1. Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University ICALP and PPDP, 2005

2. Outline uProtocols Some examples, some intuition uSymbolic analysis of protocol security Models, results, tools uComputational analysis Communicating Turing machines, composability uCombining symbolic, computational analysis Some alternate approaches Protocol Composition Logic (PCL) Symbolic and computational semantics

3. Many Protocols uAuthentication Kerberos uKey Exchange SSL/TLS handshake, IKE, JFK, IKEv2, uWireless and mobile computing Mobile IP, WEP, 802.11i uElectronic commerce Contract signing, SET, electronic cash, …

4. Mobile IPv6 Architecture IPv6 Mobile Node (MN) Corresponding Node (CN) Home Agent (HA) Direct connection via binding update uAuthentication is a requirement uEarly proposals weak

5. Supplicant UnAuth/UnAssoc 802.1X Blocked No Key 802.11 Association 802.11i Wireless Authentication MSK EAP/802.1X/RADIUS Authentication 4-Way Handshake Group Key Handshake Data Communication Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK

6. IKE subprotocol from IPSEC A, (g a mod p) B, (g b mod p) Result: A and B share secret g ab mod p AB m1 m2, signB(m1,m2) signA(m1,m2) Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks

7. Needham-Schroeder Protocol { A, NonceA } { NonceA, NonceB } { NonceB} KaKa Kb Result: A and B share two private numbers not known to any observer without Ka -1, Kb -1 AB Kb

8. Anomaly in Needham-Schroeder AE B { A, Na } { Na, Nb } { Nb } Ke Kb Ka Ke Evil agent E tricks honest A into revealing private key Nb from B. Evil E can then fool B. [Lowe]

9. Run of a protocol A B Initiate Respond C D Correct if no security violation in any run Attacker

10. Protocol analysis methods uCryptographic reductions Bellare-Rogaway, Shoup, many others UC [Canetti et al], Simulatability [BPW] Prob poly-time process calculus [LMRST…] uSymbolic methods Model checking –FDR [Lowe, Roscoe, …], Murphi [M, Shmatikov, …], Symbolic search –NRL protocol analyzer [Meadows] Theorem proving –Isabelle [Paulson …], Specialized logics [BAN, …] See papers in PPDP, ICALP proceedings for references

11. “The” Symbolic Model uMessages are algebraic expressions Nonce, Encrypt(K,M), Sign(K,M), … uAdversary Nondeterministic Observe, store, direct all communication –Break messages into parts –Encrypt, decrypt, sign only if it has the key Example:  K1, Encrypt(K1, “hi”)   K1, Encrypt(K1, “hi”)  “hi” –Send messages derivable from stored parts

12. Many formulations uWord problems [Dolev-Yao, Dolev-Even-Karp, …] Each protocol step is symbolic function from input message to output message; cancellation law d k e k x = x uRewrite systems [CDLMS] Each protocol step is symbolic function from state and input message to state and output message uLogic programming [Meadows NRL Analyzer] Each protocol step can be defined by logical clauses Resolution used to perform reachability search uConstraint solving [Amadio-Lugiez, … ] Write set constraints defining messages known at step i uStrand space model [MITRE] Partial order (Lamport causality), reasoning methods uProcess calculus [CSP, Spi-calculus, applied , …) Each protocol step is process that reads, writes on channel Spi-calculus: use for new values, private channels, simulate crypto

13. Complexity results (see [Cortier et al]) Bounded # of sessions Unbounded number of sessions Without noncesWith nonces Co-NP completeGeneral: undecidable Bounded msg length: DEXP-time complete Bounded msg length: undecidable Tagged: exptimeTagged: decidable One-copy: DEXP-time complete Ping-pong protocols: Ptime Additional results for variants of basic model (AC, xor, modular exp, …)

14. Many protocol case studies uMurphi [Shmatikov, He, …] SSL, Contract signing, 802.11i, … uMeadows NRL tool Participation in IETF, IEEE standards Many important examples uPaulson inductive method; Scedrov et al Kerberos, SSL, SET, many more uProtocol logic BAN logic and successors (GNY, SvO, …) DDMP …

15. Computational model I [Bellare-Rogaway, Shoup, …] Adversary input tape work tape oracle tape “Alice”“Bob”

16. Computational model II [Canetti, …] Turing machine Adversary

17. Computational security: encryption uPassive adversary Semantic security uChosen ciphertext attacks (CCA1) Adversary can ask for decryption before receiving a challenge ciphertext uChosen ciphertext attacks (CCA2) Adversary can ask for decryption before and after receiving a challenge ciphertext

