Download presentation
Presentation is loading. Please wait.
1
Logics for Security Protocols Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy
2
Protocol Analysis Techniques Crypto Protocol Analysis Formal ModelsComputational Models Protocol LogicsModel Checking Inductive Proofs Dolev-Yao (perfect cryptography) Random oracle Probabilistic process calculi Probabilistic I/O automata … Process Calculi … Applied -calculus BAN, PCLMurphi, AVISPA Paulson, MSR
3
Inductive Method: Pros & Cons uAdvantages Reason about infinite runs, message spaces Trace model close to protocol specification Can “prove” protocol correct uDisadvantages Does not always give an answer Failure does not always yield an attack Still trace-based properties only Labor intensive –Must be comfortable with higher-order logic Proofs are very long –4000 steps for Otway-Rees session key secrecy
4
Protocol Logics uBAN Logic A Logic of Authentication by Michael Burrows, Martin Abadi, Roger Needham (1989) uHistorically, the first logic for reasoning about security protocols uSyntax and proof system (axioms and rules) for proving authentication properties (semantics added in a later paper)
5
BAN Logic (1) uAdvantages Proofs are relatively short (~ 2-3 pages) –cf. Paulson’s inductive proofs Proofs follow protocol design intuition –cf. model-checking, low-level theorem-proving Relatively easy to use –Still taught widely in security courses No explicit reasoning about traces and intruder –cf. Paulson’s inductive proofs
6
BAN Logic (2) uDisadvantages Not sound wrt now accepted model of protocol execution and attack –Protocols “proved” secure may be insecure e.g. NS was proved secure using BAN Protocols are modeled using logical formulas (idealization step) as opposed to state machines or programs Many uses of non-standard logical concepts –Jurisdiction, control, “belief”, messages = propositions Only authentication properties, not secrecy Applicable to restricted classes of protocols See Harper’s slides on BAN from 15-819 (linked from course web page)
7
Today uProtocol Composition Logic (PCL) Developed over the last few years (2001-07) Retain advantages of BAN; rectify deficiencies Semantic model similar to Paulson’s Inductive Method New proof techniques –Modular proofs –Cryptographic soundness uReading tip Start from the example in Section 5 of the assigned reading Protocol Composition Logic (PCL) by A. Datta, A. Derek, J. C. Mitchell, A. Roy (2007)
8
Protocol Composition Logic uA logic for proving security of network protocols uIllustrates use of programming language methods in computer security Concurrency theory –Network protocols are concurrent programs Floyd-Hoare style logic –Before-after assertions 15-812: Semantics of programming languages
9
Roadmap uIntuition uFormalism Protocol programming language Protocol logic Proof System uExample Signature-based challenge-response uProof techniques Formulated by Datta, Derek, Durgin, Mitchell, Pavlovic
10
Example: Challenge-Response AB m, A n, sig B {m, n, A} sig A {m, n, B} uAlice reasons: if Bob is honest, then: only Bob can generate his signature if Bob generates a signature of the form sig B {m, n, A}, –he sends it as part of msg2 of the protocol, and –he must have received msg1 from Alice uAlice deduces: Received (B, msg1) Λ Sent (B, msg2)
11
Formalizing the Approach uLanguage for protocol description Arrows-and-messages are informal. uProtocol Operational Semantics How does the protocol execute? uProtocol logic Stating security properties. uProof system Formally proving security properties.
12
Protocol Programming Language uA protocol is described by specifying a “program” for each role –Server = [receive x; new n; send {x, n}] uBuilding blocks Terms (think “messages”) –names, nonces, keys, encryption, … Actions (operations on terms) –send, receive, pattern match, …
![Protocol Programming Language uA protocol is described by specifying a program for each role –Server = [receive x; new n; send {x, n}] uBuilding blocks Terms (think messages ) –names, nonces, keys, encryption, … Actions (operations on terms) –send, receive, pattern match, …](http://images.slideplayer.com./17/5360813/slides/slide_12.jpg "Protocol Programming Language uA protocol is described by specifying a program for each role –Server = [receive x; new n; send {x, n}] uBuilding blocks Terms (think messages ) –names, nonces, keys, encryption, … Actions (operations on terms) –send, receive, pattern match, …")
13
Terms t ::=cconstant term xvariable Nname Kkey t, ttupling sig K {t}signature enc K {t}encryption Example: x, sig B {m, x, A} is a term
