
Formal analysis-crypto-proto

Jul 14, 2015

Transcript
Page 1: Formal analysis-crypto-proto

Towards more secure networks

using formal approaches

Dr. Jayaraj Poroor, DependSoft Consulting, jayaraj@dependsoft.com, http://dependsoft.com

Presented at Dr. C. R. Rao Institute of Advanced Studies

Jan 22, 2013

Page 2: Formal analysis-crypto-proto

DependSoft

Roadmap for the talk

1. Formal Methods

2. Cryptographic Protocols

3. Formal Modeling

4. Modeling Language

5. A Cryptographic Handshake Protocol

6. The ProVerif Tool

✓ Motivate

✓ Key Ideas

✗ All details

Page 3: Formal analysis-crypto-proto


Formal Methods

Page 4: Formal analysis-crypto-proto


Formal methods

• The art and science of describing and reasoning about computing systems using rigorous mathematical techniques that have a well-developed theoretical basis.

[Figure: Alan Turing (Turing Machine, Bombe machine); John von Neumann (Automata Theory, Stored Program Computer); John McCarthy (Artificial Intelligence, LISP)]

Page 5: Formal analysis-crypto-proto


The bridge

[Figure: FORMAL METHODS as the bridge between THEORY and PRACTICE]

THEORY: Computability, Complexity, Expressivity, Automata, Logics, Calculi, Semantics

PRACTICE: Specification, Design & Development, Software & Hardware Systems, Tools

Page 6: Formal analysis-crypto-proto


Why do we need it?

• Gain precise understanding of computing systems

▫ Ideas are developed with mathematical rigor

• Rigor pays off

▫ Strong guarantees

▫ Mechanization of synthesis and analysis

• Theory informs

▫ Establishes the limits

▫ Provides efficient algorithms

Page 7: Formal analysis-crypto-proto


Reasoning about programs

• What is a correctness property?

▫ Safety + Liveness

• Safety

▫ Something bad will never happen.

• Liveness

▫ Something good will eventually happen.

• Both can be expressed mathematically.

Recognizing Safety and Liveness, Alpern and Schneider, Distributed Computing, 1986

Page 8: Formal analysis-crypto-proto


Coffee/tea machine as a finite-state automaton

[Figure: state diagram of the machine; transition labels include "5" and "3sec"]

Now we can reason about safety and liveness!

1 “Reasoning … is nothing but reckoning”, Thomas Hobbes, English philosopher

Page 9: Formal analysis-crypto-proto


Cryptographic Protocols

Page 10: Formal analysis-crypto-proto


What are they?

• Concurrent programs that interact via public channels to achieve security objectives.

• “3-line programs that people still manage to get wrong,” Roger Needham.

• A critical component for ensuring security in today’s distributed systems.

▫ e.g., SSL/TLS, SSH, IPSec, SRTP.

Gavin Lowe. 1995. An attack on the Needham-Schroeder public-key authentication protocol. Inf. Process. Lett. 56, 3 (November 1995), 131-133.

Page 11: Formal analysis-crypto-proto


Narrating a simple cryptographic protocol

Many concurrent instances of A’s and B’s are possible

1. A → B: request, A’s public key

2. B prepares the response

3. B → A: response encrypted with A’s public key

4. A decrypts the response with A’s private key

No guarantee that the response came from B!

Page 12: Formal analysis-crypto-proto


Security objectives

• Secrecy

• Strong secrecy

• Origin Authentication

Page 13: Formal analysis-crypto-proto


Security objectives

• Integrity

• Authenticated key exchange

• Non-repudiation

Page 14: Formal analysis-crypto-proto


Security objectives

• Fairness

• Anonymity

• Availability [1]

[1] Jayaraj Poroor and Bharat Jayaraman, Denial of service attacks on Real-time media through Indirect Contention-in-Hosts, IEEE Internet Computing, 2009.

Page 15: Formal analysis-crypto-proto


The fruit flies of formal methods research!

[Figure: analogy diagram with the labels “Is To”, “Is Like”, “Is To”]

Page 16: Formal analysis-crypto-proto


Formal reasoning

Finite-state representation of a cryptographic protocol

[Figure: state graph with start state S and a state A labelled “Attacker gets the secret!”]

Will the attacker get the secret?

Is state A reachable from state S?

Page 17: Formal analysis-crypto-proto


Formal Modeling of Cryptographic Protocols

Page 18: Formal analysis-crypto-proto


Modeling assumptions

• What are the capabilities of the attacker?

• What are the assumptions behind modeling cryptographic functions?

▫ e.g., AES is cryptanalytically stronger than DES

Page 19: Formal analysis-crypto-proto


Be specific!

Page 20: Formal analysis-crypto-proto


The Dolev-Yao model

• All-powerful Intruder

▫ Channel is the Intruder

▫ Intruder can read, modify, fabricate, replay, analyze messages

• Perfect cryptography

▫ Computational complexity abstracted out

Dolev, D.; Yao, A. C. (1983), "On the security of public key protocols", IEEE Trans. on Information Theory IT-29: 198–208

[Figure: Alice and Bob communicating through the Intruder]

Page 21: Formal analysis-crypto-proto


Modeling perfect cryptography

• Functions as symbolic terms

▫ senc(m,k) may be applied to any message m and key k

• Properties of functions as equations

▫ sdec(senc(m,k),k) = m

Page 22: Formal analysis-crypto-proto


Equational reasoning

• Equations:

▫ mix(salt, water) may be applied to any salt

▫ mix(salt, empty) = salt

▫ heat(water) = empty

▫ heat(salt) = salt

▫ heat(mix(a,b)) = mix(heat(a),heat(b))

• What happens if we compute heat(mix(salt,water))?

Page 23: Formal analysis-crypto-proto


Equational reasoning

heat(mix(salt,water)) = mix(heat(salt), heat(water))

mix(heat(salt), heat(water)) = mix(heat(salt), empty)

mix(heat(salt), empty) = mix(salt, empty)

mix(salt, empty) = salt

Page 24: Formal analysis-crypto-proto


Equational theory

• The set of equalities derivable under

▫ A set of equational axioms +

▫ Rules of equational reasoning (e.g., reflexivity, commutativity)

▫ Proof technique: Matching & rewriting

Klop, Term rewriting systems from Church-Rosser to Knuth-Bendix and beyond, LNCS, 90.

[Photo: Don Knuth]

Page 25: Formal analysis-crypto-proto


Try out

• What do we get?

▫ sdec(sdec(senc(senc(m,k2),k1),k1) ,k2)

• Remember:

▫ sdec(senc(m,k),k) = m
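The hand derivation of slides 22–23 and the try-out term above, run by a small matching-and-rewriting engine (the proof technique slide 24 names). This is an added example, not code from the talk: the slide's equations are loaded left to right as rules, the `?a`, `?b`, `?m`, `?k` pattern variables are a constructed notation, and the leftmost-outermost rewriting order is a choice here, so intermediate steps may be ordered differently from the slide while ending in the same normal form.

```python
# Terms: atoms are strings, applications are tuples (f, arg1, ...).
# Rules are (lhs, rhs) patterns; names starting with '?' are pattern variables.
RULES = [
    (('mix', 'salt', 'empty'), 'salt'),                                  # mix(salt, empty) = salt
    (('heat', 'water'), 'empty'),                                        # heat(water) = empty
    (('heat', 'salt'), 'salt'),                                          # heat(salt) = salt
    (('heat', ('mix', '?a', '?b')), ('mix', ('heat', '?a'), ('heat', '?b'))),  # heat(mix(a,b)) = mix(heat(a),heat(b))
    (('sdec', ('senc', '?m', '?k'), '?k'), '?m'),                        # sdec(senc(m,k),k) = m
]
TRY_OUT = ('sdec', ('sdec', ('senc', ('senc', 'm', 'k2'), 'k1'), 'k1'), 'k2')   # the slide 25 term

def is_var(x):
    return isinstance(x, str) and x.startswith('?')

def match(pat, term, env):
    """Syntactic matching: extend env so that pat instantiates to term, or fail."""
    if is_var(pat):
        if pat in env:                     # repeated variable, e.g. the key in sdec(senc(m,k),k)
            return env[pat] == term
        env[pat] = term
        return True
    if isinstance(pat, str) or isinstance(term, str):
        return pat == term
    return len(pat) == len(term) and all(match(p, t, env) for p, t in zip(pat, term))

def instantiate(pat, env):
    if is_var(pat): return env[pat]
    return pat if isinstance(pat, str) else tuple(instantiate(p, env) for p in pat)

def rewrite_once(term):
    """One step: the first rule matching at the root, else the leftmost rewritable argument."""
    for lhs, rhs in RULES:
        env = {}
        if match(lhs, term, env):
            return instantiate(rhs, env)
    if isinstance(term, tuple):
        for i in range(1, len(term)):
            new = rewrite_once(term[i])
            if new is not None:
                return term[:i] + (new,) + term[i + 1:]
    return None                            # normal form: no rule applies anywhere

def normalize(term):
    trace = [term]                         # the returned list is the derivation, first to last
    while (nxt := rewrite_once(trace[-1])) is not None:
        trace.append(nxt)
    return trace

def show(t):
    return t if isinstance(t, str) else f"{t[0]}({','.join(show(a) for a in t[1:])})"
```

A term encrypted under k1 and decrypted with k2 has no rule to apply, so it is already a normal form: in the symbolic model a wrong key simply yields nothing, which is what "perfect cryptography" means here.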

Page 26: Formal analysis-crypto-proto


Soundness & Completeness

• Tells us how a model and the reality (the model’s intended meaning) are related.

[Figure: MODEL and REALITY; Soundness: what is provable in the MODEL holds in REALITY; Completeness: what holds in REALITY is provable in the MODEL]

The Map is not the Territory!

Page 27: Formal analysis-crypto-proto


Unsoundness

[Figure: map on which a route exists]

“A route exists from B to A” is a theorem provable in our model,

however

the route from B to A does not exist in reality.

Page 28: Formal analysis-crypto-proto


Incompleteness

A road exists in reality,

however

no route exists in our map.

Page 29: Formal analysis-crypto-proto


Limits of Dolev-Yao models

• Could be computationally unsound

▫ A provably secure protocol could be computationally breakable (e.g., use of DES)

• Incomplete

▫ A secure protocol need not be provable in the model

▫ Undecidable in general for unbounded sessions

[3] Soundness Limits of Dolev-Yao Models, Backes, Pfitzmann, Waidner, FCC, 2006

Page 30: Formal analysis-crypto-proto


Modeling Language

Page 31: Formal analysis-crypto-proto


Modeling requirements

• Modeling the domain

▫ Unforgeable fresh secrets, nonces

▫ Symbolic encoding of cryptographic functions

⚫ enc(M,k), dec(M, pk(k))

⚫ dec(enc(m,k),k) = m

⚫ xor(xor(m,k),k) = m

• Concurrency and communication

▫ Client parallel with Server

▫ out(channel, encrypted msg), in(channel, msg)

Page 32: Formal analysis-crypto-proto


Computational calculus

• Succinct language for studying a particular class of computation

• Results in well-developed theory

▫ Can prove properties of programs

• e.g., λ-calculus: sequential functional-style computation

▫ Influenced functional language development over the last 5 decades

[Photo: Alonzo Church]

Page 33: Formal analysis-crypto-proto


π-calculus

• Communication & concurrency are primitive operations

• Milner, Parrow, Walker, 1989

• Numerous extensions, applications

▫ Distributed systems

▫ Programming languages

▫ Biomolecular systems

▫ Cryptographic protocols

[Photo: Robin Milner]

Page 34: Formal analysis-crypto-proto


A multithreaded echo server in Java

http://www.javareference.com/jrexamples/viewexample.jsp?id=47

Page 35: Formal analysis-crypto-proto


Multithreaded echo server in Java (2)

Page 36: Formal analysis-crypto-proto


Multithreaded echo server in π-calculus

let Echo = in(echo, (client,msg));out(client,msg);0

Two threads: Echo | Echo

Three threads: Echo | Echo | Echo

Unbounded threads: !Echo

!in(echo, (client,msg));out(client,msg);0

Page 37: Formal analysis-crypto-proto


Sending a fresh name

• Java:

▫ Read from random sources

▫ Write to socket, etc.

• π-calculus:

▫ new n; out(channel,n)

Page 38: Formal analysis-crypto-proto


The complete π-calculus language

• A process P, Q is one of:

▫ 0

▫ in(c, x); P

▫ out(c, v); P

▫ P | Q

▫ new n; P

▫ if u = v then P else Q

▫ !P

Page 39: Formal analysis-crypto-proto


Execution: Informal vs Formal

G. Plotkin, A Structural Approach to Operational Semantics (1981)

[Photo: Gordon Plotkin]

Informal: Java Program → Compiler → Byte code → JVM → Executions

Formal: π-calculus Program → Operational Semantics Rules → Transition Graph

Page 40: Formal analysis-crypto-proto


Sample execution steps

in(echo, (c,x));out(c,x);0 | out(echo, (ret,3));in(ret,y);out(prn,y);0

→ (reduction)

out(ret,3);0 | in(ret,y);out(prn,y);0

→ (reduction)

0 | out(prn,3);0
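The two reduction steps above, replayed by a small interpreter for the communication rule of the slide-38 language (an added example, not from the talk; `if`, `new` and `!` are left out, and the thread lists it returns are one path through the transition graph of slide 39). The `client` helper, the `SLIDE_40` process and the two-client run in the test are constructed here.

```python
# Processes of the slide-38 language, minus 'if', 'new' and '!':
#   ('zero',) | ('in', ch, pat, P) | ('out', ch, val, P) | ('par', P, Q)
# Names and variables are strings; pat is a variable or a tuple of variables; values may be tuples.
ZERO = ('zero',)
ECHO = ('in', 'echo', ('c', 'x'), ('out', 'c', 'x', ZERO))                  # in(echo,(c,x));out(c,x);0

def client(ret, v):
    """out(echo,(ret,v));in(ret,y);out(prn,y);0 -- the right-hand thread of the slide."""
    return ('out', 'echo', (ret, v), ('in', ret, 'y', ('out', 'prn', 'y', ZERO)))

def sval(v, env):
    """Apply a substitution to a value (a name, a tuple of values, or a literal)."""
    if isinstance(v, tuple): return tuple(sval(x, env) for x in v)
    return env.get(v, v) if isinstance(v, str) else v

def subst(p, env):
    """Apply a substitution to a process; an input's pattern binds, so it shadows env."""
    tag = p[0]
    if tag == 'zero': return p
    if tag == 'par': return ('par', subst(p[1], env), subst(p[2], env))
    if tag == 'out': return ('out', sval(p[1], env), sval(p[2], env), subst(p[3], env))
    bound = set(p[2]) if isinstance(p[2], tuple) else {p[2]}
    return ('in', sval(p[1], env), p[2], subst(p[3], {k: v for k, v in env.items() if k not in bound}))

def threads(p):
    """Flatten parallel composition into a list of sequential threads, dropping 0."""
    if p[0] == 'par': return threads(p[1]) + threads(p[2])
    return [] if p[0] == 'zero' else [p]

def step(ts):
    """One reduction: an out(c,v) and an in(c,pat) in different threads synchronise."""
    for i, s in enumerate(ts):
        for j, r in enumerate(ts):
            if i == j or s[0] != 'out' or r[0] != 'in' or s[1] != r[1]: continue
            pat, val = r[2], s[2]
            if isinstance(pat, tuple) and not (isinstance(val, tuple) and len(val) == len(pat)):
                continue                                                   # tuple pattern, wrong shape
            env = dict(zip(pat, val)) if isinstance(pat, tuple) else {pat: val}
            rest = [t for k, t in enumerate(ts) if k not in (i, j)]
            return rest + threads(s[3]) + threads(subst(r[3], env))
    return None                                                            # no communication possible

def run(p):
    """Reduce until stuck; returns the trace of thread lists (a path in the transition graph)."""
    trace = [threads(p)]
    while (nxt := step(trace[-1])) is not None:
        trace.append(nxt)
    return trace

SLIDE_40 = ('par', ECHO, client('ret', 3))
```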

Page 41: Formal analysis-crypto-proto


A Cryptographic Handshake Protocol

Page 42: Formal analysis-crypto-proto


A naïve handshake protocol

Bruno Blanchet and Ben Smyth, ProVerif 1.86pl3: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial, Dec 2011

(pk(skB) is known to A beforehand)

1. A → B: pk(skA)

2. B generates key k

3. B → A: aenc(sign((pk(skB),k), skB), pk(skA))

4. A → B: senc(s,k)

Page 43: Formal analysis-crypto-proto


Handshake protocol properties

• Secrecy

▫ Secret s is known only to A and B

• Authentication of A to B

▫ If B believes he has shared key k with A

▫ then B was indeed communicating with A

▫ and A has the shared key k.

• Authentication of B to A

Page 44: Formal analysis-crypto-proto


Murphy’s law!

Page 45: Formal analysis-crypto-proto


Murphy’s law in cyber security!


If an attack can happen, it will

Page 46: Formal analysis-crypto-proto


Man-in-the-middle attack

1. A → I: pk(skA)

2. I → B: pk(skI)

3. B → I: aenc(sign((pk(skB),k),skB),pk(skI))

4. I → A: aenc(sign((pk(skB),k),skB),pk(skA))

5. A → B (via I): senc(s,k)

Page 47: Formal analysis-crypto-proto


The fix

1. A → B: pk(skA)

2. B → A: aenc(sign((pk(skA),pk(skB),k), skB), pk(skA))

3. A → B: senc(s,k)

Page 48: Formal analysis-crypto-proto


The ProVerif tool

Page 49: Formal analysis-crypto-proto


Short bio

• Follows Dolev-Yao model

▫ CryptoVerif: Computational Model

• Input language: Applied π-calculus

• Reconstructs attacks

▫ Sound when trace is given

• Successfully verified complex protocols/systems

▫ TPM, TLS, JFK, Plutus, electronic voting

Bruno Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. CSFW-14, June 2001.

Page 50: Formal analysis-crypto-proto


ProVerif: attack types

• Reachability properties

▫ Secrecy

• Correspondence assertions

▫ authentication

• Observational equivalence

▫ non-interference

Page 51: Formal analysis-crypto-proto


Symmetric encryption

[Figure: ProVerif declaration of symmetric encryption, annotated: constructor name, argument types, result type, destructor name, typed variables]

Page 52: Formal analysis-crypto-proto


Horn clause representation

• P(x) if Q1(x) and Q2(x) … and Qn(x)

• grandparent(x,z) if parent(x,y) and parent(y,z)

• attacker(m) if attacker(senc(m,k)) and attacker(k)

• Horn clause logic

▫ Basis for logic programming

▫ Resolution Proof: Unification & Search
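The attacker clause above and the man-in-the-middle of slides 46 and 47, worked as an added example (constructed here, not the talk's ProVerif model): `analyze` saturates the attacker's knowledge under the destructor clauses, `derivable` applies the constructor clauses on demand, and `handshake` runs the naïve and the fixed protocol through an intruder holding the assumed private key `skI`. The sessions are bounded to the single run the slides draw, which is why this terminates where the general problem is undecidable.

```python
# Dolev-Yao terms: atoms are strings; compound terms are tuples
#   ('senc', m, k), ('aenc', m, pk), ('sign', m, sk), ('pk', sk), ('pair', a, b).
# Constructed example: a saturation of the slide's "attacker(m) if ..." clauses, not ProVerif.

def analyze(known):
    """Close a knowledge set under the destructor clauses (what the attacker can take apart)."""
    known = set(known)
    while True:
        new = set()
        for t in known:
            if isinstance(t, str): continue
            f = t[0]
            if f == 'pair': new |= {t[1], t[2]}                      # attacker(a), attacker(b) if attacker(pair(a,b))
            elif f == 'sign': new.add(t[1])                           # a signature does not hide the signed message
            elif f == 'senc' and t[2] in known: new.add(t[1])         # attacker(m) if attacker(senc(m,k)) and attacker(k)
            elif f == 'aenc' and isinstance(t[2], tuple) and t[2][0] == 'pk' and t[2][1] in known:
                new.add(t[1])                                         # attacker(m) if attacker(aenc(m,pk(sk))) and attacker(sk)
        if new <= known: return known
        known |= new

def derivable(t, known):
    """Constructor clauses: t is known, or every argument is derivable (sign/pk need the private key)."""
    if t in known: return True
    return not isinstance(t, str) and all(derivable(x, known) for x in t[1:])

def handshake(fixed):
    """Run the slide-42 handshake (fixed=False) or the slide-47 version (fixed=True) through an
    intruder I that sits between A and B; returns True if I can derive A's secret s."""
    pkA, pkB, pkI = ('pk', 'skA'), ('pk', 'skB'), ('pk', 'skI')
    known = {'skI', pkA, pkB, pkI}                                    # I's own key, all public keys
    # A -> I: pk(skA); I -> B: pk(skI). B answers to the key it was given.
    body = ('pair', pkI, ('pair', pkB, 'k')) if fixed else ('pair', pkB, 'k')
    known = analyze(known | {('aenc', ('sign', body, 'skB'), pkI)})   # B -> I
    # I -> A: some aenc(sign(body', skB), pk(skA)) that I can build; A checks what B signed.
    for t in list(known):
        if isinstance(t, tuple) and t[0] == 'sign' and t[2] == 'skB' and derivable(('aenc', t, pkA), known):
            signed = t[1]
            accepted = (signed[1] == pkA and signed[2][1] == pkB) if fixed else signed[1] == pkB
            if accepted:                                              # A -> B: senc(s,k), seen by I
                k = signed[2][2] if fixed else signed[2]
                known = analyze(known | {('senc', 's', k)})
    return derivable('s', known)
```

In the fixed run the intruder still learns the k that B generated for it, but cannot produce a signature under skB that names pk(skA), so A never sends senc(s,k) and s stays secret.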

Page 53: Formal analysis-crypto-proto


Model components

• Constructors & Destructors for:

▫ Symmetric encryption

▫ Asymmetric encryption

▫ Digital signature

• Process definitions for:

▫ clientA

▫ serverB

Page 54: Formal analysis-crypto-proto


The system


Page 55: Formal analysis-crypto-proto


Conclusion

1. Formal Methods

▫ Rigorous Methods = Theory + Practice

2. Cryptographic Protocols

▫ Fruit-flies of formal methods research

3. Formal Modeling

▫ The Dolev-Yao model

4. Modeling Language

▫ Applied Pi-calculus

5. A Cryptographic Handshake Protocol

▫ Man-in-the-middle vulnerability

6. The ProVerif Tool

▫ Uses Horn-clause logic, sound if trace is given

Thank You. Questions?

jayaraj@dependsoft.com

Page 56: Formal analysis-crypto-proto


Asymmetric encryption

Page 57: Formal analysis-crypto-proto


Digital Signature

Page 58: Formal analysis-crypto-proto


The client

Page 59: Formal analysis-crypto-proto


The server

Page 60: Formal analysis-crypto-proto


Other Modeling languages/tools

• Murphi

• FDR/CSP

• BAN Logic

• AVISPA

• CryptoVerif