Design and Verification of Specialised Security Goals for Protocol Families
Total Page:16
File Type:pdf, Size:1020Kb
PhD-FSTM-2020-38 The Faculty of Sciences, Technology and Medicine DISSERTATION Defense held on 10/09/2020 in Esch-sur-Alzette to obtain the degree of DOCTEUR DE L’UNIVERSITÉ DU LUXEMBOURG EN INFORMATIQUE by Zach SMITH Born on 22 April 1990 in Peterborough, (United Kingdom) DESIGN AND VERIFICATION OF SPECIALISED SECURITY GOALS FOR PROTOCOL FAMILIES Dissertation defense committee Dr Sjouke Mauw, dissertation supervisor Professor, Université du Luxembourg Dr Peter Y A Ryan, Chair Professor, Université du Luxembourg Dr Rolando Trujillo-Rasúa, Vice Chair Deakin University Dr Cas Cremers Professor, CISPA Heimholtz Center for Information Security Dr Steve Kremer Inria Nancy ii “The case for my life, then, or for that of any one else who has been a mathematician in the same sense in which I have been one, is this: that I have added something to knowledge, and helped others to add more; and that these somethings have a value which differs in degree only, and not in kind, from that of the creations of the great mathematicians or of any of the other artists, great or small, who have left some kind of memorial behind them.” G. H. Hardy iii Abstract Design and Verification of Specialised Security Goals for Protocol Families by Zach SMITH Communication Protocols form a fundamental backbone of our modern information networks. These protocols provide a framework to describe how agents - Computers, Smartphones, RFID Tags and more - should structure their communication. As a result, the security of these protocols is implicitly trusted to protect our personal data. In 1997, Lowe presented ‘A Hierarchy of Authentication Specifications’, formalis- ing a set of security requirements that might be expected of communication protocols. The value of these requirements is that they can be formally tested and verified against a protocol specification. This allows a user to have confidence that their communications are protected in ways that are uniformly defined and universally agreed upon. Since that time, the range of objectives and applications of real-world protocols has grown. Novel requirements - such as checking the physical distance between participants, or evolving trust assumptions of intermediate nodes on the network - mean that new attack vectors are found on a frequent basis. The challenge, then, is to define security goals which will guarantee security, even when the nature of these attacks is not known. In this thesis, a methodology for the design of security goals is created. It is used to define a collection of specialised security goals for protocols in multiple different families, by considering tailor-made models for these specific scenarios. For complex requirements, theorems are proved that simplify analysis, allowing the verification of security goals to be efficiently modelled in automated prover tools. v Acknowledgements The acknowledgements section of this thesis could easily take up more space than the thesis itself, were I to give everyone the thanks that they truly deserve. Thanks to Sjouke, my supervisor, for supporting me these years. I have learned a lot from him, and some of it related to research, too. His advice and patience as I fumbled my way through the various problems faced during my stay is greatly appreciated. Thanks to the people who worked closely with me. Most notable is Jorge, my officemate for a majority of my PhD. I think my most productive days were spent with him, discussing the details of our research. Thanks also to Hyunwoo and Taekyoung Kwon at Seoul National University, who took a chance inviting me to work with them after I stumbled into their office, searching for a desk to work at as I raced to meet a deadline while travelling (the submission in question was later rejected). Finally, thanks to Ioana, Steve and Helen at the University of Surrey. One of the best parts of my PhD has been feeling what it is like to work in multiple different roles in these different groups, and I will treasure this experience greatly. Thanks also to my other coathors - Rolando, Hugo, Ross, Ihor, Selin, Junghwan, Gyeongjae and Taejoong. Thanks to the members of the SaToSS group at the University of Luxembourg, especially the other PhDs, with whom I have formed some close friendships. I am fortunate to have been in a successful group that continues to grow, to the point where the list of names is somewhat extensive. Thanks in particular to Cui and Ninghan, who helped distract me by helping me learn Mandarin Chinese, and to Olga, Alex and Stas, who have given me useful support and advice. Thanks to my advisory team - Cas Cremers and Rolando Trujillo Rasua - who gave me assistance and advice throughout my research. Their guidance in starting my journey in research was of great help. Finally, thanks to my mom and my friends, who have given me the support I needed to make it through these years. vii Contents 1 Introduction1 1.1 Security Protocols...............................1 1.2 Security Goals.................................2 1.3 Research Questions..............................6 1.4 Contributions.................................8 1.5 Layout.....................................9 2 A Multiset Rewriting Model 13 2.1 Fundamentals................................. 