Loading in 2 Seconds...

Security Analysis of Network Protocols: Logical and Computational Methods

Loading in 2 Seconds...

- 96 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' Security Analysis of Network Protocols: Logical and Computational Methods' - philip-bennett

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Security Analysis of Network Protocols: Logical and Computational Methods

John Mitchell

Stanford University

ICALP and PPDP, 2005

Outline

- Protocols
- Some examples, some intuition
- Symbolic analysis of protocol security
- Models, results, tools
- Computational analysis
- Communicating Turing machines, composability
- Combining symbolic, computational analysis
- Some alternate approaches
- Protocol Composition Logic (PCL)
- Symbolic and computational semantics

Many Protocols

- Authentication
- Kerberos
- Key Exchange
- SSL/TLS handshake, IKE, JFK, IKEv2,
- Wireless and mobile computing
- Mobile IP, WEP, 802.11i
- Electronic commerce
- Contract signing, SET, electronic cash, …

Mobile IPv6 Architecture

- Authentication is a requirement
- Early proposals weak

Mobile Node (MN)

Direct connection via binding update

Corresponding Node (CN)

Home Agent (HA)

EAP/802.1X/RADIUS Authentication

Data Communication

802.11i Wireless AuthenticationSupplicant

UnAuth/UnAssoc

802.1X Blocked

No Key

Supplicant

Auth/Assoc

802.1X UnBlocked

PTK/GTK

802.11 Association

MSK

4-Way Handshake

Group Key Handshake

m2

IKE subprotocol from IPSECA, (ga mod p)

B, (gb mod p)

, signB(m1,m2)

signA(m1,m2)

A

B

Result: A and B share secret gab mod p

Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks

Needham-Schroeder Protocol

{A, NonceA}

{NonceA, NonceB }

{ NonceB}

Kb

A

B

Ka

Kb

Result: A and B share two private numbers

not known to any observer without Ka-1, Kb-1

Anomaly in Needham-Schroeder

[Lowe]

{ A, Na }

Ke

A

E

{ Na, Nb }

Ka

{ Nb }

Ke

{ A, Na }

{ Na, Nb }

Evil agent E tricks

honest A into revealing

private key Nb from B.

Kb

Ka

B

Evil E can then fool B.

Protocol analysis methods

- Cryptographic reductions
- Bellare-Rogaway, Shoup, many others
- UC [Canetti et al], Simulatability [BPW]
- Prob poly-time process calculus [LMRST…]
- Symbolic methods
- Model checking
- FDR [Lowe, Roscoe, …], Murphi [M, Shmatikov, …],
- Symbolic search
- NRL protocol analyzer [Meadows]
- Theorem proving
- Isabelle [Paulson …], Specialized logics [BAN, …]

See papers in PPDP, ICALP proceedings for references

“The” Symbolic Model

- Messages are algebraic expressions
- Nonce, Encrypt(K,M), Sign(K,M), …
- Adversary
- Nondeterministic
- Observe, store, direct all communication
- Break messages into parts
- Encrypt, decrypt, sign only if it has the key
- Example: K1, Encrypt(K1, “hi”)

K1, Encrypt(K1, “hi”) “hi”

- Send messages derivable from stored parts

Many formulations

- Word problems [Dolev-Yao, Dolev-Even-Karp, …]
- Each protocol step is symbolic function from input message to output message; cancellation law dkekx = x
- Rewrite systems [CDLMS]
- Each protocol step is symbolic function from state and input message to state and output message
- Logic programming [Meadows NRL Analyzer]
- Each protocol step can be defined by logical clauses
- Resolution used to perform reachability search
- Constraint solving [Amadio-Lugiez, … ]
- Write set constraints defining messages known at step i
- Strand space model [MITRE]
- Partial order (Lamport causality), reasoning methods
- Process calculus [CSP, Spi-calculus, applied , …)
- Each protocol step is process that reads, writes on channel
- Spi-calculus: use for new values, private channels, simulate crypto

Complexity results (see [Cortier et al])

Additional results for variants of basic model (AC, xor, modular exp, …)

Many protocol case studies

- Murphi [Shmatikov, He, …]
- SSL, Contract signing, 802.11i, …
- Meadows NRL tool
- Participation in IETF, IEEE standards
- Many important examples
- Paulson inductive method; Scedrov et al
- Kerberos, SSL, SET, many more
- Protocol logic
- BAN logic and successors (GNY, SvO, …)
- DDMP …

Computational model I

“Alice”

“Bob”

oracle tape

oracle tape

Adversary

input tape

work tape

[Bellare-Rogaway, Shoup, …]

