Formal Verification - ECE Student Information - University of Limerick
Formal Verification - ECE Student Information - University of Limerick
Formal Verification - ECE Student Information - University of Limerick
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Formal</strong> <strong>Verification</strong> – An Imperative<br />
Step in the Design <strong>of</strong> Security<br />
Protocols<br />
Tom C<strong>of</strong>fey<br />
Data Communication Security Laboratory<br />
Department <strong>of</strong> Electronic and Computer Engineering<br />
<strong>University</strong> <strong>of</strong> <strong>Limerick</strong><br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 1
Overview<br />
♦ Cryptographic Protocols & <strong>Verification</strong><br />
♦ Logic Based <strong>Verification</strong><br />
♦ Case Study 1: The BCY Protocol & <strong>Verification</strong>,<br />
Including a New Attack on BCY<br />
♦ Case Study 2: Analysis the Needham-Shroeder<br />
protocol using C<strong>of</strong>fey-Saidha Logic<br />
♦ Conclusion<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 2
Cryptographic Security Protocols<br />
♦ Mobile and fixed networks are trusted with<br />
highly sensitive information.<br />
♦ Security protocols are required to ensure the<br />
security <strong>of</strong> both the network infrastructure itself<br />
and the information that runs through it.<br />
♦ These security protocols can be thought <strong>of</strong> as the<br />
keystones <strong>of</strong> a secure architecture.<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 3
Cryptographic Protocols<br />
Basic cryptographic protocols allow agents to:<br />
• authenticate each other<br />
• ensure the authenticity <strong>of</strong> data and services<br />
• generate and distribute cryptographic keys, including<br />
fresh session keys, for confidential communication<br />
Building on such basic cryptographic protocols, more<br />
advanced services are achieved such as:<br />
• non-repudiation<br />
• fairness<br />
• electronic payment<br />
• electronic contract signing<br />
• anonymous channels and blind signatures<br />
•etc<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 4
Cryptographic Protocols<br />
♦ Protocols are complex<br />
♦ Failure <strong>of</strong>ten result <strong>of</strong> subtle defect(s), e.g.<br />
Needham-Schröder, BCY<br />
♦ Hard to get it “right”<br />
♦ Need systematic way <strong>of</strong> finding defects =><br />
formal methods<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 5
How It Usually Is …<br />
Protocol Design<br />
Publication<br />
More Publication<br />
<strong>Verification</strong><br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 6
How It Should Be …<br />
Protocol Design<br />
<strong>Verification</strong><br />
Publication<br />
Re-Design Protocol<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 7
<strong>Formal</strong> <strong>Verification</strong> Techniques<br />
♦ State-Space Searching<br />
• Generally comprising exhaustive testing or scenario<br />
analysis, involve examining the protocol in search <strong>of</strong><br />
security breaches<br />
♦ Algebraic Term Rewriting and Theorem Proving<br />
♦ <strong>Verification</strong> Logics·<br />
• Involve a process <strong>of</strong> deductive reasoning, whereby the<br />
desired protocol goals are deduced by applying a set <strong>of</strong><br />
axioms and inference rules to the assumptions and<br />
message exchanges <strong>of</strong> the protocol.<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 8
Logic Based <strong>Verification</strong><br />
♦ Based on modal logics <strong>of</strong> belief/knowledge.<br />
♦ Involve process <strong>of</strong> deductive reasoning.<br />
