A Formal Framework and Evaluation Method for Network Denial of Service Catherine Meadows Code 5543 Naval Research Laboratory Washington, DC 20375 [email protected] Abstract The SYN attack on TCP (see [24] for a more com- plete discussion) is a classic example of this type of Denial of service is becoming a growing concern. As attack. In TCP, a source host initiates the protocol our systems communicate more and more with others by sending a SYN (synchronization/start) message to that we know less and less, they become increasingly its destination. The destination host responds with a vulnerable to hostile intruders who may take advan- SYN ACK, and waits for am ACK of the SYN ACK. tageoftheveryprotocolsintendedfortheestablishment When it receivesit, the connection is established. The and authentication of communication to tie up our re- destination host keeps track of unacknowledged SYN sources and disable our servers. Since these attacks ACKs in a connection queue. When a SYN ACK is occur before parties are authenticated to each other, we acknowledged,it is removed from the queue. cannot rely upon enforcement of the appropriate access The SYN attackis simple. The attackersends SYN control policy to protect us (as is recommended in the messageswithfakesourceaddressestoitsvictim,which classic work of Gligor and Millen in [5, 18, 19]). In- then sends back SYN ACK messages which are never stead we must build our defenses, as much as possible, acknowledged. As a result, the victim’s connection into the protocols themselves. This paper shows how queue (cid:12)lls up, and TCP services are denied to legit- some principles that have already been used to make imate users. protocols more resistant to denial of service can be for- Although the SYN attackmakes use of the features malized, and indicates the ways in which existing cryp- of a particular protocol, it is easy to see how it could tographic protocol analysis tools could be modi(cid:12)ed to begeneralized. Anattackerinitiatesanauthentication operate within this formal framework. protocolwithitsintendedvictim,usingafakeidentity. Atsomepointintheprotocol,theattackersimplystops participating. Thevictimisleftwithanunmanageably 1 Introduction large number of uncompleted protocols on its hands, and shuts down operations. The victim cannot defend against this attack by refusing connections from the Denialofserviceisbecomingagrowingconcern. As attacker, since the attacker uses a fake identity, and our systems communicate more and more with others sometimes a number of di(cid:11)erent fake identities. that we know less and less, they become increasingly vulnerabletohostileintruderswhomaytakeadvantage Attackslikethiscanbefoiledbytheuseofgoodau- of the very protocols intended for the establishment thenticationprotocols. Buttwothingsneed tobekept and authentication of communication to tie up our re- in mind. First of all, such a protocol must provideau- sources and disable our servers. Since these attacks thentication from the very beginning. It is not enough occur before parties are authenticated to each other, that the destination host should be able to verify the we cannot rely upon enforcement of the appropriate originoftheSYNACKACKmessage. Itmustbeable access controlpolicy to protect us (as is recommended to verify the origin of the SYN message as well. This in the classic work of Gligor and Millen in [5, 18, 19]). is in contrast to such de(cid:12)nitions of protocol security Instead we must build our defenses, as much as possi- as are found in [3], in which correctness is de(cid:12)ned in ble, into the protocols themselves. termsoftheguaranteesthatmustholdiftheentirepro- Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 3. DATES COVERED 1999 2. REPORT TYPE 00-00-1999 to 00-00-1999 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER A Formal Framework and Evaluation Method for Network Denial of 5b. GRANT NUMBER Service 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION Naval Research Laboratory,Code 5543,4555 Overlook Avenue, REPORT NUMBER SW,Washington,DC,20375 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE 11 unclassified unclassified unclassified Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 tocol completes. Thus the requirements for protection col is developed that uses signed Lamport hash chains against denial of service appear to be much stronger [13] to play the role of cookies in providing the weak than usual authentication requirements. authentication,whiledigitalsignaturesareusedtopro- On the other hand, strong authentication itself can vide the strong authentication. Since the hash chains be ahookfordenial of serviceattacks,sincethe mech- are precomputed and pre-authenticated, a member of anisms used to provide it are computationally intense. the chain can be inserted in a signed message without For example, suppose that the SYN message was pro- havingtoincludeaninitialcookieexchangeinthepro- tected by a digital signature. An attacker could send tocol. Thus the participants gain the weak assurance a number of bogus SYN messages with incorrect sig- without having to include a pair of cookie exchange natures, and the victim would use up its resources in messages in each instance of the protocol. The strong verifying the signatures instead of in storing the SYN assurancecanthen begainedwithin thesamemessage messages in the connection queue. The results, how- by verifying the digital signature. A separate protocol