Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems

Control Flow Analysis of Security Protocols (I)

Mikael Buchholtz

02913 – F2005 – Mikael Buchholtz – p. 1



History of Protocol Analysis

Needham-Schroeder ’78

Dolev-Yao ’81

Algebraic view of cryptography

Millen ’84, Meadows ’89, ...

State/transition model

Burrows-Abadi-Needham ’89, ...

Modal logics

Woo-Lam ’93

Lowe ’95

Language-based

Model checking of CSP

... LySa

Thayer-Herzog-Guttman ’98, ...

Strand Spaces

Probabilistic/complexity theoretic view of cryptography

Herzog ’03, Zunino-Degano ’04


Analysing a Protocol [Bodei-Buchholtz-Degano-Nielson-Nielson ’04]

1. Write the protocol in the process calculus LYSA

2. Specify an attacker

3. Analyse the protocol and the attacker using control flow analysis

4. Inspect the analysis result to determine (security) properties of the protocol.


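LYSA for Symmetric Cryptography

$$
\begin{array}{rcll}
E & ::= & n & \text{name } (n \in \mathcal{N}) \\
  &     & x & \text{variable } (x \in \mathcal{X}) \\
  &     & \{E_1, \cdots, E_k\}_{E_0} & \text{encryption} \\[4pt]
P & ::= & \langle E_1, \cdots, E_k\rangle.\,P & \text{output} \\
  &     & (E_1, \cdots, E_j;\, x_{j+1}, \cdots, x_k).\,P & \text{input (with matching)} \\
  &     & \mathsf{decrypt}\ E\ \mathsf{as}\ \{E_1, \cdots, E_j;\, x_{j+1}, \cdots, x_k\}_{E_0}\ \mathsf{in}\ P & \text{decryption (with matching)} \\
  &     & P_1 \mid P_2 & \text{parallel composition} \\
  &     & (\nu\, n)P & \text{introduce new name } n \\
  &     & !\,P & \text{replication} \\
  &     & 0 & \text{terminated process}
\end{array}
$$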


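The Wide-mouthed-frog Protocol (without timestamps) [Burrows-Abadi-Needham ’89]

1. $A \to S : A, \{B, K_{AB}\}_{K_A}$

2. $S \to B : \{A, K_{AB}\}_{K_B}$

3. $A \to B : \{\mathit{mess}\}_{K_{AB}}$

[Figure: principals A and B and server S attached to a network, with keys KA and KB; successive frames show messages 1, 2 and 3 on the network.]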


Semantics

LYSA has a reduction semantics defined by two relations

$P \to P'$ the reduction relation

$P \equiv P'$ the structural congruence

($P \to_{R} P'$ parameterised reduction relation used in the paper)


Reduction Relation P → P ′

[Figure: tree of reductions with regions labelled "Executions" and "Executions with the attacker".]


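Reduction Relation

$$\frac{P \to P'}{(\nu\, n)P \to (\nu\, n)P'}$$

$$\frac{\bigwedge_{i=1}^{j} E_i = E_i'}{\langle E_1, \cdots, E_k\rangle.\,P \mid (E_1', \cdots, E_j';\, x_{j+1}, \cdots, x_k).\,Q \;\to\; P \mid Q[E_{j+1}/x_{j+1}, \cdots, E_k/x_k]}$$

$$\frac{P \to P'}{P \mid Q \to P' \mid Q}$$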


Structural Congruence

The structural congruence, $P \equiv Q$, brings processes “on the right form” for the reduction relation

$$\frac{P \equiv Q \;\wedge\; Q \to Q' \;\wedge\; Q' \equiv P'}{P \to P'}$$


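Structural Congruence

$$
\begin{array}{l}
P \equiv P \\
P_1 \equiv P_2 \;\Rightarrow\; P_2 \equiv P_1 \\
P_1 \equiv P_2 \wedge P_2 \equiv P_3 \;\Rightarrow\; P_1 \equiv P_3 \\
P_1 \equiv P_2 \;\Rightarrow\; \langle E_1, \cdots, E_k\rangle.\,P_1 \equiv \langle E_1, \cdots, E_k\rangle.\,P_2 \\
P_1 \equiv P_2 \;\Rightarrow\; (E_1, \cdots, E_j;\, x_{j+1}, \cdots, x_k).\,P_1 \equiv (E_1, \cdots, E_j;\, x_{j+1}, \cdots, x_k).\,P_2 \\
P_1 \equiv P_2 \wedge P_3 \equiv P_4 \;\Rightarrow\; P_1 \mid P_3 \equiv P_2 \mid P_4 \\
P_1 \equiv P_2 \;\Rightarrow\; (\nu\, n)P_1 \equiv (\nu\, n)P_2 \\
P_1 \equiv P_2 \;\Rightarrow\; !P_1 \equiv\, !P_2 \\
P_1 \equiv P_2 \;\Rightarrow\; \mathsf{decrypt}\ E\ \mathsf{as}\ \{E_1, \cdots, E_j;\, x_{j+1}, \cdots, x_k\}_{E_0}\ \mathsf{in}\ P_1 \equiv \\
\qquad\qquad\qquad \mathsf{decrypt}\ E\ \mathsf{as}\ \{E_1, \cdots, E_j;\, x_{j+1}, \cdots, x_k\}_{E_0}\ \mathsf{in}\ P_2
\end{array}
$$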


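Structural Congruence

$$
\begin{array}{l}
P_1 \equiv P_2 \quad \text{if } P_1 \text{ and } P_2 \text{ are disciplined } \alpha\text{-equivalent} \\
P_1 \mid P_2 \equiv P_2 \mid P_1 \\
(P_1 \mid P_2) \mid P_3 \equiv P_1 \mid (P_2 \mid P_3) \\
P \mid 0 \equiv P \\
(\nu\, n)0 \equiv 0 \\
(\nu\, n)(\nu\, n')P \equiv (\nu\, n')(\nu\, n)P \\
(\nu\, n)(P_1 \mid P_2) \equiv P_1 \mid (\nu\, n)P_2 \quad \text{if } n \notin \mathrm{fn}(P_1) \\
!P \equiv P \mid\, !P
\end{array}
$$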


The Semantics at Work

((ν n)〈n〉. 0) | (; x). 〈n, x〉. 0

≡ ((ν m)〈m〉. 0) | (; x). 〈n, x〉. 0

≡ (ν m)(〈m〉. 0 | (; x). 〈n, x〉. 0)

→ (ν m)(0 | 〈n, m〉. 0)

≡ 0 | (ν m)〈n, m〉. 0

≡ (ν m)〈n, m〉. 0


Algebraic View of Cryptography [Dolev-Yao ’81]

For example, to model

encrypt as $E_K(P)$ and decrypt as $D_K(C)$ such that $D_K(E_K(m)) = m$ and nothing else


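Symmetric Cryptography in LYSA

Encryption: $\{E_1, \cdots, E_k\}_{E_0}$

Decryption: $\mathsf{decrypt}\ E\ \mathsf{as}\ \{E_1, \cdots, E_j;\, x_{j+1}, \cdots, x_k\}_{E_0}\ \mathsf{in}\ P$

Semantics models perfect cryptography:

$$\frac{\bigwedge_{i=0}^{j} E_i = E_i'}{\mathsf{decrypt}\ \{E_1, \cdots, E_k\}_{E_0}\ \mathsf{as}\ \{E_1', \cdots, E_j';\, x_{j+1}, \cdots, x_k\}_{E_0'}\ \mathsf{in}\ P \;\to\; P[E_{j+1}/x_{j+1}, \cdots, E_k/x_k]}$$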
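The matching side condition shared by the input rule of the reduction relation and the symmetric decryption rule can be exercised on the Wide-mouthed-frog messages. The following Python model is an added example, not code from the slides or from the LySa tool. The term representation, the function names, the role encoding of the run, the server key table and the key name KM are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    """Symmetric encryption {E1, ..., Ek}_E0 as an opaque algebraic term."""
    fields: tuple
    key: object  # a name (str) or another term


def match(values, patterns, variables):
    """Side condition shared by the input and decryption rules.

    The first j values must equal the j patterns (E_i = E_i'); the remaining
    k - j values are bound to the variables. Returns the substitution
    [E_{j+1}/x_{j+1}, ..., E_k/x_k] as a dict, or None if no rule applies.
    """
    j = len(patterns)
    if len(values) != j + len(variables):
        return None
    if tuple(values[:j]) != tuple(patterns):
        return None
    return dict(zip(variables, values[j:]))


def decrypt(term, key, patterns, variables):
    """decrypt term as {patterns; variables}_key.

    Perfect cryptography: the term opens only under a key equal to E0 (the
    i = 0 conjunct of the rule); otherwise the process is stuck.
    """
    if not isinstance(term, Enc) or term.key != key:
        return None
    return match(term.fields, patterns, variables)


# Assumed key table of the server S: principal name -> key shared with S.
SERVER_KEYS = {"A": "KA", "B": "KB"}


def wide_mouthed_frog_run():
    """Honest run of the three messages; the role encoding is an assumption."""
    # 1. A -> S : A, {B, KAB}KA    S inputs (A; x), then opens x with KA.
    msg1 = ("A", Enc(("B", "KAB"), "KA"))
    s = match(msg1, patterns=("A",), variables=("x",))
    s.update(decrypt(s["x"], SERVER_KEYS["A"], patterns=(), variables=("xb", "xk")))
    # 2. S -> B : {A, KAB}KB       B inputs (; y), then insists the sender is A.
    msg2 = (Enc(("A", s["xk"]), SERVER_KEYS[s["xb"]]),)
    b = match(msg2, patterns=(), variables=("y",))
    b.update(decrypt(b["y"], "KB", patterns=("A",), variables=("yk",)))
    # 3. A -> B : {mess}KAB        B opens it with the key it has just learned.
    msg3 = (Enc(("mess",), "KAB"),)
    b.update(match(msg3, patterns=(), variables=("z",)))
    b.update(decrypt(b["z"], b["yk"], patterns=(), variables=("zm",)))
    return s, b


def stuck_cases():
    """Decryptions for which no reduction exists (KM is a constructed name)."""
    ct = Enc(("A", "KAB"), "KB")
    return {
        "wrong_key": decrypt(ct, "KM", patterns=(), variables=("u", "v")),
        "wrong_sender": decrypt(ct, "KB", patterns=("M",), variables=("yk",)),
        "wrong_arity": decrypt(ct, "KB", patterns=("A",), variables=()),
        "not_ciphertext": decrypt("KAB", "KB", patterns=(), variables=("u",)),
    }


if __name__ == "__main__":
    print(wide_mouthed_frog_run())
    print(stuck_cases())
```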


Asymmetric Cryptography in LYSA

Keys: $(\nu_{\pm}\, m)P$ introduces two keys $m^+, m^-$ in $P$

Encryption: $\{|E_1, \cdots, E_k|\}_{E_0}$

Decryption: $\mathsf{decrypt}\ E\ \mathsf{as}\ \{|E_1, \cdots, E_j;\, x_{j+1}, \cdots, x_k|\}_{E_0}\ \mathsf{in}\ P$


Asymmetric Cryptography in LYSA

Decryption with private key:

$$\frac{\bigwedge_{i=1}^{j} E_i = E_i'}{\mathsf{decrypt}\ \{|E_1, \cdots, E_k|\}_{m^+}\ \mathsf{as}\ \{|E_1', \cdots, E_j';\, x_{j+1}, \cdots, x_k|\}_{m^-}\ \mathsf{in}\ P \;\to\; P[E_{j+1}/x_{j+1}, \cdots, E_k/x_k]}$$

Signature validation public key:

$$\frac{\bigwedge_{i=1}^{j} E_i = E_i'}{\mathsf{decrypt}\ \{|E_1, \cdots, E_k|\}_{m^-}\ \mathsf{as}\ \{|E_1', \cdots, E_j';\, x_{j+1}, \cdots, x_k|\}_{m^+}\ \mathsf{in}\ P \;\to\; P[E_{j+1}/x_{j+1}, \cdots, E_k/x_k]}$$

(In the paper these two rules are merged into one)


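Asymmetric Cryptography in LYSA

$$
\begin{array}{rcll}
E & ::= & \ldots & \ldots \\
  &     & m^+, m^- & \text{public and private keys} \\
  &     & \{|E_1, \cdots, E_k|\}_{E_0} & \text{asymmetric encryption} \\[4pt]
P & ::= & \ldots & \ldots \\
  &     & (\nu_{\pm}\, m)P & \text{key pair creation} \\
  &     & \mathsf{decrypt}\ E\ \mathsf{as}\ \{|E_1, \cdots, E_j;\, x_{j+1}, \cdots, x_k|\}_{E_0}\ \mathsf{in}\ P & \text{asymmetric decryption}
\end{array}
$$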


The Analysis

[Figure: tree of reductions with regions labelled "Executions" and "Analysis".]


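Analysis Components

Network messages: $\kappa \in \mathcal{P}(\mathcal{V}^*)$

Variable bindings: $\rho : \mathcal{X} \to \mathcal{P}(\mathcal{V})$

where values from $\mathcal{V}$ are variable-free terms, i.e.

$$V ::= n \mid \{V_1, \cdots, V_k\}_{V_0} \mid \{|V_1, \cdots, V_k|\}_{V_0}$$

Example

$$\langle A, B, \{\mathit{mess}\}_K\rangle.\,0 \mid (A, B;\, x).\,0$$

$$\langle A, B, \{\mathit{mess}\}_K\rangle \in \kappa$$

$$\{\mathit{mess}\}_K \in \rho(x)$$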


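Analysis Judgements

$$\rho, \kappa \models P$$

reads: “$\rho$ and $\kappa$ are valid analysis estimates for $P$”

Example

$$P_1 \stackrel{\mathrm{def}}{=} \langle A\rangle.\,0 \mid (;\, x).\,0 \qquad\qquad P_2 \stackrel{\mathrm{def}}{=} \langle A, B\rangle.\,0 \mid (B;\, x).\,0$$

$$
\begin{array}{lll}
\kappa_a = \{\langle A, B\rangle\} & \kappa_b = \{\langle A\rangle\} & \kappa_c = \{\langle A\rangle, \langle B\rangle\} \\
\rho_a = [x \mapsto \emptyset] & \rho_b = [x \mapsto \{A\}] & \rho_c = [x \mapsto \{A, B\}]
\end{array}
$$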
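The judgement can be checked mechanically for the two example processes and the three candidate estimates. The following Python checker is an added example, not code from the slides or from the LySa tool; it goes beyond the slide by also computing the least valid estimate. It assumes the output and input clauses of the analysis in [BBDNN04], restricted to names (no encryption, labels or error component), which this slide does not state; all class and function names are illustrative.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Var:                      # variable x (names are plain strings, e.g. "A")
    name: str

@dataclass(frozen=True)
class Out:                      # <E1, ..., Ek>. P
    terms: tuple
    cont: object = None         # None stands for the terminated process 0

@dataclass(frozen=True)
class In:                       # (E1, ..., Ej; x_{j+1}, ..., x_k). P
    patterns: tuple
    variables: tuple
    cont: object = None

@dataclass(frozen=True)
class Par:                      # P1 | P2
    left: object
    right: object

def values_of(term, rho):
    """Values a term may evaluate to: a name is itself, a variable is rho(x)."""
    return rho.get(term.name, set()) if isinstance(term, Var) else {term}

def check(rho, kappa, proc, fix=False):
    """True iff rho, kappa |= proc. With fix=True, add what is missing instead
    (the result then says whether this pass found nothing to add)."""
    if proc is None:
        return True
    if isinstance(proc, Par):
        left = check(rho, kappa, proc.left, fix)
        return check(rho, kappa, proc.right, fix) and left
    ok = True
    if isinstance(proc, Out):
        # Every tuple of values the output may send has to be in kappa.
        for msg in product(*(values_of(t, rho) for t in proc.terms)):
            if msg not in kappa:
                ok = False
                if fix:
                    kappa.add(msg)
        return check(rho, kappa, proc.cont, fix) and ok
    # Input: each message in kappa that passes the matching binds its remaining
    # components to the variables, and only then is the continuation analysed.
    j = len(proc.patterns)
    if fix:
        for x in proc.variables:
            rho.setdefault(x, set())
    for msg in list(kappa):
        if len(msg) != j + len(proc.variables):
            continue
        if any(v not in values_of(p, rho) for v, p in zip(msg, proc.patterns)):
            continue
        for x, v in zip(proc.variables, msg[j:]):
            if v not in rho.get(x, set()):
                ok = False
                if fix:
                    rho[x].add(v)
        ok = check(rho, kappa, proc.cont, fix) and ok
    return ok

def least_estimate(proc):
    """Smallest valid estimate: add missing elements until a pass adds none."""
    rho, kappa = {}, set()
    while not check(rho, kappa, proc, fix=True):
        pass
    return rho, kappa

# The example processes and the candidate estimates a, b, c from the slide.
P1 = Par(Out(("A",)), In((), ("x",)))
P2 = Par(Out(("A", "B")), In(("B",), ("x",)))
ESTIMATES = {
    "a": ({"x": set()}, {("A", "B")}),
    "b": ({"x": {"A"}}, {("A",)}),
    "c": ({"x": {"A", "B"}}, {("A",), ("B",)}),
}

def slide_example():
    """Which of the slide's estimates are valid for P1 and for P2."""
    return {(name, e): check(rho, kappa, proc)
            for name, proc in (("P1", P1), ("P2", P2))
            for e, (rho, kappa) in ESTIMATES.items()}
```

Under these clauses, estimates b and c are valid for P1 (c being a safe over-approximation of the least estimate b), and only estimate a is valid for P2, because the pattern B never matches the first component of ⟨A, B⟩.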


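Analysing Restriction

$$
\begin{array}{l}
!(\nu\, n)\langle n\rangle.\,0 \;\equiv\; (\nu\, m)\langle m\rangle.\,0 \mid (\nu\, o)\langle o\rangle.\,0 \mid (\nu\, p)\langle p\rangle.\,0 \mid \\
\qquad (\nu\, q)\langle q\rangle.\,0 \mid (\nu\, r)\langle r\rangle.\,0 \mid \ldots \mid \\
\qquad !(\nu\, n)\langle n\rangle.\,0
\end{array}
$$

Each name, $n$, is assigned a canonical name $\lfloor n \rfloor$

The semantics uses disciplined α-equivalence:

$(\nu\, n)P$ is α-equivalent to $(\nu\, n')P'$ and $\lfloor n \rfloor = \lfloor n' \rfloor$

For example $\lfloor m \rfloor = \lfloor o \rfloor = \lfloor p \rfloor = \lfloor q \rfloor = \lfloor r \rfloor = \ldots = \lfloor n \rfloor$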


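Canonical Names and Variables

Network messages: $\kappa \in \mathcal{P}(\lfloor \mathcal{V} \rfloor^*)$

Variable bindings: $\rho : \lfloor \mathcal{X} \rfloor \to \mathcal{P}(\lfloor \mathcal{V} \rfloor)$

Example

$$
\begin{array}{l}
(!(\nu\, n)\langle n, n\rangle.\,0) \mid (!(;\, x, y).\,0) \;\equiv \\
(!(\nu\, n)\langle n, n\rangle.\,0) \mid (!(;\, x, y).\,0) \mid (\nu\, n_1)\langle n_1, n_1\rangle.\,0 \mid (;\, x_1, y_1).\,0 \;\to \\
(!(\nu\, n)\langle n, n\rangle.\,0) \mid (!(;\, x, y).\,0) \;\equiv \\
(!(\nu\, n)\langle n, n\rangle.\,0) \mid (!(;\, x, y).\,0) \mid (\nu\, n_2)\langle n_2, n_2\rangle.\,0 \mid (;\, x_2, y_2).\,0 \;\to \\
\ldots
\end{array}
$$

but $\lfloor n \rfloor = \lfloor n_1 \rfloor = \lfloor n_2 \rfloor = \ldots$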


The Analysis of the Attacker

[Figure: regions labelled "Executions", "Executions with the attacker" and "Analysis", with names n1, n2, n3 and the canonical name ⌊ni⌋.]


Protocol Scenarios

[Figure: principals A and B, server S and M attached to the network.]

In LySa: A | B | S | M

(A | B | S: legitimate part of system; M: the attacker)

We write the legitimate part of the system

The attacker will be handled using the analysis


Protocols Scenarios

[Figure: server S and attacker M on the network. First frame: single principals A and B with keys KA and KB. Later frames: principals A1, A2, A3, Ai and B1, B2, B3, Bi, with keys KA1, KAi, KB1 and KBi.]


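Meta Level

$$
\begin{array}{rcll}
E & ::= & n_{i_1 \cdots i_k} & \text{Indexed names} \\
  &     & x_{i_1 \cdots i_k} & \text{Indexed variables} \\
  &     & \ldots & \\[4pt]
P & ::= & \ldots & \\
  &     & \mid_{i \in S} & \text{Indexed parallel} \\
  &     & (\nu_{i \in S}\; n_i)P & \text{Indexed restriction} \\
  &     & (\nu_{\pm\, i \in S}\; n_i)P & \text{Indexed key pair restriction} \\
  &     & \mathsf{let}\ X \subseteq S\ \mathsf{in}\ P & \text{Declare set}
\end{array}
$$

Example

$$\mid_{i \in \{1,2,3\}} \langle \mathit{mess}_i\rangle.\,0 \;\leadsto\; \langle \mathit{mess}_1\rangle.\,0 \mid \langle \mathit{mess}_2\rangle.\,0 \mid \langle \mathit{mess}_3\rangle.\,0$$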


Analysing a Protocol

1. Write the protocol in the process calculus LYSA

2. Specify an attacker

3. Analyse the protocol and the attacker using control flow analysis

4. Inspect the analysis result to determine (security) properties of the protocol.


For Next Time

Write one or two protocols from Appendix A of [BBDNN04] in LYSA

Things to consider:

The use of pattern matching

The use of restriction (ν n)P

Scenarios (number of principals, sharing keys, etc.)

To be presented on slides next time: Starting 9.30! (February 18th)

(Try to parse your LySa through the LySatool?)
