Download presentation
Presentation is loading. Please wait.
1
Protocol Composition Logic (PCL)
CS 259 Protocol Composition Logic (PCL) Anupam Datta
2
Protocol Analysis Techniques
Crypto Protocol Analysis Formal Models Dolev-Yao (perfect cryptography) Computational Models Probabilistic Interactive TM Probabilistic process calculi Probabilistic I/O automata Computational PCL … Protocol Logics Model Checking Process Calculi Inductive Proofs … BAN, PCL FDR, Murphi Spi-calculus Paulson
3
PCL Highlights Mechanizable proofs of security for unbounded number of protocol runs Similar guarantees as Paulson’s Method; better than finite-state model-checking Codifies high-level reasoning principles used in protocol design, cf. Kaufman-Perlman-Speciner, Network Security Modular proof methods Cryptographic soundness
4
Modular Analysis / Composition
Auth Server Laptop Access Point EAP-TLS: Certificates to Authorization (PMK) (Shared Secret-PMK) 4WAY Handshake: PMK to Keys for data communication 802.11i Key Management 20 msgs in 4 components Group key: Keys for broadcast communication Data protection: AES based using above keys Goal: Divide and Conquer
5
Cryptographic Soundness
Cryptographers and logicians working in computer security don’t talk to each other (Disclaimer: Examples not representative) Goal: Logical methods for complexity-theoretic model of cryptography
6
Protocol Composition Logic: PCL
Intuition Formalism Protocol programming language Protocol logic Syntax Semantics Proof System Example Signature-based challenge-response Composition Cryptographic Soundness [Datta, Derek, Durgin, Mitchell, Pavlovic] [Datta, Derek, Mitchell, Pavlovic] [Datta, Derek, Mitchell, Shmatikov, Turuani]
7
PCL - Intuition Honest Principals, Protocol Attacker
Private Data Alice’s information Protocol Private data or keys Sends and receives
8
Example: Challenge-Response
m, A n, sigB {m, n, A} A B sigA {m, n, B} Alice reasons: if Bob is honest, then: only Bob can generate his signature [protocol independent] if Bob generates a signature of the form sigB{m, n, A}, he sends it as part of msg2 of the protocol, and he must have received msg1 from Alice [protocol specific] Alice deduces: Received (B, msg1) Λ Sent (B, msg2)
9
Logic: Background Logic Proof System Syntax Formulas Semantics Truth
p, p q, (p q), p q Semantics Truth Model, M = {p = true, q = false} M |= p q Proof System Axioms and proof rules Provability p (q p) p p q q Soundness Theorem Provability implies truth Axioms and proof rules hold in all “relevant” models
10
Formalizing the Approach
Protocol Programming Language Syntax for writing protocol code Precise description of protocol execution Protocol Composition Logic (PCL) Syntax for stating security properties Trace-based semantics Proof system Formally proving security properties Soundness Theorem First logic for security protocols Related to: BAN, Floyd-Hoare, CSP/CCS, temporal logic, NPATRL
11
Protocol programming language
A protocol is described by specifying a program for each role Server = [receive x; new n; send {x, n}] Building blocks Terms (think “messages”) names, nonces, keys, encryption, … Actions (operations on terms) send, receive, pattern match, …
12
Terms Example: x, sigB{m, x, A} is a term t ::= c constant term
x variable N name K key t, t tupling sigK{t} signature encK{t} encryption Example: x, sigB{m, x, A} is a term
13
Actions send t; send a term t
receive x; receive a term into variable x match t/p(x); match term t against p(x) A program is just a sequence of actions Notation: we often omit match actions receive sigB{A, n} = receive x; match x/sigB{A, n}
14
Challenge-Response programs
m, A n, sigB {m, n, A} A B sigA {m, n, B} InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sigX{m, x, A}}; send A, X, sigA{m, x, X}}; ] < > RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sigB{y, n, Y}}; receive Y, B, sigY{y, n, B}}; ] < >
15
Execution Model Initial Configuration, IC Run
Set of principals and keys Assignment of 1 role to each principal Run Interleaving of actions of honest principals and attacker starting from IC Position in run new x send {x}B A receive {x}B receive {z}B Process calculus operational semantics B new z send {z}B C
16
Formulas true at a position in run
Action formulas a ::= Send(P,t) | Receive (P,t) | New(P,t) | Decrypt (P,t) | Verify (P,t) Formulas ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | | 1 2 | x | a < a Modal formula [ actions ] P Example Has(X, secret) ( X = A X = B) Specifying secrecy
17
Semantics Protocol Q Satisfaction Q, R | [ actions ] P
Defines set of roles (e.g., initiator, responder) Run R of Q is sequence of actions by principals following roles, plus attacker Satisfaction Q, R | [ actions ] P If some role of P in R does exactly actions starting from state where is true, then is true in state after actions completed Q | [ actions ] P Q, R | [ actions ] P for all runs R of Q
![Semantics Protocol Q Satisfaction Q, R | [ actions ] P ](http://slideplayer.com./slide/14881956/91/images/17/Semantics+Protocol+Q+Satisfaction+Q%2C+R+%7C%EF%80%BD+%EF%81%B1+%5B+actions+%5D+P+%EF%81%AA.jpg "Defines set of roles (e.g., initiator, responder) Run R of Q is sequence of actions by principals following roles, plus attacker. Satisfaction. Q, R | [ actions ] P If some role of P in R does exactly actions starting from state where is true, then is true in state after actions completed. Q | [ actions ] P Q, R | [ actions ] P for all runs R of Q.")
