Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, - PowerPoint PPT Presentation

Rewriting in Protocol Verification Stéphanie Delaune Univ Rennes, CNRS, IRISA, France Monday, June 29th, 2020 1/23

Cryptographic protocols everywhere ! Cryptographic protocols ◮ small programs designed to secure communication ( e.g. secrecy, authentication, anonymity, . . . ) ◮ use cryptographic primitives ( e.g. encryption, signature, . . . . . . ) The network is unsecure! Communications take place over a public network like the Internet. 2/23

Cryptographic protocols everywhere ! Cryptographic protocols ◮ small programs designed to secure communication ( e.g. secrecy, authentication, anonymity, . . . ) ◮ use cryptographic primitives ( e.g. encryption, signature, . . . . . . ) It becomes more and more important to protect our privacy. 2/23

How cryptographic protocols can be attacked? Cryptanalysis ◮ Differential attacks, ◮ Boomerang attacks, ◮ Cube attacks, ◮ . . . 3/23

How cryptographic protocols can be attacked? Logical attacks ◮ can be mounted even assuming perfect cryptography, ֒ → replay attack, man-in-the middle attack, . . . ◮ subtle and hard to detect by “eyeballing” the protocol This is the so-called Dolev-Yao attacker ! 3/23

How cryptographic protocols can be attacked? Logical attacks ◮ can be mounted even assuming perfect cryptography, ֒ → replay attack, man-in-the middle attack, . . . ◮ subtle and hard to detect by “eyeballing” the protocol Example: An authentication flaw on the Needham Schroeder protocol A → B : { A , N A } pub( B ) B → A : { N A , N B } pub( A ) A → B : { N B } pub( B ) NS protocol (1978) 3/23

How cryptographic protocols can be attacked? Logical attacks ◮ can be mounted even assuming perfect cryptography, ֒ → replay attack, man-in-the middle attack, . . . ◮ subtle and hard to detect by “eyeballing” the protocol Example: An authentication flaw on the Needham Schroeder protocol A → B : { A , N A } pub( B ) A → B : { A , N A } pub( B ) B → A : { N A , N B } pub( A ) B → A : { N A , N B , B } pub( A ) A → B : { N B } pub( B ) A → B : { N B } pub( B ) NS protocol (1978) NS-Lowe protocol (1995) 3/23

How cryptographic protocols can be attacked? Logical attacks ◮ can be mounted even assuming perfect cryptography, ֒ → replay attack, man-in-the middle attack, . . . ◮ subtle and hard to detect by “eyeballing” the protocol Example: FREAK attack by Barghavan et al. (2015) A logical flaw that allows a man-in-the- middle attacker to downgrade connections from ’strong’ RSA to ’export grade’ RSA. 3/23

How cryptographic protocols can be attacked? Logical attacks ◮ can be mounted even assuming perfect cryptography, ֒ → replay attack, man-in-the middle attack, . . . ◮ subtle and hard to detect by “eyeballing” the protocol Example: A traceability attack on the BAC protocol (2010) privacy issue The register - Jan. 2010 3/23

Basic Acccess Control (BAC) protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) { N P , N R , K P } KE , MAC KM ( { N P , N R , K P } KE ) K seed = K P ⊕ K R K seed = K P ⊕ K R 4/23

Unlinkability/Untraceability Informally, an observer/attacker can not observe the difference between the two following situations: 1. a situation where the same passport may be used twice (or even more); 2. a situation where each passport is used at most once. 5/23

Unlinkability/Untraceability Informally, an observer/attacker can not observe the difference between the two following situations: 1. a situation where the same passport may be used twice (or even more); 2. a situation where each passport is used at most once. More formally, ? !new ke . new km . (! P BAC | ! R BAC ) ≈ !new ke . new km . ( P BAC | R BAC ) ↑ ↑ many sessions only one session for each passport for each passport (we still have to formalize the notion of equivalence) 5/23

Some other equivalence-based security properties Vote privacy the fact that a particular voter voted in a particular way is not revealed to anyone Strong secrecy the fact that an adversary cannot see any difference when the value of the secret changes − → stronger than the notion of secrecy as non-deducibility. Guessing attack the fact that an adversary can not learn the value of passwords even if he knows that they have been choosen in a particular dic- tionary. 6/23

How rewriting and unification theory can help us in protocol verification? 7/23

Messages as terms - Back to the BAC protocol Nonces n r , n p , and keys k r , k p , k e , k m are modelled using names Cryptographic primitives are modelled using function symbols ◮ encryption/decryption: senc / 2, sdec / 2 ◮ concatenation/projections: � , � / 2, proj 1 / 1, proj 2 / 1 ◮ mac construction: mac / 2 sdec(senc( x , y ) , y ) = x proj 1 ( � x , y � ) = x proj 2 ( � x , y � ) = y 8/23

