A formal approach for automated reasoning about off-line and undetectable on-line guessing (short paper)

Authors

  • Bogdan Groza
  • Marius Minea
Abstract

Starting from algebraic properties that enable guessing low-entropy secrets, we formalize guessing rules for symbolic verification. The rules are suited for both off-line and on-line guessing and can distinguish between them. We add our guessing rules as state transitions to protocol models that are input to model checking tools. With our proof-of-concept implementation we have automatically detected guessing attacks in several protocols. Some attacks are especially significant since they are undetectable by protocol participants, as they cause no abnormal protocol behavior, a case not previously addressed by automated techniques.

1 Motivation and related work

As password-based authentication continues to be used in practice and weak passwords are still chosen by users, detecting protocols subject to guessing attacks is a topic of high interest in security. In this paper we address the problem of formalizing a previously introduced approach to detect guessing attacks in a manner suitable for implementation in an automated verification toolset. We use IF (Intermediate Format), a specification language that can be handled by model checkers such as OFMC (Open Source Fixedpoint Model-Checker) [3] and SATMC (SAT-based Model Checker) [2] from the AVISPA toolset. A previous intention of integrating guessing rules in OFMC exists in [9], which gives a formalization for off-line guessing attacks. In comparison, our contribution proposes a different formalism (our guessing rules are based on a different reasoning), which allows us to handle both on-line and off-line attacks. Our guessing rules are implemented at the level of the IF description language, without requiring the modification of the back-end model checkers. Other concrete implementations of guessing detection rules are by Corin et al. [7], Lowe [13] who used Casper/FDR and Blanchet [5] in ProVerif, a verifier based on Prolog rules.
Our implementation is based on IF, a specification language which can be handled by several back-end model checkers, notably OFMC and SATMC, which thus gain the ability of detecting guessing attacks. Other theoretical foundations for reasoning on guessing attacks exist. Abadi et al. [1] use the indistinguishability of two terms, deduced by static equivalence, to formalize guessing. Equational theories for the applied pi-calculus are used by Corin et al. in [6], while Baudet [4] uses a constraint solving algorithm for an equational theory. Our guessing rules are based on the pseudo-randomness properties of one-way functions. We consider two cases of guessing: first, when the adversary knows the image of a one-way function computed on the secret and other known input; second, when the adversary knows the image of a trapdoor function (encryption) with a key that depends on the secret, and can establish relations on its input. As one-way functions are pseudo-random, the output for a wrong secret cannot match any previously known value, thus a correct guess can be verified. Most prior work addresses only off-line guessing, considering the low-entropy secret large enough to prevent guessing, or that unsuccessful attempts can be blocked. However, in some on-line attacks the protocol behavior is indistinguishable from normal. These attacks are undetectable by participants and especially dangerous. They are also realistic, as one of our case studies, a Norwegian ATM system, illustrates. Undetectable on-line attacks have also been the focus of Ding and Horster [8], but without a formalization or automated detection.

* This work is supported in part by FP7-ICT-2007-1 project 216471, AVANTSSAR: Automated Validation of Trust and Security of Service-oriented Architectures.
2 Formalization of guessing rules

To express the feasibility of guessing, we use the concept of strongly distinguishing functions [10], which cannot give the same output for two different secrets when these are paired with sufficiently many input choices.

Definition 1. Given $\sigma \in \{0,1\}^k$, we call a function $f(\sigma, x)$ strongly distinguishing in the first argument after $q$ queries if, given any $q$ distinct values $\{x_1, x_2, \ldots, x_q\}$, for all $s_1 \neq s_2$ the probability that $f(s_1, x_i) = f(s_2, x_i)$ for all $i = 1..q$ is at most $2^{-k}$, i.e., $\forall s_1 \neq s_2 \,.\, \Pr[f(s_1, x_i) = f(s_2, x_i),\ i = 1..q] \le 2^{-k}$.

Using strongly distinguishing functions, we have characterized the conditions for an intruder's guess in a guessing lemma [10]. However, due to its algebraic rather than symbolic formulation, it cannot be directly implemented in a formal verification tool. Therefore, we will link the concept of strongly distinguishing function (in one query) with a symbolic protocol description. Protocol descriptions contain terms, which are either atomic or composed. Atomic terms are variables, constants or numbers; composed terms are formed by applying pair, crypt, inv and other predefined operators on atomic terms. Facts are predicates defined over terms, such as iknows, state, contains, etc.

Definition 2. We call a symbolic protocol description $P$ a triple composed of an initial state, a set of transition rules and a set of attack states, i.e., $P = (InitialState, TransitionRule^*, AttackState^*)$, where: i) the initial state is a conjunction of ground facts, ii) a transition rule has the form $LHS \Rightarrow RHS$ where $LHS$ and $RHS$ are conjunctions of facts, and $LHS$ may also contain a negated fact and a condition (a conjunction of term equalities and inequalities), iii) an attack state is a conjunction of facts with a condition (like a $LHS$).

To reason about guessing, we define derivation rules $P \vdash_r T$, denoting that term $T$ can be derived from term set $P$ using rule $r$.
Rule $\vdash_{ihears} Term$ denotes that a term has been overheard by the intruder during protocol execution. Denote the set of symbols (constants or variables) appearing in $Term$ by $S(Term)$. If $s \in S(Term)$ is such a symbol, we also write $Term \vdash_{part} s$. Let $Term \vdash_{s \leftarrow gen(s')} Term'$ denote that $Term'$ is obtained by substituting any occurrence of the symbol $s$ in $Term$ with a fresh symbol $s' \notin S(Term)$. For instance, $crypt(s, m) \vdash_{s \leftarrow gen(s')} crypt(s', m)$. As a particular case, we write $Term \vdash_{s \leftarrow igen(s')} Term'$ if $s$ is substituted by a fresh value chosen by the intruder. Consider a valuation function $v$ defined on atomic terms with algebraic values, and extended to composed terms through function and operator application. We now relate our symbolic reasoning to the algebraic properties of the protocol.

Definition 3. A symbolic protocol description $P$ is called algebraically dependent on symbol $s$, denoted $P \mathrel{dep} s$, if for any term $Term$ such that $\vdash_{ihears} Term$ and $Term \vdash_{part} s$, and considering $Term'$ such that $Term \vdash_{s \leftarrow gen(s')} Term'$, for any valuation $v$ such that $v(s) \neq v(s')$ we have $v(Term) \neq v(Term')$.

Given $s \in S(Term)$, denote by $O_s(\cdot)$ the oracle corresponding to the function obtained by making $s$ a variable in $Term$ and keeping other parts of it constant, e.g., $O_s(\cdot)$ is the oracle corresponding to $f(s) = crypt(s, m)$.

Lemma 1. The symbolic protocol description $P$ is algebraically dependent on $s$, i.e., $P \mathrel{dep} s$, if and only if any function $f$ obtained as $O_s(\cdot)$, where $s \in S(Term)$ and $\vdash_{ihears} Term$, is strongly distinguishing in one query.

Lemma 1 relates a symbolic protocol description with the algebraic notion of strongly distinguishing function in one query. Since injective functions are strongly distinguishing in one query, any symbolic protocol description in which a symbol $s$ occurs only in the body of an injective (bijective) function is algebraically dependent on $s$.
In practice, this covers a large class of protocols, since most cryptographic functions are bijective (even hash functions, if one assumes they are collision-free in the inputs that a protocol participant can provide).

Definition 4. An adversary observes an oracle for a secret $s$ if it hears a term that contains $s$. The adversary controls an oracle for secret $s$ if by replacing $s$ in a term with a fresh $s'$ (rule $\vdash_{s \leftarrow igen(s')}$) the adversary knows the new term.

$\vdash_{ihears} Term \land Term \vdash_{part} s \Rightarrow observes(O_s(\cdot))$ (1)

$\vdash_{ihears} Term \land Term \vdash_{s \leftarrow igen(s')} Term' \land \vdash_{iknows} Term' \Rightarrow controls(O_s(\cdot))$ (2)

Lemma 2. Consider a symbolic protocol description $P$ such that $P \mathrel{dep} s$. If an adversary observes and controls an oracle for a low-entropy secret $s$ then the adversary can guess the secret $s$, i.e.,

$observes(O_s(\cdot)) \land controls(O_s(\cdot)) \Rightarrow iguess(s)$ (3)

The adversary can also guess if it observes messages encrypted with a key computed as a strongly distinguishing function on the secret, controls the corresponding decryption oracle, and can establish a relation to one or several parts of the encrypted messages. We formalize this case in what follows.

Definition 5. We call s-dependent an encryption or decryption oracle that uses a key containing $s$. An adversary that hears the encryption of some message with a key that contains $s$ is said to observe an s-dependent encryption oracle. Moreover, we say that he controls the corresponding s-dependent decryption oracle if by replacing $s$ in the encryption key with a fresh $s'$ known to him the adversary can decrypt arbitrary messages encrypted with the new key, i.e.,

$\vdash_{ihears} \{M\}_K \land K \vdash_{part} s \Rightarrow observes(O^{\{M\}_K}_s(\cdot))$ (4)

$\{M\}_K \vdash_{s \leftarrow igen(s'),\; M \leftarrow gen(M')} \{M'\}_{K'} \land \vdash_{iknows} M' \Rightarrow controls(O^{\{M\}_{K^{-1}}}_s(\cdot))$ (5)

Here, $\{M\}_K$ is the encryption of message $M$ with key $K$. To keep relation (5) simple, we've left implicit that the adversary must overhear the term $\{M\}_K$ and the encryption key must contain $s$, i.e., $\vdash_{ihears} \{M\}_K \land K \vdash_{part} s$ as a premise.
This is of course needed for the question of controlling the oracle to make sense. To express a relation between encrypted inputs we first need a derivation rule to produce all distinct messages $M$ that satisfy a property $Fact(M)$, by concatenating them into term $T$, denoted $Fact \vdash_{concat} T$. For example, $(\vdash_{ihears} M) \vdash_{concat} T$ yields a term $T$ that is the concatenation of all distinct terms for which $\vdash_{ihears} M$ holds. Similarly, $(\vdash_{ihears} \{M\}_K \land K \vdash_{part} s) \vdash_{concat} T$ produces the concatenation of all distinct messages that are encrypted with a key that contains $s$. Also, let $T \vdash_{split} \langle T', T'' \rangle$ denote that $T'$ and $T''$ are derived by splitting $T$ into disjoint subsets of terms (at least one of them non-empty).

The second guessing rule requires powerful capabilities: to find a relation between two terms (the relates fact) the adversary can use any available operators: pair, crypt, etc., as well as his Dolev-Yao abilities, fake, overhear, etc. Thus, for deciding relates the adversary can perform any transition allowed by the symbolic protocol description $P$. The following definition models this intuition.

Definition 6. An adversary can relate two terms $T'$ and $T''$ of a symbolic protocol description $P$ if by adding $T'$ to the adversary knowledge he can derive $T''$ (denoted $T' \vdash_{DY(P)} T''$) using all its abilities over $P$.

$T' \vdash_{DY(P)} T'' \Rightarrow relates(T', T'')$ (6)

Lemma 3. Let $P$ be a symbolic protocol description such that $P \mathrel{dep} s$.
If the adversary observes one or more s-dependent encryption oracles for which he controls the corresponding decryption oracles and can relate parts of the encrypted messages then the adversary can guess the secret, i.e.,

$observes(O^{\{M\}_K}_s(\cdot)) \land controls(O^{\{M\}_{K^{-1}}}_s(\cdot)) \vdash_{concat} T \land T \vdash_{split} \langle T', T'' \rangle \land relates(T', T'') \Rightarrow guess(s)$ (7)

3 Implementation and experimental results

Our formalization of the guessing calculus makes it amenable to an implementation where states are sets of terms, and transitions are given as rewrite rules, as in the IF protocol specification language. Derivations such as $\vdash_{ihears}$, $\vdash_{part}$, $\vdash_{s \leftarrow gen(s')}$, $\vdash_{split}$ yield corresponding IF facts. These are combined into rules to establish the relations observes and controls, and ultimately, guessing. We use an adversary model with standard Dolev-Yao abilities: the adversary can fake new messages, intercept sent messages or overhear them. Moreover, the adversary has the standard computational abilities: he can encrypt and decrypt if he knows the corresponding key, and he can pair and decompose messages. Based on this model we want to express rules for the adversary's ability to observe and control oracles. To decide whether a composed term represents an oracle, we need to determine if it contains the secret to be guessed. By overhearing such a term, the adversary observes the oracle. Further, to decide controls, we start from terms containing the secret, construct new terms in which the secret is replaced by a different value and test if the adversary knows them, and thus controls the oracle for the function derived from the term. For secret containment (the derivation $\vdash_{part}$ in our theory) we define the containsSec fact, which is true for all terms containing the secret. For secret replacement (derivation $\vdash_{s \leftarrow gen(s')}$), we define the replaceSec fact which replaces any secret from the guessableSecrets set with a replacement secret.
With these helper facts defined, the observes and controls abilities are easily derived. Observing an oracle is modeled as ihears(T).containsSec(T, SList), where SList is the list of guessable secrets, while controlling an oracle is specified as replaceSec(T, TNew).iknows(TNew) (where pairing with . means fact conjunction in IF). Explicit observes and controls predicates are not necessary; for efficiency, the above expressions are directly embedded into the guessing rules.

Guessing multiple secrets. To enable guessing in such scenarios, secrets already guessed must be used in subsequent guesses. However, this cannot be expressed by a simple chaining of the guesses, since adding new knowledge to the intruder cannot be done dynamically in the attack condition. Our simple and effective solution expresses the guessing rule (based on the observes and controls abilities) as a transition of the protocol itself. As a result, any guessed value is added to iknows. Being protocol-independent, this rule can be inserted in any protocol specification and enables chaining multiple guesses.

Distinguishing detectable from undetectable on-line attacks. As a first intuition, if guessing takes place after a participant reached a final state, then guessing goes undetected for that participant. This intuition is wrong, as the same participant may have another instance still running. To distinguish undetectable from detectable on-line guessing attacks, we need to express that all participant instances have successfully completed. We can do this by adding the PIDs of all started instances to a set, adding their termination to the intruder knowledge and checking the match in the attack condition. Alternatively, simply matching the count of started and finished instances suffices.

MS-CHAP and NTLM. These are two simple, well known protocols from Microsoft, vulnerable but still frequent in practice even today. MS-CHAP is used for remote user authentication and has two versions. NTLM is used with SMB to access remote printers, files etc. and has three versions: NTLMv1, NTLMv2 and NTLMv2-Session. Figure 1 presents MS-CHAP v2 and NTLM v2-Session.
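The observes/controls rule (3) of Section 2, and the Section 3 points that containsSec and replaceSec reduce it to term operations, that the rule is applied as a transition whose guessed value enters iknows so that guesses chain, and that undetectability needs every started instance to have finished, as an added illustration in Python. This is not the paper's IF specification and not code by its authors: terms are tuples, the Dolev-Yao closure is a decomposition fixpoint plus a synthesis check, and the trace (a nonce n1, a challenge response hash(pw, n1), and a value hash(pw, pin) binding the password to a low-entropy PIN), the secret names and all function names are constructed assumptions. It assumes hash and crypt are injective on these inputs so that P dep s holds (Lemma 1), and it does not model the encryption rule (7).

```python
# Added illustration, not the paper's IF specification: a minimal symbolic
# model of the observes/controls guessing rule (3), applied as a transition so
# that guessed secrets enter iknows and later guesses can chain on them.
# Terms: atoms are str; composed terms are tuples ("pair", a, b),
# ("crypt", key, msg) for symmetric encryption, and ("hash", x).
# Assumption: hash/crypt are injective on these inputs, so P dep s holds.


def contains_sec(term, secrets):
    """containsSec (derivation |-part): the term syntactically contains a guessable secret."""
    if isinstance(term, str):
        return term in secrets
    return any(contains_sec(t, secrets) for t in term[1:])


def replace_sec(term, secret, fresh):
    """replaceSec (derivation |-s<-igen(s')): replace s by an intruder-chosen fresh value."""
    if isinstance(term, str):
        return fresh if term == secret else term
    return (term[0],) + tuple(replace_sec(t, secret, fresh) for t in term[1:])


def derivable(term, known):
    """Dolev-Yao synthesis: a term is derivable if it is known, or if every
    component of a composed term is derivable (pair, encrypt, hash)."""
    if term in known:
        return True
    if isinstance(term, str):
        return False
    return all(derivable(t, known) for t in term[1:])


def analyze(knowledge):
    """Dolev-Yao analysis closure: split known pairs and decrypt ciphertexts
    whose key the intruder can derive; iterate to a fixpoint."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                parts = set(t[1:])
            elif t[0] == "crypt" and derivable(t[1], known):
                parts = {t[2]}
            else:
                continue
            if not parts <= known:
                known |= parts
                changed = True
    return known


def guessable(term, secret, iknows, fresh="s_fresh"):
    """Rule (3) for one overheard term: observes(O_s) and controls(O_s) => iguess(s).
    observes: the term contains s.  controls: after replacing s by a fresh value
    the intruder chose, the new term is derivable from its knowledge."""
    if not contains_sec(term, {secret}):
        return False
    replaced = replace_sec(term, secret, fresh)
    return derivable(replaced, analyze(iknows | {fresh}))


def run_guessing(heard, secrets, iknows=()):
    """Apply the guessing rule as a protocol transition until no new secret is
    guessed. Each guessed value is added to iknows, which is what lets a later
    guess use an earlier one. Returns the guessed secrets in guess order."""
    iknows = set(iknows) | set(heard)   # overheard terms are intruder knowledge
    guessed = []
    progress = True
    while progress:
        progress = False
        for s in secrets:
            if s not in guessed and any(guessable(t, s, iknows) for t in heard):
                guessed.append(s)
                iknows.add(s)
                progress = True
    return guessed


def undetectable(started_pids, finished_pids):
    """Undetectable on-line guess: every started participant instance has
    reached its final state, not merely one of them (the count/set check)."""
    return set(started_pids) == set(finished_pids)


# Constructed trace: nonce, challenge response hash(pw, n1), and a value
# binding the password to a low-entropy PIN.
HEARD = ["n1", ("hash", ("pair", "pw", "n1")), ("hash", ("pair", "pw", "pin"))]

if __name__ == "__main__":
    print(run_guessing(HEARD, ["pin", "pw"]))                          # ['pw', 'pin']
    print(run_guessing([("hash", ("pair", "pw", "k_long"))], ["pw"]))  # []
    print(undetectable({1, 2}, {2, 1}), undetectable({1, 2}, {1}))     # True False
```

Two things the trace shows that the rule statement alone does not: the PIN is not guessable on its own (replacing it leaves the unknown password in the term, so controls fails), but becomes guessable once the password guess has been added to iknows, which is why the rule must be a transition rather than a one-shot attack condition; and a term that contains the secret together with a high-entropy value the intruder never learns (k_long) is observed but not controlled, so no guess is reported.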

Publication date: 2009