Security Analysis of Network Protocols
Anupam Datta, Stanford University
May 18, 2005
This talk is about…
• Industrial network security protocols
  • Internet Engineering Task Force (IETF) standards
    • SSL/TLS – web authentication
    • IPSec – corporate VPNs
    • Mobile IPv6 – routing security
    • Kerberos – network authentication
    • GDOI – secure group communication
  • IEEE Standards Working Group
    • 802.11i – wireless security
• And methods for their security analysis
  • Security proof in some model; or
  • Identify attacks
(See also the earlier talk by John Mitchell.)
Outline
Part I: Overview
• Motivation
• Central problems
• Divide and Conquer paradigm
• Combining logic and cryptography
• Results
Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations
Security Analysis Methodology (figure)
Protocol + Property + Attacker model → Analysis Tool → Security proof or attack
Worked instance from the figure:
• Protocol: SSL
• Property: authentication
• Attacker model: complete control over the network; perfect crypto
• Our tool: Protocol Composition Logic (PCL)
• Result: 42-line axiomatic proof
IEEE 802.11i wireless security [2004] (figure)
Parties: Wireless Device, Access Point, Authentication Server
Phases, in order:
• 802.11 Association
• EAP/802.1X/RADIUS Authentication
• 4-way handshake
• Group key handshake
• Data communication
Uses crypto: encryption, hash, …
Analysis themes applied here:
• Divide-and-conquer paradigm
• Combining logic and cryptography
Central Problem 1: Composition is a hard problem in security
Divide-and-Conquer paradigm
• Result: Protocol Derivation System [DDMP03-05]
  • Incremental protocol construction
• Result: Protocol Composition Logic (PCL) [DDDMP01-05]
  • Compositional correctness proofs
• Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], [Pfitzmann-Waidner01], …
Central Problem 2: Combining logic and cryptography
• Symbolic model [NS78, DY84]
  - Perfect cryptography assumption
  + Idealization => tools and techniques
• Complexity-theoretic model [GM84]
  + More detailed model; probabilistic guarantees
  - Hand-proofs very hard; no automation
• Result: Computational PCL [DDMST05]
  + Logical proof methods
  + Complexity-theoretic crypto model
• Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]
Applied to industrial protocols
• IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG) [He et al]
• IKEv2 [IETF Internet Draft; 2004] [Aron et al]
• TLS/SSL [RFC 2246; 1999] [He et al]
• Mobile IPv6 [RFC 3775; 2004] (New Attack!) [Roy et al]
• Kerberos V5 [IETF Internet Draft; 2004] [Cervesato et al]
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Attack! Fix adopted by IETF WG) [Meadows et al]
Protocol analysis spectrum (figure)
Axes: strength of attacker model (low to high) against protocol complexity (low to high).
Approaches plotted on the figure:
• Model checking: FDR, Murφ
• Athena, Paulson, NRL, BAN logic
• Spi-calculus, multiset rewriting, protocol logic
• Poly-time calculus, hand proofs, computational protocol logic
• Holy Grail: strong attacker model and high protocol complexity together
Arrows: "Divide and conquer" pushes along the protocol-complexity axis; "Combining logic and cryptography" pushes along the attacker-strength axis.
Outline Part I: Overview Part II: Protocol Composition Logic • Compositional Reasoning • Complexity-theoretic foundations
Challenge-Response: Proof Idea
Protocol between A and B:
  A → B: m, A
  B → A: n, sigB{m, n, A}
  A → B: sigA{m, n, B}
• Alice reasons: if Bob is honest, then:
  • only Bob can generate his signature. [protocol independent]
  • if Bob generates a signature of the form sigB{m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg 1 from Alice. [protocol specific]
• Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)
Reasoning method
• Reason about local information
  • I know my own actions
• Incorporate knowledge of protocol
  • Honest people faithfully follow protocol
• No explicit reasoning about intruder
  • Absence of bad action expressed as a positive property of good actions
  • E.g., honest agent’s signature can be produced only by the agent
This distinguishes our method from existing techniques.
Formalism
• Cord calculus
  • Protocol programming language
  • Execution model (symbolic/“Dolev-Yao”)
• Protocol logic
  • Expressing protocol properties
• Proof system
  • Proving protocol properties
  • Soundness theorem
Challenge-Response as Cords
Protocol between A and B:
  A → B: m, A
  B → A: n, sigB{m, n, A}
  A → B: sigA{m, n, B}

InitCR(A, X) = [
  new m;
  send A, X, m, A;
  receive X, A, x, sigX{m, x, A};
  send A, X, sigA{m, x, X};
]

RespCR(B) = [
  receive Y, B, y, Y;
  new n;
  send B, Y, n, sigB{y, n, Y};
  receive Y, B, sigY{y, n, B};
]
Challenge Response: Property
• Modal form: precondition [ actions ]P postcondition, where the subscript P names the principal executing the actions
• precondition: Fresh(A, m)
• actions: [ Initiator role actions ]A
• postcondition: Honest(B) ⊃ ActionsInOrder(
    send(A, {A, B, m}),
    receive(B, {A, B, m}),
    send(B, {B, A, {n, sigB{m, n, A}}}),
    receive(A, {B, A, {n, sigB{m, n, A}}}) )
Proof System
• Sample axioms:
  • Reasoning about possession:
    [receive m]A Has(A, m)
    Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
  • Reasoning about crypto primitives:
    Honest(X) ∧ Decrypt(Y, encX{m}) ⊃ X = Y
    Honest(X) ∧ Verify(Y, sigX{m}) ⊃ ∃m’. (Send(X, m’) ∧ Contains(m’, sigX{m}))
• Soundness theorem:
  • Every provable formula is valid
Outline Part I: Overview Part II: Protocol Composition Logic • Compositional Reasoning • Complexity-theoretic foundations
Reasoning about Composition
• Non-destructive combination:
  • Ensure combined parts do not interfere
  • In logic: invariance assertions
• Additive combination:
  • Accumulate security properties of combined parts, assuming they do not interfere
  • In logic: before-after assertions
Proof steps (Intuition)
• Protocol-independent reasoning
  • Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
  • Still good: unaffected by composition
• Protocol-specific reasoning
  • “if honest Bob generates a signature of the form sigB{m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg 1 from Alice”
  • Could break: Bob’s signature from one protocol could be used to attack another
• Technically:
  • Protocol-specific proof steps use invariants
  • Invariants must be preserved for safe composition
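The Challenge-Response cords and the composition hazard on this slide, as an added symbolic model in Python (not code from the talk or from the PCL tools). It keeps the perfect-cryptography assumption by representing sigX{…} as a tagged tuple that only X can build, and gives the attacker E complete control of the network by letting the scenario code decide what each principal receives. The message encoding, the attacker scripts and the second protocol "Notary" (in which the same B signs any triple it is handed) are hypothetical, chosen only to show how a signature produced in another protocol breaks the protocol-specific invariant that B signs {y, n, Y} only as message 2 of CR.

```python
"""Symbolic model of Challenge-Response (CR) under composition.  Added
illustration, not the talk's own code; signatures are unforgeable tagged tuples
(perfect crypto), the attacker E controls delivery, and the Notary role is a
hypothetical second protocol run by the same principal B."""

from dataclasses import dataclass, field


def sig(signer, payload):
    """sigSigner{payload}: under perfect crypto only `signer` can build it."""
    return ("sig", signer, payload)


def verify(signer, term, payload):
    return term == ("sig", signer, payload)


@dataclass
class Trace:
    """Global log of (principal, action, message); ActionsInOrder reads it."""
    events: list = field(default_factory=list)

    def send(self, who, msg):
        self.events.append((who, "send", msg))

    def receive(self, who, msg):
        self.events.append((who, "receive", msg))

    def actions_in_order(self, *expected):
        """True iff the expected events occur in the log in this order."""
        i = 0
        for ev in self.events:
            if i < len(expected) and ev == expected[i]:
                i += 1
        return i == len(expected)


def init_cr_msg1(tr, A, X, m):
    """InitCR(A, X), first step: new m; send A, X, m, A."""
    msg1 = (A, X, m, A)
    tr.send(A, msg1)
    return msg1


def init_cr_msg3(tr, A, X, m, msg2):
    """InitCR(A, X), rest: receive X, A, x, sigX{m, x, A}; send A, X, sigA{m, x, X}.
    Returns msg3, or None when A rejects msg2."""
    if not (isinstance(msg2, tuple) and len(msg2) == 4):
        return None
    src, dst, x, s = msg2
    if src != X or dst != A or not verify(X, s, (m, x, A)):
        return None
    tr.receive(A, msg2)
    msg3 = (A, X, sig(A, (m, x, X)))
    tr.send(A, msg3)
    return msg3


def resp_cr_msg2(tr, B, msg1, n):
    """RespCR(B): receive Y, B, y, Y; new n; send B, Y, n, sigB{y, n, Y}."""
    Y, dst, y, Y2 = msg1
    if dst != B or Y2 != Y:
        return None
    tr.receive(B, msg1)
    msg2 = (B, Y, n, sig(B, (y, n, Y)))
    tr.send(B, msg2)
    return msg2


def notary(tr, B, req):
    """Hypothetical second protocol: on receive Y, B, t reply with sigB{t}."""
    Y, dst, t = req
    if dst != B:
        return None
    tr.receive(B, req)
    reply = (B, Y, sig(B, t))
    tr.send(B, reply)
    return reply


def honest_run():
    """A and B run CR, E only forwards.  Returns (A accepted, postcondition holds)."""
    tr = Trace()
    msg1 = init_cr_msg1(tr, "A", "B", "m1")      # "m1", "n1": constructed nonces
    msg2 = resp_cr_msg2(tr, "B", msg1, "n1")
    accepted = init_cr_msg3(tr, "A", "B", "m1", msg2) is not None
    holds = tr.actions_in_order(("A", "send", msg1), ("B", "receive", msg1),
                                ("B", "send", msg2), ("A", "receive", msg2))
    return accepted, holds                       # (True, True)


def impersonation_attempt():
    """E answers A's challenge without B; E can only sign as E, so A rejects."""
    tr = Trace()
    init_cr_msg1(tr, "A", "B", "m2")
    forged = ("B", "A", "nE", sig("E", ("m2", "nE", "A")))
    return init_cr_msg3(tr, "A", "B", "m2", forged) is None   # True


def composition_attack():
    """CR composed with Notary: E has B sign (m, nE, A) in the Notary role and
    replays it as CR message 2.  Returns (A accepted, B actually ran RespCR)."""
    tr = Trace()
    msg1 = init_cr_msg1(tr, "A", "B", "m3")
    m = msg1[2]                                  # E intercepts A's challenge
    reply = notary(tr, "B", ("E", "B", (m, "nE", "A")))
    forged = ("B", "A", "nE", reply[2])
    accepted = init_cr_msg3(tr, "A", "B", m, forged) is not None
    b_ran_cr = tr.actions_in_order(("B", "receive", msg1), ("B", "send", forged))
    return accepted, b_ran_cr                    # (True, False)
```

In the honest run A accepts and the ActionsInOrder postcondition is true of the log; in the second scenario E cannot produce sigB{m, n, A} and A aborts, which is the protocol-independent step of the proof. In the third scenario A still accepts, yet B never received message 1 or sent message 2 of CR: the signature came from the Notary role, so the CR-specific invariant no longer holds for the composed system, which is exactly why PCL requires every protocol in the environment to preserve the invariants a proof depends on.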
Composing protocols (figure)
• DH (Diffie-Hellman key exchange) proves Secrecy under its own invariant, of the form Honest(X) ⊃ …
• CR (Challenge-Response) proves Authentication under its own invariant, of the form Honest(X) ⊃ …
• Under both invariants together, each proof still goes through, so the composed protocol satisfies Secrecy and Authentication [additive]
• The sequential composition DH;CR preserves both invariants [nondestructive]
• Hence DH;CR, which is the ISO-9798-3 protocol, satisfies Secrecy ∧ Authentication
Sequential and parallel composition theorems
Composition Rules
• Invariant weakening rule: if a modal formula [ … ]P is provable from a set of invariants, it remains provable from any larger set of invariants
• Sequential composition: from precondition [ S ]P intermediate and intermediate [ T ]P postcondition, conclude precondition [ S;T ]P postcondition
• Prove invariants from protocol: if protocols Q and Q’ each preserve an invariant, their parallel composition preserves it
Composition: Big Picture
• Protocol Q proves its own invariants: Q |- Inv(Q)
• The security property of Q follows from the invariants: Inv(Q) |- property of Q
• Every protocol Qi in the environment preserves those invariants: Qi |- Inv(Q)
• No reasoning about the attacker
Safe environment for Q: protocols Q1, Q2, Q3, …, Qn running alongside protocol Q
• Different from:
  • Assume-guarantee in distributed computing [MC81]
  • Universal Composability [C01, PW01]
Outline Part I: Overview Part II: Protocol Composition Logic • Compositional Reasoning • Complexity-theoretic foundations
Two worlds Can we get the best of both worlds?
Our Approach
• Protocol Composition Logic (PCL) [talk so far]
  • Syntax
  • Proof System
  • Semantics: symbolic “Dolev-Yao” model
• Computational PCL [leverage PCL success…]
  • Syntax ± (with small changes)
  • Proof System ± (with small changes)
  • Semantics: complexity-theoretic model
Soundness of proof system
• Information-theoretic reasoning:
  [new u]X (Y ≠ X) ⊃ Indistinguishable(Y, u)
• Complexity-theoretic reductions:
  Source(Y, u, {m}X) ∧ Decrypts(X, {m}X) ∧ Honest(X, Y) ∧ (Z ≠ X, Y) ⊃ Indistinguishable(Z, u)
  Reduction to an IND-CCA2-secure encryption scheme
• Asymptotic calculations:
  Sum of two negligible functions is a negligible function
Logic and Cryptography: Big Picture
Layers, from top to bottom:
• Protocol security proofs using the proof system
• Axioms in the proof system
• Semantics and soundness theorem
• Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
• Crypto constructions satisfying the definitions (e.g., Cramer-Shoup encryption scheme)
Summary
• Methodology:
  • Divide-and-conquer paradigm in security
  • Combining logic and cryptography
• Applications:
  • IEEE 802.11i (Attack! Fix adopted by IEEE WG)
  • GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
  • IKEv2 [IETF Internet Draft; 2004]
  • TLS [RFC 2246; 1999]
  • Kerberos V5 [IETF Internet Draft; 2004]
  • Mobile IPv6 [RFC 3775; 2004] (New Attack!)
Selected Publications
• A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic:
  • A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue]
  • Secure Protocol Composition [MFPS03]
  • Abstraction and refinement in protocol derivation [CSFW04]
• A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial-time semantics for a protocol security logic [ICALP05]
• C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i [In submission]
www.stanford.edu/~danupam