Security Analysis of Network Protocols Anupam Datta Stanford University CIS Seminar, MIT November 18, 2005
Outline Part I: Overview • Motivation • Central problems • Divide and Conquer paradigm • Combining logic and cryptography • Results Part II: Protocol Composition Logic • Compositional Reasoning • Complexity-theoretic foundations
This talk is about…
• Network security protocols
  • Internet Engineering Task Force (IETF) Standards
    • SSL/TLS – web authentication
    • IPSec – corporate VPNs
    • Mobile IPv6 – routing security
    • Kerberos – network authentication
    • GDOI – secure group communication
  • IEEE Standards Working Group
    • 802.11i – wireless LAN security
    • 802.16e – wireless MAN security
• And methods for their security analysis
  • Security proof in some model; or
  • Identify attacks
Run of a protocol
[Figure: principals A, B, C, D exchange messages over a network in the presence of an Attacker; A initiates, B responds.]
Correct if no security violation in any run
Characteristics of protocols
• Relatively simple distributed programs
  • 5-7 steps, 3-10 fields per message (per component)
• Mission critical
  • Security of data, credit card numbers, …
• Subtle
  • Concurrency: attack may combine data from many sessions
  • Computation: modeling cryptographic primitives
Good domain for logical methods; active research area since early 80’s
Security Analysis Methodology
[Figure: Protocol, Property and Attacker model are the inputs to an Analysis Tool, whose output is a Security proof or an attack.]
• Protocol/property: SSL authentication
• Attacker model: complete control over network; perfect crypto
• Our tool: Protocol Composition Logic (PCL)
• Result: 42 line axiomatic proof
Protocol analysis methods
• Cryptographic reductions
  • Bellare-Rogaway, Shoup, many others
  • UC [Canetti et al], Simulatability [BPW]
  • Prob poly-time process calculus [LMRST…]
• Symbolic methods
  • Model checking
    • FDR [Lowe, Roscoe, …], Murphi [Mitchell, Shmatikov, …], …
    • NRL protocol analyzer [Meadows], Athena [Song], …
  • Theorem proving
    • Isabelle [Paulson …], Specialized logics [BAN, …, PCL]
Examples of protocol flaws
• IKE [Meadows; 1999]
  • Reflection attack; fix adopted by IETF WG
• IEEE 802.11i [He, Mitchell; 2004]
  • DoS attack; fix adopted by IEEE WG
• GDOI [Meadows, Pavlovic; 2004]
  • Composition attack; fix adopted by IETF WG
• Kerberos V5 [Scedrov et al; 2005]
  • Identity misbinding attack; fix adopted by IETF WG
IEEE 802.11i wireless security [2004]
[Figure: Wireless Device, Access Point and Authentication Server; phases in order: 802.11 Association, EAP/802.1X/RADIUS Authentication, 4-way handshake, Group key handshake, Data communication. Uses crypto: encryption, hash, …]
• Divide-and-conquer paradigm
• Combining logic and cryptography
Divide-and-Conquer paradigm (Central Problem 1)
Composition is a hard problem in security
• Result: Protocol Derivation System [DDMP03-05]
  • Incremental protocol construction
• Result: Protocol Composition Logic (PCL) [DDDMP01-05]
  • Compositional correctness proofs
• Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], [Pfitzmann-Waidner01], …
Combining logic and cryptography (Central Problem 2)
• Symbolic model [NS78, DY84]
  - Perfect cryptography assumption
  + Idealization => tools and techniques
• Complexity-theoretic model [GM84]
  + More detailed model; probabilistic guarantees
  - Hand-proofs very hard; no automation
• Result: Computational PCL [DDMST05]
  + Logical proof methods
  + Complexity-theoretic crypto model
• Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]
Applied to industrial protocols
• IEEE 802.11i [IEEE Standards; 2004] [He et al]
  • TLS/SSL [RFC 2246] is a component
• IKE/JFK family
  • IKEv2 [IETF ID; 2004], in progress [Aron et al]
• Mobile IPv6 [RFC 3775], in progress [Roy et al]
• Kerberos V5 [IETF ID; 2004] [Cervasato et al]
• GDOI Secure Group Communication protocol [RFC 3547] [Meadows et al]
Protocol analysis spectrum
[Figure: analysis methods placed by strength of attacker model (low to high) against protocol complexity (low to high). Methods shown: BAN logic, model checking (FDR, Murφ), Athena, Paulson, NRL, Protocol logic, Spi-calculus, Multiset rewriting, Poly-time calculus, Hand proofs, and Computational Protocol logic, marked as the Holy Grail. Two arrows: "Divide and conquer" toward higher protocol complexity, "Combining logic and cryptography" toward a stronger attacker model.]
Outline Part I: Overview Part II: Protocol Composition Logic • Compositional Reasoning • Complexity-theoretic foundations
Challenge-Response: Proof Idea
[Figure: A → B: m, A;  B → A: n, sigB{m, n, A};  A → B: sigA{m, n, B}]
• Alice reasons: if Bob is honest, then:
  • only Bob can generate his signature. [protocol independent]
  • if Bob generates a signature of the form sigB{m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice. [protocol specific]
• Alice deduces: Received(B, msg1) Λ Sent(B, msg2)
Reasoning method • Reason about local information • I know my own actions • Incorporate knowledge of protocol • Honest people faithfully follow protocol • No explicit reasoning about intruder • Absence of bad action expressed as a positive property of good actions • E.g., honest agent’s signature can be produced only by the agent Distinguishes our method from existing techniques
Formalism • Cord calculus • Protocol programming language • Execution model (Symbolic/“Dolev-Yao”) • Protocol logic • Expressing protocol properties • Proof system • Proving protocol properties • Soundness theorem
Challenge-Response as Cords
[Figure: A → B: m, A;  B → A: n, sigB{m, n, A};  A → B: sigA{m, n, B}]
InitCR(A, X) = [ new m; send A, X, m, A; receive X, A, x, sigX{m, x, A}; send A, X, sigA{m, x, X}; ]
RespCR(B) = [ receive Y, B, y, Y; new n; send B, Y, n, sigB{y, n, Y}; receive Y, B, sigY{y, n, B}; ]
Execution model
• Protocol: “Program” for each protocol role
• Initial configuration: set of principals and keys; assignment of 1 role to each principal
• Run
[Figure: three threads interleaved, with one position in the run marked. A: New x; Send {x}B. B: Recv {x}B; Recv {z}B. C: New z; Send {z}B.]
Attacker capabilities • Controls complete network • Can read, remove, inject messages • Fixed set of operations on terms • Pairing • Projection • Encryption with known key • Decryption with known key • …
Formulas true at a position in run
• Action formulas: a ::= Send(P,m) | Receive(P,m) | New(P,t) | Decrypt(P,t) | Verify(P,t)
• Formulas: ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | … [propositional connectives, quantifier over x and temporal modalities not recovered]
• Example: After(a,b) = (b a) [operators not recovered]
Challenge Response: Property
• Modal form: [ actions ]P
  • precondition: Fresh(A,m)
  • actions: [ Initiator role actions ]A
  • postcondition: Honest(B) ActionsInOrder( send(A, {A,B,m}), receive(B, {A,B,m}), send(B, {B,A,{n, sigB{m, n, A}}}), receive(A, {B,A,{n, sigB{m, n, A}}}) )
• Secure if desired property holds in all runs
Proof System
• Sample axioms
  • Reasoning about possession:
    [receive m]A Has(A,m)
    Has(A, {m,n}) Has(A, m) Has(A, n)
  • Reasoning about crypto primitives:
    Honest(X) Decrypt(Y, encX{m}) X=Y
    Honest(X) Verify(Y, sigX{m}) m’ (Send(X, m’) Contains(m’, sigX{m}))
• Soundness Theorem: every provable formula is valid
Outline Part I: Overview Part II: Protocol Composition Logic • Compositional Reasoning • Complexity-theoretic foundations
Reasoning about Composition • Non-destructive Combination: • Ensure combined parts do not interfere • In logic: invariance assertions • Additive Combination: Accumulate security properties of combined parts, assuming they do not interfere • In logic: before-after assertions
Proof steps (Intuition)
• Protocol independent reasoning
  • Has(A, {m,n}) Has(A, m) Has(A, n)
  • Still good: unaffected by composition
• Protocol specific reasoning
  • “if honest Bob generates a signature of the form sigB{m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice”
  • Could break: Bob’s signature from one protocol could be used to attack another
• Technically:
  • Protocol-specific proof steps use invariants
  • Invariants must be preserved for safe composition
Invariants • Reasoning about honest principals • Invariance rule, called “honesty rule” • Preservation of invariants under composition • If we prove Honest(X) for protocol 1 and compose with protocol 2, is formula still true?
Honesty Rule (Induction)
• Definition: a protocol step begins with receive, ends before next receive
• Rule (premises above the line, conclusion below):
    [ ]X        for every B in ProtocolSteps(Q):  [B]X
    ------------------------------------------------
    Q  Honest(X)  …
• Example: CR  Honest(X)  (Sent(X, m2)  Received(X, m1))
Composition of protocols
Sequential composition with term substitution:
• DH-Init(X, Y) = [ new x; ]  with output X, Y, g^x, x
• CR-Init(W, Z, w, x) = [ send W, Z, w, A; receive Z, W, z, sigZ{w, z, W}; send W, Z, sigW{w, z, Z}; ]  with output X, Y, z^x
• ISO-Init(X, Y) = [ new x; send X, Y, g^x, A; receive Y, X, z, sigY{g^x, z, X}; send X, Y, sigX{g^x, z, Y}; ]  with output X, Y, z^x
Compositional proofs
[Figure:]
• DH invariants: Honest(X) …;  CR invariants: Honest(X) …
• DH invariants |- Secrecy;  CR invariants |- Authentication
• Combined invariants |- Secrecy and Authentication  [additive]
• DH composed with CR preserves both sets of invariants  [nondestructive]
• The composition is ISO, so ISO |- Secrecy and Authentication
Composition Rules
• Invariant weakening rule: a property […]P proved from a set of invariants still follows from a larger set of invariants
• Sequential composition: from |- [ S ]P and |- [ T ]P derive |- [ S; T ]P
• Prove invariants from protocol: invariants proved for Q and for Q’ are together proved for the composition of Q and Q’
Sequential, parallel, staged composition theorems [MFPS03, CCS05]
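The honesty rule and the composition checks of the last few slides, as an added example (Python written for this page, not the authors' tool): roles are the cords from the Challenge-Response slide, protocol steps are cut at each receive, the CR invariant "Sent(X, msg2) implies Received(X, msg1)" is checked on every step, and the check is repeated for the ISO-Init composition and for a constructed role (PRESIGN, not from the talk) that would break the invariant.

```python
# Added example (not from the talk): the PCL honesty rule run as a check over
# roles written as cords (action lists). A protocol step is the segment that
# starts with a receive and ends before the next receive; the segment before the
# first receive is also a step. Invariant checked: Sent(X, msg2) implies
# Received(X, msg1), i.e. a msg2-shaped send signs a challenge X has received.

def sig(signer, *payload):
    return ("sig", signer, tuple(payload))

def subst(term, old, new):   # term substitution over nested tuples
    if term == old:
        return new
    return tuple(subst(t, old, new) for t in term) if isinstance(term, tuple) else term

# Cords from the slides; field names are symbolic variables.
RESP_CR = [("receive", ("Y", "B", "y", "Y")), ("new", "n"),
           ("send", ("B", "Y", "n", sig("B", "y", "n", "Y"))),
           ("receive", ("Y", "B", sig("Y", "y", "n", "B")))]
INIT_CR = [("new", "m"), ("send", ("A", "X", "m", "A")),
           ("receive", ("X", "A", "x", sig("X", "m", "x", "A"))),
           ("send", ("A", "X", sig("A", "m", "x", "X")))]
# Sequential composition with term substitution: DH-Init supplies g^x in place of m.
ISO_INIT = [("new", "x")] + [(a, subst(t, "m", "g^x")) for a, t in INIT_CR[1:]]
# Constructed role (not from the talk) that signs a challenge y0 it never received.
PRESIGN = [("new", "n"), ("send", ("B", "Y", "n", sig("B", "y0", "n", "Y")))]

def protocol_steps(role):
    steps, cur = [], []
    for act in role:
        if act[0] == "receive" and cur:
            steps.append(cur)
            cur = []
        cur.append(act)
    return steps + [cur] if cur else steps

def is_msg2(m):
    """Shape (X, Y, n, sigX{y, n, Y}): signer is the sender, n and Y match."""
    return (isinstance(m, tuple) and len(m) == 4 and isinstance(m[3], tuple)
            and m[3][0] == "sig" and m[3][1] == m[0] and m[3][2][1:] == (m[2], m[1]))

def invariant(actions):
    received = []
    for kind, t in actions:
        if kind == "receive":
            received.append(t)
        elif kind == "send" and is_msg2(t) and not any(t[3][2][0] in r for r in received):
            return False
    return True

def honesty_rule(*roles):
    """Induction: invariant holds for the empty sequence and every protocol step."""
    return invariant([]) and all(invariant(s) for r in roles for s in protocol_steps(r))
```

`honesty_rule(INIT_CR, RESP_CR)` and `honesty_rule(ISO_INIT, RESP_CR)` hold, so the CR invariant survives the DH composition; `honesty_rule(PRESIGN)` fails, which is the kind of interference the non-destructive combination check rules out.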
Composition: Big Picture
• Q |- Inv(Q)
• Inv(Q) |- security property
• Qi |- Inv(Q) for each protocol Qi in the environment
• No reasoning about attacker
[Figure: Protocol Q running inside a safe environment of protocols Q1, Q2, Q3, …, Qn]
• Different from:
  • Assume-guarantee in distributed computing [MC81]
  • Universal Composability [C01, PW01]
Outline Part I: Overview Part II: Protocol Composition Logic • Compositional Reasoning • Complexity-theoretic foundations
Two worlds Can we get the best of both worlds?
Our Approach
• Protocol Composition Logic (PCL) (talk so far…)
  • Syntax
  • Proof System
  • Semantics: symbolic “Dolev-Yao” model
• Computational PCL (leverage PCL success…)
  • Syntax ±
  • Proof System ±
  • Semantics: complexity-theoretic model
Main Result • Computational PCL • Symbolic logic for proving security properties of network protocols • Soundness Theorem: • If a property is provable in CPCL, then property holds in computational model with overwhelming asymptotic probability. • Benefits • Symbolic proofs about computational model • Computational reasoning in soundness proof (only!) • Different axioms rely on different crypto assumptions
PCL Computational PCL • Syntax, proof rules mostly the same • But not sure about propositional connectives… • Significant difference • Symbolic “knowledge” • Has(X,t) : X can produce t from msgs that have been observed, by symbolic algorithm • Computational “knowledge” • Possess(X,t) : can produce t by ppt algorithm • Indistinguishable(X,t) : can distinguish from random in ppt • More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.
Complexity-theoretic semantics
• Q |= (formula) if for every adversary A, distinguisher D and negligible function f there is n0 such that for all n > n0: |[[ ]](T,D,f(n))| / |T| > 1 – f(n)  (the fraction represents a probability)
• Constructing T: fix protocol Q and PPT adversary A; choose value of security parameter n; vary random bits used by all programs; obtain set T = T(Q,A,n) of equi-probable traces
• [[ ]](T,D,f) is the subset of T(Q,A,n) on which the formula holds
Inductive Semantics • [[1 2]] (T,D,) = [[1]] (T,D,) [[2]] (T,D,) • [[1 2]] (T,D,) = [[1]] (T,D,) [[2]] (T,D,) • [[ ]] (T,D,) = T - [[]] (T,D,) Implication uses conditional probability • [[1 2]] (T,D,) = [[1]] (T,D,) [[2]] (T’,D,) where T’ = [[1]] (T,D,) Formula defines transformation on probability distributions over traces
Soundness of proof system
• Example axiom: Source(Y,u,{m}X), Decrypts(X, {m}X), Honest(X,Y) and Z distinct from X, Y together give Indistinguishable(Z, u)
• Proof idea: crypto-style reduction
  • Assume axiom not valid: there are A, D and negligible f such that for every n0 some n > n0 has |[[ ]](T,D,f)| / |T| < 1 – f(n)
  • Construct attacker A’ that uses A, D to break IND-CCA2 secure encryption scheme
  • Conditional implication essential
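The semantics of the two previous slides, as an added example (Python written for this page, not the authors' work): formulas are evaluated to the subset of a finite trace set T on which they hold, implication evaluates its consequent on the conditional set T' = [[phi1]](T), and Indistinguishable is an atom whose truth depends on the distinguisher's advantage over the set it is evaluated on. The 100-trace set, the per-trace guess that stands in for the distinguisher D, and the bound EPS are all constructed here.

```python
# Added example (not from the talk): inductive semantics of Computational PCL on
# a finite set T of equi-probable traces. [[phi1 -> phi2]](T) = (T - T') U
# [[phi2]](T') with T' = [[phi1]](T), so "->" is conditional probability, not the
# classical "not phi1 or phi2". Indistinguishable(Z, u) holds on a set exactly
# when the distinguisher's advantage over that set is within the bound eps.
from collections import namedtuple
from fractions import Fraction

Trace = namedtuple("Trace", "tid event bit guess")   # constructed trace record
EPS = Fraction(1, 20)                                 # stands in for f(n)

def advantage(T):
    """|Pr[guess = bit] - Pr[guess != bit]| over the trace set T."""
    right = sum(1 for t in T if t.guess == t.bit)
    return Fraction(abs(2 * right - len(T)), len(T)) if T else Fraction(0)

def sem(phi, T, eps):
    """[[phi]](T, D, eps): the subset of T on which phi holds."""
    op = phi[0]
    if op == "atom":        # trace-local action formula, e.g. Send(P, m)
        return {t for t in T if phi[1](t)}
    if op == "indist":      # Indistinguishable(Z, u): all of T or none of it
        return set(T) if advantage(T) <= eps else set()
    if op == "not":
        return set(T) - sem(phi[1], T, eps)
    if op == "and":
        return sem(phi[1], T, eps) & sem(phi[2], T, eps)
    if op == "or":
        return sem(phi[1], T, eps) | sem(phi[2], T, eps)
    if op == "implies":     # consequent evaluated on the conditional set T'
        T1 = sem(phi[1], T, eps)
        return (set(T) - T1) | sem(phi[2], T1, eps)
    raise ValueError(op)

def valid(phi, T, eps):
    """Q |= phi iff |[[phi]](T)| / |T| > 1 - eps (validity condition on the slide)."""
    return Fraction(len(sem(phi, T, eps)), len(T)) > 1 - eps

def constructed_traces():
    """100 constructed traces: where the event occurs (10) the guess is always
    right; elsewhere it is right 40 times and wrong 50, so over all of T the
    advantage averages to 0 although on the event subset it is 1."""
    T = {Trace(i, True, 0, 0) for i in range(10)}
    T |= {Trace(10 + i, False, 0, 0 if i < 40 else 1) for i in range(90)}
    return T

EVENT = ("atom", lambda t: t.event)
SECRET = ("indist",)
CONDITIONAL = ("implies", EVENT, SECRET)        # the CPCL reading of "->"
MATERIAL = ("or", ("not", EVENT), SECRET)       # the classical reading
```

On the constructed set `valid(MATERIAL, T, EPS)` is true while `valid(CONDITIONAL, T, EPS)` is false: averaging over all traces hides that the secret is distinguishable whenever the event occurs, which is the point behind "conditional implication essential".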
Logic and Cryptography: Big Picture
[Figure: layers from top to bottom]
• Protocol security proofs using proof system
• Axiom in proof system
• Semantics and soundness theorem
• Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
• Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)
Current Work • Investigate nature of logic • Propositional fragment not classical • represents conditional probability • complexity-theoretic reductions • connections with probabilistic logics (e.g. Nilsson86, Fagin-Halpern90) • Generalize reasoning about secrecy • Probability close to ½ instead of 1 • Not a trace property • Cover more cryptographic protocols • More primitives: signature, hash functions, … • And protocols: secure key exchange, … • Information-theoretic and concrete security semantics • Only probability; no complexity • Concrete security reductions
Summary • PCL – A logic for security protocols: • Divide-and-conquer paradigm in security • Combining logic and cryptography • Applications: • IEEE 802.11i • GDOI Secure Group Communication protocol [RFC 3547; 2003] • IKEv2 [IETF Internet Draft; 2004] • TLS [RFC 2246; 1999] • Kerberos V5 [IETF Internet Draft; 2004] • Mobile IPv6 [RFC 3775; 2004]
Protocol analysis spectrum
[Figure repeated from Part I: analysis methods placed by strength of attacker model against protocol complexity, with Computational Protocol logic as the Holy Grail.]
Ongoing Work • Extend and refine PCL • Programming language, syntax, proof system • More properties: beyond authentication, secrecy – abuse-freeness, fairness, knowledge-based specification • Tool implementation • Encode logic into generic theorem-prover • Preliminary implementation in Isabelle • Investigate decidability of PCL • Unified theory for different models • Vary computational abilities of attacker – symbolic, poly-time, information-theoretic • Vary adversary’s control over network – complete vs. partial (e.g., in Mobile IPv6) • Protocol Derivation • Incremental protocol construction – replace Clark-Jacob survey
Other Projects
• Specification of Security
  • Unifying simulation-based definitions – universal composability, black-box simulatability, strong simulatability [DKMRS04, DKMR05]
  • Comparing game-based definitions with simulation-based definitions – impossibility theorem [DDMRS05]
  • Open problem: compositional security definition
• Foundations of Privacy
  • Contextual Integrity [Nissenbaum04]
  • Formal theory: Kripke models, temporal logic
  • Application to HIPAA, GLBA, COPPA, …
  • Relation to RBAC, P3P, EPAL, DRM, statistical databases, … [WIP – BDMN05]
Credits/Selected Publications
• A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue]
• A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic [ICALP05]
• C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i [CCS05, ACM TISSEC special issue]
Project web page: www.stanford.edu/~danupam/logic-derivation.html
Chosen ciphertext (CCA2) game
[Figure: Attacker and CCA2 Challenger. The attacker submits ciphertexts c and receives D(c); it then submits m0, m1 and receives the challenge E(mi); it may keep submitting ciphertexts c other than the challenge E(mi) and receiving D(c); finally it guesses 0 or 1.]
Computational Soundness
• Simulation framework: Backes, Pfitzmann, Waidner
• Correspondence theorems: Micciancio, Warinschi
• Kapron-Impagliazzo logics
• Abadi-Rogaway passive equivalence, proposed as start of larger plan for computational soundness … [Abadi-Rogaway00, …, Adao-Bana-Scedrov05]
  Pattern examples (undecryptable subterms blanked):
    (K2,{01}K3), {({101}K2,K5)}K2, {{K6}K4}K5
    (K2, ), {({101}K2,K5)}K2, { }K5
    (K1, ), {({101}K1,K5)}K1, { }K5
    (K1,{K1}K7), {({101}K1,K5)}K1, {{K6}K7}K5