
Anupam Datta Stanford University May 23, 2005



Presentation Transcript


  1. Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations Anupam Datta Stanford University May 23, 2005

  2. Protocol analysis spectrum (figure). Axes: protocol complexity (low to high) against sophistication of attacks (low to high). Approaches plotted, roughly from low to high: model checking (FDR, Murφ); BAN logic; NRL; Paulson; Athena; Spi-calculus; multiset rewriting; Protocol Composition Logic; poly-time calculus; hand proofs and computational Protocol Composition Logic at the top, marked "Holy Grail". The two themes of the talk are marked on the figure: "Divide and conquer" and "Combining logic and cryptography".

  3. Divide-and-Conquer paradigm (Central Problem 1)
  • Composition is a hard problem in security
  • Result: Protocol Derivation System [DDMP03-05]: incremental protocol construction
  • Result: Protocol Composition Logic (PCL) [DDDMP01-05]: compositional correctness proofs
  • Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], [Pfitzmann-Waidner01], …

  4. Combining logic and cryptography (Central Problem 2)
  • Symbolic model [NS78, DY84]
    - Perfect cryptography assumption
    + Idealization => tools and techniques
  • Complexity-theoretic model [GM84]
    + More detailed model; probabilistic guarantees
    - Hand-proofs very hard; no automation
  • Result: Computational PCL [DDMST05]
    + Logical proof methods
    + Complexity-theoretic crypto model
  • Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04], [Adao-Bana-Scedrov05]

  5. Applied to industrial protocols
  • IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG) [He et al]
  • IKEv2 [IETF Internet Draft; 2004] [Aron et al]
  • TLS/SSL [RFC 2246; 1999] [He et al]
  • Mobile IPv6 [RFC 3775; 2004] (New Attack!) [Roy et al]
  • Kerberos V5 [IETF Internet Draft; 2004] [Cervasato et al]
  • GDOI Secure Group Communication protocol [RFC 3547; 2003] (Attack! Fix adopted by IETF WG) [Meadows et al]

  6. Outline: Protocol Composition Logic
  • Background
  • Compositional Reasoning
  • Complexity-theoretic foundations

  7. Challenge-Response: Proof Idea
  Messages: A → B: m, A;  B → A: n, sigB{m, n, A};  A → B: sigA{m, n, B}
  • Alice reasons: if Bob is honest, then:
    • only Bob can generate his signature [protocol independent]
    • if Bob generates a signature of the form sigB{m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice [protocol specific]
  • Alice deduces: Received(B, msg1) Λ Sent(B, msg2)

  8. Formalism
  • Cord calculus
    • Protocol programming language
    • Execution model (Symbolic/"Dolev-Yao")
  • Protocol logic
    • Expressing protocol properties
  • Proof system
    • Proving protocol properties
    • Soundness theorem

  9. Challenge-Response as Cords
  Messages: A → B: m, A;  B → A: n, sigB{m, n, A};  A → B: sigA{m, n, B}
  InitCR(A, X) = [ new m; send A, X, m, A; receive X, A, x, sigX{m, x, A}; send A, X, sigA{m, x, X}; ]
  RespCR(B) = [ receive Y, B, y, Y; new n; send B, Y, n, sigB{y, n, Y}; receive Y, B, sigY{y, n, B}; ]

  10. Challenge Response: Property
  • Modal form: θ [ actions ]P φ
  • precondition: Fresh(A, m)
  • actions: [ Initiator role actions ]A
  • postcondition: Honest(B) ⊃ ActionsInOrder(
      send(A, {A,B,m}),
      receive(B, {A,B,m}),
      send(B, {B,A,{n, sigB{m, n, A}}}),
      receive(A, {B,A,{n, sigB{m, n, A}}}) )

  11. Proof System
  • Sample Axioms:
    • Reasoning about possession:
      [receive m]A Has(A, m)
      Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
    • Reasoning about crypto primitives:
      Honest(X) ∧ Decrypt(Y, encX{m}) ⊃ X = Y
      Honest(X) ∧ Verify(Y, sigX{m}) ⊃ ∃m' (Send(X, m') ∧ Contains(m', sigX{m}))
  • Soundness Theorem: every provable formula is valid

  12. Invariant Rule (reasoning about honest principals' actions)
  • Definition: a protocol step begins with receive, ends before next receive
  • Rule: from ⊢ [ ]X φ and ∀B ∈ ProtocolSteps(Q). φ [B]X φ, conclude Q ⊢ Honest(X) ⊃ φ
  • Example: CR ⊢ Honest(X) ⊃ (Sent(X, m2) ⊃ Received(X, m1))
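The cords of slide 9, the ActionsInOrder postcondition of slide 10 and the possession axiom of slide 11 can all be exercised on a concrete trace. The following is an added example, not code from the talk or from the PCL project: it encodes the two Challenge-Response cords as action lists, runs them against each other in the symbolic (Dolev-Yao) execution model with no attacker present, records the trace, and checks the postcondition on it. The term encoding (tuples for message pairing, `('sig', X, body)` for sigX{body}), the round-robin executor and the treatment of signature terms as atomic in `has_closure` are assumptions made for the example.

```python
"""Symbolic (Dolev-Yao style) run of the Challenge-Response cords and a check
of the ActionsInOrder postcondition on the resulting trace. Added example; the
encoding of cords, terms and the executor is assumed, not taken from the talk."""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Var:
    """Pattern variable, bound by `new` or by a matching `receive`."""
    name: str


def sig(signer, body):
    """Symbolic signature term sigX{body}; the signer's name is public."""
    return ('sig', signer, body)


def match(pat, term, env):
    """Match a term against a pattern, binding Vars into env (in place)."""
    if isinstance(pat, Var):
        if pat.name in env:
            return env[pat.name] == term
        env[pat.name] = term
        return True
    if isinstance(pat, tuple):
        return (isinstance(term, tuple) and len(pat) == len(term)
                and all(match(p, t, env) for p, t in zip(pat, term)))
    return pat == term


def subst(pat, env):
    """Replace bound Vars in a pattern to build the concrete term to send."""
    if isinstance(pat, Var):
        return env[pat.name]
    if isinstance(pat, tuple):
        return tuple(subst(p, env) for p in pat)
    return pat


def init_cr(A, X):
    """InitCR(A, X) from slide 9 as a list of cord actions."""
    m, x = Var('m'), Var('x')
    return [('new', 'm'),
            ('send', (A, X, m, A)),
            ('receive', (X, A, x, sig(X, (m, x, A)))),
            ('send', (A, X, sig(A, (m, x, X))))]


def resp_cr(B):
    """RespCR(B) from slide 9 as a list of cord actions."""
    Y, y, n = Var('Y'), Var('y'), Var('n')
    return [('receive', (Y, B, y, Y)),
            ('new', 'n'),
            ('send', (B, Y, n, sig(B, (y, n, Y)))),
            ('receive', (Y, B, sig(Y, (y, n, B))))]


def run(strands):
    """Interleave the strands round-robin over one shared buffer (no attacker,
    no loss). Returns the trace of (principal, action, term) events and each
    principal's final variable bindings. A receive blocks until a message
    matches its pattern, letting the other strands make progress."""
    net, trace, fresh = [], [], count()
    envs = {p: {} for p in strands}
    pcs = {p: 0 for p in strands}
    progress = True
    while progress:
        progress = False
        for p, actions in strands.items():
            if pcs[p] >= len(actions):
                continue
            kind, arg = actions[pcs[p]]
            if kind == 'new':                       # fresh nonce such as 'm0'
                envs[p][arg] = f'{arg}{next(fresh)}'
            elif kind == 'send':
                t = subst(arg, envs[p])
                net.append(t)
                trace.append((p, 'send', t))
            else:
                for i, t in enumerate(net):
                    e = dict(envs[p])
                    if match(arg, t, e):
                        break
                else:
                    continue                        # blocked on receive
                envs[p] = e
                trace.append((p, 'receive', net.pop(i)))
            pcs[p] += 1
            progress = True
    return trace, envs


def actions_in_order(trace, *events):
    """ActionsInOrder(e1, ..., ek): every ei occurs in the trace, in this order."""
    pos = 0
    for ev in events:
        if ev not in trace[pos:]:
            return False
        pos = trace.index(ev, pos) + 1
    return True


def has_closure(known):
    """Terms derivable from `known` by unpairing, i.e. the possession axiom
    Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n). Assumption: a signature term is
    atomic here; its body is not extracted."""
    out, todo = set(known), list(known)
    while todo:
        t = todo.pop()
        if isinstance(t, tuple) and t[0] != 'sig':
            for s in t:
                if s not in out:
                    out.add(s)
                    todo.append(s)
    return out


def run_cr():
    """Run InitCR(A, B) against RespCR(B)."""
    return run({'A': init_cr('A', 'B'), 'B': resp_cr('B')})


def cr_postcondition(trace, env_a):
    """The slide-10 postcondition; A's variable x holds B's nonce n after msg 2."""
    m, n = env_a['m'], env_a['x']
    msg1 = ('A', 'B', m, 'A')
    msg2 = ('B', 'A', n, sig('B', (m, n, 'A')))
    return actions_in_order(trace, ('A', 'send', msg1), ('B', 'receive', msg1),
                            ('B', 'send', msg2), ('A', 'receive', msg2))


if __name__ == '__main__':
    trace, envs = run_cr()
    for ev in trace:
        print(ev)
    print('CR postcondition holds:', cr_postcondition(trace, envs['A']))
```

The executor deliberately models only the honest run, which is what the postcondition on slide 10 describes; the logic's job is to show that the same ordering holds in every run with an attacker, which a single symbolic execution cannot do and the proof system is for.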

  13. Outline: Protocol Composition Logic
  • Background
  • Compositional Reasoning
  • Complexity-theoretic foundations

  14. Reasoning about Composition
  • Non-destructive Combination: ensure combined parts do not interfere
    • In logic: invariance assertions
  • Additive Combination: accumulate security properties of combined parts, assuming they do not interfere
    • In logic: before-after assertions

  15. Proof steps (Intuition)
  • Protocol independent reasoning
    • Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
    • Still good: unaffected by composition
  • Protocol specific reasoning
    • "if honest Bob generates a signature of the form sigB{m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice"
    • Could break: Bob's signature from one protocol could be used to attack another
  • Technically:
    • Protocol-specific proof steps use invariants
    • Invariants must be preserved for safe composition

  16. Diffie-Hellman: Property
  • Formula: [ new a ]A Fresh(A, g^a)
  • Explanation:
    • Modal form: [ actions ]P φ
    • Actions: [ new a ]A
    • Postcondition: Fresh(A, g^a)

  17. Challenge Response: Property
  • Modal form: θ [ actions ]P φ
  • precondition: Fresh(A, m)
  • actions: [ Initiator role actions ]A
  • postcondition: Honest(B) ⊃ ActionsInOrder(
      send(A, {A,B,m}),
      receive(B, {A,B,m}),
      send(B, {B,A,{n, sigB{m, n, A}}}),
      receive(A, {B,A,{n, sigB{m, n, A}}}) )

  18. Composition: DH + CR = ISO-9798-3
  • Additive Combination
    • DH post-condition matches CR precondition
    • Sequential Composition: substitute g^a for m in CR to obtain ISO; apply composition rule
    • ISO initiator role inherits CR authentication
    • DH secrecy is also preserved: proved using another application of composition rule
  • Nondestructive Combination
    • DH and CR satisfy each other's invariants

  19. Composing protocols (figure). Invariants Γ and Γ': DH ⊨ Honest(X) ⊃ …, CR ⊨ Honest(X) ⊃ …; Γ ⊢ Secrecy, Γ' ⊢ Authentication; together Γ, Γ' ⊢ Secrecy ∧ Authentication [additive]; DH ⊨ Γ' and CR ⊨ Γ [nondestructive]; hence ISO ⊨ Secrecy ∧ Authentication.

  20. Composition Theorems
  • Parallel Composition [DDMP-JCS05]: If Q ⊨ Γ, Γ ⊢ θ [S]P φ, and Q' ⊨ Γ, then Q | Q' ⊨ θ [S]P φ
  • Sequential Composition [DDMP-JCS05]: If Q ⊨ Γ, Γ ⊢ θ [S]P φ, Q' ⊨ Γ', Γ' ⊢ φ [T]P ψ, Q ⊨ Γ', Q' ⊨ Γ, then Q'' ⊨ θ [S; T]P ψ, where Q'' is a sequential composition of Q and Q'
  • Staged Composition [HSDDM05]

  21. Parallel Composition
  • Q ⊢ Inv(Q)
  • Inv(Q) ⊢ θ [P]X φ
  • Qi ⊢ Inv(Q) for each protocol Qi in the safe environment Q1, Q2, Q3, …, Qn for Q
  • Conclusion: Q | (Q1 | Q2 | … | Qn) ⊢ θ [P]X φ
  • No reasoning about attacker
  • Different from: assume-guarantee in distributed computing [MC81]; Universal Composability [C01, PW01]

  22. Staged Composition
  • Qi ⊢ Inv(Qi)
  • Inv(Qi) ⊢ θi [Pi]X φi
  • Qi ⊢ Inv(Qj)
  • φi ⊃ θi+1
  • ∀B ∈ ∪j≥i ProtocolSteps(Qj). φi [B]X φi
  • Conclusion: SC(Q1, Q2, …, Qn) ⊢ θ1 [P; Pi]X φi
  • Proof structure (figure): proof of each component Q1, Q2, Q3, …, Qn; parallel composition; sequential composition; staged composition
  • Applicable to large protocols with error-handling flows between components, e.g., IEEE 802.11i

  23. Outline: Protocol Composition Logic
  • Background
  • Compositional Reasoning
  • Complexity-theoretic foundations

  24. Two worlds (figure: symbolic model and complexity-theoretic model). Can we get the best of both worlds?

  25. Our Approach (figure)
  • Protocol Composition Logic (PCL), the talk so far: Syntax; Proof System; Symbolic "Dolev-Yao" model; Semantics
  • Computational PCL, leveraging PCL's success: Syntax ±; Proof System ±; Complexity-theoretic model; Semantics

  26. Main Result
  • Computational PCL: a symbolic logic for proving security properties of network protocols that use public-key encryption
  • Soundness Theorem: if a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1
    + Symbolic proofs
    + Complexity-theoretic model

  27. Syntax
  • Similar to PCL
  • Main difference: Has(X, t) in PCL becomes Possess(X, t) and Indistinguishable(X, t) in Computational PCL

  28. Complexity-theoretic semantics
  • Fix protocol Q, PPT adversary A, security parameter n
  • Vary random bits used by all programs
  • Obtain set of equi-probable traces, T = T(Q, A, n); a formula denotes a subset [[φ]](T, D, f) ⊆ T(Q, A, n)
  • Q ⊨ φ if ∀A ∀D ∀f negligible function ∃n0 ∀n > n0 s.t. |[[φ]](T, D, f)| / |T| > 1 - f(n), where the ratio represents probability

  29. Inductive Semantics (semantics of formulas are transformers on the probability distribution over traces)
  • [[φ1 ∧ φ2]](T, D, f) = [[φ1]](T, D, f) ∩ [[φ2]](T, D, f)
  • [[φ1 ∨ φ2]](T, D, f) = [[φ1]](T, D, f) ∪ [[φ2]](T, D, f)
  • [[¬φ]](T, D, f) = T - [[φ]](T, D, f)
  • [[φ1 ⊃ φ2]](T, D, f) = [[¬φ1]](T, D, f) ∪ [[φ2]](T', D, f) with T' = [[φ1]](T, D, f); implication uses conditional probability

  30. Example
  Protocol: A → B: A, B, {n, A}B
  • Security Property (secrecy): [Initiator Program]A Honest(B) ⊃ (∀X (X ≠ A, B) ⊃ Indistinguishable(X, n))

  31. Soundness of proof system
  • Axiom: Source(Y, u, {m}X) ∧ Decrypts(X, {m}X) ∧ Honest(X, Y) ∧ (Z ≠ X, Y) ⊃ Indistinguishable(Z, u)
  • Proof idea: crypto-style reduction
    • Assume axiom not valid ⇒ ∃A ∃D ∃f negligible function ∀n0 ∃n > n0 s.t. |[[φ]](T, D, f)| / |T| < 1 - f(n)
    • Construct attacker A' that uses A, D to break IND-CCA2 secure encryption scheme
    • Conditional implication essential
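Slides 28 to 31 define formulas as subsets of a trace set, make implication condition its consequent on the antecedent's traces, and say that this conditional reading is essential for soundness. The following is an added example, not code from the talk or from the CPCL work: it builds a constructed set T of eight equiprobable traces for a toy run of the slide-30 protocol, a constructed distinguisher D, and evaluates Honest(B) ⊃ Indistinguishable(X, n) both with the conditional implication of slide 29 and with classical implication, so the difference the slides allude to is visible. The trace fields, the one-bit "nonce", the formula encoding and the fixed bound EPS standing in for f(n) at a single security parameter are all assumptions of the example.

```python
"""Toy model of the complexity-theoretic semantics: a formula denotes a
subset of a set T of equiprobable traces, implication conditions its
consequent on the antecedent's traces, and Q |= phi means the subset has
probability > 1 - f(n). Added example, not from the talk; the trace set,
the distinguisher D and the formula encoding are constructed here."""
from fractions import Fraction

EPS = Fraction(1, 10)   # plays the role of f(n) at one fixed security parameter n

# Constructed T(Q, A, n): eight equiprobable traces of a toy run. Each records
# whether B was honest, the secret bit of the nonce n, and the adversary's
# view (a dishonest B leaks n into the view; an honest B leaks nothing).
T = []
for honest in (True, False):
    for bit in (0, 1):
        for _ in range(2):
            T.append({'id': len(T), 'honest': honest, 'n': bit,
                      'view': None if honest else bit})


def D(view):
    """Constructed distinguisher: output a leaked bit, otherwise guess 0."""
    return 0 if view is None else view


def Honest(t):
    return t['honest']


# Formula syntax: ('atom', pred) | ('indist', field) | ('not', f)
#                 | ('and', f, g) | ('or', f, g) | ('imp', f, g)
SECRECY = ('imp', ('atom', Honest), ('indist', 'n'))   # Honest(B) ⊃ Indistinguishable(X, n)


def sem(phi, T, D, eps, conditional=True):
    """[[phi]](T, D, eps): the traces of T on which phi holds.
    conditional=False evaluates the consequent of an implication over all of T
    instead of T' = [[phi1]](T), i.e. classical implication, for comparison."""
    kind = phi[0]
    if kind == 'atom':
        return [t for t in T if phi[1](t)]
    if kind == 'indist':
        # Indistinguishable(field) holds on all of T or on none of it: D's
        # advantage in guessing the field over THIS distribution must be < eps.
        if not T:
            return []
        hits = sum(1 for t in T if D(t['view']) == t[phi[1]])
        advantage = abs(Fraction(hits, len(T)) - Fraction(1, 2))
        return list(T) if advantage < eps else []
    if kind == 'not':
        s = sem(phi[1], T, D, eps, conditional)
        return [t for t in T if t not in s]
    if kind in ('and', 'or'):
        s1 = sem(phi[1], T, D, eps, conditional)
        s2 = sem(phi[2], T, D, eps, conditional)
        if kind == 'and':
            return [t for t in T if t in s1 and t in s2]
        return [t for t in T if t in s1 or t in s2]
    if kind == 'imp':
        not_s1 = sem(('not', phi[1]), T, D, eps, conditional)
        T2 = sem(phi[1], T, D, eps, conditional) if conditional else T
        s2 = sem(phi[2], T2, D, eps, conditional)
        return [t for t in T if t in not_s1 or t in s2]
    raise ValueError(f'unknown connective {kind}')


def satisfies(T, phi, D, eps, conditional=True):
    """Q |= phi at this security parameter: |[[phi]](T, D, eps)| / |T| > 1 - eps."""
    return Fraction(len(sem(phi, T, D, eps, conditional)), len(T)) > 1 - eps


if __name__ == '__main__':
    print('conditional implication:', satisfies(T, SECRECY, D, EPS))         # True
    print('classical implication:  ', satisfies(T, SECRECY, D, EPS, False))  # False
```

Over all of T the constructed D guesses n correctly on 6 of 8 traces (every dishonest run leaks it), an advantage of 1/4, so a classical reading evaluates Indistinguishable(X, n) to the empty set and the implication holds only on the dishonest half of T. Conditioning on the traces where Honest(B) holds removes the leaking runs, D's advantage there is 0, and the property holds on all of T; this is the effect of the conditional-probability definition of implication on slide 29.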

  32. Logic and Cryptography: Big Picture (figure). Layers, top to bottom: protocol security proofs using proof system; axiom in proof system; semantics and soundness theorem; complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption); crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme).

  33. Current Work
  • Investigate nature of logic
    • Propositional fragment not classical: ⊃ represents conditional probability
    • Complexity-theoretic reductions
    • Connections with probabilistic logics (e.g. Nilsson86)
  • Generalize reasoning about secrecy
    • Probability close to ½ instead of 1
    • Not a trace property
  • Extend logic
    • More primitives: signature, hash functions, …
    • Remove current syntactic restrictions on formulas
  • Information-theoretic semantics
    • Only probability; no complexity

  34. Summary
  • Methodology:
    • Divide-and-conquer paradigm in security
    • Combining logic and cryptography
  • Applications:
    • IEEE 802.11i (Attack! Fix adopted by IEEE WG)
    • GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
    • IKEv2 [IETF Internet Draft; 2004]
    • TLS [RFC 2246; 1999]
    • Kerberos V5 [IETF Internet Draft; 2004]
    • Mobile IPv6 [RFC 3775; 2004] (New Attack!)

  35. Publications in dissertation
  • A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue]
  • A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. Abstraction and refinement in protocol derivation [CSFW04]
  • A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic [ICALP05]
  • A. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan, V. Shmatikov. Unifying equivalence-based definitions of protocol security [WITS04]

  36. Other publications
  • A. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan. On the Relationships between Notions of Simulation-based Security [TCC05]
  • M. Backes, A. Datta, A. Derek, J. C. Mitchell, M. Turuani. Compositional Analysis of Contract-Signing Protocols [CSFW05]
  • A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. Secure Protocol Composition [MFPS03]
  • A. Datta, A. Derek, J. C. Mitchell, A. Ramanathan, A. Scedrov. The Impossibility of Realizable Ideal Functionality [In submission]
  • C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i [In submission]
