Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protocol Composition Logic II Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Protocol Composition Logic II Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy."— Presentation transcript:

1 Protocol Composition Logic II Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy

2 Protocol Analysis Techniques Crypto Protocol Analysis Formal ModelsComputational Models Protocol LogicsModel Checking Inductive Proofs Dolev-Yao (perfect cryptography) Random oracle Probabilistic process calculi Probabilistic I/O automata … Process Calculi … Applied  -calculus BAN, PCLMurphi, AVISPA Paulson, MSR

3 Protocol Composition Logic uIntuition uFormalism Protocol programming language Protocol logic Proof System uExample Signature-based challenge-response uProof techniques TODAY

4 Example: JFK Protocol uRecall earlier lecture about JFK design uToday we will describe corresponding proof techniques

5 Ingredient 1: Diffie-Hellman A  B: g a B  A: g b Shared secret: g ab Authentication Identity protection

6 Ingredient 2: Challenge-Response A  B: m, A B  A: n, sig B {m, n, A} A  B: sig A {m, n, B} Shared secret Authentication Identity protection

7 DH + Challenge-Response ISO 9798-3 protocol: A  B: g a, A B  A: g b, sig B {g a, g b, A} A  B: sig A {g a, g b, B} Shared secret: g ab Authentication Identity protection m := g a n := g b Formalized as sequential composition

8 Ingredient 3: Encryption Encrypt signatures to protect identities: A  B: g a, A B  A: g b, E K {sig B {g a, g b, A}} A  B: E K {sig A {g a, g b, B}} Shared secret: g ab Authentication Identity protection Formalized using abstraction-refinement

9 uModular Proofs Parallel Composition Sequential Composition uGeneric Template-style Proofs Function variables Higher-order logic extension PCL Proof Techniques

10 Parallel Composition of Protocols uThe parallel composition Q1 | Q2 of protocols Q1 and Q2 is the union of the sets of roles of Q1 and Q2. uExample: IKEv2 | SSL

11 Compositional Proofs: Intuition uProtocol specific reasoning “if honest Bob generates a signature of the form sig B {m, n, A}, –he sends it as part of msg2 …” Could break: Bob’s signature from one protocol could be used to attack another PCL proof system: Invariant rule uProtocol independent reasoning Axiom stating unforgeability of signatures Still good: unaffected by composition All other axioms and proof rules for PCL

12 Proof Tree Axiom INV rule Other rules Security property Inv |- Auth Auth Q1 |- Inv Inv Bulk of proof reused Additional work to prove Q2 |- Inv Q1 | Q2 |- Inv Theorem: If Q |- Inv and Q’ |- Inv, then Q | Q’ |- Inv [DDMP CSF’03 -> JCS Special Issue, MFPS’03]

13 Parallel Composition Theorem IF Q1 satisfies security property  in isolation Q2 respects the invariants  of Q1 used in the proof of security property  THEN Q1 | Q2 also satisfies security property 

14 Sequential Composition of Protocols uRun protocols in sequence uExamples Key exchange followed by secure sessions that use the exchanged key Diffie-Hellman followed by Challenge- Response = ISO-9798-3

15 ISO-9798-3 Key Exchange uAuthentication Do we need to prove it from scratch?  Shared secret: g ab AB g a, A g b, sig B { g a, g b, A} sig A { g a, g b, B} Goal: Combine proofs of Diffie-Hellman and challenge- response sub-protocols

16 Abstract challenge response uFree variables m and n instead of nonces  Modal form:  [ actions ]  precondition: Fresh(A,m) actions: [ InitACR ] A postcondition: Honest(B)  Authentication uSecrecy is proved from properties of Diffie-Hellman InitACR(A, X, m) = [ send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespACR(B, n) = [ receive Y, B, {y}; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]

17 Diffie-Hellman: Property uFormula utrue [ new a ] A Fresh(A, g a ) uDiffie-Hellman property: uCan compute g ab given g a and b or g b and a uCannot compute g ab given g a and g b

18 Challenge Response: Property uModal form:  [ actions ] P  precondition: Fresh(A,m) actions: [ Initiator role actions ] A postcondition: Honest(B)  ActionsInOrder( send(A, {A,B,m}), receive(B, {A,B,m}), send(B, {B,A,{n, sig B {m, n, A}}}), receive(A, {B,A,{n, sig B {m, n, A}}}) )

