13 Server, who is in charge of all public keys. |
19 Server, who is in charge of all public keys. |
14 |
20 |
15 The model assumes that no fraudulent certificates are present, but it does |
21 The model assumes that no fraudulent certificates are present, but it does |
16 assume that some private keys are to the spy. |
22 assume that some private keys are to the spy. |
17 |
23 |
18 Abstracted from "The TLS Protocol, Version 1.0" by Tim Dierks and Christopher |
24 REMARK. The event "Notes A {|Agent B, Nonce PMS|}" appears in ClientCertKeyEx, |
19 Allen, Transport Layer Security Working Group, 21 May 1997, |
|
20 INTERNET-DRAFT draft-ietf-tls-protocol-03.txt |
|
21 |
|
22 NOTE. The event "Notes A {|Agent B, Nonce M|}" appears in ClientCertKeyEx, |
|
23 CertVerify, ClientFinished to record that A knows M. It is a note from A to |
25 CertVerify, ClientFinished to record that A knows M. It is a note from A to |
24 herself. Nobody else can see it. In ClientCertKeyEx, the Spy can substitute |
26 herself. Nobody else can see it. In ClientCertKeyEx, the Spy can substitute |
25 his own certificate for A's, but he cannot replace A's note by one for himself. |
27 his own certificate for A's, but he cannot replace A's note by one for himself. |
26 |
28 |
27 The note is needed because of a weakness in the public-key model. Each |
29 The Note event avoids a weakness in the public-key model. Each |
28 agent's state is recorded as the trace of messages. When the true client (A) |
30 agent's state is recorded as the trace of messages. When the true client (A) |
29 invents M, he encrypts M with B's public key before sending it. The model |
31 invents PMS, he encrypts PMS with B's public key before sending it. The model |
30 does not distinguish the original occurrence of such a message from a replay. |
32 does not distinguish the original occurrence of such a message from a replay. |
31 |
33 |
32 In the shared-key model, the ability to encrypt implies the ability to |
34 In the shared-key model, the ability to encrypt implies the ability to |
33 decrypt, so the problem does not arise. |
35 decrypt, so the problem does not arise. |
34 *) |
36 *) |
35 |
37 |
36 TLS = Public + |
38 TLS = Public + |
37 |
39 |
38 consts |
40 consts |
39 (*Client, server write keys. They implicitly include the MAC secrets.*) |
41 (*Pseudo-random function of Section 5*) |
|
42 PRF :: "nat*nat*nat => nat" |
|
43 |
|
44 (*Client, server write keys implicitly include the MAC secrets.*) |
40 clientK, serverK :: "nat*nat*nat => key" |
45 clientK, serverK :: "nat*nat*nat => key" |
|
46 |
41 certificate :: "[agent,key] => msg" |
47 certificate :: "[agent,key] => msg" |
42 |
48 |
43 defs |
49 defs |
44 certificate_def |
50 certificate_def |
45 "certificate A KA == Crypt (priK Server) {|Agent A, Key KA|}" |
51 "certificate A KA == Crypt (priK Server) {|Agent A, Key KA|}" |
46 |
52 |
47 rules |
53 rules |
|
54 inj_PRF "inj PRF" |
|
55 |
48 (*clientK is collision-free and makes symmetric keys*) |
56 (*clientK is collision-free and makes symmetric keys*) |
49 inj_clientK "inj clientK" |
57 inj_clientK "inj clientK" |
50 isSym_clientK "isSymKey (clientK x)" (*client write keys are symmetric*) |
58 isSym_clientK "isSymKey (clientK x)" (*client write keys are symmetric*) |
51 |
59 |
52 (*serverK is similar*) |
60 (*serverK is similar*) |
66 Fake (*The spy, an active attacker, MAY say anything he CAN say.*) |
74 Fake (*The spy, an active attacker, MAY say anything he CAN say.*) |
67 "[| evs: tls; B ~= Spy; |
75 "[| evs: tls; B ~= Spy; |
68 X: synth (analz (sees Spy evs)) |] |
76 X: synth (analz (sees Spy evs)) |] |
69 ==> Says Spy B X # evs : tls" |
77 ==> Says Spy B X # evs : tls" |
70 |
78 |
71 SpyKeys (*The spy may apply clientK & serverK to nonces he's found*) |
79 SpyKeys (*The spy may apply PRF, clientK & serverK to available nonces*) |
72 "[| evs: tls; |
80 "[| evsSK: tls; |
73 Says Spy B {|Nonce NA, Nonce NB, Nonce M|} : set evs |] |
81 Says Spy B {|Nonce NA, Nonce NB, Nonce M|} : set evsSK |] |