♦ E.g. BAN, GNY, C<strong>of</strong>fey-Saidha, AUTLOG.<br />
♦ Produce short concise pro<strong>of</strong>s.<br />
♦ Identified a number <strong>of</strong> faulty protocols.<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 9
Logic-Based Protocol <strong>Verification</strong><br />
• Computationally Feasible:<br />
• Good at detecting both passive and active attacks on<br />
protocols<br />
• Reasonably easy to apply<br />
• Good at forcing protocol designers to explicitly state the<br />
goals and assumptions <strong>of</strong> their protocols.<br />
• If not done then protocol specifications can be<br />
misinterpreted leading to an incorrect analysis.<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 10
Logic-Based Protocol <strong>Verification</strong><br />
Accomplished by deductive reasoning based on ‘the application <strong>of</strong> valid rules<br />
<strong>of</strong> inference to sets <strong>of</strong> valid axioms (application <strong>of</strong> logical postulates)’<br />
• <strong>Formal</strong>ly express protocol steps in the language <strong>of</strong> the logic<br />
• <strong>Formal</strong>ly express the desired protocol goals in the language <strong>of</strong> the<br />
logic<br />
• <strong>Formal</strong>ly express protocol assumptions in the language <strong>of</strong> the logic.<br />
• Starting with the initial protocol assumptions, build up logical<br />
statements after each protocol step using the logical axioms and<br />
inference rules<br />
• Compare these logical statements with the desired protocol goals, to<br />
see if the goals are achieved<br />
If goals can be deduced then protocol is valid, if not then protocol is invalid<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 11
Logic Based Protocol <strong>Verification</strong><br />
Informal Protocol<br />
Specification<br />
Logic-Based <strong>Verification</strong> Process<br />
Protocol<br />
Sprecification in<br />
Language <strong>of</strong> Logic<br />
Specification <strong>of</strong><br />
Initial<br />
Assumptions<br />
Specification <strong>of</strong><br />
Protocol Goals<br />
Application <strong>of</strong><br />
Logical Postulates<br />
1. Protocol <strong>Formal</strong>isation<br />
♦<br />
♦<br />
♦<br />
<strong>Verification</strong><br />
Result<br />
<strong>Formal</strong>isation <strong>of</strong> Protocol Steps.<br />
Specification <strong>of</strong> Initial Assumptions.<br />
Specification <strong>of</strong> Protocol Goals.<br />
2. Application <strong>of</strong> Axioms and Inference Rules<br />
♦<br />
Using a process <strong>of</strong> deductive reasoning establish if goals <strong>of</strong><br />
protocols are proven<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 12
Results <strong>of</strong> <strong>Verification</strong><br />
♦ Deriviation Exists:<br />
• Protocol secure within limitations <strong>of</strong> used logic<br />
♦ No Deriviation Exists:<br />
• Protocol fails to achieve goals<br />
• Pro<strong>of</strong> hints at missing assumptions and/or faults in<br />
protocol design<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 13
Case Study1:<br />
Review <strong>of</strong> Beller Chang and Yacobi<br />
Protocol by C<strong>of</strong>fey,Dojen and Flanagan<br />
Reference:<br />
T.C<strong>of</strong>fey, R. Dojen, T. Flanagan, “ <strong>Formal</strong><br />
<strong>Verification</strong>-an imperative step in the design <strong>of</strong><br />
security protocols”, in: Computer Networks, Vol.43,<br />
No.5, pp 601-618, Elsevier Science. (2003)<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 14
Case Study 1:The BCY Protocol Review by CDF [CDF 03]<br />
The BCY Protocol<br />
Some History<br />
♦ Designed in 1993 by Beller, Chang, Yacobi<br />