ever, would be similar. is needed to set up the hash chains, but this needs to executed much less often. The approach that has been taken to resolve these con(cid:13)icting requirements has been to use weak authen- As we can see, the assurance o(cid:11)ered by these pro- tication when the protocol is initiated, but stronger tocols can increase in two ways. First of all, it can authenticationas it completes. Thus the protocolpro- increase monotonically as each message is sent. In the vides protection against a weak attacker in its ini- cookieexchange,thereceiverofacookiehasnowayof tial stages without leaving itself vulnerable to denial verifyingthatthecookieitreceivesisgenuine,sonoas- of service attacks that take advantage of strong au- suranceis o(cid:11)eredat this stage. As the remainingmes- thentication, while still ultimately protecting the pro- sagesarereceivedandveri(cid:12)ed,however,theamountof tocol against spoo(cid:12)ng by a strong attacker. This does assuranceincreases. Theotherwayinwhichtheassur- not leave the protocol completely invulnerable against ance can increase is as a messageis veri(cid:12)ed, as in [11], a denial of service attack by a strong opponent, but in which all messages are both signed and include a it means that that opponent will have to work much chained hash. When apartyreceivesa message,it can harder, having (cid:12)rst to break the weak authentication verifythechainedhashtodetermineitsfreshness;then mechanisms. itcanverifythedigitalsignaturetodeterminethatthe message is not only recent but authentic. Aclassicexampleofthisapproachiso(cid:11)eredbyPho- turis [10]. A Photuris exchange begins with an inter- The level of di(cid:14)culty of the protocol execution also changeofcookies. Acookieisauniquenoncecomputed increases with the level of assurance. The cookie ex- fromthenamesofthesendingandreceivingpartiesand changes in Photuris proceed with a very low degree of local secret information available only to the sender. assurance; however, cookie generation is intended to Thusonlythesendercanorigniateacookiethatitwill be cheap, so the risk to denial of service is lessened. accept, and only the originator of a cookie can verify But the protection against denial of service provided that is genuine. Also, the cookiegenerationand veri(cid:12)- byincludingcookiesinthelatermessagesissomewhat cation methods are required to be fast, to make them higher, and it gives the receivers of the messages the lessvulnerabletodenialofserviceattacks. Afterinitia- con(cid:12)dence necessary to proceed to the next, more ex- tor and responder exchange cookies, both cookies are pensive stage of the authentication. Likewise for the included in all further messages. When either party protocolin [11], veri(cid:12)cationof chained hashes is cheap receives a message, it (cid:12)rst veri(cid:12)es the cookie. With compared to signature veri(cid:12)cation. this it gets the assurance that the message must have We see that the type of assurancewe must attempt beensentafterthecookiewasgenerated,andbysome- to gain here is somewhat di(cid:11)erent from that the type one who was able to see the cookie. Thus the receiver of results that we attempt to prove to show that a knows that, if no intruder with the capability to gen- protocol satis(cid:12)es its authentication goals. For an au- erate new messages out of recent messages is present, thentication protocol, we generally only need to prove then the message is genuine. Once this level of assur- that its requirements are satis(cid:12)ed when the protocol ance is attained, the receiver performs the rest of the completes. Moreover, we attempt to prove that the veri(cid:12)cation to achieve a higher degree of assurance. protocol is sound against the attacks of a uniformly Cookiesprovideanadd-onthatcanbeusedtomake strong intruder. But in order to prove that a proto- anexistingprotocolmoreresistanttodenialofservice. col is secure against denial of service attacks, we must But it is also possible to use these same principals as show that it satis(cid:12)es the necessary properties at each the basis for the design of an entire protocol. This is step of the way. Moreover, the assumptions about the what is done by Kent et al. in [11], in which a proto- intruder’s strengths that we consider may vary as the protocol proceeds. [7]. Brie(cid:13)y,aprotocolis fail-stopifanybogusmessage Thus the process of assuring that a protocol is se- (that is, a replay or a message manufactured by the cureagainst denial of service is potentially much more intruder)canbe detected, andthe protocolhaltsupon complex than the problem of assuring that a proto- detection. col satis(cid:12)es its authentication requirements. However, Fail-stop protocols have some of the desirable fea- the underlying process, showing that certain authenti- tures of a denial-of-service-resistant protocol. How- cation goals are achieved in the face of attack by an ever, in order to achieve the fail-stop property, they intruder who possesses certain capabilities, is similar must make use of strong authentication rightfrom the to that used to show that a protocol satis(cid:12)es its au- beginning. This makes fail-stop protocols potentially thentication requirements. Thus it should be possible vulnerabletodenialofserviceattacksinwhichthetar- to apply many of the tools and techniques that have get is forced to use up resources verifying bogus mes- been developed for the veri(cid:12)cation of authentication sages. Thus weneed tomodify ourconceptoffail-stop properties to the analysis of denial of service. In this in order to make it applicable to our needs. However, paperweprovideaframeworkforevaluatingaprotocol we will do so in the manner we suggested earlier in forresistancetodenialof serviceattacksin awaythat this paper, by modifying our notion of an intruder’s is intended to allow us to make maximal use of these capability. tools. 