Title: PCL: A Logic for Proving Security of Industrial Network Protocols
1 PCL: A Logic for Proving Security of Industrial Network Protocols
- Anupam Datta
- CMU
- May 2007
2 Perspective
- Theoretical basis for security practice
- Security models
- Analysis and design methods
- Application to real systems
- Concepts and methods from
- Logic and programming languages, specification and verification, cryptography, philosophy, economics
3 Projects
- Security of network protocols (2001-07)
- Protocol Composition Logic (Today)
- Perfect cryptography model
- Proof techniques: composition theorems, templates
- Complexity-theoretic model
- Privacy
- Logic of Privacy and Utility [Oakland06, CSF07]
4 Projects (2)
- Theory of Cryptography
- Concurrent composition, security specification methods (games, simulation)
- Using probabilistic polynomial-time process calculus [WITS04, TCC05, TCC06]
- Software System Security
- Trusted computing, software diversity
5 Security Protocol Analysis
- Network security protocols
- Industry Standards (IETF, IEEE)
- SSL/TLS - web authentication
- IPSec - corporate VPNs
- Mobile IPv6 routing security
- Kerberos - network authentication
- GDOI secure group communication
- 802.11i - wireless LAN security
- Method for their security analysis
- Goal: a security proof in some model
6 Protocol Composition Logic
- Intuition
- Formalism
- Protocol programming language
- Protocol logic
- Proof System
- Example
- Signature-based challenge-response
- Proof techniques
- Cryptographic soundness
Formulated by Datta, Derek, Durgin, Mitchell, Pavlovic
7 Example: Challenge-Response
A → B: m, A
B → A: n, sig_B{m, n, A}
A → B: sig_A{m, n, B}
- Alice reasons: if Bob is honest, then
- only Bob can generate his signature
- if Bob generates a signature of the form sig_B{m, n, A}, he sends it as part of msg2 of the protocol, and he must have received msg1 from Alice
- Alice deduces Received(B, msg1) ∧ Sent(B, msg2)
8 Formalizing the Approach
- Language for protocol description
- Arrows-and-messages are informal.
- Protocol operational semantics
- How does the protocol execute?
- Protocol logic
- Stating security properties.
- Proof system
- Formally proving security properties.
9 Protocol Programming Language
- A protocol is described by specifying a program for each role
- Server = [receive x; new n; send x, n]
- Building blocks
- Terms (think messages): names, nonces, keys, encryption, ...
- Actions (operations on terms): send, receive, pattern match, ...
10 Terms
- t ::= c   constant term
-   | x   variable
-   | N   name
-   | K   key
-   | t, t   tupling
-   | sig_K{t}   signature
-   | enc_K{t}   encryption
- Example: x, sig_B{m, x, A} is a term
11 Actions
- send t   send a term t
- receive x   receive a term into variable x
- match t/p(x)   match term t against pattern p(x)
- A program is a sequence of actions
- Notation
- we often omit match actions
- receive sig_B{A, n} ≡ receive x; match x/sig_B{A, n}
12 Challenge-Response Programs
A → B: m, A
B → A: n, sig_B{m, n, A}
A → B: sig_A{m, n, B}
InitCR(A, X) = [new m; send A, X, m, A; receive X, A, x, sig_X{m, x, A}; send A, X, sig_A{m, x, X}]
RespCR(B) = [receive Y, B, y, Y; new n; send B, Y, n, sig_B{y, n, Y}; receive Y, B, sig_Y{y, n, B}]
13 Protocol Execution
- Initial configuration
- Protocol is a finite set of roles
- Set of principals and keys
- Assignment of ≥1 role to each principal
- Run
- Process calculus operational semantics
(Figure: three interleaved threads. A: new x; send x_B.  C: new z; send z_B.  B: receive x_B; receive z_B.)
14 Attacker capabilities
- Controls complete network
- Can read, remove, inject messages
- Fixed set of operations on terms
- Pairing
- Projection
- Encryption with known key
- Decryption with known key
Commonly referred to as Dolev-Yao attacker
15 PCL Syntax
- Action formulas
- a ::= Send(P,t) | Receive(P,t) | Verify(P,t)
- Formulas
- φ ::= a | Has(P,t) | Honest(N) | ¬φ | φ1 ∧ φ2 | ∃x φ | a < a
- Modal formula
- φ [actions]_P ψ
- Example
- Has(X, secret) ⊃ (X = A ∨ X = B)
- Specifying secrecy
16 Challenge-Response Property
- Specifying authentication for Initiator
- true [InitCR(A, B)]_A Honest(B) ⊃
- ( Send(A, {A,B,m}) <
-   Receive(B, {A,B,m}) <
-   Send(B, {B,A,n, sig_B{m, n, A}}) <
-   Receive(A, {B,A,n, sig_B{m, n, A}}) )
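The role programs, the operational semantics and the initiator's authentication property of slides 11 to 16, run as code. This is an added example written by the editor, not code from the talk or from the PCL project: the tagged-tuple term encoding, the generator-based roles, the `run` scheduler with its `intruder` hook and the `auth_holds` check are all the editor's constructions, and the nonces are symbolic. The second run shows a Dolev-Yao intruder replacing the cleartext nonce in msg2: A's receive pattern sig_X{m, x, A} is the PCL `match` that does the signature check, so the tampered message never matches and A never completes.

```python
"""Symbolic execution of the PCL roles InitCR and RespCR over an
attacker-controlled network.  Terms are tagged tuples; receive patterns
carry ('var', x) holes that the PCL action `match t/p(x)` binds."""
from itertools import count

def N(name):        return ('name', name)          # principal name
def V(name):        return ('var', name)           # pattern variable
def Sig(signer, t): return ('sig', signer, t)      # sig_signer{t}
def T(*parts):      return ('tuple',) + parts      # tupling

_fresh = count(1)
def new():          return ('nonce', f'n{next(_fresh)}')   # new x: fresh symbolic nonce

def match(term, pattern, env=None):
    """PCL action `match term/pattern`: return the extended binding, or None.
    A variable that occurs twice must be bound to the same term both times."""
    env = dict(env or {})
    if pattern[0] == 'var':
        seen = env.get(pattern[1])
        if seen is None:
            env[pattern[1]] = term
            return env
        return env if seen == term else None
    if pattern[0] != term[0] or len(pattern) != len(term):
        return None
    if pattern[0] in ('name', 'nonce'):
        return env if term == pattern else None
    for t, p in zip(term[1:], pattern[1:]):       # sig and tuple: componentwise
        env = match(t, p, env)
        if env is None:
            return None
    return env

# Roles as generators: every yield is one PCL action; the scheduler replies.
def InitCR(A, X):
    """[new m; send A,X,m,A; receive X,A,x,sig_X{m,x,A}; send A,X,sig_A{m,x,X}]"""
    m = yield ('new',)
    yield ('send', T(A, X, m, A))
    env = yield ('receive', T(X, A, V('x'), Sig(X, T(m, V('x'), A))))
    yield ('send', T(A, X, Sig(A, T(m, env['x'], X))))

def RespCR(B):
    """[receive Y,B,y,Y; new n; send B,Y,n,sig_B{y,n,Y}; receive Y,B,sig_Y{y,n,B}]"""
    env = yield ('receive', T(V('Y'), B, V('y'), V('Y')))
    Y, y = env['Y'], env['y']
    n = yield ('new',)
    yield ('send', T(B, Y, n, Sig(B, T(y, n, Y))))
    yield ('receive', T(Y, B, Sig(Y, T(y, n, B))))

def run(threads, intruder=lambda net: None, max_steps=50):
    """Interleave the role threads.  Sent terms land in `net`, which the
    intruder hook may rewrite (read/remove/inject).  A receive consumes the
    first term in `net` matching its pattern and blocks otherwise.
    Returns the trace of (Action, principal, term) events."""
    net, trace = [], []
    pending = {p: next(g) for p, g in threads.items()}   # first action of each role
    for _ in range(max_steps):
        progressed = False
        for p, g in threads.items():
            act = pending[p]
            if act is None:                               # role has finished
                continue
            try:
                if act[0] == 'new':
                    x = new(); trace.append(('New', p, x)); pending[p] = g.send(x)
                elif act[0] == 'send':
                    trace.append(('Send', p, act[1])); net.append(act[1])
                    intruder(net); pending[p] = g.send(None)
                else:
                    for i, msg in enumerate(net):
                        env = match(msg, act[1])
                        if env is not None:
                            trace.append(('Receive', p, net.pop(i))); pending[p] = g.send(env)
                            break
                    else:
                        continue                          # blocked: nothing matches
            except StopIteration:
                pending[p] = None
            progressed = True
        if not progressed:
            break
    return trace

def auth_holds(trace, A, B):
    """Auth of the CR property: Send(A,{A,B,m,A}) < Receive(B, same) <
    Send(B,{B,A,n,sig_B{m,n,A}}) < Receive(A, same), in trace order."""
    a, b = N(A), N(B)
    def first(kind, p, pat, env=None):
        for i, (k, q, t) in enumerate(trace):
            if k == kind and q == p and (e := match(t, pat, env)) is not None:
                return i, e
        return None, None
    i1, e1 = first('Send', A, T(a, b, V('m'), a))
    if i1 is None: return False
    i2, _  = first('Receive', B, T(a, b, V('m'), a), e1)
    i3, e3 = first('Send', B, T(b, a, V('n'), Sig(b, T(V('m'), V('n'), a))), e1)
    if i2 is None or i3 is None: return False
    i4, _  = first('Receive', A, T(b, a, V('n'), Sig(b, T(V('m'), V('n'), a))), e3)
    return i4 is not None and i1 < i2 < i3 < i4

def honest_run():
    return run({'A': InitCR(N('A'), N('B')), 'B': RespCR(N('B'))})

def tampered_run():
    """Intruder swaps the clear nonce in msg2.  A's pattern ties the clear x
    to the x inside sig_X{m,x,A}, so the match fails and A never accepts."""
    def swap_nonce(net):
        for i, msg in enumerate(net):
            if len(msg) == 5 and msg[4][0] == 'sig':     # only msg2 has this shape
                net[i] = T(msg[1], msg[2], ('nonce', 'evil'), msg[4])
    return run({'A': InitCR(N('A'), N('B')), 'B': RespCR(N('B'))}, intruder=swap_nonce)
```

In the honest run the trace has the four Auth events in the right order; in the tampered run A's only events are New and Send, which is exactly the behaviour the modal formula on slide 16 promises: nothing is asserted unless A's own actions, including the match, complete.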
17 PCL Semantics
- Protocol Q
- Defines a set of roles (e.g., initiator, responder)
- Run R of Q is a sequence of actions by principals following roles, plus the attacker
- Satisfaction
- Q, R ⊨ φ [actions]_P ψ
- If some role of P in R does exactly actions starting from a state where φ is true, then ψ is true in the state after the actions complete, irrespective of actions executed by other agents concurrently
- Q ⊨ φ [actions]_P ψ
- Q, R ⊨ φ [actions]_P ψ for all runs R of Q
18 Proof System
- Goal formally prove security properties
- Axioms
- Simple formulas provable by hand
- Inference rules
- Proof steps
- Theorem
- Formula obtained from axioms by application of
inference rules
19 Sample axioms about actions
- New data
- true [new x]_P Has(P,x)
- true [new x]_P Has(Y,x) ⊃ Y = P
- Actions
- true [send m]_P Send(P,m)
- Verify
- true [match x/sig_X{m}]_P Verify(P,m)
20 Reasoning about knowledge
- Pairing
- Has(X, {m,n}) ⊃ Has(X, m) ∧ Has(X, n)
- Encryption
- Has(X, enc_K{m}) ∧ Has(X, K^-1) ⊃ Has(X, m)
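The Dolev-Yao capabilities of slide 14 and the Has axioms above, as an added example (the editor's code, not the talk's): `analyze` closes a knowledge set under the destructors the axioms describe (projection, decryption with a known inverse key, and reading a signature's payload, which is not confidential in this model), and `can_derive` then decides whether a goal term can be synthesised by pairing, encrypting or signing. The observed CR messages, the encrypted secret and the key names (pk_X, sk_X, an attacker E with its own key pair) are constructed for the example.

```python
"""Dolev-Yao attacker knowledge over symbolic terms.
Terms: ('name', x), ('nonce', x), ('key', k), ('tuple', t1, ...),
('enc', K, t), ('sig', K, t), where K is the key actually used: pk_X to
encrypt for X, sk_X to sign as X, k_AB for a shared symmetric key."""

def T(*parts):   return ('tuple',) + parts
def Enc(key, t): return ('enc', key, t)
def Sig(key, t): return ('sig', key, t)

def inverse(key):
    """K^-1: the private key of a public key and vice versa;
    a symmetric key is its own inverse."""
    k = key[1]
    if k.startswith('pk_'): return ('key', 'sk_' + k[3:])
    if k.startswith('sk_'): return ('key', 'pk_' + k[3:])
    return key

def analyze(known):
    """Close `known` under the destructors: projection
    (Has(X,{m,n}) ⊃ Has(X,m) ∧ Has(X,n)), decryption with a known inverse
    key (Has(X,enc_K{m}) ∧ Has(X,K^-1) ⊃ Has(X,m)) and reading the payload
    of a signature.  Iterates because one decryption may expose a key
    that unlocks another."""
    known = set(known)
    while True:
        gained = set()
        for t in known:
            if t[0] == 'tuple':
                gained.update(t[1:])
            elif t[0] == 'enc' and inverse(t[1]) in known:
                gained.add(t[2])
            elif t[0] == 'sig':
                gained.add(t[2])
        if gained <= known:
            return known
        known |= gained

def can_derive(known, goal):
    """Synthesis: `goal` is derivable from the analyzed set `known` if it is
    known outright or built by pairing, encryption or signing from derivable
    parts.  Signing or encrypting needs the key itself to be derivable, which
    is what makes sig_B{...} unforgeable without sk_B."""
    if goal in known:
        return True
    if goal[0] == 'tuple':
        return all(can_derive(known, g) for g in goal[1:])
    if goal[0] in ('enc', 'sig'):
        return can_derive(known, goal[1]) and can_derive(known, goal[2])
    return False

def has(knowledge, t):
    """Has(X, t) for a principal whose raw knowledge is `knowledge`."""
    return can_derive(analyze(knowledge), t)

# Constructed observation: one honest CR run between A and B followed by a
# public-key encrypted secret from A to B, all seen by the attacker E.
A, B, E = ('name', 'A'), ('name', 'B'), ('name', 'E')
m, n, n_E, secret = (('nonce', x) for x in ('m', 'n', 'n_E', 's'))
pk_A, sk_A, pk_B, sk_B = (('key', k) for k in ('pk_A', 'sk_A', 'pk_B', 'sk_B'))
msg1 = T(A, B, m, A)
msg2 = T(B, A, n, Sig(sk_B, T(m, n, A)))
msg3 = T(A, B, Sig(sk_A, T(m, n, B)))
msg4 = T(A, B, Enc(pk_B, T(secret, A)))
PUBLIC = {A, B, E, pk_A, pk_B, ('key', 'pk_E'), ('key', 'sk_E'), n_E}  # E's own nonce included

def attacker_has(goal, leaked=()):
    """Can E, who sees all traffic and owns its own key pair, derive `goal`?
    `leaked` adds long-term keys the attacker has compromised."""
    return has(PUBLIC | {msg1, msg2, msg3, msg4} | set(leaked), goal)
```

The attacker gets m and n for free (they travel in the clear) and can replay the signature it saw, but cannot produce sig_B over a nonce of its own choosing unless sk_B leaks; the same closure, started from B's knowledge, shows that B alone recovers the encrypted secret.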
21 Encryption and signature
- Public key encryption
- Honest(X) ∧ Decrypt(Y, enc_X{m}) ⊃ X = Y
- Signature
- Honest(X) ∧ Verify(Y, sig_X{m}) ⊃ ∃m' (Send(X, m') ∧ Contains(m', sig_X{m}))
22 Sample inference rules
- First-order logic rules
- φ,  φ ⊃ ψ   /   ψ
- Generic rules
- θ [actions]_P φ,  θ [actions]_P ψ   /   θ [actions]_P φ ∧ ψ
23 Honesty rule (example use)
- ∀ roles R of Q. ∀ protocol steps A of R.
- Start(X) [ ]_X φ,   φ [A]_X φ   /   Q ⊢ Honest(X) ⊃ φ
- Example use
- If Y receives a message m from X, and
- Honest(X) ⊃ (Sent(X,m) ⊃ Received(X,m))
- then Y can conclude
- Honest(X) ⊃ Received(X,m)
- Proved using the honesty rule
24 Correctness of CR
(InitCR(A, X) and RespCR(B) as on slide 12)
- CR ⊢ true [InitCR(A, B)]_A Honest(B) ⊃ Auth, where Auth is
- Send(A, {A,B,m}) <
- Receive(B, {A,B,m}) <
- Send(B, {B,A,n, sig_B{m, n, A}}) <
- Receive(A, {B,A,n, sig_B{m, n, A}})
25 Correctness of CR: step 1
- 1. A reasons about her own actions
- CR ⊢ true [InitCR(A, B)]_A Verify(A, sig_B{m, n, A})
26 Correctness of CR: step 2
- 2. Properties of signatures
- CR ⊢ true [InitCR(A, B)]_A Honest(B) ⊃ ∃m' (Send(B, m') ∧ Contains(m', sig_B{m, n, A}))
- Recall the signature axiom
27 Correctness of CR: Honesty
- Invariant proved with the Honesty rule
- CR ⊢ Honest(X) ⊃ ( Send(X, m) ∧ Contains(m, sig_X{y, x, Y}) ∧ ¬New(X, y) ⊃ m = {X, Y, x, sig_X{y, x, Y}} ∧ Receive(X, {Y, X, y, Y}) )
- The ¬New(X, y) hypothesis excludes the initiator's third message sig_A{m, x, X}, whose first signed component is a nonce X generated itself
- Induction over protocol steps
28 Correctness of CR: step 3
- 3. Use the Honesty invariant
- CR ⊢ true [InitCR(A, B)]_A Honest(B) ⊃ Receive(B, {A,B,m}), ...
29 Correctness of CR: step 4
- 4. Use properties of nonces for temporal ordering
- CR ⊢ true [InitCR(A, B)]_A Honest(B) ⊃ Auth
- Nonces are fresh random numbers
30 We have a proof. So what?
- Soundness Theorem
- if Q ⊢ φ then Q ⊨ φ
- If φ is a theorem then φ is a valid formula
- φ holds at any step in any run of protocol Q
- Unbounded number of participants
- Dolev-Yao intruder
31 PCL Proof Techniques
- Modular Proofs
- Generic Template-style Proofs
32 Modular Analysis / Composition
(Figure: Laptop, Access Point and Auth Server; shared secret PMK)
802.11i Key Management: ≈20 msgs in 4 components
[HSDDM CCS05] → TISSEC Special Issue
33 Compositional Proofs: Intuition
- Protocol specific reasoning
- if honest Bob generates a signature of the form sig_B{m, n, A}, he sends it as part of msg2
- Could break: Bob's signature from one protocol could be used to attack another
- PCL proof system: Invariant rule
- Protocol independent reasoning
- Axiom stating unforgeability of signatures
- Still good: unaffected by composition
- All other axioms and proof rules for PCL
34 Proof Tree
(Figure: proof tree for the composed protocol TLS ∘ 4WAY)
- TLS ⊢ Inv and 4WAY ⊢ Inv give TLS ∘ 4WAY ⊢ Inv by the INV rule
- Inv ⊢ Auth by the other rules and axioms; Auth is the security property
- Bulk of the proof reused; additional work to prove 4WAY ⊢ Inv
- Theorem: If Q1 ⊢ Inv and Q2 ⊢ Inv, then Q1 ∘ Q2 ⊢ Inv
[DDMP CSF03] → JCS Special Issue, [MFPS03]
35 Generic Template-style Proofs
- Protocols with function variables instead of specific cryptographic operations
- One template can be instantiated to many protocols
- Proof of the template yields proofs for the instances
- Motivating example
- IKEv2: two instances based on symmetric and public-key cryptography
36 Protocol Template
Challenge-Response Template:
A → B: m ;  B → A: n, F(B,A,n,m) ;  A → B: G(A,B,n,m)
Instantiations:
ISO-9798-2:  A → B: m ;  B → A: n, E_KAB(n,m,B) ;  A → B: E_KAB(n,m)
SKID3:       A → B: m ;  B → A: n, H_KAB(n,m,B) ;  A → B: H_KAB(n,m,A)
ISO-9798-3:  A → B: m ;  B → A: n, sig_B(n,m,A) ;  A → B: sig_A(n,m,B)
37 Template Proof Method
- Characterizing protocol concepts
- Step 1: Under hypotheses about the function variables and invariants, prove the security property of the template
- Step 2: Instantiate the function variables to cryptographic operations and prove the hypotheses.
- Benefit
- Proof reuse
- A single protocol can be an instance of multiple templates, allowing modular proofs
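The template of slide 36 with F and G as explicit function variables, instantiated to SKID3 by taking HMAC-SHA256 as the keyed hash H_KAB. This is an added example by the editor, not code from the talk: the `Party` class, the length-prefixed `H`, and in particular the identity-free `F_noid`/`G_noid` instantiation and the `reflection_attack` against it are the editor's illustration of why Step 1's hypothesis about F must cover the identity inside the hash. They are not a claim about SKID3 itself, whose tags do include the responder's and initiator's names.

```python
"""Challenge-response template  A -> B: m ; B -> A: n, F(B,A,n,m) ; A -> B: G(A,B,n,m)
with F and G passed in as function variables, instantiated to SKID3 via HMAC-SHA256."""
import hmac, hashlib, os

def H(key, *parts):
    """Keyed hash over length-prefixed parts, so (n, m, B) cannot be re-split
    into a different (n', m', B') over the same bytes."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(2, 'big') + p)
    return mac.digest()

# SKID3: the template's function variables instantiated with the keyed hash.
def F_skid3(key, B, A, n, m): return H(key, n, m, B)     # msg2 tag: H_KAB(n, m, B)
def G_skid3(key, A, B, n, m): return H(key, n, m, A)     # msg3 tag: H_KAB(n, m, A)
# Hypothetical weakening for illustration: same primitive, identities dropped.
def F_noid(key, B, A, n, m):  return H(key, n, m)
def G_noid(key, A, B, n, m):  return H(key, n, m)

class Party:
    """One principal holding the key K_AB shared between A and B."""
    def __init__(self, name, key):
        self.name, self.key = name, key
    def challenge(self):                                   # A -> B: m
        return os.urandom(16)
    def respond(self, F, peer, m):                         # B -> A: n, F(B, A, n, m)
        n = os.urandom(16)
        return n, F(self.key, self.name, peer, n, m)
    def accept_response(self, F, peer, m, n, tag):         # A recomputes F(B, A, n, m)
        return hmac.compare_digest(tag, F(self.key, peer, self.name, n, m))
    def confirm(self, G, peer, n, m):                      # A -> B: G(A, B, n, m)
        return G(self.key, self.name, peer, n, m)
    def accept_confirmation(self, G, peer, n, m, tag):     # B recomputes G(A, B, n, m)
        return hmac.compare_digest(tag, G(self.key, peer, self.name, n, m))

def honest_run(F, G):
    """One three-message exchange between A and B; returns (A accepts, B accepts)."""
    key = os.urandom(32)
    alice, bob = Party(b'A', key), Party(b'B', key)
    m = alice.challenge()
    n, tag2 = bob.respond(F, b'A', m)
    tag3 = alice.confirm(G, b'B', n, m)
    return (alice.accept_response(F, b'B', m, n, tag2),
            bob.accept_confirmation(G, b'A', n, m, tag3))

def reflection_attack(F):
    """Attacker E, without K_AB, runs two sessions with A.  Session 1: A starts
    towards B and E intercepts m.  Session 2: E, posing as B, sends A that same
    m as a challenge, and A as responder answers n', F(A, B, n', m).  E replays
    (n', tag) into session 1 as B's response.  Returns whether A accepts it."""
    alice = Party(b'A', os.urandom(32))
    m = alice.challenge()                                # session 1, msg1 (intercepted)
    n2, tag = alice.respond(F, b'B', m)                  # session 2, A responding to "B"
    return alice.accept_response(F, b'B', m, n2, tag)    # session 1, msg2 reflected
```

Both instantiations complete an honest run, so the honest trace cannot distinguish them; only the template hypothesis does. With `F_skid3` the reflected tag is H(n', m, A) where A expects H(n', m, B), so it is rejected; with `F_noid` the two coincide and A accepts a response that B never produced, which is exactly the kind of hypothesis Step 2 has to discharge for each instance.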
38 Proof Structure
(Figure: the template proof is built from axioms and hypotheses; the instance proof reuses the bulk of it, with additional work to discharge the hypotheses.)
39 Extending Formalism
- Language Extensions
- Add function variables to the term language for cords and logic (HOL)
- Semantics
- Q ⊨ φ iff σQ ⊨ σφ, for all substitutions σ eliminating all function variables
- Soundness Theorem
- Every provable formula is valid
40 PCL: Big Picture
(Figure: two columns sharing the same high-level proof principles)
- PCL: Syntax (Properties), Proof System (Proofs)
- Soundness Theorem (Induction) relates it to the Symbolic Model: PCL Semantics (Meaning of formulas), unbounded concurrent sessions
- Computational PCL: Syntax and Proof System (≈ PCL)
- Soundness Theorem (Reduction) relates it to the Cryptographic Model: PCL Semantics (Meaning of formulas), polynomial concurrent sessions [BPW, MW, ...]
41 Complexity-theoretic semantics
- Q ⊨ φ if ∀ adversary A ∀ distinguisher D ∀ negligible function f ∃ n0 ∀ n > n0 s.t.
- |φ(T, D, f(n))| / |T| > 1 - f(n)
- The fraction represents a probability: φ(T, D, f) is the set of traces in T satisfying φ with respect to D and f
- Fix protocol Q, PPT adversary A
- Choose value of security parameter n
- Vary random bits used by all programs
- Obtain set T = T(Q,A,n) of equi-probable traces
[DDMST05]
42 PCL Proof System
- Property of signature
- Honest(X) ∧ Verifies(Y, m, X) ⊃ Signed(X, m)
- Soundness proof
- Assume the axiom is not valid
- ∃ A ∃ D ∃ negligible f ∀ n0 ∃ n > n0 s.t. |φ(T, D, f(n))| / |T| < 1 - f(n)
- Construct an attacker A' that uses A, D to break the CMA-secure signature scheme
- Standard cryptographic reduction
[DDMST05, DDMW06]
43 Logic and Cryptography: Big Picture
Protocol security proofs using proof system
Axiom in proof system
Semantics and soundness theorem
Complexity-theoretic crypto definitions (e.g.,
IND-CCA2 secure encryption)
Crypto constructions satisfying definitions
(e.g., Cramer-Shoup encryption scheme)
44 Summary
- PCL: Logic for security protocols
- Sound w.r.t. symbolic and cryptographic models
- High-level short proofs (2-3 pages)
- Proof techniques
- Modular/compositional proofs
- Generic template-style proofs
- Proofs of industrial protocols
- IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2 (unpublished), Mobile IPv6 (in progress)
- Implementation: not done
45 Thanks! Questions?