Download ppt - Stanford University`s Security Lab

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
Document related concepts
no text concepts found
Transcript 
CS 259
Protocol Composition Logic
(PCL)
Anupam Datta
Protocol Analysis Techniques
Crypto Protocol Analysis
Formal Models
Dolev-Yao
(perfect cryptography)
Computational Models
…
Protocol Logics Model Checking Process Calculi Inductive Proofs
BAN, PCL
FDR, Murphi
Spi-calculus
Paulson
Probabilistic Interactive TM
Probabilistic process calculi
Probabilistic I/O automata
Computational PCL
…
PCL Highlights
Mechanizable proofs of security for
unbounded number of protocol runs
• Similar guarantees as Paulson’s Method;
better than finite-state model-checking
• Codifies high-level reasoning principles
used in protocol design, cf. KaufmanPerlman-Speciner, Network Security
Modular proof methods
Cryptographic soundness
Modular Analysis / Composition
Laptop
Access
Point
Auth
Server
EAP-TLS: Certificates to Authorization (PMK)
4WAY Handshake:
PMK to Keys for data communication
Group key:
Keys for broadcast communication
Data protection:
AES based using above keys
(Shared Secret-PMK)
802.11i Key Management
20 msgs in 4 components
Goal: Divide and Conquer
Cryptographic Soundness
Cryptographers and logicians working in computer
security don’t talk to each other
(Disclaimer: Examples not representative)
Goal: Logical methods for complexity-theoretic model of cryptography
Protocol Composition Logic: PCL
Intuition
Formalism
[Datta, Derek, Durgin, Mitchell, Pavlovic]
• Protocol programming language
• Protocol logic
– Syntax
– Semantics
• Proof System
Example
• Signature-based challenge-response
Composition
[Datta, Derek, Mitchell, Pavlovic]
Cryptographic Soundness
[Datta, Derek, Mitchell, Shmatikov, Turuani]
PCL - Intuition
Protocol
Honest Principals,
Attacker
Private
Data
 Alice’s information
• Protocol
• Private data or keys
• Sends and receives
Example: Challenge-Response
m, A
A
n, sigB {m, n, A}
B
sigA {m, n, B}
 Alice reasons: if Bob is honest, then:
• only Bob can generate his signature
[protocol independent]
• if Bob generates a signature of the form sigB{m, n, A},
– he sends it as part of msg2 of the protocol, and
– he must have received msg1 from Alice
[protocol specific]
 Alice deduces: Received (B, msg1) Λ Sent (B, msg2)
Logic: Background
Logic
• Syntax
Formulas
– p, p  q, (p  q), p  q
• Semantics
– Model, M = {p = true, q = false}
M |= p  q
Proof System
• Axioms and proof rules
– p  (q  p)
• Soundness Theorem
p
pq
q
Truth
Provability
– Provability implies truth
– Axioms and proof rules hold in all “relevant” models
Formalizing the Approach
Protocol Programming Language
• Syntax for writing protocol code
• Precise description of protocol execution
Protocol Composition Logic (PCL)
• Syntax for stating security properties
• Trace-based semantics
Proof system
• Formally proving security properties
• Soundness Theorem
First logic for security protocols
Related to: BAN, Floyd-Hoare, CSP/CCS, temporal logic, NPATRL
Protocol programming language
A protocol is described by specifying
a program for each role
– Server = [receive x; new n; send {x, n}]
Building blocks
• Terms (think “messages”)
– names, nonces, keys, encryption, …
• Actions (operations on terms)
– send, receive, pattern match, …
Terms
t ::= c
x
N
K
t, t
sigK{t}
encK{t}
constant term
variable
name
key
tupling
signature
encryption
Example: x, sigB{m, x, A} is a term
Actions
send t;
receive x;
match t/p(x);
send a term t
receive a term into variable x
match term t against p(x)
A program is just a sequence of actions
Notation:
• we often omit match actions
• receive sigB{A, n} = receive x; match x/sigB{A, n}
Challenge-Response programs
m, A
A
n, sigB {m, n, A}
B
sigA {m, n, B}
InitCR(A, X) = [
new m;
send A, X, {m, A};
receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]<
>
RespCR(B) = [
receive Y, B, {y, Y};
new n;
send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]<
>
Execution Model
Initial Configuration, IC
• Set of principals and keys
• Assignment of  1 role to each principal
Run
• Interleaving of actions of honest
principals and attacker starting from IC
A
B
C
new x
Position in run
send {x}B
receive {x}B
new z
receive {z}B
send {z}B
Process calculus
operational semantics
Formulas true at a position in run
Action formulas
a ::= Send(P,t) | Receive (P,t) | New(P,t)
| Decrypt (P,t) | Verify (P,t)
Formulas
 ::= a | Has(P,t) | Fresh(P,t) | Honest(N)
| Contains(t1, t2) |  | 1 2 | x 
| a<a
Modal formula
 [ actions ] P 
Example
Has(X, secret)  ( X = A  X = B)
