Page 1: Security Analysis of Network Protocols

Security Analysis of Network Protocols

Anupam Datta, Stanford University

May 18, 2005

Page 2: Security Analysis of Network Protocols

This talk is about…

Industrial network security protocols

• Internet Engineering Task Force (IETF) Standards
  – SSL/TLS - web authentication
  – IPSec - corporate VPNs
  – Mobile IPv6 – routing security
  – Kerberos - network authentication
  – GDOI – secure group communication
• IEEE Standards Working Group
  – 802.11i - wireless security

And methods for their security analysis

• Security proof in some model; or
• Identify attacks

Earlier talk by John Mitchell

Page 3: Security Analysis of Network Protocols

Outline

Part I: Overview
• Motivation
• Central problems
  – Divide and Conquer paradigm
  – Combining logic and cryptography
• Results

Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations

Page 4: Security Analysis of Network Protocols

Security Analysis Methodology

[Diagram labels: Analysis Tool; Protocol; Property; Security proof or attack; Attacker model]

Our tool: Protocol Composition Logic (PCL)

SSL authentication

- Complete control over network
- Perfect crypto

42 line axiomatic proof

Page 5: Security Analysis of Network Protocols

IEEE 802.11i wireless security [2004]

[Diagram: message flow among Wireless Device, Access Point and Authentication Server. Phases shown: 802.11 Association; EAP/802.1X/RADIUS Authentication; 4-way handshake; Group key handshake; Data communication]

• Divide-and-conquer paradigm
• Combining logic and cryptography

Uses crypto: encryption, hash,

Page 6: Security Analysis of Network Protocols

Divide-and-Conquer paradigm

Result: Protocol Derivation System [DDMP03-05]
• Incremental protocol construction

Result: Protocol Composition Logic (PCL) [DDDMP01-05]
• Compositional correctness proofs

Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], [Pfitzmann-Waidner01], …

Composition is a hard problem in security

Central Problem 1

Page 7: Security Analysis of Network Protocols

Combining logic and cryptography

Symbolic model [NS78, DY84]
- Perfect cryptography assumption
+ Idealization => tools and techniques

Complexity-theoretic model [GM84]
+ More detailed model; probabilistic guarantees
- Hand-proofs very hard; no automation

Result: Computational PCL [DDMST05]
+ Logical proof methods
+ Complexity-theoretic crypto model

Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]

Central Problem 2

Page 8: Security Analysis of Network Protocols

Applied to industrial protocols

• IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG) [He et al]
• IKEv2 [IETF Internet Draft; 2004] [Aron et al]
• TLS/SSL [RFC 2246; 1999] [He et al]
• Mobile IPv6 [RFC 3775; 2004] (New Attack!) [Roy et al]
• Kerberos V5 [IETF Internet Draft; 2004] [Cervesato et al]
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Attack! Fix adopted by IETF WG) [Meadows et al]

Page 9: Security Analysis of Network Protocols

Protocol analysis spectrum

[Figure: analysis tools and methods plotted by protocol complexity (horizontal axis, Low to High) against strength of attacker model (vertical axis, Low to High). Labels: Murφ, FDR, NRL, Athena, Hand proofs, Paulson, BAN logic, Spi-calculus, Poly-time calculus, Model checking, Protocol logic, Computational Protocol logic, Multiset rewriting, Holy Grail. Annotations: "Combining logic and cryptography", "Divide and conquer".]

Page 10: Security Analysis of Network Protocols

Outline

Part I: Overview

Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations

Page 11: Security Analysis of Network Protocols

Challenge-Response: Proof Idea

A → B: m, A
B → A: n, sigB{m, n, A}
A → B: sigA{m, n, B}

Alice reasons: if Bob is honest, then:
• only Bob can generate his signature. [protocol independent]
• if Bob generates a signature of the form sigB{m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice. [protocol specific]

Alice deduces: Received (B, msg1) ∧ Sent (B, msg2)

Page 12: Security Analysis of Network Protocols

Reasoning method

Reason about local information
• I know my own actions

Incorporate knowledge of protocol
• Honest people faithfully follow protocol

No explicit reasoning about intruder
• Absence of bad action expressed as a positive property of good actions
  – E.g., honest agent’s signature can be produced only by the agent

Distinguishes our method from existing techniques

Page 13: Security Analysis of Network Protocols

Formalism

Cord calculus
• Protocol programming language
• Execution model (Symbolic/“Dolev-Yao”)

Protocol logic
• Expressing protocol properties

Proof system
• Proving protocol properties
• Soundness theorem

Page 14: Security Analysis of Network Protocols

Challenge-Response as Cords

A → B: m, A
B → A: n, sigB{m, n, A}
A → B: sigA{m, n, B}

InitCR(A, X) = [
  new m;
  send A, X, m, A;
  receive X, A, x, sigX{m, x, A};
  send A, X, sigA{m, x, X};
]

RespCR(B) = [
  receive Y, B, y, Y;
  new n;
  send B, Y, n, sigB{y, n, Y};
  receive Y, B, sigY{y, n, B};
]

Page 15: Security Analysis of Network Protocols

Challenge Response: Property

Modal form: [ actions ]P

• precondition: Fresh(A,m)
• actions: [ Initiator role actions ]A
• postcondition: Honest(B) ActionsInOrder(
    send(A, {A,B,m}),
    receive(B, {A,B,m}),
    send(B, {B,A,{n, sigB {m, n, A}}}),
    receive(A, {B,A,{n, sigB {m, n, A}}}) )
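
Added example (not part of the original slides): a symbolic run of the InitCR and RespCR cords that records the trace of actions and checks the ActionsInOrder postcondition over it. The Python names (run_cr, actions_in_order, wrong_peer, the tamper hook) and the tuple encoding of terms are assumptions of this example; the messages follow the cords, so message 1 is the tuple A, B, m, A.

```python
# Added example: symbolic (Dolev-Yao style) run of the challenge-response cords.
import itertools

_counter = itertools.count(1)

def new(prefix):
    """The cord action 'new': a fresh symbolic nonce."""
    return f"{prefix}{next(_counter)}"

def sig(signer, *payload):
    """Symbolic term sig_signer{payload}; perfect crypto means no forgery."""
    return ("sig", signer, payload)

def run_cr(A, B, tamper=None):
    """Run InitCR(A, B) against RespCR(B); return (trace, completed).
    tamper (hypothetical hook) lets the network rewrite message 2."""
    trace = []
    m = new("m")                                   # InitCR: new m
    msg1 = (A, B, m, A)
    trace.append(("send", A, msg1))                # send A, X, m, A
    Y, _, y, _ = msg1
    trace.append(("receive", B, msg1))             # RespCR: receive Y, B, y, Y
    n = new("n")                                   # new n
    msg2 = (B, Y, n, sig(B, y, n, Y))
    trace.append(("send", B, msg2))                # send B, Y, n, sigB{y, n, Y}
    wire2 = tamper(msg2) if tamper else msg2
    x, s = wire2[2], wire2[3]
    if s != sig(B, m, x, A):                       # receive X, A, x, sigX{m, x, A}
        return trace, False                        # pattern match fails: A stops
    trace.append(("receive", A, wire2))
    msg3 = (A, B, sig(A, m, x, B))
    trace.append(("send", A, msg3))                # send A, X, sigA{m, x, X}
    if msg3[2] != sig(Y, y, n, B):                 # receive Y, B, sigY{y, n, B}
        return trace, False
    trace.append(("receive", B, msg3))
    return trace, True

def actions_in_order(trace, expected):
    """ActionsInOrder: expected events occur in the trace in this order."""
    remaining = iter(trace)
    return all(event in remaining for event in expected)

def wrong_peer(msg2):
    """Constructed tampering: a genuine sigB term that names peer 'C', not A."""
    B, Y, n, s = msg2
    return (B, Y, n, sig(B, s[2][0], n, "C"))

if __name__ == "__main__":
    print(run_cr("A", "B")[1], run_cr("A", "B", tamper=wrong_peer)[1])
```

The second run stops at the initiator because the signed term names a different peer, which is the identity binding the protocol-specific reasoning step relies on.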

Page 16: Security Analysis of Network Protocols

Proof System

Sample Axioms:
• Reasoning about possession:
  – [receive m ]A Has(A,m)
  – Has(A, {m,n}) Has(A, m) Has(A, n)
• Reasoning about crypto primitives:
  – Honest(X) Decrypt(Y, encX{m}) X=Y
  – Honest(X) Verify(Y, sigX{m}) m’ (Send(X, m’) Contains(m’, sigX{m})

Soundness Theorem:
Every provable formula is valid

Page 17: Security Analysis of Network Protocols

Outline

Part I: Overview

Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations

Page 18: Security Analysis of Network Protocols

Reasoning about Composition

Non-destructive Combination: Ensure combined parts do not interfere
– In logic: invariance assertions

Additive Combination: Accumulate security properties of combined parts, assuming they do not interfere
– In logic: before-after assertions

Page 19: Security Analysis of Network Protocols

Proof steps (Intuition)

Protocol independent reasoning
• Has(A, {m,n}) Has(A, m) Has(A, n)
• Still good: unaffected by composition

Protocol specific reasoning
• “if honest Bob generates a signature of the form sigB {m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice”
• Could break: Bob’s signature from one protocol could be used to attack another

Technically:
• Protocol-specific proof steps use invariants
• Invariants must be preserved for safe composition

Page 20: Security Analysis of Network Protocols

Composing protocols

DH Honest(X) …

|- Secrecy ’ |- Authentication

’ |- Secrecy ’ |- Authentication

’ |- Secrecy Authentication [additive]DH CR ’ [nondestructive] ISO Secrecy Authentication

=CR Honest(X) …

Sequential and parallel composition theorems

Page 21: Security Analysis of Network Protocols

Composition Rules Invariant weakening rule

|- […]P

’ |- […]P

Sequential Composition |- [ S ] P |- [ T ] P

|- [ ST ] P Prove invariants from protocol

Q Q’ Q Q’

Page 22: Security Analysis of Network Protocols

Composition: Big Picture

Different from:
• Assume-guarantee in distributed computing [MC81]
• Universal Composability [C01, PW01]

Protocol Q

Safe Environment for Q

Q1 Q2 Q3 Qn

• Q |- Inv(Q)
• Inv(Q) |-
• Qi |- Inv(Q)
• No reasoning about attacker

Page 23: Security Analysis of Network Protocols

Outline

Part I: Overview

Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations

Page 24: Security Analysis of Network Protocols

Two worlds

Symbolic model [NS78, DY84, …] and complexity-theoretic model [GM84, …]

Attacker actions
• Symbolic: - Fixed set of actions, e.g., decryption with known key (ABSTRACTION)
• Complexity-theoretic: + Any probabilistic poly-time computation

Security properties
• Symbolic: - Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)
• Complexity-theoretic: + Fine-grained, e.g., secret message = no partial information about bitstring representation

Analysis methods
• Symbolic: + Successful array of tools and techniques; automation
• Complexity-theoretic: - Hand-proofs are difficult, error-prone; no automation

Can we get the best of both worlds?

Page 25: Security Analysis of Network Protocols

Our Approach

Protocol Composition Logic (PCL)
• Syntax
• Proof System

Symbolic “Dolev-Yao” model
• Semantics

Computational PCL
• Syntax ±
• Proof System ±

Complexity-theoretic model
• Semantics

Talk so far…
Leverage PCL success…

Page 26: Security Analysis of Network Protocols

Soundness of proof system

Information-theoretic reasoning
[new u]X (Y X) Indistinguishable(Y, u)

Complexity-theoretic reductions Source(Y,u,{m}X) Decrypts(X, {m}X)

Honest(X,Y) (Z X,Y) Indistinguishable(Z, u)

Asymptotic calculations

Sum of two negligible functions is a negligible function

Reduction to IND-CCA2-secure encryption scheme

Page 27: Security Analysis of Network Protocols

Logic and Cryptography: Big Picture

Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)

Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)

Axiom in proof system

Protocol security proofs using proof system

Semantics and soundness theorem

Page 28: Security Analysis of Network Protocols

Summary

Methodology:
• Divide-and-conquer paradigm in security
• Combining logic and cryptography

Applications:
• IEEE 802.11i (Attack! Fix adopted by IEEE WG)
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
• IKEv2 [IETF Internet Draft; 2004]
• TLS [RFC 2246; 1999]
• Kerberos V5 [IETF Internet Draft; 2004]
• Mobile IPv6 [RFC 3775; 2004] (New Attack!)

Page 29: Security Analysis of Network Protocols

Protocol analysis spectrum

[Figure: analysis tools and methods plotted by protocol complexity (horizontal axis, Low to High) against strength of attacker model (vertical axis, Low to High). Labels: Murφ, FDR, NRL, Athena, Hand proofs, Paulson, BAN logic, Spi-calculus, Poly-time calculus, Model checking, Protocol logic, Computational Protocol logic, Multiset rewriting, Holy Grail. Annotations: "Combining logic and cryptography", "Divide and conquer".]

Page 30: Security Analysis of Network Protocols

Selected Publications

A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic
• A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue]
• Secure Protocol Composition [MFPS03]
• Abstraction and refinement in protocol derivation [CSFW04]

A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic [ICALP05]

C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i [In submission]

www.stanford.edu/~danupam

