Security Analysis of Network Protocols
John MitchellStanford University
Computer Security Research
Malicious Code
MDS/MLS
SituationalUnderstanding
OODA
Semantic Assuranc
e
FormalizedDesign
IntrusionDetection
IASensors
SurvivableNetwork
Infrastructures
PhysicalSecurity
AutonomicResponse
PolicyCourseof ActionProjection
AutoForensics
Cyber Control Panel
DynamicCoalitions
Law Enforcement Policy
ProtectiveMechanisms
Crypto
ComposableTrust
Open SourceStrategies
Cyber SensorExploitation
IntrusionTolerance
CyberStrategy
Lifecycle Attacks
Insider
?
?
Security of Mobile Agents
Privacy
Web Services
Security Protocols
Challenge-response• ISO 9798-1,2,3; Needham-Schroeder, …
Authentication• Kerberos
Key Exchange• SSL handshake, IKE, JFK, IKEv2,
Wireless and mobile computing• Mobile IP, WEP, 802.11i
Electronic commerce• Contract signing, SET, electronic cash, …
Needham-Schroeder Protocol
{ A, NonceA }
{ NonceA, NonceB }
{ NonceB}
Ka
Kb
Result: A and B share two private numbers
not known to any observer without Ka-1, Kb-1
A B
Kb
Anomaly in Needham-Schroeder
A E
B
{ A, Na }
{ A, Na }{ Na, Nb }
{ Na, Nb }
{ Nb }
Ke
KbKa
Ka
Ke
Evil agent E trickshonest A into revealingprivate key Nb from B.
Evil E can then fool B.
[Lowe]
Needham-Schroeder Lowe
{ A, NonceA }
{ NonceA, B, NonceB }
{ NonceB}
Ka
Kb
A BKb
Authentication?Secrecy?Replay attackForward secrecy?Denial of service?Identity protection?
IKE subprotocol from IPSEC
A, (ga mod p)
B, (gb mod p)
Result: A and B share secret gab mod p
A B
m1
m2 ,
signB(m1,m2)
signA(m1,m2)
Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks
Ticket 2
Ticket 2
Ticket 1
Ticket 1
Kerberos Protocol
Client
KDC
Service
TGS
{Kt}Kc
C TGS
{Ks}Kt
{C}Kt S
{C}Ks
Ktgs
Kc
Kv
{C, Ks}Kv
{C, Kt}Ktgs
{C, Ks}Kv
{C, Kt}Ktgs
Protocol layer over TCP/IP
Network interface
Transport (TCP)
Physical layer
Internet (IP)
Applicationtelnet
http ftp
nntp
SSL
Common use: https = http over SSL
Handshake Protocol
ClientHello CS C, VerC, SuiteC, NC
ServerHello S C VerS, Suite, SuiteSS, N, NSS,, signCA{ S, KS, KSS }
ClientVerify C S signCA{ C, VC }
{ VerC, SecretC }
signC { Hash( Master(NC, NNSS, SecretC) + Pad2 + Hash(Msgs + C + Master(NC, NNSS, SecretC) + Pad1)) }
(Change to negotiated cipher)
ServerFinished S C { Hash( Master(NC, NNSS, SecretC) + Pad2 + Hash( Msgs + S + Master(NC, NNSS, SecretC) + Pad1)) }
ClientFinished C S { Hash( Master(NC, NNSS, SecretC) + Pad2 + Hash( Msgs + C + Master(NC, NNSS, SecretC) + Pad1)) }
KSS
Master(NC, NSS, SecretC)
Master(NC, NSS, SecretC)
Mobile IPv6 Architecture
IPv6
Mobile Node (MN)
Corresponding Node (CN)
Home Agent (HA)
Direct connection via binding update
Authentication is a requirement
Early proposals weak
Wireless Authentication:Robust Security Network Association
Pre-RSNA Poor Security • 802.11 Authentication• Wired Equivalent Protocol• CRC MIC (Message Integrity Code)
RSNA Better Security• 802.1x Authentication• Key Management• Improved MIC scheme, data encryption
RSNA Sub-protocols
Ethernet
Access Point
Radius ServerLaptop computer
Wireless
4-way Key management
802.11 Association
802.11x Authentication
(1 )MAC Disabled, Port Blocked
(2 )MAC Enabled, Port Blocked
(3 )MAC Enabled, Port Blocked, PMK generated in STA and AS
AS move PMK to AP
Secure Communication
(4 )MAC Enabled, Port Allowed, PTK := KCK|KEK|TK
Optimistic contract signing
Trusted third party can force contract• Third party can declare contract binding if presented with first two messages.
A B
I am going to sign the contract
I am going to sign the contract
Here is my signature
Here is my signature
BA
m1= sign(A, c, hash(r_A) )
sign(B, m1, hash(r_B) )r_A
r_B
Agree
A BNetwork
T
Abort
???
Resolve Attack?