[BCY93]<br />
♦ Review #1 in 1994 by Carlsen [Carlsen94]; flaws<br />
found, proposed corrections<br />
♦ Review #2 in 1996 by Mu, Varadharajan [MuVa96]<br />
; flaws found, proposed corrections<br />
♦ Review #3 in 2002 by Horn, Martin, Mitchell<br />
[HMM02]; commented on flaws<br />
♦ Review #4 in 2003 by C<strong>of</strong>fey, Dojen, Flanagan<br />
[CDF03]; Existing and new flaws found, proposed<br />
& verified corrections<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 15
CDF03 Research Paper<br />
♦ Protocols reviewed:<br />
• BCY<br />
• Carlsen-BCY<br />
• Mu-Varadharajan BCY<br />
• CDF-BCY<br />
♦ Logic Used<br />
• GNY [GNY 90]<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 16
Case Study 1:The BCY Protocol Review by CDF [CDF 03]<br />
The BCY Protocol<br />
♦ Designed to provide authentication in lowpower<br />
portable devices.<br />
♦ Combines Diffie-Hellman key exchange with<br />
Modular Square Root encryption (MSR).<br />
♦ Service provider has two public keys: Kvd+<br />
and Kvm+.<br />
♦ Certificates (denoted by {X 1 …X n }Ks-)<br />
contain components and hash, all signed.<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 17
Case Study 1:The BCY Protocol Review by CDF [CDF 03]<br />
Protocol Notation<br />
U<br />
User<br />
Kx+<br />
Public Key <strong>of</strong> X<br />
V<br />
Service Provider<br />
Kx-<br />
Private Key <strong>of</strong> X<br />
S<br />
Certification Authority<br />
KK<br />
Key Encryption Key<br />
A<br />
Attacker<br />
SK<br />
Session Key<br />
r X<br />
Nonce generated by X<br />
{X}K<br />
X encrypted under K<br />
TS<br />
Expiration Time<br />
Kvd+,<br />
Kvm+.<br />
public keys <strong>of</strong> service<br />
provider<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 18
Case Study 1:The BCY Protocol Review by CDF [CDF 03]<br />
The BCY Protocol<br />
BCY1:V → U: {V, Kvd+,Kvm+}Ks-<br />
U computes: Y = {r U<br />
}Kvm+, KK={Kvd+}Ku-,<br />
SK = {r U<br />
}KK<br />
BCY2: U → V: Y, {{U,Ku+}Ks-}r U<br />
V computes: r U<br />
={Y}Kvm-, KK={Ku+}Kvd-,<br />
SK = {r U<br />
}KK<br />
BCY3:V → U: {dataV}SK<br />
BCY4: U → V: {dataU}SK<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 19
Case Study 1:The BCY Protocol Review by CDF [CDF 03]<br />
Weaknesses Identified by CDF<br />
in Original BCY Protocol<br />
1. U cannot derive that V’s public keys are valid.<br />
2. U cannot derive that the session key is a suitable shared<br />
secret with V.<br />
3. V cannot derive that U’s public key is valid.<br />
4. V cannot derive that the session key is fresh.<br />
5. V cannot derive that the session key is a suitable shared<br />
secret with U.<br />
6. U cannot derive that V conveyed dataV.<br />
7. V cannot derive that U conveyed dataU.<br />
8. V cannot derive that BCY4’ is fresh.<br />
In summary the BCY protocol provides neither authentication or<br />
key agreement<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 20
Case Study 1:The BCY Protocol Review by CDF [CDF 03]<br />
Weaknesses Identified by CDF<br />
in Carlsen’s BCY and Mu-Varadharajan’s BCY<br />
Protocols<br />
♦ Carlsen’s BCY protocol fails to provide<br />
authentication or key agreement<br />
♦ Mu-Varadharajan’s BCY protocol fails to<br />
provide authentication<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 21
Case Study 1:The BCY Protocol Review by CDF [CDF 03]<br />
CDFAttack on BCY<br />
CDF demonstrated execution <strong>of</strong> new attack on BCY<br />
protocols, allowing an adversary to impersonate a legitimate<br />
principal<br />
Pre:<br />
A knows r Uo , SK O ={r Uo }KK<br />
BCY1:V → A: {V, Kvd+,Kvm+}Ks-<br />
A computes Y = {r Uo<br />
}Kvm+<br />
BCY2: A → V: Y, {{U,Ku+}Ks-}r Uo<br />
V computes r U<br />
= r Uo ={Y}Kvm-,<br />
KK={Ku+}Kvd-, SK O = {r Uo<br />
