Security analysis of network protocols
This presentation is the property of its rightful owner.
Sponsored Links
1 / 46

Security Analysis of Network Protocols PowerPoint PPT Presentation


  • 70 Views
  • Uploaded on
  • Presentation posted in: General

Security Analysis of Network Protocols. Anupam Datta Stanford University UW-Madison CSD April 18, 2005. Outline. Part I: Overview Motivation Central problems Divide and Conquer paradigm Combining logic and cryptography Results Part II: Glimpses of technical machinery

Download Presentation

Security Analysis of Network Protocols

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Security analysis of network protocols

Security Analysis of Network Protocols

Anupam Datta

Stanford University

UW-Madison CSD

April 18, 2005


Outline

Outline

Part I: Overview

  • Motivation

  • Central problems

    • Divide and Conquer paradigm

    • Combining logic and cryptography

  • Results

    Part II: Glimpses of technical machinery

  • Divide and Conquer Paradigm

    • Protocol Derivation System

    • Protocol Composition Logic

  • Combining logic and cryptography

    • Complexity-theoretic foundations


This talk is about

This talk is about…

  • Industrial network protocols

    • Internet Engineering Task Force (IETF) Standards

      • SSL/TLS - web authentication

      • IPSec - corporate VPNs

      • Mobile IPv6 – routing security

      • Kerberos - network authentication

      • GDOI – secure group communication

    • IEEE Standards Working Group

      • 802.11i - wireless security

  • And methods for their security analysis

    • Security proof in some model; or

    • Identify attacks


Security analysis of network protocols

Motivating Example

[Needham-Schroeder78]

{ A, Noncea }

{ Noncea, Nonceb }

{ Nonceb}

Kb

A

B

Ka

Kb

Result: A and B share two private numbers

not known to any observer without Ka-1, Kb-1


Security analysis of network protocols

Anomaly in Needham-Schroeder

[Lowe96]

{ A, Na }

Ke

A

E

{ Na, Nb }

Ka

{ Nb }

Ke

{ A, Na }

{ Na, Nb }

Evil agent E tricks

honest A into revealing

private key Nb from B.

Kb

Ka

B

Evil E can then fool B.


Characteristics of protocols

Characteristics of protocols

  • Relatively simple distributed programs

    • 5-7 steps, 3-10 fields per message (per component)

  • Mission critical

    • Security of data, credit card numbers, …

  • Subtle

    • Concurrency: attack may combine data from many sessions

    • Computation: modeling cryptographic primitives

Good domain for logical methods

Active research area since early 80’s


Security analysis methodology

SSL

authentication

Our tool: Protocol Composition Logic (PCL)

-Complete control over network

-Perfect crypto

42 line axiomatic proof

Security Analysis Methodology

Protocol

Property

Attacker model

Analysis Tool

Security proof or attack


Classifying attacks

Classifying Attacks

  • Implementation bugs

    • Buffer overflow, format string vulnerabilities

  • Cryptography breaks

    • IEEE 802.11b (WEP encryption), GSM cell phone

  • Protocol flaws

    • Needham-Schroeder, IKE, IEEE 802.11i

  • Focus on protocol flaws assuming “strong crypto”

  • Complexity-theoretic characterization of “strong crypto”


Ieee 802 11i wireless security 2004

IEEE 802.11i wireless security [2004]

Wireless Device

Access Point

Authentication Server

802.11 Association

Uses crypto: encryption, hash,…

EAP/802.1X/RADIUS Authentication

4-way handshake

  • Divide-and-conquer paradigm

  • Combining logic and cryptography

Group key handshake

Data communication


Divide and conquer paradigm

Divide-and-Conquer paradigm

  • Result:Protocol Derivation System

    • Incremental protocol construction

  • Result:Protocol Composition Logic (PCL)

    • Compositional correctness proofs

  • Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], …

    Composition is a hard problem in security

Central Problem 1


Combining logic and cryptography

Combining logic and cryptography

  • Symbolic model [DY84]

    - Perfect cryptography assumption

    + Idealization => tools and techniques

  • Complexity-theoretic model [GM84]

    + More detailed model; probabilistic guarantees

    - Hand-proofs very hard; no automation

  • Result:Computational PCL

    + Logical proof methods

    + Complexity-theoretic crypto model

  • Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]

