Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Proving Properties of Security Protocols by Induction
1. Proving Security Protocols
1
L. C. Paulson
Proving Properties of Security Protocols by Induction
Lawrence C. Paulson
Computer Laboratory
University of Cambridge
3. Proving Security Protocols
3
An Inductive Approach
• Traces of events: A sends X to B
• Any number of interleaved runs
• Algebraic theory of messages
• A general attacker
• Modelling of accidents
• Mechanized proofs
L. C. Paulson
4. Proving Security Protocols
4
L. C. Paulson
Agents and Messages
agent
A, B, . . .
= Server | Friend i | Spy
msg
X, Y, . . .
= Agent A
|
Nonce N
|
Key K
|
{ X|
|X, }
|
Hash X
|
Crypt KX
5. Proving Security Protocols
5
L. C. Paulson
Processing Sets of Messages
Crypt KX
parts: message components
analz: message decryption
X
K −1
X
Crypt KX,
synth: message faking
Regularity lemmas stated using parts H
Secrecy theorems stated using analz H
Spoof messages drawn from synth(analz H)
X, K
Crypt KX
6. Proving Security Protocols
6
L. C. Paulson
Inductive Definition: parts H
X∈H
Crypt KX
X ∈ parts H
∈ parts H
X ∈ parts H
{ Y | ∈ parts H
|X, }
{ Y | ∈ parts H
|X, }
X ∈ parts H
Y ∈ parts H
parts G ∪ parts H
= parts(G ∪ H)
7. Proving Security Protocols
7
L. C. Paulson
Inductive Definition: analz H
Crypt KX
X∈H
∈ analz H
X ∈ analz H
K −1 ∈ analz H
X ∈ analz H
{ Y | ∈ analz H
|X, }
{ Y | ∈ analz H
|X, }
X ∈ analz H
Y ∈ analz H
analz G ∪ analz H
⊆ analz(G ∪ H)
8. Proving Security Protocols
8
L. C. Paulson
Inductive Definition: synth H
X∈H
Agent A
X ∈ synth H
∈ synth H
X∈H
Hash X
X ∈ synth H
∈ synth H
Y ∈ synth H
{ Y | ∈ synth H
|X, }
X ∈ synth H
Crypt KX
G ⊆ H =⇒ synth G ⊆ synth H
K∈H
∈ synth H
9. Proving Security Protocols
9
Simplification Laws
parts(parts H) = parts H
analz(analz H) = analz H idempotence
synth(synth H) = synth H
parts(analz H)
= analz(parts H) = parts H
parts(synth H)
= parts H ∪ synth H
analz(synth H)
= analz H ∪ synth H
synth(analz H)
= ??
L. C. Paulson
10. Proving Security Protocols
10
L. C. Paulson
Symbolic Evaluation of parts(ins XH)
ins XH
parts(ins(Key K)H)
parts(ins(Hash X)H)
parts(ins{
|X, Y | H)
}
parts(ins(Crypt KX)H)
= {X} ∪ H
= ins(Key K)(parts H)
= ins(Hash X)(parts H)
= ins{ Y | (parts(ins X(ins Y H)))
|X, }
= ins(Crypt KX)(parts(ins XH))
11. Proving Security Protocols
11
L. C. Paulson
Symbolic Evaluation of analz(ins XH)
analz(ins(Key K)H)
= ins(Key K)(analz H)
K ∈ keysFor(analz H)
analz(ins(Crypt KX)H)
=
ins(Crypt KX)(analz(ins XH))
K −1 ∈ analz H
ins(Crypt KX)(analz H)
otherwise
12. Proving Security Protocols
12
L. C. Paulson
Deductions from synth H
Nonce N
Key K
Crypt KX
∈ synth H =⇒ Nonce N ∈ H
∈ synth H =⇒ Key K ∈ H
∈ synth H =⇒ Crypt KX ∈ H
or
X ∈ synth H ∧ K ∈ H
A similar law for {
|X, Y |
}
∈ synth H
13. Proving Security Protocols
13
Spoof Messages: Limiting the Damage
Breaking down the spoof message:
{ Y | ∈ synth(analz H) ⇐⇒
|X, }
X ∈ synth(analz H) ∧ Y ∈ synth(analz H)
Eliminating the spoof message:
X ∈ synth(analz G) =⇒
parts(ins X
H) ⊆ synth(analz G) ∪ parts G ∪ parts H
L. C. Paulson
14. Proving Security Protocols
14
L. C. Paulson
The Shared-Key Model
Traces as lists of events:
Alice’s shared key:
Items already used in this trace:
Says A B X
