Protocol Composition Logic John Mitchell Stanford TECS Week2005

Five-Minute University uEverything you could remember, five years after graduating from University … ? Father Guido Sarducci

TECS Week Lectures Summary uModel checking This is a method you can use –Murphi, Prism, Mocha, … can be downloaded –The lecture and handouts explain the method uProtocol Examples SSS, key management, contract signing uOther methods and tools Isabelle (or PVS) theorem proving A specialized protocol logic –Put theorem-proving method in systematic form Connections with cryptography –Equational specifications, process calculus, probability

Intuition for protocol logic uReason about local information I chose a new number I sent it out encrypted I received it decrypted Therefore: someone decrypted it uIncorporate knowledge about protocol Protocol: Server only answers if sent a request If server not corrupt and –I receive an answer from the server, then –the server must have received a request

Intuition: Picture uAlice’s information Protocol Private data Sends and receives Honest Principals, Attacker Protocol Private Data

Example: Challenge-Response AB m, A n, sig B {m, n, A} sig A {m, n, B} uAlice reasons: if Bob is honest, then: only Bob can generate his signature. [protocol independent] if Bob generates a signature of the form sig B {m, n, A}, –he sends it as part of msg2 of the protocol and –he must have received msg1 from Alice [protocol dependent] Alice deduces: Received (B, msg1) Λ Sent (B, msg2)

Formalizing the Approach uLanguage for protocol description Write program for each role of protocol uProtocol logic State security properties Specialized form of temporal logic uProof system Formally prove security properties Supports modular proofs

Cords u Protocol programming language –Server = [receive x; new n; send {x, n}] uBuilding blocks Terms –names, nonces, keys, encryption, … Actions –send, receive, pattern match, …

Terms t ::=cconstant term xvariable Nname Kkey t, ttupling sig K {t}signature enc K {t}encryption Example: x, sig B {m, x, A} is a term

Actions and Cords u Actions send t; send a term t receive x; receive a term into variable x match t/p(x); match term t against p(x) uCord Sequence of actions uNotation Some match actions are omitted in slides receive sigB{A, n} means receive x; match x/sigB{A, n}

Challenge-Response as Cords AB m, A n, sig B {m, n, A} sig A {m, n, B} InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

Execution Model uProtocol Cord gives program for each protocol role uInitial configuration Set of principals and keys Assignment of  1 role to each principal uRun new x send {x} B receive {x} B A B C Position in run receive {z} B new z send {z} B

Formulas true at a position in run uAction formulas a ::= Send(P,m) | Receive (P,m) | New(P,t) | Decrypt (P,t) | Verify (P,t) uFormulas  ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t 1, t 2 ) |  |  1   2 |  x  |   |   uExample After(a,b) =  (b   a)

Modal Formulas uAfter actions, postcondition [ actions ] P  where P =  princ, role id  uBefore/after assertions  [ actions ] P  uComposition rule  [ S ] P   [ T ] P   [ ST ] P  Note: same P in all formulas

Security Properties uAuthentication for Initiator CR |  [ InitCR(A, B) ] A Honest(B)  ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig B {m, n, A}}}), Receive(A, {B,A,{n, sig B {m, n, A}}}) ) uShared secret NS |  [ InitNS(A, B) ] A Honest(B)  ( Has(X, m)  X=A  X=B )

Semantics uProtocol Q Defines set of roles (e.g, initiator, responder) Run R of Q is sequence of actions by principals following roles, plus attacker uSatisfaction Q, R |  [ actions ] P  Some role of P in R does exactly actions and  is true in state after actions completed Q |  [ actions ] P  Q, R |  [ actions ] P  for all runs R of Q

Proof System uGoal: prove properties formally uAxioms Simple formulas provable by hand uInference rules Proof steps uTheorem Formula obtained from axioms by application of inference rules

Sample axioms about actions uNew data [ new x ] P Has(P,x) [ new x ] P Has(Y,x)  Y=P uActions [ send m ] P  Send(P,m) uKnowledge [receive m ] P Has(P,m) uVerify [ match x/sig X {m} ] P  Verify(P,m)

Reasoning about knowledge uPairing Has(X, {m,n})  Has(X, m)  Has(X, n) uEncryption Has(X, enc K (m))  Has(X, K -1 )  Has(X, m)

Encryption and signature uPublic key encryption Honest(X)   Decrypt(Y, enc X {m})  X=Y uSignature Honest(X)   Verify(Y, sig X {m})   m’ (  Send(X, m’)  Contains(m’, sig X {m})

Sample inference rules uPreservation rules  [ actions ] P Has(X, t)  [ actions; action ] P Has(X, t) uGeneric rules  [ actions ] P   [ actions ] P   [ actions ] P   

Bidding conventions (motivation) uBlackwood response to 4NT –5  : 0 or 4 aces –5  : 1 ace –5 : 2 aces –5  : 3 aces uReasoning If my partner is following Blackwood, then if she bid 5, she must have 2 aces

Honesty rule (rule scheme)  roles R of Q.  initial segments A  R. Q |- [ A ] X  Q |- Honest(X)   This is a finitary rule: –Typical protocol has 2-3 roles –Typical role has 1-3 receives –Only need to consider A waiting to receive

Honesty rule (example use)  roles R of Q.  initial segments A  R. Q |- [ A ] X  Q |- Honest(X)   Example use: –If Y receives a message from X, and Honest(X)  (Sent(X,m)  Received(X,m’)) then Y can conclude Honest(X)  Received(X,m’))

Correctness of CR CR |- [ InitCR(A, B) ] A Honest(B)  ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig B {m, n, A}}}), Receive(A, {B,A,{n, sig B {m, n, A}}}) ) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

