Proving Security of Industrial Network Protocols: Theory and Practice - PowerPoint PPT Presentation

Slides: 31
Provided by: Anupam73

Transcript and Presenter's Notes


1
Proving Security of Industrial Network Protocols
Theory and Practice
  • Anupam Datta
  • Stanford University
  • Oakland PC Crystal Ball Workshop
  • January 2007

2
Security Protocol Analysis
  • Network security protocols
  • Industry Standards (IETF, IEEE)
  • SSL/TLS - web authentication
  • IPSec - corporate VPNs
  • Mobile IPv6 routing security
  • Kerberos - network authentication
  • GDOI secure group communication
  • 802.11i - wireless LAN security
  • Methods for their security analysis
  • Security proof in some model or
  • Identify attacks

3
Our Result
  • Protocol Composition Logic (PCL)
  • Unbounded number of sessions (vs. model-checking)
  • Short high-level proofs 2-3 pages
  • Sound wrt symbolic and computational
    cryptographic models
  • Taught in security courses (alternative to BAN)
    CMU, Penn, Stanford, Texas

DMP01, DDMP03, , RDDM06
4
PCL Big Picture
High-level proof principles
  • PCL
  • Syntax (Properties)
  • Proof System (Proofs)
  • Computational PCL
  • Syntax ?
  • Proof System ?

Soundness Theorem (Induction)
Soundness Theorem (Reduction)
BPW, MW,
  • Symbolic Model
  • PCL Semantics
  • (Meaning of formulas)
  • Cryptographic Model
  • PCL Semantics
  • (Meaning of formulas)

Unbounded concurrent sessions
Polynomial concurrent sessions
5
PCL Results: Industrial Protocols
  • IEEE 802.11i [IEEE Standards 2004] [HSDDM05]
  • TLS/SSL [RFC 2246] is a component
  • (Attack using model-checking; fix adopted by WG)
  • GDOI Secure Group Communication [RFC 3547] [MP04]
  • (Attack using PCL; fix adopted by IETF WG)
  • Kerberos V5 [IETF ID 2004] [CMP05, RDDM06]
  • Mobile IPv6 [RFC 3775], in progress [RDM06]
  • IKE/JFK family
  • IKEv2 [IETF ID 2004], in progress [RDM06]

Except Kerberos, results currently apply only to the symbolic model
6
PCL Proof Techniques
  • Modular Proofs [DDMP03, HSDDM05]
  • Useful for protocols composed from multiple
    components, e.g. IEEE 802.11i has 4 components
    including TLS
  • Sequential, parallel, staged composition
  • Generic Template-style Proofs [DDMP04]
  • Useful for protocols with multiple modes but
    similar abstract structure, e.g. IKEv2 has two
    modes based on symmetric and public-key
    cryptography

7
In More Detail
  • Protocol Programming Language
  • Protocol Composition Logic
  • Syntax: stating security properties
  • Trace semantics: property holds in (almost) all
    runs of protocol
  • Proof System
  • Axioms and rules: used to prove security
  • High-level proof principles

8
Example: Challenge-Response
$A \to B:\ m, A$
$B \to A:\ n, \mathrm{sig}_B(m, n, A)$
$A \to B:\ \mathrm{sig}_A(m, n, B)$
  • Alice reasons: if Bob is honest, then
  • only Bob can generate his signature (protocol independent)
  • if Bob generates a signature of the form $\mathrm{sig}_B(m, n, A)$,
  • he sends it as part of msg2 of the protocol, and
  • he must have received msg1 from Alice (protocol specific)
  • Alice deduces: $\mathrm{Received}(B, \mathit{msg1}) \wedge \mathrm{Sent}(B, \mathit{msg2})$

9
Challenge-Response Programs
$A \to B:\ m, A$
$B \to A:\ n, \mathrm{sig}_B(m, n, A)$
$A \to B:\ \mathrm{sig}_A(m, n, B)$

InitCR(A, X):
    new m
    send A, X, m, A
    receive X, A, x, sigX(m, x, A)
    send A, X, sigA(m, x, X)
    <>

RespCR(B):
    receive Y, B, y, Y
    new n
    send B, Y, n, sigB(y, n, Y)
    receive Y, B, sigY(y, n, B)
    <>
10
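Challenge-Response Property
  • Specifying authentication for Initiator using PCL
    syntax

$$
\begin{aligned}
\mathrm{true}\ [\mathrm{InitCR}(A, B)]_A\ \mathrm{Honest}(B) \supset (\ & \mathrm{Send}(A, A,B,m)\ \wedge \\
& \mathrm{Receive}(B, A,B,m)\ \wedge \\
& \mathrm{Send}(B, B,A,n, \mathrm{sig}_B(m, n, A))\ \wedge \\
& \mathrm{Receive}(A, B,A,n, \mathrm{sig}_B(m, n, A))\ )
\end{aligned}
$$

Semantics: property should hold in (almost) all
protocol runs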
11
PCL Proof System
  • Sample Axiom
  • Property of signature
  • $\mathrm{Honest}(X) \wedge \mathrm{Verifies}(Y, \mathrm{sig}_X(m)) \supset \exists m'.\ (\mathrm{Sent}(X, m') \wedge \mathrm{Contains}(m', \mathrm{sig}_X(m)))$
  • Sample proof rules
  • First-order logic rules
  • Induction rule (next slide)
  • Soundness Theorem
  • If $\varphi$ is provable, then $\varphi$ holds in all protocol
    runs
  • Established using induction for symbolic and
    reduction for cryptographic model

Step 1 of CR proof
12
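Inductive Invariant Rule Scheme
  • $\forall$ steps $A$ of protocol $Q$:
  • $\mathrm{Start}(X)\ [\ ]_X\ \varphi \qquad \varphi\ [A]_X\ \varphi$
  • $Q \vdash \mathrm{Honest}(X) \supset \varphi$
  • Example
  • $CR \vdash \mathrm{Honest}(X) \supset (\mathrm{Send}(X, m) \wedge \mathrm{Contains}(m, \mathrm{sig}_x(y, x, Y)) \supset m = X, Y, x, \mathrm{sig}_B(y, x, Y) \wedge \mathrm{Receive}(X, Y, X, y, Y))$
  • Note: Rule depends on protocol

Step 2 of CR proof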
13
In More Detail
  • PCL Proof Techniques
  • Modular Proofs
  • Generic Template-style Proofs

14
Modular Analysis / Composition
Auth Server
Laptop
Access Point
(Shared Secret-PMK)
802.11i Key Management: ~20 msgs in 4 components
[HSDDM CCS05] -> TISSEC Special Issue
15
Compositional Proofs: Intuition
  • Protocol specific reasoning
  • if honest Bob generates a signature of the form
  • $\mathrm{sig}_B(m, n, A)$,
  • he sends it as part of msg2
  • Could break: Bob's signature from one protocol
    could be used to attack another
  • PCL proof system: Invariant rule
  • Protocol independent reasoning
  • Axiom stating unforgeability of signatures
  • Still good: unaffected by composition
  • All other axioms and proof rules for PCL

16
Proof Tree
[Figure: proof tree. Node labels: TLS 4WAY - Inv; TLS - Inv; Inv -Auth; Inv; Axiom; INV rule; Other rules; Auth (security property). Annotations: "Bulk of proof reused"; "Additional work to prove 4WAY - Inv".]
Theorem: If Q - Inv and Q - Inv, then Q Q - Inv
[DDMP CSF03] -> JCS Special Issue, MFPS03
17
Generic Template-style Proofs
  • Protocols with function variables instead of
    specific cryptographic operations
  • One template can be instantiated to many
    protocols
  • Proof of template yields proofs for instances
  • Motivating example
  • IKEv2 two instances based on symmetric and
    public-key cryptography

18
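Protocol Template
Challenge-Response Template
$A \to B:\ m$
$B \to A:\ n, F(B,A,n,m)$
$A \to B:\ G(A,B,n,m)$

Instantiations (labelled on the slide: ISO-9798-2, ISO-9798-3, SKID3)

$A \to B:\ m$
$B \to A:\ n, E_{K_{AB}}(n,m,B)$
$A \to B:\ E_{K_{AB}}(n,m)$

$A \to B:\ m$
$B \to A:\ n, H_{K_{AB}}(n,m,B)$
$A \to B:\ H_{K_{AB}}(n,m,A)$

$A \to B:\ m$
$B \to A:\ n, \mathrm{sig}_B(n,m,A)$
$A \to B:\ \mathrm{sig}_A(n,m,B)$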
19
Template Proof Method
  • Characterizing protocol concepts
  • Step 1 Under hypotheses about function variables
    and invariants, prove security property of
    template
  • Step 2 Instantiate function variables to
    cryptographic operations and prove hypotheses.
  • Benefit
  • Proof reuse
  • Single protocol can be instance of multiple
    templates allowing modular proofs
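
Added example (not part of the original slides): a runnable sketch of why Step 2 matters, using the first two messages of the slide-18 template with F as a function variable. The HMAC-based `H`, the key `KEY`, the `F_unbound` instance and all function names are assumptions made for illustration; the slide-10 trace property holds for the H_KAB(n,m,B) instance and fails for an instance whose hypothesis (F binds A's fresh m) cannot be discharged.

```python
import hashlib
import hmac
import os

KEY = os.urandom(32)  # constructed shared key K_AB (assumption)

def H(*fields):
    """Keyed hash over length-prefixed fields, standing in for H_KAB."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(KEY, data, hashlib.sha256).digest()

def F_bound(b, a, n, m):      # slide-18 row: H_KAB(n, m, B)
    return H(n, m, b)
def F_unbound(b, a, n, m):    # hypothetical instance that leaves out m
    return H(n, b)

def run_initiator(F, A, B, channel):
    """A -> B: m ; B -> A: n, F(B,A,n,m), with `channel` delivering msg2.
    Returns (accepted, trace); trace events are (action, principal, payload)."""
    m = os.urandom(16)
    trace = [("Send", A, (m,)), ("Receive", B, (m,))]
    n = os.urandom(16)                       # honest B answers the challenge
    trace.append(("Send", B, (n, F(B, A, n, m))))
    n_rx, tag_rx = channel(trace[-1][2])
    # A recomputes F over its own fresh m and the n it received.
    accepted = hmac.compare_digest(tag_rx, F(B, A, n_rx, m))
    if accepted:
        trace.append(("Receive", A, (n_rx, tag_rx)))
    return accepted, trace

def matching_conversation(trace, A, B):
    """Slide-10 property: the msg2 that A accepted was sent by B in this
    run, after B received A's msg1. Vacuously true if A did not accept."""
    got = [p for act, who, p in trace if (act, who) == ("Receive", A)]
    if not got:
        return True
    msg1 = trace[0][2]
    wanted = [("Send", A, msg1), ("Receive", B, msg1),
              ("Send", B, got[0]), ("Receive", A, got[0])]
    events = iter(trace)
    return all(w in events for w in wanted)  # ordered subsequence test

def check_instance(F, A=b"A", B=b"B"):
    """Deliver a msg2 recorded in one run into a second run of the same
    instance; return (accepted, property_holds) for the second run."""
    recorded = []
    run_initiator(F, A, B, lambda msg2: recorded.append(msg2) or msg2)
    accepted, trace = run_initiator(F, A, B, lambda msg2: recorded[0])
    return accepted, matching_conversation(trace, A, B)
```

`check_instance(F_bound)` returns `(False, True)`: the stale message is rejected, so the property is never at risk. `check_instance(F_unbound)` returns `(True, False)`: A accepts a msg2 that B did not send in that run.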

20
Proof Structure
[Figure: proof structure relating Template and Instance. Leaf labels: axiom; hypothesis. Annotations: "Bulk of proof reused"; "Additional work to discharge hypotheses".]
21
Summary
  • PCL Logic for security protocols
  • Sound wrt symbolic and cryptographic models
  • High-level short proofs 2-3 pages
  • Proof techniques
  • Modular/compositional proofs
  • Generic template-style proofs
  • Proofs of industrial protocols
  • IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2
    (unpublished), Mobile IPv6 (in progress)

22
Acknowledgements
  • PCL Design
  • A. Datta, A. Derek, N. Durgin, J. C. Mitchell, D.
    Pavlovic, A. Roy
  • Computational PCL Design
  • A. Datta, A. Derek, J. C. Mitchell, A. Roy, M.
    Turuani, V. Shmatikov, B. Warinschi
  • PCL Applications (in addition)
  • M. Backes, I. Cervesato, C. He, C. Meadows, M.
    Sundararajan
  • PCL Project Page
  • http://www.stanford.edu/danupam/logic-derivation.html

23
Thanks!
  • Questions?

24
Attacks on Industry Standards
  • IKE [Meadows 1999]
  • Reflection attack; fix adopted by IETF WG
  • IEEE 802.11i [He, Mitchell 2004]
  • DoS attack; fix adopted by IEEE WG
  • GDOI [Meadows, Pavlovic 2004]
  • Composition attack; fix adopted by IETF WG
  • Kerberos V5 [Scedrov et al 2005]
  • Identity misbinding attack; fix adopted by IETF
    WG; Windows update released by Microsoft

Identified using logical methods
25
Protocol Analysis Techniques
Cryptographic Protocol Analysis
  • Formal Models: Dolev-Yao (perfect cryptography)
  • Protocol Logics: BAN, PCL
  • Model Checking: FDR, Murphi, Athena, NRL, Brutus, OFMC
  • Theorem Proving: Inductive Method, Automating BAN, TAPS, Automating PCL
  • Process Calculi: Spi-calculus, Applied π-calculus
  • Cryptographic Models: Probabilistic Interactive TM, Probabilistic
    process calculi, Probabilistic I/O automata, Computational PCL

Bug finding
Correctness Proofs
26
Communication Setting

Full Control
Insecure network
27
Open Problems in 2000
  • Background
  • Precise model of protocol execution
  • Methods applied to simple protocols Clark-J97
  • Central open problems
  • Develop methods for industrial protocols
  • Mea99, Pau99 exceptions SET, IKE, Kerberos
  • Compositional analysis technique required for
    practice
  • Cryptographic soundness
  • Remove perfect cryptography assumption
  • Analysis should be sound wrt complexity-theoretic
    model of cryptography

28
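PCL Syntax
  • Action formulas
  • $a ::= \mathrm{Send}(P,t) \mid \mathrm{Receive}(P,t)$
  • Formulas
  • $\varphi ::= a \mid \mathrm{Has}(P,t) \mid \mathrm{Honest}(N) \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \exists x\, \varphi \mid a < a$
  • Modal formula
  • $\varphi\ [\mathit{actions}]_P\ \varphi$
  • Example
  • $\mathrm{Has}(X, \mathit{secret}) \supset (X = A \vee X = B)$

Specifying secrecy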
29
Compositional Security
Safe Environment for Q
  • Modularity in CS
  • Programming Languages
  • Distributed computing
  • Hardware verification

Q1
Q2
Q3
Qn
  • Different from
  • Assume-guarantee in distributed computing MC81
  • Universal Composability C01, PW01

Protocol Q
Hard problem in security!
30
Protocol Analysis Spectrum
Combining logic and cryptography

[Figure: approaches plotted on two axes, protocol complexity (low to high) and strength of attacker model (low to high). Labels: BPW, MW, Herz, Blan; Hand proofs; Computational PCL; Divide and conquer; Holy Grail; Poly-time calculus; Multiset rewriting; Spi-calculus; PCL; Athena; Paulson; NRL; BAN logic; Model checking; Murphi; FDR.]