpg)
Principals
A 4-Tuple N the name of the principal p a process given as a sequence of actions to
be performed is a set of known messages, generally
infinite, but from a finite generator set. B a set of bindings from variables in p to
messages in I
BIpN ,,,
MI
![Page 10: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/10.jpg)
Initial Knowledge
For the intruder
BIpZ ,,, 1,,,,,, IIBA KKKKIBAI
![Page 11: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/11.jpg)
Global State
A 5-Tuple is the product of the individual principals
(including the intruder) difference between number of
times A has initiated a protocol and the number of times B has finished responding
difference between number of times A has begun responding and the number of times B has finished initiating
tsri SSCC ,,,,
),( BACr
),( BACi
![Page 12: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/12.jpg)
Global State Continued
A 5-Tuple a set of safe secrets. Remains
constant. a set of temporary secrets. New
secrets generated during the run of the protocol.
The last four values check security constraints.
MSs
MSt
tsri SSCC ,,,,
![Page 13: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/13.jpg)
}..{.: ANBABA a K B }.{.: b KNBABA
B }..{.: ba KNNABAB
A
Process
![Page 14: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/14.jpg)
Internal Actions
NEWNONCE(var) NEWSECRET(var)
][var
,,,,,,
valBBvalII
BIpABIpA
valSSvalBB
valII
BIpABIpA
tt
][var
,,,,,,
![Page 15: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/15.jpg)
Internal Actions
GETSECRET(val) – Intruder Only
valSSvalII
Sval
BIpZBIpZ
tt
t
,,,,,,
![Page 16: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/16.jpg)
Internal Actions
A calls BEGINIT(B),
B calls ENDRESPOND(A)
BEGRESPOND/ENDINIT Symmetric on
otherwise
0, if1,,
BAC
errorBAC
BAC iii
otherwise
defined is , if1
1,,
BACBACBAC ii
i
),( BACr
![Page 17: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/17.jpg)
Communication Actions
Send and receives are synchronized A process can only send a message if it unifies
with a receive message Sender must be able to sculpt a message
that matches all existing bindings and expectations
How does the intruder sculpt such a message?
![Page 18: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/18.jpg)
Model Checking Algorithm
![Page 19: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/19.jpg)
Finding a needle in a haystack Decidability of when is probably
infinite? Normalized Derivation: (pairing) (projection) (encryption) (decryption)
ZIZIs
BmBkBm
BmBkBm
BmBmBmm
BmmBmBm
BmBm
k
k
1
2121
2121
}{
}{
Expanding RulesShrinking Rules
![Page 20: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/20.jpg)
Normalized Derivation
Following algorithm is guaranteed to terminate and decide :
Start with a generator setApply all possible shrinking rulesTry all possible sequences of expanding
rules until word size is equal to s
Proves existence
ZIs
![Page 21: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/21.jpg)
An Efficient Approach
When adding a message to I in :Apply all possible shrinking rulesRemove ‘redundant messages’Result is minimal generator
Can recursively attempt to build
BIpN ,,,
Im
![Page 22: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/22.jpg)
Verification and Attack
![Page 23: Model Checking for Security Protocols](https://reader035.vdocuments.us/reader035/viewer/2022062310/56816345550346895dd3d3a7/html5/thumbnails/23.jpg)
Verification and Attack
The lack of correspondence trace reveals the following attack: