Technical University of Denmark / Informatics and ... · Technical University of Denmark /...

Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems

Control Flow Analysisof Security Protocols (I)

Mikael Buchholtz

02913 – F2005 – Mikael Buchholtz – p. 1

History of Protocol AnalysisNeedham-Schroeder ’78

Dolev-Yao ’81

Algebraic viewof cryptography

Dolev-Yao ’81

Millen ’84, Meadows ’89, ...

State/transition model

Dolev-Yao ’81

Burrows-Abadi-Needham ’89, ...

Modal logics

Dolev-Yao ’81

Modal logics

Woo-Lam ’93

Lowe ’95

Language-based

Model checking of CSP

. . . LySa

Dolev-Yao ’81

Modal logics

Woo-Lam ’93

Lowe ’95

Language-based

. . . LySa

Thayer-Herzog-Guttman ’98, ...

Strand Spaces

Dolev-Yao ’81

Modal logics

Woo-Lam ’93

Lowe ’95

Language-based

. . . LySa

Thayer-Herzog-Guttman ’98, ...

Strand Spaces

Probabalistic/complexitytheoretic view

of cryptography Herzog ’03,Zunino-Degano ’04

Analysing a Protocol[Bodei-Buchholtz-Degano-Nielson-Nielson ’04]

1. Write the protocol in the process calculus LYSA

2. Specify an attacker

3. Analyse the protocol and the attacker usingcontrol flow analysis

4. Inspect the analysis result to determine(security) properties of the protocol.

LYSA for Symmetric CryptographyE ::= n name (n ∈ N )

x variable (x ∈ X )

{E1, · · · , Ek}E0encryption

P ::= 〈E1, · · · , Ek〉. P output

(E1, · · · , Ej; xj+1, · · · , xk). P input (with matching)

decrypt E as {E1, · · · , Ej; xj+1, · · · , xk}E0in P

decryption (with matching)

P1 | P2 parallel composition

(ν n)P introduce new name n

! P replication

0 terminated process

The Wide-mouthed-frog Protocol(without timestamps) [Burrows-Abadi-Needham ’89]

1. A → S : A, {B, KAB}KA

2. S → B : {A, KAB}KB

3. A → B : {mess}KAB

S Network

1. A → S : A, {B, KAB}KA

2. S → B : {A, KAB}KB

S Network

A, {B, KAB}KA

1. A → S : A, {B, KAB}KA

2. S → B : {A, KAB}KB

S Network

{A, KAB}KB

1. A → S : A, {B, KAB}KA

2. S → B : {A, KAB}KB

S Network{mess}KAB

SemanticsLYSA has a reduction semantics defined by tworelations

P → P ′ the reduction relation

P ≡ P ′ the structural congruence

(P →R P ′ parameterised reduction relation used inthe paper)

Reduction Relation P → P ′

◦◦

· · ·

Executions with the attacker

Reduction Relation P → P ′

◦◦

◦◦◦

· · ·

Executions

Reduction RelationP → P ′

(ν n)P → (ν n)P ′

∧ji=1 Ei = E ′

〈E1, · · · , Ek〉. P | (E ′

1, · · · , E′

j; xj+1, · · · , xk). Q →

P | Q[Ej+1/xj+1, · · · , Ek/xk]

P → P ′

P | Q → P ′ | Q

Structural CongruenceThe structural congruence, P ≡ Q, brings processes“on the right form” for the reduction relation

P ≡ Q ∧ Q → Q′ ∧ Q′ ≡ P ′

P → P ′

Structural CongruenceP ≡ P

P1 ≡ P2 ⇒ P2 ≡ P1

P1 ≡ P2 ∧ P2 ≡ P3 ⇒ P1 ≡ P3

P1 ≡ P2 ⇒ 〈E1, · · · , Ek〉. P1 ≡ 〈E1, · · · , Ek〉. P2

P1 ≡ P2 ⇒ (E1, · · · , Ej; xj+1, · · · , xk). P1 ≡

(E1, · · · , Ej; xj+1, · · · , xk). P2

P1 ≡ P2 ∧ P3 ≡ P4 ⇒ P1 | P3 ≡ P2 | P4

P1 ≡ P2 ⇒ (ν n)P1 ≡ (ν n)P2

P1 ≡ P2 ⇒ !P1 ≡ !P2

P1 ≡ P2 ⇒ decrypt E as {E1, · · · , Ej; xj+1, · · · , xk}E0in P1 ≡

decrypt E as {E1, · · · , Ej; xj+1, · · · , xk}E0in P2

Structural CongruenceP1 ≡ P2 ifP1 and P2 are disciplined α-equivalent

P1 | P2 ≡ P2 | P1

(P1 | P2) | P3 ≡ P1 | (P2 | P3)

