View
216
Download
0
Tags:
Embed Size (px)
Citation preview
Security Analysis of Network Protocols
Anupam DattaStanford University
UW-Madison CSDApril 18, 2005
Outline
Part I: Overview• Motivation• Central problems
– Divide and Conquer paradigm– Combining logic and cryptography
• Results
Part II: Glimpses of technical machinery• Divide and Conquer Paradigm
– Protocol Derivation System– Protocol Composition Logic
• Combining logic and cryptography– Complexity-theoretic foundations
This talk is about…
Industrial network protocols • Internet Engineering Task Force (IETF)
Standards– SSL/TLS - web authentication– IPSec - corporate VPNs– Mobile IPv6 – routing security– Kerberos - network authentication– GDOI – secure group communication
• IEEE Standards Working Group– 802.11i - wireless security
And methods for their security analysis• Security proof in some model; or• Identify attacks
Motivating Example
{ A, Noncea }
{ Noncea, Nonceb }
{ Nonceb}
Ka
Kb
Result: A and B share two private numbers not known to any observer without Ka-1, Kb
-1
A B
Kb
[Needham-Schroeder78]
Anomaly in Needham-Schroeder
A E
B
{ A, Na }
{ A, Na }{ Na, Nb }
{ Na, Nb }
{ Nb }
Ke
KbKa
Ka
Ke
Evil agent E trickshonest A into revealingprivate key Nb from B.
Evil E can then fool B.
[Lowe96]
Characteristics of protocols
Relatively simple distributed programs• 5-7 steps, 3-10 fields per message (per
component) Mission critical
• Security of data, credit card numbers, … Subtle
• Concurrency: attack may combine data from many sessions
• Computation: modeling cryptographic primitives
Good domain for logical methods
Active research area since early 80’s
Security Analysis Methodology
Analysis Tool
Protocol Property
Security proof or attack
Attacker model
Our tool: Protocol
Composition Logic (PCL)
SSLauthenticatio
n
-Complete control
over network
-Perfect crypto
42 line axiomatic
proof
Classifying Attacks
Implementation bugs• Buffer overflow, format string
vulnerabilities Cryptography breaks
• IEEE 802.11b (WEP encryption), GSM cell phone
Protocol flaws• Needham-Schroeder, IKE, IEEE 802.11i•Focus on protocol flaws assuming “strong crypto”
•Complexity-theoretic characterization of “strong crypto”
IEEE 802.11i wireless security [2004]
Wireless Device
Access Point
Authentication Server
802.11 Association
EAP/802.1X/RADIUS Authentication
4-way handshake
Group key handshake
Data communication
•Divide-and-conquer paradigm•Combining logic and cryptography
Uses crypto: encryption, hash,
…
Divide-and-Conquer paradigm
Result: Protocol Derivation System • Incremental protocol construction
Result: Protocol Composition Logic (PCL)• Compositional correctness proofs
Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], …
Composition is a hard problem in security
Central Problem 1
Combining logic and cryptography
Symbolic model [DY84]- Perfect cryptography assumption+ Idealization => tools and techniques
Complexity-theoretic model [GM84]+ More detailed model; probabilistic guarantees- Hand-proofs very hard; no automation
Result: Computational PCL + Logical proof methods + Complexity-theoretic crypto model
Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]
Central Problem 2
Applied to industrial protocols
IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG)
IKEv2 [IETF Internet Draft; 2004] TLS/SSL [RFC 2246; 1999] Kerberos V5 [IETF Internet Draft; 2004] GDOI Secure Group Communication protocol
[RFC 3547; 2003] (Attack! Fix adopted by IETF WG)
Many More:• STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-
3, NSL,…
IPSec
Widely deployed: Corporate VPNs Provides secrecy and integrity IKEv2 is the IPSec key exchange protocol
Internet
IP layer host-to-host security
IKEv2 [IETF ID 2004]
IKE_AUTH (Authenticate)
IKE_CHILD_SA (Rekey)
I R: HDR, SAi1, gi, Ni R I: HDR, SAr1, gr, Nr
IKE_INIT (Exchange key material)
I R: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}
R I: HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr}
•Modular proofs
•Multi-mode (Unified “template” proof)
• Properties: authentication, shared secret, identity & DoS protection, repudiability
Multi-mode protocol: authenticator can
use either signature or pre-shared key
Mobile IPv6 [IETF ID 2004]
Stanford
Wisconsin
Home address
Home addres
s
Care of address
Correspondent Node
•Change of location
•Authentication
•DoS issues
