Towards more secure networks
using formal approaches
Dr. Jayaraj Poroor, DependSoft
[email protected]
http://dependsoft.com
Presented at Dr. C. R. Rao Institute of Advanced Studies
Jan 22, 2013
DependSoft
Roadmap for the talk
• Formal Methods
• Cryptographic Protocols
• Formal Modeling
• Modeling Language
• A Cryptographic handshake Protocol
• The ProVerif Tool
✓ Motivate
✓ Key ideas
✗ All details
Formal methods
• The art and science of describing and reasoning about computing systems using rigorous mathematical techniques with a well-developed theoretical basis.
[Figure: three pioneers and their contributions]
Alan Turing: Turing Machine, Bombe machine
John von Neumann: Automata Theory, Stored Program Computer
John McCarthy: Artificial Intelligence, LISP
The bridge
[Diagram: formal methods as the bridge between theory and practice]
THEORY: Computability, Complexity, Expressivity, Automata, Logics, Calculi, Semantics
FORMAL METHODS
PRACTICE: Specification, Design & Development, Software & Hardware Systems, Tools
Why do we need it?
• Gain precise understanding of computing systems
▫ Ideas are developed with mathematical rigor
• Rigor pays off
▫ Strong guarantees
▫ Mechanization of synthesis and analysis
• Theory informs
▫ Establishes the limits
▫ Provides efficient algorithms
Reasoning about programs
• What is a correctness property?
▫ Safety + Liveness
• Safety
▫ Something bad will never happen.
• Liveness
▫ Something good will eventually happen.
• Can be expressed mathematically.
Recognizing Safety and Liveness, Alpern and Schneider, Distributed Computing, 1986
Coffee/tea machine as a finite-state automaton
[State diagram of the coffee/tea machine; edge labels include 5 and 3 sec]
Now we can reason about safety and liveness!
¹ Reasoning … is nothing but reckoning, Thomas Hobbes, English Philosopher
Cryptographic protocols: what are they?
• Concurrent programs that interact via public channels to achieve security objectives.
• “3-line programs that people still manage to get wrong,” Roger Needham.
• A critical component for ensuring security in today’s distributed systems.
▫ e.g., SSL/TLS, SSH, IPSec, SRTP.
Gavin Lowe. 1995. An attack on the Needham-Schroeder public-key authentication protocol. Inf. Process. Lett. 56, 3 (November 1995), 131-133.
Narrating a simple cryptographic protocol
Many concurrent instances of A’s and B’s are possible.
1. A → B: request, A’s public key
2. B: prepare response
3. B → A: response encrypted with A’s public key
4. A: decrypt response with A’s private key
No guarantee that the response came from B!
Security objectives
• Fairness
• Anonymity
• Availability¹
¹ Jayaraj Poroor and Bharat Jayaraman, Denial of Service Attacks on Real-time Media through Indirect Contention-in-Hosts, IEEE Internet Computing, 2009.
Formal reasoning
Finite state representation of a cryptographic protocol
[State diagram: start state S; state A, in which the attacker gets the secret; the open question is whether a path from S to A exists]
Will attacker get the secret? = Is state A reachable from state S?
Modeling assumptions
• What are the capabilities of the attacker?
• What are the assumptions behind modeling cryptographic functions?
▫ e.g., AES is cryptanalytically stronger than DES
The Dolev Yao model
• All-powerful Intruder
▫ Channel is the Intruder
▫ Intruder can read, modify, fabricate, replay, analyze messages
• Perfect cryptography
▫ Computational complexity abstracted out
Dolev, D.; Yao, A. C. (1983), "On the security of public key protocols", IEEE Trans. on Information Theory IT-29: 198–208
[Diagram: Alice and Bob communicate through the Intruder]
Modeling perfect cryptography
• Functions as symbolic terms
▫ senc(m,k) may be applied to any message m and key k
• Properties of functions as equations
▫ sdec(senc(m,k),k) = m
Equational reasoning
• Equations:
▫ mix(salt, water) may be applied to any salt
▫ mix(salt, empty) = salt
▫ heat(water) = empty
▫ heat(salt) = salt
▫ heat(mix(a,b)) = mix(heat(a),heat(b))
• What happens if we: heat(mix(salt,water))?
Equational reasoning
heat(mix(salt,water)) = mix(heat(salt), heat(water))
mix(heat(salt), heat(water)) = mix(heat(salt), empty)
mix(heat(salt), empty) = mix(salt, empty)
mix(salt, empty) = salt
Equational theory
• The set of equalities derivable under
▫ A set of equational axioms +
▫ Rules of equational reasoning (e.g., reflexivity, commutativity)
▫ Proof technique: Matching & rewriting
Klop, Term rewriting systems: from Church-Rosser to Knuth-Bendix and beyond, LNCS, 1990.
[Photo: Don Knuth]
Try out
• What do we get?
▫ sdec(sdec(senc(senc(m,k2),k1),k1) ,k2)
• Remember:
▫ sdec(senc(m,k),k) = m
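An added example (mine, not from the slides): the matching-and-rewriting proof technique of the Equational theory slide as a small Python rewriter. It replays the heat/mix derivation and settles the sdec/senc quiz above; the nested-tuple term encoding and the `$`-prefixed rule variables are my conventions, not the tool's.

```python
# Added example, not from the slides: rewriting by matching and replacing. Terms
# are nested tuples, e.g. ('heat', ('mix', 'salt', 'water')); rule variables start with '$'.

def match(pattern, term, subst):
    """One-way matching: extend subst so that pattern instantiates to term."""
    if isinstance(pattern, str) and pattern.startswith('$'):
        if pattern in subst:          # same variable twice, e.g. the key in sdec
            return subst[pattern] == term
        subst[pattern] = term
        return True
    if isinstance(pattern, str) or isinstance(term, str):
        return pattern == term
    if pattern[0] != term[0] or len(pattern) != len(term):
        return False
    return all(match(p, t, subst) for p, t in zip(pattern[1:], term[1:]))

def instantiate(term, subst):
    """Replace rule variables in a right-hand side by their bindings."""
    if isinstance(term, str):
        return subst.get(term, term)
    return (term[0],) + tuple(instantiate(a, subst) for a in term[1:])

def rewrite_step(term, rules):
    """Apply the first rule that matches at the root, else inside a subterm."""
    for lhs, rhs in rules:
        subst = {}
        if match(lhs, term, subst):
            return instantiate(rhs, subst)
    if isinstance(term, tuple):
        for i in range(1, len(term)):
            new = rewrite_step(term[i], rules)
            if new is not None:
                return term[:i] + (new,) + term[i + 1:]
    return None                           # no rule applies: normal form

def normalize(term, rules, max_steps=100):
    """Rewrite until no rule applies; returns every intermediate term."""
    trace = [term]
    for _ in range(max_steps):
        new = rewrite_step(trace[-1], rules)
        if new is None:
            break
        trace.append(new)
    return trace

# The slides' kitchen equations and the symmetric-decryption equation.
KITCHEN = [(('mix', 'salt', 'empty'), 'salt'), (('heat', 'water'), 'empty'),
           (('heat', 'salt'), 'salt'),
           (('heat', ('mix', '$a', '$b')), ('mix', ('heat', '$a'), ('heat', '$b')))]
CRYPTO = [(('sdec', ('senc', '$m', '$k'), '$k'), '$m')]
```

Decryption with the wrong key has no matching rule, so such a term is already in normal form: the rewriter cannot conjure the plaintext, which is exactly the perfect-cryptography assumption.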
Soundness & Completeness
• Tells us how a model and the reality (the model’s intended meaning) are related.
[Diagram: MODEL and REALITY; soundness runs from model to reality (what is provable holds), completeness from reality to model (what holds is provable)]
The Map is not the Territory!
Unsoundness
Example: “A route exists from B to A” is a theorem provable in our model; however, no route from B to A exists in reality.
Limits of Dolev-Yao models
• Could be computationally unsound
▫ A provably secure protocol could be computationally breakable (e.g., use of DES)
• Incomplete
▫ A secure protocol need not be provable in the model
▫ Undecidable in general for unbounded sessions
³ Soundness Limits of Dolev-Yao Models, Backes, Pfitzmann, Waidner, FCC, 2006
Modeling requirements
• Modeling the domain
▫ Unforgeable fresh secrets, nonces
▫ Symbolic encoding of cryptographic functions
  ⚫ enc(M,k), dec(M, pk(k))
  ⚫ dec(enc(m,k),k) = m
  ⚫ xor(xor(m,k),k) = m
• Concurrency and communication
▫ Client parallel with Server
▫ out(channel, encrypted msg), in(channel, msg)
Computational calculus
• Succinct language for studying a particular class of computation
• Results in well-developed theory
▫ Can prove properties of programs
• e.g., λ-calculus: sequential functional-style computation
▫ Influenced functional language development over the last 5 decades
[Photo: Alonzo Church]
π-calculus
• Communication & concurrency are primitive operations
• Milner, Parrow, Walker, 1989
• Numerous extensions, applications
▫ Distributed systems
▫ Programming languages
▫ Biomolecular systems
▫ Cryptographic protocols
[Photo: Robin Milner]
A multithreaded echo server in Java
http://www.javareference.com/jrexamples/viewexample.jsp?id=47
Multithreaded echo server in π-calculus
let Echo = in(echo, (client,msg));out(client,msg);0
Two threads: Echo | Echo
Three threads: Echo | Echo | Echo
Unbounded threads: !Echo
!in(echo, (client,msg));out(client,msg);0
Sending a fresh name
• Java:
▫ Read from random sources
▫ Write to a socket, etc.
• π-calculus:
▫ new n; out(channel,n)
The complete π-calculus language
• A process P, Q is
▫ 0
▫ in(c, x); P
▫ out(c, v); P
▫ P | Q
▫ new n; P
▫ if u = v then P else Q
▫ !P
Execution: Informal vs Formal
G. Plotkin, A Structural Approach to Operational Semantics (1981)
[Photo: Gordon Plotkin]
[Diagram: Java Program → Compiler → Byte code → JVM → Executions; π-calculus Program → Operational Semantics Rules → Transition Graph]
Sample execution steps
in(echo, (c,x));out(c,x);0 | out(echo, (ret,3));in(ret,y);out(prn,y);0
→ (reduction)
out(ret,3);0 | in(ret,y);out(prn,y);0
→ (reduction)
0 | out(prn,3);0
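An added example, not from the slides: a Python reducer for the π-calculus fragment used on the echo-server slides (0, in, out, |, !). It reproduces the two reduction steps above and also runs the unbounded `!Echo` server against several clients, where the replicated thread stays in the pool after each copy is consumed. Assumed conventions (mine): processes as nested tuples, an input pattern that is a name or a flat tuple of names, distinct variable names (no shadowing), and a replicated body that starts with in or out.

```python
# Added example, not from the slides: reducer for the pi-calculus fragment of the
# echo-server slides (0, in, out, |, !); tuples as processes, distinct variable names.

def bind(pattern, value, env):
    """Match an input pattern such as ('c', 'x') against a sent value."""
    if isinstance(pattern, str):
        env[pattern] = value
        return True
    return (isinstance(value, tuple) and len(pattern) == len(value)
            and all(bind(p, v, env) for p, v in zip(pattern, value)))

def val_subst(v, env):
    return env.get(v, v) if isinstance(v, str) else (
        tuple(val_subst(x, env) for x in v) if isinstance(v, tuple) else v)

def subst(proc, env):
    """Substitute received values for bound variables in a continuation."""
    kind, rest = proc[0], proc[1:]
    if kind in ('in', 'out'):
        ch, x, cont = rest                      # x: pattern (in) or value (out)
        x = x if kind == 'in' else val_subst(x, env)
        return (kind, val_subst(ch, env), x, subst(cont, env))
    return proc if kind == 'nil' else (kind,) + tuple(subst(p, env) for p in rest)

def threads(proc):
    if proc[0] == 'par':                        # flatten P | Q, drop the inert 0
        return threads(proc[1]) + threads(proc[2])
    return [] if proc[0] == 'nil' else [proc]

def step(ths):
    """One reduction: an out and an in on the same channel synchronise;
    a replicated thread !P supplies a copy of P and stays in the pool."""
    for i, s in enumerate(ths):
        o = s[1] if s[0] == 'repl' else s
        if o[0] != 'out':
            continue
        for j, r in enumerate(ths):
            inp, env = (r[1] if r[0] == 'repl' else r), {}
            if i == j or inp[0] != 'in' or inp[1] != o[1] or not bind(inp[2], o[2], env):
                continue
            rest = [t for k, t in enumerate(ths) if k not in (i, j)]
            rest += [t for t in (s, r) if t[0] == 'repl']
            return rest + threads(o[3]) + threads(subst(inp[3], env))
    return None                                 # no communication possible

def run(proc, max_steps=20):
    trace = [threads(proc)]                     # thread pool after each step
    while len(trace) <= max_steps and (nxt := step(trace[-1])) is not None:
        trace.append(nxt)
    return trace
```

Each element of the returned trace is one node of the transition graph from the previous slide; the run stops at a pool where no out has a matching in, such as the final `out(prn,3);0`.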
A naïve handshake protocol
Bruno Blanchet and Ben Smyth, ProVerif 1.86pl3: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial, Dec 2011
pk(skB) known (to A) in advance.
1. A → B: pk(skA)
2. B: generate key k
3. B → A: aenc(sign((pk(skB),k), skB), pk(skA))
4. A → B: senc(s,k)
Handshake protocol properties
• Secrecy
▫ Secret s is known only to A and B
• Authentication of A to B
▫ If B believes he has shared key k with A
▫ then B was indeed communicating with A
▫ and A has the shared key k.
• Authentication of B to A
Murphy’s law in cyber security!
If an attack can happen, it will
Man-in-the-middle attack
1. A → I: pk(skA)
2. I → B: pk(skI)
3. B → I: aenc(sign((pk(skB),k),skB),pk(skI))
4. I → A: aenc(sign((pk(skB),k),skB),pk(skA))
5. A → I: senc(s,k)   (A believes it is talking to B)
ProVerif: short bio
• Follows Dolev-Yao model
▫ CryptoVerif: Computational Model
• Input language: Applied π-calculus
• Reconstructs attacks
▫ Sound when trace is given
• Successfully verified complex protocols/systems
▫ TPM, TLS, JFK, Plutus, electronic voting
Bruno Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. CSFW-14, June 2001.
ProVerif: attack types
• Reachability properties
▫ Secrecy
• Correspondence assertions
▫ authentication
• Observational equivalence
▫ non-interference
Symmetric encryption
[ProVerif declaration of symmetric encryption, with call-outs: constructor name, argument types, result type, destructor name, typed variables]
Horn clause representation
• P(x) if Q1(x) and Q2(x) … and Qn(x)
• grandparent(x,z) if parent(x,y) and parent(y,z)
• attacker(m) if attacker(senc(m,k)) and attacker(k)
• Horn clause logic
▫ Basis for logic programming
▫ Resolution Proof: Unification & Search
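An added example, not from the slides: the attacker clause above, together with its siblings for pair, aenc and sign, run as forward chaining in Python over the naive handshake. The secrecy query is the reachability question of the Formal reasoning slide: it fails on the man-in-the-middle run and holds for a passive attacker watching an honest run, and the derivation record is the reconstructed attack trace. Term encoding is mine; that a signature does not hide its message (getmess) is an assumption of the symbolic model, not something the slides state.

```python
# Added example, not from the slides: Dolev-Yao attacker deduction as forward
# chaining over Horn clauses such as
#     attacker(m) if attacker(senc(m,k)) and attacker(k)
# run on the naive handshake. Terms are tuples; atoms (names, keys) are strings.

def pk(sk): return ('pk', sk)
def aenc(m, key): return ('aenc', m, key)
def sign(m, sk): return ('sign', m, sk)
def senc(m, k): return ('senc', m, k)
def pair(x, y): return ('pair', x, y)

def derive_once(known):
    """Apply each decomposition clause to the known facts; map new fact -> rule."""
    new = {}
    for t in known:
        if not isinstance(t, tuple):
            continue
        f, args = t[0], t[1:]
        if f == 'pair':                             # projections
            new[args[0]] = ('fst', t)
            new[args[1]] = ('snd', t)
        elif f == 'senc' and args[1] in known:      # sdec(senc(m,k),k) = m
            new[args[0]] = ('sdec', t, args[1])
        elif f == 'aenc' and args[1][0] == 'pk' and args[1][1] in known:
            new[args[0]] = ('adec', t, args[1][1])  # adec(aenc(m,pk(sk)),sk) = m
        elif f == 'sign':                           # getmess(sign(m,sk)) = m:
            new[args[0]] = ('getmess', t)           # signing does not hide m (assumed)
    return {fact: rule for fact, rule in new.items() if fact not in known}

def attacker_closure(observed):
    """Saturate the attacker's knowledge; returns (facts, derivation record)."""
    known, how = set(observed), {}
    while new := derive_once(known):
        known.update(new)
        how.update(new)
    return known, how

PK_A, PK_B, PK_I = pk('skA'), pk('skB'), pk('skI')
SIGNED = sign(pair(PK_B, 'k'), 'skB')               # B's (pk(skB), k) signed

# Passive attacker watching an honest run: A really talks to B (constructed).
HONEST = {'skI', PK_I, PK_A, PK_B, aenc(SIGNED, PK_A), senc('s', 'k')}
# Man-in-the-middle run from the slides: B answers I's pk(skI), I forwards the
# signed message re-encrypted for A, and A then sends senc(s,k) (constructed).
MITM = {'skI', PK_I, PK_A, PK_B, aenc(SIGNED, PK_I), aenc(SIGNED, PK_A), senc('s', 'k')}

def secret_leaked(observed):
    """The secrecy query: is s reachable from the attacker's knowledge?"""
    return 's' in attacker_closure(observed)[0]
```

Reading `how` backwards from `'s'` gives the chain adec → getmess → snd → sdec, which is the trace a verifier reports when it reconstructs the attack.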
Model components
• Constructors & Destructors for:
▫ Symmetric encryption
▫ Asymmetric encryption
▫ Digital signature
• Process definitions for:
▫ clientA
▫ serverB
Conclusion
• Formal Methods
▫ Rigorous Methods = Theory + Practice
• Cryptographic Protocols
▫ Fruit-flies of formal methods research
• Formal Modeling
▫ The Dolev-Yao model
• Modeling Language
▫ Applied Pi-calculus
• A Cryptographic handshake Protocol
▫ Man-in-the-middle vulnerability
• The ProVerif Tool
▫ Uses Horn-clause logic, sound if trace is given
Thank You. Questions?