Central Problem 2


Security analysis of network protocols

Applied to industrial protocols

  • IEEE 802.11i authentication protocol [IEEE Standards; 2004]

    (Attack! Fix adopted by IEEE WG)

  • IKEv2 [IETF Internet Draft; 2004]

  • TLS/SSL [RFC 2246; 1999]

  • Kerberos V5 [IETF Internet Draft; 2004]

  • GDOI Secure Group Communication protocol [RFC 3547; 2003]

    (Attack! Fix adopted by IETF WG)

    Many More:

    • STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-3, NSL,…


Ipsec

Internet

IPSec

  • Widely deployed: Corporate VPNs

  • Provides secrecy and integrity

  • IKEv2 is the IPSec key exchange protocol

IP layer host-to-host security


Ikev2 ietf id 2004

IKEv2 [IETF ID 2004]

IKE_INIT (Exchange key material)

Multi-mode protocol: authenticator can use either signature or pre-shared key

I  R: HDR, SAi1, gi, Ni

R  I: HDR, SAr1, gr, Nr

IKE_AUTH (Authenticate)

I  R: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}

R  I: HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr}

  • Modular proofs

  • Multi-mode (Unified “template” proof)

  • Properties: authentication, shared secret, identity & DoSprotection, repudiability

IKE_CHILD_SA (Rekey)


Mobile ipv6 ietf id 2004

Wisconsin

Stanford

Mobile IPv6 [IETF ID 2004]

Correspondent Node

Home address

Home address

  • Change of location

  • Authentication

  • DoS issues

  • Protocol breaks if attacker controls complete network

Care of address


Gdoi rfc 3547 2003

GDOI [RFC 3547, 2003]

Public network

Group controller

  • Secure group communication

  • Composition attack

  • Fix adopted by IETF WG

Communicating in a group can be difficult…


Security analysis of network protocols

Protocol analysis spectrum

Combining logic and cryptography

Hand proofs

Computational Protocol logic

Holy Grail

High

Divide and conquer

Poly-time calculus

Multiset rewriting

Protocol logic

Spi-calculus

Strength of attacker model

Athena

Paulson

NRL

BAN logic

Low

Model checking

FDR

Murj

Low

High

Protocol complexity


Outline1

Outline

Part I: Overview

Part II: Glimpses of technical machinery

  • Divide and conquer paradigm

    • Protocol Derivation System

    • Protocol Composition Logic

  • Combining logic and cryptography

    • Complexity-theoretic foundations


Protocol derivation system

Protocol Derivation System

  • Construct protocol with properties:

    • Shared secret

    • Authenticated

    • Identity Protection

    • DoS Protection

  • Design requirements forIKE, JFK, IKEv2(IPSec key exchange protocol)


Security analysis of network protocols

Component 1

Diffie Hellman

A  B: ga

B  A: gb

  • Shared secret (with someone)

    • A deduces:

    • Knows(Y, gab) (Y = A) ۷ Knows(Y,b)

  • Authenticated

  • Identity Protection

  • DoS Protection


Security analysis of network protocols

Component 2

Challenge-Response

A  B: m, A

B  A: n, sigB {m, n, A}

A  B: sigA {m, n, B}

  • Shared secret

  • Authenticated

    • A deduces: Received (B, msg1) Λ Sent (B, msg2)

  • Identity Protection

  • DoS Protection


Security analysis of network protocols

Composition

m := ga

n := gb

ISO-9798-3

A  B: ga, A

B  A: gb, sigB {ga, gb, A}

A  B: sigA {ga, gb, B}

  • Shared secret: gab

  • Authenticated

  • Identity Protection

  • DoS Protection

Technically: sequential composition with variable substitution


Security analysis of network protocols

Refinement

Encrypt Signatures

A  B: ga, A

B  A: gb, EK {sigB {ga, gb, A}}

A  B: EK {sigA {ga, gb, B}}

  • Shared secret: gab

  • Authenticated

  • Identity Protection

  • DoS Protection

Technically: term replacement/function variable substitution


Transformation

Transformation

Use cookie:JFK core protocol

A  B: ga, A

B  A: gb, hashKB {gb, ga}

A  B: ga, gb, EK {sigA {ga, gb, B}}, hashKB {gb, ga}

B  A: gb, EK {sigB {ga, gb, A}}

  • Shared secret: gab

  • Authenticated

  • Identity Protection

  • DoS Protection

Technically: program transformation


Tool support pda

Tool Support (PDA)