Computational security: encryption

- Passive adversary
- Semantic security
- Chosen ciphertext attacks (CCA1)
- Adversary can ask for decryption before receiving a challenge ciphertext
- Chosen ciphertext attacks (CCA2)
- Adversary can ask for decryption before and after receiving a challenge ciphertext

input

input

P2

P1

S

A

P4

attacker

P3

simulator

F

output

Ideal functionality

output

Z

Slide: R Canetti

Protocol execution

Protocol security

P2

P1

P4

P3

adversary A

there exists an

adversary S

Protocol

interaction

Trusted party

Slide: Y Lindell

Universal composabilityalso “reactive simulatability” [BPW], … see [DKMRS]

REAL

IDEAL

Some relevant approaches

- Simulation framework
- Backes, Pfitzmann, Waidner
- Correspondence theorems
- Micciancio, Warinschi
- Kapron-Impagliazzo logics
- Abadi-Rogaway passive equivalence

(K2,{01}K3) , {({101}K2,K5 )}K2, {{K6}K4}K5

(K2, ) , {({101}K2,K5 )}K2, { }K5

(K1, ) , {({101}K1,K5 )}K1, { }K5

(K1,{K1}K7) , {({101}K1,K5 )}K1, {{K6}K7}K5

Proposed as start of larger plan for computational soundness

…

…

[Abadi-Rogaway00, …, Adao-Bana-Scedrov05]

Symbolic methods comp’l results

- Pereira and Quisquater, CSFW 2001, 2004
- Studied authenticated group Diffie-Hellman protocols
- Found symbolic attack in Cliques SA-GDH.2 protocol
- Proved no protocol of certain type is secure, for >3 participants
- Micciancio and Panjwani, EUROCRYPT 2004
- Lower bound for class of group key establishment protocols using purely Dolev-Yao reasoning
- Model pseudo-random generators, encryption symbolically
- Lower bounds is tight; matches a known protocol

Rest of talk: Protocol composition logic

Protocol

Honest Principals,

Attacker

- Alice’s information
- Protocol
- Private data
- Sends and receives

Private Data

Send

Receive

Logic now has symbolic and computational semantics

Example

{ A, Noncea }

{ Noncea, … }

Kb

A

B

Ka

- Alice assumes that only Bob has Kb-1
- Alice generated Noncea and knows that some X decrypted first message
- Since only X knows Kb-1, Alice knows X=Bob

More subtle example: Bob’s view

{ A, Noncea }

{ Noncea, B, Nonceb }

{ Nonceb}

Kb

A

B

Ka

Kb

- Bob assumes that Alice follows protocol
- Since Alice responds to second message, Alice must have sent the first message

Execution model

- Protocol
- “Program” for each protocol role
- Initial configuration
- Set of principals and key
- Assignment of 1 role to each principal
- Run

Position in run

x

{x}B

A

({z}B)

({x}B)

decr

B

{z}B

z

C

Formulas true at a position in run

- Action formulas

a ::= Send(P,m) | Receive (P,m) | New(P,t)

| Decrypt (P,t) | Verify (P,t)

- Formulas

::= a | Has(P,t) | Fresh(P,t) | Honest(N)

| Contains(t1, t2) | | 1 2 | x

| |

- Example

After(a,b) = (b a)

Notation in papers varies slightly …

Modal Formulas

- After actions, condition

[ actions ] P where P = princ, role id

- Before/after assertions

[ actions ] P

- Composition rule

[ S ] P [ T ] P

[ ST ] P

Logic formulated: [DMP,DDMP]

Related to: BAN, Floyd-Hoare, CSP/CCS, temporal logic, NPATRL

msg3

Example: Bob’s view of NSL- Bob knows he’s talking to Alice

[ receive encrypt( Key(B), A,m );

new n;

send encrypt( Key(A), m, B, n );

receive encrypt( Key(B), n )

] B

Honest(A) Csent(A, msg1) Csent(A, msg3)

where Csent(A, …) Created(A, …) Sent(A, …)

Proof System

- Sample Axioms:
- Reasoning about possession:
- [receive m ]A Has(A,m)
- Has(A, {m,n}) Has(A, m) Has(A, n)
- Reasoning about crypto primitives:
- Honest(X) Decrypt(Y, enc(X, {m})) X=Y
- Honest(X) Verify(Y, sig(X, {m}))

m’ (Send(X, m’) Contains(m’, sig(X, {m}))

- Soundness Theorem:
- Every provable formula is valid in symbolic model

Modal Formulas

- After actions, condition

[ actions ] P where P = princ, role id

- Before/after assertions

[ actions ] P

- Composition rule

[ S ] P [ T ] P

[ ST ] P

Application DH + CR = ISO 9798-3

- Initiator role of DH

[ new a ] I Fresh(I, ga) HasAlone(I, a)

- Initiator role of CR

Fresh(I, m) [send … receive … B… send]

Honest(B) ActionsInOrder(…)

- Combination
- Substitute ga for m in CR
- Apply composition rule, persistence
- Obtain assertion about ISO initiator

Additional issues

- Reasoning about honest principals
- Invariance rule, called “honesty rule”
- Preserve invariants under composition
- If we prove Honest(X) for protocol 1 and compose with protocol 2, is formula still true?

