Abstraction and Refinement in Protocol Derivation

Abstraction and Refinement in Protocol Derivation

Anupam Datta Ante DerekJohn C. Mitchell Dusko Pavlovic

Stanford University Kestrel Institute CSFW June 28, 2004

Project Goals Protocol derivation

Build security protocols by combining and refining parts from basic protocols.

Proof of correctness Prove protocols correct using logic

that follows steps of derivation.

Outline Background

Derivation System [CSFW03] Compositional Logic

[CSFW01,CSFW03] Abstraction and Refinement

Methods Applications

Conclusions and Future Work

Example Construct protocol with properties:

Shared secret Authenticated Identity Protection

Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)

Component 1

Shared secret (with someone) A deduces:

Knows(Y, gab) (Y = A) ۷ Knows(Y,b)

Authenticated Identity Protection

A B: ga

B A: gb

Diffie Hellman

Component 2

Shared secret Authenticated

A deduces: Received (B, msg1) Λ Sent (B, msg2)

Identity Protection

A B: m, AB A: n, sigB {m, n, A}A B: sigA {m, n, B}

Challenge-Response

Composition

Shared secret: gab

Authenticated Identity Protection

m := ga

n := gb

A B: ga, AB A: gb, sigB {ga, gb, A}A B: sigA {ga, gb, B}

ISO-9798-3

Refinement

Shared secret: gab

Authenticated Identity Protection

A B: ga, AB A: gb, EK {sigB {ga, gb, A}}A B: EK {sigA {ga, gb, B}}

Encrypt Signatures

Outline Background

Derivation System Compositional Logic

Abstraction and Refinement Methods Applications

Conclusions and Future Work

A B

Alice reasons: if Bob is honest, then: only Bob can generate his signature. [protocol independent] if Bob generates a signature of the form sigB {m, n, A},

he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice. [protocol specific]

Alice deduces: Received (B, msg1) Λ Sent (B, msg2)

m, A

n, sigB {m, n, A}

sigA {m, n, B}

Challenge-Response: Proof Idea

Formalism Cord calculus

Protocol programming language Protocol logic

Expressing protocol properties Proof system

Proving protocol properties

Symbolic (“Dolev-Yao”) model

A B

m, A

n, sigB {m, n, A}

sigA {m, n, B}

Challenge-Response as Cords

InitCR(A, X) = [new m;send A, X, m, A;receive X, A, x, sigX{m, x, A};send A, X, sigA{m, x, X};

]

RespCR(B) = [receive Y, B, y, Y;new n;send B, Y, n, sigB{y, n, Y};receive Y, B, sigY{y, n, B};

]

Correctness of CR

CR |- [ InitCR(A, B) ] A Honest(B) ActionsInOrder(

Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sigB {m, n, A}}}), Receive(A, {B,A,{n, sigB {m, n, A}}})

)

InitCR(A, X) = [new m;send A, X, {m, A};receive X, A, {x, sigX{m, x, A}};send A, X, sigA{m, x, X}};

]

RespCR(B) = [receive Y, B, {y, Y};new n;send B, Y, {n, sigB{y, n, Y}};receive Y, B, sigY{y, n, B}};

]

Proof System Sample Axioms:

Reasoning about possession: Has(A, {m}K) Has(A, K) Has(A, m) Has(A, {m,n}) Has(A, m) Has(A, n)

Reasoning about crypto primitives: Honest(X) Decrypt(Y, encX{m}) X=Y Honest(X) Verify(Y, sigX{m})

m’ (Send(X, m’) Contains(m’, sigX{m}) Protocol-specific Rule: Honesty/Invariance rule Soundness Theorem:

Every provable formula is valid

Outline Background

Derivation System Compositional Logic

Abstraction and Refinement Methods Applications

Conclusions and Future Work

Protocol Templates Protocols with function variables instead

of specific cryptographic operations Idea: One template can be instantiated

to many protocols Advantages:

proof reuse design principles/patterns

ExampleA B: mB A: n, F(B,A,n,m)A B: G(A,B,n,m)

A B: mB A: n,EKAB(n,m,B)A B: EKAB(n,m)

A B: mB A: n,HKAB(n,m,B) A B: HKAB(n,m,A)

A B: mB A: n, sigB(n,m,A)A B: sigA(n,m,B)

Challenge-Response Template

ISO-9798-2

ISO-9798-3

SKID3

Abstraction

Instantiations

Extending Formalism Language Extensions: Add function

variables to term language for cords and logic (HOL)

Semantics: Q |= φ σQ |= σφ, for all substitutions σ eliminating all function variables

Soundness Theorem: Every provable formula is valid

Abstraction-Instantiation Method(1) Characterizing protocol concepts

Step 1: Under hypotheses about function variables and invariants, prove security property of template

Step 2: Instantiate function variables to cryptographic operations and prove hypotheses.

Benefit: Proof reuse

ExampleChallenge-Response TemplateA B: m

B A: n, F(B,A,n,m)A B: G(A,B,n,m)

•Step 1:•Hypotheses: Function F(B,A,n,m) can be computed only by B or A,…•Property: Mutual authentication

•Step 2:•Instantiate F() to signature, keyed hash, encryption (ISO-9798-2,3, SKID3)•Satisfies hypotheses => Guarantees mutual authentication

Proof Structure

Template

axiom

hypothesis

Instance

Discharge hypothesis

Proof reuse

Abstraction-Instantiation Method(2) Combining protocol templates

If protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both.

Benefits: Modular proofs of properties Formalization of protocol refinements

Refinement Example Revisited

Two templates: Template 1: authentication + shared secret

(Preserves existing properties; proof reused) Template 2: identity protection (encryption)

(Adds new property)

A B: ga, AB A: gb, EK {sigB {ga, gb, A}}A B: EK {sigA {ga, gb, B}}

Encrypt Signatures

Authenticated key exchange

A B: ga, AB A: gb, F(B,A,gb,ga)A B: G(A,B,ga,gb)

A B: ga

B A: gb, F(B,gb,ga), F’(B,gab)A B: G(A,ga, gb), G’(A,gab)

AKE1 AKE2

•Shared secret•Stronger authentication•Identity protection for B•Non-repudiation

•Shared secret•Weaker authentication•Identity protection for A•Repudiability

H. Krawczyk: The Cryptography of the IPSec and IKE Protocols [CRYPTO’03]

ISO-9798-3, JFKi STS, JFKr, IKEv2, SIGMA

More examples… Authenticated Key Exchange:

Template for JFKr, STS, IKE, IKEv2 Key Computation:

Template for Diffie-Hellman, UM, MTI/A, MQV

Combining these templates

Synthesis: STS-MQV

STSPHcookie

STSP

MQVCPHMQVCPMQV MQVC

keyconf.

MQVRFK

protect identities

DH STS RFKsymmetric

hash

MTI/A

UM

MTIC

UMC

MTICP

UMCP

MTICPH

UMCPH

MTIRFK

UMRFK

authenticate

Conclusions Abstraction-Instantiation using protocol templates:

Single proof for similar protocols from common template Multiple protocol properties from different templates

Logical foundation: Add function variables to protocol language and logic

Applications: CR template: ISO-9798-2,3, SKID3 Identity protection refinement in JFK Design principles: IKEv2, JFKi, JFKr, ISO, STS, SIGMA, IKE Synthesis: DH-MQV + STS-JFKr

Future Work Done:

Derivation idea successfully applied to large set of protocol examples

Rigorous treatment of composition, refinement in protocol logic

Work In Progress: Tool support for derivation system and logic Formalization of protocol transformations More applications