Slide 1: Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations
Anupam Datta, Stanford University, May 10, 2005

Slide 2: Outline
Part I: Overview
- Motivation
- Central problems
  – Divide and Conquer paradigm
  – Combining logic and cryptography
- Results
Part II: Protocol Composition Logic
- Compositional Reasoning
- Complexity-theoretic foundations

Slide 3: This talk is about…
- Network security protocols
  Internet Engineering Task Force (IETF) Standards
  – SSL/TLS - web authentication
  – IPSec - corporate VPNs
  – Mobile IPv6 - routing security
  – Kerberos - network authentication
  – GDOI - secure group communication
  IEEE Standards Working Group
  – 802.11i - wireless security
- And methods for their security analysis
  Security proof in some model; or identify attacks

Slide 4: Characteristics of protocols
- Relatively simple distributed programs
  5-7 steps, 3-10 fields per message (per component)
- Mission critical
  Security of data, credit card numbers, …
- Subtle
  Concurrency: attack may combine data from many sessions
  Computation: modeling cryptographic primitives
Good domain for logical methods; active research area since the early 80's

Slide 5: Security Analysis Methodology
(Diagram: an analysis tool takes a protocol, a property and an attacker model, and produces a security proof or an attack.)
Our tool: Protocol Composition Logic (PCL)
Example: SSL authentication; attacker model: complete control over network, perfect crypto; result: 42-line axiomatic proof
"Forty-two," said Deep Thought, with infinite majesty and calm. - D. Adams, HGG, 1979
Slide 6: Classifying Attacks
- Implementation bugs: buffer overflow, format string vulnerabilities
- Cryptography breaks: IEEE 802.11b (WEP encryption)
- Protocol flaws: Needham-Schroeder, IKE, IEEE 802.11i
Focus on protocol flaws assuming "strong crypto"; complexity-theoretic characterization of "strong crypto"

Slide 7: IEEE 802.11i wireless security [2004]
(Diagram: Wireless Device, Access Point, Authentication Server)
Phases: 802.11 Association; EAP/802.1X/RADIUS Authentication; 4-way handshake; Group key handshake; Data communication
Uses crypto: encryption, hash, …
Themes: Divide-and-conquer paradigm; Combining logic and cryptography

Slide 8: Divide-and-Conquer paradigm (Central Problem 1)
Composition is a hard problem in security
- Result: Protocol Derivation System [DDMP03-05]
  Incremental protocol construction
- Result: Protocol Composition Logic (PCL) [DDDMP01-05]
  Compositional correctness proofs
- Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], [Pfitzmann-Waidner01], …

Slide 9: Combining logic and cryptography (Central Problem 2)
- Symbolic model [NS78, DY84]
  - Perfect cryptography assumption
  + Idealization => tools and techniques
- Complexity-theoretic model [GM84]
  + More detailed model; probabilistic guarantees
  - Hand-proofs very hard; no automation
- Result: Computational PCL [DDMST05]
  + Logical proof methods
  + Complexity-theoretic crypto model
- Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]

Slide 10: Applied to industrial protocols
- IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG) [He et al]
- IKEv2 [IETF Internet Draft; 2004] [Aron et al]
- TLS/SSL [RFC 2246; 1999] [He et al]
- Mobile IPv6 [RFC 3775; 2004] (New Attack!) [Roy et al]
- Kerberos V5 [IETF Internet Draft; 2004] [Cervasato et al]
- GDOI Secure Group Communication protocol [RFC 3547; 2003] (Attack! Fix adopted by IETF WG) [Meadows et al]
Slide 11: Tool support
- Isabelle implementation of PCL [Kempston et al]
  PCL syntax and proof system encoded into Isabelle, a generic theorem-prover
  Machine-checkable axiomatic proofs
  Use Isabelle's first-order reasoner
- Protocol Derivation Assistant [Anlauff et al]
  Graphical support tool for protocol derivations

Slide 12: IPSec
- Widely deployed: corporate VPNs
- Provides secrecy and integrity at the Internet IP layer (host-to-host security)
- IKEv2 is the IPSec key exchange protocol

Slide 13: IKEv2 [IETF ID 2004]
IKE_INIT (exchange key material):
  I R: HDR, SAi1, g^i, Ni
  R I: HDR, SAr1, g^r, Nr
IKE_AUTH (authenticate):
  I R: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}
  R I: HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr}
IKE_CHILD_SA (rekey)
Properties: authentication, shared secret, identity and DoS protection, repudiability
Multi-mode protocol: authenticator can use either signature or pre-shared key
Proof approach: modular proofs; multi-mode (unified "template" proof)

Slide 14: Mobile IPv6 [IETF ID 2004]
(Diagram: mobile node moves from Stanford, its home address, to Wisconsin, its care-of address; a correspondent node must learn of the change of location.)
Issues: authentication; DoS; protocol breaks if attacker controls complete network

Slide 15: GDOI [RFC 3547, 2003]
Secure group communication (group controller, public network); communicating in a group can be difficult…
Composition attack; fix adopted by IETF WG
Slide 16: Protocol analysis spectrum
(Chart: horizontal axis "Protocol complexity", vertical axis "Strength of attacker model", both from Low to High.)
Placed on the chart: Mur, FDR, NRL, Athena, Hand proofs, Paulson, BAN logic, Spi-calculus, Poly-time calculus, Model checking, Protocol logic, Computational Protocol logic, Multiset rewriting, Holy Grail
Directions of progress: Combining logic and cryptography; Divide and conquer

Slide 17: Outline
Part I: Overview
Part II: Protocol Composition Logic
- Compositional Reasoning
- Complexity-theoretic foundations

Slide 18: Challenge-Response: Proof Idea
Messages between A and B:
  msg1: m, A
  msg2: n, sig_B{m, n, A}
  msg3: sig_A{m, n, B}
- Alice reasons: if Bob is honest, then:
  only Bob can generate his signature [protocol independent]
  if Bob generates a signature of the form sig_B{m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice [protocol specific]
- Alice deduces: Received(B, msg1) Λ Sent(B, msg2)

Slide 19: Reasoning method
- Reason about local information
  I know my own actions
- Incorporate knowledge of protocol
  Honest people faithfully follow protocol
- No explicit reasoning about intruder
  Absence of bad action expressed as a positive property of good actions
  – E.g., honest agent's signature can be produced only by the agent
Distinguishes our method from existing techniques

Slide 20: Formalism
- Cord calculus
  Protocol programming language
  Execution model (symbolic/"Dolev-Yao")
- Protocol logic
  Expressing protocol properties
- Proof system
  Proving protocol properties
  Soundness theorem
Slide 21: Challenge-Response as Cords
Messages between A and B: m, A; then n, sig_B{m, n, A}; then sig_A{m, n, B}
InitCR(A, X) = [
  new m;
  send A, X, m, A;
  receive X, A, x, sig_X{m, x, A};
  send A, X, sig_A{m, x, X};
]
RespCR(B) = [
  receive Y, B, y, Y;
  new n;
  send B, Y, n, sig_B{y, n, Y};
  receive Y, B, sig_Y{y, n, B};
]

Slide 22: Challenge Response: Property
- Modal form: [ actions ] P
  precondition: Fresh(A,m)
  actions: [ Initiator role actions ]_A
  postcondition: Honest(B) ActionsInOrder(
    send(A, {A,B,m}),
    receive(B, {A,B,m}),
    send(B, {B,A,{n, sig_B{m, n, A}}}),
    receive(A, {B,A,{n, sig_B{m, n, A}}}) )

Slide 23: Proof System
- Sample axioms:
  Reasoning about possession:
  – [receive m ]_A Has(A,m)
  – Has(A, {m,n}) Has(A, m) Has(A, n)
  Reasoning about crypto primitives:
  – Honest(X) Decrypt(Y, enc_X{m}) X=Y
  – Honest(X) Verify(Y, sig_X{m}) m' (Send(X, m') Contains(m', sig_X{m}))
- Soundness Theorem: every provable formula is valid
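The cords of slide 21 and the possession axioms above can be exercised directly. What follows is an added example, not code from the talk or from the PCL Isabelle encoding: a small symbolic (Dolev-Yao style) interpreter that runs InitCR and RespCR against each other, records the trace of new/send/receive events, computes Has(A, t) by closing what A generated or received under the projection axiom (Has(A,{m,n}) gives Has(A,m) and Has(A,n)), and checks the ActionsInOrder property of slide 22 on the resulting trace. The term encoding (tuples for concatenation, ('sig', X, body) for sig_X{body}, '?'-prefixed cord variables), the round-robin scheduler and the nonce naming are this example's own assumptions; signature verification is modelled symbolically, so a receive pattern sig_X{…} matches only a term signed by X, which is the "only X can produce sig_X" reasoning of slide 18.

```python
"""Symbolic execution of the challenge-response cords InitCR / RespCR.

Added example (not code from the talk). Terms are atoms (str), tuples for
concatenation {t1, ..., tn}, and ('sig', X, body) for sig_X{body}; a string
starting with '?' is a cord variable. Scheduler and nonce names are assumptions.
"""
from typing import Any, Dict, List, Optional, Tuple

Term = Any

def sig(signer: Term, body: Term) -> Term:
    """sig_X{body}: a term that records its signer."""
    return ('sig', signer, body)

def is_var(t: Term) -> bool:
    return isinstance(t, str) and t.startswith('?')

def subst(t: Term, env: Dict[str, Term]) -> Term:
    """Instantiate a send pattern; an unbound variable is a cord bug (KeyError)."""
    if is_var(t):
        return env[t]
    if isinstance(t, tuple):
        return tuple(subst(x, env) for x in t)
    return t

def match(pat: Term, msg: Term, env: Dict[str, Term]) -> Optional[Dict[str, Term]]:
    """One-way matching of a receive pattern against a message, extending env.
    A signature pattern matches only a signature by the same signer over the
    same body: this is the symbolic Verify (only X can produce sig_X{...})."""
    if is_var(pat):
        if pat in env:
            return env if env[pat] == msg else None
        return {**env, pat: msg}
    if isinstance(pat, tuple):
        if not isinstance(msg, tuple) or len(pat) != len(msg):
            return None
        for p, m in zip(pat, msg):
            env = match(p, m, env)
            if env is None:
                return None
        return env
    return env if pat == msg else None

# The two cords of slide 21, transcribed action by action.
INIT_CR = [('new', '?m'),
           ('send', ('?A', '?X', '?m', '?A')),
           ('receive', ('?X', '?A', '?x', sig('?X', ('?m', '?x', '?A')))),
           ('send', ('?A', '?X', sig('?A', ('?m', '?x', '?X'))))]
RESP_CR = [('receive', ('?Y', '?B', '?y', '?Y')),
           ('new', '?n'),
           ('send', ('?B', '?Y', '?n', sig('?B', ('?y', '?n', '?Y')))),
           ('receive', ('?Y', '?B', sig('?Y', ('?y', '?n', '?B'))))]

class Thread:
    """One role instance: its principal, its cord and the bindings made so far."""
    def __init__(self, principal: str, cord, env: Dict[str, Term]):
        self.principal, self.cord, self.env, self.pc = principal, cord, env, 0

def run(threads: List[Thread]) -> List[Tuple[str, str, Term]]:
    """Round-robin scheduler: a receive blocks until a message in transit matches
    its pattern. Returns the trace as a list of (action, principal, term)."""
    network: List[Term] = []   # messages in transit; a Dolev-Yao attacker sees them all
    trace: List[Tuple[str, str, Term]] = []
    progress = True
    while progress:
        progress = False
        for th in threads:
            if th.pc >= len(th.cord):
                continue
            act, arg = th.cord[th.pc]
            if act == 'new':
                nonce = f"{arg[1:]}_{th.principal}"   # fresh atom, e.g. m_A (assumed naming)
                th.env[arg] = nonce
                trace.append(('new', th.principal, nonce))
            elif act == 'send':
                msg = subst(arg, th.env)
                network.append(msg)
                trace.append(('send', th.principal, msg))
            else:
                for i, m in enumerate(network):
                    e = match(arg, m, th.env)
                    if e is not None:
                        th.env = e
                        trace.append(('receive', th.principal, network.pop(i)))
                        break
                else:
                    continue                          # blocked: nothing in transit matches
            th.pc += 1
            progress = True
    return trace

def has(principal: str, trace) -> set:
    """Has(A, t): what A generated or received ([receive m]_A Has(A, m)), closed
    under projection (Has(A, {m, n}) gives Has(A, m) and Has(A, n)). A signature's
    body is readable too: signatures authenticate, they do not hide."""
    work = [t for a, p, t in trace if p == principal and a in ('new', 'receive')]
    owned = set()
    while work:
        t = work.pop()
        if t in owned:
            continue
        owned.add(t)
        if isinstance(t, tuple):
            work.extend([t[2]] if t[0] == 'sig' else t)
    return owned

def actions_in_order(trace, *steps) -> bool:
    """ActionsInOrder(a1, ..., ak): each (action, principal, pattern) is matched by
    an event strictly after the event matching the previous step, sharing bindings."""
    env, pos = {}, -1
    for act, who, pat in steps:
        for i in range(pos + 1, len(trace)):
            a, p, t = trace[i]
            e = match(pat, t, env) if (a, p) == (act, who) else None
            if e is not None:
                env, pos = e, i
                break
        else:
            return False
    return True

def honest_run():
    """A as initiator talking to B, B as responder; both follow their cords."""
    return run([Thread('A', INIT_CR, {'?A': 'A', '?X': 'B'}),
                Thread('B', RESP_CR, {'?B': 'B'})])

if __name__ == '__main__':
    for event in honest_run():
        print(event)
```

Running the module prints the eight-event trace of one honest session. The same `match` routine serves both the cord's receive and the property check, which mirrors how the logic ties the postcondition's message shapes to the role's own actions; the honesty-rule invariant of slide 28 (B sends msg2 only after receiving msg1) can be checked on the same trace by scanning B's events in order.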
Slide 24: Outline
Part I: Overview
Part II: Protocol Composition Logic
- Compositional Reasoning
- Complexity-theoretic foundations

Slide 25: Reasoning about Composition
- Non-destructive combination: ensure combined parts do not interfere
  – In logic: invariance assertions
- Additive combination: accumulate security properties of combined parts, assuming they do not interfere
  – In logic: before-after assertions

Slide 26: Proof steps (Intuition)
- Protocol independent reasoning: Has(A, {m,n}) Has(A, m) Has(A, n)
  Still good: unaffected by composition
- Protocol specific reasoning: "if honest Bob generates a signature of the form sig_B{m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice"
  Could break: Bob's signature from one protocol could be used to attack another
Technically: protocol-specific proof steps use invariants; invariants must be preserved for safe composition

Slide 27: Invariants
- Reasoning about honest principals
  Invariance rule, called "honesty rule"
- Preservation of invariants under composition
  If we prove Honest(X) for protocol 1 and compose with protocol 2, is the formula still true?

Slide 28: Honesty Rule (Induction)
- Definition: a protocol step begins with a receive and ends before the next receive
- Rule: [ ]_X B ProtocolSteps(Q). [B]_X Q Honest(X)
- Example: CR Honest(X) (Sent(X, m_2) Received(X, m_1))
Slide 29: Diffie-Hellman: Property
- Formula: [ new a ]_A Fresh(A, g^a)
- Explanation
  Modal form: [ actions ] P
  Actions: [ new a ]_A
  Postcondition: Fresh(A, g^a)

Slide 30: Challenge Response: Property (same slide as slide 22)

Slide 31: Composition: DH+CR = ISO-9798-3
Additive combination:
- DH post-condition matches CR precondition
- Sequential composition: substitute g^a for m in CR to obtain ISO; apply the composition rule; the ISO initiator role inherits CR authentication
- DH secrecy is also preserved: proved using another application of the composition rule
Nondestructive combination: DH and CR satisfy each other's invariants

Slide 32: Composing protocols
(Diagram: DH, under its invariant "Honest(X) …", proves Secrecy; CR, under its invariant "Honest(X) …", proves Authentication. Additive composition yields ISO with Secrecy and Authentication; the nondestructive step checks that the invariants still hold.)
Sequential and parallel composition theorems

Slide 33: Composition Rules
- Invariant weakening rule
  |- […] P
  ' |- […] P
- Sequential composition
  |- [ S ] P
  |- [ T ] P
  |- [ ST ] P
- Prove invariants from protocol: Q Q' Q Q'
Slide 34: Composition: Big Picture
(Diagram: protocol Q inside a safe environment of protocols Q1, Q2, Q3, …, Qn. Q |- Inv(Q); Inv(Q) |- the property; each Q_i |- Inv(Q). No reasoning about attacker.)
Different from: assume-guarantee in distributed computing [MC81]; Universal Composability [C01, PW01]

Slide 35: Outline
Part I: Overview
Part II: Protocol Composition Logic
- Compositional Reasoning
- Complexity-theoretic foundations

Slide 36: Two worlds
Symbolic model [NS78, DY84, …] versus complexity-theoretic model [GM84, …]:
- Attacker actions
  Symbolic: - fixed set of actions, e.g., decryption with known key (ABSTRACTION)
  Complexity-theoretic: + any probabilistic poly-time computation
- Security properties
  Symbolic: - idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)
  Complexity-theoretic: + fine-grained, e.g., secret message = no partial information about bitstring representation
- Analysis methods
  Symbolic: + successful array of tools and techniques; automation
  Complexity-theoretic: - hand-proofs are difficult, error-prone; no automation
Can we get the best of both worlds?

Slide 37: Our Approach
Talk so far: Protocol Composition Logic (PCL) = Syntax + Proof System, with Semantics in the symbolic "Dolev-Yao" model
Leverage PCL success: Computational PCL = Syntax ± + Proof System ±, with Semantics in the complexity-theoretic model

Slide 38: Main Result
- Computational PCL: a symbolic logic for proving security properties of network protocols that use public-key encryption
- Soundness Theorem: if a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1
+ Symbolic proofs
+ Complexity-theoretic model
Slide 39: Computational PCL
- Syntax: expressing security properties
- Proof System: proving security properties; soundness theorem
- Semantics: complexity-theoretic model
  – Attacker: any PPT algorithm
  – Meaning of security properties

Slide 40: Example 1
Messages between A and B:
  msg1: A, B, {n, A}_B
  msg2: B, A, n
- Security property - authentication:
  [Initiator Program]_A Honest(B) ActionsInOrder( send(A, msg1), receive(B, msg1), send(B, msg2), receive(A, msg2) )

Slide 41: Example 2
Message between A and B:
  msg1: A, B, {n, A}_B
- Security property - secrecy:
  [Initiator Program]_A Honest(B) ( X (X A,B) Indistinguishable(X,n)

Slide 42: Logic Syntax

Slide 43: Proof System
Slide 44: Soundness of proof system
- Information-theoretic reasoning
  [new u]_X (Y X) Indistinguishable(Y, u)
- Complexity-theoretic reductions
  Source(Y,u,{m}_X) Decrypts(X, {m}_X) Honest(X,Y) (Z X,Y) Indistinguishable(Z, u)
  Reduction to IND-CCA2-secure encryption scheme
- Asymptotic calculations
  Sum of two negligible functions is a negligible function

Slide 45: Complexity-theoretic semantics
Fix protocol Q, PPT adversary A, security parameter n; vary the random bits used by all programs; obtain a set of equiprobable traces, T(Q,A,n)
T( )  T(Q,A,n)
|T( )|/|T(Q,A,n)| > 1 – f(n) represents probability
Q |= if A D f negligible function n_0 n > n_0 s.t. the bound above holds

Slide 46: Inductive Semantics
Consider the set of traces T(Q,A,n)
T( 1 2 ) = T( 1 ) T( 2 )
T( 1 2 ) = T( 1 ) T( 2 )
T( ) = T( )
Semantics of formulas are transformers on the probability distribution over traces
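To make the trace-set semantics of slides 45 and 46 concrete, here is an added example (not from the talk or from the CPCL paper) that builds a constructed set T(Q, A, n) for the two-message protocol of slide 40 and evaluates formulas on it inductively. It assumes the reading of slide 46 in which conjunction is intersection, disjunction is union and negation is complement relative to T(Q, A, n), and it models Q |= φ as |T(φ)|/|T(Q,A,n)| > 1 - f(n) with the constructed negligible bound f(n) = 2^-n. The attacker strategy (relay B's honest reply, or inject a random guess as a forged reply), the event labels and the random tape recorded in each trace are this example's own constructions.

```python
"""Trace-set semantics of CPCL formulas over a constructed set of equiprobable traces.

Added example, not code from the talk. Formulas are nested tuples:
('atom', predicate) | ('and', f, g) | ('or', f, g) | ('not', f).
A trace is a tuple of (action, principal, value) events; its first event records
the random tape, so every choice of coins yields a distinct trace.
"""
from fractions import Fraction
from typing import FrozenSet, Tuple

Event = Tuple[str, str, object]
Trace = Tuple[Event, ...]
TraceSet = FrozenSet[Trace]

def T(formula, traces: TraceSet) -> TraceSet:
    """Inductive semantics (assumed reading of slide 46): the subset of traces
    on which the formula holds. Conjunction is intersection, disjunction is
    union, negation is complement in T(Q,A,n)."""
    kind = formula[0]
    if kind == 'atom':
        return frozenset(t for t in traces if formula[1](t))
    if kind == 'and':
        return T(formula[1], traces) & T(formula[2], traces)
    if kind == 'or':
        return T(formula[1], traces) | T(formula[2], traces)
    if kind == 'not':
        return traces - T(formula[1], traces)
    raise ValueError(f"unknown connective {kind!r}")

def probability(formula, traces: TraceSet) -> Fraction:
    """|T(phi)| / |T(Q,A,n)|: with equiprobable traces this is Pr[phi holds]."""
    return Fraction(len(T(formula, traces)), len(traces))

def negligible(n: int) -> Fraction:
    """Constructed bound f(n) = 2^-n standing in for 'some negligible function'."""
    return Fraction(1, 2 ** n)

def satisfies(formula, traces: TraceSet, n: int) -> bool:
    """Q |= phi at security parameter n: phi holds with probability > 1 - f(n)."""
    return probability(formula, traces) > 1 - negligible(n)

def traces_for(n: int) -> TraceSet:
    """Constructed T(Q, A, n) for the protocol of slide 40: A sends {nonce, A}_B and
    B replies with the nonce. Random bits: A's n-bit nonce r, the attacker's n-bit
    guess g and one attacker coin b. With b = 0 the attacker relays B's honest
    reply; with b = 1 it injects g as a forged reply, which A accepts only if g = r."""
    out = []
    for r in range(2 ** n):
        for g in range(2 ** n):
            for b in (0, 1):
                t = [('coins', 'tape', (r, g, b)), ('send', 'A', ('enc_B', r, 'A'))]
                if b == 0:
                    t += [('send', 'B', r), ('receive', 'A', r)]
                elif g == r:
                    t += [('inject', 'E', g), ('receive', 'A', g)]   # forgery accepted
                else:
                    t += [('inject', 'E', g), ('reject', 'A', g)]
                out.append(tuple(t))
    return frozenset(out)

def authentication(t: Trace) -> bool:
    """Atom: every reply A accepted was actually sent by B (the property of slide 40)."""
    return all(('send', 'B', v) in t for a, p, v in t if (a, p) == ('receive', 'A'))

def completed(t: Trace) -> bool:
    """Atom: A's initiator program reached its final receive."""
    return any((a, p) == ('receive', 'A') for a, p, _ in t)

AUTH = ('atom', authentication)
DONE = ('atom', completed)

if __name__ == '__main__':
    for n in (3, 5):
        tr = traces_for(n)
        print(n, len(tr), probability(AUTH, tr), satisfies(AUTH, tr, n))
```

The forged reply is accepted on exactly the traces where the attacker's guess equals the nonce, so Pr[AUTH] = 1 - 2^-(n+1) and the gap to 1 shrinks as n grows, which is what "probability asymptotically close to 1" on slide 38 means for this toy Q. Because T is defined inductively, identities such as De Morgan's law hold on the nose at the level of trace sets, not just up to probability.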
Slide 47: Logic and Cryptography: Big Picture
(Diagram, from bottom to top:)
- Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
- Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)
- Axiom in proof system, justified by the semantics and soundness theorem
- Protocol security proofs using proof system

Slide 48: Current Work
- Investigate nature of logic
  Propositional fragment not classical; represents conditional probability
  – complexity-theoretic reductions
  – connections with probabilistic logics (e.g. Nilsson86)
- Generalize reasoning about secrecy
  Probability close to ½ instead of 1
  Not a trace property
- Extend logic
  More primitives: signature, hash functions, …
  Remove current syntactic restrictions on formulas
- Information-theoretic semantics
  Only probability; no complexity

Slide 49: Summary
- Methodology:
  Divide-and-conquer paradigm in security
  Combining logic and cryptography
- Applications:
  IEEE 802.11i (Attack! Fix adopted by IEEE WG)
  GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
  IKEv2 [IETF Internet Draft; 2004]
  TLS [RFC 2246; 1999]
  Kerberos V5 [IETF Internet Draft; 2004]
  Mobile IPv6 [RFC 3775; 2004] (New Attack!)

Slide 50: Protocol analysis spectrum (same chart as slide 16)

Slide 51: Publications in dissertation
- A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue]; Abstraction and refinement in protocol derivation [CSFW04]
- A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic [ICALP05]
- A. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan, V. Shmatikov. Unifying equivalence-based definitions of protocol security [WITS04]

Slide 52: Other publications
- A. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan. On the Relationships between Notions of Simulation-based Security [TCC05]
- M. Backes, A. Datta, A. Derek, J. C. Mitchell, M. Turuani. Compositional Analysis of Contract-Signing Protocols [CSFW05]
- A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. Secure Protocol Composition [MFPS03]
- A. Datta, A. Derek, J. C. Mitchell, A. Ramanathan, A. Scedrov. The Impossibility of Realizable Ideal Functionality [In submission]
- C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i [In submission]

Slide 53: Acknowledgements
- John Mitchell
- Dan Boneh, David Dill, Rajeev Motwani, Stanley Peters
- Dusko Pavlovic, Andre Scedrov
- Ante Derek, Ajith Ramanathan
- Ralf Kuesters, Vitaly Shmatikov, Mathieu Turuani, Bogdan Warinschi, Andrei Aron, Dan Auerbach, Changhua He, Cary Kempston, Arnab Roy, Mukund Sundararajan
- Family, friends, …