14
Actions send t;send a term t receive x;receive a term into variable x match t/p(x);match term t against p(x) uA program or cord is a sequence of actions uNotation: we often omit match actions receive sig B {A, n} = receive x; match x/sig B {A, n}
15
Challenge-Response Programs AB m, A n, sig B {m, n, A} sig A {m, n, B} InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]
![Challenge-Response Programs AB m, A n, sig B {m, n, A} sig A {m, n, B} InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]](http://images.slideplayer.com./17/5360813/slides/slide_15.jpg "Challenge-Response Programs AB m, A n, sig B {m, n, A} sig A {m, n, B} InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]")
16
Protocol Execution Initial configuration Protocol is a finite set of roles Set of principals and keys Assignment of 1 role to each principal Run (trace) new x send {x} B receive {x} B A B C receive {z} B new z send {z} B Process calculus operational semantics
17
Process Calc. Op. Semantics uCord space is a multiset of cords uCords may react via communication via internal actions uSample reaction steps: Communication: [send t; S] X | [receive x; T] Y [S] X | [T(t/x) ] Y Matching: [ match p(t)/p(x); S ] X [S(t/x) ] X
18
Attacker capabilities uControls complete network Can read, remove, inject messages uFixed set of operations on terms Pairing Projection Encryption with known key Decryption with known key … Commonly referred to as “Dolev-Yao” attacker
19
PCL: Syntax uAction formulas a ::= Send(P,t) | Receive (P,t) | Verify(P,T) | … uFormulas ::= a | Has(P,t) | Honest(N) | | 1 2 | x | a < a | … uModal formula [ actions ] P uExample Has(X, secret) ( X = A X = B) Specifying secrecy
![PCL: Syntax uAction formulas a ::= Send(P,t) | Receive (P,t) | Verify(P,T) | … uFormulas ::= a | Has(P,t) | Honest(N) | | 1 2 | x | a < a | … uModal formula [ actions ] P uExample Has(X, secret) ( X = A X = B) Specifying secrecy](http://images.slideplayer.com./17/5360813/slides/slide_19.jpg "PCL: Syntax uAction formulas a ::= Send(P,t) | Receive (P,t) | Verify(P,T) | … uFormulas ::= a | Has(P,t) | Honest(N) | | 1 2 | x | a < a | … uModal formula [ actions ] P uExample Has(X, secret) ( X = A X = B) Specifying secrecy")
20
Challenge-Response Property uSpecifying authentication for Initiator true [ InitCR(A, B) ] A Honest(B) ( Send(A, {A,B,m}) Receive(B, {A,B,m}) Send(B, {B,A,{n, sig B {m, n, A}}}) Receive(A, {B,A,{n, sig B {m, n, A}}}) ) Semantics: Property must hold in all protocol traces (similar to Paulson’s Inductive Method)
![Challenge-Response Property uSpecifying authentication for Initiator true [ InitCR(A, B) ] A Honest(B) ( Send(A, {A,B,m}) Receive(B, {A,B,m}) Send(B, {B,A,{n, sig B {m, n, A}}}) Receive(A, {B,A,{n, sig B {m, n, A}}}) ) Semantics: Property must hold in all protocol traces (similar to Paulson’s Inductive Method)](http://images.slideplayer.com./17/5360813/slides/slide_20.jpg "Challenge-Response Property uSpecifying authentication for Initiator true [ InitCR(A, B) ] A Honest(B) ( Send(A, {A,B,m}) Receive(B, {A,B,m}) Send(B, {B,A,{n, sig B {m, n, A}}}) Receive(A, {B,A,{n, sig B {m, n, A}}}) ) Semantics: Property must hold in all protocol traces (similar to Paulson’s Inductive Method)")
21
PCL: Semantics uProtocol Q Defines set of roles (e.g, initiator, responder) Run R of Q is sequence of actions by principals following roles, plus attacker uSatisfaction Q, R | [ actions ] P If some role of P in R does exactly actions starting from state where is true, then is true in state after actions completed irrespective of actions executed by other agents concurrently Q | [ actions ] P Q, R | [ actions ] P for all runs R of Q
![PCL: Semantics uProtocol Q Defines set of roles (e.g, initiator, responder) Run R of Q is sequence of actions by principals following roles, plus attacker uSatisfaction Q, R | [ actions ] P If some role of P in R does exactly actions starting from state where is true, then is true in state after actions completed irrespective of actions executed by other agents concurrently Q | [ actions ] P Q, R | [ actions ] P for all runs R of Q](http://images.slideplayer.com./17/5360813/slides/slide_21.jpg "PCL: Semantics uProtocol Q Defines set of roles (e.g, initiator, responder) Run R of Q is sequence of actions by principals following roles, plus attacker uSatisfaction Q, R | [ actions ] P If some role of P in R does exactly actions starting from state where is true, then is true in state after actions completed irrespective of actions executed by other agents concurrently Q | [ actions ] P Q, R | [ actions ] P for all runs R of Q")
