Types for Security Protocols* - Language-Based Security group

IntroductionA Simple Case Study

Secrecy and integrity typesConclusion

Types for Security Protocols∗

Riccardo Focardi1 Matteo Maffei2

1Universita Ca’ Foscari Venezia, [email protected]

2Saarland University, [email protected]

SecCo’09September 5, 2009, Bologna

∗

Work partially supported by:Miur’07 Project SOFT: “Security Oriented Formal Techniques”

The initiative for excellence and the Emmy Noether program, Germany

R. Focardi, M. Maffei Types for Security Protocols



Security Protocols

Simple distributed algorithms providing some securityproperties

Network is assumed to be insecure

Worst-case scenario: Opponent controls the network

AliceM1

//

OpponentM′

2

oo

M′

1//

BobM2

oo

Cryptography protects information sent/received




Basic cryptographic primitives

Alice Bob

Symmetric key k {|m|}sk

//

k

? Bob

Asymmetric key kpB

{|m|}akpB

//

kB

Alice ?

Signature kA [m]kA//

kvA

Assumption (Dolev-Yao): Encryption and decryption are possibleonly knowing the appropriate keys




Type-based analysis of security protocols

[Lowe ′96]

||||

||||

|||

::

::

::

::

::

::

::

::

::

::

:[Volpano et al .′96]

}}}}

}}}}

}}}}

}}}}

}}}}

}}}

JJJJJJJJJJJJJ

Processcalculiwith

(symbolic)crypto

Imperativelanguageswith typesfor nonin-terference

[Abadi ′99]

qqqqqqqq

BBBB

BBBB

BBBB

BBBB

BB

Types [Askarov et al .′08]

llllllllllllllll

MMMMMMMMMMMM

Crypto




The Blanchet (Dennning-Sacco) protocol

Alice(A), kA Bob(B), kB

New k{|[A,B,k]kB |}a

kpA

oo

New m{|m|}s

k//

Aim: share a new secret m between A and B

1 Secrecy: A knows only B will learn m

2 Authentication: B knows m comes from A, and it is fresh




Authentication-only variant

Alice(A), kA Bob(B)

New k{|A,B,k|}a

kpA

oo

New m{|m|}s

k//

Aim: A sends an authenticated message m to B

1

((

((

((

((

((

((

((

((

((

Secrecy: A knows only B will learn m

2 Authentication: B knows m comes from A, and it is fresh




Secrecy attack on the protocol variant

Alice(A), kA Opponent(O)

New k{|A,B,k|}a

kpA

oo

New m{|m|}s

k//

O learns m




Typed spi-calculusSecurity levelsTypesA secrecy result

Typed spi-calculus

M, N, K ::= n | x | Kp | K v | {|M|}sK | {|M|}a

K | [M]K terms

P, Q, R, O ::= processes

N〈M〉.P outputN(x).P input0 stopP | Q parallel!P replication(νa : T ) P restrictionif M = N then P else Q conditionalcase M of {|x |}s

K in P sym decryptioncase M of {|x |}a

K in P asym decryptioncase M of [x ]K in P signature check





Semantics, an example

k : T k : T

New m : T ′

{|m|}sk

//

P(m)

(νk : T ) ( (νm : T ′) c〈{|m|}sk〉 | c(x).case x of {|y |}s

k in P(y) )

→ (νk : T , m : T ′) case {|m|}sk of {|y |}s

k in P(y)if m 6∈ fn(P(y))

→ (νk : T , m : T ′) P(m)





Security levels

Security lattice from Language-based Security(Secrecy/Integrity)

LL HH

HL

LH

L ⊑S H: public data can be considered as secret(protect more)

H ⊑I L: high-integrity data can be considered as low-integrity(trust less)





Security-levels: an example

A, kA ?{|A,B,k|}a

kpA

oo

New m : LH{|m|}s

k//

A receives {|A, B, k|}ak

pA

as LL

k is thus considered LL

m must be at or below LL. In fact, LH ⊑ LL

Note:

m cannot be a secret (HH 6⊑ LL)it is unsafe to trust k (LL 6⊑ LH).





Types

Types extends levels ℓ with types for keys

T ::= ℓ | µKℓ[T1, . . . ,Tn]

Key types specify the types T1, . . . ,Tn of what isencrypted/signed and the expected usage:

µ notation ℓ

Sym k HH

Enc kpA LH

Dec kA HH

Sig kB HH

Ver kvB LH

Opponents work at LL with LL keys, and encrypt/sign LL data





Typing environment

Typing environment Γ

Binds names and variables to types

u1 : T1, . . . un : Tn ui 6= uj

We write Γ ⊢ u : T if u : T is in Γ

HH keys only:

Ti = µKℓ[. . .] implies ℓ = HH and µ ∈ {Sym, Dec, Sig}

Other key types are derived, e.g.

Γ ⊢ K : DecKℓC ℓI [T ]

Γ ⊢ Kp : EncKLℓI [T ]





