Proving Security of Industrial Network Protocols: Theory and Practice Anupam Datta Stanford University Oakland PC Crystal Ball Workshop January 2007.
1 Proving Security of Industrial Network Protocols: Theory and Practice
Anupam Datta, Stanford University
Oakland PC Crystal Ball Workshop, January 2007

2 Security Protocol Analysis
- Network security protocols: industry standards (IETF, IEEE)
  - SSL/TLS - web authentication
  - IPSec - corporate VPNs
  - Mobile IPv6 - routing security
  - Kerberos - network authentication
  - GDOI - secure group communication
  - 802.11i - wireless LAN security
- Methods for their security analysis: a security proof in some model, or identifying attacks

3 Our Result
- Protocol Composition Logic (PCL):
  - Unbounded number of sessions (vs. model checking)
  - Short high-level proofs: 2-3 pages
  - Sound wrt symbolic and computational cryptographic models
  - Taught in security courses (alternative to BAN): CMU, Penn, Stanford, Texas, …
- [DMP01, DDMP03, …, RDDM06]

4 PCL: Big Picture
- Symbolic model: PCL semantics (meaning of formulas), unbounded number of concurrent sessions; PCL syntax (properties); proof system (proofs); soundness theorem (by induction); high-level proof principles
- Cryptographic model: PCL semantics (meaning of formulas), polynomial number of concurrent sessions; Computational PCL: syntax (±), proof system (±); soundness theorem (by reduction) [BPW, MW, …]

5 PCL Results: Industrial Protocols
- IEEE 802.11i [IEEE Standards; 2004] [HSDDM05]
  - TLS/SSL [RFC 2246] is a component (attack found using model checking; fix adopted by WG)
- GDOI Secure Group Communication [RFC 3547] [MP04] (attack found using PCL; fix adopted by IETF WG)
- Kerberos V5 [IETF ID; 2004] [CMP05, RDDM06]
- Mobile IPv6 [RFC 3775]: in progress [RDM06]
- IKE/JFK family
  - IKEv2 [IETF ID; 2004]: in progress [RDM06]
- Except for Kerberos, results currently apply only to the symbolic model

6 PCL Proof Techniques
- Modular proofs [DDMP03, HSDDM05]
  - Useful for protocols composed from multiple components, e.g. IEEE 802.11i has 4 components including TLS
  - Sequential, parallel, staged composition
- Generic template-style proofs [DDMP04]
  - Useful for protocols with multiple modes but similar abstract structure, e.g. IKEv2 has two modes based on symmetric and public-key cryptography

7 In More Detail …
- Protocol programming language
- Protocol Composition Logic
  - Syntax: stating security properties
  - Trace semantics: a property holds in (almost) all runs of the protocol
- Proof system
  - Axioms and rules: used to prove security
  - High-level proof principles

8 Example: Challenge-Response
  A → B: m, A
  B → A: n, sig_B{m, n, A}
  A → B: sig_A{m, n, B}
- Alice reasons: if Bob is honest, then:
  1. only Bob can generate his signature [protocol independent]
  2. if Bob generates a signature of the form sig_B{m, n, A},
     - he sends it as part of msg2 of the protocol, and
     - he must have received msg1 from Alice [protocol specific]
- Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)

9 Challenge-Response Programs
  A → B: m, A
  B → A: n, sig_B{m, n, A}
  A → B: sig_A{m, n, B}

InitCR(A, X) = [
  new m;
  send A, X, {m, A};
  receive X, A, {x, sig_X{m, x, A}};
  send A, X, sig_A{m, x, X};
]

RespCR(B) = [
  receive Y, B, {y, Y};
  new n;
  send B, Y, {n, sig_B{y, n, Y}};
  receive Y, B, sig_Y{y, n, B};
]

10 Challenge-Response Property
- Specifying authentication for the Initiator in PCL syntax:
  true [ InitCR(A, B) ]_A Honest(B) ⊃ ( Send(A, {A,B,m}) < Receive(B, {A,B,m}) < Send(B, {B,A,{n, sig_B{m, n, A}}}) < Receive(A, {B,A,{n, sig_B{m, n, A}}}) )
- Semantics: the property should hold in (almost) all protocol runs
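As an added example (not code from the slides or from the PCL project), the challenge-response programs of slide 9 are run as a small symbolic model in Python and the initiator authentication property of slide 10 is checked on the resulting trace. Nonces, signatures and the pass-through network are symbolic terms constructed here; `sig`, `run_cr`, `initiator_auth` and `replayed_trace` are names chosen for this example.

```python
import itertools

def sig(signer, *fields):
    """Symbolic signature term: in the symbolic model only `signer` can build it."""
    return ("sig", signer, fields)

def run_cr(A, B, fresh=None):
    """Honest run of InitCR(A, B) in parallel with RespCR(B) over a pass-through
    network. Returns the event trace plus the session nonces (m, n)."""
    fresh = itertools.count() if fresh is None else fresh
    trace = []
    m = ("nonce", next(fresh))                         # InitCR: new m
    msg1 = (A, B, (m, A))
    trace.append((A, "Send", msg1))                    # send A, B, {m, A}
    trace.append((B, "Receive", msg1))                 # RespCR: receive Y, B, {y, Y}
    y, Y = msg1[2]
    n = ("nonce", next(fresh))                         # new n
    msg2 = (B, Y, (n, sig(B, y, n, Y)))
    trace.append((B, "Send", msg2))                    # send B, Y, {n, sig_B{y, n, Y}}
    trace.append((A, "Receive", msg2))                 # InitCR: receive B, A, {x, sig_B{m, x, A}}
    x = msg2[2][0]
    msg3 = (A, B, sig(A, m, x, B))
    trace.append((A, "Send", msg3))                    # send A, B, sig_A{m, x, X}
    trace.append((B, "Receive", msg3))                 # RespCR: receive Y, B, sig_Y{y, n, B}
    return trace, m, n

def initiator_auth(trace, A, B, m, n):
    """The slide-10 property read on a finished trace: all four events for this
    session's (m, n) exist and occur in the order
    Send(A) < Receive(B) < Send(B) < Receive(A)."""
    msg1 = (A, B, (m, A))
    msg2 = (B, A, (n, sig(B, m, n, A)))
    events = [(A, "Send", msg1), (B, "Receive", msg1),
              (B, "Send", msg2), (A, "Receive", msg2)]
    if any(e not in trace for e in events):
        return False
    positions = [trace.index(e) for e in events]
    return positions == sorted(positions)

def replayed_trace(A, B):
    """Constructed trace for the failure mode: A starts a second session with a
    fresh m2 but is handed B's msg2 from session 1. No Send(B, ...) mentioning m2
    exists, so the property fails; the signature over {m, n, A} is what ties
    Bob's reply to Alice's fresh challenge."""
    fresh = itertools.count()
    trace1, m1, n1 = run_cr(A, B, fresh)
    m2 = ("nonce", next(fresh))
    stale_msg2 = trace1[2][2]                          # B's msg2 from session 1
    trace = trace1 + [(A, "Send", (A, B, (m2, A))), (A, "Receive", stale_msg2)]
    return trace, m2, n1
```

The trace check is a finite stand-in for the proof: PCL's soundness theorem gives the same conclusion for every run, not just the ones enumerated here.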

11 PCL: Proof System
- Sample axiom, a property of signatures [Step 1 of CR proof]:
  Honest(X) ∧ Verifies(Y, sig_X{m}) ⊃ ∃m'. Sent(X, m') ∧ Contains(m', sig_X{m})
- Sample proof rules:
  - First-order logic rules
  - Induction rule (next slide)
- Soundness theorem: if φ is provable, then φ holds in all protocol runs
  - Established using induction for the symbolic model and reduction for the cryptographic model

12 Inductive Invariant Rule Scheme
  ∀ steps A of protocol Q:   Start(X) [ ]_X φ      φ [ A ]_X φ
  --------------------------------------------------------------
                        Q ⊢ Honest(X) ⊃ φ
- Example [Step 2 of CR proof]:
  CR ⊢ Honest(X) ⊃ ( Send(X, m) ∧ Contains(m, sig_X{y, x, Y}) ⊃ m = X, Y, {x, sig_X{y, x, Y}} ∧ Receive(X, {Y, X, {y, Y}}) )
- Note: the rule depends on the protocol

13 In More Detail …
- PCL proof techniques
  - Modular proofs
  - Generic template-style proofs

14 Modular Analysis / Composition
802.11i key management between Laptop, Access Point and Auth Server: ~20 msgs in 4 components
- EAP-TLS: certificates to authorization (PMK, the shared secret)
- 4WAY Handshake: PMK to keys for data communication
- Group key: keys for broadcast communication
- Data protection: AES based, using the above keys
[HSDDM CCS'05 -> TISSEC Special Issue]

15 Compositional Proofs: Intuition
- Protocol specific reasoning: "if honest Bob generates a signature of the form sig_B{m, n, A}, he sends it as part of msg2 …"
  - Could break: Bob's signature from one protocol could be used to attack another
  - PCL proof system: invariant rule
- Protocol independent reasoning: axiom stating unforgeability of signatures
  - Still good: unaffected by composition
  - Likewise all other axioms and proof rules of PCL

16 Proof Tree
Proof tree from axioms, via the INV rule, through the other rules, to the security property: Inv ⊢ Auth, with TLS ⊢ Inv and 4WAY ⊢ Inv giving TLS | 4WAY ⊢ Inv
- Bulk of proof reused: Inv ⊢ Auth
- Additional work: proving 4WAY ⊢ Inv
- Theorem: If Q ⊢ Inv and Q' ⊢ Inv, then Q | Q' ⊢ Inv
[DDMP CSF'03 -> JCS Special Issue, MFPS'03]

17 Generic Template-style Proofs
- Protocols with function variables instead of specific cryptographic operations
  - One template can be instantiated to many protocols
  - Proof of the template yields proofs for the instances
- Motivating example: IKEv2 has two instances based on symmetric and public-key cryptography

18 Protocol Template
Challenge-Response template:
  A → B: m
  B → A: n, F(B,A,n,m)
  A → B: G(A,B,n,m)
Instantiations:
  ISO-9798-2 (symmetric encryption):
    A → B: m
    B → A: n, E_KAB(n,m,B)
    A → B: E_KAB(n,m)
  SKID3 (keyed hash):
    A → B: m
    B → A: n, H_KAB(n,m,B)
    A → B: H_KAB(n,m,A)
  ISO-9798-3 (signatures):
    A → B: m
    B → A: n, sig_B(n,m,A)
    A → B: sig_A(n,m,B)

19 Template Proof Method
- Characterizing protocol concepts:
  - Step 1: Under hypotheses about the function variables and invariants, prove the security property of the template
  - Step 2: Instantiate the function variables to cryptographic operations and prove the hypotheses
- Benefit: proof reuse
- A single protocol can be an instance of multiple templates, allowing modular proofs

20 Proof Structure
- Template: proof from axioms and hypotheses (bulk of proof reused)
- Instance: additional work to discharge the hypotheses

21 Summary
- PCL: a logic for security protocols
  - Sound wrt symbolic and cryptographic models
  - High-level short proofs: 2-3 pages
- Proof techniques
  - Modular/compositional proofs
  - Generic template-style proofs
- Proofs of industrial protocols: IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2 (unpublished), Mobile IPv6 (in progress)

22 Acknowledgements
- PCL design: A. Datta, A. Derek, N. Durgin, J. C. Mitchell, D. Pavlovic, A. Roy
- Computational PCL design: A. Datta, A. Derek, J. C. Mitchell, A. Roy, M. Turuani, V. Shmatikov, B. Warinschi
- PCL applications (in addition): M. Backes, I. Cervesato, C. He, C. Meadows, M. Sundararajan
- PCL project page: http://www.stanford.edu/~danupam/logic-derivation.html

23 Thanks! Questions?

24 Attacks on Industry Standards
- IKE [Meadows; 1999]: reflection attack; fix adopted by IETF WG
- IEEE 802.11i [He, Mitchell; 2004]: DoS attack; fix adopted by IEEE WG
- GDOI [Meadows, Pavlovic; 2004]: composition attack; fix adopted by IETF WG
- Kerberos V5 [Scedrov et al.; 2005]: identity misbinding attack; fix adopted by IETF WG; Windows update released by Microsoft
All identified using logical methods

25 Protocol Analysis Techniques
Cryptographic protocol analysis
- Formal models (Dolev-Yao, perfect cryptography)
  - Protocol logics: BAN, PCL
  - Model checking (bug finding): FDR, Murphi, Athena, NRL, Brutus, OFMC
  - Theorem proving (correctness proofs): Inductive Method, Automating BAN, TAPS, Automating PCL
  - Process calculi: Spi-calculus, Applied π-calculus, …
- Cryptographic models
  - Probabilistic interactive TM
  - Probabilistic process calculi
  - Probabilistic I/O automata
  - Computational PCL

26 Communication Setting
(figure: principals communicating over an insecure network; the attacker has full control of the network)

27 Open Problems in 2000
- Background:
  - Precise model of protocol execution
  - Methods applied to simple protocols [Clark-J97]
- Central open problems:
  - Develop methods for industrial protocols
    - [Mea99, Pau99] exceptions: SET, IKE, Kerberos
    - Compositional analysis technique required for practice
  - Cryptographic soundness
    - Remove the perfect cryptography assumption
    - Analysis should be sound wrt the complexity-theoretic model of cryptography

28 PCL: Syntax
- Action formulas: a ::= Send(P,t) | Receive(P,t) | …
- Formulas: φ ::= a | Has(P,t) | Honest(N) | ¬φ | φ1 ∧ φ2 | ∃x. φ | a < a | …
- Modal formula: φ [ actions ]_P φ
- Example (specifying secrecy): Has(X, secret) ⊃ (X = A ∨ X = B)

29 Compositional Security
(figure: protocol Q in a safe environment for Q, alongside protocols Q1, Q2, Q3, …, Qn)
- Hard problem in security!
- Modularity in CS: programming languages, distributed computing, hardware verification
- Different from: assume-guarantee in distributed computing [MC81]; Universal Composability [C01, PW01]

30 Protocol Analysis Spectrum
(figure: approaches placed on two axes, strength of attacker model (low to high) against protocol complexity (low to high): Murφ, FDR, NRL, Athena, hand proofs, Paulson, BAN logic, Spi-calculus, poly-time calculus, model checking, PCL, Computational PCL, multiset rewriting; "Holy Grail": combining logic and cryptography; divide and conquer; BPW, MW, Herz, Blan)
