NPG Workshop - Stanford University


Security Analysis of Network Protocols
John Mitchell
Stanford University
Computer Security Research

Slide: a map of research areas, listed as they appear: Semantic Assurance, Cyber Strategy, Auto Forensics, Intrusion Tolerance, Cyber Sensor Exploitation, Privacy, Autonomic Response, IA Sensors, OODA, Situational Understanding, Cyber, Survivable, Control Panel, Network Infrastructures, Course of Action Projection, Lifecycle Attacks, Malicious Code, Protective Mechanisms, Intrusion Detection, Open Source Strategies, Crypto, Web Services, Security of Mobile Agents, Composable Trust Policy, Physical Security, Formalized Design, Dynamic Coalitions, Insider, MDS/MLS, Law Enforcement Policy.
Security Protocols
Challenge-response
• ISO 9798-1,2,3; Needham-Schroeder, …
Authentication
• Kerberos
Key Exchange
• SSL handshake, IKE, JFK, IKEv2,
Wireless and mobile computing
• Mobile IP, WEP, 802.11i
Electronic commerce
• Contract signing, SET, electronic cash, …
Needham-Schroeder Protocol

A → B: { A, NonceA }Kb
B → A: { NonceA, NonceB }Ka
A → B: { NonceB }Kb

Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1
Anomaly in Needham-Schroeder [Lowe]

A → E: { A, Na }Ke
E → B: { A, Na }Kb
B → A: { Na, Nb }Ka   (passes through E, who cannot open it)
A → E: { Nb }Ke
E → B: { Nb }Kb

Evil agent E tricks honest A into revealing B's private number Nb. Evil E can then fool B.
Needham-Schroeder-Lowe

A → B: { A, NonceA }Kb
B → A: { NonceA, B, NonceB }Ka
A → B: { NonceB }Kb

Authentication? Secrecy? Replay attack? Forward secrecy? Denial of service? Identity protection?
IKE subprotocol from IPSEC

m1: A → B: A, (g^a mod p)
m2: B → A: B, (g^b mod p), signB(m1, m2)
    A → B: signA(m1, m2)

Result: A and B share secret g^ab mod p
Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks
Kerberos Protocol

Keys: Kc (client), Ktgs (ticket-granting server), Kv (service)

Client ↔ KDC (under Kc): Ticket 1 = { C, Kt }Ktgs
Client → TGS: { C }Kt, S, { C, Kt }Ktgs
TGS → Client: { Ks }Kt, Ticket 2 = { C, Ks }Kv
Client → Service: { C, Ks }Kv
Protocol layer over TCP/IP

Application: http, telnet, ftp, nntp
SSL
Transport (TCP)
Internet (IP)
Network interface
Physical layer

Common use: https = http over SSL
Handshake Protocol

ClientHello    C → S: C, VerC, SuiteC, NC
ServerHello    S → C: VerS, SuiteS, NS, signCA{ S, KS }
ClientVerify   C → S: signCA{ C, VC }, { VerC, SecretC }KS,
                      signC{ Hash( Master(NC, NS, SecretC) + Pad2 + Hash(Msgs + C + Master(NC, NS, SecretC) + Pad1)) }
(Change to negotiated cipher)
ServerFinished S → C: { Hash( Master(NC, NS, SecretC) + Pad2 + Hash( Msgs + S + Master(NC, NS, SecretC) + Pad1)) }Master(NC, NS, SecretC)
ClientFinished C → S: { Hash( Master(NC, NS, SecretC) + Pad2 + Hash( Msgs + C + Master(NC, NS, SecretC) + Pad1)) }Master(NC, NS, SecretC)
Mobile IPv6 Architecture

Slide: Mobile Node (MN), Home Agent (HA) and Corresponding Node (CN) over IPv6; direct connection via binding update.
• Authentication is a requirement
• Early proposals weak
Wireless Authentication:
Robust Security Network Association
Pre-RSNA
Poor Security
• 802.11 Authentication
• Wired Equivalent Privacy (WEP)
• CRC MIC (Message Integrity Code)
RSNA
Better Security
• 802.1x Authentication
• Key Management
• Improved MIC scheme, data encryption
RSNA Sub-protocols

Laptop computer (STA) <-wireless-> Access Point (AP) <-Ethernet-> RADIUS Server (AS)

(1) MAC Disabled, Port Blocked
802.11 Association
(2) MAC Enabled, Port Blocked
802.1X Authentication
(3) MAC Enabled, Port Blocked, PMK generated in STA and AS; AS moves PMK to AP
4-way Key management
(4) MAC Enabled, Port Allowed, PTK := KCK|KEK|TK
Secure Communication
Optimistic contract signing

A → B: I am going to sign the contract
B → A: I am going to sign the contract
A → B: Here is my signature
B → A: Here is my signature

Trusted third party can force contract
• Third party can declare contract binding if presented with first two messages.
Asokan-Shoup-Waidner protocol

Agree (A ↔ B over the network):
  m1 = sign(A, c, hash(r_A))
  m2 = sign(B, m1, hash(r_B))
  r_A
  r_B
Abort (A → T): a1; T replies sigT(a1, abort)
Resolve (A or B → T): m1, m2; T replies sigT(m1, m2) if not already resolved

Attack? (slide marks the suspect steps with ???)
Garay, Jakobsson, MacKenzie

Agree (A ↔ B over the network):
  A → B: PCSA(text, B, T)
  B → A: PCSB(text, A, T)
  A → B: sigA(text)
  B → A: sigB(text)
Abort (A → T): m1 = PCSA(text, B, T); T replies sigT(abort)
Resolve (B → T): PCSA(text, B, T), sigB(text); T resolves the PCS

Attack: abort AND sigB(text), leaked by T (slide marks the suspect steps with ???)
STS Family Derivation

Slide: derivation tree starting from STS0 (m = g^x, n = g^y, k = g^xy) with nodes STS0, STS0H, STSa, STSaH, STSH, STSPH, STSP, STS, JFK0, JFK1, JFKi, JFKr, connected by the transformations cookie, distribute certificates, open responder, protect identities, and symmetric hash.
Properties:
• Certificates from CA
• Shared secret: g^ab
• Identity protection
• DoS protection
• Reverse ID protection
Protocol Analysis

• Computational approaches (insightful, no tools…)
  – Proof methods of Bellare-Rogaway, Maurer
  – Canetti, Backes-Pfitzmann-Waidner
• BAN and related axiomatic approaches
• Methods grounded in symbolic execution
  – Assume perfect cryptography
  – Protocol determines set of traces
    – Arbitrary number of principals plus intruder
  – Enumerate, search, or reason about this set
Run of protocol

Slide: principals A (Initiate), B (Respond), C and D exchange messages while an Attacker sits on the network.
Correct if no security violation in any run
Explicit Intruder Method

Informal Protocol Description → Formal Protocol + Intruder Model → Analysis Tool → Find error? Assurance?
Automated Finite-State Analysis
Define finite-state system
• Bound on number of steps
• Finite number of participants
• Nondeterministic adversary with finite options
Pose correctness condition
• Can be simple: authentication and secrecy
• Can be complex: contract signing
Exhaustive search using “verification” tool
• Error in finite approximation ⇒ Error in protocol
• No error in finite approximation ⇒ ???
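The finite-state method above, run on the Lowe anomaly from the Needham-Schroeder slides: an added example, not code from the talk. It models one A run opened with E and one B run, a Dolev-Yao intruder E who can only open ciphertexts under its own key, and an exhaustive search over what E delivers; the symbolic message encoding, the role step functions and the nonce names are my own constructions.

```python
NAMES = ("A", "B", "E")   # A and B are honest; E is the intruder and also a legitimate principal
def enc(k, *body):        # symbolic public-key encryption of body under k's public key
    return ("enc", k, body)
def step_a(lowe, msg):
    """A, who opened a run with E, checks message 2; NSL also checks the responder name."""
    want = ("Na", "E") if lowe else ("Na",)
    body = msg[2]
    if msg[1] == "A" and len(body) == len(want) + 1 and body[:len(want)] == want:
        return enc("E", body[-1])                    # A -> E: {Nb}Ke
    return None                                      # rejected
def step_b(lowe, state, peer, msg):
    """B's responder role: returns (new state, believed peer, reply or None)."""
    body = msg[2]
    if state == "wait1" and len(body) == 2 and body[0] in NAMES:
        reply = enc(body[0], body[1], "B", "Nb") if lowe else enc(body[0], body[1], "Nb")
        return "wait3", body[0], reply               # B -> X: {Nx, [B,] Nb}Kx
    if state == "wait3" and body == ("Nb",):
        return "done", peer, None
    return state, peer, None                         # rejected: nothing changes
def search(lowe):
    """Exhaustive search over E's deliveries; returns a trace in which B finishes a run it attributes to A, else None."""
    def dfs(a_state, b_state, b_peer, seen, atoms, trace):
        if b_state == "done" and b_peer == "A":
            return trace                             # A never meant to talk to B
        nonces = sorted(x for x in atoms if x.startswith("N"))
        cands = []                                   # (recipient, ciphertext) E may deliver
        if a_state == "wait2":                       # forward anything seen, or build from known atoms
            cands += [("A", m) for m in seen if m[1] == "A"]
            cands += [("A", enc("A", *(("Na", "E", n) if lowe else ("Na", n)))) for n in nonces]
        if b_state != "done":
            cands += [("B", m) for m in seen if m[1] == "B"]
            bodies = [(x, n) for x in NAMES for n in nonces] if b_state == "wait1" else [(n,) for n in nonces]
            cands += [("B", enc("B", *b)) for b in bodies]
        for who, m in cands:
            if who == "A":
                reply = step_a(lowe, m)
                na, nb, np = ("done" if reply else a_state), b_state, b_peer
            else:
                na, (nb, np, reply) = a_state, step_b(lowe, b_state, b_peer, m)
            if (na, nb, np) == (a_state, b_state, b_peer):
                continue                             # rejected delivery: no progress
            new_seen, new_atoms = set(seen), set(atoms)
            if reply:                                # E records every ciphertext, opens only its own
                new_seen.add(reply)
                new_atoms |= set(reply[2]) if reply[1] == "E" else set()
            found = dfs(na, nb, np, frozenset(new_seen), frozenset(new_atoms), trace + [(who, m)])
            if found: return found
        return None
    m1 = enc("E", "A", "Na")                         # A -> E: {A, Na}Ke, so E learns Na
    return dfs("wait2", "wait1", None, frozenset([m1]), frozenset(NAMES + ("Na",)), [])
```

`search(False)` returns the three-delivery Lowe trace for plain Needham-Schroeder; `search(True)` returns None because A rejects a message 2 naming B instead of E, so E never learns Nb.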
State Reduction on N-S Protocol

Slide: bar chart of reachable states (log scale, 1 to 1,000,000) for Needham-Schroeder configurations 1 initiator/1 responder, 2 initiators/1 responder and 2 initiators/2 responders, after three stages of reduction: base (hand optimization of the model); CSFW (eliminate the network, maximize intruder knowledge); merge of intruder send with principal reply. State counts plotted: 514550, 155709, 17277, 6981, 3263, 1706, 980, 222, 58.
Model Checking Studies
Standard academic benchmarks
• Needham-Schroeder, TMN, Kerberos-
Realistic network protocols
• SSL 3.0, with resumption protocol
Contract signing protocols
• Asokan-Shoup-Waidner, Garay-Jakobsson-MacKenzie
Wireless networking
• Authenticated Mobile IPv6
• 802.11i
CS259 Term Projects

• iKP protocol family
• Electronic voting
• XML Security
• IEEE 802.11i wireless handshake protocol
• Onion Routing
• Electronic Voting
• Secure Ad-Hoc Distance Vector Routing
• An Anonymous Fair Exchange E-commerce Protocol
• Secure Internet Live Conferencing
• Windows file-sharing protocols
• Key Infrastructure
Protocol analysis spectrum

Slide: analysis methods placed on two axes, modeling detail (low to high) against protocol complexity (low to high): hand proofs, poly-time calculus, multiset rewriting with ∃, spi-calculus, Athena, Paulson, NRL, strand spaces, BAN logic, protocol logic, model checking, FDR, Murφ.
Protocol derivation

Protocol derivation
• Build security protocols by combining parts from standard sub-protocols.
Proof of correctness
• Prove protocols correct using logic that follows steps of derivation.

Example

Construct protocol with properties:
• Shared secret
• Authenticated
• Identity Protection
• DoS Protection
Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)
Component 1

Diffie-Hellman
A → B: g^a
B → A: g^b
• Shared secret (with someone)
  – A deduces: Knows(Y, g^ab) ⊃ (Y = A) ∨ Knows(Y, b)
• Authenticated
• Identity Protection
• DoS Protection
Component 2

Challenge Response:
A → B: m, A
B → A: n, sigB {m, n, A}
A → B: sigA {m, n, B}
• Shared secret (with someone)
• Authenticated
  – A deduces: Received(B, msg1) ∧ Sent(B, msg2)
• Identity Protection
• DoS Protection
Composition

ISO 9798-3 protocol (m := g^a, n := g^b):
A → B: g^a, A
B → A: g^b, sigB {g^a, g^b, A}
A → B: sigA {g^a, g^b, B}
• Shared secret: g^ab
• Authenticated
• Identity Protection
• DoS Protection
Refinement

Encrypt signatures:
A → B: g^a, A
B → A: g^b, EK {sigB {g^a, g^b, A}}
A → B: EK {sigA {g^a, g^b, B}}
• Shared secret: g^ab
• Authenticated
• Identity Protection
• DoS Protection
Transformation

Use cookie: JFK core protocol
A → B: g^a, A
B → A: g^b, hashKB {g^b, g^a}
A → B: g^a, g^b, hashKB {g^b, g^a}, EK {sigA {g^a, g^b, B}}
B → A: g^b, EK {sigB {g^a, g^b, A}}
• Shared secret: g^ab
• Authenticated
• Identity Protection
• DoS Protection
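The cookie transformation above, as an added example that is not code from the slides or from the JFK authors: it models only the g^a/g^b exchange and the responder's stateless cookie check (the encrypted signatures are omitted), and the toy group P, G, the HMAC-SHA256 cookie and the SHA-256 key derivation are my assumptions.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 2    # toy Diffie-Hellman group, constructed for the demo (not for real use)

def kdf(shared):         # session key K from g^ab; SHA-256 is an assumed choice
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

class Responder:
    """B keeps no per-initiator state until message 3 arrives with a valid cookie."""
    def __init__(self):
        self.kB = secrets.token_bytes(32)           # cookie key KB, known only to B
        self.b = secrets.randbelow(P - 2) + 2
        self.gb = pow(G, self.b, P)                 # g^b, reusable across sessions
        self.exp_done = 0                           # costly exponentiations performed

    def cookie(self, gb, ga):                       # hashKB{gb, ga}
        return hmac.new(self.kB, f"{gb}|{ga}".encode(), "sha256").digest()

    def msg2(self, ga):                             # B -> A: gb, hashKB{gb, ga}
        return self.gb, self.cookie(self.gb, ga)

    def msg4(self, ga, gb, cookie):                 # A -> B: ga, gb, hashKB{gb, ga}, ...
        """Recompute the cookie first; only a matching one earns an exponentiation."""
        if gb != self.gb or not hmac.compare_digest(cookie, self.cookie(gb, ga)):
            return None
        self.exp_done += 1
        return kdf(pow(ga, self.b, P))

class Initiator:
    def __init__(self):
        self.a = secrets.randbelow(P - 2) + 2
        self.ga = pow(G, self.a, P)                 # message 1 carries ga (and A's name)

    def msg3(self, gb, cookie):                     # A -> B: ga, gb, hashKB{gb, ga}
        return self.ga, gb, cookie                  # the cookie is echoed unchanged

    def key(self, gb):
        return kdf(pow(gb, self.a, P))

def honest_run():
    """Full exchange; returns (B's key, A's key, exponentiations B did)."""
    a, b = Initiator(), Responder()
    gb, ck = b.msg2(a.ga)
    return b.msg4(*a.msg3(gb, ck)), a.key(gb), b.exp_done

def flood(n):
    """n third messages from senders who never saw message 2; returns (rejections, B's exponentiations)."""
    b = Responder()
    rejected = sum(b.msg4(secrets.randbelow(P), b.gb, secrets.token_bytes(32)) is None for _ in range(n))
    return rejected, b.exp_done
```

A sender that never completed the round trip cannot produce hashKB{g^b, g^a}, so B spends one HMAC per bogus message and no exponentiation, which is the DoS property the transformation adds.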
Protocol logic

Protocol (Implicit intruder method): Honest Principals, Attacker, Private Data
• Alice’s information
  – Protocol
  – Private data
  – Sends and receives
Intuition

Reason about local information
• I chose a new number
• I sent it out encrypted
• I received it decrypted
• Therefore: someone decrypted it
Incorporate knowledge about protocol
• Protocol: Server only sends m if it got m’
• If server not corrupt and I receive m signed by server, then server received m’
Execution Model

Protocol
• “Program” for each protocol role
Initial configuration
• Set of principals and keys
• Assignment of 1 role to each principal
Run
Slide: principals A, B and C, each at a position in the run, performing actions such as new x, send {x}B, receive {x}B, new z, send {z}B, receive {z}B.
Formulas true at a position in run

Action formulas
a ::= Send(P, m) | Receive(P, m) | New(P, t) | Decrypt(P, t) | Verify(P, t)
Formulas
φ ::= a | Has(P, t) | Fresh(P, t) | Honest(N) | Contains(t1, t2) | ¬φ | φ1 ∧ φ2 | ∃x φ | ◇φ | ⊖φ
Example
After(a, b) = ◇(b ∧ ⊖◇a)
Modal Formulas

After actions, postcondition
[ actions ]P φ
where P = princ, role id
Before/after assertions
θ [ actions ]P φ
Composition rule
φ [S]P ψ    ψ [T]P θ
---------------------
φ [S; T]P θ
Note: same P in all formulas
Proof System

Sample Axioms:
• Reasoning about knowledge:
  – Has(A, encX{m}) ∧ Has(A, K) ⊃ Has(A, m)
  – Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
• Reasoning about crypto primitives:
  – Honest(X) ∧ Decrypt(Y, encX{m}) ⊃ X = Y
  – Honest(X) ∧ Verify(Y, sigX{m}) ⊃ ∃m’ (Send(X, m’) ∧ Contains(m’, sigX{m}))
Inference Rules
• Persistence rules, …
• Honesty/Invariance rule
Soundness Theorem:
• Every provable formula is valid
Bidding conventions (motivation)

Blackwood response to 4NT
– 5♣: 0 or 4 aces
– 5♦: 1 ace
– 5♥: 2 aces
– 5♠: 3 aces
Reasoning
• If my partner is following Blackwood, then if she bid 5♥, she must have 2 aces
Correctness of NSL

Bob knows he’s talking to Alice
[ recv encrypt( Key(B), A, m );         (msg1)
  new n;
  send encrypt( Key(A), m, B, n );
  recv encrypt( Key(B), n ) ]B          (msg3)
Honest(A) ⊃ Csent(A, msg1) ∧ Csent(A, msg3)
where Csent(A, …) ≡ Created(A, …) ∧ Sent(A, …)
Composition Rules

Prove assertions from invariants
  Γ |- θ [ … ]P φ
Invariant weakening rule
  Γ |- θ [ … ]P φ
  ----------------------
  Γ ∪ Γ’ |- θ [ … ]P φ
If combining protocols, extend assertions to combined invariants
Prove invariants from protocol
  Q ⊢ Γ    Q’ ⊢ Γ
  ------------------
  Q ∪ Q’ ⊢ Γ
Use honesty (invariant) rule to show that both protocols preserve assumed invariants

Combining protocols
  Γ : DH ⊢ Honest(X) ⊃ …        Γ |- Secrecy
  Γ’: CR ⊢ Honest(X) ⊃ …        Γ’ |- Authentication
  Γ ∪ Γ’ |- Secrecy,  Γ ∪ Γ’ |- Authentication,  so Γ ∪ Γ’ |- Secrecy ∧ Authentication
  ISO = DH ∘ CR ⊢ Γ ∪ Γ’,  hence ISO ⊢ Secrecy ∧ Authentication
Protocol Templates

Protocols with function variables instead of specific operations
• One template can be instantiated to many protocols
Advantages:
• proof reuse
• design principles/patterns

Example

Challenge-Response Template
A → B: m
B → A: n, F(B, A, n, m)
A → B: G(A, B, n, m)

Instantiation (abstraction runs the other way):
ISO-9798-2
A → B: m
B → A: n, EKAB(n, m, B)
A → B: EKAB(n, m)
SKID3
A → B: m
B → A: n, HKAB(n, m, B)
A → B: HKAB(n, m, A)
ISO-9798-3
A → B: m
B → A: n, sigB(n, m, A)
A → B: sigA(n, m, B)
Proof Structure

Slide: the proof for the template is built from axioms and hypotheses; each instance reuses it by discharging the hypothesis.
Sample projects using this method
Key exchange
• STS family, JFK, IKEv2
• Diffie-Hellman -> MQV
• GDOI [Meadows, Pavlovic]
Work in progress
• SSL verification
• Wireless 802.11i
Symbolic vs Computational model

Suppose Γ |- [actions]X φ
• If a protocol P satisfies invariants Γ, then if X does actions, φ will be true
Symbolic soundness
• No idealized adversary acting against “perfect” cryptography can make φ fail
Computational soundness
• No probabilistic polytime adversary can make φ fail with nonnegligible probability
Conclusions
Security Protocols
• Subtle, critical, prone to error
Analysis methods
• Model checking
– Practically useful; brute force is a good thing
– Limitation: find errors in small configurations
• Protocol derivation
– Systematic development of certain classes of
protocols
• Proof methods
– Time-consuming to use general logics
– Special-purpose logics can be sound, useful
• Cryptographic foundations
– Scientific challenge; currently hot area
Collaborators on work described
Former and current students
• Vitaly Shmatikov, Ulrich Stern
• Nancy Durgin, Anupam Datta, Ante Derek
• Ajith Ramanathan, Changhua He, …
Outside Stanford
• Andre Scedrov (U Penn)
• Patrick Lincoln (SRI)
• Dusko Pavlovic (Kestrel)