security analysis of network protocols n.
Download
Skip this Video
Download Presentation
Security Analysis of Network Protocols

Loading in 2 Seconds...

play fullscreen
1 / 46

Security Analysis of Network Protocols - PowerPoint PPT Presentation


  • 102 Views
  • Uploaded on

Security Analysis of Network Protocols. Anupam Datta Stanford University UW-Madison CSD April 18, 2005. Outline. Part I: Overview Motivation Central problems Divide and Conquer paradigm Combining logic and cryptography Results Part II: Glimpses of technical machinery

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Security Analysis of Network Protocols' - giacomo-allen


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
security analysis of network protocols

Security Analysis of Network Protocols

Anupam Datta

Stanford University

UW-Madison CSD

April 18, 2005

outline
Outline

Part I: Overview

  • Motivation
  • Central problems
    • Divide and Conquer paradigm
    • Combining logic and cryptography
  • Results

Part II: Glimpses of technical machinery

  • Divide and Conquer Paradigm
    • Protocol Derivation System
    • Protocol Composition Logic
  • Combining logic and cryptography
    • Complexity-theoretic foundations
this talk is about
This talk is about…
  • Industrial network protocols
    • Internet Engineering Task Force (IETF) Standards
      • SSL/TLS - web authentication
      • IPSec - corporate VPNs
      • Mobile IPv6 – routing security
      • Kerberos - network authentication
      • GDOI – secure group communication
    • IEEE Standards Working Group
      • 802.11i - wireless security
  • And methods for their security analysis
    • Security proof in some model; or
    • Identify attacks
slide4

Motivating Example

[Needham-Schroeder78]

{ A, Noncea }

{ Noncea, Nonceb }

{ Nonceb}

Kb

A

B

Ka

Kb

Result: A and B share two private numbers

not known to any observer without Ka-1, Kb-1

slide5

Anomaly in Needham-Schroeder

[Lowe96]

{ A, Na }

Ke

A

E

{ Na, Nb }

Ka

{ Nb }

Ke

{ A, Na }

{ Na, Nb }

Evil agent E tricks

honest A into revealing

private key Nb from B.

Kb

Ka

B

Evil E can then fool B.

characteristics of protocols
Characteristics of protocols
  • Relatively simple distributed programs
    • 5-7 steps, 3-10 fields per message (per component)
  • Mission critical
    • Security of data, credit card numbers, …
  • Subtle
    • Concurrency: attack may combine data from many sessions
    • Computation: modeling cryptographic primitives

Good domain for logical methods

Active research area since early 80’s

security analysis methodology

SSL

authentication

Our tool: Protocol Composition Logic (PCL)

-Complete control over network

-Perfect crypto

42 line axiomatic proof

Security Analysis Methodology

Protocol

Property

Attacker model

Analysis Tool

Security proof or attack

classifying attacks
Classifying Attacks
  • Implementation bugs
    • Buffer overflow, format string vulnerabilities
  • Cryptography breaks
    • IEEE 802.11b (WEP encryption), GSM cell phone
  • Protocol flaws
    • Needham-Schroeder, IKE, IEEE 802.11i
  • Focus on protocol flaws assuming “strong crypto”
  • Complexity-theoretic characterization of “strong crypto”
ieee 802 11i wireless security 2004
IEEE 802.11i wireless security [2004]

Wireless Device

Access Point

Authentication Server

802.11 Association

Uses crypto: encryption, hash,…

EAP/802.1X/RADIUS Authentication

4-way handshake

  • Divide-and-conquer paradigm
  • Combining logic and cryptography

Group key handshake

Data communication

divide and conquer paradigm
Divide-and-Conquer paradigm
  • Result:Protocol Derivation System
    • Incremental protocol construction
  • Result:Protocol Composition Logic (PCL)
    • Compositional correctness proofs
  • Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], …

Composition is a hard problem in security

Central Problem 1

combining logic and cryptography
Combining logic and cryptography
  • Symbolic model [DY84]

- Perfect cryptography assumption

+ Idealization => tools and techniques

  • Complexity-theoretic model [GM84]