74 ==> Says Spy B {| Key (clientK(NA,NB,M)), |
82 ==> Says Spy B {| Nonce (PRF(M,NA,NB)), |
75 Key (serverK(NA,NB,M)) |} # evs : tls" |
83 Key (clientK(NA,NB,M)), |
|
84 Key (serverK(NA,NB,M)) |} # evsSK : tls" |
76 |
85 |
77 ClientHello |
86 ClientHello |
78 (*XA represents CLIENT_VERSION, CIPHER_SUITES and COMPRESSION_METHODS. |
87 (*(7.4.1.2) |
|
88 XA represents CLIENT_VERSION, CIPHER_SUITES and COMPRESSION_METHODS. |
79 It is uninterpreted but will be confirmed in the FINISHED messages. |
89 It is uninterpreted but will be confirmed in the FINISHED messages. |
80 As an initial simplification, SESSION_ID is identified with NA |
90 As an initial simplification, SESSION_ID is identified with NA |
81 and reuse of sessions is not supported.*) |
91 and reuse of sessions is not supported. |
82 "[| evs: tls; A ~= B; Nonce NA ~: used evs |] |
92 May assume NA ~: range PRF because CLIENT RANDOM is 32 bytes |
83 ==> Says A B {|Agent A, Nonce NA, Agent XA|} # evs : tls" |
93 while MASTER SECRET is 48 byptes (6.1)*) |
|
94 "[| evsCH: tls; A ~= B; Nonce NA ~: used evsCH; NA ~: range PRF |] |
|
95 ==> Says A B {|Agent A, Nonce NA, Number XA|} # evsCH : tls" |
84 |
96 |
85 ServerHello |
97 ServerHello |
86 (*XB represents CLIENT_VERSION, CIPHER_SUITE and COMPRESSION_METHOD. |
98 (*7.4.1.3 of the TLS Internet-Draft |
87 NA is returned in its role as SESSION_ID. A CERTIFICATE_REQUEST is |
99 XB represents CLIENT_VERSION, CIPHER_SUITE and COMPRESSION_METHOD. |
88 implied and a SERVER CERTIFICATE is always present.*) |
100 NA is returned in its role as SESSION_ID. |
89 "[| evs: tls; A ~= B; Nonce NB ~: used evs; |
101 SERVER CERTIFICATE (7.4.2) is always present. |
90 Says A' B {|Agent A, Nonce NA, Agent XA|} : set evs |] |
102 CERTIFICATE_REQUEST (7.4.4) is implied.*) |
91 ==> Says B A {|Nonce NA, Nonce NB, Agent XB, |
103 "[| evsSH: tls; A ~= B; Nonce NB ~: used evsSH; NB ~: range PRF; |
|
104 Says A' B {|Agent A, Nonce NA, Number XA|} : set evsSH |] |
|
105 ==> Says B A {|Nonce NA, Nonce NB, Number XB, |
92 certificate B (pubK B)|} |
106 certificate B (pubK B)|} |
93 # evs : tls" |
107 # evsSH : tls" |
94 |
108 |
95 ClientCertKeyEx |
109 ClientCertKeyEx |
96 (*CLIENT CERTIFICATE and KEY EXCHANGE. The client, A, chooses M, |
110 (*CLIENT CERTIFICATE (7.4.6) and KEY EXCHANGE (7.4.7). |
97 the pre-master-secret. She encrypts M using the supplied KB, |
111 The client, A, chooses PMS, the PREMASTER SECRET. |
98 which ought to be pubK B, and also with her own public key, |
112 She encrypts PMS using the supplied KB, which ought to be pubK B. |
99 to record in the trace that she knows M (see NOTE at top).*) |
113 We assume PMS ~: range PRF because a clash betweem the PMS |
100 "[| evs: tls; A ~= B; Nonce M ~: used evs; |
114 and another MASTER SECRET is highly unlikely (even though |
101 Says B' A {|Nonce NA, Nonce NB, Agent XB, certificate B KB|} |
115 both items have the same length, 48 bytes). |
102 : set evs |] |
116 The Note event records in the trace that she knows PMS |
103 ==> Says A B {|certificate A (pubK A), Crypt KB (Nonce M)|} |
117 (see REMARK at top).*) |
104 # Notes A {|Agent B, Nonce M|} |
118 "[| evsCX: tls; A ~= B; Nonce PMS ~: used evsCX; PMS ~: range PRF; |
105 # evs : tls" |
119 Says B' A {|Nonce NA, Nonce NB, Number XB, certificate B KB|} |
|
120 : set evsCX |] |
|
121 ==> Says A B {|certificate A (pubK A), Crypt KB (Nonce PMS)|} |
|
122 # Notes A {|Agent B, Nonce PMS|} |
|
123 # evsCX : tls" |
106 |
124 |
107 CertVerify |
125 CertVerify |
108 (*The optional CERTIFICATE VERIFY message contains the specific |
126 (*The optional CERTIFICATE VERIFY (7.4.8) message contains the |
109 components listed in the security analysis, Appendix F.1.1.2; |
127 specific components listed in the security analysis, F.1.1.2. |
110 it also contains the pre-master-secret. Checking the signature, |
128 It adds the pre-master-secret, which is also essential! |
111 which is the only use of A's certificate, assures B of A's presence*) |
129 Checking the signature, which is the only use of A's certificate, |
