Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June 28, 2004

Project Goals Protocol derivation Build security protocols by combining and refining parts from basic protocols. Proof of correctness Prove protocols correct using logic that follows steps of derivation.

Outline Background Derivation System [CSFW03] Compositional Logic [CSFW01,CSFW03] Abstraction and Refinement Methods Applications Conclusions and Future Work

Example Construct protocol with properties: Shared secret Authenticated Identity Protection Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)

Component 1 Shared secret (with someone) A deduces: Knows(Y, g ab )  (Y = A) ۷ Knows(Y,b) Authenticated Identity Protection A  B: g a B  A: g b Diffie Hellman

Component 2 Shared secret Authenticated A deduces: Received (B, msg1) Λ Sent (B, msg2) Identity Protection A  B: m, A B  A: n, sig B {m, n, A} A  B: sig A {m, n, B} Challenge-Response

Composition Shared secret: g ab Authenticated Identity Protection m := g a n := g b A  B: g a, A B  A: g b, sig B {g a, g b, A} A  B: sig A {g a, g b, B} ISO

Refinement Shared secret: g ab Authenticated Identity Protection A  B: g a, A B  A: g b, E K {sig B {g a, g b, A}} A  B: E K {sig A {g a, g b, B}} Encrypt Signatures

Outline Background Derivation System Compositional Logic Abstraction and Refinement Methods Applications Conclusions and Future Work

AB Alice reasons: if Bob is honest, then: only Bob can generate his signature. [protocol independent] if Bob generates a signature of the form sig B {m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice. [protocol specific] Alice deduces: Received (B, msg1) Λ Sent (B, msg2) m, A n, sig B {m, n, A} sig A {m, n, B} Challenge-Response: Proof Idea

Formalism Cord calculus Protocol programming language Protocol logic Expressing protocol properties Proof system Proving protocol properties Symbolic (“Dolev-Yao”) model

AB m, A n, sig B {m, n, A} sig A {m, n, B} Challenge-Response as Cords InitCR(A, X) = [ new m; send A, X, m, A; receive X, A, x, sig X {m, x, A}; send A, X, sig A {m, x, X}; ] RespCR(B) = [ receive Y, B, y, Y; new n; send B, Y, n, sig B {y, n, Y}; receive Y, B, sig Y {y, n, B}; ]

Correctness of CR CR |- [ InitCR(A, B) ] A Honest(B)  ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig B {m, n, A}}}), Receive(A, {B,A,{n, sig B {m, n, A}}}) ) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

Proof System Sample Axioms: Reasoning about possession: Has(A, {m} K )  Has(A, K)  Has(A, m) Has(A, {m,n})  Has(A, m)  Has(A, n) Reasoning about crypto primitives: Honest(X)   Decrypt(Y, enc X {m})  X=Y Honest(X)   Verify(Y, sig X {m})   m’ (  Send(X, m’)  Contains(m’, sig X {m}) Protocol-specific Rule: Honesty/Invariance rule Soundness Theorem: Every provable formula is valid

Outline Background Derivation System Compositional Logic Abstraction and Refinement Methods Applications Conclusions and Future Work

Protocol Templates Protocols with function variables instead of specific cryptographic operations Idea: One template can be instantiated to many protocols Advantages: proof reuse design principles/patterns

Example A  B: m B  A: n, F(B,A,n,m) A  B: G(A,B,n,m) A  B: m B  A: n,E KAB (n,m,B) A  B: E KAB (n,m) A  B: m B  A: n,H KAB (n,m,B) A  B: H KAB (n,m,A) A  B: m B  A: n, sig B (n,m,A) A  B: sig A (n,m,B) Challenge-Response Template ISO ISO SKID3 Abstraction Instantiations

Extending Formalism Language Extensions: Add function variables to term language for cords and logic (HOL) Semantics: Q |= φ  σQ |= σφ, for all substitutions σ eliminating all function variables Soundness Theorem: Every provable formula is valid

Abstraction-Instantiation Method(1) Characterizing protocol concepts Step 1: Under hypotheses about function variables and invariants, prove security property of template Step 2: Instantiate function variables to cryptographic operations and prove hypotheses. Benefit: Proof reuse

Example Challenge-Response Template A  B: m B  A: n, F(B,A,n,m) A  B: G(A,B,n,m) Step 1: Hypotheses: Function F(B,A,n,m) can be computed only by B or A,… Property: Mutual authentication Step 2: Instantiate F() to signature, keyed hash, encryption (ISO ,3, SKID3) Satisfies hypotheses => Guarantees mutual authentication

Proof Structure Template axiomhypothesis Instance Discharge hypothesis Proof reuse

Abstraction-Instantiation Method(2) Combining protocol templates If protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both. Benefits: Modular proofs of properties Formalization of protocol refinements

Refinement Example Revisited Two templates: Template 1: authentication + shared secret (Preserves existing properties; proof reused) Template 2: identity protection (encryption) (Adds new property) A  B: g a, A B  A: g b, E K {sig B {g a, g b, A}} A  B: E K {sig A {g a, g b, B}} Encrypt Signatures

Authenticated key exchange A  B: g a, A B  A: g b, F(B,A,g b,g a ) A  B: G(A,B,g a,g b ) A  B: g a B  A: g b, F(B,g b,g a ), F’(B,g ab ) A  B: G(A,g a, g b ), G’(A,g ab ) AKE1AKE2 Shared secret Stronger authentication Identity protection for B Non-repudiation Shared secret Weaker authentication Identity protection for A Repudiability H. Krawczyk: The Cryptography of the IPSec and IKE Protocols [CRYPTO’03] ISO , JFKi STS, JFKr, IKEv2, SIGMA

More examples… Authenticated Key Exchange: Template for JFKr, STS, IKE, IKEv2 Key Computation: Template for Diffie-Hellman, UM, MTI/A, MQV Combining these templates

Synthesis: STS-MQV STS PH cookie STS P MQV CPH MQV CP MQV C key conf. MQV RFK protect identities DH STS RFK symmetric hash MTI/A UM MTI C UM C MTI CP UM CP MTI CPH UM CPH MTI RFK UM RFK authenticate

Conclusions Abstraction-Instantiation using protocol templates: Single proof for similar protocols from common template Multiple protocol properties from different templates Logical foundation: Add function variables to protocol language and logic Applications: CR template: ISO ,3, SKID3 Identity protection refinement in JFK Design principles: IKEv2, JFKi, JFKr, ISO, STS, SIGMA, IKE Synthesis: DH-MQV + STS-JFKr

Future Work Done: Derivation idea successfully applied to large set of protocol examples Rigorous treatment of composition, refinement in protocol logic Work In Progress: Tool support for derivation system and logic Formalization of protocol transformations More applications