![Page 1: PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.](https://reader035.fdocuments.us/reader035/viewer/2022062407/56649d395503460f94a126bb/html5/thumbnails/1.jpg)
PCL: A Logic for Security Protocols
Anupam Datta, Stanford University
Secure Software Systems, CMU, October 3 and 5, 2005

Computer Security
Cryptography
• Encryption, signatures, cryptographic hash, …
Security mechanisms
• Access control policy
• Network protocols
Implementation
• Cryptographic library
• Code implementing mechanisms
  – Reference monitor and TCB
  – Protocol
• Runs under OS, uses program library, network protocol stack
Analyze protocols, assuming crypto, implementation, OS correct

Network Security Protocols
Two or more parties
Communication over insecure network
Cryptography used to achieve goal
• Exchange secret keys
• Verify identity (authentication)
Example: SSL (internet banking)
Examples of crypto primitives: public-key encryption, symmetric-key encryption, CBC, hash, signature, key generation, random-number generators

This lecture is about…
Network security protocols
• Internet Engineering Task Force (IETF) standards
  – SSL/TLS - web authentication
  – IPSec - corporate VPNs
  – Mobile IPv6 - routing security
  – Kerberos - network authentication
  – GDOI - secure group communication
• IEEE standards working groups
  – 802.11i - wireless LAN security
  – 802.16e - wireless MAN security
And methods for their security analysis
• Security proof in some model; or
• Identify attacks

Why prove security?
Examples of protocol flaws
• IKE [Meadows; 1999]
  – Reflection attack; fix adopted by IETF WG
• IEEE 802.11i [He, Mitchell; 2004]
  – DoS attack; fix adopted by IEEE WG
• GDOI [Meadows, Pavlovic; 2004]
  – Composition attack; fix adopted by IETF WG
• Kerberos V5 [Scedrov et al; 2005]
  – Identity misbinding attack; fix adopted by IETF WG

Security Analysis
Model system
Model adversary
Identify security properties
See if properties preserved under attack
Result
• No “absolute security”
• Security means: under given assumptions about the system, no attack of a certain form will destroy the specified properties.

Important Modeling Decisions
How powerful is the adversary?
• Simple replay of previous messages
• Block messages; decompose, reassemble and resend
• Statistical analysis, partial info from network traffic
• Timing attacks
How much detail in underlying data types?
• Plaintext, ciphertext and keys
  – atomic data or bit sequences
• Encryption and hash functions
  – “perfect” cryptography
  – algebraic properties: encr(x*y) = encr(x) * encr(y) for RSA, since encrypt(k, msg) = msg^k mod N

Security Analysis Methodology
[Figure: protocol, property and attacker model are fed to the analysis tool, which returns a security proof or an attack.]
Our tool: Protocol Composition Logic (PCL)

| Analysis tool | Protocol | Property | Attacker model | Result |
|---|---|---|---|---|
| PCL | SSL | authentication | complete control over network; perfect crypto | 42-line axiomatic proof |

Resources: Protocols & Tools
IETF Security Area: http://www.ietf.org/html.charters/wg-dir.html
IEEE Security Working Groups: http://grouper.ieee.org/groups/802/11/
Stanford CS 259: Security Analysis of Network Protocols: http://www.stanford.edu/class/cs259/
Will focus today on one tool: Protocol Composition Logic (PCL)

Protocol Composition Logic: PCL
Intuition
Formalism
• Protocol programming language
• Protocol logic
  – Syntax
  – Semantics
• Proof system
Example
• Signature-based challenge-response
Composition
Formulated by Datta, Derek, Durgin, Mitchell, Pavlovic
http://www.stanford.edu/~danupam/logic-derivation.html

Intuition
Reason about local information
• I chose a new number
• I sent it out encrypted
• I received it decrypted
• Therefore: someone decrypted it
Incorporate knowledge about protocol
• Protocol: server only sends m if it received m’
• If server not corrupt and I receive m signed by server, then server received m’

Intuition: Picture
[Figure: Alice’s local view of a run. Alice’s information: her protocol, her private data, her sends and receives. The rest of the run (honest principals and the attacker, with their own protocol and private data) lies outside her view.]

Example: Challenge-Response
A → B: m, A
B → A: n, sigB{m, n, A}
A → B: sigA{m, n, B}
Alice reasons: if Bob is honest, then:
• only Bob can generate his signature. [protocol independent]
• if Bob generates a signature of the form sigB{m, n, A},
  – he sends it as part of msg2 of the protocol and
  – he must have received msg1 from Alice. [protocol specific]
Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)

Formalizing the Approach
Language for protocol description
• Arrows-and-messages are informal.
Protocol semantics
• How does the protocol execute?
Protocol logic
• Stating security properties.
Proof system
• Formally proving security properties. (User view of the logic)

Cords
“protocol programming language”
• A protocol is described by specifying a “program” for each role
  – Server = [receive x; new n; send {x, n}]
Building blocks
• Terms (think “messages”)
  – names, nonces, keys, encryption, …
• Actions (operations on terms)
  – send, receive, pattern match, …

Terms
t ::= c          constant term
    | x          variable
    | N          name
    | K          key
    | t, t       tupling
    | sigK{t}    signature
    | encK{t}    encryption
Example: x, sigB{m, x, A} is a term

Actions
send t;          send a term t
receive x;       receive a term into variable x
match t/p(x);    match term t against p(x)
A cord is just a sequence of actions
Notation:
• we often omit match actions
• receive sigB{A, n} = receive x; match x/sigB{A, n}

Challenge-Response as Cords
A → B: m, A
B → A: n, sigB{m, n, A}
A → B: sigA{m, n, B}
InitCR(A, X) = [
  new m;
  send A, X, {m, A};
  receive X, A, {x, sigX{m, x, A}};
  send A, X, sigA{m, x, X};
]
RespCR(B) = [
  receive Y, B, {y, Y};
  new n;
  send B, Y, {n, sigB{y, n, Y}};
  receive Y, B, sigY{y, n, B};
]

Cord Spaces
Cord space is a multiset of cords
Cords may react
• via communication
• via internal actions
Sample reaction steps:
• Communication:
  [ S; send t; S’ ]  [ T; receive x; T’ ]  →  [ S; S’ ]  [ T; T’(t/x) ]
• Matching:
  [ S; match p(t)/p(x); S’ ]  →  [ S; S’(t/x) ]

Execution Model
Initial configuration
• Protocol is a finite set of roles
• Set of principals and keys
• Assignment of 1 role to each principal
Run
[Figure: three principals A, B, C executing in parallel, with a marker for the current position in the run. A: new x; send {x}B. C: new z; send {z}B. B: receive {x}B; receive {z}B.]

Attacker capabilities
Controls complete network
• Can read, remove, inject messages
Fixed set of operations on terms
• Pairing
• Projection
• Encryption with known key
• Decryption with known key
• …
Commonly referred to as “Dolev-Yao” attacker
Next lecture: more powerful “crypto-style” attacker

Logical assertions
Modal operator θ [ actions ]P φ – if the precondition θ holds and P executes actions, then the postcondition φ holds
Predicates in φ
• Send(X,m) – principal X sent message m
• Receive(X,m) – principal X received message m
• Verify(X,m) – X verified signature m
• Has(X,m) – X created m, or received a message containing m and has the keys to extract m from it
• Honest(X) – X follows the rules of the protocol

Formulas true at a position in run
Action formulas
a ::= Send(P,m) | Receive(P,m) | New(P,t) | Decrypt(P,t) | Verify(P,t)
Formulas
φ ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | ¬φ | φ1 ∧ φ2 | ∃x. φ | ◇⁻ φ | ⊖ φ
(◇⁻ φ: φ held at some earlier point of the run; ⊖ φ: φ held at the previous step)
Example: After(a, b) = ◇⁻ (b ∧ ◇⁻ a)

Semantics
Protocol Q
• Defines set of roles (e.g., initiator, responder)
• Run R of Q is a sequence of actions by principals following roles, plus attacker
Satisfaction
• Q, R ⊨ θ [ actions ]P φ
  If some role of P in R does exactly actions starting from a state where θ is true, then φ is true in the state after the actions are completed
• Q ⊨ θ [ actions ]P φ iff Q, R ⊨ θ [ actions ]P φ for all runs R of Q

Security Properties
Authentication for initiator
CR ⊨ true [ InitCR(A, B) ]A Honest(B) ⊃
  ActionsInOrder(
    Send(A, {A,B,m}),
    Receive(B, {A,B,m}),
    Send(B, {B,A,{n, sigB{m, n, A}}}),
    Receive(A, {B,A,{n, sigB{m, n, A}}}))

Proof System
Goal: formally prove security properties
Axioms
• Simple formulas provable by hand
Inference rules
• Proof steps
Theorem
• Formula obtained from axioms by application of inference rules
This is what you will do!

Sample axioms about actions
New data
• true [ new x ]P Has(P,x)
• true [ new x ]P Has(Y,x) ⊃ Y = P
Actions
• true [ send m ]P Send(P,m)
Knowledge
• true [ receive m ]P Has(P,m)
Verify
• true [ match x/sigX{m} ]P Verify(P,m)

Reasoning about knowledge
Pairing
• Has(X, {m,n}) ⊃ Has(X, m) ∧ Has(X, n)
Encryption
• Has(X, encK(m)) ∧ Has(X, K⁻¹) ⊃ Has(X, m)

Encryption and signature
Public key encryption
Honest(X) ∧ Decrypt(Y, encX{m}) ⊃ X = Y
Signature
Honest(X) ∧ Verify(Y, sigX{m}) ⊃ ∃m’. (Send(X, m’) ∧ Contains(m’, sigX{m}))
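The two knowledge axioms (pairing, decryption with the inverse key) together with the fixed operation set of the Dolev-Yao attacker from the earlier slide amount to a term-derivation procedure: what a principal Has is the closure of what it saw. The following Python is an added example, not code from the slides or from the PCL project. It closes a set of terms under projection, decryption with the matching private key and reading of signed payloads, then checks whether a goal term can be built by pairing, encrypting under a known public key or signing with a known private key. The term encoding, the principal names and the two observed messages are constructed for illustration.

```python
"""Dolev-Yao term derivation behind Has(X, t).

Term encoding (assumed for this example): atoms are str; keys are ('pk', P) and
('sk', P); ('pair', a, b) is tupling; ('enc', P, t) is t encrypted under P's public
key; ('sig', P, t) is P's signature over t (the payload t is readable by anyone).
"""


def analyze(known):
    """Decomposition closure of `known`:
    Has(X,{m,n}) ⊃ Has(X,m) ∧ Has(X,n);  Has(X,encK{m}) ∧ Has(X,K⁻¹) ⊃ Has(X,m)."""
    terms = set(known)
    while True:
        new = set()
        for t in terms:
            if not isinstance(t, tuple):
                continue
            tag = t[0]
            if tag == 'pair':                               # projection
                new.update(t[1:])
            elif tag == 'enc' and ('sk', t[1]) in terms:    # decryption needs the private key
                new.add(t[2])
            elif tag == 'sig':                              # a signature does not hide its payload
                new.add(t[2])
        if new <= terms:
            return terms
        terms |= new


def can_derive(known, goal):
    """Can a principal holding `known` produce `goal`?  Only two barriers exist in
    this model: no decryption without the private key and no forging of signatures."""
    have = analyze(known)

    def build(t):
        if t in have:
            return True
        if not isinstance(t, tuple) or t[0] in ('pk', 'sk'):
            return False                      # atoms and keys cannot be manufactured
        tag = t[0]
        if tag == 'pair':                     # pairing
            return all(build(x) for x in t[1:])
        if tag == 'enc':                      # encryption with a known public key
            return build(('pk', t[1])) and build(t[2])
        if tag == 'sig':                      # signing with a known private key
            return build(('sk', t[1])) and build(t[2])
        return False

    return build(goal)


# Constructed example: attacker E holds every public key and its own private key and
# has observed two messages on the wire.
ATTACKER_KNOWLEDGE = {
    ('pk', 'A'), ('pk', 'B'), ('pk', 'E'), ('sk', 'E'),
    ('enc', 'B', ('pair', 'Na', 'A')),        # A -> B: {Na, A} under B's public key
    ('sig', 'B', ('pair', 'm', 'n')),         # B -> A: sigB{m, n}
}


def attacker_can(goal, extra=()):
    """True if E can derive `goal` from what it observed plus any `extra` terms
    (e.g. a compromised private key)."""
    return can_derive(ATTACKER_KNOWLEDGE | set(extra), goal)
```

The asymmetry the slides rely on is visible in the results: E can read m and n out of B's signature and can re-encrypt them under B's public key, but cannot recover Na from the ciphertext unless ('sk', 'B') is added to its knowledge, and cannot produce a fresh sigB{…}, only replay the one it saw.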

Sample inference rules
First-order logic rules
Generic rules, e.g. conjunction of postconditions:
  θ [ actions ]P φ      θ [ actions ]P ψ
  ----------------------------------------
  θ [ actions ]P φ ∧ ψ

Bidding conventions (motivation)
Blackwood response to 4NT
  – 5♣: 0 or 4 aces
  – 5♦: 1 ace
  – 5♥: 2 aces
  – 5♠: 3 aces
Reasoning
• If my partner is following Blackwood, then if she bid 5♥, she must have 2 aces

Honesty rule (rule scheme)
  ∀ roles R of Q. ∀ protocol steps A of R.
  Start(X) [ ]X φ      φ [ A ]X φ
  ----------------------------------
  Q ⊢ Honest(X) ⊃ φ
• This is a finitary rule:
  – Typical protocol has 2-3 roles
  – Typical role has 1-3 receives
  – Only need to consider A waiting to receive

Honesty rule (example use)
  ∀ roles R of Q. ∀ protocol steps A of R.
  Start(X) [ ]X φ      φ [ A ]X φ
  ----------------------------------
  Q ⊢ Honest(X) ⊃ φ
• Example use:
  – If Y receives a message m from X, and
  – Honest(X) ⊃ (Sent(X,m) ⊃ Received(X,m’))
  – then Y can conclude Honest(X) ⊃ Received(X,m’)
Proved using honesty rule

Correctness of CR
CR ⊢ true [ InitCR(A, B) ]A Honest(B) ⊃
  ActionsInOrder(
    Send(A, {A,B,m}),
    Receive(B, {A,B,m}),
    Send(B, {B,A,{n, sigB{m, n, A}}}),
    Receive(A, {B,A,{n, sigB{m, n, A}}}))

Correctness of CR – step 1
1. A reasons about her own actions
CR ⊢ true [ InitCR(A, B) ]A Verify(A, sigB{m, n, A})

Correctness of CR – step 2
2. Properties of signatures
CR ⊢ true [ InitCR(A, B) ]A Honest(B) ⊃ ∃m’. (Send(B, m’) ∧ Contains(m’, sigB{m, n, A}))
Recall signature axiom

Correctness of CR – Honesty
Invariant proved with Honesty rule
CR ⊢ Honest(X) ∧ Send(X, m’) ∧ Contains(m’, sigX{y, x, Y}) ⊃
  New(X, x) ∧ m’ = X, Y, {x, sigX{y, x, Y}} ∧ Receive(X, {Y, X, {y, Y}})
(In RespCR the only place an honest X signs a triple is msg2, where the middle component is X’s own fresh nonce and the first is the value received in msg1 from Y.)
Induction over protocol steps

Correctness of CR – step 3
3. Use Honesty invariant
CR ⊢ true [ InitCR(A, B) ]A Honest(B) ⊃ Receive(B, {A,B,m}) ∧ …

Correctness of CR – step 4
4. Use properties of nonces for temporal ordering
CR ⊢ true [ InitCR(A, B) ]A Honest(B) ⊃ Auth
Nonces are “fresh” random numbers

Complete proof
[Figure: the complete formal proof of the CR authentication property, shown as an image on the original slide.]

We have a proof. So what?
Soundness Theorem:
• if Q ⊢ φ then Q ⊨ φ
• If φ is a theorem then φ is a valid formula: φ holds at any step in any run of protocol Q
  – Unbounded number of participants
  – Dolev-Yao intruder

Weak Challenge-Response
A → B: m
B → A: n, sigB{m, n}
A → B: sigA{m, n}
InitWCR(A, X) = [
  new m;
  send A, X, {m};
  receive X, A, {x, sigX{m, x}};
  send A, X, sigA{m, x};
]
RespWCR(B) = [
  receive Y, B, {y};
  new n;
  send B, Y, {n, sigB{y, n}};
  receive Y, B, sigY{y, n};
]

Correctness of WCR – step 1
1. A reasons about its own actions
WCR ⊢ true [ InitWCR(A, B) ]A Verify(A, sigB{m, n})

Correctness of WCR – step 2
2. Properties of signatures
WCR ⊢ true [ InitWCR(A, B) ]A Honest(B) ⊃ ∃m’. (Send(B, m’) ∧ Contains(m’, sigB{m, n}))

Correctness of WCR – Honesty
Honesty invariant
WCR ⊢ Honest(X) ∧ Send(X, m’) ∧ Contains(m’, sigX{y, x}) ⊃
  New(X, x) ∧ m’ = X, Z, {x, sigX{y, x}} ∧ Receive(X, {Z, X, {y}})  (for some Z)
The first WCR message carries no principal name, so Z is only the claimed source of y; nothing in the invariant forces Z to be the initiator A.

Correctness of WCR – step 3
3. Use Honesty rule
WCR ⊢ true [ InitWCR(A, B) ]A Honest(B) ⊃ Receive(B, {Z,B,m}) ∧ …  (for some Z, not necessarily A)

Result
WCR does not have the strong authentication property for the initiator
Counterexample
• Intruder X can forge the sender and receiver identities in the first two messages:
  – A → X(B): m
  – X(C) → B: m
  – B → X(C): n, sigB{m, n}
  – X(B) → A: n, sigB{m, n}
A completes the run believing B answered her, while B believes he is talking to C: the signature binds m and n but not the name A.
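As an added example (not code from the slides or from the PCL project), the following Python executes the CR and WCR cords symbolically in the Dolev-Yao style of the slides: terms are tuples, sigK{t} is the term ('sig', K, t), and the attacker can relabel and reroute messages but cannot produce a signature term for a key it does not hold. It runs the honest three-message exchange, replays the identity-misbinding counterexample above against WCR (where A accepts) and against CR (where A's match on sigB{m, n, A} fails), and, following the later slides on ISO-9798-3, instantiates the abstract roles InitACR/RespACR with g^a and g^b in place of fresh nonces to check that the composed protocol runs and both sides agree on g^ab. The Cord class, the V pattern-variable class, the action encoding and the toy group parameters P and G are assumptions of this example.

```python
import secrets


class V:
    """Pattern variable, bound by `receive x; match x/p(x)` (assumed encoding)."""
    def __init__(self, name):
        self.name = name


def match(pattern, term, env):
    """match t/p(x): bind the variables of pattern so that it equals term."""
    if isinstance(pattern, V):
        if pattern.name in env:
            return env[pattern.name] == term
        env[pattern.name] = term
        return True
    if isinstance(pattern, tuple):
        return (isinstance(term, tuple) and len(term) == len(pattern)
                and all(match(p, t, env) for p, t in zip(pattern, term)))
    return pattern == term


def subst(pattern, env):
    """Instantiate a send pattern with the variables bound so far."""
    if isinstance(pattern, V):
        return env[pattern.name]
    if isinstance(pattern, tuple):
        return tuple(subst(p, env) for p in pattern)
    return pattern


class Cord:
    """One role instance: a list of ('new', x) / ('send', t) / ('recv', p) actions."""
    def __init__(self, actions, env=None):
        self.actions, self.env, self.pc, self.out = list(actions), dict(env or {}), 0, []
        self.step()

    def step(self):
        """Run internal actions and sends until the cord blocks on a receive or ends."""
        while self.pc < len(self.actions):
            kind, arg = self.actions[self.pc]
            if kind == 'new':
                self.env[arg] = 'nonce-' + secrets.token_hex(8)   # fresh value
            elif kind == 'send':
                self.out.append(subst(arg, self.env))
            else:
                return                                            # waiting to receive
            self.pc += 1

    def deliver(self, msg):
        """Offer msg to the pending receive; it is consumed only if the pattern matches."""
        kind, pat = self.actions[self.pc]
        env = dict(self.env)
        if kind != 'recv' or not match(pat, msg, env):
            return False
        self.env, self.pc = env, self.pc + 1
        self.step()
        return True

    @property
    def done(self):
        return self.pc == len(self.actions)


def _ids(with_ids):
    return (lambda *names: names) if with_ids else (lambda *names: ())


def init_acr(A, X, with_ids=True):
    """InitACR(A, X, m): the challenge m is supplied in env.  with_ids=False drops the
    principal names from the messages, which turns CR into the weak variant WCR."""
    ids = _ids(with_ids)
    return [('send', (A, X, (V('m'),) + ids(A))),
            ('recv', (X, A, (V('x'), ('sig', X, (V('m'), V('x')) + ids(A))))),
            ('send', (A, X, ('sig', A, (V('m'), V('x')) + ids(X))))]


def resp_acr(B, with_ids=True):
    """RespACR(B, n): the response n is supplied in env."""
    ids = _ids(with_ids)
    return [('recv', (V('Y'), B, (V('y'),) + ids(V('Y')))),
            ('send', (B, V('Y'), (V('n'), ('sig', B, (V('y'), V('n')) + ids(V('Y')))))),
            ('recv', (V('Y'), B, ('sig', V('Y'), (V('y'), V('n')) + ids(B))))]


def init_cr(A, X, with_ids=True):          # InitCR = new m; InitACR
    return [('new', 'm')] + init_acr(A, X, with_ids)


def resp_cr(B, with_ids=True):             # RespCR = receive; new n; send; receive
    acts = resp_acr(B, with_ids)
    return acts[:1] + [('new', 'n')] + acts[1:]


def honest_run(a, b):
    """Deliver the three messages unmodified; True if both cords complete."""
    return (b.deliver(a.out[0]) and a.deliver(b.out[0]) and b.deliver(a.out[1])
            and a.done and b.done)


def misbinding_attack(with_ids):
    """The counterexample from the slides: X relabels A's challenge as coming from C,
    then forwards B's reply to A.  True iff A accepts, i.e. A believes B answered her."""
    a, b = Cord(init_cr('A', 'B', with_ids)), Cord(resp_cr('B', with_ids))
    _, _, body = a.out[0]                                   # A -> X(B): m[, A]
    forged = (body[0], 'C') if with_ids else (body[0],)     # X(C) -> B: m[, C]
    if not b.deliver(('C', 'B', forged)):
        return False
    _, _, reply = b.out[0]                                  # B -> X(C): n, sigB{m, n[, C]}
    return a.deliver(('B', 'A', reply))                     # X(B) -> A: forwarded unchanged


P, G = 2**127 - 1, 3      # toy Diffie-Hellman group, constructed for illustration only


def iso_9798_3_run():
    """DH + CR: run the abstract roles with g^a for m and g^b for n.
    Returns (both cords completed, both sides computed the same g^ab)."""
    ea, eb = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    a = Cord(init_acr('A', 'B'), {'m': pow(G, ea, P)})
    b = Cord(resp_acr('B'), {'n': pow(G, eb, P)})
    finished = honest_run(a, b)
    key_a = pow(a.env['x'], ea, P)        # A: (g^b)^a
    key_b = pow(b.env['y'], eb, P)        # B: (g^a)^b
    return finished, key_a == key_b
```

The attack function is the same for both protocols; only the role data differ. With with_ids=False the forwarded sigB{m, n} matches A's receive pattern, so A finishes a run with "B" that B never had with A. With with_ids=True, B signs sigB{m, n, C} and A's pattern sigX{m, x, A} rejects it, which is exactly the name binding the honesty invariant for CR captures and the WCR invariant cannot.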

Protocol Composition Logic: PCL
Intuition
Formalism
• Protocol programming language
• Protocol logic
  – Syntax
  – Semantics
• Proof system
Example
• Signature-based challenge-response
Composition
Computational Soundness

Compositional Security
Assigned readings:
• A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. A derivation system and compositional logic for security protocols
• C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i
Perspective:
• C. Meadows. Open issues in formal methods for cryptographic protocol analysis.
• J. M. Wing. Beyond the horizon: A call to arms.

ISO-9798-3 Key Exchange
Authentication
• Do we need to prove it from scratch?
Shared secret: g^ab
A → B: g^a, A
B → A: g^b, sigB{g^a, g^b, A}
A → B: sigA{g^a, g^b, B}
Goal: combine proofs of Diffie-Hellman and challenge-response sub-protocols

Abstract challenge response
Free variables m and n instead of nonces
Modal form: θ [ actions ]A φ
• precondition: Fresh(A, m)
• actions: [ InitACR ]A
• postcondition: Honest(B) ⊃ Authentication
Secrecy is proved from properties of Diffie-Hellman
InitACR(A, X, m) = [
  send A, X, {m};
  receive X, A, {x, sigX{m, x}};
  send A, X, sigA{m, x};
]
RespACR(B, n) = [
  receive Y, B, {y};
  send B, Y, {n, sigB{y, n}};
  receive Y, B, sigY{y, n};
]

Diffie-Hellman: Property
Formula: true [ new a ]A Fresh(A, g^a)
Diffie-Hellman property:
• Can compute g^ab given g^a and b, or g^b and a
• Cannot compute g^ab given g^a and g^b

Challenge Response: Property
Modal form: θ [ actions ]P φ
• precondition: Fresh(A, m)
• actions: [ Initiator role actions ]A
• postcondition: Honest(B) ⊃ ActionsInOrder(
    Send(A, {A,B,m}),
    Receive(B, {A,B,m}),
    Send(B, {B,A,{n, sigB{m, n, A}}}),
    Receive(A, {B,A,{n, sigB{m, n, A}}}) )

Composition: DH+CR = ISO-9798-3
• Additive combination
  DH post-condition matches CR precondition
  Sequential composition:
  • Substitute g^a for m in CR to obtain ISO.
  • Apply composition rule
  • ISO initiator role inherits CR authentication.
  DH secrecy is also preserved
  • Proved using another application of the composition rule.
• Nondestructive combination
  • DH and CR satisfy each other’s invariants

Composing protocols
[Figure: Γ is the DH invariant (Honest(X) ⊃ …) and Γ’ is the CR invariant (Honest(X) ⊃ …). Γ ⊢ Secrecy and Γ’ ⊢ Authentication; by invariant weakening Γ ∪ Γ’ ⊢ Secrecy and Γ ∪ Γ’ ⊢ Authentication, hence Γ ∪ Γ’ ⊢ Secrecy ∧ Authentication [additive]. DH ⊢ Γ ∪ Γ’ and CR ⊢ Γ ∪ Γ’ [nondestructive], so ISO ⊢ Secrecy ∧ Authentication.]
Sequential and parallel composition theorems

Composition Rules
Invariant weakening rule:
  Γ ⊢ θ [ … ]P φ
  ----------------  (Γ ⊆ Γ’)
  Γ’ ⊢ θ [ … ]P φ
Sequential composition:
  Γ ⊢ θ [ S ]P φ      Γ ⊢ φ [ T ]P ψ
  ------------------------------------
  Γ ⊢ θ [ S; T ]P ψ
Prove invariants from protocol:
  Q ⊢ Γ      Q’ ⊢ Γ
  -----------------  (Q ⊗ Q’: the composition of Q and Q’)
  Q ⊗ Q’ ⊢ Γ

Composition: Big Picture
[Figure: protocol Q running in a safe environment made up of other protocols Q1, Q2, Q3, …, Qn.]
• Q ⊢ Inv(Q)
• Inv(Q) ⊢ φ
• Qi ⊢ Inv(Q)
• No reasoning about attacker

802.11i: Staged Composition
Control flow
• Intended run is sequential
• Different failure-recovery mechanisms can be implemented for efficiency
• Periodically update Group Key, PTK, PMK (omit here)
Hybrid modes
• Pre-Shared Key (PSK) used directly instead of EAP authentication methods
• Cached PMK might be used for mobile users
• Alternatives for EAP-TLS, e.g., PEAP, LEAP
[Figure: the 802.11i stages in order: EAP-TLS (yields PMK) → 4-Way handshake (yields PTK) → Group Key handshake (yields GTK) → Data Transmission.]

802.11i Proof Structure
Step 1. ∀i, j. Γj ⊢ θi [ Pi ]X φi
  Separate proof of individual components TLS, 4-Way, and Group Key Handshake;
Step 2. ∀i, j. Qi ⊢ Γj
  Necessary invariants are satisfied by all components;
Step 3. ∀i. φi ⊃ θi+1
  The postcondition of TLS implies the precondition of 4-Way; the postcondition of 4-Way implies the precondition of Group Key;
Step 4. ∀i. θi [ B ]X θi, for every basic sequence B of a subsequent component
  The preconditions of each component are preserved by subsequent components.
Applying the Staged Composition Theorem, 802.11i is secure

Protocol Composition Logic: PCL
Intuition
Formalism
• Protocol programming language
• Protocol logic
  – Syntax
  – Semantics
• Proof system
Example
• Signature-based challenge-response
Composition
Computational Soundness

Computational PCL
Symbolic proofs about complexity-theoretic model of cryptographic protocols!

Two worlds

| | Symbolic model [NS78, DY84, …] | Complexity-theoretic model [GM84, …] |
|---|---|---|
| Attacker actions | – Fixed set of actions, e.g., decryption with known key (abstraction) | + Any probabilistic poly-time computation |
| Security properties | – Idealized, e.g., secret message = not possessing atomic term representing message (abstraction) | + Fine-grained, e.g., secret message = no partial information about bitstring representation |
| Analysis methods | + Successful array of tools and techniques; automation | – Hand-proofs are difficult, error-prone; no automation |

Can we get the best of both worlds?
Our Approach
Talk so far…
• Protocol Composition Logic (PCL): syntax, proof system
• Semantics in the symbolic “Dolev-Yao” model
Leverage PCL success…
• Computational PCL: syntax (±), proof system (±)
• Semantics in the complexity-theoretic model
Main Result
Computational PCL
• Symbolic logic for proving security properties of network protocols using public-key encryption
Soundness Theorem:
• If a property is provable in CPCL, then the property holds in the computational model with overwhelming asymptotic probability.
Benefits
• Symbolic proofs about computational model
• Computational reasoning in soundness proof (only!)
• Different axioms rely on different crypto assumptions
ISO-9798-3 Key Exchange
Shared secret to be used as key:
A → B: g^a, A
B → A: g^b, sig_B{g^a, g^b, A}
A → B: sig_A{g^a, g^b, B}
Roughly: A, B have g^{ab} and for everyone else it is indistinguishable from a random key g^r
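The three-message exchange above, as an added example that is not part of the slides: both sides' messages, the signature check each side performs (the signature must cover both exponentials and the verifier's own identity), and the key both derive from g^ab. The toy group (p = 2^127 − 1, g = 3), the `Party` class, the shared `keys` dictionary standing in for a PKI, and HMAC-SHA256 under a long-term key standing in for a CMA-secure signature (so the block runs on the standard library alone) are assumptions of the example.

```python
import hashlib, hmac, secrets
from typing import Dict, Tuple

# Toy DH group, CONSTRUCTED so the block runs quickly; use a standard group in practice.
P = 2**127 - 1
G = 3

def encode(*parts) -> bytes:
    """Unambiguous length-prefixed encoding of the tuple being signed or hashed."""
    out = b""
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        out += len(b).to_bytes(4, "big") + b
    return out

class Party:
    """A protocol participant. `keys` stands in for a PKI: every party can check
    every other party's signatures. Signatures are modelled as HMAC-SHA256 under
    the signer's long-term key (a stand-in for a real CMA-secure scheme)."""
    def __init__(self, name: str, keys: Dict[str, bytes]):
        self.name, self.keys = name, keys
        keys[name] = secrets.token_bytes(32)
        self.exp = secrets.randbelow(P - 2) + 1   # ephemeral exponent a (or b)
        self.pub = pow(G, self.exp, P)           # g^a (or g^b)
    def sign(self, *msg) -> bytes:
        return hmac.new(self.keys[self.name], encode(*msg), hashlib.sha256).digest()
    def verify(self, signer: str, sig: bytes, *msg) -> bool:
        expected = hmac.new(self.keys[signer], encode(*msg), hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)

def run_iso_9798_3(A: Party, B: Party) -> Tuple[bytes, bytes]:
    """The slide's three messages; returns the key each side derives from g^ab."""
    # A -> B : g^a, A
    ga, a_id = A.pub, A.name
    # B -> A : g^b, sig_B{g^a, g^b, A}  (B signs the peer's identity A, binding the run to A)
    gb, sig_b = B.pub, B.sign(ga, B.pub, a_id)
    if not A.verify(B.name, sig_b, A.pub, gb, A.name):
        raise ValueError("A: signature does not bind (g^a, g^b, A) to B")
    # A -> B : sig_A{g^a, g^b, B}
    sig_a = A.sign(A.pub, gb, B.name)
    if not B.verify(a_id, sig_a, ga, B.pub, B.name):
        raise ValueError("B: signature does not bind (g^a, g^b, B) to A")
    kdf = lambda shared: hashlib.sha256(encode(shared)).digest()   # g^ab -> fixed-length key
    return kdf(pow(gb, A.exp, P)), kdf(pow(ga, B.exp, P))
```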
Central axioms
Cryptographic security property of signature scheme
• Unforgeability (used for authentication)
Cryptographic security property of Diffie-Hellman function
• DDH (used to prove secrecy)
CMA-Secure Signatures
Game between Challenger and Attacker:
• Attacker sends chosen messages m_i; Challenger answers each with Sig(Y, m_i)
• Attacker finally outputs Sig(Y, m)
• Attacker wins if m is not one of the queried m_i
Decisional Diffie-Hellman
Let a, b, c be chosen at random from a group G with generator g. Then the two distributions <g^a, g^b, g^{ab}> and <g^a, g^b, g^c> are computationally indistinguishable (no polynomial time attacker can tell them apart)
Complete Proof
PCL vs. Computational PCL
Syntax, proof rules mostly the same
• But not sure about propositional connectives…
Significant difference
• Symbolic “knowledge”
– Has(X,t): X can produce t from messages that have been observed, by a symbolic algorithm
• Computational “knowledge”
– Possess(X,t): X can produce t by a ppt algorithm
– Indistinguishable(X,t): X cannot distinguish t from random by a ppt algorithm
• More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.
Complexity-theoretic semantics
$Q \models \varphi$ if for every PPT adversary $A$ and every distinguisher $D$ there exist a negligible function $f$ and an $n_0$ such that for all $n > n_0$:

$$\frac{|[\![\varphi]\!](T, D, f)|}{|T|} > 1 - f(n), \qquad T = T(Q, A, n)$$

Fraction represents probability
• Fix protocol Q, PPT adversary A
• Choose value of security parameter n
• Vary random bits used by all programs
• Obtain set T = T(Q,A,n) of equi-probable traces
Inductive Semantics
$$[\![\varphi_1 \wedge \varphi_2]\!](T,D,f) = [\![\varphi_1]\!](T,D,f) \cap [\![\varphi_2]\!](T,D,f)$$
$$[\![\varphi_1 \vee \varphi_2]\!](T,D,f) = [\![\varphi_1]\!](T,D,f) \cup [\![\varphi_2]\!](T,D,f)$$
$$[\![\neg\varphi]\!](T,D,f) = T \setminus [\![\varphi]\!](T,D,f)$$

Implication uses conditional probability

$$[\![\varphi_1 \supset \varphi_2]\!](T,D,f) = [\![\neg\varphi_1]\!](T,D,f) \cup [\![\varphi_2]\!](T',D,f), \qquad \text{where } T' = [\![\varphi_1]\!](T,D,f)$$
Formula defines transformation on probability distributions over traces
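The inductive semantics above, worked as an added example in Python (not from the slides): a formula is a function from a trace set T to the subset of T on which it holds; per-trace atoms are decided trace by trace, while a toy `indistinguishable` predicate is decided on the whole distribution it is given, which is exactly why the conditional reading of implication (evaluating the consequent on T′ = [[φ1]](T)) differs from the material reading. The trace format, the `leaked` atom, the distinguisher inside `indistinguishable` and the sample in `make_traces` are constructed assumptions of the example.

```python
import random
from typing import Callable, FrozenSet, Tuple

# Constructed toy trace: (run id, session key, values the adversary Z observed).
Trace = Tuple[int, int, FrozenSet[int]]
TraceSet = FrozenSet[Trace]
Sem = Callable[[TraceSet], TraceSet]      # [[phi]] as a function of the trace set T

def atom(pred: Callable[[Trace], bool]) -> Sem:
    """Per-trace predicate: holds on exactly the traces satisfying pred."""
    return lambda T: frozenset(t for t in T if pred(t))

def neg(p: Sem) -> Sem: return lambda T: T - p(T)             # complement in T
def conj(p: Sem, q: Sem) -> Sem: return lambda T: p(T) & q(T)  # intersection
def disj(p: Sem, q: Sem) -> Sem: return lambda T: p(T) | q(T)  # union

def implies(p: Sem, q: Sem) -> Sem:
    """Conditional reading from the slide: [[p -> q]](T) = [[not p]](T) U [[q]](T'), T' = [[p]](T)."""
    return lambda T: neg(p)(T) | q(p(T))

def classical_implies(p: Sem, q: Sem) -> Sem:
    """Material reading [[not p or q]] with q decided on the whole of T (for contrast only)."""
    return disj(neg(p), q)

def indistinguishable(bound: float) -> Sem:
    """Toy Indistinguishable(Z, key), a distributional predicate: decided on the whole set it
    is given, it holds on all of it or on none, according to whether the toy distinguisher D
    ("say 'real' iff the candidate key was in Z's view") gains advantage above `bound`."""
    def sem(T: TraceSet) -> TraceSet:
        if not T: return T
        advantage = sum(1 for _, key, seen in T if key in seen) / len(T)
        return T if advantage <= bound else frozenset()
    return sem

leaked = atom(lambda t: t[1] in t[2])     # Z saw the session key in the clear

def make_traces(n: int, n_leaked: int, seed: int = 7) -> TraceSet:
    """Constructed sample of n runs; in the first n_leaked the key was sent in clear."""
    rng = random.Random(seed)
    runs = []
    for i in range(n):
        key = rng.randrange(1 << 16)                                      # keys live below 2^16
        seen = key if i < n_leaked else rng.randrange(1 << 16, 1 << 17)  # unrelated value otherwise
        runs.append((i, key, frozenset({seen})))
    return frozenset(runs)

def probability(phi: Sem, T: TraceSet) -> float:
    """|[[phi]](T)| / |T|, the fraction the slide reads as a probability."""
    return len(phi(T)) / len(T)
```

On 1000 constructed runs of which 10 leak the key, `implies(neg(leaked), indistinguishable(0.001))` holds with probability 1, because the distinguisher is run on the 990 non-leaking traces only; the material reading evaluates `indistinguishable` on all 1000 traces, where the distinguisher's advantage is 0.01, so the formula holds on just the 10 leaking traces.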
Soundness of proof system
Example axiom
• Source(Y,u,{m}_X) Decrypts(X, {m}_X) Honest(X,Y) (Z X,Y) Indistinguishable(Z, u)
Proof idea: crypto-style reduction
• Assume the axiom is not valid: there are A and D such that for every negligible f and every n0 there is an n > n0 with |[[φ]](T,D,f)| / |T| < 1 − f(n)
• Construct attacker A′ that uses A, D to break an IND-CCA2 secure encryption scheme
• Conditional implication essential
Logic and Cryptography: Big Picture
Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)
Axiom in proof system
Protocol security proofs using proof system
Semantics and soundness theorem
Summary: PCL
Proving security properties of network protocols is important!
Formalism
• Protocol programming language
• Protocol logic
– Syntax – stating security properties
– Semantics – meaning of security properties
• Proof System – proving security properties
Examples
• Signature-based challenge-response, ISO, 802.11i
Composition
• Modular proofs
Computational Soundness
• Symbolic proofs about complexity-theoretic model
Thanks !
Questions?