Security Analysis of Network Protocols:
Logical and Computational Methods
John MitchellStanford University
ICALP and PPDP, 2005
Outline
Protocols• Some examples, some intuition
Symbolic analysis of protocol security• Models, results, tools
Computational analysis• Communicating Turing machines, composability
Combining symbolic, computational analysis• Some alternate approaches• Protocol Composition Logic (PCL)• Symbolic and computational semantics
Many Protocols
Authentication• Kerberos
Key Exchange• SSL/TLS handshake, IKE, JFK, IKEv2,
Wireless and mobile computing• Mobile IP, WEP, 802.11i
Electronic commerce• Contract signing, SET, electronic cash, …
Mobile IPv6 Architecture
IPv6
Mobile Node (MN)
Corresponding Node (CN)
Home Agent (HA)
Direct connection via binding update
Authentication is a requirement
Early proposals weak
SupplicantUnAuth/UnAssoc802.1X BlockedNo Key
802.11 Association
802.11i Wireless Authentication
MSK EAP/802.1X/RADIUS Authentication
4-Way Handshake
Group Key Handshake
Data Communication
SupplicantAuth/Assoc802.1X UnBlockedPTK/GTK
IKE subprotocol from IPSEC
A, (ga mod p)
B, (gb mod p)
Result: A and B share secret gab mod p
A B
m1
m2 ,
signB(m1,m2)
signA(m1,m2)
Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks
Needham-Schroeder Protocol
{ A, NonceA }
{ NonceA, NonceB }
{ NonceB}
Ka
Kb
Result: A and B share two private numbers
not known to any observer without Ka-1, Kb-1
A B
Kb
Anomaly in Needham-Schroeder
A E
B
{ A, Na }
{ A, Na }{ Na, Nb }
{ Na, Nb }
{ Nb }
Ke
KbKa
Ka
Ke
Evil agent E trickshonest A into revealingprivate key Nb from B.
Evil E can then fool B.
[Lowe]
Run of a protocol
A
BInitiate
Respond
C
D
Correct if no security violation in any run
Attacker
Protocol analysis methods
Cryptographic reductions• Bellare-Rogaway, Shoup, many others• UC [Canetti et al], Simulatability [BPW]• Prob poly-time process calculus [LMRST…]
Symbolic methods• Model checking
– FDR [Lowe, Roscoe, …], Murphi [M, Shmatikov, …],
• Symbolic search– NRL protocol analyzer [Meadows]
• Theorem proving– Isabelle [Paulson …], Specialized logics [BAN, …]
See papers in PPDP, ICALP proceedings for references
“The” Symbolic Model
Messages are algebraic expressions• Nonce, Encrypt(K,M), Sign(K,M), …
Adversary• Nondeterministic• Observe, store, direct all communication
– Break messages into parts– Encrypt, decrypt, sign only if it has the key
• Example: K1, Encrypt(K1, “hi”) K1, Encrypt(K1, “hi”) “hi”
– Send messages derivable from stored parts
Many formulations
Word problems [Dolev-Yao, Dolev-Even-Karp, …]• Each protocol step is symbolic function from input message to
output message; cancellation law dkekx = x Rewrite systems [CDLMS]
• Each protocol step is symbolic function from state and input message to state and output message
Logic programming [Meadows NRL Analyzer]• Each protocol step can be defined by logical clauses• Resolution used to perform reachability search
Constraint solving [Amadio-Lugiez, … ]• Write set constraints defining messages known at step i
Strand space model [MITRE]• Partial order (Lamport causality), reasoning methods
Process calculus [CSP, Spi-calculus, applied , …)• Each protocol step is process that reads, writes on channel• Spi-calculus: use for new values, private channels, simulate
crypto
Complexity results (see [Cortier et al])
Bounded # of sessions
Unbounded number of sessions
Without nonces With nonces
Co-NP complete General: undecidable
General: undecidable
Bounded msg length: DEXP-time complete
Bounded msg length: undecidable
Tagged: exptime Tagged: decidable
One-copy: DEXP-time complete
Ping-pong protocols: Ptime
Additional results for variants of basic model (AC, xor, modular exp, …)
Many protocol case studies
Murphi [Shmatikov, He, …]• SSL, Contract signing, 802.11i, …
Meadows NRL tool• Participation in IETF, IEEE standards• Many important examples
Paulson inductive method; Scedrov et al• Kerberos, SSL, SET, many more
Protocol logic• BAN logic and successors (GNY, SvO, …)• DDMP …
Computational model I
[Bellare-Rogaway, Shoup, …]
Adversary
input tape
work tape
oracle tape oracle tape
“Alice” “Bob”
Computational model II
[Canetti, …]
Turing machine Turing
machine
Turing machine
Turing machine
Adversary
Computational security: encryption
Passive adversary• Semantic security
Chosen ciphertext attacks (CCA1)• Adversary can ask for decryption
before receiving a challenge ciphertext
Chosen ciphertext attacks (CCA2)• Adversary can ask for decryption
before and after receiving a challenge ciphertext
Passive Adversary
Challenger Attacker
m0, m1
E(mi)
guess 0 or 1
Chosen ciphertext CCA1
Challenger Attacker
m0, m1
E(mi)
guess 0 or 1
c
D(c)
Chosen ciphertext CCA2
Challenger Attacker
m0, m1
E(mi)
guess 0 or 1
c
D(c)
c E(mj)
D(c)
Protocol execution
P1
P3P4
P2
output
output
Z
Ideal functionality
P1
P3P4
P2
F
S
simulator
input inputZ
Protocol security
A
attacker
Slide: R Canetti
IDEALREAL
Trusted party
Protocolinteraction
For every real adversary A
there exists anadversary S
Universal composability
also “reactive simulatability” [BPW], … see [DKMRS]
Slide: Y Lindell
Symbolic model[NS78,DY84,…]
Complexity-theoretic model [GM84,…]
Attacker actions - Fixed set of actions, nondeterminism(ABSTRACTION)
+ Any probabilistic poly-time computation
Security properties -Idealized, e.g., secret message = not possessing atomic term representing message(ABSTRACTION)
+ Fine-grained, e.g., secret message = no partial information about bitstring representation
Analysis methods + Successful array of tools and techniques; automation
- Hand-proofs are difficult, error-prone; no automation
Can we have best of both worlds?
