Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005."— Presentation transcript:

1 Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005

2 This talk is about… uIndustrial network security protocols Internet Engineering Task Force (IETF) Standards –SSL/TLS - web authentication –IPSec - corporate VPNs –Mobile IPv6 – routing security –Kerberos - network authentication –GDOI – secure group communication IEEE Standards Working Group –802.11i - wireless security uAnd methods for their security analysis Security proof in some model; or Identify attacks Earlier talk by John Mitchell

3 Outline Part I: Overview Motivation Central problems –Divide and Conquer paradigm –Combining logic and cryptography Results Part II: Protocol Composition Logic Compositional Reasoning Complexity-theoretic foundations

4 Security Analysis Methodology Analysis Tool Protocol Property Security proof or attack Attacker model Our tool: Protocol Composition Logic (PCL) SSL authentication -Complete control over network -Perfect crypto 42 line axiomatic proof

5 IEEE 802.11i wireless security [2004] Wireless Device Access Point Authentication Server 802.11 Association EAP/802.1X/RADIUS Authentication 4-way handshake Group key handshake Data communication Divide-and-conquer paradigm Combining logic and cryptography Uses crypto: encryption, hash,…

6 Divide-and-Conquer paradigm uResult: Protocol Derivation System [DDMP03-05] Incremental protocol construction uResult: Protocol Composition Logic (PCL) [DDDMP01-05] Compositional correctness proofs uRelated work: [Heintze-Tygar96], [Lynch99], [Sheyner- Wing00], [Canetti01], [Pfitzmann-Waidner01], … Composition is a hard problem in security Central Problem 1

7 Combining logic and cryptography uSymbolic model [NS78, DY84] - Perfect cryptography assumption + Idealization => tools and techniques uComplexity-theoretic model [GM84] + More detailed model; probabilistic guarantees - Hand-proofs very hard; no automation uResult: Computational PCL [DDMST05] + Logical proof methods + Complexity-theoretic crypto model uRelated work: [Mitchell-Scedrov et al 98-04], [Abadi- Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio- Warinschi04] Central Problem 2

8 Applied to industrial protocols uIEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG) [He et al] uIKEv2 [IETF Internet Draft; 2004] [Aron et al] uTLS/SSL [RFC 2246; 1999] [He et al] uMobile IPv6 [RFC 3775; 2004] (New Attack!) [Roy et al] uKerberos V5 [IETF Internet Draft; 2004] [Cervasato et al] uGDOI Secure Group Communication protocol [RFC 3547; 2003] (Attack! Fix adopted by IETF WG) [Meadows et al]

9 Protocol analysis spectrum LowHigh Low Strength of attacker model Protocol complexity Mur  FDR  NRL  Athena  Hand proofs Paulson   BAN logic  Spi-calculus Poly-time calculus   Model checking  Protocol logic Computational Protocol logic  Multiset rewriting Holy Grail Combining logic and cryptography Divide and conquer

10 Outline Part I: Overview Part II: Protocol Composition Logic Compositional Reasoning Complexity-theoretic foundations

11 AB uAlice reasons: if Bob is honest, then: only Bob can generate his signature. [protocol independent] if Bob generates a signature of the form sig B {m, n, A}, –he sends it as part of msg 2 of the protocol and –he must have received msg1 from Alice. [protocol specific] uAlice deduces: Received (B, msg1) Λ Sent (B, msg2) m, A n, sig B {m, n, A} sig A {m, n, B} Challenge-Response: Proof Idea

12 Reasoning method uReason about local information I know my own actions uIncorporate knowledge of protocol Honest people faithfully follow protocol uNo explicit reasoning about intruder Absence of bad action expressed as a positive property of good actions –E.g., honest agent’s signature can be produced only by the agent Distinguishes our method from existing techniques

13 Formalism uCord calculus Protocol programming language Execution model ( Symbolic/“Dolev-Yao”) uProtocol logic Expressing protocol properties uProof system Proving protocol properties Soundness theorem

14 AB m, A n, sig B {m, n, A} sig A {m, n, B} Challenge-Response as Cords InitCR(A, X) = [ new m; send A, X, m, A; receive X, A, x, sig X {m, x, A}; send A, X, sig A {m, x, X}; ] RespCR(B) = [ receive Y, B, y, Y; new n; send B, Y, n, sig B {y, n, Y}; receive Y, B, sig Y {y, n, B}; ]

15 Challenge Response: Property uModal form:  [ actions ] P  precondition: Fresh(A,m) actions: [ Initiator role actions ] A postcondition: Honest(B)  ActionsInOrder( send(A, {A,B,m}), receive(B, {A,B,m}), send(B, {B,A,{n, sig B {m, n, A}}}), receive(A, {B,A,{n, sig B {m, n, A}}}) )

16 Proof System uSample Axioms: Reasoning about possession: –[receive m ] A Has(A,m) –Has(A, {m,n})  Has(A, m)  Has(A, n) Reasoning about crypto primitives: –Honest(X)  Decrypt(Y, enc X {m})  X=Y –Honest(X)  Verify(Y, sig X {m})   m’ (Send(X, m’)  Contains(m’, sig X {m}) uSoundness Theorem: Every provable formula is valid

