- 79 Views
- Uploaded on
- Presentation posted in: General

Abstraction and Refinement in Protocol Derivation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Abstraction and Refinement in Protocol Derivation

Anupam DattaAnte Derek

John C. Mitchell Dusko Pavlovic

Stanford University Kestrel Institute

CSFW June 28, 2004

- Protocol derivation
- Build security protocols by combining and refining parts from basic protocols.

- Proof of correctness
- Prove protocols correct using logic that follows steps of derivation.

- Background
- Derivation System[CSFW03]
- Compositional Logic[CSFW01,CSFW03]

- Abstraction and Refinement
- Methods
- Applications

- Conclusions and Future Work

- Construct protocol with properties:
- Shared secret
- Authenticated
- Identity Protection

- Design requirements forIKE, JFK, IKEv2(IPSec key exchange protocol)

Diffie Hellman

- Shared secret (with someone)
- A deduces:
Knows(Y, gab) (Y = A) ۷ Knows(Y,b)

- A deduces:
- Authenticated
- Identity Protection

A B: ga

B A: gb

Challenge-Response

- Shared secret
- Authenticated
- A deduces: Received (B, msg1) Λ Sent (B, msg2)

- Identity Protection

A B: m, A

B A: n, sigB {m, n, A}

A B: sigA {m, n, B}

m := ga

n := gb

ISO-9798-3

- Shared secret: gab
- Authenticated
- Identity Protection

A B: ga, A

B A: gb, sigB {ga, gb, A}

A B: sigA {ga, gb, B}

Encrypt Signatures

- Shared secret: gab
- Authenticated
- Identity Protection

A B: ga, A

B A: gb, EK {sigB {ga, gb, A}}

A B: EK {sigA {ga, gb, B}}

- Background
- Derivation System
- Compositional Logic

- Abstraction and Refinement
- Methods
- Applications

- Conclusions and Future Work

m, A

n, sigB {m, n, A}

A

B

sigA {m, n, B}

- Alice reasons: if Bob is honest, then:
- only Bob can generate his signature. [protocol independent]
- if Bob generates a signature of the form sigB {m, n, A},
- he sends it as part of msg 2 of the protocol and
- he must have received msg1 from Alice. [protocol specific]

- Alice deduces:Received (B, msg1) Λ Sent (B, msg2)

- Cord calculus
- Protocol programming language

- Protocol logic
- Expressing protocol properties

- Proof system
- Proving protocol properties

Symbolic (“Dolev-Yao”) model

Challenge-Response as Cords

m, A

n, sigB {m, n, A}

A

B

sigA {m, n, B}

RespCR(B) = [

receive Y, B, y, Y;

new n;

send B, Y, n, sigB{y, n, Y};

receive Y, B, sigY{y, n, B};

]

InitCR(A, X) = [

new m;

send A, X, m, A;

receive X, A, x, sigX{m, x, A};

send A, X, sigA{m, x, X};

]

Correctness of CR

InitCR(A, X) = [

new m;

send A, X, {m, A};

receive X, A, {x, sigX{m, x, A}};

send A, X, sigA{m, x, X}};

]

RespCR(B) = [

receive Y, B, {y, Y};

new n;

send B, Y, {n, sigB{y, n, Y}};

receive Y, B, sigY{y, n, B}};

]

CR |- [ InitCR(A, B) ] A Honest(B) ActionsInOrder(

Send(A, {A,B,m}),

Receive(B, {A,B,m}),

Send(B, {B,A,{n, sigB {m, n, A}}}),

Receive(A, {B,A,{n, sigB {m, n, A}}})

)

- Sample Axioms:
- Reasoning about possession:
- Has(A, {m}K) Has(A, K) Has(A, m)
- Has(A, {m,n}) Has(A, m) Has(A, n)

- Reasoning about crypto primitives:
- Honest(X) Decrypt(Y, encX{m}) X=Y
- Honest(X) Verify(Y, sigX{m})
m’ (Send(X, m’) Contains(m’, sigX{m})

