Formally Analysing a Security Protocol for Replay Attacks

Formally Analysing a Security Protocol for Replay Attacks

Formally Analysing a Security Protocol for Replay Attacks Benjamin W. Long School of Information Technology and Electrical Engineering The University of Queensland, 4072, Australia [email protected] Colin J. Fidge School of Software Engineering and Data Communications Queensland University of Technology, 4001, Australia c.fi[email protected] Abstract We are in an age that requires us to follow rigorous devel- opment processes. For example, the Common Criteria [31], The Kerberos-One-Time protocol is a key distribution an international standard for development and evaluation of protocol promoted for use with Javacards to provide secure security systems, requires formal methods to be used in or- communication over the GSM mobile phone network. From der to obtain the highest level of assurance (EAL7). inspection we suspected a replay attack was possible on the In this paper we take advantage of the Object-Z [11] protocol. To check this, we formally specified the proto- specification language and the SAL [9] model checker to col using Object-Z and then analysed its behaviour in the presence of an attacker using the Symbolic Analysis Lab- • present a formal specification of the Kerberos-One- oratory’s model checker. To produce accurate results effi- Time protocol; ciently, our formalism included an abstraction of the pro- • tocol’s data structures that captured just those character- produce the suspected replay attack, thus verifying its istics that we believed made the protocol vulnerable. Ulti- existence; and mately, the model checker’s analysis confirmed our suspi- • prove that a suggested fix will prevent this or similar cions about the protocol’s weakness. attacks from occurring. 1 Introduction 2 Related work The GSM (Global System for Mobile Communications) Work already done in formal analysis of security mobile phone network currently connects over two billion protocols is dominated by trace-based methods such as subscribers using wireless technology. Every mobile phone CSP/FDR [24], the spi calculus [1], Murϕ [20], and uses a Subscriber Identification Module (SIM) which is a the purpose built Interrogator [19] and Brutus [7] model smart card that enables the phone to access the network. checkers. Logics [21, 22] including the specialised BAN Cimato [6] derived the Kerberos-One-Time protocol and logic [5] and TAPS [8] theorem prover have also been suggested that its implementation could be used in conjunc- well researched. Other purpose-built methods include the tion with a GSM Javacard (a GSM SIM that executes Java NRL Protocol Analyzer [17], the AVISPA security protocol code) to provide secure communication. model checker [3], and strand spaces [30] supported by the Inspection of the proposed protocol led us to believe that Athena tool [26]. a replay attack could potentially occur. Replay attacks [29] Meadows [18] states that most of the attention has been occur when an intruder copies an encrypted message and paid to the design of languages for evaluating security, replays it in a different protocol instance. If the receiving whereas, the ability to specify their desired behaviour is also agent does not realise the message is from a previous in- important. Similarly, Gollmann [12] observes that high- stance and continues to participate in the protocol, security level abstract protocol specifications may not be precise may be compromised. enough for implementers. Proceedings of the 2006 Australian Software Engineering Conference (ASWEC’06) 1530-0803/06 $20.00 © 2006 IEEE General purpose state-based formalisms such as B [2], contains the new session key, the first password (the value Z [27], and VDM [4] have seldom been used for proto- H t (w) of the seed after being hashed t times), and a times- col analysis despite the potential for accurate modelling of tamp T . message content and agent behaviour allowed by their rich, In step 3 Alice forwards the ticket to Bob in order to expressive data structures. establish communication with him. She also sends an au- Previously, we demonstrated the value of using the Z thenticator — a segment encrypted with the new session and Object-Z formal specification languages for verifying key KAB that contains her identity A and the password. By attacks on security protocols due to the expressive nature of decrypting the authenticator using the new session key and these notations [15, 16]. More recently, Smith and Wild- checking that the content of the authenticator is consistent man [25] showed how Z specifications can be analysed us- with that of the ticket, Bob confirms that Alice is the initiat- ing the SAL model checker. Their research highlighted the ing agent. As long as Bob stores all received authenticators similarities and compatibility between the formal styles of for the lifetime of the