Protocol Analysis Techniques
Crypto Protocol Analysis
• Formal models (Dolev-Yao: perfect cryptography)
  – Protocol logics: BAN, PCL
  – Model checking: Murphi, AVISPA
  – Inductive proofs: Paulson, MSR
  – Process calculi: Applied π-calculus, …
• Computational models: random oracle, probabilistic process calculi, probabilistic I/O automata, …
Protocol Composition Logic
Intuition
Formalism
• Protocol programming language
• Protocol logic
• Proof system
Example
• Signature-based challenge-response
Proof techniques (TODAY)
Example: JFK Protocol
Recall earlier lecture about JFK design
Today we will describe corresponding proof techniques
Ingredient 1: Diffie-Hellman
A → B: g^a
B → A: g^b
• Shared secret: g^ab, but only against a passive attacker; an active attacker can substitute its own exponents
• Authentication: none; neither party learns who it shares g^ab with
• Identity protection: not addressed; no identities are exchanged at all
Ingredient 2: Challenge-Response
A → B: m, A
B → A: n, sig_B{m, n, A}
A → B: sig_A{m, n, B}
• Shared secret: none; the nonces m and n travel in the clear
• Authentication: yes, each side signs the other's fresh nonce together with the peer's name
• Identity protection: none; A and B appear in the clear and inside the signatures
DH + Challenge-Response
ISO 9798-3 protocol:
A → B: g^a, A
B → A: g^b, sig_B{g^a, g^b, A}
A → B: sig_A{g^a, g^b, B}
• Shared secret: g^ab, now authenticated
• Authentication: yes, inherited from challenge-response
• Identity protection: none
Formalized as sequential composition: the DH exponentials play the role of the challenge-response nonces
m := g^a
n := g^b
Ingredient 3: Encryption
Encrypt signatures to protect identities, with K derived from g^ab:
A → B: g^a, A
B → A: g^b, E_K{sig_B{g^a, g^b, A}}
A → B: E_K{sig_A{g^a, g^b, B}}
• Shared secret: g^ab
• Authentication: yes
• Identity protection: the signatures, which name both parties, are now hidden from an eavesdropper
Formalized using abstraction-refinement
Modular Proofs
• Parallel Composition
• Sequential Composition
Generic Template-style Proofs
• Function variables
• Higher-order logic extension
PCL Proof Techniques
Parallel Composition of Protocols
The parallel composition Q1 | Q2 of protocols Q1 and Q2 is the union of the sets of roles of Q1 and Q2 (both protocols run concurrently, possibly sharing long-term keys).
Example:
• IKEv2 | SSL
Compositional Proofs: Intuition
Protocol-specific reasoning
• Invariant: "if honest Bob generates a signature of the form sig_B{m, n, A}, he sends it as part of msg2 …"
  – Could break: Bob's signature from one protocol could be used to attack another
  – PCL proof system: Invariant rule
Protocol-independent reasoning
• Axiom stating unforgeability of signatures
  – Still good: unaffected by composition
• All other axioms and proof rules of PCL
Proof Tree
[Figure: proof tree. Leaves are axioms (e.g. signature unforgeability); the INV rule derives Q1 ⊢ Inv from the roles of Q1; the other rules derive the security property from the invariant, Inv ⊢ Auth. Under composition the bulk of the proof (Inv ⊢ Auth) is reused; the additional work is to prove Q2 ⊢ Inv, which gives Q1 | Q2 ⊢ Inv.]
Theorem: If Q ⊢ Inv and Q' ⊢ Inv, then Q | Q' ⊢ Inv [DDMP CSF'03 → JCS Special Issue, MFPS'03]
Parallel Composition Theorem
IF
• Q1 satisfies the security property in isolation
• Q2 respects the invariants of Q1 used in the proof of the security property
THEN
• Q1 | Q2 also satisfies the security property
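The second condition of the theorem, that Q2 respects the invariants of Q1, can be checked syntactically when the invariant is about the shape of the signatures honest principals generate, as in the intuition slide above. The following is an added example and not part of the lecture: roles are symbolic send/receive actions over terms, Q1 is the signature-based challenge-response from the intuition slide, and two constructed candidate protocols Q2 are checked for whether any signature their honest B generates unifies with the form sig_B{m, n, A}. The term syntax, the '?x' variable convention and both Q2 protocols are assumptions of the example; the check is conservative (it flags every unifiable shape, not only those an attacker could actually exploit).

```python
"""Does protocol Q2 respect the signature invariant of Q1?

Added example, not the lecture's code.  Roles are lists of send/receive
actions over symbolic terms; variables are strings beginning with '?'.
Q1's invariant: "honest B only signs sig_B{m, n, A} as part of msg2".
Q2 respects it (conservatively) when no signature an honest role of Q2
generates unifies with that form.
"""


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def resolve(t, subst):
    while is_var(t) and t in subst:
        t = subst[t]
    return t


def unify(s, t, subst):
    """Syntactic unification; returns the extended substitution or None.
    No occurs check: fine for the finite, non-recursive terms used here."""
    s, t = resolve(s, subst), resolve(t, subst)
    if s == t:
        return subst
    if is_var(s):
        return {**subst, s: t}
    if is_var(t):
        return {**subst, t: s}
    if isinstance(s, tuple) and isinstance(t, tuple) and len(s) == len(t):
        for x, y in zip(s, t):
            subst = unify(x, y, subst)
            if subst is None:
                return None
        return subst
    return None


def rename(t, suffix):
    """Give each protocol's variables their own namespace before comparing."""
    if is_var(t):
        return t + suffix
    if isinstance(t, tuple):
        return tuple(rename(x, suffix) for x in t)
    return t


def subterms(t):
    yield t
    if isinstance(t, tuple):
        for x in t:
            yield from subterms(x)


def signatures_generated(protocol):
    """(signer, payload) for every signature a role builds under its own key."""
    out = []
    for role in protocol.values():
        for action, term in role["actions"]:
            if action != "send":
                continue
            for t in subterms(term):
                if isinstance(t, tuple) and len(t) == 3 and t[0] == "sig" and t[1] == role["self"]:
                    out.append((t[1], t[2]))
    return out


def invariant_violations(q2, inv_signature):
    """Signatures of Q2 that could pass for the form Q1's invariant reserves.
    An empty list means Q2 respects the invariant."""
    target = rename(inv_signature, "_q1")
    return [
        (signer, payload)
        for signer, payload in signatures_generated(q2)
        if unify(rename(("sig", signer, payload), "_q2"), target, {}) is not None
    ]


# Q1: the signature-based challenge-response of the lecture.
SIG_B = ("sig", "?B", ("?m", "?n", "?A"))
CR = {
    "Init": {"self": "?A", "actions": [
        ("send", ("?A", "?B", ("?m", "?A"))),
        ("receive", ("?B", "?A", ("?n", SIG_B))),
        ("send", ("?A", "?B", ("sig", "?A", ("?m", "?n", "?B")))),
    ]},
    "Resp": {"self": "?B", "actions": [
        ("receive", ("?A", "?B", ("?m", "?A"))),
        ("send", ("?B", "?A", ("?n", SIG_B))),
        ("receive", ("?A", "?B", ("sig", "?A", ("?m", "?n", "?B")))),
    ]},
}

# Constructed Q2 candidates.  TIMESTAMP: B signs a tagged pair.  TRIPLE: B
# signs an untagged (nonce, nonce, name) triple, the shape of Q1's msg2.
TIMESTAMP = {"Server": {"self": "?B", "actions": [
    ("receive", ("?C", "?B", "?req")),
    ("send", ("?B", "?C", ("sig", "?B", ("timestamp", "?t")))),
]}}
TRIPLE = {"Resp": {"self": "?B", "actions": [
    ("receive", ("?C", "?B", "?x")),
    ("send", ("?B", "?C", ("?y", ("sig", "?B", ("?y", "?x", "?C"))))),
]}}
```

`invariant_violations(TIMESTAMP, SIG_B)` is empty, so TIMESTAMP | CR only needs the reused proof of Inv ⊢ Auth; `invariant_violations(TRIPLE, SIG_B)` reports B's triple signature, which is exactly the "signature from one protocol used to attack another" situation the intuition slide warns about. The practical design rule this check encodes is to make the signed message formats of co-deployed protocols syntactically disjoint (e.g. by a constant tag), so that no such unification exists.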
Sequential Composition of Protocols
Run protocols in sequence. Examples:
• Key exchange followed by secure sessions that use the exchanged key
• Diffie-Hellman followed by Challenge-Response = ISO-9798-3
ISO-9798-3 Key Exchange
A → B: g^a, A
B → A: g^b, sig_B{g^a, g^b, A}
A → B: sig_A{g^a, g^b, B}
• Shared secret: g^ab
• Authentication: do we need to prove it from scratch?
Goal: Combine proofs of Diffie-Hellman and challenge-response sub-protocols
Abstract challenge response
Free variables m and n instead of nonces
Modal form: precondition [ actions ]_P postcondition
• precondition: Fresh(A, m)
• actions: [ InitACR ]_A
• postcondition: Honest(B) ⊃ Authentication
Secrecy is proved from properties of Diffie-Hellman
InitACR(A, X, m) = [ send A, X, {m};
                     receive X, A, {x, sig_X{m, x}};
                     send A, X, sig_A{m, x} ]
RespACR(B, n) = [ receive Y, B, {y};
                  send B, Y, {n, sig_B{y, n}};
                  receive Y, B, sig_Y{y, n} ]
Diffie-Hellman: Property
Formula: true [ new a ]_A Fresh(A, g^a)
Diffie-Hellman property: g^ab can be computed from g^a and b, or from g^b and a; it cannot be computed from g^a and g^b alone (the computational Diffie-Hellman assumption)
Challenge Response: Property
Modal form: precondition [ actions ]_P postcondition
• precondition: Fresh(A, m)
• actions: [ Initiator role actions ]_A
• postcondition: Honest(B) ⊃ ActionsInOrder(
    send(A, {A, B, m}),
    receive(B, {A, B, m}),
    send(B, {B, A, {n, sig_B{m, n, A}}}),
    receive(A, {B, A, {n, sig_B{m, n, A}}}) )
Composition: DH + CR = ISO-9798-3
• Additive combination: the DH postcondition Fresh(A, g^a) matches the CR precondition Fresh(A, m)
Sequential composition:
• Substitute g^a for m in CR to obtain ISO
• Apply composition rule
• ISO initiator role inherits CR authentication
• DH secrecy is also preserved, proved using another application of the composition rule
• Nondestructive combination: DH and CR satisfy each other's invariants
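As an added example covering the three ingredients (Diffie-Hellman, signed challenge-response, encrypted signatures) and this composition slide, the following Python runs ISO 9798-3 with both parties' messages and checks the composed properties on the resulting trace: the DH exponentials substituted for the nonces (m := g^a, n := g^b), the challenge-response postcondition ActionsInOrder over the trace, and that the Ingredient 3 refinement removes the signatures from an eavesdropper's view. This is not the lecture's code. Signatures and encryption are Dolev-Yao terms (tuples that only the key holder is assumed to build, the symbolic model the logic is sound for); Diffie-Hellman runs over a toy 61-bit prime with generator 5, and the session key K is derived from g^ab with SHA-256. All of these are assumptions of the example, not choices the lecture makes.

```python
"""ISO 9798-3 as Diffie-Hellman + challenge-response, executed symbolically.

Added example, not the lecture's code. sig/enc are Dolev-Yao terms that only
the key holder is assumed to build; DH uses a toy 61-bit prime (assumption:
use a standard MODP group in practice); K = SHA-256(g^ab) is an assumption.
"""
import hashlib
import secrets

P = 2**61 - 1   # toy modulus (Mersenne prime), assumption
G = 5           # toy generator, assumption
A, B = "A", "B"


def sig(signer, payload):          # sig_signer{payload}
    return ("sig", signer, payload)


def enc(key, payload):             # E_key{payload}
    return ("enc", key, payload)


def dec(term, key):
    if term[:2] != ("enc", key):
        raise ValueError("decryption with the wrong key")
    return term[2]


def session_key(shared_secret):
    return hashlib.sha256(str(shared_secret).encode()).hexdigest()


def run_iso9798_3(encrypt_signatures=False):
    """Honest run of A and B. False: ISO 9798-3 (Ingredients 1 + 2).
    True: the Ingredient 3 refinement with signatures under E_K."""
    trace = []
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    ga = pow(G, a, P)                                  # new a: Fresh(A, g^a)
    m1 = (ga, A)                                       # msg1  A -> B: g^a, A
    trace += [(A, "send", (A, B, m1)), (B, "receive", (A, B, m1))]

    gb = pow(G, b, P)
    kB = session_key(pow(m1[0], b, P))                 # B's g^ab
    sB = sig(B, (m1[0], gb, A))                        # CR with m := g^a, n := g^b
    m2 = (gb, enc(kB, sB) if encrypt_signatures else sB)   # msg2  B -> A
    trace += [(B, "send", (B, A, m2)), (A, "receive", (B, A, m2))]

    kA = session_key(pow(m2[0], a, P))                 # A's g^ab
    sigB = dec(m2[1], kA) if encrypt_signatures else m2[1]
    if sigB != sig(B, (ga, m2[0], A)):                 # A's challenge-response check
        raise ValueError("A rejects msg2")
    sA = sig(A, (ga, m2[0], B))
    m3 = enc(kA, sA) if encrypt_signatures else sA     # msg3  A -> B
    trace += [(A, "send", (A, B, m3)), (B, "receive", (A, B, m3))]

    sigA = dec(m3, kB) if encrypt_signatures else m3
    if sigA != sig(A, (m1[0], gb, B)):                 # B's check
        raise ValueError("B rejects msg3")
    return {"trace": trace, "kA": kA, "kB": kB, "ga": ga, "gb": gb}


def actions_in_order(trace, *expected):
    """PCL ActionsInOrder: the expected events occur in the trace in this order."""
    pos = 0
    for event in expected:
        try:
            pos = trace.index(event, pos) + 1
        except ValueError:
            return False
    return True


def cr_authentication(run, encrypted=False):
    """The challenge-response postcondition from the lecture, instantiated with
    m = g^a, n = g^b (and the msg2 signature under E_K for the refinement)."""
    ga, gb = run["ga"], run["gb"]
    sB = sig(B, (ga, gb, A))
    m2 = (gb, enc(run["kB"], sB) if encrypted else sB)
    return actions_in_order(
        run["trace"],
        (A, "send", (A, B, (ga, A))),
        (B, "receive", (A, B, (ga, A))),
        (B, "send", (B, A, m2)),
        (A, "receive", (B, A, m2)),
    )


def visible_signatures(trace):
    """Distinct signatures an eavesdropper can read, i.e. not under enc."""
    seen = []

    def walk(t):
        if isinstance(t, tuple) and t:
            if t[0] == "enc":
                return                                 # hidden from the network
            if t[0] == "sig" and t not in seen:
                seen.append(t)
            for sub in t:
                walk(sub)

    for _, _, payload in trace:
        walk(payload)
    return seen
```

`run_iso9798_3()` yields a trace on which both sides hold the same K and `cr_authentication` holds, which is the inherited CR postcondition; with `encrypt_signatures=True` the same postcondition holds (the only change is the E_K wrapper around msg2) and `visible_signatures` is empty. Note that A's name still travels in the clear in msg1 exactly as on the slides; what the refinement hides is the signed material naming both parties.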
Sequential Composition Theorem
• Both protocols should satisfy each other's invariants (similar to parallel composition)
• Post-condition of the first protocol should match the pre-condition of the second
PCL Proof Techniques
Protocol Templates
Protocols with function variables instead of specific cryptographic operations
Idea: one template can be instantiated to many protocols
Advantages:
• proof reuse
• design principles/patterns
[DDMP CSF'04]
Example
Challenge-Response Template:
A → B: m
B → A: n, F(B, A, n, m)
A → B: G(A, B, n, m)
Instantiations:
ISO-9798-2 (symmetric encryption):
A → B: m
B → A: n, E_KAB(n, m, B)
A → B: E_KAB(n, m)
SKID3 (keyed hash):
A → B: m
B → A: n, H_KAB(n, m, B)
A → B: H_KAB(n, m, A)
ISO-9798-3 (signatures):
A → B: m
B → A: n, sig_B(n, m, A)
A → B: sig_A(n, m, B)
Extending Formalism
Language extensions
• Add function variables to the term language for cords and to the logic (higher-order logic)
Semantics
• Q |= φ iff σQ |= σφ for all substitutions σ eliminating all function variables
Soundness theorem
• Every provable formula is valid
Abstraction-Instantiation Method (1)
Characterizing protocol concepts
• Step 1: Under hypotheses about function variables and invariants, prove the security property of the template
• Step 2: Instantiate function variables to cryptographic operations and prove the hypotheses
Benefit:
• Proof reuse
Example
Challenge-Response Template:
A → B: m
B → A: n, F(B, A, n, m)
A → B: G(A, B, n, m)
• Step 1:
  – Hypotheses: function F(B, A, n, m) can be computed only by B or A, …
  – Property: mutual authentication
• Step 2:
  – Instantiate F() to signature (ISO-9798-3), keyed hash (SKID3), encryption (ISO-9798-2)
  – Satisfies hypotheses ⇒ guarantees mutual authentication
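The two steps above, as an added example that is not the lecture's code: the template is written once, parameterised by the function variables F and G, and instantiated with SKID3's keyed hash (Step 2 for one instance). A second, deliberately unkeyed instantiation, constructed for the example, shows that the template still runs to completion between honest parties but the Step 1 hypothesis "F(B, A, n, m) can be computed only by B or A" fails, which is what the Step 2 check has to catch. The key material, the principals A, B and the outsider E, and verification by recomputation are assumptions of the example; the signature instantiation (ISO 9798-3) would need a public-key library and a separate verification function.

```python
"""Challenge-response template with function variables F and G.

Added example, not the lecture's code.  The template
    A -> B: m ; B -> A: n, F(B, A, n, m) ; A -> B: G(A, B, n, m)
is written once and parameterised by F and G.  Verification is by
recomputation, which fits keyed-hash and symmetric-key instantiations.
Keys, principal names and the outsider E are constructed for the example.
"""
import hashlib
import hmac
import secrets

# Long-term keys: each principal holds exactly the keys of the pairs it is in.
LONG_TERM = {
    frozenset({"A", "B"}): secrets.token_bytes(32),
    frozenset({"A", "E"}): secrets.token_bytes(32),
    frozenset({"B", "E"}): secrets.token_bytes(32),
}


def key_of(actor, X, Y):
    """K_XY if `actor` is X or Y (and so holds it), else None."""
    pair = frozenset({X, Y})
    return LONG_TERM.get(pair) if actor in pair else None


def encode(*fields):
    """Length-prefixed encoding so (n, m, X) cannot be re-parsed ambiguously."""
    out = b""
    for f in fields:
        f = f.encode() if isinstance(f, str) else f
        out += len(f).to_bytes(2, "big") + f
    return out


# Instantiation 1 (SKID3): F(X, Y, n, m) = H_KXY(n, m, X).  G is the same
# function with the roles swapped, exactly as on the slide.
def skid3(actor, X, Y, n, m):
    k = key_of(actor, X, Y)
    if k is None:
        return None                        # actor cannot compute it
    return hmac.new(k, encode(n, m, X), hashlib.sha256).digest()


# Instantiation 2 (constructed, deliberately bad): an unkeyed hash.
def unkeyed(actor, X, Y, n, m):
    return hashlib.sha256(encode(n, m, X)).digest()


def verify(F, actor, tag, X, Y, n, m):
    expected = F(actor, X, Y, n, m)
    return expected is not None and hmac.compare_digest(expected, tag)


def run_template(F, G, A, B):
    """Honest run of the template; True iff both A and B accept."""
    m = secrets.token_bytes(16)            # A's challenge
    n = secrets.token_bytes(16)            # B's challenge
    msg2 = (n, F(B, B, A, n, m))           # B computes F(B, A, n, m)
    if not verify(F, A, msg2[1], B, A, n, m):
        return False
    msg3 = G(A, A, B, n, m)                # A answers with G(A, B, n, m)
    return verify(G, B, msg3, A, B, n, m)


def can_compute(F, X, Y, principals=("A", "B", "E")):
    """Step 2 check of the Step 1 hypothesis: which principals reproduce the
    value F(X, Y, n, m) that X itself computes."""
    n, m = secrets.token_bytes(16), secrets.token_bytes(16)
    reference = F(X, X, Y, n, m)
    return {p for p in principals if F(p, X, Y, n, m) == reference}


def hypothesis_holds(F, X, Y):
    return can_compute(F, X, Y) == {X, Y}
```

`run_template(skid3, skid3, "A", "B")` and `run_template(unkeyed, unkeyed, "A", "B")` both succeed, so a successful honest run says nothing about security; `hypothesis_holds(skid3, "B", "A")` is true while `hypothesis_holds(unkeyed, "B", "A")` is false because E reproduces the unkeyed value. Only the first instantiation inherits the template's mutual-authentication proof.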
Abstraction-Instantiation Method (2)
Combining protocol templates: if protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both.
Benefits:
• Modular proofs of properties
• Formalization of protocol refinements
Refinement Example Revisited
Two templates:
• Template 1: authentication + shared secret (preserves existing properties; proof reused)
• Template 2: identity protection (encryption) (adds new property)
Encrypt signatures:
A → B: g^a, A
B → A: g^b, E_K{sig_B{g^a, g^b, A}}
A → B: E_K{sig_A{g^a, g^b, B}}
Summary
PCL – logic for security protocols
• Sound wrt symbolic and cryptographic models
• High-level short proofs: 2-3 pages
Proof techniques
• Modular/compositional proofs
• Generic template-style proofs
Proofs of industrial protocols
• IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2 (unpublished), Mobile IPv6 (in progress)
• Implementation not done
Modular Analysis / Composition
[Figure: 802.11i key management between Laptop, Access Point and Auth Server]
• EAP-TLS: certificates to authorization (PMK, the shared secret)
• 4-way handshake: PMK to keys for data communication
• Group key: keys for broadcast communication
• Data protection: AES-based, using the above keys
802.11i Key Management: 20 msgs in 4 components [HSDDM CCS'05 → TISSEC Special Issue]