Security Analysis of Network Protocols (slide transcript)
Anupam Datta, Stanford University
CIS Seminar, MIT, November 18, 2005
Outline
Part I: Overview
• Motivation
• Central problems
  – Divide and Conquer paradigm
  – Combining logic and cryptography
• Results
Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations
This talk is about…
Network security protocols
• Internet Engineering Task Force (IETF) Standards
  – SSL/TLS – web authentication
  – IPSec – corporate VPNs
  – Mobile IPv6 – routing security
  – Kerberos – network authentication
  – GDOI – secure group communication
• IEEE Standards Working Group
  – 802.11i – wireless LAN security
  – 802.16e – wireless MAN security
And methods for their security analysis
• Security proof in some model; or
• Identify attacks
Characteristics of protocols
Relatively simple distributed programs
• 5-7 steps, 3-10 fields per message (per component)
Mission critical
• Security of data, credit card numbers, …
Subtle
• Concurrency: attack may combine data from many sessions
• Computation: modeling cryptographic primitives
Good domain for logical methods
Active research area since early 80’s
Security Analysis Methodology
(Diagram) The analysis tool takes three inputs: the protocol, the property to be established, and the attacker model; its output is a security proof or an attack.
Instance shown: our tool is Protocol Composition Logic (PCL); protocol: SSL authentication; attacker model: complete control over the network, perfect crypto; output: a 42-line axiomatic proof.
Protocol analysis methods
Cryptographic reductions
• Bellare-Rogaway, Shoup, many others
• UC [Canetti et al], Simulatability [BPW]
• Prob poly-time process calculus [LMRST…]
Symbolic methods
• Model checking
  – FDR [Lowe, Roscoe, …], Murphi [Mitchell, Shmatikov, …], …
  – NRL protocol analyzer [Meadows], Athena [Song], …
• Theorem proving
  – Isabelle [Paulson …], Specialized logics [BAN, …, PCL]
Examples of protocol flaws
IKE [Meadows; 1999]
• Reflection attack; fix adopted by IETF WG
IEEE 802.11i [He, Mitchell; 2004]
• DoS attack; fix adopted by IEEE WG
GDOI [Meadows, Pavlovic; 2004]
• Composition attack; fix adopted by IETF WG
Kerberos V5 [Scedrov et al; 2005]
• Identity misbinding attack; fix adopted by IETF WG
IEEE 802.11i wireless security [2004]
(Diagram) Three parties: Wireless Device, Access Point, Authentication Server. Phases, in order:
• 802.11 Association
• EAP/802.1X/RADIUS Authentication
• 4-way handshake
• Group key handshake
• Data communication
Annotations on the diagram: the phased structure is where the divide-and-conquer paradigm applies; the handshakes use crypto (encryption, hash, …), which is where combining logic and cryptography is needed.
Central Problem 1: Divide-and-Conquer paradigm
Composition is a hard problem in security
Result: Protocol Derivation System [DDMP03-05]
• Incremental protocol construction
Result: Protocol Composition Logic (PCL) [DDDMP01-05]
• Compositional correctness proofs
Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], [Pfitzmann-Waidner01], …
Central Problem 2: Combining logic and cryptography
Symbolic model [NS78, DY84]
  - Perfect cryptography assumption
  + Idealization => tools and techniques
Complexity-theoretic model [GM84]
  + More detailed model; probabilistic guarantees
  - Hand-proofs very hard; no automation
Result: Computational PCL [DDMST05]
  + Logical proof methods
  + Complexity-theoretic crypto model
Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]
Applied to industrial protocols
• IEEE 802.11i [IEEE Standards; 2004] [He et al]; TLS/SSL [RFC 2246] is a component
• IKE/JFK family: IKEv2 [IETF ID; 2004], in progress [Aron et al]
• Mobile IPv6 [RFC 3775], in progress [Roy et al]
• Kerberos V5 [IETF ID; 2004] [Cervasato et al]
• GDOI Secure Group Communication protocol [RFC 3547] [Meadows et al]
Protocol analysis spectrum
(Figure) Axes: strength of attacker model (low to high) against protocol complexity (low to high). Methods placed on the chart: Murphi, FDR, NRL, Athena, hand proofs, Paulson, BAN logic, spi-calculus, poly-time calculus, model checking, protocol logic, computational protocol logic, multiset rewriting. The “Holy Grail” corner is a strong attacker model together with high protocol complexity; the two arrows toward it are labelled “Combining logic and cryptography” (stronger attacker model) and “Divide and conquer” (more complex protocols).
Outline
Part I: Overview
Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations
Challenge-Response: Proof Idea
(Diagram)
  A → B: m, A
  B → A: n, sigB {m, n, A}
  A → B: sigA {m, n, B}
Alice reasons: if Bob is honest, then:
• only Bob can generate his signature. [protocol independent]
• if Bob generates a signature of the form sigB {m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice. [protocol specific]
Alice deduces: Received (B, msg1) ∧ Sent (B, msg2)
Reasoning method
Reason about local information
• I know my own actions
Incorporate knowledge of protocol
• Honest people faithfully follow protocol
No explicit reasoning about intruder
• Absence of bad action expressed as a positive property of good actions
  – E.g., honest agent’s signature can be produced only by the agent
Distinguishes our method from existing techniques
Formalism
Cord calculus
• Protocol programming language
• Execution model (Symbolic/“Dolev-Yao”)
Protocol logic
• Expressing protocol properties
Proof system
• Proving protocol properties
• Soundness theorem
Challenge-Response as Cords
(Diagram)
  A → B: m, A
  B → A: n, sigB {m, n, A}
  A → B: sigA {m, n, B}
InitCR(A, X) = [
  new m;
  send A, X, m, A;
  receive X, A, x, sigX{m, x, A};
  send A, X, sigA{m, x, X};
]
RespCR(B) = [
  receive Y, B, y, Y;
  new n;
  send B, Y, n, sigB{y, n, Y};
  receive Y, B, sigY{y, n, B};
]
Execution model
Protocol
• “Program” for each protocol role
Initial configuration
• Set of principals and keys
• Assignment of 1 role to each principal
Run
(Diagram) Three principals A, B, C, each executing its actions; the actions shown are New x, Send {x}B, Recv {x}B, New z, Send {z}B, Recv {z}B, and every action has a position in the run.
Attacker capabilities
Controls complete network
• Can read, remove, inject messages
Fixed set of operations on terms
• Pairing
• Projection
• Encryption with known key
• Decryption with known key
• …
Action formulas
  a ::= Send(P,m) | Receive(P,m) | New(P,t) | Decrypt(P,t) | Verify(P,t)
Formulas
  ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | [binary connectives over formulas 1, 2 and a quantifier over x; the symbols were lost in extraction]
Example
  After(a,b) = (b a) [temporal operator symbols lost in extraction]
Formulas true at a position in run
Challenge Response: Property
Modal form: [ actions ]P
• precondition: Fresh(A,m)
• actions: [ Initiator role actions ]A
• postcondition: Honest(B) ⊃ ActionsInOrder(
    send(A, {A,B,m}),
    receive(B, {A,B,m}),
    send(B, {B,A,{n, sigB {m, n, A}}}),
    receive(A, {B,A,{n, sigB {m, n, A}}}) )
Secure if desired property holds in all runs
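As an added worked example (not code from the slides or the PCL project), the Python below implements the symbolic execution model just described: terms as tagged tuples, an attacker who sees every message and closes its knowledge under the fixed operations listed above (pairing, projection, encryption and decryption with a known key, reading and producing signatures), an honest Challenge-Response run in which the attacker plays the network, and a check of the ActionsInOrder postcondition over the resulting trace. Message formats follow the cords (m, A and n, sigB{m, n, A}) rather than the {A,B,m} form on this slide; the principal names, nonces and the attacker's own signing key sk_E are constructed sample values.

```python
"""Toy symbolic ("Dolev-Yao") execution model. Added example, not code from
the slides or the PCL project; all names and keys are constructed."""

# Terms are tagged tuples; principals, nonces and keys are atoms.
def atom(name): return ("atom", name)
def pair(*ts): return ("pair",) + tuple(ts)
def enc(key, t): return ("enc", key, t)          # symmetric encryption under a key term
def sig(signer, t): return ("sig", signer, t)    # signature by a principal name (a str)
def sk(signer): return atom("sk_" + signer)      # signing key; never sent on the network

def analyze(known):
    """Decomposition closure: projection of pairs, decryption with a known
    key, and reading the text of a signature (signatures do not hide it)."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if t[0] == "pair":
                parts = t[1:]
            elif t[0] == "enc" and t[1] in known:
                parts = (t[2],)
            elif t[0] == "sig":
                parts = (t[2],)
            else:
                continue
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return known

def can_derive(t, analyzed):
    """Synthesis: t is derivable if it was observed or can be built by
    pairing, encryption under a derivable key, or signing with a known
    signing key. Pairing is applied on demand, so the closure stays finite."""
    if t in analyzed:
        return True
    if t[0] == "pair":
        return all(can_derive(p, analyzed) for p in t[1:])
    if t[0] == "enc":
        return can_derive(t[1], analyzed) and can_derive(t[2], analyzed)
    if t[0] == "sig":
        return sk(t[1]) in analyzed and can_derive(t[2], analyzed)
    return False  # an atom the attacker never saw (a fresh nonce, a private key)

def run_cr(attacker):
    """Honest run of Challenge-Response (InitCR / RespCR above). The attacker
    is the network: every sent term enters its knowledge before being
    delivered unchanged. Returns the trace of actions."""
    m, n, A, B = atom("m"), atom("n"), atom("A"), atom("B")
    trace = []
    def send(P, msg):
        trace.append(("send", P, msg))
        attacker.add(msg)
    def receive(P, msg):
        trace.append(("receive", P, msg))
    trace.append(("new", "A", m))
    msg1 = pair(m, A)
    send("A", msg1)
    receive("B", msg1)
    trace.append(("new", "B", n))
    msg2 = pair(n, sig("B", pair(m, n, A)))
    send("B", msg2)
    receive("A", msg2)
    msg3 = sig("A", pair(m, n, B))
    send("A", msg3)
    receive("B", msg3)
    return trace

def actions_in_order(trace, *wanted):
    """ActionsInOrder(a1, ..., ak): every listed action occurs in the trace,
    in the listed order (each is searched for after the previous one)."""
    pos = 0
    for act in wanted:
        if act not in trace[pos:]:
            return False
        pos = trace.index(act, pos) + 1
    return True

def demo():
    m, n, A, B = atom("m"), atom("n"), atom("A"), atom("B")
    bob_sig = sig("B", pair(m, n, A))
    attacker = {A, B, sk("E")}  # knows all principal names and its own signing key
    before = can_derive(bob_sig, analyze(attacker))
    trace = run_cr(attacker)
    k = analyze(attacker)
    return {
        "bob_sig_before_run": before,                                  # False
        "bob_sig_after_run": can_derive(bob_sig, k),                   # True: Bob sent it
        "forge_other_bob_sig": can_derive(sig("B", pair(n, m, A)), k), # False: no sk_B
        "knows_m_and_n": can_derive(pair(m, n), k),                    # True: sent in clear
        "actions_in_order": actions_in_order(trace,
            ("send", "A", pair(m, A)), ("receive", "B", pair(m, A)),
            ("send", "B", pair(n, bob_sig)), ("receive", "A", pair(n, bob_sig))),
    }
```

Running demo() shows the two facts Alice relies on: before Bob's send, sigB{m, n, A} is underivable (the attacker has neither m nor Bob's signing key), and afterwards the attacker holds that one signature but still cannot produce a differently shaped signature of Bob's, which is the symbolic reading of “only Bob can generate his signature”.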
Proof System
Sample Axioms:
• Reasoning about possession:
  – [receive m]A Has(A,m)
  – Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
• Reasoning about crypto primitives:
  – Honest(X) ∧ Decrypt(Y, encX{m}) ⊃ X=Y
  – Honest(X) ∧ Verify(Y, sigX{m}) ⊃ ∃m’. (Send(X, m’) ∧ Contains(m’, sigX{m}))
Soundness Theorem: Every provable formula is valid
Outline
Part I: Overview
Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations
Reasoning about Composition
Non-destructive Combination: Ensure combined parts do not interfere
  – In logic: invariance assertions
Additive Combination: Accumulate security properties of combined parts, assuming they do not interfere
  – In logic: before-after assertions
Proof steps (Intuition)
Protocol independent reasoning
• Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
• Still good: unaffected by composition
Protocol specific reasoning
• “if honest Bob generates a signature of the form sigB {m, n, A},
  – he sends it as part of msg 2 of the protocol and
  – he must have received msg1 from Alice”
• Could break: Bob’s signature from one protocol could be used to attack another
Technically:
• Protocol-specific proof steps use invariants
• Invariants must be preserved for safe composition
Invariants
Reasoning about honest principals
• Invariance rule, called “honesty rule”
Preservation of invariants under composition
• If we prove Honest(X) ⊃ φ for protocol 1 and compose with protocol 2, is the formula still true?
Honesty Rule (Induction)
Definition
• A protocol step begins with receive, ends before next receive
Rule
• From [ ]X φ and ∀B ∈ ProtocolSteps(Q). [B]X φ, conclude Q ⊢ Honest(X) ⊃ φ
Example (CR)
• Honest(X) ⊃ (Sent(X, m2) ⊃ Received(X, m1))
Composition of protocols
(Diagram) Sequential composition with term substitution
DH-Init, parameters X, Y:
  new x;
  outputs X, Y, g^x, x
CR-Init, parameters W, Z, w, x:
  send W, Z, w, A;
  receive Z, W, z, sigY{w, z, W};
  send W, Z, sigX{w, z, Z};
  outputs X, Y, z^x
ISO-Init, parameters X, Y (DH-Init followed by CR-Init with W := X, Z := Y, w := g^x):
  new x;
  send X, Y, g^x, A;
  receive Y, X, z, sigY{g^x, z, X};
  send X, Y, sigX{g^x, z, Y};
  outputs X, Y, z^x
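Added example (not code from the slides or the PCL project): role programs as lists of actions, the split of a role into protocol steps as defined under the honesty rule, a per-step check of the CR responder invariant Honest(X) ⊃ (Sent(X, m2) ⊃ Received(X, m1)), and sequential composition with term substitution that rebuilds ISO-Init from DH-Init and CR-Init as drawn above. RESP_LATE is a hypothetical variant constructed to show a role for which the per-step induction cannot establish the invariant; the substitution W := X, Z := Y, w := g^x is read off the two cords.

```python
"""Cords as data, the honesty rule's protocol steps, and sequential
composition with term substitution. Added example; not from the slides."""

# Terms: variables and principal names are strings; compound terms are tagged tuples.
def pair(*ts): return ("pair",) + tuple(ts)
def sig(signer, t): return ("sig", signer, t)
def exp(base, e): return ("exp", base, e)       # g^x

# Actions: ("new", var) | ("send", term) | ("receive", term)
RESP_CR = [                                     # RespCR(B) from the slide
    ("receive", pair("Y", "B", "y", "Y")),
    ("new", "n"),
    ("send", pair("B", "Y", "n", sig("B", pair("y", "n", "Y")))),
    ("receive", pair("Y", "B", sig("Y", pair("y", "n", "B")))),
]
RESP_LATE = [                                   # hypothetical: signs y in a later step
    ("receive", pair("Y", "B", "y", "Y")),
    ("send", pair("B", "Y", "ack")),
    ("receive", pair("Y", "B", "z")),
    ("new", "n"),
    ("send", pair("B", "Y", "n", sig("B", pair("y", "n", "Y")))),
]

def protocol_steps(cord):
    """Definition from the slide: a step begins with a receive and ends
    before the next receive (the leading actions of a role form a step too)."""
    steps, cur = [], []
    for act in cord:
        if act[0] == "receive" and cur:
            steps.append(cur)
            cur = []
        cur.append(act)
    if cur:
        steps.append(cur)
    return steps

def subterms(t):
    yield t
    if isinstance(t, tuple):
        for s in t[1:]:
            yield from subterms(s)

def step_ok(step, me):
    """[B]_X phi for phi = Sent(X, m2) ⊃ Received(X, m1): whenever the step
    sends a signature by `me` over (y, n, Y), the same step received y.
    Only the step's own actions are available, as in the rule."""
    received = set()
    for act in step:
        if act[0] == "receive":
            received.update(subterms(act[1]))
        elif act[0] == "send":
            for s in subterms(act[1]):
                if isinstance(s, tuple) and s[0] == "sig" and s[1] == me:
                    challenge = s[2][1]         # first component of the signed tuple
                    if challenge not in received:
                        return False
    return True

def honest_invariant_holds(cord, me):
    """Premise of the honesty rule: phi holds after every protocol step."""
    return all(step_ok(step, me) for step in protocol_steps(cord))

def subst(t, s):
    """Apply a substitution {variable: term} to a term."""
    if isinstance(t, str):
        return s.get(t, t)
    return (t[0],) + tuple(subst(x, s) for x in t[1:])

def compose(first, second, s):
    """Sequential composition with term substitution: run `first`, then
    `second` with its parameters replaced by `first`'s outputs."""
    return list(first) + [(kind, subst(t, s)) for kind, t in second]

DH_INIT = [("new", "x")]                        # outputs X, Y, g^x, x
CR_INIT = [                                     # parameters W, Z, w, x
    ("send", pair("W", "Z", "w", "A")),
    ("receive", pair("Z", "W", "z", sig("Y", pair("w", "z", "W")))),
    ("send", pair("W", "Z", sig("X", pair("w", "z", "Z")))),
]
ISO_INIT = compose(DH_INIT, CR_INIT, {"W": "X", "Z": "Y", "w": exp("g", "x")})
```

honest_invariant_holds(RESP_CR, "B") succeeds because the only step that emits Bob's signature is the one that received the challenge y, while RESP_LATE fails: the rule reasons from the start of each step, so a receive in an earlier step is not available when the later step's send is examined. ISO_INIT equals the ISO-Init cord on the slide.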
Compositional proofs
(Diagram; Γ symbols partly lost in extraction) Invariants Γ_DH = Honest(X) ⊃ … and Γ_CR = Honest(X) ⊃ …, combined into Γ′.
  Γ′ |- Secrecy (from DH)      Γ′ |- Authentication (from CR)
  Γ′ |- Secrecy ∧ Authentication   [additive]
  DH |- Γ′ and CR |- Γ′             [nondestructive]
  ISO |- Secrecy ∧ Authentication
Composition Rules
• Invariant weakening rule: from Γ |- […]P, conclude Γ′ |- […]P for a stronger invariant set Γ′
• Sequential Composition: from Γ |- [S]P and Γ |- [T]P, conclude Γ |- [ST]P
• Prove invariants from protocol: invariants established for Q and for Q’ carry over to their composition (the slide shows “Q Q’ Q Q’”; the relation symbols were lost)
Sequential, parallel, staged composition theorems [MFPS03, CCS05]
Composition: Big Picture
(Diagram) Protocol Q is made of components Q1, Q2, Q3, …, Qn and runs in a “Safe Environment for Q”.
• Q |- Inv(Q)
• Inv(Q) |- the security property
• Each Qi |- Inv(Q)
• No reasoning about attacker
Different from:
• Assume-guarantee in distributed computing [MC81]
• Universal Composability [C01, PW01]
Outline
Part I: Overview
Part II: Protocol Composition Logic
• Compositional Reasoning
• Complexity-theoretic foundations
Two worlds
Symbolic model [NS78, DY84, …]
• Attacker actions: - fixed set of actions, e.g., decryption with known key (ABSTRACTION)
• Security properties: - idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)
• Analysis methods: + successful array of tools and techniques; automation
Complexity-theoretic model [GM84, …]
• Attacker actions: + any probabilistic poly-time computation
• Security properties: + fine-grained, e.g., secret message = no partial information about bitstring representation
• Analysis methods: - hand-proofs are difficult, error-prone; no automation
Can we get the best of both worlds?
Our Approach
(Diagram) Talk so far: Protocol Composition Logic (PCL), with its syntax and proof system, has its semantics in the symbolic “Dolev-Yao” model. Leverage PCL’s success: Computational PCL keeps the syntax (±) and proof system (±) essentially unchanged and gives them semantics in the complexity-theoretic model.
Main Result
Computational PCL
• Symbolic logic for proving security properties of network protocols
Soundness Theorem:
• If a property is provable in CPCL, then the property holds in the computational model with overwhelming asymptotic probability.
Benefits
• Symbolic proofs about computational model
• Computational reasoning in soundness proof (only!)
• Different axioms rely on different crypto assumptions
PCL vs. Computational PCL
Syntax, proof rules mostly the same
• But not sure about propositional connectives…
Significant difference
• Symbolic “knowledge”
  – Has(X,t): X can produce t from msgs that have been observed, by symbolic algorithm
• Computational “knowledge”
  – Possess(X,t): can produce t by ppt algorithm
  – Indistinguishable(X,t): can distinguish from random in ppt
• More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.
Complexity-theoretic semantics
Q |= φ if for every adversary A, every distinguisher D and every negligible function f there is an n0 such that for all n > n0:
  |[[φ]](T, D, f(n))| / |T| > 1 − f(n), where T = T(Q, A, n)
The fraction represents a probability:
• Fix protocol Q, PPT adversary A
• Choose value of security parameter n
• Vary random bits used by all programs
• Obtain set T = T(Q, A, n) of equi-probable traces
Inductive Semantics
[[φ1 ∧ φ2]](T, D, ε) = [[φ1]](T, D, ε) ∩ [[φ2]](T, D, ε)
[[φ1 ∨ φ2]](T, D, ε) = [[φ1]](T, D, ε) ∪ [[φ2]](T, D, ε)
[[¬φ]](T, D, ε) = T − [[φ]](T, D, ε)
Implication uses conditional probability:
[[φ1 ⊃ φ2]](T, D, ε) = [[¬φ1]](T, D, ε) ∪ [[φ2]](T′, D, ε), where T′ = [[φ1]](T, D, ε)
Formula defines transformation on probability distributions over traces
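The following is a constructed instance of the semantics above, added here as an example (not code from the slides): a toy protocol whose only randomness is an n-bit nonce drawn by the honest party and an n-bit guess drawn by the adversary. Varying every random bit gives the set T of equi-probable traces; [[φ]](T) is computed by the inductive clauses, with implication evaluated on the conditioned set T′. The predicate Uniform is an assumed stand-in for a distribution-level predicate such as Indistinguishable, chosen so that the difference between conditional and classical implication is visible.

```python
"""Trace-set semantics with conditional implication. Added example; the
toy protocol, the Uniform predicate and the formulas are constructed."""
from collections import Counter
from fractions import Fraction
from itertools import product

def traces(n):
    """T(Q, A, n): one trace (nonce, guess) per assignment of the random bits."""
    return {(x, g) for x, g in product(range(2 ** n), repeat=2)}

# Formulas: ("atom", f) with f: set of traces -> subset;
#           ("and"|"or"|"imp", p, q); ("not", p)
def sem(phi, T):
    """[[phi]](T): the traces of T on which phi holds. An atom receives the
    whole current set, so a predicate may depend on the distribution."""
    kind = phi[0]
    if kind == "atom":
        return phi[1](T)
    if kind == "and":
        return sem(phi[1], T) & sem(phi[2], T)
    if kind == "or":
        return sem(phi[1], T) | sem(phi[2], T)
    if kind == "not":
        return T - sem(phi[1], T)
    if kind == "imp":  # conditional: [[not p]](T) union [[q]](T') with T' = [[p]](T)
        T1 = sem(phi[1], T)
        return (T - T1) | sem(phi[2], T1)
    raise ValueError(kind)

def pointwise(pred):
    """Lift an ordinary per-trace predicate to a formula atom."""
    return ("atom", lambda T: {t for t in T if pred(t)})

def uniform(index, n):
    """Distribution-level atom: holds on all of T when field `index` takes
    each of the 2^n values equally often over T, and on no trace otherwise."""
    def holds(T):
        counts = Counter(t[index] for t in T)
        if len(counts) == 2 ** n and len(set(counts.values())) == 1:
            return set(T)
        return set()
    return ("atom", holds)

def prob(phi, n):
    """|[[phi]](T)| / |T| for T = T(Q, A, n): the probability that phi holds."""
    T = traces(n)
    return Fraction(len(sem(phi, T)), len(T))

def valid_for(phi, n, f):
    """The slide's condition at one value of n: the fraction exceeds 1 - f(n)."""
    return prob(phi, n) > 1 - f(n)

def demo(n):
    guess_wrong = pointwise(lambda t: t[0] != t[1])   # adversary fails to guess the nonce
    nonce_zero = pointwise(lambda t: t[0] == 0)
    return {
        # fraction of traces where the guess is wrong: 1 - 2^-n
        "guess_wrong": prob(guess_wrong, n),
        # conditioned on a wrong guess the nonce is still uniform: holds everywhere
        "wrong_imp_uniform": prob(("imp", guess_wrong, uniform(0, n)), n),
        # conditioned on nonce == 0 the nonce is not uniform, so the conditional
        # implication holds only where the premise fails: 1 - 2^-n
        "zero_imp_uniform": prob(("imp", nonce_zero, uniform(0, n)), n),
        # classical reading of the same implication evaluates Uniform on all of T: 1
        "zero_or_uniform": prob(("or", ("not", nonce_zero), uniform(0, n)), n),
        "overwhelming": valid_for(guess_wrong, n, lambda n: Fraction(1, 2 ** (n - 1))),
    }
```

For n = 3 the adversary's guess is wrong on 56 of the 64 traces, and the two readings of “nonce = 0 ⊃ Uniform(nonce)” differ (7/8 conditional, 1 classical), which is the point the slide makes about the propositional fragment not being classical.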
Soundness of proof system
Example axiom
• Source(Y, u, {m}X) ∧ Decrypts(X, {m}X) ∧ Honest(X, Y) ∧ (Z ≠ X, Y) ⊃ Indistinguishable(Z, u)
Proof idea: crypto-style reduction
• Assume axiom not valid: there exist A, D and negligible f such that for every n0 there is n > n0 with |[[φ]](T, D, f)| / |T| < 1 − f(n)
• Construct attacker A’ that uses A, D to break IND-CCA2 secure encryption scheme
• Conditional implication essential
Logic and Cryptography: Big Picture
(Diagram) Components: complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption); crypto constructions satisfying the definitions (e.g., Cramer-Shoup encryption scheme); the axioms of the proof system; protocol security proofs using the proof system. The semantics and soundness theorem link the crypto definitions to the axioms.
Current Work
Investigate nature of logic
• Propositional fragment not classical; represents conditional probability
  – complexity-theoretic reductions
  – connections with probabilistic logics (e.g. Nilsson86, Fagin-Halpern90)
Generalize reasoning about secrecy
• Probability close to ½ instead of 1
• Not a trace property
Cover more cryptographic protocols
• More primitives: signature, hash functions, …
• And protocols: secure key exchange, …
Information-theoretic and concrete security semantics
• Only probability; no complexity
• Concrete security reductions
Summary
PCL – A logic for security protocols:
• Divide-and-conquer paradigm in security
• Combining logic and cryptography
Applications:
• IEEE 802.11i
• GDOI Secure Group Communication protocol [RFC 3547; 2003]
• IKEv2 [IETF Internet Draft; 2004]
• TLS [RFC 2246; 1999]
• Kerberos V5 [IETF Internet Draft; 2004]
• Mobile IPv6 [RFC 3775; 2004]
Protocol analysis spectrum
(Figure repeated from Part I; see the description there.)
Ongoing Work
Extend and refine PCL
• Programming language, syntax, proof system
• More properties: beyond authentication, secrecy – abuse-freeness, fairness, knowledge-based specification
Tool implementation
• Encode logic into generic theorem-prover
• Preliminary implementation in Isabelle
• Investigate decidability of PCL
Unified theory for different models
• Vary computational abilities of attacker – symbolic, poly-time, information-theoretic
• Vary adversary’s control over network – complete vs. partial (e.g., in Mobile IPv6)
Protocol Derivation
• Incremental protocol construction – replace Clark-Jacob survey
Other Projects
Specification of Security
• Unifying simulation-based definitions – universal composability, black-box simulatability, strong simulatability [DKMRS04, DKMR05]
• Comparing game-based definitions with simulation-based definitions – impossibility theorem [DDMRS05]
• Open problem: compositional security definition
Foundations of Privacy
• Contextual Integrity [Nissenbaum04]
• Formal theory: Kripke models, temporal logic
• Application to HIPAA, GLBA, COPPA, …
• Relation to RBAC, P3P, EPAL, DRM, statistical databases, … [WIP – BDMN05]
Credits/Selected Publications
A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue]
A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic [ICALP05]
C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i [CCS05, ACM TISSEC special issue]
Project web page: www.stanford.edu/~danupam/logic-derivation.html
Computational Soundness
Simulation framework
• Backes, Pfitzmann, Waidner
Correspondence theorems
• Micciancio, Warinschi
Kapron-Impagliazzo logics
Abadi-Rogaway passive equivalence [Abadi-Rogaway00, …, Adao-Bana-Scedrov05]
(Diagram; some box symbols lost in extraction)
  (K2,{01}K3) , {({101}K2,K5 )}K2, {{K6}K4}K5
  (K2, ) , {({101}K2,K5 )}K2, { }K5
  (K1, ) , {({101}K1,K5 )}K1, { }K5
  (K1,{K1}K7) , {({101}K1,K5 )}K1, {{K6}K7}K5
  … …
Proposed as start of larger plan for computational soundness
Symbolic methods → comp’l results
Pereira and Quisquater, CSFW 2001, 2004
• Studied authenticated group Diffie-Hellman protocols
• Found symbolic attack in Cliques SA-GDH.2 protocol
• Proved no protocol of certain type is secure, for >3 participants
Micciancio and Panjwani, EUROCRYPT 2004
• Lower bound for class of group key establishment protocols using purely Dolev-Yao reasoning
  – Model pseudo-random generators, encryption symbolically
• Lower bound is tight; matches a known protocol
Classifying Attacks
Implementation bugs
• Buffer overflow, format string vulnerabilities
Cryptography breaks
• IEEE 802.11b (WEP encryption)
Protocol flaws
• Needham-Schroeder, IKE, IEEE 802.11i
• Focus on protocol flaws assuming “strong crypto”
• Complexity-theoretic characterization of “strong crypto”