Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
StatVerif: Modelling protocols that involvepersistent state
Mark D. RyanUniversity of Birmingham
Joint work with Myrto Arapinis, Stephanie Delaune, SteveKremer, Joshua Phillips and Graham Steel
7–8 December 2011
Outline
The ProVerif method
Protocols with persistent state
The TPM
StatVerif
Verifying cryptographic protocols
“Provable/computationalsecurity”
1 Computationally bounded(polynomial) attacker
2 Exact cryptographicoperations on bitstrings
3 Bitstring (more concrete)model
4 Prove difficulty of violatingsecurity property isequivalent to solving a hardproblem
“Formal/symbolic methods”
1 Idealised (worst case)attacker
2 Idealised (best case) perfectcryptography
3 Symbolic (more abstract)model of protocol
4 Prove impossibility ofviolating security propertywithin the model
Attacker model
We model a very powerful attacker, with “Dolev-Yao” capabilities:
it completely controls thecommunication channels, so it is ableto record, alter, delete, insert, redirect,reorder, and reuse past or currentmessages, and inject new messages.(The network is the attacker.)
manipulate data in arbitrary ways,including applying crypto operationsprovided has the necessary keys.
It controls dishonest participants.
“It’s always better to assume the worst. Assume your adversaries are better
than they are. Assume science and technology will soon be able to do things
they cannot yet. Give yourself a margin for error. Give yourself more security
than you need today.” - Bruce Schneier
Coding protocols as processes
Original handshake protocol:
let Server =
in (ch, pkC’);
new k;
out (ch, enc(pkC’, sign(skS, k ) ));
in (ch, m);
0.
Handshake protocol
S Cnew k
encpkC (signskS (k))−−−−−−−−−−−→
senck (s)←−−−−−−−−−−−
The handshake protocol in full
free ch.
(* Public key cryptography *)
fun pk/1.
fun enc/2. fun dec/2.
equation dec(x, enc(pk(x), y) ) = y.
(* Signatures *)
fun sign/2. fun checksign/2. fun getmess/1. fun ok/0.
equation checksign(pk(x), sign(x,y)) = ok.
equation getmess(sign(x,y)) = y.
(* Shared-key cryptography *)
fun senc/2. fun sdec/2.
equation sdec(senc(x,y),x) = y.
The handshake protocol in full 2
let Server =
in (ch, pkC’);
new k;
out (ch, enc(pkC’, sign(skS, k ) ));
in (ch, m);
0.
let Client =
in (ch, pkS’);
in (ch, m);
let m’ = dec(skC, m) in
if checksign(pkS’, m’) = ok then
let k’ = getmess(m) in
if pkS’ = pkS then
out (ch, senc(k’, s)).
Security properties
The applied pi calculus can model the following:
Reachability properties (e.g., secrecy)
Correspondence assertions (e.g., authentication)
Observational equivalence (e.g., strong secrecy; for instance,ballot secrecy; )
Handshake protocol - analysis
S I Cnew k new s
pkC←−−−−−−−−−−−pkM←−−−−−−−−−−−
encpkM(signskS (k))−−−−−−−−−−−→
encpkC (signskS (k))−−−−−−−−−−−→
senck (s)←−−−−−−−−−−−
C publishes her public key
I starts a session with S
I learns signskS(k) and k
I replays signskS(k) in asession with S
I is able to output secrect s
Adversary process I
in (c, xPK);
out (c, pkM);
in (c, y);let sig = decskM(y) in
out (c, encxPK (sig));in (c, z);
out (c, sdecgetmsg(sig)(z))
Protocols withpersistent state
Persistent state
Agents that have persistent state:
Web servers, database servers, . . .
Hardware tokens
Smart cards: capabilities, . . .RFID tags: their identity, . . .TPM: PCR values, session nonces, . . .HSM: PIN codes, . . .
Trusted party in contract signing protocols
VANETs
. . .
