protocol composition logic (pcl): part ii anupam datta cs 259
TRANSCRIPT
Protocol Composition Logic (PCL): Part II
Anupam Datta
CS 259
Using PCL: Summary
Modeling the protocol• Program for each protocol role
Modeling security properties• Using PCL syntax• Authentication, secrecy easily expressed
Proving security properties• Using PCL proof system• Soundness theorem guarantees that
provable properties hold in all protocol runs
Example: C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell, A modular correctness proof of TLS and IEEE 802.11i, ACM CCS 2005
Challenge-Response programs (1)
A B
m, A
n, sigB {m, n, A}
sigA {m, n, B}
InitCR(A, X) = [
new m;
send A, X, {m, A};
receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
] < >
RespCR(B) = [receive Y, B, {y, Y};new n;send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
] < >
Challenge-Response Property (2)
Specifying authentication for InitiatorCR | true [ InitCR(A, B) ] A Honest(B) ( Send(A, {A,B,m}) Receive(B, {A,B,m}) Send(B, {B,A,{n, sigB {m, n, A}}})
Receive(A, {B,A,{n, sigB {m, n, A}}})
)
Challenge-Response Proof(3)
Protocol Composition Logic: PCL
Intuition Formalism
• Protocol programming language• Protocol logic
– Syntax– Semantics
• Proof System Example
• Signature-based challenge-response Composition Computational Soundness
Modular Analysis / Composition
EAP-TLS: Certificates to Authorization (PMK)
4WAY Handshake:
PMK to Keys for data communication
Group key: Keys for broadcast
communication
Data protection:AES based using above keys
(Shared Secret-PMK)
Laptop Access Point
Auth Server
802.11i Key Management
20 msgs in 4 components
Goal: Divide and Conquer
Desiderata
Non-destructive combination• Security guarantee for TLS in isolation must
be preserved when run simultaneously with 4WAY
• Formalized as parallel composition
Additive combination• Prove 4WAY security guarantee assuming
TLS provides shared secret. Combine with separate proof of TLS guarantee.
• Formalized as sequential composition
Parallel Composition
Definition: Q = Q1 | Q2 if the set of roles of Q is the
union of the set of roles of Q1 and Q2
Examples:• On the internet many protocols run in
parallel, e.g., SSL, IKE, Kerberos• In 802.11i, TLS, 4WAY, GroupKey can
be run in parallel
Compositional Proofs: Intuition
Protocol specific reasoning• “if honest Bob generates a signature of the form
sigB {m, n, A},
– he sends it as part of msg2 of the protocol and – he must have received msg1 from Alice”
• Could break: Bob’s signature from one protocol could be used to attack another
• PCL proof system: Honesty rule
Protocol independent reasoning• Has(A, {m,n}) Has(A, m) Has(A, n)• Still good: unaffected by composition• All other axioms and proof rules for PCL
Proof Tree
Axiom
HON rule
Other rules
Proof step might fail
Security property
Parallel Composition Theorem (1)
Honesty rule:roles R of Q. protocol steps A of R.