112 "[| evs: tls; A ~= B; |
130 assures B of A's presence*) |
113 Says B' A {|Nonce NA, Nonce NB, Agent XB, certificate B KB|} |
131 "[| evsCV: tls; A ~= B; |
114 : set evs; |
132 Says B' A {|Nonce NA, Nonce NB, Number XB, certificate B KB|} |
115 Notes A {|Agent B, Nonce M|} : set evs |] |
133 : set evsCV; |
|
134 Notes A {|Agent B, Nonce PMS|} : set evsCV |] |
116 ==> Says A B (Crypt (priK A) |
135 ==> Says A B (Crypt (priK A) |
117 (Hash{|Nonce NB, certificate B KB, Nonce M|})) |
136 (Hash{|Nonce NB, certificate B KB, Nonce PMS|})) |
118 # evs : tls" |
137 # evsCV : tls" |
119 |
138 |
120 (*Finally come the FINISHED messages, confirming XA and XB among |
139 (*Finally come the FINISHED messages (7.4.8), confirming XA and XB |
121 other things. The master-secret is the hash of NA, NB and M. |
140 among other things. The master-secret is PRF(PMS,NA,NB). |
122 Either party may sent its message first.*) |
141 Either party may sent its message first.*) |
123 |
142 |
124 (*The occurrence of Crypt (pubK A) {|Agent B, Nonce M|} stops the |
143 (*The occurrence of Notes A {|Agent B, Nonce PMS|} stops the |
125 rule's applying when the Spy has satisfied the "Says A B" by |
144 rule's applying when the Spy has satisfied the "Says A B" by |
126 repaying messages sent by the true client; in that case, the |
145 repaying messages sent by the true client; in that case, the |
127 Spy does not know M and could not sent CLIENT FINISHED. One |
146 Spy does not know PMS and could not sent CLIENT FINISHED. One |
128 could simply put A~=Spy into the rule, but one should not |
147 could simply put A~=Spy into the rule, but one should not |
129 expect the spy to be well-behaved.*) |
148 expect the spy to be well-behaved.*) |
130 ClientFinished |
149 ClientFinished |
131 "[| evs: tls; A ~= B; |
150 "[| evsCF: tls; |
132 Says A B {|Agent A, Nonce NA, Agent XA|} : set evs; |
151 Says A B {|Agent A, Nonce NA, Number XA|} : set evsCF; |
133 Says B' A {|Nonce NA, Nonce NB, Agent XB, certificate B KB|} |
152 Says B' A {|Nonce NA, Nonce NB, Number XB, certificate B KB|} |
134 : set evs; |
153 : set evsCF; |
135 Notes A {|Agent B, Nonce M|} : set evs |] |
154 Notes A {|Agent B, Nonce PMS|} : set evsCF; |
|
155 M = PRF(PMS,NA,NB) |] |
136 ==> Says A B (Crypt (clientK(NA,NB,M)) |
156 ==> Says A B (Crypt (clientK(NA,NB,M)) |
137 (Hash{|Hash{|Nonce NA, Nonce NB, Nonce M|}, |
157 (Hash{|Nonce M, |
138 Nonce NA, Agent XA, |
158 Nonce NA, Number XA, Agent A, |
139 certificate A (pubK A), |
159 Nonce NB, Number XB, Agent B|})) |
140 Nonce NB, Agent XB, Agent B|})) |
160 # evsCF : tls" |
141 # evs : tls" |
|
142 |
161 |
143 (*Keeping A' and A'' distinct means B cannot even check that the |
162 (*Keeping A' and A'' distinct means B cannot even check that the |
144 two messages originate from the same source. B does not attempt |
163 two messages originate from the same source. *) |
145 to read A's encrypted "note to herself".*) |
|
146 ServerFinished |
164 ServerFinished |
147 "[| evs: tls; A ~= B; |
165 "[| evsSF: tls; |
148 Says A' B {|Agent A, Nonce NA, Agent XA|} : set evs; |
166 Says A' B {|Agent A, Nonce NA, Number XA|} : set evsSF; |
149 Says B A {|Nonce NA, Nonce NB, Agent XB, |
167 Says B A {|Nonce NA, Nonce NB, Number XB, |
150 certificate B (pubK B)|} |
168 certificate B (pubK B)|} |
151 : set evs; |
169 : set evsSF; |
152 Says A'' B {|certificate A KA, Crypt (pubK B) (Nonce M)|} |
170 Says A'' B {|certificate A KA, Crypt (pubK B) (Nonce PMS)|} |
153 : set evs |] |
171 : set evsSF; |
|
172 M = PRF(PMS,NA,NB) |] |
154 ==> Says B A (Crypt (serverK(NA,NB,M)) |
173 ==> Says B A (Crypt (serverK(NA,NB,M)) |
155 (Hash{|Hash{|Nonce NA, Nonce NB, Nonce M|}, |
174 (Hash{|Nonce M, |
156 Nonce NA, Agent XA, Agent A, |
175 Nonce NA, Number XA, Agent A, |
157 Nonce NB, Agent XB, |
176 Nonce NB, Number XB, Agent B|})) |
158 certificate B (pubK B)|})) |
177 # evsSF : tls" |
159 # evs : tls" |
|
160 |
178 |
161 (**Oops message??**) |
179 (**Oops message??**) |
162 |
180 |
163 end |
181 end |