Slide 1: PCL: A Logic for Proving Security of Industrial Network Protocols
Anupam Datta, CMU, May 2007
Slide 2: Perspective
- Theoretical basis for security practice
  - Security models
  - Analysis and design methods
  - Application to real systems
- Concepts and methods from logic and programming languages, specification and verification, cryptography, philosophy, economics
Slide 3: Projects
- Security of network protocols [2001-07] (today's talk)
  - Protocol Composition Logic
    - Perfect cryptography model
    - Proof techniques: composition theorems, templates
    - Complexity-theoretic model
- Privacy
  - Logic of Privacy and Utility [Oakland06, CSF07]
Slide 4: Projects (2)
- Theory of cryptography
  - Concurrent composition, security specification methods (games, simulation)
  - Using probabilistic polynomial-time process calculus [WITS04, TCC05, TCC06]
- Software system security
  - Trusted computing, software diversity
Slide 5: Security Protocol Analysis
- Network security protocols: industry standards (IETF, IEEE)
  - SSL/TLS: web authentication
  - IPSec: corporate VPNs
  - Mobile IPv6: routing security
  - Kerberos: network authentication
  - GDOI: secure group communication
  - 802.11i: wireless LAN security
- Method for their security analysis
  - Goal: security proof in some model
Slide 6: Protocol Composition Logic
- Intuition
- Formalism
  - Protocol programming language
  - Protocol logic
  - Proof system
- Example: signature-based challenge-response
- Proof techniques
- Cryptographic soundness
Formulated by Datta, Derek, Durgin, Mitchell, Pavlovic
Slide 7: Example: Challenge-Response
Message exchange between A and B:
  msg1: A -> B: m, A
  msg2: B -> A: n, sig B {m, n, A}
  msg3: A -> B: sig A {m, n, B}
- Alice reasons: if Bob is honest, then:
  - only Bob can generate his signature
  - if Bob generates a signature of the form sig B {m, n, A},
    - he sends it as part of msg2 of the protocol, and
    - he must have received msg1 from Alice
- Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)
Slide 8: Formalizing the Approach
- Language for protocol description: arrows-and-messages are informal.
- Protocol operational semantics: how does the protocol execute?
- Protocol logic: stating security properties.
- Proof system: formally proving security properties.
Slide 9: Protocol Programming Language
- A protocol is described by specifying a "program" for each role
  - Server = [receive x; new n; send {x, n}]
- Building blocks
  - Terms (think "messages"): names, nonces, keys, encryption, ...
  - Actions (operations on terms): send, receive, pattern match, ...
Slide 10: Terms
  t ::= c            constant term
      | x            variable
      | N            name
      | K            key
      | t, t         tupling
      | sig K {t}    signature
      | enc K {t}    encryption
Example: x, sig B {m, x, A} is a term
Slide 11: Actions
  send t;          send a term t
  receive x;       receive a term into variable x
  match t/p(x);    match term t against p(x)
- A program is a sequence of actions
- Notation: we often omit match actions
  receive sig B {A, n}  =  receive x; match x/sig B {A, n}
Slide 12: Challenge-Response Programs
Message exchange between A and B:
  msg1: A -> B: m, A
  msg2: B -> A: n, sig B {m, n, A}
  msg3: A -> B: sig A {m, n, B}

  InitCR(A, X) = [
    new m;
    send A, X, {m, A};
    receive X, A, {x, sig X {m, x, A}};
    send A, X, sig A {m, x, X};
  ]

  RespCR(B) = [
    receive Y, B, {y, Y};
    new n;
    send B, Y, {n, sig B {y, n, Y}};
    receive Y, B, sig Y {y, n, B};
  ]
Slide 13: Protocol Execution
- Initial configuration
  - Protocol is a finite set of roles
  - Set of principals and keys
  - Assignment of 1 role to each principal
- Run (figure: a run in which principals A, B and C execute actions such as new x; send {x}B; receive {x}B; new z; send {z}B; receive {z}B)
- Process calculus operational semantics
Slide 14: Attacker capabilities
- Controls complete network: can read, remove, inject messages
- Fixed set of operations on terms
  - Pairing
  - Projection
  - Encryption with known key
  - Decryption with known key
  - ...
- Commonly referred to as "Dolev-Yao" attacker
Slide 15: PCL: Syntax
- Action formulas
  a ::= Send(P,t) | Receive(P,t) | Verify(P,t) | ...
- Formulas
  ::= a | Has(P,t) | Honest(N) | | 1 2 | x | a < a | ...
- Modal formula
  [ actions ] P
- Example (specifying secrecy)
  Has(X, secret) ( X = A X = B)
Slide 16: Challenge-Response Property
- Specifying authentication for Initiator
  true [ InitCR(A, B) ] A Honest(B)
    ( Send(A, {A,B,m})
      Receive(B, {A,B,m})
      Send(B, {B,A,{n, sig B {m, n, A}}})
      Receive(A, {B,A,{n, sig B {m, n, A}}}) )
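As an added example (not code from the slides or from the PCL project), a small Python model of the InitCR/RespCR programs of slide 12 and of the initiator property above: run() executes the two roles honestly over one shared network, as in the run of slide 13, and initiator_auth() checks that the four Send/Receive events occur in order with consistent m and n. The encoding is my own convention: terms are strings or tuples, ('sig', K, t) stands for sig K {t}, and pattern variables are strings beginning with '?'.

```python
def match(pat, term, env):  # bind the ?-variables of pat so that pat == term
    if isinstance(pat, str) and pat.startswith('?'):
        return env.setdefault(pat, term) == term
    if isinstance(pat, tuple):
        return (isinstance(term, tuple) and len(pat) == len(term)
                and all(match(p, t, env) for p, t in zip(pat, term)))
    return pat == term
def subst(t, env):  # replace bound ?-variables in a term by their values
    return tuple(subst(x, env) for x in t) if isinstance(t, tuple) else env.get(t, t)
def init_cr(A, X):  # InitCR(A, X) from slide 12; ('sig', K, t) stands for sig K {t}
    return [('new', '?m'), ('send', (A, X, ('?m', A))),
            ('receive', (X, A, ('?x', ('sig', X, ('?m', '?x', A))))),
            ('send', (A, X, ('sig', A, ('?m', '?x', X))))]
def resp_cr(B):  # RespCR(B) from slide 12
    return [('receive', ('?Y', B, ('?y', '?Y'))), ('new', '?n'),
            ('send', (B, '?Y', ('?n', ('sig', B, ('?y', '?n', '?Y'))))),
            ('receive', ('?Y', B, ('sig', '?Y', ('?y', '?n', B))))]
def run(roles):  # honest execution over one shared network -> ordered event trace
    net, trace, moved = [], [], True
    env, pc = {p: {} for p in roles}, {p: 0 for p in roles}
    while moved:  # round-robin until no role can take a step
        moved = False
        for p, prog in roles.items():
            if pc[p] == len(prog):
                continue
            kind, arg = prog[pc[p]]
            if kind == 'new':  # sum(pc) is a step counter, so the value is fresh
                env[p][arg] = 'nonce%d' % sum(pc.values())
            elif kind == 'send':
                msg = subst(arg, env[p]); net.append(msg); trace.append(('Send', p, msg))
            else:  # receive x; match x/pattern, tried on a copy of the role's bindings
                hits = [(m, e) for m in net if match(arg, m, e := dict(env[p]))]
                if not hits:
                    continue  # blocked: nothing on the network fits yet
                hit, env[p] = hits[0]; trace.append(('Receive', p, hit))
            pc[p] += 1; moved = True
    return trace

def initiator_auth(trace, A, B):  # slide-16 initiator property, checked on a trace
    msg1, msg2 = (A, B, ('?m', A)), (B, A, ('?n', ('sig', B, ('?m', '?n', A))))
    env = {}  # shared bindings keep m and n consistent across the four events
    for kind, p, pat in zip(['Send', 'Receive', 'Send', 'Receive'],
                            [A, B, B, A], [msg1, msg1, msg2, msg2]):
        while trace and not (trace[0][:2] == (kind, p)
                             and match(pat, trace[0][2], e := dict(env))):
            trace = trace[1:]  # skip events until the next required one, in order
        if not trace:
            return False
        env, trace = e, trace[1:]
    return True
```

Passing an attacker-modified trace (or a truncated one) to initiator_auth() shows the property failing, which is what the logic's proof rules out for honest B.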
Slide 17: PCL: Semantics
- Protocol Q
  - Defines set of roles (e.g., initiator, responder)
  - Run R of Q is a sequence of actions by principals following roles, plus attacker
- Satisfaction
  - Q, R |= [ actions ] P : if some role of P in R does exactly actions starting from a state where the precondition is true, then the postcondition is true in the state after the actions are completed, irrespective of actions executed by other agents concurrently
  - Q |= [ actions ] P : Q, R |= [ actions ] P for all runs R of Q
Slide 18: Proof System
- Goal: formally prove security properties
- Axioms: simple formulas provable by hand
- Inference rules: proof steps
- Theorem: formula obtained from axioms by application of inference rules
Slide 19: Sample axioms about actions
- New data
  true [ new x ] P Has(P,x)
  true [ new x ] P Has(Y,x) Y=P
- Actions
  true [ send m ] P Send(P,m)
- Verify
  true [ match x/sig X {m} ] P Verify(P,m)
Slide 20: Reasoning about knowledge
- Pairing
  Has(X, {m,n}) Has(X, m) Has(X, n)
- Encryption
  Has(X, enc K (m)) Has(X, K^-1) Has(X, m)
Slide 21: Encryption and signature
- Public key encryption
  Honest(X) Decrypt(Y, enc X {m}) X=Y
- Signature
  Honest(X) Verify(Y, sig X {m}) m' (Send(X, m') Contains(m', sig X {m}))
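The Dolev-Yao attacker of slide 14 and the knowledge and signature axioms of slides 20 and 21, as an added Python example (not the slides' or the PCL project's code): analyze() closes what the attacker has under projection, decryption with a known inverse key and reading a signed message, and derivable() decides whether a target term can be built by pairing, encryption or signing, where signing requires the signer's private key. The term encoding is my own: ('enc', K, t) for enc K {t}, ('sig', X, t) for sig X {t}, ('pk', X)/('sk', X) for X's key pair, plain strings for names, nonces and symmetric keys; cr_messages() constructs the three messages of one honest challenge-response run as sample input.

```python
def inv(k):  # key that undoes encryption under k: sk for a pk, k itself if symmetric
    return ('sk', k[1]) if isinstance(k, tuple) and k[0] == 'pk' else k

def parts_of(t, known):  # one decomposition step of t, given what is already known
    if not isinstance(t, tuple) or t[0] in ('pk', 'sk'):
        return []                 # names, nonces and keys do not split further
    if t[0] == 'enc':             # decryption only with the known inverse key
        return [t[2]] if inv(t[1]) in known else []
    if t[0] == 'sig':             # a signature does not hide what was signed
        return [t[2]]
    return list(t)                # projection on a tuple

def analyze(known):
    """Attacker knowledge closed under decomposition. Iterated to a fixpoint so a
    key learnt late still unlocks ciphertexts that were seen earlier."""
    known, new = set(known), True
    while new:
        new = {p for t in known for p in parts_of(t, known)} - known
        known |= new
    return known

def derivable(t, known):
    """Can the attacker build t from `known` by pairing, encrypting and signing?
    Signing needs the signer's private key, so honest signatures cannot be forged."""
    if t in known:
        return True
    if not isinstance(t, tuple) or t[0] in ('pk', 'sk'):
        return False              # atoms are never invented, keys never guessed
    if t[0] == 'sig':
        return derivable(('sk', t[1]), known) and derivable(t[2], known)
    if t[0] == 'enc':
        return derivable(t[1], known) and derivable(t[2], known)
    return all(derivable(x, known) for x in t)

def cr_messages(A, B, m, n):  # constructed: the three messages of one honest CR run
    return [(A, B, (m, A)), (B, A, (n, ('sig', B, (m, n, A)))),
            (A, B, ('sig', A, (m, n, B)))]

def attacker_has(observed, attacker_secrets, target):
    """Has(attacker, target) after seeing `observed` on the network: the Dolev-Yao
    question that the knowledge and signature axioms answer symbolically."""
    return derivable(target, analyze(set(observed) | set(attacker_secrets)))
```

The checks show that the attacker learns m and n and can replay Bob's signature, but cannot produce sig B over a nonce of its own choosing, which is the unforgeability fact the signature axiom encodes.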
Slide 22: Sample inference rules
- First-order logic rules
- Generic rules
    [ actions ] P      [ actions ] P
  ------------------------------------
            [ actions ] P
Slide 23: Honesty rule (example use)
  roles R of Q.  protocol steps A of R.
  Start(X) [ ] X      [ A ] X
  ------------------------------
  Q |- Honest(X)
- Example use:
  - If Y receives a message m from X, and
  - Honest(X) (Sent(X,m) Received(X,m'))
  - then Y can conclude Honest(X) Received(X,m')
  (proved using the honesty rule)
Slide 24: Correctness of CR
  CR |- true [ InitCR(A, B) ] A Honest(B)
    Send(A, {A,B,m})
    Receive(B, {A,B,m})
    Send(B, {B,A,{n, sig B {m, n, A}}})
    Receive(A, {B,A,{n, sig B {m, n, A}}})
  (the property on the right-hand side is labelled Auth)
(InitCR and RespCR programs as on slide 12)
Slide 25: Correctness of CR – step 1
1. A reasons about her own actions
  CR |- true [ InitCR(A, B) ] A Verify(A, sig B {m, n, A})
(InitCR and RespCR programs as on slide 12)
Slide 26: Correctness of CR – step 2
2. Properties of signatures
  CR |- true [ InitCR(A, B) ] A Honest(B) m' (Send(B, m') Contains(m', sig B {m, n, A}))
  (recall the signature axiom)
(InitCR and RespCR programs as on slide 12)
Slide 27: Correctness of CR – Honesty Invariant
Invariant proved with the Honesty rule (induction over protocol steps):
  CR |- Honest(X) Send(X, m') Contains(m', sig X {y, x, Y})
          New(X, y)
          m = X, Y, {x, sig B {y, x, Y}}
          Receive(X, {Y, X, {y, Y}})
(InitCR and RespCR programs as on slide 12)
Slide 28: Correctness of CR – step 3
3. Use Honesty invariant
  CR |- true [ InitCR(A, B) ] A Honest(B) Receive(B, {A,B,m}), ...
(InitCR and RespCR programs as on slide 12)
Slide 29: Correctness of CR – step 4
4. Use properties of nonces for temporal ordering
  CR |- true [ InitCR(A, B) ] A Honest(B) Auth
  (nonces are "fresh" random numbers)
(InitCR and RespCR programs as on slide 12)
Slide 30: We have a proof. So what?
- Soundness Theorem: if Q |- φ then Q |= φ
  - If φ is a theorem then φ is a valid formula
- φ holds in any step in any run of protocol Q
  - Unbounded number of participants
  - Dolev-Yao intruder
Slide 31: PCL Proof Techniques
- Modular proofs
- Generic template-style proofs
Slide 32: Modular Analysis / Composition
802.11i key management between Laptop, Access Point and Auth Server: 20 msgs in 4 components
- EAP-TLS: certificates to authorization (PMK, the shared secret)
- 4WAY Handshake: PMK to keys for data communication
- Group key: keys for broadcast communication
- Data protection: AES based using above keys
[HSDDM CCS'05 -> TISSEC Special Issue]
Slide 33: Compositional Proofs: Intuition
- Protocol-specific reasoning
  - "if honest Bob generates a signature of the form sig B {m, n, A}, he sends it as part of msg2 ..."
  - Could break: Bob's signature from one protocol could be used to attack another
  - PCL proof system: Invariant rule
- Protocol-independent reasoning
  - Axiom stating unforgeability of signatures
  - Still good: unaffected by composition
  - All other axioms and proof rules for PCL
Slide 34: Proof Tree
(figure: a proof tree from axioms through the INV rule and other rules to the security property)
  Inv |- Auth                                   (bulk of proof reused)
  TLS |- Inv,  4WAY |- Inv,  TLS | 4WAY |- Inv    (additional work to prove)
Theorem: If Q |- Inv and Q' |- Inv, then Q | Q' |- Inv
[DDMP CSF'03 -> JCS Special Issue, MFPS'03]
Slide 35: Generic Template-style Proofs
- Protocols with function variables instead of specific cryptographic operations
  - One template can be instantiated to many protocols
  - Proof of template yields proofs for instances
- Motivating example: IKEv2: two instances based on symmetric and public-key cryptography
Slide 36: Protocol Template
Challenge-Response Template:
  A -> B: m
  B -> A: n, F(B,A,n,m)
  A -> B: G(A,B,n,m)
Instantiations:
  ISO-9798-2:  A -> B: m;  B -> A: n, E_KAB(n,m,B);  A -> B: E_KAB(n,m)
  SKID3:       A -> B: m;  B -> A: n, H_KAB(n,m,B);  A -> B: H_KAB(n,m,A)
  ISO-9798-3:  A -> B: m;  B -> A: n, sig B (n,m,A);  A -> B: sig A (n,m,B)
Slide 37: Template Proof Method
- Characterizing protocol concepts
  - Step 1: Under hypotheses about function variables and invariants, prove security property of template
  - Step 2: Instantiate function variables to cryptographic operations and prove hypotheses.
- Benefit: proof reuse
- Single protocol can be an instance of multiple templates, allowing modular proofs
Slide 38: Proof Structure
(figure: the template proof is built from axioms and hypotheses; an instance proof reuses the bulk of the template proof, with additional work to discharge the hypotheses)
Slide 39: Extending Formalism
- Language extensions: add function variables to the term language for cords and logic (HOL)
- Semantics: Q |= φ   σQ |= σφ, for all substitutions σ eliminating all function variables
- Soundness theorem: every provable formula is valid
Slide 40: PCL: Big Picture
Symbolic model:
- PCL semantics (meaning of formulas): unbounded # concurrent sessions
- PCL syntax (properties), proof system (proofs)
- Soundness theorem (induction); high-level proof principles
Cryptographic model:
- PCL semantics (meaning of formulas): polynomial # concurrent sessions
- Computational PCL syntax ±, proof system ±
- Soundness theorem (reduction) [BPW, MW, ...]
Slide 41: Complexity-theoretic semantics
- Q |= φ if: adversary A, distinguisher D, negligible function f, n0, n > n0 s.t.
    |[[φ]](T,D,f(n))| / |T| > 1 - f(n),  where T = T(Q,A,n)
  - The fraction represents a probability
  - Fix protocol Q, PPT adversary A
  - Choose value of security parameter n
  - Vary random bits used by all programs
  - Obtain set T = T(Q,A,n) of equi-probable traces
[DDMST05]
Slide 42: PCL: Proof System
- Property of signature: Honest(X) Verifies(Y, m, X) Signed(X, m)
- Soundness proof:
  - Assume axiom not valid: A, D, negligible f, n0, n > n0 s.t. |[[φ]](T, D, f(n))| / |T| < 1 - f(n)
  - Construct attacker A' that uses A, D to break a CMA-secure signature scheme
  - Standard cryptographic reduction
[DDMST05, DDMW06]
Slide 43: Logic and Cryptography: Big Picture
- Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
- Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)
- Axiom in proof system
- Protocol security proofs using proof system
- Semantics and soundness theorem
Slide 44: Summary
- PCL: logic for security protocols
  - Sound wrt symbolic and cryptographic models
  - High-level short proofs: 2-3 pages
- Proof techniques
  - Modular/compositional proofs
  - Generic template-style proofs
- Proofs of industrial protocols
  - IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2 (unpublished), Mobile IPv6 (in progress)
- Implementation not done
Slide 45: Thanks! Questions?