1 / 33

Protocol Composition Logic II

18739A: Foundations of Security and Privacy. Protocol Composition Logic II. Anupam Datta Fall 2007-08. Protocol Analysis Techniques. Crypto Protocol Analysis. Formal Models. Dolev-Yao (perfect cryptography). Computational Models. Random oracle Probabilistic process calculi

tamarr
Download Presentation

Protocol Composition Logic II

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. 18739A: Foundations of Security and Privacy Protocol Composition Logic II Anupam Datta Fall 2007-08

  2. Protocol Analysis Techniques Crypto Protocol Analysis Formal Models Dolev-Yao (perfect cryptography) Computational Models Random oracle Probabilistic process calculi Probabilistic I/O automata … Model Checking Protocol Logics Process Calculi Inductive Proofs … Murphi, AVISPA BAN, PCL Applied -calculus Paulson, MSR

  3. Protocol Composition Logic • Intuition • Formalism • Protocol programming language • Protocol logic • Proof System • Example • Signature-based challenge-response • Proof techniques TODAY

  4. Example: JFK Protocol • Recall earlier lecture about JFK design • Today we will describe corresponding proof techniques

  5. Ingredient 1: Diffie-Hellman A  B: ga B  A: gb • Shared secret: gab • Authentication • Identity protection

  6. Ingredient 2: Challenge-Response A  B: m, A B  A: n, sigB{m, n, A} A  B: sigA{m, n, B} • Shared secret • Authentication • Identity protection

  7. DH + Challenge-Response ISO 9798-3 protocol: A  B: ga, A B  A: gb, sigB{ga, gb, A} A  B: sigA{ga, gb, B} • Shared secret: gab • Authentication • Identity protection m := ga n := gb Formalized as sequential composition

  8. Ingredient 3: Encryption Encrypt signatures to protect identities: A  B: ga, A B  A: gb, EK{sigB{ga, gb, A}} A  B: EK{sigA{ga, gb, B}} • Shared secret: gab • Authentication • Identity protection Formalized using abstraction-refinement

  9. PCL Proof Techniques • Modular Proofs • Parallel Composition • Sequential Composition • Generic Template-style Proofs • Function variables • Higher-order logic extension

  10. Parallel Composition of Protocols • The parallel composition Q1 | Q2 of protocols Q1 and Q2 is the union of the sets of roles of Q1 and Q2. • Example: • IKEv2 | SSL

  11. Compositional Proofs: Intuition • Protocol specific reasoning • “if honest Bob generates a signature of the form • sigB {m, n, A}, • he sends it as part of msg2 …” • Could break: Bob’s signature from one protocol could be used to attack another • PCL proof system: Invariant rule • Protocol independent reasoning • Axiom stating unforgeability of signatures • Still good: unaffected by composition • All other axioms and proof rules for PCL

  12. Proof Tree Q1 |- Inv Q1 | Q2 |- Inv Inv |-Auth Bulk of proof reused Additional work to prove Q2|- Inv Inv Axiom Theorem: If Q |- Inv and Q’ |- Inv, then Q | Q’ |- Inv INV rule Other rules Auth [DDMP CSF’03 -> JCS Special Issue, MFPS’03] Security property

  13. Parallel Composition Theorem • IF • Q1 satisfies security property  in isolation • Q2 respects the invariants  of Q1 used in the proof of security property  • THEN • Q1 | Q2 also satisfies security property 

  14. Sequential Composition of Protocols • Run protocols in sequence • Examples • Key exchange followed by secure sessions that use the exchanged key • Diffie-Hellman followed by Challenge-Response = ISO-9798-3

  15. ISO-9798-3 Key Exchange ga, A • Authentication • Do we need to prove it from scratch? • Shared secret: gab gb, sigB {ga, gb, A} A B sigA {ga, gb, B} Goal: Combine proofs of Diffie-Hellman and challenge-response sub-protocols

  16. Abstract challenge response • Free variables m and n instead of nonces • Modal form:  [ actions ]  • precondition: Fresh(A,m) • actions: [ InitACR ]A • postcondition: Honest(B)  Authentication • Secrecy is proved from properties of Diffie-Hellman InitACR(A, X, m) = [ send A, X, {m}; receive X, A, {x, sigX{m, x}}; send A, X, sigA{m, x}}; ] RespACR(B, n) = [ receive Y, B, {y}; send B, Y, {n, sigB{y, n}}; receive Y, B, sigY{y, n}}; ]

