Security Analysis of Network Protocols: Logical and Computational Methods
John Mitchell, Stanford University
Logic and Computational Complexity, 2006
Slide 1: Security Analysis of Network Protocols: Logical and Computational Methods
  John Mitchell, Stanford University
  Logic and Computational Complexity, 2006

Slide 2: Outline
  - Protocols: some examples, some intuition
  - Symbolic analysis of protocol security: models, results, tools
  - Computational analysis: communicating Turing machines, composability
  - Combining symbolic and computational analysis: some alternate approaches; Protocol Composition Logic (PCL) with symbolic and computational semantics

Slide 3: Many Protocols
  - Authentication: Kerberos
  - Key exchange: SSL/TLS handshake, IKE, JFK, IKEv2, ...
  - Wireless and mobile computing: Mobile IP, WEP, 802.11i
  - Electronic commerce: contract signing, SET, electronic cash, ...

Slide 4: Mobile IPv6 Architecture
  - Mobile Node (MN), Corresponding Node (CN) and Home Agent (HA) over IPv6
  - Direct connection via binding update
  - Authentication is a requirement; early proposals were weak

Slide 5: 802.11i Wireless Authentication
  Initial state: supplicant UnAuth/UnAssoc, 802.1X blocked, no key
  802.11 Association -> EAP/802.1X/RADIUS Authentication (yields MSK) -> 4-Way Handshake -> Group Key Handshake -> Data Communication
  Final state: supplicant Auth/Assoc, 802.1X unblocked, PTK/GTK in place

Slide 6: IKE subprotocol from IPSEC
  A -> B: A, (g^a mod p)                        (m1)
  B -> A: B, (g^b mod p), sign_B(m1, m2)        (m2)
  A -> B: sign_A(m1, m2)
  Result: A and B share the secret g^ab mod p
  Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks

Slide 7: Needham-Schroeder Protocol
  A -> B: { A, Nonce_A }_Kb
  B -> A: { Nonce_A, Nonce_B }_Ka
  A -> B: { Nonce_B }_Kb
  Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1

Slide 8: Anomaly in Needham-Schroeder
  A -> E: { A, Na }_Ke
  E -> B: { A, Na }_Kb
  B -> A: { Na, Nb }_Ka      (relayed through E, who cannot open it)
  A -> E: { Nb }_Ke
  E -> B: { Nb }_Kb
  Evil agent E tricks honest A into revealing B's private nonce Nb. Evil E can then fool B. [Lowe]

Slide 9: Run of a protocol
  Principals A, B, C, D; A initiates, B responds; the attacker controls the network.
  Correct if there is no security violation in any run.

Slide 10: Protocol analysis methods
  - Cryptographic reductions: Bellare-Rogaway, Shoup, many others; UC [Canetti et al]; simulatability [BPW]; probabilistic poly-time process calculus [LMRST]
  - Symbolic methods:
      Model checking: FDR [Lowe, Roscoe, ...], Murphi [M, Shmatikov, ...]
      Symbolic search: NRL protocol analyzer [Meadows]
      Theorem proving: Isabelle [Paulson, ...], specialized logics [BAN, ...]

Slide 11: The Symbolic Model
  - Messages are algebraic expressions: Nonce, Encrypt(K, M), Sign(K, M), ...
  - The adversary is nondeterministic: it observes, stores and directs all communication; breaks messages into parts; encrypts, decrypts and signs only if it has the key; sends any message derivable from the stored parts
  - Example: from K1 and Encrypt(K1, hi) the adversary derives hi

Slide 12: Many formulations
  - Word problems [Dolev-Yao, Dolev-Even-Karp, ...]: each protocol step is a symbolic function from input message to output message; cancellation law d_k e_k x = x
  - Rewrite systems [CDLMS]: each protocol step is a symbolic function from state and input message to state and output message
  - Logic programming [Meadows NRL Analyzer]: each protocol step is defined by logical clauses; resolution performs the reachability search
  - Constraint solving [Amadio-Lugiez, ...]: write set constraints defining the messages known at step i
  - Strand space model [MITRE]: partial order (Lamport causality), reasoning methods
  - Process calculus [CSP, Spi-calculus, applied pi, ...]: each protocol step is a process that reads and writes on a channel; the Spi-calculus uses ν for new values and private channels to simulate crypto

Slide 13: Complexity results (see [Cortier et al])
  Bounded number of sessions: co-NP complete
  Unbounded number of sessions, general case: undecidable
    without nonces                               with nonces
    bounded message length: DEXP-time complete   bounded message length: undecidable
    tagged: EXPTIME                              tagged: decidable
    one-copy: DEXP-time complete
    ping-pong protocols: PTIME
  Additional results for variants of the basic model (AC, xor, modular exponentiation, ...)
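Added example (not part of the talk): the adversary of slide 11 as a small Python derivation engine, replaying the slide 8 interleaving against Needham-Schroeder and against the Needham-Schroeder-Lowe variant (responder's name in message 2). The tuple encoding of messages, the agent names A, B, E and all function names are constructed for this example.

```python
"""Dolev-Yao message derivation (slide 11) applied to Needham-Schroeder
and Lowe's interleaving (slides 7-8). Added example, not from the talk.
The tuple encoding of messages, the agent names A, B, E and the function
names are constructed for this example."""
from typing import Union

Term = Union[str, tuple]
PUBLIC = {"A", "B", "E"}          # principal names are known to everyone


def pair(*ts: Term) -> Term:
    """Right-nested tuple: pair(a, b, c) = (a, (b, c))."""
    return ts[0] if len(ts) == 1 else ("pair", ts[0], pair(*ts[1:]))


def enc(owner: str, *payload: Term) -> Term:
    """{payload}_K(owner): public-key encryption for principal `owner`."""
    return ("enc", owner, pair(*payload))


def components(payload: Term) -> list:
    """Flatten a right-nested pair into its list of fields."""
    out = []
    while isinstance(payload, tuple) and payload[0] == "pair":
        out.append(payload[1])
        payload = payload[2]
    out.append(payload)
    return out


def closure(known: set, private_keys: set) -> frozenset:
    """Slide 11's adversary: break messages into parts, decrypt only
    when holding the matching private key, repeat to a fixpoint."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                parts = {t[1], t[2]}
            elif t[0] == "enc" and t[1] in private_keys:
                parts = {t[2]}
            else:
                continue
            if not parts <= known:
                known |= parts
                changed = True
    return frozenset(known)


def derivable(t: Term, known: set, private_keys: set) -> bool:
    """Can the adversary send t? It may pair known terms and encrypt
    under any public key; decryption is limited to its own keys."""
    k = closure(known, private_keys)

    def build(u: Term) -> bool:
        if u in k or u in PUBLIC:
            return True
        if isinstance(u, tuple) and u[0] == "pair":
            return build(u[1]) and build(u[2])
        if isinstance(u, tuple) and u[0] == "enc":
            return build(u[2])
        return False

    return build(t)


def lowe_interleaving(nsl: bool) -> dict:
    """Replay slide 8's interleaving against NS (nsl=False) or against
    NSL (nsl=True, responder's name added to message 2). E holds only
    its own private key. Returns what E learns and whether B completes."""
    e_priv = {"E"}
    e_known: set = set()
    # Session 1: honest A initiates with E.
    e_known |= closure({enc("E", "A", "Na")}, e_priv)
    # Session 2: E re-encrypts A's opening message for B.
    forges = derivable(enc("B", "A", "Na"), e_known, e_priv)
    # B answers "A"; E can only relay this ciphertext, not open it.
    msg2 = enc("A", "Na", "B", "Nb") if nsl else enc("A", "Na", "Nb")
    e_known |= closure({msg2}, e_priv)
    # A opens msg2 and, under NSL, checks that the responder named is E.
    fields = components(msg2[2])
    a_accepts = forges and (not nsl or fields[1] == "E")
    if a_accepts:
        # A finishes its run with E, which exposes Nb under E's key.
        e_known |= closure({enc("E", "Nb")}, e_priv)
    return {
        "E_learns_Nb": "Nb" in e_known,
        "B_completes": derivable(enc("B", "Nb"), e_known, e_priv),
    }
```

With `nsl=False` the run ends with Nb in E's knowledge and B accepting; with `nsl=True` A's identity check fails at message 2, so the third message is never sent and E derives nothing it can forward to B. The same `closure` function is the "Has" relation a symbolic tool computes for every principal.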
Slide 14: Many protocol case studies
  - Murphi [Shmatikov, He, ...]: SSL, contract signing, 802.11i, ...
  - Meadows NRL tool: participation in IETF and IEEE standards; many important examples
  - Paulson inductive method; Scedrov et al: Kerberos, SSL, SET, many more
  - Protocol logic: BAN logic and successors (GNY, SvO, ...); DDMP

Slide 15: Computational model I [Bellare-Rogaway, Shoup, ...]
  Adversary with input tape, work tape and oracle tape, interacting with Alice and Bob.

Slide 16: Computational model II [Canetti, ...]
  Adversary and parties as interacting Turing machines.

Slide 17: Computational security: encryption
  - Passive adversary: semantic security
  - Chosen ciphertext attacks (CCA1): the adversary can ask for decryptions before receiving the challenge ciphertext
  - Chosen ciphertext attacks (CCA2): the adversary can ask for decryptions before and after receiving the challenge ciphertext

Slide 18: Passive Adversary
  Attacker -> Challenger: m0, m1
  Challenger -> Attacker: E(m_i)
  Attacker: guess 0 or 1

Slide 19: Chosen ciphertext CCA1
  Attacker -> Challenger: c;  Challenger -> Attacker: D(c)      (before the challenge)
  Attacker -> Challenger: m0, m1;  Challenger -> Attacker: E(m_i)
  Attacker: guess 0 or 1

Slide 20: Chosen ciphertext CCA2
  Attacker -> Challenger: c;  Challenger -> Attacker: D(c)
  Attacker -> Challenger: m0, m1;  Challenger -> Attacker: E(m_i)
  Attacker -> Challenger: c' ≠ E(m_j);  Challenger -> Attacker: D(c')
  Attacker: guess 0 or 1

Slide 21: Protocol execution (slide: R. Canetti)
  Real execution: parties P1, P2, P3, P4 run the protocol with attacker A; environment Z supplies input and receives output.
  Ideal functionality: the parties interact with F; simulator S stands in for the attacker; Z again supplies input and receives output.
  Protocol security relates the two.

Slide 22: REAL vs IDEAL (slide: Y. Lindell)
  REAL: protocol interaction.  IDEAL: trusted party.
  For every real adversary A there exists an adversary S.
  Universal composability; also reactive simulatability [BPW], see [DKMRS].

Slide 23: Symbolic model [NS78, DY84, ...] vs complexity-theoretic model [GM84, ...]
  Attacker actions
    symbolic:      - fixed set of actions, nondeterminism (ABSTRACTION)
    computational: + any probabilistic poly-time computation
  Security properties
    symbolic:      - idealized, e.g., secret message = not possessing the atomic term representing the message (ABSTRACTION)
    computational: + fine-grained, e.g., secret message = no partial information about the bitstring representation
  Analysis methods
    symbolic:      + successful array of tools and techniques; automation
    computational: - hand proofs are difficult and error-prone; no automation
  Can we have the best of both worlds?
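Added example (not part of the talk): the CCA2 game of slides 17-20 as a Python harness, played against two constructed toy schemes so that the role of the decryption oracle is visible. The keystream construction, the two scheme classes, the challenge messages and the adversary are this example's own choices, not anything from the slides; the "stream" scheme is deliberately malleable so the game can show the definition detecting it, while the encrypt-then-MAC variant rejects the related ciphertext.

```python
"""IND-CCA2 game of slides 17-20 played by a bit-flipping adversary
against two constructed toy schemes. Added example, not from the talk:
the keystream construction, the scheme classes and the message pair are
this example's own choices."""
import hashlib
import hmac
import secrets

NONCE = 16   # bytes
TAG = 32     # HMAC-SHA256 output


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a PRF keystream."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class StreamScheme:
    """Confidentiality only: c = nonce || (m XOR ks). Every c decrypts."""
    def __init__(self):
        self.k = secrets.token_bytes(32)

    def enc(self, m: bytes) -> bytes:
        nonce = secrets.token_bytes(NONCE)
        return nonce + xor(m, keystream(self.k, nonce, len(m)))

    def dec(self, c: bytes):
        nonce, body = c[:NONCE], c[NONCE:]
        return xor(body, keystream(self.k, nonce, len(body)))


class EtMScheme(StreamScheme):
    """Encrypt-then-MAC over the whole ciphertext; dec rejects on a bad tag."""
    def __init__(self):
        super().__init__()
        self.mk = secrets.token_bytes(32)

    def enc(self, m: bytes) -> bytes:
        c = super().enc(m)
        return c + hmac.new(self.mk, c, hashlib.sha256).digest()

    def dec(self, c: bytes):
        body, tag = c[:-TAG], c[-TAG:]
        if not hmac.compare_digest(tag, hmac.new(self.mk, body, hashlib.sha256).digest()):
            return None
        return super().dec(body)


class Challenger:
    """Slide 20: decryption oracle before and after the challenge, which
    must never be asked about the challenge ciphertext itself."""
    def __init__(self, scheme):
        self.s, self.b, self.challenge = scheme, None, None

    def decrypt(self, c: bytes):
        if self.challenge is not None and c == self.challenge:
            raise ValueError("oracle refuses the challenge ciphertext")
        return self.s.dec(c)

    def challenge_on(self, m0: bytes, m1: bytes) -> bytes:
        self.b = secrets.randbelow(2)
        self.challenge = self.s.enc((m0, m1)[self.b])
        return self.challenge


def malleability_adversary(ch: Challenger) -> int:
    """Asks D on a related ciphertext c' != c (permitted by CCA2) and
    compares the answer with a prediction for m0."""
    m0, m1 = b"amount=100", b"amount=900"      # constructed, equal length
    c = bytearray(ch.challenge_on(m0, m1))
    c[NONCE] ^= 0x01                          # flip one bit of the body
    p = ch.decrypt(bytes(c))
    if p is None:                             # rejected: nothing learned
        return secrets.randbelow(2)
    return 0 if p == bytes([m0[0] ^ 0x01]) + m0[1:] else 1


def win_rate(make_scheme, trials: int = 200) -> float:
    """Fraction of games the adversary wins against a fresh scheme each time."""
    wins = 0
    for _ in range(trials):
        ch = Challenger(make_scheme())
        wins += malleability_adversary(ch) == ch.b
    return wins / trials


def oracle_refuses_challenge() -> bool:
    """The CCA2 rule c' != c, enforced by the challenger."""
    ch = Challenger(StreamScheme())
    c = ch.challenge_on(b"yes", b"no!")
    try:
        ch.decrypt(c)
    except ValueError:
        return True
    return False
```

Against `StreamScheme` the adversary wins every game, which is exactly the CCA2 definition reporting that the scheme leaks under a related-ciphertext query; against `EtMScheme` the oracle answers ⊥ and the win rate falls back to coin-flipping. The passive game of slide 18 is the same harness with `decrypt` never called.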
Slide 24: Some relevant approaches
  - Simulation framework: Backes, Pfitzmann, Waidner
  - Correspondence theorems: Micciancio, Warinschi
  - Kapron-Impagliazzo logics
  - Abadi-Rogaway passive equivalence:
      (K2, {01}_K3), {({101}_K2, K5)}_K2, {{K6}_K4}_K5
        has pattern  (K2, □), {({101}_K2, K5)}_K2, {□}_K5
        renamed      (K1, □), {({101}_K1, K5)}_K1, {□}_K5
        which is the pattern of  (K1, {K1}_K7), {({101}_K1, K5)}_K1, {{K6}_K7}_K5
    Proposed as the start of a larger plan for computational soundness [Abadi-Rogaway00, ..., Adao-Bana-Scedrov05]

Slide 25: Symbolic methods: compl. results
  - Pereira and Quisquater, CSFW 2001, 2004: studied authenticated group Diffie-Hellman protocols; found a symbolic attack in the Cliques SA-GDH.2 protocol; proved that no protocol of a certain type is secure for more than 3 participants
  - Micciancio and Panjwani, EUROCRYPT 2004: lower bound for a class of group key establishment protocols using purely Dolev-Yao reasoning; pseudo-random generators and encryption are modelled symbolically; the lower bound is tight and matches a known protocol

Slide 26: Rest of talk: Protocol Composition Logic
  Alice's information: the protocol, her private data, the messages she sends and receives.
  Honest principals and the attacker each send and receive, each with a protocol and private data.
  The logic now has symbolic and computational semantics.

Slide 27: Example
  A -> B: { A, Nonce_a }_Kb
  B -> A: { Nonce_a, ... }_Ka
  Alice assumes that only Bob has Kb^-1.
  Alice generated Nonce_a and knows that some X decrypted the first message.
  Since only X knows Kb^-1, Alice knows X = Bob.

Slide 28: More subtle example: Bob's view
  A -> B: { A, Nonce_a }_Kb
  B -> A: { Nonce_a, B, Nonce_b }_Ka
  A -> B: { Nonce_b }_Kb
  Bob assumes that Alice follows the protocol.
  Since Alice responds to the second message, Alice must have sent the first message.

Slide 29: Execution model
  Protocol: a program for each protocol role.
  Initial configuration: a set of principals and keys; assignment of one role to each principal.
  Run: e.g. A creates x and sends {x}_B, B decrypts {x}_B; C creates z and sends {z}_B, B decrypts {z}_B. Formulas are evaluated at a position in the run.

Slide 30: Formulas true at a position in a run
  Action formulas:  a ::= Send(P, m) | Receive(P, m) | New(P, t) | Decrypt(P, t) | Verify(P, t)
  Formulas:  φ ::= a | Has(P, t) | Fresh(P, t) | Honest(N) | Contains(t1, t2) | ¬φ | φ1 ∧ φ2 | ∃x. φ | ...
  Example: After(a, b) = ◇(b ∧ ◇a)
  Notation in the papers varies slightly.

Slide 31: Modal Formulas
  After actions, condition: [actions]_P φ, where P = (principal, role id)
  Before/after assertions: θ [actions]_P φ
  Composition rule: from θ [S]_P φ and φ [T]_P ψ infer θ [ST]_P ψ
  Logic formulated in [DMP, DDMP]. Related to: BAN, Floyd-Hoare, CSP/CCS, temporal logic, NPATRL

Slide 32: Example: Bob's view of NSL
  Bob knows he is talking to Alice:
    [ receive encrypt(Key(B), A, m); new n; send encrypt(Key(A), m, B, n); receive encrypt(Key(B), n) ]_B
        Honest(A) ⊃ Csent(A, msg1) ∧ Csent(A, msg3)
  where Csent(A, μ) ≡ Created(A, μ) ∧ Sent(A, μ), msg1 = encrypt(Key(B), A, m) and msg3 = encrypt(Key(B), n)

Slide 33: Proof System
  Sample axioms:
    Reasoning about possession:
      [receive m]_A Has(A, m)
      Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
    Reasoning about crypto primitives:
      Honest(X) ∧ Decrypt(Y, enc(X, {m})) ⊃ X = Y
      Honest(X) ∧ Verify(Y, sig(X, {m})) ⊃ ∃m'. (Send(X, m') ∧ Contains(m', sig(X, {m})))
  Soundness theorem: every provable formula is valid in the symbolic model.

Slide 34: Modal Formulas (repeats slide 31: [actions]_P φ, before/after assertions θ [actions]_P φ, and the composition rule)

Slide 35: Application: DH + CR = ISO 9798-3
  Initiator role of DH:  [new a]_I Fresh(I, g^a) ∧ HasAlone(I, a)
  Initiator role of CR:  Fresh(I, m) [send; receive B; send]_I Honest(B) ⊃ ActionsInOrder(...)
  Combination: substitute g^a for m in CR; apply the composition rule and persistence; obtain the assertion about the ISO initiator.

Slide 36: Additional issues
  Reasoning about honest principals: an invariance rule, called the honesty rule.
  Preserving invariants under composition: if we prove an invariant of the form Honest(X) ⊃ ... for protocol 1 and compose with protocol 2, is the formula still true?
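Added example (not part of the talk): the Abadi-Rogaway pattern computation behind the passive equivalence shown on slide 24, in Python. The encoding is this example's own: a key is a string starting with "K", a bit-string is any other string, ("enc", K, e) stands for {e}_K and a Python list stands for a tuple of expressions. `E1` and `E2` transcribe the slide's two expressions in that encoding.

```python
"""Abadi-Rogaway patterns for slide 24's expressions. Added example, not
from the talk. Encoding is this example's own: a key is a string starting
with "K", a bit-string is any other string, ("enc", K, e) stands for {e}_K
and a Python list stands for a tuple of expressions."""

BOX = "□"                     # stands for an undecryptable ciphertext


def is_key(t) -> bool:
    return isinstance(t, str) and t.startswith("K")


def recoverable_keys(e) -> frozenset:
    """Keys a passive observer obtains: keys in the clear, plus keys found
    inside ciphertexts it can already open, iterated to a fixpoint."""
    keys: set = set()

    def walk(t):
        if isinstance(t, str):
            if is_key(t):
                keys.add(t)
        elif isinstance(t, tuple):          # ("enc", K, payload)
            if t[1] in keys:
                walk(t[2])
        else:                               # list = tuple of expressions
            for s in t:
                walk(s)

    while True:
        before = len(keys)
        walk(e)
        if len(keys) == before:
            return frozenset(keys)


def pattern(e, keys=None):
    """Replace every ciphertext under an unrecoverable key by BOX."""
    if keys is None:
        keys = recoverable_keys(e)
    if isinstance(e, str):
        return e
    if isinstance(e, tuple):
        return ("enc", e[1], pattern(e[2], keys)) if e[1] in keys else BOX
    return [pattern(s, keys) for s in e]


def equivalent(e1, e2) -> bool:
    """AR equivalence: patterns coincide up to a bijective key renaming."""
    fwd, back = {}, {}

    def match(a, b) -> bool:
        if is_key(a) and is_key(b):
            return fwd.setdefault(a, b) == b and back.setdefault(b, a) == a
        if isinstance(a, str) or isinstance(b, str):
            return a == b
        return type(a) is type(b) and len(a) == len(b) and all(
            match(x, y) for x, y in zip(a, b))

    return match(pattern(e1), pattern(e2))


# Slide 24's two expressions, transcribed into this example's encoding.
E1 = [["K2", ("enc", "K3", "01")],
      ("enc", "K2", [("enc", "K2", "101"), "K5"]),
      ("enc", "K5", ("enc", "K4", "K6"))]
E2 = [["K1", ("enc", "K7", "K1")],
      ("enc", "K1", [("enc", "K1", "101"), "K5"]),
      ("enc", "K5", ("enc", "K7", "K6"))]
```

`recoverable_keys(E1)` is {K2, K5}: K2 is in the clear, K5 is found by opening the second component with K2, and neither K3 nor K4 is ever obtained. `pattern(E1)` is therefore the slide's (K2, □), {({101}_K2, K5)}_K2, {□}_K5, and `equivalent(E1, E2)` holds under the renaming K2 -> K1. Revealing K3 anywhere in E1 changes the pattern and breaks the equivalence.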
Slide 37: Composing protocols
  DH:  Honest(X) ⊃ ...   ⊢ Secrecy
  CR:  Honest(X) ⊃ ...   ⊢ Authentication
  DH ; CR  [additive]:        ⊢ Secrecy,  ⊢ Authentication
  ISO = DH ; CR  [nondestructive]:  ⊢ Secrecy ∧ Authentication

Slide 38: PCL -> Computational PCL
  PCL: syntax, proof system, symbolic model, semantics
  Computational PCL: syntax, proof system, complexity-theoretic model, semantics

Slide 39: Some general issues
  Computational PCL: a symbolic logic for proving security properties of network protocols that use public-key encryption.
  Soundness theorem: if a property is provable in CPCL, then the property holds in the computational model with overwhelming asymptotic probability.
  Benefits: symbolic proofs about the computational model; computational reasoning only in the soundness proof; different axioms rely on different crypto assumptions.

Slide 40: PCL -> Computational PCL
  Syntax and proof rules are mostly the same, but we are not sure about the propositional connectives.
  Significant differences:
    Symbolic knowledge, Has(X, t): X can produce t from the messages it has observed, by a symbolic algorithm.
    Computational knowledge, Possess(X, t): X can produce t by a ppt algorithm; Indistinguishable(X, t): X cannot distinguish t from random in ppt.
  More subtle system: some axioms rely on CCA2, some are information-theoretically true, etc.

Slide 41: Computational Traces
  A computational trace contains: the symbolic actions of honest parties; the mapping of symbolic variables to bitstrings; only the send and receive actions of the adversary.
  Run of the protocol: the set of all possible traces.
  Technicality: we make them equiprobable by explicitly including the randomness.
Slide 42: Complexity-theoretic semantics
  Given a protocol Q and adversary A, let T be the set of all possible traces.
  [[φ]](T) is the subset of T that respects φ in a certain way.
  Intuition: φ is valid when [[φ]](T) is an asymptotically overwhelming subset of T.

Slide 43: Semantics of trace properties
  Defined in a straightforward way. For example, [[Send(X, m)]](T) contains all traces t such that t contains a send action by X whose argument's bitstring value corresponds to the bitstring value of m.

Slide 44: Inductive Semantics
  [[φ1 ∧ φ2]](T) = [[φ1]](T) ∩ [[φ2]](T)
  [[¬φ]](T) = T − [[φ]](T)
  Implication uses a form of conditional probability:
  [[φ1 ⊃ φ2]](T) = [[¬φ1]](T) ∪ [[φ2]](T′),  where T′ = [[φ1]](T)

Slide 45: Semantics of Indist
  Not a trace property.
  Intuition: Indist(X, m) holds if no algorithm can distinguish m from a random value given X's view of the run.
  Game: the protocol runs against the attacker; the distinguisher D is given View(X) and LR(b, m, r) and outputs a bit b′.
  [[Indist(X, m)]](T, D, ε) = T if | #(t : b = b′) − |T|/2 | < ε, and ∅ otherwise.

Slide 46: Validity of a formula
  Q ⊨ φ if for every adversary A, every distinguisher D and every negligible function f there is n0 such that for all n > n0,
      | [[φ]](T, D, f(n)) | / |T| > 1 − f(n),   where T = T(Q, A, n).
  Fix protocol Q and PPT adversary A; choose the value of the security parameter n; vary the random bits used by all programs; obtain the set T = T(Q, A, n) of equiprobable traces.

Slide 47: Proof system
  Information-theoretic reasoning:  [new n]_X (Y ≠ X) ⊃ Indist(Y, n)
  Complexity-theoretic reductions:  Verify(X, m, Y) ∧ Honest(X, Y) ⊃ Sign(Y, m)
  Asymptotic calculations

Slide 48: Example Axiom
  Source(Y, u, {m}_X) ∧ Decrypts(X, {m}_X) ∧ Honest(X, Y) ∧ (Z ≠ X, Y) ⊃ Indistinguishable(Z, u)
  Proof idea: crypto-style reduction. Assume the axiom is not valid: there exist A, D and a negligible f such that for every n0 there is n > n0 with |[[φ]](T, D, f)| / |T| < 1 − f(n). Construct an attacker A′ that uses A and D to break an IND-CCA2 secure encryption scheme.
  Conditional implication is essential. Parts of the proof are similar to [Micciancio, Warinschi].

Slide 49: Applications of PCL
  - IKE, JFK family key exchange; IKEv2 in progress
  - 802.11i wireless networking: SSL/TLS, 4-way handshake, group handshake
  - Kerberos v5 [Cervesato et al]
  - GDOI [Meadows, Pavlovic]
  Current work: use CPCL to understand the computational security of these protocols and their reliance on specific crypto properties.

Slide 50: Advantages of Computational PCL
  - High-level reasoning, sound for real crypto: prove properties of protocols without explicit reasoning about probability or asymptotic complexity
  - Composability: PCL is designed for protocol composition
  - Identify the crypto assumptions needed: ISO-9798-3 [DDMW2006], Kerberos V5 [yet unpublished]

Slide 51: CPCL analysis of Kerberos V5
  Kerberos has a staged architecture: the first stage generates a nonce and sends it encrypted; the second stage uses this nonce as a key to encrypt another nonce; the third stage uses the nonce exchanged in the second stage to encrypt other terms.
  Our proof system is sufficient to prove the GoodKey-ness of both nonces.
  Authentication properties are proved assuming that the encryption scheme provides ciphertext integrity.
  Modular proofs are made possible by composition theorems.

Slide 52: Current and Future Work
  - Investigate the nature of the propositional fragment: non-classical; involves some conditional probability and complexity-theoretic reductions; connections with probabilistic logics (e.g. Nilsson86)
  - Generalize reasoning about secrecy
  - Extend the logic: more primitives (signature, hash functions, ...); remove the current syntactic restrictions on formulas
  - Information-theoretic semantics (thanks to A. Scedrov): only probability, no complexity
  - Other fundamental problems: see Kapron-Impagliazzo, etc.
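Added example (not part of the talk): the inductive semantics of slide 44, the Indist clause of slide 45 and the validity ratio of slide 46 evaluated over a finite set of constructed traces in Python. A single finite set T of enumerated runs stands in for T(Q, A, n) at one security parameter; the "hidden" and "leaky" protocol variants, the distinguisher and the formula encoding are this example's own constructions. It shows why the conditional reading of implication matters: Indist fails over a trace set that mixes leaky and hiding runs, yet "hidden ⊃ Indist" holds, because the consequent is evaluated only on the runs satisfying the antecedent.

```python
"""Finite-trace rendering of the CPCL semantics on slides 44-46. Added
example, not from the talk: a single finite set T of constructed runs
stands in for T(Q, A, n), and the distinguisher and 'leaky' protocol
variant are this example's own constructions."""
from collections import namedtuple
from itertools import product

N = 16                                          # size of the nonce space
Trace = namedtuple("Trace", "hidden b n r lr")  # lr = LR(b, n, r)


def view(t: Trace) -> dict:
    """X's view of the run: the leaky variant shows the nonce n in the clear."""
    return {} if t.hidden else {"n": t.n}


def make_traces(hidden: bool) -> frozenset:
    """Slide 45's game for every coin b, nonce n and random r:
    LR(b, n, r) is n when b = 0 and the random value r when b = 1."""
    return frozenset(Trace(hidden, b, n, r, n if b == 0 else r)
                     for b, n, r in product((0, 1), range(N), range(N)))


def distinguisher(v: dict, lr: int) -> int:
    """One fixed D: compares with the nonce if the view reveals it, else says 0."""
    if "n" in v:
        return 0 if lr == v["n"] else 1
    return 0


def sem(phi, T: frozenset, D, eps: float) -> frozenset:
    """[[phi]](T, D, eps) from slide 44; formulas are tagged tuples."""
    kind = phi[0]
    if kind == "atom":                    # trace property: a predicate on t
        return frozenset(t for t in T if phi[1](t))
    if kind == "not":
        return T - sem(phi[1], T, D, eps)
    if kind == "and":
        return sem(phi[1], T, D, eps) & sem(phi[2], T, D, eps)
    if kind == "imp":                     # consequent evaluated on T' = [[phi1]](T)
        T1 = sem(phi[1], T, D, eps)
        return (T - T1) | sem(phi[2], T1, D, eps)
    if kind == "indist":                  # slide 45: all of T or nothing
        correct = sum(1 for t in T if D(view(t), t.lr) == t.b)
        return T if abs(correct - len(T) / 2) < eps else frozenset()
    raise ValueError(kind)


def valid(phi, T: frozenset, D, eps: float, negl: float) -> bool:
    """Slide 46 at one fixed security parameter: |[[phi]](T)| / |T| > 1 - negl."""
    return len(sem(phi, T, D, eps)) / len(T) > 1 - negl


def demo() -> dict:
    """Mix hidden and leaky runs into one T and compare readings of Indist."""
    T = make_traces(True) | make_traces(False)
    hidden = ("atom", lambda t: t.hidden)
    indist = ("indist", "X", "n")         # Indist(X, n); X's view comes from view()
    eps, negl = 1.0, 0.01
    T1 = sem(hidden, T, distinguisher, eps)
    return {
        "indist_over_all_runs": valid(indist, T, distinguisher, eps, negl),
        "hidden_implies_indist": valid(("imp", hidden, indist), T, distinguisher, eps, negl),
        # classical reading, ignoring the conditioning: (T - T1) ∪ [[Indist]](T)
        "classical_ratio": len((T - T1) | sem(indist, T, distinguisher, eps)) / len(T),
    }
```

On the hiding runs every D is right on exactly half of the 512 traces, so [[Indist]] is all of them; on the leaky runs the constructed D is right on 496 of 512, so [[Indist]] is empty. Over the mixed set the classical reading of "hidden ⊃ Indist" covers only half of T, while the conditional reading of slide 44 covers all of it.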
Slide 53: Conclusion
  - The symbolic model supports useful analysis: tools, case studies, high-level proofs
  - The computational model is more correct: it more accurately reflects realistic attacks
  - The two approaches can be combined: several current projects and approaches; one example is computational semantics for a symbolic protocol logic

Slide 54: Credits
  Collaborators: M. Backes, A. Datta, A. Derek, N. Durgin, C. He, R. Kuesters, D. Pavlovic, A. Ramanathan, A. Roy, A. Scedrov, V. Shmatikov, M. Sundararajan, V. Teague, M. Turuani, B. Warinschi, ...
  More information: web page on Protocol Composition Logic, http://www.stanford.edu/~danupam/logic-derivation.html; my web site for related projects not discussed here
  Science is a social process.

Slide 55