Symbolic Simulation of Symbolic Simulation of Tunneling ProtocolsTunneling Protocols

Carl A. Gunter, Matthew Jacobs, Gaurav Shah, Carl A. Gunter, Matthew Jacobs, Gaurav Shah, Mark-Oliver Stehr (UIUC), andMark-Oliver Stehr (UIUC), and

Alwyn GoodloeAlwyn Goodloe

HCES 2004HCES 2004

OverviewOverview

Motivating problem from wireless security.Motivating problem from wireless security.

Solution by composing secure tunnels.Solution by composing secure tunnels.

Software engineering and modeling. Software engineering and modeling.

Future plans. Future plans.

Wireless SecurityWireless Security

Why is wireless security any different from Why is wireless security any different from wired security?wired security? Resource constraints.Resource constraints. Increased risk to confidentiality.Increased risk to confidentiality. Value of the network link.Value of the network link.

Wireless Security EffortsWireless Security Efforts

Layer 1 (Physical)Layer 1 (Physical) Spread spectrumSpread spectrum

Layer 2 (Link)Layer 2 (Link) 802.11x – 802.11(b) WEP, 802.11(g)802.11x – 802.11(b) WEP, 802.11(g) CDMA 2000CDMA 2000 GPRSGPRS

SGSN

Server

RADIUS

GGSN

Attacker

GPRSGPRS

Network Layer Wireless SecurityNetwork Layer Wireless Security

We propose that security be addressed at the We propose that security be addressed at the network layer.network layer.

AdvantagesAdvantages Independent of underlying link layer.Independent of underlying link layer. Overcomes many of the problems of layer 2 Overcomes many of the problems of layer 2

solutions.solutions. Leverages extensive experience, s/w, and h/w Leverages extensive experience, s/w, and h/w

support from Ipsec for VPNs.support from Ipsec for VPNs.

DisadvantageDisadvantage Need set up protocols. Need set up protocols.

Protocols for Tunnel CompositionProtocols for Tunnel Composition

We have been investigating protocols for We have been investigating protocols for composing IPSec security tunnels.composing IPSec security tunnels.Given a scenario we ask:Given a scenario we ask: What tunnels should we establish What tunnels should we establish What properties should these tunnels have.What properties should these tunnels have.

Develop protocols that compose these Develop protocols that compose these tunnels into a satisfactory solution.tunnels into a satisfactory solution. Lots of messy details to consider in order to Lots of messy details to consider in order to

get the composition to work.get the composition to work.

Toward Network Layer SecurityToward Network Layer Security

Suppose we have three parties: client, server, Suppose we have three parties: client, server, network access server (NAS). network access server (NAS).

The client wishes to securely access the server.The client wishes to securely access the server.

We will assume that the client has a relationship We will assume that the client has a relationship with the NAS and the server, but the NAS does with the NAS and the server, but the NAS does not have a relationship to the server.not have a relationship to the server. The Client will have to authenticate itself to both the The Client will have to authenticate itself to both the

NAS and the server.NAS and the server.

Network Layer Wireless SecurityNetwork Layer Wireless Security

Laptop

Server

Authentication

Authentication and Encryption

NAS

ProblemProblem

Similar problem to GPRS above.Similar problem to GPRS above.

The NAS does not protect the client from The NAS does not protect the client from attacking incoming traffic.attacking incoming traffic.

Being forced to pay for service you never Being forced to pay for service you never used is worse than denial of service.used is worse than denial of service.

How About a FirewallHow About a Firewall

Laptop

Server

Authentication

Authentication and Encryption

NAS

Firewall

Why Not a FirewallWhy Not a Firewall

A stateful firewall can be programmed to A stateful firewall can be programmed to allow only traffic from the address to which allow only traffic from the address to which a connection has been made. a connection has been made.

The firewall can not see the contents of The firewall can not see the contents of the IPSec traffic. Resulting in minimum the IPSec traffic. Resulting in minimum protection.protection.

L3A Protocol PrinciplesL3A Protocol Principles

The user’s traffic should travel in DOS The user’s traffic should travel in DOS resistant IPSec tunnels.resistant IPSec tunnels.

These IPSec tunnels should be set up These IPSec tunnels should be set up using DOS resistant protocols. using DOS resistant protocols.

The NAS should ensure that when the The NAS should ensure that when the accounting system logs traffic as being accounting system logs traffic as being from a user it is actually from that user.from a user it is actually from that user. Authenticate incoming traffic. Authenticate incoming traffic.

L3A ArchitectureL3A Architecture

Laptop

Server

Authentication Authentication

Authentication and Encryption

NAS

L3A Protocol ComponentsL3A Protocol Components

L3A protocol that sets up the six tunnels.L3A protocol that sets up the six tunnels.

