verification of security protocols part i
play

Verification of Security Protocols Part I eronique Cortier 1 V - PowerPoint PPT Presentation

Introduction on security protocols Formal models Unbounded number of sessions Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/65 V eronique Cortier Verification of Security


  1. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example How does the “YesCard” work ? Logical flaw 1 . Ca → T : Data , { hash (Data) } K − 1 B 2 . T → Ca : secret code ? → Ca ′ 3 . Cu : 2345 Ca ′ 4 . → T : ok Remark : there is always somebody to debit. → creation of a fake card 16/65 V´ eronique Cortier Verification of Security Protocols

  2. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example How does the “YesCard” work ? Logical flaw 1 . Ca → T : Data , { hash (Data) } K − 1 B 2 . T → Ca : secret code ? → Ca ′ 3 . Cu : 2345 Ca ′ 4 . → T : ok Remark : there is always somebody to debit. → creation of a fake card Ca ′ → T : XXX , { hash (XXX) } K − 1 1 . B → Cu 2 . T : secret code ? → Ca ′ 3 . Cu : 0000 Ca ′ → T 4 . : ok 16/65 V´ eronique Cortier Verification of Security Protocols

  3. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Commutative Symmetric encryption Symmetric encryption, denoted by { m } k clef clef Hello Obawbhe Hello Alice Nyvpr Alice Encryption Decryption The same key is used for encrypting and decrypting. Commutative (symmetric) encryption (e.g. RSA) {{ m } k 1 } k 2 = {{ m } k 2 } k 1 17/65 V´ eronique Cortier Verification of Security Protocols

  4. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − → 18/65 V´ eronique Cortier Verification of Security Protocols

  5. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − 18/65 V´ eronique Cortier Verification of Security Protocols

  6. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − { pin : 3443 } k bob − − − − − − − − − − − → � � � � Since { pin : 3443 } k alice = { pin : 3443 } k bob k bob k alice 18/65 V´ eronique Cortier Verification of Security Protocols

  7. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − { pin : 3443 } k bob − − − − − − − − − − − → → It does not work ! (Authentication problem) 18/65 V´ eronique Cortier Verification of Security Protocols

  8. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − { pin : 3443 } k bob − − − − − − − − − − − → → It does not work ! (Authentication problem) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k intruder ← − − − − − − − − − − − − − − − − − { pin : 3443 } k intruder − − − − − − − − − − − − → 18/65 V´ eronique Cortier Verification of Security Protocols

  9. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Another example The “famous” Needham-Schroeder public key protocol (and its associated Man-In-The-Middle Attack) 19/65 V´ eronique Cortier Verification of Security Protocols

  10. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Public key encryption Public key : pk( A ) Encryption : { m } pk( A ) public private key key Hello Obawbhe Hello Alice Nyvpr Alice Encryption Decryption Encryption with the public key and decryption with the private key. Invented only in the late 70’s ! 20/65 V´ eronique Cortier Verification of Security Protocols

  11. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A . N b Random number (called nonce) generated by B . • A → B : { A , N a } pub( B ) B → A : { N a , N b } pub( A ) A → B : { N b } pub( B ) 21/65 V´ eronique Cortier Verification of Security Protocols

  12. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A . N b Random number (called nonce) generated by B . A → B : { A , N a } pub( B ) • B → A : { N a , N b } pub( A ) A → B : { N b } pub( B ) 21/65 V´ eronique Cortier Verification of Security Protocols

  13. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A . N b Random number (called nonce) generated by B . A → B : { A , N a } pub( B ) B → A : { N a , N b } pub( A ) • A → B : { N b } pub( B ) 21/65 V´ eronique Cortier Verification of Security Protocols

  14. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A . N b Random number (called nonce) generated by B . A → B : { A , N a } pub( B ) B → A : { N a , N b } pub( A ) A → B : { N b } pub( B ) Questions : Is N b secret between A and B ? When B receives { N b } pub( B ) , does this message really come from A ? 21/65 V´ eronique Cortier Verification of Security Protocols

  15. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A . N b Random number (called nonce) generated by B . A → B : { A , N a } pub( B ) B → A : { N a , N b } pub( A ) A → B : { N b } pub( B ) Questions : Is N b secret between A and B ? When B receives { N b } pub( B ) , does this message really come from A ? → An attack was discovered in 1994, 15 years after the publication of the protocol ! 21/65 V´ eronique Cortier Verification of Security Protocols