2.1 Alice-and-Bob Specifications and Causal Se- The remainder of the paper is organized as follows. quencing In Section 2 we motivate and present the framework. InSection3weapplytheframeworktoanexample. In Section4wediscussthewaysinwhichexistingsecurity In this paper we will be making use of the popu- protocolanalysistoolsand methods could be modi(cid:12)ed lar \Alice-and-Bob" speci(cid:12)cation style. This has been to verify protocols within this framework. criticized as confusing the description of what should happen with what actually does happen [6]. But in 2 The Framework thiscase,adescriptionofwhatdoeshappenwhichcan bemadetocorrespondtoadescriptionofwhatshould Our construction of the framework begins with the happenisexactlywhatwewant,somuchsothatweare observation that any point at which during a protocol ledtoaformalde(cid:12)nitionofwhatwewillcallannotated execution at which a responder may accept a bogus Alice-and-Bob speci(cid:12)cations. message as genuine could be used to launch a denial of service attack. If a bogus initial message could be De(cid:12)nition 1 An Alice-and-Bob speci(cid:12)cation is a se- acceptedasgenuine,anattacksuchastheSYNattack quence of statements of the form A ! B : M where would be possible, in which the target wastes its re- A and B are processes and M is a message. sources storing and responding to bogus messages. If a bogus intermediate message is accepted, this could Since we are interested in how messages are pro- cause the target to waste even more of its resourcesto cessed, as well as what messages are sent, we need to get to that point in the protocol. Finally, if a bogus annotate our Alice-and-Bob speci(cid:12)cations to include (cid:12)nal message is accepted as genuine, this could give message processing steps. rise to a particularly insidious denial of service attack in which a principal believes that it has been provided De(cid:12)nition 2 An annotated Alice-and-Bob speci(cid:12)ca- a service (e.g. a key shared with another party) when tion is a sequence of statements of the form A ! B : in fact this service was not provided. We will refer to T1;:::;Tk k M k O1;:::;On where A and B are pro- thesetypesofattacksasservice spoo(cid:12)ngattacks. Simi- cesses, M is a message, and T1;:::;Tk and O1, ..., On larconcernsexistforthecaseoftheinitiator,although are sequences of operations performed by A and B, re- these are not as strong here, since a denial of service spectively. attack would in most cases require the initiator to ini- tiate a large number of protocols, which the attacker The sequence T1;:::;Tk precedingthe messagein an thensubverts. Thisisnotimpossible, butitisnotcer- annotated Alice-and-Bob speci(cid:12)cation represents the tainly not as likely as the attacker initiating a large sequence of operations performed by A in producing number of protocols. M, while the sequence O1;:::;On represents the se- The fact that a certain degree of guarantee must quenceofoperationsperformedbyB inprocessingand be achieved at each step of the way naturally leads us verifying M. We now look at the make-up of a line in to Gong and Syverson’s concept of fail-stop protocols an Alice-and-Bob protocol more closely. De(cid:12)nition 3 Let L = A ! B : T1;:::;Tk k M De(cid:12)nition 4 Let S be a system of distributed pro- k O1;:::;On be a line in an annotated Alice-and-Bob cesses that communicate by sending messages. Let E speci(cid:12)cation. We say that X is an event occurring in be a temporally ordered sequence of events in S, where L if E consistsof internalevents, sending of messages, and receiving of messages. If a and b are two events from 1. X is one of the Ti or Oj, or; E, then b is causally-after a if: 2. X is ‘A sends M to B’ or ‘B receives M from A’. 1. a and b occur at the same process, and a precedes We say that the events T1;:::;Tk and ‘A sends M to b; B’ occur at A and the events ‘B receives M from A’, O1;:::;On occur at B. There are two types of events: 2. a is the sending of a message by one process, and b is the receiving of the same message by another normalevents and veri(cid:12)cationevents (also called veri- process, or; (cid:12)cationoperations). Normaleventscanoccurateither sender or receiver, and have only one outcome : suc- 3. there is an event c such that c is causally-after a cess. Veri(cid:12)cation events occur only at the receiver. A and b is causally-after c. veri(cid:12)cation operation can have two outcomes, success or failure. If the operation succeeds, then B engages in We say that E1 is causally-after E2 if E2 causally- the next event in L; if the operation fails, B stops does precedes E1. notengage in thenextevent, and stops participating in WenotethatnotionsverysimilartoLamport’shave the protocol. We also attach at the end of each line a found fruitful application in the analysis of crypto- special eventcalledanaccepteventwhich describesB’s graphic protocols, most notably in the de(cid:12)nition of deciding to proceed with the protocol after successfully strand spaces [4]. However, for