A Comparison and Combination of Theory Generation and Model Checking for Security Protocol Analysis - PowerPoint PPT Presentation

Slides: 35
Provided by: gold77
Learn more at: http://www.cse.msu.edu
1
A Comparison and Combination of Theory Generation
and Model Checking for Security Protocol Analysis
  • By Nicholas J. Hopper, Sanjit A. Seshia,
    Jeannette M. Wing
  • Presentation by Heather Goldsby

2
Overview
  • Tools
  • BRUTUS
  • RVChecker
  • Protocols
  • Dolev-Yao
  • Tatebayashi-Matsuzaki-Newman
  • Combination

3
BRUTUS
  • Model checker
  • State-space analysis
  • Covered by
  • Ali Ebnenasir
  • Zhenxiao Yang

4
RVChecker
  • Theory generation
  • Based on Belief Logics (BAN)
  • Concept
  • Finite representation of theory
  • Generated by set of rules and assumptions
  • Check for set membership

5
RVChecker
  • Theory Generation Overview
  • Everything is finite, thus theory is finite
  • Starting with assumptions and messages
  • Apply only shrinking rules
  • To test whether formula is part of theory
  • Backwards chaining using growing rules

6
RVChecker
  • RV logic
  • Extension of BAN
  • Explicit interpretation
  • Idealization step
  • Fails to consider other interpretations
  • Hidden assumptions about safety of message
  • Responsibility
  • Account for principals' irresponsible behavior

7
RVChecker
  • Explicit Interpretation
  • Allows for explicit idealization of the protocol
  • Interpretation must match pattern
  • M matches all or part of a concrete message
  • M represents its intended meaning

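  • $\dfrac{P \text{ sees } M}{P \text{ sees } M}$
  • If P sees M, then P sees M
  • $\dfrac{P \text{ believes } Q \text{ said } M}{P \text{ believes } Q \text{ said } M}$
  • If P believes Q said M, then P believes Q said M
  • $\dfrac{P \text{ believes } Q \text{ says } M}{P \text{ believes } Q \text{ says } M}$
  • If P believes Q says M, then P believes Q says M
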
8
RVChecker
  • Responsibility
  • Honesty
  • Sending principal believes any interpretation of
    message they sent
  • Expressed through legit rules
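  • Signed: any message encrypted under a private or shared key is signed
  • $\dfrac{P \text{ believes } Q \text{ said } M}{P \text{ believes } Q \text{ said } M}$
  • If P believes Q said M, then P believes Q said M
  • $\dfrac{Q \text{ believes } M \qquad Q \text{ believes } \mathrm{signed}(M, \mathit{Ms}, P, Q)}{Q \text{ believes } \mathrm{legit}(\mathit{Ms})}$
  • If Q believes M and Q believes the message is signed, then Q believes M is legit
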
9
RVChecker
  • Responsibility
  • Secrecy
  • Safe for the intruder to see a message
  • Expressed through maysee rules
  • $\dfrac{P \text{ believes } Q \text{ maysee } (X,Y)}{P \text{ believes } Q \text{ maysee } X}$
  • If P believes Q maysee (X,Y), then P believes Q maysee X

10
RVChecker
  • Protocol Analysis Theory Generation
  • Specification supplied
  • messages, interpretation rules, principals,
    belief goals for the principals, initial
    assumptions
  • Theory generation applied to assumptions
  • For each message $M_i$, receiver $R_i$
  • formula $R_i \text{ sees } M_i$ is added
  • Theory generation is re-applied
  • Secrecy is checked
  • Honesty is checked
  • Each belief goal is checked for set inclusion

11
Tatebayashi-Matsuzaki-Newman Protocol
  • A → S: S.A.B.{Ra}Ks
  • A sends a message to Server S consisting of S, A,
    B, and its session key Ra encrypted under Ks
  • S → B: B.S
  • Server S sends a message to principal B
    consisting of B, S
  • B → S: S.B.A.{Rb}Ks
  • Principal B sends a message to server S
    consisting of S, B, A, and its session key Rb
    encrypted under Ks
  • S → A: A.S.B.Ra ⊕ Rb
  • Server S sends a message to principal A
    consisting of A, S, B, and the exclusive or of
    the session key of A and the session key of B.
  • Protocol Flaws
  • Secrecy
  • Authentication
  • Simmons

12
Dolev-Yao Protocol
  • A → B: A.{{M}Kb.A}Kb.B
  • Principal A sends principal B a message
    consisting of A, M encrypted under key Kb, A,
    encrypted under key Kb and B
  • B → A: B.{{M}Ka.B}Ka.A
  • Principal B sends principal A a message
    consisting of B, M encrypted under key Ka, B,
    encrypted under key Ka and A
  • Protocol Flaws
  • Secrecy
  • Authentication

13
BRUTUS Dolev-Yao analysis
  • INITIATOR
  • internal (begin-initiate, b)
  • send <a, b, {{M}Kb, a}Kb>
  • receive <b, a, {{M}Ka, b}Ka>
  • internal (end-initiate, b)
  • RESPONDER
  • receive <a, b, {{M}Kb, a}Kb>
  • internal (begin-respond, a)
  • send <b, a, {{M}Ka, b}Ka>
  • internal (end-respond, a)

14
BRUTUS Dolev-Yao analysis
  • Secrecy
  • Check property ¬(I Knows M)
  • BRUTUS catches error (property false)
  • B listens for 2 sessions
  • A initiates one session

Trace (columns: A | Intruder I | B):
  • Init(B)
  • Send(A,B,Kb(A,Kb(M)))
  • send(I,B,Kb(I,Kb(A,Kb(M))))
  • recv(I,B,Kb(I,Kb(A,Kb(M))))
  • Send(B,I,Ki(B,Ki(A,Kb(M))))
  • recv(B,I,Ki(B,Ki(A,Kb(M))))
  • send(I,B,Kb(I,Kb(M)))
  • Recv(I,B,Kb(I,Kb(M)))
  • Send(B,I,Ki(B,Ki(M)))
  • recv(B,I,Ki(B,Ki(M)))
  • knows (M)
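
A bounded check of the secrecy property ¬(I Knows M) for the Dolev-Yao protocol, added here as an illustration (it is not BRUTUS code or input syntax). The tuple encoding of terms, the function names and the simplified intruder (it splits pairs, decrypts under its own key, and resubmits ciphertexts to B) are assumptions of this sketch.

```python
# Added example: symbolic terms are tuples (constructed encoding, not BRUTUS syntax).
def enc(owner, body):              # body encrypted under owner's public key
    return ("enc", owner, body)

def responder(me, msg):
    """Honest responder role: on Kme(sender, Kme(x)) reply Ksender(me, Ksender(x))."""
    if not (isinstance(msg, tuple) and msg[0] == "enc" and msg[1] == me):
        return None
    body = msg[2]
    if not (isinstance(body, tuple) and body[0] == "pair"):
        return None
    sender, inner = body[1], body[2]
    if not (isinstance(inner, tuple) and inner[0] == "enc" and inner[1] == me):
        return None
    return enc(sender, ("pair", me, enc(sender, inner[2])))

def close(terms, own):
    """Intruder derivation to a fixed point: split pairs, decrypt under its own key."""
    known, todo = set(terms), list(terms)
    while todo:
        t = todo.pop()
        if not isinstance(t, tuple):
            continue
        parts = t[1:] if t[0] == "pair" else (t[2],) if t[1] == own else ()
        for p in parts:
            if p not in known:
                known.add(p)
                todo.append(p)
    return known

def intruder_learns_m(responder_sessions):
    """Bounded search: can I derive M using at most this many sessions with B?"""
    wire = enc("B", ("pair", "A", enc("B", "M")))   # A's message, seen on the network
    states = {frozenset(close({wire}, "I"))}
    for _ in range(responder_sessions):
        successors = set()
        for known in states:
            for t in known:          # I may resubmit any term it holds to B
                reply = responder("B", enc("B", ("pair", "I", t)))
                if reply is not None:
                    successors.add(frozenset(close(known | {reply}, "I")))
        states |= successors
    return any("M" in known for known in states)
```

With a bound of one responder session the property appears to hold; the violation only shows up once B is modelled with two sessions, which is why the number of sessions given to the model checker matters.
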
15
BRUTUS Dolev-Yao analysis
  • Authentication
  • Check properties
  • 1. If A finishes initiating a message to B
  • B responded to this message at an earlier point
    in time
  • 2. If B finishes responding to a message from A
  • A initiated sending this message at an earlier
    point in time
  • BRUTUS catches error (property false)
  • More than 1 session

Trace (columns: A | Intruder I | B):
  • Send(B,I,Ki(B,Ki(M)))
  • recv(B,I,Ki(B,Ki(M)))
  • Recv(B,A,Ka(B,Ka(M)))
  • A thinks it is communicating w/ B while really it is communicating with I
  • B thinks it is communicating w/ I (it really is communicating w/ I)

16
RVChecker Dolev-Yao analysis
  • Authentication
  • Desired belief goals
  • $A \text{ believes } B \text{ says } (A \text{ says } M)$
  • A believes B says that it is A who says M
  • $B \text{ believes } A \text{ says } M$
  • B believes it is A who says M
  • RVChecker finds - beliefs are not in the protocol
  • Fixable by encryption

17
RVChecker Dolev-Yao analysis
  • Secrecy
  • Flaw
  • comes from double encryption
  • Lack of authentication (shown on previous slide)
  • RVChecker does not find flaw

18
Comparison
System     | Dolev-Yao Auth | Dolev-Yao Secrecy | TMN Auth/Secrecy | TMN Simmons/Key
RVChecker  | YES            | NO                | YES              | YES
BRUTUS     | YES            | YES               | YES              | NO

19
Comparison
  • RVChecker
  • Fully automated
  • High level
  • Assumptions attacks?
  • Conservative approach to security
  • BRUTUS
  • Fully automated
  • State-space explosion
  • Complicated counter-example
  • Number of protocol sessions needed
  • Considers all principals to be honest

How much previous knowledge of protocols is
necessary?
20
Combination
  • Assumptions to Counterexamples
  • RVChecker identifies assumptions
  • Search for counterexamples using BRUTUS
  • For assumption held by A
  • If A believes something about its own behavior
  • Intruder plays role of A
  • Model extra sessions of other principals
  • If A believes something about principal B
  • Intruder plays role of B
  • Model extra sessions of A

21
Combination
  • Counterexamples to Assumptions
  • BRUTUS identifies counter examples
  • RVChecker then isolates assumptions
  • Model entire counter example trace as a protocol
  • Add assumptions until goal properties satisfied
  • Find assumptions about I playing the role of Q
  • Indicate assumptions made about Q
  • Discovers how I subverted the protocol

22
Combination Dolev-Yao
Trace (columns: A | Intruder I | B):
  • Init(B)
  • Send(A,B,Kb(A,Kb(M)))
  • send(I,B,Kb(I,Kb(A,Kb(M))))
  • recv(I,B,Kb(I,Kb(A,Kb(M))))
  • Send(B,I,Ki(B,Ki(A,Kb(M))))
  • recv(B,I,Ki(B,Ki(A,Kb(M))))
  • send(I,B,Kb(I,Kb(M)))
  • Recv(I,B,Kb(I,Kb(M)))
  • Send(B,I,Ki(B,Ki(M)))
  • recv(B,I,Ki(B,Ki(M)))
  • knows (M)
  • Recv(B,A,Ka(B,Ka(M)))

23
Combination Dolev-Yao
  • Counterexamples to Assumptions
  • New assumptions necessary
  • $I \text{ believes } I \text{ maysee } M$
  • $I \text{ believes } B \text{ maysee } M$
  • $B \text{ believes } I \text{ maysee } M$
  • Shows B must believe it is ok for the Intruder to
    see message M

24
References
  • Nicholas J. Hopper, Sanjit A. Seshia, and
    Jeannette M. Wing. A comparison and combination
    of theory generation and model checking for
    security protocol analysis. In Proceedings of
    Workshop on Formal Methods and Security, April
    2000.
  • D. Kindred. Theory Generation for Security
    Protocols. PhD thesis, Carnegie Mellon
    University, 1999.
  • D. Kindred and J.M. Wing. Fast, automatic
    checking of security protocols. In Second USENIX
    Workshop on Electronic Commerce, pages 41-52,
    Oakland, California, November 1996. USENIX.
  • Edmund Clarke, Somesh Jha, and Will Marrero. A
    machine checkable logic of knowledge for
    specifying security properties of electronic
    protocols. In Workshop on Formal Methods and
    Security Protocols, Indianapolis, Indiana, June
    1998.
  • E.M. Clarke, S. Jha, and W. Marrero. Using state
    space exploration and a natural deduction style
    message derivation engine to verify security
    protocols. In Proceedings of the IFIP Working
    Conference on Programming Concepts and Methods
    PROCOMET, 1998.

25
RV logic Legit Rules
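  • $\dfrac{P \text{ believes } Q \text{ says } M}{P \text{ believes } Q \text{ says } M}$
  • If P believes Q says M, then P believes Q says M
  • $\dfrac{Q \text{ believes } M \qquad Q \text{ believes } \mathrm{signed}(M, \mathit{Ms}, P, Q)}{Q \text{ believes } \mathrm{legit}(\mathit{Ms})}$
  • If Q believes M and Q believes the message is signed, then Q believes Ms is legit
  • $\dfrac{P \text{ sees } M}{P \text{ sees } M}$
  • If P sees M, then P sees M
  • $\dfrac{Q \text{ believes } M}{Q \text{ believes } \mathrm{legit}(M)}$
  • If Q believes M, then Q believes M is legit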

26
RV logic maysee rules
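  • $\dfrac{P \text{ sees } Q \stackrel{K}{\leftrightarrow} R}{P \text{ believes } Q \text{ maysee } K}$
  • If P sees K, the shared key of Q and R, then P
    believes Q maysee K
  • $\dfrac{P \text{ sees } Q \text{ maysee } Y}{P \text{ believes } Q \text{ maysee } Y}$
  • If P sees Q maysee Y, then P believes Q maysee Y
  • $\dfrac{P \text{ believes } Q \text{ maysee } (X,Y)}{P \text{ believes } Q \text{ maysee } X}$
  • If P believes Q maysee (X,Y) then P believes Q
    maysee X
  • $\dfrac{P \text{ sees } \stackrel{K}{\mapsto} Q}{P \text{ believes } Z \text{ maysee } K}$
  • If P sees public key K for Q, then P believes Z
    maysee K
  • $\dfrac{P \text{ sees } \stackrel{K_1}{\mapsto} Q \qquad K_1 = K_2^{-1}}{P \text{ believes } Q \text{ maysee } K_2}$
  • If P sees public key K1 for Q and key K1 is equal
    to secret key K2, then P believes Q maysee K2
  • $\dfrac{P \text{ believes } Q \text{ maysee } X}{P \text{ believes } Q \text{ maysee } \{X\}_K}$
  • If P believes Q maysee X then P believes Q maysee
    X encrypted by key K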

27
RV logic maysee rules
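  • $\dfrac{P \text{ believes } Z \text{ maysee } X}{P \text{ believes } Q \text{ maysee } X}$
  • If P believes Z maysee X, then P believes Q maysee
    X
  • $\dfrac{P \text{ believes } Q \text{ maysee } X \qquad P \text{ believes } Q \text{ maysee } X}{P \text{ believes } Q \text{ maysee } X.Y}$
  • If P believes Q maysee X and P believes Q maysee
    X, then P believes Q maysee X.Y
  • $\dfrac{P \text{ believes } Q \text{ maysee } X \qquad P \text{ believes } \stackrel{K}{\mapsto} R}{P \text{ believes } Z \text{ maysee } \{X\}_K}$
  • If P believes Q maysee X and P believes K is the
    public key of R, then P believes Z maysee X
    encrypted under key K
  • $\dfrac{P \text{ sees } Q \stackrel{Y}{\rightleftharpoons} R}{P \text{ believes } Q \text{ maysee } Y}$
  • If P sees Y, the shared secret between Q and R,
    then P believes Q maysee Y
  • $\dfrac{P \text{ sees } Q \text{ sees } Y}{P \text{ believes } Q \text{ maysee } Y}$
  • If P sees Q sees Y, then P believes Q maysee Y
  • $\dfrac{P \text{ believes } Q \text{ maysee } X \qquad P \text{ believes } R \text{ maysee } X \qquad P \text{ believes } Q \stackrel{K}{\leftrightarrow} R}{P \text{ believes } Z \text{ maysee } \{X\}_K}$
  • If P believes Q maysee X and P believes R maysee
    X and P believes K is the shared key between Q
    and R, then P believes Z maysee X encrypted under
    K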

28
RVChecker
  • Finite Model
  • Finite number of entities
  • Parties communicating
  • Messages exchanged
  • Types of messages
  • Encryption and decryption keys
  • Finite number of rules of inference
  • Grow in a controlled manner

29
RVChecker
  • Inference Rules
  • S-rules (shrinking rules)
  • Conclusion same size or smaller than premises
  • Each variable in conclusion occurs in premises
  • E.g.
  • G-rules (growing rules)
  • Conclusion larger than each premise
  • Each variable in conclusion occurs in premises
  • E.g.
  • Rewrites (same size)
  • A pair of formulas f1, f2
  • Any occurrence of f1 can be replaced with f2
  • f1, f2 are the same size and have the same
    variables
  • E.g.

30
RVChecker
  • Theory Generation
  • Modeled as a directed acyclic graph
  • Roots: assumptions and messages
  • 1. Apply S-rules to generate new formulas
  • Can apply G or R rules to generate premises for
    S-rules
  • 2. Show completeness
  • Backwards chaining with G-rules and R-rules
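
A small sketch of the two phases described on the theory-generation slides, added here as an illustration (it is not RVChecker code). It uses one shrinking rule and one growing rule from the maysee slides; the tuple encoding of formulas, the function names and the sample assumption are constructed, and rewrites and the use of G-rules to feed S-rule premises are left out.

```python
# Added example: formulas are nested tuples (constructed encoding, not RVChecker's).
#   ("believes", P, ("maysee", Q, X)) where X is an atom, ("pair", X, Y) or ("enc", X, K)

def maysee(p, q, x):
    return ("believes", p, ("maysee", q, x))

def s_rule(f):
    """Shrinking rule: P believes Q maysee (X,Y)  =>  P believes Q maysee X."""
    _, p, (_, q, x) = f
    if isinstance(x, tuple) and x[0] == "pair":
        yield maysee(p, q, x[1])

def generate_theory(roots):
    """Forward-chain the S-rule from the roots until a fixed point is reached."""
    theory, frontier = set(roots), list(roots)
    while frontier:
        for new in s_rule(frontier.pop()):
            if new not in theory:
                theory.add(new)
                frontier.append(new)
    return theory

def in_theory(goal, theory):
    """Membership test. A goal that the growing rule
    P believes Q maysee X  =>  P believes Q maysee {X}K
    could have produced is reduced backwards, one encryption layer at a time."""
    if goal in theory:
        return True
    _, p, (_, q, x) = goal
    if isinstance(x, tuple) and x[0] == "enc":
        return in_theory(maysee(p, q, x[1]), theory)
    return False

# Constructed assumption: P believes Q maysee ((X, Y), Z)
THEORY = generate_theory({maysee("P", "Q", ("pair", ("pair", "X", "Y"), "Z"))})
```

The generated set stays finite because the S-rule only produces smaller formulas, and the backward step terminates because each application removes one layer from the goal.
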

31
BRUTUS - TMN analysis
  • INITIATOR
  • internal (begin-initiate, B)
  • send <A, S, B, {RA}Ks>
  • receive <s, A, b, Rb ⊕ Ra>
  • internal (end-initiate, b)
  • RESPONDER
  • receive <s, B, a>
  • internal (begin-respond, a)
  • send <B, s, a, {RB}Ks>
  • internal (end-respond, a)
  • SERVER
  • receive <a, S, b, {Ra}Ks>
  • internal (begin-initiate, b)
  • send <b, S, a>
  • receive <b, S, a, {Rb}Ks>
  • internal (end-initiate, b)
  • internal (begin-respond, a)
  • send <S, a, b, Ra ⊕ Rb>
  • initiate (end-respond, a)

NOTE: The authentication property is not shown
for this protocol because it is the same as the
Dolev-Yao protocol. BRUTUS catches the error.

32
BRUTUS TMN analysis
  • Secrecy
  • Check properties
  • ¬(I Knows NB)
  • I cannot read messages passed between A and B
  • ¬(I Knows NB) ? ¬(I Knows NA)
  • I cannot masquerade as S while communicating with
    A
  • BRUTUS catches error (both properties false)
  • 2 sessions

33
BRUTUS TMN analysis
  • A Intruder I S B
  • Init(B)
  • Send(A,S,B,(Ra)Ks)
  • recv(A,S,B,(Ra)Ks)
  • send(I,B,A)
  • knows((Ra)Ks)
  • Recv(I,B,A)
  • Send(B,I,A,(b)Ki)
  • recv(B,I,A,(Rb)Ki)
  • knows(Rb)
  • send(I,S,A,(Ri)Ks)
  • recv(I,S,A,(Ri)Ks)
  • send(S,A,I)
  • recv(S,A,I)
  • send(A,S,I,(Ra)Ks)
  • recv(A,S,I,(Ra)Ks)
  • send(S,I,A,(Ra)Ri)

34
RVChecker TMN analysis
  • Authentication
  • Desired belief goals
  • A ? A ?Rb? B
  • B ? A ?Rb? B
  • A ? B ? A ?Rb? B
  • B ? A ? A ?Rb? B
  • RVChecker finds - beliefs are not in the protocol