Post on 19-Dec-2015
PCL: A Logic for Security Protocols
Anupam DattaStanford University
Secure Software Systems, CMUOctober 3, 5, 2005
Computer Security
Cryptography• Encryption, signatures, cryptographic hash, …
Security mechanisms• Access control policy• Network protocols
Implementation• Cryptographic library• Code implementing mechanisms
– Reference monitor and TCB– Protocol
• Runs under OS, uses program library, network protocol stack
Analyze protocols, assuming crypto, implementation, OS correct
Network Security Protocols
Two or more parties Communication over insecure network Cryptography used to achieve goal
• Exchange secret keys• Verify identity (authentication)
Example: SSL (internet banking)
Examples of crypto primitives: Public-key encryption, symmetric-key encryption, CBC,
hash, signature, key generation, random-number generators
This lecture is about…
Network security protocols • Internet Engineering Task Force (IETF)
Standards– SSL/TLS - web authentication– IPSec - corporate VPNs– Mobile IPv6 – routing security– Kerberos - network authentication– GDOI – secure group communication
• IEEE Standards Working Groups– 802.11i - wireless LAN security– 802.16e – wireless MAN security
And methods for their security analysis• Security proof in some model; or• Identify attacks
Why prove security?
Examples of protocol flaws • IKE [Meadows; 1999]
– Reflection attack; fix adopted by IETF WG
• IEEE 802.11i [He, Mitchell; 2004]– DoS attack; fix adopted by IEEE WG
• GDOI [Meadows, Pavlovic; 2004]– Composition attack; fix adopted by IETF WG
• Kerberos V5 [Scedrov et al; 2005]– Identity misbinding attack; fix adopted by
IETF WG
Security Analysis
Model system Model adversary Identify security properties See if properties preserved under attack
Result• No “absolute security”• Security means: under given assumptions
about system, no attack of a certain form will destroy specified properties.
Important Modeling Decisions
How powerful is the adversary?• Simple replay of previous messages• Block messages; Decompose, reassemble and resend• Statistical analysis, partial info from network traffic• Timing attacks
How much detail in underlying data types?• Plaintext, ciphertext and keys
– atomic data or bit sequences
• Encryption and hash functions– “perfect” cryptography– algebraic properties: encr(x*y) = encr(x) * encr(y) for RSA encrypt(k,msg) = msgk mod N
Security Analysis Methodology
Analysis Tool
Protocol Property
Security proof or attack
Attacker model
Our tool: Protocol
Composition Logic (PCL)
SSLauthenticatio
n
-Complete control
over network
-Perfect crypto
42 line axiomatic
proof
Resources: Protocols & Tools
IETF Security Areahttp://www.ietf.org/html.charters/wg-dir.html
IEEE Security Working Groupshttp://grouper.ieee.org/groups/802/11/
Stanford CS 259: Security Analysis of Network Protocols
http://www.stanford.edu/class/cs259/
Will focus today on one tool: Protocol Composition Logic (PCL)
Protocol Composition Logic: PCL
Intuition Formalism
• Protocol programming language• Protocol logic
– Syntax– Semantics
• Proof System Example
• Signature-based challenge-response Composition
Formulated by Datta, Derek, Durgin, Mitchell, Pavlovic
http://www.stanford.edu/~danupam/logic-derivation.html
Intuition
Reason about local information• I chose a new number• I sent it out encrypted• I received it decrypted • Therefore: someone decrypted it
Incorporate knowledge about protocol• Protocol: Server only sends m if it received
m’• If server not corrupt and I receive m signed
by server, then server received m’
Intuition: Picture
Alice’s information• Protocol• Private data• Sends and receives
Honest Principals,Attacker
Protocol
Private Data
Example: Challenge-Response
A B
m, A
n, sigB {m, n, A}
sigA {m, n, B}
Alice reasons: if Bob is honest, then:• only Bob can generate his signature. [protocol independent]
• if Bob generates a signature of the form sigB{m, n, A}, – he sends it as part of msg2 of the protocol and – he must have received msg1 from Alice. [protocol specific]
Alice deduces: Received (B, msg1) Λ Sent (B, msg2)
Formalizing the Approach
Language for protocol description• Arrows-and-messages are informal.
Protocol Semantics• How does the protocol execute?
Protocol logic• Stating security properties.