The trusted platform module
Digital rightsmanagement
unforgeable
config
uration re
port
Secure environment
Richard StallmanCreator of GNU, Emacs,
GCC, GPL, the FreeSoftware Foundation
“With a plan they call trustedcomputing, large mediacorporations, together withcomputer companies such asMicrosoft and Intel, areplanning to make yourcomputer obey them instead ofyou.”
He calls it “treacherouscomputing”.
Ross AndersonProfessor of ComputerSecurity, University of
Cambridge
“TC can support remotecensorship. In its simplest form,applications may be designed todelete pirated music under remotecontrol.”
“In 2010 President Clinton mayhave two red buttons on her desk -one that sends the missiles toChina, and another that turns offall the PCs in China.”
He also talks of commercialbullying, economic warfare andpolitical censorship.
Secure environment
Attestationfrom cloud
Cloud server
Platform configuration registers
The TPM has 24 platformconfiguration registers, PCRs.
Updating a PCR
The command TPM Extend(PCR p, Data x)effects the assignment
p := SHA-1(p || x)
StatVerif
StatVerif syntax: processes
P, Q ::= processesout(M, N); P outputin(M, x); P inputP | Q parallel composition!P replicationnew a; P restrictionlet x = g(M1, . . . ,Mn) in P else Q destructor applicationif M = N then P else Q conditional
[s 7→ M] state cellread s as x ; P reads := M; P writelock; P begin locked sectionunlock; P end locked section
Coding processes as Horn clauses: ProVerif
let Server =
in (ch, x);
new n;
out (ch, enc(k, (x,n) ));
attacker:x → attacker:enc(k[], (x,n[x]) );
attacker:u,x → attacker:u,enc(k[], (x,n[x]) );
Coding processes as Horn clauses: StatVerif
let Server =
in (ch, x);
new n;
out (ch, enc(k, (x,n) ));
attacker:x → attacker:enc(k[], (x,n[x]) );
attacker:u,x → attacker:u,enc(k[], (x,n[x]) );
Assignments
let Server =
in (ch, x);
u := h(u,x);
attacker:u,x ∧ attacker:u,y → attacker:h(u,x),y;
The Horn clauses representation
The translation of a StatVerif process generates clauses builtaround the following two predicates
att(M, N) means that state M is reachable and in that statethe attacker knows the value N;
mes(M, K , N) means that state M is reachable and in thatstate the value N is available on channel K .
Attacker clauses: constructors and destructors
The attacker can build new messages by applying anyconstructor to messages he knows.
For each constructor f (M1, . . . ,Mn)att(xs, M1) ∧ · · · ∧ att(xs, Mn)→ att(xs, f (M1, . . . ,Mn))Asymmetric encryptionatt(xs, xk) ∧ att(xs, xm)→ att(xs, aenc(xk , xm))
The attacker can analyse messages by applying anydestructor to messages he knows .
