Page 1
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Types for Security Protocols∗
Riccardo Focardi1 Matteo Maffei2
1Universita Ca’ Foscari Venezia, [email protected]
2Saarland University, [email protected]
SecCo’09September 5, 2009, Bologna
∗
Work partially supported by:Miur’07 Project SOFT: “Security Oriented Formal Techniques”
The initiative for excellence and the Emmy Noether program, Germany
R. Focardi, M. Maffei Types for Security Protocols
Page 2
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Security Protocols
Simple distributed algorithms providing some securityproperties
Network is assumed to be insecure
Worst-case scenario: Opponent controls the network
AliceM1
//
OpponentM′
2
oo
M′
1//
BobM2
oo
Cryptography protects information sent/received
R. Focardi, M. Maffei Types for Security Protocols
Page 3
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Basic cryptographic primitives
Alice Bob
Symmetric key k {|m|}sk
//
k
? Bob
Asymmetric key kpB
{|m|}akpB
//
kB
Alice ?
Signature kA [m]kA//
kvA
Assumption (Dolev-Yao): Encryption and decryption are possibleonly knowing the appropriate keys
R. Focardi, M. Maffei Types for Security Protocols
Page 4
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Type-based analysis of security protocols
[Lowe ′96]
||||
||||
|||
::
::
::
::
::
::
::
::
::
::
:[Volpano et al .′96]
}}}}
}}}}
}}}}
}}}}
}}}}
}}}
JJJJJJJJJJJJJ
Processcalculiwith
(symbolic)crypto
Imperativelanguageswith typesfor nonin-terference
[Abadi ′99]
qqqqqqqq
BBBB
BBBB
BBBB
BBBB
BB
Types [Askarov et al .′08]
llllllllllllllll
MMMMMMMMMMMM
Crypto
R. Focardi, M. Maffei Types for Security Protocols
Page 5
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
The Blanchet (Dennning-Sacco) protocol
Alice(A), kA Bob(B), kB
New k{|[A,B,k]kB |}a
kpA
oo
New m{|m|}s
k//
Aim: share a new secret m between A and B
1 Secrecy: A knows only B will learn m
2 Authentication: B knows m comes from A, and it is fresh
R. Focardi, M. Maffei Types for Security Protocols
Page 6
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Authentication-only variant
Alice(A), kA Bob(B)
New k{|A,B,k|}a
kpA
oo
New m{|m|}s
k//
Aim: A sends an authenticated message m to B
1
((
((
((
((
((
((
((
((
((
Secrecy: A knows only B will learn m
2 Authentication: B knows m comes from A, and it is fresh
R. Focardi, M. Maffei Types for Security Protocols
Page 7
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Secrecy attack on the protocol variant
Alice(A), kA Opponent(O)
New k{|A,B,k|}a
kpA
oo
New m{|m|}s
k//
O learns m
R. Focardi, M. Maffei Types for Security Protocols
Page 8
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Typed spi-calculus
M, N, K ::= n | x | Kp | K v | {|M|}sK | {|M|}a
K | [M]K terms
P, Q, R, O ::= processes
N〈M〉.P outputN(x).P input0 stopP | Q parallel!P replication(νa : T ) P restrictionif M = N then P else Q conditionalcase M of {|x |}s
K in P sym decryptioncase M of {|x |}a
K in P asym decryptioncase M of [x ]K in P signature check
R. Focardi, M. Maffei Types for Security Protocols
Page 9
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Semantics, an example
k : T k : T
New m : T ′
{|m|}sk
//
P(m)
(νk : T ) ( (νm : T ′) c〈{|m|}sk〉 | c(x).case x of {|y |}s
k in P(y) )
→ (νk : T , m : T ′) case {|m|}sk of {|y |}s
k in P(y)if m 6∈ fn(P(y))
→ (νk : T , m : T ′) P(m)
R. Focardi, M. Maffei Types for Security Protocols
Page 10
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Security levels
Security lattice from Language-based Security(Secrecy/Integrity)
LL HH
HL
LH
L ⊑S H: public data can be considered as secret(protect more)
H ⊑I L: high-integrity data can be considered as low-integrity(trust less)
R. Focardi, M. Maffei Types for Security Protocols
Page 11
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Security-levels: an example
A, kA ?{|A,B,k|}a
kpA
oo
New m : LH{|m|}s
k//
A receives {|A, B, k|}ak
pA
as LL
k is thus considered LL
m must be at or below LL. In fact, LH ⊑ LL
Note:
m cannot be a secret (HH 6⊑ LL)it is unsafe to trust k (LL 6⊑ LH).
