Protocol Composition Logic (PCL): Part II
Anupam Datta
CS 259

Using PCL: Summary
Modeling the protocol
• Program for each protocol role
Modeling security properties
• Using PCL syntax
• Authentication, secrecy easily expressed
Proving security properties
• Using PCL proof system
• Soundness theorem guarantees that provable properties hold in all protocol runs
Example: C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell, A modular correctness proof of TLS and IEEE 802.11i, ACM CCS 2005

Challenge-Response programs (1)
A → B: m, A
B → A: n, sigB{m, n, A}
A → B: sigA{m, n, B}
InitCR(A, X) = [
    new m;
    send A, X, {m, A};
    receive X, A, {x, sigX{m, x, A}};
    send A, X, {sigA{m, x, X}};
] < >
RespCR(B) = [
    receive Y, B, {y, Y};
    new n;
    send B, Y, {n, sigB{y, n, Y}};
    receive Y, B, {sigY{y, n, B}};
] < >

Challenge-Response Property (2)
Specifying authentication for Initiator
CR | true [ InitCR(A, B) ]A Honest(B) (
    Send(A, {A,B,m})
    Receive(B, {A,B,m})
    Send(B, {B,A,{n, sigB {m, n, A}}})
    Receive(A, {B,A,{n, sigB {m, n, A}}})
)

Challenge-Response Proof (3)

Protocol Composition Logic: PCL
Intuition
Formalism
• Protocol programming language
• Protocol logic
– Syntax
– Semantics
• Proof System
Example
• Signature-based challenge-response
Composition
Computational Soundness

Modular Analysis / Composition
802.11i Key Management (Laptop, Access Point, Auth Server): 20 msgs in 4 components
• EAP-TLS: Certificates to Authorization (PMK)
• 4WAY Handshake: PMK to Keys for data communication
• Group key: Keys for broadcast communication
• Data protection: AES based using above keys
(Shared Secret-PMK)
Goal: Divide and Conquer

Desiderata
Non-destructive combination
• Security guarantee for TLS in isolation must be preserved when run simultaneously with 4WAY
• Formalized as parallel composition
Additive combination
• Prove 4WAY security guarantee assuming TLS provides shared secret. Combine with separate proof of TLS guarantee.
• Formalized as sequential composition

Parallel Composition
Definition: Q = Q1 | Q2 if the set of roles of Q is the union of the set of roles of Q1 and Q2
Examples:
• On the internet many protocols run in parallel, e.g., SSL, IKE, Kerberos
• In 802.11i, TLS, 4WAY, GroupKey can be run in parallel

Compositional Proofs: Intuition
Protocol specific reasoning
• “if honest Bob generates a signature of the form sigB {m, n, A},
– he sends it as part of msg2 of the protocol and
– he must have received msg1 from Alice”
• Could break: Bob’s signature from one protocol could be used to attack another
• PCL proof system: Honesty rule
Protocol independent reasoning
• Has(A, {m,n}) Has(A, m) Has(A, n)
• Still good: unaffected by composition
• All other axioms and proof rules for PCL

Proof Tree
[Figure: proof tree with nodes labelled Axiom, HON rule and Other rules, leading to the Security property; annotation: "Proof step might fail"]

Parallel Composition Theorem (1)
Honesty rule: roles R of Q. protocol steps A of R.
Start(X) [ ]X [ A ]X
Q |- Honest(X)
Lemma: Let Q = Q1 | Q2. If Q1 |- and Q2 |- , then Q |-
• Proof idea:
– Roles (Q) = Roles (Q1) Roles(Q2)

Parallel Composition Theorem (2)
Theorem: Let Q = Q1 | Q2. If Q1 |- , |- and Q2 |- , then Q |- , where includes all invariants proved using Honesty rule
• Proof idea:
– By Lemma, Q |-
– Also, |-
– Intuitively, the old proof tree for Q1 still works

Proof Tree
[Figure: the proof tree again (Axiom, HON rule, Other rules, Security property), annotated with "|-", "Q1 |-" and "Q |-"; captions: "Bulk of proof reused" and "Additional work to prove Q2 |-"]

Example: Challenge-Response
Invariant proved with Honesty rule
CR |- Honest(X) Send(X, m’) Contains(m’, sigx {y, x, Y}) New(X, y)
    m= X, Y, {x, sigB{y, x, Y}} Receive(X, {Y, X, {y, Y}})
Authentication property of CR is preserved under parallel composition with any Q which satisfies this invariant
InitCR(A, X) = [
    new m;
    send A, X, {m, A};
    receive X, A, {x, sigX{m, x, A}};
    send A, X, {sigA{m, x, X}};
]
RespCR(B) = [
    receive Y, B, {y, Y};
    new n;
    send B, Y, {n, sigB{y, n, Y}};
    receive Y, B, {sigY{y, n, B}};
]
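
Added example (not from the slides): a syntactic, Honesty-rule style check that every step of every role in Q1 | Q2 respects the CR signature invariant. The tuple encoding of terms, the simplified reading of the invariant, and the roles Stamp and Notary are assumptions made for illustration.

```python
# Added example: terms are nested tuples; ("sig", signer, (f1, f2, f3)) is a signature.
# Only message payloads are modelled; the "sender, receiver" prefix is dropped.

def sigs(term):
    """Yield every signature subterm of a message payload."""
    if isinstance(term, tuple):
        if term[:1] == ("sig",):
            yield term
        for part in term:
            yield from sigs(part)

def violations(name, me, actions):
    """Sends of sig_me{y, x, Y} that do not fit CR's msg2 (or msg3) pattern."""
    fresh, received, bad = set(), [], []
    for step, (op, arg) in enumerate(actions):
        if op == "new":
            fresh.add(arg)
        elif op == "recv":
            received.append(arg)
        else:  # "send"
            for _, signer, fields in sigs(arg):
                if signer != me or len(fields) != 3:
                    continue          # not of the form sig_me{y, x, Y}
                y, x, peer = fields
                if y in fresh:
                    continue          # initiator: signs its own nonce first
                if not (x in fresh and (y, peer) in received):
                    bad.append((name, step, fields))
    return bad

def check(protocol):
    """Honesty-rule style check: every step of every role of Q."""
    return [v for role in protocol for v in violations(*role)]

CR = [
    ("InitCR", "A", [("new", "m"), ("send", ("m", "A")),
                     ("recv", ("x", ("sig", "X", ("m", "x", "A")))),
                     ("send", (("sig", "A", ("m", "x", "X")),))]),
    ("RespCR", "B", [("recv", ("y", "Y")), ("new", "n"),
                     ("send", ("n", ("sig", "B", ("y", "n", "Y")))),
                     ("recv", (("sig", "Y", ("y", "n", "B")),))]),
]
# Hypothetical Q2 roles (constructed for this example, not from the slides).
STAMP = [("Stamp", "B", [("recv", ("d",)), ("new", "t"),
                         ("send", (("sig", "B", ("d", "t")),))])]
NOTARY = [("Notary", "B", [("recv", ("y", "x", "Y")),
                           ("send", (("sig", "B", ("y", "x", "Y")),))])]

if __name__ == "__main__":
    for label, q2 in (("CR alone", []), ("CR | Stamp", STAMP), ("CR | Notary", NOTARY)):
        print(label, check(CR + q2))   # Roles(Q1 | Q2) = union of the roles
```

Only the Notary role is flagged: it signs a triple whose middle field it did not generate, so the CR authentication proof cannot be reused for CR | Notary.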

Parallel Composition: Big Picture
Protocol Q
Safe Environment for Q: Q1 Q2 Q3 … Qn
• Q |- Inv(Q)
• Inv(Q) |-
• Qi |- Inv(Q)
• No explicit reasoning about attacker

Desiderata
Non-destructive combination
• Security guarantee for TLS in isolation must be preserved when run simultaneously with 4WAY
• Formalized as parallel composition
Additive combination
• Prove 4WAY security guarantee assuming TLS provides shared secret. Combine with separate proof of TLS guarantee.
• Formalized as sequential composition

Example: ISO-9798-3
Authentication
• Similar to challenge-response
• Do we need to prove property from scratch?
Shared secret: g^{ab}
A → B: g^a, A
B → A: g^b, sigB{g^a, g^b, A}
A → B: sigA{g^a, g^b, B}

Sequential Composition
DH-Init (input X, Y; output X, Y, g^x):
    new x
CR-Init (input W, Z, w):
    send W, Z, w, A;
    receive Z, W, z, sigY{w, z, W};
    send W, Z, sigX{w, z, Z};
ISO-Init (input X, Y):
    new x;
    send X, Y, g^x, A;
    receive Y, X, z, sigY{g^x, z, X};
    send X, Y, sigX{g^x, z, Y};
Sequential composition of roles with term substitution
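
Added example (not from the slides): sequential composition as term substitution, rebuilding ISO-Init from DH-Init and CR-Init exactly as the three roles are printed above. The tuple encoding, the helper names and the simplified freshness check are assumptions made for illustration.

```python
G_X = ("exp", "g", "x")                      # the term g^x

DH_INIT = [("new", "x")]                     # outputs X, Y, g^x
CR_INIT = [                                  # CR-Init(W, Z, w), as on the slide
    ("send", ("W", "Z", "w", "A")),
    ("recv", ("Z", "W", "z", ("sig", "Y", ("w", "z", "W")))),
    ("send", ("W", "Z", ("sig", "X", ("w", "z", "Z")))),
]
ISO_INIT = [                                 # ISO-Init(X, Y), as on the slide
    ("new", "x"),
    ("send", ("X", "Y", G_X, "A")),
    ("recv", ("Y", "X", "z", ("sig", "Y", (G_X, "z", "X")))),
    ("send", ("X", "Y", ("sig", "X", (G_X, "z", "Y")))),
]

def subst(term, binding):
    """Simultaneous substitution of variables in a nested-tuple term."""
    if isinstance(term, tuple):
        return tuple(subst(part, binding) for part in term)
    return binding.get(term, term)

def atoms(term):
    """All atomic names occurring in a term."""
    if isinstance(term, tuple):
        return {a for part in term for a in atoms(part)}
    return {term}

def seq_compose(first, second, binding, fresh_param):
    """Return first; second[binding].

    Simplified stand-in for matching the postcondition of `first` against the
    Fresh precondition of `second`: the term bound to `fresh_param` must be
    built from a value that `first` creates with `new`.
    """
    created = {arg for op, arg in first if op == "new"}
    if not created & atoms(binding[fresh_param]):
        raise ValueError(f"{fresh_param} is not bound to a fresh term")
    return first + [(op, subst(arg, binding)) for op, arg in second]

BINDING = {"W": "X", "Z": "Y", "w": G_X}     # W -> X, Z -> Y, w -> g^x

if __name__ == "__main__":
    print(seq_compose(DH_INIT, CR_INIT, BINDING, "w") == ISO_INIT)
```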

Diffie-Hellman: Property
Formula: true [ new a ]A Fresh(A, g^a)

Abstract challenge response
Free variables m and n instead of nonces
Modal form: [ actions ]
• precondition: Fresh(A,m)
• actions: [ InitACR ]A
• postcondition: Honest(B) Authentication
InitACR(A, X, m) = [
    send A, X, {m};
    receive X, A, {x, sigX{m, x}};
    send A, X, {sigA{m, x}};
]
RespACR(B, n) = [
    receive Y, B, {y};
    send B, Y, {n, sigB{y, n}};
    receive Y, B, {sigY{y, n}};
]
Same proof as previous lecture!

Sequencing Rule
[ S ] P [ T ] P
[ ST ] P
Is this rule sound?

Composition: DH+CR = ISO-9798-3
• Additive Combination
– DH post-condition matches CR precondition
– Sequential Composition:
    • Substitute g^a for m in CR to obtain ISO.
    • Apply composition rule
    • ISO initiator role inherits CR authentication.
– DH secrecy is also preserved
    • Proved using another application of composition rule.
• Nondestructive Combination
– DH and CR satisfy each other’s invariants

Sequential Composition: Picture
DH |- Honest(X) …
’
|- [ DH-Init ] P ’ |- [ CR-Init ] P
’ |- [ DH-Init ] P ’ |- [ CR-Init ] P
’ |- [DH-Init; CR-Init] P DH|- ’ CR |- ’
ISO |- [ISO-Init] P
CR |- Honest(X) …
ISO = DH;CR |- ’
Non-destructive
Additive

Protocol Composition Logic: PCL
Intuition
Formalism
• Protocol programming language
• Protocol logic
– Syntax
– Semantics
• Proof System
Example
• Signature-based challenge-response
Composition
Computational Soundness

Computational PCL
Symbolic proofs about complexity-theoretic model of cryptographic protocols

Two worlds
Symbolic model [NS78, DY84, …] vs. Complexity-theoretic model [GM84, …]
Attacker actions
• Symbolic: - Fixed set of actions, e.g., decryption with known key (ABSTRACTION)
• Complexity-theoretic: + Any probabilistic poly-time computation
Security properties
• Symbolic: - Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)
• Complexity-theoretic: + Fine-grained, e.g., secret message = no partial information about bitstring representation
Analysis methods
• Symbolic: + Successful array of tools and techniques; automation
• Complexity-theoretic: - Hand-proofs are difficult, error-prone; no automation
Can we get the best of both worlds?

Our Approach
Protocol Composition Logic (PCL) (Talk so far…)
• Syntax
• Proof System
• Semantics: Symbolic “Dolev-Yao” model
Computational PCL (Leverage PCL success…)
• Syntax ±
• Proof System ±
• Semantics: Complexity-theoretic model

Main Result
Computational PCL
• Symbolic logic for proving security properties of network protocols using public-key encryption
Soundness Theorem:
• If a property is provable in CPCL, then property holds in computational model with overwhelming asymptotic probability.
Benefits
• Symbolic proofs about computational model
• Computational reasoning in soundness proof (only!)
• Different axioms rely on different crypto assumptions

ISO-9798-3 Key Exchange
Shared secret to be used as key:
A → B: g^a, A
B → A: g^b, sigB{g^a, g^b, A}
A → B: sigA{g^a, g^b, B}
Roughly: A, B have g^{ab} and for everyone else it is indistinguishable from a random key g^r

Central axioms
Cryptographic security property of signature scheme
• Unforgeability (used for authentication)
Cryptographic security property of Diffie-Hellman function
• DDH (used to prove secrecy)

CMA-Secure Signatures
Challenger ↔ Attacker
Attacker → Challenger: m_i
Challenger → Attacker: Sig(Y, m_i)
Attacker → Challenger: Sig(Y, m)
Attacker wins if m m_i
Attacker - any probabilistic polynomial time program; wins if above probability is non-negligible

Decisional Diffie-Hellman
Let a, b, c be chosen at random from a group G with generator g. Then the two distributions <g^a, g^b, g^{ab}> and <g^a, g^b, g^c> are computationally indistinguishable (no polynomial time attacker can tell them apart)
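
Added example (not from the slides): the DDH experiment run in two groups, estimating the advantage of one fixed distinguisher. It goes a step beyond the slide by showing that the assumption depends on the choice of G: it fails in all of Z_P^*, where squareness leaks, and this particular test gains nothing in the prime-order subgroup. The toy prime and all function names are constructed for illustration.

```python
import random

P = 2039                 # toy safe prime P = 2*Q + 1 (constructed; far too small for real use)
Q = 1019                 # prime order of the subgroup of squares mod P
G_FULL = next(g for g in range(2, P) if pow(g, Q, P) != 1)   # generates all of Z_P^*
G_SUB = pow(G_FULL, 2, P)                                    # generates the order-Q subgroup

def is_square(v):
    """Euler's criterion: v is a square mod P iff v^Q = 1 (mod P)."""
    return pow(v, Q, P) == 1

def sample(g, order, real, rng):
    """Return <g^a, g^b, g^ab> if real, else <g^a, g^b, g^c>."""
    a, b, c = (rng.randrange(1, order) for _ in range(3))
    return pow(g, a, P), pow(g, b, P), pow(g, a * b if real else c, P)

def distinguisher(ga, gb, gz):
    """Guess 'real' when the squareness of gz is what g^ab would have."""
    return is_square(gz) == (is_square(ga) or is_square(gb))

def advantage(g, order, trials=4000, seed=1):
    """Estimate |Pr[D=1 on real] - Pr[D=1 on random]| over `trials` samples."""
    rng = random.Random(seed)
    real = sum(distinguisher(*sample(g, order, True, rng)) for _ in range(trials))
    rand = sum(distinguisher(*sample(g, order, False, rng)) for _ in range(trials))
    return abs(real - rand) / trials

if __name__ == "__main__":
    print("full group Z_P^*:    ", advantage(G_FULL, P - 1))
    print("prime-order subgroup:", advantage(G_SUB, Q))
```

An advantage near 1/2 in the full group is non-negligible, which is why a DDH-based secrecy axiom is only meaningful when G is instantiated as a group where the assumption is believed to hold, such as a prime-order subgroup at real key sizes.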

Complete Proof

PCL Computational PCL
Syntax, proof rules mostly the same
• But not sure about propositional connectives…
Significant difference
• Symbolic “knowledge”
– Has(X,t) : X can produce t from msgs that have been observed, by symbolic algorithm
• Computational “knowledge”
– Possess(X,t) : can produce t by ppt algorithm
– Indistinguishable(X,t) : can distinguish from random in ppt
• More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.

Complexity-theoretic semantics
Q |= if adversary A distinguisher D negligible function f n0 n > n0
s.t.
[[]](T,D,f)
T(Q,A,n)
[[]](T,D,f(n))|/|T| > 1 – f(n)
Fraction represents probability
• Fix protocol Q, PPT adversary A
• Choose value of security parameter n
• Vary random bits used by all programs
• Obtain set T=T(Q,A,n) of equi-probable traces

Inductive Semantics
[[1 2]] (T,D,) = [[1]] (T,D,) [[2]] (T,D,)
[[1 2]] (T,D,) = [[1]] (T,D,) [[2]] (T,D,)
[[ ]] (T,D,) = T - [[]] (T,D,)
Implication uses conditional probability
[[1 2]] (T,D,) = [[1]] (T,D,)
[[2]] (T’,D,)
where T’ = [[1]] (T,D,)
Formula defines transformation on probability distributions over traces

Soundness of proof system
Example axiom
• Source(Y,u,{m}X) Decrypts(X, {m}X) Honest(X,Y) (Z X,Y) Indistinguishable(Z, u)
Proof idea: crypto-style reduction
• Assume axiom not valid: A D negligible f n0 n > n0 s.t.
• [[]](T,D,f)|/|T| < 1 –f(n)
• Construct attacker A’ that uses A, D to break IND-CCA2 secure encryption scheme
• Conditional implication essential

Logic and Cryptography: Big Picture
Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)
Axiom in proof system
Protocol security proofs using proof system
Semantics and soundness theorem

Summary: PCL
Formalism
• Protocol programming language
• Protocol logic
– Syntax – stating security properties
– Semantics – meaning of security properties
• Proof System – proving security properties
Examples
• Signature-based challenge-response, ISO, 802.11i
Composition
• Modular proofs
Computational Soundness
• Symbolic proofs about complexity-theoretic model

Thanks
Questions?