13 2.2 Modelling Methodology........................... 18 Bibliography 18 I RFID Protocols 23 3 Distance Bounding Protocols 25 3.1 Introduction to Distance Bounding..................... 26 3.2 Modelling Distance Bounding........................ 28 3.3 Distance Bounding Security......................... 36 3.4 Verifying Distance Bounding Protocols................... 44 3.5 Case Study: TREAD Protocol........................ 48 4 Relations on Security Properties 53 4.1 Introduction to Relations........................... 54 4.2 Collusion and Irreversibility......................... 56 4.3 Post-Collusion Security............................ 59 4.4 Terrorist Fraud on Distance Bounding Protocols............. 62 4.5 Case Study: ISO/IEC 14443 Protocols................... 70 4.6 Results and Conclusions........................... 73 5 Desynchronisation Resistance 77 5.1 Introduction to Key Updating Protocols.................. 78 5.2 A Framework for Key Updating Protocols................. 79 5.3 Defining and Proving Desynchronisation Resistance........... 83 5.4 Case Study: Grouping protocol of Sundaresan et al............ 88 5.5 Case Study: A Two Round Grouping Protocol.............. 88 Bibliography 91 viii II Multiparty Protocols 103 6 Path Protocols 105 6.1 Introduction to Path Protocols........................ 106 6.2 A Framework for Path Protocols...................... 108 6.3 Security Goals for Path Protocols...................... 112 6.4 Case Study: Lightning Network....................... 117 6.5 A Path-Integral Payment Network Protocol................ 120 6.6 Tamarin Implementations.......................... 123 7 TLS and Middleboxes 127 7.1 The TLS Protocol Suite............................ 128 7.2 Middlebox-Enabled TLS Schemes...................... 130 7.3 Case Study: mbTLS.............................. 135 7.4 The maTLS Protocol............................. 137 7.5 Security Verification.............................. 147 7.6 maTLS Implementation & Evaluation................... 148 8 Accountable Proxying 153 8.1 Introduction to LoRaWAN.......................... 154 8.2 Threat Model and Security Goals...................... 155 8.3 Case Study: LoRaWAN 1.0.......................... 157 8.4 Case Study: LoRaWAN 1.1.......................... 161 8.5 A Proposal for a Novel Join Procedure................... 172 8.6 Conclusions.................................. 176 Bibliography 177 9 Conclusion 187 ix List of Figures 2.1 Rules which define the Dolev-Yao adversary................ 17 3.1 Three timing scenarios of a challenge/response round.......... 27 3.2 A representation of Hancke and Kuhn’s protocol............. 29 3.3 Rules for message deduction......................... 33 3.4 Start, Intruder and Network rules...................... 33 3.5 Formalization of Hancke and Kuhn’s protocol............... 35 3.6 A protocol rule that leads to incorrect traces................ 37 3.7 Prototype of rules that lead to well-formed protocols........... 39 3.8 The Tamarin lemma dbsec.......................... 47 3.9 The Tamarin restriction at_most_once.................... 48 3.10 The Tamarin restriction equality...................... 48 3.11 The TREAD protocol.............................. 49 3.12 A representation of the TREAD protocol.................. 49 3.13 A mafia fraud on TREAD with asymmetric encryption.......... 51 3.14 A distance hijacking on TREAD with symmetric encryption....... 51 4.1 The DBToy protocol............................... 59 4.2 Specification rules of the DBToy protocol.................. 60 4.3 Decomposing traces with collusion..................... 60 4.4 Post-collusion attack on Toy protocol.................... 62 4.5 Output of collusion rule generating tool, run against the Brands- Chaum protocol................................ 66 4.6 Identifying Leak collusion rules in a protocol............... 67 4.7 Applying Collusion Rules.......................... 68 4.8 Mastercard’s PayPass protocol........................ 71 5.1 The grouping protocol of Sundaresan et al................. 89 5.2 Attack on EPC grouping protocol...................... 90 5.3 Two-rounds grouping proof protocol.................... 92 5.4 Attack on two-rounds grouping protocol................. 93 6.1 Example of skipping attack on a path protocol.............. 106 6.2 A simple message forwarding protocol..................