Symbolic Logic for Complexity-theoretic Model of Security Protocols
Anupam Datta, Ante Derek, John C. Mitchell, Vitaly Shmatikov, Mathieu Turuani
May 5, 2005


Security Protocols

Security Protocol
• Distributed program
• Uses cryptography to accomplish goal
• Network controlled by adversary

Examples
• Internet Engineering Task Force (IETF), IEEE Working Group Standards
– SSL/TLS - web authentication
– IPSec - corporate VPNs
– Mobile IPv6 - routing security
– Kerberos - network authentication
– GDOI - secure group communication
– 802.11i - wireless security

Engineering practice

Identify requirements
Design protocol
Think hard
Think some more
Can’t find attack
protocol “secure”
Implement
Deploy

Protocol flaws

IEEE 802.11i wireless authentication
IPSec’s IKE key exchange
IETF GDOI secure group communication
IETF Mobile IPv6 security
…many more

These are protocols designed for real networks

Engineering Practice (Cycle 2)

Someone else thinks hard and finds attack

Go back to cycle 1:
• Fix protocol
• Reimplement
• Redeploy

This is Theory Lunch…

We like to do rigorous proofs
But prove what?
What does “secure” mean?
What is the model of protocol execution and attack?

Problem Statement

Cryptographers and logicians working in computer security don’t talk to each other

(Disclaimer: Examples not representative)

Two worlds

Attacker actions
• Symbolic model [NS78, DY84, …]: (-) Fixed set of actions, e.g., decryption with known key (ABSTRACTION)
• Complexity-theoretic model [GM84, …]: (+) Any probabilistic poly-time computation

Security properties
• Symbolic model: (-) Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)
• Complexity-theoretic model: (+) Fine-grained, e.g., secret message = no partial information about bitstring representation

Analysis methods
• Symbolic model: (+) Successful array of tools and techniques; automation
• Complexity-theoretic model: (-) Hand-proofs are difficult, error-prone; no automation

Can we get the best of both worlds?

Logic 101 (Recall)

Logic
• Syntax Formulas
– p, p q, (p q), p q
• Semantics Truth
– Model, M = {p = true, q = false}
M |= p q

Proof System
• Axioms and proof rules Provability
– p (q p) p p q q
• Soundness Theorem
– Provability implies truth

Our Approach

Protocol Composition Logic (PCL)
• Syntax
• Proof System
• Semantics: Symbolic “Dolev-Yao” model

Computational PCL
• Syntax ±
• Proof System ±
• Semantics: Complexity-theoretic model

PhD Oral: May 10, 11AM, right here

Main Result

Computational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption

Soundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1.
+ Symbolic proofs
+ Complexity-theoretic model

Computational PCL

Syntax
• Expressing security properties

Proof System
• Proving security properties
• Soundness Theorem

Semantics
• Complexity-theoretic Model
– Attacker – any PPT algorithm
– Meaning of security properties

Example 1

A B
A, B, {n, A}B
B, A, n

Security Property - authentication
[Initiator Program]A Honest(B) ActionsInOrder(
  send(A, msg1), receive(B, msg1), send(B, msg2), receive(A, msg2) )

Example 2

A B
A, B, {n, A}B

Security Property - secrecy
[Initiator Program]A Honest(B) (X (X A,B) Indistinguishable(X,n)

Logic Syntax

Proof System

Soundness of proof system

Information-theoretic reasoning
[new u]X (Y X) Indistinguishable(Y, u)

Complexity-theoretic reductions
Source(Y,u,{m}X) Decrypts(X, {m}X) Honest(X,Y) (Z X,Y) Indistinguishable(Z, u)

Asymptotic calculations

Sum of two negligible functions is a negligible function

Reduction to IND-CCA2-secure encryption scheme
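
The asymptotic step named on this slide, written out as an added derivation (not from the original slides). It assumes the standard definition of a negligible function, which the slides do not spell out: $f$ is negligible if for every $c > 0$ there is an $n_f$ such that $f(n) < n^{-c}$ for all $n > n_f$.

Let $f$ and $g$ be negligible and fix any $c > 0$. Applying the definition to each with exponent $c + 1$ gives thresholds $n_f$ and $n_g$, and then

\[
f(n) + g(n) \;<\; 2\,n^{-(c+1)} \;=\; \frac{2}{n}\,n^{-c} \;\le\; n^{-c}
\qquad \text{for all } n > \max(n_f,\, n_g,\, 2).
\]

Since $c$ was arbitrary, $f + g$ is negligible.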

Big picture

Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)

Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)

Axiom in proof system

Protocol security proofs using proof system

Semantics and soundness theorem

Complexity-theoretic semantics

Q |= if A D f negligible n0 n > n0 function s.t.

• Fix protocol Q, PPT adversary A, security parameter n

• Vary random bits used by all programs

• Obtain set of equi-probable traces, T(Q,A,n)

T()

T(Q,A,n)

|T()|/|T(Q,A,n)| > 1 –f(n)

Represents probability
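
The trace-counting definition above, carried through on a toy case (an added example, not code from the slides or from the PCL project). Assumptions: the protocol and adversary are constructed stand-ins in which the initiator draws an n-bit nonce and the adversary blindly guesses it, the ciphertext is treated as opaque, the bound f(n) = 2^(1-n) is chosen for illustration, and all function names are hypothetical.

```python
from fractions import Fraction
from itertools import product

def traces(n):
    """Constructed stand-in for T(Q, A, n): one trace per choice of random bits.

    Assumptions: the initiator draws an n-bit nonce, the ciphertext is opaque,
    and the adversary outputs n coin flips as its guess of the nonce.
    """
    for nonce in product((0, 1), repeat=n):      # honest party's random bits
        for guess in product((0, 1), repeat=n):  # adversary's random bits
            yield {"nonce": nonce, "guess": guess}

def nonce_not_guessed(trace):
    """Formula: the adversary's output differs from the nonce."""
    return trace["guess"] != trace["nonce"]

def first_bit_not_guessed(trace):
    """Formula: the adversary misses the first bit of the nonce."""
    return trace["guess"][0] != trace["nonce"][0]

def satisfaction_ratio(n, formula):
    """|T(formula)| / |T(Q, A, n)| as an exact fraction."""
    all_traces = list(traces(n))
    good = sum(1 for t in all_traces if formula(t))
    return Fraction(good, len(all_traces))

def f(n):
    """Assumed negligible bound f(n) = 2^(1-n)."""
    return Fraction(2, 2 ** n)

def holds_beyond(formula, n0, n_max):
    """Check ratio > 1 - f(n) for n0 < n <= n_max (finite check only;
    the definition quantifies over all n > n0)."""
    return all(satisfaction_ratio(n, formula) > 1 - f(n)
               for n in range(n0 + 1, n_max + 1))

if __name__ == "__main__":
    for n in range(1, 7):
        print(n, satisfaction_ratio(n, nonce_not_guessed),
              satisfaction_ratio(n, first_bit_not_guessed), 1 - f(n))
```

The first formula stays above 1 - f(n) at every n checked, while the second is satisfied on only half the traces regardless of n, so no negligible f can bound its failure probability.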

Inductive Semantics

Consider set of traces T(Q,A,n)

• T(1 2) = T(1)T(2)

• T(1 2) = T(1) T(2)

• T( ) = T()

Semantics of formulas are transformers on probability distribution over traces

Future Work

Investigate nature of logic
• Propositional fragment not classical represents conditional probability
– complexity-theoretic reductions
– connections with probabilistic logics (e.g. Nilsson86)

Generalize reasoning about secrecy
• Probability close to ½ instead of 1
• Not a trace property

Extend logic
• More primitives: signature, hash functions,…
• Remove current syntactic restrictions on formulas

Information-theoretic semantics
• Only probability; no complexity

Related Work

Process calculus
• LMMS98-RMST05

Logic
• AR00 (passive eavesdropper; encryption)
• IK03 (computational indistinguishability)

Relating symbolic and crypto models
• BPW03-05 (active attacker)
• MW04-05 (active attacker)