our purposes, we verifying a message. will need something a little di(cid:11)erent. An Alice-and- Bob speci(cid:12)cation of a cryptographic protocol can be Forexample,considerthecaseinwhichAcomputes thought of as giving of a requirements speci(cid:12)cation in a digital signature over B’s name and a nonce, and terms of what events should causally-precede others. sends the result to B, together with its own name and We thus de(cid:12)ne desirably-precedes (or desirably-after), B’s. The resulting annotated speci(cid:12)cation would look as follows: like this: A ! B : De(cid:12)nition 5 1. If A ! B : R1;:::;Rm k M k computenonce1; storenonce1; storename1; sign1k O1;:::;On appears then the event in which B re- A;B;SA(B;NA)) k ceives M desirably-precedes any of the Oi, and Oi checkname2; storenonce2; storename2; checksig1; desirably-precedes any of the Oj for which i<j; accept1 where computenonce denotes A’s computing a nonce, 2. If A ! B : R1;:::;Rm k M k O1;:::;On appears storenonceandstorenamedenoteA(respectively,B)s then any Ri desirably-precedes the event in which storing its nonce and B’s (respectively, A’s), name for A sends M and Ri desirably-precedes any of the future reference, sign denotes A’s computing a digi- Rj whenever i<j; tal signature, checkname denotes the checking for the presenceofB’sname, andchecksig denotesthecheck- 3. If A ! B : R1;:::;Rm k M k O1;:::;On precedes ing of A’s digital signature. B ! Y : S1;:::;Sp k N k T1;:::;Tk then On We now want to use our annotated Alice-and-Bob desirably-precedes S1; speci(cid:12)cations to help us give our requirements for a 4. If A ! B : R1;:::;Rm k M k O1;:::;On appears cryptographic protocol. For this, as in [7], we use a then theeventinwhich AsendsM toB desirably- notion very similar to Lamport’s notion of causally- precedes the event in which B receives M from A, precedes [12]. The only di(cid:11)erence between our notion and; andLamport’sis that Lamportwasdealing with asit- uationinwhich,althoughmessagescouldbedelayedor 5. If E1 desirably-precedes E2 and E2 desirably- lost, they were not spoofed, redirected, or altered by precedes E3 then E1 desirably-precedes E3. a hostile intruder. Thus, Lamport used the notion of causally-before to describe what actually happened in Note that our de(cid:12)nition of desirably-precedes as- hisenvironment,whilewewillmerelyuseittodescribe sumes that a principal will not start creating a mes- what we would like to happen in our environment. sageitwantstosenduntilithas(cid:12)nishedprocessingall For motivation, we (cid:12)rst give Lamport’s de(cid:12)nition: relevant messages it has received. This assumption is reasonable when we are attempting to avoid denial of De(cid:12)nition 7 We say that the event B receives M serviceattacks: aprincipalshouldnotriskwastingre- from A in a cryptographic protocol has occurred if the sourceson creatinga messageuntil it has veri(cid:12)edthat program fragment Pr(B)[A ! B : M] has executed the messages it has received are genuine. successfully. We say thatM has beeninterferedwith if 2.2 Fail-StopProtocols the event B receives M from A occurs but some event desirably-preceding it did not. A fail-stop protocol is one that provides a certain Notethat thefact thatB receivesM fromAoccurs degreeofsecurityagainstattack. Thus, inordertode- does not mean the B actually received M from A or (cid:12)ne a fail-stop protocol, we need (cid:12)rst to say what an anyoneelse. ItsimplymeansthatBreceivedamessage attack is. But an attack describes a behavior of the atthe pointat whichit wasexpectingthe messageM, implemented protocol that deviates from its require- and it is ready to perform a set of tests to determine ments. An Alice-and-Bob speci(cid:12)cation describes the whetherthe messagewasgenuinelyM. Thusalthough desired behavior very well; what we need to supply as weusetheterm\interferedwith"tobeconsistentwith well the derivation of an implementation of a protocol the language in [7], we note that it covers not only from an Alice-and-Bob speci(cid:12)cation as follows. This messages that were tampered with, but fake messages will allow us to make clear the di(cid:11)erence between ac- generated by an intruder. tual and required behavior. Wearenowreadyforthede(cid:12)nitionoffail-stopfrom [7], modi(cid:12)ed slightly to take into account our slightly De(cid:12)nition 6 Animplementation of an Alice-and-Bob di(cid:11)erent de(cid:12)nition of an event. speci(cid:12)cation is a set of programs, one for each partic- ipant in the protocol. We say that the program corre- De(cid:12)nition 8 An Alice-and-Bob speci(cid:12)cation of a sponding to A implements A and refer to it at Pr(A). cryptographic protocol is fail-stop if, whenever a mes- Multiple copies of this program can exist and can be sage is interfered with, then no accept event desirably- running on behalf of di(cid:11)erent principals. Pr(A) has after the receiving of that message will occur. the following properties: 1. For each instance of A ! B : R1;:::;Rm k M k We have as yet said nothing yet about our assump- O1;:::;On in the protocol there are corresponding tions about an intruder’s capabilities. In most of the portion of Pr(A) describing A performing the op- literature on cryptographic protocol analysis, the as- erations R1;:::;Rm and sending the resulting mes- sumptions that are made about what an intruder can sage to B. When we can avoid confusion, we do are the same. An intruder is assumed to be able to