Presentation is loading. Please wait.

Presentation is loading. Please wait.

Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June."— Presentation transcript:

1 Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June 28, 2004

2 Project Goals Protocol derivation Build security protocols by combining and refining parts from basic protocols. Proof of correctness Prove protocols correct using logic that follows steps of derivation.

3 Outline Background Derivation System [CSFW03] Compositional Logic [CSFW01,CSFW03] Abstraction and Refinement Methods Applications Conclusions and Future Work

4 Example Construct protocol with properties: Shared secret Authenticated Identity Protection Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)

5 Component 1 Shared secret (with someone) A deduces: Knows(Y, g ab )  (Y = A) ۷ Knows(Y,b) Authenticated Identity Protection A  B: g a B  A: g b Diffie Hellman

6 Component 2 Shared secret Authenticated A deduces: Received (B, msg1) Λ Sent (B, msg2) Identity Protection A  B: m, A B  A: n, sig B {m, n, A} A  B: sig A {m, n, B} Challenge-Response

7 Composition Shared secret: g ab Authenticated Identity Protection m := g a n := g b A  B: g a, A B  A: g b, sig B {g a, g b, A} A  B: sig A {g a, g b, B} ISO-9798-3

8 Refinement Shared secret: g ab Authenticated Identity Protection A  B: g a, A B  A: g b, E K {sig B {g a, g b, A}} A  B: E K {sig A {g a, g b, B}} Encrypt Signatures

9 Outline Background Derivation System Compositional Logic Abstraction and Refinement Methods Applications Conclusions and Future Work

10 AB Alice reasons: if Bob is honest, then: only Bob can generate his signature. [protocol independent] if Bob generates a signature of the form sig B {m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice. [protocol specific] Alice deduces: Received (B, msg1) Λ Sent (B, msg2) m, A n, sig B {m, n, A} sig A {m, n, B} Challenge-Response: Proof Idea

11 Formalism Cord calculus Protocol programming language Protocol logic Expressing protocol properties Proof system Proving protocol properties Symbolic (“Dolev-Yao”) model

12 AB m, A n, sig B {m, n, A} sig A {m, n, B} Challenge-Response as Cords InitCR(A, X) = [ new m; send A, X, m, A; receive X, A, x, sig X {m, x, A}; send A, X, sig A {m, x, X}; ] RespCR(B) = [ receive Y, B, y, Y; new n; send B, Y, n, sig B {y, n, Y}; receive Y, B, sig Y {y, n, B}; ]

13 Correctness of CR CR |- [ InitCR(A, B) ] A Honest(B)  ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig B {m, n, A}}}), Receive(A, {B,A,{n, sig B {m, n, A}}}) ) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

14 Proof System Sample Axioms: Reasoning about possession: Has(A, {m} K )  Has(A, K)  Has(A, m) Has(A, {m,n})  Has(A, m)  Has(A, n) Reasoning about crypto primitives: Honest(X)   Decrypt(Y, enc X {m})  X=Y Honest(X)   Verify(Y, sig X {m})   m’ (  Send(X, m’)  Contains(m’, sig X {m}) Protocol-specific Rule: Honesty/Invariance rule Soundness Theorem: Every provable formula is valid

15 Outline Background Derivation System Compositional Logic Abstraction and Refinement Methods Applications Conclusions and Future Work

16 Protocol Templates Protocols with function variables instead of specific cryptographic operations Idea: One template can be instantiated to many protocols Advantages: proof reuse design principles/patterns

17 Example A  B: m B  A: n, F(B,A,n,m) A  B: G(A,B,n,m) A  B: m B  A: n,E KAB (n,m,B) A  B: E KAB (n,m) A  B: m B  A: n,H KAB (n,m,B) A  B: H KAB (n,m,A) A  B: m B  A: n, sig B (n,m,A) A  B: sig A (n,m,B) Challenge-Response Template ISO-9798-2ISO-9798-3SKID3 Abstraction Instantiations