18. Passive Adversary ChallengerAttacker m 0, m 1 E(m i ) guess 0 or 1

19. Chosen ciphertext CCA1 ChallengerAttacker m 0, m 1 E(m i ) guess 0 or 1 c D(c)

20. Chosen ciphertext CCA2 ChallengerAttacker m 0, m 1 E(m i ) guess 0 or 1 c D(c) c  E(m j ) D(c)

21. Protocol execution P1P1 P3P3 P4P4 P2P2 output Z  Ideal functionality P1P1 P3P3 P4P4 P2P2 F S simulator input Z Protocol security A attacker Slide: R Canetti

22. IDEALREAL Trusted party Protocol interaction For every real adversary A there exists an adversary S  Universal composability also “reactive simulatability” [BPW], … see [DKMRS] Slide: Y Lindell

23. Symbolic model [NS78,DY84,…] Complexity-theoretic model [GM84,…] Attacker actions- Fixed set of actions, nondeterminism (ABSTRACTION) + Any probabilistic poly-time computation Security properties-Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION) + Fine-grained, e.g., secret message = no partial information about bitstring representation Analysis methods+ Successful array of tools and techniques; automation - Hand-proofs are difficult, error-prone; no automation Can we have best of both worlds?

24. Some relevant approaches uSimulation framework Backes, Pfitzmann, Waidner uCorrespondence theorems Micciancio, Warinschi uKapron-Impagliazzo logics uAbadi-Rogaway passive equivalence  (K2,{01} K3 ),  {({101} K2,K5 )} K2, {{K6} K4 } K5     (K2,  ),  {({101} K2,K5 )} K2, {  } K5     (K1,  ),  {({101} K1,K5 )} K1, {  } K5     (K1,{K1} K7 ),  {({101} K1,K5 )} K1, {{K6} K7 } K5   Proposed as start of larger plan for computational soundness … [Abadi-Rogaway00, …, Adao-Bana-Scedrov05]

25. Symbolic methods  comp’l results uPereira and Quisquater, CSFW 2001, 2004 Studied authenticated group Diffie-Hellman protocols Found symbolic attack in Cliques SA-GDH.2 protocol Proved no protocol of certain type is secure, for >3 participants uMicciancio and Panjwani, EUROCRYPT 2004 Lower bound for class of group key establishment protocols using purely Dolev-Yao reasoning –Model pseudo-random generators, encryption symbolically Lower bounds is tight; matches a known protocol

26. Rest of talk: Protocol composition logic uAlice’s information Protocol Private data Sends and receives Honest Principals, Attacker Send Receive Protocol Private Data Logic now has symbolic and computational semantics

27. Example { A, Nonce a } { Nonce a, … } KaKa Kb AB uAlice assumes that only Bob has Kb -1 u Alice generated Nonce a and knows that some X decrypted first message u Since only X knows Kb -1, Alice knows X=Bob

28. More subtle example: Bob’s view { A, Nonce a } { Nonce a, B, Nonce b } { Nonce b } KaKa Kb AB u Bob assumes that Alice follows protocol u Since Alice responds to second message, Alice must have sent the first message

29. Execution model uProtocol “Program” for each protocol role uInitial configuration Set of principals and key Assignment of  1 role to each principal uRun xx zz  {x} B  ({x} B )  {z} B  decr A B C ({z} B ) Position in run

30. Formulas true at a position in run uAction formulas a ::= Send(P,m) | Receive (P,m) | New(P,t) | Decrypt (P,t) | Verify (P,t) uFormulas  ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) |  |  1   2 |  x  |  |  uExample After(a,b) =  (b   a) Notation in papers varies slightly …

31. Modal Formulas uAfter actions, condition [ actions ] P  where P =  princ, role id  uBefore/after assertions  [ actions ] P  uComposition rule  [ S ] P   [ T ] P   [ ST ] P  Logic formulated: [DMP,DDMP] Related to: BAN, Floyd-Hoare, CSP/CCS, temporal logic, NPATRL

32. Example: Bob’s view of NSL uBob knows he’s talking to Alice [ receive encrypt( Key(B),  A,m  ); new n; send encrypt( Key(A),  m, B, n  ); receive encrypt( Key(B), n ) ] B Honest(A)  Csent(A, msg1)  Csent(A, msg3) where Csent(A, …)  Created(A, …)  Sent(A, …) msg1msg3

33. Proof System uSample Axioms: Reasoning about possession: –[receive m ]A Has(A,m) –Has(A, {m,n})  Has(A, m)  Has(A, n) Reasoning about crypto primitives: –Honest(X)  Decrypt(Y, enc(X, {m}))  X=Y –Honest(X)  Verify(Y, sig(X, {m}))   m’ (Send(X, m’)  Contains(m’, sig(X, {m})) uSoundness Theorem: Every provable formula is valid in symbolic model

34. Modal Formulas uAfter actions, condition [ actions ] P  where P =  princ, role id  uBefore/after assertions  [ actions ] P  uComposition rule  [ S ] P   [ T ] P   [ ST ] P 

35. Application DH + CR = ISO 9798-3 uInitiator role of DH [ new a ] I Fresh(I, g a )  HasAlone(I, a) uInitiator role of CR Fresh(I, m) [send … receive … B… send] Honest(B)  ActionsInOrder(…) uCombination Substitute g a for m in CR Apply composition rule, persistence Obtain assertion about ISO initiator

36. Additional issues uReasoning about honest principals Invariance rule, called “honesty rule” uPreserve invariants under composition If we prove Honest(X)   for protocol 1 and compose with protocol 2, is formula still true?

