A Derivation System for Security Protocols and its Logical - - PowerPoint PPT Presentation



SLIDE 1

A Derivation System for Security Protocols and its Logical Formalization

Anupam Datta, Ante Derek, John C. Mitchell, Dusko Pavlovic

Stanford University, Kestrel Institute

CSFW, July 1, 2003

SLIDE 2

Contributions

Protocol derivation

Build security protocols by combining parts from standard sub-protocols.

Proof of correctness

Prove protocols correct using logic that follows steps of derivation.

SLIDE 3

Outline

Derivation System

Motivating examples

Main concepts

Benefits

Compositional Logic

Main idea

Syntax, semantics and proof system

Formalizing Composition

Conclusions and Future Work

SLIDE 4

Protocol Derivation System

SLIDE 5

Example

Construct protocol with properties:

Shared secret

Authenticated

Identity Protection

DoS Protection

Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)

SLIDE 6

Component 1

Diffie-Hellman

A → B: g^a

B → A: g^b

Shared secret (with someone)

A deduces:

Knows(Y, g^{ab}) ⊃ (Y = A) ∨ Knows(Y, b)

Authenticated

Identity Protection

DoS Protection

SLIDE 7

Component 2

Challenge Response:

A → B: m, A

B → A: n, sig_B {m, n, A}

A → B: sig_A {m, n, B}

Shared secret (with someone)

Authenticated

A deduces: Received (B, msg1) ∧ Sent (B, msg2)

Identity Protection

DoS Protection

SLIDE 8

Composition

m := g^a, n := g^b

ISO 9798-3 protocol:

A → B: g^a, A

B → A: g^b, sig_B {g^a, g^b, A}

A → B: sig_A {g^a, g^b, B}

Shared secret: g^{ab}

Authenticated

Identity Protection

DoS Protection

SLIDE 9

Refinement

Encrypt signatures:

A → B: g^a, A

B → A: g^b, E_K {sig_B {g^a, g^b, A}}

A → B: E_K {sig_A {g^a, g^b, B}}

Shared secret: g^{ab}

Authenticated

Identity Protection

DoS Protection

SLIDE 10

Transformation

Use cookie: JFK core protocol

A → B: g^a, A

B → A: g^b, hash_KB {g^b, g^a}

A → B: g^a, g^b, hash_KB {g^b, g^a}, E_K {sig_A {g^a, g^b, B}}

B → A: g^b, E_K {sig_B {g^a, g^b, A}}

Shared secret: g^{ab}

Authenticated

Identity Protection

DoS Protection

SLIDE 11

Derivation Framework

Protocols are constructed from:

components

by applying a series of:

composition, refinement and transformation operations.

Properties accumulate as a derivation proceeds.

Examples in paper:

STS, ISO-9798-3, JFKi, JFKr, IKE
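
The composition and refinement steps from the preceding slides, modelled as rewrites on message terms. This is an added example, not code from the talk or the paper; the tuple encoding of terms and the names subst, encrypt_signatures, derive, show and transcript are assumptions made for illustration.

```python
# Added example: terms are strings (atoms/variables) or nested tuples.
def sig(who, *body):
    return ("sig", who, body)

def subst(term, env):
    """Composition step: replace variables such as m, n by concrete terms."""
    if isinstance(term, str):
        return env.get(term, term)
    return tuple(subst(t, env) for t in term)

def encrypt_signatures(term, key="K"):
    """Refinement step: wrap every signature term in E_key {...}."""
    if isinstance(term, tuple) and term and term[0] == "sig":
        return ("enc", key, term)
    if isinstance(term, tuple):
        return tuple(encrypt_signatures(t, key) for t in term)
    return term

def show(term):
    """Render a term in the arrow notation used on the slides."""
    if isinstance(term, str):
        return term
    if term[0] == "sig":
        return f"sig_{term[1]} {{{', '.join(show(t) for t in term[2])}}}"
    if term[0] == "enc":
        return f"E_{term[1]} {{{show(term[2])}}}"
    return ", ".join(show(t) for t in term)

def derive(protocol, step):
    """Apply one derivation step to the payload of every message."""
    return [(s, r, step(p)) for s, r, p in protocol]

def transcript(protocol):
    return [f"{s} → {r}: {show(p)}" for s, r, p in protocol]

# Challenge-response component (Component 2), with m and n as variables.
CR = [("A", "B", ("m", "A")),
      ("B", "A", ("n", sig("B", "m", "n", "A"))),
      ("A", "B", (sig("A", "m", "n", "B"),))]

# Composition with Diffie-Hellman: m := g^a, n := g^b gives ISO 9798-3.
ISO = derive(CR, lambda p: subst(p, {"m": "g^a", "n": "g^b"}))
# Refinement: encrypt the signatures under K.
REFINED = derive(ISO, encrypt_signatures)

if __name__ == "__main__":
    print("\n".join(transcript(ISO) + [""] + transcript(REFINED)))
```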

SLIDE 12

STS Family Derivation

[Figure: derivation graph of the STS family. Labels: m=g^x, n=g^y, k=g^{xy}. Nodes: STS0H, STS0, STSa, STSaH, STSH, STS, STSPH, STSP, JFK0, JFK1, JFKi, JFKr. Edge labels: distribute certificates, cookie, open responder, symmetric hash, protect identities.]

Properties:

Certificates from CA

Shared secret: g^{ab}

Identity protection

DoS protection

Reverse ID protection

SLIDE 13

Benefits and Directions

Complex protocols are easier to understand and analyze.

Protocols can be organized in a taxonomy.

e.g., STS family, Needham-Schroeder family.

Protocol synthesis.

SLIDE 14

Compositional Logic

SLIDE 15

Protocol Logic: Main idea

Alice’s information

Protocol

Private data

Sends and receives

[Figure: honest principals and an attacker; labels: Send, Receive, Protocol, Private Data]

SLIDE 16

Example: Challenge-Response

A → B: m, A

B → A: n, sig_B {m, n, A}

A → B: sig_A {m, n, B}

Alice reasons: if Bob is honest, then:

only Bob can generate his signature. [protocol independent]

if Bob generates a signature of the form sig_B {m, n, A}, he sends it as part of msg 2 of the protocol and he must have received msg1 from Alice. [protocol specific]

Alice deduces:

Received (B, msg1) ∧ Sent (B, msg2)

SLIDE 17

Execution Model

Protocol

“Program” for each protocol role

Initial configuration

Set of principals and key

Assignment of ≥1 role to each principal

Run

[Figure: example run with principals A, B and C; actions shown: υx, υz, 〈{x}_B〉, ({x}_B), 〈{z}_B〉, ({z}_B); a marker labelled "Position in run"]

SLIDE 18

Formulas true at a position in run

Action formulas

a ::= Send(P,m) | Receive (P,m) | New(P,t) | Decrypt (P,t) | Verify (P,t)

Formulas

ϕ ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | ¬ϕ | ϕ1∧ ϕ2 | ∃x ϕ | οϕ | ◊ϕ

Example

After(a,b) = ◊(b ∧ ο◊a)

SLIDE 19

Modal Formulas

After actions, postcondition

[ actions ]_P ϕ

where P = 〈princ, role id〉

Before/after assertions

ϕ [ actions ]_P ψ

Composition rule

ϕ [ S ]_P ψ     ψ [ T ]_P θ
──────────────────────────
ϕ [ ST ]_P θ

Note: same P in all formulas

SLIDE 20

Diffie-Hellman: Property

Formula

[ new a ]_A Fresh(A, g^a)

Explanation

Modal form: [ actions ]_P ϕ

Actions: [ new a ]_A

Postcondition: Fresh(A, g^a)

SLIDE 21

Challenge Response: Property

Modal form: ϕ [ actions ]_P ψ

precondition: Fresh(A, m)

actions: [ Initiator role actions ]_A

postcondition:

Honest(B) ⊃ ActionsInOrder(
    send(A, {A, B, m}),
    receive(B, {A, B, m}),
    send(B, {B, A, {n, sig_B {m, n, A}}}),
    receive(A, {B, A, {n, sig_B {m, n, A}}}) )
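
A small trace checker for After and ActionsInOrder, run over the challenge-response actions in the postcondition above. This is an added example, not code from the talk or the paper. It assumes that ◊ means "at this or some earlier position", that ο means "at the previous position", that an action formula holds at the position where that action occurs, and that ActionsInOrder(a1, …, an) is the conjunction of After(ai, ai+1); the three runs are constructed.

```python
# Added example: a run is a list of actions; position i refers to run[i].
def holds(phi, run, i):
    """Evaluate formula phi at position i of run (past-time reading)."""
    op = phi[0]
    if op == "act":                 # action formula: that action occurs at i
        return i >= 0 and run[i] == phi[1]
    if op == "and":
        return holds(phi[1], run, i) and holds(phi[2], run, i)
    if op == "not":
        return not holds(phi[1], run, i)
    if op == "prev":                # οϕ: ϕ held at the previous position
        return i > 0 and holds(phi[1], run, i - 1)
    if op == "past":                # ◊ϕ: ϕ held at some position j <= i
        return any(holds(phi[1], run, j) for j in range(i + 1))
    raise ValueError(f"unknown operator: {op}")

def After(a, b):
    """After(a, b) = ◊(b ∧ ο◊a): b occurred, and a occurred strictly before it."""
    return ("past", ("and", ("act", b), ("prev", ("past", ("act", a)))))

def actions_in_order(actions, run):
    """Check After(ai, ai+1) for each adjacent pair, at the end of the run."""
    end = len(run) - 1
    return all(holds(After(a, b), run, end)
               for a, b in zip(actions, actions[1:]))

MSG1 = ("A", "B", "m")                        # {A, B, m}
MSG2 = ("B", "A", ("n", "sig_B{m,n,A}"))      # {B, A, {n, sig_B {m, n, A}}}
ORDER = [("send", "A", MSG1), ("receive", "B", MSG1),
         ("send", "B", MSG2), ("receive", "A", MSG2)]

# Constructed runs: a normal session, one where B never received msg1,
# and one where B's receive is recorded only after B's send.
honest_run = [("new", "A", "m"), ORDER[0], ORDER[1],
              ("new", "B", "n"), ORDER[2], ORDER[3]]
broken_run = [("new", "A", "m"), ORDER[0], ORDER[2], ORDER[3]]
reordered_run = [ORDER[0], ORDER[2], ORDER[1], ORDER[3]]

if __name__ == "__main__":
    for name in ("honest_run", "broken_run", "reordered_run"):
        print(name, actions_in_order(ORDER, globals()[name]))
```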

SLIDE 22

Composition: DH+CR = ISO-9798-3

DH postcondition matches CR precondition

Combination:

Substitute g^a for m in CR to obtain ISO.

Apply composition rule, persistence.

ISO initiator role inherits CR authentication.

DH secrecy is also preserved

Proved using another application of composition rule.

SLIDE 23

Critical issues

Reasoning about honest principals

Invariance rule, called “honesty rule”

Preservation of invariants under composition

If we prove Honest(X) ⊃ ϕ for protocol 1 and compose with protocol 2, is formula still true?

SLIDE 24

Honesty Rule

Definition

A basic sequence of actions begins with receive, ends before next receive

Rule

[ ]_X ϕ     For all B ∈ BasicSeq(Q). ϕ [B]_X ϕ
──────────────────────────────────────────
Q Honest(X) ⊃ ϕ

Example

CR Honest(X) ⊃ (Sent(X, m2) ⊃ Recd(X, m1))

SLIDE 25

Combining protocols

[Figure: proof structure for combining DH and CR; the statements shown are listed below]

Γ     Γ’

DH Honest(X) ⊃ …     CR Honest(X) ⊃ …

Γ |- Secrecy     Γ’ |- Authentication

Γ∪Γ’ |- Secrecy     Γ∪Γ’ |- Authentication

Γ∪Γ’ |- Secrecy ∧ Authentication

DH • CR Γ∪Γ’

DH • CR = ISO

ISO Secrecy ∧ Authentication

SLIDE 26

Composition Rules

Prove assertions from invariants

Γ |- ϕ […]_P ψ

Invariant weakening rule

Γ |- ϕ […]_P ψ
────────────────────
Γ ∪ Γ’ |- ϕ […]_P ψ

Prove invariants from protocol

Q Γ     Q’ Γ
──────────────
Q • Q’ Γ

If combining protocols, extend assertions to combined invariants

Use honesty (invariant) rule to show that both protocols preserve assumed invariants

SLIDE 27

Conclusions and Future Work

SLIDE 28

Conclusions

Protocol Derivation System:

Systematizes the practice of building protocols from standard sub-protocols.

Useful for:

protocol analysis and understanding.

organizing related protocols in taxonomies.

protocol synthesis.

Protocol Logic:

Correctness proofs follow derivation steps.

Rigorous treatment of protocol composition.

SLIDE 29

Future Work

Derivation system:

taxonomies: STS, Needham-Schroeder family.

explore possibility of protocol synthesis.

can proofs in other formal systems be guided by derivations?

Protocol Logic:

Formalize refinements and transformations.

Automate proofs.

SLIDE 30

Questions?