18 Extending Formalism Language Extensions: Add function variables to term language for cords and logic (HOL) Semantics: Q |= φ  σQ |= σφ, for all substitutions σ eliminating all function variables Soundness Theorem: Every provable formula is valid

19 Abstraction-Instantiation Method(1) Characterizing protocol concepts Step 1: Under hypotheses about function variables and invariants, prove security property of template Step 2: Instantiate function variables to cryptographic operations and prove hypotheses. Benefit: Proof reuse

20 Example Challenge-Response Template A  B: m B  A: n, F(B,A,n,m) A  B: G(A,B,n,m) Step 1: Hypotheses: Function F(B,A,n,m) can be computed only by B or A,… Property: Mutual authentication Step 2: Instantiate F() to signature, keyed hash, encryption (ISO- 9798-2,3, SKID3) Satisfies hypotheses => Guarantees mutual authentication

21 Proof Structure Template axiomhypothesis Instance Discharge hypothesis Proof reuse

22 Abstraction-Instantiation Method(2) Combining protocol templates If protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both. Benefits: Modular proofs of properties Formalization of protocol refinements

23 Refinement Example Revisited Two templates: Template 1: authentication + shared secret (Preserves existing properties; proof reused) Template 2: identity protection (encryption) (Adds new property) A  B: g a, A B  A: g b, E K {sig B {g a, g b, A}} A  B: E K {sig A {g a, g b, B}} Encrypt Signatures

24 Authenticated key exchange A  B: g a, A B  A: g b, F(B,A,g b,g a ) A  B: G(A,B,g a,g b ) A  B: g a B  A: g b, F(B,g b,g a ), F’(B,g ab ) A  B: G(A,g a, g b ), G’(A,g ab ) AKE1AKE2 Shared secret Stronger authentication Identity protection for B Non-repudiation Shared secret Weaker authentication Identity protection for A Repudiability H. Krawczyk: The Cryptography of the IPSec and IKE Protocols [CRYPTO’03] ISO-9798-3, JFKi STS, JFKr, IKEv2, SIGMA

25 More examples… Authenticated Key Exchange: Template for JFKr, STS, IKE, IKEv2 Key Computation: Template for Diffie-Hellman, UM, MTI/A, MQV Combining these templates

26 Synthesis: STS-MQV STS PH cookie STS P MQV CPH MQV CP MQV C key conf. MQV RFK protect identities DH STS RFK symmetric hash MTI/A UM MTI C UM C MTI CP UM CP MTI CPH UM CPH MTI RFK UM RFK authenticate

27 Conclusions Abstraction-Instantiation using protocol templates: Single proof for similar protocols from common template Multiple protocol properties from different templates Logical foundation: Add function variables to protocol language and logic Applications: CR template: ISO-9798-2,3, SKID3 Identity protection refinement in JFK Design principles: IKEv2, JFKi, JFKr, ISO, STS, SIGMA, IKE Synthesis: DH-MQV + STS-JFKr

28 Future Work Done: Derivation idea successfully applied to large set of protocol examples Rigorous treatment of composition, refinement in protocol logic Work In Progress: Tool support for derivation system and logic Formalization of protocol transformations More applications

Download ppt "Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June."

Similar presentations

Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.

Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.
Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.

Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)
Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.

Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.
Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.

Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.
IPsec – IKE CS 470 Introduction to Applied Cryptography

IPsec – IKE CS 470 Introduction to Applied Cryptography
Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.

Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.

Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.
PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.

PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.
Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.

Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005.

Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005.
Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005.

Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005.
Proving Security of Industrial Network Protocols: Theory and Practice Anupam Datta Stanford University Oakland PC Crystal Ball Workshop January 2007.

Proving Security of Industrial Network Protocols: Theory and Practice Anupam Datta Stanford University Oakland PC Crystal Ball Workshop January 2007.
Security Analysis of Network Protocols John Mitchell Stanford University.

Security Analysis of Network Protocols John Mitchell Stanford University.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.

1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.

Similar presentations

Ads by Google