- Reasoning about possession:
- Protocol-specific Rule:Honesty/Invariance rule
- Soundness Theorem:
Every provable formula is valid

- Background
- Derivation System
- Compositional Logic

- Abstraction and Refinement
- Methods
- Applications

- Conclusions and Future Work

- Protocols with function variables instead of specific cryptographic operations
- Idea: One template can be instantiated to many protocols
- Advantages:
- proof reuse
- design principles/patterns

Challenge-Response Template

A B: m

B A: n, F(B,A,n,m)

A B: G(A,B,n,m)

Abstraction

A B: m

B A: n,EKAB(n,m,B)

A B: EKAB(n,m)

A B: m

B A: n,HKAB(n,m,B)

A B: HKAB(n,m,A)

A B: m

B A: n, sigB(n,m,A)

A B: sigA(n,m,B)

ISO-9798-2

SKID3

ISO-9798-3

Instantiations

- Language Extensions: Add function variables to term language for cords and logic (HOL)
- Semantics:Q |= φ σQ |= σφ, for all substitutions σ eliminating all function variables
- Soundness Theorem: Every provable formula is valid

- Characterizing protocol concepts
- Step 1: Under hypotheses about function variables and invariants, prove security property of template
- Step 2: Instantiate function variables to cryptographic operations and prove hypotheses.

- Benefit:
- Proof reuse

Challenge-Response Template

A B: m

B A: n, F(B,A,n,m)

A B: G(A,B,n,m)

- Step 1:
- Hypotheses: Function F(B,A,n,m) can be computed only by B or A,…
- Property: Mutual authentication

- Step 2:
- Instantiate F() to signature, keyed hash, encryption (ISO-9798-2,3, SKID3)
- Satisfies hypotheses => Guarantees mutual authentication

Discharge hypothesis

axiom

hypothesis

Proof reuse

Instance

Template

- Combining protocol templates
If protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both.

- Benefits:
- Modular proofs of properties
- Formalization of protocol refinements

Encrypt Signatures

Two templates:

- Template 1: authentication + shared secret
(Preserves existing properties; proof reused)

- Template 2: identity protection (encryption)
(Adds new property)

A B: ga, A

B A: gb, EK {sigB {ga, gb, A}}

A B: EK {sigA {ga, gb, B}}

Authenticated key exchange

AKE1

AKE2

A B: ga, A

B A: gb, F(B,A,gb,ga)

A B: G(A,B,ga,gb)

A B: ga

B A: gb, F(B,gb,ga), F’(B,gab)

A B: G(A,ga, gb), G’(A,gab)

ISO-9798-3, JFKi

STS, JFKr, IKEv2, SIGMA

- Shared secret
- Stronger authentication
- Identity protection for B
- Non-repudiation

- Shared secret
- Weaker authentication
- Identity protection for A
- Repudiability

H. Krawczyk: The Cryptography of the IPSec and IKE Protocols [CRYPTO’03]

- Authenticated Key Exchange:
- Template for JFKr, STS, IKE, IKEv2

- Key Computation:
- Template for Diffie-Hellman, UM, MTI/A, MQV

- Combining these templates

protect

identities

symmetric

hash

STSPH

DH

STSP

RFK

STS

authenticate

cookie

MTI/A

MTIC

MTIRFK

MTICPH

MTICP

key

conf.

UM

UMC

UMCPH

UMRFK

UMCP

MQV

MQVRFK

MQVCPH

MQVC

MQVCP

- Abstraction-Instantiation using protocol templates:
- Single proof for similar protocols from common template
- Multiple protocol properties from different templates

- Logical foundation:
- Add function variables to protocol language and logic

- Applications:
- CR template: ISO-9798-2,3, SKID3
- Identity protection refinement in JFK
- Design principles: IKEv2, JFKi, JFKr, ISO, STS, SIGMA, IKE
- Synthesis: DH-MQV + STS-JFKr

- Done:
- Derivation idea successfully applied to large set of protocol examples
- Rigorous treatment of composition, refinement in protocol logic

- Work In Progress:
- Tool support for derivation system and logic
- Formalization of protocol transformations
- More applications