Automated Validation of Internet Security Protocols and Applications Shared cost RTD (FET open) project IST-2001-39252 The AVISPA Project: Automated Validation of Internet Security Protocols and Applications 62th IETF Minneapolis March 2005 Alessandro Armando AI-Lab, DIST – University of Genova, Italy
27
Embed
The AVISPA Project: Automated Validation of Internet Security Protocols and Applications
62th IETF Minneapolis March 2005. The AVISPA Project: Automated Validation of Internet Security Protocols and Applications. Alessandro Armando AI-Lab, DIST – University of Genova, Italy. Motivation. - PowerPoint PPT Presentation
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Automated Validation of Internet Security Protocols and ApplicationsShared cost RTD (FET open) project IST-2001-39252
The AVISPA Project:Automated Validation of Internet Security Protocols
and Applications
62th IETF
Minneapolis
March 2005
Alessandro ArmandoAI-Lab, DIST – University of Genova, Italy
62th IETF, MinneapolisMarch 10, 2005 2
A. Armando
Motivation
• The number and scale of new security protocols under development is out-pacing the human ability to rigorously analyze and validate them.
• To speed up the development of the next generation of security protocols and to improve their security, it is of utmost importance to have
– tools that support the rigorous analysis of security protocols
– by either finding flaws or establishing their correctness.
• Optimally, these tools should be completely automated, robust, expressive, and easily usable, so that they can be integrated into the protocol development and standardization processes.
62th IETF, MinneapolisMarch 10, 2005 3
A. Armando
Context
• A number of (semi-)automated protocol analyzers have been proposed, BUT
• Automatic anaysis limited to small and medium-scale protocols
– scaling up to large-scale Internet security protocols is a considerable challenge, both scientific and technological;
• Each tool comes with its own specification language and user interface;
62th IETF, MinneapolisMarch 10, 2005 4
A. Armando
Objectives of AVISPA
• Develop a rich specification language for formalizing industrial strength security protocols and their properties.
• Advance state-of-the-art analysis techniques to scale up to this complexity.
• Develop an integrated tool supporting the protocol designer in the debugging and validation of security protocols: the AVISPA Tool.
• Assess the tool on a large collection of practically relevant, industrial protocols.
• Migrate this technology to companies and standardisation organisations.
62th IETF, MinneapolisMarch 10, 2005 5
A. Armando
The AVISPA Tool
• Push-button security protocol analyzer
• Supports the specification security protocols and properties via a rich protocol specification language
• Integrates different back-ends implementing a variety of state-of-the-art automatic analysis techniques.
• User interaction facilitated by:
– Emacs mode
– Web interface
• To the best of our knowledge, no other tool exhibits the same level of scope and robustness while enjoying the same performance and scalability.
62th IETF, MinneapolisMarch 10, 2005 6
A. Armando
Architecture of the AVISPA Tool
62th IETF, MinneapolisMarch 10, 2005 7
A. Armando
The Dolev-Yao Intruder Model
D-Y Intruder may:• Intercept/emit messages• Decrypt/encrypt with known key (Black-box perfect crypto)• Split/form messages• Use public information• Generate fresh data
channel: data + Control msgs
trustworthydevice
trustworthydevice
{A, nA} KeyB {A, nI} KeyB
A, nI, KeyA, KeyB
Intruder Knowledge
62th IETF, MinneapolisMarch 10, 2005 8
A. Armando
The Back-ends
• The On-the-fly Model-Checker (OFMC) performs protocol analysis by exploring the transition system in a demand-driven way.
• The Constraint-Logic-based Attack Searcher (CL-AtSe) applies constraint solving with powerful simplification heuristics and redundancy elimination techniques.
• The SAT-based Model-Checker (SATMC) builds a propositional formula encoding all the possible attacks (of bounded length) on the protocol and feeds the result to a SAT solver.
• TA4SP (Tree Automata based on Automatic Approximations for th Analysis of Security Protocols) approximates the intruder knowledge by using regular tree languages.
62th IETF, MinneapolisMarch 10, 2005 9
A. Armando
The High Level Protocol Specification Language (HLPSL)
• Role-based language:
– a role for each (honest) agent
– parallel and sequential composition glue roles together
• The HLPSL enjoys both
– a declarative semantics based on a fragment of the Lamport’s Temporal Logic of Actions and
– an operational semantics based on a translation into a rewrite-base formalism: the Intermediate Format (IF).
• Intruder is modeled by the channel(s) over which the communication takes places.
62th IETF, MinneapolisMarch 10, 2005 10
A. Armando
Basic Roles
role Basic_Role (…)
played_by … def=
owns {θ: Θ}
local {ε}
init Init
accepts Accept
transition
event1 action1
event2 action2
…
end role
role Alice (A, B: agent, Ka, Kb: public_key, SND, RCV: channel (dy)) played_by A def= local State:nat, Na:text (fresh), Nb:text init State = 0
transition 1. State =0 /\ RCV(start) =|> State'=2 /\ SND({Na'.A}_Kb) /\ witness(A,B,na,Na') 2. State =2 /\ RCV({Na.Nb'}_Ka) =|> State'=4 /\ SND({Nb'}_Kb) /\ request(A,B,nb,Nb') /\ secret(Na,B)end role
General Pattern Initiator Role in NSPK
62th IETF, MinneapolisMarch 10, 2005 11
A. Armando
Composed Roles: Parallel Composition
role Par_Role (…)
def=
owns {θ:Θ}
local {ε}
init Init
accepts Accept
composition
A B
end role
Pattern Example
role Kerberos (..) composition Client /\ Authn_Server /\ TGS /\ Serverend role
62th IETF, MinneapolisMarch 10, 2005 12
A. Armando
Composed Roles: Sequential Composition
role Seq_Role (…)
def=
owns {θ:Θ}
local {ε}
init Init
accepts Accept
composition
A ; B
end role
General Pattern Example
role Alice (..) establish_TLS_Tunnel(server_ authn_only); present_credentials; main_protocol(request, response)end role
62th IETF, MinneapolisMarch 10, 2005 13
A. Armando
The AVISPA Web Interface
The AVISPA Tool can be freely accessed at the URL
http://www.avispa-project.org/web-interface
The interface features:
• A simple editor for HLSPL specifications
• Basic/Expert user modes
• Attacks are graphically rendered with message-sequence charts
62th IETF, MinneapolisMarch 10, 2005 14
A. Armando
62th IETF, MinneapolisMarch 10, 2005 15
A. Armando
The AVISPA Library
• We have selected a substantial set of security problems associated with protocols that have recently been or are currently being standardized by the IETF.
• We have formalized in HLPSL a large subset of these protocols; the result of this specification effort is the AVISPA Library.
• At present the AVISPA Library comprises 112 security problems derived from 33 protocols.
• We have thoroughly assessed the AVISPA Tool by running it against the AVISPA Library.