Some relevant approaches
Simulation framework• Backes, Pfitzmann, Waidner
Correspondence theorems• Micciancio, Warinschi
Kapron-Impagliazzo logics Abadi-Rogaway passive equivalence
(K2,{01}K3) , {({101}K2,K5 )}K2, {{K6}K4}K5 (K2, ) , {({101}K2,K5 )}K2, { }K5 (K1, ) , {({101}K1,K5 )}K1, { }K5 (K1,{K1}K7) , {({101}K1,K5 )}K1, {{K6}K7}K5 Proposed as start of larger plan for computational soundness
… …
[Abadi-Rogaway00, …, Adao-Bana-Scedrov05]
Symbolic methods comp’l results
Pereira and Quisquater, CSFW 2001, 2004 • Studied authenticated group Diffie-Hellman protocols• Found symbolic attack in Cliques SA-GDH.2 protocol• Proved no protocol of certain type is secure, for >3
participants
Micciancio and Panjwani, EUROCRYPT 2004 • Lower bound for class of group key establishment
protocols using purely Dolev-Yao reasoning – Model pseudo-random generators, encryption
symbolically• Lower bounds is tight; matches a known protocol
Rest of talk: Protocol composition logic
Alice’s information• Protocol• Private data• Sends and receives
Honest Principals,Attacker
Send
Receive
Protocol
Private Data
Logic now has symbolic
and computational semantics
Example
{ A, Noncea }
{ Noncea, … }Ka
Kb
A B
Alice assumes that only Bob has Kb-1
Alice generated Noncea and knows that
some X decrypted first message Since only X knows Kb-1, Alice knows X=Bob
More subtle example: Bob’s view
{ A, Noncea }
{ Noncea, B, Nonceb }
{ Nonceb}
Ka
Kb
A B
Kb
Bob assumes that Alice follows protocol Since Alice responds to second
message, Alice must have sent the first message
Execution model
Protocol• “Program” for each protocol role
Initial configuration• Set of principals and key• Assignment of 1 role to each principal
Runx
z
{x}B
({x}B)
{z}B
decr
A
B
C
({z}B)
Position in run
Formulas true at a position in run
Action formulasa ::= Send(P,m) | Receive (P,m) | New(P,t)
| Decrypt (P,t) | Verify (P,t)
Formulas ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | | 1 2 | x | |
Example After(a,b) = (b a)
Notation in papers varies slightly …
Modal Formulas
After actions, condition [ actions ] P where P = princ,
role id
Before/after assertions [ actions ] P
Composition rule
[ S ] P [ T ] P
[ ST ] P Logic formulated: [DMP,DDMP]
Related to: BAN, Floyd-Hoare, CSP/CCS, temporal logic, NPATRL
Example: Bob’s view of NSL
Bob knows he’s talking to Alice[ receive encrypt( Key(B), A,m ); new n; send encrypt( Key(A), m, B, n ); receive encrypt( Key(B), n ) ] B
Honest(A) Csent(A, msg1) Csent(A, msg3)
where Csent(A, …) Created(A, …) Sent(A, …)
msg1
msg3
Proof System
Sample Axioms:• Reasoning about possession:
– [receive m ]A Has(A,m)– Has(A, {m,n}) Has(A, m) Has(A, n)
• Reasoning about crypto primitives:– Honest(X) Decrypt(Y, enc(X, {m})) X=Y– Honest(X) Verify(Y, sig(X, {m})) m’ (Send(X, m’) Contains(m’, sig(X, {m}))
Soundness Theorem: • Every provable formula is valid in symbolic
model
Modal Formulas
After actions, condition [ actions ] P where P = princ,
role id
Before/after assertions [ actions ] P
Composition rule
[ S ] P [ T ] P
[ ST ] P
Application DH + CR = ISO 9798-3
Initiator role of DH[ new a ] I Fresh(I, ga) HasAlone(I, a)
Initiator role of CRFresh(I, m) [send … receive … B… send] Honest(B) ActionsInOrder(…)
Combination• Substitute ga for m in CR• Apply composition rule, persistence• Obtain assertion about ISO initiator
Additional issues
Reasoning about honest principals• Invariance rule, called “honesty rule”
Preserve invariants under composition• If we prove Honest(X) for protocol
1 and compose with protocol 2, is formula still true?
