
Proving Security of Industrial Network Protocols: Theory and Practice

Anupam Datta, Stanford University

Oakland PC Crystal Ball Workshop, January 2007

Security Protocol Analysis

Network security protocols
• Industry standards (IETF, IEEE)
  – SSL/TLS: web authentication
  – IPSec: corporate VPNs
  – Mobile IPv6: routing security
  – Kerberos: network authentication
  – GDOI: secure group communication
  – 802.11i: wireless LAN security

Methods for their security analysis
• Security proof in some model; or
• Identify attacks

Our Result

Protocol Composition Logic (PCL):
• Unbounded number of sessions (vs. model-checking)
• Short high-level proofs: 2-3 pages
• Sound wrt symbolic and computational cryptographic models
• Taught in security courses (alternative to BAN): CMU, Penn, Stanford, Texas…

[DMP01, DDMP03, …, RDDM06]

PCL: Big Picture

PCL
• Syntax (properties)
• Proof system (proofs)
• High-level proof principles

Symbolic Model
• PCL semantics (meaning of formulas)
• Unbounded # concurrent sessions
• Soundness theorem (by induction)

Cryptographic Model: Computational PCL
• Syntax ± and proof system ± (PCL's, with small changes)
• PCL semantics (meaning of formulas)
• Polynomial # concurrent sessions
• Soundness theorem (by reduction)

[BPW, MW, …]

PCL Results: Industrial Protocols

• IEEE 802.11i [IEEE Standards; 2004] – TLS/SSL [RFC 2246] is a component [HSDDM05]
  (Attack using model-checking; fix adopted by WG)
• GDOI Secure Group Communication [RFC 3547] [MP04]
  (Attack using PCL; fix adopted by IETF WG)
• Kerberos V5 [IETF ID; 2004] [CMP05, RDDM06]
• Mobile IPv6 [RFC 3775] – in progress [RDM06]
• IKE/JFK family: IKEv2 [IETF ID; 2004] – in progress [RDM06]

Except Kerberos, results currently apply only to the symbolic model.

PCL Proof Techniques

Modular Proofs [DDMP03, HSDDM05]
• Useful for protocols composed from multiple components, e.g. IEEE 802.11i has 4 components including TLS
• Sequential, parallel, staged composition

Generic Template-style Proofs [DDMP04]
• Useful for protocols with multiple modes but similar abstract structure, e.g. IKEv2 has two modes based on symmetric and public-key cryptography

In More Detail …

Protocol Programming Language

Protocol Composition Logic
• Syntax: stating security properties
• Trace semantics: property holds in (almost) all runs of the protocol

Proof System
• Axioms and rules: used to prove security
• High-level proof principles

Example: Challenge-Response

A → B: m, A
B → A: n, sigB{m, n, A}
A → B: sigA{m, n, B}

Alice reasons: if Bob is honest, then:
1. only Bob can generate his signature [protocol independent]
2. if Bob generates a signature of the form sigB{m, n, A},
   – he sends it as part of msg2 of the protocol, and
   – he must have received msg1 from Alice [protocol specific]

Alice deduces: Received(B, msg1) Λ Sent(B, msg2)

Challenge-Response Programs

A → B: m, A
B → A: n, sigB{m, n, A}
A → B: sigA{m, n, B}

InitCR(A, X) = [
  new m;
  send A, X, {m, A};
  receive X, A, {x, sigX{m, x, A}};
  send A, X, sigA{m, x, X};
] < >

RespCR(B) = [
  receive Y, B, {y, Y};
  new n;
  send B, Y, {n, sigB{y, n, Y}};
  receive Y, B, sigY{y, n, B};
] < >

Challenge-Response Property

Specifying authentication for the Initiator using PCL syntax:

true [ InitCR(A, B) ]_A  Honest(B) ⊃
  ( Send(A, {A,B,m}) < Receive(B, {A,B,m})
    < Send(B, {B,A,{n, sigB{m, n, A}}})
    < Receive(A, {B,A,{n, sigB{m, n, A}}}) )

Semantics: the property should hold in (almost) all protocol runs.

PCL: Proof System

Sample axiom: property of signature:
  Honest(X) Λ Verifies(Y, sigX{m}) ⊃ ∃m’. Sent(X, m’) Λ Contains(m’, sigX{m})

Sample proof rules:
• First-order logic rules
• Induction rule (next slide)

Soundness Theorem: if a formula is provable, then it holds in all protocol runs. Established using induction for the symbolic model and reduction for the cryptographic model.

Step 1 of CR proof

Inductive Invariant Rule Scheme (for all basic steps A of protocol Q):

  Start(X) [ ]_X Inv        Inv [ A ]_X Inv
  ------------------------------------------
  Q |- Honest(X) ⊃ Inv

• Example:
  CR |- Honest(X) ⊃ ( Send(X, m) Λ Contains(m, sigX{y, x, Y}) ⊃
        m = X, Y, {x, sigX{y, x, Y}} Λ Receive(X, {Y, X, {y, Y}}) )
• Note: rule depends on protocol

Step 2 of CR proof

In More Detail …

PCL Proof Techniques
• Modular Proofs
• Generic Template-style Proofs

Modular Analysis / Composition

802.11i Key Management (Laptop – Access Point – Auth Server)
• EAP-TLS: certificates to authorization (PMK, a shared secret)
• 4WAY Handshake: PMK to keys for data communication
• Group key: keys for broadcast communication
• Data protection: AES based, using above keys

20 msgs in 4 components [HSDDM CCS’05 -> TISSEC Special Issue]

Compositional Proofs: Intuition

Protocol specific reasoning
• “if honest Bob generates a signature of the form sigB{m, n, A}, he sends it as part of msg2 …”
• Could break: Bob’s signature from one protocol could be used to attack another
• PCL proof system: invariant rule

Protocol independent reasoning
• Axiom stating unforgeability of signatures
• Still good: unaffected by composition
• All other axioms and proof rules for PCL

Proof Tree

• Axioms and the INV rule establish the invariant Inv; the other rules derive Inv |- Auth, the security property
• TLS |- Inv: bulk of proof reused
• 4WAY |- Inv: additional work to prove
• TLS | 4WAY |- Inv

Theorem: If Q |- Inv and Q’ |- Inv, then Q | Q’ |- Inv. [DDMP CSF’03 -> JCS Special Issue, MFPS’03]

Generic Template-style Proofs

Protocols with function variables instead of specific cryptographic operations
• One template can be instantiated to many protocols
• Proof of template yields proofs for instances

Motivating example:
• IKEv2: two instances based on symmetric and public-key cryptography

Protocol Template

Challenge-Response Template
A → B: m
B → A: n, F(B,A,n,m)
A → B: G(A,B,n,m)

Instantiations

ISO-9798-2
A → B: m
B → A: n, E_KAB(n,m,B)
A → B: E_KAB(n,m)

ISO-9798-3
A → B: m
B → A: n, sigB(n,m,A)
A → B: sigA(n,m,B)

SKID3
A → B: m
B → A: n, H_KAB(n,m,B)
A → B: H_KAB(n,m,A)

Template Proof Method

Characterizing protocol concepts
• Step 1: Under hypotheses about function variables and invariants, prove the security property of the template
• Step 2: Instantiate function variables to cryptographic operations and prove the hypotheses

Benefit:
• Proof reuse
• Single protocol can be an instance of multiple templates, allowing modular proofs
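The Challenge-Response Property slide gives the initiator's authentication formula as a statement about traces, and the two template steps just listed say how a template proof is carried over to its instances. The Python program below is an added example for both passages; it is not code from the deck or from the PCL project. It runs the deck's challenge-response template under the three instantiations shown (ISO-9798-2, ISO-9798-3, SKID3) in a symbolic model, evaluates the initiator property over each run's trace, and checks Step 2's hypothesis on the function variables F and G. Everything beyond the deck's message formats is this example's assumption: the nested-tuple term encoding, the Trace class with an honest in-order network, generator-based roles, the principal names Alice and Bob, and the reading of the hypothesis as "only A or B can produce the proof terms F(B,A,n,m) and G(A,B,n,m)".

```python
"""Added example: the deck's challenge-response template run in a symbolic model,
with the PCL initiator property evaluated over the trace of each run.  Assumed
here, not taken from the deck: nested-tuple terms, a Trace with an honest in-order
network, generator-based roles, and a symbolic reading of the F/G hypothesis."""
from dataclasses import dataclass
from itertools import count
from typing import Callable

Term = tuple       # ("nonce", k) | ("sig", X, t) | ("enc"|"mac", key, t) | (src, dst, t)
_fresh = count(1)

def new() -> Term:                 # the PCL 'new' action: a fresh symbolic nonce
    return ("nonce", next(_fresh))

def k(A: str, B: str) -> Term:     # symbolic shared key K_AB, held by exactly A and B
    return ("key", frozenset({A, B}))

@dataclass(frozen=True)
class Action:
    kind: str          # "Send" or "Receive"
    principal: str     # thread owner X in Send(X, t) / Receive(X, t)
    msg: Term          # (src, dst, payload)

class Trace:
    """Ordered Send/Receive actions of one run, plus not-yet-delivered messages."""
    def __init__(self):
        self.actions, self.pending = [], []
    def send(self, src: str, dst: str, payload: Term) -> None:
        self.actions.append(Action("Send", src, (src, dst, payload)))
        self.pending.append((src, dst, payload))
    def receive(self, dst: str) -> Term:
        msg = next(m for m in self.pending if m[1] == dst)   # oldest message for dst
        self.pending.remove(msg)
        self.actions.append(Action("Receive", dst, msg))
        return msg

@dataclass(frozen=True)
class Instance:        # one instantiation of the template's function variables
    name: str
    F: Callable[[str, str, Term, Term], Term]   # F(B, A, n, m): responder's proof term
    G: Callable[[str, str, Term, Term], Term]   # G(A, B, n, m): initiator's proof term

ISO_9798_2 = Instance("ISO-9798-2", F=lambda B, A, n, m: ("enc", k(A, B), (n, m, B)),
                                    G=lambda A, B, n, m: ("enc", k(A, B), (n, m)))
ISO_9798_3 = Instance("ISO-9798-3", F=lambda B, A, n, m: ("sig", B, (n, m, A)),
                                    G=lambda A, B, n, m: ("sig", A, (n, m, B)))
SKID3 = Instance("SKID3", F=lambda B, A, n, m: ("mac", k(A, B), (n, m, B)),
                          G=lambda A, B, n, m: ("mac", k(A, B), (n, m, A)))
INSTANCES = (ISO_9798_2, ISO_9798_3, SKID3)

def init_role(tr: Trace, inst: Instance, A: str, B: str):
    """Template initiator: new m; send m; receive n, F(B,A,n,m); send G(A,B,n,m)."""
    m = new()
    tr.send(A, B, m)
    yield                                    # let the responder take its turn
    _, _, (n, f) = tr.receive(A)
    if f != inst.F(B, A, n, m):              # the receive pattern checks the proof term
        raise ValueError(f"{inst.name}: initiator rejects F")
    tr.send(A, B, inst.G(A, B, n, m))

def resp_role(tr: Trace, inst: Instance, B: str):
    """Template responder: receive m; new n; send n, F(B,Y,n,m); receive G(Y,B,n,m)."""
    Y, _, m = tr.receive(B)                  # peer name Y is read from the header
    n = new()
    tr.send(B, Y, (n, inst.F(B, Y, n, m)))
    yield
    _, _, g = tr.receive(B)
    if g != inst.G(Y, B, n, m):
        raise ValueError(f"{inst.name}: responder rejects G")

def run(inst: Instance, A: str = "Alice", B: str = "Bob") -> Trace:
    """Interleave one initiator and one responder thread round robin until both finish."""
    tr, done = Trace(), object()
    threads = [init_role(tr, inst, A, B), resp_role(tr, inst, B)]
    while threads:
        threads = [th for th in threads if next(th, done) is not done]
    return tr

def initiator_auth(tr: Trace, A: str, B: str, honest: set) -> bool:
    """Trace semantics of the initiator property:  Honest(B) implies
    Send(A,msg1) < Receive(B,msg1) < Send(B,msg2) < Receive(A,msg2),
    with msg1 and msg2 the messages bound in A's own thread."""
    if B not in honest:
        return True                          # false antecedent: holds vacuously
    mine = [a for a in tr.actions if a.principal == A]
    msg1 = mine[0].msg                                       # (A, B, m)
    msg2 = next(a.msg for a in mine if a.kind == "Receive")  # (B, A, (n, F))
    wanted = [Action("Send", A, msg1), Action("Receive", B, msg1),
              Action("Send", B, msg2), Action("Receive", A, msg2)]
    if not all(w in tr.actions for w in wanted):
        return False
    pos = [tr.actions.index(w) for w in wanted]
    return pos == sorted(pos)                # the four actions occur in this order

def producers(t: Term) -> set:
    """Symbolic model: sig_X is built only by X; E_K and H_K only by holders of K."""
    return {t[1]} if t[0] == "sig" else set(t[1][1]) if t[0] in ("enc", "mac") else set()

def hypotheses_hold(inst: Instance, A: str = "Alice", B: str = "Bob") -> bool:
    """Step 2 of the template method, under this example's reading of the hypothesis
    on F and G: only A or B can produce F(B,A,n,m) and G(A,B,n,m)."""
    n, m = new(), new()
    return all(set() < producers(t) <= {A, B}
               for t in (inst.F(B, A, n, m), inst.G(A, B, n, m)))
```

For each instance, run(inst) yields a six-action trace on which initiator_auth returns True when Bob is honest; when Bob is not in the honest set it returns True trivially, which is exactly what the Honest(B) guard in the formula says. hypotheses_hold is the Step 2 obligation: for ISO-9798-3 the producer sets are {B} and {A} (signatures), for the two shared-key instances they are {A, B}, so all three discharge the same template hypothesis and inherit the template's proof.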

Proof Structure

Template: axiom, hypothesis (bulk of proof reused)

Instance: additional work to discharge the hypotheses

Summary

PCL – Logic for security protocols
• Sound wrt symbolic and cryptographic models
• High-level short proofs: 2-3 pages

Proof techniques
• Modular/compositional proofs
• Generic template-style proofs

Proofs of industrial protocols
• IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2 (unpublished), Mobile IPv6 (in progress)

Acknowledgements

PCL Design
• A. Datta, A. Derek, N. Durgin, J. C. Mitchell, D. Pavlovic, A. Roy

Computational PCL Design
• A. Datta, A. Derek, J. C. Mitchell, A. Roy, M. Turuani, V. Shmatikov, B. Warinschi

PCL Applications (in addition)
• M. Backes, I. Cervesato, C. He, C. Meadows, M. Sundararajan

PCL Project Page:
• http://www.stanford.edu/~danupam/logic-derivation.html

Thanks!

Questions?

Attacks on Industry Standards

IKE [Meadows; 1999]
• Reflection attack; fix adopted by IETF WG

IEEE 802.11i [He, Mitchell; 2004]
• DoS attack; fix adopted by IEEE WG

GDOI [Meadows, Pavlovic; 2004]
• Composition attack; fix adopted by IETF WG

Kerberos V5 [Scedrov et al; 2005]
• Identity misbinding attack; fix adopted by IETF WG; Windows update released by Microsoft

Identified using logical methods

Protocol Analysis Techniques

Cryptographic Protocol Analysis
• Formal Models (Dolev-Yao: perfect cryptography)
  – Model Checking: FDR, Murphi, Athena, NRL, Brutus, OFMC (bug finding)
  – Protocol Logics: BAN, PCL
  – Theorem Proving: Inductive Method, Automating BAN, TAPS, Automating PCL (correctness proofs)
  – Process Calculi: Spi-calculus, Applied pi-calculus, …
• Cryptographic Models
  – Probabilistic Interactive TM, Probabilistic process calculi, Probabilistic I/O automata
  – Computational PCL

Communication Setting

Insecure network (attacker has full control)

Open Problems in 2000

Background:
• Precise model of protocol execution
• Methods applied to simple protocols [Clark-J97]

Central open problems:
• Develop methods for industrial protocols
  – [Mea99, Pau99] exceptions: SET, IKE, Kerberos
  – Compositional analysis technique required for practice
• Cryptographic soundness
  – Remove perfect cryptography assumption
  – Analysis should be sound wrt complexity-theoretic model of cryptography

PCL: Syntax

Action formulas
  a ::= Send(P,t) | Receive(P,t) | …

Formulas
  φ ::= a | Has(P,t) | Honest(N) | ¬φ | φ1 Λ φ2 | ∃x. φ | a < a | …

Modal formula
  φ [ actions ]_P φ

Example (specifying secrecy):
  Has(X, secret) ⊃ (X = A ∨ X = B)

Compositional Security

Protocol Q, and a safe environment for Q made of the other protocols Q1, Q2, Q3, … Qn

Hard problem in security!

Modularity in CS:
• Programming languages
• Distributed computing
• Hardware verification

Different from:
• Assume-guarantee in distributed computing [MC81]
• Universal Composability [C01, PW01]

Protocol Analysis Spectrum

[Figure] Axes: protocol complexity (Low to High) against strength of attacker model (Low to High). Plotted: Murphi, FDR, NRL, Athena (model checking); hand proofs, Paulson, BAN logic, Spi-calculus, multiset rewriting; Poly-time calculus, PCL, Computational PCL (BPW, MW, Herz, Blan). "Holy Grail": combining logic and cryptography; divide and conquer.