+ More detailed model; probabilistic guarantees

- Hand-proofs very hard; no automation

  • Result:Computational PCL

+ Logical proof methods

+ Complexity-theoretic crypto model

  • Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]

Central Problem 2

slide12

Applied to industrial protocols

  • IEEE 802.11i authentication protocol [IEEE Standards; 2004]

(Attack! Fix adopted by IEEE WG)

  • IKEv2 [IETF Internet Draft; 2004]
  • TLS/SSL [RFC 2246; 1999]
  • Kerberos V5 [IETF Internet Draft; 2004]
  • GDOI Secure Group Communication protocol [RFC 3547; 2003]

(Attack! Fix adopted by IETF WG)

Many More:

    • STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-3, NSL,…
ipsec

Internet

IPSec
  • Widely deployed: Corporate VPNs
  • Provides secrecy and integrity
  • IKEv2 is the IPSec key exchange protocol

IP layer host-to-host security

ikev2 ietf id 2004
IKEv2 [IETF ID 2004]

IKE_INIT (Exchange key material)

Multi-mode protocol: authenticator can use either signature or pre-shared key

I  R: HDR, SAi1, gi, Ni

R  I: HDR, SAr1, gr, Nr

IKE_AUTH (Authenticate)

I  R: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}

R  I: HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr}

  • Modular proofs
  • Multi-mode (Unified “template” proof)
  • Properties: authentication, shared secret, identity & DoSprotection, repudiability

IKE_CHILD_SA (Rekey)

mobile ipv6 ietf id 2004

Wisconsin

Stanford

Mobile IPv6 [IETF ID 2004]

Correspondent Node

Home address

Home address

  • Change of location
  • Authentication
  • DoS issues
  • Protocol breaks if attacker controls complete network

Care of address

gdoi rfc 3547 2003
GDOI [RFC 3547, 2003]

Public network

Group controller

  • Secure group communication
  • Composition attack
  • Fix adopted by IETF WG

Communicating in a group can be difficult…

slide17

Protocol analysis spectrum

Combining logic and cryptography

Hand proofs

Computational Protocol logic

Holy Grail

High

Divide and conquer

Poly-time calculus

Multiset rewriting

Protocol logic

Spi-calculus

Strength of attacker model

Athena

Paulson

NRL

BAN logic

Low

Model checking

FDR

Murj

Low

High

Protocol complexity

outline1
Outline

Part I: Overview

Part II: Glimpses of technical machinery

  • Divide and conquer paradigm
    • Protocol Derivation System
    • Protocol Composition Logic
  • Combining logic and cryptography
    • Complexity-theoretic foundations
protocol derivation system
Protocol Derivation System
  • Construct protocol with properties:
    • Shared secret
    • Authenticated
    • Identity Protection
    • DoS Protection
  • Design requirements forIKE, JFK, IKEv2(IPSec key exchange protocol)
slide20

Component 1

Diffie Hellman

A  B: ga

B  A: gb

  • Shared secret (with someone)
    • A deduces:
    • Knows(Y, gab) (Y = A) ۷ Knows(Y,b)
  • Authenticated
  • Identity Protection
  • DoS Protection
slide21

Component 2

Challenge-Response

A  B: m, A

B  A: n, sigB {m, n, A}

A  B: sigA {m, n, B}

  • Shared secret
  • Authenticated
    • A deduces: Received (B, msg1) Λ Sent (B, msg2)
  • Identity Protection
  • DoS Protection
slide22

Composition

m := ga

n := gb

ISO-9798-3

A  B: ga, A

B  A: gb, sigB {ga, gb, A}

A  B: sigA {ga, gb, B}

  • Shared secret: gab
  • Authenticated
  • Identity Protection
  • DoS Protection

Technically: sequential composition with variable substitution

slide23

Refinement

Encrypt Signatures

A  B: ga, A

B  A: gb, EK {sigB {ga, gb, A}}

A  B: EK {sigA {ga, gb, B}}

  • Shared secret: gab
  • Authenticated
  • Identity Protection
  • DoS Protection

