Transcript Slide 1
Symbolic Simulation of Tunneling Protocols Carl A. Gunter, Matthew Jacobs, Gaurav Shah, Mark-Oliver Stehr (UIUC), and Alwyn Goodloe HCES 2004 Overview Motivating problem from wireless security. Solution by composing secure tunnels. Software engineering and modeling. Future plans. Wireless Security Why is wireless security any different from wired security? Resource constraints. Increased risk to confidentiality. Value of the network link. Wireless Security Efforts Layer 1 (Physical) Spread spectrum Layer 2 (Link) 802.11x – 802.11(b) WEP, 802.11(g) CDMA 2000 GPRS GPRS Server GGSN SGSN RADIUS Attacker Network Layer Wireless Security We propose that security be addressed at the network layer. Advantages Independent of underlying link layer. Overcomes many of the problems of layer 2 solutions. Leverages extensive experience, s/w, and h/w support from Ipsec for VPNs. Disadvantage Need set up protocols. Protocols for Tunnel Composition We have been investigating protocols for composing IPSec security tunnels. Given a scenario we ask: What tunnels should we establish What properties should these tunnels have. Develop protocols that compose these tunnels into a satisfactory solution. Lots of messy details to consider in order to get the composition to work. Toward Network Layer Security Suppose we have three parties: client, server, network access server (NAS). The client wishes to securely access the server. We will assume that the client has a relationship with the NAS and the server, but the NAS does not have a relationship to the server. The Client will have to authenticate itself to both the NAS and the server. Network Layer Wireless Security Problem Similar problem to GPRS above. The NAS does not protect the client from attacking incoming traffic. Being forced to pay for service you never used is worse than denial of service. How About a Firewall Why Not a Firewall A stateful firewall can be programmed to allow only traffic from the address to which a connection has been made. The firewall can not see the contents of the IPSec traffic. Resulting in minimum protection. L3A Protocol Principles The user’s traffic should travel in DOS resistant IPSec tunnels. These IPSec tunnels should be set up using DOS resistant protocols. The NAS should ensure that when the accounting system logs traffic as being from a user it is actually from that user. Authenticate incoming traffic. L3A Architecture L3A Protocol Components L3A protocol that sets up the six tunnels. SIKE Key Exchange protocol (X509 + DOS protection). Very simple. Does not use two party key generation. No guarantee of perfect forward secrecy. Assumes existence of public key infrastructure. L3A Protocol Overview Client NAS Server Key Exchange SIKE A B rA, SPI(n,0) rA,rB, SPI(n,m), certB, cookieA Where CookieA = VersionSecret | Hash([rA,rB,IPA, SPI(n,m)],Secret) certA,cookieA, DA, Ps(a,DA) Where DA = [rA, IPB, SPI(n,m)] DB, Ps(b,DB) Where DB = [rB, IPA, rA, SPI(n,m), Pe(A, K)] Methodology An English language description resembling an IETF RFC is produced. A formal specification is written in Maude. Systems are modeled using membership equational logic and rewriting logic. Symbolic simulation has been our main debugging aid. We feel the design is now relatively stable. Maude Model of L3A Our Maude model seeks to apply good SE techniques to modeling the L3A protocol. Documentation and proper configuration control. Accent is on verifying design. Component interaction was our primary concern. Modeled the various components and layers. IP, IPSec, L3A, ….. Symbolic simulation highlights the unexpected interactions. Overview of Module Interaction L3A SIKE setkey PKI IP SEC IP SIKE Test Setkey L3A Test Concrete L3a Test Abstract L3A L3A Abstract PKI SIKE Security Policy IP SEC Security Assoc IP Routing Table State IP Message Message Modeling Uncovered Problems Problems arose from interactions among the components. Numerous iterations were required to resolve problems resulting from when the IP Sec databases are updated. When things are not done right packets can slip into partially setup tunnels. We Didn’t Model Timeouts and resends. Lost Messages. Periodic updates to the secret used to generate the cookie. Fragmentation. Can be the source of DOS attacks. UDP layer. Ports not mentioned at all in the model. Attacks. Formally verify SIKE/L3A. TBD. Implementation Platform. X86 running FreeBSD. C, Python, and TLS crypto libraries. Radius server to be used for accounting. Will demonstrate that our protocol can be implemented using available technology. We will seek to validate the implementation against the Maude model. The protocol is very deterministic. Should be able to match a run of the simulation against a run of the actual protocol modulo some specific field values. The process for less deterministic protocols is more challenging. Future Work Continue work on composition of security tunnels. Perform formal verification of SIKE. We assert that the composition of DOS resistant tunnels is DOS resistant. Existing formal methods lack the tools to reason about DOS. We plan on working toward filling this void in the formal methods toolkit.