22
Proof System uGoal: formally prove security properties uAxioms Simple formulas provable by hand uInference rules Proof steps uTheorem Formula obtained from axioms by application of inference rules
23
Sample axioms about actions uNew data true [ new x ] P Has(P,x) true [ new x ] P Has(Y,x) Y=P uActions true [ send m ] P Send(P,m) uVerify true [ match x/sig X {m} ] P Verify(P,m)
![Sample axioms about actions uNew data true [ new x ] P Has(P,x) true [ new x ] P Has(Y,x) Y=P uActions true [ send m ] P Send(P,m) uVerify true [ match x/sig X {m} ] P Verify(P,m)](http://images.slideplayer.com./17/5360813/slides/slide_23.jpg "Sample axioms about actions uNew data true [ new x ] P Has(P,x) true [ new x ] P Has(Y,x) Y=P uActions true [ send m ] P Send(P,m) uVerify true [ match x/sig X {m} ] P Verify(P,m)")
24
Reasoning about knowledge uPairing Has(X, {m,n}) Has(X, m) Has(X, n) uEncryption Has(X, enc K (m)) Has(X, K -1 ) Has(X, m)
25
Encryption and signature uPublic key encryption Honest(X) Decrypt(Y, enc X {m}) X=Y uSignature Honest(X) Verify(Y, sig X {m}) m’ (Send(X, m’) Contains(m’, sig X {m})
26
Sample inference rules uFirst-order logic rules uGeneric rules [ actions ] P [ actions ] P [ actions ] P
![Sample inference rules uFirst-order logic rules uGeneric rules [ actions ] P [ actions ] P [ actions ] P ](http://images.slideplayer.com./17/5360813/slides/slide_26.jpg "Sample inference rules uFirst-order logic rules uGeneric rules [ actions ] P [ actions ] P [ actions ] P ")
27
Honesty rule (example use) roles R of Q. protocol steps A of R. Start(X) [ ] X [ A ] X Q |- Honest(X) Example use: –If Y receives a message m from X, and –Honest(X) (Sent(X,m) Received(X,m’)) –then Y can conclude Honest(X) Received(X,m’)) Proved using honesty rule
28
Correctness of CR CR |- true [ InitCR(A, B) ] A Honest(B) Send(A, {A,B,m}) Receive(B, {A,B,m}) Send(B, {B,A,{n, sig B {m, n, A}}}) Receive(A, {B,A,{n, sig B {m, n, A}}}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ] Auth
![Correctness of CR CR |- true [ InitCR(A, B) ] A Honest(B) Send(A, {A,B,m}) Receive(B, {A,B,m}) Send(B, {B,A,{n, sig B {m, n, A}}}) Receive(A, {B,A,{n, sig B {m, n, A}}}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ] Auth](http://images.slideplayer.com./17/5360813/slides/slide_28.jpg "Correctness of CR CR |- true [ InitCR(A, B) ] A Honest(B) Send(A, {A,B,m}) Receive(B, {A,B,m}) Send(B, {B,A,{n, sig B {m, n, A}}}) Receive(A, {B,A,{n, sig B {m, n, A}}}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ] Auth")
29
Correctness of CR – step 1 1. A reasons about her own actions CR |- true [ InitCR(A, B) ] A Verify(A, sig B {m, n, A}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]
30
Correctness of CR – step 2 2. Properties of signatures CR |- true [ InitCR(A, B) ] A Honest(B) m’ (Send(B, m’) Contains(m’, sig B {m, n, A}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ] Recall signature axiom
31
Correctness of CR – Honesty Invariant proved with Honesty rule CR |- Honest(X) Send(X, m’) Contains(m’, sig x {y, x, Y}) New(X, y) m= X, Y, {x, sig B {y, x, Y}} Receive(X, {Y, X, {y, Y}}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ] Induction over protocol steps
![Correctness of CR – Honesty Invariant proved with Honesty rule CR |- Honest(X) Send(X, m’) Contains(m’, sig x {y, x, Y}) New(X, y) m= X, Y, {x, sig B {y, x, Y}} Receive(X, {Y, X, {y, Y}}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ] Induction over protocol steps](http://images.slideplayer.com./17/5360813/slides/slide_31.jpg "Correctness of CR – Honesty Invariant proved with Honesty rule CR |- Honest(X) Send(X, m’) Contains(m’, sig x {y, x, Y}) New(X, y) m= X, Y, {x, sig B {y, x, Y}} Receive(X, {Y, X, {y, Y}}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ] Induction over protocol steps")
32
Correctness of CR – step 3 3. Use Honesty invariant CR |- true [ InitCR(A, B) ] A Honest(B) Receive(B, {A,B,m}),… InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]
33
Correctness of CR – step 4 4. Use properties of nonces for temporal ordering CR |- true [ InitCR(A, B) ] A Honest(B) Auth InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ] Nonces are “fresh” random numbers
34
We have a proof. So what? u Soundness Theorem: if Q |- then Q |= If is a theorem then is a valid formula u holds in any step in any run of protocol Q Unbounded number of participants Dolev-Yao intruder
35
Thanks ! Questions?
Similar presentations
