Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations Anupam Datta Stanford University May 23, 2005.


1 Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations Anupam Datta Stanford University May 23, 2005

2 Protocol analysis spectrum
[chart: axes "Sophistication of attacks" (low to high) and "Protocol complexity" (low to high); plotted tools and methods: Murφ, FDR, NRL, Athena, hand proofs (Paulson), BAN logic, Spi-calculus, Poly-time calculus, model checking, Protocol Composition Logic, Computational Protocol Composition Logic, multiset rewriting; labels: "Holy Grail", "Combining logic and cryptography", "Divide and conquer"]

3 Divide-and-Conquer paradigm
Central Problem 1: composition is a hard problem in security.
- Result: Protocol Derivation System [DDMP03-05]: incremental protocol construction
- Result: Protocol Composition Logic (PCL) [DDDMP01-05]: compositional correctness proofs
- Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], [Pfitzmann-Waidner01], …

4 Combining logic and cryptography
Central Problem 2
- Symbolic model [NS78, DY84]
  - Perfect cryptography assumption
  + Idealization => tools and techniques
- Complexity-theoretic model [GM84]
  + More detailed model; probabilistic guarantees
  - Hand-proofs very hard; no automation
- Result: Computational PCL [DDMST05]
  + Logical proof methods
  + Complexity-theoretic crypto model
- Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04], [Adao-Bana-Scedrov05]

5 Applied to industrial protocols
- IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG) [He et al]
- IKEv2 [IETF Internet Draft; 2004] [Aron et al]
- TLS/SSL [RFC 2246; 1999] [He et al]
- Mobile IPv6 [RFC 3775; 2004] (New Attack!) [Roy et al]
- Kerberos V5 [IETF Internet Draft; 2004] [Cervesato et al]
- GDOI Secure Group Communication protocol [RFC 3547; 2003] (Attack! Fix adopted by IETF WG) [Meadows et al]

6 Outline
Protocol Composition Logic
- Background
- Compositional Reasoning
- Complexity-theoretic foundations

7 Challenge-Response: Proof Idea
[message flow: A -> B: m, A; B -> A: n, sig B {m, n, A}; A -> B: sig A {m, n, B}]
Alice reasons: if Bob is honest, then:
- only Bob can generate his signature. [protocol independent]
- if Bob generates a signature of the form sig B {m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice. [protocol specific]
Alice deduces: Received(B, msg1) Λ Sent(B, msg2)

8 Formalism
- Cord calculus: protocol programming language; execution model (symbolic/"Dolev-Yao")
- Protocol logic: expressing protocol properties
- Proof system: proving protocol properties; soundness theorem

9 Challenge-Response as Cords
[message flow: A -> B: m, A; B -> A: n, sig B {m, n, A}; A -> B: sig A {m, n, B}]
InitCR(A, X) = [ new m; send A, X, m, A; receive X, A, x, sig X {m, x, A}; send A, X, sig A {m, x, X}; ]
RespCR(B) = [ receive Y, B, y, Y; new n; send B, Y, n, sig B {y, n, Y}; receive Y, B, sig Y {y, n, B}; ]

10 Challenge Response: Property
Modal form:  [ actions ] P 
- precondition: Fresh(A,m)
- actions: [ Initiator role actions ] A
- postcondition: Honest(B)  ActionsInOrder( send(A, {A,B,m}), receive(B, {A,B,m}), send(B, {B,A,{n, sig B {m, n, A}}}), receive(A, {B,A,{n, sig B {m, n, A}}}) )
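As an added illustration (not code from the slides or from the authors' tools), the Python model below runs the InitCR and RespCR cords of slide 9 as generators over a symbolic network and then checks the slide 10 postcondition, ActionsInOrder over the four send/receive actions, on the resulting trace. The round-robin scheduler, the tuple encoding of terms and signatures, and the names execute, actions_in_order and cr_postcondition are assumptions of this example.

```python
from itertools import count
_fresh = count()
def new(tag): return (tag, next(_fresh))         # 'new x': a fresh nonce as a unique symbolic term
def sig(X, *fields): return ('sig', X, fields)    # sig_X{...}: a term only an honest X can build

def init_cr(A, X):
    """InitCR(A, X) = [ new m; send A,X,m,A; receive X,A,x,sig_X{m,x,A}; send A,X,sig_A{m,x,X} ]"""
    m = new('m')
    yield ('send', A, X, (m, A))
    _, (x, s) = yield ('receive', X, A)           # a receive resumes with (sender, payload)
    assert s == sig(X, m, x, A), "msg 2 signature does not match the receive pattern"
    yield ('send', A, X, sig(A, m, x, X))

def resp_cr(B):
    """RespCR(B) = [ receive Y,B,y,Y; new n; send B,Y,n,sig_B{y,n,Y}; receive Y,B,sig_Y{y,n,B} ]"""
    Y, (y, _) = yield ('receive', None, B)        # None: the sender Y is bound by this receive
    n = new('n')
    yield ('send', B, Y, (n, sig(B, y, n, Y)))
    _, s = yield ('receive', Y, B)
    assert s == sig(Y, y, n, B), "msg 3 signature does not match the receive pattern"

def execute(*cords):
    """Assumed round-robin scheduler; trace entries are (kind, principal, (src, dst, payload))."""
    trace, network, live = [], [], {c: next(c) for c in cords}
    while live:
        for cord, act in list(live.items()):
            if act[0] == 'send':
                msg, resume = act[1:], None
                network.append(msg); trace.append(('send', msg[0], msg))
            else:                                 # a receive blocks until a matching message exists
                msg = next((m for m in network if m[1] == act[2] and act[1] in (None, m[0])), None)
                if msg is None: continue
                network.remove(msg); trace.append(('receive', msg[1], msg))
                resume = (msg[0], msg[2])
            try:
                live[cord] = cord.send(resume)
            except StopIteration:
                del live[cord]
    return trace

def actions_in_order(trace, *actions):           # ActionsInOrder(a1, ..., ak): a subsequence check
    it = iter(trace)
    return all(a in it for a in actions)

def cr_postcondition(trace, A, B):
    """Slide 10 postcondition, with m and n read off A's and B's first sends."""
    m, n = (next(msg[2][0] for k, p, msg in trace if k == 'send' and p == P) for P in (A, B))
    msg1, msg2 = (A, B, (m, A)), (B, A, (n, sig(B, m, n, A)))
    return actions_in_order(trace, ('send', A, msg1), ('receive', B, msg1),
                            ('send', B, msg2), ('receive', A, msg2))
```

Calling execute(init_cr('A', 'B'), resp_cr('B')) yields the six-action honest run, on which cr_postcondition returns True.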

11 Proof System
Sample axioms:
- Reasoning about possession:
  - [receive m ] A Has(A,m)
  - Has(A, {m,n})  Has(A, m)  Has(A, n)
- Reasoning about crypto primitives:
  - Honest(X)  Decrypt(Y, enc X {m})  X=Y
  - Honest(X)  Verify(Y, sig X {m})   m’ (Send(X, m’)  Contains(m’, sig X {m}))
Soundness Theorem: every provable formula is valid.

12 Invariant Rule: reasoning about honest principals’ actions
- Definition: a protocol step begins with a receive and ends before the next receive.
- Rule: [ ] X   B  ProtocolSteps(Q).  [B] X  Q  Honest(X)  
- Example: CR  Honest(X)  (Sent(X, m2)  Received(X, m1))

13 Outline
Protocol Composition Logic
- Background
- Compositional Reasoning
- Complexity-theoretic foundations

14 Reasoning about Composition
- Non-destructive combination: ensure the combined parts do not interfere (in logic: invariance assertions)
- Additive combination: accumulate the security properties of the combined parts, assuming they do not interfere (in logic: before-after assertions)

15 Proof steps (Intuition)
- Protocol-independent reasoning, e.g. Has(A, {m,n})  Has(A, m)  Has(A, n): still good, unaffected by composition.
- Protocol-specific reasoning, e.g. “if honest Bob generates a signature of the form sig B {m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice”: could break, because Bob’s signature from one protocol could be used to attack another.
Technically: protocol-specific proof steps use invariants, and invariants must be preserved for safe composition.

16 Diffie-Hellman: Property
- Formula: [ new a ] A Fresh(A, g^a)
- Explanation: modal form [ actions ] P ; actions: [ new a ] A; postcondition: Fresh(A, g^a)

17 Challenge Response: Property (slide 10 repeated)

18 Composition: DH + CR = ISO-9798-3
Additive combination:
- DH postcondition matches CR precondition.
- Sequential composition: substitute g^a for m in CR to obtain ISO and apply the composition rule; the ISO initiator role inherits CR authentication.
- DH secrecy is also preserved, proved using another application of the composition rule.
Nondestructive combination: DH and CR satisfy each other’s invariants.

19 Composing protocols
[diagram: DH, with invariant Honest(X)  …, proves Secrecy; CR, with invariant Honest(X)  …, proves Authentication; each protocol satisfies the other’s invariant [nondestructive], and the composition ISO proves Secrecy  Authentication [additive]]

20 Composition Theorems
- Parallel Composition [DDMP-JCS05]: If Q  ,  |-  [ S ] P , and Q’  , then Q | Q’   [ S ] P 
- Sequential Composition [DDMP-JCS05]: If Q  ,  |-  [ S ] P , Q’   ’,  ’ |-  [ T ] P , Q   ’, Q’  , then Q’’   [ S T ] P , where Q’’ is a sequential composition of Q and Q’
- Staged Composition [HSDDM05]

21 Parallel Composition
[diagram: protocol Q running in a safe environment of protocols Q1, Q2, Q3, …, Qn; Q |- Inv(Q); Inv(Q) |-  [ P ] X ; each Qi |- Inv(Q); conclusion: Q | (Q1 | Q2 | … | Qn) |-  [ P ] X ; no reasoning about the attacker]
Different from: assume-guarantee in distributed computing [MC81]; Universal Composability [C01, PW01]

22 Staged Composition
[diagram: components Q1, Q2, Q3, …, Qn. Proof of component: Qi |- Inv(Qi), Inv(Qi) |- i [Pi] X i. Parallel composition: Qi |- Inv(Qj). Sequential composition: i  i+1. Staged composition:  B   j>= i ProtocolSteps(Qi). i [ B] X i. Conclusion: SC(Q1, Q2, …, Qn) |- 1 [P;Pi] X i]
Applicable to large protocols with error-handling flows between components, e.g., IEEE 802.11i.

23 Outline
Protocol Composition Logic
- Background
- Compositional Reasoning
- Complexity-theoretic foundations

24 Two worlds: can we get the best of both?
Attacker actions:
  Symbolic model [NS78, DY84, …]: - fixed set of actions, e.g., decryption with known key (ABSTRACTION)
  Complexity-theoretic model [GM84, …]: + any probabilistic poly-time computation
Security properties:
  Symbolic model: - idealized, e.g., secret message = not possessing the atomic term representing the message (ABSTRACTION)
  Complexity-theoretic model: + fine-grained, e.g., secret message = no partial information about the bitstring representation
Analysis methods:
  Symbolic model: + successful array of tools and techniques; automation
  Complexity-theoretic model: - hand-proofs are difficult and error-prone; no automation

25 Our Approach
[diagram: Protocol Composition Logic (PCL) = syntax + proof system + semantics in the symbolic “Dolev-Yao” model (talk so far); Computational PCL = syntax ± , proof system ± , semantics in the complexity-theoretic model; leverage PCL success]

26 Main Result
- Computational PCL: a symbolic logic for proving security properties of network protocols that use public-key encryption
- Soundness Theorem: if a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1.
+ Symbolic proofs
+ Complexity-theoretic model

27 Syntax
- Similar to PCL
- Main difference: Has(X,t) in PCL becomes Possess(X,t) and Indistinguishable(X,t) in Computational PCL

28 Complexity-theoretic semantics
Fix protocol Q, PPT adversary A and security parameter n. Vary the random bits used by all programs to obtain a set of equiprobable traces T = T(Q,A,n).
Q |=  if  A  D  f negligible function  n0  n > n0 s.t. |[[  ]](T,D,f)| / |T| > 1 – f(n), where [[  ]](T,D,f)  T(Q,A,n) represents the probability.

29 Inductive Semantics
[[ 1  2 ]](T,D,) = [[ 1 ]](T,D,)  [[ 2 ]](T,D,)
[[ 1  2 ]](T,D,) = [[ 1 ]](T,D,)  [[ 2 ]](T,D,)
[[  ]] = T - [[  ]](T,D,)
Implication uses conditional probability: [[ 1  2 ]](T,D,) = [[  1 ]](T,D,)  [[ 2 ]](T’,D,) with T’ = [[ 1 ]](T,D,)
Semantics of formulas are transformers on probability distributions over traces.

30 Example
[message flow: A -> B: A, B, {n, A} B]
Security property (secrecy): [Initiator Program] A Honest(B)  (  X (X  A,B)  Indistinguishable(X,n))

31 Soundness of proof system
- Axiom: Source(Y,u,{m} X )   Decrypts(X, {m} X )  Honest(X,Y)  (Z  X,Y)  Indistinguishable(Z, u)
- Proof idea: crypto-style reduction
  - Assume the axiom is not valid:  A  D  f negligible function  n0  n > n0 s.t. |[[  ]](T,D,f)| / |T| < 1 – f(n)
  - Construct an attacker A’ that uses A, D to break an IND-CCA2 secure encryption scheme
  - Conditional implication is essential
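As an added Python sketch (not the authors' semantics and not part of the slides; the Trace fields, the eps threshold used to decide Indistinguishable and the trace set are constructed assumptions), the block below evaluates the slide 29 clauses over a finite trace set, treating Indistinguishable as a property of the whole distribution rather than of a single trace, and compares the conditional implication with a classical one on the secrecy property of slide 30, which is what slide 31's "conditional implication is essential" refers to.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Trace:
    """One run of protocol Q against adversary A at security parameter n (constructed)."""
    tid: int
    events: frozenset       # symbolic actions that occurred on this trace
    guess_correct: bool     # whether A's distinguisher D guessed the hidden bit

def sem(phi, T, eps):
    """[[phi]](T, D, eps): the subset of T on which phi holds, following the slide 29 clauses.
    Formulas are tuples: ('atom', e) | ('indist', x) | ('not', p) | ('and', p, q) | ('or', p, q) | ('imp', p, q)."""
    T, kind = frozenset(T), phi[0]
    if kind == 'atom':        # trace property: decided trace by trace
        return frozenset(t for t in T if phi[1] in t.events)
    if kind == 'indist':      # Indistinguishable: a property of the whole distribution T, not of
        if not T:             # one trace; holds on all of T iff D's success rate is within eps of 1/2
            return T
        rate = sum(t.guess_correct for t in T) / len(T)
        return T if abs(rate - 0.5) <= eps else frozenset()
    if kind == 'not':
        return T - sem(phi[1], T, eps)
    if kind == 'and':
        return sem(phi[1], T, eps) & sem(phi[2], T, eps)
    if kind == 'or':
        return sem(phi[1], T, eps) | sem(phi[2], T, eps)
    if kind == 'imp':         # conditional: the consequent is evaluated on T' = [[p]](T)
        T1 = sem(phi[1], T, eps)
        return (T - T1) | sem(phi[2], T1, eps)
    raise ValueError(f"unknown connective {kind}")

def classical_imp(p, q, T, eps):
    """Non-conditional reading [[not p]](T) | [[q]](T), included only for contrast."""
    T = frozenset(T)
    return (T - sem(p, T, eps)) | sem(q, T, eps)

def holds(phi, T, eps, f):
    """Q |= phi (slide 28): the fraction of satisfying traces exceeds 1 - f."""
    return len(sem(phi, T, eps)) / len(T) > 1 - f

def sample_traces():
    """Constructed trace set: six runs with an honest B, where D guesses the nonce at
    chance level, and two runs with a dishonest B, where D trivially learns it."""
    honest = [Trace(i, frozenset({'Honest(B)'}), i % 2 == 0) for i in range(6)]
    dishonest = [Trace(i, frozenset(), True) for i in range(6, 8)]
    return frozenset(honest + dishonest)

# Shape of the slide 30 secrecy property: Honest(B) implies Indistinguishable(X, n)
SECRECY = ('imp', ('atom', 'Honest(B)'), ('indist', 'n'))
```

On the sample, the conditional reading holds on all 8 traces while the classical one holds only on the 2 dishonest runs, because D's success rate over all of T (5/8) hides that it is exactly 1/2 on the honest runs.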

32 Logic and Cryptography: Big Picture
[diagram: complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption) are satisfied by crypto constructions (e.g., the Cramer-Shoup encryption scheme); the semantics and soundness theorem connect these definitions to the axioms of the proof system; protocol security proofs are then carried out using the proof system]

33 Current Work
- Investigate the nature of the logic: propositional fragment not classical; implication represents conditional probability; complexity-theoretic reductions; connections with probabilistic logics (e.g. Nilsson86)
- Generalize reasoning about secrecy: probability close to ½ instead of 1; not a trace property
- Extend the logic: more primitives (signature, hash functions, …); remove current syntactic restrictions on formulas
- Information-theoretic semantics: only probability; no complexity

34 Summary
- Methodology:
  - Divide-and-conquer paradigm in security
  - Combining logic and cryptography
- Applications:
  - IEEE 802.11i (Attack! Fix adopted by IEEE WG)
  - GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
  - IKEv2 [IETF Internet Draft; 2004]
  - TLS [RFC 2246; 1999]
  - Kerberos V5 [IETF Internet Draft; 2004]
  - Mobile IPv6 [RFC 3775; 2004] (New Attack!)

35 Publications in dissertation
- A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic
  - A derivation system and compositional logic for security protocols [CSFW03, JCS05 special issue]
  - Abstraction and refinement in protocol derivation [CSFW04]
- A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic [ICALP05]
- A. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan, V. Shmatikov. Unifying equivalence-based definitions of protocol security [WITS04]

36 Other publications
- A. Datta, R. Kuesters, J. C. Mitchell, A. Ramanathan. On the Relationships between Notions of Simulation-based Security [TCC05]
- M. Backes, A. Datta, A. Derek, J. C. Mitchell, M. Turuani. Compositional Analysis of Contract-Signing Protocols [CSFW05]
- A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. Secure Protocol Composition [MFPS03]
- A. Datta, A. Derek, J. C. Mitchell, A. Ramanathan, A. Scedrov. The Impossibility of Realizable Ideal Functionality [In submission]
- C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i [In submission]
