1. Protocol Composition Logic II
18739A: Foundations of Security and Privacy
Protocol Composition Logic II
Anupam Datta
Fall 2009

2. Proving Protocols Secure in PCL
Model protocol using programming language
Specify security property in logic
Prove that protocol has property using proof system (axioms and proof rules)
Example:
Signature-based challenge response discussed in class, recitation
Homework 2 requires you to work through a similar proof
Similar deductive reasoning works for practical protocols – SSL, IEEE i, Kerberos (optional reading)

3. Background Reading in Logic
Sections of Dynamic Logic by Harel, Kozen and Tiuryn provides a clear introduction to classical propositional and first-order logic
Covered in recitation this week
Please drop by during office hours if you have questions
Some of you already have

4. Today Brief discussion of PCL semantics and soundness
Proof techniques illustrated by JFK example

5. PCL Example Formulas 1. true [ new x ]P Has(Y,x)  Y=P
2. true [ new x, send x ]P Has(Y,x)  Y=P

6. PCL: Semantics Protocol Q Satisfaction Q, R |  [ actions ] P 
Defines set of roles (e.g, initiator, responder)
Run R of Q is sequence of actions by principals following roles, plus attacker
Satisfaction
Q, R |  [ actions ] P 
If some role of P in R does exactly actions starting from state where  is true, then  is true in state after actions completed irrespective of actions executed by other agents concurrently
Q |  [ actions ] P 
Q, R |  [ actions ] P  for all runs R of Q

7. PCL Example Formulas Semantics
1. true [ new x ]P Has(Y,x)  Y=P
For all protocols Q
Q |= true [ new x ]P Has(Y,x)  Y=P
This axiom is sound
2. true [ new x;send x ]P Has(Y,x)  Y=P
This formula is not a sound axiom

8. Soundness Theorem
Theorem: If Q |- , then Q |= 
Every provable property of Q holds in all runs of protocol Q.
Usually established by showing that every axiom is sound and every rule preserves validity

9. Proof Tree for
Q|- 
Axiom
Rules 

10. Today Brief discussion of PCL semantics and soundness
Proof techniques illustrated by JFK example

11. JFK Protocol Recall earlier lecture about JFK design
Today we will describe corresponding PCL proof techniques
Goal: Support modular protocol design and analysis
(Major problem in computer security)

12. Ingredient 1: Diffie-Hellman
A  B: ga
B  A: gb
Shared secret: gab
Authentication

13. Ingredient 2: Challenge-Response
A  B: m, A
B  A: n, sigB{m, n, A}
A  B: sigA{m, n, B}
Shared secret
Authentication

14. DH + Challenge-Response
ISO protocol:
A  B: ga, A
B  A: gb, sigB{ga, gb, A}
A  B: sigA{ga, gb, B}
Shared secret: gab
Authentication
m := ga
n := gb
Obtained by substituting Diffie-Hellman exponentials for the fresh terms m and n in the challenge-response protocol.

15. PCL Proof Techniques Modular Proofs Parallel Composition
Sequential Composition

16. Parallel Composition of Protocols
The parallel composition Q1 | Q2 of protocols Q1 and Q2 is the union of the sets of roles of Q1 and Q2.
Example:
IKEv2 | SSL

17. Compositional Proofs: Intuition
Alice reasons: if Bob is honest, then:
only Bob can generate his signature protocol independent
if Bob generates a signature of the form sigB{m, n, A}, protocol dependent
he sends it as part of msg2 of the protocol, and
he must have received msg1 from Alice
Protocol dependent reasoning
Could break under composition (Bob’s signature from one protocol could be used to attack another protocol)
Only protocol dependent PCL proof rule: honesty rule
Protocol independent reasoning
Unaffected by composition
All axioms and proof rules except the honesty rule

18. Proof Tree Q1 | Q2 |- Inv Q1 |- Inv Inv |-Auth Inv Auth
Bulk of proof reused
Additional work to prove Q1 |Q2 |- Inv
Inv
Axiom
HON rule
Security property
Auth
Other rules

19. Parallel Composition TheoremIF
Q1 satisfies security property  in isolation
Q2 respects the invariants  of Q1 used in the proof of security property 
THEN
Q1 | Q2 also satisfies security property 

20. Honesty Rule & Parallel Composition
A in ProtocolSteps of Q
Start(X) [ ]X   [ A ]X 
Q |- Honest(X)  
If Q1 |- Honest(X)   and Q2 |- Honest(X)  , then
Q1 | Q2 |- Honest(X)  
Observation:
Protocol Steps of Q1 | Q2 =
Protocol Steps of Q1  Protocol Steps of Q2

21. Sequential Composition of Protocols
Run protocols in sequence
Examples
Key exchange followed by secure sessions that use the exchanged key
Diffie-Hellman followed by Challenge-Response = ISO

22. Goal: Combine proofs of Diffie-Hellman and challenge-response
ISO Key Exchange
ga, A
gb, sigB {ga, gb, A} A B
sigA {ga, gb, B}
Authentication
Do we need to prove it from scratch?
Shared secret: gab
Goal: Combine proofs of Diffie-Hellman and challenge-response