P | 0 ≡ P

(ν n)0 ≡ 0

(ν n)(ν n′)P ≡ (ν n′)(ν n)P

(ν n)(P1 | P2) ≡ P1 | (ν n)P2 if n 6∈ fn(P1)

!P ≡ P | !P

The Semantics at Work

((ν n)〈n〉. 0) | (; x). 〈n, x〉. 0

≡ ((ν m)〈m〉. 0) | (; x). 〈n, x〉. 0

≡ (ν m)(〈m〉. 0 | (; x). 〈n, x〉. 0)

((ν n)〈n〉. 0) | (; x). 〈n, x〉. 0

≡ ((ν m)〈m〉. 0) | (; x). 〈n, x〉. 0

≡ (ν m)(〈m〉. 0 | (; x). 〈n, x〉. 0)

→ (ν m)(0 | 〈n, m〉. 0)

((ν n)〈n〉. 0) | (; x). 〈n, x〉. 0

≡ ((ν m)〈m〉. 0) | (; x). 〈n, x〉. 0

≡ (ν m)(〈m〉. 0 | (; x). 〈n, x〉. 0)

→ (ν m)(0 | 〈n, m〉. 0)

≡ 0 | (ν m)〈n, m〉. 0

≡ (ν m)〈n, m〉. 0

Algebraic View of Cryptography[Dolev-Yao ’81]

For example, to model

encrypt as EK(P ) and decrypt as DK(C) suchthat DK(EK(m)) = m and nothing else

Symmetric Cryptography in LYSA

Encryption:{E1, · · · , Ek}E0

Decryption:

decrypt E as {E1, · · · , Ej; xj+1, · · · , xk}E0in P

Semantics models perfect cryptography:

∧ji=0 Ei = E ′

decrypt {E1, · · · , Ek}E0as {E ′

1, · · · , E′

j; xj+1, · · · , xk}E′

→ P [Ej+1/xj+1, · · · , Ek/xk]

Asymmetric Cryptography in LYSA

Keys:(ν± m)P introduces two keys m+, m− in P

Encryption:{|E1, · · · , Ek|}E0

Decryption:

decrypt E as {|E1, · · · , Ej; xj+1, · · · , xk|}E0in P

Decryption with private key:

∧ji=1 Ei = E ′

decrypt {|E1, · · · , Ek|}m+ as {|E ′

1, · · · , E′

j; xj+1, · · · , xk|}m− in P

→ P [Ej+1/xj+1, · · · , Ek/xk]

Signature validation public key:

∧ji=1 Ei = E ′

decrypt {|E1, · · · , Ek|}m− as {|E ′

1, · · · , E′

j; xj+1, · · · , xk|}m+ in P

→ P [Ej+1/xj+1, · · · , Ek/xk]

(In the paper these two rules are merged into one)02913 – F2005 – Mikael Buchholtz – p. 16

E ::= . . . . . .

m+, m− public and private keys

{|E1, · · · , Ek|}E0asymmetric encryption

P ::= . . . . . .

(ν± m)P key pair creation

decrypt E as {|E1, · · · , Ej; xj+1, · · · , xk|}E0in

asymmetric decryption

The Analysis

◦◦

◦◦◦

· · ·

Executions

The Analysis

◦◦

◦◦◦

· · ·

Executions

Analysis

The Analysis

◦◦

◦◦◦

· · ·

Executions

Analysis

Analysis ComponentsNetwork messages: Variable bindings:κ ∈ P(V∗) ρ : X → P(V)

where values from V are variable-free terms i.e.