R. Focardi, M. Maffei Types for Security Protocols
Page 12
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Types
Types extends levels ℓ with types for keys
T ::= ℓ | µKℓ[T1, . . . ,Tn]
Key types specify the types T1, . . . ,Tn of what isencrypted/signed and the expected usage:
µ notation ℓ
Sym k HH
Enc kpA LH
Dec kA HH
Sig kB HH
Ver kvB LH
Opponents work at LL with LL keys, and encrypt/sign LL data
R. Focardi, M. Maffei Types for Security Protocols
Page 13
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Typing environment
Typing environment Γ
Binds names and variables to types
u1 : T1, . . . un : Tn ui 6= uj
We write Γ ⊢ u : T if u : T is in Γ
HH keys only:
Ti = µKℓ[. . .] implies ℓ = HH and µ ∈ {Sym, Dec, Sig}
Other key types are derived, e.g.
Γ ⊢ K : DecKℓC ℓI [T ]
Γ ⊢ Kp : EncKLℓI [T ]
R. Focardi, M. Maffei Types for Security Protocols
Page 14
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Subtyping ≤
If Γ ⊢ M : T and T ≤ T ′ then Γ ⊢ M : T ′
≤ extends the four-points lattice with
µKℓ[T ] ≤ ℓ
i.e., keys can be regarded as data at the appropriate level ℓ
Example: publishing a public key as plaintext
New kA : EncKHH [T ] kpA
//
kpA has type DecKLH [T ] ≤ LH ≤ LL and can be sent on the
network
R. Focardi, M. Maffei Types for Security Protocols
Page 15
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Typing the pi-calculus fragment
Γ ⊢ 0Γ ⊢ P Γ ⊢ Q
Γ ⊢ P | Q
Γ ⊢ P
Γ ⊢!P
Γ, a : T ⊢ P
Γ ⊢ (νa : T ) P
Γ ⊢ M : T Γ ⊢ N : T ′ Γ ⊢ P Γ ⊢ Q
Γ ⊢ if M = N then P else Q
Γ, x : LL ⊢ P Γ ⊢ N : T
Γ ⊢ N(x).P
Γ ⊢ M : LL Γ ⊢ P Γ ⊢ N : T
Γ ⊢ N〈M〉.P
Note: Cryptographic operations are the only interesting ones
R. Focardi, M. Maffei Types for Security Protocols
Page 16
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Ciphertexts and signatures
Γ ⊢ K : SymKℓC ℓI [T ] Γ ⊢ M : T
Γ ⊢ {|M|}sK : LℓI
Similarly for {|M|}aKp
Example:
c : T ⊢ (νk : SymKHH [HH], m : HH) c〈{|m|}sk〉
[M]K has secrecy level LS(T ), i.e., the secrecy level of T
Example:
m : HL [m]kA//
is not safe since LS(HL) = H
R. Focardi, M. Maffei Types for Security Protocols
Page 17
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Decryption and signature check
Γ ⊢ M : T Γ ⊢ K : SymKℓ[T ] Γ, x : T ⊢ P
Γ ⊢ case M of {|x |}sK in P
Similarly for [x ]KExample
k : SymKHH [HH] ⊢ c(y).case y of {|x |}sk in P
whenever P is typed under the assumption x : HH
Decrypting {|M|}aKp requires to type P under x : LL and x : T
?
{|m|}akpB
//
��
TTTTTT
x : LL x : T
R. Focardi, M. Maffei Types for Security Protocols
Page 18
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Technique 1: a la Needham-Schroeder protocol
New nA : HH
{|nA|}akpA
oo
New m : HH
{|m,nA|}akpB
//
XXXXXXXX
��
xm : LL, xnA: LL xm : HH, xnA
: HH
if nA = xnAthen P else 0
Since LL 6≤ HH in the left branch it is nA 6= xnA
P is only type-checked under xm : HH, xnA: HH
R. Focardi, M. Maffei Types for Security Protocols
Page 19
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Technique 2: high-integrity ciphertexts
k : SymKHH [LH] k : SymKHH [LH]
New m : HH
{|{|m|}akpB
|}sk
//
x{|m|}akpB
: LH
xm : HH
We type-check twice only if the integrity of the ciphertext is L
R. Focardi, M. Maffei Types for Security Protocols
Page 20
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
A secrecy result
Definition (P preserves secrecy)
∀O, P | O →∗ (νs : T ) (νa : T ) (P ′ | b〈s〉.P ′′) implies LC(T ) = L
Theorem (Secrecy for ⊢)
Let Γ ⊢ P with img(Γ) = {LL}. Then P preserves secrecy
The theorem is based on
Proposition (Opponent typability)
Let O be an opponent and let fn(O) = {a}. Then a : LL ⊢ O.
