Title: Proving Security of Industrial Network Protocols: Theory and Practice
1. Proving Security of Industrial Network Protocols: Theory and Practice
- Anupam Datta
- Stanford University
- Oakland PC Crystal Ball Workshop
- January 2007
2. Security Protocol Analysis
- Network security protocols
  - Industry standards (IETF, IEEE)
  - SSL/TLS: web authentication
  - IPSec: corporate VPNs
  - Mobile IPv6: routing security
  - Kerberos: network authentication
  - GDOI: secure group communication
  - 802.11i: wireless LAN security
- Methods for their security analysis
  - Security proof in some model, or
  - Identify attacks
3. Our Result
- Protocol Composition Logic (PCL)
  - Unbounded number of sessions (vs. model checking)
  - Short high-level proofs (2-3 pages)
  - Sound wrt symbolic and computational cryptographic models
  - Taught in security courses (alternative to BAN): CMU, Penn, Stanford, Texas
DMP01, DDMP03, , RDDM06
4. PCL Big Picture
[Figure: the two soundness results, with high-level proof principles at the top]
- PCL: Syntax (Properties), Proof System (Proofs)
- Computational PCL: Syntax ?, Proof System ?
- Soundness Theorem (Induction): PCL semantics (meaning of formulas) in the Symbolic Model; unbounded concurrent sessions
- Soundness Theorem (Reduction): PCL semantics (meaning of formulas) in the Cryptographic Model [BPW, MW, ...]; polynomial concurrent sessions
5. PCL Results: Industrial Protocols
- IEEE 802.11i, IEEE Standards 2004 [HSDDM05]
  - TLS/SSL (RFC 2246) is a component
  - (Attack using model checking; fix adopted by WG)
- GDOI Secure Group Communication, RFC 3547 [MP04]
  - (Attack using PCL; fix adopted by IETF WG)
- Kerberos V5, IETF ID 2004 [CMP05, RDDM06]
- Mobile IPv6, RFC 3775, in progress [RDM06]
- IKE/JFK family
  - IKEv2, IETF ID 2004, in progress [RDM06]
Except Kerberos, results currently apply only to the symbolic model.
6. PCL Proof Techniques
- Modular proofs [DDMP03, HSDDM05]
  - Useful for protocols composed from multiple components, e.g. IEEE 802.11i has 4 components including TLS
  - Sequential, parallel, staged composition
- Generic template-style proofs [DDMP04]
  - Useful for protocols with multiple modes but similar abstract structure, e.g. IKEv2 has two modes based on symmetric and public-key cryptography
7. In More Detail
- Protocol Programming Language
- Protocol Composition Logic
  - Syntax: stating security properties
  - Trace Semantics: property holds in (almost) all runs of protocol
  - Proof System: axioms and rules used to prove security
  - High-level proof principles
8. Example: Challenge-Response
A → B: m, A
B → A: n, sig_B(m, n, A)
A → B: sig_A(m, n, B)
- Alice reasons: if Bob is honest, then
  - only Bob can generate his signature [protocol independent]
  - if Bob generates a signature of the form sig_B(m, n, A), he sends it as part of msg2 of the protocol, and he must have received msg1 from Alice [protocol specific]
- Alice deduces: Received(B, msg1) < Sent(B, msg2)
9. Challenge-Response Programs
A → B: m, A
B → A: n, sig_B(m, n, A)
A → B: sig_A(m, n, B)
InitCR(A, X) = [ new m; send A, X, m, A; receive X, A, x, sig_X(m, x, A); send A, X, sig_A(m, x, X) ]_A
RespCR(B) = [ receive Y, B, y, Y; new n; send B, Y, n, sig_B(y, n, Y); receive Y, B, sig_Y(y, n, B) ]_B
10. Challenge-Response Property
- Specifying authentication for the Initiator using PCL syntax:
  true [InitCR(A, B)]_A Honest(B) ⊃
    ( Send(A, {A, B, m}) <
      Receive(B, {A, B, m}) <
      Send(B, {B, A, n, sig_B(m, n, A)}) <
      Receive(A, {B, A, n, sig_B(m, n, A)}) )
- Semantics: property should hold in (almost) all protocol runs
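The trace semantics and the initiator property above, as an added example that is not from the slides: a small Python model of symbolic runs of the signed challenge-response protocol. Event, sig, is_valid_run, initiator_auth, property_holds and the two sample traces are my own constructions; the side condition in is_valid_run encodes the signature axiom of the next slide (an honest principal's signature can only enter a run through a message that principal sent), and a trace that breaks it is not counted as a run at all.

```python
# Added example: symbolic runs of the signed challenge-response (CR) protocol
# and the initiator's authentication property. All names are my own.
from dataclasses import dataclass


def sig(signer, *payload):
    """Symbolic signature sig_signer(payload); only `signer` can create it."""
    return ("sig", signer, tuple(payload))


def subterms(term):
    """Yield term and every subterm; a signature's signer name is not a subterm."""
    yield term
    if isinstance(term, tuple):
        children = term[2:] if term[:1] == ("sig",) else term
        for child in children:
            yield from subterms(child)


def contains(term, sub):
    return any(t == sub for t in subterms(term))


def signatures_in(term):
    return [t for t in subterms(term) if isinstance(t, tuple) and t[:1] == ("sig",)]


@dataclass(frozen=True)
class Event:
    kind: str        # "send" or "receive"
    principal: str
    msg: tuple


def is_valid_run(trace, honest):
    """Side condition of the symbolic model (signature axiom): a signature of an
    honest principal X can only be received after X sent a message containing it."""
    for i, ev in enumerate(trace):
        if ev.kind != "receive":
            continue
        for s in signatures_in(ev.msg):
            signer = s[1]
            if signer in honest and not any(
                e.kind == "send" and e.principal == signer and contains(e.msg, s)
                for e in trace[:i]):
                return False
    return True


def initiator_auth(trace, a, b, m, n):
    """The slide's property for one completed InitCR(a, b) thread with nonces m, n:
    the four actions occur in the trace, in this order."""
    expected = [
        Event("send", a, (a, b, m)),
        Event("receive", b, (a, b, m)),
        Event("send", b, (b, a, n, sig(b, m, n, a))),
        Event("receive", a, (b, a, n, sig(b, m, n, a))),
    ]
    pos = 0
    for ev in expected:
        if ev not in trace[pos:]:
            return False
        pos = trace.index(ev, pos) + 1
    return True


def property_holds(traces, a, b, m, n, honest):
    """'Property holds in all runs': every valid run in which a completed its role
    and b is honest must satisfy initiator_auth (dishonest b makes it vacuous)."""
    completed = Event("receive", a, (b, a, n, sig(b, m, n, a)))
    return all(initiator_auth(t, a, b, m, n) for t in traces
               if is_valid_run(t, honest) and b in honest and completed in t)


# Constructed sample runs (not from the slides).
NORMAL_RUN = [
    Event("send", "A", ("A", "B", "m1")),
    Event("receive", "B", ("A", "B", "m1")),
    Event("send", "B", ("B", "A", "n1", sig("B", "m1", "n1", "A"))),
    Event("receive", "A", ("B", "A", "n1", sig("B", "m1", "n1", "A"))),
    Event("send", "A", ("A", "B", sig("A", "m1", "n1", "B"))),
]
# B's signature reaches A without B ever sending it: if B is honest this is not a
# valid symbolic run; if B is dishonest (key known to the attacker) it is a run,
# but the property is vacuous because Honest(B) is false.
FORGED_RUN = [
    Event("send", "A", ("A", "B", "m1")),
    Event("receive", "A", ("B", "A", "n1", sig("B", "m1", "n1", "A"))),
]


def demo():
    return {
        "normal_run_satisfies_property": property_holds([NORMAL_RUN], "A", "B", "m1", "n1", {"A", "B"}),
        "forged_run_is_valid_with_honest_B": is_valid_run(FORGED_RUN, {"A", "B"}),
        "forged_run_auth_ordering": initiator_auth(FORGED_RUN, "A", "B", "m1", "n1"),
        "dishonest_B_property_vacuous": property_holds([FORGED_RUN], "A", "B", "m1", "n1", {"A"}),
    }


if __name__ == "__main__":
    print(demo())
```

The split between is_valid_run and initiator_auth mirrors the slide's division of labour: the first is the protocol-independent part (what the symbolic model lets an attacker do), the second is the protocol-specific property, and the quantification over all valid runs is what the soundness theorem later lets a proof replace.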
11. PCL Proof System
- Sample axiom (property of signature):
  Honest(X) ∧ Verifies(Y, sig_X(m)) ⊃ ∃m. Sent(X, m) ∧ Contains(m, sig_X(m))
- Sample proof rules
  - First-order logic rules
  - Induction rule (next slide)
- Soundness Theorem
  - If φ is provable, then φ holds in all protocol runs
  - Established using induction for the symbolic and reduction for the cryptographic model
[Step 1 of CR proof]
12. Inductive Invariant Rule Scheme
  ∀ steps A of protocol Q:
    Start(X) [ ]_X φ      φ [A]_X φ
    ----------------------------------
    Q ⊢ Honest(X) ⊃ φ
- Example:
  CR ⊢ Honest(X) ⊃ (Send(X, m) ∧ Contains(m, sig_X(y, x, Y)) ⊃ m = {X, Y, x, sig_B(y, x, Y)} ∧ Receive(X, {Y, X, y, Y}))
- Note: the rule depends on the protocol
[Step 2 of CR proof]
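The rule's premises, checked mechanically, as an added example that is not from the slides: each role program of slide 9 is run one step at a time and the CR invariant of this slide is evaluated on the empty prefix (Start) and after every action, which is exactly what the rule asks for. The role encoding, instantiate, run_prefix, invariant_holds, role_obligation, hon_rule_applies and the faulty BAD_RESP role are my own; one assumption is added and marked in the code: the signature the invariant talks about is recognised by its middle nonce being one the thread generated itself, since the initiator's final signature has the same symbolic shape.

```python
# Added example: discharging the inductive invariant rule for the CR roles.
# Role encodings, the freshness assumption and all names are my own.


def sig(signer, *payload):
    return ("sig", signer, tuple(payload))


def subterms(term):
    yield term
    if isinstance(term, tuple):
        for child in (term[2:] if term[:1] == ("sig",) else term):
            yield from subterms(child)


def signatures_in(term):
    return [t for t in subterms(term) if isinstance(t, tuple) and t[:1] == ("sig",)]


# Role programs from the slides as action lists over pattern variables:
# "self" is the thread's own identity, "peer" the other party, "new v" binds a
# fresh nonce, and variables first seen in a receive are bound by that receive.
INIT_CR = [("new", "m"),
           ("send", ("self", "peer", "m", "self")),
           ("receive", ("peer", "self", "x", sig("peer", "m", "x", "self"))),
           ("send", ("self", "peer", sig("self", "m", "x", "peer")))]
RESP_CR = [("receive", ("peer", "self", "y", "peer")),
           ("new", "n"),
           ("send", ("self", "peer", "n", sig("self", "y", "n", "peer"))),
           ("receive", ("peer", "self", sig("peer", "y", "n", "self")))]
# Constructed faulty responder: same signature, but sent in a message of a
# different shape (peer identity dropped), so the invariant's equality fails.
BAD_RESP = [("receive", ("peer", "self", "y", "peer")),
            ("new", "n"),
            ("send", ("self", "n", sig("self", "y", "n", "peer")))]


def instantiate(pattern, env):
    if isinstance(pattern, str):
        return env.get(pattern, pattern)
    if pattern[:1] == ("sig",):
        return ("sig", env.get(pattern[1], pattern[1]), instantiate(pattern[2], env))
    return tuple(instantiate(p, env) for p in pattern)


def run_prefix(role, k, me, peer):
    """Execute the first k actions of `role` as thread `me`. Returns the
    thread-local trace [(action, principal, message)] and the nonces it generated."""
    env, trace, fresh = {"self": me, "peer": peer}, [], set()
    for action, arg in role[:k]:
        if action == "new":
            env[arg] = f"{arg}@{me}"
            fresh.add(env[arg])
        else:
            trace.append((action, me, instantiate(arg, env)))
    return trace, fresh


def invariant_holds(trace, fresh, me):
    """The slide's CR invariant for honest `me`: a sent message containing
    sig_me(y, x, Y) equals {me, Y, x, sig} and was preceded by receiving {Y, me, y, Y}.
    Assumption added here: x is a nonce `me` generated itself, which is what tells
    the responder's signature apart from the initiator's (same symbolic shape)."""
    for i, (action, _, msg) in enumerate(trace):
        if action != "send":
            continue
        for s in signatures_in(msg):
            if s[1] != me or len(s[2]) != 3:
                continue
            y, x, peer = s[2]
            if x not in fresh:
                continue
            if msg != (me, peer, x, s):
                return False
            if ("receive", me, (peer, me, y, peer)) not in trace[:i]:
                return False
    return True


def role_obligation(role, me="X", peer="Y"):
    """The rule's premises for one role: the invariant holds at Start (empty
    prefix) and is preserved by every step. Returns one verdict per prefix."""
    return [invariant_holds(*run_prefix(role, k, me, peer), me)
            for k in range(len(role) + 1)]


def hon_rule_applies(protocol):
    """Q |- Honest(X) => phi follows once every role of Q passes all its steps."""
    return all(all(role_obligation(role)) for role in protocol)


if __name__ == "__main__":
    print("CR:", hon_rule_applies([INIT_CR, RESP_CR]))
    print("bad responder:", role_obligation(BAD_RESP))
```

Because the invariant only mentions the thread's own sends and receives, checking it on the thread-local trace is enough; that locality is what makes the rule depend on the protocol's role programs and nothing else, which is also why the same obligation has to be redone for every protocol that wants to reuse the invariant.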
13. In More Detail
- PCL Proof Techniques
  - Modular proofs
  - Generic template-style proofs
14. Modular Analysis / Composition
[Figure: 802.11i setting with a Laptop, an Access Point and an Auth Server sharing a secret (PMK)]
802.11i Key Management: ~20 msgs in 4 components
[HSDDM CCS05 → TISSEC Special Issue]
15. Compositional Proofs: Intuition
- Protocol-specific reasoning
  - If honest Bob generates a signature of the form sig_B(m, n, A), he sends it as part of msg2
  - Could break: Bob's signature from one protocol could be used to attack another
  - PCL proof system: Invariant rule
- Protocol-independent reasoning
  - Axiom stating unforgeability of signatures
  - Still good: unaffected by composition
  - All other axioms and proof rules for PCL
16. Proof Tree
[Figure: proof tree. TLS ⊢ Inv is the bulk of the proof and is reused; 4WAY ⊢ Inv is the additional work; the INV rule gives TLS ∥ 4WAY ⊢ Inv; other rules take Inv to Auth (the security property), starting from an Axiom.]
Theorem: If Q1 ⊢ Inv and Q2 ⊢ Inv, then Q1 ∥ Q2 ⊢ Inv.
[DDMP CSF03 → JCS Special Issue, MFPS03]
17. Generic Template-style Proofs
- Protocols with function variables instead of specific cryptographic operations
- One template can be instantiated to many protocols
- Proof of template yields proofs for instances
- Motivating example
  - IKEv2: two instances based on symmetric and public-key cryptography
18. Protocol Template
Challenge-Response Template:
  A → B: m;  B → A: n, F(B, A, n, m);  A → B: G(A, B, n, m)
Instantiations:
- ISO-9798-2:  A → B: m;  B → A: n, E_KAB(n, m, B);  A → B: E_KAB(n, m)
- SKID3:       A → B: m;  B → A: n, H_KAB(n, m, B);  A → B: H_KAB(n, m, A)
- ISO-9798-3:  A → B: m;  B → A: n, sig_B(n, m, A);  A → B: sig_A(n, m, B)
19. Template Proof Method
- Characterizing protocol concepts
  - Step 1: Under hypotheses about function variables and invariants, prove the security property of the template
  - Step 2: Instantiate function variables to cryptographic operations and prove the hypotheses
- Benefit
  - Proof reuse
  - A single protocol can be an instance of multiple templates, allowing modular proofs
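Steps 1 and 2 of the template method, as an added example that is not from the slides: the challenge-response template of slide 18 with F and G as Python callables, the three instantiations, and a symbolic (Dolev-Yao style) check of one Step-2 hypothesis on F, namely that an attacker who watched a run cannot produce F(B, A, n', m') for nonces B never processed. The term encoding, the analysis rules (signature payloads are readable, ciphertexts only with the key, MAC and hash outputs reveal nothing), the attacker's starting knowledge and the unkeyed instantiation are my own assumptions, not the slides' or the standards' definitions.

```python
# Added example: the challenge-response template, its instantiations, and a
# Dolev-Yao style check of a Step-2 hypothesis. Encoding and names are my own.


def priv(x):
    return ("priv", x)            # X's private signing key


def shared(a, b):
    return ("key", a, b)          # K_AB shared between a and b


def template(F, G, a, b, m, n):
    """Template of slide 18: A->B: m;  B->A: n, F(B,A,n,m);  A->B: G(A,B,n,m)."""
    return [m, (n, F(b, a, n, m)), G(a, b, n, m)]


# Instantiations (each is a pair F, G). Operator tags are my encoding.
ISO_9798_3 = (lambda b, a, n, m: ("sig", priv(b), (n, m, a)),
              lambda a, b, n, m: ("sig", priv(a), (n, m, b)))
ISO_9798_2 = (lambda b, a, n, m: ("enc", shared(a, b), (n, m, b)),
              lambda a, b, n, m: ("enc", shared(a, b), (n, m)))
SKID3 = (lambda b, a, n, m: ("mac", shared(a, b), (n, m, b)),
         lambda a, b, n, m: ("mac", shared(a, b), (n, m, a)))
# Constructed weak instantiation: an unkeyed tag that anyone can recompute.
UNKEYED = (lambda b, a, n, m: ("hash", None, (n, m, b)),
           lambda a, b, n, m: ("hash", None, (n, m, a)))


def is_op(t):
    return isinstance(t, tuple) and len(t) == 3 and t[0] in ("sig", "enc", "mac", "hash")


def is_key(t):
    return isinstance(t, tuple) and t[:1] in (("priv",), ("key",))


def saturate(known):
    """Analysis closure of attacker knowledge: split tuples, read signature
    payloads, decrypt only with the key; MAC and hash outputs reveal nothing."""
    known = set(known)
    while True:
        new = set()
        for t in known:
            if not isinstance(t, tuple) or is_key(t):
                continue
            if is_op(t):
                if t[0] == "sig" or (t[0] == "enc" and t[1] in known):
                    new.add(t[2])
            else:
                new.update(t)
        if new <= known:
            return known
        known |= new


def derivable(target, known):
    """Synthesis: can the attacker build `target` from saturated knowledge?"""
    if target in known:
        return True
    if is_op(target):
        key, payload = target[1], target[2]
        return (key is None or derivable(key, known)) and derivable(payload, known)
    if isinstance(target, tuple) and not is_key(target):
        return all(derivable(t, known) for t in target)
    return False


def attacker_view(inst, a="A", b="B"):
    """What E knows after one full run between A and B, plus identities and
    E's own key material (E shares keys with A and with B, but not K_AB)."""
    F, G = inst
    wire = template(F, G, a, b, "m1", "n1")
    return saturate(set(wire) | {a, b, "E", priv("E"), shared(a, "E"), shared("E", b), "m2", "n2"})


def hypothesis_holds(inst, a="A", b="B"):
    """Step-2 hypothesis on F: E cannot produce F(B, A, n2, m2) for nonces B never
    processed, even after observing a run."""
    F, _ = inst
    return not derivable(F(b, a, "n2", "m2"), attacker_view(inst, a, b))


def can_replay(inst, a="A", b="B"):
    """The same attacker can always replay the F value it saw on the wire; the
    template binds the fresh nonces precisely so that replay does not help."""
    F, _ = inst
    return derivable(F(b, a, "n1", "m1"), attacker_view(inst, a, b))


if __name__ == "__main__":
    for name, inst in [("ISO-9798-3", ISO_9798_3), ("ISO-9798-2", ISO_9798_2),
                       ("SKID3", SKID3), ("unkeyed", UNKEYED)]:
        print(name, "hypothesis:", hypothesis_holds(inst), "replay:", can_replay(inst))
```

The three keyed instantiations discharge the hypothesis and the unkeyed one does not, which is the point of Step 2: the template proof (Step 1) never looks inside F, so anything a concrete F must guarantee has to be proved separately per instance, and a check like this one is where a weak instantiation is caught.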
20. Proof Structure
[Figure: proof tree for a template instance. The template's proof (from axioms and hypotheses up to the security property) is the bulk of the proof and is reused; the instance adds only the work of discharging the hypotheses.]
21. Summary
- PCL: logic for security protocols
  - Sound wrt symbolic and cryptographic models
  - High-level short proofs (2-3 pages)
- Proof techniques
  - Modular/compositional proofs
  - Generic template-style proofs
- Proofs of industrial protocols
  - IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2 (unpublished), Mobile IPv6 (in progress)
22. Acknowledgements
- PCL Design
  - A. Datta, A. Derek, N. Durgin, J. C. Mitchell, D. Pavlovic, A. Roy
- Computational PCL Design
  - A. Datta, A. Derek, J. C. Mitchell, A. Roy, M. Turuani, V. Shmatikov, B. Warinschi
- PCL Applications (in addition)
  - M. Backes, I. Cervasato, C. He, C. Meadows, M. Sundararajan
- PCL Project Page
  - http://www.stanford.edu/~danupam/logic-derivation.html
23. Thanks!
24. Attacks on Industry Standards
- IKE [Meadows 1999]: reflection attack; fix adopted by IETF WG
- IEEE 802.11i [He, Mitchell 2004]: DoS attack; fix adopted by IEEE WG
- GDOI [Meadows, Pavlovic 2004]: composition attack; fix adopted by IETF WG
- Kerberos V5 [Scedrov et al 2005]: identity misbinding attack; fix adopted by IETF WG; Windows update released by Microsoft
Identified using logical methods.
25. Protocol Analysis Techniques
[Figure: taxonomy of cryptographic protocol analysis]
- Formal models (Dolev-Yao, perfect cryptography)
  - Protocol logics: BAN, PCL
  - Model checking (bug finding): FDR, Murphi, Athena, NRL, Brutus, OFMC
  - Theorem proving (correctness proofs): Inductive Method, Automating BAN, TAPS, Automating PCL
  - Process calculi: Spi-calculus, Applied π-calculus
- Cryptographic models
  - Probabilistic Interactive TM, Probabilistic process calculi, Probabilistic I/O automata, Computational PCL
26. Communication Setting
[Figure: the attacker has full control of the insecure network]
27. Open Problems in 2000
- Background
  - Precise model of protocol execution
  - Methods applied to simple protocols [Clark-J97]
- Central open problems
  - Develop methods for industrial protocols
    - [Mea99, Pau99] exceptions: SET, IKE, Kerberos
    - Compositional analysis technique required for practice
  - Cryptographic soundness
    - Remove the perfect cryptography assumption
    - Analysis should be sound wrt the complexity-theoretic model of cryptography
28. PCL Syntax
- Action formulas
  a ::= Send(P, t) | Receive(P, t)
- Formulas
  φ ::= a | Has(P, t) | Honest(N) | ¬φ | φ1 ∧ φ2 | ∃x φ | a < a
- Modal formula
  φ [actions]_P φ
- Example (specifying secrecy)
  Has(X, secret) ⊃ (X = A ∨ X = B)
29. Compositional Security
[Figure: protocol Q running in a safe environment alongside Q1, Q2, Q3, ..., Qn]
- Modularity in CS
  - Programming languages
  - Distributed computing
  - Hardware verification
- Different from
  - Assume-guarantee in distributed computing [MC81]
  - Universal Composability [C01, PW01]
Hard problem in security!
30. Protocol Analysis Spectrum
[Figure: techniques plotted by strength of attacker model (Low to High) against protocol complexity (Low to High). Labels: BAN logic; Model checking (Murphi, FDR); NRL; Athena; Paulson; PCL; Spi-calculus; Multiset rewriting; Poly-time calculus; Computational PCL; Hand proofs; "Combining logic and cryptography" (BPW, MW, Herz, Blan); "Divide and conquer"; "Holy Grail".]