Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protocol Composition Logic John Mitchell Stanford CS2592008.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Protocol Composition Logic John Mitchell Stanford CS2592008."— Presentation transcript:

1 Protocol Composition Logic John Mitchell Stanford CS2592008

2 Intuition: Picture uAlice’s information Protocol Private data Sends and receives Honest Principals, Attacker Protocol Private Data

3 Formalization uLanguage for protocol description Write program for each role of protocol uProtocol logic State security properties Specialized form of temporal logic uProof system Formally prove security properties Supports modular proofs

4 Challenge-Response roles AB m, A n, sig B {m, n, A} sig A {m, n, B} InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

5 Execution Model uProtocol Sequential program for each protocol role uInitial configuration Set of principals and keys Assignment of  1 role to each principal uRun new x send {x} B receive {x} B A B C Position in run receive {z} B new z send {z} B

6 Security Properties uAuthentication for Initiator CR |  [ InitCR(A, B) ] A Honest(B)  ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig B {m, n, A}}}), Receive(A, {B,A,{n, sig B {m, n, A}}}) ) uShared secret NS |  [ InitNS(A, B) ] A Honest(B)  ( Has(X, m)  X=A  X=B )

7 Semantics uProtocol Q Defines set of roles (e.g, initiator, responder) Run R of Q is sequence of actions by principals following roles, plus attacker uSatisfaction Q, RS |   [ actions ] P  If  at the end of trace R, and some role of P does exactly actions in S, then  is true after RS Q |   [ actions ] P  Q, R |   [ actions ] P  for all runs R of Q

8 Sample axioms about actions uNew data [ new x ] P Has(P,x) [ new x ] P Has(Y,x)  Y=P uActions [ send m ] P Send(P,m) uKnowledge [ receive m ] P Has(P,m) uVerify [ match x/sig X {m} ] P Verify(P,m)

9 Reasoning about posession uPairing Has(X, {m,n})  Has(X, m)  Has(X, n) uEncryption Has(X, enc K (m))  Has(X, K -1 )  Has(X, m)

10 Encryption and signature uPublic key encryption Honest(X)  Decrypt(Y, enc X {m})  X=Y uSignature Honest(X)  Verify(Y, sig X {m})   m’ (Send(X, m’)  Contains(m’, sig X {m})

11 Sample inference rules uPreservation rules  [ actions ] P Has(X, t)  [ actions; action ] P Has(X, t) uGeneric rules  [ actions ] P   [ actions ] P   [ actions ] P   

12 Bidding conventions (motivation) uBlackwood response to 4NT –5  : 0 or 4 aces –5  : 1 ace –5 : 2 aces –5  : 3 aces uReasoning If my partner is following Blackwood, then if she bid 5, she must have 2 aces

13 Honesty rule (rule scheme)  roles R of Q.  initial segments A  R. Q |- [ A ] X  Q |- Honest(X)   This is a finitary rule: –Typical protocol has 2-3 roles –Typical role has 1-3 receives –Only need to consider A waiting to receive

14 Honesty rule (example use)  roles R of Q.  initial segments A  R. Q |- [ A ] X  Q |- Honest(X)   Example use: –If Y receives a message from X, and Honest(X)  (Sent(X,m)  Received(X,m’)) then Y can conclude Honest(X)  Received(X,m’))

15 Correctness of CR CR |- [ InitCR(A, B) ] A Honest(B)  ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig B {m, n, A}}}), Receive(A, {B,A,{n, sig B {m, n, A}}}) ) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

16 Correctness of CR – step 1 1. A reasons about it’s own actions CR |- [ InitCR(A, B) ] A Verify(A, sig B {m, n, A}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

17 Correctness of CR – step 2 2. Properties of signatures CR |- [ InitCR(A, B) ] A Honest(B)   m’ (Send(B, m’)  Contains(m’, sig B {m, n, A}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

