Satisfiability of Dolev-Yao Constraints Laurent Mazar´ e laurent.mazare@imag.fr Laboratoire VERIMAG Grenoble, France Satisfiability of Dolev-Yao Constraints – p.1/17
Motivation Constraints are used to verify secrecy with a bounded number of sessions. Satisfiability of Dolev-Yao Constraints – p.2/17
✁ ✁ ✁ ✆ ✂ ✁ ✂ ✄ ✂ ✁ ✄ ☎ ✁ ✂ ☎ ✁ ✄ ✁ ✄ ✂ ✁ ✂ ✂ � ✁ ✁ ✁ ✄ ✁ ✆ ✄ ✄ ☎ ✂ ✄ Motivation Constraints are used to verify secrecy with a bounded number of sessions. Needham-Schroeder constraint: NS E N C A x A K C K B E N C A x N B N C y K C K A K A E N C A x N B y N B K C K A K C Satisfiability of Dolev-Yao Constraints – p.2/17
✄ ✁ ✁ ✆ ✂ ✁ ✂ ✁ ✆ ✄ ✄ ✄ ✁ ✂ ✁ ✁ ✄ ✁ ☎ ✂ ☎ ✄ ✂ � ✁ ✁ ✄ ✁ ✁ ✁ ✄ ✂ ☎ ✂ ✂ Motivation Constraints are used to verify secrecy with a bounded number of sessions. Needham-Schroeder constraint: NS E N C A x A K C K B E N C A x N B N C y K C K A K A E N C A x N B y N B K C K A K C Extensions: Inequations, Multiple Intruders, Opacity (Strong Secrecy). Satisfiability of Dolev-Yao Constraints – p.2/17
✁ ✁ ☎ ✂ ✂ ✂ ✁ ✁ ✆ ✄ � � � ✂ � ✄ � Messages and Constraints Messages are defined by: m :: a x f m 1 m n m 1 m 2 m 1 m 2 a : atom, x: variable, f : first order symbol Satisfiability of Dolev-Yao Constraints – p.3/17
☎ ✁ � ✂ ✄ � � � � � ✁ ✆ ✂ � � ☎ ✆ ✄ � � ✆ ✂ ✂ ☎ � ✄ � � � ✁ ✁ ✁ ✂ Messages and Constraints Messages are defined by: m :: a x f m 1 m n m 1 m 2 m 1 m 2 a : atom, x: variable, f : first order symbol Constraints are defined by: C :: C C C C C A C A :: T m U m n m, n: messages, T, U: finite sets of messages. Satisfiability of Dolev-Yao Constraints – p.3/17
� � � � ✁ ✆ ✂ Models A substitution σ is a model of constraint C iff σ C where is the smallest relation defined by: Usual definitions for , , Satisfiability of Dolev-Yao Constraints – p.4/17
� � ✆ � ✆ � ✂ ✆ ✁ � � � � Models A substitution σ is a model of constraint C iff σ C where is the smallest relation defined by: Usual definitions for , , m σ n σ σ m n Satisfiability of Dolev-Yao Constraints – p.4/17
� ✂ ✄ ☎ ☎ ✄ � � ✄ ☎ � ✆ � � � � � ☎ � � � ☎ � � ✄ ✁ ✆ ✁ ☎ ✆ ✄ ✂ ✄ � Models A substitution σ is a model of constraint C iff σ C where is the smallest relation defined by: Usual definitions for , , m σ n σ σ m n T σ m σ U σ σ T m U where T m U is defined as except the decode rule: T m U u U u T m U Satisfiability of Dolev-Yao Constraints – p.4/17
� Well-Formed Constraints A constraint C is well-formed iff C Co and for each Co : Satisfiability of Dolev-Yao Constraints – p.5/17