}KK<br />
BCY3:V → A: {dataV}SK<br />
BCY4: A → V: {dataU}SK<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 22
Case Study 1:The BCY Protocol Review by CDF [CDF 03]<br />
Results <strong>of</strong> C<strong>of</strong>fey-Dojen-Flanagan Review<br />
♦ <strong>Verification</strong> <strong>of</strong> BCY protocol exposed 8 failed protocol<br />
goals. The Protocol provides neither authentication or key<br />
agreement<br />
♦ Carlsen’s BCY protocol fails to provide authentication<br />
or key agreement<br />
♦ Mu-Varadharajan’s BCY protocol fails to provide<br />
authentication<br />
♦ Demonstrated execution <strong>of</strong> new attack on BCY<br />
protocols, allowing an adversary to impersonate a<br />
legitimate principal<br />
♦ Proposed & verified corrections (CDF-BCY)<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 23
Case Study2:<br />
Analysing the Security <strong>of</strong> Needham-<br />
Shroeder Protocol using C<strong>of</strong>fey-Saidha<br />
Logic<br />
Reference:<br />
[CS97] T.C<strong>of</strong>fey, P. Saidha, “Logic for verifying<br />
security protocols”, in: IEE Proc - Computers and<br />
Digital Techniques 144 (1) pp28–32. (1997)<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 24
Case Study 2: Analysis <strong>of</strong> NS Protocol using CS Logic<br />
C<strong>of</strong>fey-Saidha logic<br />
[CS1997] T.C<strong>of</strong>fey, P. Saidha, “Logic for verifying security protocols”, in: IEE Proc -<br />
Computers and Digital Techniques 144 (1) pp28–32. (1997)<br />
•A formal technique<br />
- can be used to verify public-key cryptographic protocols.<br />
• A modal logics <strong>of</strong> knowledge and belief<br />
- can analyse the evolution <strong>of</strong> both knowledge and belief during a protocol<br />
execution.<br />
- useful in addressing issues <strong>of</strong> both security and trust<br />
• Logic is capable <strong>of</strong> modelling a wide-range <strong>of</strong> public-key<br />
cryptographic protocols.<br />
- fair-exchange, non-repudiation, key establishment, authentication and<br />
zero-knowledge, etc.<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 25
Case Study 2: Analysis <strong>of</strong> NS Protocol using CS Logic<br />
C<strong>of</strong>fey-Saidha logic theory<br />
• A <strong>Formal</strong> Language<br />
Allows protocol facts to be expressed in a form which<br />
can be manipulated by the logic.<br />
• A Set <strong>of</strong> Inference Rules<br />
Allow new facts to be deduced from already known<br />
facts.<br />
• A Set <strong>of</strong> Axioms<br />
<strong>Formal</strong> expression <strong>of</strong> facts applying to the logic.<br />
• <strong>Formal</strong> Semantics<br />
Specify whether logical statements will be true or false<br />
in practice.<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 26
Case Study 2: Analysis <strong>of</strong> NS Protocol using CS Logic<br />
Language operators:<br />
The C<strong>of</strong>fey-Saidha Logic<br />
Language Syntax Summary<br />
K Σ,t Φ: knowledge (propositional) L Σ,t x: knowledge (predicate)<br />
B Σ,t Φ: belief<br />
S(Σ,t,x): emission R(Σ,t,x): reception<br />
C(x, y): ‘contains’<br />
e(x, k Σ ): encryption function d(x,k Σ -1): decryption function<br />
a,b,c,,,: variables Φ: an arbitary statement<br />
Σ and Ψ: arbitary entities i and j: range over entities<br />
ENT: the set <strong>of</strong> all entities t, t', t''... Time<br />
k Σ : public key <strong>of</strong> entity Σ k Σ -1: private key <strong>of</strong> entity Σ<br />
Classical logical connectives include:<br />
∧: conjunction. ∈: membership <strong>of</strong> set.<br />
∨ : disjunction.<br />
/ : set exclusion.<br />
∀ : universal quantification. ∃ : existential quantification.<br />