Proof system• Formally proving security properties. (User view of the logic)
Cords
“protocol programming language”• A protocol is described by specifying a
“program” for each role– Server = [receive x; new n; send {x, n}]
Building blocks• Terms (think “messages”)
– names, nonces, keys, encryption, …
• Actions (operations on terms)– send, receive, pattern match, …
Terms
t ::= c constant termx variableN nameK keyt, t tuplingsigK{t} signature
encK{t} encryption
Example: x, sigB{m, x, A} is a term
Actions
send t; send a term t receive x; receive a term into variable
x match t/p(x); match term t against p(x)
A Cord is just a sequence of actions Notation:
• we often omit match actions
• receive sigB{A, n} = receive x; match x/sigB{A, n}
Challenge-Response as Cords
A B
m, A
n, sigB {m, n, A}
sigA {m, n, B}
InitCR(A, X) = [new m;send A, X, {m, A};receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]
RespCR(B) = [receive Y, B, {y, Y};new n;send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]
Cord Spaces
Cord space is a multiset of cords Cords may react
• via communication• via internal actions
Sample reaction steps:• Communication:
[ S; send t; S’] [ T; receive x; T’ ] [ S; S’] [ T; T’(t/x) ]
• Matching:[ S; match p(t)/p(x); S’ ] [ S; S’(t/x) ]
Execution Model
Initial configuration Protocol is a finite set of roles Set of principals and keys Assignment of 1 role to each principal
Run
new x
send {x}B
receive {x}B
A
B
C
Position in run
receive {z}B
new z
send {z}B
Attacker capabilities
Controls complete network• Can read, remove, inject messages
Fixed set of operations on terms• Pairing• Projection• Encryption with known key• Decryption with known key• …
Commonly referred to as “Dolev-Yao” attacker
Next lecture: more powerful “crypto-style” attacker
Logical assertions
Modal operator [ actions ] P - if holds and P executes
actions, then holds
Predicates in • Send(X,m) - principal X sent message m
• Receive(X,m) – principal X received message m
• Verify(X,m) - X verified signature m
• Has(X,m) - X created m or received msg containing m and has keys to extract m from msg
• Honest(X) – X follows rules of protocol
Formulas true at a position in run
Action formulasa ::= Send(P,m) | Receive (P,m) | New(P,t)
| Decrypt (P,t) | Verify (P,t)
Formulas ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | | 1 2 | x | |
Example After(a,b) = (b a)
Semantics
Protocol Q• Defines set of roles (e.g, initiator, responder)
• Run R of Q is sequence of actions by principals following roles, plus attacker
Satisfaction• Q, R | [ actions ] P
If some role of P in R does exactly actions starting from state where is true, then is true in state after actions completed
• Q | [ actions ] P Q, R | [ actions ] P for all runs R of Q
Security Properties
Authentication for InitiatorCR | true [ InitCR(A, B) ] A Honest(B)
ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sigB {m, n,
A}}}), Receive(A, {B,A,{n, sigB {m, n,
A}}}))
Proof System
Goal: formally prove security properties
Axioms• Simple formulas provable by hand
Inference rules• Proof steps
Theorem • Formula obtained from axioms by
application of inference rulesThis is what you will do!
Sample axioms about actions
New data• true [ new x ]P Has(P,x)
• true [ new x ]P Has(Y,x) Y=P
Actions• true [ send m ]P Send(P,m)
Knowledge• true [receive m ]P Has(P,m)
Verify• true [ match x/sigX{m} ] P Verify(P,m)
Reasoning about knowledge
Pairing• Has(X, {m,n}) Has(X, m) Has(X, n)
Encryption • Has(X, encK(m)) Has(X, K-1) Has(X,
m)
Encryption and signature
Public key encryptionHonest(X) Decrypt(Y, encX{m}) X=Y
SignatureHonest(X) Verify(Y, sigX{m})
m’ (Send(X, m’) Contains(m’, sigX{m})
Sample inference rules
First-order logic rules
Generic rules
[ actions ]P [ actions ]P
[ actions ]P
Bidding conventions (motivation)
Blackwood response to 4NT –5 : 0 or 4 aces –5 : 1 ace –5 : 2 aces –5 : 3 aces
Reasoning • If my partner is following Blackwood,
then if she bid 5, she must have 2 aces
Honesty rule (rule scheme)
roles R of Q. protocol steps A of R.
Start(X) [ ]X [ A ]X Q |- Honest(X)
• This is a finitary rule:– Typical protocol has 2-3 roles– Typical role has 1-3 receives– Only need to consider A waiting to receive
Honesty rule (example use)
roles R of Q. protocol steps A of R.