  16. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Man in the middle attack { A , N a } pub( P ) { A , N a } pub( B ) − − − − − − − → − − − − − − − → 22/65 V´ eronique Cortier Verification of Security Protocols

  17. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Man in the middle attack { A , N a } pub( P ) { A , N a } pub( B ) − − − − − − − → − − − − − − − → { N a , N b } pub( A ) { N a , N b } pub( A ) ← − − − − − − − − − ← − − − − − − − − − 22/65 V´ eronique Cortier Verification of Security Protocols

  18. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Man in the middle attack { A , N a } pub( P ) { A , N a } pub( B ) − − − − − − − → − − − − − − − → { N a , N b } pub( A ) { N a , N b } pub( A ) ← − − − − − − − − − ← − − − − − − − − − { N b } pub( P ) { N b } pub( B ) − − − − − − → − − − − − − → 22/65 V´ eronique Cortier Verification of Security Protocols

  19. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Man in the middle attack { A , N a } pub( P ) { A , N a } pub( B ) − − − − − − − → − − − − − − − → { B , N a , N b } pub( A ) { B , N a , N b } pub( A ) ← − − − − − − − − − ← − − − − − − − − − { N b } pub( P ) { N b } pub( B ) − − − − − − → − − − − − − → Fixing the flaw : add the identity of B . 22/65 V´ eronique Cortier Verification of Security Protocols

  20. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Outline of the talk 1 Introduction on security protocols Context Security Protocols : how does it work ? Commutative encryption (RSA) Needham-Schroeder Example 2 Formal models Messages Intruder Protocol Solving constraint systems 3 Unbounded number of sessions Undecidability Horn clauses 23/65 V´ eronique Cortier Verification of Security Protocols

  21. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Difficulty Presence of an attacker may read every message sent on the net, may intercept and send new messages. ⇒ The system is infinitely branching 24/65 V´ eronique Cortier Verification of Security Protocols

  22. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems A first approach Why not modeling security protocol using a (possibly extended) automata ? login name pw correct START VALIDATE CONNECTED restart pw wrong restart DELAY LOG ERROR log pw wrong 25/65 V´ eronique Cortier Verification of Security Protocols

  23. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems How to model a security protocol ? login name pw correct START VALIDATE CONNECTED restart pw wrong restart DELAY LOG ERROR log pw wrong The output of each participants strongly depends on the data received inside the message. At each step, a malicious user (called the adversary) may create arbitrary messages. The output of the adversary strongly depends on the messages sent on the network. → It is important to have a tight modeling of the messages. 26/65 V´ eronique Cortier Verification of Security Protocols

  24. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems An appropriate datastructure : Terms Given a signature F of symbols with an arity e.g. { enc , pair , a , b , c , n a , n b } and a set X of variables, the set of terms T ( F , X ) is inductively defined as follows : constants terms (e.g. a , b , c , n a , n b ) are terms variables are terms f ( t 1 , . . . , t n ) is a term whenever t 1 , . . . , t n are terms. Intuition : from words to trees. → There exists automata on trees instead of (classical) automata on words, see e.g. TATA http ://tata.gforge.inria.fr/ 27/65 V´ eronique Cortier Verification of Security Protocols

  25. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Messages Messages are abstracted by terms. Agents : a , b , . . . Nonces : n 1 , n 2 , . . . Keys : k 1 , k 2 , . . Cyphertext : enc( m , k ) Concatenation : pair( m 1 , m 2 ) Example : The message { A , N a } K is represented by : {} enc(pair( A , N a ) , K ) �� K A N a Intuition : only the structure of the message is kept. 28/65 V´ eronique Cortier Verification of Security Protocols

  26. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Intruder abilities Composition rules T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ � u , v � T ⊢ enc( u , v ) T ⊢ enca( u , v ) 29/65 V´ eronique Cortier Verification of Security Protocols

  27. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Intruder abilities Composition rules T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ � u , v � T ⊢ enc( u , v ) T ⊢ enca( u , v ) Decomposition rules T ⊢ � u , v � T ⊢ � u , v � u ∈ T T ⊢ u T ⊢ u T ⊢ v T ⊢ enc( u , v ) T ⊢ v T ⊢ enca( u , pub( v )) T ⊢ priv( v ) T ⊢ u T ⊢ u 29/65 V´ eronique Cortier Verification of Security Protocols

