Abstraction and refinement in protocol derivation
This presentation is the property of its rightful owner.
Sponsored Links
1 / 28

Abstraction and Refinement in Protocol Derivation PowerPoint PPT Presentation


  • 68 Views
  • Uploaded on
  • Presentation posted in: General

Abstraction and Refinement in Protocol Derivation. Anupam Datta Ante Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June 28, 2004. Project Goals. Protocol derivation Build security protocols by combining and refining parts from basic protocols.

Download Presentation

Abstraction and Refinement in Protocol Derivation

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Abstraction and refinement in protocol derivation

Abstraction and Refinement in Protocol Derivation

Anupam DattaAnte Derek

John C. Mitchell Dusko Pavlovic

Stanford University Kestrel Institute

CSFW June 28, 2004


Project goals

Project Goals

  • Protocol derivation

    • Build security protocols by combining and refining parts from basic protocols.

  • Proof of correctness

    • Prove protocols correct using logic that follows steps of derivation.


Outline

Outline

  • Background

    • Derivation System[CSFW03]

    • Compositional Logic[CSFW01,CSFW03]

  • Abstraction and Refinement

    • Methods

    • Applications

  • Conclusions and Future Work


Example

Example

  • Construct protocol with properties:

    • Shared secret

    • Authenticated

    • Identity Protection

  • Design requirements forIKE, JFK, IKEv2(IPSec key exchange protocol)


Component 1

Component 1

Diffie Hellman

  • Shared secret (with someone)

    • A deduces:

      Knows(Y, gab) (Y = A) ۷ Knows(Y,b)

  • Authenticated

  • Identity Protection

A  B: ga

B  A: gb


Component 2

Component 2

Challenge-Response

  • Shared secret

  • Authenticated

    • A deduces: Received (B, msg1) Λ Sent (B, msg2)

  • Identity Protection

A  B: m, A

B  A: n, sigB {m, n, A}

A  B: sigA {m, n, B}


Composition

Composition

m := ga

n := gb

ISO-9798-3

  • Shared secret: gab

  • Authenticated

  • Identity Protection

A  B: ga, A

B  A: gb, sigB {ga, gb, A}

A  B: sigA {ga, gb, B}


Refinement

Refinement

Encrypt Signatures

  • Shared secret: gab

  • Authenticated

  • Identity Protection

A  B: ga, A

B  A: gb, EK {sigB {ga, gb, A}}

A  B: EK {sigA {ga, gb, B}}


Outline1

Outline

  • Background

    • Derivation System

    • Compositional Logic

  • Abstraction and Refinement

    • Methods

    • Applications

  • Conclusions and Future Work


Challenge response proof idea

Challenge-Response: Proof Idea

m, A

n, sigB {m, n, A}

A

B

sigA {m, n, B}

  • Alice reasons: if Bob is honest, then:

    • only Bob can generate his signature. [protocol independent]

    • if Bob generates a signature of the form sigB {m, n, A},

      • he sends it as part of msg 2 of the protocol and

      • he must have received msg1 from Alice. [protocol specific]

  • Alice deduces:Received (B, msg1) Λ Sent (B, msg2)


Formalism

Formalism

  • Cord calculus

    • Protocol programming language

  • Protocol logic

    • Expressing protocol properties

  • Proof system

    • Proving protocol properties

Symbolic (“Dolev-Yao”) model


Abstraction and refinement in protocol derivation

Challenge-Response as Cords

m, A

n, sigB {m, n, A}

A

B

sigA {m, n, B}

RespCR(B) = [

receive Y, B, y, Y;

new n;

send B, Y, n, sigB{y, n, Y};

receive Y, B, sigY{y, n, B};

]

InitCR(A, X) = [

new m;

send A, X, m, A;

receive X, A, x, sigX{m, x, A};

send A, X, sigA{m, x, X};

]


Abstraction and refinement in protocol derivation

Correctness of CR

InitCR(A, X) = [

new m;

send A, X, {m, A};

receive X, A, {x, sigX{m, x, A}};

send A, X, sigA{m, x, X}};

]

RespCR(B) = [

receive Y, B, {y, Y};

new n;

send B, Y, {n, sigB{y, n, Y}};

receive Y, B, sigY{y, n, B}};

]

CR |- [ InitCR(A, B) ] A Honest(B)  ActionsInOrder(

Send(A, {A,B,m}),

Receive(B, {A,B,m}),

Send(B, {B,A,{n, sigB {m, n, A}}}),

Receive(A, {B,A,{n, sigB {m, n, A}}})

)


Proof system

Proof System

  • Sample Axioms:

    • Reasoning about possession:

      • Has(A, {m}K)  Has(A, K)  Has(A, m)

      • Has(A, {m,n})  Has(A, m)  Has(A, n)

    • Reasoning about crypto primitives:

      • Honest(X)  Decrypt(Y, encX{m})  X=Y

      • Honest(X)  Verify(Y, sigX{m}) 

         m’ (Send(X, m’)  Contains(m’, sigX{m})

