Presentation is loading. Please wait.

Presentation is loading. Please wait.

Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004."— Presentation transcript:

1 Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004

2 Contributions Protocol derivation Build security protocols by combining parts from standard sub-protocols. Proof of correctness Prove protocols correct using logic that follows steps of derivation.

3 Outline Derivation System [CSFW03] Motivating examples Main concepts Benefits Compositional Logic [CSFW01,CSFW03] Formalizing Composition [MFPS03] Formalizing Refinements [CSFW04] Conclusions and Future Work

4 Example Construct protocol with properties: Shared secret Authenticated Identity Protection DoS Protection Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)

5 Component 1 Shared secret (with someone) A deduces: Knows(Y, g ab )  (Y = A) ۷ Knows(Y,b) Authenticated Identity Protection DoS Protection A  B: g a B  A: g b Diffie Hellman

6 Component 2 Shared secret Authenticated A deduces: Received (B, msg1) Λ Sent (B, msg2) Identity Protection DoS Protection A  B: m, A B  A: n, sig B {m, n, A} A  B: sig A {m, n, B} Challenge-Response

7 Composition Shared secret: g ab Authenticated Identity Protection DoS Protection m := g a n := g b A  B: g a, A B  A: g b, sig B {g a, g b, A} A  B: sig A {g a, g b, B} ISO-9798-3

8 Refinement Shared secret: g ab Authenticated Identity Protection DoS Protection A  B: g a, A B  A: g b, E K {sig B {g a, g b, A}} A  B: E K {sig A {g a, g b, B}} Encrypt Signatures

9 Transformation Shared secret: g ab Authenticated Identity Protection DoS Protection A  B: g a, A B  A: g b, hash KB {g b, g a } A  B: g a, g b, E K {sig A {g a, g b, B}}, hash KB {g b, g a } B  A: g b, E K {sig B {g a, g b, A}} Use cookie: JFK core protocol

10 Derivation Framework Protocols are constructed from: components by applying a series of: composition, refinement and transformation operations. Properties accumulate as a derivation proceeds. Examples: STS, ISO-9798-3, JFKi, JFKr, IKE, GDOI, Kerberos, Needham-Schroeder,…

11 Benefits and Directions Modular analysis of protocols. Organization of protocols into taxonomies. Underpin protocol design principles and patterns. Protocol synthesis.

12 Outline Derivation System Compositional Logic [CSFW01,CSFW03] Main idea Syntax, semantics and proof system Formalizing Composition Formalizing Refinements Conclusions and Future Work

13 Alice’s information Protocol Private data Sends and receives Honest Principals, Attacker Send Receive Protocol Private Data Protocol Logic: Main idea

14 AB Alice reasons: if Bob is honest, then: only Bob can generate his signature. [protocol independent] if Bob generates a signature of the form sig B {m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice. [protocol specific] Alice deduces: Received (B, msg1) Λ Sent (B, msg2) m, A n, sig B {m, n, A} sig A {m, n, B} Example: Challenge-Response

15 Protocol “Program” for each protocol role Initial configuration Set of principals and key Assignment of  1 role to each principal Run new xsend{x} B recv{x} B send{z} B A B C Position in run Execution Model new z recv{z} B

16 Action formulas a ::= Send(P,m) | Receive (P,m) | New(P,t) | Decrypt (P,t) | Verify (P,t) Formulas  ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t 1, t 2 ) |  |  1   2 |  x  |  |  Example After(a,b) =  (b   a) Formulas true at a position in run

17 Modal Formulas After actions, postcondition [ actions ] P  where P =  princ, role id  If P does ‘actions’, starting from initial state, then  holds in resulting state Before/after assertions  [ actions ] P  If  holds in some state, and P does ‘actions’, then  holds in resulting state

18 Diffie-Hellman: Property Formula [ new a ] A Fresh(A, g a ) Explanation Modal form: [ actions ] P  Actions: [ new a ] A Postcondition: Fresh(A, g a )

19 Challenge Response: Property Modal form:  [ actions ] P  precondition: Fresh(A,m) actions: [ Initiator role actions ] A postcondition: Honest(B)  ActionsInOrder( send(A, {A,B,m}), receive(B, {A,B,m}), send(B, {B,A,{n, sig B {m, n, A}}}), receive(A, {B,A,{n, sig B {m, n, A}}}) )

20 Proof System Sample Axioms: Reasoning about knowledge: [receive m ] A Has(A,m) Has(A, {m,n})  Has(A, m)  Has(A, n) Reasoning about crypto primitives: Honest(X)   Decrypt(Y, enc X {m})  X=Y Honest(X)   Verify(Y, sig X {m})   m’ (  Send(X, m’)  Contains(m’, sig X {m}) Soundness Theorem: Every provable formula is valid

21 Outline Derivation System Compositional Logic Formalizing Composition [MFPS03] Formalizing Refinements Conclusions and Future Work

22 Central Issues Additive Combination: Accumulate security properties of combined parts, assuming they do not interfere In logic: before-after assertions Non-destructive Combination: Ensure combined parts do not interfere In logic: invariance assertions

23 Proof steps (Intuition) Protocol independent reasoning Has(A, {m,n})  Has(A, m)  Has(A, n) Still good: unaffected by composition Protocol specific reasoning “if honest Bob generates a signature of the form sig B {m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice” Could break: Bob’s signature from one protocol could be used to attack another Protocol-specific proof steps use invariants

24 Invariants Reasoning about honest principals Invariance rule, called “honesty rule” Preservation of invariants under composition If we prove Honest(X)   for protocol 1 and compose with protocol 2, is formula still true?