BA Net
T sigT (m1, m2)
m1
???
m2 A
T
Asokan-Shoup-Waidner protocol
If not alreadyresolved
a1
sigT (a1,abort)
BA
PCSA(text,B,T)
PCSB(text,A,T)
sigA(text)
sigB(text)
Agree
A BNetwork
T
m1 = PCSA(text,B,T)
Abort
???
Resolve Attack
BA Net
T PCSA(text,B,T)
sigB(text)
PCSA(text,B,T)
???
PCSB(text,A,T) B
T
sigT(abort)
abort AND sigB(text) abort
Leaked by T
Garay, Jakobsson, MacKenzie
STS Family Derivation
m=gx, n=gy
k=gxy
STS0H
STSa STSaH
STSHSTS
STS0
STSPH
JFK1
distributecertificates
cookie
openresponder
JFK0
symmetrichash
JFKi
protect identities
JFKr
STSP
Properties: Certificates from CA Shared secret: gab
Identity protection DoS protection Reverse ID protection
Protocol Analysis
Computational approaches (insightful, no tools…)
• Proof methods of Bellare-Rogaway, Mauer• Canetti, Backes-Pfitzmann-Waidner
BAN and related axiomatic approaches Methods grounded in symbolic execution
• Assume perfect cryptography• Protocol determines set of traces
– Arbitrary number of principals plus intruder
• Enumerate, search, or reason about this set
Run of protocol
A
BInitiate
Respond
C
D
Correct if no security violation in any run
Attacker
Explicit Intruder Method
Intruder Model
AnalysisTool
Formal Protocol
Informal Protocol
Description
Find error?Assurance?
Automated Finite-State Analysis
Define finite-state system• Bound on number of steps• Finite number of participants• Nondeterministic adversary with finite options
Pose correctness condition• Can be simple: authentication and secrecy• Can be complex: contract signing
Exhaustive search using “verification” tool• Error in finite approximation Error in protocol• No error in finite approximation ???
State Reduction on N-S Protocol
1706
17277
514550
980
6981
155709
58222
3263
1
10
100
1000
10000
100000
1000000
1 init
1 resp
2 init
1 resp
2 init
2 resp
Base: handoptimizationof model
CSFW:eliminatenet, maxknowledgeMergeintrud send,princ reply
Model Checking Studies
Standard academic benchmarks• Needham-Schroeder, TMN, Kerberos-
Realistic network protocols• SSL 3.0, with resumption protocol
Contract signing protocols• Asokan-Shoup-Waidner, Garay-Jakobsson-MacKenzie
Wireless networking• Authenticated Mobile IPv6 • 802.11i
CS259 Term Projects
iKP protocol family Electronic voting XML Security
IEEE 802.11i wireless handshake protocol
Onion Routing Electronic Voting
Secure Ad-Hoc Distance Vector Routing
An Anonymous Fair Exchange E-commerce Protocol
Key Infrastructure
Secure Internet Live Conferencing
Windows file-sharing protocols
Analysis Methods
Modelin
g d
eta
il
Numbe
r of
sess
ions
Complexity of protocol
Protocol analysis spectrum
Low High
Hig
hL
ow
Mo
de
ling
de
tail
Protocol complexity
Mur
FDR
NRLAthena
Hand proofs
Paulson
Strand spaces
BAN logic
Spi-calculus
Poly-time calculus
Model checking
Multiset rewriting with
Protocol logic
Protocol derivation
Protocol derivation• Build security protocols by combining
parts from standard sub-protocols. Proof of correctness
• Prove protocols correct using logic that follows steps of derivation.
Example
Construct protocol with properties:• Shared secret • Authenticated• Identity Protection• DoS Protection
Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)
Component 1
Diffie-Hellman A B: ga
B A: gb
• Shared secret (with someone)– A deduces:
Knows(Y, gab) (Y = A) ۷ Knows(Y,b)
• Authenticated• Identity Protection• DoS Protection
Component 2
Challenge Response: A B: m, A B A: n, sigB {m, n, A}
A B: sigA {m, n, B}
• Shared secret (with someone)• Authenticated
– A deduces: Received (B, msg1) Λ Sent (B, msg2)
• Identity Protection• DoS Protection
Composition
ISO 9798-3 protocol: A B: ga, A B A: gb, sigB {ga, gb, A}
A B: sigA {ga, gb, B}
• Shared secret: gab
• Authenticated• Identity Protection• DoS Protection
m := ga
n := gb
Refinement
Encrypt signatures: A B: ga, A B A: gb, EK {sigB {ga, gb, A}}
A B: EK {sigA {ga, gb, B}}
• Shared secret: gab
• Authenticated• Identity Protection• DoS Protection
Transformation
Use cookie: JFK core protocolA B: ga, A
B A: gb, hashKB {gb, ga}
A B: ga, gb, hashKB {gb, ga}
EK {sigA {ga, gb, B}}
B A: gb, EK {sigB {ga, gb, A}}
• Shared secret: gab
• Authenticated• Identity Protection• DoS Protection
STS Family Derivation
m=gx, n=gy
k=gxy
STS0H
STSa STSaH
STSHSTS
STS0
STSPH
JFK1
distributecertificates
cookie
openresponder
JFK0
symmetrichash
