Security Analysis of Network Protocols, Anupam Datta, Stanford University, May 18, 2005
Post on 19-Dec-2015
This talk is about…

Industrial network security protocols
• Internet Engineering Task Force (IETF) Standards
  – SSL/TLS: web authentication
  – IPSec: corporate VPNs
  – Mobile IPv6: routing security
  – Kerberos: network authentication
  – GDOI: secure group communication
• IEEE Standards Working Group
  – 802.11i: wireless security

And methods for their security analysis
• Security proof in some model; or
• Identify attacks
(Earlier talk by John Mitchell)
Outline

Part I: Overview
• Motivation
• Central problems
  – Divide and Conquer paradigm
  – Combining logic and cryptography
• Results

Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations
Security Analysis Methodology

Inputs to the analysis tool: Protocol, Property, Attacker model
Output: Security proof or attack

Instance shown on the slide:
• Our tool: Protocol Composition Logic (PCL)
• Protocol: SSL
• Property: authentication
• Attacker model: complete control over network; perfect crypto
• Output: 42-line axiomatic proof
IEEE 802.11i wireless security [2004]

Parties: Wireless Device, Access Point, Authentication Server
Phases:
• 802.11 Association
• EAP/802.1X/RADIUS Authentication
• 4-way handshake
• Group key handshake
• Data communication

Uses crypto: encryption, hash, …
• Divide-and-conquer paradigm
• Combining logic and cryptography
Central Problem 1: Divide-and-Conquer paradigm

Composition is a hard problem in security
Result: Protocol Derivation System [DDMP03-05]
• Incremental protocol construction
Result: Protocol Composition Logic (PCL) [DDDMP01-05]
• Compositional correctness proofs
Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], [Pfitzmann-Waidner01], …

Central Problem 2: Combining logic and cryptography

Symbolic model [NS78, DY84]
  – Perfect cryptography assumption
  + Idealization => tools and techniques
Complexity-theoretic model [GM84]
  + More detailed model; probabilistic guarantees
  – Hand-proofs very hard; no automation
Result: Computational PCL [DDMST05]
  + Logical proof methods + Complexity-theoretic crypto model
Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]
Applied to industrial protocols

• IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG) [He et al]
• IKEv2 [IETF Internet Draft; 2004] [Aron et al]
• TLS/SSL [RFC 2246; 1999] [He et al]
• Mobile IPv6 [RFC 3775; 2004] (New Attack!) [Roy et al]
• Kerberos V5 [IETF Internet Draft; 2004] [Cervasato et al]
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Attack! Fix adopted by IETF WG) [Meadows et al]
Protocol analysis spectrum (figure)

Axes: strength of attacker model (low to high) against protocol complexity (low to high).
Approaches plotted: Murφ, FDR, NRL, Athena, Model checking, Hand proofs, Paulson, BAN logic, Spi-calculus, Poly-time calculus, Multiset rewriting, Protocol logic, Computational Protocol logic.
The "Holy Grail" corner (strong attacker model and complex protocols) is approached along two arrows: "Divide and conquer" and "Combining logic and cryptography".
Outline

Part I: Overview
Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations
Challenge-Response: Proof Idea

Messages (A = Alice, B = Bob):
  A → B: m, A
  B → A: n, sigB{m, n, A}
  A → B: sigA{m, n, B}

Alice reasons: if Bob is honest, then:
• only Bob can generate his signature. [protocol independent]
• if Bob generates a signature of the form sigB{m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice. [protocol specific]
Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)
Reasoning method

Reason about local information
• I know my own actions
Incorporate knowledge of protocol
• Honest people faithfully follow protocol
No explicit reasoning about intruder
• Absence of bad action expressed as a positive property of good actions
  – E.g., honest agent's signature can be produced only by the agent
Distinguishes our method from existing techniques
Formalism

Cord calculus
• Protocol programming language
• Execution model (Symbolic/"Dolev-Yao")
Protocol logic
• Expressing protocol properties
Proof system
• Proving protocol properties
• Soundness theorem

Challenge-Response as Cords

  A → B: m, A
  B → A: n, sigB{m, n, A}
  A → B: sigA{m, n, B}

InitCR(A, X) = [
  new m;
  send A, X, m, A;
  receive X, A, x, sigX{m, x, A};
  send A, X, sigA{m, x, X};
]

RespCR(B) = [
  receive Y, B, y, Y;
  new n;
  send B, Y, n, sigB{y, n, Y};
  receive Y, B, sigY{y, n, B};
]
Challenge Response: Property

Modal form: [ actions ]P
• precondition: Fresh(A, m)
• actions: [ Initiator role actions ]A
• postcondition: Honest(B) ⊃ ActionsInOrder(
    send(A, {A, B, m}),
    receive(B, {A, B, m}),
    send(B, {B, A, {n, sigB{m, n, A}}}),
    receive(A, {B, A, {n, sigB{m, n, A}}}) )
Proof System

Sample Axioms:
• Reasoning about possession:
  – [receive m]A Has(A, m)
  – Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
• Reasoning about crypto primitives:
  – Honest(X) ∧ Decrypt(Y, encX{m}) ⊃ X = Y
  – Honest(X) ∧ Verify(Y, sigX{m}) ⊃ ∃m'. (Send(X, m') ∧ Contains(m', sigX{m}))
Soundness Theorem: Every provable formula is valid
Outline

Part I: Overview
Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations
Reasoning about Composition

Non-destructive Combination: ensure combined parts do not interfere
• In logic: invariance assertions
Additive Combination: accumulate security properties of combined parts, assuming they do not interfere
• In logic: before-after assertions

Proof steps (Intuition)

Protocol independent reasoning
• Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
• Still good: unaffected by composition
Protocol specific reasoning
• "if honest Bob generates a signature of the form sigB{m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice"
• Could break: Bob's signature from one protocol could be used to attack another

Technically:
• Protocol-specific proof steps use invariants
• Invariants must be preserved for safe composition
Composing protocols (DH and CR into ISO)

Γ_DH = Honest(X) ⊃ …        (invariant of DH)
Γ_CR = Honest(X) ⊃ …        (invariant of CR)

Γ_DH |- Secrecy              Γ_CR |- Authentication
Γ'   |- Secrecy              Γ'   |- Authentication        (invariant weakening)
Γ'   |- Secrecy ∧ Authentication                           [additive]
DH ∘ CR |- Γ'                                              [nondestructive]
ISO  |- Secrecy ∧ Authentication

Sequential and parallel composition theorems
Composition Rules

Invariant weakening rule:
    Γ  |- […]P
    ----------    (Γ ⊆ Γ')
    Γ' |- […]P

Sequential Composition:
    Γ |- [ S ]P      Γ |- [ T ]P
    ----------------------------
          Γ |- [ S T ]P

Prove invariants from protocol: Q, Q'
Composition: Big Picture

Protocol Q runs in a safe environment made up of protocols Q1, Q2, Q3, …, Qn
• Q |- Inv(Q)
• Inv(Q) |- (the property to be proved)
• Qi |- Inv(Q)
• No reasoning about attacker

Different from:
• Assume-guarantee in distributed computing [MC81]
• Universal Composability [C01, PW01]
Outline

Part I: Overview
Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations
Two worlds

Symbolic model [NS78, DY84, …]
• Attacker actions: – fixed set of actions, e.g., decryption with known key (ABSTRACTION)
• Security properties: – idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)
• Analysis methods: + successful array of tools and techniques; automation

Complexity-theoretic model [GM84, …]
• Attacker actions: + any probabilistic poly-time computation
• Security properties: + fine-grained, e.g., secret message = no partial information about bitstring representation
• Analysis methods: – hand-proofs are difficult, error-prone; no automation

Can we get the best of both worlds?
Our Approach

Protocol Composition Logic (PCL)  (talk so far…)
• Syntax
• Proof System
• Semantics: symbolic "Dolev-Yao" model

Computational PCL  (leverage PCL success…)
• Syntax ±
• Proof System ±
• Semantics: complexity-theoretic model
Soundness of proof system

Information-theoretic reasoning:
  [new u]X (Y ≠ X) ⊃ Indistinguishable(Y, u)
Complexity-theoretic reductions:
  Source(Y, u, {m}X) ∧ Decrypts(X, {m}X) ∧ Honest(X, Y) ∧ (Z ≠ X, Y) ⊃ Indistinguishable(Z, u)
  – Reduction to IND-CCA2-secure encryption scheme
Asymptotic calculations:
  – Sum of two negligible functions is a negligible function
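The asymptotic step the slide relies on, written out (this derivation is added here and is not on the slides; the definition of "negligible" used is the standard one):

A function $f:\mathbb{N}\to\mathbb{R}_{\ge 0}$ is negligible if for every $c>0$ there is an $N^f_c$ such that $f(n) < n^{-c}$ for all $n \ge N^f_c$.

Let $f$ and $g$ be negligible and fix $c>0$. Apply the definition to both with exponent $c+1$ and put $N = \max(N^f_{c+1},\, N^g_{c+1},\, 2)$. For every $n \ge N$,

$$ f(n) + g(n) \;<\; n^{-(c+1)} + n^{-(c+1)} \;=\; \frac{2}{n}\, n^{-c} \;\le\; n^{-c}, $$

so $f+g$ is negligible. The same argument absorbs a polynomial factor: if $p(n) \le n^{d}$, then using exponent $c+d$ gives $p(n)\, f(n) < n^{-c}$ for all large $n$, which is what lets a soundness proof charge each axiom application a negligible error over polynomially many steps and still bound the attacker's total advantage by a negligible function.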
Logic and Cryptography: Big Picture

• Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
• Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)
• Axiom in proof system
• Protocol security proofs using proof system
• Semantics and soundness theorem (connects the crypto definitions to the axioms)
Summary

Methodology:
• Divide-and-conquer paradigm in security
• Combining logic and cryptography

Applications:
• IEEE 802.11i (Attack! Fix adopted by IEEE WG)
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
• IKEv2 [IETF Internet Draft; 2004]
• TLS [RFC 2246; 1999]
• Kerberos V5 [IETF Internet Draft; 2004]
• Mobile IPv6 [RFC 3775; 2004] (New Attack!)
Selected Publications

A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic
• A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue]
• Secure Protocol Composition [MFPS03]
• Abstraction and refinement in protocol derivation [CSFW04]
A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani
• Probabilistic polynomial time semantics for a protocol security logic [ICALP05]
C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell
• A Modular Correctness Proof of TLS and IEEE 802.11i [In submission]

www.stanford.edu/~danupam