YAPA: A generic tool for computing intruder knowledge
Mathieu Baudet (1), joint work with Véronique Cortier (2) and Stéphanie Delaune (3)
(1) DCSSI, France; (2) LORIA, CNRS & INRIA project Cassis, France; (3) LSV, ENS Cachan & CNRS & INRIA, France
RTA'2009, Brazília, June 29.
Content of the talk
1 Motivations: Why study static equivalence? Why a new tool?
2 Results: Overview of the procedure; Examples; Proving termination and non-failure
3 Conclusion
Motivations: Why study static equivalence?

Static equivalence (teaser)
1 A useful logical tool for security protocols.
2 A nice and general algebraic notion.
Algebraic framework
• Consider a set Fpub of first-order symbols f : s × ··· × s → s. (A single sort s is assumed for simplicity.)
• An Fpub-algebra is a set A together with functions fA : A × ··· × A → A.
• Standard definitions: Fpub-morphisms, generated sub-algebras Fpub[S] ⊆ A, free algebra Fpub[X], ...
Static equivalence (algebraic definition)
• Consider the tuples ϕ = (t1, ..., tn) in A^n, also called frames and written ϕ = {w1 ⊲ t1, ..., wn ⊲ tn}.
• A formal equation on A^n is a pair M1 ⊲⊳ M2 where M1, M2 ∈ Fpub[w1, ..., wn] are terms built upon the special constants wi.

Definition. Two frames ϕ1 and ϕ2 in A^n are statically equivalent (from [Abadi and Fournet, 2001]), written ϕ1 ≈ ϕ2, iff eq(ϕ1) = eq(ϕ2), where eq(ϕ) = { M1 ⊲⊳ M2 | M1ϕ =A M2ϕ }.
A mathematical example
Example. Let n = 1, A = ℂ, and let the terms M ∈ ℚ[w1] be rational polynomials in the single variable w1. We have ϕ1 ≈ ϕ2 iff ϕ1 and ϕ2 are both transcendental or are conjugate elements (i.e. have the same minimal polynomial over ℚ). For instance, π ≈ e and √2 ≈ −√2.
We are currently investigating further links with the fundamentals of algebraic geometry. (Ask me for more details!)
Back to logics and security protocols I
• We are interested in modeling cryptographic messages: we let A be an F-algebra of ground terms taken modulo an equational theory E, where Fpub ⊆ F.
• Typically, the symbols in F − Fpub are free constants modeling secret keys or random numbers.
• E is generated by a finite set of equations modeling the cryptographic primitives.
Back to logics and security protocols II
• Static equivalence models indistinguishability between messages from an attacker's point of view.
• Another classical problem is deducibility: given ϕ ∈ A^n and t ∈ A, does there exist M ∈ Fpub[w1, ..., wn] such that Mϕ =A t? N.B. Such an M is often called a recipe of t.
Example: deterministic symmetric encryption
• Recipes: M ∈ Fpub[w1, ..., wn] ::= wi | enc(M1, M2) | dec(M1, M2)
• Plain terms: t ∈ F[∅] ::= kj | enc(t1, t2) | dec(t1, t2)
• Let E be generated by dec(enc(x, y), y) = x.
• Frames: consider ϕ1 = {w1 ⊲ enc(k1, k2), w2 ⊲ k2} and ϕ2 = {w1 ⊲ enc(k1, k2), w2 ⊲ k3}.
• We have ϕ1 ≉E ϕ2 (ϕ1 and ϕ2 are not E-equivalent) because enc(dec(w1, w2), w2)ϕ1 =E w1ϕ1 but enc(dec(w1, w2), w2)ϕ2 ≠E w1ϕ2.
Equational approach to security protocols I
• Similar equational settings are used in popular specification languages such as the applied pi calculus [Abadi and Fournet, 2001] or Proverif's language [Blanchet, 2001, Blanchet et al., 2008].
• Studying full protocols requires a more general notion of observational equivalence.
Equational approach to security protocols II
• Proof techniques for observational equivalence include
  – labelled bisimulations built on top of static equivalence [Abadi and Fournet, 2001],
  – and symbolic semantics based on a generalization of static equivalence [Baudet, 2005, Delaune et al., 2007].
• Static equivalence has also been applied to characterize guessing attacks [Corin et al., 2004, Baudet, 2005].
• The correspondence between static equivalence and cryptographic (a.k.a. computational) indistinguishability has been investigated in several papers, e.g. [Abadi et al., 2006].
Motivations: Why a new tool?

More equational theories I
• More involved examples of cryptographic equational theories include (see e.g. [Cortier et al., 2006])
  – public-key encryption: pdec(penc(x, pub(y), z), y) = x
  – signatures: checksign(sign(x, y), pub(y)) = ok
  – XOR symbol: AC[⊕], x ⊕ x = 0
  – XOR-homomorphic symbols: h(x ⊕ y) = h(x) ⊕ h(y)
  – Diffie-Hellman exponents: (g^x)^y = (g^y)^x
  – pair-homomorphic encryption: enc(⟨x, y⟩, z) = ⟨enc(x, z), enc(y, z)⟩, ...
  – prefix-homomorphic encryption: pref(enc(⟨x, y⟩, z)) = enc(x, z), ...
  – blind signatures: checksign(sign(x, y), pub(y)) = ok, unblind(blind(x, y), y) = x, unblind(sign(blind(x, y), z), y) = sign(x, z)
More equational theories II
• Each of these theories yields new deduction and static-equivalence problems to decide.
• So far the only tool applicable to static equivalence has been Proverif [Blanchet et al., 2008], but it does not make use of the specialized, existing decision procedures for static equivalence [Abadi and Cortier, 2006, Cortier and Delaune, 2007].
Our contributions
Focusing on theories E generated by convergent rewrite systems R:
• We present a uniform procedure for deducibility and static equivalence that is
  – sound and complete, up to explicit failure cases,
  – provably non-failing on a syntactic class of theories called layered,
  – “as much terminating as possible” in non-failing cases (termination is implied by a finite representation of the deducible terms).
• We provide an efficient OCaml implementation: http://www.lsv.ens-cachan.fr/~baudet/yapa/
Results: Overview of the procedure

Overview of the procedure I
• We saturate a set of deduction facts Φ = {Mi ⊲ ti} and a set of visible equations Ψ = {∀x. Mj ⊲⊳ Nj} by means of transformation rules st ⇒ st′.
• The initial state Init(ϕ) is (roughly) (Φ0, Ψ0) ≃ (ϕ↓R, ∅).
• The final state is either ⊥ (failure) or a saturated state (Φ1, Ψ1) (success).
Overview of the procedure II
• Saturated states are finite syntactic representations of the sets of deducible terms and equations of the initial frame ϕ.

Theorem (soundness and completeness). If Init(ϕ) ⇒* (Φ, Ψ) is saturated, then
1 for all recipes M and ground terms t, Mϕ =E t ⇔ ∃N s.t. Ψ ⊢ M ⊲⊳ N and N ⊲Φ t↓R;
2 for all recipes M and N, Mϕ =E Nϕ ⇔ Ψ ⊢ M ⊲⊳ N.
Here M ⊲Φ t ⇔ ∃C, {Mi ⊲ ti} ⊆ Φ such that M = C[M1, ..., Mn] and t = C[t1, ..., tn].
Overview of the procedure III
From saturated states Init(ϕi) ⇒* (Φi, Ψi), it is easy to deduce procedures to check whether
(i) t is deducible from ϕ1, that is: t↓R ∈ Fpub[im(Φ1)];
(ii) eqE(ϕ1) ⊆ eqE(ϕ2), that is: for all (∀x. M ⊲⊳ N) ∈ Ψ1, (Mϕ2)↓R = (Nϕ2)↓R.
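As an added example (not YAPA's own code), the procedure of the last three slides run on the symmetric-encryption frames ϕ1, ϕ2 of the earlier example: saturation of Φ and Ψ for the single rule dec(enc(x, y), y) → x, then the deducibility check (i) and the equivalence check (ii). Terms are nested Python tuples ('enc', a, b) / ('dec', a, b), names are strings, and the frame names PHI1/PHI2 and all function names are assumptions of this example.

```python
def normalize(t):                         # normal form modulo R = {dec(enc(x, y), y) -> x}
    if isinstance(t, str):
        return t
    f, a, b = t[0], normalize(t[1]), normalize(t[2])
    if f == 'dec' and isinstance(a, tuple) and a[0] == 'enc' and a[2] == b:
        return a[1]                       # R is convergent, so innermost rewriting suffices
    return (f, a, b)

def apply_recipe(m, frame):               # M phi: substitute the w_i, then normalise
    if isinstance(m, str):
        return normalize(frame.get(m, m))
    return normalize((m[0], apply_recipe(m[1], frame), apply_recipe(m[2], frame)))

def saturate(frame):
    """Return (Phi, Psi): deducible term -> recipe, and visible equations (M, N)."""
    phi, psi = {}, set()
    def add(m, t):                        # deduction fact m |> t
        if t not in phi:
            phi[t] = m
        elif phi[t] != m:                 # second recipe for a known term: equation
            psi.add((m, phi[t]))
    for w, t in frame.items():
        add(w, normalize(t))
    size = -1
    while len(phi) != size:               # only subterms of the frame enter phi: terminates
        size = len(phi)
        for t, m in list(phi.items()):
            if isinstance(t, tuple) and t[0] == 'enc' and t[2] in phi:
                n = phi[t[2]]             # key is deducible: decrypt, and test re-encryption
                psi.add((('enc', ('dec', m, n), n), m))
                add(('dec', m, n), t[1])
    return phi, psi

def recipe_of(t, phi):
    """Check (i): t is deducible iff t|R lies in Fpub[im(Phi)]; returns a recipe or None."""
    t = normalize(t)
    if t in phi or isinstance(t, str):
        return phi.get(t)
    a, b = recipe_of(t[1], phi), recipe_of(t[2], phi)
    return (t[0], a, b) if a is not None and b is not None else None

def statically_equivalent(f1, f2):
    """Check (ii) both ways: each visible equation of one frame must hold in the other."""
    def holds(fa, fb):
        return all(apply_recipe(m, fb) == apply_recipe(n, fb) for m, n in saturate(fa)[1])
    return holds(f1, f2) and holds(f2, f1)

# Constructed frames from the slides: w2 is the right key in PHI1 and a fresh one in PHI2.
PHI1 = {'w1': ('enc', 'k1', 'k2'), 'w2': 'k2'}
PHI2 = {'w1': ('enc', 'k1', 'k2'), 'w2': 'k3'}
```

Saturating PHI1 adds the fact dec(w1, w2) ⊲ k1 and the visible equation enc(dec(w1, w2), w2) ⊲⊳ w1, which fails in PHI2; that single equation is what separates the two frames.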