For each destructor g(M1, . . . ,Mn)→ Matt(xs, M1) ∧ · · · ∧ att(xs, Mn)→ att(xs, M)
Asymmetric-key decryptionatt(xs, xk) ∧ att(xs, aenc(pbk(xk), xm))→ att(xs, xm)
Attacker clauses: public channels
The attacker can send messages on public channels
att(xs, xc) ∧ att(xs, xm)→ mes(xs, xc , xm)
The attacker can eavesdrop on public channels
att(xs, xc) ∧mes(xs, xc , xm)→ att(xs, xm)
Attacker clauses: public state cells
Consider the protocol new m; ([s1 7→ M1] | · · · | [sn 7→ Mn] | P)
The attacker can read from public state cells
For all i ∈ {1, . . . , n}att((xs1, . . . , xsn), si [])→ att((xs1, . . . , xsn), xsi )
The attacker can write to public state cells
For all i ∈ {1, . . . , n}att((xs1, . . . xsi , . . . , xsn), si [])∧att((xs1, . . . , xsi , . . . , xsn), ysi )∧mes((xs1, . . . , xsi , . . . , xsn), zc , zm)→ mes((xs1, . . . , ysi , . . . , xsn), zc , zm)
att((xs1, . . . xsi , . . . , xsn), si [])∧att((xs1, . . . , xsi , . . . , xsn), ysi )∧att((xs1, . . . , xsi , . . . , xsn), zm)→ att((xs1, . . . , ysi , . . . , xsn), zm)
Protocol clauses
J0KρH`φµ = ∅JQ1 | Q2KρH`φfalse = JQ1Kρ H`φfalse ∪ JQ2KρH`φfalseJ!QKρH`φfalse = JQKρH`φfalse
Jnew a; QKρH`φµ = JQK(ρ ∪ {a 7→ a[`]})H`φµ
JQK(ρ ∪ {a 7→ attn[]})H`φµif a ∈ bn(P)
otherwise
Jin(M, x); QKρH`φfalse = JQK(ρ ∪ {x 7→ x, vs1 7→ vs1, . . . , vsn 7→ vsn}) H′ (x :: `) φ falsewhere φ0 = (vs1, . . . , vsn), with vs1, . . . , vsn fresh
and H′ = H ∧ mes(φ0, ρ(M), x)Jin(M, x); QKρH`φtrue = JQK(ρ ∪ {x 7→ x})(H ∧ mes(φ, ρ(M), x))(x :: `)φtrueJout(M, N); QKρH`φµ = {H ⇒ mes(φ, ρ(M), ρ(N))} ∪ JQKρH`φµ
Jlet x = g(M1, . . . ,Mn) in Q1 else Q2KρH`φµ =S
JQ1K((ρσ) ∪ {x 7→ p′σ′})(Hσ)(`σ)(φσ)µ |g(p′1, . . . , p′n) → p′ ∈ def (g) and (σ, σ′) mgus and
M1ρσ = p′1σ′, . . . ,Mnρσ = p′nσ
′ff∪ JQ2KρH`φµ
Jif M = N then Q1 else Q2KρH`φµ = JQ1K(ρσ)(Hσ)(`σ)(φσ)µ ∪ JQ2KρH`φµ where σ = mgu(ρ(M), ρ(N))Jlock; QKρH`φfalse = JQK(ρ ∪ {vs1 7→ vs1, . . . , vsn 7→ vsn})H`φ0true
where φ0 = (vs1, . . . , vsn), with vs1, . . . , vsn freshJunlock; QKρH`φtrue = JQKρH`φfalse
Jsi := M; QKρH`φfalse = JQK(ρ ∪ {vs1 7→ vs1, . . . , vsn 7→ vsn, vc 7→ vc, vm 7→ vm})H`φfalse∪{H ∧ mes(φ0, vc, vm) ⇒ mes(φ1, vc, vm)}∪{H ∧ att(φ0, vm) ⇒ att(φ1, vm)}
where φ0 = (vs1, . . . , vsi−1, vsi , vsi+1, . . . , vsn),and φ1 = (vs1, . . . , vsi−1, ρ(M), vsi+1, . . . , vsn)