V ::= n | {V1, · · · , Vk}V0| {|V1, · · · , Vk|}V0

Example

〈A, B, {mess}K〉. 0 | (A, B; x). 0

〈A, B, {mess}K〉 ∈ κ

{mess}K ∈ ρ(x)02913 – F2005 – Mikael Buchholtz – p. 19

Analysis Judgements

ρ, κ |= P

reads: “ρ and κ are valid analysis estimates for P ”

Example

def= 〈A〉. 0 | (; x). 0 P2

def= 〈A, B〉. 0 | (B; x). 0

κa = {〈A, B〉}

ρa = [x 7→ ∅]

κb = {〈A〉}

ρb = [x 7→ {A}]

κc = {〈A〉, 〈B〉}

ρc = [x 7→ {A, B}]

Analysing Restriction!(ν n)〈n〉. 0

≡ (ν m)〈m〉. 0 | (ν o)〈o〉. 0 | (ν p)〈p〉. 0 |

(ν q)〈q〉. 0 | (ν r)〈r〉. 0 | . . . |

!(ν n)〈n〉. 0

Each name, n, is assigned a canonical name bnc

The semantics uses disciplined α-equivalence:

(ν n)P is α-equivalent to (ν n′)P ′

and bnc = bn′c

For examplebmc = boc = bpc = bqc = brc = . . . = bnc

Analysing Restriction!(ν n)〈n〉. 0 ≡ (ν m)〈m〉. 0 | (ν o)〈o〉. 0 | (ν p)〈p〉. 0 |

(ν q)〈q〉. 0 | (ν r)〈r〉. 0 | . . . |

!(ν n)〈n〉. 0

and bnc = bn′c

Analysing Restriction!(ν n)〈n〉. 0 ≡ (ν m)〈m〉. 0 | (ν o)〈o〉. 0 | (ν p)〈p〉. 0 |

(ν q)〈q〉. 0 | (ν r)〈r〉. 0 | . . . |

!(ν n)〈n〉. 0

and bnc = bn′c

Canonical Names and VariablesNetwork messages: Variable bindings:κ ∈ P(bVc∗) ρ : bXc → P(bVc)

Example

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0)

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0) | (ν n1)〈n1, n1〉. 0 | (; x1, y1). 0→

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0)≡

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0) | (ν n2)〈n2, n2〉. 0 | (; x2, y2). 0 →

but bnc = bn1c = bn2c = . . .

Example

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0) ≡

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0) | (ν n1)〈n1, n1〉. 0 | (; x1, y1). 0

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0)≡

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0) | (ν n2)〈n2, n2〉. 0 | (; x2, y2). 0 →

Example

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0) ≡

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0) | (ν n1)〈n1, n1〉. 0 | (; x1, y1). 0 →

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0)

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0) | (ν n2)〈n2, n2〉. 0 | (; x2, y2). 0 →

Example

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0) ≡

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0) | (ν n1)〈n1, n1〉. 0 | (; x1, y1). 0 →

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0) ≡

(!(ν n)〈n, n〉. 0) | (!(; x, y). 0) | (ν n2)〈n2, n2〉. 0 | (; x2, y2). 0 →

but bnc = bn1c = bn2c = . . .02913 – F2005 – Mikael Buchholtz – p. 22

The Analysis

of the Attacker

◦◦

◦◦◦

· · ·

Executions

Analysis

The Analysis

of the Attacker

◦◦

◦◦◦

· · ·

Executions

Analysis

Protocol Scenarios

NetworkS

In LySa: A | B | S

Protocol Scenarios

NetworkS

In LySa: A | B | S | M

legitimate part of system the attacker

Protocol Scenarios

NetworkS

In LySa: A | B | S | M

legitimate part of system the attacker

We write the legitimate part of the system

The attacker will be handled using the analysis

Protocols Scenarios

NetworkS M

Protocols Scenarios

NetworkS M

AiA3A2A1

BiB3B2B1

Protocols Scenarios

NetworkS M

AiA3A2A1

BiB3B2B1

KB1KBi

Meta LevelE ::= ni1···ik Indexed names

xi1···ik Indexed variables. . .