ticket, the timestamp enables Bob to Z and SAL. Additionally, Rushby [23] has already used the determine if this third message has been replayed. SAL model checker to verify the Needham-Schroeder Pro- Finally, Bob acknowledges the fact that he received the tocol. In this paper we combine these principles and show correct key for communication by replying with a modi- how to use SAL for automated verification of an Object-Z fied version of the password in step 4. Alice can use this security protocol specification. message to confirm that Bob has received the session key since the original password in step 3 can be accessed only 3 Review of the Kerberos-One-Time protocol by someone with key KBS . The original Kerberos protocol [28] aimed to establish 3.2 Continuation of the protocol new session keys for confidential communication between protocol agents. However, subsequent communication us- Subsequent communication from Alice follows in the ing these keys was potentially subject to replay attacks [13]. second phase of the protocol in which Alice includes the In order to ensure replay attacks are not possible, a freshness password, this time hashed t − i times where i is the ith identifier must be included in each message. The Kerberos- message after initialisation. One-Time protocol [6] was derived from integration of the → : , { , t−i ( )} Kerberos protocol [28] and Lamport’s one time password A B A i H w KAB scheme [14] as a method of ensuring such freshness. The protocol consists of two phases as discussed in the follow- Bob will authenticate the message based on the one time ing sections. password scheme in which he hashes the password i times and compares the result with the original password received t 3.1 Establishing a session key H (w). When all passwords for this seed have expired, i.e., when The following protocol describes the first phase in which i equals the maximum number of times the seed w may be a session key is established between two agents, Alice A used, Bob will not accept any more messages until the seed and Bob B, via a trusted third party, Sam S. has been renewed. However, if a message of the following form is sent, where w is a new seed for a new chain of one time passwords, there is no need to start the protocol from 1. A → S : A, {B}KAS t initialisation again [6]. 2. S → A : {B, KAB , w}KAS , {A, B, KAB , H (w), T }KBS t t A → B : A, {A, H (w)}K , {A, B, KAB , H (w), T }K 3. AB BS t−i t t ( ), ( )} A → B : {i, H w H w KAB 4. B → A : B, {H (w)+1}KAB Alice initiates the protocol by sending message 1 to Sam, containing her identity A and Bob’s identity B, indicating 3.3 A potential weakness that she wishes to establish a secure session key with Bob. Bob’s identity is encrypted (denoted by ‘{}’) using the key According to Cimato, the use of a session key should be KAS shared by Alice and Sam. restricted to a short time period, avoiding the possibility of Sam responds to Alice’s request in step 2 with two en- cryptanalytic attacks and limiting the number of messages crypted messages. The first is encrypted for Alice and con- compromised if the key is derived [6]. tains a new randomly generated session key KAB for com- Bob’s behaviour is consistent with this requirement as munication with Bob and a seed w for authentication pur- we are told that on receiving message 3, which contains the poses. The second message (or ticket) encrypted for Bob new session key, Bob checks the timestamp T to ensure the Proceedings of the 2006 Australian Software Engineering Conference (ASWEC’06) 1530-0803/06 $20.00 © 2006 IEEE message was not replayed. However, we found it strange 4.2 Defining supporting functions that Alice does not make a similar check for freshness when she receives the key in step 2. This inconsistency led us To complete the set of basic data structures defined to wonder whether the protocol was susceptible to a replay above, we specify various functions on messages to produce attack. The following sections demonstrate the approach to encrypted, hashed, and acknowledgement items. formal analysis taken to confirm our suspicion. The strongest behaviour required of the encryption func- tion for our model is that, given any key, a unique encrypted 4 Specifying the protocol in Object-Z item will be produced for each supplied message. This be- haviour is captured by the following function enc in which Object-Z [11] is an object-oriented formal specification an injective function is used to ensure unicity. language in which set theory and logic is used to describe : → ( ) the internal states of system classes and the behaviour of enc KEY MSG ENC class operations on those states. The advantage of using The one time password scheme relies on multiple hash- Object-Z for specifying security protocols is that it enables ing of the seed.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    10 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us