Transcript Slide 1
Symbolic Simulation of
Tunneling Protocols
Carl A. Gunter, Matthew Jacobs, Gaurav Shah,
Mark-Oliver Stehr (UIUC), and
Alwyn Goodloe
HCES 2004
Overview
Motivating problem from wireless security.
Solution by composing secure tunnels.
Software engineering and modeling.
Future plans.
Wireless Security
Why is wireless security any different from
wired security?
Resource constraints.
Increased risk to confidentiality.
Value of the network link.
Wireless Security Efforts
Layer 1 (Physical)
Spread spectrum
Layer 2 (Link)
802.11x – 802.11(b) WEP, 802.11(g)
CDMA 2000
GPRS
GPRS
Server
GGSN
SGSN
RADIUS
Attacker
Network Layer Wireless Security
We propose that security be addressed at the
network layer.
Advantages
Independent of underlying link layer.
Overcomes many of the problems of layer 2
solutions.
Leverages extensive experience, s/w, and h/w
support from Ipsec for VPNs.
Disadvantage
Need set up protocols.
Protocols for Tunnel Composition
We have been investigating protocols for
composing IPSec security tunnels.
Given a scenario we ask:
What tunnels should we establish
What properties should these tunnels have.
Develop protocols that compose these
tunnels into a satisfactory solution.
Lots of messy details to consider in order to
get the composition to work.
Toward Network Layer Security
Suppose we have three parties: client, server,
network access server (NAS).
The client wishes to securely access the server.
We will assume that the client has a relationship
with the NAS and the server, but the NAS does
not have a relationship to the server.
The Client will have to authenticate itself to both the
NAS and the server.
Network Layer Wireless Security
Problem
Similar problem to GPRS above.
The NAS does not protect the client from
attacking incoming traffic.
Being forced to pay for service you never
used is worse than denial of service.
How About a Firewall
Why Not a Firewall
A stateful firewall can be programmed to
allow only traffic from the address to which
a connection has been made.
The firewall can not see the contents of
the IPSec traffic. Resulting in minimum
protection.
L3A Protocol Principles
The user’s traffic should travel in DOS
resistant IPSec tunnels.
These IPSec tunnels should be set up
using DOS resistant protocols.
The NAS should ensure that when the
accounting system logs traffic as being
from a user it is actually from that user.
Authenticate incoming traffic.
L3A Architecture
L3A Protocol Components
L3A protocol that sets up the six tunnels.
SIKE Key Exchange protocol (X509 +
DOS protection).
Very simple. Does not use two party key
generation.
No guarantee of perfect forward secrecy.
Assumes existence of public key
infrastructure.
L3A Protocol Overview
Client
NAS
Server
Key Exchange
SIKE
A
B
rA, SPI(n,0)
rA,rB, SPI(n,m), certB, cookieA
Where CookieA = VersionSecret | Hash([rA,rB,IPA, SPI(n,m)],Secret)
certA,cookieA, DA, Ps(a,DA)
Where DA = [rA, IPB, SPI(n,m)]
DB, Ps(b,DB)
Where DB = [rB, IPA, rA, SPI(n,m), Pe(A, K)]
Methodology
An English language description
resembling an IETF RFC is produced.
A formal specification is written in Maude.
Systems are modeled using membership
equational logic and rewriting logic.
Symbolic simulation has been our main
debugging aid.
We feel the design is now relatively
stable.
Maude Model of L3A
Our Maude model seeks to apply good SE
techniques to modeling the L3A protocol.
Documentation and proper configuration control.
Accent is on verifying design.
Component interaction was our primary concern.
Modeled the various components and layers.
IP, IPSec, L3A, …..
Symbolic simulation highlights the unexpected
interactions.
Overview of Module Interaction
L3A
SIKE
setkey
PKI
IP SEC
IP
SIKE Test
Setkey
L3A Test
Concrete
L3a Test
Abstract
L3A
L3A
Abstract
PKI
SIKE
Security Policy
IP SEC
Security Assoc
IP
Routing Table
State
IP Message
Message
Modeling Uncovered Problems
Problems arose from interactions among
the components.
Numerous iterations were required to resolve
problems resulting from when the IP Sec
databases are updated.
When things are not done right packets can
slip into partially setup tunnels.
We Didn’t Model
Timeouts and resends.
Lost Messages.
Periodic updates to the secret used to generate
the cookie.
Fragmentation.
Can be the source of DOS attacks.
UDP layer. Ports not mentioned at all in the
model.
Attacks.
Formally verify SIKE/L3A. TBD.
Implementation
Platform. X86 running FreeBSD. C, Python, and TLS
crypto libraries.
Radius server to be used for accounting.
Will demonstrate that our protocol can be implemented
using available technology.
We will seek to validate the implementation against the
Maude model.
The protocol is very deterministic.
Should be able to match a run of the simulation against a run of
the actual protocol modulo some specific field values.
The process for less deterministic protocols is more challenging.
Future Work
Continue work on composition of security
tunnels.
Perform formal verification of SIKE.
We assert that the composition of DOS
resistant tunnels is DOS resistant.
Existing formal methods lack the tools to
reason about DOS.
We plan on working toward filling this void
in the formal methods toolkit.