25 Honesty Rule Definition A basic sequence of actions begins with receive, ends before next receive Rule [ ] X  For all B  BasicSeq(Q).  [B] X  Q  Honest(X)   Example CR  Honest(X)  (Sent(X, m 2 )  Recd(X, m 1 ))

26 Composing protocols DH  Honest(X)  … ’’  |- Secrecy  ’ |- Authentication  ’ |- Secrecy  ’ |- Authentication  ’ |- Secrecy  Authentication [additive] DH  CR   ’ [nondestructive] ISO  Secrecy  Authentication =

27 Composition Rules Invariant weakening rule  |-  […] P     ’ |-  […] P  Sequential Composition  |-  [ S ] P   |-  [ T ] P   |-  [ ST ] P  Prove invariants from protocol Q   Q’   Q  Q’  

28 Outline Derivation System Compositional Logic Formalizing Composition Formalizing Refinements [CSFW04] Conclusions and Future Work

29 Protocol Templates Protocols with function variables instead of specific cryptographic operations (Higher-order extension of protocol logic) Idea: One template can be instantiated to many protocols Advantages: proof reuse design principles/patterns

30 Example A  B: m B  A: n, F(B,A,n,m) A  B: G(A,B,n,m) A  B: m B  A: n,E KAB (n,m,B) A  B: E KAB (n,m) A  B: m B  A: n,H KAB (n,m,B) A  B: H KAB (n,m,A) A  B: m B  A: n, sig B (n,m,A) A  B: sig A (n,m,B) Challenge-Response Template ISO-9798-2ISO-9798-3SKID3

31 Abstraction-Instantiation Method(1) Characterizing protocol concepts Step 1: Under hypotheses about function variables and invariants, prove security property of template Step 2: Instantiate function variables to cryptographic operations and prove hypotheses. Benefit: Proof reuse

32 Example Challenge-Response Template A  B: m B  A: n, F(B,A,n,m) A  B: G(A,B,n,m) Step 1: Hypothesis: Function F(B,A,n,m) can be computed only by B Property: Mutual authentication Step 2: Instantiate F() to signature, keyed hash, encryption (ISO- 9798-2,3, SKID3) Satisfies hypothesis => Guarantees mutual authentication

33 Abstraction-Instantiation Method(2) Combining protocol templates If protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both. Benefits: Modular proofs of properties Formalization of protocol refinements

34 Refinement Example Revisited Two templates: Template 1: authentication + shared secret (Preserves existing properties; proof reused) Template 2: identity protection (encryption) (Adds new property) A  B: g a, A B  A: g b, E K {sig B {g a, g b, A}} A  B: E K {sig A {g a, g b, B}} Encrypt Signatures

35 More examples… Authenticated Key Exchange: Template for JFKi, ISO-9798-3. Template for JFKr, STS, IKE, IKEv2 Key Computation: Template for Diffie-Hellman, UM, MTI/A, MQV Combining these templates

36 Synthesis: STS-MQV STS PH cookie STS P MQV CPH MQV CP MQV C key conf. MQV RFK protect identities DH STS RFK symmetric hash MTI/A UM MTI C UM C MTI CP UM CP MTI CPH UM CPH MTI RFK UM RFK authenticate

37 Outline Derivation System Compositional Logic Formalizing Composition Formalizing Refinements Conclusions and Future Work

38 Conclusions Protocol Derivation System: Systematizes the practice of building protocols from standard sub-protocols. Useful for: Modular protocol analysis Underpinning protocol design principles and patterns Organizing related protocols in taxonomies Protocol synthesis Protocol Logic: Correctness proofs follow derivation steps. Rigorous treatment of composition, refinement.

39 Work in Progress Derivation System: Development of taxonomies Tool support based on especs Protocol Logic: Formalization of transformations Automation of proofs

40 Publications A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. Abstraction and Refinement in Protocol Derivation [CSFW04] Secure Protocol Composition [MFPS03] A Derivation System for Security Protocols and its Logical Formalization[CSFW03] N. Durgin, J. C. Mitchell, D. Pavlovic. A Compositional Logic for proving Security Properties of Protocols [CSFW01,JCS03] C. Meadows, D. Pavlovic. Deriving, Attacking and Defending the GDOI Protocol Web page: http://www.stanford.edu/~danupam/logic-derivation.html

Download ppt "Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004."

Similar presentations

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.

Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.
Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.

Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.

Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.
Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.

Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.
Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.
PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.

PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.
Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.

Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.
Symbolic and Computational Analysis of Network Protocol Security John Mitchell Stanford University Asian 2006.

Symbolic and Computational Analysis of Network Protocol Security John Mitchell Stanford University Asian 2006.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.

Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.
Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005.

Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005.
Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005.

Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005.
Proving Security of Industrial Network Protocols: Theory and Practice Anupam Datta Stanford University Oakland PC Crystal Ball Workshop January 2007.

Proving Security of Industrial Network Protocols: Theory and Practice Anupam Datta Stanford University Oakland PC Crystal Ball Workshop January 2007.
Security Analysis of Network Protocols John Mitchell Stanford University.

Security Analysis of Network Protocols John Mitchell Stanford University.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Similar presentations

Ads by Google