Protocol Composition Logic II - PowerPoint PPT Presentation

Provided by: Anupam73
1
Protocol Composition Logic II
18739A Foundations of Security and Privacy
  • Anupam Datta
  • Fall 2007-08

2
Protocol Analysis Techniques
Crypto Protocol Analysis
  • Formal Models: Dolev-Yao (perfect cryptography)
    • Protocol Logics: BAN, PCL
    • Model Checking: Murphi, AVISPA
    • Inductive Proofs: Paulson, MSR
    • Process Calculi: Applied π-calculus
  • Computational Models: Random oracle, Probabilistic process calculi,
    Probabilistic I/O automata

3
Protocol Composition Logic
  • Intuition
  • Formalism
    • Protocol programming language
    • Protocol logic
    • Proof System
  • Example
    • Signature-based challenge-response
  • Proof techniques (TODAY)

4
Example: JFK Protocol
  • Recall earlier lecture about JFK design
  • Today we will describe the corresponding proof
    techniques

5
Ingredient 1: Diffie-Hellman
  • A → B: g^a
  • B → A: g^b
  • Shared secret g^ab
  • Authentication
  • Identity protection

6
Ingredient 2: Challenge-Response
  • A → B: m, A
  • B → A: n, sig_B(m, n, A)
  • A → B: sig_A(m, n, B)
  • Shared secret
  • Authentication
  • Identity protection

7
DH Challenge-Response
  • ISO 9798-3 protocol
  • A → B: g^a, A
  • B → A: g^b, sig_B(g^a, g^b, A)
  • A → B: sig_A(g^a, g^b, B)
  • Shared secret g^ab
  • Authentication
  • Identity protection

m = g^a, n = g^b
Formalized as sequential composition
8
Ingredient 3: Encryption
  • Encrypt signatures to protect identities
  • A → B: g^a, A
  • B → A: g^b, E_K(sig_B(g^a, g^b, A))
  • A → B: E_K(sig_A(g^a, g^b, B))
  • Shared secret g^ab
  • Authentication
  • Identity protection

Formalized using abstraction-refinement
9
PCL Proof Techniques
  • Modular Proofs
    • Parallel Composition
    • Sequential Composition
  • Generic Template-style Proofs
    • Function variables
    • Higher-order logic extension

10
Parallel Composition of Protocols
  • The parallel composition Q1 | Q2 of protocols Q1
    and Q2 is the union of the sets of roles of Q1
    and Q2.
  • Example: IKEv2 | SSL

11
Compositional Proofs: Intuition
  • Protocol specific reasoning
    • If honest Bob generates a signature of the form
      sig_B(m, n, A), he sends it as part of msg2
    • Could break: Bob's signature from one protocol
      could be used to attack another
    • PCL proof system: Invariant rule
  • Protocol independent reasoning
    • Axiom stating unforgeability of signatures
    • Still good: unaffected by composition
    • All other axioms and proof rules for PCL

12
Proof Tree
[Diagram: proof tree. Node labels: Inv, Axiom, INV rule, Other rules, Auth, Security property]
  • Q1 ⊢ Inv
  • Q1 | Q2 ⊢ Inv
  • Inv ⊢ Auth
  • Bulk of proof reused
  • Additional work to prove Q2 ⊢ Inv
Theorem: If Q1 ⊢ Inv and Q2 ⊢ Inv, then Q1 | Q2 ⊢ Inv
DDMP CSF03 -> JCS Special Issue, MFPS03

13
Parallel Composition Theorem
  • IF
    • Q1 satisfies the security property in isolation
    • Q2 respects the invariants of Q1 used in the
      proof of the security property
  • THEN
    • Q1 | Q2 also satisfies the security property
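
The invariant check behind the theorem, as an added Python example (not from the original slides): roles are lists of symbolic send/receive steps, and a protocol respects Q1's invariant if every signature of the form sig_X(m, n, Y) is sent only in a step that Q1 itself contains. This is a syntactic approximation of the PCL invariant; Q2_OK, Q2_BAD and all function names are constructed for illustration.

```python
# Terms are nested tuples; ("sig", signer, body) is a signature, strings are variables.
def sigs(term):
    """Yield every signature subterm of a term."""
    if isinstance(term, tuple):
        if term[:1] == ("sig",):
            yield term
        for sub in term:
            yield from sigs(sub)

def normalise(term, names):
    """Rename variables by first appearance, so steps compare up to renaming."""
    if isinstance(term, tuple):
        return tuple(normalise(sub, names) for sub in term)
    return term if term == "sig" else names.setdefault(term, f"v{len(names)}")

def signing_steps(role):
    """(last message received, message sent) for each send of a sig_X(m, n, Y) term."""
    last, steps = (), []
    for kind, msg in role:
        if kind == "recv":
            last = msg
        elif any(len(s[2]) == 3 for s in sigs(msg)):
            steps.append(normalise((last, msg), {}))
    return steps

def violations(protocol, q1):
    """Roles of `protocol` that emit a Q1-shaped signature outside Q1's own steps."""
    allowed = {s for role in q1.values() for s in signing_steps(role)}
    return sorted(name for name, role in protocol.items()
                  if any(s not in allowed for s in signing_steps(role)))

def sig(signer, *body):
    return ("sig", signer, body)

def compose(q1, q2):
    """Parallel composition Q1 | Q2: the union of the two sets of roles."""
    return {**q1, **q2}

# Q1: the signature-based challenge-response protocol from the slides.
CR = {
    "cr_init": [("send", ("m", "A")), ("recv", ("n", sig("B", "m", "n", "A"))),
                ("send", sig("A", "m", "n", "B"))],
    "cr_resp": [("recv", ("m", "A")), ("send", ("n", sig("B", "m", "n", "A"))),
                ("recv", sig("A", "m", "n", "B"))],
}
# Constructed candidates for Q2: one signs a differently shaped body, the other
# signs any received triple, which is the "could break" case.
Q2_OK = {"q2_resp": [("recv", ("x", "A")), ("send", sig("B", "x", "A"))]}
Q2_BAD = {"q2_resp": [("recv", ("x", "y", "A")), ("send", sig("B", "x", "y", "A"))]}
```

`violations(compose(CR, Q2_BAD), CR)` names the role that breaks the invariant, which is the "additional work" the proof tree assigns to Q2.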

14
Sequential Composition of Protocols
  • Run protocols in sequence
  • Examples
    • Key exchange followed by secure sessions that use
      the exchanged key
    • Diffie-Hellman followed by Challenge-Response
      (ISO-9798-3)

15
ISO-9798-3 Key Exchange
  A → B: g^a, A
  B → A: g^b, sig_B(g^a, g^b, A)
  A → B: sig_A(g^a, g^b, B)
  • Authentication
  • Do we need to prove it from scratch?
  • Shared secret g^ab

Goal: Combine proofs of Diffie-Hellman and
challenge-response sub-protocols
16
Abstract challenge response
InitACR(A, X, m):
  send A, X, m
  receive X, A, x, sig_X(m, x)
  send A, X, sig_A(m, x)
RespACR(B, n):
  receive Y, B, y
  send B, Y, n, sig_B(y, n)
  receive Y, B, sig_Y(y, n)
  • Free variables m and n instead of nonces
  • Modal form: φ [actions] ψ
    • precondition: Fresh(A, m)
    • actions: [InitACR]_A
    • postcondition: Honest(B) ⊃ Authentication
  • Secrecy is proved from properties of
    Diffie-Hellman

17
Diffie-Hellman Property
  • Formula
    • true [new a]_A Fresh(A, g^a)
  • Diffie-Hellman property
    • Can compute g^ab given g^a and b, or g^b and a
    • Cannot compute g^ab given g^a and g^b

18
Challenge Response Property
  • Modal form: φ [actions]_P ψ
    • precondition: Fresh(A, m)
    • actions: [Initiator role actions]_A
    • postcondition:
      Honest(B) ⊃ ActionsInOrder(
        send(A, A, B, m),
        receive(B, A, B, m),
        send(B, B, A, n, sig_B(m, n, A)),
        receive(A, B, A, n, sig_B(m, n, A)) )

19
Composition DHCR ISO-9798-3
  • Additive Combination
  • DH post-condition matches CR precondition
  • Sequential Composition
  • Substitute g^a for m in CR to obtain ISO.
  • Apply composition rule
  • ISO initiator role inherits CR authentication.
  • DH secrecy is also preserved
  • Proved using another application of composition
    rule.
  • Nondestructive Combination
  • DH and CR satisfy each other's invariants

20
Definition of Sequential Composition
21
Sequential Composition Theorem
  • Both protocols should satisfy each other's
    invariants (similar to parallel composition)
  • Post-condition of first should match
    pre-condition of second protocol

22
PCL Proof Techniques
  • Modular Proofs
    • Parallel Composition
    • Sequential Composition
  • Generic Template-style Proofs
    • Function variables
    • Higher-order logic extension

23
Protocol Templates
  • Protocols with function variables instead of
    specific cryptographic operations
  • Idea: One template can be instantiated to many
    protocols
  • Advantages
    • proof reuse
    • design principles/patterns

DDMP CSF04
24
Example
Challenge-Response Template
  A → B: m
  B → A: n, F(B,A,n,m)
  A → B: G(A,B,n,m)
Instantiations
  • ISO-9798-2: A → B: m;  B → A: n, E_KAB(n,m,B);  A → B: E_KAB(n,m)
  • SKID3: A → B: m;  B → A: n, H_KAB(n,m,B);  A → B: H_KAB(n,m,A)
  • ISO-9798-3: A → B: m;  B → A: n, sig_B(n,m,A);  A → B: sig_A(n,m,B)

25
Extending Formalism
  • Language Extensions
    • Add function variables to term language for
      cords and logic (HOL)
  • Semantics
    • Q ⊨ φ iff σQ ⊨ σφ, for all substitutions σ
      eliminating all function variables
  • Soundness Theorem
    • Every provable formula is valid

26
Abstraction-Instantiation Method (1)
  • Characterizing protocol concepts
    • Step 1: Under hypotheses about function variables
      and invariants, prove security property of
      template
    • Step 2: Instantiate function variables to
      cryptographic operations and prove hypotheses.
  • Benefit
    • Proof reuse

27
Example
Challenge-Response Template
  A → B: m
  B → A: n, F(B,A,n,m)
  A → B: G(A,B,n,m)
  • Step 1
    • Hypotheses: Function F(B,A,n,m) can be computed
      only by B or A,
    • Property: Mutual authentication
  • Step 2
    • Instantiate F() to signature, keyed hash,
      encryption (ISO-9798-2,3, SKID3)
    • Satisfies hypotheses => Guarantees mutual
      authentication
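
The two steps above, as an added Python example (not from the original slides): the template is run with F and G passed in as function variables, instantiated once as the SKID3 keyed hash and once with an unkeyed hash that violates the Step 1 hypothesis. HMAC-SHA256 standing in for H, the field encoding, and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def encode(*fields):
    """Length-prefix each field so the fields of (n, m, B) cannot be confused."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

# Instantiations of the function variables F and G. Each receives the key held
# by whoever computes it; HMAC-SHA256 stands in for the keyed hash H (assumption).
def skid3_F(key, B, A, n, m):       # H_KAB(n, m, B)
    return hmac.new(key, encode(n, m, B), hashlib.sha256).digest()

def skid3_G(key, A, B, n, m):       # H_KAB(n, m, A)
    return hmac.new(key, encode(n, m, A), hashlib.sha256).digest()

def unkeyed_F(key, B, A, n, m):     # ignores the key, so anyone can compute it
    return hashlib.sha256(encode(n, m, B)).digest()

def run_template(F, G, k_ab, responder_key):
    """One run of the template; responder_key is what the party answering as B
    actually holds. Returns (A accepts the response, B accepts the final message)."""
    A, B = b"A", b"B"
    m = secrets.token_bytes(16)                      # A -> B: m
    n = secrets.token_bytes(16)                      # B -> A: n, F(B,A,n,m)
    response = F(responder_key, B, A, n, m)
    if not hmac.compare_digest(response, F(k_ab, B, A, n, m)):
        return False, False                          # A aborts the run
    final = G(k_ab, A, B, n, m)                      # A -> B: G(A,B,n,m)
    return True, hmac.compare_digest(final, G(responder_key, A, B, n, m))

def hypothesis_holds(F, k_ab):
    """Step 2 check (a test, not a proof): a party without K_AB must fail to
    produce a value that A accepts as F(B,A,n,m)."""
    outsider_key = secrets.token_bytes(32)
    a_accepts, _ = run_template(F, F, k_ab, outsider_key)
    return not a_accepts

K_AB = secrets.token_bytes(32)      # constructed sample key
```

With `skid3_F` the hypothesis check passes and an honest run yields mutual acceptance; with `unkeyed_F` the check fails, so the template's authentication proof does not carry over to that instance.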

28
Proof Structure
[Diagram: proof structure. Labels: Template, Instance, axiom, hypothesis, Discharge hypothesis, Proof reuse]
29
Abstraction-Instantiation Method (2)
  • Combining protocol templates
  • If protocol P is a hypotheses-respecting
    instance of two different templates, then it has
    the properties of both.
  • Benefits
  • Modular proofs of properties
  • Formalization of protocol refinements

30
Refinement Example Revisited
Encrypt Signatures
  A → B: g^a, A
  B → A: g^b, E_K(sig_B(g^a, g^b, A))
  A → B: E_K(sig_A(g^a, g^b, B))
  • Two templates
    • Template 1: authentication, shared secret
      (Preserves existing properties; proof reused)
    • Template 2: identity protection (encryption)
      (Adds new property)

31
Summary
  • PCL: Logic for security protocols
    • Sound wrt symbolic and cryptographic models
    • High-level, short proofs (2-3 pages)
  • Proof techniques
    • Modular/compositional proofs
    • Generic template-style proofs
  • Proofs of industrial protocols
    • IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2
      (unpublished), Mobile IPv6 (in progress)
  • Implementation not done

32
Thanks ! Questions?
33
Modular Analysis / Composition
[Diagram: Laptop, Access Point and Auth Server; label: (Shared Secret-PMK)]
802.11i Key Management: ~20 msgs in 4 components
HSDDM CCS05 -> TISSEC Special Issue