Abstraction and Refinement in Protocol Derivation

1
Abstraction and Refinement in Protocol Derivation
  • Anupam Datta, Ante Derek
  • John C. Mitchell, Dusko Pavlovic
  • Stanford University, Kestrel Institute
  • CSFW June 28, 2004

2
Project Goals
  • Protocol derivation
    • Build security protocols by combining and
      refining parts from basic protocols.
  • Proof of correctness
    • Prove protocols correct using logic that follows
      steps of derivation.

3
Outline
  • Background
  • Derivation System [CSFW03]
  • Compositional Logic [CSFW01, CSFW03]
  • Abstraction and Refinement
  • Methods
  • Applications
  • Conclusions and Future Work

4
Example
  • Construct protocol with properties
  • Shared secret
  • Authenticated
  • Identity Protection
  • Design requirements for IKE, JFK, IKEv2 (IPSec
    key exchange protocol)

5
Component 1
Diffie-Hellman
A → B: g^a
B → A: g^b
  • Shared secret (with someone)
    • A deduces: Knows(Y, g^ab) ⊃ (Y = A) ∨ Knows(Y, b)
  • Authenticated
  • Identity Protection

6
Component 2
Challenge-Response
A → B: m, A
B → A: n, sig_B(m, n, A)
A → B: sig_A(m, n, B)
  • Shared secret
  • Authenticated
    • A deduces: Received(B, msg1) ∧ Sent(B, msg2)
  • Identity Protection

7
Composition
m := g^a, n := g^b
ISO-9798-3
A → B: g^a, A
B → A: g^b, sig_B(g^a, g^b, A)
A → B: sig_A(g^a, g^b, B)
  • Shared secret g^ab
  • Authenticated
  • Identity Protection

8
Refinement
Encrypt Signatures
A → B: g^a, A
B → A: g^b, E_K(sig_B(g^a, g^b, A))
A → B: E_K(sig_A(g^a, g^b, B))
  • Shared secret g^ab
  • Authenticated
  • Identity Protection

9
Outline
  • Background
  • Derivation System
  • Compositional Logic
  • Abstraction and Refinement
  • Methods
  • Applications
  • Conclusions and Future Work

10
Challenge-Response Proof Idea
A → B: m, A
B → A: n, sig_B(m, n, A)
A → B: sig_A(m, n, B)
  • Alice reasons: if Bob is honest, then
    • only Bob can generate his signature (protocol independent)
    • if Bob generates a signature of the form sig_B(m, n, A),
      • he sends it as part of msg 2 of the protocol, and
      • he must have received msg1 from Alice (protocol specific)
  • Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)

11
Formalism
  • Cord calculus
    • Protocol programming language
  • Protocol logic
    • Expressing protocol properties
  • Proof system
    • Proving protocol properties

Symbolic (Dolev-Yao) model
12
Challenge-Response as Cords
A → B: m, A
B → A: n, sig_B(m, n, A)
A → B: sig_A(m, n, B)

InitCR(A, X):
    new m
    send A, X, m, A
    receive X, A, x, sig_X(m, x, A)
    send A, X, sig_A(m, x, X)

RespCR(B):
    receive Y, B, y, Y
    new n
    send B, Y, n, sig_B(y, n, Y)
    receive Y, B, sig_Y(y, n, B)

13
Correctness of CR
InitCR(A, X):
    new m
    send A, X, m, A
    receive X, A, x, sig_X(m, x, A)
    send A, X, sig_A(m, x, X)

RespCR(B):
    receive Y, B, y, Y
    new n
    send B, Y, n, sig_B(y, n, Y)
    receive Y, B, sig_Y(y, n, B)

CR ⊢ [InitCR(A, B)]_A Honest(B) ⊃
    ActionsInOrder(
        Send(A, {A, B, m}),
        Receive(B, {A, B, m}),
        Send(B, {B, A, n, sig_B(m, n, A)}),
        Receive(A, {B, A, n, sig_B(m, n, A)}) )

14
Proof System
  • Sample Axioms
    • Reasoning about possession
      • Has(A, {m}_K) ∧ Has(A, K) ⊃ Has(A, m)
      • Has(A, (m, n)) ⊃ Has(A, m) ∧ Has(A, n)
    • Reasoning about crypto primitives
      • Honest(X) ∧ ◇Decrypt(Y, enc_X(m)) ⊃ X = Y
      • Honest(X) ∧ ◇Verify(Y, sig_X(m)) ⊃
        ∃ m' (◇Send(X, m') ∧ Contains(m', sig_X(m)))
  • Protocol-specific rule: Honesty/Invariance rule
  • Soundness Theorem
    • Every provable formula is valid

15
Outline
  • Background
  • Derivation System
  • Compositional Logic
  • Abstraction and Refinement
  • Methods
  • Applications
  • Conclusions and Future Work

16
Protocol Templates
  • Protocols with function variables instead of
    specific cryptographic operations
  • Idea One template can be instantiated to many
    protocols
  • Advantages
  • proof reuse
  • design principles/patterns

17
Example
Challenge-Response Template (abstraction)
A → B: m
B → A: n, F(B,A,n,m)
A → B: G(A,B,n,m)

Instantiations

ISO-9798-2
A → B: m
B → A: n, E_KAB(n,m,B)
A → B: E_KAB(n,m)

SKID3
A → B: m
B → A: n, H_KAB(n,m,B)
A → B: H_KAB(n,m,A)

ISO-9798-3
A → B: m
B → A: n, sig_B(n,m,A)
A → B: sig_A(n,m,B)

18
Extending Formalism
  • Language extensions: add function variables to
    term language for cords and logic (HOL)
  • Semantics: Q ⊨ φ ⇔ σQ ⊨ σφ, for all
    substitutions σ eliminating all function
    variables
  • Soundness Theorem: every provable formula is
    valid

19
Abstraction-Instantiation Method(1)
  • Characterizing protocol concepts
    • Step 1: Under hypotheses about function variables
      and invariants, prove security property of
      template
    • Step 2: Instantiate function variables to
      cryptographic operations and prove hypotheses.
  • Benefit
    • Proof reuse

20
Example
Challenge-Response Template
A → B: m
B → A: n, F(B,A,n,m)
A → B: G(A,B,n,m)
  • Step 1
    • Hypotheses: function F(B,A,n,m) can be computed
      only by B or A, ...
    • Property: mutual authentication
  • Step 2
    • Instantiate F() to signature, keyed hash,
      encryption (ISO-9798-2,3, SKID3)
    • Satisfies hypotheses ⇒ guarantees mutual
      authentication
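
A runnable illustration of the two steps, added here and not taken from the slides or the authors' work: the template takes F and G as function variables, `skid3` instantiates them with the keyed hash H_KAB, and `unkeyed` is a constructed instantiation that violates the Step 1 hypothesis. All function names are assumptions, and the check is a test run of the hypothesis, not the formal proof.

```python
import hashlib
import hmac
import secrets

A, B = b"A", b"B"  # principal identities (constructed sample values)

def encode(*fields):
    # Length-prefix every field so field boundaries are unambiguous.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def skid3(k_ab):
    """F, G as the keyed hash H_KAB: the SKID3 instantiation."""
    def F(b, a, n, m):
        return hmac.new(k_ab, encode(n, m, b), hashlib.sha256).digest()
    def G(a, b, n, m):
        return hmac.new(k_ab, encode(n, m, a), hashlib.sha256).digest()
    return F, G

def unkeyed(_k_ab):
    """Constructed counter-example: a plain hash that anyone can compute."""
    def F(b, a, n, m):
        return hashlib.sha256(encode(n, m, b)).digest()
    def G(a, b, n, m):
        return hashlib.sha256(encode(n, m, a)).digest()
    return F, G

def run(inst_a, inst_b):
    """One run of the template; returns (A accepts B, B accepts A)."""
    (F_a, G_a), (F_b, G_b) = inst_a, inst_b
    m = secrets.token_bytes(16)   # A -> B: m
    n = secrets.token_bytes(16)   # B -> A: n, F(B,A,n,m)
    a_ok = hmac.compare_digest(F_b(B, A, n, m), F_a(B, A, n, m))
    # A -> B: G(A,B,n,m), sent only if A accepted message 2
    b_ok = a_ok and hmac.compare_digest(G_a(A, B, n, m), G_b(A, B, n, m))
    return a_ok, b_ok

def hypothesis_holds(instantiate):
    """Step 2 check: honest parties complete the run, and a party
    without K_AB cannot produce an F value that A accepts."""
    k_ab = secrets.token_bytes(32)
    outsider_key = secrets.token_bytes(32)   # outsider does not know K_AB
    honest = run(instantiate(k_ab), instantiate(k_ab))
    forged = run(instantiate(k_ab), instantiate(outsider_key))
    return honest == (True, True) and forged[0] is False

if __name__ == "__main__":
    print("SKID3 keyed hash:", hypothesis_holds(skid3))
    print("unkeyed hash:    ", hypothesis_holds(unkeyed))
```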

21
Proof Structure
[Diagram: proof of the Template and proof of the Instance. Labels: axiom, hypothesis, discharge hypothesis, proof reuse.]

22
Abstraction-Instantiation Method(2)
  • Combining protocol templates
    • If protocol P is a hypotheses-respecting
      instance of two different templates, then it has
      the properties of both.
  • Benefits
    • Modular proofs of properties
    • Formalization of protocol refinements

23
Refinement Example Revisited
Encrypt Signatures
A → B: g^a, A
B → A: g^b, E_K(sig_B(g^a, g^b, A))
A → B: E_K(sig_A(g^a, g^b, B))
  • Two templates
    • Template 1: authentication, shared secret
      (preserves existing properties; proof reused)
    • Template 2: identity protection (encryption)
      (adds new property)

24
Authenticated key exchange
AKE1 (ISO-9798-3, JFKi)
A → B: g^a, A
B → A: g^b, F(B,A,g^b,g^a)
A → B: G(A,B,g^a,g^b)
  • Shared secret
  • Stronger authentication
  • Identity protection for B
  • Non-repudiation

AKE2 (STS, JFKr, IKEv2, SIGMA)
A → B: g^a
B → A: g^b, F(B,g^b,g^a), F(B,g^ab)
A → B: G(A,g^a,g^b), G(A,g^ab)
  • Shared secret
  • Weaker authentication
  • Identity protection for A
  • Repudiability

H. Krawczyk, "The Cryptography of the IPSec and
IKE Protocols", CRYPTO03

25
More examples
  • Authenticated Key Exchange
    • Template for JFKr, STS, IKE, IKEv2
  • Key Computation
    • Template for Diffie-Hellman, UM, MTI/A, MQV
  • Combining these templates

26
Synthesis STS-MQV
[Derivation diagram. Transformation labels: protect identities, symmetric hash, cookie, authenticate, key conf. Protocol nodes: DH, STS, STSP, STSPH, RFK; MTI/A, MTIC, MTICP, MTICPH, MTIRFK; UM, UMC, UMCP, UMCPH, UMRFK; MQV, MQVC, MQVCP, MQVCPH, MQVRFK.]

27
Conclusions
  • Abstraction-Instantiation using protocol
    templates
    • Single proof for similar protocols from common
      template
    • Multiple protocol properties from different
      templates
  • Logical foundation
    • Add function variables to protocol language and
      logic
  • Applications
    • CR template: ISO-9798-2,3, SKID3
    • Identity protection refinement in JFK
    • Design principles: IKEv2, JFKi, JFKr, ISO, STS,
      SIGMA, IKE
    • Synthesis: DH-MQV, STS-JFKr

28
Future Work
  • Done
    • Derivation idea successfully applied to large set
      of protocol examples
    • Rigorous treatment of composition, refinement in
      protocol logic
  • Work In Progress
    • Tool support for derivation system and logic
    • Formalization of protocol transformations
    • More applications