17 Outline Part I: Overview Part II: Protocol Composition Logic Compositional Reasoning Complexity-theoretic foundations

18 Reasoning about Composition uNon-destructive Combination: Ensure combined parts do not interfere –In logic: invariance assertions uAdditive Combination: Accumulate security properties of combined parts, assuming they do not interfere –In logic: before-after assertions

19 Proof steps (Intuition) uProtocol independent reasoning Has(A, {m,n})  Has(A, m)  Has(A, n) Still good: unaffected by composition uProtocol specific reasoning “if honest Bob generates a signature of the form sig B {m, n, A}, –he sends it as part of msg 2 of the protocol and –he must have received msg1 from Alice” Could break: Bob’s signature from one protocol could be used to attack another Technically: Protocol-specific proof steps use invariants Invariants must be preserved for safe composition

20 Composing protocols DH  Honest(X)  … ’’  |- Secrecy  ’ |- Authentication  ’ |- Secrecy  ’ |- Authentication  ’ |- Secrecy  Authentication [additive] DH  CR   ’ [nondestructive] ISO  Secrecy  Authentication = CR  Honest(X)  … Sequential and parallel composition theorems

21 Composition Rules uInvariant weakening rule  |-  […] P     ’ |-  […] P  uSequential Composition  |-  [ S ] P   |-  [ T ] P   |-  [ ST ] P  uProve invariants from protocol Q   Q’   Q  Q’  

22 Composition: Big Picture Different from: Assume-guarantee in distributed computing [MC81] Universal Composability [C01, PW01] Protocol Q Safe Environment for Q Q1Q1 Q2Q2 Q3Q3 QnQn Q |- Inv(Q) Inv(Q) |-  Q i |- Inv(Q) No reasoning about attacker …

23 Outline Part I: Overview Part II: Protocol Composition Logic Compositional Reasoning Complexity-theoretic foundations

24 Symbolic model [NS78,DY84,…] Complexity-theoretic model [GM84,…] Attacker actions-Fixed set of actions, e.g., decryption with known key (ABSTRACTION) + Any probabilistic poly-time computation Security properties-Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION) + Fine-grained, e.g., secret message = no partial information about bitstring representation Analysis methods+ Successful array of tools and techniques; automation - Hand-proofs are difficult, error-prone; no automation Can we get the best of both worlds? Two worlds

25 Our Approach Protocol Composition Logic (PCL) Syntax Proof System Symbolic “Dolev-Yao” model Semantics Computational PCL Syntax ±  Proof System ±  Complexity-theoretic model Semantics Talk so far… Leverage PCL success…

26 Soundness of proof system uInformation-theoretic reasoning [new u] X (Y  X)  Indistinguishable(Y, u) uComplexity-theoretic reductions Source(Y,u,{m} X )   Decrypts(X, {m} X )  Honest(X,Y)  (Z  X,Y)  Indistinguishable(Z, u) uAsymptotic calculations         Sum of two negligible functions is a negligible function Reduction to IND-CCA2-secure encryption scheme

27 Logic and Cryptography: Big Picture Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption) Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme) Axiom in proof system Protocol security proofs using proof system Semantics and soundness theorem

28 Summary uMethodology: Divide-and-conquer paradigm in security Combining logic and cryptography uApplications: IEEE 802.11i (Attack! Fix adopted by IEEE WG) GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG) IKEv2 [IETF Internet Draft; 2004] TLS [RFC 2246; 1999] Kerberos V5 [IETF Internet Draft; 2004] Mobile IPv6 [RFC 3775; 2004] (New Attack!)

29 Protocol analysis spectrum LowHigh Low Strength of attacker model Protocol complexity Mur  FDR  NRL  Athena  Hand proofs Paulson   BAN logic  Spi-calculus Poly-time calculus   Model checking  Protocol logic Computational Protocol logic  Multiset rewriting Holy Grail Combining logic and cryptography Divide and conquer

30 Selected Publications uA. Datta, A. Derek, J. C. Mitchell, D. Pavlovic A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue] Secure Protocol Composition [MFPS03] Abstraction and refinement in protocol derivation [CSFW04] uA. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic [ICALP05] uC. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i [In submission] www.stanford.edu/~danupam

Download ppt "Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University Logic and Computational Complexity, 2006.

Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University Logic and Computational Complexity, 2006.
Modelling and Analysing of Security Protocol: Lecture 14 Some Real Life Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 14 Some Real Life Protocols Tom Chothia CWI.
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)
Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.

Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)

CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)
An Update on Network Protocol Security Stanford University Stanford Computer Forum, 2007 Anupam DattaJohn Mitchell.

An Update on Network Protocol Security Stanford University Stanford Computer Forum, 2007 Anupam DattaJohn Mitchell.
Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.

Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University ICALP and PPDP, 2005.

Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University ICALP and PPDP, 2005.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.

Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.
Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.
PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.

PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.
Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.

Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.
Symbolic and Computational Analysis of Network Protocol Security John Mitchell Stanford University Asian 2006.

Symbolic and Computational Analysis of Network Protocol Security John Mitchell Stanford University Asian 2006.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Computationally Sound Symbolic Protocol Analysis: Correspondence Theorems 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall 2007-08.

Computationally Sound Symbolic Protocol Analysis: Correspondence Theorems 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Similar presentations

Ads by Google