Security Analysis of Network Protocols


Anupam Datta

Stanford University

UW-Madison CSD

April 18, 2005

Part I: Overview

- Motivation
- Central problems
- Divide and Conquer paradigm
- Combining logic and cryptography

- Results

Part II: Glimpses of technical machinery

- Divide and Conquer Paradigm
- Protocol Derivation System
- Protocol Composition Logic

- Combining logic and cryptography
- Complexity-theoretic foundations

- Industrial network protocols
- Internet Engineering Task Force (IETF) Standards
- SSL/TLS - web authentication
- IPSec - corporate VPNs
- Mobile IPv6 – routing security
- Kerberos - network authentication
- GDOI – secure group communication

- IEEE Standards Working Group
- 802.11i - wireless security

- And methods for their security analysis
- Security proof in some model; or
- Identify attacks

Motivating Example

[Needham-Schroeder78]

A → B: { A, Nonce_a }Kb

B → A: { Nonce_a, Nonce_b }Ka

A → B: { Nonce_b }Kb

Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1

Anomaly in Needham-Schroeder

[Lowe96]

A → E: { A, Na }Ke

E → B: { A, Na }Kb

B → E: { Na, Nb }Ka

E → A: { Na, Nb }Ka

A → E: { Nb }Ke

Evil agent E tricks honest A into revealing private key Nb from B.

Evil E can then fool B.
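The run above can be replayed in a small symbolic model. This is an added example, not part of the original slides: `enc`, `dec` and `run_session` are hypothetical names, and the `fixed=True` variant follows Lowe's published repair (responder identity added to message 2), which the slides only refer to by the name NSL.

```python
# Symbolic (Dolev-Yao style) model: a ciphertext is a tagged tuple that only
# the key owner can open. Agent names and nonces are constructed sample values.

def enc(owner, *fields):
    return ("enc", owner, fields)

def dec(agent, ct):
    _, owner, fields = ct
    if owner != agent:
        raise PermissionError(f"{agent} lacks the private key of {owner}")
    return fields

def run_session(fixed):
    """A opens a session with E, who relays to B.
    Returns (e_learns_nb, b_completes_run_as_a, a_aborts)."""
    na, nb, e_knows = "Na", "Nb", set()

    # A -> E: {A, Na}Ke. A really does intend to talk to E.
    sender, n = dec("E", enc("E", "A", na))
    e_knows.add(n)
    # E -> B: {A, Na}Kb. Same fields re-encrypted for B.
    claimed, n_recv = dec("B", enc("B", sender, n))

    # B -> A: {Na, Nb}Ka, or {Na, Nb, B}Ka in the repaired variant.
    m2 = enc(claimed, n_recv, nb, "B") if fixed else enc(claimed, n_recv, nb)
    try:
        dec("E", m2)              # E cannot read it ...
    except PermissionError:
        pass                      # ... and can only forward it to A unchanged
    fields = dec("A", m2)

    # A checks its own nonce; the repaired variant also compares the
    # responder name in the message with the peer A chose (E).
    if fields[0] != na or (fixed and fields[2] != "E"):
        return (nb in e_knows, False, True)

    # A -> E: {Nb}Ke. A's honest reply hands Nb to E.
    (leaked,) = dec("E", enc("E", fields[1]))
    e_knows.add(leaked)
    # E -> B: {Nb}Kb. B sees the nonce it issued and believes A answered.
    (final,) = dec("B", enc("B", leaked))
    return (nb in e_knows, final == nb, False)
```

With the original message 2, A has nothing to tie the reply to its chosen peer; with the responder name inside the ciphertext, A aborts before Nb leaves its hands.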

- Relatively simple distributed programs
- 5-7 steps, 3-10 fields per message (per component)

- Mission critical
- Security of data, credit card numbers, …

- Subtle
- Concurrency: attack may combine data from many sessions
- Computation: modeling cryptographic primitives

Good domain for logical methods

Active research area since early 80’s

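[Diagram: Protocol, Property, Attacker model → Analysis Tool → Security proof or attack]

- Protocol: SSL
- Property: authentication
- Attacker model: complete control over network; perfect crypto
- Analysis Tool: our tool, Protocol Composition Logic (PCL)
- Security proof or attack: 42 line axiomatic proof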

- Implementation bugs
- Buffer overflow, format string vulnerabilities

- Cryptography breaks
- IEEE 802.11b (WEP encryption), GSM cell phone

- Protocol flaws
- Needham-Schroeder, IKE, IEEE 802.11i

- Focus on protocol flaws assuming “strong crypto”
- Complexity-theoretic characterization of “strong crypto”

[Diagram: Wireless Device, Access Point, Authentication Server]

- 802.11 Association
- EAP/802.1X/RADIUS Authentication
- 4-way handshake
- Group key handshake
- Data communication

Uses crypto: encryption, hash,…

- Divide-and-conquer paradigm
- Combining logic and cryptography

- Result: Protocol Derivation System
- Incremental protocol construction

- Result: Protocol Composition Logic (PCL)
- Compositional correctness proofs

- Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], …

Composition is a hard problem in security

Central Problem 1

- Symbolic model [DY84]
- Perfect cryptography assumption

+ Idealization => tools and techniques

- Complexity-theoretic model [GM84]
+ More detailed model; probabilistic guarantees

- Hand-proofs very hard; no automation

- Result: Computational PCL
+ Logical proof methods

+ Complexity-theoretic crypto model

- Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]

Central Problem 2

Applied to industrial protocols

- IEEE 802.11i authentication protocol [IEEE Standards; 2004]
(Attack! Fix adopted by IEEE WG)

- IKEv2 [IETF Internet Draft; 2004]
- TLS/SSL [RFC 2246; 1999]
- Kerberos V5 [IETF Internet Draft; 2004]
- GDOI Secure Group Communication protocol [RFC 3547; 2003]
(Attack! Fix adopted by IETF WG)

Many More:

- STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-3, NSL,…

Internet

- Widely deployed: Corporate VPNs
- Provides secrecy and integrity
- IKEv2 is the IPSec key exchange protocol

IP layer host-to-host security

IKE_INIT (Exchange key material)

Multi-mode protocol: authenticator can use either signature or pre-shared key

I → R: HDR, SAi1, g^i, Ni

R → I: HDR, SAr1, g^r, Nr

IKE_AUTH (Authenticate)

I → R: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}

R → I: HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr}

- Modular proofs
- Multi-mode (Unified “template” proof)
- Properties: authentication, shared secret, identity & DoS protection, repudiability

IKE_CHILD_SA (Rekey)

[Diagram labels: Wisconsin, Stanford, Correspondent Node, Home address, Care of address, Public network]

- Change of location
- Authentication
- DoS issues
- Protocol breaks if attacker controls complete network

Group controller

- Secure group communication
- Composition attack
- Fix adopted by IETF WG

Communicating in a group can be difficult…

Protocol analysis spectrum

[Figure: approaches plotted by protocol complexity (horizontal axis, Low to High) against strength of attacker model (vertical axis, Low to High). Labels: Hand proofs, Computational Protocol logic, Holy Grail, Poly-time calculus, Multiset rewriting, Protocol logic, Spi-calculus, Athena, Paulson, NRL, BAN logic, Model checking, FDR, Murφ. Annotations: Combining logic and cryptography; Divide and conquer.]

- Construct protocol with properties:
- Shared secret
- Authenticated
- Identity Protection
- DoS Protection

- Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)

Component 1

Diffie Hellman

A → B: g^a

B → A: g^b

- Shared secret (with someone)
- A deduces:
- Knows(Y, g^ab) (Y = A) ∨ Knows(Y,b)

- Authenticated
- Identity Protection
- DoS Protection

Component 2

Challenge-Response

A → B: m, A

B → A: n, sigB {m, n, A}

A → B: sigA {m, n, B}

- Shared secret
- Authenticated
- A deduces: Received (B, msg1) ∧ Sent (B, msg2)

- Identity Protection
- DoS Protection

Composition

m := g^a

n := g^b

ISO-9798-3

A → B: g^a, A

B → A: g^b, sigB {g^a, g^b, A}

A → B: sigA {g^a, g^b, B}

- Shared secret: g^ab
- Authenticated
- Identity Protection
- DoS Protection

Technically: sequential composition with variable substitution

Refinement

Encrypt Signatures

A → B: g^a, A

B → A: g^b, EK {sigB {g^a, g^b, A}}

A → B: EK {sigA {g^a, g^b, B}}

- Shared secret: g^ab
- Authenticated
- Identity Protection
- DoS Protection

Technically: term replacement/function variable substitution

Use cookie: JFK core protocol

A → B: g^a, A

B → A: g^b, hashKB {g^b, g^a}

A → B: g^a, g^b, EK {sigA {g^a, g^b, B}}, hashKB {g^b, g^a}

B → A: g^b, EK {sigB {g^a, g^b, A}}

- Shared secret: g^ab
- Authenticated
- Identity Protection
- DoS Protection

Technically: program transformation
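The cookie step above, as an added sketch that is not code from the slides or from the JFK specification: the responder keeps no per-initiator state after message 1 and recomputes hashKB{g^b, g^a} before doing any expensive work on message 3. The `Responder` class, the toy group and the reuse of g^b across requests are assumptions of this example; encryption and signatures are left out.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime modulus constructed for this example; far too small for real use
G = 3

class Responder:
    """Responder B: no per-initiator state until the cookie checks out."""
    def __init__(self):
        self.kb = secrets.token_bytes(32)      # B's local cookie key (KB on the slide)
        self.b = secrets.randbelow(P - 2) + 1
        self.gb = pow(G, self.b, P)            # assumed reused, so msg 2 costs one HMAC
        self.sessions = {}                     # filled only after a valid msg 3
        self.expensive_ops = 0

    def _cookie(self, ga):
        data = self.gb.to_bytes(16, "big") + ga.to_bytes(16, "big")
        return hmac.new(self.kb, data, hashlib.sha256).digest()

    def on_msg1(self, ga):
        # B -> A: g^b, hashKB{g^b, g^a}; nothing about this initiator is stored
        return self.gb, self._cookie(ga)

    def on_msg3(self, ga, gb, cookie):
        # Cheap check first: recompute the cookie, compare in constant time
        if gb != self.gb or not hmac.compare_digest(cookie, self._cookie(ga)):
            return False
        # Only now pay for the exponentiation (signature checks omitted)
        self.expensive_ops += 1
        self.sessions[ga] = pow(ga, self.b, P)
        return True

def demo():
    b = Responder()
    a = secrets.randbelow(P - 2) + 1
    ga = pow(G, a, P)
    gb, cookie = b.on_msg1(ga)
    state_after_msg1 = len(b.sessions)
    forged = b.on_msg3(ga, gb, bytes(32))      # msg 3 carrying a made-up cookie
    ops_after_forgery = b.expensive_ops
    ok = b.on_msg3(ga, gb, cookie)             # honest msg 3 echoes B's cookie
    shared_match = b.sessions[ga] == pow(gb, a, P)
    return state_after_msg1, forged, ops_after_forgery, ok, shared_match
```

A flood of message 1 requests costs B one HMAC each and no memory; a message 3 that does not echo a cookie B issued is dropped before any exponentiation.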

Challenge-Response: Proof Idea

A → B: m, A

B → A: n, sigB {m, n, A}

A → B: sigA {m, n, B}

- Alice reasons: if Bob is honest, then:
- only Bob can generate his signature. [protocol independent]
- if Bob generates a signature of the form sigB {m, n, A},
- he sends it as part of msg 2 of the protocol and
- he must have received msg1 from Alice. [protocol specific]

- Alice deduces: Received (B, msg1) ∧ Sent (B, msg2)

- Reason about local information
- I know my own actions

- Incorporate knowledge of protocol
- Honest people faithfully follow protocol

- No explicit reasoning about intruder
- Absence of bad action expressed as a positive property of good actions
- E.g., honest agent’s signature can be produced only by the agent


Distinguishes our method from existing techniques

Formalism

- Cord calculus
- Protocol programming language
- Execution model (Symbolic/“Dolev-Yao”)

- Protocol logic
- Expressing protocol properties

- Proof system
- Proving protocol properties
- Soundness theorem

Challenge-Response as Cords

A → B: m, A

B → A: n, sigB {m, n, A}

A → B: sigA {m, n, B}

    RespCR(B) = [
        receive Y, B, y, Y;
        new n;
        send B, Y, n, sigB{y, n, Y};
        receive Y, B, sigY{y, n, B};
    ]

    InitCR(A, X) = [
        new m;
        send A, X, m, A;
        receive X, A, x, sigX{m, x, A};
        send A, X, sigA{m, x, X};
    ]

Challenge Response: Property

- Modal form: [ actions ]P
- precondition: Fresh(A,m)
- actions: [ Initiator role actions ]A
- postcondition:

    Honest(B) ActionsInOrder(
        send(A, {A,B,m}),
        receive(B, {A,B,m}),
        send(B, {B,A,{n, sigB {m, n, A}}}),
        receive(A, {B,A,{n, sigB {m, n, A}}}) )

Proof System

- Sample Axioms:
- Reasoning about possession:
- [receive m ]A Has(A,m)
- Has(A, {m,n}) Has(A, m) Has(A, n)

- Reasoning about crypto primitives:
- Honest(X) Decrypt(Y, encX{m}) X=Y
- Honest(X) Verify(Y, sigX{m}) m’ (Send(X, m’) Contains(m’, sigX{m}))

- Soundness Theorem:
- Every provable formula is valid

Reasoning about Composition

- Non-destructive Combination:
- Ensure combined parts do not interfere
- In logic: invariance assertions

- Additive Combination:
- Accumulate security properties of combined parts, assuming they do not interfere
- In logic: before-after assertions

Proof steps (Intuition)

- Protocol independent reasoning
- Has(A, {m,n}) Has(A, m) Has(A, n)
- Still good: unaffected by composition

- Protocol specific reasoning
- “if honest Bob generates a signature of the form sigB {m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice”
- Could break: Bob’s signature from one protocol could be used to attack another

- Technically:
- Protocol-specific proof steps use invariants
- Invariants must be preserved for safe composition

Composing protocols

(Invariant)

’

DHHonest(X) …

CRHonest(X) …

’ |- Authentication

|- Secrecy

’ |- Secrecy

’ |- Authentication

’ |- Secrecy Authentication [additive]

DHCR’[nondestructive]

=

ISOSecrecy Authentication

Sequential and parallel composition theorems

Composition Rules

- Invariant weakening rule
- |- […]P
- ’ |- […]P

- Sequential Composition
- |- [ S ] P |- [ T ] P
- |- [ ST ] P

- Prove invariants from protocol
- Q Q’

Also have proof method for class of refinements & transformations

- IEEE 802.11i authentication protocol [IEEE Standards; 2004]
(Attack! Fix adopted by IEEE WG)

- IKEv2 [IETF Internet Draft; 2004]
- TLS [RFC 2246; 1999]
- Kerberos V5 [IETF Internet Draft; 2004]
- GDOI Secure Group Communication protocol [RFC 3547; 2003]
(Composition Attack! Fix adopted by IETF WG)

Many More:

- STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-3, NSL,…

- Isabelle Proof Assistant for PCL
- Encode syntax and proof system of PCL into a generic theorem-prover

    consts
      PSend :: "[thread,CTerm] => o"

    syntax
      PSend :: "[threadI,CTermlist] => actformI" ("Send'(_,_')")

    axioms
      AA1S: "{P, X[send t], Send(X,t)}"
      REC : "Receive(X,t) --> Has(X,t)"

Rule:

    SEQ: "[|{P, X[S1], Q} ; {Q, X[S2], R}|]
          ==> {P, X[S1 ; S2], R}"

- Use PCL axioms and rules to carry out proofs
- Use Isabelle’s first-order reasoner

    lemma "{P,X[new t; send t],Has(X,t) &
             Send(X,t)}";
    proof -;
      have A: "{P,X[new t; send t],Has(X,t)}";
        apply (rule G3);
        apply (rule SEQ);
        apply (rule AA1N);
        apply (rule P1N);
        apply (blast);
        apply (rule ORIG);
      done;

Two worlds

Can we get the best of both worlds?

Talk so far…

Leverage PCL success

- Protocol Composition Logic (PCL)
- Syntax
- Proof System

- Computational PCL
- Syntax ±
- Proof System ±

- Symbolic “Dolev-Yao” model
- Semantics

- Complexity-theoretic model
- Semantics

Idea: Use same logical proof methods for complexity-theoretic cryptography

- Computational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption
- Soundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1.
+ Symbolic proofs

+ Complexity-theoretic model

Logical methods for complexity-theoretic cryptography

- Information-theoretic reasoning
[new u]X (Y X) Indistinguishable(Y, u)

- Complexity-theoretic reductions
Source(Y,u,{m}X) Decrypts(X,{m}X) Honest(X,Y) (Z X,Y) Indistinguishable(Z, u)

- Asymptotic calculations

Reduction to CCA2-secure encryption scheme

Sum of two negligible functions is a negligible function

- Methodology:
- Divide-and-conquer paradigm in security
- Combining logic and cryptography

- Applications:
- IEEE 802.11i (Attack! Fix adopted by IEEE WG)
- GDOI Secure Group Communication protocol [RFC 3547; 2003]
(Composition Attack! Fix adopted by IETF WG)

- IKEv2 [IETF Internet Draft; 2004]
- TLS [RFC 2246; 1999]
- Kerberos V5 [IETF Internet Draft; 2004]

- Bring automated tools and techniques to industrial protocol design
- Formal methods and cryptography
- Composition of secure systems
- Apply similar techniques to other kinds of security mechanisms
- Web services

- Software analysis of secure systems
- Model-checking C code