  17. Diffie-Hellman: Property • Formula • true [ new a ] AFresh(A, ga) • Diffie-Hellman property: • Can compute gab given ga and b or gb and a • Cannot compute gab given ga and gb

  18. Challenge Response: Property • Modal form:  [ actions ]P  • precondition: Fresh(A,m) • actions: [ Initiator role actions ]A • postcondition: • Honest(B)  ActionsInOrder( • send(A, {A,B,m}), • receive(B, {A,B,m}), • send(B, {B,A,{n, sigB {m, n, A}}}), • receive(A, {B,A,{n, sigB {m, n, A}}}) )

  19. Composition: DH+CR = ISO-9798-3 • Additive Combination • DH post-condition matches CR precondition • Sequential Composition: • Substitute ga for m in CR to obtain ISO. • Apply composition rule • ISO initiator role inherits CR authentication. • DH secrecy is also preserved • Proved using another application of composition rule. • Nondestructive Combination • DH and CR satisfy each other’s invariants

  20. Definition of Sequential Composition

  21. Sequential Composition Theorem • Both protocols should satisfy each other’s invariants (similar to parallel composition) • Post-condition of first should match pre-condition of second protocol

  22. PCL Proof Techniques • Modular Proofs • Parallel Composition • Sequential Composition • Generic Template-style Proofs • Function variables • Higher-order logic extension

  23. Protocol Templates • Protocols withfunction variables instead of specific cryptographic operations • Idea: One template can be instantiated to many protocols • Advantages: • proof reuse • design principles/patterns [DDMP CSF’04]

  24. Example Challenge-Response Template A  B: m B  A: n, F(B,A,n,m) A  B: G(A,B,n,m) A  B: m B  A: n,EKAB(n,m,B) A  B: EKAB(n,m) A  B: m B  A: n,HKAB(n,m,B) A  B: HKAB(n,m,A) A  B: m B  A: n, sigB(n,m,A) A  B: sigA(n,m,B) SKID3 ISO-9798-3 ISO-9798-2 Instantiations

  25. Extending Formalism • Language Extensions • Add function variables to term language for cords and logic (HOL) • Semantics • Q |= φ  σQ |= σφ, for all substitutions σ eliminating all function variables • Soundness Theorem • Every provable formula is valid

  26. Abstraction-Instantiation Method(1) • Characterizing protocol concepts • Step 1: Under hypotheses about function variables and invariants, prove security property of template • Step 2: Instantiate function variables to cryptographic operations and prove hypotheses. • Benefit: • Proof reuse

  27. Example Challenge-Response Template A  B: m B  A: n, F(B,A,n,m) A  B: G(A,B,n,m) • Step 1: • Hypotheses: Function F(B,A,n,m) can be computed only by B or A,… • Property: Mutual authentication • Step 2: • Instantiate F() to signature, keyed hash, encryption (ISO-9798-2,3, SKID3) • Satisfies hypotheses => Guarantees mutual authentication

  28. Proof Structure Discharge hypothesis axiom hypothesis Proof reuse Instance Template

  29. Abstraction-Instantiation Method(2) • Combining protocol templates If protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both. • Benefits: • Modular proofs of properties • Formalization of protocol refinements

  30. Refinement Example Revisited Two templates: • Template 1: authentication + shared secret (Preserves existing properties; proof reused) • Template 2: identity protection (encryption) (Adds new property) Encrypt Signatures A  B: ga, A B  A: gb, EK {sigB {ga, gb, A}} A  B: EK {sigA {ga, gb, B}}

  31. Summary • PCL – Logic for security protocols • Sound wrt symbolic and cryptographic models • High-level short proofs: 2-3 pages • Proof techniques • Modular/compositional proofs • Generic template-style proofs • Proofs of industrial protocols • IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2 (unpublished), Mobile IPv6 (in progress) • Implementation not done

  32. Thanks ! Questions?

  33. EAP-TLS: Certificates to Authorization (PMK) 4WAY Handshake: PMK to Keys for data communication Group key: Keys for broadcast communication Data protection: AES based using above keys Modular Analysis / Composition Auth Server Laptop Access Point (Shared Secret-PMK) 802.11i Key Management 20 msgs in 4 components [HSDDM CCS’05 -> TISSEC Special Issue]

More Related