•Protocol breaks if attacker controls complete network
GDOI [RFC 3547, 2003]
•Secure group communication
•Composition attack
•Fix adopted by IETF WG
Communicating in a group can be difficult…
Public networkGroup
controller
Protocol analysis spectrum
Low High
Hig
hL
owStr
en
gth
of
atta
ck
er m
od
el
Protocol complexity
Mur
FDR
NRLAthena
Hand proofs
Paulson
BAN logic
Spi-calculus
Poly-time calculus
Model checking
Protocol logic
Computational Protocol logic
Multiset rewriting
Holy
Grail
Combining logic and cryptography
Divide and
conquer
Outline
Part I: OverviewPart II: Glimpses of technical
machinery• Divide and conquer paradigm
– Protocol Derivation System– Protocol Composition Logic
• Combining logic and cryptography– Complexity-theoretic foundations
Protocol Derivation System
Construct protocol with properties:• Shared secret • Authenticated• Identity Protection• DoS Protection
Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)
Component 1
• Shared secret (with someone)– A deduces:
Knows(Y, gab) (Y = A) ۷ Knows(Y,b)
• Authenticated• Identity Protection• DoS Protection
A B: ga
B A: gb
Diffie Hellman
Component 2
• Shared secret• Authenticated
– A deduces: Received (B, msg1) Λ Sent (B, msg2)
• Identity Protection• DoS Protection
A B: m, AB A: n, sigB {m, n, A}A B: sigA {m, n, B}
Challenge-Response
Composition
• Shared secret: gab
• Authenticated• Identity Protection• DoS Protection
m := ga
n := gb
A B: ga, AB A: gb, sigB {ga, gb, A}A B: sigA {ga, gb, B}
ISO-9798-3
Technically: sequential composition with variable substitution
Refinement
• Shared secret: gab
• Authenticated• Identity Protection • DoS Protection
A B: ga, AB A: gb, EK {sigB {ga, gb, A}}A B: EK {sigA {ga, gb, B}}
Encrypt Signatures
Technically: term replacement/function variable substitution
Transformation
• Shared secret: gab
• Authenticated• Identity Protection• DoS Protection
A B: ga, AB A: gb, hashKB {gb, ga}
A B: ga, gb, EK {sigA {ga, gb, B}}, hashKB {gb, ga} B A: gb, EK {sigB {ga, gb, A}}
Use cookie: JFK core protocol
Technically: program transformation
Tool Support (PDA)
Outline
Part I: OverviewPart II: Glimpses of technical
machinery• Divide and conquer paradigm
– Protocol Derivation System– Protocol Composition Logic
• Combining logic and cryptography– Complexity-theoretic foundations
A B
Alice reasons: if Bob is honest, then:• only Bob can generate his signature. [protocol
independent]
• if Bob generates a signature of the form sigB {m, n, A}, – he sends it as part of msg 2 of the protocol and – he must have received msg1 from Alice. [protocol specific]
Alice deduces: Received (B, msg1) Λ Sent (B, msg2)
m, A
n, sigB {m, n, A}
sigA {m, n, B}
Challenge-Response: Proof Idea
Reasoning method
Reason about local information• I know my own actions
Incorporate knowledge of protocol• Honest people faithfully follow protocol
No explicit reasoning about intruder• Absence of bad action expressed as a
positive property of good actions– E.g., honest agent’s signature can be
produced only by the agent
Distinguishes our method from existing techniques
Formalism
Cord calculus• Protocol programming language• Execution model (Symbolic/“Dolev-Yao”)
Protocol logic• Expressing protocol properties
Proof system• Proving protocol properties• Soundness theorem
A B
m, A
n, sigB {m, n, A}
sigA {m, n, B}
Challenge-Response as Cords
InitCR(A, X) = [new m;send A, X, m, A;receive X, A, x, sigX{m, x, A};
send A, X, sigA{m, x, X};
]
RespCR(B) = [receive Y, B, y, Y;new n;send B, Y, n, sigB{y, n, Y};
receive Y, B, sigY{y, n, B};
]
Challenge Response: Property
Modal form: [ actions ]P • precondition: Fresh(A,m)• actions: [ Initiator role actions ]A • postcondition: Honest(B) ActionsInOrder(
send(A, {A,B,m}), receive(B, {A,B,m}), send(B, {B,A,{n, sigB {m, n, A}}}), receive(A, {B,A,{n, sigB {m, n, A}}}) )
Proof System
Sample Axioms:• Reasoning about possession:
– [receive m ]A Has(A,m)– Has(A, {m,n}) Has(A, m) Has(A, n)
• Reasoning about crypto primitives:– Honest(X) Decrypt(Y, encX{m}) X=Y– Honest(X) Verify(Y, sigX{m})
m’ (Send(X, m’) Contains(m’, sigX{m})
Soundness Theorem: Every provable formula is valid
Reasoning about Composition
Non-destructive Combination: Ensure combined parts do not
interfere– In logic: invariance assertions
Additive Combination: Accumulate security properties of
