Symbolic and Computational Analysis of Network Protocol Security - PowerPoint PPT Presentation

1
Symbolic and Computational Analysis of Network
Protocol Security
  • John Mitchell
  • Stanford University

Asian 2006
2
Outline
  • Protocols
  • Some examples, some intuition
  • Symbolic analysis of protocol security
  • Models, results, tools
  • Computational analysis
  • Communicating Turing machines, composability
  • Combining symbolic, computational analysis
  • Some alternate approaches
  • Protocol Composition Logic (PCL)
  • Symbolic and computational semantics

3
Many Protocols
  • Authentication
    • Kerberos
  • Key Exchange
    • SSL/TLS handshake, IKE, JFK, IKEv2, ...
  • Wireless and mobile computing
    • Mobile IP, WEP, 802.11i
  • Electronic commerce
    • Contract signing, SET, electronic cash, ...

See http://www.lsv.ens-cachan.fr/spore/ and http://www.avispa-project.org/library
4
Mobile IPv6 Architecture
[Figure: Mobile Node (MN), Home Agent (HA), Corresponding Node (CN); the MN reaches the CN over a direct connection set up via a binding update]
  • Authentication is a requirement
  • Early proposals weak
5
802.11i Wireless Authentication
[Figure: supplicant state progression]
  • Supplicant UnAuth/UnAssoc, 802.1X Blocked, No Key
  • 802.11 Association
  • MSK
  • 4-Way Handshake
  • Group Key Handshake
  • Supplicant Auth/Assoc, 802.1X UnBlocked, PTK/GTK
6
IKE subprotocol from IPSEC
  • A → B: A, (g^a mod p)
  • B → A: B, (g^b mod p), sign_B(m1, m2)
  • A → B: sign_A(m1, m2)
Result: A and B share secret g^ab mod p
Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks

7
Run of a protocol
[Figure: one run of the protocol between A and B]
Correct if no security violation in any run
8
Protocol analysis methods
  • Cryptographic reductions
    • Bellare-Rogaway, Shoup, many others
    • UC [Canetti et al], Simulatability [BPW]
    • Prob poly-time process calculus [LMRST]
  • Symbolic methods (see also http://www.avispa-project.org/)
    • Model checking
      • FDR [Lowe, Roscoe, ...], Murphi [M, Shmatikov, ...]
    • Symbolic search
      • NRL protocol analyzer [Meadows]
    • Theorem proving
      • Isabelle [Paulson], Specialized logics [BAN, ...]

9
The Symbolic Model
  • Messages are algebraic expressions
    • Nonce, Encrypt(K,M), Sign(K,M), ...
  • Adversary
    • Nondeterministic
    • Observe, store, direct all communication
    • Break messages into parts
    • Encrypt, decrypt, sign only if it has the key
      • Example: from ⟨K1, Encrypt(K1, 'hi')⟩ the adversary obtains K1 and Encrypt(K1, 'hi'), and then, holding K1, 'hi'
    • Send messages derivable from stored parts
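The derivation rules on this slide (break pairs apart, decrypt only with the key, build new messages from stored parts) are what a symbolic, Dolev-Yao style adversary can do. The following Python is an added example, not code from the talk: it closes a knowledge set under the break-apart rules and then checks whether a goal term can be synthesized. The term encoding (tagged tuples), the `pk`/`sk` key pairing and the `inv` rule are this example's own assumptions.

```python
# Added example (not from the slides): a small Dolev-Yao style derivation engine.
# Terms are atoms (strings) or tagged tuples; the adversary first breaks stored
# messages into parts (analysis) and then builds new messages from what it holds
# (synthesis). Term constructors and the inverse-key rule are this example's own
# assumptions, not notation from the talk.

def pair(a, b):
    return ("pair", a, b)

def enc(k, m):
    # Encrypt(K, M): public-key when k is ("pk", X), otherwise symmetric.
    return ("enc", k, m)

def pk(x):
    return ("pk", x)

def sk(x):
    return ("sk", x)

def inv(k):
    # The key needed to open something encrypted under k.
    if isinstance(k, tuple) and k[0] == "pk":
        return ("sk", k[1])
    return k  # symmetric keys are their own inverse

def analyze(knowledge):
    """Close a set of terms under the break-apart rules: split pairs and
    decrypt only when the adversary already holds the decryption key."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                for part in t[1:]:
                    if part not in known:
                        known.add(part)
                        changed = True
            elif t[0] == "enc" and inv(t[1]) in known and t[2] not in known:
                known.add(t[2])
                changed = True
    return known

def derivable(knowledge, goal):
    """Can the adversary send `goal`? It may reuse any analysed part, pair
    derivable terms, and encrypt/sign only with keys it can derive."""
    known = analyze(knowledge)

    def synth(t):
        if t in known:
            return True
        if isinstance(t, tuple) and t[0] in ("pair", "enc"):
            return synth(t[1]) and synth(t[2])
        return False

    return synth(goal)

if __name__ == "__main__":
    # The slide's example: holding K1 and Encrypt(K1, 'hi') yields 'hi'.
    print(derivable({"K1", enc("K1", "hi")}, "hi"))       # True
    print(derivable({enc("K1", "hi")}, "hi"))             # False
    # Without Bob's private key, a message encrypted for Bob stays opaque.
    print(derivable({pk("B"), enc(pk("B"), pair("A", "Na"))}, "Na"))  # False
```

The analysis loop is a fixed point: a key released by one decryption may unlock a ciphertext seen earlier, so the scan repeats until nothing new is added. Synthesis is recursive on the goal, which is exactly why the symbolic adversary is a finite, inductively defined object, in contrast to the computational adversary discussed later in the talk.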

10
Many formulations
  • Word problems [Dolev-Yao, Dolev-Even-Karp, ...]
    • Each protocol step is a symbolic function from input message to output message; cancellation law d_k(e_k(x)) = x
  • Rewrite systems [CDLMS, ...]
    • Each protocol step is a symbolic function from state and input message to state and output message
  • Logic programming [Meadows NRL Analyzer]
    • Each protocol step can be defined by logical clauses
    • Resolution used to perform reachability search
  • Constraint solving [Amadio-Lugiez, ...]
    • Write set constraints defining messages known at step i
  • Strand space model [MITRE]
    • Partial order (Lamport causality), reasoning methods
  • Process calculus (CSP, Spi-calculus, applied π, ...)
    • Each protocol step is a process that reads, writes on a channel
    • Spi-calculus: use ν for new values, private channels, simulate crypto

11
Complexity results (see Cortier et al)

                      | Bounded # of sessions | Unbounded # of sessions, without nonces | Unbounded # of sessions, with nonces
General               | Co-NP complete        | undecidable                             | undecidable
Bounded msg length    | Co-NP complete        | DEXP-time complete                      | undecidable
Tagged                | Co-NP complete        | exptime                                 | decidable
One-copy              | Co-NP complete        | DEXP-time complete                      |
Ping-pong protocols   | Co-NP complete        | Ptime                                   | Ptime

Additional results for variants of basic model (AC, xor, modular exp, ...)
12
Many protocol case studies
  • Murphi [Shmatikov, He, ...]
    • SSL, Contract signing, 802.11i, ...
  • Meadows NRL tool
    • Participation in IETF, IEEE standards
    • Many important examples
  • Paulson inductive method [Scedrov et al]
    • Kerberos, SSL, SET, many more
  • Protocol logic
    • BAN logic and successors (GNY, SvO, ...)
    • DDMP

Automated tools based on the symbolic model detect important, nontrivial bugs in practical, deployed, and standardized protocols
13
Computational model I
[Figure: Alice and Bob as machines with oracle tapes; the Adversary with an input tape and a work tape]
Bellare-Rogaway, Shoup, ...
14
Computational model II
[Figure: protocol parties and the Adversary, each a Turing machine]
Canetti, ...
15
Computational model III
[Figure: protocol parties and the Adversary as programs in a process calculus, e.g. In(c, x).Send(...), In(d, y).new z.Send(y, z, ...), In(c, encrypt(k, ...))]
Micciancio-Warinschi, ...
16
Computational security encryption
  • Several standard conditions on encryption
  • Passive adversary
  • Semantic security
  • Chosen ciphertext attacks (CCA1)
  • Adversary can ask for decryption before receiving
    a challenge ciphertext
  • Chosen ciphertext attacks (CCA2)
  • Adversary can ask for decryption before and after
    receiving a challenge ciphertext
  • Computational model offers more choices than the
    symbolic model

17
Passive Adversary
[Figure: Challenger/Attacker game for a passive adversary]
18
Chosen ciphertext CCA1
[Figure: Challenger/Attacker game with decryption queries before the challenge ciphertext]
19
Chosen ciphertext CCA2
[Figure: Challenger/Attacker game with decryption queries before and after the challenge ciphertext]
20
Slide: R. Canetti
  • Equivalence-based methods: UC, RSIM
[Figure: protocol execution among parties P1, P2, P3, P4]
21
Can we have best of both worlds?

                    | Symbolic model [NS78, DY84, ...]                                                   | Complexity-theoretic model [GM84, ...]
Attacker actions    | Fixed set of actions, nondeterminism (ABSTRACTION)                                 | Any probabilistic poly-time computation
Security properties | Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION) | Fine-grained, e.g., secret message = no partial information about bitstring representation
Analysis methods    | Successful array of tools and techniques; compositionality                         | Hand-proofs are difficult, error-prone, unsystematic; no automation
22
Some relevant approaches
  • Simulation framework
  • Backes, Pfitzmann, Waidner
  • Correspondence theorems
  • Micciancio, Warinschi
  • Kapron-Impagliazzo logics
  • Abadi-Rogaway passive equivalence
  • ? (K2,01K3) , ? (101K2,K5 )K2,
    K6K4K5 ? ?
  • ? ? (K2, ? ) , ? (101K2,K5 )K2, ?
    K5 ? ?
  • ? ? (K1, ? ) , ? (101K1,K5 )K1, ?
    K5 ? ?
  • ? ? (K1,K1K7) , ? (101K1,K5 )K1,
    K6K7K5 ? ?
  • Proposed as start of larger plan for computational soundness

[Abadi-Rogaway00, ..., Adao-Bana-Scedrov05]
23
Symbolic methods → complexity results
  • Pereira and Quisquater, CSFW 2001, 2004
    • Studied authenticated group Diffie-Hellman protocols
    • Found symbolic attack in Cliques SA-GDH.2 protocol
    • Proved no protocol of certain type is secure, for > 3 participants
  • Micciancio and Panjwani, EUROCRYPT 2004
    • Lower bound for class of group key establishment protocols using purely Dolev-Yao reasoning
    • Model pseudo-random generators, encryption symbolically
    • Lower bound is tight: matches a known protocol

24
Rest of talk: Protocol composition logic
[Figure: honest principals and an attacker exchanging Send/Receive messages; each principal runs a protocol and holds private data]
  • Alice's information
    • Protocol
    • Private data
    • Sends and receives

Logic has symbolic and computational semantics
25
Example
  • A → B: {A, Nonce_a}_Kb
  • B → A: {Nonce_a, ...}_Ka
  • Alice assumes that only Bob has Kb^-1
  • Alice generated Nonce_a and knows that some X decrypted the first message
  • Since only X knows Kb^-1, Alice knows X = Bob

26
More subtle example: Bob's view
  • A → B: {A, Nonce_a}_Kb
  • B → A: {Nonce_a, B, Nonce_b}_Ka
  • A → B: {Nonce_b}_Kb
  • Bob assumes that Alice follows the protocol
  • Since Alice responds to the second message, Alice must have sent the first message

27
Execution model
  • Protocol
    • Program for each protocol role
  • Initial configuration
    • Set of principals and keys
    • Assignment of ≥1 role to each principal
  • Run
[Figure: a run with principals A, B, C: A does new x, send {x}_B; B does recv {x}_B, decr, and later recv {z}_B; C does new z, send {z}_B; a position in the run is marked]
28
Formulas true at a position in run
  • Action formulas
    • a ::= Send(P,m) | Receive(P,m) | New(P,t) | Decrypt(P,t) | Verify(P,t)
  • Formulas
    • φ ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | ¬φ | φ1 ∧ φ2 | ∃x φ | ...
  • Example
    • a < b ≡ ◇(b ∧ ◇a)

Notation in papers varies slightly
29
Modal Formulas
  • After actions, condition
    • [actions]_P φ, where P ∈ ⟨princ, role id⟩
  • Before/after assertions
    • θ [actions]_P φ
  • Composition rule
    • from θ [S]_P φ and φ [T]_P ψ conclude θ [ST]_P ψ

Logic formulated in [DMP, DDMP]; related to BAN, Floyd-Hoare, CSP/CCS, temporal logic, NPATRL
30
Example: Bob's view of NSL
  • Bob knows he's talking to Alice
  • [ receive encrypt( Key(B), ⟨A, m⟩ );
    new n;
    send encrypt( Key(A), ⟨m, B, n⟩ );
    receive encrypt( Key(B), n ) ]_B
    Honest(A) ⊃ Csent(A, msg1) ∧ Csent(A, msg3)
  • where Csent(A, m) ≡ Created(A, m) ∧ Sent(A, m)

31
Proof System
  • Sample Axioms
    • Reasoning about possession
      • [receive m]_A Has(A, m)
      • Has(A, ⟨m, n⟩) ⊃ Has(A, m) ∧ Has(A, n)
    • Reasoning about crypto primitives
      • Honest(X) ∧ Decrypt(Y, enc(X, m)) ⊃ X = Y
      • Honest(X) ∧ Verify(Y, sig(X, m)) ⊃ ∃m' (Send(X, m') ∧ Contains(m', sig(X, m)))
  • Soundness Theorem
    • Every provable formula is valid in the symbolic model

32
Modal Formulas
  • After actions, condition
    • [actions]_P φ, where P ∈ ⟨princ, role id⟩
  • Before/after assertions
    • θ [actions]_P φ
  • Composition rule
    • from θ [S]_P φ and φ [T]_P ψ conclude θ [ST]_P ψ

33
Composition example, Part 1
Diffie-Hellman
  • A → B: g^a
  • B → A: g^b
  • Shared secret (with someone)
    • A deduces: Knows(Y, g^ab) ⊃ (Y = A) ∨ Knows(Y, b)
  • Authenticated

34
Composition example, Part 2
Challenge-Response
  • A → B: m, A
  • B → A: n, sig_B{m, n, A}
  • A → B: sig_A{m, n, B}
  • Shared secret
  • Authenticated
    • A deduces: Received(B, msg1) ∧ Sent(B, msg2)

35
Composition, Part 3
ISO-9798-3 (with m = g^a, n = g^b)
  • A → B: g^a, A
  • B → A: g^b, sig_B{g^a, g^b, A}
  • A → B: sig_A{g^a, g^b, B}
  • Shared secret: g^ab
  • Authenticated

36
Additional issues
  • Reasoning about honest principals
  • Invariance rule, called honesty rule
  • Preserve invariants under composition
  • If we prove Honest(X) ⊃ φ for protocol 1 and compose with protocol 2, is the formula still true?

37
More about composing protocols
[Figure: composing DH with CR]
  • DH ⊢ Honest(X) ⊃ Γ_DH,   CR ⊢ Honest(X) ⊃ Γ_CR
  • Γ_DH ⊢ DH: Secrecy;   Γ_CR ⊢ CR: Authentication
  • Nondestructive: DH also preserves Γ_CR and CR also preserves Γ_DH, so neither invariant is broken by the other protocol
  • Additive: Secrecy ∧ Authentication
  • ISO ⊢ Secrecy ∧ Authentication
38
PCL → Computational PCL
  • PCL
    • Syntax
    • Proof System
    • Symbolic model
    • Semantics
  • Computational PCL
    • Syntax (mostly the same)
    • Proof System (mostly the same)
    • Complexity-theoretic model
    • Semantics

39
Some general issues
  • Computational PCL
  • Symbolic logic for proving security properties of
    network protocols using public-key encryption
  • Soundness Theorem
  • If a property is provable in CPCL, then property
    holds in computational model with overwhelming
    asymptotic probability.
  • Benefits
  • Retain compositionality
  • Symbolic proofs about computational model
  • Computational reasoning in soundness proof
    (only!)
  • Different axioms rely on different crypto
    assumptions
  • symbolic → computational generally uses strong crypto assumptions

40
PCL ? Computational PCL
  • Syntax, proof rules mostly the same
  • Retain compositional approach
  • But some issues with propositional connectives
  • Significant differences
  • Symbolic knowledge
  • Has(X,t) X can produce t from msgs that have
    been observed, by symbolic algorithm
  • Computational knowledge
  • Possess(X,t) can produce t by ppt algorithm
  • Indist(X,t) cannot distinguish from rand value
    in ppt
  • More subtle system
  • Some axioms rely on CCA2, some info-theoretically
    sound, etc.

41
Computational Traces
  • Computational trace contains
  • Symbolic actions of honest parties
  • Mapping of symbolic variables to bitstrings
  • Send-receive actions (only) of the adversary
  • Runs of the protocol
  • Set of all possible traces
  • Each tagged with random bits used to generate
    trace
  • Tagging → set of equi-probable traces

42
Complexity-theoretic semantics
  • Given protocol Q, adversary A, security parameter n, define
    • T = T(Q, A, n), the set of all possible traces
    • ‖φ‖(T), a subset of T that respects φ in a specific way
  • Intuition: φ valid when ‖φ‖(T) is an asymptotically overwhelming subset of T

43
Semantics of trace properties
  • Defined in a straightforward way
  • ‖Send(X, m)‖(T) = all traces t such that
    • t contains a Send(msg) action by X
    • the bitstring value of msg is the bitstring value of m

44
Inductive Semantics
  • ‖φ1 ∧ φ2‖(T) = ‖φ1‖(T) ∩ ‖φ2‖(T)
  • ‖φ1 ∨ φ2‖(T) = ‖φ1‖(T) ∪ ‖φ2‖(T)
  • ‖¬φ‖(T) = T − ‖φ‖(T)
  • Implication uses a form of conditional probability
    • ‖φ1 ⊃ φ2‖(T) = ‖¬φ1‖(T) ∪ ‖φ2‖(T'), where T' = ‖φ1‖(T)

45
Semantics of Indistinguishable
  • Not a trace property
  • Intuition: Indist(X, m) holds if no algorithm can distinguish m from a random value, given X's view of the run

‖Indist(X, m)‖(T, D, ε) = T if | #{t ∈ T : D guesses the challenge bit b correctly} − |T|/2 | < ε, and ∅ otherwise
46
Validity of a formula
  • Q ⊨ φ if ∀ adversary A ∀ distinguisher D ∃ negligible function f ∃ n0 s.t. ∀n > n0:
    |‖φ‖(T, D, f(n))| / |T| > 1 − f(n)
    (the fraction of traces where φ is true)
  • Fix protocol Q, PPT adversary A
  • Choose value of security parameter n
  • Vary random bits used by all programs
  • Obtain set T = T(Q, A, n) of equi-probable traces
[Figure: T(Q, A, n) with the subset ‖φ‖(T, D, f) marked]
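The three slides above (inductive semantics, Indistinguishable, validity) define formulas as subsets of a finite trace set and make implication re-evaluate its consequent on the conditioned set T' = ‖φ1‖(T). The following Python is an added example, not code from the talk: it evaluates Send(X, m) ⊃ Indist(X, m) over a constructed set of eight equi-probable traces under the conditional definition and, for comparison, under the ordinary material reading. The trace fields, the distinguisher's per-trace guess and the threshold ε are this example's assumptions; the set operations follow the slides' definitions.

```python
# Added example (not from the slides): evaluating the CPCL-style semantics
# over a constructed, finite set of equi-probable traces. Trace fields, the
# property "Send(X, m)" and the distinguisher D's per-trace guess are this
# example's own assumptions; the set operations follow the slides' definitions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Trace:
    tid: int
    sent: bool   # trace property: X sent the message m in this trace
    b: int       # hidden challenge bit used to evaluate Indist(X, m)
    guess: int   # the distinguisher D's guess of b on this trace

def sem_send(T):
    """||Send(X, m)||(T): a trace property, so just a filter on T."""
    return frozenset(t for t in T if t.sent)

def sem_indist(T, eps):
    """||Indist(X, m)||(T, D, eps) = T if D's number of correct guesses is
    within eps of |T|/2 (D is at chance), and the empty set otherwise."""
    if not T:
        return frozenset()
    correct = sum(1 for t in T if t.guess == t.b)
    return frozenset(T) if abs(correct - len(T) / 2) < eps else frozenset()

def sem_not(T, phi):
    """||not phi||(T) = T - ||phi||(T)."""
    return frozenset(T) - phi(T)

def sem_implies_conditional(T, phi1, phi2):
    """||phi1 => phi2||(T) = ||not phi1||(T) U ||phi2||(T'),  T' = ||phi1||(T).
    phi2 is re-evaluated on the conditioned trace set T'."""
    T1 = phi1(T)
    return sem_not(T, phi1) | phi2(T1)

def sem_implies_material(T, phi1, phi2):
    """Classical reading for comparison: phi2 is evaluated on all of T."""
    return sem_not(T, phi1) | (phi2(T) & frozenset(T))

def fraction_true(T, sem_set):
    """|||phi||(T)| / |T|: the fraction of traces on which phi holds."""
    return len(sem_set) / len(T)

def constructed_traces():
    """Eight constructed traces. Over all of T, D guesses b correctly exactly
    half the time, but on every trace where the secret was sent D is always right."""
    sent = [Trace(i, True, i % 2, i % 2) for i in range(4)]            # always correct
    quiet = [Trace(4 + i, False, i % 2, 1 - i % 2) for i in range(4)]  # always wrong
    return frozenset(sent + quiet)

def compare(eps=1.0):
    """Return (conditional fraction, material fraction) for Send => Indist."""
    T = constructed_traces()
    indist = lambda S: sem_indist(S, eps)
    cond = sem_implies_conditional(T, sem_send, indist)
    mat = sem_implies_material(T, sem_send, indist)
    return fraction_true(T, cond), fraction_true(T, mat)

if __name__ == "__main__":
    c, m = compare()
    # Conditional implication: 0.5 (not overwhelming, so Send => Indist is not valid).
    # Material implication: 1.0 (D's perfect guessing on the sent traces is averaged away).
    print(c, m)
```

With the conditional definition the formula holds on only half of T, so it would fail the validity test |‖φ‖(T)| / |T| > 1 − f(n); the material reading accepts it because D's success on the conditioned traces is diluted by its failures elsewhere. This is the situation in which a distinguisher that wins only on traces where the secret was actually sent must count against the formula, which is why the talk calls conditional implication essential.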
47
Advantages of Computational PCL
  • High-level reasoning, sound for real crypto
  • Prove properties of protocols without explicit
    reasoning about probability, asymptotic
    complexity
  • Composability
  • PCL is designed for protocol composition
  • Composition of individual steps
  • Not just coarser composition available with
    UC/RSIM
  • Can identify crypto assumptions needed
    • ISO-9798-3 [DDMW2006]
    • Kerberos V5 (unpublished)

Thesis: existing deployed protocols have weak security properties, assuming weak security properties of the primitives they use; UC/RSIM may be too strong
48
CPCL analysis of Kerberos V5
  • Kerberos has a staged architecture
  • First stage generates a nonce and sends it
    encrypted
  • Second stage uses nonce as key to encrypt another
    nonce
  • Third stage uses second-stage nonce to encrypt
    other msgs
  • Secrecy
  • Logic proves GoodKey property of both nonces
  • Authentication
  • Proved assuming encryption provides ciphertext
    integrity
  • Modular proofs using composition theorems

49
Challenges for computational reasoning
  • More complicated adversary
  • Actions of computational adversary do not have a
    simple inductive characterization
  • More complicated messages
  • Computational messages are arbitrary sequences of
    bits, without an inductively defined syntactic
    structure
  • Different scheduler
  • Simpler non-preemptive scheduling is typically
    used in computational models (change symbolic
    model for equiv)
  • Power of induction ?
  • Indistinguishability, other non-trace-based
    properties appear unsuitable as inductive
    hypotheses
  • Solution prove trace property inductively and
    derive secrecy

50
Current and Future Work
  • Investigate nature of propositional fragment
  • Non-classical implication related to conditional
    probability
  • complexity-theoretic reductions
  • connections with probabilistic logics (e.g.
    Nilsson86)
  • Generalize reasoning about secrecy
  • Work in progress, thanks to Arnab
  • Need to incorporate insight of Rackoff's attack
  • Extend logic
  • More primitives signature, hash functions,
  • Complete case studies
  • Produce correctness proofs for all widely
    deployed standards
  • Collaborate on
  • Foundational work please join us !
  • Implementation and case studies please help us !

51
Conclusions
  • Symbolic model supports useful analysis
  • Tools, case studies, high-level proofs
  • Computational model more correct
  • Captures accepted notions in cryptography
  • Greater expressiveness for security properties
  • Two approaches can be combined
  • Several current projects and approaches
  • One example computational semantics for symbolic
    protocol logic

52
Credits
  • Collaborators
  • M. Backes, A. Datta, A. Derek, N. Durgin, C. He,
  • R. Kuesters, D. Pavlovic, A. Ramanathan, A.
    Roy,
  • A. Scedrov, V. Shmatikov, M. Sundararajan, V.
    Teague,
  • M. Turuani, B. Warinschi,
  • More information
  • Web page on Protocol Composition Logic
  • http://www.stanford.edu/danupam/logic-derivation.html
  • Science is a social process

54
Needham-Schroeder Protocol
  • A → B: {A, Nonce_A}_Kb
  • B → A: {Nonce_A, Nonce_B}_Ka
  • A → B: {Nonce_B}_Kb
Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1
55
Anomaly in Needham-Schroeder [Lowe]
  • A → E: {A, Na}_Ke
  • E → B: {A, Na}_Kb
  • B → A (intercepted by E): {Na, Nb}_Ka
  • E → A: {Na, Nb}_Ka
  • A → E: {Nb}_Ke
  • E → B: {Nb}_Kb
Evil agent E tricks honest A into revealing private key Nb from B. Evil E can then fool B.
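The interleaving above is a symbolic attack in exactly the model of the earlier slides: E never breaks a cipher, it only re-encrypts what it can legitimately open. The following Python is an added example, not code from the talk: it replays the six messages step by step against Needham-Schroeder and against the NSL variant shown on the "Bob's view of NSL" slide, where message 2 carries the responder's name. Public-key encryption is modelled symbolically (a ciphertext under `pk(X)` opens only with X's private key); all principal names, nonce values and helper functions are constructed for this example.

```python
# Added example (not from the slides): a straight-line replay of Lowe's
# interleaving against Needham-Schroeder (NS) and against Lowe's fix (NSL,
# whose second message carries the responder's name, as on the "Bob's view
# of NSL" slide). Public-key encryption is modelled symbolically: a ciphertext
# under pk(X) opens only with X's own private key. All names, nonces and
# helpers are constructed for this example.

def pk(x):
    return ("pk", x)

def penc(key, payload):
    # {payload}_key
    return ("enc", key, payload)

def pdec(owner, ct):
    """Decrypt with owner's private key; fails unless ct was made under pk(owner)."""
    tag, key, payload = ct
    if tag != "enc" or key != pk(owner):
        raise ValueError(f"{owner} cannot open a ciphertext under {key}")
    return payload

def lowe_run(variant):
    """A starts a session with E; E reuses A's messages toward B.
    Returns which parties end up accepting and whether E learns Nb."""
    assert variant in ("NS", "NSL")
    Na, Nb = "Na", "Nb"                    # constructed nonce values
    # 1. A -> E: {A, Na}_Ke          (A genuinely wants to talk to E)
    msg1 = penc(pk("E"), ("A", Na))
    # 1'. E -> B: {A, Na}_Kb         (E re-encrypts A's message for B)
    init, na_seen = pdec("E", msg1)
    msg1_b = penc(pk("B"), (init, na_seen))
    # 2. B -> A: {Na, Nb}_Ka  (NS)   or   {Na, B, Nb}_Ka  (NSL)
    claimed_init, n = pdec("B", msg1_b)
    if variant == "NS":
        msg2 = penc(pk(claimed_init), (n, Nb))
    else:
        msg2 = penc(pk(claimed_init), (n, "B", Nb))
    # E cannot open msg2 (it is under Ka) and simply forwards it to A.
    payload = pdec("A", msg2)
    if variant == "NS":
        n1, nb_seen = payload
        responder_ok = True                # NS gives A nothing to check
    else:
        n1, responder, nb_seen = payload
        responder_ok = responder == "E"    # A expects the reply from E
    if n1 != Na or not responder_ok:
        # A aborts: under NSL the reply names B, not the peer A contacted.
        return {"a_accepts": False, "e_learns_nb": False, "b_accepts": False}
    # 3. A -> E: {Nb}_Ke ; E opens it and replays as  E -> B: {Nb}_Kb
    msg3 = penc(pk("E"), nb_seen)
    nb_learned = pdec("E", msg3)
    msg3_b = penc(pk("B"), nb_learned)
    b_accepts = pdec("B", msg3_b) == Nb    # B now believes A completed the run
    return {"a_accepts": True, "e_learns_nb": nb_learned == Nb, "b_accepts": b_accepts}

if __name__ == "__main__":
    print("NS :", lowe_run("NS"))    # every flag True: the anomaly goes through
    print("NSL:", lowe_run("NSL"))   # every flag False: A rejects message 2
```

The only difference between the two runs is the responder name inside message 2 and A's check of it; that single comparison is what the PCL proof on the NSL slide relies on when Bob concludes Honest(A) ⊃ Csent(A, msg1) ∧ Csent(A, msg3).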
56
Universal composability
Slide: Y. Lindell
(also reactive simulatability [BPW], see [DKMRS])
[Figure: REAL execution compared with IDEAL execution]
57
Proof system
  • Information-theoretic reasoning
    • [new n]_X (Y ≠ X) ⊃ Indist(Y, n)
  • Complexity-theoretic reductions
    • Verify(X, m, Y) ∧ Honest(X, Y) ⊃ Y performed Sign(Y, m)
  • Asymptotic calculations
58
Example
  • Axiom
    • Source(Y, u, {m}_X) ∧ ¬Decrypts(X, {m}_X) ∧ Honest(X, Y) ∧ (Z ≠ X, Y) ⊃ Indistinguishable(Z, u)
  • Proof idea: crypto-style reduction
    • Assume axiom not valid:
      ∃A ∃D ∀ negligible f ∀n0 ∃n > n0 s.t. |‖φ‖(T, D, f)| / |T| < 1 − f(n)
    • Construct attacker A' that uses A, D to break IND-CCA2 secure encryption scheme
    • Conditional implication essential

Parts of proof are similar to Micciancio, Warinschi
59
Applications of PCL
  • IKE, JFK family key exchange
  • IKEv2 in progress
  • 802.11i wireless networking
  • SSL/TLS, 4way handshake, group handshake
  • Kerberos v5 Cervesato et al
  • GDOI Meadows,
    Pavlovic
  • Current work
  • Use CPCL to understand computational security of
    these protocols, reliance on specific crypto
    properties