will refer to these as Pr(A)[A ! B : M] and read all tra(cid:14)c, delete and modify tra(cid:14)c, have access Pr(A)[Ri]. to system operations such as the encryption functions used, to be in collusion with some legitimate users of 2. For each instance of C ! A : R1;:::;Rm the system, and possibly have access to compromised k M k O1;:::;On, there are corresponding por- sessionkeysandothersecretsfrompreviousexecutions tions of Pr(A) describing A receiving a message. oftheprotocol. Inourcase,ofcourse,weareinterested performing the operations O1;:::;On on a received in intruders with di(cid:11)erent capabilities: message, and halting if any of the veri(cid:12)cation op- erations fail. When we can avoid confusion, we De(cid:12)nition 9 We de(cid:12)ne an intruder action to be an will refer to these as Pr(A)[B ! A : M] and event engaged in by an intruder that a(cid:11)ects messages Pr(A)[Oi]. receivedbylegitimateparticipantsinaprotocol. Wede- (cid:12)ne an intruder capability to be a set of actions avail- 3. If both E1 and E2 occur at A, and E1 desirably- precedes E2, then Pr(A)[E1] always executes be- able to an intruder, partially ordered by set inclusion. fore Pr(A)[E2]. We do not list the types of capabilities available to We do not go any further into describing a pro- theintruder,sinceatthispointwedonotwanttolimit cedure for deriving implementations from annotated ourselves. However,exampleswouldincludesuchcases Alice-and-Bob speci(cid:12)cations, but we note that a num- as an intruder who could send messages but not read ber of tools, such as Casper [16] and the CAPSL-to- messages that were not addressed to it, an intruder NRL translator [1] already exist that provide such a who could send and read messages but not block mes- functionality by translating high-level Alice-and-Bob- sages,anintruderwhocouldsend,read,andblockmes- style speci(cid:12)cations into process algebra and state ma- sages,butcouldnotreplacetheblockedmessageswith chine speci(cid:12)cations. other messages in real time, and so forth. We might alsowant to include actionsoutside the usual intruder (cid:12)nal accept event) to be the cost of performing all the model, such as the ability to break certain classes of veri(cid:12)cation steps on that message, as well as the cost cryptosystems. of sending the next message, if any. De(cid:12)nition 10 Let (cid:0) be a function from the set of De(cid:12)nition 12 A function (cid:14) from the set of events de- events de(cid:12)ned by an annotated Alice-and-Bob speci(cid:12)- (cid:12)ned by an annotated Alice-and-Bob speci(cid:12)cation P to cation P to a set of intruder capabilities. We refer to a cost set C which is 0 on the accept events is called (cid:0) as an intruder capability function. We say that P an event cost function. is fail-stop with respect to (cid:0) if, for each event E in the system, if an intruder of capability (cid:0)(E) interferes Wenowde(cid:12)netwofunctionsbasedoncostfunctions. with any message desirably-causally-preceding E, then Onedescribesthecostofprocessingasinglemessagein neither E nor any events desirably-after E will occur. aprotocol. Theotherdescribesthecostofaprincipal’s reaching a given point in the protocol. The idea behind an intruder capability function is that,foreachaccepteventE,anintruderofcapability De(cid:12)nition 13 Let P be an annotated Alice-and-Bob (cid:0)(E) should not be able to cause E to occur by using protocol, let C be a cost set, and let (cid:14) be an event cost its capabilities to manipulate the system. function de(cid:12)ned on P and C. We de(cid:12)ne the message If we set (cid:0)(E) to be the usual intruder capability acceptance cost function associated with (cid:14) to be the 0 whenever E is an accept event, and the null capability function(cid:14) on eventsfollowing thereceipt of a message forallotherevents,thenthereadercanverifythatour as follows: de(cid:12)nition of fail-stop is equivalent to Gong and Syver- If the line A ! B : O1;:::Ok k M k V1;:::;Vn son’s. In the case of denial of service, though, we may appears in P, then for each event Vj: 0 want(cid:0) to be graduallyincreasingwith respect to (cid:12)nal (cid:14) (Vj) = (cid:14)(V1)+:::+(cid:14)(Vj). veri(cid:12)cation events. For example, in the Photuris pro- Wede(cid:12)netheprotocolengagementcostfunctionas- tocol, the intruder capability associated with the (cid:12)rst sociated with (cid:14) to be the function (cid:1) de(cid:12)ned on accept acceptevents,whichonlyconcernthecookieexchange, events as follows: would be the ability to read and block messages, but If the line A ! B : O1;:::Ok k M k V1;:::;Vn nothing else, while the intruder capability associated appears in the protocol, where Vn is the accept event, with the laterevents is greater. We would alsowant(cid:0) then: tobegraduallyincreasingwithrespecttoanysequence 0 0 0 of veri(cid:12)cation events on a single line of an annotated 1. If there are no lines B ! X : O1;:::Ok k M 0 0 Alice-and-Bobspeci(cid:12)cation,sincetheamountofassur- k V1;:::;Vn such that Vn immediately desirably- 0 ance gained after each check done on a single message precedesO1, then (cid:1)(Vn)is thesumof all the costs should increase the con(cid:12)dence in that message. ofalloperationsoccurringatB desirably-preceding Intruder capability functions tell us only half the Vn; story, however. We also need a way of calculating the 0 0 0 expenseofexecutingeachprotocolstep. Inordertodo 2. If there is a line B ! X : O1;:::Ok k M 0 0 this, we