18 Correctness of CR – Honesty Honesty invariant CR |- Honest(X)  Send(X, m’)  Contains(m’, sig x {y, x, Y})   New(X, y)  m= X, Y, {x, sig B {y, x, Y}}  Receive(X, {Y, X, {y, Y}}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ] “If an honest X sends m containing sig x {y, x, Y}, and X did not create y, then m is responders message and X received initiator’s message 1” Improvement: use message tags in place of  New(X, y) ; see lecture 6a slides

19 Correctness of CR – step 3 3. From Honesty rule CR |- [ InitCR(A, B) ] A Honest(B)  Receive(B, {A,B,m}), InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

20 Correctness of CR – step 4 4. Use properties of nonces for temporal ordering CR |- [ InitCR(A, B) ] A Honest(B)  Auth InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

21 Complete formal proof

22 General Problem in Security uDivide-and-conquer is fundamental Decompose system requirements into parts Develop independent software modules Combine modules to produce required system uCommon belief: Security properties do not compose Difficult system development problem

23 Example protocol Protocol P1 A  B : {message} KB A  B : KA -1 uThis satisfies basic requirements Message is transmitted under encryption Revealing secret key KA -1 does not reveal message

24 Similar protocol Protocol P2 B  A : {message’} KA B  A : KB -1 uTransmits msg securely from B to A Message is transmitted under encryption Revealing secret key KB -1 does not reveal message

25 Composition P1; P2 uSequential composition of two protocols A  B : {message} KB A  B : KA -1 B  A : {message’} KA B  B : KB -1 uDefinitely not secure Eavesdropper learns both keys, decrypts messages

26 Composition Rules uProve assertions from invariants  |-  […]P  uInvariant weakening rule  |-  […]P     ’ |-  […]P  uProve invariants from protocol Q   Q’   Q  Q’   If combining protocols, extend assertions to combined invariants Use honesty (invariant) rule to show that both protocols preserve assumed invariants

27 STS family m=g x, n=g y k=g xy STS 0H STS a STS aH STS H STS 0 STS PH JFK 1 distribute certificates cookie open responder JFK 0 symmetric hash JFK protect identities RFK STS P

28 Example uConstruct protocol with properties: Shared secret Authenticated Identity Protection DoS Protection uDesign requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)

29 Component 1 uDiffie-Hellman A  B: g a B  A: g b Shared secret (with someone) –A deduces: Knows(Y, g ab)  (Y = A) ۷ Knows(Y,b) Authenticated Identity Protection DoS Protection

30 Component 2 uChallenge Response: A  B: m, A B  A: n, sig B {m, n, A} A  B: sig A {m, n, B} Shared secret (with someone) Authenticated –A deduces: Received (B, msg1) Λ Sent (B, msg2) Identity Protection DoS Protection

31 Composition uISO 9798-3 protocol: A  B: g a, A B  A: g b, sig B {g a, g b, A} A  B: sig A {g a, g b, B} Shared secret: gab Authenticated Identity Protection DoS Protection m := g a n := g b

32 Combining protocols DH  Honest(X)  …CR  Honest(X)  … ’’  |- Secrecy  ’ |- Authentication  ’ |- Secrecy  ’ |- Authentication  ’ |- Secrecy  Authentication DH  CR   ’ ISO  Secrecy  Authentication =

33 Protocol Templates uProtocols with function variables instead of specific operations One template can be instantiated to many protocols uAdvantages: proof reuse design principles/patterns

34 Example A  B: m B  A: n, F(B,A,n,m) A  B: G(A,B,n,m) A  B: m B  A: n,E KAB (n,m,B) A  B: E KAB (n,m) A  B: m B  A: n,H KAB (n,m,B) A  B: H KAB (n,m,A) A  B: m B  A: n, sig B (n,m,A) A  B: sig A (n,m,B) Challenge-Response Template ISO-9798-2ISO-9798-3SKID3 Abstraction Instantiation

35 Sample projects using PCL uSimple key exchange STS family Diffie-Hellman -> MQV GDOI [Meadows, Pavlovic] uLarger protocols SSL verification Wireless 802.11i JFK, IKEv2 Kerberos, including PKINIT, DHINIT

