i613 Algebraic Formal Methods - Japan Advanced Institute ...kokichi/class/i613-1312/lectureNote10.pdf · Authentication protocol (5) 9 Cathy is never able to obtain nAlice nor nBob


i613 Algebraic Formal Methods
10. Model checking of trans-based system specifications

Kazuhiro Ogata (JAIST)

Outline of lecture

• Invariant model checking

• Authentication protocol

• Specification of NSPK, an authentication protocol

• Model checking that NSPK enjoys the nonce secrecy property


Invariant model checking (1)

A state machine M is <S,I,T> such that S is a set of states, I ⊆ S is the set of initial states, and T ⊆ S × S is the transition relation.

Let p be a predicate over S.

p is invariant w.r.t. M iff p holds in every state of R, the set of states reachable from I.

Invariant model checking verifies or falsifies that p is invariant w.r.t. M by exhaustively traversing R.

[Figure: the nested sets I ⊆ R ⊆ S]

Invariant model checking (2)

Let SPEC be a trans-based specification of M in which Config is the sort corresponding to S, c is a term of sort Config corresponding to a state in I, and C is a variable of sort Config.

Invariant model checking (especially for falsification) can be performed by the following search:

  open SPEC .
  …
  red c =(1,*)=>* C suchThat ¬p(C) .
  close

Invariant bounded model checking can also be conducted if a natural number k is used instead of * in (1,*).

Authentication protocol (1)

[Figure: Alice asks "Whom am I communicating with? Bob?" and, after the protocol run, concludes "I am communicating with Bob."]

Authentication protocol (2)

Public-key cryptography

[Figure: plaintext is encrypted with the public key (closed) into ciphertext (cipher), and the ciphertext is decrypted with the private key (opened)]

Principals: the main players in a protocol, such as Alice and Bob.

Nonce: each nonce is used at most once. Cryptographically secure (pseudo-)random numbers can be used as nonces.

Authentication protocol (3)

Needham-Schroeder Public-Key (NSPK) authentication protocol, between Alice (initiator) and Bob (responder):

  challenge:     Alice -> Bob:   {nAlice,Alice}pubkey(Bob)
  response:      Bob -> Alice:   {nAlice,nBob}pubkey(Alice)
  confirmation:  Alice -> Bob:   {nBob}pubkey(Bob)

Roger M. Needham, Michael D. Schroeder: Using Encryption for Authentication in Large Networks of Computers. Commun. ACM 21(12): 993-999 (1978)

Authentication protocol (4)

Intruder

Cathy can obtain any message {… n …}k flowing in the open network. If k is Cathy's public key, she can also obtain n.

Cathy may not be distinguishable from other principals. She can counterfeit messages based on those messages and nonces.

[Figure: Cathy sends a counterfeit message {n,Alice}pubkey(Bob)]

Authentication protocol (5)

Nonce secrecy property, one property NSPK should enjoy:

Cathy is never able to obtain nAlice or nBob.

The only principals who know nAlice and/or nBob are Alice and Bob.

Specification of NSPK (1)

  mod! SET(X :: TRIV) {
    [Elt.X < Set]
    op emp : -> Set {constr}
    op _ _ : Set Set -> Set {constr assoc comm id: emp}
    op _\in_ : Elt.X Set -> Bool
    op _=<_ : Set Set -> Bool
    vars E E' : Elt.X
    vars S S' : Set
    eq E E = E .
    …
  }

Specification of NSPK (2)

    eq E \in emp = false .
    eq E \in E S' = true .
    ceq E \in E' S' = E \in S' if not(E = E') .
    eq emp =< S' = true .
    eq (E S =< S') = (E \in S') and (S =< S') .
    ceq (S = S') = (S =< S') and (S' =< S)
      if not((S :is Elt.X) and (S' :is Elt.X)) .

The condition is needed to prevent a circular definition of _\in_ and _=_ that may lead to infinite rewrite steps.

Specification of NSPK (3)

  mod* RANDOM-NUMBER {
    pr(PNAT)
    op seed : -> PNat
    op next : PNat -> PNat
    vars R R' : PNat
    eq (next(R) = seed) = false .
    eq (next(R) = next(R')) = (R = R') .
  }

Each model is a permutation of the natural numbers:

  seed, next(seed), next(next(seed)), …

From a security point of view, however, predictable permutations are not acceptable: 0, 1, 2, …, 99, …, 0, 199, …, 100, …

Unpredictability is described only implicitly in the specification of NSPK, which suffices for model checking and theorem proving.

Specification of NSPK (4)

  mod! INTRUDER {
    [Intruder]
    op intrdr : -> Intruder {constr}
  }

  mod* PRINCIPAL { [Prin] }

  mod! PRIN&INTRDR {
    pr(INTRUDER) pr(PRINCIPAL)
    [Intruder Prin < Prin&Intrdr]
    var I : Intruder  var P : Prin  var PI : Prin&Intrdr
    eq (I = P) = false .
    eq (I = PI) and (PI = P) = false .
  }

  mod! PRIN-SET {
    pr(SET(PRINCIPAL) * {sort Set -> PrinSet, op emp -> noPrin })
  }

Specification of NSPK (5)

  mod! NONCE principal-sort Nonce {
    pr(RANDOM-NUMBER) pr(PRIN&INTRDR)
    [Nonce]
    op n : Prin&Intrdr Prin&Intrdr PNat -> Nonce {constr}
    op gen : Nonce -> Prin&Intrdr
    op forWhom : Nonce -> Prin&Intrdr
    vars PI1 PI2 PI1' PI2' : Prin&Intrdr
    vars R R' : PNat
    eq (n(PI1,PI2,R) = n(PI1',PI2',R')) = (PI1 = PI1') and (PI2 = PI2') and (R = R') .
    eq gen(n(PI1,PI2,R)) = PI1 .
    eq forWhom(n(PI1,PI2,R)) = PI2 .
  }

nAlice and nBob are denoted by n(Alice,Bob,r1) and n(Bob,Alice,r2), respectively: the first argument is the principal that generated the nonce and the second is the principal it was generated for.

  mod! NONCE-SET {
    pr(SET(NONCE) * {sort Set -> NonceSet, op emp -> noNonce })
  }

Specification of NSPK (6)

  mod! CIPHER1 {
    pr(NONCE)
    [Cipher1]
    op c1 : Prin&Intrdr Nonce Prin&Intrdr -> Cipher1 {constr}
    op non : Cipher1 -> Nonce
    op gen : Cipher1 -> Prin&Intrdr
    vars PI QI PI' QI' : Prin&Intrdr
    vars N N' : Nonce
    eq non(c1(QI,N,PI)) = N .
    eq gen(c1(QI,N,PI)) = PI .
    …
  }

The ciphertext {nAlice,Alice}pubkey(Bob) in the challenge message is denoted by c1(Bob,n(Alice,Bob,r1),Alice): the first argument is the principal whose public key encrypts the cipher.

Specification of NSPK (7)

  mod! MESSAGE1 {
    pr(CIPHER1)
    [Msg1]
    op m1 : Prin&Intrdr Prin&Intrdr Prin&Intrdr Cipher1 -> Msg1 {constr}
    …
  }

The challenge message {nAlice,Alice}pubkey(Bob) is denoted by m1(Alice,Alice,Bob,c1(Bob,n(Alice,Bob,r1),Alice)). The three principal arguments of m1 are the principal that actually created the message, the sender it claims to come from, and the receiver; the first two differ only for counterfeit messages.

  mod! MESSAGE principal-sort Msg {
    pr(MESSAGE1) pr(MESSAGE2) pr(MESSAGE3)
    [Msg1 Msg2 Msg3 < Msg]
    eq (M1:Msg1 = M2:Msg2) = false .
    eq (M1:Msg1 = M3:Msg3) = false .
    eq (M2:Msg2 = M3:Msg3) = false .
  }

Specification of NSPK (8)

  mod! NETWORK {
    pr(SET(MESSAGE) * {sort Set -> Network, op emp -> noMsg })
    op _\in_ : Cipher1 Network -> Bool
    op _\in_ : Cipher2 Network -> Bool
    …
    eq CIPH1 \in noMsg = false .
    eq CIPH1 \in m1(C,S,D,CIPH1') NW
       = if CIPH1 = CIPH1' then true else CIPH1 \in NW fi .
    eq CIPH1 \in M2 NW = CIPH1 \in NW .
    eq CIPH1 \in M3 NW = CIPH1 \in NW .
    …
  }

Specification of NSPK (9)

  mod! OBSERVABLE-VALUE principal-sort OVal {
    pr(NETWORK) …
    [OVal]
    op (nw:_) : Network -> OVal {constr}
    op (rand:_) : PNat -> OVal {constr}
    op (nonces:_) : NonceSet -> OVal {constr}
    op (prins:_) : PrinSet -> OVal {constr}
    …
  }

nw: all messages sent (put into the network)
rand: the random number to be used (generated) next
nonces: all nonces gleaned by the intruder (Cathy)
prins: all non-intruder principals, such as Alice and Bob

Specification of NSPK (10)

  mod! CONFIG {
    pr(PNAT)
    pr(SET(OBSERVABLE-VALUE) * {sort Set -> Config, op emp -> void })
    op #nw : Config -> PNat
    op #nonces : Config -> PNat
    …
    op nonces : Config -> NonceSet
    op msgs : Config -> Network
    …
    ceq nonces((nonces: NS) C) = NS if #nonces(C) = z .
    ceq nonces((nonces: NS) C) = noNonce if not(#nonces(C) = z) .
    ceq nonces(C) = noNonce if #nonces(C) = z .
    …
  }

  mod! PNAT {
    [PZero PNzNat < PNat]
    op z : -> PZero {constr}
    op s : PNat -> PNzNat {constr}
    …
  }

Specification of NSPK (11)

  mod! NSPK-INIT {
    inc(CONFIG)
    op init : PrinSet -> Config
    var PS : PrinSet
    eq init(PS) = (nw: noMsg) (rand: seed) (nonces: noNonce) (prins: PS) .
  }

For example, init(Alice Bob) = (nw: noMsg) (rand: seed) (nonces: noNonce) (prins: (Alice Bob)).

Specification of NSPK (12)

  mod! NSPK-CHALLENGE1 {
    inc(CONFIG)
    …
    ctrans [challenge1] :
      (nw: NW) (rand: R) (nonces: NS) (prins: (P Q PS))
      => (nw: (m1(P,P,Q,c1(Q,n(P,Q,R),P)) NW)) (rand: next(R)) (nonces: NS) (prins: (P Q PS))
      if not(P = Q) .
  }

Challenge1: a non-intruder principal P sends the challenge message m1(P,P,Q,c1(Q,n(P,Q,R),P)) to another non-intruder principal Q.

Specification of NSPK (13)

  mod! NSPK-CHALLENGE2 {
    inc(CONFIG)
    …
    trans [challenge2] :
      (nw: NW) (rand: R) (nonces: NS) (prins: (P PS))
      => (nw: (m1(P,P,intrdr,c1(intrdr,n(P,intrdr,R),P)) NW))
         (rand: next(R)) (nonces: (n(P,intrdr,R) NS)) (prins: (P PS)) .
  }

Challenge2: a non-intruder principal P sends the challenge to the intruder, who decrypts it and so gleans the nonce n(P,intrdr,R).

Specification of NSPK (14)

  mod! NSPK-CHALLENGE3 {
    inc(CONFIG)
    …
    trans [challenge3] :
      (nw: NW) (rand: R) (nonces: NS) (prins: (Q PS))
      => (nw: (m1(intrdr,intrdr,Q,c1(Q,n(intrdr,Q,R),intrdr)) NW))
         (rand: next(R)) (nonces: NS) (prins: (Q PS)) .
  }

Challenge3: the intruder sends a challenge of its own to a non-intruder principal Q.

Specification of NSPK (15)

  mod! NSPK-RESPONSE {
    inc(CONFIG)
    …
    trans [Response] :
      (nw: (m1(PI',PI,QI,c1(QI,N,PI)) NW)) (rand: R) (nonces: NS) (prins: PS)
      => (nw: (m2(QI,QI,PI,c2(PI,N,n(QI,PI,R))) m1(PI',PI,QI,c1(QI,N,PI)) NW))
         (nonces: (if PI = intrdr then n(QI,PI,R) N NS else NS fi))
         (rand: next(R)) (prins: PS) .
  }

Response: the receiver QI of a challenge message answers its apparent sender PI with the fresh nonce n(QI,PI,R); if PI is the intruder, the intruder gleans both nonces carried by the response.

Specification of NSPK (16)

  mod! NSPK-CONFIRMATION {
    inc(CONFIG)
    …
    trans [Confirmation] :
      (rand: R) (nonces: NS) (prins: PS)
      (nw: (m2(QI',QI,PI,c2(PI,N,N')) m1(PI,PI,QI,c1(QI,N,PI)) NW))
      => (nw: (m3(PI,PI,QI,c3(QI,N')) m2(QI',QI,PI,c2(PI,N,N')) m1(PI,PI,QI,c1(QI,N,PI)) NW))
         (nonces: (if QI = intrdr then N' NS else NS fi))
         (rand: R) (prins: PS) .
  }

Confirmation: an initiator PI that sent a challenge to QI and has received a response carrying its own nonce N sends the confirmation to QI; if QI is the intruder, the intruder gleans N'.

Specification of NSPK (17)

  mod! NSPK-FAKE21 {
    inc(CONFIG)
    …
    ctrans [fake21] :
      (nw: NW) (rand: R) (nonces: (N N' NS)) (prins: (P Q PS))
      => (nw: (m2(intrdr,Q,P,c2(P,N,N')) NW)) (rand: R) (nonces: (N N' NS)) (prins: (P Q PS))
      if not(N = N') and not(P = Q) .
  }

Fake21: the intruder counterfeits a response message to P, apparently from Q, out of two nonces N and N' it has gleaned.

Specification of NSPK (18)

  mod! NSPK-FAKE21a {
    inc(CONFIG)
    …
    ctrans [fake21a] :
      (nw: NW) (rand: R) (nonces: (N N' NS)) (prins: (P PS))
      => (nw: (m2(intrdr,intrdr,P,c2(P,N,N')) NW)) (rand: R) (nonces: (N N' NS)) (prins: (P PS))
      if not(N = N') .
  }

  mod! NSPK-FAKE21b {
    inc(CONFIG)
    …
    ctrans [fake21b] :
      (nw: NW) (rand: R) (nonces: (N N' NS)) (prins: (Q PS))
      => (nw: (m2(intrdr,Q,intrdr,c2(intrdr,N,N')) NW)) (rand: R) (nonces: (N N' NS)) (prins: (Q PS))
      if not(N = N') .
  }

Fake21a and Fake21b are the variants of Fake21 in which the intruder itself is the apparent sender or the receiver.

Specification of NSPK (19)

  mod! NSPK-FAKE22 {
    inc(CONFIG)
    …
    ctrans [fake22] :
      (nw: (m2(QI',QI,PI,C2) NW)) (rand: R) (nonces: NS) (prins: (P Q PS))
      => (nw: (m2(intrdr,Q,P,C2) m2(QI',QI,PI,C2) NW)) (rand: R) (nonces: NS) (prins: (P Q PS))
      if not(P = Q) .
  }

Fake22: the intruder replays the ciphertext C2 of any response message in the network, addressed to P and apparently from Q.

Specification of NSPK (20)

  mod! NSPK-FAKE22a {
    inc(CONFIG)
    …
    trans [fake22a] :
      (nw: (m2(QI',QI,PI,C2) NW)) (rand: R) (nonces: NS) (prins: (P PS))
      => (nw: (m2(intrdr,intrdr,P,C2) m2(QI',QI,PI,C2) NW)) (rand: R) (nonces: NS) (prins: (P PS)) .
  }

  mod! NSPK-FAKE22b {
    inc(CONFIG)
    …
    trans [fake22b] :
      (nw: (m2(QI',QI,PI,C2) NW)) (rand: R) (nonces: NS) (prins: (Q PS))
      => (nw: (m2(intrdr,Q,intrdr,C2) m2(QI',QI,PI,C2) NW)) (rand: R) (nonces: NS) (prins: (Q PS)) .
  }

Specification of NSPK (21)

  mod! INV {
    inc(CONFIG)
    op nonSec : Config Nonce -> Bool
    var C : Config  var N : Nonce
    eq nonSec(C,N) = N \in nonces(C)
       implies (gen(N) = intrdr or forWhom(N) = intrdr) .
  }

The nonce secrecy property (NSP) can be rephrased as follows: any nonce gleaned by the intruder has been generated by the intruder (gen(N) = intrdr) or by a non-intruder principal that wanted to authenticate the intruder (forWhom(N) = intrdr).

Model checking NSP for NSPK (1)

  mod! NSPK {
    inc(NSPK-INIT) inc(NSPK-CHALLENGE1) … inc(NSPK-FAKE22) …
  }

  open NSPK + INV .
    ops p q : -> Prin .  eq (p = q) = false .
    var N : Nonce  var NS : NonceSet  var C : Config
    red init(p q) =(1,*)=>* ((nonces: (N NS)) C)
        suchThat (not nonSec((nonces: (N NS)) C,N)) .
  close

A counterexample is found.

Note that this search was not feasible with CafeOBJ and was therefore done with Maude, a sibling language of CafeOBJ.

Model checking NSP for NSPK (2)

The counterexample is the following sequence of transitions (with p and q read as Alice and Bob):

  Challenge2:    m1(Alice,Alice,Cathy,c1(Cathy,n(Alice,Cathy,seed),Alice))
  Fake11b:       m1(Cathy,Alice,Bob,c1(Bob,n(Alice,Cathy,seed),Alice))
  Response:      m2(Bob,Bob,Alice,c2(Alice,n(Alice,Cathy,seed),n(Bob,Alice,next(seed))))
  Fake22a:       m2(Cathy,Cathy,Alice,c2(Alice,n(Alice,Cathy,seed),n(Bob,Alice,next(seed))))
  Confirmation:  m3(Alice,Alice,Cathy,c3(Cathy,n(Bob,Alice,next(seed))))

With the confirmation, Cathy gleans n(Bob,Alice,next(seed)), a nonce generated by Bob for Alice, which violates nonSec.

Gavin Lowe: An Attack on the Needham-Schroeder Public-Key Authentication Protocol. Inf. Process. Lett. 56(3): 131-133 (1995)
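As an added example (not code from the slides or from CafeOBJ/Maude), the following Python sketch encodes the same state machine and runs the bounded invariant search on it: the observable values nw, rand and nonces, the Challenge1-3, Response, Confirmation and Fake2 rules as specified above, and a bounded breadth-first version of the `=(1,k)=>*` search for a state where some gleaned nonce violates nonSec. Two things are assumptions rather than the slides' spec: the Fake1 family, which the slides elide, is modelled as forging an m1 from a gleaned nonce, and forgeries are only sent to non-intruder principals and only with ciphers the receiver can decrypt (a pruning that removes no nonSec violation).

```python
from collections import deque

I, PRINS = "Cathy", ("Alice", "Bob")        # intrdr and the non-intruder principals
PEERS = PRINS + (I,)                        # a nonce is ("n", generator, forWhom, r)
def non_sec(nonce):                         # nonSec: a gleaned nonce is harmless only if the
    return nonce[1] == I or nonce[2] == I   # intruder generated it or was meant to receive it

def steps(state, max_rand):
    """Yield (rule, successor); a message is (kind, creator, sender, receiver, cipher),
    and the field after a cipher's tag is the public key it is encrypted with."""
    nw, r, ns = state
    fresh = r < max_rand                    # bound on nonce generation (rand: R)
    for P in PRINS:
        for Q in PRINS:
            if fresh and P != Q:            # challenge1: honest P starts a run with honest Q
                yield "challenge1", (nw | {("m1", P, P, Q, ("c1", Q, ("n", P, Q, r), P))}, r + 1, ns)
        if fresh:                           # challenge2: P starts with the intruder, who learns the nonce
            yield "challenge2", (nw | {("m1", P, P, I, ("c1", I, ("n", P, I, r), P))}, r + 1, ns | {("n", P, I, r)})
            yield "challenge3", (nw | {("m1", I, I, P, ("c1", P, ("n", I, P, r), I))}, r + 1, ns)
    for kind, _, s, d, c in sorted(nw):
        if kind == "m1" and fresh and c[1] == d and c[3] == s:       # Response by receiver d
            c2 = ("c2", s, c[2], ("n", d, s, r))
            yield "response", (nw | {("m2", d, d, s, c2)}, r + 1, ns | ({c[2], c2[3]} if s == I else set()))
        if kind == "m2" and c[1] == d and ("m1", d, d, s, ("c1", s, c[2], d)) in nw:  # Confirmation by d
            yield "confirmation", (nw | {("m3", d, d, s, ("c3", s, c[3]))}, r, ns | ({c[3]} if s == I else set()))
    for D in PRINS:                         # forgeries; destinations pruned to honest principals, because
        for S in (p for p in PEERS if p != D):  # a message to the intruder reveals nothing nonSec forbids
            for N in sorted(ns):            # fake1 family (assumed; the slides elide it): m1 from a gleaned nonce
                yield "fake1", (nw | {("m1", I, S, D, ("c1", D, N, S))}, r, ns)
                for N2 in sorted(ns):       # fake21: m2 from two gleaned nonces
                    if N != N2:
                        yield "fake2", (nw | {("m2", I, S, D, ("c2", D, N, N2))}, r, ns)
            for m in sorted(nw):            # fake22: replay a cipher2, pruned to those D can decrypt
                if m[0] == "m2" and m[4][1] == D:
                    yield "fake2", (nw | {("m2", I, S, D, m[4])}, r, ns)

def search(max_depth=5, max_rand=2):
    """Bounded invariant model checking from init(Alice Bob) by breadth-first search:
    returns (rule sequence, offending nonce) for the first state violating nonSec, else None."""
    init = (frozenset(), 0, frozenset())    # (nw: noMsg) (rand: seed) (nonces: noNonce)
    seen, queue = {init}, deque([(init, [])])
    while queue:
        state, path = queue.popleft()
        bad = sorted(N for N in state[2] if not non_sec(N))
        if bad:
            return path, bad[0]
        if len(path) < max_depth:
            for rule, nxt in steps(state, max_rand):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [rule]))
    return None
```

search() returns Lowe's five-step trace (challenge2, fake1, response, fake2, confirmation) with the gleaned nonce generated by one honest principal for the other, and returns None when the depth bound is 4, since no shorter violation exists.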


Summary

• Invariant model checking

• Authentication protocol

• Specification of NSPK, an authentication protocol

• Model checking that NSPK enjoys the nonce secrecy property
