Security Analysis of Network Protocols: Logical and Computational Methods
John Mitchell, Stanford University
ICALP and PPDP, 2005
Outline
• Protocols
  • Some examples, some intuition
• Symbolic analysis of protocol security
  • Models, results, tools
• Computational analysis
  • Communicating Turing machines, composability
• Combining symbolic, computational analysis
  • Some alternate approaches
  • Protocol Composition Logic (PCL)
  • Symbolic and computational semantics
Many Protocols
• Authentication
  • Kerberos
• Key Exchange
  • SSL/TLS handshake, IKE, JFK, IKEv2, …
• Wireless and mobile computing
  • Mobile IP, WEP, 802.11i
• Electronic commerce
  • Contract signing, SET, electronic cash, …
Mobile IPv6 Architecture
• Authentication is a requirement
• Early proposals weak
(Diagram: IPv6 network with a Mobile Node (MN), its Home Agent (HA) and a Corresponding Node (CN); the MN sends a binding update directly to the CN.)
802.11i Wireless Authentication
(Diagram of the supplicant state machine:)
• Supplicant UnAuth/UnAssoc, 802.1X Blocked, No Key
• 802.11 Association
• EAP/802.1X/RADIUS Authentication → MSK
• 4-Way Handshake → PTK/GTK
• Group Key Handshake
• Supplicant Auth/Assoc, 802.1X UnBlocked → Data Communication
IKE subprotocol from IPSEC
• m1: A → B: A, (g^a mod p)
• m2: B → A: B, (g^b mod p), sign_B(m1, m2)
• A → B: sign_A(m1, m2)
Result: A and B share secret g^ab mod p
Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks
Needham-Schroeder Protocol
• A → B: {A, NonceA}_Kb
• B → A: {NonceA, NonceB}_Ka
• A → B: {NonceB}_Kb
Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1
Anomaly in Needham-Schroeder [Lowe]
Messages between A and E:
• A → E: {A, Na}_Ke
• E → A: {Na, Nb}_Ka
• A → E: {Nb}_Ke
Messages between E and B:
• E → B: {A, Na}_Kb
• B → E: {Na, Nb}_Ka
• E → B: {Nb}_Kb
Evil agent E tricks honest A into revealing B's private nonce Nb. Evil E can then fool B.
Run of a protocol
(Diagram: principals A, B, C, D, some initiating and some responding, with an attacker on the network.)
Correct if no security violation in any run
Protocol analysis methods
• Cryptographic reductions
  • Bellare-Rogaway, Shoup, many others
  • UC [Canetti et al], Simulatability [BPW]
  • Prob poly-time process calculus [LMRST…]
• Symbolic methods
  • Model checking
    • FDR [Lowe, Roscoe, …], Murphi [M, Shmatikov, …], …
  • Symbolic search
    • NRL protocol analyzer [Meadows]
  • Theorem proving
    • Isabelle [Paulson …], Specialized logics [BAN, …]
See papers in PPDP, ICALP proceedings for references
“The” Symbolic Model
• Messages are algebraic expressions
  • Nonce, Encrypt(K,M), Sign(K,M), …
• Adversary
  • Nondeterministic
  • Observe, store, direct all communication
  • Break messages into parts
  • Encrypt, decrypt, sign only if it has the key
    • Example: from K1, Encrypt(K1, “hi”) the adversary obtains “hi”
  • Send messages derivable from stored parts
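As an added illustration (not code from the talk), here is a small Dolev-Yao deduction check in Python for the symbolic model just described: it closes the adversary's stored messages under the “break into parts” rules and then asks whether a target term is derivable. The Needham-Schroeder messages and the names Na, Nb, Ka, Kb are constructed here; the check confirms the earlier slide's claim that an observer without Ka^-1 or Kb^-1 learns neither nonce.

```python
# Dolev-Yao message deduction for the symbolic model above.  Terms are
# strings (atoms) or tuples; everything here is constructed for this example.
#   ("pair", a, b)  concatenation       ("senc", k, m)  symmetric encryption
#   ("enc", k, m)   public-key encryption under public key k
#   ("inv", k)      private key matching public key k

def analyse(known):
    """Close a set of terms under the adversary's 'break into parts' rules."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            new = set()
            if isinstance(t, tuple):
                if t[0] == "pair":
                    new = {t[1], t[2]}
                elif t[0] == "senc" and t[1] in known:          # has the symmetric key
                    new = {t[2]}
                elif t[0] == "enc" and ("inv", t[1]) in known:  # has the private key
                    new = {t[2]}
            if not new <= known:
                known |= new
                changed = True
    return known

def derivable(target, known):
    """Can the adversary send `target`: analyse what it stored, then rebuild by pairing/encrypting."""
    facts = analyse(known)
    def synth(t):
        if t in facts:
            return True
        if isinstance(t, tuple) and t[0] in ("pair", "senc", "enc"):
            return synth(t[1]) and synth(t[2])
        return False
    return synth(target)

# Slide example: from K1 and Encrypt(K1, "hi") the adversary obtains "hi"
SLIDE = {"K1", ("senc", "K1", "hi")}

# The three Needham-Schroeder messages as seen by an observer of the network
# (constructed names; Ka, Kb are public keys, the observer holds no private key)
NS_OBSERVED = {"A", "B", "Ka", "Kb",
               ("enc", "Kb", ("pair", "A", "Na")),
               ("enc", "Ka", ("pair", "Na", "Nb")),
               ("enc", "Kb", "Nb")}

def nonces_learned(knowledge):
    """Which of the two private numbers can be derived from `knowledge`?"""
    return derivable("Na", knowledge), derivable("Nb", knowledge)
```

Adding either private key to the observer's knowledge flips both answers to True, which is exactly the “without Ka^-1, Kb^-1” condition on the slide.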
Many formulations
• Word problems [Dolev-Yao, Dolev-Even-Karp, …]
  • Each protocol step is a symbolic function from input message to output message; cancellation law d_k e_k x = x
• Rewrite systems [CDLMS]
  • Each protocol step is a symbolic function from state and input message to state and output message
• Logic programming [Meadows NRL Analyzer]
  • Each protocol step can be defined by logical clauses
  • Resolution used to perform reachability search
• Constraint solving [Amadio-Lugiez, …]
  • Write set constraints defining messages known at step i
• Strand space model [MITRE]
  • Partial order (Lamport causality), reasoning methods
• Process calculus [CSP, Spi-calculus, applied π, …]
  • Each protocol step is a process that reads, writes on a channel
  • Spi-calculus: use ν for new values, private channels, simulate crypto
Complexity results (see [Cortier et al])
Additional results for variants of basic model (AC, xor, modular exp, …)
Many protocol case studies
• Murphi [Shmatikov, He, …]
  • SSL, Contract signing, 802.11i, …
• Meadows NRL tool
  • Participation in IETF, IEEE standards
  • Many important examples
• Paulson inductive method; Scedrov et al
  • Kerberos, SSL, SET, many more
• Protocol logic
  • BAN logic and successors (GNY, SvO, …)
  • DDMP …
Computational model I [Bellare-Rogaway, Shoup, …]
(Diagram: an adversary with an input tape and a work tape interacts with “Alice” and “Bob” oracles through oracle tapes.)
Computational model II [Canetti, …]
(Diagram: the adversary and each protocol party are Turing machines communicating with one another.)
Computational security: encryption
• Passive adversary
  • Semantic security
• Chosen ciphertext attacks (CCA1)
  • Adversary can ask for decryption before receiving a challenge ciphertext
• Chosen ciphertext attacks (CCA2)
  • Adversary can ask for decryption before and after receiving a challenge ciphertext
Passive Adversary
• Attacker → Challenger: m0, m1
• Challenger → Attacker: E(mi)
• Attacker: guess 0 or 1
Chosen ciphertext CCA1
• Attacker → Challenger: c; Challenger → Attacker: D(c)   (before the challenge only)
• Attacker → Challenger: m0, m1
• Challenger → Attacker: E(mi)
• Attacker: guess 0 or 1
Chosen ciphertext CCA2
• Attacker → Challenger: c; Challenger → Attacker: D(c)
• Attacker → Challenger: m0, m1
• Challenger → Attacker: E(mi)
• Attacker → Challenger: c ≠ E(mj); Challenger → Attacker: D(c)
• Attacker: guess 0 or 1
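The three games above as an added Python example (not code from the talk): a challenger that enforces which decryption queries each game permits, run against a deliberately malleable toy scheme constructed here (message XORed with a keyed pad derived from a fresh nonce). The same one-bit-flip attacker wins every CCA2 game but is refused in the passive and CCA1 games, so the post-challenge query is exactly what separates the notions.

```python
import hashlib, hmac, os

class Challenger:
    """IND game in the three modes from the slides.  Decryption queries are
    allowed never (passive), only before the challenge (CCA1), or before and
    after it but not on the challenge itself (CCA2).  Constructed example."""
    def __init__(self, mode):
        assert mode in ("passive", "CCA1", "CCA2")
        self.mode, self.key, self.challenge, self.bit = mode, os.urandom(16), None, None

    def _pad(self, r, n):                 # keyed pad derived from the nonce r
        return hmac.new(self.key, r, hashlib.sha256).digest()[:n]

    def encrypt(self, m):                 # toy scheme: c = (r, m XOR PRF_k(r)); malleable on purpose
        r = os.urandom(16)
        return (r, bytes(a ^ b for a, b in zip(m, self._pad(r, len(m)))))

    def decrypt(self, c):
        if self.mode == "passive" or (self.mode == "CCA1" and self.challenge is not None):
            raise PermissionError("no decryption oracle in this phase")
        if c == self.challenge:
            raise PermissionError("the challenge ciphertext itself may not be decrypted")
        r, body = c
        return bytes(a ^ b for a, b in zip(body, self._pad(r, len(body))))

    def challenge_on(self, m0, m1):       # returns E(m_i) for a hidden bit i
        assert len(m0) == len(m1) and self.challenge is None
        self.bit = os.urandom(1)[0] & 1
        self.challenge = self.encrypt((m0, m1)[self.bit])
        return self.challenge

def malleability_attacker(ch):
    """Flip one ciphertext bit, query D on the result, undo the flip in the plaintext."""
    m0, m1 = b"attack at dawn", b"attack at dusk"
    r, body = ch.challenge_on(m0, m1)
    tweaked = (r, bytes([body[0] ^ 0x01]) + body[1:])   # differs from the challenge
    p = ch.decrypt(tweaked)                              # refused under passive / CCA1
    return 0 if bytes([p[0] ^ 0x01]) + p[1:] == m0 else 1

def attacker_wins(mode):
    """True if the attacker's guess equals the challenger's hidden bit."""
    ch = Challenger(mode)
    return malleability_attacker(ch) == ch.bit

def oracle_refuses(mode):
    """True when the game's rules stop the post-challenge decryption query."""
    try:
        attacker_wins(mode)
        return False
    except PermissionError:
        return True
```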
Universal composability (also “reactive simulatability” [BPW], …; see [DKMRS])
(Diagram, slide: R Canetti. Protocol execution: parties P1–P4 run the protocol with attacker A, while environment Z supplies input and observes output. Protocol security: parties P1–P4 call an ideal functionality F, with simulator S in place of the attacker and the same environment Z.)
(Diagram, slide: Y Lindell. REAL: protocol interaction with adversary A. IDEAL: interaction through a trusted party with adversary S. For every real adversary A there exists an adversary S.)
Some relevant approaches
• Simulation framework
  • Backes, Pfitzmann, Waidner
• Correspondence theorems
  • Micciancio, Warinschi
• Kapron-Impagliazzo logics
• Abadi-Rogaway passive equivalence
  • (K2, {01}K3), {({101}K2, K5)}K2, {{K6}K4}K5
  • (K2, □), {({101}K2, K5)}K2, {□}K5
  • (K1, □), {({101}K1, K5)}K1, {□}K5
  • (K1, {K1}K7), {({101}K1, K5)}K1, {{K6}K7}K5
  • Proposed as start of larger plan for computational soundness … [Abadi-Rogaway00, …, Adao-Bana-Scedrov05]
Symbolic methods ⇒ comp’l results
• Pereira and Quisquater, CSFW 2001, 2004
  • Studied authenticated group Diffie-Hellman protocols
  • Found symbolic attack in Cliques SA-GDH.2 protocol
  • Proved no protocol of certain type is secure, for >3 participants
• Micciancio and Panjwani, EUROCRYPT 2004
  • Lower bound for class of group key establishment protocols using purely Dolev-Yao reasoning
  • Model pseudo-random generators, encryption symbolically
  • Lower bound is tight; matches a known protocol
Rest of talk: Protocol composition logic
(Diagram: a protocol among honest principals and an attacker. Alice’s information consists of the protocol, her private data, and her sends and receives.)
Logic now has symbolic and computational semantics
Example
• A → B: {A, Noncea}_Kb
• B → A: {Noncea, …}_Ka
• Alice assumes that only Bob has Kb^-1
• Alice generated Noncea and knows that some X decrypted first message
• Since only X knows Kb^-1, Alice knows X=Bob
More subtle example: Bob’s view
• A → B: {A, Noncea}_Kb
• B → A: {Noncea, B, Nonceb}_Ka
• A → B: {Nonceb}_Kb
• Bob assumes that Alice follows protocol
• Since Alice responds to second message, Alice must have sent the first message
Execution model
• Protocol
  • “Program” for each protocol role
• Initial configuration
  • Set of principals and keys
  • Assignment of 1 role to each principal
• Run
(Diagram: a position in a run, with principals A, B and C exchanging {x}_B and {z}_B and B decrypting to x and z.)
Formulas true at a position in run
• Action formulas
  a ::= Send(P,m) | Receive(P,m) | New(P,t) | Decrypt(P,t) | Verify(P,t)
• Formulas
  φ ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | ¬φ | φ1 ∧ φ2 | ∃x.φ | ◇φ | ⊖φ
• Example
  After(a,b) = ◇(b ∧ ⊖◇a)
Notation in papers varies slightly …
Modal Formulas
• After actions, condition
  [ actions ]_P φ   where P = princ, role id
• Before/after assertions
  θ [ actions ]_P φ
• Composition rule
  θ [ S ]_P φ    φ [ T ]_P ψ
  ──────────────────────────
  θ [ S;T ]_P ψ
Logic formulated: [DMP, DDMP]
Related to: BAN, Floyd-Hoare, CSP/CCS, temporal logic, NPATRL
Example: Bob’s view of NSL
• Bob knows he’s talking to Alice
  [ receive encrypt( Key(B), A,m ); new n; send encrypt( Key(A), m, B, n ); receive encrypt( Key(B), n ) ]_B
    Honest(A) ⊃ Csent(A, msg1) ∧ Csent(A, msg3)
  where Csent(A, …) ≡ Created(A, …) ∧ Sent(A, …)
  (msg1 and msg3 label the first and third messages of the role above)
Proof System
• Sample Axioms:
  • Reasoning about possession:
    • [ receive m ]_A Has(A,m)
    • Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
  • Reasoning about crypto primitives:
    • Honest(X) ∧ Decrypt(Y, enc(X, {m})) ⊃ X=Y
    • Honest(X) ∧ Verify(Y, sig(X, {m})) ⊃ ∃m’. (Send(X, m’) ∧ Contains(m’, sig(X, {m})))
• Soundness Theorem:
  • Every provable formula is valid in symbolic model
Application: DH + CR = ISO 9798-3
• Initiator role of DH
  [ new a ]_I Fresh(I, g^a) ∧ HasAlone(I, a)
• Initiator role of CR
  Fresh(I, m) [ send … receive … B … send ]_I Honest(B) ⊃ ActionsInOrder(…)
• Combination
  • Substitute g^a for m in CR
  • Apply composition rule, persistence
  • Obtain assertion about ISO initiator
Additional issues
• Reasoning about honest principals
  • Invariance rule, called “honesty rule”
• Preserve invariants under composition
  • If we prove Honest(X) for protocol 1 and compose with protocol 2, is formula still true?
Composing protocols
(Diagram of the recovered judgments: invariant Γ contains DH-Honest(X) … and Γ’ contains CR-Honest(X) …; Γ ⊢ Secrecy, Γ’ ⊢ Authentication; then Γ’ ⊢ Secrecy and Γ’ ⊢ Authentication, giving Γ’ ⊢ Secrecy ∧ Authentication [additive]; DH; CR’ [nondestructive] = ISO, with Secrecy ∧ Authentication.)
Main results in ICALP Proceedings
• Computational PCL
  • Symbolic logic for proving security properties of network protocols using public-key encryption
• Soundness Theorem:
  • If a property is provable in CPCL, then property holds in computational model with overwhelming asymptotic probability.
• Benefits
  • Symbolic proofs about computational model
  • Computational reasoning in soundness proof (only!)
  • Different axioms rely on different crypto assumptions
PCL → Computational PCL
• Syntax, proof rules mostly the same
  • But not sure about propositional connectives…
• Significant difference
  • Symbolic “knowledge”
    • Has(X,t) : X can produce t from msgs that have been observed, by symbolic algorithm
  • Computational “knowledge”
    • Possess(X,t) : can produce t by ppt algorithm
    • Indistinguishable(X,t) : cannot distinguish t from random in ppt
• More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.
Complexity-theoretic semantics
• Q ⊨ φ if ∀ adversary A ∀ distinguisher D ∀ negligible function f ∃ n0 ∀ n > n0 s.t.
  |[[φ]](T,D,f(n))| / |T| > 1 – f(n)
  (the fraction represents a probability)
• Fix protocol Q, PPT adversary A
• Choose value of security parameter n
• Vary random bits used by all programs
• Obtain set T=T(Q,A,n) of equi-probable traces
(Diagram: [[φ]](T,D,f) drawn as a subset of T(Q,A,n).)
Inductive Semantics
• [[φ1 ∧ φ2]](T,D,ε) = [[φ1]](T,D,ε) ∩ [[φ2]](T,D,ε)
• [[φ1 ∨ φ2]](T,D,ε) = [[φ1]](T,D,ε) ∪ [[φ2]](T,D,ε)
• [[¬φ]](T,D,ε) = T − [[φ]](T,D,ε)
Implication uses conditional probability
• [[φ1 ⊃ φ2]](T,D,ε) = [[¬φ1]](T,D,ε) ∪ [[φ2]](T’,D,ε) where T’ = [[φ1]](T,D,ε)
Formula defines transformation on probability distributions over traces
Soundness of proof system
• Example axiom
  • Source(Y,u,{m}_X) ∧ ¬Decrypts(X, {m}_X) ∧ Honest(X,Y) ∧ (Z ≠ X,Y) ⊃ Indistinguishable(Z, u)
• Proof idea: crypto-style reduction
  • Assume axiom not valid: ∃A ∃D ∃ negligible f ∀n0 ∃n > n0 s.t.
    |[[φ]](T,D,f)| / |T| < 1 – f(n)
  • Construct attacker A’ that uses A, D to break IND-CCA2 secure encryption scheme
  • Conditional implication essential
Parts of proof are similar to [Micciancio, Warinschi]
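A toy Python rendering of the inductive semantics and of why the conditional implication matters (added example, not the paper's implementation): atoms are judged relative to the trace set they are evaluated in, and Indistinguishable is approximated by a balance test over that set, an assumption made here that stands in for the distinguisher D and the bound ε. On constructed traces where u is a fair coin overall but fixed whenever the honest party leaked it, the conditional reading of “leak ⊃ ¬Indistinguishable(u)” holds on every trace while the material-implication reading does not.

```python
# Toy version of the trace-set semantics on the slides: a formula maps a set
# of traces T to the subset where it holds, and implication judges its
# consequent on T' = [[antecedent]](T).  Constructed example: the distinguisher
# D and error bound are collapsed into a balance test over the current T.
import random
from collections import namedtuple

Trace = namedtuple("Trace", "id leak u")   # leak: X decrypted {m}_X and re-sent u

def balanced(T, slack=0.1):
    """Stand-in for Indistinguishable(Z, u): is u close to a fair coin over T?"""
    return not T or abs(sum(t.u for t in T) / len(T) - 0.5) <= slack

ATOMS = {"leak": lambda t, T: t.leak,
         "indist_u": lambda t, T: balanced(T)}   # depends on the set it is judged in

def sem(phi, T):
    op = phi[0]
    if op == "atom": return {t for t in T if ATOMS[phi[1]](t, T)}
    if op == "and":  return sem(phi[1], T) & sem(phi[2], T)
    if op == "or":   return sem(phi[1], T) | sem(phi[2], T)
    if op == "not":  return T - sem(phi[1], T)
    if op == "imp":                 # [[p -> q]](T) = [[not p]](T) U [[q]](T'), T' = [[p]](T)
        T1 = sem(phi[1], T)
        return (T - T1) | sem(phi[2], T1)
    raise ValueError(op)

def classical_imp(p, q, T):
    """Material implication with q judged on all of T, for comparison."""
    return (T - sem(p, T)) | sem(q, T)

def holds_fraction(phi, T):
    """|[[phi]](T)| / |T|: the probability the slides compare against 1 - f(n)."""
    return len(sem(phi, T)) / len(T)

def make_traces(n=1000, seed=1):
    """Constructed traces: u is a fair coin overall but always 1 once leaked."""
    rng = random.Random(seed)
    traces = []
    for i in range(n):
        leak = rng.random() < 0.05
        traces.append(Trace(i, leak, 1 if leak else rng.randint(0, 1)))
    return frozenset(traces)

# "If the honest party leaked u, then u is distinguishable from random"
LEAK_BREAKS_SECRECY = ("imp", ("atom", "leak"), ("not", ("atom", "indist_u")))
```

With the conditional reading the formula holds on all traces (fraction 1.0); the classical reading judges balance on the whole of T, where the leaked traces are drowned out, and loses every leaked trace.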
Applications of PCL
• IKE, JFK family key exchange
  • IKEv2 in progress
• 802.11i wireless networking
  • SSL/TLS, 4-way handshake, group handshake
• Kerberos v5 [Cervesato et al]
• GDOI [Meadows, Pavlovic]
• Future work
  • Use CPCL to understand computational security of these protocols, reliance on specific crypto properties
Advantages of Computational PCL
• High-level reasoning
  • Prove properties of protocols without explicit reasoning about probability, asymptotic complexity
• Sound for “real crypto”
• Composability
  • PCL is designed for protocol composition
• Identify crypto assumptions needed
Future Work
• Investigate nature of propositional fragment
  • Non-classical; involves some conditional probability
  • Complexity-theoretic reductions
  • Connections with probabilistic logics (e.g. Nilsson86)
• Generalize reasoning about secrecy
• Extend logic
  • More primitives: signature, hash functions, …
  • Remove current syntactic restrictions on formulas
• Information-theoretic semantics (thanks to A Scedrov)
  • Only probability; no complexity
• Other fundamental problems
  • See Kapron-Impagliazzo, etc.
Conclusion
• Symbolic model supports useful analysis
  • Tools, case studies, high-level proofs
• Computational model more “correct”
  • More accurately reflects realistic attack
• Two approaches can be combined
  • Several current projects and approaches
  • One example: computational semantics for symbolic protocol logic
Credits
• Collaborators
  • M. Backes, A. Datta, A. Derek, N. Durgin, C. He, R. Kuesters, D. Pavlovic, A. Ramanathan, A. Roy, A. Scedrov, V. Shmatikov, M. Sundararajan, V. Teague, M. Turuani, B. Warinschi, …
• More information
  • References in PPDP, ICALP proceedings
  • Web page on Protocol Composition Logic
    • http://www.stanford.edu/~danupam/logic-derivation.html
  • My web site for related projects not discussed
Science is a social process