¬ : complementation. : theorem.<br />
→: implication.<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 27
The CS Logic<br />
Inference Rules<br />
Rules to allow new facts to be deduced from already known facts:<br />
R1: From ├ p and ├ (p → q) infer ├ q<br />
R2: (a) From ├ p infer ├ K Σ,t p<br />
(b) From ├ p infer ├ B Σ,t p<br />
R3: From (p ∧ q) infer p<br />
R4: From p and q infer (p ∧ q)<br />
R5: From p infer (p ∨ q)<br />
R6: From ¬(¬p) infer p<br />
R7: From (from p infer q) infer (p → q)<br />
R1 states that if schema p can be deduced and (p → q) can be deduced, then q can<br />
also be deduced. R2 consists <strong>of</strong> the Generalisation rules which state that if p is a<br />
theorem, then knowledge and belief in p are also theorems<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 28
The CS Logic<br />
Axioms underlying assumptions<br />
• Communication environment is hostile<br />
• Public key system is ideal<br />
- d(e(x,k Σ ), k Σ<br />
-1)<br />
= x and e(d(x,k Σ<br />
-1<br />
),k Σ ) = x.<br />
• Public keys valid, if<br />
- Validity period is not exceeded<br />
- private keys know only to rightful owner<br />
• Crypto-system is collision free<br />
- it is not possible to create same ciphertext from two different<br />
pieces <strong>of</strong> plaintext<br />
• Entity which encrypts/decrypts data knows the data<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 29
CS Logic<br />
Axioms<br />
A1: (a) ∃t∃p∃q(K Σ,t<br />
p ∧ K Σ,t<br />
(p → q) → K Σ,t<br />
q)<br />
(b) ∃t∃p∃q(B Σ,t<br />
p ∧ B Σ,t<br />
(p → q) → B Σ,t<br />
q)<br />
A2: ∃t∃p(K Σ,t<br />
p → p)<br />
A3: (a) ∃t∃x∃i,i∈{ENT}(L i,t<br />
x →∀t',t'≥t L i,t'<br />
x)<br />
(b) ∃t∃x∃i,i∈{ENT}(K i,t<br />
x →∀t',t'≥t K i,t'<br />
x)<br />
(c) ∃t∃x∃i,i∈{ENT}(B i,t<br />
x →∀t',t'≥t B i,t'<br />
x)<br />
A4: ∃t∃x∃y(∃i,i∈{ENT}L i,t y ∧ C(y,x) →∃j,j∈{ENT}L j,t<br />
x)<br />
A5: ∃t∃x( S(Σ,t,x) → L Σ,t<br />
x ∧∃i,i∈{ENT/Σ}∃t',t'>t R(i,t',x) )<br />
A6: ∃t∃x( R(Σ,t,x) → L Σ,t<br />
x ∧∃i,i∈{ENT/Σ}∃t',t'
CS Logic Axioms<br />
Example<br />
A5: ∃t∃x( S(Σ,t,x) → L Σ,t<br />
x ∧∃i,i∈{ENT/Σ}∃t',t'>t R(i,t',x) )<br />
The emission axiom (A5) states that: if Σ sends a message x at time t,<br />
then Σ knows x at time t and some entity i other than will receive x<br />
at time t' subsequent to t.<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 31
CS Logic<br />
Axioms<br />
Example<br />
The A8 axioms refer to the impossibility <strong>of</strong> encrypting or decrypting a<br />
message without knowledge <strong>of</strong> the correct key.<br />
A8: (a) ∃t∃x∃i,i∈{ENT}( ¬L i,t k Σ<br />
∧∀t',t'
Needham-Schroeder public key Protocol<br />
Needham, Schroeder “Using encryption for authentication in large<br />
networks <strong>of</strong> computers”, Communications <strong>of</strong> the ACM 21 (12) pp 993–999.<br />
1978.<br />
•Well known authentication protocol<br />
•Easily understood protocol<br />
•Known flaw in protocol<br />
Flaw revealed in [BAN89] M. Burrows, M. Abadi, R. Needham,<br />
“A logic <strong>of</strong> authentication”, in: ACM Operating System Review<br />
23 (5) pp1–13 (1989)<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 33
Case Study 2: Analysis <strong>of</strong> NS Protocol using CS Logic<br />
Needham-Schroeder public key Protocol<br />
(1) A,B<br />
AS<br />
(4) B, A<br />
(2) {B, k B }k<br />
-1<br />
AS (5) {A, k A }k<br />
-1<br />
AS<br />
(3) {A, n A }k B<br />
A<br />
(6) {n A, n B }k A<br />
(7) {n B }k B<br />
B<br />
Notation:<br />
A, B: principals<br />
AS:<br />
trusted authentication server<br />
k AS , k<br />
-1<br />
AS : public and private keys <strong>of</strong> AS<br />
n A and n B : secret nonces generated by A and B<br />
