Security Analysis of Network Protocols. PowerPoint presentation transcript (52 slides). Anupam Datta, Stanford University. CIS Seminar, MIT, November 18, 2005.

Presentation Transcript

Security Analysis of Network Protocols

Anupam Datta

Stanford University

CIS Seminar, MIT

November 18, 2005

Outline

Part I: Overview

  • Motivation
  • Central problems
    • Divide and Conquer paradigm
    • Combining logic and cryptography
  • Results

Part II: Protocol Composition Logic

  • Compositional Reasoning
  • Complexity-theoretic foundations
This talk is about…
  • Network security protocols
    • Internet Engineering Task Force (IETF) Standards
      • SSL/TLS - web authentication
      • IPSec - corporate VPNs
      • Mobile IPv6 – routing security
      • Kerberos - network authentication
      • GDOI – secure group communication
    • IEEE Standards Working Group
      • 802.11i - wireless LAN security
      • 802.16e – wireless MAN security
  • And methods for their security analysis
    • Security proof in some model; or
    • Identify attacks
Run of a protocol

[diagram: principals A, B, C and D on a network controlled by the attacker; A initiates a session and B responds]

Correct if no security violation in any run

Characteristics of protocols
  • Relatively simple distributed programs
    • 5-7 steps, 3-10 fields per message (per component)
  • Mission critical
    • Security of data, credit card numbers, …
  • Subtle
    • Concurrency: attack may combine data from many sessions
    • Computation: modeling cryptographic primitives

Good domain for logical methods

Active research area since the early 1980s

Security Analysis Methodology

[diagram: Protocol + Property + Attacker model feed the Analysis Tool, which yields a security proof or an attack]

  • Protocol: SSL
  • Property: authentication
  • Attacker model: complete control over network; perfect crypto
  • Analysis tool: Protocol Composition Logic (PCL), our tool
  • Result: 42 line axiomatic proof

Protocol analysis methods
  • Cryptographic reductions
    • Bellare-Rogaway, Shoup, many others
    • UC [Canetti et al], Simulatability [BPW]
    • Prob poly-time process calculus [LMRST…]
  • Symbolic methods
    • Model checking
      • FDR [Lowe, Roscoe, …], Murphi [Mitchell, Shmatikov, …], …
      • NRL protocol analyzer [Meadows], Athena [Song], …
    • Theorem proving
      • Isabelle [Paulson …], Specialized logics [BAN, …, PCL]
Examples of protocol flaws
  • IKE [Meadows; 1999]
    • Reflection attack; fix adopted by IETF WG
  • IEEE 802.11i [He, Mitchell; 2004]
    • DoS attack; fix adopted by IEEE WG
  • GDOI [Meadows, Pavlovic; 2004]
    • Composition attack; fix adopted by IETF WG
  • Kerberos V5 [Scedrov et al; 2005]
    • Identity misbinding attack; fix adopted by IETF WG
IEEE 802.11i wireless security [2004]

[diagram: Wireless Device, Access Point and Authentication Server; the protocol phases run in this order, and each uses crypto (encryption, hash, …)]

  • 802.11 Association
  • EAP/802.1X/RADIUS Authentication
  • 4-way handshake
  • Group key handshake
  • Data communication

Callouts on the diagram:
  • Divide-and-conquer paradigm
  • Combining logic and cryptography

Divide-and-Conquer paradigm
  • Result: Protocol Derivation System [DDMP03-05]
    • Incremental protocol construction
  • Result: Protocol Composition Logic (PCL) [DDDMP01-05]
    • Compositional correctness proofs
  • Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], [Pfitzmann-Waidner01], …

Composition is a hard problem in security

Central Problem 1

Combining logic and cryptography
  • Symbolic model [NS78, DY84]
    - Perfect cryptography assumption
    + Idealization => tools and techniques
  • Complexity-theoretic model [GM84]
    + More detailed model; probabilistic guarantees
    - Hand-proofs very hard; no automation
  • Result: Computational PCL [DDMST05]
    + Logical proof methods
    + Complexity-theoretic crypto model
  • Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]

Central Problem 2

Applied to industrial protocols

  • IEEE 802.11i [IEEE Standards; 2004] [He et al]
    • TLS/SSL [RFC 2246] is a component
  • IKE/JFK family
    • IKEv2 [IETF ID; 2004] in progress [Aron et al]
  • Mobile IPv6 [RFC 3775] in progress [Roy et al]
  • Kerberos V5 [IETF ID; 2004] [Cervasato et al]
  • GDOI Secure Group Communication protocol [RFC 3547] [Meadows et al]
Protocol analysis spectrum

[figure: analysis methods plotted by strength of attacker model (Low to High) against protocol complexity (Low to High); the "Holy Grail" is the high/high corner; arrows labelled "Combining logic and cryptography" and "Divide and conquer" point toward it]

Methods on the chart: Hand proofs, Computational protocol logic, Poly-time calculus, Multiset rewriting, Protocol logic, Spi-calculus, Athena, Paulson, NRL, BAN logic, Model checking (FDR, Murphi)

Outline

Part I: Overview

Part II: Protocol Composition Logic

  • Compositional Reasoning
  • Complexity-theoretic foundations
Challenge-Response: Proof Idea

Messages:
  1. A -> B: m, A
  2. B -> A: n, sigB {m, n, A}
  3. A -> B: sigA {m, n, B}

  • Alice reasons: if Bob is honest, then:
    • only Bob can generate his signature. [protocol independent]
    • if Bob generates a signature of the form sigB {m, n, A},
      • he sends it as part of msg 2 of the protocol and
      • he must have received msg1 from Alice. [protocol specific]
  • Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)
Reasoning method
  • Reason about local information
    • I know my own actions
  • Incorporate knowledge of protocol
    • Honest people faithfully follow protocol
  • No explicit reasoning about intruder
    • Absence of bad action expressed as a positive property of good actions
      • E.g., honest agent’s signature can be produced only by the agent

Distinguishes our method from existing techniques

Formalism

  • Cord calculus
    • Protocol programming language
    • Execution model (Symbolic/“Dolev-Yao”)
  • Protocol logic
    • Expressing protocol properties
  • Proof system
    • Proving protocol properties
    • Soundness theorem
Challenge-Response as Cords

Messages:
  1. A -> B: m, A
  2. B -> A: n, sigB {m, n, A}
  3. A -> B: sigA {m, n, B}

InitCR(A, X) = [
  new m;
  send A, X, m, A;
  receive X, A, x, sigX{m, x, A};
  send A, X, sigA{m, x, X};
]

RespCR(B) = [
  receive Y, B, y, Y;
  new n;
  send B, Y, n, sigB{y, n, Y};
  receive Y, B, sigY{y, n, B};
]

Execution model
  • Protocol
    • “Program” for each protocol role
  • Initial configuration
    • Set of principals and keys
    • Assignment of 1 role to each principal
  • Run

[diagram: a run is an interleaving of the roles' actions, with a marked position in the run. A: New x; Send {x}B. B: Recv {x}B; Recv {z}B. C: New z; Send {z}B]

Attacker capabilities
  • Controls complete network
    • Can read, remove, inject messages
  • Fixed set of operations on terms
    • Pairing
    • Projection
    • Encryption with known key
    • Decryption with known key
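The attacker model above is the symbolic (Dolev-Yao) one, and the proof system later treats "Has(X, t)" as "X can produce t from observed messages by a symbolic algorithm". The following is an added example, not code from the slides or from the PCL project, showing that algorithm for exactly the four operations listed: an analysis phase (projection and decryption with known keys, iterated to a fixpoint) followed by a synthesis check (pairing and encryption with derivable keys). The term encoding (strings for atoms, tagged tuples for pairs and ciphertexts), symmetric encryption, and the scenario taken from the execution-model diagram (A sends {x}_B, C sends {z}_B, the attacker holds its own key kE) are assumptions of the example.

```python
def pair(a, b):
    return ("pair", a, b)


def enc(k, m):
    return ("enc", k, m)


def analyse(observed):
    """Analysis phase: close the observed set under projection and decryption
    with known keys, repeating until no new term appears (a decrypted term may
    itself be a key that opens further ciphertexts)."""
    known = set(observed)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if isinstance(t, str):
                continue                      # atoms have no parts
            if t[0] == "pair":
                new = {t[1], t[2]}            # projection
            elif t[0] == "enc" and t[1] in known:
                new = {t[2]}                  # decryption with a known key
            else:
                new = set()
            if not new <= known:
                known |= new
                changed = True
    return known


def can_derive(known, t):
    """Synthesis phase: Has(attacker, t) holds iff t was learned outright or
    can be assembled from derivable parts by pairing or by encryption with a
    derivable key. Together with analyse() this decides Has(X, t)."""
    if t in known:
        return True
    if isinstance(t, str):
        return False                          # an unknown atom cannot be guessed
    if t[0] in ("pair", "enc"):
        return can_derive(known, t[1]) and can_derive(known, t[2])
    return False


def has(observed, t):
    """Has(attacker, t) for an attacker that has observed the given terms."""
    return can_derive(analyse(observed), t)


def attacker_view():
    """Constructed scenario (not from the slides): A sent {x}_B and C sent
    {z}_B; the attacker saw both ciphertexts and owns the key kE."""
    x, z, kB, kE = "x", "z", "kB", "kE"
    seen = {enc(kB, x), enc(kB, z), kE}
    return {
        "learns_x": has(seen, x),                                 # needs kB
        "can_replay_pair": has(seen, pair(enc(kB, x), enc(kB, z))),
        "can_reencrypt": has(seen, enc(kE, enc(kB, x))),
        "learns_x_if_kB_leaks": has(seen | {kB}, x),
        "can_forge_if_kB_leaks": has(seen | {kB}, enc(kB, pair(x, z))),
    }


if __name__ == "__main__":
    for name, value in attacker_view().items():
        print(name, value)
```

Without kB the attacker can only replay, pair and re-encrypt what it saw; once kB leaks, the analysis phase opens both ciphertexts and the synthesis phase can build fresh ciphertexts under kB. The possession axiom on a later slide, Has(A, {m,n}) implies Has(A, m) and Has(A, n), is the projection step of analyse().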
Formulas true at a position in run
  • Action formulas

a ::= Send(P,m) | Receive(P,m) | New(P,t) | Decrypt(P,t) | Verify(P,t)

  • Formulas

φ ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | ¬φ | φ1 ∧ φ2 | ∃x φ | ◇φ | ⊖φ

  • Example

After(a,b) = ◇(b ∧ ⊖◇a)

Challenge Response: Property

  • Modal form: θ [ actions ]P φ
    • precondition: Fresh(A,m)
    • actions: [ Initiator role actions ]A
    • postcondition: Honest(B) ⊃ ActionsInOrder(
        • send(A, {A,B,m}),
        • receive(B, {A,B,m}),
        • send(B, {B,A,{n, sigB {m, n, A}}}),
        • receive(A, {B,A,{n, sigB {m, n, A}}}) )

Secure if desired property holds in all runs
Proof System

  • Sample Axioms:
    • Reasoning about possession:
      • [receive m ]A Has(A,m)
      • Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
    • Reasoning about crypto primitives:
      • Honest(X) ∧ Decrypt(Y, encX{m}) ⊃ X=Y
      • Honest(X) ∧ Verify(Y, sigX{m}) ⊃ ∃ m’ (Send(X, m’) ∧ Contains(m’, sigX{m}))
  • Soundness Theorem:
    • Every provable formula is valid
Outline

Part I: Overview

Part II: Protocol Composition Logic

  • Compositional Reasoning
  • Complexity-theoretic foundations
Reasoning about Composition

  • Non-destructive Combination:
    • Ensure combined parts do not interfere
      • In logic: invariance assertions
  • Additive Combination:

Accumulate security properties of combined parts, assuming they do not interfere

      • In logic: before-after assertions
Proof steps (Intuition)

  • Protocol independent reasoning
    • Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
    • Still good: unaffected by composition
  • Protocol specific reasoning
    • “if honest Bob generates a signature of the form sigB {m, n, A},
      • he sends it as part of msg 2 of the protocol and
      • he must have received msg1 from Alice”
    • Could break: Bob’s signature from one protocol could be used to attack another
  • Technically:
    • Protocol-specific proof steps use invariants
    • Invariants must be preserved for safe composition
Invariants

  • Reasoning about honest principals
    • Invariance rule, called “honesty rule”
  • Preservation of invariants under composition
    • If we prove Honest(X) ⊃ φ for protocol 1 and compose with protocol 2, is formula still true?

Honesty Rule (Induction)
  • Definition
    • A protocol step begins with receive, ends before next receive
  • Rule

        [ ]X φ      ∀B ∈ ProtocolSteps(Q). φ [B]X φ
        -------------------------------------------
                    Q |- Honest(X) ⊃ φ

  • Example
    • CR |- Honest(X) ⊃ (Sent(X, m2) ⊃ Received(X, m1))
Composition of protocols

DH-Init(X, Y) = [
  new x;
]                                   outputs X, Y, g^x, x

CR-Init(W, Z, w, x) = [
  send W, Z, w, W;
  receive Z, W, z, sigZ{w, z, W};
  send W, Z, sigW{w, z, Z};
]                                   outputs W, Z, z^x

ISO-Init(X, Y) = [
  new x;
  send X, Y, g^x, X;
  receive Y, X, z, sigY{g^x, z, X};
  send X, Y, sigX{g^x, z, Y};
]                                   outputs X, Y, z^x

Sequential composition with term substitution: ISO-Init is DH-Init followed by CR-Init, with the DH outputs (X, Y, g^x, x) substituted for the CR inputs (W, Z, w, x)
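The cords on the challenge-response slide, the ActionsInOrder property and the composition above are all executable. What follows is an added example, not code from the slides or from the PCL project: each role is a small generator program that yields send/receive actions, a scheduler interleaves them over a passive network and records the trace, and the initiator's postcondition is checked on that trace. ISO-Init is then obtained by the substitution the slide describes, DH-Init followed by CR-Init with (W, Z, w, x) := (X, Y, g^x, x). Assumptions of the example: signatures are symbolic tagged tuples that only the signer's own program constructs (the perfect-crypto assumption), messages are tuples laid out as (src, dst, ...), and the Diffie-Hellman group (p = 23, g = 5) is a toy chosen for readability, not for security.

```python
import secrets

P, G = 23, 5  # toy Diffie-Hellman group, constructed for the example; far too small for real use


def sig(signer, *payload):
    """Symbolic signature sig_signer{payload}: under the perfect-crypto
    assumption only the signer's own role program ever builds this term."""
    return ("sig", signer, payload)


def verify(signer, term, *payload):
    return term == ("sig", signer, payload)


# Cords: each role is a generator yielding ("send", msg) or ("receive",).
def cr_init(W, Z, w, x=None):
    """CR-Init(W, Z, w, x). Plain CR passes a fresh nonce as w; the DH
    composition substitutes g^x for w and supplies the exponent x."""
    yield ("send", (W, Z, w, W))                       # send W, Z, w, W
    Zr, Wr, z, s = yield ("receive",)                  # receive Z, W, z, sig_Z{w, z, W}
    if (Zr, Wr) != (Z, W) or not verify(Z, s, w, z, W):
        raise ValueError("CR-Init: message 2 rejected")
    yield ("send", (W, Z, sig(W, w, z, Z)))            # send W, Z, sig_W{w, z, Z}
    return (W, Z, pow(z, x, P) if x is not None else z)  # output W, Z, z^x


def cr_resp(B, n):
    """RespCR(B); n is the responder's fresh value (a nonce, or g^y under DH)."""
    Y, Br, y, Yr = yield ("receive",)                  # receive Y, B, y, Y
    if Br != B or Yr != Y:
        raise ValueError("RespCR: message 1 rejected")
    yield ("send", (B, Y, n, sig(B, y, n, Y)))         # send B, Y, n, sig_B{y, n, Y}
    Yr, Br, s = yield ("receive",)                     # receive Y, B, sig_Y{y, n, B}
    if (Yr, Br) != (Y, B) or not verify(Y, s, y, n, B):
        raise ValueError("RespCR: message 3 rejected")
    return (B, Y, y)


def iso_init(X, Y):
    """ISO-Init = DH-Init ; CR-Init with (W, Z, w, x) := (X, Y, g^x, x)."""
    x = secrets.randbelow(P - 2) + 1                   # DH-Init: new x; outputs X, Y, g^x, x
    return (yield from cr_init(X, Y, pow(G, x, P), x))


def run(roles):
    """Interleave the cords over a passive network (one inbox per principal).
    Returns the trace of send/receive actions and each role's output."""
    gens = dict(roles)
    pending = {name: next(g) for name, g in gens.items()}
    inbox = {name: [] for name in gens}
    trace, outputs = [], {}
    while pending:
        progressed = False
        for name in list(pending):
            action = pending[name]
            try:
                if action[0] == "send":
                    msg = action[1]
                    trace.append(("send", name, msg))
                    inbox[msg[1]].append(msg)          # msg[1] is the destination
                    pending[name] = next(gens[name])
                elif inbox[name]:
                    msg = inbox[name].pop(0)
                    trace.append(("receive", name, msg))
                    pending[name] = gens[name].send(msg)
                else:
                    continue                           # blocked on receive
            except StopIteration as done:
                outputs[name] = done.value
                del pending[name]
            progressed = True
        if not progressed:
            raise RuntimeError("deadlock: every remaining role is waiting")
    return trace, outputs


def actions_in_order(trace, actions):
    """ActionsInOrder(a1, ..., ak): every listed action occurs, in this order."""
    i = 0
    for event in trace:
        if i < len(actions) and event == actions[i]:
            i += 1
    return i == len(actions)


def cr_authentication_holds():
    """Run plain CR between A and B and check the initiator's postcondition."""
    m, n = "m", "n"                                    # symbolic fresh nonces
    trace, _ = run({"A": cr_init("A", "B", m), "B": cr_resp("B", n)})
    msg1 = ("A", "B", m, "A")
    msg2 = ("B", "A", n, sig("B", m, n, "A"))
    return actions_in_order(trace, [("send", "A", msg1), ("receive", "B", msg1),
                                    ("send", "B", msg2), ("receive", "A", msg2)])


def iso_agrees_on_key():
    """Run the composed ISO protocol; both sides must derive g^(xy)."""
    y = secrets.randbelow(P - 2) + 1                   # responder's DH exponent
    _, out = run({"A": iso_init("A", "B"), "B": cr_resp("B", pow(G, y, P))})
    return out["A"][2] == pow(out["B"][2], y, P)


if __name__ == "__main__":
    print("CR authentication property:", cr_authentication_holds())
    print("ISO key agreement:", iso_agrees_on_key())
```

The identity fields inside the signatures are what the verify calls check; a responder that signed sig_B{m, n, C} for a run with A would be rejected at message 2, which is the symbolic counterpart of the "honest agent's signature can be produced only by the agent" axiom.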

Compositional proofs

Γ  (invariant of DH):   DH |- Honest(X) ⊃ …
Γ’ (invariant of CR):   CR |- Honest(X) ⊃ …

Γ |- Secrecy                                   Γ’ |- Authentication
Γ ∪ Γ’ |- Secrecy                              Γ ∪ Γ’ |- Authentication
Γ ∪ Γ’ |- Secrecy ∧ Authentication             [additive]
DH ; CR |- Γ ∪ Γ’                              [nondestructive]
=
ISO |- Secrecy ∧ Authentication
Composition Rules

  • Invariant weakening rule

        Γ |- θ [ … ]P φ
        ---------------------
        Γ ∪ Γ’ |- θ [ … ]P φ

  • Sequential Composition

        Γ |- θ [ S ]P φ      Γ |- φ [ T ]P ψ
        --------------------------------------
        Γ |- θ [ S; T ]P ψ

  • Prove invariants from protocol

        Q |- Γ      Q’ |- Γ
        ---------------------
        Q ∘ Q’ |- Γ            (Q ∘ Q’ is the composition of Q and Q’)

Sequential, parallel, staged composition theorems [MFPS03,CCS05]

Composition: Big Picture
  • Q |- Inv(Q)
  • Inv(Q) |- φ
  • Qi |- Inv(Q)
  • No reasoning about attacker

[diagram: protocol Q inside a safe environment made of protocols Q1, Q2, Q3, …, Qn, each of which respects Inv(Q)]

  • Different from:
  • Assume-guarantee in distributed computing [MC81]
  • Universal Composability [C01, PW01]

Outline

Part I: Overview

Part II: Protocol Composition Logic

  • Compositional Reasoning
  • Complexity-theoretic foundations
Two worlds

Can we get the best of both worlds?

Our Approach

[diagram: two columns, "Talk so far…" and the new work]

Talk so far: Protocol Composition Logic (PCL)
  • Syntax
  • Proof System
  • Semantics in the symbolic “Dolev-Yao” model

Computational PCL
  • Syntax, with small changes
  • Proof System, with small changes
  • Semantics in the complexity-theoretic model

Leverage PCL success…
Main Result
  • Computational PCL
    • Symbolic logic for proving security properties of network protocols
  • Soundness Theorem:
    • If a property is provable in CPCL, then property holds in computational model with overwhelming asymptotic probability.
  • Benefits
    • Symbolic proofs about computational model
    • Computational reasoning in soundness proof (only!)
    • Different axioms rely on different crypto assumptions
PCL → Computational PCL
  • Syntax, proof rules mostly the same
    • But not sure about propositional connectives…
  • Significant difference
    • Symbolic “knowledge”
      • Has(X,t) : X can produce t from msgs that have been observed, by symbolic algorithm
    • Computational “knowledge”
      • Possess(X,t) : can produce t by ppt algorithm
      • Indistinguishable(X,t) : cannot distinguish t from random in ppt
    • More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.
Complexity-theoretic semantics
  • Q |= φ if ∀ adversary A ∀ distinguisher D ∃ negligible function f ∃ n0 ∀ n > n0 s.t.

        |[[φ]](T,D,f(n))| / |T| > 1 – f(n)          (the fraction represents a probability)

  • Fix protocol Q, PPT adversary A
  • Choose value of security parameter n
  • Vary random bits used by all programs
  • Obtain set T=T(Q,A,n) of equi-probable traces

[diagram: the trace set T(Q,A,n) with the subset [[φ]](T,D,f) marked inside it]
Inductive Semantics
  • [[φ1 ∧ φ2]] (T,D,ε) = [[φ1]] (T,D,ε) ∩ [[φ2]] (T,D,ε)
  • [[φ1 ∨ φ2]] (T,D,ε) = [[φ1]] (T,D,ε) ∪ [[φ2]] (T,D,ε)
  • [[¬φ]] (T,D,ε) = T − [[φ]] (T,D,ε)

Implication uses conditional probability

  • [[φ1 ⊃ φ2]] (T,D,ε) = [[¬φ1]] (T,D,ε) ∪ [[φ2]] (T’,D,ε), where T’ = [[φ1]] (T,D,ε)

Formula defines transformation on probability distributions over traces
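The conditional reading of implication only matters for predicates that are judged on a whole trace set rather than trace by trace, which is exactly the case for Indistinguishable. The following added example (not from the slides or the CPCL papers) implements the inductive semantics above over a finite trace set and compares the conditional reading of φ1 ⊃ φ2 with a classical one on a constructed sample. Assumptions of the example: a trace carries an honesty flag and a 4-bit key value u; a distinguisher D is a function on u whose advantage is measured against a uniform value; the "corrupted" traces, in which u has leaked and is fixed to 0, are constructed to make the two readings disagree.

```python
from collections import namedtuple
from fractions import Fraction

Trace = namedtuple("Trace", "id honest u")   # constructed trace: honesty flag and a key value u
VALUE_SPACE = 16                             # u ranges over 16 values, so uniform means 1/16 each


# Formulas as tagged tuples; 'atom' is a trace-local predicate, 'ind' is Indistinguishable(field)
def atom(pred): return ("atom", pred)
def ind(field): return ("ind", field)
def neg(f): return ("not", f)
def conj(f, g): return ("and", f, g)
def disj(f, g): return ("or", f, g)
def imp(f, g): return ("imp", f, g)


def advantage(traces, field, D):
    """Advantage of D at telling the field's values in the trace set from a
    uniform value; an empty set gives no advantage."""
    if not traces:
        return Fraction(0)
    p_real = Fraction(sum(D(getattr(t, field)) for t in traces), len(traces))
    p_rand = Fraction(sum(D(r) for r in range(VALUE_SPACE)), VALUE_SPACE)
    return abs(p_real - p_rand)


def sem(f, T, D, eps, conditional=True):
    """[[f]](T, D, eps): the subset of T on which f holds. Atoms are judged
    trace by trace; Indistinguishable is judged on the whole set, which is
    why the set chosen for the consequent of an implication matters."""
    T = frozenset(T)
    kind = f[0]
    if kind == "atom":
        return frozenset(t for t in T if f[1](t))
    if kind == "ind":
        return T if advantage(T, f[1], D) <= eps else frozenset()
    if kind == "not":
        return T - sem(f[1], T, D, eps, conditional)
    if kind == "and":
        return sem(f[1], T, D, eps, conditional) & sem(f[2], T, D, eps, conditional)
    if kind == "or":
        return sem(f[1], T, D, eps, conditional) | sem(f[2], T, D, eps, conditional)
    if kind == "imp":
        T1 = sem(f[1], T, D, eps, conditional)
        # conditional reading: [[not f1]](T) together with [[f2]](T') for T' = [[f1]](T);
        # the classical reading evaluates f2 on all of T instead
        return (T - T1) | sem(f[2], T1 if conditional else T, D, eps, conditional)
    raise ValueError("unknown formula kind %r" % kind)


def valid(f, T, D, eps, conditional=True):
    """Q |= f: the traces satisfying f have probability > 1 - eps."""
    return Fraction(len(sem(f, T, D, eps, conditional)), len(T)) > 1 - eps


def constructed_traces():
    """Constructed sample: honest sessions draw u uniformly; in the four
    corrupted sessions the key has leaked and u is fixed to 0."""
    honest = [Trace(i, True, i) for i in range(VALUE_SPACE)]
    corrupt = [Trace(VALUE_SPACE + j, False, 0) for j in range(4)]
    return tuple(honest + corrupt)


def d_zero(v):
    """Distinguisher that bets 'not random' whenever it sees the leaked value 0."""
    return 1 if v == 0 else 0


HONEST_IMPLIES_SECRET = imp(atom(lambda t: t.honest), ind("u"))


def compare_readings():
    """Validity of Honest ⊃ Indistinguishable(u) under the conditional and
    the classical reading of implication on the constructed trace set."""
    T, eps = constructed_traces(), Fraction(1, 20)
    return (valid(HONEST_IMPLIES_SECRET, T, d_zero, eps, conditional=True),
            valid(HONEST_IMPLIES_SECRET, T, d_zero, eps, conditional=False))


if __name__ == "__main__":
    print("conditional, classical:", compare_readings())
```

On the whole set the distinguisher sees u = 0 with probability 5/20 against 1/16 for a uniform value, so the classical reading declares Indistinguishable(u) false on every trace and the implication holds only on the four corrupted traces. Conditioning on the honest traces first removes the leaked sessions, the advantage drops to zero, and the implication is valid; that is the sense in which the slide says the formula transforms the distribution over traces.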

Soundness of proof system
  • Example axiom
    • Source(Y,u,{m}X) ∧ Decrypts(X, {m}X) ∧ Honest(X,Y) ∧ (Z ≠ X,Y) ⊃ Indistinguishable(Z, u)
  • Proof idea: crypto-style reduction
    • Assume axiom not valid:

        ∃ A ∃ D ∀ negligible f ∀ n0 ∃ n > n0 s.t.   |[[φ]](T,D,f)| / |T| < 1 – f(n)

    • Construct attacker A’ that uses A, D to break IND-CCA2 secure encryption scheme
    • Conditional implication essential
Logic and Cryptography: Big Picture

Protocol security proofs using proof system

Axiom in proof system

Semantics and soundness theorem

Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)

Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)

Current Work
  • Investigate nature of logic
    • Propositional fragment not classical
    • ⊃ represents conditional probability
      • complexity-theoretic reductions
      • connections with probabilistic logics (e.g. Nilsson86, Fagin-Halpern90)
  • Generalize reasoning about secrecy
    • Probability close to ½ instead of 1
    • Not a trace property
  • Cover more cryptographic protocols
    • More primitives: signature, hash functions, …
    • And protocols: secure key exchange, …
  • Information-theoretic and concrete security semantics
    • Only probability; no complexity
    • Concrete security reductions
Summary
  • PCL – A logic for security protocols:
    • Divide-and-conquer paradigm in security
    • Combining logic and cryptography
  • Applications:
    • IEEE 802.11i
    • GDOI Secure Group Communication protocol [RFC 3547; 2003]
    • IKEv2 [IETF Internet Draft; 2004]
    • TLS [RFC 2246; 1999]
    • Kerberos V5 [IETF Internet Draft; 2004]
    • Mobile IPv6 [RFC 3775; 2004]
Protocol analysis spectrum

[figure repeated from Part I: methods plotted by strength of attacker model against protocol complexity, with computational protocol logic approaching the "Holy Grail" corner]

Ongoing Work
  • Extend and refine PCL
    • Programming language, syntax, proof system
    • More properties: beyond authentication, secrecy – abuse-freeness, fairness, knowledge-based specification
  • Tool implementation
    • Encode logic into generic theorem-prover
    • Preliminary implementation in Isabelle
    • Investigate decidability of PCL
  • Unified theory for different models
    • Vary computational abilities of attacker – symbolic, poly-time, information-theoretic
    • Vary adversary’s control over network – complete vs. partial (e.g., in Mobile IPv6)
  • Protocol Derivation
    • Incremental protocol construction – replace Clark-Jacob survey
Other Projects
  • Specification of Security
    • Unifying simulation-based definitions – universal composability, black-box simulatability, strong simulatability[DKMRS04,DKMR05]
    • Comparing game-based definitions with simulation-based definitions – impossibility theorem[DDMRS05]
    • Open problem: compositional security definition
  • Foundations of Privacy
    • Contextual Integrity [Nissenbaum04]
    • Formal theory: Kripke models, temporal logic
    • Application to HIPAA, GLBA, COPPA, …
    • Relation to RBAC, P3P, EPAL, DRM, statistical databases,… [WIP - BDMN05]
Credits/Selected Publications
  • A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue]
  • A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic [ICALP05]
  • C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i [CCS05, ACM TISSEC special issue]

Project web page: www.stanford.edu/~danupam/logic-derivation.html

Chosen ciphertext CCA2

[diagram: the game between Challenger and Attacker]
  1. Attacker sends ciphertexts c; Challenger answers with D(c)
  2. Attacker sends m0, m1; Challenger answers with E(mi) for a secret choice of i
  3. Attacker sends ciphertexts c ≠ E(mi); Challenger answers with D(c)
  4. Attacker guesses 0 or 1
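The game above is what the soundness proof reduces to, and the restriction c ≠ E(mi) in the second query phase is the whole point: a scheme that is secure against passive or chosen-plaintext attackers but malleable loses the game with a single decryption query. The following is an added example, not code from the slides; the scheme, an HMAC-SHA256 keystream XORed with the message, is an assumption chosen because it is CPA-secure under the usual PRF assumption yet malleable, so it makes the attack concrete. Key and nonce sizes are likewise assumptions of the example.

```python
import hashlib
import hmac
import secrets


class Challenger:
    """IND-CCA2 challenger for a malleable stream cipher (constructed for the
    example): E(m) = nonce || (PRF(key, nonce) XOR m), with HMAC-SHA256 as the PRF."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.challenge_ct = None
        self.bit = None

    def _keystream(self, nonce, n):
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self.key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def encrypt(self, m):
        nonce = secrets.token_bytes(16)
        return nonce + bytes(a ^ b for a, b in zip(m, self._keystream(nonce, len(m))))

    def decrypt_query(self, c):
        """Decryption oracle, available before and after the challenge; the
        only ciphertext it refuses is the challenge itself (c != E(m_i))."""
        if c == self.challenge_ct:
            raise ValueError("decryption of the challenge ciphertext is not allowed")
        nonce, body = c[:16], c[16:]
        return bytes(a ^ b for a, b in zip(body, self._keystream(nonce, len(body))))

    def challenge(self, m0, m1):
        """Pick i at random and return E(m_i); one challenge per game."""
        if len(m0) != len(m1) or self.challenge_ct is not None:
            raise ValueError("one challenge on equal-length messages")
        self.bit = secrets.randbits(1)
        self.challenge_ct = self.encrypt((m0, m1)[self.bit])
        return self.challenge_ct


def malleability_attacker(ch):
    """Flip one bit of E(m_i), ask the oracle to decrypt the modified
    ciphertext (allowed, since it differs from the challenge), undo the flip
    on the plaintext and compare with m0 and m1."""
    m0, m1 = b"attack at dawn", b"attack at dusk"       # constructed challenge messages
    c_star = ch.challenge(m0, m1)
    c_prime = c_star[:-1] + bytes([c_star[-1] ^ 0x01])
    p = ch.decrypt_query(c_prime)
    recovered = p[:-1] + bytes([p[-1] ^ 0x01])
    return 0 if recovered == m0 else 1


def run_game(attacker, trials=100):
    """Fraction of games in which the attacker's guess equals the hidden bit;
    a secure scheme would hold this near 0.5."""
    wins = 0
    for _ in range(trials):
        ch = Challenger()
        wins += attacker(ch) == ch.bit
    return wins / trials


def challenge_query_is_refused():
    """The oracle rejects the challenge ciphertext itself, as the game requires."""
    ch = Challenger()
    c_star = ch.challenge(b"aa", b"bb")
    try:
        ch.decrypt_query(c_star)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("attacker win rate:", run_game(malleability_attacker))
```

The attacker never touches the key; it only exploits that a ciphertext one bit away from the challenge decrypts to a plaintext one bit away from m_i. An IND-CCA2 scheme (Cramer-Shoup on the next slide, or any authenticated-encryption construction) must make every such modified ciphertext decrypt to garbage or be rejected.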

Computational Soundness
  • Simulation framework
    • Backes, Pfitzmann, Waidner
  • Correspondence theorems
    • Micciancio, Warinschi
  • Kapron-Impagliazzo logics
  • Abadi-Rogaway passive equivalence

    ( (K2, {01}K3), {({101}K2, K5)}K2, {{K6}K4}K5 )
  ≈ ( (K2, □), {({101}K2, K5)}K2, {□}K5 )              pattern: ciphertexts under unrecoverable keys become □
  ≈ ( (K1, □), {({101}K1, K5)}K1, {□}K5 )              rename keys
  ≈ ( (K1, {K1}K7), {({101}K1, K5)}K1, {{K6}K7}K5 )

Proposed as start of larger plan for computational soundness

[Abadi-Rogaway00, …, Adao-Bana-Scedrov05]
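The Abadi-Rogaway chain above is a purely symbolic computation: find the keys an eavesdropper can recover, replace every ciphertext under an unrecoverable key by □, and compare the results up to renaming of keys. The following is an added example, not code from the slides or from the Abadi-Rogaway paper, that carries it out on the two expressions shown. The expression encoding (tagged tuples for keys, bit strings, n-ary pairs and ciphertexts) is an assumption of the example; the pattern function follows the original definition in which an undecryptable ciphertext becomes a bare box.

```python
def K(name): return ("key", name)
def bits(s): return ("bits", s)
def pair(*parts): return ("pair",) + parts
def enc(k, m): return ("enc", k, m)
BOX = ("box",)


def _visible_keys(e, keys):
    """Keys that appear in the clear in e, looking inside ciphertexts whose key is already in keys."""
    tag = e[0]
    if tag == "key":
        yield e
    elif tag == "pair":
        for part in e[1:]:
            yield from _visible_keys(part, keys)
    elif tag == "enc" and e[1] in keys:
        yield from _visible_keys(e[2], keys)


def recoverable_keys(e):
    """Fixpoint: keys sent in the clear, plus keys found inside ciphertexts
    those keys open (decrypting {({101}K2, K5)}K2 with K2 reveals K5), and so on."""
    keys = set()
    while True:
        found = set(_visible_keys(e, keys))
        if found <= keys:
            return keys
        keys |= found


def pattern(e, keys=None):
    """Abadi-Rogaway pattern: keep everything the eavesdropper can see;
    replace a ciphertext under an unrecoverable key by BOX."""
    if keys is None:
        keys = recoverable_keys(e)
    tag = e[0]
    if tag == "pair":
        return ("pair",) + tuple(pattern(part, keys) for part in e[1:])
    if tag == "enc":
        return enc(e[1], pattern(e[2], keys)) if e[1] in keys else BOX
    return e


def canonical(p, names=None):
    """Rename keys in order of first occurrence so that patterns equal up to
    key renaming compare equal as values."""
    if names is None:
        names = {}
    tag = p[0]
    if tag == "key":
        return ("key", names.setdefault(p, "k%d" % (len(names) + 1)))
    if tag == "pair":
        return ("pair",) + tuple(canonical(q, names) for q in p[1:])
    if tag == "enc":
        return ("enc", canonical(p[1], names), canonical(p[2], names))
    return p


def equivalent(e1, e2):
    """Passive equivalence in the symbolic sense: same pattern up to renaming."""
    return canonical(pattern(e1)) == canonical(pattern(e2))


def slide_expressions():
    """The two expressions from the slide, encoded as constructed values."""
    e1 = pair(pair(K("K2"), enc(K("K3"), bits("01"))),
              enc(K("K2"), pair(enc(K("K2"), bits("101")), K("K5"))),
              enc(K("K5"), enc(K("K4"), K("K6"))))
    e2 = pair(pair(K("K1"), enc(K("K7"), K("K1"))),
              enc(K("K1"), pair(enc(K("K1"), bits("101")), K("K5"))),
              enc(K("K5"), enc(K("K7"), K("K6"))))
    return e1, e2


def leaky_variant():
    """A variant of the first expression (constructed) whose innermost ciphertext
    is under the recoverable key K5, so K6 leaks and the pattern changes."""
    e1, _ = slide_expressions()
    return pair(e1[1], e1[2], enc(K("K5"), enc(K("K5"), K("K6"))))


if __name__ == "__main__":
    e1, e2 = slide_expressions()
    print(sorted(k[1] for k in recoverable_keys(e1)), pattern(e1))
    print("equivalent:", equivalent(e1, e2), "leaky variant:", equivalent(e1, leaky_variant()))
```

The soundness result of Abadi and Rogaway is that expressions with the same pattern (up to renaming, and absent key cycles) are computationally indistinguishable under a suitable symmetric encryption scheme; the code only computes the symbolic side of that statement.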

Symbolic methods → comp’l results
  • Pereira and Quisquater, CSFW 2001, 2004
    • Studied authenticated group Diffie-Hellman protocols
    • Found symbolic attack in Cliques SA-GDH.2 protocol
    • Proved no protocol of certain type is secure, for >3 participants
  • Micciancio and Panjwani, EUROCRYPT 2004
    • Lower bound for class of group key establishment protocols using purely Dolev-Yao reasoning
      • Model pseudo-random generators, encryption symbolically
    • Lower bound is tight; matches a known protocol
Classifying Attacks
  • Implementation bugs
    • Buffer overflow, format string vulnerabilities
  • Cryptography breaks
    • IEEE 802.11b (WEP encryption)
  • Protocol flaws
    • Needham-Schroeder, IKE, IEEE 802.11i
  • Focus on protocol flaws assuming “strong crypto”
  • Complexity-theoretic characterization of “strong crypto”