Title: Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations
Slide 1: Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations
- Anupam Datta
- Stanford University
- May 10, 2005
Slide 2: Outline
- Part I: Overview
  - Motivation
  - Central problems
  - Divide-and-conquer paradigm
  - Combining logic and cryptography
  - Results
- Part II: Protocol Composition Logic
  - Compositional reasoning
  - Complexity-theoretic foundations
Slide 3: This talk is about
- Network security protocols
  - Internet Engineering Task Force (IETF) standards
    - SSL/TLS: web authentication
    - IPSec: corporate VPNs
    - Mobile IPv6: routing security
    - Kerberos: network authentication
    - GDOI: secure group communication
  - IEEE standards working group
    - 802.11i: wireless security
- And methods for their security analysis
  - Security proof in some model, or
  - Identify attacks
Slide 4: Characteristics of protocols
- Relatively simple distributed programs
  - 5-7 steps, 3-10 fields per message (per component)
- Mission critical
  - Security of data, credit card numbers, ...
- Subtle
  - Concurrency: an attack may combine data from many sessions
  - Computation: modeling cryptographic primitives
- Good domain for logical methods
- Active research area since the early 80s
Slide 5: Security Analysis Methodology
[Diagram: a protocol, a property and an attacker model are fed into an analysis tool, which yields either a security proof or an attack.]
"Forty-two," said Deep Thought, with infinite majesty and calm. (D. Adams, HGG, 1979)
Slide 6: Classifying Attacks
- Implementation bugs
  - Buffer overflow, format string vulnerabilities
- Cryptography breaks
  - IEEE 802.11b (WEP encryption)
- Protocol flaws
  - Needham-Schroeder, IKE, IEEE 802.11i
- Focus on protocol flaws, assuming strong crypto
  - Complexity-theoretic characterization of strong crypto
Slide 7: IEEE 802.11i wireless security (2004)
[Diagram: three parties, Wireless Device, Access Point and Authentication Server, run in sequence: 802.11 Association; EAP/802.1X/RADIUS Authentication; 4-way handshake; Group key handshake; Data communication. The protocol uses cryptographic primitives (encryption, hash, ...).]
- Divide-and-conquer paradigm
- Combining logic and cryptography
Slide 8: Divide-and-Conquer paradigm
- Result: Protocol Derivation System [DDMP03-05]
  - Incremental protocol construction
- Result: Protocol Composition Logic (PCL) [DDDMP01-05]
  - Compositional correctness proofs
- Related work: Heintze-Tygar96, Lynch99, Sheyner-Wing00, Canetti01, Pfitzmann-Waidner01, ...
- Central Problem 1: composition is a hard problem in security
Slide 9: Combining logic and cryptography
- Symbolic model [NS78, DY84]
  - (drawback) Perfect cryptography assumption
  - Idealization => tools and techniques
- Complexity-theoretic model [GM84]
  - More detailed model, probabilistic guarantees
  - (drawback) Hand proofs very hard, no automation
- Result: Computational PCL [DDMST05]
  - Logical proof methods
  - Complexity-theoretic crypto model
- Related work: Mitchell-Scedrov et al. 98-04, Abadi-Rogaway00, Backes-Pfitzmann-Waidner03-04, Micciancio-Warinschi04
- Central Problem 2
Slide 10: Applied to industrial protocols
- IEEE 802.11i authentication protocol [IEEE Standards 2004] (Attack! Fix adopted by IEEE WG) [He et al.]
- IKEv2 [IETF Internet Draft 2004] [Aron et al.]
- TLS/SSL [RFC 2246, 1999] [He et al.]
- Mobile IPv6 [RFC 3775, 2004] (New attack!) [Roy et al.]
- Kerberos V5 [IETF Internet Draft 2004] [Cervesato et al.]
- GDOI Secure Group Communication protocol [RFC 3547, 2003] (Attack! Fix adopted by IETF WG) [Meadows et al.]
Slide 11: Tool support
- Isabelle implementation of PCL [Kempston et al.]
  - PCL syntax and proof system encoded into Isabelle, a generic theorem prover
  - Machine-checkable axiomatic proofs
  - Uses Isabelle's first-order reasoner
- Protocol Derivation Assistant [Anlauff et al.]
  - Graphical support tool for protocol derivations
Slide 12: IPSec
- IP-layer host-to-host security
- Widely deployed: corporate VPNs
- Provides secrecy and integrity
- IKEv2 is the IPSec key exchange protocol
Slide 13: IKEv2 [IETF ID 2004]
- Multi-mode protocol: the authenticator can use either a signature or a pre-shared key
- IKE_INIT (exchange key material)
  - I → R: HDR, SAi1, g^i, Ni
  - R → I: HDR, SAr1, g^r, Nr
- IKE_AUTH (authenticate)
  - I → R: HDR, SK{IDi, CERT, CERTREQ, IDr, AUTH, SAi2, TSi, TSr}
  - R → I: HDR, SK{IDr, CERT, AUTH, SAr2, TSi, TSr}
- IKE_CHILD_SA (rekey)
- Modular proofs
  - Multi-mode (unified template proof)
  - Properties: authentication, shared secret, identity, DoS protection, repudiability
Slide 14: Mobile IPv6 [IETF ID 2004]
[Diagram: a mobile node, reachable at its home address and at a care-of address, communicates with a correspondent node.]
- Change of location
- Authentication
- DoS issues
- The protocol breaks if the attacker controls the complete network
Slide 15: GDOI [RFC 3547, 2003]
[Diagram: a group controller and group members communicating over a public network. Caption: communicating in a group can be difficult.]
- Secure group communication
- Composition attack
- Fix adopted by IETF WG
Slide 16: Protocol analysis spectrum
[Figure: a two-axis plot of analysis methods. Horizontal axis: protocol complexity (low to high); vertical axis: strength of attacker model (low to high). Methods placed on the plot: model checking (Murφ, FDR), BAN logic, NRL, Athena, Paulson, protocol logic, multiset rewriting, spi-calculus, poly-time calculus, hand proofs and computational protocol logic. Two annotations, "divide and conquer" and "combining logic and cryptography", mark the directions the talk pursues, and the high-complexity, strong-attacker corner is labelled "Holy Grail".]
Slide 17: Outline
- Part I: Overview
- Part II: Protocol Composition Logic
  - Compositional reasoning
  - Complexity-theoretic foundations
Slide 18: Challenge-Response: Proof Idea
- Messages
  - A → B: m, A
  - B → A: n, sig_B(m, n, A)
  - A → B: sig_A(m, n, B)
- Alice reasons: if Bob is honest, then
  - only Bob can generate his signature (protocol independent)
  - if Bob generates a signature of the form sig_B(m, n, A), he sends it as part of msg2 of the protocol, and he must have received msg1 from Alice (protocol specific)
- Alice deduces that Bob received msg1 and then sent msg2: Received(B, msg1) precedes Sent(B, msg2)
Slide 19: Reasoning method
- Reason about local information
  - I know my own actions
- Incorporate knowledge of the protocol
  - Honest people faithfully follow the protocol
- No explicit reasoning about the intruder
  - Absence of a bad action is expressed as a positive property of good actions
  - E.g., an honest agent's signature can be produced only by that agent
- This distinguishes our method from existing techniques
Slide 20: Formalism
- Cord calculus
  - Protocol programming language
  - Execution model (symbolic/Dolev-Yao)
- Protocol logic
  - Expressing protocol properties
- Proof system
  - Proving protocol properties
- Soundness theorem
Slide 21: Challenge-Response as Cords
- Messages
  - A → B: m, A
  - B → A: n, sig_B(m, n, A)
  - A → B: sig_A(m, n, B)
- Cords, one per role (x, y, X, Y are variables bound by receive; new creates a fresh nonce)
  - InitCR(A, X) = [ new m; send A, X, m; receive X, A, x, sig_X(m, x, A); send A, X, sig_A(m, x, X) ]
  - RespCR(B) = [ receive Y, B, y; new n; send B, Y, n, sig_B(y, n, Y); receive Y, B, sig_Y(y, n, B) ]
Slide 22: Challenge-Response Property
- Modal form: θ [actions]_P φ
  - precondition θ: Fresh(A, m)
  - actions: initiator role actions [ ... ]_A
  - postcondition φ: Honest(B) ⊃ ActionsInOrder(send(A, (A, B, m)), receive(B, (A, B, m)), send(B, (B, A, n, sig_B(m, n, A))), receive(A, (B, A, n, sig_B(m, n, A))))
Slide 23: Proof System
- Sample axioms
  - Reasoning about possession
    - [receive m]_A Has(A, m)
    - Has(A, (m, n)) ⊃ Has(A, m) ∧ Has(A, n)
  - Reasoning about crypto primitives
    - Honest(X) ∧ Decrypt(Y, enc_X(m)) ⊃ X = Y
    - Honest(X) ∧ Verify(Y, sig_X(m)) ⊃ ∃m′. (Send(X, m′) ∧ Contains(m′, sig_X(m)))
- Soundness theorem
  - Every provable formula is valid
Slide 24: Outline
- Part I: Overview
- Part II: Protocol Composition Logic
  - Compositional reasoning
  - Complexity-theoretic foundations
Slide 25: Reasoning about Composition
- Non-destructive combination
  - Ensure the combined parts do not interfere
  - In the logic: invariance assertions
- Additive combination
  - Accumulate the security properties of the combined parts, assuming they do not interfere
  - In the logic: before-after assertions
Slide 26: Proof steps (Intuition)
- Protocol-independent reasoning
  - Has(A, (m, n)) ⊃ Has(A, m) ∧ Has(A, n)
  - Still good: unaffected by composition
- Protocol-specific reasoning
  - If honest Bob generates a signature of the form sig_B(m, n, A), he sends it as part of msg2 of the protocol, and he must have received msg1 from Alice
  - Could break: Bob's signature from one protocol could be used to attack another
- Technically
  - Protocol-specific proof steps use invariants
  - Invariants must be preserved for safe composition
Slide 27: Invariants
- Reasoning about honest principals
  - Invariance rule, called the honesty rule
- Preservation of invariants under composition
  - If we prove Honest(X) ⊃ φ for protocol 1 and compose with protocol 2, is the formula still true?
Slide 28: Honesty Rule (Induction)
- Definition
  - A protocol step begins with a receive and ends before the next receive
- Rule
  - Premises: [ ]_X φ, and φ [B]_X φ for every B ∈ ProtocolSteps(Q)
  - Conclusion: Q ⊢ Honest(X) ⊃ φ
- Example
  - CR ⊢ Honest(X) ⊃ (Sent(X, m2) ⊃ Received(X, m1))
Slide 29: Diffie-Hellman Property
- Formula
  - [new a]_A Fresh(A, g^a)
- Explanation
  - Modal form: [actions]_P φ
  - Actions: [new a]_A
  - Postcondition: Fresh(A, g^a)
Slide 30: Challenge-Response Property
- Modal form: θ [actions]_P φ
  - precondition θ: Fresh(A, m)
  - actions: initiator role actions [ ... ]_A
  - postcondition φ: Honest(B) ⊃ ActionsInOrder(send(A, (A, B, m)), receive(B, (A, B, m)), send(B, (B, A, n, sig_B(m, n, A))), receive(A, (B, A, n, sig_B(m, n, A))))
Slide 31: Composition: DH + CR = ISO-9798-3
- Additive combination
  - The DH postcondition matches the CR precondition
- Sequential composition
  - Substitute g^a for m in CR to obtain ISO
  - Apply the composition rule
  - The ISO initiator role inherits CR authentication
  - DH secrecy is also preserved (proved using another application of the composition rule)
- Nondestructive combination
  - DH and CR satisfy each other's invariants
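The following is an added example, not code from the talk or from the PCL tools it mentions. It executes the challenge-response cords of slide 21 in the symbolic model (signatures are terms that name their signer, delivery is over an honest network with no attacker) and then checks, on the recorded trace, the three things the logic proves about them: the ActionsInOrder postcondition of slide 22, the honesty-rule invariant Sent(X, msg2) ⊃ Received(X, msg1) of slide 28, and the ISO-9798-3 instance of slide 31 obtained by substituting g^a for m. The names Trace, actions_in_order, honesty_invariant, run_cr, run_iso and rogue_msg2_trace, and the tuple encoding of terms, are my own assumptions; a constructed trace at the end shows the invariant check rejecting a msg2 that was never preceded by a msg1.

```python
# Added example, not from the talk: symbolic (Dolev-Yao style) execution of the slide 18/21
# challenge-response protocol plus the trace checks the logic proves about it: ActionsInOrder
# (slide 22), the honesty invariant Sent(X,msg2) => Received(X,msg1) (slide 28) and ISO-9798-3
# as DH composed with CR by substituting g^a for m (slide 31). All names here are my own.
from itertools import count
_fresh = count(1)                                # counter behind every 'new' value

def sig(X, payload):                             # symbolic sig_X(payload): only X can build it
    return ('sig', X, payload)

def verify(term, X, payload):                    # Verify(Y, sig_X(payload)), structurally
    return term == ('sig', X, payload)

class Trace:
    """Records every principal's new/send/receive actions of one run, in order."""
    def __init__(self):
        self.events = []
    def log(self, kind, P, value):
        self.events.append((kind, P, value))
        return value
    def new(self, P, label):                     # fresh value, never reused across runs
        return self.log('new', P, (label, next(_fresh)))
    def send(self, P, msg):
        return self.log('send', P, msg)
    def receive(self, P, msg):
        return self.log('receive', P, msg)

# Roles are generators that yield the message they send and resume with the reply.
# InitCR(A, X) = [new m; send A,X,m; receive X,A,x,sig_X(m,x,A); send A,X,sig_A(m,x,X)]
def init_cr(A, X, t, m=None):
    m = t.new(A, 'm') if m is None else m        # ISO-9798-3 supplies m = g^a instead
    msg2 = yield t.send(A, (A, X, m))
    X2, A2, x, s = t.receive(A, msg2)
    if not (X2 == X and A2 == A and verify(s, X, (m, x, A))):
        raise ValueError('msg2: responder signature does not verify')
    yield t.send(A, (A, X, sig(A, (m, x, X))))

# RespCR(B) = [receive Y,B,y; new n; send B,Y,n,sig_B(y,n,Y); receive Y,B,sig_Y(y,n,B)]
def resp_cr(B, t):
    Y, B2, y = t.receive(B, (yield))
    n = t.new(B, 'n')
    msg3 = yield t.send(B, (B, Y, n, sig(B, (y, n, Y))))
    Y2, B3, s = t.receive(B, msg3)
    if not (Y2 == Y and B3 == B and verify(s, Y, (y, n, B))):
        raise ValueError('msg3: initiator signature does not verify')
    yield None

def run(initiator, responder):
    """Honest network, no attacker: every message is delivered straight to the peer."""
    msg1 = next(initiator)
    next(responder)                              # responder blocks on its first receive
    msg3 = initiator.send(responder.send(msg1))
    responder.send(msg3)

def actions_in_order(t, pattern):
    """ActionsInOrder(a1, ..., ak): the listed actions occur in the trace in this order."""
    i = 0
    for ev in t.events:
        if i < len(pattern) and ev == pattern[i]:
            i += 1
    return i == len(pattern)

def first_nonce(t, P):
    return next(v for kind, Q, v in t.events if kind == 'new' and Q == P)

def cr_postcondition(t, A, B, m):
    """Slide 22 postcondition for initiator A, instantiated with this run's m and B's nonce n."""
    n = first_nonce(t, B)
    msg1, msg2 = (A, B, m), (B, A, n, sig(B, (m, n, A)))
    return actions_in_order(t, [('send', A, msg1), ('receive', B, msg1),
                                ('send', B, msg2), ('receive', A, msg2)])

def honesty_invariant(t, X):
    """Slide 28 invariant of CR for honest X: every msg2 X sends answers a msg1 X received."""
    received_msg1 = set()
    for kind, P, msg in t.events:
        if P == X and kind == 'receive' and len(msg) == 3:   # msg1 shape: (Y, X, y)
            received_msg1.add(msg)
        if P == X and kind == 'send' and len(msg) == 4:      # msg2: (X, Y, n, sig_X(y, n, Y))
            if (msg[1], X, msg[3][2][0]) not in received_msg1:
                return False
    return True

def run_cr(A='A', B='B'):
    t = Trace()
    run(init_cr(A, B, t), resp_cr(B, t))
    return t, first_nonce(t, A)                  # the run's challenge m

def run_iso(A='A', B='B'):
    """ISO-9798-3 as DH composed with CR (slide 31): the challenge m is A's fresh g^a."""
    t = Trace()
    g_a = ('exp', 'g', t.new(A, 'a'))            # symbolic g^a; Fresh(A, g^a) as on slide 29
    run(init_cr(A, B, t, m=g_a), resp_cr(B, t))
    return t, g_a

def rogue_msg2_trace(A='A', B='B'):
    """Constructed trace: B emits a msg2 with no matching msg1, violating the invariant."""
    t = Trace()
    n = t.new(B, 'n')
    t.send(B, (B, A, n, sig(B, (('m', 0), n, A))))
    return t
```

The design mirrors the slides' reasoning method: no intruder is modelled, and both checks are phrased as positive properties of the honest roles' actions. Because init_cr takes the challenge as a parameter, the ISO run reuses the CR code unchanged, which is exactly the substitution step of the sequential composition; cr_postcondition then holds for it with m = g^a.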
Slide 32: Composing protocols
[Diagram: DH proves Secrecy under its own honesty invariant (DH ⊢ Honest(X) ⊃ invariant), and CR proves Authentication under its own honesty invariant (CR ⊢ Honest(X) ⊃ invariant). Nondestructive combination: DH and CR together satisfy both invariants. Additive combination: ISO ⊢ Secrecy ∧ Authentication.]
- Sequential and parallel composition theorems
Slide 33: Composition Rules
- Invariant weakening rule
  - From Γ ⊢ θ [P] φ, conclude Γ ∪ Γ′ ⊢ θ [P] φ
- Sequential composition
  - From Γ ⊢ θ [S]_P ψ and Γ ⊢ ψ [T]_P φ, conclude Γ ⊢ θ [S; T]_P φ
- Prove invariants from the protocol
  - From Q ⊢ Γ and Q′ ⊢ Γ, conclude Q ∪ Q′ ⊢ Γ
Slide 34: Composition: Big Picture
- Q ⊢ Inv(Q)
- Inv(Q) ⊢ φ
- Q_i ⊢ Inv(Q)
- No reasoning about the attacker
[Diagram: protocol Q runs in a "safe environment" made up of other protocols Q1, Q2, Q3, ..., Qn, each of which respects Inv(Q).]
- Different from
  - Assume-guarantee in distributed computing [MC81]
  - Universal composability [C01, PW01]
Slide 35: Outline
- Part I: Overview
- Part II: Protocol Composition Logic
  - Compositional reasoning
  - Complexity-theoretic foundations
Slide 36: Two worlds
- Symbolic model [NS78, DY84] vs. complexity-theoretic model [GM84]
  - Attacker actions: a fixed set of actions, e.g., decryption with a known key (abstraction) vs. any probabilistic poly-time computation
  - Security properties: idealized, e.g., "secret message" means not possessing the atomic term representing the message (abstraction) vs. fine-grained, e.g., "secret message" means no partial information about the bitstring representation
  - Analysis methods: a successful array of tools and techniques, automation vs. hand proofs that are difficult and error-prone, no automation
- Can we get the best of both worlds?
Slide 37: Our Approach
- Talk so far: Protocol Composition Logic (PCL)
  - Syntax
  - Proof system
  - Semantics: symbolic Dolev-Yao model
- Computational PCL: leverage the success of PCL
  - Syntax and proof system carried over from PCL
  - Semantics: complexity-theoretic model
Slide 38: Main Result
- Computational PCL: a symbolic logic for proving security properties of network protocols that use public-key encryption
- Soundness theorem: if a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1
[Diagram: symbolic proofs on one side and the complexity-theoretic model on the other, linked by the soundness theorem.]
Slide 39: Computational PCL
- Syntax
  - Expressing security properties
- Proof system
  - Proving security properties
  - Soundness theorem
- Semantics
  - Complexity-theoretic model
  - Attacker: any PPT algorithm
  - Meaning of security properties
Slide 40: Example 1
- Messages
  - A → B: A, B, n, AB
  - B → A: B, A, n
- Security property: authentication
  - Initiator: [Program_A]_A Honest(B) ⊃ ActionsInOrder(send(A, msg1), receive(B, msg1), send(B, msg2), receive(A, msg2))
Slide 41: Example 2
- Message
  - A → B: A, B, n, AB
- Security property: secrecy
  - Initiator: [Program_A]_A Honest(B) ⊃ (∀X. (X ≠ A, B) ⊃ Indistinguishable(X, n))
Slide 42: Logic Syntax
Slide 43: Proof System
Slide 44: Soundness of proof system
- Information-theoretic reasoning
  - [new u]_X (Y ≠ X) ⊃ Indistinguishable(Y, u)
- Complexity-theoretic reductions
  - Source(Y, u, enc_X(m)) ∧ ¬Decrypts(X, enc_X(m)) ∧ Honest(X, Y) ∧ (Z ≠ X, Y) ⊃ Indistinguishable(Z, u)
  - Reduction to an IND-CCA2-secure encryption scheme
- Asymptotic calculations
  - The sum of two negligible functions is a negligible function
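As an added worked derivation, not from the slides, here is the asymptotic step spelled out in the talk's own terms, where a negligible function is one that is eventually smaller than every inverse polynomial. Let $f, g$ be negligible: for every $c > 0$ there are $n_f, n_g$ with

$$
f(n) < n^{-c} \ \text{ for } n > n_f, \qquad g(n) < n^{-c} \ \text{ for } n > n_g .
$$

Fix $c$ and apply the definition with exponent $c+1$; then for every $n > \max(n_f, n_g, 2)$,

$$
f(n) + g(n) \;<\; 2\,n^{-(c+1)} \;=\; \frac{2}{n}\, n^{-c} \;\le\; n^{-c},
$$

so $f + g$ is negligible. A soundness argument that loses $f(n)$ in one reduction step and $g(n)$ in a second therefore still gives a trace fraction greater than $1 - (f+g)(n)$, which is what "probability asymptotically close to 1" means.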
Slide 45: Complexity-theoretic semantics
- Fix protocol Q, PPT adversary A, security parameter n
- Vary the random bits used by all programs
- Obtain a set of equiprobable traces, T(Q, A, n)
- Q ⊨ φ if for every adversary A ∈ D there is a negligible function f and an n0 such that for all n > n0: |T(φ)| / |T(Q, A, n)| > 1 − f(n)
  - The ratio represents the probability that φ holds on a trace
[Diagram: T(φ) drawn as a subset of T(Q, A, n).]
Slide 46: Inductive Semantics
- Consider the set of traces T(Q, A, n)
  - T(φ1 ∧ φ2) = T(φ1) ∩ T(φ2)
  - T(φ1 ∨ φ2) = T(φ1) ∪ T(φ2)
  - T(¬φ) = T(Q, A, n) \ T(φ)
- Semantics of formulas are transformers on the probability distribution over traces
Slide 47: Logic and Cryptography: Big Picture
[Diagram: a stack of layers. Protocol security proofs are built with the proof system; each axiom in the proof system is justified by the semantics and the soundness theorem; these rest on complexity-theoretic crypto definitions (e.g., IND-CCA2-secure encryption), which are realized by crypto constructions satisfying the definitions (e.g., the Cramer-Shoup encryption scheme).]
Slide 48: Current Work
- Investigate the nature of the logic
  - Propositional fragment is not classical
    - ⊃ represents conditional probability
    - complexity-theoretic reductions
  - Connections with probabilistic logics (e.g., Nilsson86)
- Generalize reasoning about secrecy
  - Probability close to ½ instead of 1
  - Not a trace property
- Extend the logic
  - More primitives: signature, hash functions, ...
  - Remove current syntactic restrictions on formulas
- Information-theoretic semantics
  - Only probability, no complexity
Slide 49: Summary
- Methodology
  - Divide-and-conquer paradigm in security
  - Combining logic and cryptography
- Applications
  - IEEE 802.11i (Attack! Fix adopted by IEEE WG)
  - GDOI Secure Group Communication protocol [RFC 3547, 2003] (Composition attack! Fix adopted by IETF WG)
  - IKEv2 [IETF Internet Draft 2004]
  - TLS [RFC 2246, 1999]
  - Kerberos V5 [IETF Internet Draft 2004]
  - Mobile IPv6 [RFC 3775, 2004] (New attack!)
Slide 50: Protocol analysis spectrum
[Figure: the protocol-analysis spectrum plot from slide 16, repeated: protocol complexity on the horizontal axis, strength of attacker model on the vertical axis, with the same methods (Murφ, FDR, BAN logic, NRL, Athena, Paulson, protocol logic, multiset rewriting, spi-calculus, poly-time calculus, hand proofs, computational protocol logic) and the "Holy Grail" corner.]
Slide 51: Publications in dissertation
- A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. A derivation system and compositional logic for security protocols. CSFW03, JCS05 special issue
- A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. Abstraction and refinement in protocol derivation. CSFW04
- A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic. ICALP05
- A. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan, V. Shmatikov. Unifying equivalence-based definitions of protocol security. WITS04
Slide 52: Other publications
- A. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan. On the Relationships between Notions of Simulation-based Security. TCC05
- M. Backes, A. Datta, A. Derek, J. C. Mitchell, M. Turuani. Compositional Analysis of Contract-Signing Protocols. CSFW05
- A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. Secure Protocol Composition. MFPS03
- A. Datta, A. Derek, J. C. Mitchell, A. Ramanathan, A. Scedrov. The Impossibility of Realizable Ideal Functionality. In submission
- C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i. In submission
Slide 53: Acknowledgements
- John Mitchell
- Dan Boneh, David Dill, Rajeev Motwani, Stanley Peters
- Dusko Pavlovic, Andre Scedrov
- Ante Derek, Ajith Ramanathan
- Ralf Kuesters, Vitaly Shmatikov, Mathieu Turuani, Bogdan Warinschi, Andrei Aron, Dan Auerbach, Changhua He, Cary Kempston, Arnab Roy, Mukund Sundararajan
- Family, friends, ...