Messages as terms - Back to the BAC protocol Nonces n r , n p , and keys k r , k p , k e , k m are modelled using names Cryptographic primitives are modelled using function symbols ◮ encryption/decryption: senc / 2, sdec / 2 ◮ concatenation/projections: � , � / 2, proj 1 / 1, proj 2 / 1 ◮ mac construction: mac / 2 sdec(senc( x , y ) , y ) = x proj 1 ( � x , y � ) = x proj 2 ( � x , y � ) = y Exclusive-or operator: ⊕ of arity 2 and 0 (neutral element) x ⊕ ( y ⊕ z ) = ( x ⊕ y ) ⊕ z x ⊕ x = 0 x ⊕ y y ⊕ x x ⊕ 0 = = x 8/23

Messages as terms - Back to the BAC protocol Nonces n r , n p , and keys k r , k p , k e , k m are modelled using names Cryptographic primitives are modelled using function symbols ◮ encryption/decryption: senc / 2, sdec / 2 ◮ concatenation/projections: � , � / 2, proj 1 / 1, proj 2 / 1 ◮ mac construction: mac / 2 sdec(senc( x , y ) , y ) = x proj 1 ( � x , y � ) = x proj 2 ( � x , y � ) = y Equational theories are useful to model algebraic properties of cryptographic primitives. 8/23

Computations as recipes frame = knowledge of the attacker = sequence of messages φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } 9/23

Computations as recipes frame = knowledge of the attacker = sequence of messages φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } Example: adec(aenc( x , pk( y )) , y ) → x { w 1 ⊲ pk( ska ); w 2 ⊲ pk( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc( � a , n a � , pk( skc )) } . initial knowledge 1st message of NS 9/23

Computations as recipes frame = knowledge of the attacker = sequence of messages φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } Example: adec(aenc( x , pk( y )) , y ) → x { w 1 ⊲ pk( ska ); w 2 ⊲ pk( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc( � a , n a � , pk( skc )) } . initial knowledge 1st message of NS Some recipes: ◮ from his private key skc , the attacker is able to get his public key with R = pk( w 3 ); ◮ R = aenc(adec( w 4 , w 3 ) , w 2 ) – this is the first step of the man-in-the-middle attack on NS protocol 9/23

Computations as recipes frame = knowledge of the attacker = sequence of messages φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } Example: adec(aenc( x , pk( y )) , y ) → x { w 1 ⊲ pk( ska ); w 2 ⊲ pk( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc( � a , n a � , pk( skc )) } . initial knowledge 1st message of NS Some recipes: ◮ from his private key skc , the attacker is able to get his public key with R = pk( w 3 ); ◮ R = aenc(adec( w 4 , w 3 ) , w 2 ) – this is the first step of the man-in-the-middle attack on NS protocol Rewriting is useful to express computations performed by the attacker. 9/23

Static equivalence Warm-up − → this is the so-called passive attacker 10/23

The static equivalence problem ( φ ∼ ψ ) ◮ Input: two substitutions (called frames) φ and ψ φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } ψ = { w 1 ⊲ v 1 , . . . , w ℓ ⊲ v ℓ } ◮ Output: Can the attacker distinguish the two frames, i.e. does ? there exist a test R 1 = R 2 such that: R 1 φ = E R 2 φ but R 1 ψ � = E R 2 ψ (or the converse). 11/23

The static equivalence problem ( φ ∼ ψ ) ◮ Input: two substitutions (called frames) φ and ψ φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } ψ = { w 1 ⊲ v 1 , . . . , w ℓ ⊲ v ℓ } ◮ Output: Can the attacker distinguish the two frames, i.e. does ? there exist a test R 1 = R 2 such that: R 1 φ = E R 2 φ but R 1 ψ � = E R 2 ψ (or the converse). Example 1: adec(aenc( x , pk( y )) , y ) = x ◮ φ = { w 1 ⊲ pk( sks ); w 2 ⊲ aenc( yes , pk( sks )) } ; and ◮ ψ = { w 1 ⊲ pk( sks ); w 2 ⊲ aenc( no , pk( sks )) } . 11/23

The static equivalence problem ( φ ∼ ψ ) ◮ Input: two substitutions (called frames) φ and ψ φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } ψ = { w 1 ⊲ v 1 , . . . , w ℓ ⊲ v ℓ } ◮ Output: Can the attacker distinguish the two frames, i.e. does ? there exist a test R 1 = R 2 such that: R 1 φ = E R 2 φ but R 1 ψ � = E R 2 ψ (or the converse). Example 1: adec(aenc( x , pk( y )) , y ) = x ◮ φ = { w 1 ⊲ pk( sks ); w 2 ⊲ aenc( yes , pk( sks )) } ; and ◮ ψ = { w 1 ⊲ pk( sks ); w 2 ⊲ aenc( no , pk( sks )) } . → They are not in static equivalence: aenc( yes , w 1 ) ? − = w 2 . 11/23