![Page 1: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/1.jpg)
Abstraction and Refinement in Protocol Derivation
Anupam Datta Ante DerekJohn C. Mitchell Dusko Pavlovic
Stanford University Kestrel Institute CSFW June 28, 2004
![Page 2: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/2.jpg)
Project Goals Protocol derivation
Build security protocols by combining and refining parts from basic protocols.
Proof of correctness Prove protocols correct using logic
that follows steps of derivation.
![Page 3: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/3.jpg)
Outline Background
Derivation System [CSFW03] Compositional Logic
[CSFW01,CSFW03] Abstraction and Refinement
Methods Applications
Conclusions and Future Work
![Page 4: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/4.jpg)
Example Construct protocol with properties:
Shared secret Authenticated Identity Protection
Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)
![Page 5: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/5.jpg)
Component 1
Shared secret (with someone) A deduces:
Knows(Y, gab) (Y = A) ۷ Knows(Y,b)
Authenticated Identity Protection
A B: ga
B A: gb
Diffie Hellman
![Page 6: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/6.jpg)
Component 2
Shared secret Authenticated
A deduces: Received (B, msg1) Λ Sent (B, msg2)
Identity Protection
A B: m, AB A: n, sigB {m, n, A}A B: sigA {m, n, B}
Challenge-Response
![Page 7: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/7.jpg)
Composition
Shared secret: gab
Authenticated Identity Protection
m := ga
n := gb
A B: ga, AB A: gb, sigB {ga, gb, A}A B: sigA {ga, gb, B}
ISO-9798-3
![Page 8: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/8.jpg)
Refinement
Shared secret: gab
Authenticated Identity Protection
A B: ga, AB A: gb, EK {sigB {ga, gb, A}}A B: EK {sigA {ga, gb, B}}
Encrypt Signatures
![Page 9: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/9.jpg)
Outline Background
Derivation System Compositional Logic
Abstraction and Refinement Methods Applications
Conclusions and Future Work
![Page 10: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/10.jpg)
A B
Alice reasons: if Bob is honest, then: only Bob can generate his signature. [protocol independent] if Bob generates a signature of the form sigB {m, n, A},
he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice. [protocol specific]
Alice deduces: Received (B, msg1) Λ Sent (B, msg2)
m, A
n, sigB {m, n, A}
sigA {m, n, B}
Challenge-Response: Proof Idea
![Page 11: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/11.jpg)
Formalism Cord calculus
Protocol programming language Protocol logic
Expressing protocol properties Proof system
Proving protocol properties
Symbolic (“Dolev-Yao”) model
![Page 12: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/12.jpg)
A B
m, A
n, sigB {m, n, A}
sigA {m, n, B}
Challenge-Response as Cords
InitCR(A, X) = [new m;send A, X, m, A;receive X, A, x, sigX{m, x, A};send A, X, sigA{m, x, X};
]
RespCR(B) = [receive Y, B, y, Y;new n;send B, Y, n, sigB{y, n, Y};receive Y, B, sigY{y, n, B};
]
![Page 13: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/13.jpg)
Correctness of CR
CR |- [ InitCR(A, B) ] A Honest(B) ActionsInOrder(
Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sigB {m, n, A}}}), Receive(A, {B,A,{n, sigB {m, n, A}}})
)
InitCR(A, X) = [new m;send A, X, {m, A};receive X, A, {x, sigX{m, x, A}};send A, X, sigA{m, x, X}};
]
RespCR(B) = [receive Y, B, {y, Y};new n;send B, Y, {n, sigB{y, n, Y}};receive Y, B, sigY{y, n, B}};
]
![Page 14: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/14.jpg)
Proof System Sample Axioms:
Reasoning about possession: Has(A, {m}K) Has(A, K) Has(A, m) Has(A, {m,n}) Has(A, m) Has(A, n)
Reasoning about crypto primitives: Honest(X) Decrypt(Y, encX{m}) X=Y Honest(X) Verify(Y, sigX{m})
m’ (Send(X, m’) Contains(m’, sigX{m}) Protocol-specific Rule: Honesty/Invariance rule Soundness Theorem:
Every provable formula is valid
![Page 15: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/15.jpg)
Outline Background
Derivation System Compositional Logic
Abstraction and Refinement Methods Applications
Conclusions and Future Work
![Page 16: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/16.jpg)
Protocol Templates Protocols with function variables instead
of specific cryptographic operations Idea: One template can be instantiated
to many protocols Advantages:
proof reuse design principles/patterns
![Page 17: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/17.jpg)
ExampleA B: mB A: n, F(B,A,n,m)A B: G(A,B,n,m)
A B: mB A: n,EKAB(n,m,B)A B: EKAB(n,m)
A B: mB A: n,HKAB(n,m,B) A B: HKAB(n,m,A)
A B: mB A: n, sigB(n,m,A)A B: sigA(n,m,B)
Challenge-Response Template
ISO-9798-2
ISO-9798-3
SKID3
Abstraction
Instantiations
![Page 18: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/18.jpg)
Extending Formalism Language Extensions: Add function
variables to term language for cords and logic (HOL)
Semantics: Q |= φ σQ |= σφ, for all substitutions σ eliminating all function variables
Soundness Theorem: Every provable formula is valid
![Page 19: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/19.jpg)
Abstraction-Instantiation Method(1) Characterizing protocol concepts
Step 1: Under hypotheses about function variables and invariants, prove security property of template
Step 2: Instantiate function variables to cryptographic operations and prove hypotheses.