SIKE Key Exchange protocol (X509 + SIKE Key Exchange protocol (X509 + DOS protection).DOS protection). Very simple. Does not use two party key Very simple. Does not use two party key

generation.generation. No guarantee of perfect forward secrecy.No guarantee of perfect forward secrecy. Assumes existence of public key Assumes existence of public key

infrastructure. infrastructure.

L3A Protocol OverviewL3A Protocol Overview

ClientNAS

Server

Key ExchangeKey ExchangeSIKESIKE

AB

rA, SPI(n,0)

rA,rB, SPI(n,m), certB, cookieA

certA,cookieA, DA, Ps(a,DA)

Where DA = [rA, IPB, SPI(n,m)]

Where CookieA = VersionSecret | Hash([rA,rB,IPA, SPI(n,m)],Secret)

DB, Ps(b,DB)

Where DB = [rB, IPA, rA, SPI(n,m), Pe(A, K)]

Methodology Methodology

An English language description An English language description resembling an IETF RFC is produced.resembling an IETF RFC is produced.A formal specification is written in Maude.A formal specification is written in Maude. Systems are modeled using membership Systems are modeled using membership equational logic and rewriting logic.equational logic and rewriting logic.Symbolic simulation has been our main Symbolic simulation has been our main debugging aid. debugging aid. We feel the design is now relatively We feel the design is now relatively stable.stable.

Maude Model of L3AMaude Model of L3A Our Maude model seeks to apply good SE Our Maude model seeks to apply good SE techniques to modeling the L3A protocol.techniques to modeling the L3A protocol. Documentation and proper configuration control. Documentation and proper configuration control.

Accent is on verifying design. Accent is on verifying design.

Component interaction was our primary concern.Component interaction was our primary concern.

Modeled the various components and layers.Modeled the various components and layers. IP, IPSec, L3A, …..IP, IPSec, L3A, …..

Symbolic simulation highlights the unexpected Symbolic simulation highlights the unexpected interactions.interactions.

Overview of Module InteractionOverview of Module InteractionL3A

PKI

SIKE

IP SEC

IP

setkey

Security Assoc

State Message

IP SECSecurity Policy

SIKEPKI

L3A AbstractL3A

L3a Test Abstract

L3A Test ConcreteSIKE Test

IP

Routing TableIP Message

Setkey

Modeling Uncovered ProblemsModeling Uncovered Problems

Problems arose from interactions among Problems arose from interactions among the components. the components. Numerous iterations were required to resolve Numerous iterations were required to resolve

problems resulting from when the IP Sec problems resulting from when the IP Sec databases are updated.databases are updated.

When things are not done right packets can When things are not done right packets can slip into partially setup tunnels. slip into partially setup tunnels.

We Didn’t ModelWe Didn’t Model

Timeouts and resends.Timeouts and resends.Lost Messages.Lost Messages.Periodic updates to the secret used to generate Periodic updates to the secret used to generate the cookie.the cookie.Fragmentation.Fragmentation. Can be the source of DOS attacks.Can be the source of DOS attacks.

UDP layer. Ports not mentioned at all in the UDP layer. Ports not mentioned at all in the model. model. Attacks.Attacks.Formally verify SIKE/L3A. TBD.Formally verify SIKE/L3A. TBD.

ImplementationImplementationPlatform. X86 running FreeBSD. C, Python, and TLS Platform. X86 running FreeBSD. C, Python, and TLS crypto libraries.crypto libraries.

Radius server to be used for accounting.Radius server to be used for accounting.

Will demonstrate that our protocol can be implemented Will demonstrate that our protocol can be implemented using available technology.using available technology.We will seek to validate the implementation against the We will seek to validate the implementation against the Maude model. Maude model.

The protocol is very deterministic.The protocol is very deterministic. Should be able to match a run of the simulation against a run of Should be able to match a run of the simulation against a run of

the actual protocol modulo some specific field values.the actual protocol modulo some specific field values. The process for less deterministic protocols is more challenging. The process for less deterministic protocols is more challenging.

Future WorkFuture Work

Continue work on composition of security Continue work on composition of security tunnels.tunnels.Perform formal verification of SIKE.Perform formal verification of SIKE.We assert that the composition of DOS We assert that the composition of DOS resistant tunnels is DOS resistant. resistant tunnels is DOS resistant. Existing formal methods lack the tools to Existing formal methods lack the tools to reason about DOS.reason about DOS.We plan on working toward filling this void We plan on working toward filling this void in the formal methods toolkit.in the formal methods toolkit.