  28. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Intruder abilities Composition rules T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ � u , v � T ⊢ enc( u , v ) T ⊢ enca( u , v ) Decomposition rules T ⊢ � u , v � T ⊢ � u , v � u ∈ T T ⊢ u T ⊢ u T ⊢ v T ⊢ enc( u , v ) T ⊢ v T ⊢ enca( u , pub( v )) T ⊢ priv( v ) T ⊢ u T ⊢ u Deducibility relation A term u is deducible from a set of terms T , denoted by T ⊢ u , if there exists a prooftree witnessing this fact. 29/65 V´ eronique Cortier Verification of Security Protocols

  29. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems A simple protocol � Bob , k � � Alice , enc(s , k) � 30/65 V´ eronique Cortier Verification of Security Protocols

  30. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems A simple protocol � Bob , k � � Alice , enc(s , k) � Question ? Can the attacker learn the secret s ? 30/65 V´ eronique Cortier Verification of Security Protocols

  31. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems A simple protocol � Bob , k � � Alice , enc(s , k) � Answer : Of course, Yes ! � Alice , enc(s , k) � � Bob , k � enc(s , k) k s 30/65 V´ eronique Cortier Verification of Security Protocols

  32. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Decision of the intruder problem Given A set of messages S and a message m Question Can the intruder learn m from S that is S ⊢ m ? This problem is decidable in polynomial time. Exercise : (medium) Prove it. 31/65 V´ eronique Cortier Verification of Security Protocols

  33. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Decision of the intruder problem Given A set of messages S and a message m Question Can the intruder learn m from S that is S ⊢ m ? This problem is decidable in polynomial time. Exercise : (medium) Prove it. Lemma (Locality) If there is a proof of S ⊢ m then there is a proof that only uses the subterms of S and m. 31/65 V´ eronique Cortier Verification of Security Protocols

  34. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Protocol description Protocol : A → B { pin } k a : B → A : {{ pin } k a } k b A → B { pin } k b : A protocol is a finite set of roles : role Π(1) corresponding to the 1 st participant played by a talking to b : k a init → enc(pin , k a ) enc( x , k a ) → x . 32/65 V´ eronique Cortier Verification of Security Protocols

  35. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Protocol description Protocol : A → B { pin } k a : B → A : {{ pin } k a } k b A → B { pin } k b : A protocol is a finite set of roles : role Π(1) corresponding to the 1 st participant played by a talking to b : k a init → enc(pin , k a ) enc( x , k a ) → x . role Π(2) corresponding to the 2 nd participant played by b with a : k b → x enc( x , k b ) enc( y , k b ) → stop . 32/65 V´ eronique Cortier Verification of Security Protocols

  36. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Secrecy via constraint solving [Millen et al] Constraint systems are used to specify secrecy preservation under a particular, finite scenario. Scenario Constraint System N 1 rcv( u 1 ) → snd( v 1 )  T 0 � u 1  N 2  T 0 , v 1 � u 2 rcv( u 2 ) → snd( v 2 )  C = ... . . .   T 0 , v 1 , .., v n � s N n  rcv( u n ) → snd( v n ) where T 0 is the initial knowledge of the attacker. Remark : Constraint Systems may be used more generally for trace-based properties, e.g. authentication. 33/65 V´ eronique Cortier Verification of Security Protocols

  37. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Secrecy via constraint solving [Millen et al] Constraint systems are used to specify secrecy preservation under a particular, finite scenario. Scenario Constraint System N 1 rcv( u 1 ) → snd( v 1 )  T 0 � u 1  N 2  T 0 , v 1 � u 2 rcv( u 2 ) → snd( v 2 )  C = ... . . .   T 0 , v 1 , .., v n � s N n  → snd( v n ) rcv( u n ) where T 0 is the initial knowledge of the attacker. Solution of a constraint system A substitution σ such that for every T � u ∈ C , u σ is deducible from T σ , that is u σ ⊢ T σ . 33/65 V´ eronique Cortier Verification of Security Protocols

  38. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Example of a system constraint A → B : { pin } k a B → A {{ pin } k a } k b : and the attacker initially knows T 0 = { init } . A → B : { pin } k b One possible associated constraint system is :  { init } � init  C = { init , { pin } k a } � { x } k a { init , { pin } k a , x } � pin  Is there a solution ? 34/65 V´ eronique Cortier Verification of Security Protocols