Start(X) [ ]X [ A ]X Q |- Honest(X)
• Example use:– If Y receives a message m from X, and – Honest(X) (Sent(X,m) Received(X,m’)) – then Y can conclude Honest(X) Received(X,m’))
Proved using honesty rule
Correctness of CR
CR |- true [ InitCR(A, B) ] A Honest(B) ActionsInOrder(
Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sigB {m, n, A}}}),
Receive(A, {B,A,{n, sigB {m, n, A}}}))
InitCR(A, X) = [new m;send A, X, {m, A};receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]
RespCR(B) = [receive Y, B, {y, Y};new n;send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]
Correctness of CR – step 1
1. A reasons about her own actionsCR |- true [ InitCR(A, B) ] A
Verify(A, sigB {m, n, A})
InitCR(A, X) = [new m;send A, X, {m, A};receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]
RespCR(B) = [receive Y, B, {y, Y};new n;send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]
Correctness of CR – step 2
2. Properties of signaturesCR |- true [ InitCR(A, B) ] A Honest(B) m’ (Send(B, m’) Contains(m’, sigB {m, n,
A})
InitCR(A, X) = [new m;send A, X, {m, A};receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]
RespCR(B) = [receive Y, B, {y, Y};new n;send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]
Recall signature axiom
Correctness of CR – Honesty
Invariant proved with Honesty ruleCR |- Honest(X) Send(X, m’) Contains(m’, sigx {y, x, Y}) New(X, y)
m= X, Y, {x, sigB{y, x, Y}} Receive(X, {Y, X, {y, Y}})
InitCR(A, X) = [new m;send A, X, {m, A};receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]
RespCR(B) = [receive Y, B, {y, Y};new n;send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]
Induction over protocol steps
Correctness of CR – step 3
3. Use Honesty invariantCR |- true [ InitCR(A, B) ] A Honest(B)
Receive(B, {A,B,m}),…
InitCR(A, X) = [new m;send A, X, {m, A};receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]
RespCR(B) = [receive Y, B, {y, Y};new n;send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]
Correctness of CR – step 4
4. Use properties of nonces for temporal orderingCR |- true [ InitCR(A, B) ] A Honest(B) Auth
InitCR(A, X) = [new m;send A, X, {m, A};receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]
RespCR(B) = [receive Y, B, {y, Y};new n;send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]
Nonces are “fresh” random numbers
Complete proof
We have a proof. So what?
Soundness Theorem:• if Q |- then Q |= •If is a theorem then is a valid
formula holds in any step in any run of
protocol Q•Unbounded number of
participants•Dolev-Yao intruder
Weak Challenge-Response
A B
m
n, sigB {m, n}
sigA {m, n}
InitWCR(A, X) = [new m;send A, X, {m};receive X, A, {x, sigX{m, x}};
send A, X, sigA{m, x}};
]
RespWCR(B) = [receive Y, B, {y};new n;send B, Y, {n, sigB{y, n}};
receive Y, B, sigY{y, n}};
]
Correctness of WCR – step 1
1. A reasons about it’s own actionsWCR |- [ InitWCR(A, B) ] A
Verify(A, sigB {m, n})
InitWCR(A, X) = [new m;send A, X, {m};receive X, A, {x, sigX{m, x}};
send A, X, sigA{m, x}};
]
RespWCR(B) = [receive Y, B, {y};new n;send B, Y, {n, sigB{y, n}};
receive Y, B, sigY{y, n}};
]
Correctness of WCR – step 2
2. Properties of signaturesCR |- [ InitCR(A, B) ] A Honest(B) m’ (Send(B, m’) Contains(m’, sigB {m, n,
A})
InitWCR(A, X) = [new m;send A, X, {m};receive X, A, {x, sigX{m, x}};
send A, X, sigA{m, x}};
]
RespWCR(B) = [receive Y, B, {y};new n;send B, Y, {n, sigB{y, n}};
receive Y, B, sigY{y, n}};
]
Correctness of WCR – Honesty
Honesty invariantCR |- Honest(X) Send(X, m’) Contains(m’, sigx {y, x}) New(X, y)
m= X, Z, {x, sigB{y, x}} Receive(X, {Z, X, {y, Z}})
InitWCR(A, X) = [new m;send A, X, {m};receive X, A, {x, sigX{m, x}};
send A, X, sigA{m, x}};
]
RespWCR(B) = [receive Y, B, {y};new n;send B, Y, {n, sigB{y, n}};
receive Y, B, sigY{y, n}};
]
Correctness of WCR – step 3
3. Use Honesty ruleWCR |- [ InitWCR(A, B) ] A Honest(B)
Receive(B, {Z,B,m}),
InitWCR(A, X) = [new m;send A, X, {m};receive X, A, {x, sigX{m, x}};
send A, X, sigA{m, x}};
]
RespWCR(B) = [receive Y, B, {y};new n;send B, Y, {n, sigB{y, n}};
receive Y, B, sigY{y, n}};
]
Result
WCR does not have the strong authentication property for the initiator
Counterexample• Intruder can forge senders and
receivers identity in first two messages– A -> X(B) m– X(C) -> B m – B -> X(C) n, sigB(m, n)– X(B) ->A n, sigB(m, n)
Protocol Composition Logic: PCL
Intuition Formalism
• Protocol programming language• Protocol logic
– Syntax– Semantics
• Proof System Example
• Signature-based challenge-response Composition Computational Soundness
Compositional Security
Assigned readings:• A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic.
