Protocol Composition Logic II

Anupam DattaFall 2007-08

18739A: Foundations of Security and Privacy

Protocol Analysis Techniques

Crypto Protocol Analysis

Formal Models Computational Models

Protocol LogicsModel Checking Inductive Proofs

Dolev-Yao(perfect cryptography)

Random oracleProbabilistic process calculiProbabilistic I/O automata…Process Calculi …

Applied -calculusBAN, PCLMurphi, AVISPA Paulson, MSR

Protocol Composition Logic

Intuition Formalism

• Protocol programming language• Protocol logic• Proof System

Example• Signature-based challenge-response

Proof techniquesTODAY

Example: JFK Protocol

Recall earlier lecture about JFK design

Today we will describe corresponding proof techniques

Ingredient 1: Diffie-Hellman

A B: ga

B A: gb

• Shared secret: gab • Authentication• Identity protection

Ingredient 2: Challenge-Response

A B: m, A B A: n, sigB{m, n, A}

A B: sigA{m, n, B}

• Shared secret • Authentication• Identity protection

DH + Challenge-Response

ISO 9798-3 protocol: A B: ga, A B A: gb, sigB{ga, gb, A}

A B: sigA{ga, gb, B}

• Shared secret: gab

• Authentication• Identity protection

m := ga

n := gb

Formalized as sequential composition

Ingredient 3: Encryption

Encrypt signatures to protect identities: A B: ga, A B A: gb, EK{sigB{ga, gb, A}}

A B: EK{sigA{ga, gb, B}}

• Shared secret: gab

• Authentication• Identity protection

Formalized using abstraction-refinement

Modular Proofs• Parallel Composition• Sequential Composition

Generic Template-style Proofs• Function variables• Higher-order logic extension

PCL Proof Techniques

Parallel Composition of Protocols

The parallel composition Q1 | Q2 of protocols Q1 and Q2 is the union of the sets of roles of Q1 and Q2.

Example: • IKEv2 | SSL

Compositional Proofs: Intuition

Protocol specific reasoning• “if honest Bob generates a signature of the form

sigB {m, n, A},

– he sends it as part of msg2 …” • Could break: Bob’s signature from one protocol could

be used to attack another• PCL proof system: Invariant rule

Protocol independent reasoning• Axiom stating unforgeability of signatures• Still good: unaffected by composition• All other axioms and proof rules for PCL

Proof Tree

Axiom

INV rule

Other rules

Security property

Inv |-Auth

Auth

Q1 |- Inv

InvBulk of proof

reused

Additional work to

prove Q2 |-

Inv

Q1 | Q2 |- Inv

Theorem: If Q |- Inv and Q’ |- Inv, then

Q | Q’ |- Inv[DDMP CSF’03 -> JCS Special Issue, MFPS’03]

Parallel Composition Theorem

IF

•Q1 satisfies security property in isolation

• Q2 respects the invariants of Q1 used in the proof of security property

THEN

•Q1 | Q2 also satisfies security property

Sequential Composition of Protocols

Run protocols in sequence Examples

• Key exchange followed by secure sessions that use the exchanged key

• Diffie-Hellman followed by Challenge-Response = ISO-9798-3

ISO-9798-3 Key Exchange

Authentication• Do we need to prove it from scratch?

Shared secret: gab

A B

ga, A

gb, sigB {ga, gb, A}

sigA {ga, gb, B}

Goal: Combine proofs of Diffie-Hellman and challenge-response sub-protocols

Abstract challenge response

Free variables m and n instead of nonces Modal form: [ actions ]

• precondition: Fresh(A,m)• actions: [ InitACR ]A

• postcondition: Honest(B) Authentication Secrecy is proved from properties of Diffie-

Hellman

InitACR(A, X, m) = [send A, X, {m};receive X, A, {x, sigX{m, x}};

send A, X, sigA{m, x}};

]

RespACR(B, n) = [receive Y, B, {y};send B, Y, {n, sigB{y, n}};

receive Y, B, sigY{y, n}};

]

Diffie-Hellman: Property

Formula true [ new a ] A Fresh(A, ga)

