CHAPTER 4 SECURITY VERIFICATION
4.3 IDKE Modeled in Casper
4.3.2 Finding an Attack with Casper/FDR
The basic IDKE protocol has only been minimally modified by removing a single identifier, the MN-ID, from message 4, as shown below (braces denote encryption under the key that follows them):
1. nAR → MN : nAR-ID, PK(nAR)
2. MN → nAR : pAR-ID, {PK(nAR), nAR-ID, MN-ID, pAR-ID}K_SMS
3. nAR → pAR : nAR-ID, {PK(nAR), nAR-ID, MN-ID, pAR-ID}K_SMS
4. pAR → nAR : {K_SMS, pAR-ID}PK(nAR)
5. nAR → MN : {K_new, nAR-ID}K_SMS
6. MN → nAR : {na, nAR-ID}K_new
Protocol 3: Basic Version with removed MN-ID (Insecure)
The corresponding Casper implementation of Protocol 3 differs from the basic version only in line 4 of the #Protocol description; line 0 is the environment message that tells the nAR (N) from which pAR (P) to obtain the key:
#Protocol description
0. -> N : P
4. P -> N : {ksms, P}{pkn}
The protocol is insecure: FDR finds a trace of an attack, which CasperFDR interprets as shown in Figure 19. The system-level trace reveals the actual vulnerability of the protocol. Casper prefixes an agent name with "I_" (for example I_NewAR) to indicate that the intruder is claiming to be that agent.
Initialising; please wait.... Ready.
Casper version 1.8
Parsing...
Type checking...
Consistency checking...
Writing output...
Output written to /home/IDKE_v1.11h.csp
Done
Starting FDR
Checking /home/IDKE_v1.11h.csp
Checking assertion SECRET_M::SECRET_SPEC [T= SECRET_M::SYSTEM_S
No attack found
Checking assertion SECRET_M::SEQ_SECRET_SPEC [T= SECRET_M::SYSTEM_S_SEQ
No attack found
Checking assertion AUTH1_M::AuthenticateRESPONDERToINITIATORAgreement_na [T= AUTH1_M::SYSTEM_1
Attack found:
Top level trace:
MobileNode believes (s)he is running the protocol, taking role RESPONDER, with NewAR, using data items Na
NewAR believes (s)he has completed a run of the protocol, taking role INITIATOR, with PrevAR, using data items Na
System level:
0. -> NewAR : PrevAR
1. I_NewAR -> MobileNode : NewAR, PKN
1. NewAR -> I_PrevAR : NewAR, PKN
2. MobileNode -> I_NewAR : PrevAR, {PKN, NewAR, MobileNode, PrevAR}{KSMS}
2. I_PrevAR -> NewAR : PrevAR, {PKN, NewAR, MobileNode, PrevAR}{KSMS}
3. I_NewAR -> PrevAR : NewAR, {PKN, NewAR, MobileNode, PrevAR}{KSMS}
4. PrevAR -> I_NewAR : {KSMS, PrevAR}{PKN}
3. NewAR -> I_PrevAR : NewAR, {PKN, NewAR, MobileNode, PrevAR}{KSMS}
4. I_PrevAR -> NewAR : {KSMS, PrevAR}{PKN}
5. NewAR -> I_PrevAR : {KNEW, NewAR}{KSMS}
5. I_NewAR -> MobileNode : {KNEW, NewAR}{KSMS}
6. MobileNode -> I_NewAR : {Na, NewAR}{KNEW}
6. I_PrevAR -> NewAR : {Na, NewAR}{KNEW}
Checking assertion AUTH2_M::AuthenticateSERVERToINITIATORAgreement_ksms [T= AUTH2_M::SYSTEM_2
No attack found
Done
Figure 19: CasperFDR Output – Attack on Minimized Version
Leaving out the MN identifier in line 4 lets the intruder break the protocol by combining an interleaving attack with a man-in-the-middle attack.
The attack is first shown at a high level, stating which property has been broken and which undesired state is finally reached:
MobileNode believes (s)he is running the protocol, taking role RESPONDER, with NewAR, using data items Na
NewAR believes (s)he has completed a run of the protocol, taking role INITIATOR, with PrevAR, using data items Na
The MN runs the protocol as RESPONDER (the instance MobileNode); the nAR runs it as INITIATOR (the instance NewAR). Casper reports only the roles of the failed run. In the following walkthrough, the messages of the interleaved runs needed to break the protocol are listed step by step (in the original figure they are marked in different colors); between runs, the intruder's role assignment can switch.
In the first two steps of the main run, the intruder takes the role of an nAR, I_NewAR, and contacts the MN by sending message 1. The model assumes that the intruder knows the IDKE protocol and has noticed that the nAR is offering a service to the MN; this is expressed by giving the intruder the knowledge that an AR called NewAR with public key PKN exists (as part of the IntruderKnowledge specification in the Casper file).
0. -> NewAR : PrevAR
1. I_NewAR -> MobileNode : NewAR, PKN
In the second run, the intruder (Mallory) pretends to be the pAR (I_PrevAR). Meanwhile, the first protocol run continues and the intruder, claiming to be the pAR, receives message 1:
1. NewAR -> I_PrevAR : NewAR, PKN
The MN has no reason to be suspicious and answers according to the protocol (message 2). Mallory now possesses the token (the content that authenticates the MN, which is meant to be sent via the nAR to the pAR) and continues the second run by sending message 2:
2. MobileNode -> I_NewAR : PrevAR, {PKN, NewAR, MobileNode, PrevAR}{KSMS}
2. I_PrevAR -> NewAR : PrevAR, {PKN, NewAR, MobileNode, PrevAR}{KSMS}
In effect, the token has simply been redirected to NewAR by the intruder.
Mallory, again pretending to be an nAR (I_NewAR), forwards the token to PrevAR in order to receive an answer from PrevAR:
3. I_NewAR -> PrevAR : NewAR, {PKN, NewAR, MobileNode, PrevAR}{KSMS}
4. PrevAR -> I_NewAR : {KSMS, PrevAR}{PKN}
Mallory reuses the information received from PrevAR, since he plays PrevAR's role in the second protocol run. Hence, once he has received message 3 of the second run, he knows the correct answer and can respond with message 4.
This behavior does not require starting separate runs of the protocol; it can also be achieved by reflecting and interleaving messages.
3. NewAR -> I_PrevAR : NewAR, {PKN, NewAR, MobileNode, PrevAR}{KSMS}
4. I_PrevAR -> NewAR : {KSMS, PrevAR}{PKN}
Finally, Mallory stores message 5, which he received in the role of pAR, and forwards it to MobileNode in the role of nAR (message 5).
5. NewAR -> I_PrevAR : {KNEW, NewAR}{KSMS}
5. I_NewAR -> MobileNode : {KNEW, NewAR}{KSMS}
MobileNode's response (message 6) is likewise forwarded to NewAR.
6. MobileNode -> I_NewAR : {Na, NewAR}{KNEW}
6. I_PrevAR -> NewAR : {Na, NewAR}{KNEW}
Hence, by taking on both roles, I_PrevAR and I_NewAR, and simply forwarding the messages gathered in the different protocol runs, Mallory can disrupt the authentication between MN and nAR. This is possible because neither MN nor nAR can detect that they were communicating with Mallory. Thus the authentication property of the protocol has been broken. The attack does not disclose any secret, but it could lead to serious security holes if further communication is based on trust in the identity of the corresponding parties.
Using the Casper/FDR approach to reduce the risk of over-engineered protocols also helps in understanding why certain information is necessary. With line 4 as P -> N : {ksms, P, M}{pkn}, NewAR would be able to detect the above attack, since the identifier of the MN is then confirmed by the PrevAR. The nAR, which in line 0 is instructed to obtain the key from the pAR, is thus also able to detect the attack.
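To make the trace and the repair concrete, the following Python script is an added example and not part of the thesis or its Casper files: it replays the interleaved run of Figure 19 in a symbolic Dolev-Yao model, with the intruder relaying every message, and evaluates the same two kinds of property FDR checked, Agreement on na between RESPONDER and INITIATOR and secrecy of K_SMS, K_new and na. It runs once with Protocol 3's message 4 ({ksms, P}{pkn}) and once with the original message 4 ({ksms, P, M}{pkn}). The agent and key labels follow Figure 19; the private-key label SKN, the helper names (enc, dec, expect, derivable, run_trace), and the way NewAR records its peer when it has no authenticated MN-ID (it falls back to the pAR named in line 0, reproducing "completed a run ... with PrevAR") are assumptions of this example.

```python
"""Symbolic replay of the CasperFDR attack trace of Figure 19 (Protocol 3).
Messages are tuples; encryption is opaque (Dolev-Yao style) and readable only via
dec() with the matching key.  Message 4 is built in two variants: insecure =
{ksms, P}{pkn} (Protocol 3) and secure = {ksms, P, M}{pkn}.  Labels follow Figure 19;
'SKN' (the private key for PKN) and the belief bookkeeping are assumptions."""
ENC, PAIR = "enc", {"PKN": "SKN"}          # a ciphertext under PKN opens with SKN

def expect(ok, why):                       # an agent aborts its run when a check fails
    if not ok:
        raise ValueError(why)
def enc(key, *body):
    return (ENC, key, tuple(body))
def dec(key, ct):
    expect(isinstance(ct, tuple) and ct[:1] == (ENC,) and PAIR.get(ct[1], ct[1]) == key,
           "cannot open %r with %r" % (ct, key))
    return ct[2]

class MobileNode:                          # M, RESPONDER; shares KSMS with PrevAR
    name, ksms, na, running_with = "MobileNode", "KSMS", "Na", None
    def msg1(self, m1):                    # 1. nAR-ID, PK(nAR) -> 2. pAR-ID, {PK(nAR), nAR-ID, MN-ID, pAR-ID}K_SMS
        self.n, pkn = m1
        return ("PrevAR", enc(self.ksms, pkn, self.n, self.name, "PrevAR"))
    def msg5(self, m5):                    # 5. {K_new, nAR-ID}K_SMS -> 6. {na, nAR-ID}K_new
        knew, n = dec(self.ksms, m5)
        expect(n == self.n, "message 5 names the wrong nAR")
        self.running_with = (self.n, self.na)   # Casper 'Running' event of M
        return enc(knew, self.na, self.n)

class PrevAR:                              # P, SERVER; hands K_SMS to the nAR named in the token
    name, keys = "PrevAR", {"MobileNode": "KSMS"}
    def __init__(self, secure):
        self.secure = secure
    def msg3(self, m3):                    # 3. nAR-ID, token -> 4. {K_SMS, pAR-ID[, MN-ID]}PK(nAR)
        n, token = m3
        for mn_id, ksms in self.keys.items():
            try:
                pkn, n_tok, m_tok, p_tok = dec(ksms, token)
            except ValueError:
                continue
            if (n_tok, m_tok, p_tok) == (n, mn_id, self.name):
                return enc(pkn, ksms, self.name, *([mn_id] if self.secure else []))
        raise ValueError("no valid token")

class NewAR:                               # N, INITIATOR; line 0 names the pAR holding the key
    name, pkn, skn, knew = "NewAR", "PKN", "SKN", "KNEW"
    def __init__(self, secure):
        self.secure, self.m, self.commit = secure, None, None
    def msg0(self, p):                     # 0. -> N : P -> 1. nAR-ID, PK(nAR)
        self.p = p
        return (self.name, self.pkn)
    def msg2(self, m2):                    # 2. -> 3.; the token is opaque to N (no K_SMS yet)
        p, self.token = m2
        expect(p == self.p, "unexpected pAR")
        return (self.name, self.token)
    def msg4(self, m4):                    # 4. -> 5.
        body = dec(self.skn, m4)
        self.ksms = body[0]
        expect(body[1] == self.p, "key came from the wrong pAR")
        if self.secure:                    # pAR vouches for the MN-ID: cross-check the token
            self.m = body[2]
            expect(dec(self.ksms, self.token) == (self.pkn, self.name, self.m, self.p),
                   "MN-ID vouched by pAR does not match the token")
        return enc(self.ksms, self.knew, self.name)
    def msg6(self, m6):                    # 6.; Casper 'Commit' event of N
        na, n = dec(self.knew, m6)
        expect(n == self.name, "message 6 names the wrong nAR")
        # Without an authenticated MN-ID the only peer identity N holds is P from line 0
        # (this reproduces "completed a run ... with PrevAR" in Figure 19).
        self.commit = (self.m or self.p, na)
        return self.commit

def derivable(seen, known=("NewAR", "PrevAR", "MobileNode", "PKN")):   # #IntruderKnowledge
    known, opaque, stack = set(known), [], list(seen)   # Dolev-Yao closure over relayed traffic
    while stack:
        item = stack.pop()
        if isinstance(item, tuple) and item[:1] == (ENC,):
            if PAIR.get(item[1], item[1]) in known:
                stack.extend(item[2])
            else:
                opaque.append(item)
        elif isinstance(item, tuple):
            stack.extend(item)
        elif item not in known:
            known.add(item)
            stack, opaque = stack + opaque, []   # a new key may open older ciphertexts
    return known

def run_trace(secure):                     # replay Figure 19; the intruder relays every message
    m, n, p, seen = MobileNode(), NewAR(secure), PrevAR(secure), []
    relay = lambda msg: seen.append(msg) or msg   # everything passes through the intruder
    m1 = relay(n.msg0("PrevAR"))           # 0. -> NewAR : PrevAR;  1. NewAR -> I_PrevAR
    m2 = relay(m.msg1(m1))                 # 1. I_NewAR -> MobileNode;  2. MobileNode -> I_NewAR
    m3 = relay(n.msg2(m2))                 # 2. I_PrevAR -> NewAR;  3. NewAR -> I_PrevAR
    m4 = relay(p.msg3(m3))                 # 3. I_NewAR -> PrevAR;  4. PrevAR -> I_NewAR
    m5 = relay(n.msg4(m4))                 # 4. I_PrevAR -> NewAR;  5. NewAR -> I_PrevAR
    m6 = relay(m.msg5(m5))                 # 5. I_NewAR -> MobileNode;  6. MobileNode -> I_NewAR
    peer, na = n.msg6(m6)                  # 6. I_PrevAR -> NewAR
    running = {m.name: m.running_with, p.name: None}
    return {"N_commit": (peer, na), "M_running": m.running_with,
            # Agreement(M, N, [na]): N's peer must have been running with N on this na
            "agreement_na": running.get(peer) == (n.name, na),
            "secret_leaked": bool({"KSMS", "KNEW", "Na"} & derivable(seen))}
```

Calling run_trace(False) reproduces the attack: NewAR commits to (PrevAR, Na) while MobileNode was running with NewAR, so agreement on na fails, and derivable() shows that the intruder still cannot obtain K_SMS, K_new or na, matching the SECRET checks in Figure 19. With run_trace(True), the pAR's message 4 names the MN, NewAR cross-checks it against the token it forwarded in message 3, and the commit becomes (MobileNode, Na), so the agreement holds on the same interleaved trace.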