with vs1, . . . , vsn, vc, vm fresh
Jsi := M; QKρH`φtrue = JQK(ρ ∪ {vc 7→ vc, vm 7→ vm})H`φ′true
∪{H ∧ mes(φ, vc, vm) ⇒ mes(φ′, vc, vm)}∪{H ∧ att(φ, vm) ⇒ att(φ′, vm)}
where φ = (M1, . . . ,Mi−1,Mi ,Mi+1, . . . ,Mn),
and φ′ = (M1, . . . ,Mi−1, ρ(M),Mi+1, . . . ,Mn),and vc, vm fresh
Jread si as x ; QKρH`φfalse = JQK(ρ ∪ {x 7→ vsi , vs1 7→ vs1, . . . , vsi 7→ vsi , . . . , vsn 7→ vsn,vc 7→ vc, vm 7→ vm})(H ∧ mes(φ0, vc, vm))`φfalse
where φ0 = (vs1, . . . , vsi , . . . , vsn),with vs1, . . . , vsi , . . . , vsn, vc, vm fresh
Jread si as x ; QKρH`φtrue = JQK(ρ ∪ {x 7→ Mi , vc 7→ vc, vm 7→ vm})(H ∧ mes(φ, vc, vm))`φtruewhere φ = (M1, . . . ,Mi , . . . ,Mn) and vc, vm fresh
Protocol clauses
J0KρH`φµ = ∅JQ1 | Q2KρH`φfalse = JQ1Kρ H`φfalse ∪ JQ2KρH`φfalseJ!QKρH`φfalse = JQKρH`φfalse
Jnew a; QKρH`φµ = JQK(ρ ∪ {a 7→ a[`]})H`φµ
JQK(ρ ∪ {a 7→ attn[]})H`φµif a ∈ bn(P)
otherwise
Jin(M, x); QKρH`φfalse = JQK(ρ ∪ {x 7→ x, vs1 7→ vs1, . . . , vsn 7→ vsn}) H′ (x :: `) φ falsewhere φ0 = (vs1, . . . , vsn), with vs1, . . . , vsn fresh
and H′ = H ∧ mes(φ0, ρ(M), x)Jin(M, x); QKρH`φtrue = JQK(ρ ∪ {x 7→ x})(H ∧ mes(φ, ρ(M), x))(x :: `)φtrueJout(M, N); QKρH`φµ = {H ⇒ mes(φ, ρ(M), ρ(N))} ∪ JQKρH`φµ
Jlet x = g(M1, . . . ,Mn) in Q1 else Q2KρH`φµ =S
JQ1K((ρσ) ∪ {x 7→ p′σ′})(Hσ)(`σ)(φσ)µ |g(p′1, . . . , p′n) → p′ ∈ def (g) and (σ, σ′) mgus and
M1ρσ = p′1σ′, . . . ,Mnρσ = p′nσ
′ff∪ JQ2KρH`φµ
Jif M = N then Q1 else Q2KρH`φµ = JQ1K(ρσ)(Hσ)(`σ)(φσ)µ ∪ JQ2KρH`φµ where σ = mgu(ρ(M), ρ(N))Jlock; QKρH`φfalse = JQK(ρ ∪ {vs1 7→ vs1, . . . , vsn 7→ vsn})H`φ0true
where φ0 = (vs1, . . . , vsn), with vs1, . . . , vsn freshJunlock; QKρH`φtrue = JQKρH`φfalse
Jsi := M; QKρH`φfalse = JQK(ρ ∪ {vs1 7→ vs1, . . . , vsn 7→ vsn, vc 7→ vc, vm 7→ vm})H`φfalse∪{H ∧ mes(φ0, vc, vm) ⇒ mes(φ1, vc, vm)}∪{H ∧ att(φ0, vm) ⇒ att(φ1, vm)}
where φ0 = (vs1, . . . , vsi−1, vsi , vsi+1, . . . , vsn),and φ1 = (vs1, . . . , vsi−1, ρ(M), vsi+1, . . . , vsn)
with vs1, . . . , vsn, vc, vm fresh
Jsi := M; QKρH`φtrue = JQK(ρ ∪ {vc 7→ vc, vm 7→ vm})H`φ′true
∪{H ∧ mes(φ, vc, vm) ⇒ mes(φ′, vc, vm)}∪{H ∧ att(φ, vm) ⇒ att(φ′, vm)}
where φ = (M1, . . . ,Mi−1,Mi ,Mi+1, . . . ,Mn),
and φ′ = (M1, . . . ,Mi−1, ρ(M),Mi+1, . . . ,Mn),and vc, vm fresh