36 Protocol Analysis Techniques protocol security analysis Formal modelsComputational models Model checkingInductive method Dolev-Yao (perfect cryptography) Random oracle Probabilistic process calculi Probabilistic I/O automata … Finite-state checking Protocol logics … Symbolic analysis Finite processes, infinite attacker Finite processes, finite attacker Probabilistic model checking

37 Symbolic vs Computational model uSuppose  |- [actions] X  If a protocol P satisfies invariants , then if X does actions,  will be true uSymbolic soundness No idealized adversary acting against “perfect” cryptography can make  fail uComputational soundness No probabilistic polytime adversary can make  fail with nonnegligible probability

38 PCL  Computational PCL PCL Syntax Proof System Symbolic model Computational PCL Syntax ±  Proof System ±  Complexity-theoretic model

39 Chosen ciphertext CCA2 ChallengerAttacker m 0, m 1 E(m i ) guess 0 or 1 c D(c) c  E(m j ) D(c)

40 Computational model I [Bellare-Rogaway, Shoup, …] Adversary input tape work tape oracle tape “Alice”“Bob”

41 Computational model II [Canetti, …] Turing machine Adversary

42 Computational model III [Micciancio-Warinschi, …] Program Program program Adversary In(c, x).Send(…) | In(d,y).new z. Send(…y z..) | In(c, encrypt(k,…)). …

43 Some general issues uComputational PCL Symbolic logic for proving security properties of network protocols that use cryptography uSoundness Theorem: If a property is provable in CPCL, then property holds in computational model with overwhelming asymptotic probability uBenefits Retain compositionality Symbolic proofs about computational model Probability, complexity theory in soundness proof (only!) Different axioms rely on different crypto assumptions –Competing symbolic  computational methods generally requires strong crypto assumptions

44 PCL  Computational PCL uSyntax, proof rules mostly the same Retain compositional approach But some issues with propositional connectives… uSignificant differences Symbolic “knowledge” –Has(X,t) : X can produce t from msgs that have been observed, by symbolic algorithm Computational “knowledge” –Possess(X,t) : can produce t by ppt algorithm –Indist(X,t) : cannot distinguish from rand value in ppt More subtle system –Some axioms rely on CCA2, some info-theoretically sound, etc.

45 Recall Execution Model uProtocol Sequential program for each protocol role uInitial configuration Set of principals and keys Assignment of  1 role to each principal uRun new x send {x} B receive {x} B A B C Position in run receive {z} B new z send {z} B

46 Computational Traces uComputational trace contains Symbolic actions of honest parties Mapping of symbolic variables to bitstrings Send-receive actions (only) of the adversary uRuns of the protocol Set of all possible traces –Each tagged with random bits used to generate trace –Tagging  set of equi-probable traces

47 Complexity-theoretic semantics uGiven protocol Q, adversary A, security parameter n, define T=T(Q,A,n), set of all possible traces [[  ]](T) a subset of T that respects  in a specific way uIntuition:  valid when [[  ]](T) is an asymptotically overwhelming subset of T

48 Semantics of trace properties uDefined in a straight forward way [[ Send(X, m) ]](T) All traces t  T such that t contains a Send(msg) action by X the bistring value of msg is the bitstring value of m

49 Inductive Semantics u[[  1   2 ]] (T) = [[  1 ]] (T)  [[  2 ]] (T) u[[  1   2 ]] (T) = [[  1 ]] (T)  [[  2 ]] (T) u[[   ]] (T) = T - [[  ]] (T) Implication uses form of conditional probability u[[  1   2 ]] (T) = [[   1 ]] (T)  [[  2 ]] (T’) where T’ = [[  1 ]] (T) This seems needed for reduction proofs. What is logic of this  ?

