
Security Analysis of Network Protocols: Logical and Computational Methods

John Mitchell

Stanford University

ICALP and PPDP, 2005

Outline
  • Protocols
    • Some examples, some intuition
  • Symbolic analysis of protocol security
    • Models, results, tools
  • Computational analysis
    • Communicating Turing machines, composability
  • Combining symbolic, computational analysis
    • Some alternate approaches
    • Protocol Composition Logic (PCL)
    • Symbolic and computational semantics
Many Protocols
  • Authentication
    • Kerberos
  • Key Exchange
    • SSL/TLS handshake, IKE, JFK, IKEv2,
  • Wireless and mobile computing
    • Mobile IP, WEP, 802.11i
  • Electronic commerce
    • Contract signing, SET, electronic cash, …
Mobile IPv6 Architecture
  • Authentication is a requirement
  • Early proposals weak

(Figure: Mobile Node (MN), Home Agent (HA) and Corresponding Node (CN) over IPv6; the MN obtains a direct connection to the CN via a binding update)

802.11i Wireless Authentication

(Figure: supplicant state before and after the protocol)
  • Before: Supplicant UnAuth/UnAssoc, 802.1X Blocked, No Key
  • After: Supplicant Auth/Assoc, 802.1X UnBlocked, PTK/GTK
  • Stages shown: 802.11 Association; EAP/802.1X/RADIUS Authentication (yields MSK); 4-Way Handshake; Group Key Handshake; Data Communication

IKE subprotocol from IPSEC

  m1:  A → B:  A, (g^a mod p)
  m2:  B → A:  B, (g^b mod p), sign_B(m1, m2)
       A → B:  sign_A(m1, m2)

Result: A and B share secret g^ab mod p

Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks

Needham-Schroeder Protocol

  A → B:  {A, NonceA}_Kb
  B → A:  {NonceA, NonceB}_Ka
  A → B:  {NonceB}_Kb

Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1

Anomaly in Needham-Schroeder [Lowe]

  A → E:  {A, Na}_Ke
  E → B:  {A, Na}_Kb
  B → E:  {Na, Nb}_Ka      (B believes it is replying to A)
  E → A:  {Na, Nb}_Ka
  A → E:  {Nb}_Ke
  E → B:  {Nb}_Kb

Evil agent E tricks honest A into revealing private key Nb from B.

Evil E can then fool B.

Run of a protocol

(Figure: principals A, B, C, D, each running an Initiate or Respond role, with an Attacker on the network)

Correct if no security violation in any run

Protocol analysis methods
  • Cryptographic reductions
    • Bellare-Rogaway, Shoup, many others
    • UC [Canetti et al], Simulatability [BPW]
    • Prob poly-time process calculus [LMRST…]
  • Symbolic methods
    • Model checking
      • FDR [Lowe, Roscoe, …], Murphi [M, Shmatikov, …],
    • Symbolic search
      • NRL protocol analyzer [Meadows]
    • Theorem proving
      • Isabelle [Paulson …], Specialized logics [BAN, …]

See papers in PPDP, ICALP proceedings for references

“The” Symbolic Model
  • Messages are algebraic expressions
    • Nonce, Encrypt(K,M), Sign(K,M), …
  • Adversary
    • Nondeterministic
    • Observe, store, direct all communication
      • Break messages into parts
      • Encrypt, decrypt, sign only if it has the key
        • Example: K1, Encrypt(K1, “hi”)  ⟹  K1, Encrypt(K1, “hi”), “hi”
      • Send messages derivable from stored parts
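The symbolic adversary above, and Lowe's anomaly from the earlier slide, as an added example that is not part of the talk: a minimal Dolev-Yao intruder whose store is closed under decomposition and decryption with held keys, plus a synthesis check. The Lowe trace is replayed step by step, requiring every message E sends to be derivable; the same first steps are then run against the NSL repair (B's name inside the second message). The message encoding and the trace lists are constructed here.

```python
# Added example (not from the talk): a minimal Dolev-Yao intruder, used to replay
# Lowe's trace against Needham-Schroeder and the same steps against the NSL fix.
# Message representation (all hashable, so messages can live in sets):
#   'A', 'Na', ...           atoms: principal names and nonces
#   ('pub', X) / ('priv', X) public and private key of principal X (treated as atomic)
#   ('cat', m1, m2, ...)     concatenation
#   ('enc', key, m)          public-key encryption of m under key

def pub(x):
    return ('pub', x)

def priv(x):
    return ('priv', x)

def cat(*parts):
    return ('cat',) + parts

def enc(key, m):
    return ('enc', key, m)

def analyze(store):
    """Close a set of observed messages under the intruder's decomposition rules:
    split concatenations, and decrypt any ciphertext whose private key is held."""
    store = set(store)
    changed = True
    while changed:
        changed = False
        for m in list(store):
            if not isinstance(m, tuple) or m[0] in ('pub', 'priv'):
                continue
            if m[0] == 'cat':
                parts = m[1:]
            elif m[0] == 'enc' and m[1][0] == 'pub' and priv(m[1][1]) in store:
                parts = (m[2],)
            else:
                continue
            new = [p for p in parts if p not in store]
            store.update(new)
            changed = changed or bool(new)
    return store

def derivable(store, target):
    """Can the intruder build `target` from an analyzed store (Dolev-Yao synthesis)?"""
    if target in store:
        return True
    if isinstance(target, tuple) and target[0] == 'cat':
        return all(derivable(store, p) for p in target[1:])
    if isinstance(target, tuple) and target[0] == 'enc':
        return derivable(store, target[1]) and derivable(store, target[2])
    return False

def replay(trace, initial):
    """Walk a trace of (sender, receiver, message). The intruder E sees everything
    on the wire; every message E sends must be derivable from what E holds.
    Returns E's final analyzed store, or None if some step is not derivable."""
    store = analyze(initial)
    for sender, _receiver, msg in trace:
        if sender == 'E' and not derivable(store, msg):
            return None
        store = analyze(store | {msg})
    return store

A, B, E, Na, Nb = 'A', 'B', 'E', 'Na', 'Nb'
# E is a legitimate principal: it knows all names and public keys and its own private key
INTRUDER = {A, B, E, pub(A), pub(B), pub(E), priv(E)}

# Lowe's anomaly, as drawn on the slide (constructed trace)
LOWE_TRACE = [
    (A, E, enc(pub(E), cat(A, Na))),    # A opens a session with E
    (E, B, enc(pub(B), cat(A, Na))),    # E decrypts it and re-encrypts for B, posing as A
    (B, E, enc(pub(A), cat(Na, Nb))),   # B answers "A"; E intercepts and forwards verbatim
    (E, A, enc(pub(A), cat(Na, Nb))),
    (A, E, enc(pub(E), Nb)),            # A returns Nb to E, who can decrypt it
    (E, B, enc(pub(B), Nb)),            # E finishes B's run as "A"
]

# The NSL repair: B's second message also names B. Same first three steps.
NSL_PREFIX = [
    (A, E, enc(pub(E), cat(A, Na))),
    (E, B, enc(pub(B), cat(A, Na))),
    (B, E, enc(pub(A), cat(Na, B, Nb))),
]

def nb_leaks_in_ns():
    """True: every step E takes is derivable and E ends up holding B's nonce Nb."""
    store = replay(LOWE_TRACE, INTRUDER)
    return store is not None and Nb in store

def nsl_blocks_the_attack():
    """True: A, talking to E, only accepts {Na, E, Nb}_Ka, which E cannot build without Nb."""
    store = replay(NSL_PREFIX, INTRUDER)
    return store is not None and not derivable(store, enc(pub(A), cat(Na, E, Nb)))

if __name__ == "__main__":
    print("NS: Nb leaks to E ->", nb_leaks_in_ns())
    print("NSL: E can forge A's expected reply ->", not nsl_blocks_the_attack())
```

The store-closure plus synthesis check is the core of the model checkers and symbolic search tools listed later in the talk; a real tool explores all interleavings rather than replaying one hand-written trace.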
Many formulations
  • Word problems [Dolev-Yao, Dolev-Even-Karp, …]
    • Each protocol step is a symbolic function from input message to output message; cancellation law d_k e_k x = x
  • Rewrite systems [CDLMS]
    • Each protocol step is a symbolic function from state and input message to state and output message
  • Logic programming [Meadows NRL Analyzer]
    • Each protocol step can be defined by logical clauses
    • Resolution used to perform reachability search
  • Constraint solving [Amadio-Lugiez, …]
    • Write set constraints defining messages known at step i
  • Strand space model [MITRE]
    • Partial order (Lamport causality), reasoning methods
  • Process calculus [CSP, Spi-calculus, applied π-calculus, …]
    • Each protocol step is a process that reads, writes on a channel
    • Spi-calculus: use ν for new values, private channels, simulate crypto
Complexity results (see [Cortier et al])

Additional results for variants of basic model (AC, xor, modular exp, …)

Many protocol case studies
  • Murphi [Shmatikov, He, …]
    • SSL, Contract signing, 802.11i, …
  • Meadows NRL tool
    • Participation in IETF, IEEE standards
    • Many important examples
  • Paulson inductive method; Scedrov et al
    • Kerberos, SSL, SET, many more
  • Protocol logic
    • BAN logic and successors (GNY, SvO, …)
    • DDMP …
Computational model I

(Figure: “Alice” and “Bob” are oracles reached through oracle tapes; the Adversary has an input tape and a work tape)

[Bellare-Rogaway, Shoup, …]

Computational model II

(Figure: the protocol parties and the Adversary are all Turing machines communicating with one another)

[Canetti, …]

Computational security: encryption
  • Passive adversary
    • Semantic security
  • Chosen ciphertext attacks (CCA1)
    • Adversary can ask for decryption before receiving a challenge ciphertext
  • Chosen ciphertext attacks (CCA2)
    • Adversary can ask for decryption before and after receiving a challenge ciphertext
Passive Adversary

  Attacker → Challenger:  m0, m1
  Challenger → Attacker:  E(mi)
  Attacker:  guess 0 or 1

Chosen ciphertext CCA1

  Attacker → Challenger:  c
  Challenger → Attacker:  D(c)
  Attacker → Challenger:  m0, m1
  Challenger → Attacker:  E(mi)
  Attacker:  guess 0 or 1

Chosen ciphertext CCA2

  Attacker → Challenger:  c
  Challenger → Attacker:  D(c)
  Attacker → Challenger:  m0, m1
  Challenger → Attacker:  E(mi)
  Attacker → Challenger:  c ≠ E(mj)
  Challenger → Attacker:  D(c)
  Attacker:  guess 0 or 1
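The three games above as runnable code, added here as an example and not taken from the talk. The challenger plays the passive and CCA2 games for a constructed toy scheme (a random nonce plus an HMAC-derived keystream, my choice for illustration); the only rule the CCA2 oracle enforces is the one on the slide, c ≠ E(mj). Because the toy scheme is malleable, one post-challenge decryption query of a related ciphertext decides the bit every time, while a passive attacker with no oracle is left guessing. All names and the scheme are assumptions of this example.

```python
import hashlib
import hmac
import secrets

class Challenger:
    """Plays the indistinguishability games from the slides for a constructed toy
    scheme: E(m) = r || (m XOR HMAC-SHA256(k, r)[:16]) with a fresh 16-byte r.
    The scheme is a passable stream cipher but malleable: flipping a ciphertext
    bit flips the same plaintext bit, which is exactly what a CCA2 query exploits."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.bit = None          # the challenger's hidden choice i
        self.challenge = None    # E(m_i), the one ciphertext the CCA2 oracle refuses

    def _keystream(self, r):
        return hmac.new(self.key, r, hashlib.sha256).digest()[:16]

    def encrypt(self, m):
        r = secrets.token_bytes(16)
        return r + bytes(a ^ b for a, b in zip(m, self._keystream(r)))

    def decrypt(self, c):
        r, body = c[:16], c[16:]
        return bytes(a ^ b for a, b in zip(body, self._keystream(r)))

    def challenge_encrypt(self, m0, m1):
        """Attacker -> Challenger: m0, m1.  Challenger -> Attacker: E(m_i)."""
        assert len(m0) == len(m1) <= 16
        self.bit = secrets.randbelow(2)
        self.challenge = self.encrypt((m0, m1)[self.bit])
        return self.challenge

    def decryption_oracle(self, c):
        """D(c) for any c; after the challenge, CCA2 only rules out c = E(m_i) itself."""
        if c == self.challenge:
            raise ValueError("decrypting the challenge ciphertext is not allowed")
        return self.decrypt(c)

    def check(self, guess):
        return guess == self.bit


def cca2_attack_once():
    """One CCA2 game: a single post-challenge query on c' != c decides the bit."""
    ch = Challenger()
    m0, m1 = bytes(16), b"\xff" * 16
    c = ch.challenge_encrypt(m0, m1)
    c_prime = c[:-1] + bytes([c[-1] ^ 0x01])          # related ciphertext, c' != c
    m_prime = ch.decryption_oracle(c_prime)           # = m_i with its last bit flipped
    recovered = m_prime[:-1] + bytes([m_prime[-1] ^ 0x01])
    return ch.check(0 if recovered == m0 else 1)

def cca2_attack_win_rate(trials=200):
    """1.0: the scheme is not IND-CCA2 (the attacker wins every game)."""
    return sum(cca2_attack_once() for _ in range(trials)) / trials

def passive_guess_win_rate(trials=2000):
    """Same scheme, passive game, an attacker that just guesses: about 0.5."""
    wins = 0
    for _ in range(trials):
        ch = Challenger()
        ch.challenge_encrypt(bytes(16), b"\xff" * 16)
        wins += ch.check(secrets.randbelow(2))
    return wins / trials

def oracle_refuses_challenge():
    """True: the CCA2 oracle rejects exactly the challenge ciphertext."""
    ch = Challenger()
    c = ch.challenge_encrypt(bytes(16), b"\x01" * 16)
    try:
        ch.decryption_oracle(c)
        return False
    except ValueError:
        return True
```

The point for the later soundness discussion is visible in the code: an axiom that relies on CCA2 security is only sound for schemes where the decryption oracle on related ciphertexts gives the attacker nothing, which this toy scheme fails to provide.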

Protocol execution / Protocol security

(Figure, slide by R. Canetti: environment Z gives inputs to parties P1–P4, which run the protocol in the presence of attacker A, and receives their outputs; in the ideal process the parties pass their inputs to an ideal functionality F, with a simulator S in place of the attacker)

Universal composability

(Figure, slide by Y. Lindell: REAL protocol interaction with adversary A versus IDEAL interaction through a trusted party with adversary S)

For every real adversary A there exists an adversary S

also “reactive simulatability” [BPW], … see [DKMRS]

Some relevant approaches
  • Simulation framework
    • Backes, Pfitzmann, Waidner
  • Correspondence theorems
    • Micciancio, Warinschi
  • Kapron-Impagliazzo logics
  • Abadi-Rogaway passive equivalence

  ⟨ (K2, {01}K3), {({101}K2, K5)}K2, {{K6}K4}K5 ⟩
    ≅  ⟨ (K2, □), {({101}K2, K5)}K2, {□}K5 ⟩            (pattern: ciphertexts under unrecoverable keys become □)
    ≅  ⟨ (K1, □), {({101}K1, K5)}K1, {□}K5 ⟩            (rename K2 to K1)
    ≅  ⟨ (K1, {K1}K7), {({101}K1, K5)}K1, {{K6}K7}K5 ⟩

Proposed as start of larger plan for computational soundness

[Abadi-Rogaway00, …, Adao-Bana-Scedrov05]
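The pattern computation behind the Abadi-Rogaway chain above, written out as an added example (not code from the talk or the paper): recoverable keys are computed as a least fixed point, every ciphertext under an unrecoverable key collapses to a box, and two patterns are compared up to a renaming of keys by canonicalizing key names in order of first appearance. The two expressions from the slide are encoded as E1 and E2; E3 is a constructed near-miss. The term encoding is this example's own.

```python
# Added example (not the talk's code): Abadi-Rogaway patterns for the expressions on
# the slide. Representation: keys are strings starting with 'K', bit strings are other
# strings, ('enc', K, M) is symmetric encryption, any other tuple is concatenation.
BOX = '□'   # stands for a ciphertext the observer cannot decrypt

def enc(key, m):
    return ('enc', key, m)

def is_key(t):
    return isinstance(t, str) and t.startswith('K')

def is_enc(t):
    return isinstance(t, tuple) and len(t) == 3 and t[0] == 'enc'

def visible_keys(t, keys):
    """Keys readable from t when the keys in `keys` are already available."""
    if is_key(t):
        return {t}
    if is_enc(t):
        return visible_keys(t[2], keys) if t[1] in keys else set()
    if isinstance(t, tuple):
        return set().union(*(visible_keys(p, keys) for p in t))
    return set()

def recoverable_keys(m):
    """Least fixed point: keys sent in the clear, plus keys under those keys, and so on."""
    keys = set()
    while True:
        more = visible_keys(m, keys)
        if more == keys:
            return keys
        keys = more

def pattern(t, keys):
    """Replace every ciphertext whose key is not recoverable with a box."""
    if is_enc(t):
        return enc(t[1], pattern(t[2], keys)) if t[1] in keys else BOX
    if isinstance(t, tuple):
        return tuple(pattern(p, keys) for p in t)
    return t

def canonical(t, renaming):
    """Rename keys by order of first appearance, so two patterns that differ only by a
    bijective renaming of keys get the same canonical form."""
    if is_key(t):
        renaming.setdefault(t, 'k%d' % len(renaming))
        return renaming[t]
    if isinstance(t, tuple):
        return tuple(canonical(p, renaming) for p in t)
    return t

def equivalent(m1, m2):
    """Abadi-Rogaway equivalence: equal patterns up to renaming of keys."""
    return (canonical(pattern(m1, recoverable_keys(m1)), {})
            == canonical(pattern(m2, recoverable_keys(m2)), {}))

# The two expressions from the slide
E1 = (('K2', enc('K3', '01')), enc('K2', (enc('K2', '101'), 'K5')), enc('K5', enc('K4', 'K6')))
E2 = (('K1', enc('K7', 'K1')), enc('K1', (enc('K1', '101'), 'K5')), enc('K5', enc('K7', 'K6')))
# A constructed near-miss: same shape, but the bit string under K2 differs
E3 = (('K2', enc('K3', '01')), enc('K2', (enc('K2', '111'), 'K5')), enc('K5', enc('K4', 'K6')))

if __name__ == "__main__":
    print(pattern(E1, recoverable_keys(E1)))
    print("E1 ~ E2:", equivalent(E1, E2), " E1 ~ E3:", equivalent(E1, E3))
```

Note that the box carries no key name, matching the slide; variants of the result that keep a key indicator on the box, or that forbid key cycles, change only `pattern` and the fixed point.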

Symbolic methods → comp’l results
  • Pereira and Quisquater, CSFW 2001, 2004
    • Studied authenticated group Diffie-Hellman protocols
    • Found symbolic attack in Cliques SA-GDH.2 protocol
    • Proved no protocol of certain type is secure, for >3 participants
  • Micciancio and Panjwani, EUROCRYPT 2004
    • Lower bound for class of group key establishment protocols using purely Dolev-Yao reasoning
      • Model pseudo-random generators, encryption symbolically
    • Lower bound is tight; matches a known protocol
Rest of talk: Protocol composition logic

(Figure: a Protocol run by Honest Principals and an Attacker; each principal holds Private Data and performs Send and Receive actions)
  • Alice’s information
    • Protocol
    • Private data
    • Sends and receives

Logic now has symbolic and computational semantics

Example

  A → B:  {A, Noncea}_Kb
  B → A:  {Noncea, …}_Ka

  • Alice assumes that only Bob has Kb^-1
  • Alice generated Noncea and knows that some X decrypted first message
  • Since only X knows Kb^-1, Alice knows X=Bob
More subtle example: Bob’s view

  A → B:  {A, Noncea}_Kb
  B → A:  {Noncea, B, Nonceb}_Ka
  A → B:  {Nonceb}_Kb

  • Bob assumes that Alice follows protocol
  • Since Alice responds to second message, Alice must have sent the first message
Execution model
  • Protocol
    • “Program” for each protocol role
  • Initial configuration
    • Set of principals and keys
    • Assignment of 1 role to each principal
  • Run

(Figure: a run with principals A, B and C; A sends {x}B and C sends {z}B, B receives ({x}B) and ({z}B) and decrypts them to x and z; a position in the run is marked)

Formulas true at a position in run
  • Action formulas

    a ::= Send(P,m) | Receive(P,m) | New(P,t) | Decrypt(P,t) | Verify(P,t)

  • Formulas

    φ ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | ¬φ | φ1 ∧ φ2 | ∃x φ | ◇φ | ⊖φ

  • Example

    After(a,b) = ◇(b ∧ ◇a)

Notation in papers varies slightly …

Modal Formulas
  • After actions, condition

    [ actions ]P φ        where P = princ, role id

  • Before/after assertions

    θ [ actions ]P φ

  • Composition rule

    θ [ S ]P ψ      ψ [ T ]P φ
    ──────────────────────────
          θ [ ST ]P φ

Logic formulated: [DMP,DDMP]

Related to: BAN, Floyd-Hoare, CSP/CCS, temporal logic, NPATRL

Example: Bob’s view of NSL
  • Bob knows he’s talking to Alice

    [ receive encrypt( Key(B), A,m );             -- msg1
      new n;
      send encrypt( Key(A), m, B, n );
      receive encrypt( Key(B), n )                -- msg3
    ] B
    Honest(A) ⊃ Csent(A, msg1) ∧ Csent(A, msg3)

    where Csent(A, …) ≡ Created(A, …) ∧ Sent(A, …)

Proof System
  • Sample Axioms:
    • Reasoning about possession:
      • [receive m ]A Has(A,m)
      • Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
    • Reasoning about crypto primitives:
      • Honest(X) ∧ Decrypt(Y, enc(X, {m})) ⊃ X=Y
      • Honest(X) ∧ Verify(Y, sig(X, {m})) ⊃ ∃m’ (Send(X, m’) ∧ Contains(m’, sig(X, {m})))
  • Soundness Theorem:
    • Every provable formula is valid in symbolic model
Modal Formulas
  • After actions, condition

    [ actions ]P φ        where P = princ, role id

  • Before/after assertions

    θ [ actions ]P φ

  • Composition rule

    θ [ S ]P ψ      ψ [ T ]P φ
    ──────────────────────────
          θ [ ST ]P φ

Application DH + CR = ISO 9798-3
  • Initiator role of DH

    [ new a ]I  Fresh(I, g^a) ∧ HasAlone(I, a)

  • Initiator role of CR

    Fresh(I, m) [ send … receive … B … send ]  Honest(B) ⊃ ActionsInOrder(…)

  • Combination
    • Substitute g^a for m in CR
    • Apply composition rule, persistence
    • Obtain assertion about ISO initiator
Additional issues
  • Reasoning about honest principals
    • Invariance rule, called “honesty rule”
  • Preserve invariants under composition
    • If we prove Honest(X) ⊃ φ for protocol 1 and compose with protocol 2, is formula still true?
Composing protocols

(Figure: invariants and the properties they yield)
  Γ  = { Honest(X) ⊃ … }  from DH          Γ ⊢ Secrecy
  Γ’ = { Honest(X) ⊃ … }  from CR          Γ’ ⊢ Authentication

  Γ ∪ Γ’ ⊢ Secrecy
  Γ ∪ Γ’ ⊢ Authentication
  Γ ∪ Γ’ ⊢ Secrecy ∧ Authentication        [additive]

  DH ∘ CR ⊨ Γ ∪ Γ’                          [nondestructive]
  DH ∘ CR = ISO  ⊨  Secrecy ∧ Authentication

Main results in ICALP Proceedings
  • Computational PCL
    • Symbolic logic for proving security properties of network protocols using public-key encryption
  • Soundness Theorem:
    • If a property is provable in CPCL, then property holds in computational model with overwhelming asymptotic probability.
  • Benefits
    • Symbolic proofs about computational model
    • Computational reasoning in soundness proof (only!)
    • Different axioms rely on different crypto assumptions
PCL → Computational PCL
  • Syntax, proof rules mostly the same
    • But not sure about propositional connectives…
  • Significant difference
    • Symbolic “knowledge”
      • Has(X,t) : X can produce t from msgs that have been observed, by symbolic algorithm
    • Computational “knowledge”
      • Possess(X,t) : can produce t by ppt algorithm
      • Indistinguishable(X,t) : cannot distinguish t from random in ppt
    • More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.
Complexity-theoretic semantics
  • Q ⊨ φ if ∀ adversary A ∀ distinguisher D ∃ negligible function f ∃ n0 ∀ n > n0 s.t.

    | [[φ]](T,D,f(n)) | / | T |  >  1 – f(n)        (fraction represents probability)

  • Fix protocol Q, PPT adversary A
  • Choose value of security parameter n
  • Vary random bits used by all programs
  • Obtain set T=T(Q,A,n) of equi-probable traces

(Figure: the trace set T(Q,A,n) and its subset [[φ]](T,D,f) on which φ holds)

Inductive Semantics
  • [[φ1 ∧ φ2]] (T,D,ε) = [[φ1]] (T,D,ε) ∩ [[φ2]] (T,D,ε)
  • [[φ1 ∨ φ2]] (T,D,ε) = [[φ1]] (T,D,ε) ∪ [[φ2]] (T,D,ε)
  • [[¬φ]] (T,D,ε) = T − [[φ]] (T,D,ε)

Implication uses conditional probability

  • [[φ1 ⊃ φ2]] (T,D,ε) = [[¬φ1]] (T,D,ε) ∪ [[φ2]] (T’,D,ε)     where T’ = [[φ1]] (T,D,ε)

Formula defines transformation on probability distributions over traces
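The inductive semantics above, run on a constructed trace set, as an added example that is not from the talk. Formulas are functions from (T, ε) to the subset of T on which they hold; per-trace predicates ignore the set, while the indistinguishability predicate is a property of the whole set. Its modelling here is an assumption of the example: a fixed distinguisher D that simply outputs the observed bit u, and "all of T if D's advantage on T is at most ε, else none of T". The trace set is built so that honest runs leak nothing about u while dishonest runs fix it, which makes the difference between the conditional reading of implication and the classical ¬φ1 ∨ φ2 reading visible in the computed probabilities.

```python
# Added example (not from the talk): the slide's set-valued semantics on a constructed
# trace set. A trace is (name, honest?, u) where u is the bit the distinguisher sees.
from fractions import Fraction

TRACES = frozenset(
    [('h%d' % i, True, i % 2) for i in range(8)] +   # honest runs: u looks like a fair coin
    [('d%d' % i, False, 1) for i in range(4)]        # dishonest runs: u is always 1
)

def advantage(traces):
    """Advantage of the fixed distinguisher D = 'output u' at telling u from a random
    bit, measured over the given trace set: |Pr[u = 1] - 1/2| (0 on the empty set)."""
    if not traces:
        return Fraction(0)
    ones = sum(1 for t in traces if t[2] == 1)
    return abs(Fraction(ones, len(traces)) - Fraction(1, 2))

# Atomic formulas: (T, eps) -> subset of T on which the formula holds
def honest(T, eps):
    return frozenset(t for t in T if t[1])

def indist_u(T, eps):
    # Assumption of this example: Indistinguishable(., u) holds on all of T when D's
    # advantage over T is within eps, and on none of T otherwise.
    return frozenset(T) if advantage(T) <= eps else frozenset()

# Connectives from the slide
def conj(f1, f2):
    return lambda T, eps: f1(T, eps) & f2(T, eps)

def disj(f1, f2):
    return lambda T, eps: f1(T, eps) | f2(T, eps)

def neg(f):
    return lambda T, eps: frozenset(T) - f(T, eps)

def implies(f1, f2):
    """Conditional semantics: the consequent is evaluated only on T' = [[f1]](T)."""
    def sem(T, eps):
        T_prime = f1(T, eps)
        return neg(f1)(T, eps) | f2(T_prime, eps)
    return sem

def probability(formula, T=TRACES, eps=Fraction(1, 10)):
    """|[[formula]](T)| / |T|: the 'fraction represents probability' of the slides."""
    return Fraction(len(formula(T, eps)), len(T))

def conditional_vs_classical():
    """Honest ⊃ Indist(u) under the two readings of implication.
    Conditional: D is run on honest traces only, where u is unbiased, so the
    implication holds on every trace (probability 1). Classical: D is run on all of T,
    where u is biased by the dishonest runs, so only the ¬Honest traces count (1/3)."""
    conditional = probability(implies(honest, indist_u))
    classical = probability(disj(neg(honest), indist_u))
    return conditional, classical

if __name__ == "__main__":
    print("Indist(u) over all of T:", probability(indist_u))
    print("Honest ⊃ Indist(u), conditional vs classical:", conditional_vs_classical())
```

In the real semantics T is the exponentially large set of traces for one security parameter and ε is f(n); the construction above only shrinks it to twelve traces so the arithmetic can be checked by hand.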

Soundness of proof system
  • Example axiom
    • Source(Y,u,{m}X) ∧ Decrypts(X, {m}X) ∧ Honest(X,Y) ∧ (Z ≠ X,Y) ⊃ Indistinguishable(Z, u)
  • Proof idea: crypto-style reduction
    • Assume axiom not valid:

      ∃A ∃D ∀ negligible f ∀n0 ∃n > n0 s.t.   | [[φ]](T,D,f) | / | T |  <  1 – f(n)

    • Construct attacker A’ that uses A, D to break IND-CCA2 secure encryption scheme
    • Conditional implication essential

Parts of proof are similar to [Micciancio, Warinschi]

Applications of PCL
  • IKE, JFK family key exchange
    • IKEv2 in progress
  • 802.11i wireless networking
    • SSL/TLS, 4-way handshake, group handshake
  • Kerberos v5 [Cervesato et al]
  • GDOI [Meadows, Pavlovic]
  • Future work
    • Use CPCL to understand computational security of these protocols, reliance on specific crypto properties
Advantages of Computational PCL
  • High-level reasoning
    • Prove properties of protocols without explicit reasoning about probability, asymptotic complexity
  • Sound for “real crypto”
  • Composability
    • PCL is designed for protocol composition
  • Identify crypto assumptions needed
Future Work
  • Investigate nature of propositional fragment
    • Non-classical; involves some conditional probability
      • complexity-theoretic reductions
      • connections with probabilistic logics (e.g. Nilsson86)
  • Generalize reasoning about secrecy
  • Extend logic
    • More primitives: signature, hash functions,…
    • Remove current syntactic restrictions on formulas
  • Information-theoretic semantics (thanks to A Scedrov)
    • Only probability; no complexity
  • Other fundamental problems
    • See Kapron-Impagliazzo, etc.
Conclusion
  • Symbolic model supports useful analysis
    • Tools, case studies, high-level proofs
  • Computational model more “correct”
    • More accurately reflects realistic attack
  • Two approaches can be combined
    • Several current projects and approaches
    • One example: computational semantics for symbolic protocol logic
Credits
  • Collaborators
    • M. Backes, A. Datta, A. Derek, N. Durgin, C. He, R. Kuesters, D. Pavlovic, A. Ramanathan, A. Roy, A. Scedrov, V. Shmatikov, M. Sundararajan, V. Teague, M. Turuani, B. Warinschi, …
  • More information
    • References in PPDP, ICALP proceedings
    • Web page on Protocol Composition Logic
      • http://www.stanford.edu/~danupam/logic-derivation.html
      • My web site for related projects not discussed

Science is a social process