Post on 20-Dec-2015
TRANSCRIPT
![Page 1: Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005](https://reader031.vdocuments.us/reader031/viewer/2022032201/56649d435503460f94a1f40d/html5/thumbnails/1.jpg)
Security Analysis of Network Protocols
Anupam Datta, Stanford University
UW-Madison CSD, April 18, 2005
Outline
Part I: Overview
• Motivation
• Central problems
  – Divide and Conquer paradigm
  – Combining logic and cryptography
• Results
Part II: Glimpses of technical machinery
• Divide and Conquer Paradigm
  – Protocol Derivation System
  – Protocol Composition Logic
• Combining logic and cryptography
  – Complexity-theoretic foundations
This talk is about…
Industrial network protocols
• Internet Engineering Task Force (IETF) Standards
  – SSL/TLS - web authentication
  – IPSec - corporate VPNs
  – Mobile IPv6 - routing security
  – Kerberos - network authentication
  – GDOI - secure group communication
• IEEE Standards Working Group
  – 802.11i - wireless security
And methods for their security analysis
• Security proof in some model; or
• Identify attacks
Motivating Example
Needham-Schroeder public-key protocol [Needham-Schroeder78]
A → B: { A, Nonce_a }_Kb
B → A: { Nonce_a, Nonce_b }_Ka
A → B: { Nonce_b }_Kb
Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1
Anomaly in Needham-Schroeder [Lowe96]
A → E: { A, Na }_Ke
E(A) → B: { A, Na }_Kb
B → E(A): { Na, Nb }_Ka
E → A: { Na, Nb }_Ka
A → E: { Nb }_Ke
E(A) → B: { Nb }_Kb
(E(A) denotes E sending as, or receiving for, A.)
Evil agent E tricks honest A into revealing B's secret nonce Nb: A decrypts the message that E could not open and returns Nb to E under Ke.
Evil E can then fool B: B finishes the run believing it has authenticated A.
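Added example (not from the slides): a symbolic, Dolev-Yao style replay of Lowe's attack in Python. Encryption is an opaque term that only the holder of the matching private key can open, so the script shows exactly what the attack needs and nothing more: E uses A, who is willingly talking to E, as a decryption oracle for the message B encrypted for A, and B ends the run believing it authenticated A. With the NSL fix (B's identity added to message 2) A's check aborts the run. The principal names, nonce labels and the `run_lowe_attack` function are this example's own constructions.

```python
"""Symbolic (Dolev-Yao) replay of Lowe's attack on the Needham-Schroeder
public-key protocol, plus the Needham-Schroeder-Lowe (NSL) fix.

Constructed example: terms are symbolic, so {..}_K_X is an opaque tuple that
only X (the holder of K_X^-1) can open.  The attacker E is an ordinary
principal with its own key pair; it learns only what it can decrypt.
"""


def enc(owner, *fields):
    """{fields}_K_owner : public-key encryption under owner's public key."""
    return ("enc", owner, tuple(fields))


def dec(me, term):
    """Open {..}_K_me; anyone else gets an error, as in the Dolev-Yao model."""
    tag, owner, fields = term
    if tag != "enc" or owner != me:
        raise ValueError(f"{me} cannot open a message encrypted for {owner}")
    return fields


class Initiator:
    """Role A: wants to talk to `peer`, using fresh nonce `nonce`."""

    def __init__(self, name, peer, nonce):
        self.name, self.peer, self.nonce = name, peer, nonce

    def msg1(self):                                   # A -> peer : {A, Na}_Kpeer
        return enc(self.peer, self.name, self.nonce)

    def msg3(self, m2, nsl):                          # expects {Na, Nx[, peer]}_Ka
        fields = dec(self.name, m2)
        if nsl:
            na, nx, responder = fields
            if responder != self.peer:                # NSL check: reply must name my peer
                raise ValueError(f"{self.name}: msg2 names {responder}, expected {self.peer}")
        else:
            na, nx = fields
        if na != self.nonce:
            raise ValueError("nonce mismatch")
        return enc(self.peer, nx)                     # A -> peer : {Nx}_Kpeer


class Responder:
    """Role B: accepts whoever the first message claims to be."""

    def __init__(self, name, nonce):
        self.name, self.nonce = name, nonce
        self.claimed_peer, self.accepted = None, False

    def msg2(self, m1, nsl):                          # B -> X : {Nx, Nb[, B]}_Kx
        self.claimed_peer, nx = dec(self.name, m1)
        extra = (self.name,) if nsl else ()
        return enc(self.claimed_peer, nx, self.nonce, *extra)

    def finish(self, m3):                             # expects {Nb}_Kb
        (nb,) = dec(self.name, m3)
        if nb != self.nonce:
            raise ValueError("nonce mismatch")
        self.accepted = True


def run_lowe_attack(nsl=False):
    """A opens a session with E; E relays through B, impersonating A.

    Returns what each party believes at the end plus whether E learned Nb.
    """
    a, b = Initiator("A", "E", "Na"), Responder("B", "Nb")
    e_knows = set()
    result = {"a_peer": "E", "b_accepted": False, "b_peer": None, "e_knows_nb": False}
    # 1. A -> E : {A, Na}_Ke.  E opens it and learns Na.
    a_name, na = dec("E", a.msg1())
    e_knows.add(na)
    # 2. E(A) -> B : {A, Na}_Kb.  E re-encrypts A's message for B.
    m2 = b.msg2(enc("B", a_name, na), nsl)
    # 3. B -> E(A) : {Na, Nb[, B]}_Ka.  E cannot open this, so it forwards it to A
    #    as if it were E's own reply; A decrypts it for E.
    try:
        m3 = a.msg3(m2, nsl)
    except ValueError:
        return result                                 # NSL: A aborts, E never sees Nb
    # 4. A -> E : {Nb}_Ke.  E opens it and now holds B's nonce.
    (nb,) = dec("E", m3)
    e_knows.add(nb)
    # 5. E(A) -> B : {Nb}_Kb.  B accepts: it believes it authenticated A.
    b.finish(enc("B", nb))
    result.update(b_accepted=b.accepted, b_peer=b.claimed_peer, e_knows_nb="Nb" in e_knows)
    return result
```

The run interleaves two sessions (A with E, and "A" with B), which is the concurrency point made later in the talk: no single session is broken, the attack only exists when data from one session is fed into another.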
Characteristics of protocols
Relatively simple distributed programs
• 5-7 steps, 3-10 fields per message (per component)
Mission critical
• Security of data, credit card numbers, …
Subtle
• Concurrency: attack may combine data from many sessions
• Computation: modeling cryptographic primitives
Good domain for logical methods
Active research area since early 80’s
Security Analysis Methodology
Inputs to the analysis tool: a protocol, a property, and an attacker model. Output: a security proof or an attack.
Instance shown:
• Analysis tool: our tool, Protocol Composition Logic (PCL)
• Protocol: SSL
• Property: authentication
• Attacker model: complete control over network; perfect crypto
• Output: 42 line axiomatic proof
Classifying Attacks
Implementation bugs
• Buffer overflow, format string vulnerabilities
Cryptography breaks
• IEEE 802.11b (WEP encryption), GSM cell phone
Protocol flaws
• Needham-Schroeder, IKE, IEEE 802.11i
• Focus on protocol flaws assuming “strong crypto”
• Complexity-theoretic characterization of “strong crypto”
IEEE 802.11i wireless security [2004]
Participants: Wireless Device, Access Point, Authentication Server
Phases, in order:
• 802.11 Association
• EAP/802.1X/RADIUS Authentication
• 4-way handshake
• Group key handshake
• Data communication
Uses crypto: encryption, hash, …
Analysis themes: divide-and-conquer paradigm; combining logic and cryptography
Central Problem 1: Divide-and-Conquer paradigm
Composition is a hard problem in security
Result: Protocol Derivation System
• Incremental protocol construction
Result: Protocol Composition Logic (PCL)
• Compositional correctness proofs
Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], …
Central Problem 2: Combining logic and cryptography
Symbolic model [DY84]
  − Perfect cryptography assumption
  + Idealization => tools and techniques
Complexity-theoretic model [GM84]
  + More detailed model; probabilistic guarantees
  − Hand-proofs very hard; no automation
Result: Computational PCL
  + Logical proof methods
  + Complexity-theoretic crypto model
Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]
Applied to industrial protocols
• IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG)
• IKEv2 [IETF Internet Draft; 2004]
• TLS/SSL [RFC 2246; 1999]
• Kerberos V5 [IETF Internet Draft; 2004]
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Attack! Fix adopted by IETF WG)
Many more: STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-3, NSL, …
IPSec
IP layer host-to-host security across the Internet
• Widely deployed: corporate VPNs
• Provides secrecy and integrity
• IKEv2 is the IPSec key exchange protocol
IKEv2 [IETF ID 2004]
IKE_SA_INIT (exchange key material):
I → R: HDR, SAi1, g^i, Ni
R → I: HDR, SAr1, g^r, Nr
IKE_AUTH (authenticate):
I → R: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}
R → I: HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr}
CREATE_CHILD_SA (rekey)
• Modular proofs
• Multi-mode protocol: the authenticator (AUTH) can use either a signature or a pre-shared key; one unified “template” proof covers both modes
• Properties: authentication, shared secret, identity & DoS protection, repudiability
Mobile IPv6 [IETF ID 2004]
[Figure: a mobile node moves from Stanford (reachable at its home address) to Wisconsin (reachable at a care-of address) while talking to a correspondent node.]
• Change of location
• Authentication
• DoS issues
• Protocol breaks if attacker controls complete network
GDOI [RFC 3547, 2003]
Communicating in a group can be difficult…
[Figure: a group controller and group members exchanging messages over a public network.]
• Secure group communication
• Composition attack
• Fix adopted by IETF WG
Protocol analysis spectrum
[Figure: analysis methods plotted by protocol complexity (x-axis, low → high) against strength of attacker model (y-axis, low → high). Plotted methods and tools: Murφ (Murphi), FDR, NRL, Athena, hand proofs, Paulson, BAN logic, Spi-calculus, Poly-time calculus, model checking, multiset rewriting, Protocol logic, Computational Protocol logic; the “Holy Grail” is the top-right corner. Two arrows mark the directions of this work: “Divide and conquer” (toward higher protocol complexity) and “Combining logic and cryptography” (toward a stronger attacker model).]
Outline
Part I: Overview
Part II: Glimpses of technical machinery
• Divide and conquer paradigm
  – Protocol Derivation System
  – Protocol Composition Logic
• Combining logic and cryptography
  – Complexity-theoretic foundations
Protocol Derivation System
Construct protocol with properties:
• Shared secret
• Authenticated
• Identity Protection
• DoS Protection
Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)
Component 1: Diffie-Hellman
A → B: g^a
B → A: g^b
• Shared secret (with someone): A deduces Knows(Y, g^ab) ⊃ (Y = A) ∨ Knows(Y, b)
Not yet: Authenticated, Identity Protection, DoS Protection
Component 2: Challenge-Response
A → B: m, A
B → A: n, sig_B {m, n, A}
A → B: sig_A {m, n, B}
• Authenticated: A deduces Received(B, msg1) ∧ Sent(B, msg2)
Not yet: Shared secret, Identity Protection, DoS Protection
Composition: ISO-9798-3
Substitute m := g^a, n := g^b into Challenge-Response:
A → B: g^a, A
B → A: g^b, sig_B {g^a, g^b, A}
A → B: sig_A {g^a, g^b, B}
• Shared secret: g^ab
• Authenticated
Not yet: Identity Protection, DoS Protection
Technically: sequential composition with variable substitution
Refinement: Encrypt Signatures
A → B: g^a, A
B → A: g^b, E_K {sig_B {g^a, g^b, A}}
A → B: E_K {sig_A {g^a, g^b, B}}
• Shared secret: g^ab
• Authenticated
• Identity Protection
Not yet: DoS Protection
Technically: term replacement/function variable substitution
Transformation: Use cookie (JFK core protocol)
A → B: g^a, A
B → A: g^b, hash_KB {g^b, g^a}
A → B: g^a, g^b, E_K {sig_A {g^a, g^b, B}}, hash_KB {g^b, g^a}
B → A: g^b, E_K {sig_B {g^a, g^b, A}}
• Shared secret: g^ab
• Authenticated
• Identity Protection
• DoS Protection
Technically: program transformation
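Added example (not from the slides): a Python run of the protocol the derivation arrives at, with both sides' messages and the checks the derivation steps promise. The cookie hash_KB{g^b, g^a} is verified before B spends an exponentiation or keeps any per-session state (DoS protection), A's identity and signature travel only inside E_K (identity protection), the signatures bind g^a, g^b and the peer name (authentication), and both sides end with the same key (shared secret). Assumptions, none of which are in the original: the DH group is a toy 127-bit Mersenne prime; sig_X{…} is stood in by an HMAC under X's long-term key so the block needs only the standard library (a deployment uses a public-key signature, and the message structure is unchanged); E_K{…} is a toy XOR with an HMAC-SHA256 keystream; and the `spoofed_flood` helper models an attacker that sends from forged source addresses and therefore never receives message 2.

```python
"""JFK-core style exchange from the derivation: DH + signed challenge-response,
signatures encrypted under the DH key, responder cookie for DoS protection.
Constructed, stdlib-only toy; see the assumptions in the lead-in.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1     # toy Mersenne prime (assumption: demo only; use an RFC 3526 MODP group for real code)
G = 3

def H(*fields):
    """SHA-256 over length-framed fields (ints, strings or bytes), so concatenation is unambiguous."""
    h = hashlib.sha256()
    for f in fields:
        b = f if isinstance(f, bytes) else str(f).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()

def sig(key, *fields):
    """Stand-in for sig_X{fields}: HMAC under X's long-term key (assumption, see lead-in)."""
    return hmac.new(key, H(*fields), hashlib.sha256).digest()

def E(k, data):
    """Toy E_K{data}: XOR with an HMAC-SHA256 counter-mode keystream; E(k, E(k, x)) == x."""
    stream = b"".join(hmac.new(k, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))

LTK = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}   # long-term keys (constructed)

class Initiator:
    def __init__(self, name):
        self.name = name
        self.a = secrets.randbelow(P - 2) + 2
        self.g_a = pow(G, self.a, P)

    def msg1(self):                                   # A -> B : g^a, A
        return self.g_a, self.name

    def msg3(self, g_b, cookie, peer):                # A -> B : g^a, g^b, E_K{sig_A{g^a, g^b, B}}, hash_KB{g^b, g^a}
        self.peer, self.g_b = peer, g_b
        self.k = H(pow(g_b, self.a, P))               # K derived from g^ab
        body = sig(LTK[self.name], self.g_a, g_b, peer) + self.name.encode()
        return self.g_a, g_b, E(self.k, body), cookie

    def finish(self, g_b, enc_sig):                   # B -> A : g^b, E_K{sig_B{g^a, g^b, A}}
        body = E(self.k, enc_sig)
        s, signer = body[:32], body[32:].decode()
        if signer != self.peer or not hmac.compare_digest(s, sig(LTK[signer], self.g_a, g_b, self.name)):
            raise ValueError("A: bad signature in msg 4")
        return self.k

class Responder:
    """B keeps one DH exponent plus a cookie key K_B; no per-session state until a valid msg 3."""
    def __init__(self, name):
        self.name = name
        self.cookie_key = secrets.token_bytes(32)     # K_B
        self.b = secrets.randbelow(P - 2) + 2         # reused across sessions until rotated
        self.g_b = pow(G, self.b, P)
        self.exponentiations = 0                      # the expensive step the cookie protects

    def msg2(self, g_a, a_name):                      # B -> A : g^b, hash_KB{g^b, g^a}; nothing stored
        return self.g_b, sig(self.cookie_key, self.g_b, g_a)

    def msg4(self, g_a, g_b, enc_sig, cookie):
        # DoS protection: one HMAC to verify the cookie before any exponentiation
        if g_b != self.g_b or not hmac.compare_digest(cookie, sig(self.cookie_key, g_b, g_a)):
            raise ValueError("B: bad cookie, dropping")
        self.exponentiations += 1
        k = H(pow(g_a, self.b, P))
        body = E(k, enc_sig)
        s, a_name = body[:32], body[32:].decode()     # identity protection: A's name is only under K
        if a_name not in LTK or not hmac.compare_digest(s, sig(LTK[a_name], g_a, g_b, self.name)):
            raise ValueError("B: bad signature in msg 3")
        self.k = k
        return g_b, E(k, sig(LTK[self.name], g_a, g_b, a_name) + self.name.encode())

def run_session():
    """Honest run; returns (keys agree?, exponentiations B performed)."""
    a, b = Initiator("A"), Responder("B")
    g_a, a_name = a.msg1()
    g_b, cookie = b.msg2(g_a, a_name)
    g_b2, enc_sig_b = b.msg4(*a.msg3(g_b, cookie, "B"))
    return a.finish(g_b2, enc_sig_b) == b.k, b.exponentiations

def spoofed_flood(n):
    """n forged msg1/msg3 pairs from spoofed sources that never see msg 2 (constructed attacker)."""
    b, rejected = Responder("B"), 0
    for i in range(n):
        g_a = pow(G, i + 2, P)
        b.msg2(g_a, "A")                              # reply goes to the spoofed address, attacker never sees it
        try:
            b.msg4(g_a, b.g_b, b"\0" * 33, secrets.token_bytes(32))   # guessed cookie
        except ValueError:
            rejected += 1
    return rejected, b.exponentiations
```

Because B's state before message 3 is only K_B and the current exponent b, the cookie check is what makes the transformation a DoS protection: a forged message 3 costs B one HMAC, not a modular exponentiation, and no table of half-open sessions grows.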
Tool Support (PDA)
Outline
Part I: Overview
Part II: Glimpses of technical machinery
• Divide and conquer paradigm
  – Protocol Derivation System
  – Protocol Composition Logic
• Combining logic and cryptography
  – Complexity-theoretic foundations
Challenge-Response: Proof Idea
A → B: m, A
B → A: n, sig_B {m, n, A}
A → B: sig_A {m, n, B}
Alice reasons: if Bob is honest, then:
• only Bob can generate his signature. [protocol independent]
• if Bob generates a signature of the form sig_B {m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice. [protocol specific]
Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)
Reasoning method
Reason about local information
• I know my own actions
Incorporate knowledge of protocol
• Honest people faithfully follow protocol
No explicit reasoning about intruder
• Absence of bad action expressed as a positive property of good actions
  – E.g., honest agent’s signature can be produced only by the agent
Distinguishes our method from existing techniques
Formalism
Cord calculus
• Protocol programming language
• Execution model (Symbolic/“Dolev-Yao”)
Protocol logic
• Expressing protocol properties
Proof system
• Proving protocol properties
• Soundness theorem
Challenge-Response as Cords
A → B: m, A
B → A: n, sig_B {m, n, A}
A → B: sig_A {m, n, B}
InitCR(A, X) = [
  new m;
  send A, X, m, A;
  receive X, A, x, sig_X{m, x, A};
  send A, X, sig_A{m, x, X};
]
RespCR(B) = [
  receive Y, B, y, Y;
  new n;
  send B, Y, n, sig_B{y, n, Y};
  receive Y, B, sig_Y{y, n, B};
]
Challenge Response: Property
Modal form: precondition [ actions ]P postcondition
• precondition: Fresh(A, m)
• actions: [ Initiator role actions ]A
• postcondition: Honest(B) ⊃ ActionsInOrder(
    send(A, {A, B, m}),
    receive(B, {A, B, m}),
    send(B, {B, A, {n, sig_B {m, n, A}}}),
    receive(A, {B, A, {n, sig_B {m, n, A}}}) )
Proof System
Sample axioms:
• Reasoning about possession:
  – [receive m]A Has(A, m)
  – Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
• Reasoning about crypto primitives:
  – Honest(X) ∧ Decrypt(Y, enc_X{m}) ⊃ X = Y
  – Honest(X) ∧ Verify(Y, sig_X{m}) ⊃ ∃m'. (Send(X, m') ∧ Contains(m', sig_X{m}))
Soundness Theorem: Every provable formula is valid
Reasoning about Composition
Non-destructive Combination: Ensure combined parts do not interfere
• In logic: invariance assertions
Additive Combination: Accumulate security properties of combined parts, assuming they do not interfere
• In logic: before-after assertions
Proof steps (Intuition)
Protocol independent reasoning
• Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
• Still good: unaffected by composition
Protocol specific reasoning
• “if honest Bob generates a signature of the form sig_B {m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice”
• Could break: Bob’s signature from one protocol could be used to attack another
Technically:
• Protocol-specific proof steps use invariants
• Invariants must be preserved for safe composition
Composing protocols
DH ⊢ Γ_DH, where Γ_DH = Honest(X) ⊃ … (invariant)
CR ⊢ Γ_CR, where Γ_CR = Honest(X) ⊃ … (invariant)
Γ_DH ⊢ Secrecy          Γ_CR ⊢ Authentication
Γ' ⊢ Secrecy            Γ' ⊢ Authentication          [weakening, Γ' ⊇ Γ_DH ∪ Γ_CR]
Γ' ⊢ Secrecy ∧ Authentication                        [additive]
DH; CR ⊢ Γ'                                          [nondestructive]
ISO ⊢ Secrecy ∧ Authentication
Sequential and parallel composition theorems
Composition Rules
Invariant weakening rule:
    Γ ⊢ [ … ]P
    ----------------  (Γ ⊆ Γ')
    Γ' ⊢ [ … ]P
Sequential composition:
    Γ ⊢ [ S ]P Q        Γ ⊢ Q [ T ]P Q'
    --------------------------------------
    Γ ⊢ [ S; T ]P Q'
Prove invariants from protocol
Also have proof method for class of refinements & transformations
Applications
• IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG)
• IKEv2 [IETF Internet Draft; 2004]
• TLS [RFC 2246; 1999]
• Kerberos V5 [IETF Internet Draft; 2004]
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
Many more: STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-3, NSL, …
Tool Support
Isabelle Proof Assistant for PCL
• Encode syntax and proof system of PCL into a generic theorem-prover
consts  PSend :: "[thread,CTerm] => o"
syntax  PSend :: "[threadI,CTermlist] => actformI" ("Send'(_,_')")
axioms  AA1S: "{P, X[send t], Send(X,t)}"
        REC : "Receive(X,t) --> Has(X,t)"
Rule:   SEQ : "[|{P, X[S1], Q} ; {Q, X[S2], R}|] ==> {P, X[S1 ; S2], R}"
Sample proof (forward reasoning)
lemma "{P,X[new t; send t],Has(X,t) & Send(X,t)}";
proof -;
  have A: "{P,X[new t; send t],Has(X,t)}";
  apply (rule G3);
  apply (rule SEQ);
  apply (rule AA1N);
  apply (rule P1N);
  apply (blast);
  apply (rule ORIG);
done;
Use PCL axioms and rules to carry out proofs
Use Isabelle’s first-order reasoner
Outline
Part I: Overview
Part II: Glimpses of technical machinery
• Divide and conquer paradigm
  – Protocol Derivation System
  – Protocol Composition Logic
• Combining logic and cryptography
  – Complexity-theoretic foundations
Two worlds
Attacker actions
  Symbolic model [NS78, DY84]: − fixed set of actions, e.g., decryption with known key (ABSTRACTION)
  Complexity-theoretic model [GM84]: + any probabilistic poly-time computation
Security properties
  Symbolic model: − idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)
  Complexity-theoretic model: + fine-grained, e.g., secret message = no partial information about bitstring representation
Analysis methods
  Symbolic model: + successful array of tools and techniques; automation
  Complexity-theoretic model: − hand-proofs are difficult, error-prone; no automation
Can we get the best of both worlds?
Our Approach
Protocol Composition Logic (PCL) [talk so far]
• Syntax
• Proof System
• Semantics: symbolic “Dolev-Yao” model
Computational PCL [leverage PCL success]
• Syntax ± (essentially unchanged)
• Proof System ± (essentially unchanged)
• Semantics: complexity-theoretic model
Idea: Use same logical proof methods for complexity-theoretic cryptography
Our result
Computational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption
Soundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1.
+ Symbolic proofs
+ Complexity-theoretic model
Logical methods for complexity-theoretic cryptography
Soundness of proof system
Information-theoretic reasoning:
  [new u]X (Y ≠ X) ⊃ Indistinguishable(Y, u)
Complexity-theoretic reductions:
  Source(Y, u, {m}_X) ∧ Decrypts(X, {m}_X) ∧ Honest(X, Y) ∧ (Z ≠ X, Y) ⊃ Indistinguishable(Z, u)
  (reduction to a CCA2-secure encryption scheme)
Asymptotic calculations:
  Sum of two negligible functions is a negligible function
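Added worked derivation (not on the slides) of the asymptotic step, using the standard definition of negligibility rather than any notation of the talk:

A function $\nu:\mathbb{N}\to\mathbb{R}_{\ge 0}$ is negligible if for every positive polynomial $p$ there is an $n_p$ such that $\nu(n) < 1/p(n)$ for all $n \ge n_p$. Let $\nu_1, \nu_2$ be negligible and fix a positive polynomial $p$. Applying the definition to the polynomial $2p$ gives thresholds $n_1, n_2$ with
$$\nu_1(n) < \frac{1}{2p(n)} \ (n \ge n_1), \qquad \nu_2(n) < \frac{1}{2p(n)} \ (n \ge n_2).$$
For $n \ge \max(n_1, n_2)$ both bounds hold, so
$$\nu_1(n) + \nu_2(n) < \frac{1}{2p(n)} + \frac{1}{2p(n)} = \frac{1}{p(n)},$$
and $\nu_1 + \nu_2$ is negligible. By induction the same holds for any sum of $k$ negligible functions with $k$ a constant independent of the security parameter $n$, which is why a proof whose steps are each a reduction (error term negligible) or an information-theoretic fact (error term zero) yields a property that holds with probability $1 - \nu(n)$ for a negligible $\nu$, i.e. "asymptotically close to 1".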
Summary
Methodology:
• Divide-and-conquer paradigm in security
• Combining logic and cryptography
Applications:
• IEEE 802.11i (Attack! Fix adopted by IEEE WG)
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
• IKEv2 [IETF Internet Draft; 2004]
• TLS [RFC 2246; 1999]
• Kerberos V5 [IETF Internet Draft; 2004]
Research Directions
Bring automated tools and techniques to industrial protocol design
• Formal methods and cryptography
• Composition of secure systems
• Apply similar techniques to other kinds of security mechanisms
  – Web services
• Software analysis of secure systems
  – Model-checking C code