  • Protocol-specific Rule:Honesty/Invariance rule

  • Soundness Theorem:

    Every provable formula is valid


Outline2

Outline

  • Background

    • Derivation System

    • Compositional Logic

  • Abstraction and Refinement

    • Methods

    • Applications

  • Conclusions and Future Work


Protocol templates

Protocol Templates

  • Protocols with function variables instead of specific cryptographic operations

  • Idea: One template can be instantiated to many protocols

  • Advantages:

    • proof reuse

    • design principles/patterns


Example1

Example

Challenge-Response Template

A  B: m

B  A: n, F(B,A,n,m)

A  B: G(A,B,n,m)

Abstraction

A  B: m

B  A: n,EKAB(n,m,B)

A  B: EKAB(n,m)

A  B: m

B  A: n,HKAB(n,m,B)

A  B: HKAB(n,m,A)

A  B: m

B  A: n, sigB(n,m,A)

A  B: sigA(n,m,B)

ISO-9798-2

SKID3

ISO-9798-3

Instantiations


Extending formalism

Extending Formalism

  • Language Extensions: Add function variables to term language for cords and logic (HOL)

  • Semantics:Q |= φ  σQ |= σφ, for all substitutions σ eliminating all function variables

  • Soundness Theorem: Every provable formula is valid


Abstraction instantiation method 1

Abstraction-Instantiation Method(1)

  • Characterizing protocol concepts

    • Step 1: Under hypotheses about function variables and invariants, prove security property of template

    • Step 2: Instantiate function variables to cryptographic operations and prove hypotheses.

  • Benefit:

    • Proof reuse


Example2

Example

Challenge-Response Template

A  B: m

B  A: n, F(B,A,n,m)

A  B: G(A,B,n,m)

  • Step 1:

    • Hypotheses: Function F(B,A,n,m) can be computed only by B or A,…

    • Property: Mutual authentication

  • Step 2:

    • Instantiate F() to signature, keyed hash, encryption (ISO-9798-2,3, SKID3)

    • Satisfies hypotheses => Guarantees mutual authentication


Proof structure

Proof Structure

Discharge hypothesis

axiom

hypothesis

Proof reuse

Instance

Template


Abstraction instantiation method 2

Abstraction-Instantiation Method(2)

  • Combining protocol templates

    If protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both.

  • Benefits:

    • Modular proofs of properties

    • Formalization of protocol refinements


Refinement example revisited

Refinement Example Revisited

Encrypt Signatures

Two templates:

  • Template 1: authentication + shared secret

    (Preserves existing properties; proof reused)

  • Template 2: identity protection (encryption)

    (Adds new property)

A  B: ga, A

B  A: gb, EK {sigB {ga, gb, A}}

A  B: EK {sigA {ga, gb, B}}


Abstraction and refinement in protocol derivation

Authenticated key exchange

AKE1

AKE2

A  B: ga, A

B  A: gb, F(B,A,gb,ga)

A  B: G(A,B,ga,gb)

A  B: ga

B  A: gb, F(B,gb,ga), F’(B,gab)

A  B: G(A,ga, gb), G’(A,gab)

ISO-9798-3, JFKi

STS, JFKr, IKEv2, SIGMA

  • Shared secret

  • Stronger authentication

  • Identity protection for B

  • Non-repudiation

  • Shared secret

  • Weaker authentication

  • Identity protection for A

  • Repudiability

H. Krawczyk: The Cryptography of the IPSec and IKE Protocols [CRYPTO’03]


More examples

More examples…

  • Authenticated Key Exchange:

    • Template for JFKr, STS, IKE, IKEv2

  • Key Computation:

    • Template for Diffie-Hellman, UM, MTI/A, MQV

  • Combining these templates


Synthesis sts mqv

Synthesis: STS-MQV

protect

identities

symmetric

hash

STSPH

DH

STSP

RFK

STS

authenticate

cookie

MTI/A

MTIC

MTIRFK

MTICPH

MTICP

key

conf.

UM

UMC

UMCPH

UMRFK

UMCP

MQV

MQVRFK

MQVCPH

MQVC

MQVCP


Conclusions

Conclusions

  • Abstraction-Instantiation using protocol templates:

    • Single proof for similar protocols from common template

    • Multiple protocol properties from different templates

  • Logical foundation:

    • Add function variables to protocol language and logic

  • Applications:

    • CR template: ISO-9798-2,3, SKID3

    • Identity protection refinement in JFK

    • Design principles: IKEv2, JFKi, JFKr, ISO, STS, SIGMA, IKE

    • Synthesis: DH-MQV + STS-JFKr


Future work

Future Work

  • Done:

    • Derivation idea successfully applied to large set of protocol examples

    • Rigorous treatment of composition, refinement in protocol logic

  • Work In Progress:

    • Tool support for derivation system and logic

    • Formalization of protocol transformations

    • More applications


  • Login