need to de(cid:12)ne a cost function. k V1;:::;Vn such that Vn immediately desirably- 0 precedes O1, then (cid:1)(Vn) is the sum of the costs of De(cid:12)nition 11 A cost set C is a partially ordered set all operations occurring at B desirably-preceding 0 with partial order <together with a function +from C Vn, plus the sum of the costs of the Oi,. (cid:2) C to C such that + is associative and commutative, and x + y (cid:21) max(x,y), along with an zero element 0 Thus the message acceptance cost represents the such that x = 0 + x = x + 0, for all x in C. costofreachingacertainpointinacceptingamessage, while the protocol engagement cost represents the to- Examplesofcostcouldbethingsliketimeormoney, tal cost of accepting a message in terms of both the in which case + is simple addition. Or it could be a cost of processing it and the costs of any events that roughestimatesuchasadivisioninto\easy"or\hard," are necessarily engaged in as a result of accepting the in which case x + y is simply the maximum of x and message. y. In general, we would expect the cost of a veri(cid:12)- Our construction of message acceptance and proto- cation event to express the expense of performing the col engagementcosts re(cid:13)ects two ways in which denial veri(cid:12)cation, the cost of sending a message to express of service attacks can proceed. One is by sending a the expense involved in preparing that message, and principal a bogus message at any point in the proto- the cost of accepting a message (that is, the cost of a col, and having the victim waste resources processing it. This is protected against by performing the rela- 4. Verifythattheprotocolisfail-stopwithrespectto tively cheap veri(cid:12)cation events (cid:12)rst upon receiving a (cid:0). message, and should be re(cid:13)ected in the message ac- ceptance costs. In particular, we would like the costs Note that Step 3a) allows us to reason about the to start out cheap, and only become more expensive abilityofaprotocoltopreventanintruderfrommount- towards the end of the message. The other is to per- ing a denial-of-service attack by causing a legitimate suade a principal to waste resources participating in a principal to waste resources processing a message be- bogus instance of the protocol; this can be defended fore it has been able to verify that it could not have against by performing cheap veri(cid:12)cation and compu- been spoofed by an intruder of a certain capability. tation events early in the protocol, and should be re- Step3b) allowsustoreasonabouttheabilityofapro- (cid:13)ected in the protocol engagement costs. tocoltopreventanintruderfrommountingadenial-of- We are now ready to relate cost and intruder capa- serviceattackbycausingalegitimateprincipaltowaste bility functions. resources participating in a protocol up to receiving a particular message and responding to it, before it has De(cid:12)nition 14 Let C be a cost set and G an intruder been able to verify that that message could not have capability set. We de(cid:12)ne a tolerance relation de(cid:12)ned been spoofed by an intruder of a certain capability. by a protocol designer to be the subset of C (cid:2)G con- sisting of all pairs (c,g) such that the protocol designer 3 Example: The Station-to-Station is willing to tolerate a situation in which an e(cid:11)ort of Protocol cost c that provides security against an intruder of ca- 0 0 pability g but no greater. We say that (c,g ), is within Inthissectionweshowhowwecanapplyourframe- the tolerance relation if there is a (c,g) in the relation 0 0 work to the Station to Station protocol of Di(cid:14)e, van such that c (cid:20)c and g (cid:21)g. Oorschot, and Wiener. This protocol was designed with message economy rather than denial of service We do not put any constraints on the tolerance re- in mind, so, not surprisingly, it turns out not to meet lation, since we believe it may vary from situation to the demands of our framework. However, the frame- situation. workcanhelpusidentifyareasofweaknessandsuggest We can now describe the procedure for evaluating possible improvements from the denial of service per- whether or not a protocol is secure against denial of spective. service using the following steps: The protocol uses Di(cid:14)e-Hellman for key genera- tion and digital signatures for authentication. It in- 1. Decide what your cost function is, and what you volves a number of di(cid:11)erent operations, to which we assumethevariouscapabilitiesoftheintrudercan assign costs as follows: exponentiation over a (cid:12)nite be. (cid:12)eld during the protocol execution (expensive), repre- sented by exp, exponentiation over a (cid:12)nite (cid:12)eld which 2. Decide what yourtolerancerelation is: how much canbeprecomputed(medium),representedbypreexp, are you willing to spend to provide a certain level computation and veri(cid:12)cation of digital signatures (ex- of security, and how much insecurity are you will- pensive), represented by sign and checksig, single ingtoputupwithgivenacertainamountofcost? key encryption and decryption (medium), represented 3. Calculate an intruder capability function (cid:0) such by encrypt and decrypt, checking for the presence of that: names and retrieving nonces (cheap), represented by checkname and retrievenonce, and storing of names a) If E1 is an event immediately preceding a ver- and nonces (medium), represented by storename and i(cid:12)cation event E2, in a line of a protocol, then 0 