Outline2

Outline

Part I: Overview

Part II: Glimpses of technical machinery

  • Divide and conquer paradigm

    • Protocol Derivation System

    • Protocol Composition Logic

  • Combining logic and cryptography

    • Complexity-theoretic foundations


Security analysis of network protocols

Challenge-Response: Proof Idea

m, A

n, sigB {m, n, A}

A

B

sigA {m, n, B}

  • Alice reasons: if Bob is honest, then:

    • only Bob can generate his signature. [protocol independent]

    • if Bob generates a signature of the form sigB {m, n, A},

      • he sends it as part of msg 2 of the protocol and

      • he must have received msg1 from Alice. [protocol specific]

  • Alicededuces:Received (B, msg1) Λ Sent (B, msg2)


Reasoning method

Reasoning method

  • Reason about local information

    • I know my own actions

  • Incorporate knowledge of protocol

    • Honest people faithfully follow protocol

  • No explicit reasoning about intruder

    • Absence of bad action expressed as a positive property of good actions

      • E.g., honest agent’s signature can be produced only by the agent

Distinguishes our method from existing techniques


Security analysis of network protocols

Formalism

  • Cord calculus

    • Protocol programming language

    • Execution model (Symbolic/“Dolev-Yao”)

  • Protocol logic

    • Expressing protocol properties

  • Proof system

    • Proving protocol properties

    • Soundness theorem


Security analysis of network protocols

Challenge-Response as Cords

m, A

n, sigB {m, n, A}

A

B

sigA {m, n, B}

RespCR(B) = [

receive Y, B, y, Y;

new n;

send B, Y, n, sigB{y, n, Y};

receive Y, B, sigY{y, n, B};

]

InitCR(A, X) = [

new m;

send A, X, m, A;

receive X, A, x, sigX{m, x, A};

send A, X, sigA{m, x, X};

]


Security analysis of network protocols

Challenge Response: Property

  • Modal form:  [ actions ]P 

    • precondition: Fresh(A,m)

    • actions: [ Initiator role actions ]A

    • postcondition:

    • Honest(B)  ActionsInOrder(

      • send(A, {A,B,m}),

      • receive(B, {A,B,m}),

      • send(B, {B,A,{n, sigB {m, n, A}}}),

      • receive(A, {B,A,{n, sigB {m, n, A}}}) )


Security analysis of network protocols

Proof System

  • Sample Axioms:

    • Reasoning about possession:

      • [receive m ]A Has(A,m)

      • Has(A, {m,n})  Has(A, m)  Has(A, n)

    • Reasoning about crypto primitives:

      • Honest(X)  Decrypt(Y, encX{m})  X=Y

      • Honest(X)  Verify(Y, sigX{m}) 

    •  m’ (Send(X, m’)  Contains(m’, sigX{m})

  • Soundness Theorem:

    • Every provable formula is valid


Security analysis of network protocols

Reasoning about Composition

  • Non-destructive Combination:

    • Ensure combined parts do not interfere

      • In logic: invariance assertions

  • Additive Combination:

    Accumulate security properties of combined parts, assuming they do not interfere

    • In logic: before-after assertions


Security analysis of network protocols

Proof steps (Intuition)

  • Protocol independent reasoning

    • Has(A, {m,n})  Has(A, m)  Has(A, n)

    • Still good: unaffected by composition

  • Protocol specific reasoning

    • “if honest Bob generates a signature of the form

    • sigB {m, n, A},

      • he sends it as part of msg 2 of the protocol and

      • he must have received msg1 from Alice”

    • Could break:Bob’s signature from one protocol could be used to attack another

  • Technically:

  • Protocol-specific proof steps use invariants

  • Invariants must be preserved for safe composition


Security analysis of network protocols

Composing protocols

 (Invariant)

’

DHHonest(X)  …

CRHonest(X)  …

’ |- Authentication

 |- Secrecy

’ |- Secrecy

’ |- Authentication

’ |- Secrecy  Authentication [additive]

