Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations PowerPoint PPT Presentation

Title: Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations


1
Security Analysis of Network Protocols
Compositional Reasoning and Complexity-theoretic
Foundations
  • Anupam Datta
  • Stanford University
  • May 23, 2005

2
Protocol analysis spectrum
[Figure: analysis methods plotted by sophistication of attacks (vertical axis, Low to High) against protocol complexity (horizontal axis, Low to High). Labels on the plot: Hand proofs, Computational Protocol C. logic, Holy Grail, Poly-time calculus, Protocol C. logic, Multiset rewriting, Spi-calculus, Athena, Paulson, NRL, BAN logic, Model checking, Murφ, FDR. Annotations: "Combining logic and cryptography", "Divide and conquer".]
3
Divide-and-Conquer paradigm
Central Problem 1
  • Result: Protocol Derivation System [DDMP03-05]
  • Incremental protocol construction
  • Result: Protocol Composition Logic (PCL) [DDDMP01-05]
  • Compositional correctness proofs
  • Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], [Pfitzmann-Waidner01],
  • Composition is a hard problem in security

4
Combining logic and cryptography
  • Symbolic model [NS78, DY84]
  • - Perfect cryptography assumption
  • Idealization => tools and techniques
  • Complexity-theoretic model [GM84]
  • More detailed model; probabilistic guarantees
  • - Hand-proofs very hard; no automation
  • Result: Computational PCL [DDMST05]
  • Logical proof methods
  • Complexity-theoretic crypto model
  • Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04], [Adao-Bana-Scedrov05]

Central Problem 2
5
Applied to industrial protocols
  • IEEE 802.11i authentication protocol [IEEE Standards 2004]
  • (Attack! Fix adopted by IEEE WG) [He et al]
  • IKEv2 [IETF Internet Draft 2004] [Aron et al]
  • TLS/SSL [RFC 2246 1999] [He et al]
  • Mobile IPv6 [RFC 3775 2004]
  • (New Attack!) [Roy et al]
  • Kerberos V5 [IETF Internet Draft 2004]
  • [Cervesato et al]
  • GDOI Secure Group Communication protocol [RFC 3547 2003]
  • (Attack! Fix adopted by IETF WG) [Meadows et al]

6
Outline
  • Protocol Composition Logic
  • Background
  • Compositional Reasoning
  • Complexity-theoretic foundations

7
Challenge-Response Proof Idea
A -> B: m, A
B -> A: n, sigB{m, n, A}
A -> B: sigA{m, n, B}
  • Alice reasons: if Bob is honest, then
  • only Bob can generate his signature. (protocol independent)
  • if Bob generates a signature of the form sigB{m, n, A},
  • he sends it as part of msg 2 of the protocol and
  • he must have received msg1 from Alice. (protocol specific)
  • Alice deduces: Received (B, msg1) ? Sent (B, msg2)

8
Formalism
  • Cord calculus
  • Protocol programming language
  • Execution model (Symbolic/Dolev-Yao)
  • Protocol logic
  • Expressing protocol properties
  • Proof system
  • Proving protocol properties
  • Soundness theorem

9
Challenge-Response as Cords
A -> B: m, A
B -> A: n, sigB{m, n, A}
A -> B: sigA{m, n, B}
RespCR(B):
  receive Y, B, y, Y
  new n
  send B, Y, n, sigB{y, n, Y}
  receive Y, B, sigY{y, n, B}
InitCR(A, X):
  new m
  send A, X, m, A
  receive X, A, x, sigX{m, x, A}
  send A, X, sigA{m, x, X}
10
Challenge Response Property
  • Modal form ? actions P ?
  • precondition Fresh(A,m)
  • actions Initiator role actions A
  • postcondition
  • Honest(B) ? ActionsInOrder(
  • send(A, A,B,m),
  • receive(B, A,B,m),
  • send(B, B,A,n, sigB m, n, A),
  • receive(A, B,A,n, sigB m, n, A) )

11
Proof System
  • Sample Axioms
  • Reasoning about possession
  • receive m A Has(A,m)
  • Has(A, m,n) ? Has(A, m) ? Has(A, n)
  • Reasoning about crypto primitives
  • Honest(X) ? Decrypt(Y, encXm) ? XY
  • Honest(X) ? Verify(Y, sigXm) ?
  • ? m (Send(X, m) ? Contains(m, sigXm)
  • Soundness Theorem
  • Every provable formula is valid

12
Invariant Rule
  • Definition
  • A protocol step begins with receive, ends before
    next receive
  • Rule
  • X ? ?B ? ProtocolSteps(Q). ? BX ?
  • Q ? Honest(X) ? ?
  • Example
  • CR ? Honest(X) ?
  • (Sent(X, m2) ? Received(X, m1))
  • Reasoning about honest principals' actions

13
Outline
  • Protocol Composition Logic
  • Background
  • Compositional Reasoning
  • Complexity-theoretic foundations

14
Reasoning about Composition
  • Non-destructive Combination
  • Ensure combined parts do not interfere
  • In logic: invariance assertions
  • Additive Combination
  • Accumulate security properties of combined parts, assuming they do not interfere
  • In logic: before-after assertions

15
Proof steps (Intuition)
  • Protocol independent reasoning
  • Has(A, m,n) ? Has(A, m) ? Has(A, n)
  • Still good: unaffected by composition
  • Protocol specific reasoning
  • if honest Bob generates a signature of the form sigB{m, n, A},
  • he sends it as part of msg 2 of the protocol and
  • he must have received msg1 from Alice
  • Could break: Bob's signature from one protocol could be used to attack another
  • Technically
  • Protocol-specific proof steps use invariants
  • Invariants must be preserved for safe composition
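
An added example (not from the slides or from the PCL authors): a symbolic check, in the spirit of the Invariant Rule, that every protocol step of a role preserves the challenge-response invariant, run over the CR cords and over two constructed second protocols that use Bob's signing key. The exact form of the invariant, the step encoding, and the names `role_preserves_invariant`, `safe_to_compose`, `SIGN_ANY` and `SIGN_TAGGED` are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sig:  # symbolic signature sig_signer{body}, unforgeable as in Dolev-Yao
    signer: str
    body: tuple

def sigs_in(term):
    """Yield every signature occurring anywhere inside a symbolic term."""
    if isinstance(term, Sig):
        yield term
        term = term.body
    if isinstance(term, tuple):
        for sub in term:
            yield from sigs_in(sub)

def role_preserves_invariant(owner, steps):
    """steps: list of (received, new, sent); each step starts at a receive.
    Assumed invariant: if owner sends sig_owner{a, b, peer} and did not
    generate a itself, it earlier received msg1 = (peer, owner, a, peer)
    and generated b itself."""
    fresh, received = set(), []
    for recv, new, sent in steps:
        if recv is not None:
            received.append(recv)
        fresh.update(new)
        for msg in sent:
            for s in sigs_in(msg):
                if s.signer != owner or len(s.body) != 3:
                    continue          # not the signature form the invariant covers
                a, b, peer = s.body
                if a in fresh:
                    continue          # msg 3: signature over the signer's own challenge
                if (peer, owner, a, peer) not in received or b not in fresh:
                    return False
    return True

# CR roles, transcribed from the "Challenge-Response as Cords" slide.
INIT_CR = [(None, ["m"], [("A", "X", "m", "A")]),
           (("X", "A", "x", Sig("X", ("m", "x", "A"))), [],
            [("A", "X", Sig("A", ("m", "x", "X")))])]
RESP_CR = [(("Y", "B", "y", "Y"), ["n"], [("B", "Y", "n", Sig("B", ("y", "n", "Y")))]),
           (("Y", "B", Sig("Y", ("y", "n", "B"))), [], [])]
# Constructed second protocols: B signs a received triple, bare or with a tag.
SIGN_ANY = [(("Y", "B", "u", "v", "Z"), [], [("B", "Y", Sig("B", ("u", "v", "Z")))])]
SIGN_TAGGED = [(("Y", "B", "u", "v", "Z"), [], [("B", "Y", Sig("B", ("Q2", "u", "v", "Z")))])]

def safe_to_compose(roles):  # nondestructive: every role keeps the invariant
    return all(role_preserves_invariant(owner, steps) for owner, steps in roles)
```

The bare signing step fails the check because its output has the same shape as a CR signature without the receipt of msg1 behind it; the tagged variant produces a signature the invariant does not cover, so the CR proof carries over.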

16
Diffie-Hellman Property
  • Formula
  • new a A Fresh(A, g^a)
  • Explanation
  • Modal form: actions P ?
  • Actions: new a A
  • Postcondition: Fresh(A, g^a)

17
Challenge Response Property
  • Modal form ? actions P ?
  • precondition Fresh(A,m)
  • actions Initiator role actions A
  • postcondition
  • Honest(B) ? ActionsInOrder(
  • send(A, A,B,m),
  • receive(B, A,B,m),
  • send(B, B,A,n, sigB m, n, A),
  • receive(A, B,A,n, sigB m, n, A) )

18
Composition DHCR ISO-9798-3
  • Additive Combination
  • DH post-condition matches CR precondition
  • Sequential Composition
  • Substitute g^a for m in CR to obtain ISO.
  • Apply composition rule
  • ISO initiator role inherits CR authentication.
  • DH secrecy is also preserved
  • Proved using another application of composition rule.
  • Nondestructive Combination
  • DH and CR satisfy each other's invariants

19
Composing protocols
?
?
DH ? Honest(X) ?
CR ? Honest(X) ?
? - Authentication
? - Secrecy
??? - Secrecy
??? - Authentication
??? - Secrecy ? Authentication additive
DH ? CR ? ??? nondestructive

ISO ? Secrecy ? Authentication
20
Composition Theorems
  • Parallel Composition DDMP-JCS05
  • If Q ? ?, ? - ? S P ?, and Q ? ?, then
    Q Q ? ? S P ?
  • Sequential Composition DDMP-JCS05
  • If Q ? ?, ? - ? S P ?, Q ? ?, ? - ? T
    P?, Q ? ?, Q ? ?, then Q ? ? S T
    P?, where Q is a sequential composition of Q
    and Q
  • Staged Composition
  • HSDDM05

21
Parallel Composition
  • Q - Inv(Q)
  • Inv(Q) - ? P X ?
  • Qi - Inv(Q)
  • No reasoning about attacker

Safe Environment for Q
Q1
Q2
Q3
Qn
  • Different from
  • Assume-guarantee in distributed computing MC81
  • Universal Composability C01, PW01

Protocol Q
Q (Q1 Q2 Qn) - ? P X ?
22
Staged Composition
  • Qi - Inv(Qi)
  • Inv(Qi) - ?i PiX ?i
  • Qi - Inv(Qj)
  • ?i ? ?i1
  • ?B ? ?j > i ProtocolSteps(Q i).
  • ?i BX ?i

Q1
Proof of component
Q2
Parallel composition
Sequential composition
Q3
Staged composition

Qn
Applicable to large protocols with error-handling
flows between components, e.g., IEEE 802.11i
SC(Q1,Q2,..,Qn) -?1 PPiX ?i
23
Outline
  • Protocol Composition Logic
  • Background
  • Compositional Reasoning
  • Complexity-theoretic foundations

24
Two worlds
Symbolic model [NS78, DY84] vs. complexity-theoretic model [GM84]
Attacker actions
  • Symbolic model: Fixed set of actions, e.g., decryption with known key (ABSTRACTION)
  • Complexity-theoretic model: Any probabilistic poly-time computation
Security properties
  • Symbolic model: Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)
  • Complexity-theoretic model: Fine-grained, e.g., secret message = no partial information about bitstring representation
Analysis methods
  • Symbolic model: Successful array of tools and techniques; automation
  • Complexity-theoretic model: Hand-proofs are difficult, error-prone; no automation
Can we get the best of both worlds?
25
Our Approach
  • Protocol Composition Logic (PCL)
  • Syntax
  • Proof System
  • Computational PCL
  • Syntax ?
  • Proof System ?
  • Symbolic Dolev-Yao model
  • Semantics
  • Complexity-theoretic model
  • Semantics

Leverage PCL success
Talk so far
26
Main Result
  • Computational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption
  • Soundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1.
  • Symbolic proofs
  • Complexity-theoretic model

27
Syntax
  • Similar to PCL
  • Main difference
  • Has(X,t) in PCL
  • Possess(X,t) and Indistinguishable(X,t) in
    Computational PCL

28
Complexity-theoretic semantics
  • Q ? if ?A ? D ? f negligible function ? n0 ?n > n0 s.t.

Represents probability
?(T,D,f)/T > 1 - f(n)
  • Fix protocol Q, PPT adversary A, security parameter n
  • Vary random bits used by all programs
  • Obtain set of equi-probable traces, T = T(Q,A,n)

?(T,D,f)
T(Q,A,n)
29
Inductive Semantics
  • ?1 ? ?2 (T,D,?) ?1 (T,D,?) ? ?2
    (T,D,?)
  • ?1 ? ?2 (T,D,?) ?1 (T,D,?) ? ?2
    (T,D,?)
  • ? ? T - ? (T,D,?)
  • Implication uses conditional probability
  • ?1 ? ?2 (T,D,?) ??1 (T,D,?) ? ?2
    (T,D,?) with T ?1 (T,D,?)

Semantics of formulas are transformers on
probability distribution over traces
30
Example
A, B, n, AB
A
B
  • Security Property - secrecy
  • Initiator ProgramA Honest(B) ?
  • (?X (X ?A,B) ? Indistinguishable(X,n)

31
Soundness of proof system
  • Axiom
  • Source(Y,u,mX) ? ?Decrypts(X, mX) ? Honest(X,Y) ? (Z ? X,Y) ? Indistinguishable(Z, u)
  • Proof idea: crypto-style reduction
  • Assume axiom not valid
  • ? A ? D ? f negligible function ? n0 ? n > n0 s.t. ?(T,D,f)/T < 1 - f(n)
  • Construct attacker A that uses A, D to break IND-CCA2 secure encryption scheme
  • Conditional implication essential

32
Logic and Cryptography Big Picture
Protocol security proofs using proof system
Axiom in proof system
Semantics and soundness theorem
Complexity-theoretic crypto definitions (e.g.,
IND-CCA2 secure encryption)
Crypto constructions satisfying definitions
(e.g., Cramer-Shoup encryption scheme)
33
Current Work
  • Investigate nature of logic
  • Propositional fragment not classical
  • ? represents conditional probability
  • complexity-theoretic reductions
  • connections with probabilistic logics (e.g. Nilsson86)
  • Generalize reasoning about secrecy
  • Probability close to ½ instead of 1
  • Not a trace property
  • Extend logic
  • More primitives: signature, hash functions,
  • Remove current syntactic restrictions on formulas
  • Information-theoretic semantics
  • Only probability; no complexity

34
Summary
  • Methodology
  • Divide-and-conquer paradigm in security
  • Combining logic and cryptography
  • Applications
  • IEEE 802.11i (Attack! Fix adopted by IEEE WG)
  • GDOI Secure Group Communication protocol [RFC 3547 2003]
  • (Composition Attack! Fix adopted by IETF WG)
  • IKEv2 [IETF Internet Draft 2004]
  • TLS [RFC 2246 1999]
  • Kerberos V5 [IETF Internet Draft 2004]
  • Mobile IPv6 [RFC 3775 2004] (New Attack!)

35
Publications in dissertation
  • A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic:
  • A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue]
  • Abstraction and refinement in protocol derivation [CSFW04]
  • A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic [ICALP05]
  • A. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan, V. Shmatikov. Unifying equivalence-based definitions of protocol security [WITS04]

36
Other publications
  • A. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan. On the Relationships between Notions of Simulation-based Security [TCC05]
  • M. Backes, A. Datta, A. Derek, J. C. Mitchell, M. Turuani. Compositional Analysis of Contract-Signing Protocols [CSFW05]
  • A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. Secure Protocol Composition [MFPS03]
  • A. Datta, A. Derek, J. C. Mitchell, A. Ramanathan, A. Scedrov. The Impossibility of Realizable Ideal Functionality [In submission]
  • C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i [In submission]