18
Challenge-Response Property
Specifying authentication for Initiator CR | true [ InitCR(A, B) ] A Honest(B) ( Send(A, {A,B,m}) Receive(B, {A,B,m}) Send(B, {B,A,{n, sigB {m, n, A}}}) Receive(A, {B,A,{n, sigB {m, n, A}}}) ) Authentication as “matching conversations” [Bellare-Rogaway93]
19
Proof System Goal: Formally prove security properties Axioms
Simple formulas provable by hand Inference rules Proof steps Theorem Formula obtained from axioms by application of inference rules
20
Sample axioms about actions
New data true [ new x ]P Has(P,x) true [ new x ]P Has(Y,x) Y=P Actions true [ send m ]P Send(P,m) Knowledge true [receive m ]P Has(P,m) Verify true [ match x/sigX{m} ] P Verify(P,m)
21
Reasoning about knowledge
Pairing Has(X, {m,n}) Has(X, m) Has(X, n) Encryption Has(X, encK(m)) Has(X, K-1) Has(X, m)
22
Encryption and signature
Public key encryption Honest(X) Decrypt(Y, encX{m}) X=Y Signature Honest(X) Verify(Y, sigX{m}) m’ (Send(X, m’) Contains(m’, sigX{m})
23
Sample inference rules
First-order logic rules Generic rules [ actions ]P [ actions ]P [ actions ]P
24
Bidding conventions (motivation)
Blackwood response to 4NT 5§ : 0 or 4 aces 5¨ : 1 ace 5© : 2 aces 5ª : 3 aces Reasoning If my partner is following Blackwood, then if she bid 5©, she must have 2 aces
25
Honesty rule (rule scheme)
roles R of Q. protocol steps A of R. Start(X) [ ]X [ A ]X Q |- Honest(X) This is a finitary rule: Typical protocol has 2-3 roles Typical role has 1-3 receives Only need to consider A waiting to receive Protocol invariants proved by induction
26
Honesty rule (example use)
roles R of Q. protocol steps A of R. Start(X) [ ]X [ A ]X Q |- Honest(X) Example use: If Y receives a message m from X, and Honest(X) (Sent(X,m) Received(X,m’)) then Y can conclude Honest(X) Received(X,m’)) Proved using honesty rule
27
Correctness of CR CR |- true [ InitCR(A, B) ] A Honest(B) (
InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sigX{m, x, A}}; send A, X, sigA{m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sigB{y, n, Y}}; receive Y, B, sigY{y, n, B}}; ] CR |- true [ InitCR(A, B) ] A Honest(B) ( Send(A, {A,B,m}) Receive(B, {A,B,m}) Send(B, {B,A,{n, sigB {m, n, A}}}) Receive(A, {B,A,{n, sigB {m, n, A}}}) ) Authentication as “matching conversations” [Bellare-Rogaway93]
![Correctness of CR CR |- true [ InitCR(A, B) ] A Honest(B) (](http://slideplayer.com./slide/14881956/91/images/27/Correctness+of+CR+CR+%7C-+true+%5B+InitCR%28A%2C+B%29+%5D+A+Honest%28B%29+%EF%83%89+%28.jpg "InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sigX{m, x, A}}; send A, X, sigA{m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sigB{y, n, Y}}; receive Y, B, sigY{y, n, B}}; ] CR |- true [ InitCR(A, B) ] A Honest(B) ( Send(A, {A,B,m}) Receive(B, {A,B,m}) Send(B, {B,A,{n, sigB {m, n, A}}}) Receive(A, {B,A,{n, sigB {m, n, A}}}) ) Authentication as matching conversations [Bellare-Rogaway93]")
28
Correctness of CR – step 1
InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sigX{m, x, A}}; send A, X, sigA{m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sigB{y, n, Y}}; receive Y, B, sigY{y, n, B}}; ] 1. A reasons about her own actions CR |- true [ InitCR(A, B) ] A Verify(A, sigB {m, n, A})
29
Correctness of CR – step 2
InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sigX{m, x, A}}; send A, X, sigA{m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sigB{y, n, Y}}; receive Y, B, sigY{y, n, B}}; ] 2. Properties of signatures CR |- true [ InitCR(A, B) ] A Honest(B) m’ (Send(B, m’) Contains(m’, sigB {m, n, A}) Recall signature axiom
30
Correctness of CR – Honesty
InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sigX{m, x, A}}; send A, X, sigA{m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sigB{y, n, Y}}; receive Y, B, sigY{y, n, B}}; ] Invariant proved with Honesty rule CR |- Honest(X) Send(X, m’) Contains(m’, sigx {y, x, Y}) New(X, y) m= X, Y, {x, sigB{y, x, Y}} Receive(X, {Y, X, {y, Y}}) Induction over protocol steps
