
Security Analysis of Network Protocols

Security Analysis of Network Protocols. Anupam Datta, Stanford University. Talk given at UW-Madison CSD, April 18, 2005.
Outline. Part I: Overview (Motivation; Central problems; Divide and Conquer paradigm; Combining logic and cryptography; Results). Part II: Glimpses of technical machinery.





Presentation Transcript


  1. Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005

  2. Outline
     Part I: Overview
     • Motivation
     • Central problems
     • Divide and Conquer paradigm
     • Combining logic and cryptography
     • Results
     Part II: Glimpses of technical machinery
     • Divide and Conquer Paradigm
     • Protocol Derivation System
     • Protocol Composition Logic
     • Combining logic and cryptography
     • Complexity-theoretic foundations

  3. This talk is about…
     • Industrial network protocols
       • Internet Engineering Task Force (IETF) Standards
         • SSL/TLS - web authentication
         • IPSec - corporate VPNs
         • Mobile IPv6 – routing security
         • Kerberos - network authentication
         • GDOI – secure group communication
       • IEEE Standards Working Group
         • 802.11i - wireless security
     • And methods for their security analysis
       • Security proof in some model; or
       • Identify attacks

  4. Motivating Example [Needham-Schroeder78]
     A → B: { A, Nonce_a }_Kb
     B → A: { Nonce_a, Nonce_b }_Ka
     A → B: { Nonce_b }_Kb
     Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1

  5. Anomaly in Needham-Schroeder [Lowe96]
     A → E: { A, Na }_Ke
     E → B: { A, Na }_Kb
     B → E: { Na, Nb }_Ka
     E → A: { Na, Nb }_Ka
     A → E: { Nb }_Ke
     E → B: { Nb }_Kb
     Evil agent E tricks honest A into revealing private key Nb from B. Evil E can then fool B.
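The anomaly above, replayed in a tiny symbolic (Dolev-Yao style) model, and the same trace run against Lowe's fix (NSL, where the responder adds its own name to message 2). This is an added illustration, not code from the talk; keys, nonces and principal names are constructed labels.

```python
# Symbolic replay of Lowe's attack on Needham-Schroeder public key (NS) and of the
# same trace against the Lowe fix (NSL). Constructed example, not the slides' code.
# A message ("enc", k, payload) is public-key encryption under k: only the holder of
# the matching private key can open it. E is a legitimate principal with its own key.

def enc(key, *payload):
    return ("enc", key, payload)

def dec(key, msg):
    """Open a ciphertext only with the matching key; raise otherwise."""
    tag, k, payload = msg
    if tag != "enc" or k != key:
        raise ValueError("cannot decrypt")
    return payload

def run_attack(lowe_fix):
    """Return True if E ends up knowing (Na, Nb) while B believes it ran the protocol with A."""
    Na, Nb = "Na", "Nb"                       # constructed nonces
    m1 = enc("Ke", "A", Na)                   # A -> E : {A, Na}_Ke   (A willingly talks to E)
    a, na = dec("Ke", m1)                     # E opens it ...
    m1_fwd = enc("Kb", a, na)                 # E -> B : {A, Na}_Kb   (E impersonates A)
    _, na_b = dec("Kb", m1_fwd)               # B believes initiator is A
    # B -> E -> A : {Na, Nb}_Ka, with B's name added under the Lowe fix
    m2 = enc("Ka", na_b, Nb, "B") if lowe_fix else enc("Ka", na_b, Nb)
    try:                                      # E holds only Ke: it cannot read m2,
        dec("Ke", m2)                         # it can only relay it to A
        raise AssertionError("intruder must not be able to read m2")
    except ValueError:
        pass
    fields = dec("Ka", m2)
    if lowe_fix:
        _, nb_a, responder = fields
        if responder != "E":                  # A started with E, but message 2 names B
            return False                      # A aborts: the relayed message is rejected
    else:
        _, nb_a = fields
    m3 = enc("Ke", nb_a)                      # A -> E : {Nb}_Ke   (A reveals Nb to E)
    (nb_e,) = dec("Ke", m3)
    m3_fwd = enc("Kb", nb_e)                  # E -> B : {Nb}_Kb
    (nb_b,) = dec("Kb", m3_fwd)               # B completes, thinking A knows Na, Nb
    return nb_b == Nb and nb_e == Nb
```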

  6. Characteristics of protocols
     • Relatively simple distributed programs
       • 5-7 steps, 3-10 fields per message (per component)
     • Mission critical
       • Security of data, credit card numbers, …
     • Subtle
       • Concurrency: attack may combine data from many sessions
       • Computation: modeling cryptographic primitives
     Good domain for logical methods. Active research area since early 80’s.

  7. SSL authentication
     Security Analysis Methodology: Protocol + Property + Attacker model → Analysis Tool → Security proof or attack
     Our tool: Protocol Composition Logic (PCL)
     Attacker model:
     - Complete control over network
     - Perfect crypto
     Result: 42 line axiomatic proof

  8. Classifying Attacks
     • Implementation bugs
       • Buffer overflow, format string vulnerabilities
     • Cryptography breaks
       • IEEE 802.11b (WEP encryption), GSM cell phone
     • Protocol flaws
       • Needham-Schroeder, IKE, IEEE 802.11i
     • Focus on protocol flaws assuming “strong crypto”
       • Complexity-theoretic characterization of “strong crypto”

  9. IEEE 802.11i wireless security [2004]
     Parties: Wireless Device, Access Point, Authentication Server
     Phases (uses crypto: encryption, hash, …):
     • 802.11 Association
     • EAP/802.1X/RADIUS Authentication
     • 4-way handshake
     • Group key handshake
     • Data communication
     • Divide-and-conquer paradigm
     • Combining logic and cryptography

  10. Divide-and-Conquer paradigm (Central Problem 1)
     Composition is a hard problem in security
     • Result: Protocol Derivation System
       • Incremental protocol construction
     • Result: Protocol Composition Logic (PCL)
       • Compositional correctness proofs
     • Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], …

  11. Combining logic and cryptography (Central Problem 2)
     • Symbolic model [DY84]
       - Perfect cryptography assumption
       + Idealization => tools and techniques
     • Complexity-theoretic model [GM84]
       + More detailed model; probabilistic guarantees
       - Hand-proofs very hard; no automation
     • Result: Computational PCL
       + Logical proof methods
       + Complexity-theoretic crypto model
     • Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]

  12. Applied to industrial protocols
     • IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG)
     • IKEv2 [IETF Internet Draft; 2004]
     • TLS/SSL [RFC 2246; 1999]
     • Kerberos V5 [IETF Internet Draft; 2004]
     • GDOI Secure Group Communication protocol [RFC 3547; 2003] (Attack! Fix adopted by IETF WG)
     Many More:
     • STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-3, NSL, …

  13. Internet IPSec
     IP layer host-to-host security
     • Widely deployed: Corporate VPNs
     • Provides secrecy and integrity
     • IKEv2 is the IPSec key exchange protocol

  14. IKEv2 [IETF ID 2004]
     Multi-mode protocol: authenticator can use either signature or pre-shared key
     IKE_INIT (Exchange key material)
       I → R: HDR, SAi1, g^i, Ni
       R → I: HDR, SAr1, g^r, Nr
     IKE_AUTH (Authenticate)
       I → R: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}
       R → I: HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr}
     IKE_CHILD_SA (Rekey)
     • Modular proofs
     • Multi-mode (Unified “template” proof)
     • Properties: authentication, shared secret, identity & DoS protection, repudiability

  15. Mobile IPv6 [IETF ID 2004]
     [Figure: a node moving between Wisconsin and Stanford; labels: Correspondent Node, Home address, Care of address]
     • Change of location
     • Authentication
     • DoS issues
     • Protocol breaks if attacker controls complete network

  16. GDOI [RFC 3547, 2003]
     [Figure: group controller and group members over a public network]
     Communicating in a group can be difficult…
     • Secure group communication
     • Composition attack
     • Fix adopted by IETF WG

  17. Protocol analysis spectrum
     [Figure: chart with axes "Protocol complexity" (Low → High) and "Strength of attacker model" (Low → High). Methods placed on it: Model checking (FDR, Murφ), BAN logic, NRL, Paulson, Athena, Spi-calculus, Protocol logic, Multiset rewriting, Poly-time calculus, Computational protocol logic, Hand proofs. The "Holy Grail" sits at High on both axes; the chart is annotated with "Divide and conquer" and "Combining logic and cryptography".]

  18. Outline
     Part I: Overview
     Part II: Glimpses of technical machinery
     • Divide and conquer paradigm
     • Protocol Derivation System
     • Protocol Composition Logic
     • Combining logic and cryptography
     • Complexity-theoretic foundations

  19. Protocol Derivation System
     • Construct protocol with properties:
       • Shared secret
       • Authenticated
       • Identity Protection
       • DoS Protection
     • Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)

  20. Component 1: Diffie Hellman
     A → B: g^a
     B → A: g^b
     • Shared secret (with someone)
       • A deduces: Knows(Y, g^ab) ⊃ (Y = A) ∨ Knows(Y, b)
     • Authenticated
     • Identity Protection
     • DoS Protection

  21. Component 2: Challenge-Response
     A → B: m, A
     B → A: n, sig_B {m, n, A}
     A → B: sig_A {m, n, B}
     • Shared secret
     • Authenticated
       • A deduces: Received(B, msg1) ∧ Sent(B, msg2)
     • Identity Protection
     • DoS Protection

  22. Composition: ISO-9798-3
     Substitute m := g^a, n := g^b into Challenge-Response:
     A → B: g^a, A
     B → A: g^b, sig_B {g^a, g^b, A}
     A → B: sig_A {g^a, g^b, B}
     • Shared secret: g^ab
     • Authenticated
     • Identity Protection
     • DoS Protection
     Technically: sequential composition with variable substitution

  23. Refinement: Encrypt Signatures
     A → B: g^a, A
     B → A: g^b, E_K {sig_B {g^a, g^b, A}}
     A → B: E_K {sig_A {g^a, g^b, B}}
     • Shared secret: g^ab
     • Authenticated
     • Identity Protection
     • DoS Protection
     Technically: term replacement/function variable substitution

  24. Transformation: Use cookie (JFK core protocol)
     A → B: g^a, A
     B → A: g^b, hash_KB {g^b, g^a}
     A → B: g^a, g^b, E_K {sig_A {g^a, g^b, B}}, hash_KB {g^b, g^a}
     B → A: g^b, E_K {sig_B {g^a, g^b, A}}
     • Shared secret: g^ab
     • Authenticated
     • Identity Protection
     • DoS Protection
     Technically: program transformation

  25. Tool Support (PDA)

  26. Outline
     Part I: Overview
     Part II: Glimpses of technical machinery
     • Divide and conquer paradigm
     • Protocol Derivation System
     • Protocol Composition Logic
     • Combining logic and cryptography
     • Complexity-theoretic foundations

  27. Challenge-Response: Proof Idea
     A → B: m, A
     B → A: n, sig_B {m, n, A}
     A → B: sig_A {m, n, B}
     • Alice reasons: if Bob is honest, then:
       • only Bob can generate his signature. [protocol independent]
       • if Bob generates a signature of the form sig_B {m, n, A},
         • he sends it as part of msg 2 of the protocol and
         • he must have received msg1 from Alice. [protocol specific]
     • Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)

  28. Reasoning method
     • Reason about local information
       • I know my own actions
     • Incorporate knowledge of protocol
       • Honest people faithfully follow protocol
     • No explicit reasoning about intruder
       • Absence of bad action expressed as a positive property of good actions
       • E.g., honest agent’s signature can be produced only by the agent
     Distinguishes our method from existing techniques

  29. Formalism
     • Cord calculus
       • Protocol programming language
       • Execution model (Symbolic/“Dolev-Yao”)
     • Protocol logic
       • Expressing protocol properties
     • Proof system
       • Proving protocol properties
       • Soundness theorem

  30. Challenge-Response as Cords
     A → B: m, A
     B → A: n, sig_B {m, n, A}
     A → B: sig_A {m, n, B}

     RespCR(B) = [
       receive Y, B, y, Y;
       new n;
       send B, Y, n, sig_B{y, n, Y};
       receive Y, B, sig_Y{y, n, B};
     ]

     InitCR(A, X) = [
       new m;
       send A, X, m, A;
       receive X, A, x, sig_X{m, x, A};
       send A, X, sig_A{m, x, X};
     ]

  31. Challenge Response: Property
     • Modal form: θ [ actions ]P φ
       • precondition θ: Fresh(A, m)
       • actions: [ Initiator role actions ]A
       • postcondition φ:
           Honest(B) ⊃ ActionsInOrder(
             send(A, {A, B, m}),
             receive(B, {A, B, m}),
             send(B, {B, A, {n, sig_B {m, n, A}}}),
             receive(A, {B, A, {n, sig_B {m, n, A}}}) )

  32. Proof System
     • Sample Axioms:
       • Reasoning about possession:
         • [receive m ]A Has(A, m)
         • Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
       • Reasoning about crypto primitives:
         • Honest(X) ∧ Decrypt(Y, enc_X{m}) ⊃ X = Y
         • Honest(X) ∧ Verify(Y, sig_X{m}) ⊃ ∃ m’ (Send(X, m’) ∧ Contains(m’, sig_X{m}))
     • Soundness Theorem:
       • Every provable formula is valid

  33. Reasoning about Composition
     • Non-destructive Combination:
       • Ensure combined parts do not interfere
       • In logic: invariance assertions
     • Additive Combination:
       • Accumulate security properties of combined parts, assuming they do not interfere
       • In logic: before-after assertions

  34. Proof steps (Intuition)
     • Protocol independent reasoning
       • Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
       • Still good: unaffected by composition
     • Protocol specific reasoning
       • “if honest Bob generates a signature of the form sig_B {m, n, A},
         he sends it as part of msg 2 of the protocol and
         he must have received msg1 from Alice”
       • Could break: Bob’s signature from one protocol could be used to attack another
     • Technically:
       • Protocol-specific proof steps use invariants
       • Invariants must be preserved for safe composition

  35. Composing protocols
     Invariants: Γ for DH (Honest(X) ⊃ …), Γ’ for CR (Honest(X) ⊃ …)
     Γ |- Secrecy            (DH)
     Γ’ |- Authentication    (CR)
     Γ’ |- Secrecy,  Γ’ |- Authentication
     Γ’ |- Secrecy ∧ Authentication                 [additive]
     DH ; CR’  =  ISO: Secrecy ∧ Authentication      [nondestructive]
     Sequential and parallel composition theorems

  36. Composition Rules
     • Invariant weakening rule
         Γ |- θ […]P φ
         ───────────────────
         Γ ∧ Γ’ |- θ […]P φ
     • Sequential Composition
         Γ |- θ [ S ]P φ     Γ |- φ [ T ]P ψ
         ─────────────────────────────────────
         Γ |- θ [ S; T ]P ψ
     • Prove invariants from protocol
         Q |- Γ     Q’ |- Γ
         ───────────────────
         Q ⊗ Q’ |- Γ
     Also have proof method for class of refinements & transformations

  37. Applications
     • IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG)
     • IKEv2 [IETF Internet Draft; 2004]
     • TLS [RFC 2246; 1999]
     • Kerberos V5 [IETF Internet Draft; 2004]
     • GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
     Many More:
     • STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-3, NSL, …

  38. Tool Support
     • Isabelle Proof Assistant for PCL
     • Encode syntax and proof system of PCL into a generic theorem-prover

       consts  PSend :: "[thread, CTerm] => o"
       syntax  PSend :: "[threadI, CTermlist] => actformI"  ("Send'(_,_')")
       axioms
         AA1S: "{P, X[send t], Send(X,t)}"
         REC:  "Receive(X,t) --> Has(X,t)"
       Rule:
         SEQ:  "[|{P, X[S1], Q} ; {Q, X[S2], R}|] ==> {P, X[S1 ; S2], R}"

  39. Sample proof (forward reasoning)
     • Use PCL axioms and rules to carry out proofs
     • Use Isabelle’s first-order reasoner

       lemma "{P, X[new t; send t], Has(X,t) & Send(X,t)}";
       proof -;
         have A: "{P, X[new t; send t], Has(X,t)}";
           apply (rule G3);
           apply (rule SEQ);
           apply (rule AA1N);
           apply (rule P1N);
           apply (blast);
           apply (rule ORIG);
         done;

  40. Outline
     Part I: Overview
     Part II: Glimpses of technical machinery
     • Divide and conquer paradigm
     • Protocol Derivation System
     • Protocol Composition Logic
     • Combining logic and cryptography
     • Complexity-theoretic foundations

  41. Two worlds Can we get the best of both worlds?

  42. Our Approach
     Talk so far…
     • Protocol Composition Logic (PCL)
       • Syntax
       • Proof System
     • Symbolic “Dolev-Yao” model
       • Semantics
     Leverage PCL success
     • Computational PCL
       • Syntax ± ε
       • Proof System ± ε
     • Complexity-theoretic model
       • Semantics
     Idea: Use same logical proof methods for complexity-theoretic cryptography

  43. Our result
     • Computational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption
     • Soundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1.
     + Symbolic proofs
     + Complexity-theoretic model
     Logical methods for complexity-theoretic cryptography

  44. Soundness of proof system
     • Information-theoretic reasoning
         [new u]X (Y ≠ X) ⊃ Indistinguishable(Y, u)
     • Complexity-theoretic reductions
         Source(Y, u, {m}_X) ∧ Decrypts(X, {m}_X) ∧ Honest(X, Y) ∧ (Z ≠ X, Y) ⊃ Indistinguishable(Z, u)
     • Asymptotic calculations
         Reduction to CCA2-secure encryption scheme
         Sum of two negligible functions is a negligible function
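The last bullet carried through as an added derivation (not from the slides). Assume the soundness argument bounds the probability that a CPCL-provable property fails by a statistical term plus the loss of the CCA2 reduction, written here as ε_stat and ε_CCA2 (names assumed); both are negligible in the security parameter η.

$$
f \text{ is negligible} \;\iff\; \forall\, \text{polynomial } p\ \exists\, n_p\ \forall n \ge n_p:\ f(n) \le \frac{1}{p(n)}
$$

Fix a polynomial $p$ and apply the definition to $f$ and $g$ with the polynomial $2p$:

$$
\exists\, n_f:\ \forall n \ge n_f,\ f(n) \le \frac{1}{2p(n)}, \qquad
\exists\, n_g:\ \forall n \ge n_g,\ g(n) \le \frac{1}{2p(n)}
$$

$$
n \ge \max(n_f, n_g) \;\Rightarrow\; f(n) + g(n) \le \frac{1}{2p(n)} + \frac{1}{2p(n)} = \frac{1}{p(n)}
$$

Since $p$ was arbitrary, $f + g$ is negligible. With $f = \varepsilon_{\text{stat}}$ and $g = \varepsilon_{\text{CCA2}}$:

$$
\Pr[\text{property fails at } \eta] \le \varepsilon_{\text{stat}}(\eta) + \varepsilon_{\text{CCA2}}(\eta) = \mathrm{negl}(\eta),
\qquad
\Pr[\text{property holds at } \eta] \ge 1 - \mathrm{negl}(\eta)
$$

which is the "probability asymptotically close to 1" of the soundness theorem on slide 43.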

  45. Summary
     • Methodology:
       • Divide-and-conquer paradigm in security
       • Combining logic and cryptography
     • Applications:
       • IEEE 802.11i (Attack! Fix adopted by IEEE WG)
       • GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
       • IKEv2 [IETF Internet Draft; 2004]
       • TLS [RFC 2246; 1999]
       • Kerberos V5 [IETF Internet Draft; 2004]

  46. Research Directions
     • Bring automated tools and techniques to industrial protocol design
       • Formal methods and cryptography
       • Composition of secure systems
     • Apply similar techniques to other kinds of security mechanisms
       • Web services
     • Software analysis of secure systems
       • Model-checking C code