  39. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Example of a system constraint A → B : { pin } k a B → A {{ pin } k a } k b : and the attacker initially knows T 0 = { init } . A → B : { pin } k b One possible associated constraint system is :  { init } � init  C = { init , { pin } k a } � { x } k a { init , { pin } k a , x } � pin  Is there a solution ? Of course yes, simply consider x = pin ! 34/65 V´ eronique Cortier Verification of Security Protocols

  40. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Example of a system constraint A → B : { pin } k a B → A {{ pin } k a } k b : and the attacker initially knows T 0 = { init } . A → B : { pin } k b One possible associated constraint system is :  { init } � init  C = { init , { pin } k a } � { x } k a { init , { pin } k a , x } � pin  Is there a solution ? Of course yes, simply consider x = pin ! Exercise : (easy) Propose the constraint system associated to the (non-corrected) Needham-Schroeder protocol (for a reasonable choice of sessions) and exhibit a solution. 34/65 V´ eronique Cortier Verification of Security Protocols

  41. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems How to solve constraint system ?  T 0 � u 1   T 0 , v 1 � u 2  Given C = ...   T 0 , v 1 , .., v n � u n +1  Question Is there a solution σ of C ? 35/65 V´ eronique Cortier Verification of Security Protocols

  42. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems An easy case : “solved constraint systems” General case  T 0 � u 1   T 0 , v 1 � u 2  Given C = ...   T 0 , v 1 , .., v n � u n +1  Question Is there a solution σ of C ? 36/65 V´ eronique Cortier Verification of Security Protocols

  43. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems An easy case : “solved constraint systems” General case  T 0 � u 1   T 0 , v 1 � u 2  Given C = ...   T 0 , v 1 , .., v n � u n +1  Question Is there a solution σ of C ? Solved constraint systems  T 0 � x 1   T 0 , v 1 � x 2  Given C = ...   T 0 , v 1 , .., v n � x n +1  Question Is there a solution σ of C ? 36/65 V´ eronique Cortier Verification of Security Protocols

  44. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems An easy case : “solved constraint systems” General case  T 0 � u 1   T 0 , v 1 � u 2  Given C = ...   T 0 , v 1 , .., v n � u n +1  Question Is there a solution σ of C ? Solved constraint systems  T 0 � x 1   T 0 , v 1 � x 2  Given C = ...   T 0 , v 1 , .., v n � x n +1  Question Is there a solution σ of C ? Of course yes ! Consider e.g. σ ( x 1 ) = · · · = σ ( x n +1 ) = t ∈ T 0 . 36/65 V´ eronique Cortier Verification of Security Protocols

  45. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Decision procedure [Millen / Comon-Lundh] Goal : Transformation of the constraints in order to obtain a solved constraint system. 8 T 0 � u 1 > > T 0 , v 1 � u 2 < C = > ... > T 0 , v 1 , .., v n � u n +1 : C 1 C 2 C 3 ⊥ C 4 ⊥ SOLVED C has a solution iff C � C ′ with C ′ in solved form. 37/65 V´ eronique Cortier Verification of Security Protocols

  46. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Transformation rules if T ∪ { x | T ′ � x ∈ C , T ′ � T } ⊢ u R 1 : C ∧ T � u C � u ′ ∈ st ( T ) R 2 : C ∧ T � u C σ ∧ T σ � u σ � σ if σ = mgu( u , u ′ ) u , u ′ ∈ st ( T ) R 3 : C ∧ T � v � σ C σ ∧ T σ � v σ if σ = mgu( u , u ′ ) R 4 : C ∧ T � u � ⊥ if var( T , u ) = ∅ and T �⊢ u R 5 : C ∧ T � f ( u , v ) � C ∧ T � u ∧ T � v for f ∈ {�� , enc } 38/65 V´ eronique Cortier Verification of Security Protocols

  47. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Intruder step The intruder can built messages R 5 : C ∧ T � f ( u , v ) C ∧ T � u ∧ T � v � for f ∈ {�� , enc } 39/65 V´ eronique Cortier Verification of Security Protocols

  48. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Intruder step The intruder can built messages R 5 : C ∧ T � f ( u , v ) C ∧ T � u ∧ T � v � for f ∈ {�� , enc } Example : a , k � k a , k � enc( � x , y � , k ) � a , k � � x , y � 39/65 V´ eronique Cortier Verification of Security Protocols

