Title: Security Analysis of Network Protocols: Logical and Computational Methods
1. Security Analysis of Network Protocols: Logical and Computational Methods
- John Mitchell
- Stanford University
ICALP and PPDP, 2005

2. Outline
- Protocols
  - Some examples, some intuition
- Symbolic analysis of protocol security
  - Models, results, tools
- Computational analysis
  - Communicating Turing machines, composability
- Combining symbolic, computational analysis
  - Some alternate approaches
  - Protocol Composition Logic (PCL)
  - Symbolic and computational semantics

3. Many Protocols
- Authentication
  - Kerberos
- Key Exchange
  - SSL/TLS handshake, IKE, JFK, IKEv2, …
- Wireless and mobile computing
  - Mobile IP, WEP, 802.11i
- Electronic commerce
  - Contract signing, SET, electronic cash, …

4. Mobile IPv6 Architecture
[Figure: Mobile Node (MN), Home Agent (HA) and Corresponding Node (CN); direct connection between MN and CN via binding update]
- Authentication is a requirement
- Early proposals weak

5. 802.11i Wireless Authentication
[Figure: state machine from "Supplicant UnAuth/UnAssoc, 802.1X Blocked, No Key" through 802.11 Association, MSK derivation, the 4-Way Handshake and the Group Key Handshake to "Supplicant Auth/Assoc, 802.1X UnBlocked, PTK/GTK"]

6. IKE subprotocol from IPSEC
- A → B: A, (g^a mod p)
- B → A: B, (g^b mod p), sign_B(m1, m2)
- A → B: sign_A(m1, m2)
Result: A and B share secret g^ab mod p
Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks

7. Needham-Schroeder Protocol
- A → B: { A, Nonce_A }_Kb
- B → A: { Nonce_A, Nonce_B }_Ka
- A → B: { Nonce_B }_Kb
Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1

8. Anomaly in Needham-Schroeder [Lowe]
- A → E: { A, Na }_Ke
- E → B: { A, Na }_Kb
- B → A: { Na, Nb }_Ka   (intercepted and forwarded unchanged by E)
- A → E: { Nb }_Ke
- E → B: { Nb }_Kb
Evil agent E tricks honest A into revealing the private nonce Nb from B.
Evil E can then fool B.

9. Run of a protocol
[Figure: one run of a protocol between A and B]
Correct if no security violation in any run

10. Protocol analysis methods
- Cryptographic reductions
  - Bellare-Rogaway, Shoup, many others
  - UC [Canetti et al.], Simulatability [BPW]
  - Prob poly-time process calculus [LMRST]
- Symbolic methods
  - Model checking
    - FDR [Lowe, Roscoe, …], Murphi [M, Shmatikov, …]
  - Symbolic search
    - NRL protocol analyzer [Meadows]
  - Theorem proving
    - Isabelle [Paulson], Specialized logics [BAN, …]
See papers in PPDP, ICALP proceedings for references

11. The Symbolic Model
- Messages are algebraic expressions
  - Nonce, Encrypt(K, M), Sign(K, M), …
- Adversary
  - Nondeterministic
  - Observe, store, direct all communication
  - Break messages into parts
  - Encrypt, decrypt, sign only if it has the key
    - Example: from { K1, Encrypt(K1, hi) } the adversary derives hi
  - Send messages derivable from stored parts

12. Many formulations
- Word problems [Dolev-Yao, Dolev-Even-Karp, …]
  - Each protocol step is a symbolic function from input message to output message
  - Cancellation law: d_k e_k x = x
- Rewrite systems [CDLMS]
  - Each protocol step is a symbolic function from state and input message to state and output message
- Logic programming [Meadows NRL Analyzer]
  - Each protocol step can be defined by logical clauses
  - Resolution used to perform reachability search
- Constraint solving [Amadio-Lugiez, …]
  - Write set constraints defining messages known at step i
- Strand space model [MITRE]
  - Partial order (Lamport causality), reasoning methods
- Process calculus [CSP, Spi-calculus, applied π, …]
  - Each protocol step is a process that reads, writes on channel
  - Spi-calculus: use ν for new values, private channels, simulate crypto

13. Complexity results (see Cortier et al.)
| Protocol class        | Bounded # of sessions | Unbounded number of sessions, without nonces | Unbounded number of sessions, with nonces |
| General               | Co-NP complete        | Undecidable                                  | Undecidable                               |
| Bounded msg length    | Co-NP complete        | DEXP-time complete                           | Undecidable                               |
| Tagged                | Co-NP complete        | Exptime                                      | Decidable                                 |
| One-copy              | Co-NP complete        | DEXP-time complete                           |                                           |
| Ping-pong protocols   | Co-NP complete        | Ptime                                        | Ptime                                     |
Additional results for variants of basic model (AC, xor, modular exp, …)

14. Many protocol case studies
- Murphi [Shmatikov, He, …]
  - SSL, Contract signing, 802.11i, …
- Meadows NRL tool
  - Participation in IETF, IEEE standards
  - Many important examples
- Paulson inductive method [Scedrov et al.]
  - Kerberos, SSL, SET, many more
- Protocol logic
  - BAN logic and successors (GNY, SvO, …)
  - DDMP

15. Computational model I
[Figure: Alice and Bob connected to the Adversary through oracle tapes; the Adversary has an input tape and a work tape]
Bellare-Rogaway, Shoup, …

16. Computational model II
[Figure: Alice, Bob and the Adversary each modelled as an interacting Turing machine]
Canetti, …

17. Computational security: encryption
- Passive adversary
  - Semantic security
- Chosen ciphertext attacks (CCA1)
  - Adversary can ask for decryption before receiving a challenge ciphertext
- Chosen ciphertext attacks (CCA2)
  - Adversary can ask for decryption before and after receiving a challenge ciphertext
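The three adversary models above as an added example that is not from the talk: a Challenger/Attacker game in Python in which the mode decides when the decryption oracle answers. The encryption scheme is a constructed toy (HMAC-SHA256 keystream XOR message) chosen because it is malleable; the attacker asks the oracle about a related ciphertext, which a CCA2 challenger must answer but a passive or CCA1 challenger refuses. The message values and the scheme are assumptions of the example; the later slides justify several CPCL axioms by exactly this CCA2 assumption, so which oracle a proof assumes is a security-relevant choice rather than a formality.

```python
"""Added example (not from the talk): the indistinguishability game for the
passive, CCA1 and CCA2 adversaries of slide 17, run against a constructed
toy cipher that is malleable (flipping a ciphertext bit flips a plaintext bit)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16

def toy_encrypt(key, msg, nonce=None):
    """Constructed toy scheme: fresh nonce, keystream = HMAC(key, nonce)."""
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    stream = hmac.new(key, nonce, hashlib.sha256).digest()[:len(msg)]
    return nonce + bytes(a ^ b for a, b in zip(msg, stream))

def toy_decrypt(key, ct):
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    stream = hmac.new(key, nonce, hashlib.sha256).digest()[:len(body)]
    return bytes(a ^ b for a, b in zip(body, stream))

class Challenger:
    """Game modes: 'passive' (no decryption oracle), 'cca1' (oracle only
    before the challenge), 'cca2' (oracle before and after, never on the
    challenge ciphertext itself)."""
    def __init__(self, mode):
        assert mode in ("passive", "cca1", "cca2")
        self.mode, self.key = mode, secrets.token_bytes(32)
        self.challenge, self.bit = None, None

    def decrypt_query(self, ct):
        if self.mode == "passive":
            raise PermissionError("no decryption oracle for a passive adversary")
        if self.mode == "cca1" and self.challenge is not None:
            raise PermissionError("CCA1: no decryption queries after the challenge")
        if ct == self.challenge:
            raise PermissionError("the challenge ciphertext may not be queried")
        return toy_decrypt(self.key, ct)

    def challenge_query(self, m0, m1):
        assert len(m0) == len(m1) and self.challenge is None
        self.bit = secrets.randbelow(2)
        self.challenge = toy_encrypt(self.key, (m0, m1)[self.bit])
        return self.challenge

    def won(self, guess):
        return guess == self.bit

def malleability_attacker(ch):
    """Flip the last ciphertext bit, ask the oracle about that related
    ciphertext, undo the flip.  Returns the guessed bit, or None when the
    oracle refuses (the attacker is then reduced to a coin flip)."""
    m0, m1 = b"attack at dawn", b"attack at dusk"     # constructed messages
    ct = ch.challenge_query(m0, m1)
    related = ct[:-1] + bytes([ct[-1] ^ 0x01])
    try:
        pt = ch.decrypt_query(related)
    except PermissionError:
        return None
    recovered = pt[:-1] + bytes([pt[-1] ^ 0x01])
    return 1 if recovered == m1 else 0

def play(mode):
    """True if the attacker wins the game in this mode, None if it could only guess."""
    ch = Challenger(mode)
    guess = malleability_attacker(ch)
    return None if guess is None else ch.won(guess)

def roundtrip(msg):
    key = secrets.token_bytes(32)
    return toy_decrypt(key, toy_encrypt(key, msg)) == msg

if __name__ == "__main__":
    for mode in ("passive", "cca1", "cca2"):
        print(mode, play(mode))   # passive None, cca1 None, cca2 True
```

The game code enforces the definitions, not the cipher: the same attacker succeeds only when the challenger is in `cca2` mode, which is the usual way to see that a scheme can be secure against a passive or CCA1 adversary while being useless in a protocol whose proof needs a CCA2 assumption.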

18. Passive Adversary
[Figure: game between Challenger and Attacker with no decryption queries]

19. Chosen ciphertext CCA1
[Figure: game between Challenger and Attacker with decryption queries before the challenge]

20. Chosen ciphertext CCA2
[Figure: game between Challenger and Attacker with decryption queries before and after the challenge]

21. Protocol execution
[Slide: R. Canetti]
[Figure: parties P1, P2, P3, P4 executing a protocol with the adversary in between]

22. Universal composability
[Slide: Y. Lindell]
also reactive simulatability [BPW], see [DKMRS]
[Figure: REAL execution compared with IDEAL execution]

23. Can we have best of both worlds?
|                     | Symbolic model [NS78, DY84, …]                                                                              | Complexity-theoretic model [GM84, …]                                                      |
| Attacker actions    | Fixed set of actions, nondeterminism (ABSTRACTION)                                                          | Any probabilistic poly-time computation                                                   |
| Security properties | Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)             | Fine-grained, e.g., secret message = no partial information about bitstring representation |
| Analysis methods    | Successful array of tools and techniques; automation                                                        | Hand-proofs are difficult, error-prone; no automation                                     |

24. Some relevant approaches
- Simulation framework
  - Backes, Pfitzmann, Waidner
- Correspondence theorems
  - Micciancio, Warinschi
- Kapron-Impagliazzo logics
- Abadi-Rogaway passive equivalence
  - ? (K2,01K3) , ? (101K2,K5 )K2, K6K4K5 ? ?
  - ? ? (K2, ? ) , ? (101K2,K5 )K2, ? K5 ? ?
  - ? ? (K1, ? ) , ? (101K1,K5 )K1, ? K5 ? ?
  - ? ? (K1,K1K7) , ? (101K1,K5 )K1, K6K7K5 ? ?
  - Proposed as start of larger plan for computational soundness
[Abadi-Rogaway00, …, Adao-Bana-Scedrov05]

25. Symbolic methods → complexity results
- Pereira and Quisquater, CSFW 2001, 2004
  - Studied authenticated group Diffie-Hellman protocols
  - Found symbolic attack in Cliques SA-GDH.2 protocol
  - Proved no protocol of certain type is secure, for > 3 participants
- Micciancio and Panjwani, EUROCRYPT 2004
  - Lower bound for class of group key establishment protocols using purely Dolev-Yao reasoning
  - Model pseudo-random generators, encryption symbolically
  - Lower bound is tight: matches a known protocol

26. Rest of talk: Protocol composition logic
[Figure: honest principals and an attacker; each principal runs a protocol over private data and exchanges sends and receives]
- Alice's information
  - Protocol
  - Private data
  - Sends and receives
Logic now has symbolic and computational semantics

27. Example
[Figure: Needham-Schroeder exchange between A (key Ka) and B (key Kb)]
- Alice assumes that only Bob has Kb^-1
- Alice generated Nonce_a and knows that some X decrypted first message
- Since only X knows Kb^-1, Alice knows X = Bob

28. More subtle example: Bob's view
- A → B: { A, Nonce_a }_Kb
- B → A: { Nonce_a, B, Nonce_b }_Ka
- A → B: { Nonce_b }_Kb
- Bob assumes that Alice follows protocol
- Since Alice responds to second message, Alice must have sent the first message

29. Execution model
- Protocol
  - Program for each protocol role
- Initial configuration
  - Set of principals and keys
  - Assignment of ≥1 role to each principal
- Run
[Figure: a run as the actions of A, B and C, e.g. A: new x, send {x}_B; B: receive {x}_B, decrypt, new z, send {z}_B; with a marked position in the run]

30. Formulas true at a position in run
- Action formulas
  - a ::= Send(P, m) | Receive(P, m) | New(P, t) | Decrypt(P, t) | Verify(P, t)
- Formulas
  - φ ::= a | Has(P, t) | Fresh(P, t) | Honest(N) | Contains(t1, t2) | ¬φ | φ1 ∧ φ2 | ∃x φ | temporal modalities
- Example
  - After(a, b) ≡ ◇(b ∧ ◇a), with ◇ the past-time modality
Notation in papers varies slightly

31. Modal Formulas
- After actions, condition
  - [actions]_P φ, where P = ⟨princ, role id⟩
- Before/after assertions
  - θ [actions]_P φ
- Composition rule
  - θ [S]_P φ   and   φ [T]_P ψ
  - ⊢ θ [S; T]_P ψ
Logic formulated in [DMP, DDMP]. Related to BAN, Floyd-Hoare, CSP/CCS, temporal logic, NPATRL

32. Example: Bob's view of NSL
- Bob knows he's talking to Alice
  - [ receive encrypt(Key(B), ⟨A, m⟩);
      new n;
      send encrypt(Key(A), ⟨m, B, n⟩);
      receive encrypt(Key(B), n) ]_B
    Honest(A) ⊃ Csent(A, msg1) ∧ Csent(A, msg3)
  - where Csent(A, …) ≡ Created(A, …) ∧ Sent(A, …)

33. Proof System
- Sample Axioms
  - Reasoning about possession
    - [receive m]_A Has(A, m)
    - Has(A, ⟨m, n⟩) ⊃ Has(A, m) ∧ Has(A, n)
  - Reasoning about crypto primitives
    - Honest(X) ∧ Decrypt(Y, enc(X, m)) ⊃ X = Y
    - Honest(X) ∧ Verify(Y, sig(X, m)) ⊃ ∃m (Send(X, m) ∧ Contains(m, sig(X, m)))
- Soundness Theorem
  - Every provable formula is valid in symbolic model

34. Modal Formulas
- After actions, condition
  - [actions]_P φ, where P = ⟨princ, role id⟩
- Before/after assertions
  - θ [actions]_P φ
- Composition rule
  - θ [S]_P φ   and   φ [T]_P ψ
  - ⊢ θ [S; T]_P ψ

35. Application: DH ∘ CR = ISO 9798-3
- Initiator role of DH
  - [new a]_I Fresh(I, g^a) ∧ HasAlone(I, a)
- Initiator role of CR
  - Fresh(I, m) [send …; receive …; send …]_I Honest(B) ⊃ ActionsInOrder(…)
- Combination
  - Substitute g^a for m in CR
  - Apply composition rule, persistence
  - Obtain assertion about ISO initiator

36. Additional issues
- Reasoning about honest principals
  - Invariance rule, called honesty rule
- Preserve invariants under composition
  - If we prove Honest(X) ⊃ φ for protocol 1 and compose with protocol 2, is formula still true?

37. Composing protocols
- DH ⊢ Honest(X) ⊃ φ, where φ expresses Secrecy
- CR ⊢ Honest(X) ⊃ ψ, where ψ expresses Authentication
- Secrecy ∧ Authentication: additive
- DH ∘ CR: nondestructive
- ISO ⊢ Secrecy ∧ Authentication

38. Main results in ICALP Proceedings
- Computational PCL
  - Symbolic logic for proving security properties of network protocols using public-key encryption
- Soundness Theorem
  - If a property is provable in CPCL, then property holds in computational model with overwhelming asymptotic probability.
- Benefits
  - Symbolic proofs about computational model
  - Computational reasoning in soundness proof (only!)
  - Different axioms rely on different crypto assumptions

39. PCL → Computational PCL
- Syntax, proof rules mostly the same
  - But not sure about propositional connectives
- Significant difference
  - Symbolic knowledge
    - Has(X, t): X can produce t from msgs that have been observed, by symbolic algorithm
  - Computational knowledge
    - Possess(X, t): can produce t by ppt algorithm
    - Indistinguishable(X, t): cannot distinguish t from random in ppt
  - More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.

40. Complexity-theoretic semantics
- Q ⊨ φ if ∀ adversary A ∀ distinguisher D ∃ negligible function f ∃ n0 ∀ n > n0 s.t.
  |φ(T, D, f(n))| / |T| > 1 − f(n)
  (the fraction represents probability)
- Fix protocol Q, PPT adversary A
- Choose value of security parameter n
- Vary random bits used by all programs
- Obtain set T = T(Q, A, n) of equi-probable traces
[Figure: the trace set T(Q, A, n) and its subset φ(T, D, f)]

41. Inductive Semantics
- φ1 ∧ φ2 (T, D, ε) = φ1(T, D, ε) ∩ φ2(T, D, ε)
- φ1 ∨ φ2 (T, D, ε) = φ1(T, D, ε) ∪ φ2(T, D, ε)
- ¬φ (T, D, ε) = T − φ(T, D, ε)
- Implication uses conditional probability
  - φ1 ⇒ φ2 (T, D, ε) = ¬φ1(T, D, ε) ∪ φ2(T', D, ε), where T' = φ1(T, D, ε)
Formula defines transformation on probability distributions over traces

42. Soundness of proof system
- Example axiom
  - Source(Y, u, {m}_X) ∧ ¬Decrypts(X, {m}_X) ∧ Honest(X, Y) ∧ (Z ≠ X, Y) ⇒ Indistinguishable(Z, u)
- Proof idea: crypto-style reduction
  - Assume axiom not valid
  - ∃ A ∃ D ∀ negligible f ∀ n0 ∃ n > n0 s.t. |φ(T, D, f)| / |T| < 1 − f(n)
  - Construct attacker A' that uses A, D to break IND-CCA2 secure encryption scheme
  - Conditional implication essential
Parts of proof are similar to Micciancio, Warinschi
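The trace-set semantics of slides 40 to 42 on a constructed set of traces, as an added example that is not from the talk or the ICALP paper: Python functions that map (T, ε) to the subset of T on which a formula holds, with Q ⊨ φ read off as the fraction of T. The all-or-nothing rendering of Indistinguishable (true on all of T when the distinguisher's advantage over T is at most ε, else on none of it) is an assumed simplification. It shows why slide 42 calls the conditional implication essential: the correct statement "no decryption ⇒ indistinguishable" is validated under the conditional implication of slide 41 but rejected under classical implication, while the false statement "decryption ⇒ indistinguishable" is rejected either way.

```python
"""Added example (not from the talk): trace-set semantics for CPCL formulas.
Traces, the distinguisher's guesses and the all-or-nothing treatment of
Indistinguishable are constructed for the example."""
from fractions import Fraction

def make_traces():
    """Constructed traces: 'events' = actions that occurred, 'u' = the secret
    bit, 'guess' = distinguisher D's output on the adversary's view."""
    traces = []
    for i in range(80):       # no leak: D's guess is independent of u (half correct)
        traces.append({"id": i, "events": set(), "u": i % 2, "guess": (i // 2) % 2})
    for i in range(80, 100):  # leak: X decrypted the secret, so D guesses u correctly
        traces.append({"id": i, "events": {"Decrypts"}, "u": i % 2, "guess": i % 2})
    return traces

# A formula is a function (T, eps) -> set of trace ids, where T is {id: trace}.
def action(name):
    return lambda T, eps: {i for i, t in T.items() if name in t["events"]}

def neg(phi):
    return lambda T, eps: set(T) - phi(T, eps)

def conj(phi1, phi2):
    return lambda T, eps: phi1(T, eps) & phi2(T, eps)

def indistinguishable(T, eps):
    """Holds on all of T if D's advantage at guessing u over the distribution
    T is at most eps, otherwise on none of it (assumed simplification)."""
    if not T:
        return set()
    correct = sum(1 for t in T.values() if t["guess"] == t["u"])
    advantage = abs(Fraction(correct, len(T)) - Fraction(1, 2))
    return set(T) if advantage <= eps else set()

def implies(phi1, phi2, conditional=True):
    """phi1 => phi2.  Conditional (slide 41): evaluate phi2 on T' = phi1(T);
    classical: evaluate phi2 on all of T."""
    def ev(T, eps):
        sat1 = phi1(T, eps)
        T2 = {i: T[i] for i in sat1} if conditional else T
        return (set(T) - sat1) | phi2(T2, eps)
    return ev

def holds(phi, traces, eps):
    """Returns (fraction of T on which phi holds, whether it exceeds 1 - eps)."""
    T = {t["id"]: t for t in traces}
    frac = Fraction(len(phi(T, eps)), len(T))
    return frac, frac > 1 - eps

EPS = Fraction(1, 20)
NO_LEAK_SECRET = implies(neg(action("Decrypts")), indistinguishable)
NO_LEAK_SECRET_CLASSICAL = implies(neg(action("Decrypts")), indistinguishable, conditional=False)
LEAK_SECRET = implies(action("Decrypts"), indistinguishable)

if __name__ == "__main__":
    tr = make_traces()
    print(holds(NO_LEAK_SECRET, tr, EPS))             # (1, True): true statement validated
    print(holds(NO_LEAK_SECRET_CLASSICAL, tr, EPS))   # (1/5, False): classical reading rejects it
    print(holds(LEAK_SECRET, tr, EPS))                # (4/5, False): false statement rejected
```

Under the classical reading, Indistinguishable is judged on the whole distribution, where the 20 leaking traces give D a 1/10 advantage, so the consequent fails everywhere and the implication holds only on the leaking traces themselves. Conditioning on the traces where no decryption happened removes exactly the runs the antecedent excludes, which is the step a reduction to IND-CCA2 needs.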

43. Applications of PCL
- IKE, JFK family key exchange
  - IKEv2 in progress
- 802.11i wireless networking
  - SSL/TLS, 4-way handshake, group handshake
- Kerberos v5 [Cervesato et al.]
- GDOI [Meadows, Pavlovic]
- Future work
  - Use CPCL to understand computational security of these protocols, reliance on specific crypto properties

44. Advantages of Computational PCL
- High-level reasoning
  - Prove properties of protocols without explicit reasoning about probability, asymptotic complexity
- Sound for real crypto
- Composability
  - PCL is designed for protocol composition
- Identify crypto assumptions needed

45. Future Work
- Investigate nature of propositional fragment
  - Non-classical ⇒: involves some conditional probability
  - Complexity-theoretic reductions
  - Connections with probabilistic logics (e.g. Nilsson86)
- Generalize reasoning about secrecy
- Extend logic
  - More primitives: signature, hash functions, …
  - Remove current syntactic restrictions on formulas
- Information-theoretic semantics (thanks to A. Scedrov)
  - Only probability, no complexity
- Other fundamental problems
  - See Kapron-Impagliazzo, etc.

46. Conclusion
- Symbolic model supports useful analysis
  - Tools, case studies, high-level proofs
- Computational model more correct
  - More accurately reflects realistic attack
- Two approaches can be combined
  - Several current projects and approaches
  - One example: computational semantics for symbolic protocol logic

47. Credits
- Collaborators
  - M. Backes, A. Datta, A. Derek, N. Durgin, C. He, R. Kuesters, D. Pavlovic, A. Ramanathan, A. Roy, A. Scedrov, V. Shmatikov, M. Sundararajan, V. Teague, M. Turuani, B. Warinschi, …
- More information
  - References in PPDP, ICALP proceedings
  - Web page on Protocol Composition Logic
    - http://www.stanford.edu/danupam/logic-derivation.html
  - My web site for related projects not discussed
- Science is a social process