A derivation system and compositional logic for security protocols
• C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i
Perspective:• C. Meadows. Open issues in formal methods
for cryptographic protocol analysis. • J. M. Wing. Beyond the horizon: A call to arms.
ISO-9798-3 Key Exchange
Authentication• Do we need to prove it from scratch?
Shared secret: gab
A B
ga, A
gb, sigB {ga, gb, A}
sigA {ga, gb, B}
Goal: Combine proofs of Diffie-Hellman and challenge-response sub-protocols
Abstract challenge response
Free variables m and n instead of nonces Modal form: [ actions ]
• precondition: Fresh(A,m)• actions: [ InitACR ]A
• postcondition: Honest(B) Authentication Secrecy is proved from properties of Diffie-
Hellman
InitACR(A, X, m) = [send A, X, {m};receive X, A, {x, sigX{m, x}};
send A, X, sigA{m, x}};
]
RespACR(B, n) = [receive Y, B, {y};send B, Y, {n, sigB{y, n}};
receive Y, B, sigY{y, n}};
]
Diffie-Hellman: Property
Formula true [ new a ] A Fresh(A, ga)
Diffie-Hellman property:Can compute gab given ga and b or
gb and a Cannot compute gab given ga and gb
Challenge Response: Property
Modal form: [ actions ]P • precondition: Fresh(A,m)• actions: [ Initiator role actions ]A • postcondition: Honest(B) ActionsInOrder(
send(A, {A,B,m}), receive(B, {A,B,m}), send(B, {B,A,{n, sigB {m, n, A}}}), receive(A, {B,A,{n, sigB {m, n, A}}}) )
Composition: DH+CR = ISO-9798-3
• Additive Combination DH post-condition matches CR precondition Sequential Composition:
• Substitute ga for m in CR to obtain ISO.• Apply composition rule• ISO initiator role inherits CR authentication.
DH secrecy is also preserved• Proved using another application of
composition rule.
• Nondestructive Combination• DH and CR satisfy each other’s invariants
Composing protocols
DH Honest(X) …
’
|- Secrecy ’ |- Authentication
’ |- Secrecy ’ |- Authentication
’ |- Secrecy Authentication [additive]
DH CR ’ [nondestructive] ISO Secrecy Authentication
=CR Honest(X) …
Sequential and parallel composition theorems
Composition Rules Invariant weakening rule
|- […]P
’ |- […]P
Sequential Composition |- [ S ] P |- [ T ] P
|- [ ST ] P Prove invariants from protocol
Q Q’ Q Q’
Composition: Big Picture
Protocol Q
Safe Environment for Q
Q1 Q2 Q3 Qn
• Q |- Inv(Q)
• Inv(Q) |-
• Qi |- Inv(Q)
• No reasoning about attacker
…
802.11i:Staged Composition
Control Flow• Intended run is sequential• Different Failure Recovery
mechanisms can be implemented for efficiency
• Periodically update Group Key, PTK, PMK (omit here)
Hybrid modes• Pre-Shared Key (PSK)
used directly instead of EAP authentication methods
• Cached PMK might be used for mobile users
• Alternatives for EAP-TLS, e.g., PEAP, LEAP
Data Transmission
Group Key
4-Way
EAP-TLS
PMK
PTK
GTK
802.11i Proof Structure
Step 1. i, j |- θi [Pi]X i
Separate proof of individual components TLS, 4-Way, and Group Key Handshake;
Step 2. i, j, Qi |- j
Necessary invariants are satisfied by all components;
Step 3. i, i θi+1
The postcondition of TLS implies precondition of 4-Way;
postcondition of 4-Way implies precondition of Group Key;
Step 4. i, θi [B]X θi
The preconditions of each component are preserved by subsequent components.
