Security Analysis of Network Protocols Anupam Datta Stanford University CIS Seminar, MIT November 18, 2005

Security Analysis of Network Protocols

Anupam Datta, Stanford University

CIS Seminar, MIT, November 18, 2005

Outline

Part I: Overview
• Motivation
• Central problems
  – Divide and Conquer paradigm
  – Combining logic and cryptography
• Results

Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations

This talk is about…

Network security protocols
• Internet Engineering Task Force (IETF) Standards
  – SSL/TLS – web authentication
  – IPSec – corporate VPNs
  – Mobile IPv6 – routing security
  – Kerberos – network authentication
  – GDOI – secure group communication
• IEEE Standards Working Group
  – 802.11i – wireless LAN security
  – 802.16e – wireless MAN security

And methods for their security analysis
• Security proof in some model; or
• Identify attacks

Run of a protocol

(Figure: principals A, B, C and D; A initiates and B responds, with an attacker positioned on the network.)

Correct if no security violation in any run

Characteristics of protocols

Relatively simple distributed programs
• 5-7 steps, 3-10 fields per message (per component)

Mission critical
• Security of data, credit card numbers, …

Subtle
• Concurrency: attack may combine data from many sessions
• Computation: modeling cryptographic primitives

Good domain for logical methods

Active research area since early 80’s

Security Analysis Methodology

(Figure: an Analysis Tool takes a Protocol, a Property and an Attacker model as inputs and outputs a security proof or an attack.)

• Analysis Tool: our tool is Protocol Composition Logic (PCL)
• Protocol: SSL
• Property: authentication
• Attacker model: complete control over network; perfect crypto
• Output: 42 line axiomatic proof

Protocol analysis methods

Cryptographic reductions
• Bellare-Rogaway, Shoup, many others
• UC [Canetti et al], Simulatability [BPW]
• Prob poly-time process calculus [LMRST…]

Symbolic methods
• Model checking
  – FDR [Lowe, Roscoe, …], Murphi [Mitchell, Shmatikov, …], …
  – NRL protocol analyzer [Meadows], Athena [Song], …
• Theorem proving
  – Isabelle [Paulson …], Specialized logics [BAN, …, PCL]

Examples of protocol flaws

IKE [Meadows; 1999]
• Reflection attack; fix adopted by IETF WG

IEEE 802.11i [He, Mitchell; 2004]
• DoS attack; fix adopted by IEEE WG

GDOI [Meadows, Pavlovic; 2004]
• Composition attack; fix adopted by IETF WG

Kerberos V5 [Scedrov et al; 2005]
• Identity misbinding attack; fix adopted by IETF WG

IEEE 802.11i wireless security [2004]

(Figure: message flow between Wireless Device, Access Point and Authentication Server, in phases:)
• 802.11 Association
• EAP/802.1X/RADIUS Authentication
• 4-way handshake
• Group key handshake
• Data communication

Uses crypto: encryption, hash,

The two central problems:
• Divide-and-conquer paradigm
• Combining logic and cryptography

Central Problem 1: Divide-and-Conquer paradigm

Composition is a hard problem in security

Result: Protocol Derivation System [DDMP03-05]
• Incremental protocol construction

Result: Protocol Composition Logic (PCL) [DDDMP01-05]
• Compositional correctness proofs

Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], [Pfitzmann-Waidner01], …

Central Problem 2: Combining logic and cryptography

Symbolic model [NS78, DY84]
- Perfect cryptography assumption
+ Idealization => tools and techniques

Complexity-theoretic model [GM84]
+ More detailed model; probabilistic guarantees
- Hand-proofs very hard; no automation

Result: Computational PCL [DDMST05]
+ Logical proof methods
+ Complexity-theoretic crypto model

Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]

Applied to industrial protocols

• IEEE 802.11i [IEEE Standards; 2004] – [He et al]; TLS/SSL [RFC 2246] is a component
• IKE/JFK family, IKEv2 [IETF ID; 2004] – in progress [Aron et al]
• Mobile IPv6 [RFC 3775] – in progress [Roy et al]
• Kerberos V5 [IETF ID; 2004] – [Cervesato et al]
• GDOI Secure Group Communication protocol [RFC 3547] – [Meadows et al]

Protocol analysis spectrum

(Figure: analysis methods plotted by Protocol complexity, Low to High on the horizontal axis, against Strength of attacker model, Low to High on the vertical axis. Points: Murφ, FDR, NRL, Athena, Hand proofs, Paulson, BAN logic, Spi-calculus, Poly-time calculus, Model checking, Protocol logic, Computational Protocol logic, Multiset rewriting, and the "Holy Grail" at high complexity with a strong attacker model. Labels: "Combining logic and cryptography", "Divide and conquer".)

Outline

Part I: Overview
Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations

Challenge-Response: Proof Idea

(Message flow between A and B:)
A → B: m, A
B → A: n, sigB {m, n, A}
A → B: sigA {m, n, B}

Alice reasons: if Bob is honest, then:
• only Bob can generate his signature. [protocol independent]
• if Bob generates a signature of the form sigB {m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice. [protocol specific]

Alice deduces: Received (B, msg1) ∧ Sent (B, msg2)

Reasoning method

Reason about local information
• I know my own actions

Incorporate knowledge of protocol
• Honest people faithfully follow protocol

No explicit reasoning about intruder
• Absence of bad action expressed as a positive property of good actions
  – E.g., honest agent’s signature can be produced only by the agent

Distinguishes our method from existing techniques

Formalism

Cord calculus
• Protocol programming language
• Execution model (Symbolic/“Dolev-Yao”)

Protocol logic
• Expressing protocol properties

Proof system
• Proving protocol properties
• Soundness theorem

Challenge-Response as Cords

A → B: m, A
B → A: n, sigB {m, n, A}
A → B: sigA {m, n, B}

InitCR(A, X) = [
  new m;
  send A, X, m, A;
  receive X, A, x, sigX{m, x, A};
  send A, X, sigA{m, x, X};
]

RespCR(B) = [
  receive Y, B, y, Y;
  new n;
  send B, Y, n, sigB{y, n, Y};
  receive Y, B, sigY{y, n, B};
]

Execution model

Protocol
• “Program” for each protocol role

Initial configuration
• Set of principals and keys
• Assignment of 1 role to each principal

Run
(Figure: principals A, B and C. A performs New x and Send {x}B; C performs New z and Send {z}B; B performs Recv {x}B and Recv {z}B. A position in the run is a point in this sequence of events.)

Attacker capabilities

Controls complete network
• Can read, remove, inject messages

Fixed set of operations on terms
• Pairing
• Projection
• Encryption with known key
• Decryption with known key
• …

Action formulas
a ::= Send(P,m) | Receive(P,m) | New(P,t) | Decrypt(P,t) | Verify(P,t)

Formulas
φ ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | ¬φ | φ1 ∧ φ2 | ∃x φ | ◇φ | ⊖φ

Example: After(a,b) = ◇(b ∧ ⊖◇a)

Formulas true at a position in run

Challenge Response: Property

Modal form: θ [ actions ]P φ
• precondition: Fresh(A,m)
• actions: [ Initiator role actions ]A
• postcondition: Honest(B) ⊃ ActionsInOrder(
    send(A, {A,B,m}),
    receive(B, {A,B,m}),
    send(B, {B,A,{n, sigB {m, n, A}}}),
    receive(A, {B,A,{n, sigB {m, n, A}}}) )

Secure if desired property holds in all runs
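As an added example (not code from the talk or the PCL project), the two cords InitCR and RespCR above are run symbolically on an attacker-free network and the resulting trace is checked against the ActionsInOrder postcondition. Signatures are modelled as tagged tuples that only the named signer forms, and `new`, `sig`, `run_cr`, `actions_in_order` and `cr_postcondition` are this example's own names.

```python
from itertools import count

_nonce = count(1)

def new(owner):
    """Cord action 'new': a fresh nonce owned by `owner`."""
    return f"{owner}_n{next(_nonce)}"

def sig(signer, *fields):
    """Symbolic signature sig_signer{fields}; a tagged tuple that only
    the named signer is assumed able to form."""
    return ("sig", signer, fields)

def run_cr(A="A", B="B"):
    """Honest run of InitCR(A, B) against RespCR(B) with no attacker on the
    network.  Returns the trace as an ordered list of (actor, action, msg)."""
    trace = []
    m = new(A); trace.append((A, "new", m))
    msg1 = (A, B, m, A); trace.append((A, "send", msg1))
    # RespCR(B): receive Y, B, y, Y; new n; send B, Y, n, sigB{y, n, Y}
    Y, _, y, _ = msg1; trace.append((B, "receive", msg1))
    n = new(B); trace.append((B, "new", n))
    msg2 = (B, Y, n, sig(B, y, n, Y)); trace.append((B, "send", msg2))
    # InitCR(A, X): receive X, A, x, sigX{m, x, A}; send A, X, sigA{m, x, X}
    _, _, x, s = msg2; trace.append((A, "receive", msg2))
    if s != sig(B, m, x, A):            # pattern match = signature check
        raise ValueError("signature did not verify; run aborted")
    msg3 = (A, B, sig(A, m, x, B)); trace.append((A, "send", msg3))
    trace.append((B, "receive", msg3))
    return trace

def actions_in_order(trace, *events):
    """ActionsInOrder(e1, ..., ek): every event occurs, in the listed order."""
    pos = 0
    for ev in events:
        if ev not in trace[pos:]:
            return False
        pos = trace.index(ev, pos) + 1
    return True

def cr_postcondition(trace, A="A", B="B"):
    """The slide's postcondition for the initiator: the first two messages
    are sent and received in order (Honest(B) holds since B ran RespCR)."""
    m, n = trace[0][2], trace[3][2]
    msg1 = (A, B, m, A)
    msg2 = (B, A, n, sig(B, m, n, A))
    return actions_in_order(trace, (A, "send", msg1), (B, "receive", msg1),
                            (B, "send", msg2), (A, "receive", msg2))
```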

Proof System

Sample Axioms:
• Reasoning about possession:
  – [receive m ]A Has(A,m)
  – Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
• Reasoning about crypto primitives:
  – Honest(X) ∧ Decrypt(Y, encX{m}) ⊃ X=Y
  – Honest(X) ∧ Verify(Y, sigX{m}) ⊃ ∃m’. (Send(X, m’) ∧ Contains(m’, sigX{m}))

Soundness Theorem: Every provable formula is valid

Outline

Part I: Overview
Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations

Reasoning about Composition

Non-destructive Combination: Ensure combined parts do not interfere
– In logic: invariance assertions

Additive Combination: Accumulate security properties of combined parts, assuming they do not interfere
– In logic: before-after assertions

Proof steps (Intuition)

Protocol independent reasoning
• Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
• Still good: unaffected by composition

Protocol specific reasoning
• “if honest Bob generates a signature of the form sigB {m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice”
• Could break: Bob’s signature from one protocol could be used to attack another

Technically:
• Protocol-specific proof steps use invariants
• Invariants must be preserved for safe composition

Invariants

Reasoning about honest principals
• Invariance rule, called “honesty rule”

Preservation of invariants under composition
• If we prove Honest(X) ⊃ φ for protocol 1 and compose with protocol 2, is the formula still true?

Honesty Rule (Induction)

Definition
• A protocol step begins with receive, ends before next receive

Rule
  [ ]X φ        ∀B ∈ ProtocolSteps(Q). φ [B]X φ
  -----------------------------------------------
               Q ⊢ Honest(X) ⊃ φ

Example
  CR ⊢ Honest(X) ⊃ (Sent(X, m2) ⊃ Received(X, m1))

Composition of protocols

(Figure: the Diffie-Hellman initiator DH-Init is composed sequentially with the challenge-response initiator CR-Init; the term g^x produced by DH-Init is substituted for the challenge w of CR-Init, yielding the ISO initiator role.)

DH-Init(X, Y) = [
  new x;
]   output: X, Y, g^x, x

CR-Init(W, Z, w, x) = [
  send W, Z, w, A;
  receive Z, W, z, sigY{w, z, W};
  send W, Z, sigX{w, z, Z};
]   output: X, Y, z^x

ISO-Init(X, Y) = [
  new x;
  send X, Y, g^x, A;
  receive Y, X, z, sigY{g^x, z, X};
  send X, Y, sigX{g^x, z, Y};
]   output: X, Y, z^x

Sequential composition with term substitution

Compositional proofs

(Figure: proof structure for ISO as the composition of DH and CR, with Γ the invariant of DH and Γ’ the invariant of CR.)

  Γ  = DH ⊢ Honest(X) ⊃ …
  Γ’ = CR ⊢ Honest(X) ⊃ …

  Γ ⊢ Secrecy                 Γ’ ⊢ Authentication
  ΓΓ’ ⊢ Secrecy               ΓΓ’ ⊢ Authentication
  ΓΓ’ ⊢ Secrecy ∧ Authentication                  [additive]
  DH ⊢ Γ, CR ⊢ Γ’                                  [nondestructive]
  ISO ⊢ Secrecy ∧ Authentication

Composition Rules

Invariant weakening rule
  Γ ⊢ θ […]P φ
  ----------------  (Γ ⊆ Γ’)
  Γ’ ⊢ θ […]P φ

Sequential Composition
  Γ ⊢ θ [ S ]P φ      Γ ⊢ φ [ T ]P ψ
  ------------------------------------
          Γ ⊢ θ [ ST ]P ψ

Prove invariants from protocol
  Q ⊢ Γ      Q’ ⊢ Γ
  --------------------
      Q ∘ Q’ ⊢ Γ

Sequential, parallel, staged composition theorems [MFPS03, CCS05]

Composition: Big Picture

(Figure: protocol Q running inside a safe environment made up of protocols Q1, Q2, Q3, …, Qn.)

• Q ⊢ Inv(Q)
• Inv(Q) ⊢ φ
• Qi ⊢ Inv(Q)
• No reasoning about attacker

Different from:
• Assume-guarantee in distributed computing [MC81]
• Universal Composability [C01, PW01]

Outline

Part I: Overview
Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations

Two worlds

Symbolic model [NS78, DY84, …]
• Attacker actions: - Fixed set of actions, e.g., decryption with known key (ABSTRACTION)
• Security properties: - Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)
• Analysis methods: + Successful array of tools and techniques; automation

Complexity-theoretic model [GM84, …]
• Attacker actions: + Any probabilistic poly-time computation
• Security properties: + Fine-grained, e.g., secret message = no partial information about bitstring representation
• Analysis methods: - Hand-proofs are difficult, error-prone; no automation

Can we get the best of both worlds?

Our Approach

Protocol Composition Logic (PCL) – talk so far…
• Syntax
• Proof System
• Semantics: Symbolic “Dolev-Yao” model

Computational PCL – leverage PCL success…
• Syntax (± the same)
• Proof System (± the same)
• Semantics: Complexity-theoretic model

Main Result

Computational PCL
• Symbolic logic for proving security properties of network protocols

Soundness Theorem:
• If a property is provable in CPCL, then the property holds in the computational model with overwhelming asymptotic probability.

Benefits
• Symbolic proofs about computational model
• Computational reasoning in soundness proof (only!)
• Different axioms rely on different crypto assumptions

PCL vs. Computational PCL

Syntax, proof rules mostly the same
• But not sure about propositional connectives…

Significant difference
• Symbolic “knowledge”
  – Has(X,t) : X can produce t from msgs that have been observed, by symbolic algorithm
• Computational “knowledge”
  – Possess(X,t) : X can produce t by ppt algorithm
  – Indistinguishable(X,t) : X cannot distinguish t from random in ppt
• More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.

Complexity-theoretic semantics

Q ⊨ φ if ∀ adversary A ∀ distinguisher D ∀ negligible function f ∃ n0 ∀ n > n0 s.t.

  |[[φ]](T, D, f(n))| / |T| > 1 – f(n),   where T = T(Q, A, n)

Fraction represents probability
• Fix protocol Q, PPT adversary A
• Choose value of security parameter n
• Vary random bits used by all programs
• Obtain set T = T(Q,A,n) of equi-probable traces

Inductive Semantics

[[φ1 ∧ φ2]] (T,D,ε) = [[φ1]] (T,D,ε) ∩ [[φ2]] (T,D,ε)
[[φ1 ∨ φ2]] (T,D,ε) = [[φ1]] (T,D,ε) ∪ [[φ2]] (T,D,ε)
[[¬φ]] (T,D,ε) = T − [[φ]] (T,D,ε)

Implication uses conditional probability

[[φ1 ⊃ φ2]] (T,D,ε) = [[¬φ1]] (T,D,ε) ∪ [[φ2]] (T’,D,ε)
  where T’ = [[φ1]] (T,D,ε)

Formula defines transformation on probability distributions over traces
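As an added example (not from the talk or the PCL project), the inductive semantics above is implemented over a constructed set of eight equi-probable traces, with one atom modelling Indistinguishable as a property of the distribution (distinguisher D's success rate over the trace set) rather than of a single trace; the comparison with a classical reading of the implication shows why the conditional-probability clause matters. TRACES, EPS, `holds`, `sem`, `probability` and `classical_probability` are this example's own assumptions.

```python
from fractions import Fraction

# Constructed trace set: 8 equi-probable traces, each a dict of atomic facts.
# "sent" is a protocol event; "d_correct" records whether distinguisher D
# guessed correctly on that trace.
TRACES = (
    {"sent": True,  "d_correct": True},  {"sent": True,  "d_correct": False},
    {"sent": True,  "d_correct": True},  {"sent": True,  "d_correct": False},
    {"sent": False, "d_correct": True},  {"sent": False, "d_correct": True},
    {"sent": False, "d_correct": True},  {"sent": False, "d_correct": True},
)
ALL = frozenset(range(len(TRACES)))
EPS = Fraction(1, 8)   # tolerated distinguisher advantage (stands in for f(n))

def holds(i, atom, T):
    """Decide an atom on trace i relative to the trace set T.  'indist' models
    Indistinguishable: true on every trace of T iff D's success rate over T is
    within EPS of 1/2, so it depends on the distribution, not on one trace."""
    if atom == "indist":
        rate = Fraction(sum(TRACES[j]["d_correct"] for j in T), len(T))
        return abs(rate - Fraction(1, 2)) <= EPS
    return TRACES[i][atom]

def sem(phi, T):
    """[[phi]](T): the subset of T on which phi holds (D and epsilon fixed)."""
    k = phi[0]
    if k == "atom":
        return frozenset(i for i in T if holds(i, phi[1], T))
    if k == "not":
        return T - sem(phi[1], T)
    if k == "and":
        return sem(phi[1], T) & sem(phi[2], T)
    if k == "or":
        return sem(phi[1], T) | sem(phi[2], T)
    if k == "implies":
        # Conditional probability: phi2 is evaluated on T' = [[phi1]](T) only.
        T1 = sem(phi[1], T)
        return sem(("not", phi[1]), T) | sem(phi[2], T1)
    raise ValueError(f"unknown connective {k}")

def probability(phi, T=ALL):
    """|[[phi]](T)| / |T|, the fraction the slides read as a probability."""
    return Fraction(len(sem(phi, T)), len(T))

def classical_probability(phi1, phi2, T=ALL):
    """The same implication read classically, [[not phi1]](T) ∪ [[phi2]](T),
    for comparison with the conditional reading in sem()."""
    return Fraction(len(sem(("not", phi1), T) | sem(phi2, T)), len(T))
```

Over the whole set D is right on 6 of 8 traces, so Indistinguishable fails outright, but conditioned on the traces where the message was sent D is right on only 2 of 4, so the implication holds with probability 1 under the conditional reading and only 1/2 under the classical one.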

Soundness of proof system

Example axiom
• Source(Y,u,{m}X) ∧ ¬Decrypts(X, {m}X) ∧ Honest(X,Y) ∧ (Z ≠ X,Y) ⊃ Indistinguishable(Z, u)

Proof idea: crypto-style reduction
• Assume axiom not valid: ∃A ∃D ∃ negligible f ∀n0 ∃n > n0 s.t. |[[φ]](T,D,f)| / |T| < 1 – f(n)
• Construct attacker A’ that uses A, D to break IND-CCA2 secure encryption scheme
• Conditional implication essential

Logic and Cryptography: Big Picture

(Figure: the layers connected by the soundness theorem.)
• Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
• Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)
• Axiom in proof system
• Protocol security proofs using proof system
• Semantics and soundness theorem

Current Work

Investigate nature of logic
• Propositional fragment not classical; represents conditional probability
  – complexity-theoretic reductions
  – connections with probabilistic logics (e.g. Nilsson86, Fagin-Halpern90)

Generalize reasoning about secrecy
• Probability close to ½ instead of 1
• Not a trace property

Cover more cryptographic protocols
• More primitives: signature, hash functions, …
• And protocols: secure key exchange, …

Information-theoretic and concrete security semantics
• Only probability; no complexity
• Concrete security reductions

Summary

PCL – A logic for security protocols:
• Divide-and-conquer paradigm in security
• Combining logic and cryptography

Applications:
• IEEE 802.11i
• GDOI Secure Group Communication protocol [RFC 3547; 2003]
• IKEv2 [IETF Internet Draft; 2004]
• TLS [RFC 2246; 1999]
• Kerberos V5 [IETF Internet Draft; 2004]
• Mobile IPv6 [RFC 3775; 2004]

Protocol analysis spectrum

(Figure repeated from Part I: analysis methods plotted by protocol complexity against strength of attacker model, with the "Holy Grail" reached by "Combining logic and cryptography" and "Divide and conquer".)

Ongoing Work

Extend and refine PCL
• Programming language, syntax, proof system
• More properties: beyond authentication, secrecy – abuse-freeness, fairness, knowledge-based specification

Tool implementation
• Encode logic into generic theorem-prover
• Preliminary implementation in Isabelle
• Investigate decidability of PCL

Unified theory for different models
• Vary computational abilities of attacker – symbolic, poly-time, information-theoretic
• Vary adversary’s control over network – complete vs. partial (e.g., in Mobile IPv6)

Protocol Derivation
• Incremental protocol construction – replace Clark-Jacob survey

Other Projects

Specification of Security
• Unifying simulation-based definitions – universal composability, black-box simulatability, strong simulatability [DKMRS04, DKMR05]
• Comparing game-based definitions with simulation-based definitions – impossibility theorem [DDMRS05]
• Open problem: compositional security definition

Foundations of Privacy
• Contextual Integrity [Nissenbaum04]
• Formal theory: Kripke models, temporal logic
• Application to HIPAA, GLBA, COPPA, …
• Relation to RBAC, P3P, EPAL, DRM, statistical databases, … [WIP - BDMN05]

Credits/Selected Publications

A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue]

A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic [ICALP05]

C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i [CCS05, ACM TISSEC special issue]

Project web page: www.stanford.edu/~danupam/logic-derivation.html

Questions?

Chosen ciphertext security (IND-CCA2)

(Figure: the game between Challenger and Attacker.)
Attacker → Challenger: c               (decryption queries before the challenge)
Challenger → Attacker: D(c)
Attacker → Challenger: m0, m1
Challenger → Attacker: E(mi)           (challenge ciphertext, i chosen at random)
Attacker → Challenger: c ≠ E(mi)       (decryption queries after the challenge)
Challenger → Attacker: D(c)
Attacker: guess 0 or 1

Computational Soundness

Simulation framework
• Backes, Pfitzmann, Waidner

Correspondence theorems
• Micciancio, Warinschi

Kapron-Impagliazzo logics

Abadi-Rogaway passive equivalence
• Example expressions; in the pattern of an expression, ciphertexts under keys the observer cannot recover are replaced by a blank (□):
    (K2,{01}K3) , {({101}K2,K5 )}K2, {{K6}K4}K5
    (K2, □) , {({101}K2,K5 )}K2, { □ }K5
    (K1, □) , {({101}K1,K5 )}K1, { □ }K5
    (K1,{K1}K7) , {({101}K1,K5 )}K1, {{K6}K7}K5
    … …
• Proposed as start of larger plan for computational soundness [Abadi-Rogaway00, …, Adao-Bana-Scedrov05]

Symbolic methods → comp’l results

Pereira and Quisquater, CSFW 2001, 2004
• Studied authenticated group Diffie-Hellman protocols
• Found symbolic attack in Cliques SA-GDH.2 protocol
• Proved no protocol of certain type is secure, for >3 participants

Micciancio and Panjwani, EUROCRYPT 2004
• Lower bound for class of group key establishment protocols using purely Dolev-Yao reasoning
  – Model pseudo-random generators, encryption symbolically
• Lower bound is tight; matches a known protocol

Classifying Attacks

Implementation bugs
• Buffer overflow, format string vulnerabilities

Cryptography breaks
• IEEE 802.11b (WEP encryption)

Protocol flaws
• Needham-Schroeder, IKE, IEEE 802.11i

• Focus on protocol flaws assuming “strong crypto”
• Complexity-theoretic characterization of “strong crypto”