Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005.

1 Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005

2 Outline
Part I: Overview
• Motivation
• Central problems
  – Divide and Conquer paradigm
  – Combining logic and cryptography
• Results
Part II: Glimpses of technical machinery
• Divide and Conquer Paradigm
  – Protocol Derivation System
  – Protocol Composition Logic
• Combining logic and cryptography
  – Complexity-theoretic foundations

3 This talk is about…
• Industrial network protocols
  Internet Engineering Task Force (IETF) Standards
  – SSL/TLS – web authentication
  – IPSec – corporate VPNs
  – Mobile IPv6 – routing security
  – Kerberos – network authentication
  – GDOI – secure group communication
  IEEE Standards Working Group
  – 802.11i – wireless security
• And methods for their security analysis
  Security proof in some model; or
  Identify attacks

4 Motivating Example [Needham-Schroeder78]
A → B: { A, Nonce_a }_Kb
B → A: { Nonce_a, Nonce_b }_Ka
A → B: { Nonce_b }_Kb
Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1

5 Anomaly in Needham-Schroeder [Lowe96]
A → E: { A, N_a }_Ke
E → B: { A, N_a }_Kb
B → A (intercepted by E): { N_a, N_b }_Ka
E → A: { N_a, N_b }_Ka
A → E: { N_b }_Ke
E → B: { N_b }_Kb
Evil agent E tricks honest A into revealing the secret nonce N_b from B. Evil E can then fool B.

6 Characteristics of protocols
• Relatively simple distributed programs
  5-7 steps, 3-10 fields per message (per component)
• Mission critical
  Security of data, credit card numbers, …
• Subtle
  Concurrency: attack may combine data from many sessions
  Computation: modeling cryptographic primitives
Good domain for logical methods
Active research area since early 80’s

7 Security Analysis Methodology
Inputs to the analysis tool: Protocol, Property, Attacker model
Output: Security proof or attack
Our tool: Protocol Composition Logic (PCL)
Example run: SSL authentication; attacker model: complete control over network, perfect crypto; output: 42 line axiomatic proof

8 Classifying Attacks
• Implementation bugs
  Buffer overflow, format string vulnerabilities
• Cryptography breaks
  IEEE 802.11b (WEP encryption), GSM cell phone
• Protocol flaws
  Needham-Schroeder, IKE, IEEE 802.11i
Focus on protocol flaws assuming “strong crypto”
Complexity-theoretic characterization of “strong crypto”

9 IEEE 802.11i wireless security [2004]
Parties: Wireless Device, Access Point, Authentication Server
Phases:
– 802.11 Association
– EAP/802.1X/RADIUS Authentication
– 4-way handshake
– Group key handshake
– Data communication
Uses crypto: encryption, hash, …
Themes: Divide-and-conquer paradigm; Combining logic and cryptography

10 Divide-and-Conquer paradigm (Central Problem 1)
Composition is a hard problem in security
• Result: Protocol Derivation System
  Incremental protocol construction
• Result: Protocol Composition Logic (PCL)
  Compositional correctness proofs
• Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], …

11 Combining logic and cryptography (Central Problem 2)
• Symbolic model [DY84]
  - Perfect cryptography assumption
  + Idealization => tools and techniques
• Complexity-theoretic model [GM84]
  + More detailed model; probabilistic guarantees
  - Hand-proofs very hard; no automation
• Result: Computational PCL
  + Logical proof methods
  + Complexity-theoretic crypto model
• Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]

12 Applied to industrial protocols
• IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG)
• IKEv2 [IETF Internet Draft; 2004]
• TLS/SSL [RFC 2246; 1999]
• Kerberos V5 [IETF Internet Draft; 2004]
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Attack! Fix adopted by IETF WG)
Many more: STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-3, NSL, …

13 IPSec
• Widely deployed: Corporate VPNs
• Provides secrecy and integrity
• IKEv2 is the IPSec key exchange protocol
Internet IP layer host-to-host security

14 IKEv2 [IETF ID 2004]
IKE_INIT (Exchange key material)
  I → R: HDR, SAi1, g^i, Ni
  R → I: HDR, SAr1, g^r, Nr
IKE_AUTH (Authenticate)
  I → R: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}
  R → I: HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr}
IKE_CHILD_SA (Rekey)
Properties: authentication, shared secret, identity & DoS protection, repudiability
Multi-mode protocol: authenticator can use either signature or pre-shared key
Modular proofs; multi-mode handled by a unified “template” proof

15 Mobile IPv6 [IETF ID 2004]
Diagram: home address (Stanford), care-of address (Wisconsin), correspondent node, change of location
Issues: authentication, DoS
Protocol breaks if attacker controls complete network

16 GDOI [RFC 3547, 2003]
Secure group communication: a group controller and group members over a public network
Communicating in a group can be difficult…
Composition attack; fix adopted by IETF WG

17 Protocol analysis spectrum
Axes: strength of attacker model (low to high) against protocol complexity (low to high)
Approaches plotted: Murφ, FDR, NRL, Athena, Hand proofs, Paulson, BAN logic, Spi-calculus, Poly-time calculus, Model checking, Protocol logic, Computational Protocol logic, Multiset rewriting
Holy Grail: strong attacker model and complex protocols
Directions shown: Divide and conquer; Combining logic and cryptography

18 Outline
Part I: Overview
Part II: Glimpses of technical machinery
• Divide and conquer paradigm
  – Protocol Derivation System
  – Protocol Composition Logic
• Combining logic and cryptography
  – Complexity-theoretic foundations

19 Protocol Derivation System
• Construct protocol with properties:
  Shared secret
  Authenticated
  Identity Protection
  DoS Protection
• Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)

20 Component 1: Diffie Hellman
A → B: g^a
B → A: g^b
Property checklist:
  Shared secret (with someone)
  – A deduces: Knows(Y, g^ab) ⊃ (Y = A) ∨ Knows(Y, b)
  Authenticated
  Identity Protection
  DoS Protection

21 Component 2: Challenge-Response
A → B: m, A
B → A: n, sig_B{m, n, A}
A → B: sig_A{m, n, B}
Property checklist:
  Shared secret
  Authenticated
  – A deduces: Received(B, msg1) ∧ Sent(B, msg2)
  Identity Protection
  DoS Protection

22 Composition: ISO-9798-3
m := g^a, n := g^b
A → B: g^a, A
B → A: g^b, sig_B{g^a, g^b, A}
A → B: sig_A{g^a, g^b, B}
Property checklist: Shared secret: g^ab; Authenticated; Identity Protection; DoS Protection
Technically: sequential composition with variable substitution

23 Refinement: Encrypt Signatures
A → B: g^a, A
B → A: g^b, E_K{sig_B{g^a, g^b, A}}
A → B: E_K{sig_A{g^a, g^b, B}}
Property checklist: Shared secret: g^ab; Authenticated; Identity Protection; DoS Protection
Technically: term replacement/function variable substitution

24 Transformation: Use cookie (JFK core protocol)
A → B: g^a, A
B → A: g^b, hash_KB{g^b, g^a}
A → B: g^a, g^b, E_K{sig_A{g^a, g^b, B}}, hash_KB{g^b, g^a}
B → A: g^b, E_K{sig_B{g^a, g^b, A}}
Property checklist: Shared secret: g^ab; Authenticated; Identity Protection; DoS Protection
Technically: program transformation
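The three derivation operations on slides 22 to 24 (sequential composition with variable substitution, refinement by term replacement, and the cookie transformation) can be written as functions over symbolic message templates. The following is an added example, not the PDA tool or any code from the talk: the term representation (atoms, and `sig`/`enc`/`hash` compounds), the `compose`, `encrypt_signatures` and `add_cookie` functions and the rendering in the slides' notation are all this example's own assumptions. Running it reproduces the ISO-9798-3, encrypted-signature and JFK-core message sequences shown on the slides.

```python
"""Toy Protocol Derivation System: composition, refinement and transformation
over symbolic message templates.  Added illustration, not the authors' PDA tool.
Messages are rendered in the slides' notation (sig_B{...}, E_K{...}, hash_KB{...})."""
from typing import Callable, Dict, List, Tuple, Union

# A term is an atom (str) or a compound (op, key, body) with op in
# {"sig", "enc", "hash"}, key naming the signer/key, and body a list of terms.
Atom = str
Term = Union[Atom, Tuple[str, str, List["Term"]]]
Step = Tuple[str, str, List[Term]]            # (sender, receiver, payload)

_OP_NAME = {"sig": "sig", "enc": "E", "hash": "hash"}


def render_term(t: Term) -> str:
    if isinstance(t, str):
        return t
    op, key, body = t
    return f"{_OP_NAME[op]}_{key}{{{render_payload(body)}}}"


def render_payload(body: List[Term]) -> str:
    return ", ".join(render_term(t) for t in body)


def render(steps: List[Step]) -> List[str]:
    return [f"{s} -> {r}: {render_payload(p)}" for s, r, p in steps]


def substitute(t: Term, subst: Dict[str, Term]) -> Term:
    """Variable substitution: replace bound atoms, recursing into compound bodies."""
    if isinstance(t, str):
        return subst.get(t, t)
    op, key, body = t
    return (op, key, [substitute(b, subst) for b in body])


def map_terms(steps: List[Step], fn: Callable[[Term], Term]) -> List[Step]:
    return [(s, r, [fn(t) for t in p]) for s, r, p in steps]


# Component 1 (slide 20): Diffie-Hellman establishes g^ab but authenticates nobody.
DH: List[Step] = [("A", "B", ["g^a"]), ("B", "A", ["g^b"])]
# Component 2 (slide 21): signature-based challenge-response on fresh nonces m, n.
CR: List[Step] = [
    ("A", "B", ["m", "A"]),
    ("B", "A", ["n", ("sig", "B", ["m", "n", "A"])]),
    ("A", "B", [("sig", "A", ["m", "n", "B"])]),
]


def compose(dh: List[Step], cr: List[Step]) -> List[Step]:
    """Sequential composition with variable substitution (slide 22): the DH
    exponentials are bound to the challenge-response nonces, so the two DH
    messages ride inside the first two CR messages (toy merge rule assumed here)."""
    ga, gb = dh[0][2][0], dh[1][2][0]
    subst: Dict[str, Term] = {"m": ga, "n": gb}
    return map_terms(cr, lambda t: substitute(t, subst))


def encrypt_signatures(t: Term, key: str = "K") -> Term:
    """Refinement (slide 23): term replacement sig_X{..} -> E_K{sig_X{..}}."""
    if isinstance(t, str):
        return t
    op, k, body = t
    if op == "sig":
        return ("enc", key, [t])
    return (op, k, [encrypt_signatures(b, key) for b in body])


def add_cookie(steps: List[Step], cookie_key: str = "KB") -> List[Step]:
    """Transformation (slide 24): the responder answers message 1 with a keyed
    hash (cookie) instead of doing signature work, the initiator must echo the
    cookie together with both exponentials, and the responder's signed message
    moves to a fourth message.  Expects the 3-message shape produced by compose()."""
    (a, b, m1), (_, _, m2), (_, _, m3) = steps
    init_val, resp_val = m1[0], m2[0]                 # g^a and g^b
    cookie: Term = ("hash", cookie_key, [resp_val, init_val])
    return [
        (a, b, m1),
        (b, a, [resp_val, cookie]),
        (a, b, [init_val, resp_val] + m3 + [cookie]),
        (b, a, [resp_val] + m2[1:]),
    ]


def derive_iso_9798_3() -> List[Step]:
    return compose(DH, CR)


def derive_encrypted_iso() -> List[Step]:
    return map_terms(derive_iso_9798_3(), encrypt_signatures)


def derive_jfk_core() -> List[Step]:
    return add_cookie(derive_encrypted_iso())


if __name__ == "__main__":
    for name, proto in [("ISO-9798-3", derive_iso_9798_3()),
                        ("Encrypted signatures", derive_encrypted_iso()),
                        ("JFK core (cookie)", derive_jfk_core())]:
        print(name)
        for line in render(proto):
            print("  " + line)
```

The cookie step is the one with a defensive payoff: until the initiator proves it can receive at its claimed address by echoing hash_KB{g^b, g^a}, the responder has performed no signature operation and stored no per-session state, which is what the DoS Protection entry in the checklist refers to.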

25 Tool Support (PDA)

26 Outline
Part I: Overview
Part II: Glimpses of technical machinery
• Divide and conquer paradigm
  – Protocol Derivation System
  – Protocol Composition Logic
• Combining logic and cryptography
  – Complexity-theoretic foundations

27 Challenge-Response: Proof Idea
A → B: m, A
B → A: n, sig_B{m, n, A}
A → B: sig_A{m, n, B}
• Alice reasons: if Bob is honest, then:
  only Bob can generate his signature. [protocol independent]
  if Bob generates a signature of the form sig_B{m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice. [protocol specific]
• Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)

28 Reasoning method
• Reason about local information
  I know my own actions
• Incorporate knowledge of protocol
  Honest people faithfully follow protocol
• No explicit reasoning about intruder
  Absence of bad action expressed as a positive property of good actions
  – E.g., honest agent’s signature can be produced only by the agent
Distinguishes our method from existing techniques

29 Formalism
• Cord calculus
  Protocol programming language
  Execution model (symbolic/“Dolev-Yao”)
• Protocol logic
  Expressing protocol properties
• Proof system
  Proving protocol properties
  Soundness theorem

30 Challenge-Response as Cords
A → B: m, A
B → A: n, sig_B{m, n, A}
A → B: sig_A{m, n, B}
InitCR(A, X) = [
  new m;
  send A, X, m, A;
  receive X, A, x, sig_X{m, x, A};
  send A, X, sig_A{m, x, X};
]
RespCR(B) = [
  receive Y, B, y, Y;
  new n;
  send B, Y, n, sig_B{y, n, Y};
  receive Y, B, sig_Y{y, n, B};
]

31 Challenge Response: Property
• Modal form: precondition [ actions ]_P postcondition
  precondition: Fresh(A, m)
  actions: [ Initiator role actions ]_A
  postcondition: Honest(B) ⊃ ActionsInOrder(
    send(A, {A,B,m}),
    receive(B, {A,B,m}),
    send(B, {B,A,{n, sig_B{m, n, A}}}),
    receive(A, {B,A,{n, sig_B{m, n, A}}}) )

32 Proof System
• Sample Axioms:
  Reasoning about possession:
  – [receive m]_A Has(A, m)
  – Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
  Reasoning about crypto primitives:
  – Honest(X) ∧ Decrypt(Y, enc_X{m}) ⊃ X = Y
  – Honest(X) ∧ Verify(Y, sig_X{m}) ⊃ ∃m′. (Send(X, m′) ∧ Contains(m′, sig_X{m}))
• Soundness Theorem: Every provable formula is valid
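To see the cords of slide 30, the modal property of slide 31 and the possession axioms of slide 32 operate together, here is an added example that is not part of the talk's tooling: a single honest run of InitCR(A, B) and RespCR(B) over a lossless symbolic network with no adversary, recorded as a trace of (action, thread, term) events. The `Sig` type, the `run_cr`, `has`, `actions_in_order` and `cr_postcondition` functions and the nonce names `m_A`/`n_B` are this example's assumptions; the Has closure implements only the two possession axioms shown on the slide plus the fact that a signature does not hide its body.

```python
"""Symbolic execution of the Challenge-Response cords and a check of the PCL
postcondition.  Added illustration, not the authors' PCL implementation.
Terms are atoms (str), concatenations (tuple) and signatures (Sig)."""
from typing import Any, List, NamedTuple, Set, Tuple


class Sig(NamedTuple):
    """sig_signer{body}: reveals its body, but only `signer` can produce it."""
    signer: str
    body: tuple


Term = Any                         # str | tuple | Sig
Event = Tuple[str, str, Term]      # ("new" | "send" | "receive", thread, term)


def run_cr(a: str, b: str) -> List[Event]:
    """Interleave InitCR(a, b) and RespCR(b) over a lossless symbolic network.
    Each receive matches exactly the message form written in the cord and
    raises if the match fails (in the cord calculus the thread would be stuck)."""
    trace: List[Event] = []
    net: List[Term] = []           # messages in flight, delivered in order

    def send(thread: str, msg: Term) -> None:
        trace.append(("send", thread, msg))
        net.append(msg)

    def receive(thread: str) -> Term:
        msg = net.pop(0)
        trace.append(("receive", thread, msg))
        return msg

    # InitCR: new m; send A, X, m, A
    m = f"m_{a}"                   # constructed fresh nonce name
    trace.append(("new", a, m))
    send(a, (a, b, m, a))

    # RespCR: receive Y, B, y, Y; new n; send B, Y, n, sig_B{y, n, Y}
    src, dst, y, src_again = receive(b)
    if dst != b or src != src_again:
        raise ValueError("msg1 does not match pattern Y, B, y, Y")
    n = f"n_{b}"
    trace.append(("new", b, n))
    send(b, (b, src, n, Sig(b, (y, n, src))))

    # InitCR: receive X, A, x, sig_X{m, x, A}; send A, X, sig_A{m, x, X}
    x_src, dst, x, s = receive(a)
    if dst != a or s != Sig(x_src, (m, x, a)):
        raise ValueError("msg2 does not match pattern X, A, x, sig_X{m, x, A}")
    send(a, (a, x_src, Sig(a, (m, x, x_src))))

    # RespCR: receive Y, B, sig_Y{y, n, B}
    if receive(b) != (src, b, Sig(src, (y, n, b))):
        raise ValueError("msg3 does not match pattern Y, B, sig_Y{y, n, B}")
    return trace


def has(trace: List[Event], thread: str) -> Set[Term]:
    """Has(thread, t) closure: own fresh values and received messages
    ([receive m]_X Has(X, m)), closed under decomposition of concatenations
    (Has(X, {m, n}) ⊃ Has(X, m) ∧ Has(X, n)); a signature's body is readable."""
    known: Set[Term] = {t for act, th, t in trace
                        if th == thread and act in ("new", "receive")}
    frontier = list(known)
    while frontier:
        t = frontier.pop()
        parts = (t.body,) if isinstance(t, Sig) else (t if isinstance(t, tuple) else ())
        for p in parts:
            if p not in known:
                known.add(p)
                frontier.append(p)
    return known


def actions_in_order(trace: List[Event], *wanted: Event) -> bool:
    """ActionsInOrder(e1, ..., ek): every listed event occurs, in that order."""
    pos = 0
    for ev in wanted:
        try:
            pos = trace.index(ev, pos) + 1
        except ValueError:
            return False
    return True


def cr_postcondition(trace: List[Event], a: str, b: str) -> bool:
    """Slide 31 postcondition; Honest(B) holds because RespCR(b) ran its cord:
    ActionsInOrder(send(A, msg1), receive(B, msg1), send(B, msg2), receive(A, msg2))."""
    m = next(t for act, th, t in trace if act == "new" and th == a)
    n = next(t for act, th, t in trace if act == "new" and th == b)
    msg1 = (a, b, m, a)
    msg2 = (b, a, n, Sig(b, (m, n, a)))
    return actions_in_order(trace, ("send", a, msg1), ("receive", b, msg1),
                            ("send", b, msg2), ("receive", a, msg2))


if __name__ == "__main__":
    tr = run_cr("A", "B")
    for ev in tr:
        print(ev)
    print("postcondition holds:", cr_postcondition(tr, "A", "B"))
    print("A has:", sorted(map(str, has(tr, "A"))))
```

The check is deliberately local to A's view, as slide 28 prescribes: `cr_postcondition` only reads A's own fresh value and the messages A sent and received; the inference that B must have sent msg2 after receiving msg1 is what the protocol-specific invariant on slide 34 supplies, and it is exactly the step that a second protocol reusing B's signature key could break.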

33 Reasoning about Composition
• Non-destructive Combination: Ensure combined parts do not interfere
  – In logic: invariance assertions
• Additive Combination: Accumulate security properties of combined parts, assuming they do not interfere
  – In logic: before-after assertions

34 Proof steps (Intuition)
• Protocol independent reasoning
  Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
  Still good: unaffected by composition
• Protocol specific reasoning
  “if honest Bob generates a signature of the form sig_B{m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice”
  Could break: Bob’s signature from one protocol could be used to attack another
Technically: Protocol-specific proof steps use invariants
Invariants must be preserved for safe composition

35 Composing protocols (diagram)
DH has invariant Γ = Honest(X) ⊃ …; CR has invariant Γ′ = Honest(X) ⊃ …
Γ ⊢ Secrecy; Γ′ ⊢ Authentication
Γ ∪ Γ′ ⊢ Secrecy; Γ ∪ Γ′ ⊢ Authentication; hence Γ ∪ Γ′ ⊢ Secrecy ∧ Authentication [additive]
DH composed with CR ⊢ Γ ∪ Γ′ [nondestructive]
ISO ⊢ Secrecy ∧ Authentication
Sequential and parallel composition theorems

36 Composition Rules
• Invariant weakening rule: if Γ ⊢ θ […]_P φ and Γ ⊆ Γ′, then Γ′ ⊢ θ […]_P φ
• Sequential Composition: if Γ ⊢ θ [S]_P φ and Γ ⊢ φ [T]_P ψ, then Γ ⊢ θ [S;T]_P ψ
• Prove invariants from protocol: if Q ⊢ Γ and Q′ ⊢ Γ, then the parallel composition of Q and Q′ ⊢ Γ
Also have proof method for class of refinements & transformations

37 Applications
• IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG)
• IKEv2 [IETF Internet Draft; 2004]
• TLS [RFC 2246; 1999]
• Kerberos V5 [IETF Internet Draft; 2004]
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
Many more: STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-3, NSL, …

38 Tool Support
• Isabelle Proof Assistant for PCL
  Encode syntax and proof system of PCL into a generic theorem-prover
consts  PSend :: "[thread,CTerm] => o"
syntax  PSend :: "[threadI,CTermlist] => actformI" ("Send'(_,_')")
axioms
  AA1S: "{P, X[send t], Send(X,t)}"
  REC : "Receive(X,t) --> Has(X,t)"
Rule:
  SEQ: "[|{P, X[S1], Q} ; {Q, X[S2], R}|] ==> {P, X[S1 ; S2], R}"

39 Sample proof (forward reasoning)
lemma "{P,X[new t; send t],Has(X,t) & Send(X,t)}";
proof -;
  have A: "{P,X[new t; send t],Has(X,t)}";
  apply (rule G3);
  apply (rule SEQ);
  apply (rule AA1N);
  apply (rule P1N);
  apply (blast);
  apply (rule ORIG);
  done;
• Use PCL axioms and rules to carry out proofs
• Use Isabelle’s first-order reasoner

40 Outline
Part I: Overview
Part II: Glimpses of technical machinery
• Divide and conquer paradigm
  – Protocol Derivation System
  – Protocol Composition Logic
• Combining logic and cryptography
  – Complexity-theoretic foundations

41 Two worlds
Attacker actions
  Symbolic model [NS78,DY84]: - Fixed set of actions, e.g., decryption with known key (ABSTRACTION)
  Complexity-theoretic model [GM84]: + Any probabilistic poly-time computation
Security properties
  Symbolic model: - Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)
  Complexity-theoretic model: + Fine-grained, e.g., secret message = no partial information about bitstring representation
Analysis methods
  Symbolic model: + Successful array of tools and techniques; automation
  Complexity-theoretic model: - Hand-proofs are difficult, error-prone; no automation
Can we get the best of both worlds?

42 Our Approach
Talk so far: Protocol Composition Logic (PCL)
  Syntax; Proof System; Semantics in the symbolic “Dolev-Yao” model
Computational PCL
  Syntax (±); Proof System (±); Semantics in the complexity-theoretic model
Leverage PCL success
Idea: Use same logical proof methods for complexity-theoretic cryptography

43 Our result
• Computational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption
• Soundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1.
+ Symbolic proofs
+ Complexity-theoretic model
Logical methods for complexity-theoretic cryptography

44 Soundness of proof system
• Information-theoretic reasoning
  [new u]_X (Y ≠ X) ⊃ Indistinguishable(Y, u)
• Complexity-theoretic reductions
  Source(Y, u, {m}_X) ∧ ¬Decrypts(X, {m}_X) ∧ Honest(X, Y) ∧ (Z ≠ X, Y) ⊃ Indistinguishable(Z, u)
  Reduction to CCA2-secure encryption scheme
• Asymptotic calculations
  Sum of two negligible functions is a negligible function
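The asymptotic step on this slide, worked through as an added derivation (not from the original talk): it is what allows a proof consisting of finitely many axiom and rule applications, each sound up to a negligible error, to be sound overall.

A function $\nu:\mathbb{N}\to\mathbb{R}_{\ge 0}$ is negligible if for every $c>0$ there is an $n_c$ such that $\nu(n) < n^{-c}$ for all $n \ge n_c$. Let $\nu_1,\nu_2$ be negligible and fix $c>0$. Applying the definition to each with exponent $c+1$ gives $n_1,n_2$ such that $\nu_i(n) < n^{-(c+1)}$ for all $n \ge n_i$. Then for every $n \ge \max(n_1,n_2,2)$,

$$
\nu_1(n)+\nu_2(n) \;<\; 2\,n^{-(c+1)} \;=\; \frac{2}{n}\,n^{-c} \;\le\; n^{-c},
$$

so $\nu_1+\nu_2$ is negligible. By induction the sum of any fixed number $k$ of negligible functions is negligible; the bound $k\cdot n^{-(c+1)}$ only stays below $n^{-c}$ because $k$ is a constant independent of the security parameter $n$, which is why the argument covers proofs of fixed length but not a number of proof steps that grows with $n$.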

45 Summary
• Methodology:
  Divide-and-conquer paradigm in security
  Combining logic and cryptography
• Applications:
  IEEE 802.11i (Attack! Fix adopted by IEEE WG)
  GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
  IKEv2 [IETF Internet Draft; 2004]
  TLS [RFC 2246; 1999]
  Kerberos V5 [IETF Internet Draft; 2004]

46 Research Directions
• Bring automated tools and techniques to industrial protocol design
• Formal methods and cryptography
• Composition of secure systems
• Apply similar techniques to other kinds of security mechanisms
  Web services
• Software analysis of secure systems
  Model-checking C code