Proposition (Subject reduction)
Let Γ ⊢ P. Then P → Q implies Γ ⊢ Q
R. Focardi, M. Maffei Types for Security Protocols
Page 21
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Proving the theorem
Theorem (Secrecy for ⊢)
Γ ⊢ P with img(Γ) = {LL} and
P | O →∗ (νs : T ) (νa : T ) (P ′ | b〈s〉.P ′′) implies LC(T ) = L
1 By Opponent typability we have Γ′ ⊢ O and, sinceimg(Γ) = img(Γ′) = {LL} we obtain Γ′′ = Γ ∪ Γ′ ⊢ P | O
(Weakening)
2 By subject reduction Γ′′ ⊢ (νs : T ) (νa : T ) (P ′ | b〈s〉.P ′′)
3 Thus Γ′′, s : T , a : T ⊢ s : LL
⇒ T ≤ LL
⇒ LC (T ) = L.
R. Focardi, M. Maffei Types for Security Protocols
Page 22
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
Typing the case study
kA : DecKHH [HH] kB : SigKHH [LL, LL, Tk ]
νk : SymKHH [HH]{|[A,B,k]kB |}akpA
oo
νm : HH {|m|}sk
//
Γ ⊢ Alice
c(xe).xe : LL case xe of {|xs |}
akA
inxs : LL / xs : HH case xs of [xA, xB , xk ]kv
Bin
xA : LL, xB : LL, xk : Tk if A = xA then(νm : HH)
m : HH c〈{|m|}sxk〉
R. Focardi, M. Maffei Types for Security Protocols
Page 23
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
More examples (1)
kA : DecKHH [LL, LL, Tk ] kB : SigKHH [LH]
νk : SymKHH [HH][{|A,B,k|}akpA
]kBoo
νm : HH {|m|}sk
//
kA : DecKHH [LL, LL, Tk ]
νk : SymKHH [LH]{|A,B,k|}akpA
oo
νm : LH {|m|}sk
//
R. Focardi, M. Maffei Types for Security Protocols
Page 24
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Typed spi-calculusSecurity levelsTypesA secrecy result
More examples (2): Needham-Schroeder public-key
kA : DecKHH [HH, LL]
jA : DecKHH [HH]kB : DecKHH [HH, HH, LL]
νnB : HH{|nB ,B|}akpA
oo
νnA : HH {|nA,nB ,A|}akpB
//
{|nA|}ajpA
oo
R. Focardi, M. Maffei Types for Security Protocols
Page 25
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
Conclusion
A novel perspective on types for security protocols
many fundamental techniques from literature on processcalculi ... plus the expressiveness of language-basedsecrecy/integrity levels
full paper gives types for authentication and all the proofs.Downloadable athttp://www.infsec.cs.uni-sb.de/~maffei/publications/
types-for-security-protocols.pdf
part of a project for a research book on security protocols(Cortier, Kremer Eds.) Any feedback is really welcome!
R. Focardi, M. Maffei Types for Security Protocols
Page 26
IntroductionA Simple Case Study
Secrecy and integrity typesConclusion
A few references
M. Abadi.Secrecy by typing in security protocols.Journal of the ACM, 46(5):749–786, 1999.
M. Abadi and B. Blanchet.Secrecy types for asymmetric communication.Theoretical Computer Science, 298(3):387–415, 2003.
M. Abadi and A. D. Gordon.A calculus for cryptographic protocols: The spi calculus.Information and Computation, 148(1):1–70, 1999.
A. Askarov, D. Hedin, and A. Sabelfeld.Cryptographically-masked flows.Theoretical Computer Science, 402(2-3):82–101, August 2008.
M. Centenaro, R. Focardi, F. Luccio, and G. Steel.Type-based Analysis of PIN Processing APIs.In ESORICS’09. To appear.
R. Focardi, M. Maffei Types for Security Protocols