Abstraction and Refinement in Protocol Derivation
Anupam Datta, Ante Derek, John C. Mitchell, Dusko Pavlovic
Stanford University, Kestrel Institute. CSFW, June 28, 2004
Project Goals
Protocol derivation: build security protocols by combining and refining parts from basic protocols.
Proof of correctness: prove protocols correct using a logic that follows the steps of the derivation.
Outline
Background
Derivation System [CSFW03]
Compositional Logic [CSFW01, CSFW03]
Abstraction and Refinement Methods
Applications
Conclusions and Future Work
Example
Construct a protocol with the properties: shared secret, authenticated, identity protection.
These are the design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocols).
Component 1: Diffie-Hellman
A → B: g^a
B → A: g^b
Shared secret (with someone): A deduces
Knows(Y, g^ab) ⊃ (Y = A) ∨ Knows(Y, b)
Authenticated; Identity Protection
Component 2: Challenge-Response
A → B: m, A
B → A: n, sig_B{m, n, A}
A → B: sig_A{m, n, B}
Shared secret; Authenticated: A deduces Received(B, msg1) ∧ Sent(B, msg2)
Identity Protection
Composition: ISO-9798-3
m := g^a
n := g^b
A → B: g^a, A
B → A: g^b, sig_B{g^a, g^b, A}
A → B: sig_A{g^a, g^b, B}
Shared secret: g^ab
Authenticated; Identity Protection
Refinement: Encrypt Signatures
A → B: g^a, A
B → A: g^b, E_K{sig_B{g^a, g^b, A}}
A → B: E_K{sig_A{g^a, g^b, B}}
Shared secret: g^ab
Authenticated; Identity Protection
Outline
Background
Derivation System
Compositional Logic
Abstraction and Refinement Methods
Applications
Conclusions and Future Work
Challenge-Response: Proof Idea
A → B: m, A
B → A: n, sig_B{m, n, A}
A → B: sig_A{m, n, B}
Alice reasons: if Bob is honest, then:
only Bob can generate his signature [protocol independent];
if Bob generates a signature of the form sig_B{m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg 1 from Alice [protocol specific].
Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)
Formalism
Cord calculus: protocol programming language
Protocol logic: expressing protocol properties
Proof system: proving protocol properties
Symbolic ("Dolev-Yao") model
Challenge-Response as Cords
A → B: m, A
B → A: n, sig_B{m, n, A}
A → B: sig_A{m, n, B}
InitCR(A, X) = [
  new m;
  send A, X, m, A;
  receive X, A, x, sig_X{m, x, A};
  send A, X, sig_A{m, x, X};
]
RespCR(B) = [
  receive Y, B, y, Y;
  new n;
  send B, Y, n, sig_B{y, n, Y};
  receive Y, B, sig_Y{y, n, B};
]
Correctness of CR
CR ⊢ [InitCR(A, B)]_A Honest(B) ⊃ ActionsInOrder(
  Send(A, {A, B, m}),
  Receive(B, {A, B, m}),
  Send(B, {B, A, {n, sig_B{m, n, A}}}),
  Receive(A, {B, A, {n, sig_B{m, n, A}}}))
InitCR(A, X) = [
  new m;
  send A, X, {m, A};
  receive X, A, {x, sig_X{m, x, A}};
  send A, X, sig_A{m, x, X};
]
RespCR(B) = [
  receive Y, B, {y, Y};
  new n;
  send B, Y, {n, sig_B{y, n, Y}};
  receive Y, B, sig_Y{y, n, B};
]
Proof System
Sample axioms:
Reasoning about possession:
  Has(A, {m}_K) ∧ Has(A, K) ⊃ Has(A, m)
  Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
Reasoning about crypto primitives:
  Honest(X) ∧ Decrypt(Y, enc_X{m}) ⊃ X = Y
  Honest(X) ∧ Verify(Y, sig_X{m}) ⊃ ∃m'. (Send(X, m') ∧ Contains(m', sig_X{m}))
Protocol-specific rule: Honesty/Invariance rule
Soundness Theorem: every provable formula is valid
Outline
Background
Derivation System
Compositional Logic
Abstraction and Refinement Methods
Applications
Conclusions and Future Work
Protocol Templates
Protocols with function variables in place of specific cryptographic operations.
Idea: one template can be instantiated to many protocols.
Advantages: proof reuse; design principles/patterns.
Example: Abstraction and Instantiations
Challenge-Response Template
A → B: m
B → A: n, F(B, A, n, m)
A → B: G(A, B, n, m)
Instantiations:
ISO-9798-2 (encryption under the shared key K_AB)
A → B: m
B → A: n, E_KAB(n, m, B)
A → B: E_KAB(n, m)
SKID3 (keyed hash under the shared key K_AB)
A → B: m
B → A: n, H_KAB(n, m, B)
A → B: H_KAB(n, m, A)
ISO-9798-3 (signatures)
A → B: m
B → A: n, sig_B(n, m, A)
A → B: sig_A(n, m, B)
Extending the Formalism
Language extensions: add function variables to the term language for cords and logic (HOL).
Semantics: Q ⊨ φ iff σQ ⊨ σφ, for all substitutions σ eliminating all function variables.
Soundness Theorem: every provable formula is valid.
Abstraction-Instantiation Method (1)
Characterizing protocol concepts
Step 1: Under hypotheses about function variables and invariants, prove the security property of the template.
Step 2: Instantiate function variables to cryptographic operations and prove the hypotheses.
Benefit: proof reuse
Example: Challenge-Response Template
A → B: m
B → A: n, F(B, A, n, m)
A → B: G(A, B, n, m)
• Step 1:
• Hypotheses: function F(B, A, n, m) can be computed only by B or A, …
• Property: mutual authentication
• Step 2:
• Instantiate F() to signature, keyed hash, encryption (ISO-9798-2, ISO-9798-3, SKID3)
• Satisfies hypotheses ⇒ guarantees mutual authentication
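As an added example (not code from the slides or the authors), a Python model of the challenge-response template with F and G as plug-in functions, which also exercises the ActionsInOrder conclusion from the Correctness of CR slide: the SKID3-style keyed-hash instantiation satisfies the hypothesis that only A or B can compute F, an unkeyed hash does not, and the trace check shows which runs keep the authentication guarantee. The key K_AB, the trace encoding and the intruder role are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample key shared by A and B (an assumption of this example, not from the slides).
K_AB = b"constructed-shared-key-for-A-and-B"
A, B, INTRUDER = "A", "B", "Intruder"

def keyed_hash(principal, n, m):
    """SKID3-style F/G: H_KAB(n, m, principal). Only holders of K_AB can compute it."""
    return hmac.new(K_AB, n + m + principal.encode(), hashlib.sha256).digest()

def unkeyed_hash(principal, n, m):
    """Instantiation that violates the template hypothesis: anyone can compute it."""
    return hashlib.sha256(n + m + principal.encode()).digest()

def actions_in_order(trace, msg1, msg2):
    """ActionsInOrder(Send(A,msg1), Receive(B,msg1), Send(B,msg2), Receive(A,msg2)),
    checked on a concrete trace of (action, principal, message) events."""
    wanted = [("Send", A, msg1), ("Receive", B, msg1),
              ("Send", B, msg2), ("Receive", A, msg2)]
    if any(w not in trace for w in wanted):
        return False
    positions = [trace.index(w) for w in wanted]
    return positions == sorted(positions)

def run_template(F, G, impersonator=None):
    """Run the template A -> B: m ; B -> A: n, F(B,A,n,m) ; A -> B: G(A,B,n,m).

    If impersonator is given, an intruder who never received msg1 answers in B's place
    with that function. Returns (A accepted msg2, ActionsInOrder holds on the trace)."""
    trace = []
    m, n = secrets.token_bytes(16), secrets.token_bytes(16)
    msg1 = (A, B, m)
    trace.append(("Send", A, msg1))
    if impersonator is None:
        trace.append(("Receive", B, msg1))          # honest B received the challenge
        msg2 = (B, A, n, F(B, n, m))
        trace.append(("Send", B, msg2))
    else:
        msg2 = (B, A, n, impersonator(B, n, m))     # produced without ever receiving msg1
        trace.append(("Send", INTRUDER, msg2))
    trace.append(("Receive", A, msg2))
    # A accepts msg2 only if the F value matches what it computes itself for (B, n, m).
    a_accepts = hmac.compare_digest(msg2[3], F(B, n, m))
    if a_accepts:
        trace.append(("Send", A, (A, B, G(A, n, m))))
    return a_accepts, actions_in_order(trace, msg1, msg2)
```

With the unkeyed instantiation A accepts a response from a party that never received msg 1, so the template's mutual-authentication proof does not transfer to it; with the keyed hash, A's acceptance coincides with the ActionsInOrder property.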
Abstraction-Instantiation Method (2)
Combining protocol templates: if protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both.
Benefits: modular proofs of properties; formalization of protocol refinements.
Refinement Example Revisited
Two templates:
Template 1: authentication + shared secret (preserves existing properties; proof reused)
Template 2: identity protection (encryption) (adds new property)
A → B: g^a, A
B → A: g^b, E_K{sig_B{g^a, g^b, A}}
A → B: E_K{sig_A{g^a, g^b, B}}
Encrypt Signatures
Authenticated Key Exchange
AKE1:
A → B: g^a, A
B → A: g^b, F(B, A, g^b, g^a)
A → B: G(A, B, g^a, g^b)
• Shared secret
• Stronger authentication
• Identity protection for B
• Non-repudiation
AKE2:
A → B: g^a
B → A: g^b, F(B, g^b, g^a), F'(B, g^ab)
A → B: G(A, g^a, g^b), G'(A, g^ab)
• Shared secret
• Weaker authentication
• Identity protection for A
• Repudiability
Instances: ISO-9798-3, JFKi, STS, JFKr, IKEv2, SIGMA
H. Krawczyk: The Cryptography of the IPSec and IKE Protocols [CRYPTO'03]
More examples
Authenticated Key Exchange: template for JFKr, STS, IKE, IKEv2
Key Computation: template for Diffie-Hellman, UM, MTI/A, MQV
Combining these templates
Synthesis: STS-MQV
[Figure: derivation graph for the STS-MQV synthesis. Base protocols DH, STS, MTI/A and UM; refinement steps labelled authenticate, key conf., protect identities, cookie and symmetric hash; derived nodes MTIC, UMC, MQVC, MTICP, UMCP, MQVCP, STSP, MTICPH, UMCPH, MQVCPH, STSPH, MTIRFK, UMRFK, MQVRFK and MQV.]
Conclusions
Abstraction-Instantiation using protocol templates:
Single proof for similar protocols from a common template
Multiple protocol properties from different templates
Logical foundation: add function variables to the protocol language and logic
Applications:
CR template: ISO-9798-2, ISO-9798-3, SKID3
Identity protection refinement in JFK
Design principles: IKEv2, JFKi, JFKr, ISO, STS, SIGMA, IKE
Synthesis: DH-MQV + STS-JFKr