Benefit: Proof reuse
![Page 20: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/20.jpg)
ExampleChallenge-Response TemplateA B: m
B A: n, F(B,A,n,m)A B: G(A,B,n,m)
•Step 1:•Hypotheses: Function F(B,A,n,m) can be computed only by B or A,…•Property: Mutual authentication
•Step 2:•Instantiate F() to signature, keyed hash, encryption (ISO-9798-2,3, SKID3)•Satisfies hypotheses => Guarantees mutual authentication
![Page 21: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/21.jpg)
Proof Structure
Template
axiom
hypothesis
Instance
Discharge hypothesis
Proof reuse
![Page 22: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/22.jpg)
Abstraction-Instantiation Method(2) Combining protocol templates
If protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both.
Benefits: Modular proofs of properties Formalization of protocol refinements
![Page 23: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/23.jpg)
Refinement Example Revisited
Two templates: Template 1: authentication + shared secret
(Preserves existing properties; proof reused) Template 2: identity protection (encryption)
(Adds new property)
A B: ga, AB A: gb, EK {sigB {ga, gb, A}}A B: EK {sigA {ga, gb, B}}
Encrypt Signatures
![Page 24: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/24.jpg)
Authenticated key exchange
A B: ga, AB A: gb, F(B,A,gb,ga)A B: G(A,B,ga,gb)
A B: ga
B A: gb, F(B,gb,ga), F’(B,gab)A B: G(A,ga, gb), G’(A,gab)
AKE1 AKE2
•Shared secret•Stronger authentication•Identity protection for B•Non-repudiation
•Shared secret•Weaker authentication•Identity protection for A•Repudiability
H. Krawczyk: The Cryptography of the IPSec and IKE Protocols [CRYPTO’03]
ISO-9798-3, JFKi STS, JFKr, IKEv2, SIGMA
![Page 25: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/25.jpg)
More examples… Authenticated Key Exchange:
Template for JFKr, STS, IKE, IKEv2 Key Computation:
Template for Diffie-Hellman, UM, MTI/A, MQV
Combining these templates
![Page 26: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/26.jpg)
Synthesis: STS-MQV
STSPHcookie
STSP
MQVCPHMQVCPMQV MQVC
keyconf.
MQVRFK
protect identities
DH STS RFKsymmetric
hash
MTI/A
UM
MTIC
UMC
MTICP
UMCP
MTICPH
UMCPH
MTIRFK
UMRFK
authenticate
![Page 27: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/27.jpg)
Conclusions Abstraction-Instantiation using protocol templates:
Single proof for similar protocols from common template Multiple protocol properties from different templates
Logical foundation: Add function variables to protocol language and logic
Applications: CR template: ISO-9798-2,3, SKID3 Identity protection refinement in JFK Design principles: IKEv2, JFKi, JFKr, ISO, STS, SIGMA, IKE Synthesis: DH-MQV + STS-JFKr
![Page 28: Abstraction and Refinement in Protocol Derivation](https://reader036.vdocuments.site/reader036/viewer/2022062310/568167da550346895ddd370c/html5/thumbnails/28.jpg)
Future Work Done:
Derivation idea successfully applied to large set of protocol examples
Rigorous treatment of composition, refinement in protocol logic
Work In Progress: Tool support for derivation system and logic Formalization of protocol transformations More applications