Technically: term replacement/function variable substitution

transformation
Transformation

Use cookie:JFK core protocol

A  B: ga, A

B  A: gb, hashKB {gb, ga}

A  B: ga, gb, EK {sigA {ga, gb, B}}, hashKB {gb, ga}

B  A: gb, EK {sigB {ga, gb, A}}

  • Shared secret: gab
  • Authenticated
  • Identity Protection
  • DoS Protection

Technically: program transformation

outline2
Outline

Part I: Overview

Part II: Glimpses of technical machinery

  • Divide and conquer paradigm
    • Protocol Derivation System
    • Protocol Composition Logic
  • Combining logic and cryptography
    • Complexity-theoretic foundations
slide27

Challenge-Response: Proof Idea

m, A

n, sigB {m, n, A}

A

B

sigA {m, n, B}

  • Alice reasons: if Bob is honest, then:
    • only Bob can generate his signature. [protocol independent]
    • if Bob generates a signature of the form sigB {m, n, A},
      • he sends it as part of msg 2 of the protocol and
      • he must have received msg1 from Alice. [protocol specific]
  • Alicededuces:Received (B, msg1) Λ Sent (B, msg2)
reasoning method
Reasoning method
  • Reason about local information
    • I know my own actions
  • Incorporate knowledge of protocol
    • Honest people faithfully follow protocol
  • No explicit reasoning about intruder
    • Absence of bad action expressed as a positive property of good actions
      • E.g., honest agent’s signature can be produced only by the agent

Distinguishes our method from existing techniques

slide29

Formalism

  • Cord calculus
    • Protocol programming language
    • Execution model (Symbolic/“Dolev-Yao”)
  • Protocol logic
    • Expressing protocol properties
  • Proof system
    • Proving protocol properties
    • Soundness theorem
slide30

Challenge-Response as Cords

m, A

n, sigB {m, n, A}

A

B

sigA {m, n, B}

RespCR(B) = [

receive Y, B, y, Y;

new n;

send B, Y, n, sigB{y, n, Y};

receive Y, B, sigY{y, n, B};

]

InitCR(A, X) = [

new m;

send A, X, m, A;

receive X, A, x, sigX{m, x, A};

send A, X, sigA{m, x, X};

]

slide31

Challenge Response: Property

  • Modal form:  [ actions ]P 
    • precondition: Fresh(A,m)
    • actions: [ Initiator role actions ]A
    • postcondition:
    • Honest(B)  ActionsInOrder(
        • send(A, {A,B,m}),
        • receive(B, {A,B,m}),
        • send(B, {B,A,{n, sigB {m, n, A}}}),
        • receive(A, {B,A,{n, sigB {m, n, A}}}) )
slide32

Proof System

  • Sample Axioms:
    • Reasoning about possession:
      • [receive m ]A Has(A,m)
      • Has(A, {m,n})  Has(A, m)  Has(A, n)
    • Reasoning about crypto primitives:
      • Honest(X)  Decrypt(Y, encX{m})  X=Y
      • Honest(X)  Verify(Y, sigX{m}) 
    •  m’ (Send(X, m’)  Contains(m’, sigX{m})
  • Soundness Theorem:
    • Every provable formula is valid
slide33

Reasoning about Composition

  • Non-destructive Combination:
    • Ensure combined parts do not interfere
      • In logic: invariance assertions
  • Additive Combination:

Accumulate security properties of combined parts, assuming they do not interfere

      • In logic: before-after assertions
slide34

Proof steps (Intuition)

  • Protocol independent reasoning
    • Has(A, {m,n})  Has(A, m)  Has(A, n)
    • Still good: unaffected by composition
  • Protocol specific reasoning
    • “if honest Bob generates a signature of the form
    • sigB {m, n, A},
      • he sends it as part of msg 2 of the protocol and
      • he must have received msg1 from Alice”
    • Could break:Bob’s signature from one protocol could be used to attack another
  • Technically:
  • Protocol-specific proof steps use invariants
  • Invariants must be preserved for safe composition
slide35

Composing protocols

 (Invariant)

’

DHHonest(X)  …

CRHonest(X)  …

’ |- Authentication

 |- Secrecy

’ |- Secrecy

’ |- Authentication

’ |- Secrecy  Authentication [additive]

