Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations. Anupam Datta, Stanford University, May 10, 2005.

Page 1

Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations

Anupam Datta, Stanford University

May 10, 2005

Page 2

Outline

Part I: Overview
• Motivation
• Central problems
  – Divide and Conquer paradigm
  – Combining logic and cryptography
• Results

Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations

Page 3

This talk is about…

Network security protocols
• Internet Engineering Task Force (IETF) Standards
  – SSL/TLS - web authentication
  – IPSec - corporate VPNs
  – Mobile IPv6 – routing security
  – Kerberos - network authentication
  – GDOI – secure group communication
• IEEE Standards Working Group
  – 802.11i - wireless security

And methods for their security analysis
• Security proof in some model; or
• Identify attacks

Page 4

Characteristics of protocols

Relatively simple distributed programs
• 5-7 steps, 3-10 fields per message (per component)

Mission critical
• Security of data, credit card numbers, …

Subtle
• Concurrency: attack may combine data from many sessions
• Computation: modeling cryptographic primitives

Good domain for logical methods

Active research area since early 80’s

Page 5

Security Analysis Methodology

[Figure: an Analysis Tool takes a Protocol, a Property and an Attacker model as inputs and produces a Security proof or attack.]

Our tool: Protocol Composition Logic (PCL)

Example instance:
• Protocol: SSL
• Property: authentication
• Attacker model: complete control over network; perfect crypto
• Result: 42 line axiomatic proof

“Forty-two,” said Deep Thought, with infinite majesty and calm.
- D. Adams, HGG, 1979

Page 6

Classifying Attacks

Implementation bugs
• Buffer overflow, format string vulnerabilities

Cryptography breaks
• IEEE 802.11b (WEP encryption)

Protocol flaws
• Needham-Schroeder, IKE, IEEE 802.11i

• Focus on protocol flaws assuming “strong crypto”
• Complexity-theoretic characterization of “strong crypto”

Page 7

IEEE 802.11i wireless security [2004]

[Figure: three parties, Wireless Device, Access Point and Authentication Server, running the following phases in order.]
• 802.11 Association
• EAP/802.1X/RADIUS Authentication
• 4-way handshake
• Group key handshake
• Data communication

Uses crypto: encryption, hash,

• Divide-and-conquer paradigm
• Combining logic and cryptography

Page 8

Divide-and-Conquer paradigm

Central Problem 1: Composition is a hard problem in security

Result: Protocol Derivation System [DDMP03-05]
• Incremental protocol construction

Result: Protocol Composition Logic (PCL) [DDDMP01-05]
• Compositional correctness proofs

Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], [Pfitzmann-Waidner01], …

Page 9

Combining logic and cryptography

Central Problem 2

Symbolic model [NS78, DY84]
– Perfect cryptography assumption
+ Idealization => tools and techniques

Complexity-theoretic model [GM84]
+ More detailed model; probabilistic guarantees
– Hand-proofs very hard; no automation

Result: Computational PCL [DDMST05]
+ Logical proof methods
+ Complexity-theoretic crypto model

Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]

Page 10

Applied to industrial protocols

• IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG) [He et al]
• IKEv2 [IETF Internet Draft; 2004] [Aron et al]
• TLS/SSL [RFC 2246; 1999] [He et al]
• Mobile IPv6 [RFC 3775; 2004] (New Attack!) [Roy et al]
• Kerberos V5 [IETF Internet Draft; 2004] [Cervesato et al]
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Attack! Fix adopted by IETF WG) [Meadows et al]

Page 11

Tool support

Isabelle implementation of PCL [Kempston et al]
• PCL syntax and proof system encoded into Isabelle, a generic theorem-prover
• Machine-checkable axiomatic proofs
• Use Isabelle’s first-order reasoner

Protocol Derivation Assistant [Anlauff et al]
• Graphical support tool for protocol derivations

Page 12

IPSec

• Widely deployed: Corporate VPNs
• Provides secrecy and integrity
• IKEv2 is the IPSec key exchange protocol

[Figure: two hosts communicating across the Internet; IPSec provides IP layer host-to-host security.]

Page 13

IKEv2 [IETF ID 2004]

IKE_INIT (Exchange key material)
I → R: HDR, SAi1, g^i, Ni
R → I: HDR, SAr1, g^r, Nr

IKE_AUTH (Authenticate)
I → R: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}
R → I: HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr}

IKE_CHILD_SA (Rekey)

Multi-mode protocol: the authenticator can use either a signature or a pre-shared key

• Modular proofs
• Multi-mode (Unified “template” proof)
• Properties: authentication, shared secret, identity & DoS protection, repudiability

Page 14

Mobile IPv6 [IETF ID 2004]

[Figure: a mobile node with a Home address at Stanford moves to Wisconsin, where it uses a Care of address, while talking to a Correspondent Node.]

• Change of location
• Authentication
• DoS issues
• Protocol breaks if attacker controls complete network

Page 15

GDOI [RFC 3547, 2003]

• Secure group communication
• Composition attack
• Fix adopted by IETF WG

Communicating in a group can be difficult…

[Figure: group members and a Group controller connected over a Public network.]

Page 16

Protocol analysis spectrum

[Figure: methods plotted on two axes, Strength of attacker model (Low to High) against Protocol complexity (Low to High). Points shown: Murφ, FDR, NRL, Athena, Hand proofs, Paulson, BAN logic, Spi-calculus, Poly-time calculus, Model checking, Protocol logic, Computational Protocol logic, Multiset rewriting, and the Holy Grail in the high/high corner. Two arrows towards the Holy Grail are labelled “Combining logic and cryptography” and “Divide and conquer”.]

Page 17

Outline

Part I: Overview

Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations

Page 18

Challenge-Response: Proof Idea

A → B: m, A
B → A: n, sigB{m, n, A}
A → B: sigA{m, n, B}

Alice reasons: if Bob is honest, then:
• only Bob can generate his signature. [protocol independent]
• if Bob generates a signature of the form sigB{m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg 1 from Alice. [protocol specific]

Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)

Page 19

Reasoning method

Reason about local information
• I know my own actions

Incorporate knowledge of protocol
• Honest people faithfully follow protocol

No explicit reasoning about intruder
• Absence of bad action expressed as a positive property of good actions
  – E.g., honest agent’s signature can be produced only by the agent

Distinguishes our method from existing techniques

Page 20

Formalism

Cord calculus
• Protocol programming language
• Execution model (Symbolic/“Dolev-Yao”)

Protocol logic
• Expressing protocol properties

Proof system
• Proving protocol properties
• Soundness theorem

Page 21

Challenge-Response as Cords

A → B: m, A
B → A: n, sigB{m, n, A}
A → B: sigA{m, n, B}

InitCR(A, X) = [
  new m;
  send A, X, m, A;
  receive X, A, x, sigX{m, x, A};
  send A, X, sigA{m, x, X};
]

RespCR(B) = [
  receive Y, B, y, Y;
  new n;
  send B, Y, n, sigB{y, n, Y};
  receive Y, B, sigY{y, n, B};
]

Page 22

Challenge Response: Property

Modal form: [ actions ] P
• precondition: Fresh(A, m)
• actions: [ Initiator role actions ]A
• postcondition: Honest(B) ⊃ ActionsInOrder(
    send(A, {A, B, m}),
    receive(B, {A, B, m}),
    send(B, {B, A, {n, sigB{m, n, A}}}),
    receive(A, {B, A, {n, sigB{m, n, A}}}) )

Page 23

Proof System

Sample Axioms:
• Reasoning about possession:
  – [receive m]A Has(A, m)
  – Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
• Reasoning about crypto primitives:
  – Honest(X) ∧ Decrypt(Y, encX{m}) ⊃ X = Y
  – Honest(X) ∧ Verify(Y, sigX{m}) ⊃ ∃m’ (Send(X, m’) ∧ Contains(m’, sigX{m}))

Soundness Theorem: Every provable formula is valid

Page 24

Outline

Part I: Overview

Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations

Page 25

Reasoning about Composition

Non-destructive Combination: Ensure combined parts do not interfere
– In logic: invariance assertions

Additive Combination: Accumulate security properties of combined parts, assuming they do not interfere
– In logic: before-after assertions

Page 26

Proof steps (Intuition)

Protocol independent reasoning
• Has(A, {m, n}) ⊃ Has(A, m) ∧ Has(A, n)
• Still good: unaffected by composition

Protocol specific reasoning
• “if honest Bob generates a signature of the form sigB{m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg 1 from Alice”
• Could break: Bob’s signature from one protocol could be used to attack another

Technically:
• Protocol-specific proof steps use invariants
• Invariants must be preserved for safe composition

Page 27

Invariants

Reasoning about honest principals
• Invariance rule, called “honesty rule”

Preservation of invariants under composition
• If we prove Honest(X) ⊃ φ for protocol 1 and compose with protocol 2, is the formula still true?

Page 28

Honesty Rule (Induction)

Definition
• A protocol step begins with a receive and ends before the next receive

Rule
    [ ]X φ        ∀B ∈ ProtocolSteps(Q). [B]X φ
    ───────────────────────────────────────────
              Q ⊢ Honest(X) ⊃ φ

Example
    CR ⊢ Honest(X) ⊃ (Sent(X, m2) ⊃ Received(X, m1))

Page 29

Diffie-Hellman: Property

Formula
• [ new a ]A Fresh(A, g^a)

Explanation
• Modal form: [ actions ] P
• Actions: [ new a ]A
• Postcondition: Fresh(A, g^a)

Page 30

Challenge Response: Property

Modal form: [ actions ] P
• precondition: Fresh(A, m)
• actions: [ Initiator role actions ]A
• postcondition: Honest(B) ⊃ ActionsInOrder(
    send(A, {A, B, m}),
    receive(B, {A, B, m}),
    send(B, {B, A, {n, sigB{m, n, A}}}),
    receive(A, {B, A, {n, sigB{m, n, A}}}) )

Page 31

Composition: DH + CR = ISO-9798-3

• Additive Combination
  – DH post-condition matches CR precondition
  – Sequential Composition:
    • Substitute g^a for m in CR to obtain ISO.
    • Apply composition rule
    • ISO initiator role inherits CR authentication.
  – DH secrecy is also preserved
    • Proved using another application of the composition rule.

• Nondestructive Combination
  – DH and CR satisfy each other’s invariants
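The cords on page 21, the ActionsInOrder postcondition on page 22 and the DH + CR composition on this page, run as a symbolic execution. This is an added example, not code from the talk: the term encoding (tuples tagged "nonce", "sig", "exp"), the honest-run scheduler `run`, and the function names are assumptions; the composed initiator simply calls the CR initiator with m := g^a, as the substitution step above describes.

```python
from itertools import count
_counter = count()

def new(owner):
    # Cord action "new x": a fresh atomic term tagged with its creator.
    return ("nonce", owner, next(_counter))

def sig(signer, *body):
    # sig_X{body}: in the symbolic model only the honest signer X can build it.
    return ("sig", signer, body)

def init_cr(A, X, m):
    # InitCR(A, X); the challenge m is a parameter so the role also serves ISO.
    yield ("send", A, (A, X, m, A))
    _, _, x, s = yield ("receive", A, None)      # X, A, x, sig_X{m, x, A}
    assert s == sig(X, m, x, A), "bad responder signature"
    yield ("send", A, (A, X, sig(A, m, x, X)))

def resp_cr(B):
    # RespCR(B) as on the slide.
    Y, _, y, _ = yield ("receive", B, None)      # Y, B, y, Y
    n = new(B)
    yield ("send", B, (B, Y, n, sig(B, y, n, Y)))
    msg = yield ("receive", B, None)             # Y, B, sig_Y{y, n, B}
    assert msg[2] == sig(Y, y, n, B), "bad initiator signature"

def run(roles):
    # Honest execution: step each role; a sent message is delivered to its
    # addressee (msg[1]), who resumes with it. Returns [(action, principal, msg)].
    trace, inbox, blocked = [], {}, {}
    ready = [(p, g, None) for p, g in roles]
    while ready:
        p, g, value = ready.pop(0)
        try:
            act, who, msg = g.send(value)
        except StopIteration:
            continue
        if act == "send":
            trace.append(("send", who, msg))
            inbox.setdefault(msg[1], []).append(msg)
            ready.append((p, g, None))
        else:
            blocked[p] = g
        for q in [q for q in blocked if inbox.get(q)]:
            m = inbox[q].pop(0)
            trace.append(("receive", q, m))
            ready.append((q, blocked.pop(q), m))
    assert not blocked, "deadlock: a role is still waiting for a message"
    return trace

def actions_in_order(trace, *pattern):
    # ActionsInOrder(a1, ..., ak): the actions occur in the trace in this order.
    it = iter(trace)
    return all(any(ev == want for ev in it) for want in pattern)

def cr_authentication(trace, A, B, m, n):
    # Postcondition of the Challenge-Response property, in cord message format.
    msg1, msg2 = (A, B, m, A), (B, A, n, sig(B, m, n, A))
    return actions_in_order(trace, ("send", A, msg1), ("receive", B, msg1),
                            ("send", B, msg2), ("receive", A, msg2))

def parts(term):
    # Possession axioms: a pair yields its components and a signature its
    # body; nonces and g^a ("exp", a) are atomic, so g^a does not yield a.
    yield term
    if isinstance(term, tuple) and term[0] == "sig":
        yield from parts(term[2])
    elif isinstance(term, tuple) and term[0] not in ("nonce", "exp"):
        for t in term:
            yield from parts(t)

def iso_run():
    # ISO-9798-3 initiator: DH step [new a]_A, then CR with m := g^a = ("exp", a).
    a = new("A")
    return a, run([("A", init_cr("A", "B", ("exp", a))), ("B", resp_cr("B"))])
```

Collecting `parts` over every sent message of the ISO trace gives the terms an observer of the network can derive: g^a and n are in that set, the exponent a is not, which is the DH secrecy the composition preserves.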

Page 32

Composing protocols

[Figure: proof structure for ISO = DH followed by CR, with Γ the invariants of DH and Γ′ the invariants of CR.]

    DH ⊢ Γ          Γ  = Honest(X) ⊃ …
    CR ⊢ Γ′         Γ′ = Honest(X) ⊃ …

    Γ ⊢ Secrecy                    Γ′ ⊢ Authentication
    Γ ∪ Γ′ ⊢ Secrecy               Γ ∪ Γ′ ⊢ Authentication
    Γ ∪ Γ′ ⊢ Secrecy ∧ Authentication                       [additive]
    DH, CR ⊢ Γ ∪ Γ′                                         [nondestructive]
    ISO ⊢ Secrecy ∧ Authentication

Sequential and parallel composition theorems

Page 33

Composition Rules

Invariant weakening rule
        Γ ⊢ […]P
    ─────────────────
      Γ ∪ Γ′ ⊢ […]P

Sequential Composition
    Γ ⊢ [ S ] P      Γ ⊢ [ T ] P
    ────────────────────────────
           Γ ⊢ [ ST ] P

Prove invariants from protocol
    Q ⊢ Γ      Q′ ⊢ Γ
    ─────────────────────────────────
    (composition of Q and Q′) ⊢ Γ

Page 34

Composition: Big Picture

[Figure: Protocol Q inside a Safe Environment for Q made up of protocols Q1, Q2, Q3, …, Qn.]

• Q ⊢ Inv(Q)
• Inv(Q) ⊢ φ (the security property of Q)
• Qi ⊢ Inv(Q)
• No reasoning about attacker

Different from:
• Assume-guarantee in distributed computing [MC81]
• Universal Composability [C01, PW01]

Page 35

Outline

Part I: Overview

Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations

Page 36

Two worlds

Symbolic model [NS78, DY84, …]
• Attacker actions: – Fixed set of actions, e.g., decryption with known key (ABSTRACTION)
• Security properties: – Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)
• Analysis methods: + Successful array of tools and techniques; automation

Complexity-theoretic model [GM84, …]
• Attacker actions: + Any probabilistic poly-time computation
• Security properties: + Fine-grained, e.g., secret message = no partial information about bitstring representation
• Analysis methods: – Hand-proofs are difficult, error-prone; no automation

Can we get the best of both worlds?

Page 37

Our Approach

Talk so far… Protocol Composition Logic (PCL)
• Syntax
• Proof System
• Semantics: Symbolic “Dolev-Yao” model

Leverage PCL success… Computational PCL
• Syntax ±
• Proof System ±
• Semantics: Complexity-theoretic model

Page 38

Main Result

Computational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption

Soundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1.
+ Symbolic proofs
+ Complexity-theoretic model

Page 39

Computational PCL

Syntax
• Expressing security properties

Proof System
• Proving security properties
• Soundness Theorem

Semantics
• Complexity-theoretic Model
  – Attacker – any PPT algorithm
  – Meaning of security properties

Page 40

Example 1

A → B: A, B, {n, A}B
B → A: B, A, n

Security Property - authentication
[Initiator Program]A Honest(B) ⊃ ActionsInOrder( send(A, msg1), receive(B, msg1), send(B, msg2), receive(A, msg2) )

Page 41

Example 2

A → B: A, B, {n, A}B

Security Property - secrecy
[Initiator Program]A Honest(B) ⊃ ∀X ((X ≠ A, B) ⊃ Indistinguishable(X, n))

Page 42

Logic Syntax

Page 43

Proof System

Page 44

Soundness of proof system

Information-theoretic reasoning
• [new u]X (Y ≠ X) ⊃ Indistinguishable(Y, u)

Complexity-theoretic reductions
• Source(Y, u, {m}X) ∧ Decrypts(X, {m}X) ∧ Honest(X, Y) ∧ (Z ≠ X, Y) ⊃ Indistinguishable(Z, u)
• Reduction to IND-CCA2-secure encryption scheme

Asymptotic calculations
• Sum of two negligible functions is a negligible function
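The asymptotic step on this slide, carried through as an added worked derivation (not on the original slide), using the standard definition of a negligible function:

$$f \text{ is negligible} \iff \forall c > 0\; \exists n_c\; \forall n > n_c:\; f(n) < n^{-c}.$$

Let $f_1, f_2$ be negligible and fix $c > 0$. Apply the definition to each with exponent $c+1$, obtaining thresholds $n^{(1)}_{c+1}$ and $n^{(2)}_{c+1}$, and set $n_0 = \max(n^{(1)}_{c+1},\, n^{(2)}_{c+1},\, 2)$. For every $n > n_0$,

$$f_1(n) + f_2(n) < n^{-(c+1)} + n^{-(c+1)} = \frac{2}{n}\, n^{-c} \le n^{-c},$$

so $f_1 + f_2$ is negligible. This is what allows a soundness proof to add up the error probabilities contributed by the individual proof steps (each bounded by its own reduction) and still stay within the $1 - f(n)$ bound used in the semantics.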

Page 45

Complexity-theoretic semantics

Q ⊨ φ if ∀A ∈ D ∃ negligible function f ∃n0 ∀n > n0 s.t. |T(φ)| / |T(Q, A, n)| > 1 – f(n)

• Fix protocol Q, PPT adversary A, security parameter n
• Vary random bits used by all programs
• Obtain set of equi-probable traces, T(Q, A, n)

[Figure: T(φ), the traces satisfying φ, drawn as a subset of T(Q, A, n); the ratio |T(φ)| / |T(Q, A, n)| represents probability.]

Page 46

Inductive Semantics

Consider set of traces T(Q, A, n)
• T(φ1 ∧ φ2) = T(φ1) ∩ T(φ2)
• T(φ1 ∨ φ2) = T(φ1) ∪ T(φ2)
• T(¬φ) = T(Q, A, n) \ T(φ)

Semantics of formulas are transformers on probability distribution over traces

Page 47

Logic and Cryptography: Big Picture

[Figure: the layers connecting cryptography to the logic.]
• Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
• Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)
• Axiom in proof system
• Protocol security proofs using proof system
• Semantics and soundness theorem

Page 48

Current Work

Investigate nature of logic
• Propositional fragment not classical: implication (⊃) represents conditional probability
  – complexity-theoretic reductions
  – connections with probabilistic logics (e.g. Nilsson86)

Generalize reasoning about secrecy
• Probability close to ½ instead of 1
• Not a trace property

Extend logic
• More primitives: signature, hash functions, …
• Remove current syntactic restrictions on formulas

Information-theoretic semantics
• Only probability; no complexity

Page 49

Summary

Methodology:
• Divide-and-conquer paradigm in security
• Combining logic and cryptography

Applications:
• IEEE 802.11i (Attack! Fix adopted by IEEE WG)
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
• IKEv2 [IETF Internet Draft; 2004]
• TLS [RFC 2246; 1999]
• Kerberos V5 [IETF Internet Draft; 2004]
• Mobile IPv6 [RFC 3775; 2004] (New Attack!)

Page 50

Protocol analysis spectrum

[Figure: the protocol analysis spectrum from page 16 shown again: Strength of attacker model (Low to High) against Protocol complexity (Low to High), with Murφ, FDR, NRL, Athena, Hand proofs, Paulson, BAN logic, Spi-calculus, Poly-time calculus, Model checking, Protocol logic, Computational Protocol logic, Multiset rewriting and the Holy Grail; arrows labelled “Combining logic and cryptography” and “Divide and conquer”.]

Page 51

Publications in dissertation

A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic
• A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue]
• Abstraction and refinement in protocol derivation [CSFW04]

A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic [ICALP05]

A. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan, V. Shmatikov. Unifying equivalence-based definitions of protocol security [WITS04]

Page 52

Other publications

A. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan. On the Relationships between Notions of Simulation-based Security [TCC05]

M. Backes, A. Datta, A. Derek, J. C. Mitchell, M. Turuani. Compositional Analysis of Contract-Signing Protocols [CSFW05]

A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. Secure Protocol Composition [MFPS03]

A. Datta, A. Derek, J. C. Mitchell, A. Ramanathan, A. Scedrov. The Impossibility of Realizable Ideal Functionality [In submission]

C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i [In submission]

Page 53

Acknowledgements

John Mitchell

Dan Boneh, David Dill, Rajeev Motwani, Stanley Peters

Dusko Pavlovic, Andre Scedrov

Ante Derek, Ajith Ramanathan

Ralf Kuesters, Vitaly Shmatikov, Mathieu Turuani, Bogdan Warinschi

Andrei Aron, Dan Auerbach, Changhua He, Cary Kempston, Arnab Roy, Mukund Sundararajan

Family, friends, …