PCL: A Logic for Proving Security of Industrial Network Protocols

1
PCL: A Logic for Proving Security of Industrial Network Protocols
  • Anupam Datta
  • CMU
  • May 2007

2
Perspective
  • Theoretical basis for security practice
  • Security models
  • Analysis and design methods
  • Application to real systems
  • Concepts and methods from
  • Logic and programming languages, specification
    and verification, cryptography, philosophy,
    economics

3
Projects
  • Security of network protocols 2001-07
  • Protocol Composition Logic
  • Perfect cryptography model
  • Proof techniques
  • Composition theorems, Templates
  • Complexity-theoretic model
  • Privacy
  • Logic of Privacy and Utility [Oakland06, CSF07]

Today
4
Projects (2)
  • Theory of Cryptography
  • Concurrent composition, security specification
    methods (games, simulation)
  • Using probabilistic polynomial time process
    calculus [WITS04, TCC05, TCC06]
  • Software System Security
  • Trusted computing, software diversity

5
Security Protocol Analysis
  • Network security protocols
  • Industry Standards (IETF, IEEE)
  • SSL/TLS - web authentication
  • IPSec - corporate VPNs
  • Mobile IPv6 routing security
  • Kerberos - network authentication
  • GDOI secure group communication
  • 802.11i - wireless LAN security
  • Method for their security analysis
  • Goal: Security proof in some model

6
Protocol Composition Logic
  • Intuition
  • Formalism
  • Protocol programming language
  • Protocol logic
  • Proof System
  • Example
  • Signature-based challenge-response
  • Proof techniques
  • Cryptographic soundness

Formulated by Datta, Derek, Durgin, Mitchell,
Pavlovic
7
Example: Challenge-Response
A → B: m, A
B → A: n, sigB{m, n, A}
A → B: sigA{m, n, B}
  • Alice reasons: if Bob is honest, then
  • only Bob can generate his signature
  • if Bob generates a signature of the form sigB{m, n, A},
  • he sends it as part of msg2 of the protocol, and
  • he must have received msg1 from Alice
  • Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)

8
Formalizing the Approach
  • Language for protocol description
  • Arrows-and-messages are informal.
  • Protocol Operational Semantics
  • How does the protocol execute?
  • Protocol logic
  • Stating security properties.
  • Proof system
  • Formally proving security properties.

9
Protocol Programming Language
  • A protocol is described by specifying a program
    for each role
  • Server = [receive x; new n; send {x, n}]
  • Building blocks
  • Terms (think messages)
  • names, nonces, keys, encryption,
  • Actions (operations on terms)
  • send, receive, pattern match,

10
Terms
  • t ::= c         constant term
  •     | x         variable
  •     | N         name
  •     | K         key
  •     | t, t      tupling
  •     | sigK{t}   signature
  •     | encK{t}   encryption
  • Example: x, sigB{m, x, A} is a term

11
Actions
  • send t;          send a term t
  • receive x;       receive a term into variable x
  • match t/p(x);    match term t against p(x)
  • A program is a sequence of actions
  • Notation
  • we often omit match actions
  • receive sigB{A, n};  =  receive x; match x/sigB{A, n};

12
Challenge-Response Programs
A → B: m, A
B → A: n, sigB{m, n, A}
A → B: sigA{m, n, B}
InitCR(A, X) = [
  new m;
  send A, X, {m, A};
  receive X, A, {x, sigX{m, x, A}};
  send A, X, sigA{m, x, X};
]
RespCR(B) = [
  receive Y, B, {y, Y};
  new n;
  send B, Y, {n, sigB{y, n, Y}};
  receive Y, B, sigY{y, n, B};
]
13
Protocol Execution
  • Initial configuration
  • Protocol is a finite set of roles
  • Set of principals and keys
  • Assignment of ≥1 role to each principal
  • Run

Process calculus operational semantics
[Figure: example run. A: new x, send xB. B: receive xB, receive zB. C: new z, send zB.]
14
Attacker capabilities
  • Controls complete network
  • Can read, remove, inject messages
  • Fixed set of operations on terms
  • Pairing
  • Projection
  • Encryption with known key
  • Decryption with known key

Commonly referred to as Dolev-Yao attacker
15
PCL Syntax
  • Action formulas
  • a ::= Send(P, t) | Receive(P, t) | Verify(P, t)
  • Formulas
  • φ ::= a | Has(P, t) | Honest(N) | ¬φ | φ1 ∧ φ2 | ∃x φ | a < a
  • Modal formula
  • φ [actions]_P ψ
  • Example
  • Has(X, secret) ⊃ (X = A ∨ X = B)

Specifying secrecy
16
Challenge-Response Property
  • Specifying authentication for Initiator
  • true [InitCR(A, B)]_A Honest(B) ⊃
  • (
  • Send(A, {A, B, m}) ∧
  • Receive(B, {A, B, m}) ∧
  • Send(B, {B, A, n, sigB{m, n, A}}) ∧
  • Receive(A, {B, A, n, sigB{m, n, A}})
  • )

17
PCL Semantics
  • Protocol Q
  • Defines set of roles (e.g, initiator,
    responder)
  • Run R of Q is sequence of actions by principals
    following roles, plus attacker
  • Satisfaction
  • Q, R ⊨ φ [actions]_P ψ
  • If some role of P in R does exactly actions
    starting from state where φ is true, then ψ is
    true in state after actions completed,
    irrespective of actions executed by other agents
    concurrently
  • Q ⊨ φ [actions]_P ψ
  • if Q, R ⊨ φ [actions]_P ψ for all runs R of Q
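
An added example (not from the original slides): Python code that evaluates the initiator's authentication formula from the Challenge-Response Property slide on concrete runs, in the sense of the satisfaction relation above. The tuple encoding of terms, the attacker name E and the sample runs are constructed assumptions; the ordering check reflects the temporal ordering used in step 4 of the correctness proof.

```python
# Added example: evaluating the initiator authentication formula on a run.
# A run is a list of (action, principal, term); terms are nested tuples
# (this encoding is an assumption, not the slides' notation).

def sig(signer, *body):
    return ("sig", signer, body)

def index_of(run, event):
    """Position of the first occurrence of event in run, or None."""
    return run.index(event) if event in run else None

def auth_holds(run, A, B, m, n, honest):
    """true [InitCR(A,B)]_A Honest(B) implies msg1, msg2 sent and received in order."""
    msg1 = (A, B, m)
    msg2 = (B, A, n, sig(B, m, n, A))
    if ("Verify", A, sig(B, m, n, A)) not in run:
        return True    # A did not complete the role: nothing is claimed
    if B not in honest:
        return True    # Honest(B) is false: the implication holds vacuously
    order = [index_of(run, ("Send", A, msg1)),
             index_of(run, ("Receive", B, msg1)),
             index_of(run, ("Send", B, msg2)),
             index_of(run, ("Receive", A, msg2))]
    return None not in order and order == sorted(order)

M1 = ("A", "B", "m")
M2 = ("B", "A", "n", sig("B", "m", "n", "A"))
V = ("Verify", "A", sig("B", "m", "n", "A"))

# Constructed runs. E is the network attacker, who relays every message.
RELAYED = [("Send", "A", M1), ("Receive", "E", M1), ("Send", "E", M1),
           ("Receive", "B", M1), ("Send", "B", M2), ("Receive", "E", M2),
           ("Send", "E", M2), ("Receive", "A", M2), V]
# Here B performs no actions: E answers A with a signature under B's key,
# which the model allows only when B is not honest.
KEY_HELD_BY_E = [("Send", "A", M1), ("Receive", "E", M1),
                 ("Send", "E", M2), ("Receive", "A", M2), V]

if __name__ == "__main__":
    print(auth_holds(RELAYED, "A", "B", "m", "n", {"A", "B"}))
    print(auth_holds(KEY_HELD_BY_E, "A", "B", "m", "n", {"A"}))
    print(auth_holds(KEY_HELD_BY_E, "A", "B", "m", "n", {"A", "B"}))
```

The last call treats B as honest on a run where B never acted; the formula fails there, and that is the kind of run the correctness proof shows cannot occur.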

18
Proof System
  • Goal: formally prove security properties
  • Axioms
  • Simple formulas provable by hand
  • Inference rules
  • Proof steps
  • Theorem
  • Formula obtained from axioms by application of
    inference rules

19
Sample axioms about actions
  • New data
  • true [new x]_P Has(P, x)
  • true [new x]_P Has(Y, x) ⊃ (Y = P)
  • Actions
  • true [send m]_P Send(P, m)
  • Verify
  • true [match x/sigX{m}]_P Verify(P, m)

20
Reasoning about knowledge
  • Pairing
  • Has(X, {m, n}) ⊃ Has(X, m) ∧ Has(X, n)
  • Encryption
  • Has(X, encK(m)) ∧ Has(X, K⁻¹) ⊃ Has(X, m)
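
The attacker operations on the Attacker capabilities slide and the knowledge axioms above can be run as a symbolic deduction procedure. The following Python code is an added example, not part of the original slides; the tuple encoding of terms, the pk:/sk: key naming, the attacker name E and the sample traffic are assumptions, and a new signature is taken to require the signer's private key.

```python
# Added example: symbolic Dolev-Yao attacker knowledge (term encoding is assumed).
# Atoms are strings; compound terms are tuples:
#   ("pair", t1, ..., tn)   ("enc", key, t)   ("sig", signer, t)

def inv(k):
    """Inverse key K^-1: pk:X <-> sk:X; any other key is its own inverse."""
    if k.startswith("pk:"):
        return "sk:" + k[3:]
    if k.startswith("sk:"):
        return "pk:" + k[3:]
    return k

def analyze(observed):
    """Close a set of terms under projection and decryption with a known key."""
    known, work = set(), list(observed)
    while work:
        t = work.pop()
        if t in known:
            continue
        known.add(t)
        if isinstance(t, tuple) and t[0] == "pair":
            work.extend(t[1:])
        # Re-scan ciphertexts: a key learned just now may open an older one.
        for c in list(known):
            if isinstance(c, tuple) and c[0] == "enc" and inv(c[1]) in known:
                work.append(c[2])
    return known

def has(known, t):
    """Has(attacker, t): t is known, or built by pairing, encryption, signing."""
    if t in known:
        return True
    if not isinstance(t, tuple):
        return False
    if t[0] == "pair":
        return all(has(known, p) for p in t[1:])
    if t[0] == "enc":
        return has(known, t[1]) and has(known, t[2])
    # A new signature needs the signer's private key (unforgeability).
    return t[0] == "sig" and "sk:" + t[1] in known and has(known, t[2])

# Constructed wire traffic: one challenge-response run plus two ciphertexts.
SIG_B = ("sig", "B", ("pair", "m", "n", "A"))
WIRE = [("pair", "A", "B", "m"), ("pair", "B", "A", "n", SIG_B),
        ("enc", "pk:B", "secret"),                   # attacker lacks sk:B
        ("enc", "k", "leaked"), ("pair", "B", "k")]  # k is sent in the clear
ATTACKER = analyze(WIRE + ["E", "sk:E", "pk:B", "m2"])
FORGED = ("sig", "B", ("pair", "m2", "n", "A"))      # B's signature, new nonce
```

Here `has(ATTACKER, SIG_B)` is true because the observed signature can be replayed, while `has(ATTACKER, FORGED)` is false, which is the symbolic counterpart of the signature axiom the proof relies on.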

21
Encryption and signature
  • Public key encryption
  • Honest(X) ∧ Decrypt(Y, encX{m}) ⊃ X = Y
  • Signature
  • Honest(X) ∧ Verify(Y, sigX{m}) ⊃
  • ∃ m' (Send(X, m') ∧ Contains(m', sigX{m}))

22
Sample inference rules
  • First-order logic rules
  • φ     φ ⊃ ψ
  • -----------
  • ψ
  • Generic rules
  • θ [actions]_P φ     θ [actions]_P ψ
  • ----------------------------------
  • θ [actions]_P φ ∧ ψ

23
Honesty rule (example use)
  • ∀ roles R of Q. ∀ protocol steps A of R.
  • Start(X) [ ]_X φ     φ [A]_X φ
  • ------------------------------
  • Q ⊢ Honest(X) ⊃ φ
  • Example use
  • If Y receives a message m from X, and
  • Honest(X) ⊃ (Sent(X, m) ⊃ Received(X, m))
  • then Y can conclude
  • Honest(X) ⊃ Received(X, m)

Proved using honesty rule
24
Correctness of CR
InitCR(A, X) = [
  new m;
  send A, X, {m, A};
  receive X, A, {x, sigX{m, x, A}};
  send A, X, sigA{m, x, X};
]
RespCR(B) = [
  receive Y, B, {y, Y};
  new n;
  send B, Y, {n, sigB{y, n, Y}};
  receive Y, B, sigY{y, n, B};
]
  • CR ⊢ true [InitCR(A, B)]_A Honest(B) ⊃
  • Send(A, {A, B, m}) ∧
  • Receive(B, {A, B, m}) ∧
  • Send(B, {B, A, n, sigB{m, n, A}}) ∧
  • Receive(A, {B, A, n, sigB{m, n, A}})

Auth
25
Correctness of CR step 1
  • 1. A reasons about her own actions
  • CR ⊢ true [InitCR(A, B)]_A
  • Verify(A, sigB{m, n, A})

26
Correctness of CR step 2
  • 2. Properties of signatures
  • CR ⊢ true [InitCR(A, B)]_A Honest(B) ⊃
  • ∃ m' (Send(B, m') ∧ Contains(m', sigB{m, n, A}))

Recall signature axiom
27
Correctness of CR Honesty
  • Invariant proved with Honesty rule
  • CR ⊢ Honest(X) ∧
  • Send(X, m) ∧ Contains(m, sigX{y, x, Y}) ∧ ¬New(X, y) ⊃
  • m = {X, Y, {x, sigX{y, x, Y}}} ∧ Receive(X, {Y, X, {y, Y}})

Induction over protocol steps
28
Correctness of CR step 3
  • 3. Use Honesty invariant
  • CR ⊢ true [InitCR(A, B)]_A Honest(B) ⊃
  • Receive(B, {A, B, m}),

29
Correctness of CR step 4
  • 4. Use properties of nonces for temporal ordering
  • CR ⊢ true [InitCR(A, B)]_A Honest(B) ⊃ Auth

Nonces are fresh random numbers
30
We have a proof. So what?
  • Soundness Theorem
  • if Q ⊢ φ then Q ⊨ φ
  • If φ is a theorem then φ is a valid formula
  • φ holds in any step in any run of protocol Q
  • Unbounded number of participants
  • Dolev-Yao intruder

31
PCL Proof Techniques
  • Modular Proofs
  • Generic Template-style Proofs

32
Modular Analysis / Composition
[Figure: Laptop, Access Point and Auth Server (Shared Secret-PMK)]
802.11i Key Management: ~20 msgs in 4 components
[HSDDM CCS05 -> TISSEC Special Issue]
33
Compositional Proofs Intuition
  • Protocol specific reasoning
  • if honest Bob generates a signature of the form sigB{m, n, A},
  • he sends it as part of msg2
  • Could break: Bob's signature from one protocol
    could be used to attack another
  • PCL proof system: Invariant rule
  • Protocol independent reasoning
  • Axiom stating unforgeability of signatures
  • Still good: unaffected by composition
  • All other axioms and proof rules for PCL

34
Proof Tree
[Figure: proof tree. Axioms, the INV rule and other rules lead to Inv, and from Inv to the security property Auth.]
  • TLS ⊢ Inv
  • Inv ⊢ Auth
  • TLS composed with 4WAY ⊢ Inv
  • Bulk of proof reused
  • Additional work to prove 4WAY ⊢ Inv
  • Theorem: If Q ⊢ Inv and Q' ⊢ Inv, then the composition of Q and Q' ⊢ Inv
[DDMP CSF03 -> JCS Special Issue, MFPS03]
35
Generic Template-style Proofs
  • Protocols with function variables instead of
    specific cryptographic operations
  • One template can be instantiated to many
    protocols
  • Proof of template yields proofs for instances
  • Motivating example
  • IKEv2 two instances based on symmetric and
    public-key cryptography

36
Protocol Template
Challenge-Response Template
  A → B: m
  B → A: n, F(B, A, n, m)
  A → B: G(A, B, n, m)
Instantiations
  ISO-9798-2:  A → B: m;  B → A: n, E_KAB(n, m, B);  A → B: E_KAB(n, m)
  SKID3:       A → B: m;  B → A: n, H_KAB(n, m, B);  A → B: H_KAB(n, m, A)
  ISO-9798-3:  A → B: m;  B → A: n, sigB(n, m, A);   A → B: sigA(n, m, B)
37
Template Proof Method
  • Characterizing protocol concepts
  • Step 1 Under hypotheses about function variables
    and invariants, prove security property of
    template
  • Step 2 Instantiate function variables to
    cryptographic operations and prove hypotheses.
  • Benefit
  • Proof reuse
  • Single protocol can be instance of multiple
    templates allowing modular proofs

38
Proof Structure
Additional work to discharge hypotheses
axiom
hypothesis
Bulk of proof reused
Instance
Template
39
Extending Formalism
  • Language Extensions
  • Add function variables to term language for
    cords and logic (HOL)
  • Semantics
  • Q ⊨ φ ⇔ σQ ⊨ σφ, for all substitutions σ
    eliminating all function variables
  • Soundness Theorem
  • Every provable formula is valid

40
PCL Big Picture
High-level proof principles
  • PCL
  • Syntax (Properties)
  • Proof System (Proofs)
  • Computational PCL
  • Syntax ?
  • Proof System ?

Soundness Theorem (Induction)
Soundness Theorem (Reduction)
BPW, MW,
  • Symbolic Model
  • PCL Semantics
  • (Meaning of formulas)
  • Cryptographic Model
  • PCL Semantics
  • (Meaning of formulas)

Unbounded concurrent sessions
Polynomial concurrent sessions
41
Complexity-theoretic semantics
  • Q ⊨ φ if ∀ adversary A ∀ distinguisher D ∃
    negligible function f ∃ n0 ∀ n > n0 s.t.
  • |[[φ]](T, D, f(n))| / |T| > 1 − f(n)

Fraction represents probability
  • Fix protocol Q, PPT adversary A
  • Choose value of security parameter n
  • Vary random bits used by all programs
  • Obtain set T = T(Q, A, n) of equi-probable traces

[Figure: the trace set T(Q, A, n) with the subset [[φ]](T, D, f) marked]
[DDMST05]
42
PCL Proof System
  • Property of signature
  • Honest(X) ∧ Verifies(Y, m, X) ⊃ Signed(X, m)
  • Soundness proof
  • Assume axiom not valid
  • ∃ A ∃ D ∀ negligible f ∀ n0 ∃ n > n0 s.t.
  • |[[φ]](T, D, f(n))| / |T| < 1 − f(n)
  • Construct attacker A' that uses A, D to break
    CMA-secure signature scheme
  • Standard cryptographic reduction

DDMST05, DDMW06
43
Logic and Cryptography Big Picture
Protocol security proofs using proof system
Axiom in proof system
Semantics and soundness theorem
Complexity-theoretic crypto definitions (e.g.,
IND-CCA2 secure encryption)
Crypto constructions satisfying definitions
(e.g., Cramer-Shoup encryption scheme)
44
Summary
  • PCL: Logic for security protocols
  • Sound wrt symbolic and cryptographic models
  • High-level short proofs: 2-3 pages
  • Proof techniques
  • Modular/compositional proofs
  • Generic template-style proofs
  • Proofs of industrial protocols
  • IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2
    (unpublished), Mobile IPv6 (in progress)
  • Implementation not done

45
Thanks ! Questions?