Jread si as x ; QKρH`φfalse = JQK(ρ ∪ {x 7→ vsi , vs1 7→ vs1, . . . , vsi 7→ vsi , . . . , vsn 7→ vsn,vc 7→ vc, vm 7→ vm})(H ∧ mes(φ0, vc, vm))`φfalse
where φ0 = (vs1, . . . , vsi , . . . , vsn),with vs1, . . . , vsi , . . . , vsn, vc, vm fresh
Jread si as x ; QKρH`φtrue = JQK(ρ ∪ {x 7→ Mi , vc 7→ vc, vm 7→ vm})(H ∧ mes(φ, vc, vm))`φtruewhere φ = (M1, . . . ,Mi , . . . ,Mn) and vc, vm fresh
Assignments
Jsi := M; QKρH`φfalse = JQKρ′H`φfalse∪{H ∧mes(φ0, vc, vm) ⇒ mes(φ1, vc, vm)}∪{H ∧ att(φ0, vm) ⇒ att(φ1, vm)}
where φ0 = (vs1, . . . , vs i−1, vs i , vs i+1, . . . , vsn),and φ1 = (vs1, . . . , vs i−1, ρ(M), vs i+1, . . . , vsn)with vs1, . . . , vsn, vc, vm freshand ρ′ = ρ ∪ {vs1 7→ vs1, . . . , vsn 7→ vsn, vc 7→ vc, vm 7→ vm}
Jsi := M; QKρH`φtrue = JQK(ρ ∪ {vc 7→ vc, vm 7→ vm})H`φ′true∪{H ∧mes(φ, vc, vm) ⇒ mes(φ′, vc, vm)}∪{H ∧ att(φ, vm) ⇒ att(φ′, vm)}
where φ = (M1, . . . ,Mi−1,Mi ,Mi+1, . . . ,Mn),and φ′ = (M1, . . . ,Mi−1, ρ(M),Mi+1, . . . ,Mn),and vc, vm fresh
Main result
Theorem (The StatVerif compiler is correct)
Let M be a message. Let P be a protocol of the form
new m; ([s1 7→ M1] | · · · | [sn 7→ Mn] | Q)
Clauses(P) ` secrecy(M) ⇒ P |= secrecy(M)
If ∀K the fact att(K , M) is not derivable from Clauses(P), then Ppreserves the secrecy of M.
Some clauses for commands of the TPM
TPM Read: att(xp, x)→ att(xp, xp)
TPM CreateWrapKey:att(xp, xpcr ) ∧ key(xp, xsk , xpk , xp)→
att(xp, 〈pk(bindk[xpcr ]), wrap(xpk , bindk[xpcr ], tpmpf[], xpcr )〉)
TPM LoadKey2:att(xp, pk(xkey )) ∧ att(xp, wrap(xpk , xkey , tpmpf[], xpcr )) ∧key(xp, xsk , xpk , xp)→
key(xp, xkey , pk(xkey ), xpcr )
TPM Unbind:att(xp, aenc(xpk , xdata)) ∧ key(xp, xsk , xpk , xp)→ att(xp, xdata)
TPM Extend:att(xp, xv ) ∧ att(xp, x)→ att(h(xp, xv ), x)key(xp, xsk , xpk , xpcr ) ∧ att(xp, xv )→ key(h(xp, xv ), xsk , xpk , xpcr )
Making ProVerif work on the Horn clauses
Safe abstraction: Replace
att(xp, xv ) ∧ att(xp, x)→att(h(xp, xv ), x)
with n instances, in which xp is
zero[]
h(zero[], x1)
h(h(zero[], x1), x2)
h(h(h(zero[], x1), x2), x3)
. . .
Current and future work
Prototype implementation by Joshua Phillips
More case studiesUMTS protocols,RFID protocols,. . .
Extension to authentication properties
Extension to observational equivalence
Abstractions