’

DHHonest(X) …

CRHonest(X) …

’ |- Authentication

|- Secrecy

’ |- Secrecy

’ |- Authentication

’ |- Secrecy Authentication [additive]

DH CR’[nondestructive]

=

ISOSecrecy Authentication

Main results in ICALP Proceedings

- Computational PCL
- Symbolic logic for proving security properties of network protocols using public-key encryption
- Soundness Theorem:
- If a property is provable in CPCL, then property holds in computational model with overwhelming asymptotic probability.
- Benefits
- Symbolic proofs about computational model
- Computational reasoning in soundness proof (only!)
- Different axioms rely on different crypto assumptions

PCL Computational PCL

- Syntax, proof rules mostly the same
- But not sure about propositional connectives…
- Significant difference
- Symbolic “knowledge”
- Has(X,t) : X can produce t from msgs that have been observed, by symbolic algorithm
- Computational “knowledge”
- Possess(X,t) : can produce t by ppt algorithm
- Indistinguishable(X,t) : can distinguish from

random in ppt

- More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.

Complexity-theoretic semantics

- Q |= if adversary A distinguisher D negligible function f n0 n > n0 s.t.

Fraction represents probability

[[]](T,D,f(n))|/|T| > 1 – f(n)

- Fix protocol Q, PPT adversary A
- Choose value of security parameter n
- Vary random bits used by all programs
- Obtain set T=T(Q,A,n) of equi-probable traces

T(Q,A,n)

[[]](T,D,f)

Inductive Semantics

- [[1 2]] (T,D,) = [[1]] (T,D,) [[2]] (T,D,)
- [[1 2]] (T,D,) = [[1]] (T,D,) [[2]] (T,D,)
- [[ ]] (T,D,) = T - [[]] (T,D,)

Implication uses conditional probability

- [[1 2]] (T,D,) = [[1]] (T,D,)

[[2]] (T’,D,)

where T’ = [[1]] (T,D,)

Formula defines transformation on probability distributions over traces

Soundness of proof system

- Example axiom
- Source(Y,u,{m}X) Decrypts(X, {m}X) Honest(X,Y) (Z X,Y) Indistinguishable(Z, u)
- Proof idea: crypto-style reduction
- Assume axiom not valid:

A D negligible f n0 n > n0 s.t.

- [[]](T,D,f)|/|T| < 1 –f(n)
- Construct attacker A’ that uses A, D to break IND-CCA2 secure encryption scheme
- Conditional implication essential

Parts of proof are similar to [Micciancio, Warinschi]

Applications of PCL

- IKE, JFK family key exchange
- IKEv2 in progress
- 802.11i wireless networking
- SSL/TLS, 4way handshake, group handshake
- Kerberos v5 [Cervesato et al]
- GDOI [Meadows, Pavlovic]
- Future work
- Use CPCL to understand computational security of these protocols, reliance on specific crypto properties

Advantages of Computational PCL

- High-level reasoning
- Prove properties of protocols without explicit reasoning about probability, asymptotic complexity
- Sound for “real crypto”
- Composability
- PCL is designed for protocol composition
- Identify crypto assumptions needed

Future Work

- Investigate nature of propositional fragment
- Non-classical; involves some conditional probability
- complexity-theoretic reductions
- connections with probabilistic logics (e.g. Nilsson86)
- Generalize reasoning about secrecy
- Extend logic
- More primitives: signature, hash functions,…
- Remove current syntactic restrictions on formulas
- Information-theoretic semantics (thanks to A Scedrov)
- Only probability; no complexity
- Other fundamental problems
- See Kapron-Impagliazzo, etc.

Conclusion

- Symbolic model supports useful analysis
- Tools, case studies, high-level proofs
- Computational model more “correct”
- More accurately reflects realistic attack
- Two approaches can be combined
- Several current projects and approaches
- One example: computational semantics for symbolic protocol logic

Credits

- Collaborators
- M. Backes, A. Datta, A. Derek, N. Durgin, C. He,

R. Kuesters, D. Pavlovic, A. Ramanathan, A. Roy,

A. Scedrov, V. Shmatikov, M. Sundararajan, V. Teague,

M. Turuani, B. Warinschi, …

- More information
- References in PPDP, ICALP proceedings
- Web page on Protocol Composition Logic
- http://www.stanford.edu/~danupam/logic-derivation.html
- My web site for related projects not discussed

Science is a social process

Download Presentation

Connecting to Server..