Correctness of CR – step 1 1. A reasons about it’s own actions CR |- [ InitCR(A, B) ] A  Verify(A, sig B {m, n, A}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

Correctness of CR – step 2 2. Properties of signatures CR |- [ InitCR(A, B) ] A Honest(B)   m’ (  Send(B, m’)  Contains(m’, sig B {m, n, A}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

Correctness of CR – Honesty Honesty invariant CR |- Honest(X)   Send(X, m’)  Contains(m’, sig x {y, x, Y})    New(X, y)  m= X, Y, {x, sig B {y, x, Y}}   Receive(X, {Y, X, {y, Y}}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

Correctness of CR – step 3 3. Use Honesty rule CR |- [ InitCR(A, B) ] A Honest(B)   Receive(B, {A,B,m}), InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

Correctness of CR – step 4 4. Use properties of nonces for temporal ordering CR |- [ InitCR(A, B) ] A Honest(B)  Auth InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

Complete proof

What does proof tell us? u Soundness Theorem: If Q |-  then Q |=  If  is provable about protocol Q, then  is true about protocol Q. u  true in every run of Q Dolev-Yao intruder Unbounded number of participants

Weak Challenge-Response AB m n, sig B {m, n} sig A {m, n} InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]

Correctness of WCR – step 1 1. A reasons about it’s own actions WCR |- [ InitWCR(A, B) ] A  Verify(A, sig B {m, n}) InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]

Correctness of WCR – step 2 2. Properties of signatures CR |- [ InitCR(A, B) ] A Honest(B)   m’ (  Send(B, m’)  Contains(m’, sig B {m, n, A}) InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]

Correctness of WCR – Honesty Honesty invariant CR |- Honest(X)   Send(X, m’)  Contains(m’, sig x {y, x})    New(X, y)  m= X, Z, {x, sig B {y, x}}   Receive(X, {Z, X, {y, Z}}) InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]

Correctness of WCR – step 3 3. Use Honesty rule WCR |- [ InitWCR(A, B) ] A Honest(B)   Receive(B, {Z,B,m}), InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]

Result uWCR does not have the strong authentication property for the initiator uCounterexample Intruder can forge senders and receivers identity in first two messages –A -> X(B)m –X(C) -> Bm –B -> X(C) n, sig B (m, n) –X(B) ->An, sig B (m, n)

Extensions uAdd Diffie-Hellman primitive Can prove authentication and secrecy for key exchange protocols (STS, ISO ) uAdd symmetric encryption, hashing Can prove authentication for ISO , SKID3

Composition Rules uProve assertions from invariants  |-  […]P  uInvariant weakening rule  |-  […]P     ’ |-  […]P  uProve invariants from protocol Q   Q’   Q  Q’   If combining protocols, extend assertions to combined invariants Use honesty (invariant) rule to show that both protocols preserve assumed invariants

Combining protocols DH  Honest(X)  …CR  Honest(X)  … ’’  |- Secrecy  ’ |- Authentication  ’ |- Secrecy  ’ |- Authentication  ’ |- Secrecy  Authentication DH  CR   ’ ISO  Secrecy  Authentication =

Protocol Templates uProtocols with function variables instead of specific operations One template can be instantiated to many protocols uAdvantages: proof reuse design principles/patterns

Extending Formalism uLanguage Extension Add function variables to term language for cords and logic (HOL) uSemantics Q |= φ  σQ |= σφ, for all substitutions σ eliminating all function variables uSoundness Theorem Every provable formula is valid

Example A  B: m B  A: n, F(B,A,n,m) A  B: G(A,B,n,m) A  B: m B  A: n,E KAB (n,m,B) A  B: E KAB (n,m) A  B: m B  A: n,H KAB (n,m,B) A  B: H KAB (n,m,A) A  B: m B  A: n, sig B (n,m,A) A  B: sig A (n,m,B) Challenge-Response Template ISO ISO SKID3 Abstraction Instantiation

Proof Structure Template axiomhypothesis Instance Discharge hypothesis

Modular proof techniques (2) uCombining protocol templates If protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both. uBenefits: Modular proofs of properties Formalization of protocol refinements

Refinement Example Revisited uTwo templates: Template 1: authentication + shared secret –(Preserves existing properties; proof reused) Template 2: identity protection (encryption) –(Adds new property) A  B: g a, A B  A: g b, E K { sig B {g a, g b, A} } A  B: E K { sig A {g a, g b, B} } Encrypt Signatures

A  B: g a, A B  A: g b, F(B,A,g b,g a ) A  B: G(A,B,g a,g b ) A  B: g a B  A: g b, F(B,g b,g a ), F’(B,g ab ) A  B: G(A,g a, g b ), G’(A,g ab ) AKE1AKE2 Shared secret Stronger authentication Identity protection for B Non-repudiation Shared secret Weaker authentication Identity protection for A Repudiability H. Krawczyk: The Cryptography of the IPSec and IKE Protocols [CRYPTO’03] ISO , JFKi STS, JFKr, IKEv2, SIGMA Authenticated key exchange

Sample projects using this method uKey exchange STS family, JFK, IKEv2 Diffie-Hellman -> MQV GDOI [Meadows, Pavlovic] uWork in progress, mostly done SSL verification Wireless i uImplementation of logic Student project, using Isabelle

Symbolic vs Computational model uSuppose  |- [actions] X  If a protocol P satisfies invariants , then if X does actions,  will be true uSymbolic soundness No idealized adversary acting against “perfect” cryptography can make  fail uComputational soundness No probabilistic polytime adversary can make  fail with nonnegligible probability