JFKi
protect identities
JFKr
STSP
Properties: Certificates from CA Shared secret: gab
Identity protection DoS protection Reverse ID protection
Protocol logic (Implicit intruder method)
Alice’s information• Protocol• Private data• Sends and receives
Honest Principals,Attacker
Send
Receive
Protocol
Private Data
Intuition
Reason about local information• I chose a new number• I sent it out encrypted• I received it decrypted • Therefore: someone decrypted it
Incorporate knowledge about protocol• Protocol: Server only sends m if it got m’• If server not corrupt and I receive m
signed by server, then server received m’
Execution Model
Protocol• “Program” for each protocol role
Initial configuration• Set of principals and key• Assignment of 1 role to each principal
Run
new x
send {x}B
receive {x}B
A
B
C
Position in run
receive {z}B
new z
send {z}B
Formulas true at a position in run
Action formulasa ::= Send(P,m) | Receive (P,m) | New(P,t)
| Decrypt (P,t) | Verify (P,t)
Formulas ::= a | Has(P,t) | Fresh(P,t) | Honest(N)
| Contains(t1, t2) | | 1 2 | x | |
ExampleAfter(a,b) = (b a)
Modal Formulas
After actions, postcondition [ actions ] P where P = princ, role id
Before/after assertions [ actions ] P
Composition rule
[ S ] P [ T ] P
[ ST ] P
Note: same P in all formulas
Proof System
Sample Axioms:• Reasoning about knowledge:
– Has(A, encX{m}) Has(A, K) Has(A, m)– Has(A, {m,n}) Has(A, m) Has(A, n)
• Reasoning about crypto primitives:– Honest(X) Decrypt(Y, encX{m}) X=Y– Honest(X) Verify(Y, sigX{m}) m’ (Send(X, m’) Contains(m’, sigX{m})
Inference Rule• Persistence rules, …• Honesty/Invariance rule
Soundness Theorem: • Every provable formula is valid
Bidding conventions (motivation)
Blackwood response to 4NT –5 : 0 or 4 aces –5 : 1 ace –5 : 2 aces –5 : 3 aces
Reasoning • If my partner is following Blackwood,
then if she bid 5, she must have 2 aces
Correctness of NSL
Bob knows he’s talking to Alice[ recv encrypt( Key(B), A,m ); new n; send encrypt( Key(A), m, B, n ); recv encrypt( Key(B), n ) ] B
Honest(A) Csent(A, msg1) Csent(A, msg3)
where Csent(A, …) Created(A, …) Sent(A, …)
msg1
msg3
Composition Rules
Prove assertions from invariants |- […]P
Invariant weakening rule |- […]P ’ |- […]P
Prove invariants from protocol Q Q’ Q Q’
If combining protocols, extend assertions to combined
invariants
Use honesty (invariant) rule to show that both protocols
preserve assumed invariants
Combining protocols
DH Honest(X) … CR Honest(X) …
’
|- Secrecy ’ |- Authentication
’ |- Secrecy ’ |- Authentication
’ |- Secrecy AuthenticationDH CR ’
ISO Secrecy Authentication
=
Protocol Templates
Protocols with function variables instead of specific operations• One template can be instantiated to
many protocols Advantages:
• proof reuse• design principles/patterns
Example
A B: mB A: n, F(B,A,n,m)A B: G(A,B,n,m)
A B: mB A: n,EKAB(n,m,B)
A B: EKAB(n,m)
A B: mB A: n,HKAB(n,m,B)
A B: HKAB(n,m,A)
A B: mB A: n, sigB(n,m,A)
A B: sigA(n,m,B)
Challenge-Response Template
ISO-9798-2
ISO-9798-3
SKID3
Abstraction
Instantiation
Proof Structure
Template
axiom
hypothesis
Instance
Discharge hypothesis
Sample projects using this method
Key exchange• STS family, JFK, IKEv2• Diffie-Hellman -> MQV• GDOI [Meadows, Pavlovic]
Work in progress• SSL verification• Wireless 802.11i
Symbolic vs Computational model
Suppose |- [actions]X • If a protocol P satisfies invariants , then
if X does actions, will be true Symbolic soundness
• No idealized adversary acting against “perfect” cryptography can make fail
Computational soundness• No probabilistic polytime adversary can
make fail with nonnegligible probability
Conclusions
Security Protocols• Subtle, critical, prone to error
Analysis methods• Model checking
– Practically useful; brute force is a good thing– Limitation: find errors in small configurations
• Protocol derivation– Systematic development of certain classes of
protocols• Proof methods
– Time-consuming to use general logics– Special-purpose logics can be sound, useful
• Cryptographic foundations– Scientific challenge; currently hot area
Collaborators on work described
Former and current students• Vitaly Shmatikov, Ulrich Stern• Nancy Durgin, Anupam Datta, Ante Derek• Ajith Ramanathan, Changhua He, …
Outside Stanford• Andre Scedrov (U Penn)• Patrick Lincoln (SRI)• Dusko Pavlovic (Kestrel)