23. Abstract Challenge Response (ACR)
InitACR(A, X, m) = [
send A, X, {m};
receive X, A, {x, sigX{m, x,A}};
send A, X, sigA{m, x, X}}; ]
RespACR(B, n) = [
receive Y, B, {y};
send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}}; ]
Free variables m and n instead of nonces
Modal form:  [ actions ] 
precondition: Fresh(A,m)
actions: [ InitACR ]A
postcondition: Honest(B)  Authentication

24. Diffie Hellman (DH) Modal form:  [ actions ]  precondition: true
InitDH(A, X) = [
new a;
] <A,X,ga>
RespDH(B) = [
new b;
] <B, gb>
Modal form:  [ actions ] 
precondition: true
actions: [ InitDH ]A
postcondition: Fresh(A, ga)

25. Composition: DH+ACR = ISO-9798-3
Compose DH and ACR roles in sequence to obtain ISO roles by subsituting output <A,X,ga> of InitDH for input parameters and (A,X,m) of InitACR
InitDH(A, X) = [
new a;
] <A,X,ga>;
InitACR(A, X, m) = [
send A, X, {m};
receive X, A, {x, sigX{m, x,A}};
send A, X, sigA{m, x, X}}; ]
InitISO(A, X) = [
new a;
send A, X, {ga};
receive X, A, {x, sigX{ga, x, A}};
send A, X, sigA{ga, x, X}}; ]
Similarly for RespDH and RespACR
RespISO = RespDH ; RespACR

26. Sequential Composition Theorem
Both protocols should satisfy each other’s invariants (similar to parallel composition)
Post-condition of first should match pre-condition of second protocol

27. Thanks !
Questions?

28. Additional slides
The following slides explain the abstraction-refinement paper by Datta et al, which is part of the reading for this lecture.
CMU

29. Ingredient 3: Encryption
Encrypt signatures to protect identities:
A  B: ga, A
B  A: gb, EK{sigB{ga, gb, A}}
A  B: EK{sigA{ga, gb, B}}
Shared secret: gab
Authentication
Identity protection
B’s identity is protected against passive adversaries.

30. PCL Proof Techniques Modular Proofs Generic Template-style Proofs
Parallel Composition
Sequential Composition
Generic Template-style Proofs
Function variables
Higher-order logic extension

31. Protocol Templates
Protocols with function variables instead of specific cryptographic operations
Idea: One template can be instantiated to many protocols
Advantages:
Proof reuse
Design principles/patterns
[DDMP CSF’04]

32. Example Challenge-Response Template A  B: m B  A: n, F(B,A,n,m)
A  B: G(A,B,n,m)
A  B: m
B  A: n,EKAB(n,m,B)
A  B: EKAB(n,m)
A  B: m
B  A: n,HKAB(n,m,B)
A  B: HKAB(n,m,A)
A  B: m
B  A: n, sigB(n,m,A)
A  B: sigA(n,m,B)
ISO
ISO
SKID3
Instantiations

33. Extending Formalism Language Extensions Semantics Soundness Theorem
Add function variables to term language for programs and logic
Semantics
Q |= φ  σQ |= σφ, for all substitutions σ eliminating all function variables
Soundness Theorem
Every provable formula is valid

34. Abstraction-Instantiation Method(1)
Characterizing protocol concepts
Step 1: Under hypotheses about function variables and invariants, prove security property of template
Step 2: Instantiate function variables to cryptographic operations and prove hypotheses.
Benefit:
Proof reuse
Entailment

35. Example Challenge-Response Template A  B: m B  A: n, F(B,A,n,m)
A  B: G(A,B,n,m)
Step 1:
Hypotheses: Function F(B,A,n,m) can be computed only by B or A,…
Property: Mutual authentication
Step 2:
Instantiate F() to signature, keyed hash, encryption (ISO ,3, SKID3)
Satisfies hypotheses => Guarantees mutual authentication

36. Proof Structure Discharge hypothesis axiom hypothesis Proof reuse
Instance
Template

37. Abstraction-Instantiation Method(2)
Combining protocol templates
If protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both.
Benefits:
Modular proofs of properties
Formalization of protocol refinements

38. Refinement Example Revisited
Encrypt Signatures
A  B: ga, A
B  A: gb, EK {sigB {ga, gb, A}}
A  B: EK {sigA {ga, gb, B}}
Two templates:
Template 1: authentication + shared secret
(Preserves existing properties; proof reused)
Template 2: identity protection (encryption)
(Adds new property)

39. Summary PCL – Logic for security protocols Proof techniques
Sound wrt symbolic and cryptographic models
High-level short proofs: 2-3 pages
Proof techniques
Modular/compositional proofs
Generic template-style proofs
Proofs of industrial protocols
IEEE i (w/ TLS), Kerberos, GDOI, IKEv2 (unpublished), Mobile IPv6 (in progress)