� ✄ � ✁ � ☎ � ✄ ✁ ☎ ☎ � ☎ � Well-Formed Constraints A constraint C is well-formed iff C Co and for each Co : If T m U and T m U are in Co , then T T or T T (Environment Inclusion). Satisfiability of Dolev-Yao Constraints – p.5/17
✁ ✄ ✁ � ☎ � � ✁ � ✁ ☎ ☎ ✄ � ☎ ✄ ✁ ☎ ✁ � � � � ☎ ✁ ✄ ☎ � ✄ � ☎ � � ✄ ✁ ✁ Well-Formed Constraints A constraint C is well-formed iff C Co and for each Co : If T m U and T m U are in Co , then T T or T T (Environment Inclusion). If T m U Co and x var T , then there exists T m U Co such that x var m , U U and T T (Variable Introduction). Satisfiability of Dolev-Yao Constraints – p.5/17
✁ ✄ ✁ � ☎ � � ✁ � ✁ ☎ ☎ ✄ � ☎ ✄ ✁ ☎ ✁ � � � � ☎ ✁ ✄ ☎ � ✄ � ☎ � � ✄ ✁ ✁ Well-Formed Constraints A constraint C is well-formed iff C Co and for each Co : If T m U and T m U are in Co , then T T or T T (Environment Inclusion). If T m U Co and x var T , then there exists T m U Co such that x var m , U U and T T (Variable Introduction). A constraint C quasi-well-formed iff Satisfiability of Dolev-Yao Constraints – p.5/17
✁ ✁ ☎ ✄ ☎ ✁ ✁ � ✁ � ✄ � � � ☎ ✄ � ✄ � � ☎ ✁ ✁ ✁ ✄ � � � ☎ ✄ ☎ ✁ � ☎ ☎ � Well-Formed Constraints A constraint C is well-formed iff C Co and for each Co : If T m U and T m U are in Co , then T T or T T (Environment Inclusion). If T m U Co and x var T , then there exists T m U Co such that x var m , U U and T T (Variable Introduction). A constraint C quasi-well-formed iff Variable Introduction. Satisfiability of Dolev-Yao Constraints – p.5/17
✁ ✄ ✁ � ☎ � � ✁ � ✁ ☎ ☎ ✄ � ☎ ✁ ✁ ☎ ✁ � � � � ☎ ✁ ✄ ☎ � ✄ � ☎ � � ✄ ✁ ✄ Well-Formed Constraints A constraint C is well-formed iff C Co and for each Co : If T m U and T m U are in Co , then T T or T T (Environment Inclusion). If T m U Co and x var T , then there exists T m U Co such that x var m , U U and T T (Variable Introduction). A constraint C quasi-well-formed iff Variable Introduction. There exists a closed message m that occurs in any environment of Co . Satisfiability of Dolev-Yao Constraints – p.5/17
✄ ☎ ☎ ☛ ✡ ✡ ☎ ✄ ✟ ✆ ✠ ✁ ✁ ✁ ✂ ✂ ✂ ✁ ✂ ✄ ✂ ☎ ✟ ✂ ✆ ☎ ✆ ✁ ✂ ✂ ✂ ✁ ✂ ✄ ✂ ✂ ✂ ✆ ✂ ✂ ✂ ✆ ☎ ✆ ✁ ✂ ✂ ✂ ✠ � ✆ ✄ ☎ ✁ ✂ ✄ ✄ ✂✄ ✂ � ✂ ✂ ✁ ✂ � ✁ � ☎ � ✠ ☎ ✆ ✂ ✞ ✂ ✆ ☎ ✄ ✁ ☎ ☛ ✟ ☎ ✆ ✝ ✞ ✄ ✄ ✄ ✞ ✂ ✞ ✂ ✞ ✂ ☎ Constraints Reducing usual well-formed constraints to our constraints: n T i σ m i σ 1 i σ T 1 k 1 T 1 m 1 k 1 k i 1 k α k 1 keys T m 1 i 1 i 2 in n T 2 k i 1 k 1 k i 1 T 2 m 2 k 1 k i 2 1 T n k i n k 1 k i n T n m n k 1 k i n 1 1 1 Satisfiability of Dolev-Yao Constraints – p.6/17