Specifying secrecy
Semantics
Protocol Q
• Defines set of roles (e.g., initiator, responder)
• Run R of Q is sequence of actions by principals
following roles, plus attacker
Satisfaction
• Q, R |  [ actions ] P 
If some role of P in R does exactly actions
starting from state where  is true, then  is
true in state after actions completed
• Q |  [ actions ] P 
Q, R |  [ actions ] P  for all runs R of Q
Challenge-Response Property
Specifying authentication for Initiator
CR | true [ InitCR(A, B) ] A Honest(B) 
(
Send(A, {A,B,m}) 
Receive(B, {A,B,m}) 
Send(B, {B,A,{n, sigB {m, n, A}}}) 
Receive(A, {B,A,{n, sigB {m, n, A}}})
)
Authentication as “matching conversations” [Bellare-Rogaway93]
Proof System
Goal: Formally prove security
properties
Axioms
• Simple formulas provable by hand
Inference rules
• Proof steps
Theorem
• Formula obtained from axioms by
application of inference rules
Sample axioms about actions
New data
• true [ new x ]P Has(P,x)
• true [ new x ]P Has(Y,x)  Y=P
Actions
• true [ send m ]P Send(P,m)
Knowledge
• true [receive m ]P Has(P,m)
Verify
• true [ match x/sigX{m} ] P Verify(P,m)
Reasoning about knowledge
Pairing
• Has(X, {m,n})  Has(X, m)  Has(X, n)
Encryption
• Has(X, encK(m))  Has(X, K-1)  Has(X, m)
Encryption and signature
Public key encryption
Honest(X)  Decrypt(Y, encX{m})  X=Y
Signature
Honest(X)  Verify(Y, sigX{m}) 
 m’ (Send(X, m’)  Contains(m’, sigX{m})
Sample inference rules
First-order logic rules



Generic rules
 [ actions ]P 
 [ actions ]P 
 [ actions ]P   
Bidding conventions
(motivation)
Blackwood response to 4NT
– 5 : 0 or 4 aces
– 5 : 1 ace
– 5 : 2 aces
– 5 : 3 aces
Reasoning
• If my partner is following Blackwood,
then if she bid 5, she must have 2 aces
Honesty rule
(rule scheme)
roles R of Q.  protocol steps A of R.
Start(X) [ ]X 
 [ A ]X 
Q |- Honest(X)  
• This is a finitary rule:
– Typical protocol has 2-3 roles
– Typical role has 1-3 receives
– Only need to consider A waiting to receive
Protocol invariants proved by induction
Honesty rule
(example use)
roles R of Q.  protocol steps A of R.
Start(X) [ ]X 
 [ A ]X 
Q |- Honest(X)  
• Example use:
– If Y receives a message m from X, and
– Honest(X)  (Sent(X,m)  Received(X,m’))
– then Y can conclude
Honest(X)  Received(X,m’))
Proved using
honesty rule
Correctness of CR
InitCR(A, X) = [
new m;
send A, X, {m, A};
receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]
RespCR(B) = [
receive Y, B, {y, Y};
new n;
send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]
CR |- true [ InitCR(A, B) ] A Honest(B) 
(
Send(A, {A,B,m}) 
Receive(B, {A,B,m}) 
Send(B, {B,A,{n, sigB {m, n, A}}}) 
Receive(A, {B,A,{n, sigB {m, n, A}}})
)
Authentication as “matching conversations” [Bellare-Rogaway93]
Correctness of CR – step 1
InitCR(A, X) = [
new m;
send A, X, {m, A};
receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]
RespCR(B) = [
receive Y, B, {y, Y};
new n;
send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]
1. A reasons about her own actions
CR |- true [ InitCR(A, B) ] A
Verify(A, sigB {m, n, A})
Correctness of CR – step 2
InitCR(A, X) = [
new m;
send A, X, {m, A};
receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]
RespCR(B) = [
receive Y, B, {y, Y};
new n;
send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]
2. Properties of signatures
CR |- true [ InitCR(A, B) ] A Honest(B) 
 m’ (Send(B, m’)  Contains(m’, sigB {m, n, A})
Recall signature axiom
Correctness of CR – Honesty
InitCR(A, X) = [
new m;
send A, X, {m, A};
receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]
RespCR(B) = [
receive Y, B, {y, Y};
new n;
send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]
Invariant proved with Honesty rule
CR |- Honest(X) 
Send(X, m’)  Contains(m’, sigx {y, x, Y})   New(X, y) 
m= X, Y, {x, sigB{y, x, Y}}  Receive(X, {Y, X, {y, Y}})
Induction over protocol steps
Correctness of CR – step 3
InitCR(A, X) = [
new m;
send A, X, {m, A};
receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]
RespCR(B) = [
receive Y, B, {y, Y};
new n;
send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]
3. Use Honesty invariant
CR |- true [ InitCR(A, B) ] A Honest(B) 
Receive(B, {A,B,m}),…
Correctness of CR – step 4
InitCR(A, X) = [
new m;
send A, X, {m, A};
receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]
RespCR(B) = [
receive Y, B, {y, Y};
new n;
send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]
4. Use properties of nonces for
temporal ordering
CR |- true [ InitCR(A, B) ] A Honest(B)  Auth
Nonces are “fresh” random numbers
Complete proof
We have a proof. So what?