P ::= . . .

|i∈S Indexed parallel(νi∈S ni)P Indexed restriction(ν±i∈S ni)P Indexed key pair restrictionlet X ⊆ S in P Declare set

Example

|i∈{1,2,3} 〈messi〉. 0 V 〈mess1〉. 0 | 〈mess2〉. 0 | 〈mess3〉. 002913 – F2005 – Mikael Buchholtz – p. 26

Analysing a Protocol1. Write the protocol in the process calculus LYSA

2. Specify an attacker

3. Analyse the protocol and the attacker usingcontrol flow analysis

4. Inspect the analysis result to determine(security) properties of the protocol.

For Next TimeWrite one or two protocols from Appendix A of[BBDNN04] in LYSA

Things to consider:

The use of pattern matching,The use of restriction (ν n)P

Scenarios (number of principals, sharing keys,etc.)

To be presented on slides next time:Starting 9.30! (February 18th)

(Try to parse your LySa through the LySatool?)

Technical University of Denmark / Informatics and ... · Technical University of Denmark /...

Documents

Transcript of Technical University of Denmark / Informatics and ... · Technical University of Denmark /...

Dynamic Optimization - Technical University of DenmarkDynamic Optimization Niels Kj˝lstad Poulsen Informatics and Mathematical Modelling The Technical Unversity of Denmark Latest

Statisticalevaluationoffeatures inclassiﬁcationproblemswith ...Technical University of Denmark Informatics and Mathematical Modelling Building 321, DK-2800 Kongens Lyngby, Denmark

Jonas Stenbæk Hegner s052574 · 2012-11-06 · Technical University of Denmark Informatics and Mathematical Modelling Building 321, DK-2800 Kongens Lyngby, Denmark Phone +45 45253351,

Linear Programming - Technical University of Denmark · Linear Programming – the simple Wyndor Glass example Thomas Stidsen tks@imm.dtu.dk Informatics and Mathematical Modeling

Technical University of Denmark

DENMARK TECHNICAL UNIVERSITY UTM-DTU (Technical University of Denmark) International Summer Course.

Final Program - redoxtech.com · 1DTU- Physics, Technical University of Denmark, Kgs. Lyngby, Denmark 2DTU-Nanotech, Technical University of Denmark, Kgs. Lyngby, Denmark 12:20 –

Introduction to Formal LanguagesIntroduction to Formal Languages Martin Franzle¨ Informatics and Mathematical Modelling The Technical University of Denmark 02140 Languages and Parsing,

Visions of The Virtual Slaughterhouse Søren G. Erbou Ph.D. student Informatics and Mathematical Modelling Technical University of Denmark Danish Meat Research.

Courseware Introduction to Multiprocessor System-on-Chip Prof. Jan Madsen Informatics and Mathematical Modeling Technical University of Denmark Richard.

DENMARK TECHNICAL COLLEGE DENMARK, SOUTH CAROLINA ...€¦ · 30/06/2016 · financial position of the business-type activities of Denmark Technical College, Denmark, South Carolina,

Ambient Occlusion - Using Ray-tracing and Texture Blending · Technical University of Denmark Informatics and Mathematical Modelling Building 321, DK-2800 Kongens Lyngby, Denmark

Object / Data Source Mapping Layer · Kgs. Lyngby 2003 Technical University of Denmark Informatics and Mathematical Modelling Building 321, DK-2800 Lyngby, Denmark Phone +45 45253351,

immoptibox - Technical University of Denmark · 2011. 4. 11. · DTU Informatics, IMM Technical University of Denmark Version 2.2. November 2010 The toolbox contains a number of functions

WP6: Static Analysis Presented by Flemming Nielson Informatics and Mathematical Modelling Technical University of Denmark at the 3nd review of DEGAS in.

Stochastic Modelling of Hydrologic Systemshenrikmadsen.org/wp-content/uploads/2014/10/Ph.D._thesis... · 2014-10-31 · Technical University of Denmark Informatics and Mathematical

Courseware Basics of Real-Time Scheduling Jan Madsen Informatics and Mathematical Modelling Technical University of Denmark Richard Petersens Plads, Building.

Technical University of Denmark (DTU) - Publications - DTU ...orbit.dtu.dk/en/publishers/technical-university-of-denmark-dtu(f7c... · Technical University of Denmark (DTU) - Publications

Open Issues in Design Informatics · Open Issues in Design Informatics Chris McMahon Technical University of Denmark Department of Mechanical Engineering Abstract Design informatics—the

INSTITUTE OF TECHNICAL INFORMATICS