Start(X) [ ]X [ A ]X Q |- Honest(X)
Lemma: Let Q = Q1 | Q2. If Q1 |- and Q2 |- , then Q |-
• Proof idea: – Roles (Q) = Roles (Q1) Roles(Q2)
Parallel Composition Theorem (2)
Theorem: Let Q = Q1 | Q2. If Q1 |- , |- and
Q2 |- , then Q |- , where includes all invariants proved using Honesty rule
• Proof idea: – By Lemma, Q |- – Also, |- – Intuitively, the old proof tree for Q1 still
works
Proof Tree
Axiom
HON rule
Other rules
Security property
|-
Q1 |-
Q |-
Bulk of proof
reused
Additional work to
prove Q2 |-
Example: Challenge-Response
Invariant proved with Honesty ruleCR |- Honest(X) Send(X, m’) Contains(m’, sigx {y, x, Y}) New(X, y)
m= X, Y, {x, sigB{y, x, Y}} Receive(X, {Y, X, {y, Y}})
Authentication property of CR is preserved under parallel composition with any Q which satisfies this invariant
InitCR(A, X) = [new m;send A, X, {m, A};receive X, A, {x, sigX{m, x, A}};
send A, X, sigA{m, x, X}};
]
RespCR(B) = [receive Y, B, {y, Y};new n;send B, Y, {n, sigB{y, n, Y}};
receive Y, B, sigY{y, n, B}};
]
Parallel Composition: Big Picture
Protocol Q
Safe Environment for Q
Q1 Q2 Q3 Qn
• Q |- Inv(Q)
• Inv(Q) |-
• Qi |- Inv(Q)
• No explicit reasoning about attacker
…
Desiderata
Non-destructive combination• Security guarantee for TLS in isolation must
be preserved when run simultaneously with 4WAY
• Formalized as parallel composition
Additive combination• Prove 4WAY security guarantee assuming
TLS provides shared secret. Combine with separate proof of TLS guarantee.
• Formalized as sequential composition
Example: ISO-9798-3
Authentication• Similar to challenge-response• Do we need to prove property from scratch?
Shared secret: gab
A B
ga, A
gb, sigB {ga, gb, A}
sigA {ga, gb, B}
Sequential Composition
new x
X, Y
X, Y, gx
send W, Z, w, A;
receive Z, W, z, sigY{w, z, W};
send W, Z, sigX{w, z, Z};
DH-Init
CR-Init W, Z, w
new x;
send X, Y, gx, A;
receive Y, X, z, sigY{gx, z, X};
send X, Y, sigX{gx, z, Y};
X, YISO-Init
Sequential composition of roles with term
substitution
Diffie-Hellman: Property
Formula true [ new a ] A Fresh(A, ga)
Abstract challenge response
Free variables m and n instead of nonces Modal form: [ actions ]
• precondition: Fresh(A,m)
• actions: [ InitACR ]A
• postcondition: Honest(B) Authentication
InitACR(A, X, m) = [send A, X, {m};receive X, A, {x, sigX{m, x}};
send A, X, sigA{m, x}};
]
RespACR(B, n) = [receive Y, B, {y};send B, Y, {n, sigB{y, n}};
receive Y, B, sigY{y, n}};
]
Same proof as previous lecture!
Sequencing Rule
[ S ] P [ T ] P
[ ST ] P
Is this rule sound?
Composition: DH+CR = ISO-9798-3
• Additive Combination DH post-condition matches CR precondition Sequential Composition:
• Substitute ga for m in CR to obtain ISO.• Apply composition rule• ISO initiator role inherits CR authentication.
DH secrecy is also preserved• Proved using another application of
composition rule.
• Nondestructive Combination• DH and CR satisfy each other’s invariants
Sequential Composition: Picture
DH |- Honest(X) …
’
|- [ DH-Init ] P ’ |- [ CR-Init ] P
’ |- [ DH-Init ] P ’ |- [ CR-Init ] P
’ |- [DH-Init; CR-Init] P DH|- ’ CR |- ’
ISO |- [ISO-Init] P
CR |- Honest(X) …
ISO = DH;CR |- ’Non-destructive
Additive
Protocol Composition Logic: PCL
Intuition Formalism
• Protocol programming language• Protocol logic
– Syntax– Semantics
• Proof System Example
• Signature-based challenge-response Composition Computational Soundness
Computational PCL
Symbolic proofs about complexity-theoretic model of cryptographic protocols
Symbolic model[NS78,DY84,…]
Complexity-theoretic model [GM84,…]
Attacker actions -Fixed set of actions, e.g., decryption with known key(ABSTRACTION)
+ Any probabilistic poly-time computation
Security properties -Idealized, e.g., secret message = not possessing atomic term representing message(ABSTRACTION)
+ Fine-grained, e.g., secret message = no partial information about bitstring representation
Analysis methods + Successful array of tools and techniques; automation
- Hand-proofs are difficult, error-prone; no automation
Can we get the best of both worlds?