  49. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Unsolvable constraints R 4 : C ∧ T � u � ⊥ if var( T , u ) = ∅ and T �⊢ u Example : . . . ⊥ a , enc( s , k ) � s � . . . 40/65 V´ eronique Cortier Verification of Security Protocols

  50. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Guessing equalities 1 Example : k , enc(enc( x , k ′ ) , k ) � enc( a , k ′ ) u ′ ∈ st ( T ) R 2 : C ∧ T � u � σ C σ ∧ T σ � u σ if σ = mgu( u , u ′ ), u , u ′ �∈ X , u � = u ′ 41/65 V´ eronique Cortier Verification of Security Protocols

  51. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Guessing equalities 1 Example : k , enc(enc( x , k ′ ) , k ) � enc( a , k ′ ) u ′ ∈ st ( T ) R 2 : C ∧ T � u � σ C σ ∧ T σ � u σ if σ = mgu( u , u ′ ), u , u ′ �∈ X , u � = u ′ 2 Example : enc( s , � a , x � ) , enc( � y , b � , k ) , k � s u , u ′ ∈ st ( T ) R 3 : C ∧ T � v � σ C σ ∧ T σ � v σ if σ = mgu( u , u ′ ), u , u ′ �∈ X , u � = u ′ 41/65 V´ eronique Cortier Verification of Security Protocols

  52. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Eliminating redundancies k � x k , enc( s , x ) � s The constraint enc( s , x ) � s will be satisfied as soon as k � x is satisfied. 42/65 V´ eronique Cortier Verification of Security Protocols

  53. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Eliminating redundancies k � x k , enc( s , x ) � s The constraint enc( s , x ) � s will be satisfied as soon as k � x is satisfied. if T ∪ { x | T ′ � x ∈ C , T ′ � T } ⊢ u R 1 : C ∧ T � u � C 42/65 V´ eronique Cortier Verification of Security Protocols

  54. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Soundness and completeness Theorem Soundness If C � σ C ′ and θ solution of C ′ then σθ is a solution of C . Completeness If θ solution of C then there exists C ′ , σ, θ ′ such that C � σ C ′ , θ = σθ ′ and θ ′ is a solution of C . Termination � is terminating in polynomial time in the size of C . 43/65 V´ eronique Cortier Verification of Security Protocols

  55. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Soundness and completeness Theorem Soundness If C � σ C ′ and θ solution of C ′ then σθ is a solution of C . Completeness If θ solution of C then there exists C ′ , σ, θ ′ such that C � σ C ′ , θ = σθ ′ and θ ′ is a solution of C . Termination � is terminating in polynomial time in the size of C . Exercise (easy) : show correctness Exercise (easy) : show termination using the lexicographic order (number of var, size of C ). What complexity do you get ? (More involved) : show termination in polynomial time Full proofs in [TOCL 2010] 43/65 V´ eronique Cortier Verification of Security Protocols

  56. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems NP-procedure for solving constraint systems 8 T 0 � u 1 > > T 0 , v 1 � u 2 < C = ... > > T 0 , v 1 , .., v n � u n +1 : C 1 C 2 C 3 ⊥ C 4 ⊥ SOLVED Corollary Checking secrecy for a bounded number of sessions is NP. NP-hardness can be shown by encoding 3-SAT. 44/65 V´ eronique Cortier Verification of Security Protocols

  57. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Example of tool : Avispa Platform Collaborators LORIA, France DIST, Italy ETHZ, Switzer- land Siemens, Germany www.avispa-project.org 45/65 V´ eronique Cortier Verification of Security Protocols

  58. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Limitations of this approach ? Are you ready to use any protocol verified with this technique ? 46/65 V´ eronique Cortier Verification of Security Protocols

  59. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Limitations of this approach ? Are you ready to use any protocol verified with this technique ? Only a finite scenario is checked. → What happens if the protocol is used one more time ? The underlying mathematical properties of the primitives are abstracted away. The specification of the protocol is analysed, but not its implementation. 46/65 V´ eronique Cortier Verification of Security Protocols

  60. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to decide security for unlimited sessions ? → In general, it is undecidable ! (i.e. there exists no algorithm for checking e.g. secrecy) How to prove undecidability ? 47/65 V´ eronique Cortier Verification of Security Protocols

