Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations Anupam Datta Stanford University May 10, 2005.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations Anupam Datta Stanford University May 10, 2005."— Presentation transcript:

1 Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations Anupam Datta Stanford University May 10, 2005

2 Outline Part I: Overview Motivation Central problems –Divide and Conquer paradigm –Combining logic and cryptography Results Part II: Protocol Composition Logic Compositional Reasoning Complexity-theoretic foundations

3 This talk is about… uNetwork security protocols Internet Engineering Task Force (IETF) Standards –SSL/TLS - web authentication –IPSec - corporate VPNs –Mobile IPv6 – routing security –Kerberos - network authentication –GDOI – secure group communication IEEE Standards Working Group –802.11i - wireless security uAnd methods for their security analysis Security proof in some model; or Identify attacks

4 Characteristics of protocols uRelatively simple distributed programs 5-7 steps, 3-10 fields per message (per component) uMission critical Security of data, credit card numbers, … uSubtle Concurrency: attack may combine data from many sessions Computation: modeling cryptographic primitives Good domain for logical methods Active research area since early 80’s

5 Security Analysis Methodology Analysis Tool Protocol Property Security proof or attack Attacker model Our tool: Protocol Composition Logic (PCL) SSL authentication -Complete control over network -Perfect crypto 42 line axiomatic proof “Forty-two,” said Deep Thought, with infinite majesty and calm. - D. Adams, HGG, 1979

6 Classifying Attacks uImplementation bugs Buffer overflow, format string vulnerabilities uCryptography breaks IEEE 802.11b (WEP encryption) uProtocol flaws Needham-Schroeder, IKE, IEEE 802.11i Focus on protocol flaws assuming “strong crypto” Complexity-theoretic characterization of “strong crypto”

7 IEEE 802.11i wireless security [2004] Wireless Device Access Point Authentication Server 802.11 Association EAP/802.1X/RADIUS Authentication 4-way handshake Group key handshake Data communication Divide-and-conquer paradigm Combining logic and cryptography Uses crypto: encryption, hash,…

8 Divide-and-Conquer paradigm uResult: Protocol Derivation System [DDMP03-05] Incremental protocol construction uResult: Protocol Composition Logic (PCL) [DDDMP01-05] Compositional correctness proofs uRelated work: [Heintze-Tygar96], [Lynch99], [Sheyner- Wing00], [Canetti01], [Pfitzmann-Waidner01], … Composition is a hard problem in security Central Problem 1

9 Combining logic and cryptography uSymbolic model [NS78, DY84] - Perfect cryptography assumption + Idealization => tools and techniques uComplexity-theoretic model [GM84] + More detailed model; probabilistic guarantees - Hand-proofs very hard; no automation uResult: Computational PCL [DDMST05] + Logical proof methods + Complexity-theoretic crypto model uRelated work: [Mitchell-Scedrov et al 98-04], [Abadi- Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio- Warinschi04] Central Problem 2

10 Applied to industrial protocols uIEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG) [He et al] uIKEv2 [IETF Internet Draft; 2004] [Aron et al] uTLS/SSL [RFC 2246; 1999] [He et al] uMobile IPv6 [RFC 3775; 2004] (New Attack!) [Roy et al] uKerberos V5 [IETF Internet Draft; 2004] [Cervasato et al] uGDOI Secure Group Communication protocol [RFC 3547; 2003] (Attack! Fix adopted by IETF WG) [Meadows et al]

11 Tool support uIsabelle implementation of PCL [Kempston et al] PCL syntax and proof system encoded into Isabelle, a generic theorem-prover Machine-checkable axiomatic proofs Use Isabelle’s first-order reasoner uProtocol Derivation Assistant [Anlauff et al] Graphical support tool for protocol derivations

12 IPSec uWidely deployed: Corporate VPNs uProvides secrecy and integrity uIKEv2 is the IPSec key exchange protocol Internet IP layer host-to-host security

13 IKEv2 [IETF ID 2004] IKE_AUTH (Authenticate) IKE_CHILD_SA (Rekey) I  R: HDR, SAi1, g i, Ni R  I: HDR, SAr1, g r, Nr IKE_INIT (Exchange key material) I  R: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr} R  I: HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr} Modular proofs Multi-mode (Unified “template” proof) Properties: authentication, shared secret, identity & DoS protection, repudiability Multi-mode protocol: authenticator can use either signature or pre- shared key

