Presentation is loading. Please wait.

Presentation is loading. Please wait.

Logic for Protocol Composition A. Datta, A. Derek, J. Mitchell, D. Pavlovic.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Logic for Protocol Composition A. Datta, A. Derek, J. Mitchell, D. Pavlovic."— Presentation transcript:

1 Logic for Protocol Composition A. Datta, A. Derek, J. Mitchell, D. Pavlovic

2 Goals uProtocol derivation Build security protocols by combining parts from standard sub-protocols uProof of correctness Prove protocols correct using logic that follows steps of derivation Current state of our art: derivation and correctness proofs not quite in sync

3 Example 1 uDiffie-Hellman X  Y: g x Y  X: g y Shared secret (with someone) –X deduces: Knows(Z,g xy ) כֿ Knows(Z,y) Authenticated Identity Protection

4 Example 2 uChallenge Response: A  B: m, A B  A: n, sig B {n, m, A} A  B: sig A {m, n, B} Shared secret (with someone) Authenticated –A deduces: Created (B, n) Λ Sent (B, msg2) Identity Protection

5 Composition uISO 9798-3 protocol: A  B: g a, A B  A: g b, sig B {g b, g a, A} A  B: sig A {g a, g b, B} Shared secret g ab Authenticated Identity Protection

6 Refinement uEncrypt signatures: A  B: g a, A B  A: g b, E K {sig B {g b, g a, A}} A  B: E K {sig A {g a, g b, B}} Shared secret g ab Authenticated Identity Protection

7 Basic challenge-response CR CR-E CR-S 1 CR-E 1 NSL 0 STS 0 CR-S

8 Basic challenge-response CR CR-E CR-S 1 CR-E 1 NSL 0 STS 0 CR-S c(m) r(m) A B A: “B was alive after m was generated.” B: “X wants to talk, and knows that I am alive.” [A and B know each other.]

9 E B (m) m A B A: “B was alive after m was generated.” B: “X wants to talk, and knows that I am alive.” [A and B know each other.] Basic challenge-response CR CR-E CR-S 1 CR-E 1 NSL 0 STS 0 CR-S

10 E B (m) m A B E A (n) n Basic challenge-response CR CR-E CR-S 1 CR-E 1 NSL 0 STS 0 CR-S

11 E B (m) A B m,E A (n) n Basic challenge-response CR CR-E CR-S 1 CR-E 1 NSL 0 STS 0 CR-S

12 E B (m) A B E A (m,n) E B (n) Basic challenge-response CR CR-E CR-S 1 CR-E 1 NSL 0 STS 0 CR-S

13 Basic challenge-response CR CR-E CR-S 1 CR-E 1 NSL 0 STS 0 CR-S m S B (m) A B

14 Basic challenge-response CR CR-E CR-S 1 CR-E 1 NSL 0 STS 0 CR-S m S B (m) A B n S A (n)

15 Basic challenge-response CR CR-E CR-S 1 CR-E 1 NSL 0 STS 0 CR-S m S B (m),n A B S A (n)

16 Basic challenge-response CR CR-E CR-S 1 CR-E 1 NSL 0 STS 0 CR-S m S B (m),n,n A B S A (n),m

17 Basic challenge-response CR CR-E CR-S 1 CR-E 1 NSL 0 STS 0 CR-S m S B (m,n),n A B S A (n,m) B: “A wants to talk, was alive after n was generated and knows that I am alive after m.” [A and B know each other.] A: “B accepts session, was alive after m was generated and knows that I am alive after n.”