DHCR’[nondestructive]

=

ISOSecrecy  Authentication

Sequential and parallel composition theorems

slide36

Composition Rules

  • Invariant weakening rule
    •  |-  […]P
    •   ’ |-  […]P
  • Sequential Composition
    •  |-  [ S ] P  |-  [ T ] P 
      •  |-  [ ST ] P
  • Prove invariants from protocol
    • Q   Q’  
    • Q  Q’  

Also have proof method for class of refinements & transformations

applications
Applications
  • IEEE 802.11i authentication protocol [IEEE Standards; 2004]

(Attack! Fix adopted by IEEE WG)

  • IKEv2 [IETF Internet Draft; 2004]
  • TLS [RFC 2246; 1999]
  • Kerberos V5 [IETF Internet Draft; 2004]
  • GDOI Secure Group Communication protocol [RFC 3547; 2003]

(Composition Attack! Fix adopted by IETF WG)

Many More:

    • STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-3, NSL,…
tool support
Tool Support
  • Isabelle Proof Assistant for PCL
    • Encode syntax and proof system of PCL into a generic theorem-prover

consts

PSend :: "[thread,CTerm] => o"

syntax

PSend :: "[threadI,CTermlist] => actformI"

("Send'(_,_')")

axioms

AA1S: "{P, X[send t], Send(X,t)}"

REC : "Receive(X,t) --> Has(X,t)"

Rule:

SEQ: "[|{P, X[S1], Q} ; {Q, X[S2], R}|]

==> {P, X[S1 ; S2], R}"

sample proof forward reasoning
Sample proof (forward reasoning)
  • Use PCL axioms and rules to carry out proofs
  • Use Isabelle’s first-order reasoner

lemma "{P,X[new t; send t],Has(X,t) &

Send(X,t)}";

proof -;

have A: "{P,X[new t; send t],Has(X,t)}";

apply (rule G3);

apply (rule SEQ);

apply (rule AA1N);

apply (rule P1N);

apply (blast);

apply (rule ORIG);

done;

outline3
Outline

Part I: Overview

Part II: Glimpses of technical machinery

  • Divide and conquer paradigm
    • Protocol Derivation System
    • Protocol Composition Logic
  • Combining logic and cryptography
    • Complexity-theoretic foundations
slide41

Two worlds

Can we get the best of both worlds?

our approach
Our Approach

Talk so far…

Leverage PCL success

  • Protocol Composition Logic (PCL)
  • Syntax
  • Proof System
  • Computational PCL
  • Syntax ± 
  • Proof System ± 
  • Symbolic “Dolev-Yao” model
  • Semantics
  • Complexity-theoretic model
  • Semantics

Idea: Use same logical proof methods for complexity-theoretic cryptography

our result
Our result
  • Computational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption
  • Soundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1.

+ Symbolic proofs

+ Complexity-theoretic model

Logical methods for complexity-theoretic cryptography

soundness of proof system
Soundness of proof system
  • Information-theoretic reasoning

[new u]X (Y  X)  Indistinguishable(Y, u)

  • Complexity-theoretic reductions

Source(Y,u,{m}X)  Decrypts(X,{m}X)  Honest(X,Y)  (Z  X,Y)  Indistinguishable(Z, u)

  • Asymptotic calculations

Reduction to CCA2-secure encryption scheme

  

Sum of two negligible functions is a negligible function

summary
Summary
  • Methodology:
    • Divide-and-conquer paradigm in security
    • Combining logic and cryptography
  • Applications:
    • IEEE 802.11i (Attack! Fix adopted by IEEE WG)
    • GDOI Secure Group Communication protocol [RFC 3547; 2003]

(Composition Attack! Fix adopted by IETF WG)

    • IKEv2 [IETF Internet Draft; 2004]
    • TLS [RFC 2246; 1999]
    • Kerberos V5 [IETF Internet Draft; 2004]
research directions
Research Directions
  • Bring automated tools and techniques to industrial protocol design
  • Formal methods and cryptography
  • Composition of secure systems
  • Apply similar techniques to other kinds of security mechanisms
    • Web services
  • Software analysis of secure systems
    • Model-checking C code