19 Composition: DH+CR = ISO-9798-3 Additive Combination uDH post-condition matches CR precondition uSequential Composition: Substitute g a for m in CR to obtain ISO. Apply composition rule ISO initiator role inherits CR authentication. uDH secrecy is also preserved Proved using another application of composition rule. Nondestructive Combination DH and CR satisfy each other’s invariants

20 Definition of Sequential Composition

21 Sequential Composition Theorem uBoth protocols should satisfy each other’s invariants (similar to parallel composition) uPost-condition of first should match pre- condition of second protocol

22 uModular Proofs Parallel Composition Sequential Composition uGeneric Template-style Proofs Function variables Higher-order logic extension PCL Proof Techniques

23 Protocol Templates uProtocols with function variables instead of specific cryptographic operations uIdea: One template can be instantiated to many protocols uAdvantages: proof reuse design principles/patterns [DDMP CSF’04]

24 Example A  B: m B  A: n, F(B,A,n,m) A  B: G(A,B,n,m) A  B: m B  A: n,E KAB (n,m,B) A  B: E KAB (n,m) A  B: m B  A: n,H KAB (n,m,B) A  B: H KAB (n,m,A) A  B: m B  A: n, sig B (n,m,A) A  B: sig A (n,m,B) Challenge-Response Template ISO-9798-2 ISO-9798-3SKID3 Instantiations

25 Extending Formalism uLanguage Extensions Add function variables to term language for cords and logic (HOL) uSemantics Q |= φ  σQ |= σφ, for all substitutions σ eliminating all function variables uSoundness Theorem Every provable formula is valid

26 Abstraction-Instantiation Method(1) uCharacterizing protocol concepts Step 1: Under hypotheses about function variables and invariants, prove security property of template Step 2: Instantiate function variables to cryptographic operations and prove hypotheses. uBenefit: Proof reuse

27 Example Challenge-Response Template A  B: m B  A: n, F(B,A,n,m) A  B: G(A,B,n,m) Step 1: Hypotheses: Function F(B,A,n,m) can be computed only by B or A,… Property: Mutual authentication Step 2: Instantiate F() to signature, keyed hash, encryption (ISO- 9798-2,3, SKID3) Satisfies hypotheses => Guarantees mutual authentication

28 Proof Structure Template axiomhypothesis Instance Discharge hypothesis Proof reuse

29 Abstraction-Instantiation Method(2) uCombining protocol templates If protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both. uBenefits: Modular proofs of properties Formalization of protocol refinements

30 Refinement Example Revisited Two templates: Template 1: authentication + shared secret (Preserves existing properties; proof reused) Template 2: identity protection (encryption) (Adds new property) A  B: g a, A B  A: g b, E K {sig B {g a, g b, A}} A  B: E K {sig A {g a, g b, B}} Encrypt Signatures

31 Summary uPCL – Logic for security protocols Sound wrt symbolic and cryptographic models High-level short proofs: 2-3 pages uProof techniques Modular/compositional proofs Generic template-style proofs uProofs of industrial protocols IEEE 802.11i (w/ TLS), Kerberos, GDOI, IKEv2 (unpublished), Mobile IPv6 (in progress) uImplementation not done

32 Thanks ! Questions?

33 Modular Analysis / Composition EAP-TLS: Certificates to Authorization (PMK) 4WAY Handshake: PMK to Keys for data communication Group key: Keys for broadcast communication Data protection: AES based using above keys (Shared Secret-PMK) LaptopAccess Point Auth Server 802.11i Key Management  20 msgs in 4 components [HSDDM CCS’05 -> TISSEC Special Issue]

Download ppt "Protocol Composition Logic II Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy."

Similar presentations

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
A Logic of Secure Systems and its Application to Trusted Computing Anupam Datta, Jason Franklin, Deepak Garg, and Dilsun Kaynar Carnegie Mellon University.

A Logic of Secure Systems and its Application to Trusted Computing Anupam Datta, Jason Franklin, Deepak Garg, and Dilsun Kaynar Carnegie Mellon University.
Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.

Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.

Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.
Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.

Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.
Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.
PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.

PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.
Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.

Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
Computationally Sound Symbolic Protocol Analysis: Correspondence Theorems 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall 2007-08.

Computationally Sound Symbolic Protocol Analysis: Correspondence Theorems 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall
Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.

Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.
Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005.

Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005.
Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005.

Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005.

Similar presentations

Ads by Google