  61. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to decide security for unlimited sessions ? → In general, it is undecidable ! (i.e. there exists no algorithm for checking e.g. secrecy) How to prove undecidability ? Post correspondence problem (PCP) input { ( u i , v i ) } 1 ≤ i ≤ n , u i , v i ∈ Σ ∗ output ∃ n , i 1 , . . . , i n u i 1 · · · u i n = v i 1 · · · v i n Example : { ( bab , b ) , ( ab , aba ) , ( a , baba ) } Solution ? 47/65 V´ eronique Cortier Verification of Security Protocols

  62. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to decide security for unlimited sessions ? → In general, it is undecidable ! (i.e. there exists no algorithm for checking e.g. secrecy) How to prove undecidability ? Post correspondence problem (PCP) input { ( u i , v i ) } 1 ≤ i ≤ n , u i , v i ∈ Σ ∗ output ∃ n , i 1 , . . . , i n u i 1 · · · u i n = v i 1 · · · v i n Example : { ( bab , b ) , ( ab , aba ) , ( a , baba ) } Solution ? → Yes, 1,2,3,1. babababab babababab 47/65 V´ eronique Cortier Verification of Security Protocols

  63. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to encode PCP in protocols ? Given { ( u i , v i ) } 1 ≤ i ≤ n , we construct the following protocol P : A → B : {� u 1 , v 1 �} K ab , . . . , {� u k , v k �} K ab B : {� x , y �} K ab → A : {� x , u 1 , y , v 1 �} K ab , { s } {� x , u 1 , x , u 1 �} Kab , . . . , {� x , u k , y , v k �} K ab , { s } {�� x , u k , x , u k �} Kab where a 1 · a 2 · · · a n denotes the term �· · · �� a 1 , a 2 � , a 3 , � . . . a n � . 48/65 V´ eronique Cortier Verification of Security Protocols

  64. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to encode PCP in protocols ? Given { ( u i , v i ) } 1 ≤ i ≤ n , we construct the following protocol P : A → B : {� u 1 , v 1 �} K ab , . . . , {� u k , v k �} K ab B : {� x , y �} K ab → A : {� x , u 1 , y , v 1 �} K ab , { s } {� x , u 1 , x , u 1 �} Kab , . . . , {� x , u k , y , v k �} K ab , { s } {�� x , u k , x , u k �} Kab where a 1 · a 2 · · · a n denotes the term �· · · �� a 1 , a 2 � , a 3 , � . . . a n � . Then there is an attack on P iff there is a solution to the Post Correspondence Problem with entry { ( u i , v i ) } 1 ≤ i ≤ n . 48/65 V´ eronique Cortier Verification of Security Protocols

  65. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to circumvent undecidability ? Find decidable subclasses of protocols. Design semi-decision procedure, that works in practice ... 49/65 V´ eronique Cortier Verification of Security Protocols

  66. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to model an unbounded number of sessions ? “For any x, if the agent A receives enc( x , k a ) then A responds with x.” → Use of first-order logic. 50/65 V´ eronique Cortier Verification of Security Protocols

  67. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Intruder Horn clauses perfectly reflects the attacker symbolic manipulations on terms. I ( x ) , I ( y ) ⇒ I ( < x , y > ) pairing ⇒ I ( { x } y ) I ( x ) , I ( y ) encryption I ( { x } y ) , I ( y ) ⇒ I ( x ) decryption ⇒ I ( < x , y > ) I ( x ) projection I ( < x , y > ) ⇒ I ( y ) projection 51/65 V´ eronique Cortier Verification of Security Protocols

  68. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Protocol Protocol : Horn clauses : A → B : { pin } k a ⇒ I ( { pin } k a ) B → A : {{ pin } k a } k b ⇒ I ( { x } k b ) I ( x ) A → B : { pin } k b I ( { x } k a ) ⇒ I ( x ) 52/65 V´ eronique Cortier Verification of Security Protocols

  69. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Protocol Protocol : Horn clauses : A → B : { pin } k a ⇒ I ( { pin } k a ) B → A : {{ pin } k a } k b ⇒ I ( { x } k b ) I ( x ) A → B : { pin } k b I ( { x } k a ) ⇒ I ( x ) Secrecy property is a reachability (accessibility) property ¬ I (pin) Then there exists an attack iff the set of formula corresponding to Intruder manipulations + protocol + property is NOT satisfiable. 52/65 V´ eronique Cortier Verification of Security Protocols

  70. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to decide satisfiability ? → Resolution techniques 53/65 V´ eronique Cortier Verification of Security Protocols