shrK A
used evs
Reading the traffic (with the help of lost keys):
spies (Says A B X
# evs) = {X} ∪ spies evs
spies []
= {shrK A | A ∈ lost}
15. Proving Security Protocols
15
L. C. Paulson
The Simplified Otway-Rees Protocol
1. A → B : N a, A, B, { a, A, B| Kas
|N
}
2. B → S : N a, A, B, { a, A, B| Kas , N b, { a, A, B| Kbs
|N
}
|N
}
3. S → B : N a, { a, Kab| Kas , { b, Kab| Kbs
|N
}
|N
}
|N
}
4. B → A : N a, { a, Kab| Kas
16. Proving Security Protocols
16
L. C. Paulson
Inductively Defining the Protocol, 1–2
1. If evs is a trace and N a is unused, may add
Says A B { a, A, B, Crypt(shrK A){ a, A, B| |
|N
|N
}}
2. If evs has Says A
B { a, A, B, X| and N b is unused, may
|N
}
add
Says B Server { a, A, B, X, N b, Crypt(shrK B){ a, A, B| |
|N
|N
}}
B doesn’t know the true sender & can’t read X
17. Proving Security Protocols
17
L. C. Paulson
Inductively Defining the Protocol, 4
4. If evs contains the events
Says B Server { a, A, B, X
|N
Says S
, N b, Crypt(shrK B){ a, A, B| |
|N
}}
B { a, X, Crypt(shrK B){ b, K| |
|N
|N
}}
may add
Says B A { a, X|
|N
}
Rule applies only if nonces agree, etc.
18. Proving Security Protocols
18
Modelling Attacks and Accidents
Fake. If X
∈ synth(analz(spies evs)), may add
Says Spy B X
Oops. If server distributes key K , may add
Says A Spy { a, N b, K|
|N
}
Nonces show the time of the loss
L. C. Paulson
19. Proving Security Protocols
19
Regularity & Unicity
• Agents don’t talk to themselves
• Secret keys are never lost (except initially)
• Nonces & keys uniquely identify creating message
Easily proved by induction & simplification of parts
L. C. Paulson
20. Proving Security Protocols
20
Secrecy
• Keys, if secure, are never encrypted using any session keys
• Distributed keys remain confidential — to recipients!
• Yahalom: nonce N b remains secure
Simplification of analz: case analysis, big formulas
L. C. Paulson
21. Proving Security Protocols
21
L. C. Paulson
An Attack
1. A → B×: N a, A, B, { a, A, B| Kas
|N
}
1 . C → A : N c, C, A, { c, C, A| Kcs
|N
}
|N
}
|N
}
2 . A → S× : N c, C, A, { c, C, A| Kcs , N a , { c, C, A| Kas
|N
}
|N
}
2 . CA → S : N c, C, A, { c, C, A| Kcs , N a, { c, C, A| Kas
3 . S → A× : N c, { c, Kca| Kcs , { a, Kca| Kas
|N
}
|N
}
4. CB → A : N a, { a, Kca| Kas
|N
}
22. Proving Security Protocols
22
L. C. Paulson
New Guarantees of Fixed Protocol
B can trust the message if he sees
Says S
B { a, X, Crypt(shrK B){ b, K| |
|N
|N
}}
Says B Server { a, A, B, X , Crypt(shrK B){ a, N b, A, B| |
|N
|N
}}
A can trust the message if she sees
Says B
A { a, Crypt(shrK A){ a, K| |
|N
|N
}}
Says A B { a, A, B, Crypt(shrK A){ a, A, B| |
|N
|N
}}
23. Proving Security Protocols
23
Statistics
• 200 theorems about 10 protocol variants
(3 × Otway-Rees, 2 × Yahalom, Needham-Schroeder, . . .)
• 110 laws proved concerning messages
• 2–9 minutes CPU time per protocol
• few hours or days human time per protocol
• over 1200 proof commands in all
L. C. Paulson
24. Proving Security Protocols
24
Conclusions
• A feasible method of analyzing protocols
• Guarantees proved in a clear framework
• Complementary to other methods:
– Finite-state: finding simple attacks automatically
– Belief logics: freshness analysis
• Related work by Dominique Bolignano
L. C. Paulson