Symbolic and Computational Analysis of Network Protocol Security
Description: Symbolic and Computational Analysis of Network Protocol Security. John Mitchell, Stanford University. Asian 2006. Outline: Protocols (some examples, some intuition); Symbolic analysis of protocol security (models, results, tools); Computational analysis.
Transcript
![Page 1: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/1.jpg)
Symbolic and Computational Analysis
of Network Protocol Security
John Mitchell, Stanford University
Asian 2006
![Page 2: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/2.jpg)
Outline
Protocols: some examples, some intuition
Symbolic analysis of protocol security: models, results, tools
Computational analysis: communicating Turing machines, composability
Combining symbolic, computational analysis: some alternate approaches; Protocol Composition Logic (PCL); symbolic and computational semantics
![Page 3: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/3.jpg)
Many Protocols
Authentication: Kerberos
Key exchange: SSL/TLS handshake, IKE, JFK, IKEv2, …
Wireless and mobile computing: Mobile IP, WEP, 802.11i
Electronic commerce: contract signing, SET, electronic cash, …
See http://www.lsv.ens-cachan.fr/spore/, http://www.avispa-project.org/library
![Page 4: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/4.jpg)
Mobile IPv6 Architecture
IPv6
Mobile Node (MN)
Corresponding Node (CN)
Home Agent (HA)
Direct connection via binding update
Authentication is a requirement; early proposals were weak
![Page 5: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/5.jpg)
802.11i Wireless Authentication
Supplicant state before: UnAuth/UnAssoc, 802.1X Blocked, No Key
802.11 Association
EAP/802.1X/RADIUS Authentication (produces the MSK)
4-Way Handshake
Group Key Handshake
Data Communication
Supplicant state after: Auth/Assoc, 802.1X UnBlocked, PTK/GTK
![Page 6: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/6.jpg)
IKE subprotocol from IPSEC
A → B: A, (g^a mod p)
B → A: B, (g^b mod p)
Result: A and B share secret g^ab mod p
Same exchange with signatures, where m1 and m2 abbreviate the two messages above:
A → B: m1
B → A: m2, sign_B(m1, m2)
A → B: sign_A(m1, m2)
Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks
![Page 7: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/7.jpg)
Run of a protocol
(Figure: principals A (Initiate) and B (Respond), further principals C and D, and an Attacker on the network)
Correct if no security violation in any run
![Page 8: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/8.jpg)
Protocol analysis methods
Cryptographic reductions: Bellare-Rogaway, Shoup, many others; UC [Canetti et al]; Simulatability [BPW]; Prob poly-time process calculus [LMRST…]
Symbolic methods (see also http://www.avispa-project.org/):
Model checking: FDR [Lowe, Roscoe, …], Murphi [M, Shmatikov, …]
Symbolic search: NRL protocol analyzer [Meadows]
Theorem proving: Isabelle [Paulson …], Specialized logics [BAN, …]
![Page 9: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/9.jpg)
“The” Symbolic Model
Messages are algebraic expressions: Nonce, Encrypt(K,M), Sign(K,M), …
Adversary: nondeterministic; observes, stores, directs all communication
Breaks messages into parts; encrypts, decrypts, signs only if it has the key
Example: from K1 and Encrypt(K1, “hi”) the adversary obtains “hi”
Sends messages derivable from stored parts
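As an added example (not from the slides), the following Python code is a small Dolev-Yao style deduction engine for the adversary just described: it closes observed messages under splitting pairs, decrypting with known keys and reading signed payloads, and then decides whether a target message can be assembled from the result. The tuple encoding of terms and the rule set are assumptions of this example, not the notation of any particular tool.

```python
# Added example (not from the slides): a small Dolev-Yao style deduction
# engine for the symbolic adversary. Terms are tuples (an assumption here):
#   ("atom", name)      a key, nonce or plaintext such as K1 or "hi"
#   ("pair", t1, t2)    concatenation
#   ("enc", k, t)       encryption under key k; opens only if k is known
#   ("sign", k, t)      signature by k; reveals t, forgeable only with k

def atom(name):
    return ("atom", name)

def pair(a, b):
    return ("pair", a, b)

def enc(k, m):
    return ("enc", k, m)

def sign(k, m):
    return ("sign", k, m)

def analyze(observed):
    """Break observed messages into parts until nothing new appears.
    Pairs split, ciphertexts open only when the key is already known,
    and a signature exposes the message it is over."""
    known = set(observed)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if t[0] == "pair":
                parts = [t[1], t[2]]
            elif t[0] == "enc" and t[1] in known:
                parts = [t[2]]
            elif t[0] == "sign":
                parts = [t[2]]
            else:
                parts = []
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return known

def derivable(observed, goal):
    """Can the adversary send `goal`? Yes if it is among the analyzed parts,
    or if it can be assembled from derivable parts: a pair needs both halves,
    an encryption or signature needs the key and the payload."""
    known = analyze(observed)

    def synth(t):
        if t in known:
            return True
        if t[0] == "atom":
            return False
        return synth(t[1]) and synth(t[2])

    return synth(goal)

# Constructed sample terms
K1, K2, HI = atom("K1"), atom("K2"), atom("hi")

def slide_example():
    """The slide's example: from K1 and Encrypt(K1, "hi") derive "hi"."""
    return derivable({K1, enc(K1, HI)}, HI)

def nested_example():
    """Decryption can unlock keys that unlock further ciphertexts:
    K1 and {K2, {hi}K2}K1 yield hi after two analysis rounds."""
    return derivable({K1, enc(K1, pair(K2, enc(K2, HI)))}, HI)

if __name__ == "__main__":
    print(slide_example(), nested_example())
    print(derivable({enc(K2, HI)}, HI))            # K2 never observed
    print(derivable({sign(K2, HI)}, sign(K2, K1)))  # cannot forge with K2
```

The fixpoint in `analyze` is what makes "decrypt only if it has the key" work for nested ciphertexts: a key recovered in one round opens ciphertexts in the next. Synthesis is the mirror image, and the two together are exactly the closure that model checkers and constraint solvers compute when they search for an attack trace.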
![Page 10: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/10.jpg)
Many formulations
Word problems [Dolev-Yao, Dolev-Even-Karp, …]: each protocol step is a symbolic function from input message to output message; cancellation law d_k e_k x = x
Rewrite systems [CDLMS, …]: each protocol step is a symbolic function from state and input message to state and output message
Logic programming [Meadows NRL Analyzer]: each protocol step can be defined by logical clauses; resolution used to perform reachability search
Constraint solving [Amadio-Lugiez, …]: write set constraints defining messages known at step i
Strand space model [MITRE]: partial order (Lamport causality), reasoning methods
Process calculus [CSP, Spi-calculus, applied pi-calculus, …]: each protocol step is a process that reads and writes on a channel; Spi-calculus uses name restriction for new values and private channels to simulate crypto
![Page 11: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/11.jpg)
Complexity results (see [Cortier et al])

| | Bounded # of sessions | Unbounded number of sessions, without nonces | Unbounded number of sessions, with nonces |
|---|---|---|---|
| General | Co-NP complete | undecidable | undecidable |
| Bounded msg length | | DEXP-time complete | undecidable |
| Tagged | | exptime | decidable |
| One-copy | | DEXP-time complete | |
| Ping-pong protocols | | Ptime | |

Additional results for variants of basic model (AC, xor, modular exp, …)
![Page 12: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/12.jpg)
Many protocol case studies
Murphi [Shmatikov, He, …]: SSL, contract signing, 802.11i, …
Meadows NRL tool: participation in IETF, IEEE standards; many important examples
Paulson inductive method; Scedrov et al: Kerberos, SSL, SET, many more
Protocol logic: BAN logic and successors (GNY, SvO, …), DDMP, …
Automated tools based on the symbolic model detect important, nontrivial bugs in practical, deployed, and standardized protocols
![Page 13: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/13.jpg)
Computational model I [Bellare-Rogaway, Shoup, …]
(Figure: an Adversary machine with an input tape and a work tape, connected by oracle tapes to the “Alice” and “Bob” oracles)
![Page 14: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/14.jpg)
Computational model II [Canetti, …]
(Figure: several Turing machines, one per party, and an Adversary exchanging messages with them)
![Page 15: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/15.jpg)
Computational model III [Micciancio-Warinschi, …]
(Figure: several programs and an Adversary; the programs are process terms such as)
In(c, x).Send(…) | In(d,y).new z. Send(…y z ..) | In(c, encrypt(k,…)). …
![Page 16: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/16.jpg)
Computational security: encryption
Several standard conditions on encryption:
Passive adversary: semantic security
Chosen ciphertext attacks (CCA1): adversary can ask for decryption before receiving a challenge ciphertext
Chosen ciphertext attacks (CCA2): adversary can ask for decryption before and after receiving a challenge ciphertext
Computational model offers more choices than the symbolic model
![Page 17: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/17.jpg)
Passive Adversary
Attacker → Challenger: m0, m1
Challenger → Attacker: E(mi)
Attacker: guess 0 or 1
![Page 18: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/18.jpg)
Chosen ciphertext CCA1
Attacker → Challenger: c; Challenger → Attacker: D(c) (before the challenge only)
Attacker → Challenger: m0, m1
Challenger → Attacker: E(mi)
Attacker: guess 0 or 1
![Page 19: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/19.jpg)
Chosen ciphertext CCA2
Attacker → Challenger: c; Challenger → Attacker: D(c)
Attacker → Challenger: m0, m1
Challenger → Attacker: E(mi)
Attacker → Challenger: c, for any c other than the challenge E(mj); Challenger → Attacker: D(c)
Attacker: guess 0 or 1
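The three games on the preceding slides, as an added example in Python (not part of the talk): a challenger that enforces the passive, CCA1 and CCA2 oracle rules, two toy encryption schemes constructed for illustration (a deterministic ECB-like scheme and a malleable stream-like scheme, neither fit for real use), and attackers that win the game the respective scheme fails. The scheme and attacker names are assumptions of this example.

```python
# Added example (not from the slides): the passive / CCA1 / CCA2 games as a
# harness. Toy schemes and adversaries are constructed for illustration.
import hashlib
import hmac
import os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class EcbLike:
    """Deterministic, block by block: equal plaintext blocks give equal
    ciphertext blocks, as in ECB mode. Encryption only, so usable only in
    the passive game."""
    def __init__(self):
        self.key = os.urandom(16)

    def enc(self, m):
        blocks = [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]
        return b"".join(hmac.new(self.key, blk, hashlib.sha256).digest()[:BLOCK]
                        for blk in blocks)

class StreamLike:
    """Randomized: c = nonce || (m XOR keystream(key, nonce)). A fresh nonce
    hides which plaintext was encrypted, but ciphertexts are malleable."""
    def __init__(self):
        self.key = os.urandom(16)

    def _keystream(self, nonce, n):
        out, ctr = b"", 0
        while len(out) < n:
            out += hashlib.sha256(self.key + nonce + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        return out[:n]

    def enc(self, m):
        nonce = os.urandom(16)
        return nonce + xor(m, self._keystream(nonce, len(m)))

    def dec(self, c):
        nonce, body = c[:16], c[16:]
        return xor(body, self._keystream(nonce, len(body)))

class OracleViolation(Exception):
    """The attacker asked for something the game does not allow."""

def ind_game(scheme, adversary, mode):
    """One run for mode in {"passive", "cca1", "cca2"}; True if the
    attacker's guess equals the challenger's hidden bit."""
    b = os.urandom(1)[0] & 1
    state = {"challenge": None}

    def challenge(m0, m1):
        if state["challenge"] is not None or len(m0) != len(m1):
            raise OracleViolation("one challenge on equal-length messages")
        state["challenge"] = scheme.enc(m1 if b else m0)
        return state["challenge"]

    def decrypt(c):
        if mode == "passive":
            raise OracleViolation("no decryption oracle in the passive game")
        if mode == "cca1" and state["challenge"] is not None:
            raise OracleViolation("CCA1: no decryption after the challenge")
        if c == state["challenge"]:
            raise OracleViolation("CCA2: the challenge itself is never decrypted")
        return scheme.dec(c)

    return adversary(challenge, decrypt) == b

def coin():
    return os.urandom(1)[0] & 1

def ecb_pattern_adversary(challenge, decrypt):
    """Passive attacker: m0 has two equal blocks, m1 does not, so a repeated
    ciphertext block identifies m0. Guesses at random otherwise."""
    c = challenge(b"A" * (2 * BLOCK), b"A" * BLOCK + b"B" * BLOCK)
    if len(c) != 2 * BLOCK:
        return coin()
    return 0 if c[:BLOCK] == c[BLOCK:] else 1

def malleability_adversary(challenge, decrypt):
    """CCA2 attacker: flip one bit of the challenge and ask for the decryption
    of the modified, hence permitted, ciphertext."""
    c = challenge(b"\x00" * BLOCK, b"\xff" * BLOCK)
    try:
        m = decrypt(c[:-1] + bytes([c[-1] ^ 0x01]))
    except OracleViolation:          # passive or CCA1: no oracle after the challenge
        return coin()
    return 1 if m[-1] == 0xfe else 0

def success_rate(make_scheme, adversary, mode, trials=400):
    wins = sum(ind_game(make_scheme(), adversary, mode) for _ in range(trials))
    return wins / trials

def replay_is_rejected():
    """The CCA2 oracle must refuse the challenge ciphertext itself."""
    seen = []
    def adversary(challenge, decrypt):
        c = challenge(b"\x00" * BLOCK, b"\x01" * BLOCK)
        try:
            decrypt(c)
        except OracleViolation:
            seen.append(True)
        return 0
    ind_game(StreamLike(), adversary, "cca2")
    return seen == [True]
```

Run `success_rate(EcbLike, ecb_pattern_adversary, "passive")` to see the ECB-like scheme lose the passive game every time, and `success_rate(StreamLike, malleability_adversary, "cca2")` to see the stream-like scheme survive the passive and CCA1 games (rate near one half) but lose CCA2: the only ciphertext the CCA2 rule withholds is the challenge itself, and a malleable scheme lets the attacker ask about a neighbour of it instead.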
![Page 20: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/20.jpg)
Protocol execution
(Figure: real-world parties P1 to P4 run the protocol, with environment Z supplying inputs and observing outputs, and an attacker A)
Ideal functionality
(Figure: the same parties P1 to P4 interact with ideal functionality F; a simulator S stands in for the attacker; Z supplies inputs and observes outputs)
Equivalence-based methods: UC, RSIM
Slide: R. Canetti
![Page 21: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/21.jpg)
| | Symbolic model [NS78, DY84, …] | Complexity-theoretic model [GM84, …] |
|---|---|---|
| Attacker actions | – Fixed set of actions, nondeterminism (ABSTRACTION) | + Any probabilistic poly-time computation |
| Security properties | – Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION) | + Fine-grained, e.g., secret message = no partial information about bitstring representation |
| Analysis methods | + Successful array of tools and techniques; compositionality | – Hand-proofs are difficult, error-prone, unsystematic; no automation |

Can we have best of both worlds?
![Page 22: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/22.jpg)
Some relevant approaches
Simulation framework: Backes, Pfitzmann, Waidner
Correspondence theorems: Micciancio, Warinschi
Kapron-Impagliazzo logics
Abadi-Rogaway passive equivalence, proposed as start of larger plan for computational soundness [Abadi-Rogaway00, …, Adao-Bana-Scedrov05]; example expressions:
(K2,{01}K3) , {({101}K2,K5 )}K2, {{K6}K4}K5
(K2, ) , {({101}K2,K5 )}K2, { }K5
(K1, ) , {({101}K1,K5 )}K1, { }K5
(K1,{K1}K7) , {({101}K1,K5 )}K1, {{K6}K7}K5
… …
![Page 23: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/23.jpg)
Symbolic methods, computational results
Pereira and Quisquater, CSFW 2001, 2004: studied authenticated group Diffie-Hellman protocols; found symbolic attack in Cliques SA-GDH.2 protocol; proved no protocol of certain type is secure, for >3 participants
Micciancio and Panjwani, EUROCRYPT 2004: lower bound for class of group key establishment protocols using purely Dolev-Yao reasoning; model pseudo-random generators, encryption symbolically; lower bound is tight, matches a known protocol
![Page 24: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/24.jpg)
Rest of talk: Protocol composition logic
(Figure: Alice’s information is her protocol, her private data, and the messages she sends and receives; honest principals and the attacker share the network)
Logic has symbolic and computational semantics
![Page 25: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/25.jpg)
Example
A → B: { A, Nonce_a }_Kb
B → A: { Nonce_a, … }_Ka
Alice assumes that only Bob has Kb^-1
Alice generated Nonce_a and knows that some X decrypted the first message; since only X knows Kb^-1, Alice knows X = Bob
![Page 26: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/26.jpg)
More subtle example: Bob’s view
A → B: { A, Nonce_a }_Kb
B → A: { Nonce_a, B, Nonce_b }_Ka
A → B: { Nonce_b }_Kb
Bob assumes that Alice follows the protocol; since Alice responds to the second message, Alice must have sent the first message
![Page 27: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/27.jpg)
Execution model
Protocol: a “program” for each protocol role
Initial configuration: set of principals and keys; assignment of 1 role to each principal
Run (figure: actions of principals A, B, C in order, with a marked position in the run): new x; send {x}B; recv {x}B; new z; send {z}B; decr_A; recv {z}B
![Page 28: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/28.jpg)
Formulas true at a position in run
Action formulas: a ::= Send(P,m) | Receive(P,m) | New(P,t) | Decrypt(P,t) | Verify(P,t)
Formulas ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | | 1 2 | x | |
Example a < b = (b a)
Notation in papers varies slightly …
![Page 29: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/29.jpg)
Modal Formulas
After actions, condition: [ actions ] P where P = princ, role id
Before/after assertions: [ actions ] P
Composition rule: from [ S ] P and [ T ] P conclude [ ST ] P
Logic formulated: [DMP, DDMP]
Related to: BAN, Floyd-Hoare, CSP/CCS, temporal logic, NPATRL
![Page 30: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/30.jpg)
Example: Bob’s view of NSL
Bob knows he’s talking to Alice:
[ receive encrypt( Key(B), A,m ); new n; send encrypt( Key(A), m, B, n ); receive encrypt( Key(B), n ) ] B
Honest(A) Csent(A, msg1) Csent(A, msg3)
where Csent(A, …) Created(A, …) Sent(A, …), and msg1, msg3 label the two messages Bob receives
![Page 31: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/31.jpg)
Proof System
Sample axioms:
Reasoning about possession: [receive m ]A Has(A,m); Has(A, {m,n}) Has(A, m) Has(A, n)
Reasoning about crypto primitives: Honest(X) Decrypt(Y, enc(X, {m})) X=Y; Honest(X) Verify(Y, sig(X, {m})) m’ (Send(X, m’) Contains(m’, sig(X, {m}))
Soundness Theorem: every provable formula is valid in the symbolic model
![Page 32: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/32.jpg)
![Page 33: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/33.jpg)
Composition example: Part 1
Diffie-Hellman
A → B: g^a
B → A: g^b
Shared secret (with someone), but not authenticated. A deduces: Knows(Y, g^ab) (Y = A) ∨ Knows(Y, b)
![Page 34: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/34.jpg)
Composition example: Part 2
Challenge-Response
A → B: m, A
B → A: n, sig_B {m, n, A}
A → B: sig_A {m, n, B}
Authenticated, but no shared secret. A deduces: Received(B, msg1) ∧ Sent(B, msg2)
![Page 35: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/35.jpg)
Composition: Part 3
ISO-9798-3: challenge-response with m := g^a, n := g^b
A → B: g^a, A
B → A: g^b, sig_B {g^a, g^b, A}
A → B: sig_A {g^a, g^b, B}
Shared secret g^ab, and authenticated
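The composed exchange above, run end to end as an added example (not code from the talk or from any PCL tool). Assumptions of this example: a toy 127-bit group (P = 2^127 - 1, a Mersenne prime; a standard group would be used in practice), and sig_X{…} modelled as an HMAC under a per-principal key that the verifier is assumed to hold, standing in for a public-key signature. The two `*_rejected` functions show the checks that give the authentication property from Part 2 its force: B's signature binds A's exponential and A's name, so a substituted g^a or a signature issued for another initiator fails verification at A.

```python
# Added example (not from the slides): ISO-9798-3 as DH composed with signed
# challenge-response. Toy group and HMAC stand-in for signatures are
# assumptions of this example.
import hashlib
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime, toy size; use a standard group in practice
G = 3

def encode(*parts):
    """Length-prefix every field so sig_B{m, n, A} cannot be re-parsed as a
    different triple (a name followed by two numbers, etc.)."""
    out = b""
    for p in parts:
        raw = p.encode() if isinstance(p, str) else p.to_bytes(16, "big")
        out += len(raw).to_bytes(2, "big") + raw
    return out

def sig(key, *parts):
    return hmac.new(key, encode(*parts), hashlib.sha256).digest()

def verify(key, s, *parts):
    return hmac.compare_digest(s, sig(key, *parts))

def session_key(shared):
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

class Initiator:
    def __init__(self, name, sign_key):
        self.name, self.sign_key, self.key = name, sign_key, None

    def msg1(self):
        self.a = secrets.randbelow(P - 2) + 1            # a in [1, P-2]
        self.m = pow(G, self.a, P)                       # m := g^a
        return self.m, self.name                         # A -> B: g^a, A

    def on_msg2(self, n, s, peer_name, peer_key):
        # B's signature must cover my own m, B's n and my name
        if not verify(peer_key, s, self.m, n, self.name):
            raise ValueError("responder signature does not match this run")
        self.key = session_key(pow(n, self.a, P))        # g^ab from n = g^b
        return sig(self.sign_key, self.m, n, peer_name)  # A -> B: sig_A{m, n, B}

class Responder:
    def __init__(self, name, sign_key):
        self.name, self.sign_key, self.key = name, sign_key, None

    def on_msg1(self, m, peer_name):
        self.b = secrets.randbelow(P - 2) + 1
        self.m, self.n, self.peer = m, pow(G, self.b, P), peer_name
        return self.n, sig(self.sign_key, m, self.n, peer_name)  # B -> A: g^b, sig_B{m, n, A}

    def on_msg3(self, s, peer_key):
        if not verify(peer_key, s, self.m, self.n, self.name):
            raise ValueError("initiator signature does not match this run")
        self.key = session_key(pow(self.m, self.b, P))

KEY_A, KEY_B = b"demo-key-A" * 3, b"demo-key-B" * 3   # constructed signing keys

def run_protocol():
    """Honest run: returns (A's key, B's key); they must agree."""
    A, B = Initiator("A", KEY_A), Responder("B", KEY_B)
    m, a_name = A.msg1()
    n, sig_b = B.on_msg1(m, a_name)
    sig_a = A.on_msg2(n, sig_b, "B", KEY_B)
    B.on_msg3(sig_a, KEY_A)
    return A.key, B.key

def substituted_exponential_rejected():
    """If msg1 reaches B carrying a different exponential, B's signature
    covers that value, so A's check against its own m fails."""
    A, B = Initiator("A", KEY_A), Responder("B", KEY_B)
    A.msg1()
    n, sig_b = B.on_msg1(pow(G, 12345, P), "A")          # not A's m
    try:
        A.on_msg2(n, sig_b, "B", KEY_B)
    except ValueError:
        return True
    return False

def identity_mismatch_rejected():
    """B signs the name it believes it is talking to; a signature issued
    for some other initiator C does not verify at A."""
    A, B = Initiator("A", KEY_A), Responder("B", KEY_B)
    m, _ = A.msg1()
    n, sig_b = B.on_msg1(m, "C")
    try:
        A.on_msg2(n, sig_b, "B", KEY_B)
    except ValueError:
        return True
    return False
```

Compare with the two parts separately: plain DH (Part 1) would accept the substituted exponential, and challenge-response over fresh random m, n (Part 2) would authenticate but leave the parties with no key. Binding g^a and g^b into the signed triples is what lets the secrecy proof of Part 1 and the authentication proof of Part 2 compose.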
![Page 36: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/36.jpg)
Additional issues
Reasoning about honest principals: invariance rule, called “honesty rule”
Preserve invariants under composition: if we prove Honest(X) … for protocol 1 and compose with protocol 2, is the formula still true?
![Page 37: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/37.jpg)
More about composing protocols
(Figure: the invariant of DH, Honest(X) …, derives Secrecy, and the invariant of CR, Honest(X) …, derives Authentication; the composed protocol ISO derives Secrecy and Authentication; the two combinations are annotated [additive] and [nondestructive])
![Page 38: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/38.jpg)
PCL and Computational PCL
PCL: syntax, proof system, semantics in the symbolic model
Computational PCL: syntax (±), proof system (±), semantics in the complexity-theoretic model
![Page 39: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/39.jpg)
Some general issues
Computational PCL: symbolic logic for proving security properties of network protocols using public-key encryption
Soundness Theorem: if a property is provable in CPCL, then the property holds in the computational model with overwhelming asymptotic probability
Benefits: retain compositionality; symbolic proofs about the computational model; computational reasoning in the soundness proof (only!); different axioms rely on different crypto assumptions (going from symbolic to computational generally uses strong crypto assumptions)
![Page 40: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/40.jpg)
PCL vs Computational PCL
Syntax, proof rules mostly the same: retain compositional approach, but some issues with propositional connectives…
Significant differences:
Symbolic “knowledge”: Has(X,t): X can produce t from msgs that have been observed, by a symbolic algorithm
Computational “knowledge”: Possess(X,t): can produce t by a ppt algorithm; Indist(X,t): cannot distinguish from a random value in ppt
More subtle system: some axioms rely on CCA2, some are information-theoretically sound, etc.
![Page 41: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/41.jpg)
Computational Traces
Computational trace contains: symbolic actions of honest parties; mapping of symbolic variables to bitstrings; send-receive actions (only) of the adversary
Runs of the protocol: set of all possible traces, each tagged with the random bits used to generate the trace; tagging yields a set of equi-probable traces
![Page 42: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/42.jpg)
Complexity-theoretic semantics
Given protocol Q, adversary A, security parameter n, define T = T(Q,A,n), the set of all possible traces; [[]](T) is a subset of T that respects the formula in a specific way
Intuition: valid when [[]](T) is an asymptotically overwhelming subset of T
![Page 43: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/43.jpg)
Semantics of trace properties
Defined in a straightforward way:
[[Send(X, m)]](T) = all traces t such that t contains a Send(msg) action by X and the bitstring value of msg is the bitstring value of m
![Page 44: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/44.jpg)
Inductive Semantics
[[1 2]] (T) = [[1]] (T) [[2]] (T)
[[1 2]] (T) = [[1]] (T) [[2]] (T)
[[ ]] (T) = T - [[]] (T)
Implication uses a form of conditional probability:
[[1 2]] (T) = [[1]] (T) [[2]] (T’) where T’ = [[1]] (T)
![Page 45: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/45.jpg)
Semantics of Indistinguishable
Not a trace property. Intuition: Indist(X, m) holds if no algorithm can distinguish m from a random value, given X’s view of the run
(Figure: the protocol produces m and View(X); challenger C passes distinguisher D either m or a random value, depending on bit b, together with View(X); D outputs b’)
[[Indist(X, m)]] (T, D, e) = T if | #(t: b=b’) - |T|/2 | < e
![Page 46: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/46.jpg)
Validity of a formula
Q |= (formula) if for every adversary A and distinguisher D there exist a negligible function f and n0 such that for all n > n0: |[[]](T,D,f(n))| / |T| > 1 – f(n), with T = T(Q,A,n)
Fix protocol Q, PPT adversary A; choose value of security parameter n; vary random bits used by all programs; obtain set T = T(Q,A,n) of equi-probable traces
Fraction of traces where “the formula is true”
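The inductive semantics, the Indist clause and the validity clause of the last few slides, evaluated over a constructed set of traces as an added example (not from the talk or from any CPCL implementation). Assumptions of this example: a formula is a Python function `f(T, D, e)` returning the subset of T on which it holds; the bound in the Indist clause is read as e·|T| so that it is meaningful on subsets; the traces, X's view and the distinguisher are constructed. The point it makes is the one the slides call "conditional implication": Indist can hold over all of T and still fail on the sub-run T' where the antecedent is true, which the classical reading ¬φ1 ∨ φ2 cannot see.

```python
# Added example (not from the slides): trace-set semantics with the
# conditional implication. Traces, view and distinguisher are constructed.
from collections import namedtuple
from fractions import Fraction

# One trace: challenger bit b, whether the nonce appeared in the clear on
# this trace, and a coin the distinguisher falls back on otherwise.
Trace = namedtuple("Trace", "id b leak coin")

def make_traces(n=1000):
    """Deterministic construction: the nonce leaks on 1 trace in 10; on the
    other traces the fallback coin agrees with b exactly half of the time."""
    return frozenset(Trace(i, i % 2, i % 10 == 0, (i // 2) % 2) for i in range(n))

def view(t):
    """X's view of the run: the bit is visible only when the nonce leaked."""
    return (t.b if t.leak else None, t.coin)

def distinguisher(v):
    nonce_bit, coin = v
    return nonce_bit if nonce_bit is not None else coin

def prop(pred):
    """Trace property (like Send(X, m)): the traces satisfying pred."""
    return lambda T, D, e: frozenset(t for t in T if pred(t))

def indist(view_fn):
    """Indist(X, m): all of T if D's hit count is within e*|T| of |T|/2,
    otherwise empty. Not a trace property: it depends on T as a whole."""
    def sem(T, D, e):
        hits = sum(1 for t in T if D(view_fn(t)) == t.b)
        return frozenset(T) if abs(hits - len(T) / 2) < e * len(T) else frozenset()
    return sem

def conj(f, g):
    return lambda T, D, e: f(T, D, e) & g(T, D, e)

def disj(f, g):
    return lambda T, D, e: f(T, D, e) | g(T, D, e)

def neg(f):
    return lambda T, D, e: frozenset(T) - f(T, D, e)

def implies(f, g):
    """Conditional reading: [[f -> g]](T) = [[not f]](T) union [[g]](T')
    with T' = [[f]](T), so g is judged only on the traces where f holds."""
    def sem(T, D, e):
        Tp = f(T, D, e)
        return (frozenset(T) - Tp) | g(Tp, D, e)
    return sem

def classical_implies(f, g):
    return disj(neg(f), g)

def fraction_true(f, T, D, e):
    return Fraction(len(f(T, D, e)), len(T))

def valid(f, T, D, e, delta):
    """Finite stand-in for the validity clause: the fraction of traces on
    which f holds exceeds 1 - delta."""
    return fraction_true(f, T, D, e) > 1 - delta

LEAK = prop(lambda t: t.leak)

def demo(e=0.1, delta=0.05):
    """Fractions for Indist alone, Leak -> Indist (conditional and classical)
    and not Leak -> Indist over the constructed traces."""
    T, D = make_traces(), distinguisher
    return {
        "indist": fraction_true(indist(view), T, D, e),
        "leak_implies_indist": fraction_true(implies(LEAK, indist(view)), T, D, e),
        "classical": fraction_true(classical_implies(LEAK, indist(view)), T, D, e),
        "noleak_implies_indist": fraction_true(implies(neg(LEAK), indist(view)), T, D, e),
        "valid_conditional": valid(implies(LEAK, indist(view)), T, D, e, delta),
    }
```

Over all 1000 traces the distinguisher is right 550 times, within the e·|T| = 100 slack, so Indist holds everywhere. Restricted to the 100 leaking traces it is right every time, so the conditional Leak → Indist holds only on the 900 non-leaking traces (fraction 0.9, not valid at delta = 0.05), while the classical reading holds on all of them. The converse ¬Leak → Indist holds on every trace, which is the shape of secrecy claim the logic is meant to prove.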
![Page 47: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/47.jpg)
Advantages of Computational PCL
High-level reasoning, sound for “real crypto”: prove properties of protocols without explicit reasoning about probability, asymptotic complexity
Composability: PCL is designed for protocol composition; composition of individual steps, not just the coarser composition available with UC/RSIM
Can identify crypto assumptions needed: ISO-9798-3 [DDMW2006], Kerberos V5 [unpublished]
Thesis: existing deployed protocols have weak security properties, assuming weak security properties of primitives they use; UC/RSIM may be too strong
![Page 48: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/48.jpg)
CPCL analysis of Kerberos V5
Kerberos has a staged architecture: first stage generates a nonce and sends it encrypted; second stage uses that nonce as a key to encrypt another nonce; third stage uses the second-stage nonce to encrypt other msgs
Secrecy: logic proves the “GoodKey” property of both nonces
Authentication: proved assuming encryption provides ciphertext integrity
Modular proofs using composition theorems
![Page 49: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/49.jpg)
Challenges for computational reasoning
More complicated adversary: actions of the computational adversary do not have a simple inductive characterization
More complicated messages: computational messages are arbitrary sequences of bits, without an inductively defined syntactic structure
Different scheduler: simpler “non-preemptive” scheduling is typically used in computational models (change symbolic model for equiv)
Power of induction? Indistinguishability and other non-trace-based properties appear unsuitable as inductive hypotheses
Solution: prove a trace property inductively and derive secrecy
![Page 50: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/50.jpg)
Current and Future Work
Investigate nature of propositional fragment: non-classical implication related to conditional probability; complexity-theoretic reductions; connections with probabilistic logics (e.g. Nilsson86)
Generalize reasoning about secrecy: work in progress, thanks to Arnab; need to incorporate insight of “Rackoff’s attack”
Extend logic: more primitives: signature, hash functions, …
Complete case studies: produce correctness proofs for all widely deployed standards
Collaborate on foundational work – please join us! Implementation and case studies – please help us!
![Page 51: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/51.jpg)
Conclusions
Symbolic model supports useful analysis: tools, case studies, high-level proofs
Computational model more “correct”: captures accepted notions in cryptography; greater expressiveness for security properties
Two approaches can be combined: several current projects and approaches; one example: computational semantics for symbolic protocol logic
![Page 52: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/52.jpg)
Credits
Collaborators: M. Backes, A. Datta, A. Derek, N. Durgin, C. He, R. Kuesters, D. Pavlovic, A. Ramanathan, A. Roy, A. Scedrov, V. Shmatikov, M. Sundararajan, V. Teague, M. Turuani, B. Warinschi, …
More information: web page on Protocol Composition Logic, http://www.stanford.edu/~danupam/logic-derivation.html
Science is a social process
Talk this afternoon
![Page 53: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/53.jpg)
![Page 54: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/54.jpg)
Needham-Schroeder Protocol
A → B: { A, Nonce_A }_Kb
B → A: { Nonce_A, Nonce_B }_Ka
A → B: { Nonce_B }_Kb
Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1
![Page 55: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/55.jpg)
Anomaly in Needham-Schroeder [Lowe]
A → E: { A, Na }_Ke
E → B: { A, Na }_Kb
B → E: { Na, Nb }_Ka (B believes it is replying to A)
E → A: { Na, Nb }_Ka
A → E: { Nb }_Ke
E → B: { Nb }_Kb
Evil agent E tricks honest A into revealing private key Nb from B. Evil E can then fool B.
![Page 56: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/56.jpg)
Universal composability (also “reactive simulatability” [BPW], …; see [DKMRS])
(Figure: REAL world, protocol interaction among the parties with adversary A; IDEAL world, the parties interact with a trusted party; for every real adversary A there exists an adversary S)
Slide: Y. Lindell
![Page 57: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/57.jpg)
Proof system
Information-theoretic reasoning: [new n]X (Y X) Indist(Y, n)
Complexity-theoretic reductions: Verify(X, m, Y) Honest(X, Y) Y’ Sign(Y’, m)
Asymptotic calculations
![Page 58: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/58.jpg)
Example
Axiom: Source(Y,u,{m}X) Decrypts(X, {m}X) Honest(X,Y) (Z X,Y) Indistinguishable(Z, u)
Proof idea: crypto-style reduction. Assume the axiom is not valid: there are A, D such that for every negligible f and n0 there is n > n0 with |[[]](T,D,f)|/|T| < 1 – f(n). Construct attacker A’ that uses A, D to break an IND-CCA2 secure encryption scheme. Conditional implication is essential.
Parts of the proof are similar to [Micciancio, Warinschi]
![Page 59: Symbolic and Computational Analysis of Network Protocol Security](https://reader036.vdocuments.site/reader036/viewer/2022062410/56815df0550346895dcc1e5a/html5/thumbnails/59.jpg)
Applications of PCL
IKE, JFK family key exchange; IKEv2 in progress
802.11i wireless networking: SSL/TLS, 4-way handshake, group handshake
Kerberos v5 [Cervesato et al]; GDOI [Meadows, Pavlovic]
Current work: use CPCL to understand the computational security of these protocols and their reliance on specific crypto properties