Logic for Protocol Composition A. Datta, A. Derek, J. Mitchell, D. Pavlovic.


Goals
• Protocol derivation
  – Build security protocols by combining parts from standard sub-protocols
• Proof of correctness
  – Prove protocols correct using logic that follows steps of derivation
Current state of our art: derivation and correctness proofs not quite in sync

Example 1
• Diffie-Hellman
  X → Y: g^x
  Y → X: g^y
Shared secret (with someone)
  – X deduces: Knows(Z, g^xy) ⊃ Knows(Z, y)
Authenticated
Identity Protection

Example 2
• Challenge Response:
  A → B: m, A
  B → A: n, sig_B{n, m, A}
  A → B: sig_A{m, n, B}
Shared secret (with someone)
Authenticated
  – A deduces: Created(B, n) ∧ Sent(B, msg2)
Identity Protection

Composition
• ISO protocol:
  A → B: g^a, A
  B → A: g^b, sig_B{g^b, g^a, A}
  A → B: sig_A{g^a, g^b, B}
Shared secret g^ab
Authenticated
Identity Protection

Refinement
• Encrypt signatures:
  A → B: g^a, A
  B → A: g^b, E_K{sig_B{g^b, g^a, A}}
  A → B: E_K{sig_A{g^a, g^b, B}}
Shared secret g^ab
Authenticated
Identity Protection

Basic challenge-response
[Figure, repeated on each slide of this sequence: derivation graph; node labels as extracted: CR CR-E CR-S 1 CR-E 1 NSL 0 STS 0 CR-S]
Messages between A and B shown on each successive slide (text boxes separated by semicolons):

c(m); r(m)
A: “B was alive after m was generated.”
B: “X wants to talk, and knows that I am alive.”
[A and B know each other.]

E_B(m); m
A: “B was alive after m was generated.”
B: “X wants to talk, and knows that I am alive.”
[A and B know each other.]

E_B(m); m; E_A(n); n

E_B(m); m, E_A(n); n

E_B(m); E_A(m,n); E_B(n)

m; S_B(m)

m; S_B(m); n; S_A(n)

m; S_B(m), n; S_A(n)

m; S_B(m), n, n; S_A(n), m

m; S_B(m,n), n; S_A(n,m)
B: “A wants to talk, was alive after n was generated and knows that I am alive after m.”
[A and B know each other.]
A: “B accepts session, was alive after m was generated and knows that I am alive after n.”

STS family
m = g^x, n = g^y, k = g^xy
[Figure, repeated on each slide of this sequence: derivation graph; node labels as extracted: STS 0, STS a, STS aH, STS H, STS 0H, STS P, STS PH, JFK 0, JFK 1, JFK, RFK; edge labels: distribute certificates, cookie, open responder, symmetric hash, protect identities]
Messages shown on each successive slide (text boxes separated by semicolons):

m; S_B(m,n), n; S_A(n,m)

m; n, H mn; m, n, H mn, S_A(m,n); S_B(n,m)

m; C_B, S_B(m,n), n; C_A, S_A(n,m)

m; n, H mn; m, n, H mn, C_A, S_A(m,n); C_B, S_B(n,m)

m; n, C_B, H mn; m, n, H mn, C_A, S_A(m,n); S_B(n,m)

m; n, C_B, E_k(S_B(n,m)); C_A, E_k(S_A(m,n))

m; n, H mn; m, n, H mn, C_A, E_k(S_A(m,n)); C_B, E_k(S_B(n,m))

m; n, C_B, H mn; m, n, H mn, C_A, E_k(S_A(m,n,C_B)); E_k(S_B(n,m))

m; n, E_k(C_B, S_B(n,m)); E_k(C_A, S_A(m,n))

m; n, H mn; m, n, H mn, E_k(C_A, S_A(m,n)); E_k(C_B, S_B(n,m))

m; n, C_B, H mn; m, n, H mn, E_k(C_A, S_A(m,n,C_B)); E_k(S_B(n,m))

m; n, H mn; m, n, H mn, E_k(C_A, S_A(m,n)), #(I); E_k(C_B, S_B(n,m)), #(R)

Protocol logic
• Alice’s information
  – Protocol
  – Private data
  – Sends and receives
[Figure: Honest Principals, Attacker; labels: Send, Receive, Protocol, Private Data]

Example (over used)
[Diagram: messages between A and B: { A, Nonce_a }, { Nonce_a, … }; key labels as extracted: KaKa Kb]
• Alice assumes that only Bob has Kb^-1
• Alice generated Nonce_a and knows that some X decrypted first message
• Since only X knows Kb^-1, Alice knows X=Bob

More subtle example: Bob’s view
[Diagram: messages between A and B: { A, Nonce_a }, { Nonce_a, B, Nonce_b }, { Nonce_b }; key labels as extracted: KaKa Kb]
• Bob assumes that Alice follows protocol
• Since Alice responds to second message, Alice must have sent the first message

Execution model
• Protocol
  – “Program” for each protocol role
• Initial configuration
  – Set of principals and key
  – Assignment of  1 role to each principal
• Run
[Figure: run diagram; labels as extracted: x, z, {x}_B, ({x}_B), {z}_B, decr, A, B, C, ({z}_B), Position in run]

Formulas true at a position in run
• Action formulas
  a ::= Send(P,m) | Receive(P,m) | New(P,t) | Decrypt(P,t) | Verify(P,t)
• Formulas
   ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) |  |  1   2 |  x  |  | 
• Example
  After(a,b) =  (b   a)

Modal Formulas
• After actions, condition
  [ actions ] P  where P =  princ, role id 
• Before/after assertions
   [ actions ] P 
• Composition rule
   [ S ] P   [ T ] P   [ ST ] P 

Example: Bob’s view of NSL
• Bob knows he’s talking to Alice
  [ recv encrypt( Key(B),  A,m  );
    new n;
    send encrypt( Key(A),  m, B, n  );
    recv encrypt( Key(B), n ) ] B
  Honest(A)  Csent(A, msg1)  Csent(A, msg3)
  where Csent(A, …)  Created(A, …)  Sent(A, …)
[Callouts on the slide: msg1, msg3]

Soundness of composition rule
• Formula
   [ S ] P 
• Means
  For any sequence of actions S’
  If [ S’ ] P  then [ S’S ] P 
• Therefore
   [ S ] P   [ T ] P   [ ST ] P 

Application DH + CR = ISO
• Initiator role of DH
  [ new a ] I Fresh(I, g^a)  HasAlone(I, a)
• Initiator role of CR
  Fresh(I, m) [send … receive … B… send] Honest(B)  ActionsInOrder(…)
• Combination
  – Substitute g^a for m in CR
  – Apply composition rule, persistence
  – Obtain assertion about ISO initiator
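
The combination step above, worked symbolically as an added example (not code from the slides or from the authors' tools). It assumes the sequencing reading of the composition rule, in which T may follow S only when S establishes T's precondition; the tuple encoding, the `CRGuarantee` stand-in and the substitution of g^b for n are assumptions made for the illustration, and persistence is not modelled.

```python
# Added example: symbolic terms are nested tuples; variables are plain strings.
def g(x):
    return ("exp", "g", x)            # the Diffie-Hellman value g^x

def sig(signer, *fields):
    return ("sig", signer, fields)    # sig_signer{fields}

def subst(term, env):
    """Replace variables in a term (or fact) according to env."""
    if isinstance(term, str):
        return env.get(term, term)
    return tuple(subst(t, env) for t in term)

# An assertion is (precondition facts, actions, postcondition facts).
DH_INIT = (set(), [("new", "a")],
           {("Fresh", "I", g("a")), ("HasAlone", "I", "a")})

CR_INIT = (
    {("Fresh", "I", "m")},
    [("send", ("m", "A")),
     ("recv", ("n", sig("B", "n", "m", "A"))),
     ("send", (sig("A", "m", "n", "B"),))],
    # Opaque stand-in for the slide's Honest(B) / ActionsInOrder(...) guarantee.
    {("CRGuarantee", "I", "B")},
)

def instantiate(assertion, env):
    pre, actions, post = assertion
    return ({subst(f, env) for f in pre},
            [(kind, subst(t, env)) for kind, t in actions],
            {subst(f, env) for f in post})

def compose(s, t):
    """Sequence S then T; allowed only if S establishes T's precondition."""
    missing = t[0] - s[2]
    if missing:
        raise ValueError("not established by S: " + ", ".join(map(repr, missing)))
    return (s[0], s[1] + t[1], t[2])

def iso_initiator():
    # Substitute g^a for m (and the responder's g^b for n), then compose.
    return compose(DH_INIT, instantiate(CR_INIT, {"m": g("a"), "n": g("b")}))

def messages(assertion):
    return [t for kind, t in assertion[1] if kind in ("send", "recv")]

if __name__ == "__main__":
    for msg in messages(iso_initiator()):
        print(msg)
```

Composing `DH_INIT` with the uninstantiated `CR_INIT` raises `ValueError`, because Fresh(I, m) is not among the facts that [ new a ] establishes until m is replaced by g^a.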

Additional issues
• Reasoning about honest principals
  – Invariance rule, called “honesty rule”
• Preservation of invariants under composition
  – If we prove Honest(X)   for protocol 1 and compose with protocol 2, is formula still true?

Bidding conventions (motivation)
• Blackwood response to 4NT
  – 5  : 0 or 4 aces
  – 5  : 1 ace
  – 5 : 2 aces
  – 5  : 3 aces
• Reasoning
  – If my partner is following Blackwood, then if she bid 5, she must have 2 aces

OLD Honesty rule (rule scheme)
   roles R of Q.  initial segments A  R. Q |- [ A ] X  Q |- Honest(X)  
• This is a finitary rule:
  – Typical protocol has 2-3 roles
  – Typical role has 1-3 receives
  – Only need to consider A waiting to receive

Honesty rule
• Preliminary: basic sequence of actions
  – B is a basic sequence of S if S = S1 B S2 and B, S2 begin with read
• Rule
  [ ] X  For all B  BasicSeq(Q).  [B] X  Q |- Honest(X)  
• Example
  Honest(X)  (Sent(X, m2)  Recd(X, m1))

Treatment of Invariants
• Prove assertions from invariants
   |-  […] P 
• Invariant weakening rule
   |-  […] P     ’ |-  […] P 
• Prove invariants from protocol
  Q |-  Q’ |-  Q  Q’ |- 
If combining protocols, extend assertions to combined invariants
Use honesty (invariant) rule to show that both protocols preserve assumed invariants

Conclusions
• Composition
   [ S ] P   [ T ] P   [ ST ] P 
• Invariant combination
   |-  […] P     ’ |-  […] P 
  Q |-  Q’ |-  Q  Q’ |- 