37. Composing protocols DH  Honest(X)  … ’’  |- Secrecy  ’ |- Authentication  ’ |- Secrecy  ’ |- Authentication  ’ |- Secrecy  Authentication [additive] DH  CR   ’ [nondestructive] ISO  Secrecy  Authentication = CR  Honest(X)  …

38. Main results in ICALP Proceedings uComputational PCL Symbolic logic for proving security properties of network protocols using public-key encryption uSoundness Theorem: If a property is provable in CPCL, then property holds in computational model with overwhelming asymptotic probability. uBenefits Symbolic proofs about computational model Computational reasoning in soundness proof (only!) Different axioms rely on different crypto assumptions

39. PCL  Computational PCL uSyntax, proof rules mostly the same But not sure about propositional connectives… uSignificant difference Symbolic “knowledge” –Has(X,t) : X can produce t from msgs that have been observed, by symbolic algorithm Computational “knowledge” –Possess(X,t) : can produce t by ppt algorithm –Indistinguishable(X,t) : can distinguish from random in ppt More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.

40. Complexity-theoretic semantics uQ |=  if  adversary A  distinguisher D  negligible function f  n 0  n > n 0 s.t. [[  ]](T,D,f) T(Q,A,n) [[  ]](T,D,f(n)) |/|T| > 1 – f(n) Fraction represents probability Fix protocol Q, PPT adversary A Choose value of security parameter n Vary random bits used by all programs Obtain set T=T(Q,A,n) of equi-probable traces

41. Inductive Semantics  [[  1   2 ]] (T,D,  ) = [[  1 ]] (T,D,  )  [[  2 ]] (T,D,  )  [[  1   2 ]] (T,D,  ) = [[  1 ]] (T,D,  )  [[  2 ]] (T,D,  )  [[   ]] (T,D,  ) = T - [[  ]] (T,D,  ) Implication uses conditional probability  [[  1   2 ]] (T,D,  ) = [[   1 ]] (T,D,  )  [[  2 ]] (T’,D,  ) where T’ = [[  1 ]] (T,D,  ) Formula defines transformation on probability distributions over traces

42. Soundness of proof system uExample axiom Source(Y,u,{m}X)   Decrypts(X, {m}X)  Honest(X,Y)  (Z  X,Y)  Indistinguishable(Z, u) uProof idea: crypto-style reduction Assume axiom not valid:  A  D  negligible f  n 0  n > n 0 s.t. [[  ]](T,D,f)|/|T| < 1 –f(n) Construct attacker A’ that uses A, D to break IND-CCA2 secure encryption scheme Conditional implication essential Parts of proof are similar to [Micciancio, Warinschi]

43. Applications of PCL uIKE, JFK family key exchange IKEv2 in progress u802.11i wireless networking SSL/TLS, 4way handshake, group handshake uKerberos v5 [Cervesato et al] uGDOI [Meadows, Pavlovic] uFuture work Use CPCL to understand computational security of these protocols, reliance on specific crypto properties

44. Advantages of Computational PCL uHigh-level reasoning Prove properties of protocols without explicit reasoning about probability, asymptotic complexity uSound for “real crypto” uComposability PCL is designed for protocol composition uIdentify crypto assumptions needed

45. Future Work uInvestigate nature of propositional fragment Non-classical;  involves some conditional probability –complexity-theoretic reductions –connections with probabilistic logics (e.g. Nilsson86) uGeneralize reasoning about secrecy uExtend logic More primitives: signature, hash functions,… Remove current syntactic restrictions on formulas u Information-theoretic semantics (thanks to A Scedrov) Only probability; no complexity uOther fundamental problems See Kapron-Impagliazzo, etc.

46. Conclusion uSymbolic model supports useful analysis Tools, case studies, high-level proofs uComputational model more “correct” More accurately reflects realistic attack uTwo approaches can be combined Several current projects and approaches One example: computational semantics for symbolic protocol logic

47. Credits uCollaborators M. Backes, A. Datta, A. Derek, N. Durgin, C. He, R. Kuesters, D. Pavlovic, A. Ramanathan, A. Roy, A. Scedrov, V. Shmatikov, M. Sundararajan, V. Teague, M. Turuani, B. Warinschi, … uMore information References in PPDP, ICALP proceedings Web page on Protocol Composition Logic –http://www.stanford.edu/~danupam/logic-derivation.html –My web site for related projects not discussed Science is a social process