Published by Aron Blake. Modified over 9 years ago.
1
Protocol Composition Logic (PCL): Part II. Anupam Datta, CS 259
2
Using PCL: Summary
• Modeling the protocol
  – Program for each protocol role
• Modeling security properties
  – Using PCL syntax
  – Authentication, secrecy easily expressed
• Proving security properties
  – Using PCL proof system
  – Soundness theorem guarantees that provable properties hold in all protocol runs
Example: C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell, "A modular correctness proof of TLS and IEEE 802.11i", ACM CCS 2005
3
Challenge-Response programs (1)
Message flow (A initiator, B responder):
  A → B: m, A
  B → A: n, sig B {m, n, A}
  A → B: sig A {m, n, B}
InitCR(A, X) = [
  new m;
  send A, X, {m, A};
  receive X, A, {x, sig X {m, x, A}};
  send A, X, sig A {m, x, X};
]
RespCR(B) = [
  receive Y, B, {y, Y};
  new n;
  send B, Y, {n, sig B {y, n, Y}};
  receive Y, B, sig Y {y, n, B};
]
4
Challenge-Response Property (2)
• Specifying authentication for Initiator
  CR |- true [ InitCR(A, B) ] A Honest(B)
    ( Send(A, {A,B,m}) Receive(B, {A,B,m})
      Send(B, {B,A,{n, sig B {m, n, A}}}) Receive(A, {B,A,{n, sig B {m, n, A}}}) )
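To make the property concrete, here is an added example (not from the slides or from any PCL tool): a symbolic run of the InitCR / RespCR roles above, followed by a check of the initiator's authentication property written as Send/Receive predicates over the trace. The nonce encoding, the tuple representation of terms and the helper names (new, sig, send, receive, run_cr, initiator_auth) are this example's own; signatures are symbolic stand-ins verified by term equality.

```python
# Added example, not from the slides: a symbolic run of the signature-based
# challenge-response roles InitCR / RespCR, and the initiator's authentication
# property from the slide checked as Send/Receive predicates over the trace.
# Terms are nested tuples; sig(X, t) is a symbolic stand-in for X's signature
# on t (verified by term equality), so no real cryptography is involved.
import itertools
_counter = itertools.count(1)
def new():                       # 'new m': a fresh nonce, unique per call
    return ("nonce", next(_counter))
def sig(signer, body):           # sig X {body}
    return ("sig", signer, body)
def send(trace, net, frm, to, body):
    trace.append(("Send", frm, (frm, to, body)))
    net.append((frm, to, body))
def receive(trace, net, who):    # deliver the first queued message for 'who'
    i = next(k for k, (_, to, _) in enumerate(net) if to == who)
    frm, to, body = net.pop(i)
    trace.append(("Receive", who, (frm, to, body)))
    return frm, body

def run_cr(A, B):
    """One honest run of InitCR(A, B) interleaved with RespCR(B); returns (trace, m)."""
    trace, net = [], []
    m = new()
    send(trace, net, A, B, (m, A))                   # InitCR: send A, X, {m, A}
    Y, (y, _) = receive(trace, net, B)               # RespCR: receive Y, B, {y, Y}
    n = new()
    send(trace, net, B, Y, (n, sig(B, (y, n, Y))))   # RespCR: send B, Y, {n, sig B {y, n, Y}}
    X, (x, s) = receive(trace, net, A)               # InitCR: receive X, A, {x, sig X {m, x, A}}
    if s != sig(X, (m, x, A)):
        raise ValueError("InitCR: signature in message 2 does not verify")
    send(trace, net, A, X, sig(A, (m, x, X)))        # InitCR: send A, X, sig A {m, x, X}
    _, s2 = receive(trace, net, B)                   # RespCR: receive Y, B, sig Y {y, n, B}
    if s2 != sig(Y, (y, n, B)):
        raise ValueError("RespCR: signature in message 3 does not verify")
    return trace, m

def initiator_auth(trace, A, B, m):
    """Initiator's property: the four CR events for this m exist in the trace
    and occur in the order Send(A) < Receive(B) < Send(B) < Receive(A)."""
    def index(kind, who, test):
        return next((i for i, (k, w, msg) in enumerate(trace)
                     if k == kind and w == who and test(msg)), None)
    msg1 = lambda msg: msg == (A, B, (m, A))
    msg2 = lambda msg: msg[:2] == (B, A) and msg[2][1] == sig(B, (m, msg[2][0], A))
    order = [index("Send", A, msg1), index("Receive", B, msg1),
             index("Send", B, msg2), index("Receive", A, msg2)]
    return None not in order and order == sorted(order)
```

Dropping any of the four events from the trace, or asking about a responder that did not take part, makes initiator_auth return False; the proof system's job is to show the property for every interleaving, not just this honest one.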
5
Challenge-Response Proof (3)
6
Protocol Composition Logic: PCL
• Intuition
• Formalism
  – Protocol programming language
  – Protocol logic
    – Syntax
    – Semantics
  – Proof System
• Example
  – Signature-based challenge-response
• Composition
• Computational Soundness
7
Modular Analysis / Composition
802.11i Key Management (Laptop, Access Point, Auth Server): 20 msgs in 4 components
  – EAP-TLS: Certificates to Authorization (shared secret: PMK)
  – 4WAY Handshake: PMK to Keys for data communication
  – Group key: Keys for broadcast communication
  – Data protection: AES based using above keys
Goal: Divide and Conquer
8
Desiderata
• Non-destructive combination
  – Security guarantee for TLS in isolation must be preserved when run simultaneously with 4WAY
  – Formalized as parallel composition
• Additive combination
  – Prove 4WAY security guarantee assuming TLS provides shared secret. Combine with separate proof of TLS guarantee.
  – Formalized as sequential composition
9
Parallel Composition
• Definition: Q = Q1 | Q2 if the set of roles of Q is the union of the sets of roles of Q1 and Q2
• Examples:
  – On the internet many protocols run in parallel, e.g., SSL, IKE, Kerberos
  – In 802.11i, TLS, 4WAY, GroupKey can be run in parallel
10
Compositional Proofs: Intuition
• Protocol specific reasoning
  – "If honest Bob generates a signature of the form sig B {m, n, A},
    – he sends it as part of msg2 of the protocol and
    – he must have received msg1 from Alice"
  – Could break: Bob's signature from one protocol could be used to attack another
  – PCL proof system: Honesty rule
• Protocol independent reasoning
  – Has(A, {m,n}) Has(A, m) Has(A, n)
  – Still good: unaffected by composition
  – All other axioms and proof rules for PCL
11
Proof Tree (figure labels): Axiom; HON rule; Other rules; Proof step might fail; Security property
12
Parallel Composition Theorem (1)
• Honesty rule: roles R of Q, protocol steps A of R:
  Start(X) [ ] X    [ A ] X
  Q |- Honest(X)
• Lemma: Let Q = Q1 | Q2. If Q1 |- and Q2 |- , then Q |-
  – Proof idea: Roles(Q) = Roles(Q1) ∪ Roles(Q2)
13
Parallel Composition Theorem (2)
• Theorem: Let Q = Q1 | Q2. If Q1 |- , |- and Q2 |- , then Q |- , where includes all invariants proved using Honesty rule
  – Proof idea:
    – By Lemma, Q |-
    – Also, |-
    – Intuitively, the old proof tree for Q1 still works
14
Proof Tree (figure labels): Axiom; HON rule; Other rules; Security property; |- ; Q1 |- ; Q |- ; Bulk of proof reused; Additional work to prove Q2 |-
15
Example: Challenge-Response
• Invariant proved with Honesty rule
  CR |- Honest(X) Send(X, m’) Contains(m’, sig X {y, x, Y})
        New(X, y) m’ = X, Y, {x, sig X {y, x, Y}} Receive(X, {Y, X, {y, Y}})
• Authentication property of CR is preserved under parallel composition with any Q which satisfies this invariant
InitCR(A, X) = [
  new m;
  send A, X, {m, A};
  receive X, A, {x, sig X {m, x, A}};
  send A, X, sig A {m, x, X};
]
RespCR(B) = [
  receive Y, B, {y, Y};
  new n;
  send B, Y, {n, sig B {y, n, Y}};
  receive Y, B, sig Y {y, n, B};
]
16
Parallel Composition: Big Picture (figure)
  – Protocol Q running in a safe environment Q1, Q2, Q3, …, Qn
  – Q |- Inv(Q); Inv(Q) |- ; Qi |- Inv(Q)
  – No explicit reasoning about attacker
17
Desiderata
• Non-destructive combination
  – Security guarantee for TLS in isolation must be preserved when run simultaneously with 4WAY
  – Formalized as parallel composition
• Additive combination
  – Prove 4WAY security guarantee assuming TLS provides shared secret. Combine with separate proof of TLS guarantee.
  – Formalized as sequential composition
18
Example: ISO-9798-3
• Authentication
  – Similar to challenge-response
  – Do we need to prove property from scratch?
• Shared secret: g^ab
Message flow:
  A → B: g^a, A
  B → A: g^b, sig B { g^a, g^b, A}
  A → B: sig A { g^a, g^b, B}
19
Sequential Composition (figure): sequential composition of roles with term substitution
DH-Init(X, Y) = [ new x; ] with output X, Y, g^x
CR-Init(W, Z, w) = [
  send W, Z, w, A;
  receive Z, W, z, sig Y { w, z, W};
  send W, Z, sig X { w, z, Z};
]
ISO-Init(X, Y) = [
  new x;
  send X, Y, g^x, A;
  receive Y, X, z, sig Y { g^x, z, X};
  send X, Y, sig X { g^x, z, Y};
]
20
Diffie-Hellman: Property
• Formula
• true [ new a ] A Fresh(A, g^a)
21
Abstract challenge response
• Free variables m and n instead of nonces
• Modal form: [ actions ]
  – precondition: Fresh(A, m)
  – actions: [ InitACR ] A
  – postcondition: Honest(B) Authentication
InitACR(A, X, m) = [
  send A, X, {m};
  receive X, A, {x, sig X {m, x}};
  send A, X, sig A {m, x};
]
RespACR(B, n) = [
  receive Y, B, {y};
  send B, Y, {n, sig B {y, n}};
  receive Y, B, sig Y {y, n};
]
Same proof as previous lecture!
22
Sequencing Rule
  [ S ] P    [ T ] P
  ------------------
     [ S; T ] P
• Is this rule sound?
23
Composition: DH + CR = ISO-9798-3
Additive Combination
• DH post-condition matches CR precondition
• Sequential Composition: Substitute g^a for m in CR to obtain ISO. Apply composition rule.
  – ISO initiator role inherits CR authentication.
• DH secrecy is also preserved
  – Proved using another application of composition rule.
Nondestructive Combination
• DH and CR satisfy each other's invariants
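The additive step above, as an added example (not from the slides or any PCL tool): role programs are lists of symbolic actions, the DH post-condition Fresh(A, g^a) is matched against the abstract CR precondition Fresh(A, m) under the substitution m := g^a, and the ISO-9798-3 initiator is obtained by concatenating the DH actions with the substituted CR actions. The tuple encoding of terms, the names exp, subst, dh_init, cr_init, seq_compose and the variable x for the responder's value are this example's own choices.

```python
# Added example, not from the slides or any PCL tool: sequential composition of
# role programs by term substitution, as in DH-Init; CR-Init[g^a / m] = ISO-Init.
# Role programs are lists of symbolic actions over nested tuples; ("exp", "g", "a")
# stands for g^a. Parameter names, the action encoding and the pre/post-condition
# encoding are this example's own choices.

def subst(term, mapping):
    """Replace free variables (bare strings that are keys of mapping) in a term."""
    if isinstance(term, tuple):
        return tuple(subst(t, mapping) for t in term)
    return mapping.get(term, term)

def dh_init(X, Y):
    """DH-Init(X, Y): generate a and hand g^a to the next role.
    Returns (actions, output term, post-condition true [new a]X Fresh(X, g^a))."""
    g_a = ("exp", "g", "a")
    return [("new", "a")], g_a, ("Fresh", X, g_a)

def cr_init(A, X, m):
    """Abstract CR initiator (InitACR) with free variable m instead of a nonce.
    Returns (actions, pre-condition Fresh(A, m)); x is the responder's value."""
    actions = [("send", A, X, (m, A)),
               ("receive", X, A, ("x", ("sig", X, (m, "x", A)))),
               ("send", A, X, ("sig", A, (m, "x", X)))]
    return actions, ("Fresh", A, m)

def seq_compose(first, second, var):
    """Additive combination: check that the first role's post-condition matches
    the second role's pre-condition under var := output, then append the second
    role's actions with that substitution applied (the sequencing rule)."""
    acts1, out, post = first
    acts2, pre = second
    binding = {var: out}
    if subst(pre, binding) != post:
        raise ValueError("post-condition of first role does not match "
                         "pre-condition of second role")
    return acts1 + [subst(a, binding) for a in acts2]

# ISO-9798-3 initiator obtained as DH-Init; CR-Init with g^a substituted for m
ISO_INIT = seq_compose(dh_init("A", "B"), cr_init("A", "B", "m"), "m")
```

The resulting ISO_INIT is exactly the ISO-Init program on the Sequential Composition slide (new a; send g^a; receive the responder's value and signature; send the final signature), which is why the CR authentication proof carries over without being redone.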
24
Sequential Composition: Picture (figure labels)
  – Additive: ’’ |- [ DH-Init ] P ’ ; ’ |- [ CR-Init ] P ’ ; ’ |- [ DH-Init ] P ’ ; ’ |- [ CR-Init ] P ’ ; ’ |- [DH-Init; CR-Init] P ; ISO |- [ISO-Init] P
  – Non-destructive: DH |- Honest(X) … ; CR |- Honest(X) … ; DH |- ’ ; CR |- ’ ; ISO = DH;CR |- ’
25
Protocol Composition Logic: PCL
• Intuition
• Formalism
  – Protocol programming language
  – Protocol logic
    – Syntax
    – Semantics
  – Proof System
• Example
  – Signature-based challenge-response
• Composition
• Computational Soundness
26
Computational PCL
• Symbolic proofs about complexity-theoretic model of cryptographic protocols
27
Two worlds
Symbolic model [NS78, DY84, …] versus complexity-theoretic model [GM84, …]:
  – Attacker actions. Symbolic: − fixed set of actions, e.g., decryption with known key (ABSTRACTION). Complexity-theoretic: + any probabilistic poly-time computation.
  – Security properties. Symbolic: − idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION). Complexity-theoretic: + fine-grained, e.g., secret message = no partial information about bitstring representation.
  – Analysis methods. Symbolic: + successful array of tools and techniques; automation. Complexity-theoretic: − hand-proofs are difficult, error-prone; no automation.
Can we get the best of both worlds?
28
Our Approach (figure)
  – Talk so far: Protocol Composition Logic (PCL): Syntax, Proof System; Semantics in the symbolic "Dolev-Yao" model
  – Leverage PCL success: Computational PCL: Syntax ±, Proof System ±; Semantics in the complexity-theoretic model
29
Main Result
• Computational PCL
  – Symbolic logic for proving security properties of network protocols using public-key encryption
• Soundness Theorem:
  – If a property is provable in CPCL, then the property holds in the computational model with overwhelming asymptotic probability.
• Benefits
  – Symbolic proofs about computational model
  – Computational reasoning in soundness proof (only!)
  – Different axioms rely on different crypto assumptions
30
ISO-9798-3 Key Exchange
Shared secret to be used as key. Message flow:
  A → B: g^a, A
  B → A: g^b, sig B { g^a, g^b, A}
  A → B: sig A { g^a, g^b, B}
Roughly: A, B have g^ab and for everyone else it is indistinguishable from a random key g^r
31
Central axioms
• Cryptographic security property of signature scheme
  – Unforgeability (used for authentication)
• Cryptographic security property of Diffie-Hellman function
  – DDH (used to prove secrecy)
32
CMA-Secure Signatures (game between Challenger and Attacker)
  – Attacker sends chosen messages mi and receives Sig(Y, mi) from the Challenger
  – Attacker outputs Sig(Y, m)
  – Attacker wins if m is not one of the queried mi
Attacker: any probabilistic polynomial time program; wins if above probability is non-negligible
33
Decisional Diffie-Hellman Let a, b, c be chosen at random from a group G with generator g. Then the two distributions and are computationally indistinguishable (no polynomial time attacker can tell them apart)
34
Complete Proof
35
PCL → Computational PCL
• Syntax, proof rules mostly the same
  – But not sure about propositional connectives…
• Significant difference
  – Symbolic "knowledge"
    – Has(X,t): X can produce t from msgs that have been observed, by symbolic algorithm
  – Computational "knowledge"
    – Possess(X,t): can produce t by ppt algorithm
    – Indistinguishable(X,t): can distinguish from random in ppt
  – More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.
36
Complexity-theoretic semantics
• Q |= if, for every adversary A and distinguisher D, there is a negligible function f and an n0 such that for all n > n0: |[[ ]](T,D,f(n))| / |T| > 1 – f(n), with T = T(Q,A,n)
  – Fraction represents probability
• Fix protocol Q, PPT adversary A
• Choose value of security parameter n
• Vary random bits used by all programs
• Obtain set T = T(Q,A,n) of equi-probable traces
37
Inductive Semantics
  – [[ 1 2 ]](T,D, ) = [[ 1 ]](T,D, ) [[ 2 ]](T,D, )
  – [[ 1 2 ]](T,D, ) = [[ 1 ]](T,D, ) [[ 2 ]](T,D, )
  – [[ ]](T,D, ) = T − [[ ]](T,D, )
  – Implication uses conditional probability: [[ 1 2 ]](T,D, ) = [[ 1 ]](T,D, ) [[ 2 ]](T’,D, ), where T’ = [[ 1 ]](T,D, )
Formula defines transformation on probability distributions over traces
38
Soundness of proof system
• Example axiom: Source(Y,u,{m}X) Decrypts(X, {m}X) Honest(X,Y) (Z X,Y) Indistinguishable(Z, u)
• Proof idea: crypto-style reduction
  – Assume axiom not valid: A, D, negligible f, n0, n > n0 s.t. |[[ ]](T,D,f)| / |T| < 1 – f(n)
  – Construct attacker A’ that uses A, D to break IND-CCA2 secure encryption scheme
  – Conditional implication essential
39
Logic and Cryptography: Big Picture (figure labels)
  – Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
  – Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)
  – Axiom in proof system
  – Protocol security proofs using proof system
  – Semantics and soundness theorem
40
Summary: PCL
• Formalism
  – Protocol programming language
  – Protocol logic
    – Syntax: stating security properties
    – Semantics: meaning of security properties
  – Proof System: proving security properties
• Examples
  – Signature-based challenge-response, ISO, 802.11i
• Composition
  – Modular proofs
• Computational Soundness
  – Symbolic proofs about complexity-theoretic model
41
Thanks Questions?