Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations
Anupam Datta, Stanford University
May 10, 2005
Outline
Part I: Overview
• Motivation
• Central problems
  – Divide and Conquer paradigm
  – Combining logic and cryptography
• Results
Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations
This talk is about…
Network security protocols
• Internet Engineering Task Force (IETF) Standards
  – SSL/TLS - web authentication
  – IPSec - corporate VPNs
  – Mobile IPv6 - routing security
  – Kerberos - network authentication
  – GDOI - secure group communication
• IEEE Standards Working Group
  – 802.11i - wireless security
And methods for their security analysis
• Security proof in some model; or
• Identify attacks
Characteristics of protocols
Relatively simple distributed programs
• 5-7 steps, 3-10 fields per message (per component)
Mission critical
• Security of data, credit card numbers, …
Subtle
• Concurrency: an attack may combine data from many sessions
• Computation: modeling cryptographic primitives
Good domain for logical methods
Active research area since the early 80's
Security Analysis Methodology
Inputs to the analysis tool (example instance in parentheses):
• Protocol (SSL)
• Property (authentication)
• Attacker model (complete control over the network; perfect crypto)
Analysis tool: our tool is Protocol Composition Logic (PCL)
Output: security proof or attack (here, a 42 line axiomatic proof)
"Forty-two," said Deep Thought, with infinite majesty and calm.
- D. Adams, HGG, 1979
Classifying Attacks
Implementation bugs
• Buffer overflow, format string vulnerabilities
Cryptography breaks
• IEEE 802.11b (WEP encryption)
Protocol flaws
• Needham-Schroeder, IKE, IEEE 802.11i
• Focus on protocol flaws assuming "strong crypto"
• Complexity-theoretic characterization of "strong crypto"
IEEE 802.11i wireless security [2004]
Participants: Wireless Device, Access Point, Authentication Server
Phases, in order:
• 802.11 Association
• EAP/802.1X/RADIUS Authentication
• 4-way handshake
• Group key handshake
• Data communication
Uses crypto: encryption, hash, …
The two central problems this raises:
• Divide-and-conquer paradigm
• Combining logic and cryptography
Divide-and-Conquer paradigm (Central Problem 1)
Composition is a hard problem in security
Result: Protocol Derivation System [DDMP03-05]
• Incremental protocol construction
Result: Protocol Composition Logic (PCL) [DDDMP01-05]
• Compositional correctness proofs
Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], [Pfitzmann-Waidner01], …
Combining logic and cryptography (Central Problem 2)
Symbolic model [NS78, DY84]
  - Perfect cryptography assumption
  + Idealization => tools and techniques
Complexity-theoretic model [GM84]
  + More detailed model; probabilistic guarantees
  - Hand-proofs very hard; no automation
Result: Computational PCL [DDMST05]
  + Logical proof methods
  + Complexity-theoretic crypto model
Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]
Applied to industrial protocols
• IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG) [He et al]
• IKEv2 [IETF Internet Draft; 2004] [Aron et al]
• TLS/SSL [RFC 2246; 1999] [He et al]
• Mobile IPv6 [RFC 3775; 2004] (New Attack!) [Roy et al]
• Kerberos V5 [IETF Internet Draft; 2004] [Cervesato et al]
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Attack! Fix adopted by IETF WG) [Meadows et al]
Tool support
Isabelle implementation of PCL [Kempston et al]
• PCL syntax and proof system encoded into Isabelle, a generic theorem-prover
• Machine-checkable axiomatic proofs
• Use Isabelle's first-order reasoner
Protocol Derivation Assistant [Anlauff et al]
• Graphical support tool for protocol derivations
IPSec
Widely deployed: corporate VPNs
Provides secrecy and integrity at the IP layer (host-to-host security across the Internet)
IKEv2 is the IPSec key exchange protocol
IKEv2 [IETF ID 2004]
IKE_SA_INIT (exchange key material):
  I → R: HDR, SAi1, g^i, Ni
  R → I: HDR, SAr1, g^r, Nr
IKE_AUTH (authenticate):
  I → R: HDR, SK{IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}
  R → I: HDR, SK{IDr, [CERT,] AUTH, SAr2, TSi, TSr}
CREATE_CHILD_SA (rekey)
Multi-mode protocol: the authenticator (AUTH) can use either a signature or a pre-shared key
• Modular proofs
• Multi-mode (unified "template" proof)
• Properties: authentication, shared secret, identity & DoS protection, repudiability
Mobile IPv6 [IETF ID 2004]
Diagram: a mobile node with a home address and a care-of address, moving between Stanford and Wisconsin while communicating with a Correspondent Node
• Change of location
• Authentication
• DoS issues
• Protocol breaks if the attacker controls the complete network
GDOI [RFC 3547, 2003]
• Secure group communication
• Composition attack
• Fix adopted by IETF WG
Communicating in a group can be difficult…
Diagram: group controller and group members over a public network
Protocol analysis spectrum
Figure: analysis methods plotted by strength of attacker model (low to high) against protocol complexity (low to high)
• Model checking: Murφ, FDR, NRL, Athena
• Hand proofs; Paulson; BAN logic; Spi-calculus; Multiset rewriting; Poly-time calculus
• Protocol logic; Computational protocol logic
• "Holy Grail": the corner with a strong attacker model and complex protocols, approached by two moves: combining logic and cryptography, and divide and conquer
Outline (recap): Part I: Overview; Part II: Protocol Composition Logic (Compositional Reasoning; Complexity-theoretic foundations)
Challenge-Response: Proof Idea
Protocol (A = Alice, B = Bob):
  A → B: m, A
  B → A: n, sigB{m, n, A}
  A → B: sigA{m, n, B}
Alice reasons: if Bob is honest, then:
• only Bob can generate his signature. [protocol independent]
• if Bob generates a signature of the form sigB{m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice. [protocol specific]
Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)
Reasoning method
Reason about local information
• I know my own actions
Incorporate knowledge of protocol
• Honest people faithfully follow the protocol
No explicit reasoning about intruder
• Absence of bad action expressed as a positive property of good actions
  – E.g., an honest agent's signature can be produced only by that agent
Distinguishes our method from existing techniques
Formalism
Cord calculus
• Protocol programming language
• Execution model (Symbolic/"Dolev-Yao")
Protocol logic
• Expressing protocol properties
Proof system
• Proving protocol properties
• Soundness theorem
Challenge-Response as Cords
Protocol:
  A → B: m, A
  B → A: n, sigB{m, n, A}
  A → B: sigA{m, n, B}
InitCR(A, X) = [
  new m;
  send A, X, m, A;
  receive X, A, x, sigX{m, x, A};
  send A, X, sigA{m, x, X};
]
RespCR(B) = [
  receive Y, B, y, Y;
  new n;
  send B, Y, n, sigB{y, n, Y};
  receive Y, B, sigY{y, n, B};
]
Challenge Response: Property
Modal form: precondition [actions] postcondition
• precondition: Fresh(A, m)
• actions: [Initiator role actions]_A
• postcondition: Honest(B) ⊃ ActionsInOrder(send(A, {A,B,m}), receive(B, {A,B,m}), send(B, {B,A,{n, sigB{m, n, A}}}), receive(A, {B,A,{n, sigB{m, n, A}}}))
Proof System
Sample Axioms:
• Reasoning about possession:
  – [receive m]_A Has(A, m)
  – Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
• Reasoning about crypto primitives:
  – Honest(X) ∧ Decrypt(Y, encX{m}) ⊃ X = Y
  – Honest(X) ∧ Verify(Y, sigX{m}) ⊃ ∃m'. (Send(X, m') ∧ Contains(m', sigX{m}))
Soundness Theorem: Every provable formula is valid
Outline (recap): Part I: Overview; Part II: Protocol Composition Logic (Compositional Reasoning; Complexity-theoretic foundations)
Reasoning about Composition
Non-destructive Combination: ensure the combined parts do not interfere
  – In logic: invariance assertions
Additive Combination: accumulate the security properties of the combined parts, assuming they do not interfere
  – In logic: before-after assertions
Proof steps (Intuition)
Protocol independent reasoning
• Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
• Still good: unaffected by composition
Protocol specific reasoning
• "if honest Bob generates a signature of the form sigB{m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice"
• Could break: Bob's signature from one protocol could be used to attack another
Technically:
• Protocol-specific proof steps use invariants
• Invariants must be preserved for safe composition
Invariants
Reasoning about honest principals
• Invariance rule, called the "honesty rule"
Preservation of invariants under composition
• If we prove Honest(X) ⊃ φ for protocol 1 and compose with protocol 2, is the formula still true?
Honesty Rule (Induction)
Definition
• A protocol step begins with a receive and ends before the next receive
Rule: from [ ]_X φ and ∀B ∈ ProtocolSteps(Q). φ [B]_X φ, conclude Q ⊢ Honest(X) ⊃ φ
Example: Γ_CR is Honest(X) ⊃ (Sent(X, m2) ⊃ Received(X, m1))
Diffie-Hellman: Property
Formula
• [new a]_A Fresh(A, g^a)
Explanation
• Modal form: [actions] P
• Actions: [new a]_A
• Postcondition: Fresh(A, g^a)
Challenge Response: Property (recap of the CR property stated above)
Composition: DH + CR = ISO-9798-3
• Additive Combination: the DH postcondition Fresh(A, g^a) matches the CR precondition Fresh(A, m)
Sequential Composition:
• Substitute g^a for m in CR to obtain ISO-9798-3
• Apply the composition rule
• The ISO initiator role inherits CR authentication
• DH secrecy is also preserved, proved using another application of the composition rule
• Nondestructive Combination: DH and CR satisfy each other's invariants
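The cords InitCR/RespCR, the CR postcondition and the g^a-for-m substitution that yields ISO-9798-3, executed end to end as an added example (this is not code from the dissertation or from the PCL/Isabelle tools). It runs both roles symbolically under the perfect-crypto assumption (a signature term matches only the honest signer's own term), lets the network, which is the attacker, decide which message each blocked receiver gets, and then checks ActionsInOrder on the trace. The term encoding, the generator-based scheduler, the replaying network and every name in it (`InitCR`, `RespCR`, `run`, `actions_in_order`, `cr_postcondition`, `demo`) are assumptions of this example. Beyond the honest run it shows two things the slides state but do not execute: why the Fresh(A, m) precondition matters (a responder message 2 captured from an earlier session is rejected by a fresh initiator, because the signature covers the old m), and that the same postcondition holds unchanged on the ISO-9798-3 instance.

```python
"""Symbolic (Dolev-Yao) execution of the challenge-response cords InitCR/RespCR and
a check of the PCL postcondition ActionsInOrder over the trace.  Added example, not
code from the dissertation.  Term encoding (assumed): strings are atoms, tuples are
concatenation, ('sig', X, body) is sigX{body}, ('exp', 'g', a) is g^a."""
import itertools

_fresh = itertools.count(1)

def new(name):                 # the cord action `new x`: a value nobody else holds
    return f"{name}{next(_fresh)}"

def sig(X, body):
    return ('sig', X, body)

def verify(X, term, body):     # perfect crypto: only honest X produces sigX{body}
    return term == ('sig', X, body)

# Roles are generators: yield ('send', (src, dst, body)) or msg = yield ('receive',).
def InitCR(A, X, challenge):   # `challenge` is `new m` for CR, or g^a for ISO-9798-3
    m = challenge()
    yield ('send', (A, X, (m, A)))                 # send A, X, m, A
    _, _, (x, s) = yield ('receive',)              # receive X, A, x, sigX{m, x, A}
    if not verify(X, s, (m, x, A)):
        return None                                # pattern match fails: role stops
    yield ('send', (A, X, sig(A, (m, x, X))))      # send A, X, sigA{m, x, X}
    return (m, x)

def RespCR(B, challenge):      # learns its peer Y from message 1, as in the cord
    Y, B2, (y, Y2) = yield ('receive',)            # receive Y, B, y, Y
    if B2 != B or Y2 != Y:
        return None
    n = challenge()                                # new n
    yield ('send', (B, Y, (n, sig(B, (y, n, Y))))) # send B, Y, n, sigB{y, n, Y}
    _, _, s = yield ('receive',)                   # receive Y, B, sigY{y, n, B}
    return (y, n) if verify(Y, s, (y, n, B)) else None

def run(roles, network):
    """Interleave roles (principal -> generator).  network(receiver, pending) is the
    attacker: it picks and removes the message a blocked receiver gets, or None.
    Returns (trace, results); a role that aborts or starves has result None."""
    trace, results, pending, blocked = [], {}, [], {}
    def step(name, value):
        while True:
            try:
                req = roles[name].send(value)
            except (StopIteration, TypeError, ValueError) as end:
                results[name] = getattr(end, 'value', None)   # return value, or abort
                return
            if req[0] == 'receive':
                blocked[name] = req
                return
            trace.append(('send', req[1][0], req[1]))
            pending.append(req[1])
            value = None
    for name in roles:
        step(name, None)
    while blocked:
        for name in list(blocked):
            msg = network(name, pending)
            if msg is not None:
                break
        else:
            break                                  # every blocked role is starved
        del blocked[name]
        trace.append(('receive', name, msg))
        step(name, msg)
    return trace, results

def honest_network(receiver, pending):             # deliver messages as addressed
    msg = next((m for m in pending if m[1] == receiver), None)
    if msg is not None:
        pending.remove(msg)
    return msg

def actions_in_order(trace, *events):              # PCL's ActionsInOrder
    it = iter(trace)                               # `ev in it` consumes up to the match
    return all(ev in it for ev in events)

def cr_session(network, challenge=lambda: new('m'), A='A', B='B'):
    return run({A: InitCR(A, B, challenge), B: RespCR(B, lambda: new('n'))}, network)

def cr_postcondition(trace, results, A='A', B='B'):
    """Honest(B) => ActionsInOrder(send(A,msg1), receive(B,msg1), send(B,msg2), receive(A,msg2))."""
    if results.get(A) is None:
        return False
    m, n = results[A]                              # the initiator's own m and received x
    msg1, msg2 = (A, B, (m, A)), (B, A, (n, sig(B, (m, n, A))))
    return actions_in_order(trace, ('send', A, msg1), ('receive', B, msg1),
                            ('send', B, msg2), ('receive', A, msg2))

def demo():
    trace, results = cr_session(honest_network)                  # honest CR run
    stale = next(m for act, p, m in trace if act == 'send' and p == 'B')
    replay = lambda r, p: stale if r == 'A' else honest_network(r, p)   # attacker
    _, replayed = cr_session(replay)                             # stale msg 2 fed to A
    dh = lambda: ('exp', 'g', new('a'))                          # DH + CR = ISO-9798-3
    iso_trace, iso_results = cr_session(honest_network, dh)
    return (cr_postcondition(trace, results),                    # True
            replayed.get('A'),                                   # None: A rejects the replay
            cr_postcondition(iso_trace, iso_results))            # True
```

`demo()` returns `(True, None, True)`. The replay run is the point of the Fresh(A, m) precondition: the attacker controls delivery completely, but the captured sigB{m_old, n, A} does not match the pattern sigX{m, x, A} for the new m, so the initiator's receive fails and the postcondition is never reached. The ISO-9798-3 run changes nothing but the `challenge` argument, which is exactly the substitution of g^a for m described above; the trace-level property and its checker are reused as they are.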
Composing protocols
Figure: proof structure for ISO-9798-3 (recoverable labels)
• Γ_DH: Honest(X) ⊃ … (DH invariant); Γ_CR: Honest(X) ⊃ … (CR invariant)
• Γ' ⊢ Secrecy (for DH); Γ' ⊢ Authentication (for CR)
• Γ' ⊢ Secrecy ∧ Authentication [additive]
• DH ∪ CR ⊢ Γ' [nondestructive], hence ISO ⊢ Secrecy ∧ Authentication
Sequential and parallel composition theorems
Composition Rules
• Invariant weakening rule: from Γ ⊢ […] P and Γ ⊆ Γ', conclude Γ' ⊢ […] P
• Sequential Composition: from Γ ⊢ [S] P and Γ ⊢ [T] P, conclude Γ ⊢ [S T] P
• Prove invariants from the protocol: from Q ⊢ Γ and Q' ⊢ Γ, conclude Q ∪ Q' ⊢ Γ
Composition: Big Picture
Different from:
• Assume-guarantee in distributed computing [MC81]
• Universal Composability [C01, PW01]
Figure: protocol Q running in a "safe environment for Q" made up of protocols Q1, Q2, Q3, …, Qn
• Q ⊢ Inv(Q)
• Inv(Q) ⊢ φ
• Qi ⊢ Inv(Q)
• No reasoning about attacker
Outline (recap): Part I: Overview; Part II: Protocol Composition Logic (Compositional Reasoning; Complexity-theoretic foundations)
Two worlds
Symbolic model [NS78, DY84, …] vs. Complexity-theoretic model [GM84, …]
Attacker actions
  - Symbolic: fixed set of actions, e.g., decryption with a known key (ABSTRACTION)
  + Complexity-theoretic: any probabilistic poly-time computation
Security properties
  - Symbolic: idealized, e.g., secret message = not possessing the atomic term representing the message (ABSTRACTION)
  + Complexity-theoretic: fine-grained, e.g., secret message = no partial information about the bitstring representation
Analysis methods
  + Symbolic: successful array of tools and techniques; automation
  - Complexity-theoretic: hand-proofs are difficult, error-prone; no automation
Can we get the best of both worlds?
Our Approach
Protocol Composition Logic (PCL), the talk so far…
• Syntax
• Proof System
• Semantics: symbolic "Dolev-Yao" model
Computational PCL, leveraging PCL's success…
• Syntax ±
• Proof System ±
• Semantics: complexity-theoretic model
Main Result
Computational PCL: a symbolic logic for proving security properties of network protocols that use public-key encryption
Soundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1.
+ Symbolic proofs
+ Complexity-theoretic model
Computational PCL
Syntax
• Expressing security properties
Proof System
• Proving security properties
• Soundness Theorem
Semantics
• Complexity-theoretic Model
  – Attacker: any PPT algorithm
  – Meaning of security properties
Example 1
  A → B: A, B, {n, A}_B
  B → A: B, A, n
Security Property - authentication:
  [Initiator Program]_A Honest(B) ⊃ ActionsInOrder(send(A, msg1), receive(B, msg1), send(B, msg2), receive(A, msg2))
Example 2
  A → B: A, B, {n, A}_B
Security Property - secrecy:
  [Initiator Program]_A Honest(B) ⊃ (∀X. (X ≠ A, B) ⊃ Indistinguishable(X, n))
Logic Syntax, Proof System, Soundness of the proof system
Information-theoretic reasoning
  [new u]_X (Y ≠ X) ⊃ Indistinguishable(Y, u)
Complexity-theoretic reductions
  Source(Y, u, {m}_X) ∧ Decrypts(X, {m}_X) ∧ Honest(X, Y) ⊃ (Z ≠ X, Y) ⊃ Indistinguishable(Z, u)
  – Reduction to an IND-CCA2-secure encryption scheme
Asymptotic calculations
  – Sum of two negligible functions is a negligible function
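The asymptotic step named above, carried through as an added derivation (not from the slides). It uses the slides' f(n), n_0 and T(φ) notation; the polynomial p, the second function g and the index n_1 are introduced here. A function f is negligible when it is eventually below 1/p(n) for every positive polynomial p:

$$
\forall p\ \exists n_0\ \forall n > n_0:\ f(n) < \frac{1}{2p(n)},
\qquad
\forall p\ \exists n_1\ \forall n > n_1:\ g(n) < \frac{1}{2p(n)},
$$

since 2p is itself a polynomial. Hence for all $n > \max(n_0, n_1)$,

$$
f(n) + g(n) < \frac{1}{2p(n)} + \frac{1}{2p(n)} = \frac{1}{p(n)},
$$

which is the definition of negligibility for $f + g$. In a soundness proof this is what lets a bound of $1 - f(n)$ for one formula and $1 - g(n)$ for another combine into $1 - (f+g)(n)$ for their conjunction, via the union bound on the failing traces:

$$
|T(Q,A,n) \setminus T(\varphi_1 \wedge \varphi_2)|
\ \le\ |T(Q,A,n) \setminus T(\varphi_1)| + |T(Q,A,n) \setminus T(\varphi_2)|
\ <\ (f(n) + g(n))\,|T(Q,A,n)| .
$$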
Complexity-theoretic semantics
• Fix protocol Q, PPT adversary A, security parameter n
• Vary the random bits used by all programs
• Obtain a set of equi-probable traces, T(Q,A,n)
• T(φ) ⊆ T(Q,A,n) is the set of traces satisfying φ; the ratio |T(φ)| / |T(Q,A,n)| represents a probability
Q ⊨ φ if ∀A ∀D ∃ negligible f ∃n0 ∀n > n0: |T(φ)| / |T(Q,A,n)| > 1 − f(n)
  (A ranges over PPT adversaries, D over PPT distinguishers)
Inductive Semantics
Consider the set of traces T(Q,A,n)
• T(φ1 ∧ φ2) = T(φ1) ∩ T(φ2)
• T(φ1 ∨ φ2) = T(φ1) ∪ T(φ2)
• T(¬φ) = T(Q,A,n) \ T(φ)
Semantics of formulas are transformers on the probability distribution over traces
Logic and Cryptography: Big Picture
Layers, bottom to top:
• Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
• Crypto constructions satisfying the definitions (e.g., Cramer-Shoup encryption scheme)
• Axiom in the proof system, justified from the crypto definition by the semantics and soundness theorem
• Protocol security proofs using the proof system
Current Work
Investigate nature of the logic
• Propositional fragment not classical; represents conditional probability
  – complexity-theoretic reductions
  – connections with probabilistic logics (e.g. Nilsson86)
Generalize reasoning about secrecy
• Probability close to ½ instead of 1
• Not a trace property
Extend logic
• More primitives: signature, hash functions, …
• Remove current syntactic restrictions on formulas
Information-theoretic semantics
• Only probability; no complexity
Summary
Methodology:
• Divide-and-conquer paradigm in security
• Combining logic and cryptography
Applications:
• IEEE 802.11i (Attack! Fix adopted by IEEE WG)
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
• IKEv2 [IETF Internet Draft; 2004]
• TLS [RFC 2246; 1999]
• Kerberos V5 [IETF Internet Draft; 2004]
• Mobile IPv6 [RFC 3775; 2004] (New Attack!)
Publications in dissertation
• A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue]
• A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. Abstraction and refinement in protocol derivation [CSFW04]
• A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic [ICALP05]
• A. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan, V. Shmatikov. Unifying equivalence-based definitions of protocol security [WITS04]
Other publications
• A. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan. On the Relationships between Notions of Simulation-based Security [TCC05]
• M. Backes, A. Datta, A. Derek, J. C. Mitchell, M. Turuani. Compositional Analysis of Contract-Signing Protocols [CSFW05]
• A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. Secure Protocol Composition [MFPS03]
• A. Datta, A. Derek, J. C. Mitchell, A. Ramanathan, A. Scedrov. The Impossibility of Realizable Ideal Functionality [In submission]
• C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i [In submission]
Acknowledgements
John Mitchell; Dan Boneh, David Dill, Rajeev Motwani, Stanley Peters; Dusko Pavlovic, Andre Scedrov; Ante Derek, Ajith Ramanathan; Ralf Kuesters, Vitaly Shmatikov, Mathieu Turuani, Bogdan Warinschi, Andrei Aron, Dan Auerbach, Changhua He, Cary Kempston, Arnab Roy, Mukund Sundararajan
Family, friends, …