18739A: Foundations of Security and Privacy. Protocol Composition Logic II. Anupam Datta Fall 2007-08. Protocol Analysis Techniques. Crypto Protocol Analysis. Formal Models. Dolev-Yao (perfect cryptography). Computational Models. Random oracle Probabilistic process calculi
18739A: Foundations of Security and Privacy Protocol Composition Logic II Anupam Datta Fall 2007-08
Protocol Analysis Techniques
Crypto Protocol Analysis
• Formal Models: Dolev-Yao (perfect cryptography)
  • Model Checking: Murphi, AVISPA
  • Protocol Logics: BAN, PCL
  • Process Calculi: Applied π-calculus
  • Inductive Proofs: Paulson, MSR
  • …
• Computational Models
  • Random oracle
  • Probabilistic process calculi
  • Probabilistic I/O automata
  • …
Protocol Composition Logic • Intuition • Formalism • Protocol programming language • Protocol logic • Proof System • Example • Signature-based challenge-response • Proof techniques (TODAY)
Example: JFK Protocol • Recall earlier lecture about JFK design • Today we will describe corresponding proof techniques
Ingredient 1: Diffie-Hellman
A → B: g^a
B → A: g^b
• Shared secret: g^ab
• Authentication
• Identity protection
Ingredient 2: Challenge-Response
A → B: m, A
B → A: n, sig_B{m, n, A}
A → B: sig_A{m, n, B}
• Shared secret
• Authentication
• Identity protection
DH + Challenge-Response
ISO 9798-3 protocol:
A → B: g^a, A
B → A: g^b, sig_B{g^a, g^b, A}
A → B: sig_A{g^a, g^b, B}
m := g^a, n := g^b (formalized as sequential composition)
• Shared secret: g^ab
• Authentication
• Identity protection
Ingredient 3: Encryption
Encrypt signatures to protect identities:
A → B: g^a, A
B → A: g^b, E_K{sig_B{g^a, g^b, A}}
A → B: E_K{sig_A{g^a, g^b, B}}
Formalized using abstraction-refinement
• Shared secret: g^ab
• Authentication
• Identity protection
PCL Proof Techniques • Modular Proofs • Parallel Composition • Sequential Composition • Generic Template-style Proofs • Function variables • Higher-order logic extension
Parallel Composition of Protocols • The parallel composition Q1 | Q2 of protocols Q1 and Q2 is the union of the sets of roles of Q1 and Q2. • Example: • IKEv2 | SSL
Compositional Proofs: Intuition
• Protocol specific reasoning
  • “if honest Bob generates a signature of the form sig_B{m, n, A}, he sends it as part of msg2 …”
  • Could break: Bob’s signature from one protocol could be used to attack another
  • PCL proof system: Invariant rule
• Protocol independent reasoning
  • Axiom stating unforgeability of signatures
  • Still good: unaffected by composition
  • All other axioms and proof rules for PCL
Proof Tree
[Figure: proof tree; node labels: Inv, Axiom, INV rule, Other rules, Auth (Security property)]
• Q1 |- Inv
• Q1 | Q2 |- Inv
• Inv |- Auth
• Bulk of proof reused
• Additional work to prove Q2 |- Inv
• Theorem: If Q |- Inv and Q’ |- Inv, then Q | Q’ |- Inv
[DDMP CSF’03 -> JCS Special Issue, MFPS’03]
Parallel Composition Theorem • IF • Q1 satisfies security property in isolation • Q2 respects the invariants of Q1 used in the proof of security property • THEN • Q1 | Q2 also satisfies security property
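The invariant check behind the parallel composition theorem, as an added example that is not from the lecture or from the PCL proof system. It assumes a simplified, syntactic form of the invariant and a hypothetical tuple encoding of roles; the BENIGN and NOTARY protocols are constructed for illustration.

```python
from typing import NamedTuple

class Action(NamedTuple):
    kind: str    # "new", "recv" or "send"
    term: tuple  # variables bound by new/recv, or the message term sent

def signatures(term):
    """Yield every ("sig", signer, payload) subterm of a nested tuple."""
    if isinstance(term, tuple):
        if term and term[0] == "sig":
            yield term
        for sub in term:
            yield from signatures(sub)

def role_respects_inv(role):
    """Simplified Inv: in each signed triple (x, y, peer) the role created
    exactly one of x, y with `new` and received the other one earlier."""
    fresh, received = set(), set()
    for act in role:
        if act.kind == "new":
            fresh.update(act.term)
        elif act.kind == "recv":
            received.update(act.term)
        else:
            for _tag, _signer, payload in signatures(act.term):
                if len(payload) != 3:
                    continue  # other signature shapes are outside Inv
                x, y, _peer = payload
                ok = (x in fresh and y in received) or (x in received and y in fresh)
                if not ok:
                    return False
    return True

def parallel(q1, q2):
    """Q1 | Q2: the union of the two protocols' sets of roles."""
    return {**{"Q1." + r: a for r, a in q1.items()},
            **{"Q2." + r: a for r, a in q2.items()}}

def respects_inv(protocol):
    return all(role_respects_inv(r) for r in protocol.values())

# Constructed protocols. CR is the challenge-response from the slides.
CR = {"Init": [Action("new", ("m",)), Action("send", ("m", "A")),
               Action("recv", ("n",)),
               Action("send", (("sig", "A", ("m", "n", "B")),))],
      "Resp": [Action("recv", ("m",)), Action("new", ("n",)),
               Action("send", ("n", ("sig", "B", ("m", "n", "A"))))]}
# Hypothetical Q2 roles: Ping signs only a value it created itself; Sign
# signs any received pair with B's key and so breaks Inv.
BENIGN = {"Ping": [Action("new", ("t",)), Action("send", (("sig", "B", ("t",)),))]}
NOTARY = {"Sign": [Action("recv", ("x", "y")),
                   Action("send", (("sig", "B", ("x", "y", "A")),))]}
```

CR | BENIGN keeps the invariant, so the authentication proof for CR carries over unchanged; CR | NOTARY does not, which is exactly the case where the second hypothesis of the theorem fails.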
Sequential Composition of Protocols • Run protocols in sequence • Examples • Key exchange followed by secure sessions that use the exchanged key • Diffie-Hellman followed by Challenge-Response = ISO-9798-3
ISO-9798-3 Key Exchange
A → B: g^a, A
B → A: g^b, sig_B{g^a, g^b, A}
A → B: sig_A{g^a, g^b, B}
• Authentication
  • Do we need to prove it from scratch?
• Shared secret: g^ab
Goal: Combine proofs of Diffie-Hellman and challenge-response sub-protocols
Abstract challenge response
• Free variables m and n instead of nonces
• Modal form: [ actions ]
• precondition: Fresh(A,m)
• actions: [ InitACR ]_A
• postcondition: Honest(B) Authentication
• Secrecy is proved from properties of Diffie-Hellman
InitACR(A, X, m) = [
  send A, X, {m};
  receive X, A, {x, sig_X{m, x}};
  send A, X, sig_A{m, x};
]
RespACR(B, n) = [
  receive Y, B, {y};
  send B, Y, {n, sig_B{y, n}};
  receive Y, B, sig_Y{y, n};
]
Diffie-Hellman: Property
• Formula
  • true [ new a ]_A Fresh(A, g^a)
• Diffie-Hellman property:
  • Can compute g^ab given g^a and b or g^b and a
  • Cannot compute g^ab given g^a and g^b
Challenge Response: Property
• Modal form: [ actions ]P
• precondition: Fresh(A,m)
• actions: [ Initiator role actions ]_A
• postcondition: Honest(B) ActionsInOrder(
    send(A, {A,B,m}),
    receive(B, {A,B,m}),
    send(B, {B,A,{n, sig_B{m, n, A}}}),
    receive(A, {B,A,{n, sig_B{m, n, A}}}) )
Composition: DH+CR = ISO-9798-3
• Additive Combination
  • DH post-condition matches CR precondition
  • Sequential Composition:
    • Substitute g^a for m in CR to obtain ISO.
    • Apply composition rule
  • ISO initiator role inherits CR authentication.
  • DH secrecy is also preserved
    • Proved using another application of composition rule.
• Nondestructive Combination
  • DH and CR satisfy each other’s invariants
Sequential Composition Theorem • Both protocols should satisfy each other’s invariants (similar to parallel composition) • Post-condition of first should match pre-condition of second protocol
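The substitution step and the post/pre matching condition for DH followed by challenge-response, as an added example that is not from the lecture. The tuple encoding of roles, the names DH_INIT, CR_INIT and seq_compose, and the opaque "Auth" label for the CR postcondition are assumptions made for illustration.

```python
G_A = ("exp", "g", "a")  # symbolic term standing for g^a

# Initiator roles as precondition / actions / postcondition.
DH_INIT = {"pre": ("true",),
           "actions": [("new", "a")],
           "post": ("Fresh", "A", G_A)}
CR_INIT = {"pre": ("Fresh", "A", "m"),
           "actions": [("send", ("m", "A")),
                       ("receive", ("x", ("sig", "B", ("m", "x", "A")))),
                       ("send", (("sig", "A", ("m", "x", "B")),))],
           "post": ("Auth", "A", "B")}  # opaque label for the CR guarantee

def subst(term, sigma):
    """Replace variables by terms everywhere inside a nested tuple."""
    if isinstance(term, tuple):
        return tuple(subst(t, sigma) for t in term)
    return sigma.get(term, term)

def matches(first, second, sigma):
    """Side condition: post of `first` equals pre of `second` under sigma."""
    return first["post"] == subst(second["pre"], sigma)

def seq_compose(first, second, sigma):
    """Run `first`, then `second` with sigma applied; refuse on mismatch.
    The invariant (nondestructive) condition is not checked here."""
    if not matches(first, second, sigma):
        raise ValueError("postcondition does not match precondition")
    return {"pre": first["pre"],
            "actions": first["actions"]
                       + [subst(a, sigma) for a in second["actions"]],
            "post": subst(second["post"], sigma)}

# m := g^a turns the challenge-response initiator into the ISO-9798-3 one.
ISO_INIT = seq_compose(DH_INIT, CR_INIT, {"m": G_A})
```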
PCL Proof Techniques • Modular Proofs • Parallel Composition • Sequential Composition • Generic Template-style Proofs • Function variables • Higher-order logic extension
Protocol Templates • Protocols with function variables instead of specific cryptographic operations • Idea: One template can be instantiated to many protocols • Advantages: • proof reuse • design principles/patterns [DDMP CSF’04]
Example Challenge-Response Template
Template:
A → B: m
B → A: n, F(B,A,n,m)
A → B: G(A,B,n,m)
Instantiations:
ISO-9798-2:
A → B: m
B → A: n, E_KAB(n,m,B)
A → B: E_KAB(n,m)
SKID3:
A → B: m
B → A: n, H_KAB(n,m,B)
A → B: H_KAB(n,m,A)
ISO-9798-3:
A → B: m
B → A: n, sig_B(n,m,A)
A → B: sig_A(n,m,B)
Extending Formalism • Language Extensions • Add function variables to term language for cords and logic (HOL) • Semantics • Q |= φ σQ |= σφ, for all substitutions σ eliminating all function variables • Soundness Theorem • Every provable formula is valid
Abstraction-Instantiation Method(1) • Characterizing protocol concepts • Step 1: Under hypotheses about function variables and invariants, prove security property of template • Step 2: Instantiate function variables to cryptographic operations and prove hypotheses. • Benefit: • Proof reuse
Example Challenge-Response Template
A → B: m
B → A: n, F(B,A,n,m)
A → B: G(A,B,n,m)
• Step 1:
  • Hypotheses: Function F(B,A,n,m) can be computed only by B or A,…
  • Property: Mutual authentication
• Step 2:
  • Instantiate F() to signature, keyed hash, encryption (ISO-9798-2,3, SKID3)
  • Satisfies hypotheses => Guarantees mutual authentication
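Step 2 of the abstraction-instantiation method in symbolic form, as an added example that is not from the lecture: the template's function variables F and G are instantiated and the stated hypothesis is checked for each instance. The term encoding, the "broken" unkeyed-hash instance and applying the same hypothesis to G are assumptions made for illustration.

```python
A, B = "A", "B"

# Symbolic terms: (operator, set of principals able to compute it, payload).
def sig(signer, *payload):   # only the holder of the signing key
    return ("sig", frozenset({signer}), payload)

def enc(x, y, *payload):     # E_{K_XY}: holders of the shared key
    return ("enc", frozenset({x, y}), payload)

def mac(x, y, *payload):     # H_{K_XY}: keyed hash under the shared key
    return ("mac", frozenset({x, y}), payload)

def unkeyed_hash(*payload):  # no key involved: anyone can compute it
    return ("hash", None, payload)

INSTANCES = {  # name -> (F, G), called as F(B, A, n, m) and G(A, B, n, m)
    "ISO-9798-2": (lambda b, a, n, m: enc(a, b, n, m, b),
                   lambda a, b, n, m: enc(a, b, n, m)),
    "SKID3":      (lambda b, a, n, m: mac(a, b, n, m, b),
                   lambda a, b, n, m: mac(a, b, n, m, a)),
    "ISO-9798-3": (lambda b, a, n, m: sig(b, n, m, a),
                   lambda a, b, n, m: sig(a, n, m, b)),
    "broken":     (lambda b, a, n, m: unkeyed_hash(n, m, a),  # constructed
                   lambda a, b, n, m: unkeyed_hash(n, m, b)),
}

def instantiate(F, G):
    """The three template messages with F and G substituted."""
    return [(A, B, ("m",)),
            (B, A, ("n", F(B, A, "n", "m"))),
            (A, B, (G(A, B, "n", "m"),))]

def computable_only_by_peers(term):
    """Hypothesis from the slide: only B or A can compute the term."""
    _op, makers, _payload = term
    return makers is not None and makers <= {A, B}

def discharges_hypotheses(name):
    """True if the instance satisfies the hypothesis for both F and G."""
    F, G = INSTANCES[name]
    _msg1, msg2, msg3 = instantiate(F, G)
    return (computable_only_by_peers(msg2[2][1])
            and computable_only_by_peers(msg3[2][0]))
```

The three named instances discharge the hypothesis and inherit the template's mutual-authentication proof; the unkeyed-hash instance does not, so the template proof says nothing about it.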
Proof Structure
[Figure: proof trees for Template and Instance; labels: axiom, hypothesis, Discharge hypothesis, Proof reuse]
Abstraction-Instantiation Method(2) • Combining protocol templates If protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both. • Benefits: • Modular proofs of properties • Formalization of protocol refinements
Refinement Example Revisited
Two templates:
• Template 1: authentication + shared secret (Preserves existing properties; proof reused)
• Template 2: identity protection (encryption) (Adds new property)
Encrypt Signatures:
A → B: g^a, A
B → A: g^b, E_K{sig_B{g^a, g^b, A}}
A → B: E_K{sig_A{g^a, g^b, B}}
Summary • PCL – Logic for security protocols • Sound wrt symbolic and cryptographic models • High-level short proofs: 2-3 pages • Proof techniques • Modular/compositional proofs • Generic template-style proofs • Proofs of industrial protocols • IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2 (unpublished), Mobile IPv6 (in progress) • Implementation not done
Thanks ! Questions?
802.11i Key Management
20 msgs in 4 components:
• EAP-TLS: Certificates to Authorization (PMK)
• 4WAY Handshake: PMK to Keys for data communication
• Group key: Keys for broadcast communication
• Data protection: AES based using above keys
Modular Analysis / Composition
[Figure labels: Auth Server, Laptop, Access Point (Shared Secret-PMK)]
[HSDDM CCS’05 -> TISSEC Special Issue]