18 STS family m=g x, n=g y k=g xy STS 0H STS a STS aH STS H STS 0 STS PH JFK 1 distribute certificates cookie open responder JFK 0 symmetric hash JFK protect identities RFK STS P

19 m=g x, n=g y k=g xy m S B (m,n),n S A (n,m) STS family STS 0H STS a STS aH STS H STS 0 STS PH JFK 1 distribute certificates cookie open responder JFK 0 symmetric hash JFK protect identities STS P RFK

20 m=g x, n=g y k=g xy STS family STS 0H STS a STS aH STS H STS 0 STS PH JFK 1 distribute certificates cookie open responder JFK 0 m n, H mn m, n, H mn,S A (m,n) S B (n,m) symmetric hash JFK protect identities STS P RFK

21 m=g x, n=g y k=g xy m C B, S B (m,n),n C A, S A (n,m) STS family STS 0H STS a STS aH STS H STS 0 STS PH JFK 1 distribute certificates cookie open responder JFK 0 symmetric hash JFK protect identities RFK STSP

22 m=g x, n=g y k=g xy m n, H mn m, n, H mn,C A, S A (m,n) C B, S B (n,m) STS family STS 0H STS a STS aH STS H STS 0 STS PH JFK 1 distribute certificates cookie open responder JFK 0 symmetric hash JFK protect identities RFK STS+

23 m=g x, n=g y k=g xy m n, C B, H mn m, n, H mn,C A, S A (m,n) S B (n,m) STS family STS 0H STS a STS aH STS H STS 0 JFK 1 distribute certificates cookie open responder JFK 0 STS PH JFK protect identities symmetric hash RFK STS P

24 m=g x, n=g y k=g xy m n, C B, E k (S B (n, m)) C A, E k (S A (m,n)) m=g x n=g y k=g xy STS family STS 0H STS a STS aH STS H STS 0 JFK 1 distribute certificates cookie open responder JFK 0 STS PH JFK protect identities symmetric hash RFK STS P

25 m n, H mn m, n, H mn, C A, E k (S A (m,n)) C B, E k (S B (n, m)) m=g x n=g y k=g xy m=g x, n=g y k=g xy STS family STS 0H STS a STS aH STS H STS 0 JFK 1 distribute certificates cookie open responder JFK 0 STS PH JFK protect identities symmetric hash RFK STS P

26 m=g x, n=g y k=g xy STS family STS 0H STS a STS aH STS H STS 0 STS PH JFK 1 distribute certificates cookie open responder JFK 0 m n, C B, H mn m, n, H mn, C A,E k (S A (m,n,C B )) E k (S B (n, m)) m=g x n=g y k=g xy JFK protect identities symmetric hash RFK STS P

27 m n, E k (C B, S B (n, m)) E k (C A, S A (m,n)) m=g x n=g y k=g xy m=g x, n=g y k=g xy STS family STS 0H STS a STS aH STS H STS 0 JFK 1 distribute certificates cookie open responder symmetric hash JFK 0 STS PH JFK protect identities RFK STS P

28 m n, H mn m, n, H mn, E k (C A, S A (m,n)) E k (C B, S B (n, m)) m=g x n=g y k=g xy m=g x, n=g y k=g xy STS family STS 0H STS a STS aH STS H STS 0 STS PH JFK 1 distribute certificates cookie open responder JFK 0 symmetric hash JFK protect identities RFK STS P

29 m=g x, n=g y k=g xy STS family STS 0H STS a STS aH STS H STS 0 STS PH JFK 1 distribute certificates cookie open responder JFK 0 symmetric hash JFK protect identities RFK m n, C B, H mn m, n, H mn, E k (C A, S A (m,n,C B )) E k (S B (n, m)) m=g x n=g y k=g xy STS P

30 m n, H mn m, n, H mn, E k (C A,S A (m,n)), #(I) E k (C B,S B (n, m)), #(R) m=g x n=g y k=g xy m=g x, n=g y k=g xy STS family STS 0H STS a STS aH STS H STS 0 STS PH JFK 1 distribute certificates cookie open responder JFK 0 symmetric hash JFK protect identities RFK STS P

31 Protocol logic uAlice’s information Protocol Private data Sends and receives Honest Principals, Attacker Send Receive Protocol Private Data

32 Example (over used) { A, Nonce a } { Nonce a, … } KaKa Kb AB uAlice assumes that only Bob has Kb -1 u Alice generated Nonce a and knows that some X decrypted first message u Since only X knows Kb -1, Alice knows X=Bob

33 More subtle example: Bob’s view { A, Nonce a } { Nonce a, B, Nonce b } { Nonce b } KaKa Kb AB u Bob assumes that Alice follows protocol u Since Alice responds to second message, Alice must have sent the first message

