Protocol Composition Logic II
Anupam Datta
Fall A: Foundations of Security and Privacy
Protocol Analysis Techniques

Crypto protocol analysis
- Formal models (Dolev-Yao, perfect cryptography)
  - Protocol logics: BAN, PCL
  - Model checking: Murphi, AVISPA
  - Inductive proofs: Paulson, MSR
  - Process calculi: applied π-calculus, ...
- Computational models
  - Random oracle
  - Probabilistic process calculi
  - Probabilistic I/O automata
  - ...
Protocol Composition Logic
- Intuition
- Formalism
  - Protocol programming language
  - Protocol logic
  - Proof system
- Example: signature-based challenge-response
- Proof techniques  [TODAY]
Example: JFK Protocol
- Recall the earlier lecture on the design of JFK.
- Today we describe the corresponding proof techniques, building the protocol up from three ingredients.
Ingredient 1: Diffie-Hellman
  A -> B: g^a
  B -> A: g^b
- Shared secret g^ab: yes
- Authentication: no (neither party is authenticated)
- Identity protection: no
Ingredient 2: Challenge-Response
  A -> B: m, A
  B -> A: n, sig_B{m, n, A}
  A -> B: sig_A{m, n, B}
- Shared secret: no
- Authentication: yes
- Identity protection: no (identities and signatures travel in the clear)
DH + Challenge-Response = ISO protocol
  A -> B: g^a, A
  B -> A: g^b, sig_B{g^a, g^b, A}
  A -> B: sig_A{g^a, g^b, B}
Obtained by substituting m := g^a and n := g^b into challenge-response.
- Shared secret g^ab: yes
- Authentication: yes
- Identity protection: no
Formalized as sequential composition.
Ingredient 3: Encryption
Encrypt the signatures to protect identities:
  A -> B: g^a, A
  B -> A: g^b, E_K{sig_B{g^a, g^b, A}}
  A -> B: E_K{sig_A{g^a, g^b, B}}
- Shared secret g^ab: yes
- Authentication: yes
- Identity protection: yes (against a passive observer; A's identity is still sent in the first message)
Formalized using abstraction-refinement.
PCL Proof Techniques
- Modular proofs
  - Parallel composition
  - Sequential composition
- Generic template-style proofs
  - Function variables
  - Higher-order logic extension
Parallel Composition of Protocols
- The parallel composition Q1 | Q2 of protocols Q1 and Q2 is the union of the sets of roles of Q1 and Q2.
- Example: IKEv2 | SSL
Compositional Proofs: Intuition
- Protocol-specific reasoning
  "If honest Bob generates a signature of the form sig_B{m, n, A}, he sends it as part of msg2 ..."
  Could break under composition: Bob's signature from one protocol could be used to attack another.
  Handled in the PCL proof system by the invariant rule.
- Protocol-independent reasoning
  The axiom stating unforgeability of signatures, and all other axioms and proof rules of PCL.
  Still good: unaffected by composition.
Proof Tree
  Axioms, INV rule, other rules  ==>  Inv |- Auth      (security property; the bulk of the proof, reused as-is)
  Q1 |- Inv                                           (protocol-specific part)
  Q2 |- Inv                                           (additional work when composing with Q2)
  Q1 | Q2 |- Inv
Theorem: if Q |- Inv and Q' |- Inv, then Q | Q' |- Inv.  [DDMP CSF'03 -> JCS special issue; MFPS'03]
Parallel Composition Theorem
IF   Q1 satisfies a security property in isolation, and
     Q2 respects the invariants of Q1 used in the proof of that property,
THEN Q1 | Q2 also satisfies the security property.
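The side condition of the theorem, "Q2 respects the invariants of Q1", can be checked mechanically once the invariant is stated over message shapes. The following is an added example, not code from the lecture: it models the invariant quoted two slides earlier (honest Bob signs a payload of the form sig_B{m, n, A} only in ISO's msg2) and rejects a composition in which the other protocol's honest roles could produce a signature of the same shape. The protocols other than ISO, the `tagged` refinement, and the shape language (constants plus `VAR`) are assumptions made for illustration; this is a simplified stand-in for PCL's invariant rule, not its implementation.

```python
"""Side condition of the parallel composition theorem (added example).

A protocol is summarised by its roles and by the shapes of the payloads its
honest roles sign; a shape is a tuple of constants (str) and variables (VAR).
Q1's invariant is taken from the slide: an honest B signs a payload of the
form sig_B{m, n, A} only as part of Q1's msg2.  Q2 respects that invariant
when nothing Q2's honest roles sign could be mistaken for such a payload,
i.e. no Q2 shape unifies with it.  Every protocol below except ISO is
constructed for illustration and is not a real protocol.
"""
VAR = None


def unifies(s, t):
    """Shapes unify when arities match and constants agree wherever both are fixed."""
    return len(s) == len(t) and all(a is VAR or b is VAR or a == b for a, b in zip(s, t))


def signed_shapes(Q):
    return [shape for _msg, shape in Q["signs"]]


def respects(Q2, Q1):
    """Q2 respects Q1's invariant: no Q2 signature shape unifies with a Q1 one."""
    return not any(unifies(s1, s2) for s1 in signed_shapes(Q1) for s2 in signed_shapes(Q2))


def parallel_compose(Q1, Q2):
    """Q1 | Q2 is the union of roles; admitted only if each respects the other's invariants."""
    if not (respects(Q2, Q1) and respects(Q1, Q2)):
        raise ValueError(f"{Q1['name']} | {Q2['name']}: a signature shape is shared")
    return {"name": f"{Q1['name']} | {Q2['name']}",
            "roles": Q1["roles"] | Q2["roles"],
            "signs": Q1["signs"] + Q2["signs"]}


# ISO as on the slide: msg2 carries sig_B{g^a, g^b, A}, msg3 carries sig_A{g^a, g^b, B}.
ISO = {"name": "ISO", "roles": {"Init", "Resp"},
       "signs": [("msg2", (VAR, VAR, VAR)), ("msg3", (VAR, VAR, VAR))]}
# Hypothetical protocol whose server signs (nonce, nonce, client): same arity as ISO's msg2.
Q2_PLAIN = {"name": "Q2", "roles": {"Client", "Server"},
            "signs": [("msg2", (VAR, VAR, VAR))]}
# Hypothetical protocol that only signs (nonce, client) pairs: never looks like an ISO signature.
Q2_PAIR = {"name": "Q2pair", "roles": {"Client", "Server"},
           "signs": [("msg2", (VAR, VAR))]}


def tagged(Q, tag):
    """Refinement: prefix every signed payload with a protocol-specific constant."""
    return {"name": Q["name"] + "+tag", "roles": Q["roles"],
            "signs": [(msg, (tag,) + shape) for msg, shape in Q["signs"]]}


def composable(Q1, Q2):
    """True when parallel_compose admits Q1 | Q2."""
    try:
        parallel_compose(Q1, Q2)
        return True
    except ValueError:
        return False
```

`composable(ISO, Q2_PAIR)` succeeds because a two-field signature can never be confused with ISO's three-field one, while `composable(ISO, Q2_PLAIN)` fails: the untagged three-field shape unifies with ISO's msg2 shape. Tagging both protocols (`tagged(ISO, "iso")`, `tagged(Q2_PLAIN, "q2")`) restores composability, which is the usual way to make a protocol respect another's invariants without re-proving it.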
Sequential Composition of Protocols
- Run protocols in sequence.
- Examples
  - Key exchange followed by secure sessions that use the exchanged key
  - Diffie-Hellman followed by challenge-response = ISO
ISO Key Exchange
  A -> B: g^a, A
  B -> A: g^b, sig_B{g^a, g^b, A}
  A -> B: sig_A{g^a, g^b, B}
Shared secret: g^ab
- Authentication: do we need to prove it from scratch?
- Goal: combine the proofs of the Diffie-Hellman and challenge-response sub-protocols.
Abstract Challenge-Response
- Free variables m and n instead of nonces.
- Modal form: precondition [actions] postcondition
    Fresh(A, m) [InitACR]_A Honest(B) => Authentication
- Secrecy is proved from properties of Diffie-Hellman.

  InitACR(A, X, m) = [ send A, X, {m};
                       receive X, A, {x, sig_X{m, x}};
                       send A, X, sig_A{m, x}; ]
  RespACR(B, n)    = [ receive Y, B, {y};
                       send B, Y, {n, sig_B{y, n}};
                       receive Y, B, sig_Y{y, n}; ]
Diffie-Hellman: Property
- Formula: true [ new a ]_A Fresh(A, g^a)
- Diffie-Hellman property:
  - g^ab can be computed given g^a and b, or given g^b and a
  - g^ab cannot be computed given only g^a and g^b
Challenge-Response: Property
Modal form: precondition [actions]_P postcondition
  Fresh(A, m) [ Initiator role actions ]_A Honest(B) =>
    ActionsInOrder( send(A, {A, B, m}),
                    receive(B, {A, B, m}),
                    send(B, {B, A, {n, sig_B{m, n, A}}}),
                    receive(A, {B, A, {n, sig_B{m, n, A}}}) )
Composition: DH + CR = ISO
- Additive combination
  - The DH postcondition Fresh(A, g^a) matches the CR precondition Fresh(A, m).
  - Sequential composition: substitute g^a for m in CR to obtain ISO, then apply the composition rule. The ISO initiator role inherits CR authentication.
  - DH secrecy is also preserved, proved by another application of the composition rule.
- Nondestructive combination
  - DH and CR satisfy each other's invariants.
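The composition just described, run end to end, as an added example that is not part of the lecture: the abstract challenge-response roles InitACR/RespACR take the challenge as a parameter, the DH step supplies g^a and g^b for m and n, and the recorded trace is checked against the ActionsInOrder postcondition from the challenge-response property slide. Cryptography is symbolic (Dolev-Yao terms, as in PCL's formal model), and the Diffie-Hellman group is a toy modulus chosen so the block runs on the standard library alone; both are assumptions for illustration, and the group is not a secure parameter choice.

```python
"""ISO key exchange as the sequential composition DH ; CR (added example).

A signature is the term ('sig', signer, payload): readable by anyone, built
only by the signer's own role code.  The DH group is a toy group (assumption
so the block needs only the standard library; NOT a secure parameter choice).
"""
import secrets

P = (1 << 127) - 1   # assumption: toy modulus, NOT a secure DH group
G = 3


def sig(signer, payload):
    return ("sig", signer, tuple(payload))


def check_sig(term, signer, payload):
    return term == ("sig", signer, tuple(payload))


class Trace:
    """Ordered record of send/receive actions: the vocabulary of ActionsInOrder."""
    def __init__(self):
        self.events = []

    def send(self, who, msg):
        self.events.append(("send", who, msg))
        return msg

    def receive(self, who, msg):
        self.events.append(("receive", who, msg))
        return msg


def dh_new():
    """Ingredient 1, the 'new a' action; postcondition Fresh(A, g^a)."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)


class InitACR:
    """Abstract CR initiator InitACR(A, X, m): m is a free variable, not a nonce."""
    def __init__(self, A, X, m, trace):
        self.A, self.X, self.m, self.trace = A, X, m, trace

    def msg1(self):
        return self.trace.send(self.A, (self.A, self.X, (self.m,)))

    def msg3(self, msg2):
        _, _, (x, s) = self.trace.receive(self.A, msg2)
        if not check_sig(s, self.X, (self.m, x, self.A)):
            raise ValueError("msg2 signature does not bind (m, x, A)")
        self.x = x
        return self.trace.send(self.A, (self.A, self.X, sig(self.A, (self.m, x, self.X))))


class RespACR:
    """Abstract CR responder RespACR(B, n)."""
    def __init__(self, B, n, trace):
        self.B, self.n, self.trace = B, n, trace

    def msg2(self, msg1):
        Y, _, (y,) = self.trace.receive(self.B, msg1)
        self.Y, self.y = Y, y
        return self.trace.send(self.B, (self.B, Y, (self.n, sig(self.B, (y, self.n, Y)))))

    def finish(self, msg3):
        _, _, t = self.trace.receive(self.B, msg3)
        if not check_sig(t, self.Y, (self.y, self.n, self.B)):
            raise ValueError("msg3 signature does not bind (y, n, B)")


def run_iso(A="Alice", B="Bob"):
    """ISO = DH ; CR: run DH, then substitute m := g^a and n := g^b into CR."""
    trace = Trace()
    a, ga = dh_new()                  # DH postcondition Fresh(A, g^a) ...
    b, gb = dh_new()
    init = InitACR(A, B, ga, trace)   # ... is exactly CR's precondition Fresh(A, m)
    resp = RespACR(B, gb, trace)
    resp.finish(init.msg3(resp.msg2(init.msg1())))
    # Shared secret g^ab: each side combines its own exponent with the peer's value.
    return trace, pow(init.x, a, P), pow(resp.y, b, P), (a, b)


def actions_in_order(trace, patterns):
    """ActionsInOrder(p1, ..., pk): patterns matched left to right by successive events."""
    i = 0
    for ev in trace.events:
        if i < len(patterns) and patterns[i](ev):
            i += 1
    return i == len(patterns)


def iso_authentication_holds(trace, A="Alice", B="Bob"):
    """CR postcondition with m := g^a, n := g^b, checked on the recorded trace."""
    def act(kind, who, pred):
        return lambda ev: ev[0] == kind and ev[1] == who and pred(ev[2])
    msg1 = lambda msg: msg[0] == A and msg[1] == B and len(msg[2]) == 1
    msg2 = lambda msg: msg[0] == B and msg[1] == A and msg[2][1][:2] == ("sig", B)
    return actions_in_order(trace, [act("send", A, msg1), act("receive", B, msg1),
                                    act("send", B, msg2), act("receive", A, msg2)])


def wire_leaks_exponent(trace, exponents):
    """Secrecy sanity check: no private exponent ever appears inside a message."""
    def atoms(t):
        if isinstance(t, tuple):
            for u in t:
                yield from atoms(u)
        else:
            yield t
    return any(x in exponents for ev in trace.events for x in atoms(ev[2]))
```

`run_iso()` returns the trace, both sides' g^ab, and the private exponents; `iso_authentication_holds` is the authentication postcondition inherited from CR, and `wire_leaks_exponent` is the trivial half of the DH secrecy argument (the exponents never leave the roles). Replacing the toy signature terms with real signatures would not change either check, which is the point of proving the property once for the abstract roles.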
Definition of Sequential Composition
Sequential Composition Theorem
- Both protocols must satisfy each other's invariants (as for parallel composition).
- The postcondition of the first protocol must match the precondition of the second.
PCL Proof Techniques (continued)
- Modular proofs: parallel composition, sequential composition
- Generic template-style proofs  [next]
  - Function variables
  - Higher-order logic extension
Protocol Templates
- Protocols with function variables instead of specific cryptographic operations.
- Idea: one template can be instantiated to many protocols.
- Advantages: proof reuse; design principles and patterns.  [DDMP CSF'04]
Example
Challenge-response template:
  A -> B: m
  B -> A: n, F(B, A, n, m)
  A -> B: G(A, B, n, m)
Instantiations:
  ISO (signatures):    A -> B: m ; B -> A: n, sig_B(n, m, A)   ; A -> B: sig_A(n, m, B)
  ISO (encryption):    A -> B: m ; B -> A: n, E_KAB(n, m, B)   ; A -> B: E_KAB(n, m)
  SKID3 (keyed hash):  A -> B: m ; B -> A: n, H_KAB(n, m, B)   ; A -> B: H_KAB(n, m, A)
Extending the Formalism
- Language extensions: add function variables to the term language for cords and to the logic (higher-order logic).
- Semantics: Q |= φ iff σQ |= σφ for all substitutions σ eliminating all function variables.
- Soundness theorem: every provable formula is valid.
Abstraction-Instantiation Method (1)
- Characterizing protocol concepts
  - Step 1: under hypotheses about the function variables and invariants, prove the security property of the template.
  - Step 2: instantiate the function variables to cryptographic operations and prove the hypotheses.
- Benefit: proof reuse.
Example: Challenge-Response Template
  A -> B: m
  B -> A: n, F(B, A, n, m)
  A -> B: G(A, B, n, m)
- Step 1: Hypotheses: F(B, A, n, m) can be computed only by B or A, ...
          Property: mutual authentication.
- Step 2: Instantiate F() to a signature, keyed hash, or encryption (the two ISO variants, SKID3).
          Each satisfies the hypotheses => each guarantees mutual authentication.
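The two steps above, made executable as an added example (not code from the lecture): a single template runner takes F and G as parameters, is instantiated to the three cryptographic operations from the instantiation slide, and a separate check attempts Step 2's hypothesis, that F(B, A, n, m) is computable only by B or A, by letting a party holding no keys try to compute F. Key possession is modelled Dolev-Yao style as a set of key names per party, signatures and encryption are symbolic terms, and the SKID3 instance uses a real HMAC; the key names, the `pack` encoding and the fourth, unkeyed-hash instance (included to show a hypothesis that does not discharge) are assumptions for illustration.

```python
"""Challenge-response template with function variables F and G (added example).

    A -> B: m ;  B -> A: n, F(B, A, n, m) ;  A -> B: G(A, B, n, m)

A party holds a set of key names; an instance of F or G can only be computed
while holding the keys it needs.  Signatures and encryption are symbolic terms
(assumption: no real public-key code, standard library only); SKID3 uses HMAC.
"""
import hashlib
import hmac
import secrets

K_AB = secrets.token_bytes(32)      # long-term key shared by A and B (constructed)
HELD = {"Alice": {"sk_Alice", "K_AB"}, "Bob": {"sk_Bob", "K_AB"}}


def need(held, key):
    if key not in held:
        raise PermissionError("cannot compute without " + key)


def pack(*parts):
    """Length-prefixed encoding so (n, m, B) cannot be re-parsed another way."""
    out = b""
    for p in parts:
        b = p if isinstance(p, bytes) else p.encode()
        out += len(b).to_bytes(2, "big") + b
    return out


def symbolic(name, tag, key_for, check_needs_key, fpay, gpay):
    """Instance whose F/G are terms (tag, key, payload); key_for(X) names X's key."""
    def F(held, B, A, n, m):
        need(held, key_for(B)); return (tag, key_for(B), fpay(B, A, n, m))
    def checkF(held, t, B, A, n, m):
        if check_needs_key: need(held, key_for(B))   # decrypting needs the key
        return t == (tag, key_for(B), fpay(B, A, n, m))
    def G(held, A, B, n, m):
        need(held, key_for(A)); return (tag, key_for(A), gpay(A, B, n, m))
    def checkG(held, t, A, B, n, m):
        if check_needs_key: need(held, key_for(A))
        return t == (tag, key_for(A), gpay(A, B, n, m))
    return dict(name=name, F=F, checkF=checkF, G=G, checkG=checkG)


def hashed(name, key):
    """Instance whose F/G are digests over pack(...); key=None means unkeyed."""
    def mac(held, payload):
        if key is None:
            return hashlib.sha256(payload).digest()
        need(held, key); return hmac.new(K_AB, payload, "sha256").digest()
    return dict(
        name=name,
        F=lambda held, B, A, n, m: mac(held, pack(n, m, B)),
        checkF=lambda held, t, B, A, n, m: hmac.compare_digest(t, mac(held, pack(n, m, B))),
        G=lambda held, A, B, n, m: mac(held, pack(n, m, A)),
        checkG=lambda held, t, A, B, n, m: hmac.compare_digest(t, mac(held, pack(n, m, A))),
    )


# ISO (signatures): sig_B(n, m, A) / sig_A(n, m, B); verification is public.
ISO_SIG = symbolic("ISO signatures", "sig", lambda X: "sk_" + X, False,
                   lambda B, A, n, m: (n, m, A), lambda A, B, n, m: (n, m, B))
# ISO (encryption): E_KAB(n, m, B) / E_KAB(n, m); checking means decrypting.
ISO_ENC = symbolic("ISO encryption", "enc", lambda X: "K_AB", True,
                   lambda B, A, n, m: (n, m, B), lambda A, B, n, m: (n, m))
SKID3 = hashed("SKID3", "K_AB")           # H_KAB(n, m, B) / H_KAB(n, m, A)
UNKEYED = hashed("unkeyed hash", None)    # anyone can compute F: hypothesis fails


def run(inst, A="Alice", B="Bob"):
    """Honest run of the template under one instantiation; True if both accept."""
    m, n = secrets.token_bytes(16), secrets.token_bytes(16)   # msg1: A -> B: m
    f = inst["F"](HELD[B], B, A, n, m)                        # msg2: B -> A: n, F
    ok_A = inst["checkF"](HELD[A], f, B, A, n, m)
    g = inst["G"](HELD[A], A, B, n, m)                        # msg3: A -> B: G
    ok_B = inst["checkG"](HELD[B], g, A, B, n, m)
    return ok_A and ok_B


def hypothesis_discharged(inst, A="Alice", B="Bob"):
    """Step 2: F(B, A, n, m) must be computable only by B (or A).  A party that
    holds no keys tries to compute it from the public values alone."""
    try:
        inst["F"](set(), B, A, secrets.token_bytes(16), secrets.token_bytes(16))
    except PermissionError:
        return True
    return False
```

All four instances complete an honest run, but only the three from the slide discharge the hypothesis; the unkeyed-hash instance runs just as happily and gives no authentication at all, which is exactly why Step 2 is not optional: the template theorem transfers mutual authentication only to instances whose F cannot be computed by an outsider.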
Proof Structure
  Template:  axiom ==> hypothesis ==> property
  Instance:  discharge the hypothesis; the template proof is reused.
Abstraction-Instantiation Method (2)
- Combining protocol templates: if protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both.
- Benefits: modular proofs of properties; formalization of protocol refinements.
Refinement Example Revisited
Two templates:
- Template 1: authentication + shared secret (preserves existing properties; proof reused)
- Template 2: identity protection by encrypting the signatures (adds a new property)
  A -> B: g^a, A
  B -> A: g^b, E_K{sig_B{g^a, g^b, A}}
  A -> B: E_K{sig_A{g^a, g^b, B}}
Summary
- PCL: a logic for security protocols
  - Sound with respect to symbolic and cryptographic models
  - High-level, short proofs: 2-3 pages
- Proof techniques
  - Modular/compositional proofs
  - Generic template-style proofs
- Proofs of industrial protocols: IEEE 802.11i (with TLS), Kerberos, GDOI, IKEv2 (unpublished), Mobile IPv6 (in progress)
- Implementation: not done
Thanks ! Questions?
Modular Analysis / Composition: IEEE 802.11i key management
  Laptop -- Access Point -- Authentication Server
- EAP-TLS: certificates to authorization (shared secret PMK)
- 4-way handshake: PMK to keys for data communication
- Group key: keys for broadcast communication
- Data protection: AES-based, using the keys above
20 messages in 4 components.  [HSDDM CCS'05 -> TISSEC special issue]