{A, n A }k B : encryption <strong>of</strong> {A, nA} using k B<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 34
Needham-Schroeder public key Protocol<br />
(4) B,A<br />
(1) A,B<br />
AS<br />
(3) e({nA,A},k<br />
B )<br />
(2) d({k B ,B},k AS<br />
-1 )<br />
(5) d({k<br />
A ,A},k<br />
-1<br />
AS )<br />
A<br />
(6) e({nA,nB},k A )<br />
(7) e({nB},k B )<br />
B<br />
In the Needham-Schroeder authentication scheme, two principals, A and B, obtain each<br />
other's public keys from a trusted authentication server AS, and exchange two secret<br />
nonces, nA and nB, for the purpose <strong>of</strong> mutual authentication.<br />
It is assumed that both A and B know the public key k AS<br />
<strong>of</strong> the AS, and that they trust<br />
the AS to distribute good public keys. That is, if a principal knows that a message has<br />
just been sent to it by AS, then it will trust the public key contained in that message.<br />
The objectives <strong>of</strong> messages 1, 2, 4 and 5 are to provide A and B with each other's<br />
public keys. Messages 3, 6 and 7 exchange the secret nonce information between A and<br />
B. Message 6 should satisfy A that its origin was B and similarly, message 7 should<br />
satisfy B that its origin was A.<br />
In the analysis which follows, tn refers to the time at the end <strong>of</strong> protocol step n. Thus,<br />
t0 is the time at the start <strong>of</strong> the protocol execution and t7 is the time at the protocol<br />
conclusion.<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 35
Case Study 2: Analysis <strong>of</strong> NS Protocol using CS Logic<br />
Verifying Needham-Schroeder Protocol<br />
using the CS Logic<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 36
<strong>Verification</strong> Procedure<br />
Informal Protocol<br />
Specification<br />
Protocol<br />
Sprecification in<br />
Language <strong>of</strong> Logic<br />
Logic-Based <strong>Verification</strong> Process<br />
<strong>Verification</strong> Specification <strong>of</strong> Procedure<br />
Initial<br />
Assumptions<br />
Specification <strong>of</strong><br />
Protocol Goals<br />
Application <strong>of</strong><br />
Logical Postulates<br />
1. Protocol <strong>Formal</strong>isation<br />
♦<br />
♦<br />
♦<br />
<strong>Verification</strong><br />
Result<br />
<strong>Formal</strong>isation <strong>of</strong> Protocol Steps.<br />
Specification <strong>of</strong> Initial Assumptions.<br />
Specification <strong>of</strong> Protocol Goals.<br />
2. Application <strong>of</strong> Axioms and Inference Rules<br />
♦<br />
Using a process <strong>of</strong> deductive reasoning establish if goals <strong>of</strong><br />
protocols are proven<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 37
Case Study 2: Analysis <strong>of</strong> NS Protocol using CS Logic<br />
<strong>Formal</strong>isation <strong>of</strong> Protocol Steps<br />
Protocol Specification in Language <strong>of</strong> CS Logic<br />
Steps<br />
i. K AS,t1 ( R (AS, t 1 , (A, B)))<br />
ii. K A,t2 (R (A, t2, d({B, k B ), k<br />
-1<br />
AS )))<br />
iii. K B,t3 (R ( B, t3, e({A, n A }, k B )))<br />
iv. K AS,t4 ( R (AS, t4, (B, A)))<br />
v. K B,t5 (R (B, t5, d({A, k A ), k<br />
-1<br />
AS )))<br />
vi. K A,t6 (R ( A, t6 , e({n A, n B }, k A )))<br />
vii. K B,t7 (R ( B, t7, e({n B }, k B )))<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 38
Case Study 2: Analysis <strong>of</strong> NS Protocol using CS Logic<br />
<strong>Formal</strong>isation <strong>of</strong> Initial Assumptions<br />
i. L A,t0<br />
(k AS<br />
)<br />
Aii. L B,t0 (k AS<br />
)<br />
Aiii. L AS,t0 (k A<br />
)<br />
Aiv. L AS,t0 (k B<br />
)<br />
Av. K A,t0 (∀i,i{ENT}, ∀t,t
Case Study 2: Analysis <strong>of</strong> NS Protocol using CS Logic<br />