14 Mobile IPv6 [IETF ID 2004] StanfordWisconsin Home address Care of address Correspondent Node Change of location Authentication DoS issues Protocol breaks if attacker controls complete network

15 GDOI [RFC 3547, 2003] Secure group communication Composition attack Fix adopted by IETF WG Communicating in a group can be difficult… Public network Group controller

16 Protocol analysis spectrum LowHigh Low Strength of attacker model Protocol complexity Mur  FDR  NRL  Athena  Hand proofs Paulson   BAN logic  Spi-calculus Poly-time calculus   Model checking  Protocol logic Computational Protocol logic  Multiset rewriting Holy Grail Combining logic and cryptography Divide and conquer

17 Outline Part I: Overview Part II: Protocol Composition Logic Compositional Reasoning Complexity-theoretic foundations

18 AB uAlice reasons: if Bob is honest, then: only Bob can generate his signature. [protocol independent] if Bob generates a signature of the form sig B {m, n, A}, –he sends it as part of msg 2 of the protocol and –he must have received msg1 from Alice. [protocol specific] uAlice deduces: Received (B, msg1) Λ Sent (B, msg2) m, A n, sig B {m, n, A} sig A {m, n, B} Challenge-Response: Proof Idea

19 Reasoning method uReason about local information I know my own actions uIncorporate knowledge of protocol Honest people faithfully follow protocol uNo explicit reasoning about intruder Absence of bad action expressed as a positive property of good actions –E.g., honest agent’s signature can be produced only by the agent Distinguishes our method from existing techniques

20 Formalism uCord calculus Protocol programming language Execution model ( Symbolic/“Dolev-Yao”) uProtocol logic Expressing protocol properties uProof system Proving protocol properties Soundness theorem

21 AB m, A n, sig B {m, n, A} sig A {m, n, B} Challenge-Response as Cords InitCR(A, X) = [ new m; send A, X, m, A; receive X, A, x, sig X {m, x, A}; send A, X, sig A {m, x, X}; ] RespCR(B) = [ receive Y, B, y, Y; new n; send B, Y, n, sig B {y, n, Y}; receive Y, B, sig Y {y, n, B}; ]

22 Challenge Response: Property uModal form:  [ actions ] P  precondition: Fresh(A,m) actions: [ Initiator role actions ] A postcondition: Honest(B)  ActionsInOrder( send(A, {A,B,m}), receive(B, {A,B,m}), send(B, {B,A,{n, sig B {m, n, A}}}), receive(A, {B,A,{n, sig B {m, n, A}}}) )

23 Proof System uSample Axioms: Reasoning about possession: –[receive m ] A Has(A,m) –Has(A, {m,n})  Has(A, m)  Has(A, n) Reasoning about crypto primitives: –Honest(X)  Decrypt(Y, enc X {m})  X=Y –Honest(X)  Verify(Y, sig X {m})   m’ (Send(X, m’)  Contains(m’, sig X {m}) uSoundness Theorem: Every provable formula is valid

24 Outline Part I: Overview Part II: Protocol Composition Logic Compositional Reasoning Complexity-theoretic foundations

25 Reasoning about Composition uNon-destructive Combination: Ensure combined parts do not interfere –In logic: invariance assertions uAdditive Combination: Accumulate security properties of combined parts, assuming they do not interfere –In logic: before-after assertions

26 Proof steps (Intuition) uProtocol independent reasoning Has(A, {m,n})  Has(A, m)  Has(A, n) Still good: unaffected by composition uProtocol specific reasoning “if honest Bob generates a signature of the form sig B {m, n, A}, –he sends it as part of msg 2 of the protocol and –he must have received msg1 from Alice” Could break: Bob’s signature from one protocol could be used to attack another Technically: Protocol-specific proof steps use invariants Invariants must be preserved for safe composition

27 Invariants uReasoning about honest principals Invariance rule, called “honesty rule” uPreservation of invariants under composition If we prove Honest(X)   for protocol 1 and compose with protocol 2, is formula still true?