DHCR’[nondestructive]

=

ISOSecrecy  Authentication

Sequential and parallel composition theorems


Security analysis of network protocols

Composition Rules

  • Invariant weakening rule

    •  |-  […]P

    •   ’ |-  […]P

  • Sequential Composition

    •  |-  [ S ] P  |-  [ T ] P 

      •  |-  [ ST ] P

  • Prove invariants from protocol

    • Q   Q’  

    • Q  Q’  

Also have proof method for class of refinements & transformations


Applications

Applications

  • IEEE 802.11i authentication protocol [IEEE Standards; 2004]

    (Attack! Fix adopted by IEEE WG)

  • IKEv2 [IETF Internet Draft; 2004]

  • TLS [RFC 2246; 1999]

  • Kerberos V5 [IETF Internet Draft; 2004]

  • GDOI Secure Group Communication protocol [RFC 3547; 2003]

    (Composition Attack! Fix adopted by IETF WG)

    Many More:

    • STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-3, NSL,…


Tool support

Tool Support

  • Isabelle Proof Assistant for PCL

    • Encode syntax and proof system of PCL into a generic theorem-prover

consts

PSend :: "[thread,CTerm] => o"

syntax

PSend :: "[threadI,CTermlist] => actformI"

("Send'(_,_')")

axioms

AA1S: "{P, X[send t], Send(X,t)}"

REC : "Receive(X,t) --> Has(X,t)"

Rule:

SEQ: "[|{P, X[S1], Q} ; {Q, X[S2], R}|]

==> {P, X[S1 ; S2], R}"


Sample proof forward reasoning

Sample proof (forward reasoning)

  • Use PCL axioms and rules to carry out proofs

  • Use Isabelle’s first-order reasoner

lemma "{P,X[new t; send t],Has(X,t) &

Send(X,t)}";

proof -;

have A: "{P,X[new t; send t],Has(X,t)}";

apply (rule G3);

apply (rule SEQ);

apply (rule AA1N);

apply (rule P1N);

apply (blast);

apply (rule ORIG);

done;


Outline3

Outline

Part I: Overview

Part II: Glimpses of technical machinery

  • Divide and conquer paradigm

    • Protocol Derivation System

    • Protocol Composition Logic

  • Combining logic and cryptography

    • Complexity-theoretic foundations


Security analysis of network protocols

Two worlds

Can we get the best of both worlds?


Our approach

Our Approach

Talk so far…

Leverage PCL success

  • Protocol Composition Logic (PCL)

  • Syntax

  • Proof System

  • Computational PCL

  • Syntax ± 

  • Proof System ± 

  • Symbolic “Dolev-Yao” model

  • Semantics

  • Complexity-theoretic model

  • Semantics

Idea: Use same logical proof methods for complexity-theoretic cryptography


Our result

Our result

  • Computational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption

  • Soundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1.

    + Symbolic proofs

    + Complexity-theoretic model

Logical methods for complexity-theoretic cryptography


Soundness of proof system

Soundness of proof system

  • Information-theoretic reasoning

    [new u]X (Y  X)  Indistinguishable(Y, u)

  • Complexity-theoretic reductions

    Source(Y,u,{m}X)  Decrypts(X,{m}X)  Honest(X,Y)  (Z  X,Y)  Indistinguishable(Z, u)

  • Asymptotic calculations

Reduction to CCA2-secure encryption scheme

  

Sum of two negligible functions is a negligible function


Summary

Summary

  • Methodology:

    • Divide-and-conquer paradigm in security

    • Combining logic and cryptography

  • Applications:

    • IEEE 802.11i (Attack! Fix adopted by IEEE WG)

    • GDOI Secure Group Communication protocol [RFC 3547; 2003]

      (Composition Attack! Fix adopted by IETF WG)

    • IKEv2 [IETF Internet Draft; 2004]

    • TLS [RFC 2246; 1999]

    • Kerberos V5 [IETF Internet Draft; 2004]


Research directions

Research Directions

  • Bring automated tools and techniques to industrial protocol design

  • Formal methods and cryptography

  • Composition of secure systems

  • Apply similar techniques to other kinds of security mechanisms

    • Web services

  • Software analysis of secure systems

    • Model-checking C code


  • Login