Proving Security of Industrial Network Protocols: Theory and Practice Anupam Datta Stanford University Oakland PC Crystal Ball Workshop January 2007


Page 1: Proving Security of Industrial Network Protocols:  Theory and Practice

Proving Security of Industrial Network Protocols: Theory and Practice

Anupam Datta
Stanford University

Oakland PC Crystal Ball Workshop
January 2007

Page 2: Proving Security of Industrial Network Protocols:  Theory and Practice

Security Protocol Analysis

Network security protocols
• Industry Standards (IETF, IEEE)
  – SSL/TLS - web authentication
  – IPSec - corporate VPNs
  – Mobile IPv6 - routing security
  – Kerberos - network authentication
  – GDOI - secure group communication
  – 802.11i - wireless LAN security

Methods for their security analysis
• Security proof in some model; or
• Identify attacks

Page 3: Proving Security of Industrial Network Protocols:  Theory and Practice

Our Result

Protocol Composition Logic (PCL):
• Unbounded number of sessions (vs. model-checking)
• Short high-level proofs: 2-3 pages
• Sound wrt symbolic and computational cryptographic models
• Taught in security courses (alternative to BAN): CMU, Penn, Stanford, Texas…

[DMP01, DDMP03, …, RDDM06]

Page 4: Proving Security of Industrial Network Protocols:  Theory and Practice

PCL: Big Picture

Symbolic Model
• PCL Semantics (Meaning of formulas)
• Unbounded # concurrent sessions

PCL
• Syntax (Properties)
• Proof System (Proofs)

Soundness Theorem (Induction)

High-level proof principles

Cryptographic Model
• PCL Semantics (Meaning of formulas)
• Polynomial # concurrent sessions

Computational PCL
• Syntax ±
• Proof System ±

Soundness Theorem (Reduction)

[BPW, MW,…]

Page 5: Proving Security of Industrial Network Protocols:  Theory and Practice

PCL Results: Industrial Protocols

• IEEE 802.11i [IEEE Standards; 2004] [HSDDM05]
  – TLS/SSL [RFC 2246] is a component
  – (Attack using model-checking; fix adopted by WG)
• GDOI Secure Group Communication [RFC 3547] [MP04]
  – (Attack using PCL; fix adopted by IETF WG)
• Kerberos V5 [IETF ID; 2004] [CMP05, RDDM06]
• Mobile IPv6 [RFC 3775] in progress [RDM06]
• IKE/JFK family
  – IKEv2 [IETF ID; 2004] in progress [RDM06]

Except Kerberos, results currently apply only to symbolic model

Page 6: Proving Security of Industrial Network Protocols:  Theory and Practice

PCL Proof Techniques

Modular Proofs [DDMP03, HSDDM05]
• Useful for protocols composed from multiple components, e.g. IEEE 802.11i has 4 components including TLS
• Sequential, parallel, staged composition

Generic Template-style Proofs [DDMP04]
• Useful for protocols with multiple modes but similar abstract structure, e.g. IKEv2 has two modes based on symmetric and public-key cryptography

Page 7: Proving Security of Industrial Network Protocols:  Theory and Practice

In More Detail …

Protocol Programming Language

Protocol Composition Logic
• Syntax: Stating security properties
• Trace Semantics: Property holds in (almost) all runs of protocol

Proof System
• Axioms and rules: Used to prove security
• High-level proof principles

Page 8: Proving Security of Industrial Network Protocols:  Theory and Practice

Example: Challenge-Response

A → B: m, A
B → A: n, sigB {m, n, A}
A → B: sigA {m, n, B}

Alice reasons: if Bob is honest, then:
1. only Bob can generate his signature [protocol independent]
2. if Bob generates a signature of the form sigB{m, n, A},
   – he sends it as part of msg2 of the protocol, and
   – he must have received msg1 from Alice [protocol specific]

Alice deduces: Received (B, msg1) ∧ Sent (B, msg2)

Page 9: Proving Security of Industrial Network Protocols:  Theory and Practice

Challenge-Response Programs

A → B: m, A
B → A: n, sigB {m, n, A}
A → B: sigA {m, n, B}

InitCR(A, X) = [
  new m;
  send A, X, {m, A};
  receive X, A, {x, sigX{m, x, A}};
  send A, X, {sigA{m, x, X}};
] < >

RespCR(B) = [
  receive Y, B, {y, Y};
  new n;
  send B, Y, {n, sigB{y, n, Y}};
  receive Y, B, {sigY{y, n, B}};
] < >

Page 10: Proving Security of Industrial Network Protocols:  Theory and Practice

Challenge-Response Property

Specifying authentication for Initiator using PCL syntax

true [ InitCR(A, B) ] A Honest(B)
  ( Send(A, {A,B,m})
    Receive(B, {A,B,m})
    Send(B, {B,A,{n, sigB {m, n, A}}})
    Receive(A, {B,A,{n, sigB {m, n, A}}}) )

Semantics: Property should hold in (almost) all protocol runs
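
An added example, not part of the slides: a symbolic trace of one InitCR/RespCR session and a check of the initiator property over it. Reading the property as the ordering Send < Receive < Send < Receive under the premise Honest(B) is an assumption, as are the names `Event`, `cr_messages`, `honest_run` and `initiator_auth` and the constructed traces.

```python
from collections import namedtuple

Event = namedtuple("Event", "action agent msg")  # action: "send" or "receive"

def sig(signer, *fields):
    """Symbolic signature term; in the symbolic model only its signer can create it."""
    return ("sig", signer) + fields

def cr_messages(a, b, m, n):
    """The three messages of InitCR(a, b) / RespCR(b) for nonces m and n."""
    msg1 = (a, b, (m, a))
    msg2 = (b, a, (n, sig(b, m, n, a)))
    msg3 = (a, b, sig(a, m, n, b))
    return msg1, msg2, msg3

def honest_run(a, b, m, n):
    """Trace of one session delivered in order, with no interference."""
    trace = []
    for sender, receiver, msg in zip((a, b, a), (b, a, b), cr_messages(a, b, m, n)):
        trace += [Event("send", sender, msg), Event("receive", receiver, msg)]
    return trace

def position(trace, event):
    """Index of the event in the trace, or None if it never happened."""
    return trace.index(event) if event in trace else None

def initiator_auth(trace, a, b, m, n, honest):
    """Honest(b) implies Send(a,msg1) < Receive(b,msg1) < Send(b,msg2) < Receive(a,msg2)."""
    if b not in honest:
        return True  # premise Honest(b) fails, so the property claims nothing
    msg1, msg2, _ = cr_messages(a, b, m, n)
    order = [position(trace, Event("send", a, msg1)),
             position(trace, Event("receive", b, msg1)),
             position(trace, Event("send", b, msg2)),
             position(trace, Event("receive", a, msg2))]
    return None not in order and order == sorted(order)

# Constructed traces: a complete session, and A's view of it with B's
# matching actions missing (what the property rules out for an honest B).
GOOD = honest_run("A", "B", "m1", "n1")
BAD = [e for e in GOOD if e.agent != "B"]
```

A model checker would enumerate traces like `BAD`; the PCL proof instead argues that no run of the protocol with an honest B can produce one.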

Page 11: Proving Security of Industrial Network Protocols:  Theory and Practice

PCL: Proof System

Sample Axiom:
• Property of signature:
  – Honest(X) Verifies(Y, sigX{m}) m’. Sent(X, m’) Contains(m’, sigX{m}))

Sample proof rules:
• First-order logic rules
• Induction rule (next slide)

Soundness Theorem
• If is provable, then holds in all protocol runs
• Established using induction for symbolic and reduction for cryptographic model

Step 1 of CR proof

Page 12: Proving Security of Industrial Network Protocols:  Theory and Practice

Inductive Invariant Rule Scheme

steps A of protocol Q. Start(X) [ ]X [ A ]X Q |- Honest(X)

• Example:
  – CR |- Honest(X) (Send(X, m) Contains(m, sigx {y, x, Y}) m= X, Y, {x, sigB{y, x, Y}} Receive(X, {Y, X, {y, Y}}) )

• Note: Rule depends on protocol

Step 2 of CR proof

Page 13: Proving Security of Industrial Network Protocols:  Theory and Practice

In More Detail …

PCL Proof Techniques
• Modular Proofs
• Generic Template-style Proofs

Page 14: Proving Security of Industrial Network Protocols:  Theory and Practice

Modular Analysis / Composition

802.11i Key Management: 20 msgs in 4 components [HSDDM CCS’05 -> TISSEC Special Issue]

Parties: Laptop, Access Point, Auth Server

• EAP-TLS: Certificates to Authorization (PMK)
• 4WAY Handshake: PMK to Keys for data communication
• Group key: Keys for broadcast communication
• Data protection: AES based using above keys

(Shared Secret-PMK)

Page 15: Proving Security of Industrial Network Protocols:  Theory and Practice

Compositional Proofs: Intuition

Protocol specific reasoning
• “if honest Bob generates a signature of the form sigB {m, n, A},
  – he sends it as part of msg2 …”
• Could break: Bob’s signature from one protocol could be used to attack another
• PCL proof system: Invariant rule

Protocol independent reasoning
• Axiom stating unforgeability of signatures
• Still good: unaffected by composition
• All other axioms and proof rules for PCL

Page 16: Proving Security of Industrial Network Protocols:  Theory and Practice

Proof Tree

[Figure: proof tree built from Axiom, INV rule and Other rules. Node labels: TLS |- Inv; Inv |- Auth; Inv; Auth (Security property); TLS | 4WAY |- Inv. Annotations: "Bulk of proof reused"; "Additional work to prove 4WAY |- Inv".]

Theorem: If Q |- Inv and Q’ |- Inv, then Q | Q’ |- Inv

[DDMP CSF’03 -> JCS Special Issue, MFPS’03]

Page 17: Proving Security of Industrial Network Protocols:  Theory and Practice

Generic Template-style Proofs

Protocols with function variables instead of specific cryptographic operations
• One template can be instantiated to many protocols
• Proof of template yields proofs for instances

Motivating example:
• IKEv2: two instances based on symmetric and public-key cryptography

Page 18: Proving Security of Industrial Network Protocols:  Theory and Practice

Protocol Template

Challenge-Response Template
  A → B: m
  B → A: n, F(B,A,n,m)
  A → B: G(A,B,n,m)

Instantiations

ISO-9798-2
  A → B: m
  B → A: n, EKAB(n,m,B)
  A → B: EKAB(n,m)

SKID3
  A → B: m
  B → A: n, HKAB(n,m,B)
  A → B: HKAB(n,m,A)

ISO-9798-3
  A → B: m
  B → A: n, sigB(n,m,A)
  A → B: sigA(n,m,B)

Page 19: Proving Security of Industrial Network Protocols:  Theory and Practice

Template Proof Method

Characterizing protocol concepts
• Step 1: Under hypotheses about function variables and invariants, prove security property of template
• Step 2: Instantiate function variables to cryptographic operations and prove hypotheses.

Benefit:
• Proof reuse

Single protocol can be instance of multiple templates allowing modular proofs
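
An added example, not part of the slides: the challenge-response template with its function variables F and G passed in as parameters, instantiated as in the HKAB(n,m,B) / HKAB(n,m,A) instance. HMAC-SHA256 as the keyed hash, the length-prefixed field encoding and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def encode(*fields):
    """Length-prefix each field so distinct tuples never share an encoding."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def keyed_hash_instance(k_ab):
    """Instantiate the function variables: F(B,A,n,m) = H(n,m,B), G(A,B,n,m) = H(n,m,A)."""
    def H(*fields):
        return hmac.new(k_ab, encode(*fields), hashlib.sha256).digest()
    def F(b, a, n, m):
        return H(n, m, b)
    def G(a, b, n, m):
        return H(n, m, a)
    return F, G

def initiator_accepts(F, a, b, m, n, tag2):
    """A's check on message 2: recompute F over A's own fresh challenge m."""
    return hmac.compare_digest(tag2, F(b, a, n, m))

def responder_accepts(G, a, b, m, n, tag3):
    """B's check on message 3: recompute G over the nonces of this session."""
    return hmac.compare_digest(tag3, G(a, b, n, m))

def session(F_a, G_a, F_b, G_b, a=b"A", b=b"B"):
    """Run the template once; A holds (F_a, G_a) and B holds (F_b, G_b).
    Returns (initiator accepted, responder accepted)."""
    m = os.urandom(16)                  # A -> B: m
    n = os.urandom(16)                  # B -> A: n, F(B,A,n,m)
    tag2 = F_b(b, a, n, m)
    if not initiator_accepts(F_a, a, b, m, n, tag2):
        return False, False             # A aborts and never sends message 3
    tag3 = G_a(a, b, n, m)              # A -> B: G(A,B,n,m)
    return True, responder_accepts(G_b, a, b, m, n, tag3)
```

Only `keyed_hash_instance` is specific to one instantiation; `session` and the two checks are written against F and G alone, mirroring how the template proof is reused while the hypotheses are discharged per instance.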

Page 20: Proving Security of Industrial Network Protocols:  Theory and Practice

Proof Structure

Template

axiom

hypothesis

Instance

Additional work to discharge hypotheses

Bulk of proof reused

Page 21: Proving Security of Industrial Network Protocols:  Theory and Practice

Summary

PCL – Logic for security protocols
• Sound wrt symbolic and cryptographic models
• High-level short proofs: 2-3 pages

Proof techniques
• Modular/compositional proofs
• Generic template-style proofs

Proofs of industrial protocols
• IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2 (unpublished), Mobile IPv6 (in progress)

Page 22: Proving Security of Industrial Network Protocols:  Theory and Practice

Acknowledgements

PCL Design
• A. Datta, A. Derek, N. Durgin, J. C. Mitchell, D. Pavlovic, A. Roy

Computational PCL Design
• A. Datta, A. Derek, J. C. Mitchell, A. Roy, M. Turuani, V. Shmatikov, B. Warinschi

PCL Applications (in addition)
• M. Backes, I. Cervesato, C. He, C. Meadows, M. Sundararajan

PCL Project Page:
• http://www.stanford.edu/~danupam/logic-derivation.html

Page 23: Proving Security of Industrial Network Protocols:  Theory and Practice

Thanks!

Questions?

Page 24: Proving Security of Industrial Network Protocols:  Theory and Practice

Attacks on Industry Standards

IKE [Meadows; 1999]
• Reflection attack; fix adopted by IETF WG

IEEE 802.11i [He, Mitchell; 2004]
• DoS attack; fix adopted by IEEE WG

GDOI [Meadows, Pavlovic; 2004]
• Composition attack; fix adopted by IETF WG

Kerberos V5 [Scedrov et al; 2005]
• Identity misbinding attack; fix adopted by IETF WG; Windows update released by Microsoft

Identified using logical methods

Page 25: Proving Security of Industrial Network Protocols:  Theory and Practice

Protocol Analysis Techniques

[Figure: taxonomy of cryptographic protocol analysis. Labels as they appear on the slide:]

Cryptographic Protocol Analysis

Formal Models
Cryptographic Models

Protocol Logics
Model Checking
Theorem Proving

Dolev-Yao (perfect cryptography)

Probabilistic Interactive TM
Probabilistic process calculi
Probabilistic I/O automata

Computational PCL
Process Calculi …

Spi-calculus, Applied π-calculus

BAN, PCL
Inductive Method, Automating BAN, TAPS, Automating PCL

FDR, Murphi, Athena, NRL, Brutus, OFMC

Bug finding
Correctness Proofs

Page 26: Proving Security of Industrial Network Protocols:  Theory and Practice

Communication Setting

Insecure network

Full Control

Page 27: Proving Security of Industrial Network Protocols:  Theory and Practice

Open Problems in 2000

Background:
• Precise model of protocol execution
• Methods applied to simple protocols [Clark-J97]

Central open problems:
• Develop methods for industrial protocols
  – [Mea99, Pau99] exceptions: SET, IKE, Kerberos
  – Compositional analysis technique required for practice
• Cryptographic soundness
  – Remove perfect cryptography assumption
  – Analysis should be sound wrt complexity-theoretic model of cryptography

Page 28: Proving Security of Industrial Network Protocols:  Theory and Practice

PCL: Syntax

Action formulas
  a ::= Send(P,t) | Receive (P,t) | …

Formulas
  ::= a | Has(P,t) | Honest(N) | | 1 2 | x | a < a | …

Modal formula
  [ actions ] P

Example (specifying secrecy)
  Has(X, secret) ( X = A X = B)

Page 29: Proving Security of Industrial Network Protocols:  Theory and Practice

Compositional Security

Protocol Q

Safe Environment for Q

Q1 Q2 Q3 Qn…

Hard problem in security!

Modularity in CS:
• Programming Languages
• Distributed computing
• Hardware verification

Different from:
• Assume-guarantee in distributed computing [MC81]
• Universal Composability [C01, PW01]

Page 30: Proving Security of Industrial Network Protocols:  Theory and Practice

Protocol Analysis Spectrum

[Figure: analysis methods plotted on two axes, Protocol complexity (Low to High) and Strength of attacker model (Low to High). Labels: Murφ, FDR, NRL, Athena, Hand proofs, Paulson, BAN logic, Spi-calculus, Poly-time calculus, Model checking, PCL, Computational PCL, Multiset rewriting, Holy Grail. Annotations: "Combining logic and cryptography"; "Divide and conquer". References: BPW, MW, Herz, Blan]