Type Checking for Protocol Security: A Cryptyc Approach - Prof. Dan S. Wallach, Study notes of Computer Science

The use of type checking for validating security protocols through the cryptyc language. The authors discuss the challenges of protocol validation and introduce the concept of using types to direct the proof of security properties. The document also covers the mathematical foundations of cryptyc, its syntax, and the process of checking robustness through nonces and typing rules.

Typology: Study notes

Pre 2010

Uploaded on 08/16/2009

koofers-user-zn1
koofers-user-zn1 🇺🇸

10 documents

1 / 7

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
1
Validating Security Protocols
Through Type Checking
Eric Allen and Brian Stoler
COMP 527: Computer Systems Security
December 4, 2001
Protocol validation is hard.
We’d like to prove that our protocols are secure.
Requires a particular notion of proof and security.
Automated theorem proving (e.g. BAN Logic).
May not converge!
Can be slow.
No explicit model for the set of possible attacks.
Model Checking.
Can be slow.
Validation via Type Checking
User annotates protocol with types.
Types direct the proof of security properties.
Localized analysis: components can be verified
independently.
Takes time linear in the size of the protocol!
Mathematical Foundations
Pi calculus (Milner, 1999).
Spi calculus (Abadi and Gordon, 1999).
Cryptyc (Gordon and Jeffrey, 2001).
pf3
pf4
pf5

Partial preview of the text

Download Type Checking for Protocol Security: A Cryptyc Approach - Prof. Dan S. Wallach and more Study notes Computer Science in PDF only on Docsity!

Validating Security ProtocolsThrough Type Checking Eric Allen and Brian StolerCOMP 527: Computer Systems SecurityDecember 4, 2001

Protocol validation is hard. ♦^ We’d like to

prove

that our protocols are

secure.

  • Requires a particular notion of

proof

and

security.

♦^ Automated theorem proving (e.g. BAN Logic).– May not converge!– Can be slow.– No explicit model for the set of possible attacks. ♦^ Model Checking.– Can be slow.

Validation via Type Checking User annotates protocol with

types.

– Types direct the proof of security properties.– Localized analysis: components can be verifiedindependently.– Takes time linear in the size of the protocol!

Mathematical Foundations ♦^ Pi calculus

(Milner, 1999).

♦^ Spi calculus

(Abadi and Gordon, 1999).

♦^ Cryptyc

(Gordon and Jeffrey, 2001).

Cryptyc Language Syntax ♦A program has one client process andany number of server processes.^ – client

name

{^

statement*

  • server

name

socket

{^

statement

Cryptyc Language Syntax ♦^ new

message

♦^ connect

server-process socket

♦^ input

socket pattern

♦^ output

socket message

♦^ decrypt

message pattern

An Example Process^ client Sender {

connect Receiver socket;new msg;output socket {msg}key; } server Receiver socket {

input socket ctext;decrypt ctext {msg}key; }

What are we trying to prove? ♦^ Protocol is

safe.

– Protocol works correctly on its own (without anopponent). ♦ Protocol is

robustly safe.

– Protocol works correctly even in the presence of anarbitrary opponent process.– The opponent needn’t adhere to our type system!!! ♦ Still need to formalize “works correctly”.

Adding nonce to example^ client

Sender

connect

Receiver

socket;

input

socket

nonce;

new^

msg; begin

msg; output

socket

{msg

,^ nonce

}key;

} server

Receiver

socket

new^

nonce; output

socket

nonce;

input

socket ctext; decrypt

ctext {msg

,^ nonce’

}key;

check

nonce

is^

nonce’;

end^

msg;

}

Types to the Rescue ♦^ Need more annotations to help with proof.– Need to correlate nonces with

effects

: events

occuring during process execution.– Nonces are assigned types parameterized byeffects.– A Nonce type specifies the event it validates.

Types to the Rescue ♦^ Added syntax:^ – cast

nonce

to^

nonce’

: Nonce(

effect

  • check

nonce

is

nonce’

: Nonce(

effect*

Typing Rules ♦^ Each process is examined independently. ♦^ Statements are considered in reverse order, withthe effects of each statement accumulated. ♦^ A process type checks if the accumulated effectset is empty.

Effect Rules^ end

e^

^ add

[end

e ]

begin

e^

^ subtract

[end

e ]

cast

n^ to

n’ :Nonce(

e )^

^ add

[e]

check

n^ is

n’ :Nonce(

e )^ 

subtract

[e]

add^

[check

n ]

new

n^

^ subtract

[check

n ]

Type Checking Sender client

Sender

connect

Receiver

socket;

input

socket

nonce;

new^

msg; begin

msg; cast

nonce

is^

nonce’:Nonce(end msg)

output

socket

{msg,

nonce’}key;

[end^ msg

[]]

[]

Type Checking Receiver^ server

Receiver

socket

new^

nonce; output

socket

nonce;

input

socket

ctext;

decrypt

ctext {msg,

nonce’}key;

check

nonce

is^

nonce’:Nonce(end msg);

end^

msg; }

[end^ msg

]^

[check

nonce

[] ]

Implementation ♦^ Gordon and Jeffrey’s implementation:^ cryptyc.cs.depaul.edu. ♦^ We have reimplemented Cryptyc.– Separated parsing and type-checking phases.– More sophisticated error reporting.– More extensible.

Adding Asymmetric Protocols ♦^ In asymmetric protocols, trust may increase asnew information arises. ♦^ An agent may prove identity by sending back anonce encrypted with a public key ♦^ Add

trust effects

to account for state of trust

during a protocol ♦ Trust effects added by

trust

statements, removed

by^ witness

statements

Adding Asymmetric Protocols ♦^ In asymmetric protocols, nonce handshakesmay always proceed as follows:– Challenge in the clear– Response encrypted

Adding Asymmetric Protocols ♦^ In asymmetric protocols, nonce handshakesmay take other forms ♦^ Introduce new challenge/response types