Composing protocols
DH Honest(X) …
’
|- Secrecy ’ |- Authentication
’ |- Secrecy ’ |- Authentication
’ |- Secrecy Authentication [additive]
DH CR ’ [nondestructive] ISO Secrecy Authentication
=CR Honest(X) …
Main results in ICALP Proceedings
Computational PCL• Symbolic logic for proving security properties of
network protocols using public-key encryption Soundness Theorem:
• If a property is provable in CPCL, then property holds in computational model with overwhelming asymptotic probability.
Benefits• Symbolic proofs about computational model• Computational reasoning in soundness proof
(only!)• Different axioms rely on different crypto
assumptions
PCL Computational PCL
Syntax, proof rules mostly the same• But not sure about propositional
connectives… Significant difference
• Symbolic “knowledge”– Has(X,t) : X can produce t from msgs that have
been observed, by symbolic algorithm• Computational “knowledge”
– Possess(X,t) : can produce t by ppt algorithm– Indistinguishable(X,t) : can distinguish from random in ppt
• More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.
Complexity-theoretic semantics
Q |= if adversary A distinguisher D negligible function f n0 n > n0
s.t.
[[]](T,D,f)
T(Q,A,n)
[[]](T,D,f(n))|/|T| > 1 – f(n)
Fraction represents probability
• Fix protocol Q, PPT adversary A• Choose value of security parameter n• Vary random bits used by all programs• Obtain set T=T(Q,A,n) of equi-probable traces
Inductive Semantics
[[1 2]] (T,D,) = [[1]] (T,D,) [[2]] (T,D,)
[[1 2]] (T,D,) = [[1]] (T,D,) [[2]] (T,D,)
[[ ]] (T,D,) = T - [[]] (T,D,)
Implication uses conditional probability
[[1 2]] (T,D,) = [[1]] (T,D,)
[[2]] (T’,D,)
where T’ = [[1]] (T,D,)
Formula defines transformation on probability distributions over traces
Soundness of proof system
Example axiom• Source(Y,u,{m}X) Decrypts(X, {m}X)
Honest(X,Y) (Z X,Y) Indistinguishable(Z, u)
Proof idea: crypto-style reduction• Assume axiom not valid: A D negligible f n0 n > n0 s.t.
• [[]](T,D,f)|/|T| < 1 –f(n)• Construct attacker A’ that uses A, D to break
IND-CCA2 secure encryption scheme• Conditional implication essential
Parts of proof are similar to [Micciancio, Warinschi]
Applications of PCL
IKE, JFK family key exchange• IKEv2 in progress
802.11i wireless networking• SSL/TLS, 4way handshake, group handshake
Kerberos v5 [Cervesato et al] GDOI [Meadows, Pavlovic]
Future work• Use CPCL to understand computational security of
these protocols, reliance on specific crypto properties
Advantages of Computational PCL
High-level reasoning• Prove properties of protocols without
explicit reasoning about probability, asymptotic complexity
Sound for “real crypto” Composability
• PCL is designed for protocol composition
Identify crypto assumptions needed
Future Work
Investigate nature of propositional fragment• Non-classical; involves some conditional probability
– complexity-theoretic reductions– connections with probabilistic logics (e.g. Nilsson86)
Generalize reasoning about secrecy Extend logic
• More primitives: signature, hash functions,…• Remove current syntactic restrictions on formulas
Information-theoretic semantics (thanks to A Scedrov)• Only probability; no complexity
Other fundamental problems• See Kapron-Impagliazzo, etc.
Conclusion
Symbolic model supports useful analysis• Tools, case studies, high-level proofs
Computational model more “correct”• More accurately reflects realistic attack
Two approaches can be combined• Several current projects and approaches• One example: computational semantics for
symbolic protocol logic
Credits
Collaborators• M. Backes, A. Datta, A. Derek, N. Durgin, C. He, R. Kuesters, D. Pavlovic, A. Ramanathan, A. Roy, A. Scedrov, V. Shmatikov, M. Sundararajan, V. Teague, M. Turuani, B. Warinschi, …
More information• References in PPDP, ICALP proceedings• Web page on Protocol Composition Logic
– http://www.stanford.edu/~danupam/logic-derivation.html– My web site for related projects not discussed
Science is a social process