50 Semantics of Indistinguishable uNot a trace property uIntuition: Indist(X, m) holds if no algorithm can distinguish m from a random value, given X’s view of the run Protocol Attacker CD mView(X) if b then m else rand b’ [[Indist(X, m)]] (T, D,  ) = T if | #(t: b=b’)-|T|/2 | < 

51 Validity of a formula Q |=  if  adversary A  distinguisher D  negligible function f  n 0 s.t.  n > n 0 [[  ]](T,D,f) T(Q,A,n) |[[  ]](T,D,f(n)) | / |T| > 1 – f(n) Fix protocol Q, PPT adversary A Choose value of security parameter n Vary random bits used by all programs Obtain set T=T(Q,A,n) of equi-probable traces Fraction of traces where “  is true”

52 Advantages of Computational PCL uHigh-level reasoning, sound for “real crypto” Prove properties of protocols without explicit reasoning about probability, asymptotic complexity uComposability PCL is designed for protocol composition Composition of individual steps –Not just coarser composition available with UC/RSIM uCan identify crypto assumptions needed ISO-9798-3 [DDMW2006] Note: existing deployed protocols may have weak security properties, assuming realistic but weak security properties of primitives they use

53 CPCL analysis of Kerberos V5 u Kerberos has a staged architecture First stage generates a nonce and sends it encrypted Second stage uses nonce as key to encrypt another nonce Third stage uses second-stage nonce to encrypt other msgs u Secrecy Logic proves “GoodKey” property of both nonces u Authentication Proved assuming encryption provides ciphertext integrity u Modular proofs using composition theorems Applies to DHINIT, which is outside scope of competing approaches

54 Challenges for computational reasoning uMore complicated adversary Actions of computational adversary do not have a simple inductive characterization uMore complicated messages Computational messages are arbitrary sequences of bits, without an inductively defined syntactic structure uDifferent scheduler Simpler “non-preemptive” scheduling is typically used in computational models (change symbolic model for equiv) uPower of induction ? Indistinguishability, other non-trace-based properties appear unsuitable as inductive hypotheses Solution: prove trace property inductively and derive secrecy

55 Current and Future Work uInvestigate nature of propositional fragment Non-classical implication related to conditional probability –complexity-theoretic reductions –connections with probabilistic logics (e.g. Nilsson86) uGeneralize reasoning about secrecy Work in progress, thanks to Arnab Need to incorporate insight of “Rackoff’s attack” uExtend logic More primitives: signature, hash functions,… u Complete case studies Produce correctness proofs for all widely deployed standards uCollaborate on Foundational work – please join us ! Implementation and case studies – please help us !

56 Conclusions uProtocol design is tricky and error-prone Model checking can find errors Proof method can show correctness uModular analysis is a challenge uClosing gap between logical analysis and cryptography Symbolic model supports useful tools Computational model more informative –Includes probability, complexity –Does not require strong cryptographic assumptions Two approaches can be combined –Several current projects and approaches [BPW, MW, Blan, CH, …] –One example: computational semantics for symbolic protocol logic uResearch area coming of age Interactions with and impact on industry

57 Credits uCollaborators M. Backes, A. Datta, A. Derek, N. Durgin, C. He, R. Kuesters, D. Pavlovic, A. Ramanathan, A. Roy, A. Scedrov, V. Shmatikov, M. Sundararajan, V. Teague, M. Turuani, B. Warinschi, … uMore information Web page on Protocol Composition Logic –http://crypto.stanford.edu/protocols/ Science is a social process

Download ppt "Protocol Composition Logic John Mitchell Stanford CS2592008."

Similar presentations

Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University Logic and Computational Complexity, 2006.

Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University Logic and Computational Complexity, 2006.
Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.

Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.
Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.

Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.
SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)
Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.

Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.
Logic for Computer Security Protocols John Mitchell Stanford University.

Logic for Computer Security Protocols John Mitchell Stanford University.
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University ICALP and PPDP, 2005.

Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University ICALP and PPDP, 2005.
Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.

Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.

Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.
Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.
PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.

PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.
Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.

Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.
Symbolic and Computational Analysis of Network Protocol Security John Mitchell Stanford University Asian 2006.

Symbolic and Computational Analysis of Network Protocol Security John Mitchell Stanford University Asian 2006.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Computationally Sound Symbolic Protocol Analysis: Correspondence Theorems 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall 2007-08.

Computationally Sound Symbolic Protocol Analysis: Correspondence Theorems 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall
Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.

Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.
Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005.

Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005.

Similar presentations

Ads by Google