Security Analysis of Network Protocols: Logical and Computational Methods - PowerPoint PPT Presentation

Slides: 49
Provided by: johncmi4
Transcript and Presenter's Notes

1
Security Analysis of Network Protocols: Logical and Computational Methods
  • John Mitchell
  • Stanford University

ICALP and PPDP, 2005
2
Outline
  • Protocols
  • Some examples, some intuition
  • Symbolic analysis of protocol security
  • Models, results, tools
  • Computational analysis
  • Communicating Turing machines, composability
  • Combining symbolic, computational analysis
  • Some alternate approaches
  • Protocol Composition Logic (PCL)
  • Symbolic and computational semantics

3
Many Protocols
  • Authentication
  • Kerberos
  • Key Exchange
  • SSL/TLS handshake, IKE, JFK, IKEv2,
  • Wireless and mobile computing
  • Mobile IP, WEP, 802.11i
  • Electronic commerce
  • Contract signing, SET, electronic cash,

4
Mobile IPv6 Architecture
Mobile Node (MN)
Direct connection via binding update
Corresponding Node (CN)
  • Authentication is a requirement
  • Early proposals weak

Home Agent (HA)
5
802.11i Wireless Authentication
Supplicant UnAuth/UnAssoc 802.1X Blocked No Key
Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK
802.11 Association
MSK
4-Way Handshake
Group Key Handshake
6
IKE subprotocol from IPSEC
  • A → B: A, (g^a mod p)
  • B → A: B, (g^b mod p), sign_B(m1, m2)
  • A → B: sign_A(m1, m2)

Result: A and B share secret g^ab mod p
Analysis involves probability, modular
exponentiation, complexity, digital signatures,
communication networks

7
Needham-Schroeder Protocol
  • A → B: { A, NonceA }Kb
  • B → A: { NonceA, NonceB }Ka
  • A → B: { NonceB }Kb

Result: A and B share two private numbers not
known to any observer without Ka^-1, Kb^-1
8
Anomaly in Needham-Schroeder
[Lowe]
  • A → E: { A, Na }Ke
  • E → B: { A, Na }Kb
  • B → E: { Na, Nb }Ka
  • E → A: { Na, Nb }Ka
  • A → E: { Nb }Ke
Evil agent E tricks honest A into
revealing private key Nb from B.
Evil E can then fool B.
9
Run of a protocol
B
A
Correct if no security violation in any run
10
Protocol analysis methods
  • Cryptographic reductions
    • Bellare-Rogaway, Shoup, many others
    • UC [Canetti et al], Simulatability [BPW]
    • Prob poly-time process calculus [LMRST]
  • Symbolic methods
    • Model checking
      • FDR [Lowe, Roscoe, …], Murphi [M, Shmatikov, …], …
    • Symbolic search
      • NRL protocol analyzer [Meadows]
    • Theorem proving
      • Isabelle [Paulson …], Specialized logics [BAN, …]

See papers in PPDP, ICALP proceedings for
references
11
The Symbolic Model
  • Messages are algebraic expressions
  • Nonce, Encrypt(K,M), Sign(K,M),
  • Adversary
  • Nondeterministic
  • Observe, store, direct all communication
  • Break messages into parts
  • Encrypt, decrypt, sign only if it has the key
  • Example: ⟨K1, Encrypt(K1, hi)⟩
    ⇒ K1, Encrypt(K1, hi)
    ⇒ hi
  • Send messages derivable from stored parts
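
The adversary rules on this slide, as a small added example in Python (not part of the original slides). It generalizes the slide's symmetric-key example to public keys so that E's knowledge in the Lowe run of slide 8 can be checked as well; the term encoding (`pair`, `enc`, `pk`, `sk`) and the trace are assumptions constructed for illustration.

```python
def inverse(key):
    # A public key ("pk", X) is undone by ("sk", X); any other key is symmetric.
    return ("sk", key[1]) if isinstance(key, tuple) and key[0] == "pk" else key

def analyze(knowledge):
    """Close stored terms under 'break into parts' and 'decrypt if key is held'."""
    known, changed = set(knowledge), True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue                      # atoms have no parts
            if t[0] == "pair":
                parts = t[1:]
            elif t[0] == "enc" and inverse(t[1]) in known:
                parts = (t[2],)
            else:
                parts = ()
            if not set(parts) <= known:
                known |= set(parts)
                changed = True
    return known

def derivable(term, knowledge):
    """True if the adversary can send `term`: stored, or built from derivable parts."""
    known = analyze(knowledge)
    def synth(t):
        if t in known:
            return True
        if isinstance(t, tuple) and t[0] in ("pair", "enc"):
            return all(synth(x) for x in t[1:])   # needs every component (and the key)
        return False
    return synth(term)

def pair(a, b): return ("pair", a, b)
def enc(key, body): return ("enc", key, body)
def pk(x): return ("pk", x)

def lowe_run():
    """E's view of the slide-8 run (constructed trace); returns three checks."""
    k = {"A", "B", "E", pk("A"), pk("B"), pk("E"), ("sk", "E")}
    k.add(enc(pk("E"), pair("A", "Na")))                       # A -> E
    can_forward = derivable(enc(pk("B"), pair("A", "Na")), k)  # E -> B
    k.add(enc(pk("A"), pair("Na", "Nb")))                      # B -> E, relayed to A
    nb_before = derivable("Nb", k)
    k.add(enc(pk("E"), "Nb"))                                  # A -> E
    return can_forward, nb_before, derivable("Nb", k)
```

`lowe_run()` shows that E can re-encrypt the first message for B, cannot read Nb from B's reply, and learns Nb only once A answers under Ke.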

12
Many formulations
  • Word problems [Dolev-Yao, Dolev-Even-Karp, …]
    • Each protocol step is symbolic function from
      input message to output message; cancellation law
      d_k e_k x = x
  • Rewrite systems [CDLMS]
    • Each protocol step is symbolic function from
      state and input message to state and output
      message
  • Logic programming [Meadows NRL Analyzer]
    • Each protocol step can be defined by logical
      clauses
    • Resolution used to perform reachability search
  • Constraint solving [Amadio-Lugiez, …]
    • Write set constraints defining messages known at
      step i
  • Strand space model [MITRE]
    • Partial order (Lamport causality), reasoning
      methods
  • Process calculus [CSP, Spi-calculus, applied π, …]
    • Each protocol step is process that reads, writes
      on channel
    • Spi-calculus: use ν for new values, private
      channels, simulate crypto

13
Complexity results (see Cortier et al)
Bounded # of sessions: Co-NP complete
Unbounded number of sessions:
Protocol class | Without nonces | With nonces
General | undecidable | undecidable
Bounded msg length | DEXP-time complete | undecidable
Tagged | exptime | decidable
One-copy | DEXP-time complete |
Ping-pong protocols | Ptime | Ptime
Additional results for variants of basic model
(AC, xor, modular exp, …)
14
Many protocol case studies
  • Murphi Shmatikov, He,
  • SSL, Contract signing, 802.11i,
  • Meadows NRL tool
  • Participation in IETF, IEEE standards
  • Many important examples
  • Paulson inductive method Scedrov et al
  • Kerberos, SSL, SET, many more
  • Protocol logic
  • BAN logic and successors (GNY, SvO, )
  • DDMP

15
Computational model I
Alice
Bob
oracle tape
oracle tape
Adversary
input tape
work tape
Bellare-Rogaway, Shoup,
16
Computational model II
Turing machine
Turing machine
Adversary
Turing machine
Turing machine
Canetti,
17
Computational security encryption
  • Passive adversary
  • Semantic security
  • Chosen ciphertext attacks (CCA1)
  • Adversary can ask for decryption before receiving
    a challenge ciphertext
  • Chosen ciphertext attacks (CCA2)
  • Adversary can ask for decryption before and after
    receiving a challenge ciphertext

18
Passive Adversary
Challenger
Attacker
19
Chosen ciphertext CCA1
Challenger
Attacker
20
Chosen ciphertext CCA2
Challenger
Attacker
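
The difference between the CCA1 and CCA2 games of slides 17-20, as an added Python example (not part of the original slides). It uses textbook ElGamal over toy parameters as the malleable scheme; that choice, the `Challenger` class and `run_game` are assumptions made for illustration and do not come from the talk.

```python
import secrets

P, G = 2**127 - 1, 3          # toy group parameters, constructed for this example

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return pow(G, x, P), x

def encrypt(h, m):
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(h, r, P)) % P

def decrypt(x, c):
    return (c[1] * pow(c[0], P - 1 - x, P)) % P   # c2 * c1^(-x) mod P

class Challenger:
    def __init__(self, cca2):
        self.h, self._x = keygen()
        self.cca2 = cca2          # False: oracle closes once the challenge is issued (CCA1)
        self.challenge = None

    def get_challenge(self, m0, m1):
        self._b = secrets.randbelow(2)
        self.challenge = encrypt(self.h, (m0, m1)[self._b])
        return self.challenge

    def decryption_oracle(self, c):
        if self.challenge is not None and (not self.cca2 or c == self.challenge):
            return None           # refused
        return decrypt(self._x, c)

    def correct(self, guess):
        return guess == self._b

def run_game(cca2):
    """Returns (oracle_answered, attacker_won) for one run of the game."""
    ch = Challenger(cca2)
    m0, m1 = 2, 3
    c1, c2 = ch.get_challenge(m0, m1)
    # Related ciphertext: differs from the challenge, decrypts to 2 * m_b.
    reply = ch.decryption_oracle((c1, (2 * c2) % P))
    if reply is None:
        return False, ch.correct(secrets.randbelow(2))   # blind guess
    return True, ch.correct(0 if reply == (2 * m0) % P else 1)
```

With the post-challenge oracle open (CCA2) the attacker always identifies the encrypted message, which is why a malleable scheme cannot meet the IND-CCA2 assumption used later in the talk; with the oracle closed (CCA1) the same query is refused.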
21
Slide R Canetti
  • Protocol security

[Figure: protocol execution among parties P1, P2, P3, P4]
22
Universal composability
Slide Y Lindell
also reactive simulatability BPW, see
DKMRS
[Figure: IDEAL and REAL executions]
23
Can we have best of both worlds?
Aspect | Symbolic model [NS78, DY84, …] | Complexity-theoretic model [GM84, …]
Attacker actions | Fixed set of actions, nondeterminism (ABSTRACTION) | Any probabilistic poly-time computation
Security properties | Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION) | Fine-grained, e.g., secret message = no partial information about bitstring representation
Analysis methods | Successful array of tools and techniques; automation | Hand-proofs are difficult, error-prone; no automation
24
Some relevant approaches
  • Simulation framework
  • Backes, Pfitzmann, Waidner
  • Correspondence theorems
  • Micciancio, Warinschi
  • Kapron-Impagliazzo logics
  • Abadi-Rogaway passive equivalence
  • ? (K2,01K3) , ? (101K2,K5 )K2,
    K6K4K5 ? ?
  • ? ? (K2, ? ) , ? (101K2,K5 )K2, ?
    K5 ? ?
  • ? ? (K1, ? ) , ? (101K1,K5 )K1, ?
    K5 ? ?
  • ? ? (K1,K1K7) , ? (101K1,K5 )K1,
    K6K7K5 ? ?
  • Proposed as start of larger plan for
    computational soundness


Abadi-Rogaway00, , Adao-Bana-Scedrov05
25
Symbolic methods ? compl results
  • Pereira and Quisquater, CSFW 2001, 2004
  • Studied authenticated group Diffie-Hellman
    protocols
  • Found symbolic attack in Cliques SA-GDH.2
    protocol
  • Proved no protocol of certain type is secure, for
    > 3 participants
  • Micciancio and Panjwani, EUROCRYPT 2004
  • Lower bound for class of group key establishment
    protocols using purely Dolev-Yao reasoning
  • Model pseudo-random generators, encryption
    symbolically
  • Lower bound is tight: matches a known protocol

26
Rest of talk Protocol composition logic
Honest Principals, Attacker
Protocol
Private Data
Send
Receive
  • Alice's information
  • Protocol
  • Private data
  • Sends and receives

Logic now has symbolic and computational semantics
27
Example
  • A → B: { A, Noncea }Kb
  • B → A: { Noncea, … }Ka

  • Alice assumes that only Bob has Kb^-1
  • Alice generated Noncea and knows that some X
    decrypted first message
  • Since only X knows Kb^-1, Alice knows X=Bob

28
More subtle example: Bob's view
  • A → B: { A, Noncea }Kb
  • B → A: { Noncea, B, Nonceb }Ka
  • A → B: { Nonceb }Kb

  • Bob assumes that Alice follows protocol
  • Since Alice responds to second message, Alice
    must have sent the first message

29
Execution model
  • Protocol
  • Program for each protocol role
  • Initial configuration
  • Set of principals and key
  • Assignment of ≥1 role to each principal
  • Run

[Figure: a run with principals A, B, C, marking a position in the run]
30
Formulas true at a position in run
  • Action formulas
  • a Send(P,m) Receive (P,m) New(P,t)
  • Decrypt (P,t) Verify (P,t)
  • Formulas
  • ? a Has(P,t) Fresh(P,t) Honest(N)
  • Contains(t1, t2) ?? ?1? ?2 ?x ?
  • ?? ??
  • Example
  • After(a,b) ?(b ? ??a)

Notation in papers varies slightly
31
Modal Formulas
  • After actions, condition
  • [ actions ]P φ   where P = ⟨princ, role id⟩
  • Before/after assertions
  • φ [ actions ]P ψ
  • Composition rule
  • φ [ S ]P ψ     ψ [ T ]P θ
  • φ [ ST ]P θ

Logic formulated in [DMP, DDMP]. Related to: BAN,
Floyd-Hoare, CSP/CCS, temporal logic, NPATRL
32
Example: Bob's view of NSL
  • Bob knows he's talking to Alice
  • [ receive encrypt( Key(B), ⟨A,m⟩ )
  •   new n
  •   send encrypt( Key(A), ⟨m, B, n⟩ )
  •   receive encrypt( Key(B), n )
  • ]B
  • Honest(A) ⊃ Csent(A, msg1) ∧ Csent(A, msg3)
  • where Csent(A, …) ≡ Created(A, …) ∧ Sent(A, …)

33
Proof System
  • Sample Axioms
  • Reasoning about possession
  • [ receive m ]A Has(A,m)
  • Has(A, m,n) ⊃ Has(A, m) ∧ Has(A, n)
  • Reasoning about crypto primitives
  • Honest(X) ∧ Decrypt(Y, enc(X, m)) ⊃ X=Y
  • Honest(X) ∧ Verify(Y, sig(X, m)) ⊃
  • ∃ m' (Send(X, m') ∧ Contains(m', sig(X,
    m)))
  • Soundness Theorem
  • Every provable formula is valid in symbolic model

34
Modal Formulas
  • After actions, condition
  • [ actions ]P φ   where P = ⟨princ, role id⟩
  • Before/after assertions
  • φ [ actions ]P ψ
  • Composition rule
  • φ [ S ]P ψ     ψ [ T ]P θ
  • φ [ ST ]P θ

35
Application DH CR ISO 9798-3
  • Initiator role of DH
  • [ new a ]I Fresh(I, g^a) ∧ HasAlone(I, a)
  • Initiator role of CR
  • Fresh(I, m) send receive B send
  • Honest(B) ? ActionsInOrder()
  • Combination
  • Substitute g^a for m in CR
  • Apply composition rule, persistence
  • Obtain assertion about ISO initiator

36
Additional issues
  • Reasoning about honest principals
  • Invariance rule, called honesty rule
  • Preserve invariants under composition
  • If we prove Honest(X) ? ? for protocol 1 and
    compose with protocol 2, is formula still true?

37
Composing protocols
?
?
DH ? Honest(X) ?
CR ? Honest(X) ?
? - Authentication
? - Secrecy
??? - Secrecy
??? - Authentication
??? - Secrecy ? Authentication additive
DH ? CR ? ??? nondestructive

ISO ? Secrecy ? Authentication
38
Main results in ICALP Proceedings
  • Computational PCL
  • Symbolic logic for proving security properties of
    network protocols using public-key encryption
  • Soundness Theorem
  • If a property is provable in CPCL, then property
    holds in computational model with overwhelming
    asymptotic probability.
  • Benefits
  • Symbolic proofs about computational model
  • Computational reasoning in soundness proof
    (only!)
  • Different axioms rely on different crypto
    assumptions

39
PCL ? Computational PCL
  • Syntax, proof rules mostly the same
  • But not sure about propositional connectives
  • Significant difference
  • Symbolic knowledge
  • Has(X,t) X can produce t from msgs that have
    been observed, by symbolic algorithm
  • Computational knowledge
  • Possess(X,t) can produce t by ppt algorithm
  • Indistinguishable(X,t) can distinguish from
    random in ppt
  • More subtle system some axioms rely on CCA2,
    some are info-theoretically true, etc.

40
Complexity-theoretic semantics
  • Q ? if ? adversary A ? distinguisher D ?
    negligible function f ? n0 ?n > n0 s.t.

Fraction represents probability
?(T,D,f(n))/T > 1 – f(n)
  • Fix protocol Q, PPT adversary A
  • Choose value of security parameter n
  • Vary random bits used by all programs
  • Obtain set T=T(Q,A,n) of equi-probable traces

T(Q,A,n)
?(T,D,f)
41
Inductive Semantics
  • ?1 ? ?2 (T,D,?) ?1 (T,D,?) ? ?2
    (T,D,?)
  • ?1 ? ?2 (T,D,?) ?1 (T,D,?) ? ?2
    (T,D,?)
  • ? ? (T,D,?) T - ? (T,D,?)
  • Implication uses conditional probability
  • ?1 ? ?2 (T,D,?) ??1 (T,D,?)
  • ? ?2
    (T,D,?)
  • where T
    ?1 (T,D,?)

Formula defines transformation on probability
distributions over traces
42
Soundness of proof system
  • Example axiom
  • Source(Y,u,mX) ? ?Decrypts(X, mX) ?
    Honest(X,Y) ? (Z ? X,Y) ? Indistinguishable(Z, u)
  • Proof idea crypto-style reduction
  • Assume axiom not valid
  • ? A ? D ? negligible f ? n0 ? n > n0 s.t.
  • ?(T,D,f)/T < 1 – f(n)
  • Construct attacker A' that uses A, D to break
    IND-CCA2 secure encryption scheme
  • Conditional implication essential

Parts of proof are similar to Micciancio,
Warinschi
43
Applications of PCL
  • IKE, JFK family key exchange
  • IKEv2 in progress
  • 802.11i wireless networking
  • SSL/TLS, 4way handshake, group handshake
  • Kerberos v5 Cervesato et al
  • GDOI [Meadows, Pavlovic]
  • Future work
  • Use CPCL to understand computational security of
    these protocols, reliance on specific crypto
    properties

44
Advantages of Computational PCL
  • High-level reasoning
  • Prove properties of protocols without explicit
    reasoning about probability, asymptotic
    complexity
  • Sound for real crypto
  • Composability
  • PCL is designed for protocol composition
  • Identify crypto assumptions needed

45
Future Work
  • Investigate nature of propositional fragment
  • Non-classical ? involves some conditional
    probability
  • complexity-theoretic reductions
  • connections with probabilistic logics (e.g.
    Nilsson86)
  • Generalize reasoning about secrecy
  • Extend logic
  • More primitives signature, hash functions,
  • Remove current syntactic restrictions on formulas
  • Information-theoretic semantics (thanks to A
    Scedrov)
  • Only probability no complexity
  • Other fundamental problems
  • See Kapron-Impagliazzo, etc.

46
Conclusion
  • Symbolic model supports useful analysis
  • Tools, case studies, high-level proofs
  • Computational model more correct
  • More accurately reflects realistic attack
  • Two approaches can be combined
  • Several current projects and approaches
  • One example computational semantics for symbolic
    protocol logic

47
Credits
  • Collaborators
  • M. Backes, A. Datta, A. Derek, N. Durgin, C. He,
  • R. Kuesters, D. Pavlovic, A. Ramanathan, A.
    Roy,
  • A. Scedrov, V. Shmatikov, M. Sundararajan, V.
    Teague,
  • M. Turuani, B. Warinschi,
  • More information
  • References in PPDP, ICALP proceedings
  • Web page on Protocol Composition Logic
  • http://www.stanford.edu/danupam/logic-derivation.html
  • My web site for related projects not discussed
  • Science is a social process
