Protocol Composition Logic II Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy.


1 Protocol Composition Logic II Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy

2 Protocol Analysis Techniques
Crypto Protocol Analysis
- Formal Models: Dolev-Yao (perfect cryptography)
- Computational Models: Random oracle, Probabilistic process calculi, Probabilistic I/O automata, …
- Protocol Logics: BAN, PCL
- Model Checking: Murphi, AVISPA
- Inductive Proofs: Paulson, MSR
- Process Calculi: Applied π-calculus, …

3 Protocol Composition Logic
- Intuition
- Formalism
  - Protocol programming language
  - Protocol logic
  - Proof System
- Example
  - Signature-based challenge-response
- Proof techniques (TODAY)

4 Example: JFK Protocol
- Recall earlier lecture about JFK design
- Today we will describe corresponding proof techniques

5 Ingredient 1: Diffie-Hellman
A → B: g^a
B → A: g^b
- Shared secret: g^ab
- Authentication
- Identity protection

6 Ingredient 2: Challenge-Response
A → B: m, A
B → A: n, sig_B{m, n, A}
A → B: sig_A{m, n, B}
- Shared secret
- Authentication
- Identity protection

7 DH + Challenge-Response
ISO 9798-3 protocol:
A → B: g^a, A
B → A: g^b, sig_B{g^a, g^b, A}
A → B: sig_A{g^a, g^b, B}
- Shared secret: g^ab
- Authentication
- Identity protection
- m := g^a, n := g^b
- Formalized as sequential composition

8 Ingredient 3: Encryption
Encrypt signatures to protect identities:
A → B: g^a, A
B → A: g^b, E_K{sig_B{g^a, g^b, A}}
A → B: E_K{sig_A{g^a, g^b, B}}
- Shared secret: g^ab
- Authentication
- Identity protection
- Formalized using abstraction-refinement

9 PCL Proof Techniques
- Modular Proofs
  - Parallel Composition
  - Sequential Composition
- Generic Template-style Proofs
  - Function variables
  - Higher-order logic extension

10 Parallel Composition of Protocols
- The parallel composition Q1 | Q2 of protocols Q1 and Q2 is the union of the sets of roles of Q1 and Q2.
- Example: IKEv2 | SSL

11 Compositional Proofs: Intuition
- Protocol-specific reasoning
  - “if honest Bob generates a signature of the form sig_B{m, n, A}, he sends it as part of msg2 …”
  - Could break: Bob’s signature from one protocol could be used to attack another
  - PCL proof system: Invariant rule
- Protocol-independent reasoning
  - Axiom stating unforgeability of signatures
  - Still good: unaffected by composition
  - All other axioms and proof rules for PCL

12 Proof Tree
- Diagram labels: Axiom, INV rule, Other rules, Security property
- Q1 |- Inv
- Inv |- Auth
- Bulk of proof reused
- Additional work to prove Q2 |- Inv
- Q1 | Q2 |- Inv
- Theorem: If Q |- Inv and Q’ |- Inv, then Q | Q’ |- Inv
- [DDMP CSF’03 -> JCS Special Issue, MFPS’03]

13 Parallel Composition Theorem
IF
- Q1 satisfies the security property in isolation
- Q2 respects the invariants of Q1 used in the proof of the security property
THEN
- Q1 | Q2 also satisfies the security property
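An added example (not from the lecture) of what "Q2 respects the invariants of Q1" means operationally: protocols are sets of symbolic roles, Q1 | Q2 is their union, and an invariant is checked role by role. The invariant used here is a simplified syntactic stand-in for the PCL signature invariant, and the `Notary` protocols and action encoding are hypothetical.

```python
# Roles are lists of symbolic actions: ("new", x), ("recv", ...), ("send", ...),
# ("sign", (fields...)). This encoding is an assumption made for the example.

def signs_only_with_fresh_nonce(role):
    """Stand-in invariant: every signed triple contains a value that this
    same role generated earlier with 'new'."""
    fresh = set()
    for action, *args in role:
        if action == "new":
            fresh.add(args[0])
        elif action == "sign" and len(args[0]) == 3:
            if not fresh & set(args[0]):
                return False
    return True

# Q1: signature-based challenge-response from the earlier slides.
CR = {
    "CR.Init": [("new", "m"), ("send", "m", "A"), ("recv", "n", "sig_B"),
                ("sign", ("m", "n", "B"))],
    "CR.Resp": [("recv", "m", "A"), ("new", "n"), ("sign", ("m", "n", "A"))],
}
# Hypothetical Q2 that signs whatever triple it receives.
NOTARY_BAD = {"Notary.Signer": [("recv", "x", "y", "z"), ("sign", ("x", "y", "z"))]}
# Hypothetical Q2 whose signatures never have the shape of a CR triple.
NOTARY_OK = {"Notary.Signer": [("recv", "x"), ("sign", ("notary-tag", "x"))]}

def parallel(q1, q2):
    """Q1 | Q2: the union of the two sets of roles."""
    return {**q1, **q2}

def satisfies(protocol, inv):
    """Protocol |- Inv in this toy model: every role respects the invariant."""
    return all(inv(role) for role in protocol.values())

def violating_roles(protocol, inv):
    """Names of the roles that break the invariant (the extra work for Q2)."""
    return sorted(name for name, role in protocol.items() if not inv(role))
```

Because the check is per role, the composed protocol satisfies the invariant exactly when both components do, which mirrors the shape of the theorem on the Proof Tree slide.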

14 Sequential Composition of Protocols
- Run protocols in sequence
- Examples
  - Key exchange followed by secure sessions that use the exchanged key
  - Diffie-Hellman followed by Challenge-Response = ISO-9798-3

15 ISO-9798-3 Key Exchange
A → B: g^a, A
B → A: g^b, sig_B{g^a, g^b, A}
A → B: sig_A{g^a, g^b, B}
- Authentication
  - Do we need to prove it from scratch?
- Shared secret: g^ab
- Goal: Combine proofs of Diffie-Hellman and challenge-response sub-protocols

16 Abstract challenge response
- Free variables m and n instead of nonces
- Modal form:  [ actions ] 
  - precondition: Fresh(A,m)
  - actions: [ InitACR ]_A
  - postcondition: Honest(B)  Authentication
- Secrecy is proved from properties of Diffie-Hellman

InitACR(A, X, m) = [
  send A, X, {m};
  receive X, A, {x, sig_X{m, x}};
  send A, X, {sig_A{m, x}};
]

RespACR(B, n) = [
  receive Y, B, {y};
  send B, Y, {n, sig_B{y, n}};
  receive Y, B, {sig_Y{y, n}};
]

17 Diffie-Hellman: Property
- Formula
  - true [ new a ]_A Fresh(A, g^a)
- Diffie-Hellman property:
  - Can compute g^ab given g^a and b or g^b and a
  - Cannot compute g^ab given g^a and g^b

18 Challenge Response: Property
- Modal form:  [ actions ]_P 
  - precondition: Fresh(A,m)
  - actions: [ Initiator role actions ]_A
  - postcondition: Honest(B)  ActionsInOrder(
      send(A, {A,B,m}),
      receive(B, {A,B,m}),
      send(B, {B,A,{n, sig_B{m, n, A}}}),
      receive(A, {B,A,{n, sig_B{m, n, A}}}) )

19 Composition: DH+CR = ISO-9798-3
Additive Combination
- DH post-condition matches CR precondition
- Sequential Composition:
  - Substitute g^a for m in CR to obtain ISO.
  - Apply composition rule
  - ISO initiator role inherits CR authentication.
- DH secrecy is also preserved
  - Proved using another application of composition rule.
Nondestructive Combination
- DH and CR satisfy each other’s invariants

20 Definition of Sequential Composition

21 Sequential Composition Theorem
- Both protocols should satisfy each other’s invariants (similar to parallel composition)
- Post-condition of first should match pre-condition of second protocol

22 PCL Proof Techniques
- Modular Proofs
  - Parallel Composition
  - Sequential Composition
- Generic Template-style Proofs
  - Function variables
  - Higher-order logic extension

23 Protocol Templates
- Protocols with function variables instead of specific cryptographic operations
- Idea: One template can be instantiated to many protocols
- Advantages:
  - proof reuse
  - design principles/patterns
- [DDMP CSF’04]

24 Example

Challenge-Response Template:
A → B: m
B → A: n, F(B,A,n,m)
A → B: G(A,B,n,m)

Instantiations

ISO-9798-2:
A → B: m
B → A: n, E_{K_AB}(n,m,B)
A → B: E_{K_AB}(n,m)

SKID3:
A → B: m
B → A: n, H_{K_AB}(n,m,B)
A → B: H_{K_AB}(n,m,A)

ISO-9798-3:
A → B: m
B → A: n, sig_B(n,m,A)
A → B: sig_A(n,m,B)

25 Extending Formalism
- Language Extensions
  - Add function variables to term language for cords and logic (HOL)
- Semantics
  - Q |= φ  σQ |= σφ, for all substitutions σ eliminating all function variables
- Soundness Theorem
  - Every provable formula is valid

26 Abstraction-Instantiation Method (1)
- Characterizing protocol concepts
  - Step 1: Under hypotheses about function variables and invariants, prove security property of template
  - Step 2: Instantiate function variables to cryptographic operations and prove hypotheses.
- Benefit: Proof reuse

27 Example

Challenge-Response Template:
A → B: m
B → A: n, F(B,A,n,m)
A → B: G(A,B,n,m)

- Step 1:
  - Hypotheses: Function F(B,A,n,m) can be computed only by B or A, …
  - Property: Mutual authentication
- Step 2:
  - Instantiate F() to signature, keyed hash, encryption (ISO-9798-2,3, SKID3)
  - Satisfies hypotheses => Guarantees mutual authentication
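An added example (not from the lecture) of the two steps above: the template is written once with function variables F and G, then instantiated to SKID3 with HMAC-SHA256 standing in for H_{K_AB}, and the hypothesis "F can be computed only by B or A" is tested against a party without K_AB. The field encoding, the verify-by-recomputation step (which fits only the keyed-hash instance) and the `unkeyed_F` counter-example are assumptions of this sketch; the test can refute the hypothesis but does not prove it.

```python
import hashlib
import hmac
import secrets

def encode(*fields: bytes) -> bytes:
    """Length-prefix each field so (n, m, id) has exactly one parse."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

# SKID3 instantiation from the slide: F = H_KAB(n, m, B), G = H_KAB(n, m, A).
def skid3_F(key, B, A, n, m):
    return hmac.new(key, encode(n, m, B), hashlib.sha256).digest()

def skid3_G(key, A, B, n, m):
    return hmac.new(key, encode(n, m, A), hashlib.sha256).digest()

# Constructed counter-example: an unkeyed hash ignores the key entirely.
def unkeyed_F(key, B, A, n, m):
    return hashlib.sha256(encode(n, m, B)).digest()

def run_template(F, G, key_A, key_B):
    """A -> B: m;  B -> A: n, F(B,A,n,m);  A -> B: G(A,B,n,m)."""
    A, B = b"A", b"B"
    m = secrets.token_bytes(16)                    # A's fresh challenge
    n = secrets.token_bytes(16)                    # B's fresh challenge
    f = F(key_B, B, A, n, m)                       # message 2, built by B
    if not hmac.compare_digest(f, F(key_A, B, A, n, m)):
        return False                               # A rejects B
    g = G(key_A, A, B, n, m)                       # message 3, built by A
    return hmac.compare_digest(g, G(key_B, A, B, n, m))

def outsider_can_compute(F):
    """Try to refute 'F is computable only by A or B' with a key-less party."""
    k_ab = secrets.token_bytes(32)                 # known to A and B only
    k_out = secrets.token_bytes(32)                # outsider's unrelated key
    n, m = secrets.token_bytes(16), secrets.token_bytes(16)
    return F(k_out, b"B", b"A", n, m) == F(k_ab, b"B", b"A", n, m)
```

With `skid3_F` the outsider's value never matches, so the hypothesis survives the test; with `unkeyed_F` it always matches, so that instance is not hypotheses-respecting and does not inherit the template's authentication proof.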

28 Proof Structure
Diagram labels: Template, axiom, hypothesis, Instance, Discharge hypothesis, Proof reuse

29 Abstraction-Instantiation Method (2)
- Combining protocol templates
  - If protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both.
- Benefits:
  - Modular proofs of properties
  - Formalization of protocol refinements

30 Refinement Example Revisited
Two templates:
- Template 1: authentication + shared secret (Preserves existing properties; proof reused)
- Template 2: identity protection (encryption) (Adds new property)

Encrypt Signatures:
A → B: g^a, A
B → A: g^b, E_K{sig_B{g^a, g^b, A}}
A → B: E_K{sig_A{g^a, g^b, B}}

31 Summary
- PCL – Logic for security protocols
  - Sound wrt symbolic and cryptographic models
  - High-level short proofs: 2-3 pages
- Proof techniques
  - Modular/compositional proofs
  - Generic template-style proofs
- Proofs of industrial protocols
  - IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2 (unpublished), Mobile IPv6 (in progress)
- Implementation not done

32 Thanks! Questions?

33 Modular Analysis / Composition
- EAP-TLS: Certificates to Authorization (PMK)
- 4WAY Handshake: PMK to Keys for data communication
- Group key: Keys for broadcast communication
- Data protection: AES based using above keys
- (Shared Secret-PMK)
- Diagram participants: Laptop, Access Point, Auth Server
- 802.11i Key Management
- 20 msgs in 4 components
- [HSDDM CCS’05 -> TISSEC Special Issue]