combined parts, assuming they do not interfere– In logic: before-after assertions
Proof steps (Intuition)
Protocol independent reasoning• Has(A, {m,n}) Has(A, m) Has(A, n)• Still good: unaffected by composition
Protocol specific reasoning• “if honest Bob generates a signature of the form
sigB {m, n, A},
– he sends it as part of msg 2 of the protocol and – he must have received msg1 from Alice”
• Could break: Bob’s signature from one protocol could be used to attack another
Technically:
•Protocol-specific proof steps use invariants
•Invariants must be preserved for safe composition
Composing protocols
DH Honest(X) …
(Invariant) ’
|- Secrecy ’ |- Authentication
’ |- Secrecy ’ |- Authentication
’ |- Secrecy Authentication [additive]
DH CR ’ [nondestructive] ISO Secrecy Authentication
=CR Honest(X) …
Sequential and parallel composition theorems
Composition Rules Invariant weakening rule
|- […]P
’ |- […]P
Sequential Composition |- [ S ] P |- [ T ] P
|- [ ST ] P Prove invariants from protocol
Q Q’ Q Q’
Also have proof method for class of refinements & transformations
Applications
IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG)
IKEv2 [IETF Internet Draft; 2004] TLS [RFC 2246; 1999] Kerberos V5 [IETF Internet Draft; 2004] GDOI Secure Group Communication protocol
[RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
Many More:• STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-
3, NSL,…
Tool Support
Isabelle Proof Assistant for PCL• Encode syntax and proof system of PCL
into a generic theorem-proverconsts PSend :: "[thread,CTerm] => o"syntax PSend :: "[threadI,CTermlist] => actformI" ("Send'(_,_')")axioms AA1S: "{P, X[send t], Send(X,t)}" REC : "Receive(X,t) --> Has(X,t)"Rule: SEQ: "[|{P, X[S1], Q} ; {Q, X[S2], R}|] ==> {P, X[S1 ; S2], R}"
Sample proof (forward reasoning)
lemma "{P,X[new t; send t],Has(X,t) & Send(X,t)}"; proof -; have A: "{P,X[new t; send t],Has(X,t)}"; apply (rule G3); apply (rule SEQ); apply (rule AA1N); apply (rule P1N); apply (blast); apply (rule ORIG); done;
Use PCL axioms and rules to carry out proofs Use Isabelle’s first-order reasoner
Outline
Part I: OverviewPart II: Glimpses of technical
machinery• Divide and conquer paradigm
– Protocol Derivation System– Protocol Composition Logic
• Combining logic and cryptography– Complexity-theoretic foundations
Symbolic model[NS78,DY84]
Complexity-theoretic model [GM84]
Attacker actions -Fixed set of actions, e.g., decryption with known key(ABSTRACTION)
+ Any probabilistic poly-time computation
Security properties -Idealized, e.g., secret message = not possessing atomic term representing message(ABSTRACTION)
+ Fine-grained, e.g., secret message = no partial information about bitstring representation
Analysis methods + Successful array of tools and techniques; automation
- Hand-proofs are difficult, error-prone; no automation
Can we get the best of both worlds?
Two worlds
Our Approach
Protocol Composition Logic (PCL)
•Syntax
•Proof System
Symbolic “Dolev-Yao” model
•Semantics
Computational PCL
•Syntax ±
•Proof System ±
Complexity-theoretic model
•Semantics
Talk so far…Leverage PCL success
Idea: Use same logical proof methods for complexity-theoretic cryptography
Our result
Computational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption
Soundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1.+ Symbolic proofs+ Complexity-theoretic model
Logical methods for complexity-theoretic cryptography
Soundness of proof system
Information-theoretic reasoning[new u]X (Y X) Indistinguishable(Y, u)
Complexity-theoretic reductions Source(Y,u,{m}X) Decrypts(X, {m}X)
Honest(X,Y) (Z X,Y) Indistinguishable(Z, u)
Asymptotic calculations
Sum of two negligible functions is a negligible function
Reduction to CCA2-secure encryption scheme
Summary
Methodology:• Divide-and-conquer paradigm in security• Combining logic and cryptography
Applications:• IEEE 802.11i (Attack! Fix adopted by IEEE
WG)
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
• IKEv2 [IETF Internet Draft; 2004]• TLS [RFC 2246; 1999]• Kerberos V5 [IETF Internet Draft; 2004]
Research Directions
Bring automated tools and techniques to industrial protocol design
Formal methods and cryptography Composition of secure systems Apply similar techniques to other
kinds of security mechanisms• Web services
Software analysis of secure systems • Model-checking C code