 Soundness Theorem:
• If Q |-  then Q |= 
• If  is a theorem then  is a valid
formula
 holds in any step in any run of
protocol Q
• Unbounded number of participants
• Dolev-Yao intruder
Using PCL: Summary
Modeling the protocol
• Program for each protocol role
Modeling security properties
• Using PCL syntax
• Authentication, secrecy easily expressed
Proving security properties
• Using PCL proof system
• Soundness theorem guarantees that provable
properties hold in all protocol runs
Example: C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell,
modular correctness proof of TLS and IEEE 802.11i, ACM CCS 2005
A
Challenge-Response programs (1)
m, A
A
n, sigB {m, n, A}
B
sigA {m, n, B}
InitCR(A, X) = [
new m;
send A, X, {m, A};
receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]<
>
RespCR(B) = [
receive Y, B, {y, Y};
new n;
send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]<
>
Challenge-Response Property (2)
Specifying authentication for Initiator
CR | true [ InitCR(A, B) ] A Honest(B) 
(
Send(A, {A,B,m}) 
Receive(B, {A,B,m}) 
Send(B, {B,A,{n, sigB {m, n, A}}}) 
Receive(A, {B,A,{n, sigB {m, n, A}}})
)
Challenge-Response Proof (3)
Weak Challenge-Response
m
A
n, sigB {m, n}
B
sigA {m, n}
InitWCR(A, X) = [
new m;
send A, X, {m};
receive X, A, {x, sigX{m, x}};
send A, X, sigA{m, x}};
]
RespWCR(B) = [
receive Y, B, {y};
new n;
send B, Y, {n, sigB{y, n}};
receive Y, B, sigY{y, n}};
]
Correctness of WCR – step 1
InitWCR(A, X) = [
new m;
send A, X, {m};
receive X, A, {x, sigX{m, x}};
send A, X, sigA{m, x}};
]
RespWCR(B) = [
receive Y, B, {y};
new n;
send B, Y, {n, sigB{y, n}};
receive Y, B, sigY{y, n}};
]
1. A reasons about it’s own actions
WCR |- [ InitWCR(A, B) ] A
Verify(A, sigB {m, n})
Correctness of WCR – step 2
InitWCR(A, X) = [
new m;
send A, X, {m};
receive X, A, {x, sigX{m, x}};
send A, X, sigA{m, x}};
]
RespWCR(B) = [
receive Y, B, {y};
new n;
send B, Y, {n, sigB{y, n}};
receive Y, B, sigY{y, n}};
]
2. Properties of signatures
WCR |- [ InitCR(A, B) ] A Honest(B) 
 m’ (Send(B, m’)  Contains(m’, sigB {m, n, A})
Correctness of WCR – Honesty
InitWCR(A, X) = [
new m;
send A, X, {m};
receive X, A, {x, sigX{m, x}};
send A, X, sigA{m, x}};
]
RespWCR(B) = [
receive Y, B, {y};
new n;
send B, Y, {n, sigB{y, n}};
receive Y, B, sigY{y, n}};
]
Honesty invariant
WCR |- Honest(X) 
Send(X, m’)  Contains(m’, sigx {y, x})   New(X, y) 
 Z (m= X, Z, {x, sigB{y, x}}  Receive(X, {Z, X, {y, Z}}))
Correctness of WCR – step 3
InitWCR(A, X) = [
new m;
send A, X, {m};
receive X, A, {x, sigX{m, x}};
send A, X, sigA{m, x}};
]
RespWCR(B) = [
receive Y, B, {y};
new n;
send B, Y, {n, sigB{y, n}};
receive Y, B, sigY{y, n}};
]
3. Use Honesty rule
WCR |- [ InitWCR(A, B) ] A Honest(B) 
Z (Receive(B, {Z,B,m}), …)
Result
WCR does not have the strong
authentication property for the
initiator
Counterexample
• Intruder can forge sender’s and
receiver’s identity in first two messages
–
–
–
–
A -> X(B)
X(C) -> B
B -> X(C)
X(B) ->A
m
m
n, sigB(m, n)
n, sigB(m, n)
Related documents