34 Execution model uProtocol “Program” for each protocol role uInitial configuration Set of principals and key Assignment of  1 role to each principal uRun xx zz  {x} B  ({x} B )  {z} B  decr A B C ({z} B ) Position in run

35 Formulas true at a position in run uAction formulas a ::= Send(P,m) | Receive (P,m) | New(P,t) | Decrypt (P,t) | Verify (P,t) uFormulas  ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) |  |  1   2 |  x  |  |  uExample After(a,b) =  (b   a)

36 Modal Formulas uAfter actions, condition [ actions ] P  where P =  princ, role id  uBefore/after assertions  [ actions ] P  uComposition rule  [ S ] P   [ T ] P   [ ST ] P 

37 Example: Bob’s view of NSL uBob knows he’s talking to Alice [ recv encrypt( Key(B),  A,m  ); new n; send encrypt( Key(A),  m, B, n  ); recv encrypt( Key(B), n ) ] B Honest(A)  Csent(A, msg1)  Csent(A, msg3) where Csent(A, …)  Created(A, …)  Sent(A, …) msg1msg3

38 Modal Formulas uAfter actions, condition [ actions ] P  where P =  princ, role id  uBefore/after assertions  [ actions ] P  uComposition rule  [ S ] P   [ T ] P   [ ST ] P 

39 Soundness of composition rule uFormula  [ S ] P  uMeans For any sequence of actions S’ If [ S’ ] P  then [ S’S ] P  uTherefore  [ S ] P   [ T ] P   [ ST ] P 

40 Application DH + CR = ISO 9798-3 uInitiator role of DH [ new a ] I Fresh(I, g a )  HasAlone(I, a) uInitiator role of CR Fresh(I, m) [send … receive … B… send] Honest(B)  ActionsInOrder(…) uCombination Substitute g a for m in CR Apply composition rule, persistence Obtain assertion about ISO initiator

41

42

43 Additional issues uReasoning about honest principals Invariance rule, called “honesty rule” uPreservation of invariants under composition If we prove Honest(X)   for protocol 1 and compose with protocol 2, is formula still true?

44 Bidding conventions (motivation) uBlackwood response to 4NT –5  : 0 or 4 aces –5  : 1 ace –5 : 2 aces –5  : 3 aces uReasoning If my partner is following Blackwood, then if she bid 5, she must have 2 aces

45 OLD Honesty rule (rule scheme)  roles R of Q.  initial segments A  R. Q |- [ A ] X  Q |- Honest(X)   This is a finitary rule: –Typical protocol has 2-3 roles –Typical role has 1-3 receives –Only need to consider A waiting to receive

46 Honesty rule uPreliminary: basic sequence of actions B is a basic sequence of S if S = S 1 BS 2 and B, S 2 begin with read uRule [ ] X  For all B  BasicSeq(Q).  [B] X  Q |- Honest(X)   uExample Honest(X)  (Sent(X, m2)  Recd(X, m1))

47 Treatment of Invariants uProve assertions from invariants  |-  […] P  uInvariant weakening rule  |-  […] P     ’ |-  […] P  uProve invariants from protocol Q |-  Q’ |-  Q  Q’ |-  If combining protocols, extend assertions to combined invariants Use honesty (invariant) rule to show that both protocols preserve assumed invariants

48 Conclusions uComposition  [ S ] P   [ T ] P   [ ST ] P  uInvariant combination  |-  […] P     ’ |-  […] P  Q |-  Q’ |-  Q  Q’ |- 

Download ppt "Logic for Protocol Composition A. Datta, A. Derek, J. Mitchell, D. Pavlovic."

Similar presentations

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.

Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.
Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.

Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.

Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.
Logic for Computer Security Protocols John Mitchell Stanford University.

Logic for Computer Security Protocols John Mitchell Stanford University.
Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University ICALP and PPDP, 2005.

Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University ICALP and PPDP, 2005.
Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.

Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.

Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.
PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.

PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.
Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.

Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.
Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.

Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Similar presentations

Ads by Google