Subtyping ≤

If Γ ⊢ M : T and T ≤ T ′ then Γ ⊢ M : T ′

≤ extends the four-points lattice with

µKℓ[T ] ≤ ℓ

i.e., keys can be regarded as data at the appropriate level ℓ

Example: publishing a public key as plaintext

New kA : EncKHH [T ] kpA

//

kpA has type DecKLH [T ] ≤ LH ≤ LL and can be sent on the

network





Typing the pi-calculus fragment

Γ ⊢ 0Γ ⊢ P Γ ⊢ Q

Γ ⊢ P | Q

Γ ⊢ P

Γ ⊢!P

Γ, a : T ⊢ P

Γ ⊢ (νa : T ) P

Γ ⊢ M : T Γ ⊢ N : T ′ Γ ⊢ P Γ ⊢ Q

Γ ⊢ if M = N then P else Q

Γ, x : LL ⊢ P Γ ⊢ N : T

Γ ⊢ N(x).P

Γ ⊢ M : LL Γ ⊢ P Γ ⊢ N : T

Γ ⊢ N〈M〉.P

Note: Cryptographic operations are the only interesting ones





Ciphertexts and signatures

Γ ⊢ K : SymKℓC ℓI [T ] Γ ⊢ M : T

Γ ⊢ {|M|}sK : LℓI

Similarly for {|M|}aKp

Example:

c : T ⊢ (νk : SymKHH [HH], m : HH) c〈{|m|}sk〉

[M]K has secrecy level LS(T ), i.e., the secrecy level of T

Example:

m : HL [m]kA//

is not safe since LS(HL) = H





Decryption and signature check

Γ ⊢ M : T Γ ⊢ K : SymKℓ[T ] Γ, x : T ⊢ P

Γ ⊢ case M of {|x |}sK in P

Similarly for [x ]KExample

k : SymKHH [HH] ⊢ c(y).case y of {|x |}sk in P

whenever P is typed under the assumption x : HH

Decrypting {|M|}aKp requires to type P under x : LL and x : T

?

{|m|}akpB

//

��

TTTTTT

x : LL x : T





Technique 1: a la Needham-Schroeder protocol

New nA : HH

{|nA|}akpA

oo

New m : HH

{|m,nA|}akpB

//

XXXXXXXX

��

xm : LL, xnA: LL xm : HH, xnA

: HH

if nA = xnAthen P else 0

Since LL 6≤ HH in the left branch it is nA 6= xnA

P is only type-checked under xm : HH, xnA: HH





Technique 2: high-integrity ciphertexts

k : SymKHH [LH] k : SymKHH [LH]

New m : HH

{|{|m|}akpB

|}sk

//

x{|m|}akpB

: LH

xm : HH

We type-check twice only if the integrity of the ciphertext is L





A secrecy result

Definition (P preserves secrecy)

∀O, P | O →∗ (νs : T ) (νa : T ) (P ′ | b〈s〉.P ′′) implies LC(T ) = L

Theorem (Secrecy for ⊢)

Let Γ ⊢ P with img(Γ) = {LL}. Then P preserves secrecy

The theorem is based on

Proposition (Opponent typability)

Let O be an opponent and let fn(O) = {a}. Then a : LL ⊢ O.

Proposition (Subject reduction)

Let Γ ⊢ P. Then P → Q implies Γ ⊢ Q





Proving the theorem

Theorem (Secrecy for ⊢)

Γ ⊢ P with img(Γ) = {LL} and

P | O →∗ (νs : T ) (νa : T ) (P ′ | b〈s〉.P ′′) implies LC(T ) = L

1 By Opponent typability we have Γ′ ⊢ O and, sinceimg(Γ) = img(Γ′) = {LL} we obtain Γ′′ = Γ ∪ Γ′ ⊢ P | O

(Weakening)

2 By subject reduction Γ′′ ⊢ (νs : T ) (νa : T ) (P ′ | b〈s〉.P ′′)

3 Thus Γ′′, s : T , a : T ⊢ s : LL

⇒ T ≤ LL

⇒ LC (T ) = L.





Typing the case study

kA : DecKHH [HH] kB : SigKHH [LL, LL, Tk ]

νk : SymKHH [HH]{|[A,B,k]kB |}akpA

oo

νm : HH {|m|}sk

//

Γ ⊢ Alice

c(xe).xe : LL case xe of {|xs |}

akA

inxs : LL / xs : HH case xs of [xA, xB , xk ]kv

Bin

xA : LL, xB : LL, xk : Tk if A = xA then(νm : HH)

m : HH c〈{|m|}sxk〉





More examples (1)

kA : DecKHH [LL, LL, Tk ] kB : SigKHH [LH]

νk : SymKHH [HH][{|A,B,k|}akpA

]kBoo

νm : HH {|m|}sk

//

kA : DecKHH [LL, LL, Tk ]

νk : SymKHH [LH]{|A,B,k|}akpA

oo

νm : LH {|m|}sk

//





More examples (2): Needham-Schroeder public-key

kA : DecKHH [HH, LL]

jA : DecKHH [HH]kB : DecKHH [HH, HH, LL]

νnB : HH{|nB ,B|}akpA

oo

νnA : HH {|nA,nB ,A|}akpB

//

{|nA|}ajpA

oo




Conclusion

A novel perspective on types for security protocols

many fundamental techniques from literature on processcalculi ... plus the expressiveness of language-basedsecrecy/integrity levels

full paper gives types for authentication and all the proofs.Downloadable athttp://www.infsec.cs.uni-sb.de/~maffei/publications/

types-for-security-protocols.pdf

part of a project for a research book on security protocols(Cortier, Kremer Eds.) Any feedback is really welcome!


http://www.infsec.cs.uni-sb.de/~maffei/publications/

types-for-security-protocols.pdf



A few references

M. Abadi.Secrecy by typing in security protocols.Journal of the ACM, 46(5):749–786, 1999.

M. Abadi and B. Blanchet.Secrecy types for asymmetric communication.Theoretical Computer Science, 298(3):387–415, 2003.

M. Abadi and A. D. Gordon.A calculus for cryptographic protocols: The spi calculus.Information and Computation, 148(1):1–70, 1999.

A. Askarov, D. Hedin, and A. Sabelfeld.Cryptographically-masked flows.Theoretical Computer Science, 402(2-3):82–101, August 2008.

M. Centenaro, R. Focardi, F. Luccio, and G. Steel.Type-based Analysis of PIN Processing APIs.In ESORICS’09. To appear.


Types for Security Protocols* - Language-Based Security group

Documents