
### Security Analysis of Network Protocols

Anupam Datta

Stanford University

CIS Seminar, MIT

November 18, 2005

Outline

Part I: Overview

- Motivation
- Central problems
- Divide and Conquer paradigm
- Combining logic and cryptography
- Results

Part II: Protocol Composition Logic

- Compositional Reasoning
- Complexity-theoretic foundations

This talk is about…

- Network security protocols
- Internet Engineering Task Force (IETF) Standards
- SSL/TLS - web authentication
- IPSec - corporate VPNs
- Mobile IPv6 – routing security
- Kerberos - network authentication
- GDOI – secure group communication
- IEEE Standards Working Group
- 802.11i - wireless LAN security
- 802.16e – wireless MAN security
- And methods for their security analysis
- Security proof in some model; or
- Identify attacks

Characteristics of protocols

- Relatively simple distributed programs
- 5-7 steps, 3-10 fields per message (per component)
- Mission critical
- Security of data, credit card numbers, …
- Subtle
- Concurrency: attack may combine data from many sessions
- Computation: modeling cryptographic primitives

Good domain for logical methods

- Active research area since early 80’s

[Diagram: our tool, Protocol Composition Logic (PCL), applied to an authentication protocol. Attacker model: complete control over network; perfect crypto. Outcome: 42 line axiomatic proof.]

Security Analysis Methodology

[Diagram: Protocol, Property and Attacker model feed an Analysis Tool, which yields a security proof or an attack.]

Protocol analysis methods

- Cryptographic reductions
- Bellare-Rogaway, Shoup, many others
- UC [Canetti et al], Simulatability [BPW]
- Prob poly-time process calculus [LMRST…]
- Symbolic methods
- Model checking
- FDR [Lowe, Roscoe, …], Murphi [Mitchell, Shmatikov, …], …
- NRL protocol analyzer [Meadows], Athena [Song], …
- Theorem proving
- Isabelle [Paulson …], Specialized logics [BAN, …, PCL]

Examples of protocol flaws

- IKE [Meadows; 1999]
- Reflection attack; fix adopted by IETF WG
- IEEE 802.11i [He, Mitchell; 2004]
- DoS attack; fix adopted by IEEE WG
- GDOI [Meadows, Pavlovic; 2004]
- Composition attack; fix adopted by IETF WG
- Kerberos V5 [Scedrov et al; 2005]
- Identity misbinding attack; fix adopted by IETF WG

IEEE 802.11i wireless security [2004]

[Diagram: message flow between Wireless Device, Access Point and Authentication Server, in phases: 802.11 Association; EAP/802.1X/RADIUS Authentication; 4-way handshake; Group key handshake; Data communication. Uses crypto: encryption, hash, … Callouts: Divide-and-conquer paradigm; Combining logic and cryptography.]

Divide-and-Conquer paradigm

- Result: Protocol Derivation System [DDMP03-05]
- Incremental protocol construction
- Result: Protocol Composition Logic (PCL) [DDDMP01-05]
- Compositional correctness proofs
- Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], [Pfitzmann-Waidner01], …

Central Problem 1: Composition is a hard problem in security

Combining logic and cryptography

- Symbolic model [NS78, DY84]
  - (−) Perfect cryptography assumption
  - (+) Idealization ⇒ tools and techniques
- Complexity-theoretic model [GM84]
  - (+) More detailed model; probabilistic guarantees
  - (−) Hand-proofs very hard; no automation
- Result: Computational PCL [DDMST05]
  - (+) Logical proof methods
  - (+) Complexity-theoretic crypto model
- Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]

Central Problem 2

Applied to industrial protocols

- IEEE 802.11i [IEEE Standards; 2004] [He et al]
- TLS/SSL [RFC 2246] is a component
- IKE/JFK family
- IKEv2 [IETF ID;2004] in progress [Aron et al]
- Mobile IPv6 [RFC 3775] in progress[Roy et al]
- Kerberos V5 [IETF ID; 2004] [Cervasato et al]
- GDOI Secure Group Communication protocol [RFC 3547] [Meadows et al]

Protocol analysis spectrum

[Diagram: methods plotted by strength of attacker model (low to high) against protocol complexity (low to high). Shown: hand proofs; computational protocol logic (labelled “Holy Grail”); poly-time calculus; multiset rewriting; protocol logic; spi-calculus; Athena; Paulson; NRL; BAN logic; model checking (FDR, Murφ). Callouts: “Combining logic and cryptography” and “Divide and conquer”.]

Outline

Part I: Overview

Part II: Protocol Composition Logic

- Compositional Reasoning
- Complexity-theoretic foundations

Challenge-Response: Proof Idea

A → B: m, A
B → A: n, sigB{m, n, A}
A → B: sigA{m, n, B}

- Alice reasons: if Bob is honest, then:
- only Bob can generate his signature. [protocol independent]
- if Bob generates a signature of the form sigB{m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice. [protocol specific]
- Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)

Reasoning method

- Reason about local information
- I know my own actions
- Incorporate knowledge of protocol
- Honest people faithfully follow protocol
- No explicit reasoning about intruder
- Absence of bad action expressed as a positive property of good actions
- E.g., honest agent’s signature can be produced only by the agent

Distinguishes our method from existing techniques

- Cord calculus
- Protocol programming language
- Execution model (Symbolic/“Dolev-Yao”)
- Protocol logic
- Expressing protocol properties
- Proof system
- Proving protocol properties
- Soundness theorem

A → B: m, A
B → A: n, sigB{m, n, A}
A → B: sigA{m, n, B}

```
RespCR(B) = [
  receive Y, B, y, Y;
  new n;
  send B, Y, n, sigB{y, n, Y};
  receive Y, B, sigY{y, n, B};
]

InitCR(A, X) = [
  new m;
  send A, X, m, A;
  receive X, A, x, sigX{m, x, A};
  send A, X, sigA{m, x, X};
]
```

Execution model

- Protocol
- “Program” for each protocol role
- Initial configuration
- Set of principals and keys
- Assignment of 1 role to each principal
- Run

Position in run

[Diagram: a run as an interleaving of local traces. A: new x; send {x}B. B: receive {x}B; receive {z}B. C: new z; send {z}B. A position in the run is a point in this interleaving.]

Attacker capabilities

- Controls complete network
- Can read, remove, inject messages
- Fixed set of operations on terms
- Pairing
- Projection
- Encryption with known key
- Decryption with known key
- …

Formulas true at a position in run

- Action formulas: a ::= Send(P,m) | Receive(P,m) | New(P,t) | Decrypt(P,t) | Verify(P,t)
- Formulas: φ ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | ¬φ | φ1 ∧ φ2 | ∃x.φ | ◇φ | ⊖φ
- Example: After(a,b) = ◇(b ∧ ⊖◇a)
- Modal form: [ actions ]P φ
- precondition: Fresh(A,m)
- actions: [ Initiator role actions ]A
- postcondition: Honest(B) ⊃ ActionsInOrder( send(A, {A,B,m}), receive(B, {A,B,m}), send(B, {B,A,{n, sigB{m, n, A}}}), receive(A, {B,A,{n, sigB{m, n, A}}}) )

Secure if desired property holds in all runs

- Sample axioms:
- Reasoning about possession:
- [receive m]A Has(A,m)
- Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
- Reasoning about crypto primitives:
- Honest(X) ∧ Decrypt(Y, encX{m}) ⊃ X = Y
- Honest(X) ∧ Verify(Y, sigX{m}) ⊃ ∃m′. (Send(X, m′) ∧ Contains(m′, sigX{m}))
- Soundness Theorem: every provable formula is valid
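The attacker's fixed set of term operations and the possession and signature axioms above, as an added example that is not part of the talk: a small Python model of symbolic derivability (the Has relation) over a constructed wire view of one challenge-response run. The term encoding, the attacker key skE and the function names are assumptions.

```python
# Added example (not from the talk).  A tiny symbolic (Dolev-Yao) term model:
# a term is a string (name, nonce, key) or a tuple
#   ("pair", t1, t2, ...)   ("enc", k, body)   ("sig", sk, body)
# analz() closes observed terms under projection, decryption with a known key
# and reading a signed body; synth() pairs, encrypts or signs with held keys.
# derivable() is the symbolic "Has": it can replay B's signature, not forge one.

def analz(known):
    """Close the set `known` under the attacker's decomposition operations."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            parts = ()
            if t[0] == "pair":
                parts = t[1:]                       # projection
            elif t[0] == "enc" and t[1] in known:
                parts = (t[2],)                     # decrypt with known key
            elif t[0] == "sig":
                parts = (t[2],)                     # signatures do not hide the body
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return known

def synth(goal, known):
    """Can `goal` be built from `known` by pairing, encrypting or signing?"""
    if goal in known:
        return True
    if isinstance(goal, tuple) and goal[0] == "pair":
        return all(synth(p, known) for p in goal[1:])
    if isinstance(goal, tuple) and goal[0] in ("enc", "sig"):
        return synth(goal[1], known) and synth(goal[2], known)  # key and body
    return False

def derivable(observed, goal):
    return synth(goal, analz(observed))

# Constructed wire view of one challenge-response run between A and B, plus
# the attacker E's own private key and the public keys.
MSG1 = ("pair", "m", "A")
SIG_B = ("sig", "skB", ("pair", "m", "n", "A"))
MSG2 = ("pair", "n", SIG_B)
MSG3 = ("sig", "skA", ("pair", "m", "n", "B"))
OBSERVED = {MSG1, MSG2, MSG3, "skE", "pkA", "pkB"}
```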

Outline

Part I: Overview

Part II: Protocol Composition Logic

- Compositional Reasoning
- Complexity-theoretic foundations

- Non-destructive Combination:
- Ensure combined parts do not interfere
- In logic: invariance assertions
- Additive Combination:
- Accumulate security properties of combined parts, assuming they do not interfere
- In logic: before-after assertions

- Protocol independent reasoning
- Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
- Still good: unaffected by composition
- Protocol specific reasoning
- “if honest Bob generates a signature of the form sigB{m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice”
- Could break: Bob’s signature from one protocol could be used to attack another

- Technically:
- Protocol-specific proof steps use invariants
- Invariants must be preserved for safe composition

- Reasoning about honest principals
- Invariance rule, called “honesty rule”
- Preservation of invariants under composition
- If we prove Honest(X) for protocol 1 and compose with protocol 2, is formula still true?

Honesty Rule (Induction)

- Definition: a protocol step begins with receive, ends before next receive
- Rule:

```
[ ]X φ     ∀B ∈ ProtocolSteps(Q). [B]X φ
─────────────────────────────────────────
Q ⊢ Honest(X) ⊃ φ
```

- Example: CR ⊢ Honest(X) ⊃ (Sent(X, m2) ⊃ Received(X, m1))
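The honesty-rule induction, as an added example (not from the talk): role programs are encoded as labelled action lists, split into protocol steps at each receive, and the invariant Sent(X, m2) ⊃ Received(X, m1) is checked at every step boundary; a responder that sends msg2 before seeing msg1 shows where the induction fails. The message labels, the encoding and the function names are assumptions.

```python
# Added example (not from the talk).  Roles are action lists modelled on the
# cord calculus programs; messages carry a label (msg1, msg2, msg3) so that an
# invariant can refer to "a message of the form msg2".  Honesty rule: a step
# starts with a receive and ends before the next one; the invariant must hold
# at every step boundary of every role ([ ]X phi and [B]X phi for each step B).

def protocol_steps(role):
    """Split a role's action list into protocol steps (basic sequences)."""
    steps, current = [], []
    for act in role:
        if act[0] == "receive" and current:
            steps.append(current)
            current = []
        current.append(act)
    return steps + [current] if current else steps

def sent_m2_implies_received_m1(history):
    """Invariant Sent(X, msg2) implies Received(X, msg1) over X's own actions."""
    received_m1 = False
    for kind, payload in history:
        if kind == "receive" and payload[0] == "msg1":
            received_m1 = True
        if kind == "send" and payload[0] == "msg2" and not received_m1:
            return False
    return True

def honesty_rule(protocol, invariant):
    """Q |- Honest(X) implies invariant: holds after every prefix of steps."""
    for role in protocol.values():
        history = []
        if not invariant(history):           # [ ]X phi
            return False
        for step in protocol_steps(role):    # [B]X phi for each step B
            history = history + step
            if not invariant(history):
                return False
    return True

# Constructed encoding of the InitCR and RespCR roles shown above.
CR = {
    "InitCR": [("new", "m"), ("send", ("msg1", "m", "A")),
               ("receive", ("msg2", "x", "sigX{m,x,A}")), ("send", ("msg3", "sigA{m,x,X}"))],
    "RespCR": [("receive", ("msg1", "y", "Y")), ("new", "n"),
               ("send", ("msg2", "n", "sigB{y,n,Y}")),
               ("receive", ("msg3", "sigY{y,n,B}"))],
}
# A broken responder that signs and sends msg2 before it has seen msg1.
BAD_CR = dict(CR, RespCR=[("new", "n"), ("send", ("msg2", "n", "sigB{y,n,Y}")),
                          ("receive", ("msg1", "y", "Y"))])
```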

Composition of protocols

```
DH-Init(X, Y) = [
  new x;
]                                   output: X, Y, g^x, x

CR-Init(W, Z, w, x) = [
  send W, Z, w, A;
  receive Z, W, z, sigY{w, z, W};
  send W, Z, sigX{w, z, Z};
]                                   output: X, Y, z^x

ISO-Init(X, Y) = [
  new x;
  send X, Y, g^x, A;
  receive Y, X, z, sigY{g^x, z, X};
  send X, Y, sigX{g^x, z, Y};
]                                   output: X, Y, z^x
```

Sequential composition with term substitution: ISO-Init is DH-Init followed by CR-Init with w replaced by g^x.

- Γ_DH: Honest(X) ⊃ …
- Γ_CR: Honest(X) ⊃ …
- Γ ⊢ Secrecy (DH); Γ′ ⊢ Authentication (CR)
- After weakening to Γ′: Γ′ ⊢ Secrecy and Γ′ ⊢ Authentication, so Γ′ ⊢ Secrecy ∧ Authentication [additive]
- DH;CR′ [nondestructive] = ISO: Secrecy ∧ Authentication

- Invariant weakening rule

```
Γ ⊢ […]P φ
───────────
Γ′ ⊢ […]P φ
```

- Sequential Composition

```
Γ ⊢ [S]P φ     Γ ⊢ [T]P φ
──────────────────────────
Γ ⊢ [ST]P φ
```

- Prove invariants from protocol: from Q ⊢ Γ and Q′ ⊢ Γ conclude that the composition of Q and Q′ satisfies Γ

Sequential, parallel, staged composition theorems [MFPS03,CCS05]

Composition: Big Picture

- Q ⊢ Inv(Q)
- Inv(Q) ⊢ φ
- Qi ⊢ Inv(Q)
- No reasoning about attacker

[Diagram: protocol Q inside a “safe environment for Q” made up of protocols Q1, Q2, Q3, …, Qn.]

- Different from:
- Assume-guarantee in distributed computing [MC81]
- Universal Composability [C01, PW01]

Outline

Part I: Overview

Part II: Protocol Composition Logic

- Compositional Reasoning
- Complexity-theoretic foundations

Can we get the best of both worlds?

Our Approach

- Protocol Composition Logic (PCL): Syntax, Proof System; Semantics in the symbolic “Dolev-Yao” model
- Computational PCL: Syntax ±, Proof System ±; Semantics in the complexity-theoretic model

[Diagram callouts: “Leverage PCL success…” on the PCL side, “Talk so far…” on the symbolic side.]

Talk so far…

Main Result

- Computational PCL
- Symbolic logic for proving security properties of network protocols
- Soundness Theorem:
- If a property is provable in CPCL, then property holds in computational model with overwhelming asymptotic probability.
- Benefits
- Symbolic proofs about computational model
- Computational reasoning in soundness proof (only!)
- Different axioms rely on different crypto assumptions

PCL vs. Computational PCL

- Syntax, proof rules mostly the same
- But not sure about propositional connectives…
- Significant difference
- Symbolic “knowledge”
- Has(X,t): X can produce t from msgs that have been observed, by symbolic algorithm
- Computational “knowledge”
- Possess(X,t): X can produce t by ppt algorithm
- Indistinguishable(X,t): X cannot distinguish t from random in ppt
- More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.

Complexity-theoretic semantics

- Q |= φ if ∀ adversary A, ∀ distinguisher D, ∃ negligible function f, ∃ n0, ∀ n > n0: |[[φ]](T,D,f(n))| / |T| > 1 − f(n)
- The fraction represents a probability
- Fix protocol Q, PPT adversary A
- Choose value of security parameter n
- Vary random bits used by all programs
- Obtain set T = T(Q,A,n) of equi-probable traces

[Diagram: the trace set T(Q,A,n) and its subset [[φ]](T,D,f) of traces on which φ holds.]

Inductive Semantics

- [[φ1 ∧ φ2]](T,D,ε) = [[φ1]](T,D,ε) ∩ [[φ2]](T,D,ε)
- [[φ1 ∨ φ2]](T,D,ε) = [[φ1]](T,D,ε) ∪ [[φ2]](T,D,ε)
- [[¬φ]](T,D,ε) = T − [[φ]](T,D,ε)

Implication uses conditional probability

- [[φ1 ⊃ φ2]](T,D,ε) = [[¬φ1]](T,D,ε) ∪ [[φ2]](T′,D,ε), where T′ = [[φ1]](T,D,ε)

Formula defines transformation on probability distributions over traces
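The inductive semantics and the conditional reading of implication, as an added example (not from the talk): formulas are evaluated to subsets of a constructed trace set with a constructed distinguisher D and a simplified all-or-nothing Indistinguishable atom, and the claim "key leaked ⊃ u distinguishable" is checked under both the conditional and the classical reading. The trace fields, D and the threshold eps are assumptions.

```python
# Added example (not from the talk): the inductive semantics above on a
# constructed trace set.  A formula denotes the subset of T where it holds;
# implication evaluates its consequent on T' = [[phi1]](T).  "indist" stands
# for Indistinguishable(., u): all-or-nothing on a trace set, true when the
# distinguisher D guesses the secret bit u with advantage at most eps there.
from fractions import Fraction

def ids(T):
    return {t["id"] for t in T}

def sem(phi, T, D, eps):
    """Return the set of ids of traces in T on which formula phi holds."""
    kind = phi[0]
    if kind == "atom":                       # trace property, e.g. ("atom", "leaked")
        return {t["id"] for t in T if t[phi[1]]}
    if kind == "indist":                     # all-or-nothing over the distribution T
        correct = sum(1 for t in T if D(t) == t["u"])
        adv = abs(Fraction(correct, len(T)) - Fraction(1, 2)) if T else 0
        return ids(T) if adv <= eps else set()
    if kind == "not":
        return ids(T) - sem(phi[1], T, D, eps)
    if kind == "and":
        return sem(phi[1], T, D, eps) & sem(phi[2], T, D, eps)
    if kind == "or":
        return sem(phi[1], T, D, eps) | sem(phi[2], T, D, eps)
    if kind == "imp":                        # [[not phi1]](T) union [[phi2]](T')
        holds1 = sem(phi[1], T, D, eps)
        T_prime = [t for t in T if t["id"] in holds1]
        return (ids(T) - holds1) | sem(phi[2], T_prime, D, eps)
    raise ValueError(kind)

def valid(phi, T, D, eps):
    """Q |= phi on this trace set: the good fraction must exceed 1 - eps."""
    return Fraction(len(sem(phi, T, D, eps)), len(T)) > 1 - eps

# Constructed trace set: 100 equiprobable traces, the key leaks in 10 of them,
# and the secret bit u alternates between traces.
TRACES = [{"id": i, "leaked": i < 10, "u": i % 2} for i in range(100)]
EPS = Fraction(1, 10)

def D(t):
    """Constructed distinguisher: reads u when the key leaked, else guesses 0."""
    return t["u"] if t["leaked"] else 0

# "If the key leaked, u is distinguishable".  The conditional implication
# evaluates indist only on the leaked traces (D's advantage 1/2) and is valid;
# the classical reading evaluates indist on all of T (advantage 1/20) and fails.
CONDITIONAL = ("imp", ("atom", "leaked"), ("not", ("indist",)))
CLASSICAL = ("or", ("not", ("atom", "leaked")), ("not", ("indist",)))
```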

Soundness of proof system

- Example axiom: Source(Y,u,{m}X) ∧ Decrypts(X, {m}X) ∧ Honest(X,Y) ∧ (Z ≠ X,Y) ⊃ Indistinguishable(Z, u)
- Proof idea: crypto-style reduction
- Assume axiom not valid: ∃A ∃D ∀ negligible f ∀n0 ∃n > n0 s.t. |[[φ]](T,D,f)| / |T| < 1 − f(n)
- Construct attacker A′ that uses A, D to break IND-CCA2 secure encryption scheme
- Conditional implication essential

Logic and Cryptography: Big Picture

Protocol security proofs using proof system

Axiom in proof system

Semantics and soundness theorem

Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)

Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)

Current Work

- Investigate nature of logic
- Propositional fragment not classical
- ⊃ represents conditional probability
- complexity-theoretic reductions
- connections with probabilistic logics (e.g. Nilsson86, Fagin-Halpern90)
- Generalize reasoning about secrecy
- Probability close to ½ instead of 1
- Not a trace property
- Cover more cryptographic protocols
- More primitives: signature, hash functions, …
- And protocols: secure key exchange, …
- Information-theoretic and concrete security semantics
- Only probability; no complexity
- Concrete security reductions

Summary

- PCL – A logic for security protocols:
- Divide-and-conquer paradigm in security
- Combining logic and cryptography
- Applications:
- IEEE 802.11i
- GDOI Secure Group Communication protocol [RFC 3547; 2003]
- IKEv2 [IETF Internet Draft; 2004]
- TLS [RFC 2246; 1999]
- Kerberos V5 [IETF Internet Draft; 2004]
- Mobile IPv6 [RFC 3775; 2004]

Protocol analysis spectrum

[Diagram repeated from Part I: methods plotted by strength of attacker model against protocol complexity, with computational protocol logic as the “Holy Grail”.]

Ongoing Work

- Extend and refine PCL
- Programming language, syntax, proof system
- More properties: beyond authentication, secrecy – abuse-freeness, fairness, knowledge-based specification
- Tool implementation
- Encode logic into generic theorem-prover
- Preliminary implementation in Isabelle
- Investigate decidability of PCL
- Unified theory for different models
- Vary computational abilities of attacker – symbolic, poly-time, information-theoretic
- Vary adversary’s control over network – complete vs. partial (e.g., in Mobile IPv6)
- Protocol Derivation
- Incremental protocol construction – replace Clark-Jacob survey

Other Projects

- Specification of Security
- Unifying simulation-based definitions – universal composability, black-box simulatability, strong simulatability [DKMRS04, DKMR05]
- Comparing game-based definitions with simulation-based definitions – impossibility theorem [DDMRS05]
- Open problem: compositional security definition
- Foundations of Privacy
- Contextual Integrity [Nissenbaum04]
- Formal theory: Kripke models, temporal logic
- Application to HIPAA, GLBA, COPPA, …
- Relation to RBAC, P3P, EPAL, DRM, statistical databases,… [WIP - BDMN05]

Credits/Selected Publications

- A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue]

- A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic[ICALP05]
- C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i [CCS05, ACM TISSEC special issue]

Project web page: www.stanford.edu/~danupam/logic-derivation.html

Computational Soundness

- Simulation framework: Backes, Pfitzmann, Waidner
- Correspondence theorems: Micciancio, Warinschi
- Kapron-Impagliazzo logics
- Abadi-Rogaway passive equivalence

[Diagram: Abadi-Rogaway patterns. The expressions (K2,{01}K3), {({101}K2,K5)}K2, {{K6}K4}K5 and (K1,{K1}K7), {({101}K1,K5)}K1, {{K6}K7}K5 reduce to the patterns (K2, □), {({101}K2,K5)}K2, {□}K5 and (K1, □), {({101}K1,K5)}K1, {□}K5, with □ standing for a ciphertext the adversary cannot decrypt; the two patterns agree up to renaming of keys.]

Proposed as start of larger plan for computational soundness [Abadi-Rogaway00, …, Adao-Bana-Scedrov05]

Symbolic methods, computational results

- Pereira and Quisquater, CSFW 2001, 2004
- Studied authenticated group Diffie-Hellman protocols
- Found symbolic attack in Cliques SA-GDH.2 protocol
- Proved no protocol of certain type is secure, for >3 participants
- Micciancio and Panjwani, EUROCRYPT 2004
- Lower bound for class of group key establishment protocols using purely Dolev-Yao reasoning
- Model pseudo-random generators, encryption symbolically
- Lower bound is tight; matches a known protocol

Classifying Attacks

- Implementation bugs
- Buffer overflow, format string vulnerabilities
- Cryptography breaks
- IEEE 802.11b (WEP encryption)
- Protocol flaws
- Needham-Schroeder, IKE, IEEE 802.11i

- Focus on protocol flaws assuming “strong crypto”
- Complexity-theoretic characterization of “strong crypto”