31
Correctness of CR – step 3
InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sigX{m, x, A}}; send A, X, sigA{m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sigB{y, n, Y}}; receive Y, B, sigY{y, n, B}}; ] 3. Use Honesty invariant CR |- true [ InitCR(A, B) ] A Honest(B) Receive(B, {A,B,m}),…
32
Correctness of CR – step 4
InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sigX{m, x, A}}; send A, X, sigA{m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sigB{y, n, Y}}; receive Y, B, sigY{y, n, B}}; ] 4. Use properties of nonces for temporal ordering CR |- true [ InitCR(A, B) ] A Honest(B) Auth Nonces are “fresh” random numbers
33
Complete proof
34
We have a proof. So what? Soundness Theorem:
If Q |- then Q |= If is a theorem then is a valid formula holds in any step in any run of protocol Q Unbounded number of participants Dolev-Yao intruder
35
Using PCL: Summary Modeling the protocol Modeling security properties
Program for each protocol role Modeling security properties Using PCL syntax Authentication, secrecy easily expressed Proving security properties Using PCL proof system Soundness theorem guarantees that provable properties hold in all protocol runs Example: C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell, A modular correctness proof of TLS and IEEE i, ACM CCS 2005
36
Challenge-Response programs (1)
m, A n, sigB {m, n, A} A B sigA {m, n, B} InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sigX{m, x, A}}; send A, X, sigA{m, x, X}}; ] < > RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sigB{y, n, Y}}; receive Y, B, sigY{y, n, B}}; ] < >
37
Challenge-Response Property (2)
Specifying authentication for Initiator CR | true [ InitCR(A, B) ] A Honest(B) ( Send(A, {A,B,m}) Receive(B, {A,B,m}) Send(B, {B,A,{n, sigB {m, n, A}}}) Receive(A, {B,A,{n, sigB {m, n, A}}}) )
38
Challenge-Response Proof (3)
39
Weak Challenge-Response
m n, sigB {m, n} A B sigA {m, n} InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sigX{m, x}}; send A, X, sigA{m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sigB{y, n}}; receive Y, B, sigY{y, n}}; ]
40
Correctness of WCR – step 1
InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sigX{m, x}}; send A, X, sigA{m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sigB{y, n}}; receive Y, B, sigY{y, n}}; ] 1. A reasons about it’s own actions WCR |- [ InitWCR(A, B) ] A Verify(A, sigB {m, n})
41
Correctness of WCR – step 2
InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sigX{m, x}}; send A, X, sigA{m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sigB{y, n}}; receive Y, B, sigY{y, n}}; ] 2. Properties of signatures WCR |- [ InitCR(A, B) ] A Honest(B) m’ (Send(B, m’) Contains(m’, sigB {m, n, A})
42
Correctness of WCR – Honesty
InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sigX{m, x}}; send A, X, sigA{m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sigB{y, n}}; receive Y, B, sigY{y, n}}; ] Honesty invariant WCR |- Honest(X) Send(X, m’) Contains(m’, sigx {y, x}) New(X, y) Z (m= X, Z, {x, sigB{y, x}} Receive(X, {Z, X, {y, Z}}))
43
Correctness of WCR – step 3
InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sigX{m, x}}; send A, X, sigA{m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sigB{y, n}}; receive Y, B, sigY{y, n}}; ] 3. Use Honesty rule WCR |- [ InitWCR(A, B) ] A Honest(B) Z (Receive(B, {Z,B,m}), …)
44
Result WCR does not have the strong authentication property for the initiator Counterexample Intruder can forge sender’s and receiver’s identity in first two messages A -> X(B) m X(C) -> B m B -> X(C) n, sigB(m, n) X(B) ->A n, sigB(m, n)
Similar presentations