<strong>Formal</strong>isation <strong>of</strong> Protocol Goals<br />
G i. K A,t2<br />
(∃t, t0
Case Study 2: Analysis <strong>of</strong> NS Protocol using CS Logic<br />
Application <strong>of</strong> the Logical Postulates<br />
The logical statements are build up after each<br />
protocol step (steps 1-7) using the logical axioms and<br />
inference rules. These logical statements are<br />
compared with the desired protocol goals, to see if the<br />
goals are achieved.<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 41
Case Study 2: Analysis <strong>of</strong> NS Protocol using CS Logic<br />
Analysis Results<br />
Result 1<br />
Goal i: K A,t2 (∃t, t0
Case Study 2: Analysis <strong>of</strong> NS Protocol using CS Logic<br />
Analysis Results<br />
Result 2<br />
Goal iii : K A,t6 (∃t, t0
Concluding Remarks<br />
♦ Security protocols are complex, flaws <strong>of</strong>ten subtle.<br />
♦ Introduction to logic based verification.<br />
♦ Case Study 1:<strong>Verification</strong> <strong>of</strong> BCY’93 exposes 8 failed<br />
protocol goals, also failures in Carlsen’s BCY and Mu-<br />
Varadharajan’s BCY. Demonstrated execution <strong>of</strong> new<br />
attack on BCY protocols.<br />
♦ Case Study 2: Analysis <strong>of</strong> Needham-Shroeder protoocol<br />
illustrated the detection <strong>of</strong> known weakness and also<br />
revealed two new missing hypotheses from the initial<br />
protocol assumptions <strong>of</strong> the N-S protocol.<br />
♦ Flaws highlight importance <strong>of</strong> formal verification…..<br />
‘formal vedification is an imperative step in the design<br />
<strong>of</strong> security protocols’<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 44
References<br />
[BAN89] M. Burrows, M. Abadi, R. Needham, “A logic <strong>of</strong> authentication”, in: ACM Operating System<br />
Review 23 (5) (1989) 1–13.<br />
[BCY93] M.J. Beller, L.F. Chang, Y. Yacobi, “Privacy and authentication on a portable communications<br />
system”, IEEE Journal on Selected Areas in Communications 11 (6) 821–829. (1993)<br />
[Carlsen94] U. Carlsen, “Optimal privacy and authentication on a portable communications system”, in:<br />
ACM Operating Systems Review, 28 (3) pp16–23. (1994)<br />
[CDF 03] T.C<strong>of</strong>fey, R. Dojen, T. Flanagan, “ <strong>Formal</strong> <strong>Verification</strong>-an imerative step in the design <strong>of</strong> security<br />
protocols”, in: Computer Networks, Vol.43, No.5, pp 601-618, Elsevier Science. (2003)<br />
[CS97] T.C<strong>of</strong>fey, P. Saidha, “Logic for verifying security protocols”, in: IEE Proc - Computers and Digital<br />
Techniques 144 (1) pp28–32. (1997)<br />
[GNY 90] L. Gong, R. Needham, R. Yahalom, “Reasoning about belief in cryptographic protocols”, in:<br />
Proceedings <strong>of</strong> 1990 IEEE Computer Society Synopsis on Research in Security and Privacy, pp. 234–248.<br />
(1990).<br />
[MuVa96] Y. Mu, V. Varadharajan, “On the design <strong>of</strong> security protocols for mobile communications”, in:<br />
<strong>Information</strong> Security and Privacy, Lecture Notes in Computer Science, vol. 1172, Springer, Berlin,, pp.<br />
134–145.(1996).<br />
[HMM02] G. Horn, K. Martin, C. Mitchell, “Authentication protocols for mobile network environment<br />
value-added services”, in: IEEE Transactions on Vehicular Technology 51 (2002) 383–392.<br />
[NS78] Needham, R.M., Schroeder M.D., “Using encryption for authentication in large networks <strong>of</strong><br />
computers”, in: Communications <strong>of</strong> the ACM 21 (12) pp 993–999. 1978.<br />
Tom C<strong>of</strong>fey - Nov14 2007 <strong>Formal</strong> verification - an imperative step in sec. prot. design 45