Diffie-Hellman property:Can compute gab given ga and b or

gb and a Cannot compute gab given ga and gb

Challenge Response: Property

Modal form: [ actions ]P • precondition: Fresh(A,m)• actions: [ Initiator role actions ]A • postcondition: Honest(B) ActionsInOrder(

send(A, {A,B,m}), receive(B, {A,B,m}), send(B, {B,A,{n, sigB {m, n, A}}}), receive(A, {B,A,{n, sigB {m, n, A}}}) )

Composition: DH+CR = ISO-9798-3

• Additive Combination DH post-condition matches CR precondition Sequential Composition:

• Substitute ga for m in CR to obtain ISO.• Apply composition rule• ISO initiator role inherits CR authentication.

DH secrecy is also preserved• Proved using another application of

composition rule.

• Nondestructive Combination• DH and CR satisfy each other’s invariants

Definition of Sequential Composition

Sequential Composition Theorem

Both protocols should satisfy each other’s invariants (similar to parallel composition)

Post-condition of first should match pre-condition of second protocol

Modular Proofs• Parallel Composition• Sequential Composition

Generic Template-style Proofs• Function variables• Higher-order logic extension

PCL Proof Techniques

Protocol Templates

Protocols with function variables instead of specific cryptographic operations

Idea: One template can be instantiated to many protocols

Advantages:• proof reuse• design principles/patterns

[DDMP CSF’04]

Example

A B: mB A: n, F(B,A,n,m)A B: G(A,B,n,m)

A B: mB A: n,EKAB(n,m,B)

A B: EKAB(n,m)

A B: mB A: n,HKAB(n,m,B)

A B: HKAB(n,m,A)

A B: mB A: n, sigB(n,m,A)

A B: sigA(n,m,B)

Challenge-Response Template

ISO-9798-2

ISO-9798-3

SKID3

Instantiations

Extending Formalism

Language Extensions• Add function variables to term language for

cords and logic (HOL)

Semantics• Q |= φ σQ |= σφ, for all substitutions σ

eliminating all function variables

Soundness Theorem • Every provable formula is valid

Abstraction-Instantiation Method(1)

Characterizing protocol concepts• Step 1: Under hypotheses about function

variables and invariants, prove security property of template

• Step 2: Instantiate function variables to cryptographic operations and prove hypotheses.

Benefit: • Proof reuse

Example

Challenge-Response Template

A B: mB A: n, F(B,A,n,m)A B: G(A,B,n,m)

•Step 1:

•Hypotheses: Function F(B,A,n,m) can be computed only by B or A,…

•Property: Mutual authentication

•Step 2:

•Instantiate F() to signature, keyed hash, encryption (ISO-9798-2,3, SKID3)

•Satisfies hypotheses => Guarantees mutual authentication

Proof Structure

Template

axiom

hypothesis

Instance

Discharge hypothesis

Proof reuse

Abstraction-Instantiation Method(2)

Combining protocol templates If protocol P is a hypotheses-

respecting instance of two different templates, then it has the properties of both.

Benefits:• Modular proofs of properties• Formalization of protocol refinements

Refinement Example Revisited

Two templates:• Template 1: authentication + shared secret

(Preserves existing properties; proof reused)

• Template 2: identity protection (encryption)(Adds new property)

A B: ga, AB A: gb, EK {sigB {ga, gb, A}}A B: EK {sigA {ga, gb, B}}

Encrypt Signatures

Summary

PCL – Logic for security protocols• Sound wrt symbolic and cryptographic

models• High-level short proofs: 2-3 pages

Proof techniques• Modular/compositional proofs• Generic template-style proofs

Proofs of industrial protocols• IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2

(unpublished), Mobile IPv6 (in progress) Implementation not done

Thanks !

Questions?

Modular Analysis / Composition

EAP-TLS: Certificates to Authorization (PMK)

4WAY Handshake:

PMK to Keys for data communication

Group key: Keys for broadcast

communication

Data protection:AES based using above keys

(Shared Secret-PMK)

Laptop Access Point

Auth Server

802.11i Key Management

20 msgs in 4 components[HSDDM CCS’05 ->

TISSEC Special Issue]