Proving Security of Industrial Network Protocols: Theory and Practice
Anupam Datta, Stanford University
Oakland PC Crystal Ball Workshop, January 2007
Security Protocol Analysis
Network security protocols: industry standards (IETF, IEEE)
– SSL/TLS: web authentication
– IPSec: corporate VPNs
– Mobile IPv6: routing security
– Kerberos: network authentication
– GDOI: secure group communication
– 802.11i: wireless LAN security
Methods for their security analysis
• Security proof in some model; or
• Identify attacks
Our Result
Protocol Composition Logic (PCL):
• Unbounded number of sessions (vs. model-checking)
• Short high-level proofs: 2-3 pages
• Sound wrt symbolic and computational cryptographic models
• Taught in security courses (alternative to BAN): CMU, Penn, Stanford, Texas…
[DMP01, DDMP03, …, RDDM06]
PCL: Big Picture
[Figure: PCL and Computational PCL side by side, one per model]
Symbolic model:
• PCL semantics (meaning of formulas); unbounded # concurrent sessions
• PCL: syntax (properties), proof system (proofs)
• Soundness theorem, proved by induction
Cryptographic model:
• PCL semantics (meaning of formulas); polynomial # concurrent sessions
• Computational PCL: syntax ±, proof system ±
• Soundness theorem, proved by reduction [BPW, MW, …]
High-level proof principles are shared by both
PCL Results: Industrial Protocols
• IEEE 802.11i [IEEE Standards; 2004] [HSDDM05]; TLS/SSL [RFC 2246] is a component (attack found using model-checking; fix adopted by WG)
• GDOI secure group communication [RFC 3547] [MP04] (attack found using PCL; fix adopted by IETF WG)
• Kerberos V5 [IETF ID; 2004] [CMP05, RDDM06]
• Mobile IPv6 [RFC 3775] in progress [RDM06]
• IKE/JFK family: IKEv2 [IETF ID; 2004] in progress [RDM06]
Except Kerberos, results currently apply only to the symbolic model
PCL Proof Techniques
Modular Proofs [DDMP03, HSDDM05]
• Useful for protocols composed from multiple components, e.g. IEEE 802.11i has 4 components including TLS
• Sequential, parallel, staged composition
Generic Template-style Proofs [DDMP04]
• Useful for protocols with multiple modes but similar abstract structure, e.g. IKEv2 has two modes based on symmetric and public-key cryptography
In More Detail …
Protocol Programming Language
Protocol Composition Logic
• Syntax: stating security properties
• Trace semantics: property holds in (almost) all runs of protocol
Proof System
• Axioms and rules: used to prove security
• High-level proof principles
Example: Challenge-Response
A → B: m, A
B → A: n, sig_B{m, n, A}
A → B: sig_A{m, n, B}
Alice reasons: if Bob is honest, then:
1. only Bob can generate his signature [protocol independent]
2. if Bob generates a signature of the form sig_B{m, n, A},
– he sends it as part of msg2 of the protocol, and
– he must have received msg1 from Alice [protocol specific]
Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)
Challenge-Response Programs
A → B: m, A
B → A: n, sig_B{m, n, A}
A → B: sig_A{m, n, B}
InitCR(A, X) = [
  new m;
  send A, X, {m, A};
  receive X, A, {x, sig_X{m, x, A}};
  send A, X, sig_A{m, x, X};
] < >
RespCR(B) = [
  receive Y, B, {y, Y};
  new n;
  send B, Y, {n, sig_B{y, n, Y}};
  receive Y, B, sig_Y{y, n, B};
] < >
Challenge-Response Property
Specifying authentication for the initiator using PCL syntax:
true [ InitCR(A, B) ]_A Honest(B) ⊃
  ( Send(A, {A,B,m}) < Receive(B, {A,B,m}) < Send(B, {B,A,{n, sig_B{m, n, A}}}) < Receive(A, {B,A,{n, sig_B{m, n, A}}}) )
Semantics: the property should hold in (almost) all protocol runs
PCL: Proof System
Sample axiom: property of signatures:
– Honest(X) ∧ Verifies(Y, sig_X{m}) ⊃ ∃m'. Sent(X, m') ∧ Contains(m', sig_X{m})
Sample proof rules: first-order logic rules; induction rule (next slide)
Soundness theorem: if φ is provable, then φ holds in all protocol runs
– Established using induction for the symbolic model and reduction for the cryptographic model
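The trace semantics and the signature axiom above, as an added example that is not part of the slides: a Python model of the two CR roles, InitCR and RespCR, runs one honest session symbolically, records the trace of Send/Receive actions, and evaluates the initiator's authentication property as an ordering over that trace, together with the "only X can generate sig_X" axiom. Signatures are symbolic tuples rather than real cryptography; the scheduler `run`, the role generators and the nonce names are assumptions of this example.

```python
"""Trace semantics for the challenge-response (CR) protocol: run InitCR and
RespCR symbolically, collect the Send/Receive trace, and check the PCL
authentication property and the signature axiom on that trace.

Added example, not from the slides. Symbolic (Dolev-Yao style) model: a
signature is the tuple ('sig', signer, payload), and a role only ever builds
signatures under its own name. Nonces are fresh strings such as 'm1', 'n2'.
"""
import itertools


def sig(signer, *payload):
    """Symbolic signature sig_signer{payload}."""
    return ('sig', signer, payload)


# Honest roles as generators of actions. A role yields ('send', (src, dst,
# payload)) or ('recv', (src, dst)); the scheduler answers a 'recv' by sending
# the payload of a matching message back into the generator.

def init_cr(A, X, fresh):
    """InitCR(A, X) from the slide."""
    m = fresh('m')
    yield ('send', (A, X, (m, A)))                  # msg1: A, X, {m, A}
    x, s = yield ('recv', (X, A))                    # msg2: {x, sig_X{m, x, A}}
    if s != sig(X, m, x, A):
        raise ValueError('msg2 signature does not verify')
    yield ('send', (A, X, sig(A, m, x, X)))         # msg3: sig_A{m, x, X}


def resp_cr(B, fresh):
    """RespCR(B) from the slide."""
    y, Y = yield ('recv', (None, B))                 # msg1 from any Y
    n = fresh('n')
    yield ('send', (B, Y, (n, sig(B, y, n, Y))))    # msg2
    s = yield ('recv', (Y, B))                       # msg3
    if s != sig(Y, y, n, B):
        raise ValueError('msg3 signature does not verify')


def run(roles):
    """Deliver messages between roles until none can progress; return the
    trace as a list of (kind, principal, (src, dst, payload))."""
    trace, network, state = [], [], {}
    for name, gen in roles.items():
        state[name] = (gen, next(gen))
    progressed = True
    while progressed:
        progressed = False
        for name, (gen, (kind, arg)) in list(state.items()):
            if kind == 'send':
                trace.append(('Send', name, arg))
                network.append(arg)
                result = None
            else:
                src, dst = arg
                result = next((msg for msg in network
                               if msg[1] == dst and src in (None, msg[0])), None)
                if result is None:
                    continue                         # nothing to receive yet
                network.remove(result)
                trace.append(('Receive', name, result))
            try:
                state[name] = (gen, next(gen) if kind == 'send' else gen.send(result[2]))
            except StopIteration:
                del state[name]                      # role finished
            progressed = True
    return trace


def authentication_holds(trace, A, B):
    """The property on the 'Challenge-Response Property' slide, as an ordering:
    Send(A, msg1) < Receive(B, msg1) < Send(B, msg2) < Receive(A, msg2),
    with msg1 = A, B, {m, A} and msg2 = B, A, {n, sig_B{m, n, A}}."""
    def first(kind, who, pred, after):
        for i in range(after + 1, len(trace)):
            k, p, msg = trace[i]
            if k == kind and p == who and pred(msg):
                return i, msg
        return None, None
    i1, msg1 = first('Send', A, lambda msg: msg[1] == B and len(msg[2]) == 2
                     and msg[2][1] == A, -1)
    if i1 is None:
        return False
    m = msg1[2][0]
    i2, _ = first('Receive', B, lambda msg: msg == msg1, i1)
    if i2 is None:
        return False
    i3, msg2 = first('Send', B, lambda msg: msg[1] == A and len(msg[2]) == 2
                     and msg[2][1] == sig(B, m, msg[2][0], A), i2)
    if i3 is None:
        return False
    i4, _ = first('Receive', A, lambda msg: msg == msg2, i3)
    return i4 is not None


def signatures_in(term):
    """All sig terms occurring anywhere inside a message."""
    if isinstance(term, tuple):
        if term[:1] == ('sig',):
            yield term
        for sub in term:
            yield from signatures_in(sub)


def signature_axiom_holds(trace, honest):
    """The sample axiom: an honest X's signature can only be received after X
    sent some message containing it."""
    sent = []                                        # (sender, message) so far
    for kind, who, msg in trace:
        if kind == 'Send':
            sent.append((who, msg))
            continue
        for s in signatures_in(msg):
            if s[1] in honest and not any(
                    w == s[1] and s in signatures_in(m) for w, m in sent):
                return False
    return True


def run_cr(A='Alice', B='Bob'):
    """One honest CR session between A and B; returns its trace."""
    counter = itertools.count(1)

    def fresh(tag):
        return f'{tag}{next(counter)}'
    return run({A: init_cr(A, B, fresh), B: resp_cr(B, fresh)})


if __name__ == '__main__':
    t = run_cr()
    for action in t:
        print(action)
    print('authentication:', authentication_holds(t, 'Alice', 'Bob'))
    print('signature axiom:', signature_axiom_holds(t, {'Alice', 'Bob'}))
```

Running the file prints the six actions of the honest trace. A trace in which a signature by an honest principal is received without an earlier Send by that principal fails `signature_axiom_holds`, which is the case the axiom rules out; a trace in which some of the four actions are missing or out of order fails `authentication_holds`.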
Step 1 of CR proof
Inductive Invariant Rule Scheme:
  premises: for all steps A of protocol Q,  Start(X) [ ]_X φ  and  φ [ A ]_X φ
  conclusion: Q ⊢ Honest(X) ⊃ φ
• Example:
– CR ⊢ Honest(X) ⊃ ( Send(X, m) ∧ Contains(m, sig_X{y, x, Y}) ⊃ m = X, Y, {x, sig_X{y, x, Y}} ∧ Receive(X, {Y, X, {y, Y}}) )
• Note: the rule depends on the protocol
Step 2 of CR proof
In More Detail …
PCL Proof Techniques
• Modular Proofs
• Generic Template-style Proofs
Modular Analysis / Composition
802.11i Key Management: 20 msgs in 4 components [HSDDM CCS’05 -> TISSEC Special Issue]
[Figure: laptop, access point and authentication server exchanging the four components]
• EAP-TLS: certificates to authorization (shared secret PMK)
• 4-Way Handshake: PMK to keys for data communication
• Group key: keys for broadcast communication
• Data protection: AES based, using the above keys
Compositional Proofs: Intuition
Protocol specific reasoning
• “if honest Bob generates a signature of the form sig_B{m, n, A}, he sends it as part of msg2 …”
• Could break: Bob’s signature from one protocol could be used to attack another
• PCL proof system: invariant rule
Protocol independent reasoning
• Axiom stating unforgeability of signatures
• Still good: unaffected by composition
• All other axioms and proof rules for PCL
Proof Tree
[Figure: proof tree for 802.11i; leaves are axioms and the INV rule, inner nodes other rules, root the security property Auth]
• Inv ⊢ Auth: bulk of the proof, reused
• TLS ⊢ Inv; 4WAY ⊢ Inv: the additional work is to prove 4WAY ⊢ Inv
• TLS | 4WAY ⊢ Inv
Theorem: If Q ⊢ Inv and Q' ⊢ Inv, then Q | Q' ⊢ Inv
[DDMP CSF’03 -> JCS Special Issue, MFPS’03]
Generic Template-style Proofs
Protocols with function variables instead of specific cryptographic operations
• One template can be instantiated to many protocols
• Proof of template yields proofs for instances
Motivating example:
• IKEv2: two instances based on symmetric and public-key cryptography
Protocol Template
Challenge-Response Template:
  A → B: m
  B → A: n, F(B, A, n, m)
  A → B: G(A, B, n, m)
Instantiations:
  ISO-9798-2 (symmetric encryption):
    A → B: m
    B → A: n, E_KAB(n, m, B)
    A → B: E_KAB(n, m)
  SKID3 (keyed hash):
    A → B: m
    B → A: n, H_KAB(n, m, B)
    A → B: H_KAB(n, m, A)
  ISO-9798-3 (signatures):
    A → B: m
    B → A: n, sig_B(n, m, A)
    A → B: sig_A(n, m, B)
Template Proof Method
Characterizing protocol concepts
• Step 1: Under hypotheses about function variables and invariants, prove security property of template
• Step 2: Instantiate function variables to cryptographic operations and prove hypotheses
Benefit:
• Proof reuse
• Single protocol can be instance of multiple templates, allowing modular proofs
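Step 2 above mechanised, as an added example that is not from the slides: the function variables F and G of the challenge-response template are instantiated with symbolic encryption, MAC and signature (the three instances on the Protocol Template slide), and the hypothesis on F and G that the template proof relies on, that a valid F(B, A, n, m) or G(A, B, n, m) cannot come from anyone but B or A, is checked with a small Dolev-Yao deduction procedure. The fourth, unkeyed-hash instantiation is constructed here only to show the check rejecting an instance; the term constructors, the key names and the exact form of the hypothesis are assumptions of this example.

```python
"""Step 2 of the template proof method for the challenge-response template:
instantiate the function variables F and G and check the unforgeability
hypothesis on each instance by Dolev-Yao deduction.

Added example, not from the slides. Terms are nested tuples. The attacker E
can unpair, decrypt with a key it holds, read the payload of a signature, and
build pairs, encryptions, MACs, signatures and hashes from terms it holds.
"""


# Symbolic constructors: signatures are made with sk_X; enc and mac take a
# symmetric key; hsh is an unkeyed hash.
def enc(key, term): return ('enc', key, term)
def mac(key, term): return ('mac', key, term)
def sign(key, term): return ('sig', key, term)
def hsh(term): return ('hash', term)
def pair(*terms): return ('pair',) + terms


K_AB, SK_A, SK_B, PK_A, PK_B = 'K_AB', 'sk_A', 'sk_B', 'pk_A', 'pk_B'


def analyse(known):
    """Close a knowledge set under the decomposition rules."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            new = set()
            if t[0] == 'pair':
                new.update(t[1:])
            elif t[0] == 'enc' and t[1] in known:   # decrypt with a held key
                new.add(t[2])
            elif t[0] == 'sig':                      # signatures do not hide payload
                new.add(t[2])
            if not new <= known:
                known |= new
                changed = True
    return known


def derivable(known, target):
    """Can an agent holding `known` produce `target`?"""
    facts = analyse(known)

    def synth(t):
        if t in facts:
            return True
        if isinstance(t, tuple):
            if t[0] == 'pair':
                return all(synth(x) for x in t[1:])
            if t[0] == 'hash':
                return synth(t[1])
            if t[0] in ('enc', 'mac', 'sig'):        # need the key and the payload
                return synth(t[1]) and synth(t[2])
        return False
    return synth(target)


# F(B, A, n, m) and G(A, B, n, m) for the three instantiations on the slide,
# plus one constructed non-instance for contrast.
INSTANCES = {
    'ISO-9798-2': (lambda B, A, n, m: enc(K_AB, pair(n, m, B)),
                   lambda A, B, n, m: enc(K_AB, pair(n, m))),
    'SKID3':      (lambda B, A, n, m: mac(K_AB, pair(n, m, B)),
                   lambda A, B, n, m: mac(K_AB, pair(n, m, A))),
    'ISO-9798-3': (lambda B, A, n, m: sign(SK_B, pair(n, m, A)),
                   lambda A, B, n, m: sign(SK_A, pair(n, m, B))),
    # Constructed (not on the slide): an unkeyed hash anyone can compute.
    'unkeyed-hash': (lambda B, A, n, m: hsh(pair(n, m, B)),
                     lambda A, B, n, m: hsh(pair(n, m, A))),
}


def hypothesis_holds(F, G, A='A', B='B'):
    """Hypothesis on the function variables: after observing one honest run,
    an attacker E holding the public keys and its own key pair still cannot
    produce F(B, A, n', m') or G(A, B, n', m') for a fresh challenge m' and a
    nonce n' of its choice, while B and A themselves can."""
    m, n = 'm1', 'n1'
    transcript = {m, pair(n, F(B, A, n, m)), G(A, B, n, m)}
    attacker = transcript | {A, B, 'E', 'sk_E', 'pk_E', PK_A, PK_B, 'm2', 'n2'}
    forged_F, forged_G = F(B, A, 'n2', 'm2'), G(A, B, 'n2', 'm2')
    honest_B = {A, B, K_AB, SK_B, PK_A, 'n2', 'm2'}
    honest_A = {A, B, K_AB, SK_A, PK_B, 'n2', 'm2'}
    return (not derivable(attacker, forged_F)
            and not derivable(attacker, forged_G)
            and derivable(honest_B, forged_F)
            and derivable(honest_A, forged_G))


def check_instances():
    """Which instantiations discharge the template hypothesis."""
    return {name: hypothesis_holds(F, G) for name, (F, G) in INSTANCES.items()}


if __name__ == '__main__':
    for name, ok in check_instances().items():
        print(f'{name:13s} {"hypothesis discharged" if ok else "hypothesis FAILS"}')
```

The template proof (Step 1) is done once in the logic and is not repeated here; what varies per instance is only the discharge of the hypothesis, which is why the three genuine instantiations pass and the unkeyed hash is rejected: the attacker can compute it from the public nonces and names alone.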
Proof Structure
[Figure: proof tree for the template, with axioms and hypotheses at the leaves; the instance discharges the hypotheses]
• Template: bulk of the proof, reused
• Instance: additional work to discharge the hypotheses
Summary
PCL – logic for security protocols
• Sound wrt symbolic and cryptographic models
• High-level short proofs: 2-3 pages
Proof techniques
• Modular/compositional proofs
• Generic template-style proofs
Proofs of industrial protocols
• IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2 (unpublished), Mobile IPv6 (in progress)
Acknowledgements
PCL Design
• A. Datta, A. Derek, N. Durgin, J. C. Mitchell, D. Pavlovic, A. Roy
Computational PCL Design
• A. Datta, A. Derek, J. C. Mitchell, A. Roy, M. Turuani, V. Shmatikov, B. Warinschi
PCL Applications (in addition)
• M. Backes, I. Cervesato, C. He, C. Meadows, M. Sundararajan
PCL Project Page:
• http://www.stanford.edu/~danupam/logic-derivation.html
Thanks!
Questions?
Attacks on Industry Standards
IKE [Meadows; 1999]
• Reflection attack; fix adopted by IETF WG
IEEE 802.11i [He, Mitchell; 2004]
• DoS attack; fix adopted by IEEE WG
GDOI [Meadows, Pavlovic; 2004]
• Composition attack; fix adopted by IETF WG
Kerberos V5 [Scedrov et al; 2005]
• Identity misbinding attack; fix adopted by IETF WG; Windows update released by Microsoft
Identified using logical methods
Protocol Analysis Techniques
[Figure: taxonomy of cryptographic protocol analysis]
Cryptographic Protocol Analysis
• Formal models: Dolev-Yao (perfect cryptography)
  – Model checking (bug finding): FDR, Murphi, Athena, NRL, Brutus, OFMC
  – Protocol logics: BAN, PCL
  – Theorem proving (correctness proofs): Inductive Method, Automating BAN, TAPS, Automating PCL
  – Process calculi: Spi-calculus, Applied π-calculus, …
• Cryptographic models: probabilistic interactive TM, probabilistic process calculi, probabilistic I/O automata; Computational PCL
Communication setting: insecure network, attacker has full control
Open Problems in 2000
Background:
• Precise model of protocol execution
• Methods applied to simple protocols [Clark-J97]
Central open problems:
• Develop methods for industrial protocols
– [Mea99, Pau99] exceptions: SET, IKE, Kerberos
– Compositional analysis technique required for practice
• Cryptographic soundness
– Remove perfect cryptography assumption
– Analysis should be sound wrt complexity-theoretic model of cryptography
PCL: Syntax
Action formulas: a ::= Send(P, t) | Receive(P, t) | …
Formulas: φ ::= a | Has(P, t) | Honest(N) | ¬φ | φ1 ∧ φ2 | ∃x. φ | a < a | …
Modal formula: φ [ actions ]_P ψ
Example, specifying secrecy: Has(X, secret) ⊃ (X = A ∨ X = B)
Compositional Security
[Figure: protocol Q running in a “safe environment” alongside Q1, Q2, Q3, …, Qn]
Hard problem in security!
Modularity in CS:
• Programming languages
• Distributed computing
• Hardware verification
Different from:
• Assume-guarantee in distributed computing [MC81]
• Universal Composability [C01, PW01]
Protocol Analysis Spectrum
[Figure: scatter plot. Horizontal axis: protocol complexity, low to high. Vertical axis: strength of attacker model, low to high.]
• Model checking: Murphi, FDR, NRL, Athena
• Hand proofs; Paulson; BAN logic; Spi-calculus; Multiset rewriting
• Poly-time calculus; PCL; Computational PCL
• “Holy Grail”: combining logic and cryptography: BPW, MW, Herz, Blan
• Annotation: divide and conquer