storenonce. Wede(cid:12)nea+operationoncostsbyX+Y ((cid:14) (E2),(cid:0)(E1)) is in the tolerance relation. This = max(X;Y), where expensive > medium > cheap > means, that, if M is the message received in the 0. lineinwhichE1 andE2appear,thecostofge0tting Next, let ZP be the integers modulo P for some to the point where E2 succeeds or fails is (cid:14) (E2), P, let (cid:11) be a generator of the multiplicative group of andnointruderofcapability(cid:0)(E1)willhavebeen ZP, let (cid:11)x denote (cid:11) raised to the x’th power mod P, able to successfully interfere with M after E1 has XB(cid:1)XA XA(cid:1)XB let K = (cid:11) = (cid:11) , let EK represent single (cid:12)nished executing. key encryption with key K, and SB denote a digital b) If E isan acceptevent, then ((cid:1)(E),(cid:0)(E)) isin signature obtained using B’s private key. We can now the tolerance relation. use our notation to describe the protocol as follows: 1. A!B :preexp1 k attack, where I is the intruder, and IZ is the intruder XA (cid:11) k impersonating Z: storenonce1;storename1;accept1: XA 1. A!IB : (cid:11) 2. B !A : XA preexp1;sign1;exp1;encrypt1 k 2. IC !B : (cid:11) XB XB XA (cid:11) ; EK(SB((cid:11) ;(cid:11) )) k XB XB XA 3. B !IC :(cid:11) ; EK(SB((cid:11) ;(cid:11) )) checkname1; retrievenonce1; exp2; decrypt1; checksig1; accept2: 4. IB !A:(cid:11)XB; EK(SB((cid:11)XB;(cid:11)XA)) XA XB 5. A!IB :K(SA((cid:11) ;(cid:11) )) 3. A!B : retrievenonce2;sign2; encrypt2 k At this point A is convinced that it is sharing a XA XB EK(SA((cid:11) ;(cid:11) )) k key with B, although B knows nothing about this; if checkname2; retrievenonce2; decrypt2; B received A’s (cid:12)nal message it would reject it, since checksig2; accept4: it is expecting a response from C. Note that all this attack requires is an intruder with the ability to inter- Since we are dealing with a protocol that has al- cept messages intended for B, and to forward them to ready been developed, rather than designing one from B as messages from C. It does not need to be capa- scratch,wewillproceedinanordersomewhatdi(cid:11)erent bleofperforminganycryptographicoperationssuchas than that recommended in the last section. First, we exponentiation or the checking of a digital signature. will determine the values of the cost functions. Sec- Since this is an attack against the initiator, not the ondly, we determine the intruder capability function responder, it is potentially less useful for tying up re- withrespecttowhichtheprotocolisfail-stop. Wewill sources; the victim must decide to initiate an instance usethistodeterminealikelysetoftolerancerelations, of the protocol before the attack can be mounted. and discuss their signi(cid:12)cance to the protocol. (Note that a successful denial-of-service attack using We(cid:12)rstnotethatprotocolengagementcostfunction this vulnerability would require the initiator to start isexpensiveforallaccept events. Forthe (cid:12)rst,the re- the protocol not once, but many times.) On the other sponder B must compute the Di(cid:14)e-Hellman key and hand,itcanbethoughtofasaservicespoo(cid:12)ngattack, sign a message. For the second, the initiator A must since A thinks it shares a key with B, when in fact it check a signature, compute a Di(cid:14)e-Hellman key and does not. sign a message. For the third, B must check a signa- Wenowdiscusswhatthevaluesof(cid:0)fortheveri(cid:12)ca- ture. For the message acceptance cost functions, none tionevents. The(cid:12)rstveri(cid:12)cationeventischeckname1. isde(cid:12)nedforthe(cid:12)rstmessage,sinceitcontainsnover- Sincenoveri(cid:12)cationisdonebeforethenameischecked, i(cid:12)cationevents. ForthesecondthecostofB’schecking the associated (cid:0) is the intruder with the powers of a thenameischeap,whilethecostofB’sperformingthe non-maliciousnetwork. However,sincenoeventexcept signatureis expensive. Likewise forthe third message: the reception of the message precedes checkname1 at thecostofA’scheckinganameischeap,whilethecost that line, and the cost of checkname1 itself is quite of its checking a signature is expensive. low, the pair (c,g) computed should be well within How does the intruder capability function fare for any tolerance relation. The next veri(cid:12)cation event is the accept events? Clearly, since the (cid:12)rst message is checksig1. Themessageacceptancecostofchecksig1is notauthenticatedatall,itprotectsonlyagainstavery expensive; however (cid:0)(decrypt1), the immediately pre- weak intruder, so best we can take (cid:0)(accept1) to be is ceding event, is an intruder who is not able to forge the intruder with the powers of a non-malicious net- B’s return address and prevent messages from reach- work, or an intruder with the capability of sending a ingtheirdestinations, in otherwords arelativelyweak message. Anyintruderwhocouldcreateanacceptable- intruder. This pair would probably not be within looking return address should be able to defeat the most tolerance relations. The next veri(cid:12)cation event protocol at this point. We can take (cid:0)(accept3) to the is checkname2. Again, the message acceptance cost intruder with full powers (we have veri(cid:12)ed this using of checkname2 is cheap, while the assurance provided theNRLProtocolAnalyzer). Whatissurprising,how- before checkname2 is executed is against an intruder ever, is (cid:0)(accept2). We would expect this to also be with the powers of a non-malicious network. Again, an intruder with full powers, but as a matter of fact