28 Honesty Rule (Induction) uDefinition A protocol step begins with receive, ends before next receive uRule [ ] X   B  ProtocolSteps(Q).  [B] X  Q  Honest(X)   uExample CR  Honest(X)  (Sent(X, m 2 )  Received(X, m 1 ))

29 Diffie-Hellman: Property uFormula [ new a ] A Fresh(A, g a ) uExplanation Modal form: [ actions ] P  Actions: [ new a ] A Postcondition: Fresh(A, g a )

30 Challenge Response: Property uModal form:  [ actions ] P  precondition: Fresh(A,m) actions: [ Initiator role actions ] A postcondition: Honest(B)  ActionsInOrder( send(A, {A,B,m}), receive(B, {A,B,m}), send(B, {B,A,{n, sig B {m, n, A}}}), receive(A, {B,A,{n, sig B {m, n, A}}}) )

31 Composition: DH+CR = ISO-9798-3 Additive Combination uDH post-condition matches CR precondition uSequential Composition: Substitute g a for m in CR to obtain ISO. Apply composition rule ISO initiator role inherits CR authentication. uDH secrecy is also preserved Proved using another application of composition rule. Nondestructive Combination DH and CR satisfy each other’s invariants

32 Composing protocols DH  Honest(X)  … ’’  |- Secrecy  ’ |- Authentication  ’ |- Secrecy  ’ |- Authentication  ’ |- Secrecy  Authentication [additive] DH  CR   ’ [nondestructive] ISO  Secrecy  Authentication = CR  Honest(X)  … Sequential and parallel composition theorems

33 Composition Rules uInvariant weakening rule  |-  […] P     ’ |-  […] P  uSequential Composition  |-  [ S ] P   |-  [ T ] P   |-  [ ST ] P  uProve invariants from protocol Q   Q’   Q  Q’  

34 Composition: Big Picture Different from: Assume-guarantee in distributed computing [MC81] Universal Composability [C01, PW01] Protocol Q Safe Environment for Q Q1Q1 Q2Q2 Q3Q3 QnQn Q |- Inv(Q) Inv(Q) |-  Q i |- Inv(Q) No reasoning about attacker …

35 Outline Part I: Overview Part II: Protocol Composition Logic Compositional Reasoning Complexity-theoretic foundations

36 Symbolic model [NS78,DY84,…] Complexity-theoretic model [GM84,…] Attacker actions-Fixed set of actions, e.g., decryption with known key (ABSTRACTION) + Any probabilistic poly-time computation Security properties-Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION) + Fine-grained, e.g., secret message = no partial information about bitstring representation Analysis methods+ Successful array of tools and techniques; automation - Hand-proofs are difficult, error-prone; no automation Can we get the best of both worlds? Two worlds

37 Our Approach Protocol Composition Logic (PCL) Syntax Proof System Symbolic “Dolev-Yao” model Semantics Computational PCL Syntax ±  Proof System ±  Complexity-theoretic model Semantics Talk so far… Leverage PCL success…

38 Main Result uComputational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption uSoundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1. + Symbolic proofs + Complexity-theoretic model

39 Computational PCL uSyntax Expressing security properties uProof System Proving security properties Soundness Theorem uSemantics Complexity-theoretic Model –Attacker – any PPT algorithm –Meaning of security properties

40 Example 1 AB A, B, {n, A} B B, A, n uSecurity Property - authentication [Initiator Program] A Honest(B)  ActionsInOrder( send(A, msg1), receive(B, msg1), send(B, msg2), receive(A, msg2 ) )

41 Example 2 AB A, B, {n, A} B uSecurity Property - secrecy [Initiator Program] A Honest(B)  (  X (X  A,B)  Indistinguishable(X,n)

42 Logic Syntax

43 Proof System

44 Soundness of proof system uInformation-theoretic reasoning [new u] X (Y  X)  Indistinguishable(Y, u) uComplexity-theoretic reductions Source(Y,u,{m} X )   Decrypts(X, {m} X )  Honest(X,Y)  (Z  X,Y)  Indistinguishable(Z, u) uAsymptotic calculations         Sum of two negligible functions is a negligible function Reduction to IND-CCA2-secure encryption scheme

