280 likes | 421 Views
Abstraction and Refinement in Protocol Derivation. Anupam Datta Ante Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June 28, 2004. Project Goals. Protocol derivation Build security protocols by combining and refining parts from basic protocols.
E N D
Abstraction and Refinement in Protocol Derivation Anupam Datta Ante Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June 28, 2004
Project Goals • Protocol derivation • Build security protocols by combining and refining parts from basic protocols. • Proof of correctness • Prove protocols correct using logic that follows steps of derivation.
Outline • Background • Derivation System[CSFW03] • Compositional Logic[CSFW01,CSFW03] • Abstraction and Refinement • Methods • Applications • Conclusions and Future Work
Example • Construct protocol with properties: • Shared secret • Authenticated • Identity Protection • Design requirements forIKE, JFK, IKEv2(IPSec key exchange protocol)
Component 1 Diffie Hellman • Shared secret (with someone) • A deduces: Knows(Y, gab) (Y = A) ۷ Knows(Y,b) • Authenticated • Identity Protection A B: ga B A: gb
Component 2 Challenge-Response • Shared secret • Authenticated • A deduces: Received (B, msg1) Λ Sent (B, msg2) • Identity Protection A B: m, A B A: n, sigB {m, n, A} A B: sigA {m, n, B}
Composition m := ga n := gb ISO-9798-3 • Shared secret: gab • Authenticated • Identity Protection A B: ga, A B A: gb, sigB {ga, gb, A} A B: sigA {ga, gb, B}
Refinement Encrypt Signatures • Shared secret: gab • Authenticated • Identity Protection A B: ga, A B A: gb, EK {sigB {ga, gb, A}} A B: EK {sigA {ga, gb, B}}
Outline • Background • Derivation System • Compositional Logic • Abstraction and Refinement • Methods • Applications • Conclusions and Future Work
Challenge-Response: Proof Idea m, A n, sigB {m, n, A} A B sigA {m, n, B} • Alice reasons: if Bob is honest, then: • only Bob can generate his signature. [protocol independent] • if Bob generates a signature of the form sigB {m, n, A}, • he sends it as part of msg 2 of the protocol and • he must have received msg1 from Alice. [protocol specific] • Alice deduces:Received (B, msg1) Λ Sent (B, msg2)
Formalism • Cord calculus • Protocol programming language • Protocol logic • Expressing protocol properties • Proof system • Proving protocol properties Symbolic (“Dolev-Yao”) model
Challenge-Response as Cords m, A n, sigB {m, n, A} A B sigA {m, n, B} RespCR(B) = [ receive Y, B, y, Y; new n; send B, Y, n, sigB{y, n, Y}; receive Y, B, sigY{y, n, B}; ] InitCR(A, X) = [ new m; send A, X, m, A; receive X, A, x, sigX{m, x, A}; send A, X, sigA{m, x, X}; ]
Correctness of CR InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sigX{m, x, A}}; send A, X, sigA{m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sigB{y, n, Y}}; receive Y, B, sigY{y, n, B}}; ] CR |- [ InitCR(A, B) ] A Honest(B) ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sigB {m, n, A}}}), Receive(A, {B,A,{n, sigB {m, n, A}}}) )
Proof System • Sample Axioms: • Reasoning about possession: • Has(A, {m}K) Has(A, K) Has(A, m) • Has(A, {m,n}) Has(A, m) Has(A, n) • Reasoning about crypto primitives: • Honest(X) Decrypt(Y, encX{m}) X=Y • Honest(X) Verify(Y, sigX{m}) m’ (Send(X, m’) Contains(m’, sigX{m}) • Protocol-specific Rule:Honesty/Invariance rule • Soundness Theorem: Every provable formula is valid
Outline • Background • Derivation System • Compositional Logic • Abstraction and Refinement • Methods • Applications • Conclusions and Future Work
Protocol Templates • Protocols with function variables instead of specific cryptographic operations • Idea: One template can be instantiated to many protocols • Advantages: • proof reuse • design principles/patterns
Example Challenge-Response Template A B: m B A: n, F(B,A,n,m) A B: G(A,B,n,m) Abstraction A B: m B A: n,EKAB(n,m,B) A B: EKAB(n,m) A B: m B A: n,HKAB(n,m,B) A B: HKAB(n,m,A) A B: m B A: n, sigB(n,m,A) A B: sigA(n,m,B) ISO-9798-2 SKID3 ISO-9798-3 Instantiations
Extending Formalism • Language Extensions: Add function variables to term language for cords and logic (HOL) • Semantics:Q |= φ σQ |= σφ, for all substitutions σ eliminating all function variables • Soundness Theorem: Every provable formula is valid
Abstraction-Instantiation Method(1) • Characterizing protocol concepts • Step 1: Under hypotheses about function variables and invariants, prove security property of template • Step 2: Instantiate function variables to cryptographic operations and prove hypotheses. • Benefit: • Proof reuse
Example Challenge-Response Template A B: m B A: n, F(B,A,n,m) A B: G(A,B,n,m) • Step 1: • Hypotheses: Function F(B,A,n,m) can be computed only by B or A,… • Property: Mutual authentication • Step 2: • Instantiate F() to signature, keyed hash, encryption (ISO-9798-2,3, SKID3) • Satisfies hypotheses => Guarantees mutual authentication
Proof Structure Discharge hypothesis axiom hypothesis Proof reuse Instance Template
Abstraction-Instantiation Method(2) • Combining protocol templates If protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both. • Benefits: • Modular proofs of properties • Formalization of protocol refinements
Refinement Example Revisited Encrypt Signatures Two templates: • Template 1: authentication + shared secret (Preserves existing properties; proof reused) • Template 2: identity protection (encryption) (Adds new property) A B: ga, A B A: gb, EK {sigB {ga, gb, A}} A B: EK {sigA {ga, gb, B}}
Authenticated key exchange AKE1 AKE2 A B: ga, A B A: gb, F(B,A,gb,ga) A B: G(A,B,ga,gb) A B: ga B A: gb, F(B,gb,ga), F’(B,gab) A B: G(A,ga, gb), G’(A,gab) ISO-9798-3, JFKi STS, JFKr, IKEv2, SIGMA • Shared secret • Stronger authentication • Identity protection for B • Non-repudiation • Shared secret • Weaker authentication • Identity protection for A • Repudiability H. Krawczyk: The Cryptography of the IPSec and IKE Protocols [CRYPTO’03]
More examples… • Authenticated Key Exchange: • Template for JFKr, STS, IKE, IKEv2 • Key Computation: • Template for Diffie-Hellman, UM, MTI/A, MQV • Combining these templates
Synthesis: STS-MQV protect identities symmetric hash STSPH DH STSP RFK STS authenticate cookie MTI/A MTIC MTIRFK MTICPH MTICP key conf. UM UMC UMCPH UMRFK UMCP MQV MQVRFK MQVCPH MQVC MQVCP
Conclusions • Abstraction-Instantiation using protocol templates: • Single proof for similar protocols from common template • Multiple protocol properties from different templates • Logical foundation: • Add function variables to protocol language and logic • Applications: • CR template: ISO-9798-2,3, SKID3 • Identity protection refinement in JFK • Design principles: IKEv2, JFKi, JFKr, ISO, STS, SIGMA, IKE • Synthesis: DH-MQV + STS-JFKr
Future Work • Done: • Derivation idea successfully applied to large set of protocol examples • Rigorous treatment of composition, refinement in protocol logic • Work In Progress: • Tool support for derivation system and logic • Formalization of protocol transformations • More applications