Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations Anupam Datta Stanford University May 10, 2005
Outline Part I: Overview • Motivation • Central problems • Divide and Conquer paradigm • Combining logic and cryptography • Results Part II: Protocol Composition Logic • Compositional Reasoning • Complexity-theoretic foundations
This talk is about… • Network security protocols • Internet Engineering Task Force (IETF) Standards • SSL/TLS - web authentication • IPSec - corporate VPNs • Mobile IPv6 – routing security • Kerberos - network authentication • GDOI – secure group communication • IEEE Standards Working Group • 802.11i - wireless security • And methods for their security analysis • Security proof in some model; or • Identify attacks
Characteristics of protocols • Relatively simple distributed programs • 5-7 steps, 3-10 fields per message (per component) • Mission critical • Security of data, credit card numbers, … • Subtle • Concurrency: attack may combine data from many sessions • Computation: modeling cryptographic primitives Good domain for logical methods Active research area since early 80’s
Security Analysis Methodology (diagram): Protocol + Property + Attacker model → Analysis Tool → Security proof or attack. Worked instance: SSL authentication; attacker model: complete control over network, perfect crypto; our tool: Protocol Composition Logic (PCL); outcome: 42-line axiomatic proof. “Forty-two,” said Deep Thought, with infinite majesty and calm. - D. Adams, HGG, 1979
Classifying Attacks • Implementation bugs • Buffer overflow, format string vulnerabilities • Cryptography breaks • IEEE 802.11b (WEP encryption) • Protocol flaws • Needham-Schroeder, IKE, IEEE 802.11i • Focus on protocol flaws assuming “strong crypto” • Complexity-theoretic characterization of “strong crypto”
IEEE 802.11i wireless security [2004] (diagram: Wireless Device, Access Point, Authentication Server). Phases: 802.11 Association; EAP/802.1X/RADIUS Authentication; 4-way handshake; Group key handshake; Data communication. Uses crypto: encryption, hash,… • Divide-and-conquer paradigm • Combining logic and cryptography
Divide-and-Conquer paradigm (Central Problem 1: Composition is a hard problem in security) • Result: Protocol Derivation System [DDMP03-05] • Incremental protocol construction • Result: Protocol Composition Logic (PCL) [DDDMP01-05] • Compositional correctness proofs • Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], [Pfitzmann-Waidner01], …
Combining logic and cryptography (Central Problem 2) • Symbolic model [NS78, DY84]: − Perfect cryptography assumption; + Idealization => tools and techniques • Complexity-theoretic model [GM84]: + More detailed model; probabilistic guarantees; − Hand-proofs very hard; no automation • Result: Computational PCL [DDMST05]: + Logical proof methods; + Complexity-theoretic crypto model • Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]
Applied to industrial protocols • IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG) [He et al] • IKEv2 [IETF Internet Draft; 2004] [Aron et al] • TLS/SSL [RFC 2246; 1999] [He et al] • Mobile IPv6 [RFC 3775; 2004] (New Attack!) [Roy et al] • Kerberos V5 [IETF Internet Draft; 2004] [Cervesato et al] • GDOI Secure Group Communication protocol [RFC 3547; 2003] (Attack! Fix adopted by IETF WG) [Meadows et al]
Tool support • Isabelle implementation of PCL [Kempston et al] • PCL syntax and proof system encoded into Isabelle, a generic theorem-prover • Machine-checkable axiomatic proofs • Use Isabelle’s first-order reasoner • Protocol Derivation Assistant [Anlauff et al] • Graphical support tool for protocol derivations
IPSec (diagram: IP layer host-to-host security across the Internet) • Widely deployed: Corporate VPNs • Provides secrecy and integrity • IKEv2 is the IPSec key exchange protocol
IKEv2 [IETF ID 2004] Multi-mode protocol: authenticator can use either signature or pre-shared key. IKE_INIT (Exchange key material): I → R: HDR, SAi1, g^i, Ni; R → I: HDR, SAr1, g^r, Nr. IKE_AUTH (Authenticate): I → R: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}; R → I: HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr}. IKE_CHILD_SA (Rekey). • Modular proofs • Multi-mode (Unified “template” proof) • Properties: authentication, shared secret, identity & DoS protection, repudiability
Mobile IPv6 [IETF ID 2004] (diagram: a mobile node moving between two locations, labelled Wisconsin and Stanford, keeps its Home address and acquires a Care of address while talking to a Correspondent Node) • Change of location • Authentication • DoS issues • Protocol breaks if attacker controls complete network
GDOI [RFC 3547, 2003] (diagram: group controller and group members over a public network; “Communicating in a group can be difficult…”) • Secure group communication • Composition attack • Fix adopted by IETF WG
Protocol analysis spectrum (figure: horizontal axis Protocol complexity, Low → High; vertical axis Strength of attacker model, Low → High). Entries, from strongest attacker model to weakest: Hand proofs, Computational protocol logic (Combining logic and cryptography), Holy Grail (top right); Poly-time calculus, Multiset rewriting, Protocol logic (Divide and conquer), Spi-calculus; Athena, Paulson, NRL, BAN logic; Model checking (FDR, Murφ).
Outline Part I: Overview Part II: Protocol Composition Logic • Compositional Reasoning • Complexity-theoretic foundations
Challenge-Response: Proof Idea (messages: A → B: m, A; B → A: n, sigB{m, n, A}; A → B: sigA{m, n, B}) • Alice reasons: if Bob is honest, then: • only Bob can generate his signature. [protocol independent] • if Bob generates a signature of the form sigB{m, n, A}, • he sends it as part of msg 2 of the protocol and • he must have received msg1 from Alice. [protocol specific] • Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)
Reasoning method • Reason about local information • I know my own actions • Incorporate knowledge of protocol • Honest people faithfully follow protocol • No explicit reasoning about intruder • Absence of bad action expressed as a positive property of good actions • E.g., honest agent’s signature can be produced only by the agent Distinguishes our method from existing techniques
Formalism • Cord calculus • Protocol programming language • Execution model (Symbolic/“Dolev-Yao”) • Protocol logic • Expressing protocol properties • Proof system • Proving protocol properties • Soundness theorem
Challenge-Response as Cords (messages: A → B: m, A; B → A: n, sigB{m, n, A}; A → B: sigA{m, n, B}) InitCR(A, X) = [ new m; send A, X, m, A; receive X, A, x, sigX{m, x, A}; send A, X, sigA{m, x, X}; ] RespCR(B) = [ receive Y, B, y, Y; new n; send B, Y, n, sigB{y, n, Y}; receive Y, B, sigY{y, n, B}; ]
Challenge Response: Property • Modal form: [ actions ] P • precondition: Fresh(A, m) • actions: [ Initiator role actions ]A • postcondition: Honest(B) ⊃ ActionsInOrder( send(A, {A,B,m}), receive(B, {A,B,m}), send(B, {B,A,{n, sigB{m, n, A}}}), receive(A, {B,A,{n, sigB{m, n, A}}}) )
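The Challenge-Response run and its ActionsInOrder postcondition, executed symbolically. This is an added example, not code from the talk or from the PCL tooling: it encodes the two cords from the cord slide as action lists, interleaves them over a shared network buffer under the perfect-crypto assumption (a signature term ("sig", X, …) may only be emitted by X's own actions), and then checks both the initiator's postcondition and the honesty-rule invariant Sent(X, msg2) ⊃ Received(X, msg1). The Python representation of terms, ?-variables, events and the scheduler is this example's own assumption; message layouts follow the cords (A, X, m, A rather than the property slide's shorthand {A,B,m}).

```python
# Added example (not code from the original slides): a symbolic, Dolev-Yao style
# executor for the Challenge-Response cords plus the ActionsInOrder check.  The
# Python encoding of terms, patterns, events and scheduling is an assumption.
import itertools

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def match(pattern, term, env):
    """Match a receive pattern against a message, binding ?-variables in env."""
    if is_var(pattern):
        if pattern in env:
            return env[pattern] == term
        env[pattern] = term
        return True
    if isinstance(pattern, tuple):
        return (isinstance(term, tuple) and len(term) == len(pattern)
                and all(match(p, t, env) for p, t in zip(pattern, term)))
    return pattern == term

def subst(t, env):
    if is_var(t):
        return env[t]
    return tuple(subst(x, env) for x in t) if isinstance(t, tuple) else t

def sig(signer, *payload):
    """Symbolic signature sig_signer{payload}: only signer's actions may create it."""
    return ("sig", signer, tuple(payload))

def signs_only_own(actor, term):
    """Perfect-crypto rule: an honest principal never emits another's signature."""
    if not isinstance(term, tuple):
        return True
    if term and term[0] == "sig" and term[1] != actor:
        return False
    return all(signs_only_own(actor, t) for t in term)

def init_cr(A, X):   # InitCR(A, X) from the cord slide
    return [("new", "?m"), ("send", (A, X, "?m", A)),
            ("receive", (X, A, "?x", sig(X, "?m", "?x", A))),
            ("send", (A, X, sig(A, "?m", "?x", X)))]

def resp_cr(B):      # RespCR(B) from the cord slide
    return [("receive", ("?Y", B, "?y", "?Y")), ("new", "?n"),
            ("send", (B, "?Y", "?n", sig(B, "?y", "?n", "?Y"))),
            ("receive", ("?Y", B, sig("?Y", "?y", "?n", B)))]

def execute(roles):
    """Interleave the cords. Sent messages stay on the network (visible to the
    attacker); a receive blocks until a message matches. Returns (trace, env),
    the trace being a list of (kind, actor, message) events."""
    net, trace = [], []
    env = {a: {} for a in roles}
    pc = {a: 0 for a in roles}
    nonces = itertools.count(1)
    progressed = True
    while progressed:
        progressed = False
        for actor, actions in roles.items():
            if pc[actor] >= len(actions):
                continue
            kind, arg = actions[pc[actor]]
            if kind == "new":
                env[actor][arg] = ("nonce", actor, next(nonces))
                trace.append(("new", actor, env[actor][arg]))
            elif kind == "send":
                msg = subst(arg, env[actor])
                assert signs_only_own(actor, msg), "honest principal forged a signature"
                net.append(msg)
                trace.append(("send", actor, msg))
            else:  # receive
                hit = None
                for msg in net:
                    trial = dict(env[actor])
                    if match(arg, msg, trial):
                        hit, env[actor] = msg, trial
                        break
                if hit is None:
                    continue          # nothing matches yet; let the other role run
                trace.append(("receive", actor, hit))
            pc[actor] += 1
            progressed = True
    return trace, env

def actions_in_order(trace, *events):
    """ActionsInOrder(a1, ..., ak): each event occurs in the trace, in this order."""
    pos = 0
    for ev in events:
        while pos < len(trace) and trace[pos] != ev:
            pos += 1
        if pos == len(trace):
            return False
        pos += 1
    return True

def run_cr(A="A", B="B"):
    return execute({A: init_cr(A, B), B: resp_cr(B)})

def cr_initiator_property(trace, env, A, B):
    """Postcondition of the property slide; m and n are read from A's local state."""
    m, n = env[A]["?m"], env[A]["?x"]
    msg1, msg2 = (A, B, m, A), (B, A, n, sig(B, m, n, A))
    return actions_in_order(trace, ("send", A, msg1), ("receive", B, msg1),
                            ("send", B, msg2), ("receive", A, msg2))

def honest_responder_invariant(trace):
    """Honesty-rule invariant for RespCR: Sent(X, msg2) implies X earlier Received msg1."""
    seen = []
    for ev in trace:
        kind, _, msg = ev
        if kind == "send" and len(msg) == 4 and isinstance(msg[3], tuple):
            X, Y, _n, (_tag, signer, (y, _n2, _Y)) = msg
            if signer != X or ("receive", X, (Y, X, y, Y)) not in seen:
                return False
        seen.append(ev)
    return True
```

Calling run_cr() yields an eight-event trace (new, send, receive, new, send, receive, send, receive) on which cr_initiator_property and honest_responder_invariant both return True. The invariant check is what the honesty rule later in the talk derives once per protocol: it never reasons about the attacker, only about what an honest responder must have done before emitting its signature, so a trace containing a msg2 send with no earlier matching msg1 receive is rejected.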
Proof System • Sample Axioms: • Reasoning about possession: • [receive m]A Has(A, m) • Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n) • Reasoning about crypto primitives: • Honest(X) ∧ Decrypt(Y, encX{m}) ⊃ X = Y • Honest(X) ∧ Verify(Y, sigX{m}) ⊃ ∃m’. (Send(X, m’) ∧ Contains(m’, sigX{m})) • Soundness Theorem: • Every provable formula is valid
Outline Part I: Overview Part II: Protocol Composition Logic • Compositional Reasoning • Complexity-theoretic foundations
Reasoning about Composition • Non-destructive Combination: • Ensure combined parts do not interfere • In logic: invariance assertions • Additive Combination: Accumulate security properties of combined parts, assuming they do not interfere • In logic: before-after assertions
Proof steps (Intuition) • Protocol independent reasoning • Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n) • Still good: unaffected by composition • Protocol specific reasoning • “if honest Bob generates a signature of the form sigB{m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice” • Could break: Bob’s signature from one protocol could be used to attack another • Technically: • Protocol-specific proof steps use invariants • Invariants must be preserved for safe composition
Invariants • Reasoning about honest principals • Invariance rule, called “honesty rule” • Preservation of invariants under composition • If we prove Honest(X) ⊃ φ for protocol 1 and compose with protocol 2, is the formula still true?
Honesty Rule (Induction) • Definition • A protocol step begins with receive, ends before next receive • Rule • from [ ]X φ and ∀B ∈ ProtocolSteps(Q). φ [B]X φ, conclude Q ⊢ Honest(X) ⊃ φ • Example • CR ⊢ Honest(X) ⊃ (Sent(X, m2) ⊃ Received(X, m1))
Diffie-Hellman: Property • Formula • [ new a ]A Fresh(A, g^a) • Explanation • Modal form: [ actions ] P • Actions: [ new a ]A • Postcondition: Fresh(A, g^a)
Challenge Response: Property • Modal form: [ actions ] P • precondition: Fresh(A, m) • actions: [ Initiator role actions ]A • postcondition: Honest(B) ⊃ ActionsInOrder( send(A, {A,B,m}), receive(B, {A,B,m}), send(B, {B,A,{n, sigB{m, n, A}}}), receive(A, {B,A,{n, sigB{m, n, A}}}) )
Composition: DH+CR = ISO-9798-3 • Additive Combination • DH post-condition matches CR precondition • Sequential Composition: • Substitute g^a for m in CR to obtain ISO. • Apply composition rule • ISO initiator role inherits CR authentication. • DH secrecy is also preserved • Proved using another application of composition rule. • Nondestructive Combination • DH and CR satisfy each other’s invariants
Composing protocols (Sequential and parallel composition theorems) • Γ, the invariants of DH: Honest(X) ⊃ … • Γ’, the invariants of CR: Honest(X) ⊃ … • Γ ⊢ Secrecy; Γ’ ⊢ Authentication • By weakening: Γ ∪ Γ’ ⊢ Secrecy; Γ ∪ Γ’ ⊢ Authentication • Γ ∪ Γ’ ⊢ Secrecy ∧ Authentication [additive] • DH; CR ⊢ Γ ∪ Γ’ [nondestructive] • Hence ISO ⊢ Secrecy ∧ Authentication
Composition Rules • Invariant weakening rule • from Γ ⊢ […]P and Γ ⊆ Γ’, conclude Γ’ ⊢ […]P • Sequential Composition • from Γ ⊢ [ S ] P and Γ ⊢ [ T ] P, conclude Γ ⊢ [ S;T ] P • Prove invariants from protocol • from Q ⊢ Γ and Q’ ⊢ Γ, conclude Q ∪ Q’ ⊢ Γ
Composition: Big Picture (diagram: Protocol Q runs inside a safe environment made up of Q1, Q2, Q3, …, Qn) • Q ⊢ Inv(Q) • Inv(Q) ⊢ φ • Qi ⊢ Inv(Q) • No reasoning about attacker • Different from: • Assume-guarantee in distributed computing [MC81] • Universal Composability [C01, PW01]
Outline Part I: Overview Part II: Protocol Composition Logic • Compositional Reasoning • Complexity-theoretic foundations
Two worlds Can we get the best of both worlds?
Our Approach • Talk so far: Protocol Composition Logic (PCL) • Syntax • Proof System • Semantics in the symbolic “Dolev-Yao” model • Leverage PCL success: Computational PCL • Syntax ± • Proof System ± • Semantics in the complexity-theoretic model
Main Result • Computational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption • Soundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1. + Symbolic proofs + Complexity-theoretic model
Computational PCL • Syntax • Expressing security properties • Proof System • Proving security properties • Soundness Theorem • Semantics • Complexity-theoretic Model • Attacker – any PPT algorithm • Meaning of security properties
Example 1 (protocol: A → B: A, B, {n, A}B; B → A: B, A, n) • Security Property - authentication [Initiator Program]A Honest(B) ⊃ ActionsInOrder( send(A, msg1), receive(B, msg1), send(B, msg2), receive(A, msg2) )
Example 2 (protocol: A → B: A, B, {n, A}B) • Security Property - secrecy [Initiator Program]A Honest(B) ⊃ ∀X. (X ≠ A, B) ⊃ Indistinguishable(X, n)
Soundness of proof system • Information-theoretic reasoning: [new u]X ∀Y. (Y ≠ X) ⊃ Indistinguishable(Y, u) • Complexity-theoretic reductions: Source(Y, u, {m}X) ∧ Decrypts(X, {m}X) ∧ Honest(X, Y) ⊃ ∀Z. (Z ≠ X, Y) ⊃ Indistinguishable(Z, u); reduction to an IND-CCA2-secure encryption scheme • Asymptotic calculations: sum of two negligible functions is a negligible function
Complexity-theoretic semantics • Fix protocol Q, PPT adversary A, security parameter n • Vary random bits used by all programs • Obtain set of equi-probable traces, T(Q,A,n); T(φ) ⊆ T(Q,A,n) is the subset of traces on which φ holds • Q ⊨ φ if for every PPT adversary A there is a negligible function f and an n0 such that for all n > n0: |T(φ)| / |T(Q,A,n)| > 1 − f(n) (the ratio represents the probability that φ holds)
Inductive Semantics • Consider set of traces T(Q,A,n) • T(φ1 ∧ φ2) = T(φ1) ∩ T(φ2) • T(φ1 ∨ φ2) = T(φ1) ∪ T(φ2) • T(¬φ) = T(Q,A,n) \ T(φ) • Semantics of formulas are transformers on probability distribution over traces
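The trace-set semantics of the two slides above, made concrete. This is an added example, not material from the talk: it fixes a toy protocol/adversary pair whose random tapes are small enough to enumerate, so every trace in T(Q,A,n) is equi-probable, and then computes T(φ), the inductive clauses for ∧, ∨ and ¬, and the |T(φ)| / |T(Q,A,n)| > 1 − f(n) test over a range of security parameters. The toy Q and A, the two formulas and the choice of f are this example's own assumptions; the definitions follow the slides.

```python
# Added example (not from the slides): trace-set semantics of Q |= phi on a toy
# protocol whose random tapes are enumerated exhaustively, so all traces are
# equi-probable.  The toy Q/A pair, the formulas and f are this example's
# assumptions; T(Q,A,n), T(phi) and the 1 - f(n) threshold follow the slides.
from fractions import Fraction
from itertools import product

def traces(n):
    """T(Q,A,n): Q draws an n-bit nonce u and one secret bit b; the (trivial,
    guessing) adversary A draws an n-bit guess g for u and a guess c for b.
    One trace per joint random tape (u, b, g, c)."""
    return [(u, b, g, c) for u, b, g, c
            in product(range(2 ** n), (0, 1), range(2 ** n), (0, 1))]

def T(phi, n):
    """T(phi), the subset of T(Q,A,n) on which the formula phi holds."""
    return {t for t in traces(n) if phi(t)}

# Inductive clauses from the slide.
def T_and(p1, p2, n):
    return T(p1, n) & T(p2, n)

def T_or(p1, p2, n):
    return T(p1, n) | T(p2, n)

def T_not(p, n):
    return set(traces(n)) - T(p, n)

def probability(phi, n):
    """|T(phi)| / |T(Q,A,n)|, exact, since the traces are equi-probable."""
    return Fraction(len(T(phi, n)), len(traces(n)))

def models(phi, f, n_values):
    """Q |= phi: probability(phi, n) > 1 - f(n).  The slide quantifies over all
    n > n0 for a negligible f; here the check runs over a finite range of n."""
    return all(probability(phi, n) > 1 - f(n) for n in n_values)

def nonce_not_guessed(t):   # A's guess g misses the nonce u
    return t[2] != t[0]

def bit_not_guessed(t):     # A's guess c misses the secret bit b
    return t[3] != t[1]

def negligible(n):          # f(n) = 2^-(n-1), a negligible function
    return Fraction(1, 2 ** (n - 1))
```

For the nonce formula the probability is 1 − 2^-n, which exceeds 1 − f(n) for every n, so Q ⊨ nonce_not_guessed. For the single secret bit the probability is exactly 1/2 at every n, so no negligible f makes the 1 − f(n) test pass: a guarantee of this shape cannot express secrecy of one bit, which is the "probability close to ½ instead of 1" point in the talk's current-work slide.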
Logic and Cryptography: Big Picture (layered diagram, top to bottom): Protocol security proofs using proof system → Axiom in proof system → Semantics and soundness theorem → Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption) → Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)
Current Work • Investigate nature of logic • Propositional fragment not classical • implication represents conditional probability • its soundness rests on complexity-theoretic reductions • connections with probabilistic logics (e.g. Nilsson86) • Generalize reasoning about secrecy • Probability close to ½ instead of 1 • Not a trace property • Extend logic • More primitives: signature, hash functions,… • Remove current syntactic restrictions on formulas • Information-theoretic semantics • Only probability; no complexity
Summary • Methodology: • Divide-and-conquer paradigm in security • Combining logic and cryptography • Applications: • IEEE 802.11i (Attack! Fix adopted by IEEE WG) • GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG) • IKEv2 [IETF Internet Draft; 2004] • TLS [RFC 2246; 1999] • Kerberos V5 [IETF Internet Draft; 2004] • Mobile IPv6 [RFC 3775; 2004] (New Attack!)