These are the slides for my first B.Sc. term paper, AVISPA, 2006.
These slides are presented to the
Department of Electrical Engineering and Information Sciences
of the Ruhr-University of Bochum
Chair of Network and Data Security
of the Ruhr-University of Bochum,
Horst-Görtz Institute,
Prof. Jörg Schwenk
Automated Validation of Internet Security Protocols and Applications (AVISPA), slides
1. Automated Validation of Internet Security Protocols and Applications (AVISPA)
University of Bochum
Krassen Deltchev
2. The Problem
Requirements on Internet Security Protocols:
    complex
    sophisticated
Analysis of protocols by hand is:
    error-prone
    incomplete
    time-consuming
2
12.07.2006 Automated Validation of Internet Security Protocols and A
2
3. Formal Methods for Security Protocol Analysis
Computational Models
Formal Models:
    Logic-based (e.g., BAN Logic [BAN89])
    Algebraic-based (e.g., NRL Protocol Analyser)
    Inductive Proofs (Lawrence C. Paulson)
    Model Checking (e.g., AVISPA OFMC)
    Finite-State Machines
    Constraint-based
4. Theoretical approaches: Dolev-Yao Intruder Model
The Dolev-Yao intruder [DY83]:
    has full control over the network
    can play the role(s) of (normal) principals
    cannot break cryptography
Unsatisfying:
    naively enumerating all of the intruder's messages leads to enormous branching of the search tree
    the standard Dolev-Yao abstraction lacks cryptographic justification: some security protocols that are secure in the Dolev-Yao model become insecure when instantiated with some provably secure cryptographic primitives
5. Theoretical approaches: Methodology
Model Checkers:
General:
    System behaviour, modelled as a (finite) state transition system
    System properties, expressed by state satisfaction relations
    State space exploration – attack trace
Property types:
    Safety: check that certain undesirable properties never occur
    Liveness: check that certain desirable properties do eventually occur
Verification is effective at finding flaws, but:
    No guarantee of correctness, due to 'artificial' finite bounds
    The problem can probably be solved by infinite-state model checking, based on symbolic methods and abstractions
6. Model checkers: Example Implementations
Maude
    Not exclusively a security protocol model checker
    Instead, it is an executable specification language based on rewriting logic
Hermes
    Checks secrecy properties of protocols
    Tested on 15 protocols of the Clark/Jacob library [CJ97]
    Finds attacks on 6 of 8 protocols
AVISPA
    Uses two languages for protocol specification
    Tested on 46 of the 51 protocols of the Clark/Jacob library
    Finds attacks on all 32 of the 46 tested protocols
7. AVISPA
Automated Validation of Internet Security Protocols and Applications
    Development of automatic analysis techniques, based on model checking
    Provides tools capable of solving industrial problems
    Compatible with common operating systems
    Web-based, platform-independent realisation
    See http://avispa-project.org/
8. AVISPA: Architecture
HLPSL: High Level Protocol Specification Language
HLPSL2IF: Translator to IF Format
IF: The Intermediate Format Language
Translator to Subtools:
    OFMC (On-the-Fly Model-Checker) [MVO05]
    ATSE (CL-based attack searcher)
    SATMC (SAT-based Model checker)
    TA4SP (Tree Automata-based Protocol Analyser)
OF: The output format
9. HLPSL
High Level Protocol Specification Language
Specification of:
    the knowledge required of each agent participating in the protocol
    the knowledge and abilities of the intruder
    the sequence of messages required by the protocol
    the set of sessions (or instantiations) of the protocol
10. IF
Intermediate Format Specification Language
Protocol modelled as a transition system:
    States: local states of honest agents and current knowledge of the intruder
    Transitions: actions of the honest agents and the intruder
    Security properties: attack predicate on states
The .if file contains protocol-independent declarations (operator symbols, algebraic properties, intruder model)
11. Lazy Intruder Model
Represents a search optimisation technique that does not exclude any attacks [BMV04]
Exploits the fact that certain parts of the intruder's messages are irrelevant for the receiver
Data constructors build data without evaluating their arguments
Allows one to represent and compute with infinite data (e.g., streams or infinite trees), generating arbitrary prefixes of the data on demand
12. HLPSL on SSL/TLS: TLS Handshake
Basic Role: alice (Client A)

role alice(A, B : agent,
           H, PRF, KeyGen: hash_func,
           Ka, Ks: public_key,   %% Ks is the public key of a T3P (ie. CA)
           SND, RCV: channel (dy))
played_by A
def=

  local Na, Sid, Pa, PMS: text,
        Nb: text,
        State: nat,
        Finished: hash(hash(text.text.text).agent.agent.text.text.text),
        ClientK, ServerK: hash(agent.text.text.hash(text.text.text)),
        Kb: public_key,
        M: hash(text.text.text)

  const sec_clientk, sec_serverk : protocol_id

  init State := 0

  transition

  1. State = 0 /\ RCV(start)
     =|>
     State' := 2 /\ Na'  := new()
                 /\ Pa'  := new()
                 /\ Sid' := new()
                 /\ SND(A.Na'.Sid'.Pa')
     % Since we abstract away from the negotiation
     % of cryptographic algorithms, here I simply assume
     % that the server must send back Pa. (Essentially
     % modelling that the client makes only one offer.)

  2. State = 2 /\ RCV(Nb'.Sid.Pa.{B.Kb'}_(inv(Ks)))
     =|>
     State' := 3 /\ PMS' := new()
                 /\ M' := PRF(PMS'.Na.Nb')
                 /\ Finished' := H(PRF(PMS'.Na.Nb').A.B.Na.Pa.Sid)
                 /\ ClientK' := KeyGen(A.Na.Nb'.PRF(PMS'.Na.Nb'))
                 /\ ServerK' := KeyGen(B.Na.Nb'.PRF(PMS'.Na.Nb'))
                 /\ SND({PMS'}_Kb'.
                        {A.Ka}_(inv(Ks)).
                        {H(Nb'.B.PMS')}_(inv(Ka)).
                        {H(PRF(PMS'.Na.Nb').
                           A.B.Na.Pa.Sid)
                        }_KeyGen(A.Na.Nb'.PRF(PMS'.Na.Nb')))
                 /\ witness(A,B,na_nb2,Na.Nb')

  4. State = 3 /\ RCV({Finished}_ServerK)
     =|>
     State' := 5 /\ request(A,B,na_nb1,Na.Nb)
                 /\ secret(ClientK,sec_clientk,{A,B})
                 /\ secret(ServerK,sec_serverk,{A,B})

end role
13. HLPSL on SSL/TLS (2): TLS Handshake
Basic Role: bob (Server B)

role bob(A, B : agent,
         H, PRF, KeyGen: hash_func,
         Kb, Ks: public_key,
         SND, RCV: channel (dy))
played_by B
def=

  local Na, Nb, Sid, Pa, PMS: text,
        State: nat,
        Ka: public_key

  init State := 1

  transition

  1. State = 1 /\ RCV(A.Na'.Sid'.Pa')
     =|>
     State' := 3 /\ Nb' := new()
                 /\ SND(Nb'.Sid'.Pa'.{B.Kb}_(inv(Ks)))
                 /\ witness(B,A,na_nb1,Na'.Nb')

  2. State = 3 /\ RCV({PMS'}_Kb.{A.Ka'}_(inv(Ks)).
                      {H(Nb.B.PMS')}_(inv(Ka')).
                      {H(PRF(PMS'.Na.Nb).
                         A.B.Na.Pa.Sid)
                      }_KeyGen(A.Na.Nb.PRF(PMS'.Na.Nb)))
     =|>
     State' := 5 /\ SND({H(PRF(PMS'.Na.Nb).
                            A.B.Na.Pa.Sid)
                         }_KeyGen(B.Na.Nb.PRF(PMS'.Na.Nb)))
                 /\ request(B,A,na_nb2,Na.Nb)

end role
14. HLPSL on SSL/TLS (3): Roles Session/Environment/Goal and OF

role session(A,B: agent,
             Ka, Kb, Ks: public_key,
             H, PRF, KeyGen: hash_func)
def=

  local SA, SB, RA, RB: channel (dy)

  composition
     alice(A,B,H,PRF,KeyGen,Ka,Ks,SA,RA)
  /\ bob(A,B,H,PRF,KeyGen,Kb,Ks,SB,RB)

end role

role environment()
def=

  const na_nb1, na_nb2 : protocol_id,
        h, prf, keygen : hash_func,
        a, b : agent,
        ka, kb, ki, ks : public_key

  intruder_knowledge = { a, b, ka, kb, ks, ki, inv(ki),
                         {i.ki}_(inv(ks)) }

  composition
     session(a,b,ka,kb,ks,h,prf,keygen)
  /\ session(a,i,ka,ki,ks,h,prf,keygen)
  /\ session(i,b,ki,kb,ks,h,prf,keygen)

end role

goal

  secrecy_of sec_clientk,sec_serverk   % Addresses G7

  %Alice authenticates Bob on na_nb1
  authentication_on na_nb1   % Addresses G1, G2, G3, G7, G10
  %Bob authenticates Alice on na_nb2
  authentication_on na_nb2   % Addresses G1, G2, G3, G7, G10

end goal

OF log file:

% OFMC
% Version of 2006/02/13
SUMMARY
  SAFE
DETAILS
  BOUNDED_NUMBER_OF_SESSIONS
PROTOCOL
  /home/avispa/web-interface-computation/./tempdir/workfile5wUPBB.if
GOAL
  as_specified
BACKEND
  OFMC
COMMENTS
STATISTICS
  parseTime: 0.00s
  searchTime: 0.33s
  visitedNodes: 201 nodes
  depth: 7 plies
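As an added example (not from the slides and not part of the AVISPA project), the Python below implements the Dolev-Yao intruder of slide 4 as a small deduction engine over symbolic message terms and runs it against the intruder_knowledge of the environment role above. It also counts the terms a naive forward enumeration of intruder messages produces, which is the branching that slide 11's lazy intruder avoids. The term encoding, the hash-function labels 'H', 'PRF', 'KeyGen' and the values na, nb, sid, pa, pms are constructed for this example.

```python
# Added example: a Dolev-Yao deduction engine over symbolic terms.
# Not from the slides or from the AVISPA project.
#
# Term encoding (constructed for this example):
#   atom            -> 'a', 'ka', 'pms', ...         (plain str)
#   M1.M2           -> ('pair', M1, M2)
#   {M}_K           -> ('enc', M, K)
#   inv(K)          -> ('inv', K)
#   F(M), F a hash  -> ('hash', 'F', M)              F in {H, PRF, KeyGen}

def pair(*ts):
    # right-associated concatenation: a.b.c == a.(b.c)
    return ts[0] if len(ts) == 1 else ('pair', ts[0], pair(*ts[1:]))

def enc(m, k): return ('enc', m, k)
def inv(k): return ('inv', k)
def hsh(f, m): return ('hash', f, m)

def key_inverse(k):
    """inv(inv(K)) = K: the key that opens {M}_K is inv(K)."""
    return k[1] if isinstance(k, tuple) and k[0] == 'inv' else inv(k)

def analyse(knowledge):
    """Decomposition closure: split pairs, open encryptions whose inverse
    key is known. Nothing else: the intruder cannot break cryptography."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == 'pair':
                new = {t[1], t[2]}
            elif t[0] == 'enc' and key_inverse(t[2]) in known:
                new = {t[1]}
            else:
                new = set()
            if not new <= known:
                known |= new
                changed = True
    return known

def can_derive(knowledge, target):
    """Synthesis, goal-directed on the structure of `target` (the lazy
    direction: the intruder's whole term space is never enumerated)."""
    known = analyse(knowledge)
    def derive(t):
        if t in known:
            return True
        if not isinstance(t, tuple):
            return False                    # unknown atom (fresh nonce or key)
        if t[0] in ('pair', 'enc'):
            return derive(t[1]) and derive(t[2])
        if t[0] == 'hash':
            return derive(t[2])
        return False                        # 'inv': private keys cannot be computed
    return derive(target)

def count_naive_terms(knowledge, steps):
    """Naive forward enumeration of every term the intruder could send with at
    most `steps` constructor applications (the branching slide 11 criticises)."""
    terms = set(analyse(knowledge))
    for _ in range(steps):
        frontier = set(terms)
        for x in terms:
            frontier.add(hsh('H', x))
            for y in terms:
                frontier.add(pair(x, y))
                frontier.add(enc(x, y))
        terms = frontier
    return len(terms)

# Initial intruder knowledge of the environment role on the slides:
#   { a, b, ka, kb, ks, ki, inv(ki), {i.ki}_(inv(ks)) }
TLS_INTRUDER_KNOWLEDGE = {'a', 'b', 'ka', 'kb', 'ks', 'ki', inv('ki'),
                          enc(pair('i', 'ki'), inv('ks'))}

def honest_session_transcript():
    """The four handshake messages of session(a,b), built from the alice and
    bob roles on the slides with constructed values na, nb, sid, pa, pms."""
    na, nb, sid, pa, pms = 'na', 'nb', 'sid', 'pa', 'pms'
    m = hsh('PRF', pair(pms, na, nb))
    client_k = hsh('KeyGen', pair('a', na, nb, m))
    server_k = hsh('KeyGen', pair('b', na, nb, m))
    finished = hsh('H', pair(m, 'a', 'b', na, pa, sid))
    msgs = [
        pair('a', na, sid, pa),
        pair(nb, sid, pa, enc(pair('b', 'kb'), inv('ks'))),
        pair(enc(pms, 'kb'), enc(pair('a', 'ka'), inv('ks')),
             enc(hsh('H', pair(nb, 'b', pms)), inv('ka')), enc(finished, client_k)),
        enc(finished, server_k),
    ]
    return msgs, client_k, server_k

def secrecy_holds_for_observer():
    """Does a passive Dolev-Yao intruder watching session(a,b) learn the
    session keys (the slides' sec_clientk / sec_serverk goals)?"""
    msgs, client_k, server_k = honest_session_transcript()
    seen = TLS_INTRUDER_KNOWLEDGE | set(msgs)
    return not can_derive(seen, client_k) and not can_derive(seen, server_k)
```

With this encoding the intruder opens its own certificate {i.ki}_(inv(ks)) using ks and can present it, but cannot produce {i.kb}_(inv(ks)) because inv(ks) is never derivable; watching session(a,b) it learns na, nb, sid, pa and the signed hash, but not pms and hence neither session key. In session(a,i) it does obtain pms via inv(ki), which is consistent with the slides' secret(ClientK,sec_clientk,{A,B}) goal: the secret is declared for {a,i}, so that is not a violation. count_naive_terms({'a','b','ka'}, 2) already yields 1179 candidate messages, which is why OFMC leaves the intruder's message as a variable instead.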
15. Conclusion
The AVISPA tool is still under development, but shows an adequate approach to analysing Internet security protocols
    especially the implementation of the Lazy Intruder Model in the IF specification and OFMC
    using HLPSL, multiple sessions can be simulated and well defined
The AVISPA tool has the following achievements:
    Every protocol can be specified and well modelled in HLPSL and dynamically changed/adapted regarding newer security issues
    There is a chance for developing and implementing newer security protocols
    Easy to use
16. The End
Thank you!
e-mail: Krassen.Deltchev@ruhr-uni-bochum.de
17. Automated analysis of Security protocols: References
[CJ97] John Clark and Jeremy Jacob. A survey of authentication protocol literature: Version 1.0, November 1997. http://www-users.cs.york.ac.uk/jac/papers/drareview.ps.gz
[M94] Catherine Meadows: Formal Verification of Cryptographic Protocols: A Survey. ASIACRYPT 1994
[TA02] Survey in Formal Analysis of Security Properties of Cryptographic Protocols, Tarigan 2002
[DY83] D. Dolev, A. Yao, On the Security of Public Key Protocols, IEEE Trans. on Information Theory, 1983
[BAN89] Michael Burrows, Martin Abadi, and Roger Needham. A logic of authentication. Technical Report 39, Digital Systems Research Center, February 1989
[AJ04] Three Tools for Model-Checking Security protocols, Arruda/Juma, Jan 2004
[MVO05] Automated Validation of Security Protocols (AVASP), Mödersheim/Viganò/Oheimb, Apr. 2005
[BMV04] OFMC: A symbolic model checker for security protocols, Basin/Mödersheim/Viganò, Dec 2004
[BB] Remote Timing Attacks are Practical, Brumley/Boneh
[CHVV] Password Interception in a SSL/TLS Channel, Canvel/Hiltgen/Vaudenay/Vuagnoux
[KPR] Attacking RSA-based Sessions in SSL/TLS, Klima/Pokorný/Rosa
[WS] Analysis of the SSL 3.0 protocol, Wagner/Schneider
RFC 2246 "The TLS Protocol Version 1.0", Jan 1999