✁ ☎ ✁ ☎ ✁ ✂ ✂ ✂ ✁ ✁ ✄ ✄ � ☎ � � ☎ ☎ ☎ ✄ ✄ ✂ ✆ ✄ ☎ ☎ � ☎ ☎ ✄ ✄ ☎ ✂ ✄ ✆ � ☎ ☎ ✄ ✄ ☎ � ✁ ☎ ☎ ✆ ✄ ☎ ☎ � ✄ ✁ ✁ � ☎ ✄ ✄ ✄ ☎ ✂ ☎ ✂ ✂ ✁ � ✁ ☎ ☎ Satisfiability 1 : Rewriting T a U T a U T f m 1 m n U T f m 1 m n U T m n U T m U T n U T m U n T m U T m U T n U n Satisfiability of Dolev-Yao Constraints – p.7/17
� Satisfiability 2 : Properties C 1 C 2 , if C 1 is well-formed, then C 2 is well-formed too. Satisfiability of Dolev-Yao Constraints – p.8/17
� Satisfiability 2 : Properties C 1 C 2 , if C 1 is well-formed, then C 2 is well-formed too. Correctness and Completness Satisfiability of Dolev-Yao Constraints – p.8/17
� Satisfiability 2 : Properties C 1 C 2 , if C 1 is well-formed, then C 2 is well-formed too. Correctness and Completness Termination Satisfiability of Dolev-Yao Constraints – p.8/17
✄ ☎ � ✠ � ✆ ✟ ✟ ✆ ☎ ✠ Satisfiability 2 : Properties C 1 C 2 , if C 1 is well-formed, then C 2 is well-formed too. Correctness and Completness Termination Normal Forms: T x U m n Satisfiability of Dolev-Yao Constraints – p.8/17
� ✂ ✁ � ✂ � ✆ � ✆ ✂ ✂ ✆ � ✆ Satisfiability 3 : Inequations Let P be the constraint m 1 n 1 m j n j If P is satisfiable, then for any substitution σ such that P σ is closed and x σ y σ x y , 1 and σ k is a There exists an integer k such that k j model of P . Satisfiability of Dolev-Yao Constraints – p.9/17
� ✆ � � ☎ � ✁ ✂ ✂ � ✂ ✁ ✆ ✂ ✂ ✂ ✆ ✁ � ✆ ✆ ✂ Satisfiability 3 : Inequations Let P be the constraint m 1 n 1 m j n j If P is satisfiable, then for any substitution σ such that P σ is closed and x σ y σ x y , 1 and σ k is a There exists an integer k such that k j model of P . Application: x σ m m Satisfiability of Dolev-Yao Constraints – p.9/17
Satisfiability 4 : Results Satisfiability for well-formed constraints is decidable (and NP-complete). Satisfiability of Dolev-Yao Constraints – p.10/17
Satisfiability 4 : Results Satisfiability for well-formed constraints is decidable (and NP-complete). Same thing for quasi-well-formed constraints. Satisfiability of Dolev-Yao Constraints – p.10/17
Satisfiability 4 : Results Satisfiability for well-formed constraints is decidable (and NP-complete). Same thing for quasi-well-formed constraints. Security for protocols with inequations (bounded number of sessions). Satisfiability of Dolev-Yao Constraints – p.10/17
Opacity: Definitions An intruder C observes a protocol session between A and B . Could he deduce any property on the parameters of this protocol ? Satisfiability of Dolev-Yao Constraints – p.11/17
Recommend
More recommend
![The Satisfiability Problem [HMU06,Chp.10b] Satisfiability (SAT) Problem Cooks](https://c.sambuz.com/761856/the-satisfiability-problem-s.jpg)
