
Proving Security of Industrial Network Protocols: Theory and Practice


Presentation Transcript


  1. Proving Security of Industrial Network Protocols: Theory and Practice Anupam Datta Stanford University Oakland PC Crystal Ball Workshop January 2007

  2. Security Protocol Analysis
     • Network security protocols
       • Industry Standards (IETF, IEEE)
       • SSL/TLS - web authentication
       • IPSec - corporate VPNs
       • Mobile IPv6 - routing security
       • Kerberos - network authentication
       • GDOI - secure group communication
       • 802.11i - wireless LAN security
     • Methods for their security analysis
       • Security proof in some model; or
       • Identify attacks

  3. Our Result
     • Protocol Composition Logic (PCL):
       • Unbounded number of sessions (vs. model-checking)
       • Short high-level proofs: 2-3 pages
       • Sound wrt symbolic and computational cryptographic models
       • Taught in security courses (alternative to BAN): CMU, Penn, Stanford, Texas…
     [DMP01, DDMP03, …, RDDM06]

  4. PCL: Big Picture (diagram)
     • High-level proof principles
     • PCL: Syntax (Properties), Proof System (Proofs)
     • Computational PCL: Syntax ±, Proof System ±
     • Symbolic Model: PCL Semantics (Meaning of formulas); unbounded # concurrent sessions; Soundness Theorem (Induction)
     • Cryptographic Model: PCL Semantics (Meaning of formulas); polynomial # concurrent sessions; Soundness Theorem (Reduction) [BPW, MW, …]

  5. PCL Results: Industrial Protocols
     • IEEE 802.11i [IEEE Standards; 2004] [HSDDM05]
       • TLS/SSL [RFC 2246] is a component (Attack using model-checking; fix adopted by WG)
     • GDOI Secure Group Communication [RFC 3547] [MP04] (Attack using PCL; fix adopted by IETF WG)
     • Kerberos V5 [IETF ID; 2004] [CMP05, RDDM06]
     • Mobile IPv6 [RFC 3775] in progress [RDM06]
     • IKE/JFK family
       • IKEv2 [IETF ID; 2004] in progress [RDM06]
     Except Kerberos, results currently apply only to symbolic model

  6. PCL Proof Techniques
     • Modular Proofs [DDMP03, HSDDM05]
       • Useful for protocols composed from multiple components, e.g. IEEE 802.11i has 4 components including TLS
       • Sequential, parallel, staged composition
     • Generic Template-style Proofs [DDMP04]
       • Useful for protocols with multiple modes but similar abstract structure, e.g. IKEv2 has two modes based on symmetric and public-key cryptography

  7. In More Detail …
     • Protocol Programming Language
     • Protocol Composition Logic
       • Syntax: Stating security properties
       • Trace Semantics: Property holds in (almost) all runs of protocol
     • Proof System
       • Axioms and rules: Used to prove security
       • High-level proof principles

  8. Example: Challenge-Response
     A → B: m, A
     B → A: n, sigB{m, n, A}
     A → B: sigA{m, n, B}
     • Alice reasons: if Bob is honest, then:
       • only Bob can generate his signature [protocol independent]
       • if Bob generates a signature of the form sigB{m, n, A},
         • he sends it as part of msg2 of the protocol, and
         • he must have received msg1 from Alice [protocol specific]
     • Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)

  9. Challenge-Response Programs
     A → B: m, A
     B → A: n, sigB{m, n, A}
     A → B: sigA{m, n, B}

     InitCR(A, X) = [
       new m;
       send A, X, {m, A};
       receive X, A, {x, sigX{m, x, A}};
       send A, X, sigA{m, x, X};
     ]< >

     RespCR(B) = [
       receive Y, B, {y, Y};
       new n;
       send B, Y, {n, sigB{y, n, Y}};
       receive Y, B, sigY{y, n, B};
     ]< >

  10. Challenge-Response Property
     • Specifying authentication for Initiator using PCL syntax:
       true [ InitCR(A, B) ]_A Honest(B)  (
         Send(A, {A,B,m})
         Receive(B, {A,B,m})
         Send(B, {B,A,{n, sigB{m, n, A}}})
         Receive(A, {B,A,{n, sigB{m, n, A}}})
       )
     • Semantics: Property should hold in (almost) all protocol runs

  11. PCL: Proof System
     • Sample Axiom (Step 1 of CR proof):
       • Property of signature:
         Honest(X)  Verifies(Y, sigX{m})  m’. Sent(X, m’)  Contains(m’, sigX{m})
     • Sample proof rules:
       • First-order logic rules
       • Induction rule (next slide)
     • Soundness Theorem
       • If a formula is provable, then it holds in all protocol runs
       • Established using induction for symbolic and reduction for cryptographic model

  12. Inductive Invariant Rule Scheme (Step 2 of CR proof)
     For all steps A of protocol Q:
       Start(X) [ ]X      [ A ]X 
       ----------------------------------
                 Q |- Honest(X)  
     • Example:
       CR |- Honest(X)  (Send(X, m)  Contains(m, sigX{y, x, Y})  m = X, Y, {x, sigX{y, x, Y}}  Receive(X, {Y, X, {y, Y}}))
     • Note: Rule depends on protocol

  13. In More Detail …
     • PCL Proof Techniques
       • Modular Proofs
       • Generic Template-style Proofs

  14. 802.11i Key Management: 20 msgs in 4 components (diagram; parties: Laptop, Access Point, Auth Server) [HSDDM CCS’05 -> TISSEC Special Issue]
     • EAP-TLS: Certificates to Authorization (PMK)
     • 4WAY Handshake: PMK (Shared Secret) to Keys for data communication
     • Group key: Keys for broadcast communication
     • Data protection: AES based using above keys
     Modular Analysis / Composition

  15. Compositional Proofs: Intuition
     • Protocol specific reasoning
       • “if honest Bob generates a signature of the form sigB{m, n, A}, he sends it as part of msg2 …”
       • Could break: Bob’s signature from one protocol could be used to attack another
       • PCL proof system: Invariant rule
     • Protocol independent reasoning
       • Axiom stating unforgeability of signatures
       • Still good: unaffected by composition
       • All other axioms and proof rules for PCL

  16. Proof Tree (diagram) [DDMP CSF’03 -> JCS Special Issue, MFPS’03]
     • Theorem: If Q |- Inv and Q’ |- Inv, then Q | Q’ |- Inv
     • TLS |- Inv and 4WAY |- Inv, hence TLS | 4WAY |- Inv (INV rule)
     • Inv |- Auth via Inv axiom and other rules; Auth is the security property
     • Bulk of proof reused; additional work to prove 4WAY |- Inv

  17. Generic Template-style Proofs
     • Protocols with function variables instead of specific cryptographic operations
     • One template can be instantiated to many protocols
     • Proof of template yields proofs for instances
     • Motivating example:
       • IKEv2: two instances based on symmetric and public-key cryptography

  18. Protocol Template
     Challenge-Response Template:
       A → B: m
       B → A: n, F(B,A,n,m)
       A → B: G(A,B,n,m)
     Instantiations:
       ISO-9798-2:  A → B: m;  B → A: n, E_KAB(n,m,B);  A → B: E_KAB(n,m)
       SKID3:       A → B: m;  B → A: n, H_KAB(n,m,B);  A → B: H_KAB(n,m,A)
       ISO-9798-3:  A → B: m;  B → A: n, sigB(n,m,A);   A → B: sigA(n,m,B)

  19. Template Proof Method
     • Characterizing protocol concepts
       • Step 1: Under hypotheses about function variables and invariants, prove security property of template
       • Step 2: Instantiate function variables to cryptographic operations and prove hypotheses
     • Benefit:
       • Proof reuse
       • Single protocol can be instance of multiple templates, allowing modular proofs
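The challenge-response template of slide 18 (and the signature instance of slide 9), instantiated as SKID3 with a keyed hash, as an added example that is not part of the talk or the PCL project's code. The shared key K_AB, the identities, and the tampering switch are constructed for the demo; the "noid" instantiation is a deliberately weakened variant that omits the peer identity from F and G, showing why the template's hypotheses about the function variables (Step 2 above) must bind identities.

```python
import hashlib
import hmac
import secrets

# Constructed shared key for the SKID3 instantiation; a placeholder, not a real secret.
K_AB = b"constructed-demo-key-K_AB"


def h_kab(*parts: bytes) -> bytes:
    """H_KAB: keyed hash over the '|'-joined parts (SKID3's keyed-hash primitive)."""
    return hmac.new(K_AB, b"|".join(parts), hashlib.sha256).digest()


# SKID3 instantiation of the template's function variables F and G.
# Each tag carries the peer's identity, which keeps F and G distinct.
def F_skid3(b: bytes, a: bytes, n: bytes, m: bytes) -> bytes:
    return h_kab(n, m, b)          # F(B,A,n,m) = H_KAB(n, m, B)


def G_skid3(a: bytes, b: bytes, n: bytes, m: bytes) -> bytes:
    return h_kab(n, m, a)          # G(A,B,n,m) = H_KAB(n, m, A)


# Weakened instantiation that drops the identities, so F and G coincide.
def F_noid(b: bytes, a: bytes, n: bytes, m: bytes) -> bytes:
    return h_kab(n, m)


def G_noid(a: bytes, b: bytes, n: bytes, m: bytes) -> bytes:
    return h_kab(n, m)


def run_template(a: bytes, b: bytes, F, G, reflect_msg2: bool = False):
    """Run A -> B: m ; B -> A: n, F(B,A,n,m) ; A -> B: G(A,B,n,m).
    Returns (a_accepts, b_accepts). With reflect_msg2, B is handed its own
    msg2 tag in place of msg3, modelling a reflection of B's message."""
    m = secrets.token_bytes(16)                               # msg1: A's challenge
    n = secrets.token_bytes(16)                               # msg2: B's nonce
    tag2 = F(b, a, n, m)
    a_accepts = hmac.compare_digest(tag2, F(b, a, n, m))      # A checks msg2
    tag3 = tag2 if reflect_msg2 else G(a, b, n, m)            # msg3 as delivered to B
    b_accepts = hmac.compare_digest(tag3, G(a, b, n, m))      # B checks msg3
    return a_accepts, b_accepts
```

With identities bound, a reflected msg2 tag never verifies as msg3; with the "noid" variant it does, which is the kind of hypothesis violation the template proof cannot cover.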

  20. Proof Structure (diagram)
     • Template: proof from axioms and hypotheses
     • Instance: bulk of proof reused; additional work to discharge hypotheses

  21. Summary
     • PCL - Logic for security protocols
       • Sound wrt symbolic and cryptographic models
       • High-level short proofs: 2-3 pages
     • Proof techniques
       • Modular/compositional proofs
       • Generic template-style proofs
     • Proofs of industrial protocols
       • IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2 (unpublished), Mobile IPv6 (in progress)

  22. Acknowledgements
     • PCL Design
       • A. Datta, A. Derek, N. Durgin, J. C. Mitchell, D. Pavlovic, A. Roy
     • Computational PCL Design
       • A. Datta, A. Derek, J. C. Mitchell, A. Roy, M. Turuani, V. Shmatikov, B. Warinschi
     • PCL Applications (in addition)
       • M. Backes, I. Cervasato, C. He, C. Meadows, M. Sundararajan
     • PCL Project Page:
       • http://www.stanford.edu/~danupam/logic-derivation.html

  23. Thanks! Questions?

  24. Attacks on Industry Standards
     • IKE [Meadows; 1999]
       • Reflection attack; fix adopted by IETF WG
     • IEEE 802.11i [He, Mitchell; 2004]
       • DoS attack; fix adopted by IEEE WG
     • GDOI [Meadows, Pavlovic; 2004]
       • Composition attack; fix adopted by IETF WG
     • Kerberos V5 [Scedrov et al; 2005]
       • Identity misbinding attack; fix adopted by IETF WG; Windows update released by Microsoft
     Identified using logical methods

  25. Protocol Analysis Techniques (diagram; axis from bug finding to correctness proofs)
     • Cryptographic Protocol Analysis
       • Formal Models: Dolev-Yao (perfect cryptography)
         • Model Checking: FDR, Murphi, Athena, NRL, Brutus, OFMC
         • Protocol Logics: BAN, PCL
         • Process Calculi: Spi-calculus, Applied π-calculus
         • Theorem Proving: Inductive Method, Automating BAN, TAPS, Automating PCL
         • …
       • Cryptographic Models: Probabilistic Interactive TM, Probabilistic process calculi, Probabilistic I/O automata, Computational PCL

  26. Communication Setting (diagram): parties communicate over an insecure network; the attacker has full control of it

  27. Open Problems in 2000
     • Background:
       • Precise model of protocol execution
       • Methods applied to simple protocols [Clark-J97]
     • Central open problems:
       • Develop methods for industrial protocols
         • [Mea99, Pau99] exceptions: SET, IKE, Kerberos
         • Compositional analysis technique required for practice
       • Cryptographic soundness
         • Remove perfect cryptography assumption
         • Analysis should be sound wrt complexity-theoretic model of cryptography

  28. PCL: Syntax
     • Action formulas: a ::= Send(P,t) | Receive(P,t) | …
     • Formulas:  ::= a | Has(P,t) | Honest(N) |  | 1 2 | x  | a < a | …
     • Modal formula: [ actions ]P 
     • Example (specifying secrecy): Has(X, secret)  ( X = A  X = B )

  29. Compositional Security (diagram: protocol Q run in an environment of protocols Q1, Q2, Q3, …, Qn; Safe Environment for Q)
     • Modularity in CS:
       • Programming Languages
       • Distributed computing
       • Hardware verification
     • Different from:
       • Assume-guarantee in distributed computing [MC81]
       • Universal Composability [C01, PW01]
     Hard problem in security!

  30. Protocol Analysis Spectrum (chart: x-axis Protocol complexity, Low to High; y-axis Strength of attacker model, Low to High)
     • Low attacker model: Model checking (FDR, Murphi), BAN logic
     • Middle: Athena, Paulson, NRL, Multiset rewriting, Spi-calculus, PCL (divide and conquer)
     • High attacker model: Hand proofs, BPW, MW, Herz, Blan, Poly-time calculus, Computational PCL (combining logic and cryptography)
     • Holy Grail: high attacker model at high protocol complexity