the associated pair (c,g) should be well within any it is somewhat weaker. As was shown by Lowe in [15], tolerance relation. Finally, the last veri(cid:12)cation event the event accept2 is vulnerable against the following is checksig2. Again, the message acceptance cost of checksig2 isexpensive,but theassuranceprovidedun- although the properties guaranteed by these logics are tilchecksig2hasbeenexecutedsuccessfullyisrelatively currently cast in terms of beliefs in the properties of weak: it is onlystrong againstan intruderwhocannot keysandmessages,notpropertiesoftheintruder,there forge A’s address and prevent messages from reaching doesnotseemtobeanyinherentreasonwhytheycould their destinations. notberecastasstatementsaboutwhatcapabilitiesthe ThustheStation-to-Stationprotocol,asitstands,is intruder is supposed to have. For example, consider a vulnerabletodenialofserviceattacksinseveralplaces. message that contains a fresh sub-element, such as a In the (cid:12)rst message, an intruder who is capable of do- cookie. Thatmessageisauthenticifweassumethethe ing nothing more than sending messages could send intruderisnotabletoreadandmodifymessagesinreal a bogus message and cause the responder to waste re- time. On the other hand, a signed message containing sourcesrespondingtoit. Likewise,sincetheonlycheap a fresh sub-element is authenticated in the face of a interim checks on the last two messages are weak, an stronger intruder. intruderwhoiscapableoffakingreturnaddressescould Wenextconsidertoolsthatmakeuseofstateexplo- causeeitherinitiatororrespondertowasteresourcesin ration techniquesin someformorthe other. These in- processing a bogus message. Finally, though less seri- cludemodelcheckerssuchasFDR/Casper[16]orMur(cid:30) ously, a somewhat more capable intruder could mount [22],specializedtoolssuchastheInterrogator[20]that Lowe’sattackandconvinceaninitiatorthat it is shar- providemuchofthesamecapabilitybut are(cid:12)ne-tuned ingakeywitharesponderwhenitdoesnot,andwhen for cryptographic protocol analysis, and tools such as theresponderisnotevenexpectingamessagefromthe the NRL Protocol Analyzer [17] that combine state initiator. exploration with a limited theorem-proving capabil- There are a number of ways in which this proto- ity. What all of these tools have in common is that col could be strengthened against denial of service at- at some point their designers implemented the stan- tacks. First, a cookie exchangecould be done initially, dardintrudermodelaspartofthetool. Thus,inorder to introduce some weak authentication before the ma- tomakeuseofourframework,itwouldbenecessaryto jormessageexchangestarts,asisdoneintheIKEpro- have the option to replace the standard intruder with tocol [8], which uses a protocol based on the station- intruders of di(cid:11)erent strengths. This should not be to-stationprotocol. Secondly,ifcookiesareincludedin too di(cid:14)cult, since all these tools model the intruder second and third messages, checking them could pro- as an independent state machine; all that is needed is vide weak authentication for these as well (as is also to replace this state machine with another. Similarly, done by IKE). Weak authentication could also be pro- most usesoftheorem proverstoanalyzecryptographic XA XB vided by including both (cid:11) and (cid:11) in the second protocols (e.g. Paulson [23]), include an independent andthird messages,sothateitherpartyY couldcheck speci(cid:12)cation of an intruder; thus it should be straight- XY for the presence of (cid:11) before proceeding with the forward to deal with intruders of various strengths for more expensive veri(cid:12)cation steps. Finally, Lowe’s at- theorem provers as well as state exploration tools. tackcouldbepreventedbyincludingtheidentityofthe Another issue remains to be considered, however. intended receiver in the signed part of the message, as Usually, when we attempt to prove security of crypto- is recommended in [15]. graphic protocols,we examine only a handful or prop- erties,e.g.,thattwopartiesalwaysagreeonakey,that 4 Applicability of Existing Tools and the key is not a replay, that the key remains secret, Models and so forth. In the case of denial of service, we are attempting to prove at least one goal for each accept Inthissection,weconsiderhowsomeoftheexisting event (and thus for each message sent), as well as one tools and methods could be applied within our frame- goalforeachveri(cid:12)cationevent. Thustheworkinvolved work. could be multiplied several times. The model checkers We begin with belief logics. To look at them, we have an advantage here; since model checkers verify would not expect belief logics such as BAN [2] to be whether ornot a programsatis(cid:12)es its speci(cid:12)cation, all veryusefulwithinourframework. Theyuseanimplicit the user has to do is write a speci(cid:12)cation in terms of model of the intruder, and guarantee properties such all the security goals that are relevant to a particular as freshness and authentication, not immunity against intruder strength, and run the protocol together with intrudersofvariousstrengths. However,likeourframe- that intruder. Thus it may be possible to proceed so work,BAN and similar logics are used to analyze pro- that theamountofworkreallyonlyincreasesbyafac- tocols incrementally; one sees what degree of security torequaltothenumberofintruderstrengthsinvolved. is provided by each message as it is processed. And, In thecaseoftoolssuchastheoremproversandthe