Applying the Staged Composition Theorem, 802.11i is secure
Protocol Composition Logic: PCL
Intuition Formalism
• Protocol programming language• Protocol logic
– Syntax– Semantics
• Proof System Example
• Signature-based challenge-response Composition Computational Soundness
Computational PCL
Symbolic proofs about complexity-theoretic model of cryptographic protocols!
Symbolic model[NS78,DY84,…]
Complexity-theoretic model [GM84,…]
Attacker actions -Fixed set of actions, e.g., decryption with known key(ABSTRACTION)
+ Any probabilistic poly-time computation
Security properties -Idealized, e.g., secret message = not possessing atomic term representing message(ABSTRACTION)
+ Fine-grained, e.g., secret message = no partial information about bitstring representation
Analysis methods + Successful array of tools and techniques; automation
- Hand-proofs are difficult, error-prone; no automation
Can we get the best of both worlds?
Two worlds
Our Approach
Protocol Composition Logic (PCL)
•Syntax
•Proof System
Symbolic “Dolev-Yao” model
•Semantics
Computational PCL
•Syntax ±
•Proof System ±
Complexity-theoretic model
•Semantics
Talk so far… Leverage PCL success…
Main Result
Computational PCL• Symbolic logic for proving security properties of
network protocols using public-key encryption Soundness Theorem:
• If a property is provable in CPCL, then property holds in computational model with overwhelming asymptotic probability.
Benefits• Symbolic proofs about computational model• Computational reasoning in soundness proof
(only!)• Different axioms rely on different crypto
assumptions
ISO-9798-3 Key Exchange
Shared secret to be used as key:
A B
ga, A
gb, sigB {ga, gb, A}
sigA {ga, gb, B}
Roughly: A, B have gab and for everyone else it is indistinguishable from a random key gr
Central axioms
Cryptographic security property of signature scheme• Unforgeability (used for
authentication) Cryptographic security property of
Diffie-Hellman function• DDH (used to prove secrecy)
CMA-Secure Signatures
Challenger Attacker
miSig(Y,mi)
Sig(Y,m)
Attacker wins if m
mi
Decisional Diffie-Hellman
Let a, b, c be chosen at random from a group G with generator g. Then the two distributions <ga,gb,gab> and <ga,gb,gc> are computationally indistinguishable (no polynomial time attacker can tell them apart)
Complete Proof
PCL Computational PCL
Syntax, proof rules mostly the same• But not sure about propositional
connectives… Significant difference
• Symbolic “knowledge”– Has(X,t) : X can produce t from msgs that have
been observed, by symbolic algorithm• Computational “knowledge”
– Possess(X,t) : can produce t by ppt algorithm– Indistinguishable(X,t) : can distinguish from random in ppt
• More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.
Complexity-theoretic semantics
Q |= if adversary A distinguisher D negligible function f n0 n > n0
s.t.
[[]](T,D,f)
T(Q,A,n)
[[]](T,D,f(n))|/|T| > 1 – f(n)
Fraction represents probability
• Fix protocol Q, PPT adversary A• Choose value of security parameter n• Vary random bits used by all programs• Obtain set T=T(Q,A,n) of equi-probable traces
Inductive Semantics
[[1 2]] (T,D,) = [[1]] (T,D,) [[2]] (T,D,)
[[1 2]] (T,D,) = [[1]] (T,D,) [[2]] (T,D,)
[[ ]] (T,D,) = T - [[]] (T,D,)
Implication uses conditional probability
[[1 2]] (T,D,) = [[1]] (T,D,)
[[2]] (T’,D,)
where T’ = [[1]] (T,D,)
Formula defines transformation on probability distributions over traces
Soundness of proof system
Example axiom• Source(Y,u,{m}X) Decrypts(X, {m}X)
Honest(X,Y) (Z X,Y) Indistinguishable(Z, u)
Proof idea: crypto-style reduction• Assume axiom not valid: A D negligible f n0 n > n0 s.t.
• [[]](T,D,f)|/|T| < 1 –f(n)• Construct attacker A’ that uses A, D to break
IND-CCA2 secure encryption scheme• Conditional implication essential
Logic and Cryptography: Big Picture
Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure
encryption)
Crypto constructions satisfying definitions (e.g., Cramer-Shoup
encryption scheme)
Axiom in proof system
Protocol security proofs using proof system
Semantics and soundness theorem
Summary: PCL
Proving security properties of network protocols is important! Formalism
• Protocol programming language• Protocol logic
– Syntax – stating security properties– Semantics – meaning of security properties
• Proof System – proving security properties
Examples• Signature-based challenge-response, ISO, 802.11i
Composition • Modular proofs
Computational Soundness• Symbolic proofs about complexity-theoretic model
Thanks !
Questions?