  71. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Some vocabulary First order logic Atoms P ( t 1 , . . . , t n ) where t i are terms, P is a predicate Literals P ( t 1 , . . . , t n ) or ¬ P ( t 1 , . . . , t n ) closed under ∨ , ∧ , ¬ , ∃ , ∀ Clauses : Only universal quantifiers Horn Clauses : at most one positive literal A 1 , . . . , A n ⇒ B where A i , B are atoms. 54/65 V´ eronique Cortier Verification of Security Protocols

  72. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Binary resolution A , B are atoms and C , D are clauses. An intuitive rule A ⇒ C A C In other words ¬ A ∨ C A C 55/65 V´ eronique Cortier Verification of Security Protocols

  73. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Binary resolution A , B are atoms and C , D are clauses. An intuitive rule A ⇒ C A C In other words ¬ A ∨ C A C Generalizing ¬ A ∨ C B θ = mgu ( A , B ) (i.e. A θ = B θ ) C θ 55/65 V´ eronique Cortier Verification of Security Protocols

  74. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Binary resolution A , B are atoms and C , D are clauses. An intuitive rule A ⇒ C A C In other words ¬ A ∨ C A C Generalizing ¬ A ∨ C B θ = mgu ( A , B ) (i.e. A θ = B θ ) C θ Generalizing a bit more ¬ A ∨ C B ∨ D θ = mgu ( A , B ) Binary resolution C θ ∨ D θ 55/65 V´ eronique Cortier Verification of Security Protocols

  75. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Binary resolution and Factorization ¬ A ∨ C B ∨ D Binary resolution θ = mgu( A , B ) C θ ∨ D θ A ∨ B ∨ C Factorisation θ = mgu( A , B ) A θ ∨ C θ Theorem (Soundness and Completeness) Binary resolution and factorisation are sound and refutationally complete, i.e. a set of clauses C is not satisfiable if and only if ⊥ (the empty clause) can be obtained from C by binary resolution and factorisation. Exercise : Why do we need the factorisation rule ? 56/65 V´ eronique Cortier Verification of Security Protocols

  76. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Example C = {¬ I ( s ) , I ( k 1 ) , I ( { s } � k 1 , k 1 � ) , I ( { x } y ) , I ( y ) ⇒ I ( x ) , I ( x ) , I ( y ) ⇒ I ( � x , y � ) I ( k 1 ) I ( x ) , I ( y ) ⇒ I ( � x , y � ) I ( { s } � k 1 , k 1 � ) I ( { x } y ) , I ( y ) ⇒ I ( x ) I ( k 1 ) I ( y ) ⇒ I ( � k 1 , y � ) I ( � k 1 , k 1 � ) ⇒ s I ( � k 1 , k 1 � ) ¬ I ( s ) I ( s ) ⊥ 57/65 V´ eronique Cortier Verification of Security Protocols

  77. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions But it is not terminating ! I ( s ) I ( x ) , I ( y ) ⇒ I ( � x , y � ) I ( y ) ⇒ I ( � s , y � ) I ( s ) I ( y ) ⇒ I ( � s , y � ) I ( � s , s � ) I ( y ) ⇒ I ( � s , y � ) I ( � s , � s , s �� ) I ( � s , � s , � s , s ��� ) · · · → This does not yield any decidability result. 58/65 V´ eronique Cortier Verification of Security Protocols

  78. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Ordered Binary resolution and Factorization Let < be any order on clauses. ¬ A ∨ C B ∨ D θ = mgu( A , B ) Ordered binary resolution A θ � < C θ ∨ D θ C θ ∨ D θ A ∨ B ∨ C θ = mgu( A , B ) Ordered factorisation A θ � < C θ A θ ∨ C θ 59/65 V´ eronique Cortier Verification of Security Protocols

  79. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Ordered Binary resolution and Factorization Let < be any order on clauses. ¬ A ∨ C B ∨ D θ = mgu( A , B ) Ordered binary resolution A θ � < C θ ∨ D θ C θ ∨ D θ A ∨ B ∨ C θ = mgu( A , B ) Ordered factorisation A θ � < C θ A θ ∨ C θ Theorem (Soundness and Completeness) Ordered binary resolution and factorisation are sound and refutationally complete provided that < is liftable ∀ A , B , θ A < B ⇒ A θ < B θ 59/65 V´ eronique Cortier Verification of Security Protocols

Recommend


More recommend