Security Analysis of Network Protocols - PowerPoint PPT Presentation

1
Security Analysis of Network Protocols
  • Anupam Datta
  • Stanford University
  • CIS Seminar, MIT
  • November 18, 2005

2
Outline
  • Part I Overview
  • Motivation
  • Central problems
  • Divide and Conquer paradigm
  • Combining logic and cryptography
  • Results
  • Part II Protocol Composition Logic
  • Compositional Reasoning
  • Complexity-theoretic foundations

3
This talk is about
  • Network security protocols
  • Internet Engineering Task Force (IETF) Standards
  • SSL/TLS - web authentication
  • IPSec - corporate VPNs
  • Mobile IPv6 routing security
  • Kerberos - network authentication
  • GDOI secure group communication
  • IEEE Standards Working Group
  • 802.11i - wireless LAN security
  • 802.16e wireless MAN security
  • And methods for their security analysis
  • Security proof in some model or
  • Identify attacks

4
Run of a protocol
[Diagram: message-sequence chart of one run between principals A and B]
Correct if no security violation in any run
5
Characteristics of protocols
  • Relatively simple distributed programs
  • 5-7 steps, 3-10 fields per message (per component)
  • Mission critical
  • Security of data, credit card numbers, ...
  • Subtle
  • Concurrency: an attack may combine data from many sessions
  • Computation: modeling cryptographic primitives
  • Good domain for logical methods
  • Active research area since the early 80s

6
Security Analysis Methodology
[Diagram: Protocol + Property + Attacker model → Analysis Tool → Security proof or attack]
7
Protocol analysis methods
  • Cryptographic reductions
  • Bellare-Rogaway, Shoup, many others
  • UC [Canetti et al], Simulatability [BPW]
  • Prob poly-time process calculus [LMRST]
  • Symbolic methods
  • Model checking
  • FDR [Lowe, Roscoe, ...], Murphi [Mitchell, Shmatikov, ...]
  • NRL protocol analyzer [Meadows], Athena [Song]
  • Theorem proving
  • Isabelle [Paulson], Specialized logics [BAN, ...], PCL

8
Examples of protocol flaws
  • IKE [Meadows 1999]
  • Reflection attack; fix adopted by IETF WG
  • IEEE 802.11i [He, Mitchell 2004]
  • DoS attack; fix adopted by IEEE WG
  • GDOI [Meadows, Pavlovic 2004]
  • Composition attack; fix adopted by IETF WG
  • Kerberos V5 [Scedrov et al 2005]
  • Identity misbinding attack; fix adopted by IETF WG

9
IEEE 802.11i wireless security 2004
[Diagram: Wireless Device ↔ Access Point ↔ Authentication Server, with the protocol phases in order: 802.11 Association; EAP/802.1X/RADIUS Authentication; 4-way handshake; Group key handshake; Data communication. Uses crypto: encryption, hash, ...]
  • Divide-and-conquer paradigm
  • Combining logic and cryptography
10
Divide-and-Conquer paradigm
  • Result: Protocol Derivation System [DDMP03-05]
  • Incremental protocol construction
  • Result: Protocol Composition Logic (PCL) [DDDMP01-05]
  • Compositional correctness proofs
  • Related work: [Heintze-Tygar96, Lynch99, Sheyner-Wing00, Canetti01, Pfitzmann-Waidner01, ...]
  • Composition is a hard problem in security

Central Problem 1
11
Combining logic and cryptography
  • Symbolic model [NS78, DY84]
  • − Perfect cryptography assumption
  • + Idealization ⇒ tools and techniques
  • Complexity-theoretic model [GM84]
  • + More detailed model: probabilistic guarantees
  • − Hand-proofs very hard: no automation
  • Result: Computational PCL [DDMST05]
  • Logical proof methods
  • Complexity-theoretic crypto model
  • Related work: [Mitchell-Scedrov et al 98-04, Abadi-Rogaway00, Backes-Pfitzmann-Waidner03-04, Micciancio-Warinschi04]

Central Problem 2
12
Applied to industrial protocols
  • IEEE 802.11i [IEEE Standards 2004] [He et al]
  • TLS/SSL [RFC 2246] is a component
  • IKE/JFK family
  • IKEv2 [IETF ID 2004], in progress [Aron et al]
  • Mobile IPv6 [RFC 3775], in progress [Roy et al]
  • Kerberos V5 [IETF ID 2004] [Cervesato et al]
  • GDOI Secure Group Communication protocol [RFC 3547] [Meadows et al]

13
Protocol analysis spectrum
[Figure: scatter plot. x-axis: Protocol complexity (Low → High); y-axis: Strength of attacker model (Low → High). Plotted methods: Model checking (Murphi, FDR) at low attacker strength and low protocol complexity; BAN logic; NRL; Athena; Paulson; Multiset rewriting; Spi-calculus; Protocol logic; Poly-time calculus; Hand proofs (high attacker strength); Computational Protocol logic; "Holy Grail" at high attacker strength and high protocol complexity. Arrows labelled "Divide and conquer" and "Combining logic and cryptography" mark the two directions of the talk's approach; several positions are marked "?".]
14
Outline
  • Part I Overview
  • Part II Protocol Composition Logic
  • Compositional Reasoning
  • Complexity-theoretic foundations

15
Challenge-Response Proof Idea
[Diagram: A → B: m, A;  B → A: n, sig_B{m, n, A};  A → B: sig_A{m, n, B}]
  • Alice reasons: if Bob is honest, then
  • only Bob can generate his signature [protocol independent]
  • if Bob generates a signature of the form sig_B{m, n, A},
  • he sends it as part of msg 2 of the protocol and
  • he must have received msg1 from Alice [protocol specific]
  • Alice deduces Received(B, msg1) ∧ Sent(B, msg2)

16
Reasoning method
  • Reason about local information
  • I know my own actions
  • Incorporate knowledge of protocol
  • Honest people faithfully follow protocol
  • No explicit reasoning about intruder
  • Absence of bad action expressed as a positive
    property of good actions
  • E.g., an honest agent's signature can be produced only by that agent

Distinguishes our method from existing techniques
17
Formalism
  • Cord calculus
  • Protocol programming language
  • Execution model (Symbolic/Dolev-Yao)
  • Protocol logic
  • Expressing protocol properties
  • Proof system
  • Proving protocol properties
  • Soundness theorem

18
Challenge-Response as Cords
[Diagram: A → B: m, A;  B → A: n, sig_B{m, n, A};  A → B: sig_A{m, n, B}]
InitCR(A, X) = [ new m; send A, X, m; receive X, A, x, sig_X{m, x, A}; send A, X, sig_A{m, x, X} ]_A
RespCR(B) = [ receive Y, B, y; new n; send B, Y, n, sig_B{y, n, Y}; receive Y, B, sig_Y{y, n, B} ]_B
19
Execution model
  • Protocol
  • Program for each protocol role
  • Initial configuration
  • Set of principals and keys
  • Assignment of ≥1 role to each principal
  • Run

[Diagram: one run with a marked position. A: New x; Send ⟨x⟩ to B.  B: Recv x; Recv z.  C: New z; Send ⟨z⟩ to B.]
20
Attacker capabilities
  • Controls complete network
  • Can read, remove, inject messages
  • Fixed set of operations on terms
  • Pairing
  • Projection
  • Encryption with known key
  • Decryption with known key

21
Formulas true at a position in run
  • Action formulas
  • a ::= Send(P,m) | Receive(P,m) | New(P,t) | Decrypt(P,t) | Verify(P,t)
  • Formulas
  • φ ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | ¬φ | φ1 ∧ φ2 | ∃x φ | ◇φ | ⊖φ
  • Example
  • After(a,b) ≡ ◇(b ∧ ⊖◇a)

22
Challenge Response Property
  • Modal form: θ [actions]_P φ
  • precondition: Fresh(A,m)
  • actions: [Initiator role actions]_A
  • postcondition:
  • Honest(B) ⊃ ActionsInOrder(
  •   send(A, {A,B,m}),
  •   receive(B, {A,B,m}),
  •   send(B, {B,A,n, sig_B{m, n, A}}),
  •   receive(A, {B,A,n, sig_B{m, n, A}}) )

Secure if desired property holds in all runs
23
Proof System
  • Sample Axioms
  • Reasoning about possession
  • [receive m]_A Has(A,m)
  • Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
  • Reasoning about crypto primitives
  • Honest(X) ∧ Decrypt(Y, enc_X{m}) ⊃ X = Y
  • Honest(X) ∧ Verify(Y, sig_X{m}) ⊃
  •   ∃ m' (Send(X, m') ∧ Contains(m', sig_X{m}))
  • Soundness Theorem
  • Every provable formula is valid

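An added example (not the talk's or PCL's own code) of the fixed-operation symbolic attacker from the "Attacker capabilities" slide: its knowledge is closed under projection and decryption with a known key, the symbolic counterpart of the Has axioms above, and it is then asked what it can synthesize over a constructed Challenge-Response run. The attacker name E, the key names and the INVERSE table are assumptions.

```python
"""Symbolic (Dolev-Yao) attacker with the fixed term operations of the
'Attacker capabilities' slide. Added example, not the talk's own code.
Atoms are strings; compound terms are tuples tagged pair / enc / sig."""

def pair(a, b): return ("pair", a, b)
def enc(k, m): return ("enc", k, m)   # encryption of m under key k
def sig(k, m): return ("sig", k, m)   # signature on m with signing key k

def tup(*xs):
    """Right-nested pairing for multi-field messages such as (m, n, A)."""
    return xs[0] if len(xs) == 1 else pair(xs[0], tup(*xs[1:]))

# Constructed key material (assumption): public key -> private key.
# A symmetric key is its own inverse.
INVERSE = {"pk_A": "sk_A", "pk_B": "sk_B", "pk_E": "sk_E"}

def analyze(observed):
    """Close knowledge under projection, cf. Has(A,{m,n}) > Has(A,m) ^ Has(A,n),
    and decryption with a known key; a signature reveals its payload only."""
    known = set(observed)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            tag = t[0] if isinstance(t, tuple) else None
            if tag == "pair":
                new = {t[1], t[2]}
            elif tag == "sig" or (tag == "enc" and INVERSE.get(t[1], t[1]) in known):
                new = {t[2]}
            else:
                continue
            if not new <= known:
                known |= new
                changed = True
    return known

def synthesize(goal, known):
    """Build goal by pairing, encrypting or signing with keys the attacker has:
    every component, including the key, must itself be derivable."""
    if goal in known:
        return True
    if isinstance(goal, tuple):
        return all(synthesize(x, known) for x in goal[1:])
    return False

def derivable(goal, observed):
    return synthesize(goal, analyze(observed))

# Constructed Challenge-Response run (slide 15) between A and B, seen by
# attacker E, who also knows every name and public key and its own sk_E.
m, n = "nonce_m", "nonce_n"
msg1 = tup(m, "A")
msg2 = tup(n, sig("sk_B", tup(m, n, "A")))
msg3 = sig("sk_A", tup(m, n, "B"))
OBSERVED = {"A", "B", "E", "pk_A", "pk_B", "pk_E", "sk_E", msg1, msg2, msg3}
```

The attacker can replay msg2 and sign with its own key, but cannot produce sig_B over a fresh nonce, which is the "only Bob can generate his signature" step of the proof idea expressed as a derivability check.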
24
Outline
  • Part I Overview
  • Part II Protocol Composition Logic
  • Compositional Reasoning
  • Complexity-theoretic foundations

25
Reasoning about Composition
  • Non-destructive Combination
  • Ensure combined parts do not interfere
  • In logic invariance assertions
  • Additive Combination
  • Accumulate security properties of combined
    parts, assuming they do not interfere
  • In logic before-after assertions

26
Proof steps (Intuition)
  • Protocol independent reasoning
  • Has(A, {m,n}) ⊃ Has(A, m) ∧ Has(A, n)
  • Still good: unaffected by composition
  • Protocol specific reasoning
  • if honest Bob generates a signature of the form sig_B{m, n, A},
  • he sends it as part of msg 2 of the protocol and
  • he must have received msg1 from Alice
  • Could break: Bob's signature from one protocol could be used to attack another
  • Technically
  • Protocol-specific proof steps use invariants
  • Invariants must be preserved for safe composition

27
Invariants
  • Reasoning about honest principals
  • Invariance rule, called honesty rule
  • Preservation of invariants under composition
  • If we prove Honest(X) ⊃ φ for protocol 1 and compose with protocol 2, is the formula still true?

28
Honesty Rule (Induction)
  • Definition
  • A protocol step begins with a receive and ends before the next receive
  • Rule
  • ∀ρ ∈ Q. ∀B ∈ ProtocolSteps(ρ). ⊢ [B]_X φ
  • ———————————————————————
  • Q ⊢ Honest(X) ⊃ φ
  • Example
  • CR ⊢ Honest(X) ⊃ (Sent(X, m2) ⊃ Received(X, m1))

29
Composition of protocols
[Diagram: ISO-Init(X, Y) is built from DH-Init(X, Y) followed by CR-Init(W, Z, w, x), the output of the first feeding the parameters of the second]
DH-Init(X, Y) = [ new x ]   output: X, Y, g^x, x
CR-Init(W, Z, w, x) = [ send W, Z, w; receive Z, W, z, sig_Z{w, z, W}; send W, Z, sig_W{w, z, Z} ]   output: X, Y, z^x
ISO-Init(X, Y) = [ new x; send X, Y, g^x; receive Y, X, z, sig_Y{g^x, z, X}; send X, Y, sig_X{g^x, z, Y} ]   output: X, Y, z^x
Sequential composition with term substitution (W, Z, w ↦ X, Y, g^x)
30
Compositional proofs
[Diagram: proof tree for ISO = DH ∘ CR; Γ_DH and Γ_CR are the invariants of the two components]
  • DH ⊢ Honest(X) ⊃ Γ_DH
  • CR ⊢ Honest(X) ⊃ Γ_CR
  • Γ_CR ⊢ Authentication
  • Γ_DH ⊢ Secrecy
  • Γ_DH ∧ Γ_CR ⊢ Secrecy
  • Γ_DH ∧ Γ_CR ⊢ Authentication
  • Γ_DH ∧ Γ_CR ⊢ Secrecy ∧ Authentication   (additive)
  • DH ∘ CR ⊢ Γ_DH ∧ Γ_CR   (nondestructive)

ISO ⊢ Secrecy ∧ Authentication
31
Composition Rules
  • Invariant weakening rule
  •   Γ ⊢ θ [P] φ
  •   ———————————
  •   Γ ∧ Γ' ⊢ θ [P] φ
  • Sequential Composition
  •   Γ ⊢ θ [S]_P μ    Γ ⊢ μ [T]_P φ
  •   ————————————————————————
  •   Γ ⊢ θ [ST]_P φ
  • Prove invariants from protocol
  •   Q ⊢ Γ    Q' ⊢ Γ
  •   ———————————
  •   Q ∘ Q' ⊢ Γ

Sequential, parallel, staged composition theorems
MFPS03,CCS05
32
Composition Big Picture
  • Q ⊢ Inv(Q)
  • Inv(Q) ⊢ Φ
  • Q_i ⊢ Inv(Q)
  • No reasoning about attacker

[Diagram: Protocol Q running inside a "Safe Environment for Q" made up of protocols Q1, Q2, Q3, ..., Qn]
  • Different from
  • Assume-guarantee in distributed computing [MC81]
  • Universal Composability [C01, PW01]
33
Outline
  • Part I Overview
  • Part II Protocol Composition Logic
  • Compositional Reasoning
  • Complexity-theoretic foundations

34
Two worlds
  • Symbolic model [NS78, DY84] vs. Complexity-theoretic model [GM84]
  • Attacker actions: fixed set of actions, e.g., decryption with known key (ABSTRACTION) vs. any probabilistic poly-time computation
  • Security properties: idealized, e.g., secret message = not possessing the atomic term representing the message (ABSTRACTION) vs. fine-grained, e.g., secret message = no partial information about its bitstring representation
  • Analysis methods: + successful array of tools and techniques (automation) vs. − hand-proofs are difficult and error-prone (no automation)
Can we get the best of both worlds?
35
Our Approach
[Diagram: two columns]
  • Protocol Composition Logic (PCL): Syntax; Proof System; Semantics in the symbolic Dolev-Yao model [talk so far]
  • Computational PCL: Syntax (≈ PCL); Proof System (≈ PCL); Semantics in the complexity-theoretic model
  • Leverage PCL success
36
Main Result
  • Computational PCL
  • Symbolic logic for proving security properties of
    network protocols
  • Soundness Theorem
  • If a property is provable in CPCL, then the property holds in the computational model with overwhelming asymptotic probability.
  • Benefits
  • Symbolic proofs about computational model
  • Computational reasoning in soundness proof
    (only!)
  • Different axioms rely on different crypto
    assumptions

37
PCL → Computational PCL
  • Syntax, proof rules mostly the same
  • But not sure about propositional connectives
  • Significant difference
  • Symbolic knowledge
  • Has(X,t): X can produce t from msgs that have been observed, by a symbolic algorithm
  • Computational knowledge
  • Possess(X,t): X can produce t by a ppt algorithm
  • Indistinguishable(X,t): X cannot distinguish t from random by a ppt algorithm
  • More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.

38
Complexity-theoretic semantics
  • Q ⊨ φ if ∀ adversary A ∀ distinguisher D ∀ negligible function f ∃ n0 ∀ n > n0 s.t.
  •   |⟦φ⟧(T,D,f(n))| / |T| > 1 − f(n)   (the fraction represents a probability)
  • Fix protocol Q, PPT adversary A
  • Choose value of security parameter n
  • Vary random bits used by all programs
  • Obtain set T = T(Q,A,n) of equi-probable traces

[Diagram: the trace set T(Q,A,n) with the subset ⟦φ⟧(T,D,f) marked inside it]
39
Inductive Semantics
  • ⟦φ1 ∧ φ2⟧(T,D,ε) = ⟦φ1⟧(T,D,ε) ∩ ⟦φ2⟧(T,D,ε)
  • ⟦φ1 ∨ φ2⟧(T,D,ε) = ⟦φ1⟧(T,D,ε) ∪ ⟦φ2⟧(T,D,ε)
  • ⟦¬φ⟧(T,D,ε) = T − ⟦φ⟧(T,D,ε)
  • Implication uses conditional probability
  • ⟦φ1 ⊃ φ2⟧(T,D,ε) = ⟦¬φ1⟧(T,D,ε) ∪ ⟦φ2⟧(T',D,ε)
  • where T' = ⟦φ1⟧(T,D,ε)

A formula defines a transformation on probability distributions over traces
40
Soundness of proof system
  • Example axiom
  • Source(Y,u,enc_X{m}) ∧ ¬Decrypts(X, enc_X{m}) ∧ Honest(X,Y) ∧ (Z ≠ X,Y) ⊃ Indistinguishable(Z, u)
  • Proof idea: crypto-style reduction
  • Assume axiom not valid
  • ∃ A ∃ D ∃ negligible f ∀ n0 ∃ n > n0 s.t.
  •   |⟦φ⟧(T,D,f)| / |T| < 1 − f(n)
  • Construct attacker A' that uses A, D to break the IND-CCA2 secure encryption scheme
  • Conditional implication essential

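An added illustration of the trace-set semantics of slides 38-40 (not the talk's own definitions): a formula maps a constructed trace set T to the subset on which it holds, implication evaluates its consequent on T' = ⟦φ1⟧(T), and a distribution-level predicate in the spirit of Indistinguishable shows why that conditional reading matters. The trace fields, the toy predicates and the ε-threshold form of the indistinguishability check are assumptions.

```python
"""Trace-set semantics of Computational PCL (slides 38-40), as an added
illustration; these are not the talk's own definitions. A formula maps a
set of trace ids T to the subset of T on which it holds, and implication is
evaluated conditionally: the consequent is judged on T' = [[phi1]](T)."""

# Constructed sample trace set T(Q, A, n): 10 equiprobable runs of a toy
# protocol. In two runs something 'leaks' to the adversary, and in both of
# those the secret bit is 1; over all ten runs bit 1 occurs exactly half the time.
TRACES = {i: {"leak": i < 2, "bit": 1 if i < 5 else 0} for i in range(10)}

def sem(phi, T, eps):
    """Return the subset of trace ids T on which formula phi holds."""
    if phi == "leak":                       # ordinary per-trace predicate
        return {i for i in T if TRACES[i]["leak"]}
    if phi == "indist":
        # Distribution-level predicate, in the spirit of Indistinguishable
        # (slide 37): holds on all of T if the secret bit is within eps of
        # probability 1/2 over T, and nowhere otherwise.
        if not T:
            return set()
        p = sum(TRACES[i]["bit"] for i in T) / len(T)
        return set(T) if abs(p - 0.5) <= eps else set()
    op, *args = phi
    if op == "not":
        return T - sem(args[0], T, eps)
    if op == "and":
        return sem(args[0], T, eps) & sem(args[1], T, eps)
    if op == "or":
        return sem(args[0], T, eps) | sem(args[1], T, eps)
    if op == "imp":      # CPCL implication: consequent evaluated on T' = [[phi1]](T)
        T1 = sem(args[0], T, eps)
        return (T - T1) | sem(args[1], T1, eps)
    if op == "cimp":     # classical material implication, for contrast only
        return (T - sem(args[0], T, eps)) | sem(args[1], T, eps)
    raise ValueError(f"unknown connective {op}")

def valid(phi, eps, T=None):
    """Slide 38 test for one security parameter: |[[phi]](T)| / |T| > 1 - eps."""
    T = set(TRACES) if T is None else set(T)
    return len(sem(phi, T, eps)) / len(T) > 1 - eps

if __name__ == "__main__":
    # Classically, 'leak implies the bit is indistinguishable' looks valid,
    # because the bit is balanced over all traces. Conditioning on the leaking
    # traces exposes that the bit is always 1 there, so CPCL rejects it.
    print(valid(("cimp", "leak", "indist"), 0.1))   # True
    print(valid(("imp", "leak", "indist"), 0.1))    # False
```
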
41
Logic and Cryptography Big Picture
[Diagram: layers, top to bottom]
  • Protocol security proofs using proof system
  • Axiom in proof system
  • Semantics and soundness theorem
  • Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
  • Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)
42
Current Work
  • Investigate nature of logic
  • Propositional fragment not classical
  • ⊃ represents conditional probability
  • complexity-theoretic reductions
  • connections with probabilistic logics (e.g. [Nilsson86, Fagin-Halpern90])
  • Generalize reasoning about secrecy
  • Probability close to ½ instead of 1
  • Not a trace property
  • Cover more cryptographic protocols
  • More primitives: signature, hash functions, ...
  • And protocols: secure key exchange, ...
  • Information-theoretic and concrete security semantics
  • Only probability, no complexity
  • Concrete security reductions

43
Summary
  • PCL: A logic for security protocols
  • Divide-and-conquer paradigm in security
  • Combining logic and cryptography
  • Applications
  • IEEE 802.11i
  • GDOI Secure Group Communication protocol [RFC 3547, 2003]
  • IKEv2 [IETF Internet Draft 2004]
  • TLS [RFC 2246, 1999]
  • Kerberos V5 [IETF Internet Draft 2004]
  • Mobile IPv6 [RFC 3775, 2004]

44
Protocol analysis spectrum
[Figure: the spectrum plot of slide 13 repeated, with Protocol complexity on the x-axis and Strength of attacker model on the y-axis, the same methods plotted, and the "Holy Grail" at high/high]
45
Ongoing Work
  • Extend and refine PCL
  • Programming language, syntax, proof system
  • More properties beyond authentication, secrecy: abuse-freeness, fairness, knowledge-based specification
  • Tool implementation
  • Encode logic into generic theorem-prover
  • Preliminary implementation in Isabelle
  • Investigate decidability of PCL
  • Unified theory for different models
  • Vary computational abilities of attacker: symbolic, poly-time, information-theoretic
  • Vary adversary's control over network: complete vs. partial (e.g., in Mobile IPv6)
  • Protocol Derivation
  • Incremental protocol construction: replace Clark-Jacob survey

46
Other Projects
  • Specification of Security
  • Unifying simulation-based definitions: universal composability, black-box simulatability, strong simulatability [DKMRS04, DKMR05]
  • Comparing game-based definitions with simulation-based definitions: impossibility theorem [DDMRS05]
  • Open problem: compositional security definition
  • Foundations of Privacy
  • Contextual Integrity [Nissenbaum04]
  • Formal theory: Kripke models, temporal logic
  • Application to HIPAA, GLBA, COPPA, ...
  • Relation to RBAC, P3P, EPAL, DRM, statistical databases (WIP) [BDMN05]

47
Credits/Selected Publications
  • A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. A derivation system and compositional logic for security protocols. [CSFW03, JCS05 special issue]
  • A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, M. Turuani. Probabilistic polynomial time semantics for a protocol security logic. [ICALP05]
  • C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i. [CCS05, ACM TISSEC special issue]
  • Project web page: www.stanford.edu/danupam/logic-derivation.html

48
Questions?
49
Chosen ciphertext CCA2
[Diagram: the IND-CCA2 chosen-ciphertext game, messages exchanged between Challenger and Attacker]
50
Computational Soundness
  • Simulation framework
  • [Backes, Pfitzmann, Waidner]
  • Correspondence theorems
  • [Micciancio, Warinschi]
  • Kapron-Impagliazzo logics
  • Abadi-Rogaway passive equivalence
  • ? (K2,01K3) , ? (101K2,K5 )K2,
    K6K4K5 ? ?
  • ? ? (K2, ? ) , ? (101K2,K5 )K2, ?
    K5 ? ?
  • ? ? (K1, ? ) , ? (101K1,K5 )K1, ?
    K5 ? ?
  • ? ? (K1,K1K7) , ? (101K1,K5 )K1,
    K6K7K5 ? ?
  • Proposed as start of larger plan for computational soundness

[Abadi-Rogaway00, ..., Adao-Bana-Scedrov05]
51
Symbolic methods → complexity-theoretic results
  • Pereira and Quisquater, CSFW 2001, 2004
  • Studied authenticated group Diffie-Hellman protocols
  • Found symbolic attack in Cliques SA-GDH.2 protocol
  • Proved no protocol of a certain type is secure for > 3 participants
  • Micciancio and Panjwani, EUROCRYPT 2004
  • Lower bound for a class of group key establishment protocols using purely Dolev-Yao reasoning
  • Model pseudo-random generators, encryption symbolically
  • Lower bound is tight: matches a known protocol

52
Classifying Attacks
  • Implementation bugs
  • Buffer overflow, format string vulnerabilities
  • Cryptography breaks
  • IEEE 802.11b (WEP encryption)
  • Protocol flaws
  • Needham-Schroeder, IKE, IEEE 802.11i
  • Focus on protocol flaws assuming strong crypto
  • Complexity-theoretic characterization of strong
    crypto