Two worlds
Our Approach
Protocol Composition Logic (PCL)
•Syntax
•Proof System
Symbolic “Dolev-Yao” model
•Semantics
Computational PCL
•Syntax ±
•Proof System ±
Complexity-theoretic model
•Semantics
Talk so far… Leverage PCL success…
Main Result
Computational PCL• Symbolic logic for proving security properties of
network protocols using public-key encryption Soundness Theorem:
• If a property is provable in CPCL, then property holds in computational model with overwhelming asymptotic probability.
Benefits• Symbolic proofs about computational model• Computational reasoning in soundness proof
(only!)• Different axioms rely on different crypto
assumptions
ISO-9798-3 Key Exchange
Shared secret to be used as key:
A B
ga, A
gb, sigB {ga, gb, A}
sigA {ga, gb, B}
Roughly: A, B have gab and for everyone else it is indistinguishable from a random key gr
Central axioms
Cryptographic security property of signature scheme• Unforgeability (used for
authentication) Cryptographic security property of
Diffie-Hellman function• DDH (used to prove secrecy)
CMA-Secure Signatures
Challenger Attacker
miSig(Y,mi)
Sig(Y,m)
Attacker wins if m
mi
Attacker - any probabilistic polynomial time program; wins if above probability is non-negligible
Decisional Diffie-Hellman
Let a, b, c be chosen at random from a group G with generator g. Then the two distributions <ga,gb,gab> and <ga,gb,gc> are computationally indistinguishable (no polynomial time attacker can tell them apart)
Complete Proof
PCL Computational PCL
Syntax, proof rules mostly the same• But not sure about propositional
connectives… Significant difference
• Symbolic “knowledge”– Has(X,t) : X can produce t from msgs that have
been observed, by symbolic algorithm• Computational “knowledge”
– Possess(X,t) : can produce t by ppt algorithm– Indistinguishable(X,t) : can distinguish from random in ppt
• More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.
Complexity-theoretic semantics
Q |= if adversary A distinguisher D negligible function f n0 n > n0
s.t.
[[]](T,D,f)
T(Q,A,n)
[[]](T,D,f(n))|/|T| > 1 – f(n)
Fraction represents probability
• Fix protocol Q, PPT adversary A• Choose value of security parameter n• Vary random bits used by all programs• Obtain set T=T(Q,A,n) of equi-probable traces
Inductive Semantics
[[1 2]] (T,D,) = [[1]] (T,D,) [[2]] (T,D,)
[[1 2]] (T,D,) = [[1]] (T,D,) [[2]] (T,D,)
[[ ]] (T,D,) = T - [[]] (T,D,)
Implication uses conditional probability
[[1 2]] (T,D,) = [[1]] (T,D,)
[[2]] (T’,D,)
where T’ = [[1]] (T,D,)
Formula defines transformation on probability distributions over traces
Soundness of proof system
Example axiom• Source(Y,u,{m}X) Decrypts(X, {m}X)
Honest(X,Y) (Z X,Y) Indistinguishable(Z, u)
Proof idea: crypto-style reduction• Assume axiom not valid: A D negligible f n0 n > n0 s.t.
• [[]](T,D,f)|/|T| < 1 –f(n)• Construct attacker A’ that uses A, D to break
IND-CCA2 secure encryption scheme• Conditional implication essential
Logic and Cryptography: Big Picture
Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure
encryption)
Crypto constructions satisfying definitions (e.g., Cramer-Shoup
encryption scheme)
Axiom in proof system
Protocol security proofs using proof system
Semantics and soundness theorem
Summary: PCL
Formalism• Protocol programming language• Protocol logic
– Syntax – stating security properties– Semantics – meaning of security properties
• Proof System – proving security properties
Examples• Signature-based challenge-response, ISO, 802.11i
Composition • Modular proofs
Computational Soundness• Symbolic proofs about complexity-theoretic model
Thanks
Questions?