45 Complexity-theoretic semantics uQ |=  if  A  D  f negligible function  n 0  n > n 0 s.t. Fix protocol Q, PPT adversary A, security parameter n Vary random bits used by all programs Obtain set of equi- probable traces, T(Q,A,n) T(  ) T(Q,A,n) |T(  )|/|T(Q,A,n)| > 1 –f(n) Represents probability

46 Inductive Semantics uConsider set of traces T(Q,A,n) T(  1   2 ) = T(  1 )  T(  2 ) T(  1   2 ) = T(  1 )  T(  2 ) T(   ) = T(  ) Semantics of formulas are transformers on probability distribution over traces

47 Logic and Cryptography: Big Picture Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption) Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme) Axiom in proof system Protocol security proofs using proof system Semantics and soundness theorem

48 Current Work uInvestigate nature of logic Propositional fragment not classical  represents conditional probability – complexity-theoretic reductions –connections with probabilistic logics (e.g. Nilsson86) uGeneralize reasoning about secrecy Probability close to ½ instead of 1 Not a trace property uExtend logic More primitives: signature, hash functions,… Remove current syntactic restrictions on formulas u Information-theoretic semantics Only probability; no complexity

49 Summary uMethodology: Divide-and-conquer paradigm in security Combining logic and cryptography uApplications: IEEE 802.11i (Attack! Fix adopted by IEEE WG) GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG) IKEv2 [IETF Internet Draft; 2004] TLS [RFC 2246; 1999] Kerberos V5 [IETF Internet Draft; 2004] Mobile IPv6 [RFC 3775; 2004] (New Attack!)

50 Protocol analysis spectrum LowHigh Low Strength of attacker model Protocol complexity Mur  FDR  NRL  Athena  Hand proofs Paulson   BAN logic  Spi-calculus Poly-time calculus   Model checking  Protocol logic Computational Protocol logic  Multiset rewriting Holy Grail Combining logic and cryptography Divide and conquer

51 Publications in dissertation uA. Datta, A. Derek, J. C. Mitchell, D. Pavlovic A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue] Abstraction and refinement in protocol derivation [CSFW04] uA. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic [ICALP05] uA. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan, V. Shmatikov. Unifying equivalence- based definitions of protocol security [WITS04]

52 Other publications uA. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan. On the Relationships between Notions of Simulation-based Security [TCC05] uM. Backes, A. Datta, A. Derek, J. C. Mitchell, M. Turuani. Compositional Analysis of Contract-Signing Protocols [CSFW05] uA. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. Secure Protocol Composition [MFPS03] uA. Datta, A. Derek, J. C. Mitchell, A. Ramanathan, A. Scedrov. The Impossibility of Realizable Ideal Functionality [In submission] uC. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i [In submission]

53 Acknowledgements uJohn Mitchell uDan Boneh, David Dill, Rajeev Motwani, Stanley Peters uDusko Pavlovic, Andre Scedrov uAnte Derek, Ajith Ramanathan uRalf Kuesters, Vitaly Shmatikov, Mathieu Turuani, Bogdan Warinschi, Andrei Aron, Dan Auerbach, Changhua He, Cary Kempston, Arnab Roy, Mukund Sundararajan uFamily, friends, …

Download ppt "Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations Anupam Datta Stanford University May 10, 2005."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University Logic and Computational Complexity, 2006.

Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University Logic and Computational Complexity, 2006.
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.

Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
IKEv2 extension: MOBIKE Faisal Memon Erik Weathers CS 259.

IKEv2 extension: MOBIKE Faisal Memon Erik Weathers CS 259.
An Update on Network Protocol Security Stanford University Stanford Computer Forum, 2007 Anupam DattaJohn Mitchell.

An Update on Network Protocol Security Stanford University Stanford Computer Forum, 2007 Anupam DattaJohn Mitchell.
Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.

Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University ICALP and PPDP, 2005.

Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University ICALP and PPDP, 2005.
Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.

Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.
Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.

Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.
Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.
PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.

PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.
Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.

Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.
Symbolic and Computational Analysis of Network Protocol Security John Mitchell Stanford University Asian 2006.

Symbolic and Computational Analysis of Network Protocol Security John Mitchell Stanford University Asian 2006.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Computationally Sound Symbolic Protocol Analysis: Correspondence Theorems 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall 2007-08.

Computationally Sound Symbolic Protocol Analysis: Correspondence Theorems 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall
Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.

Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.

Similar presentations

Ads by Google