Symbolic Protocol Analysis with Algebraic Theories
Vitaly Shmatikov (SRI International), joint research with Hubert Comon-Lundh (ENS Cachan) and Jonathan Millen (SRI International)
Formal Methods Meet XOR
• Formal methods rely on an idealized model
  - Protocol: finite-state machine
  - Cryptography: abstract data types ("black boxes")
  - Attacker: Dolev-Yao rules for manipulating crypto types
• Many crypto primitives are not black boxes
  - XOR: a ⊕ b = b ⊕ a; a ⊕ a = 0
  - Diffie-Hellman: e^(xy) = e^(yx); (e^(xy))^(x^(-1)) = e^y
• These properties can be exploited by the attacker!
• The term algebra must include an equational theory, or the protocol cannot be modeled
Protocol Analysis Techniques
• Formal models (no probabilities)
  - Modal logics
  - Decidable
    · Finite-state
    · Infinite attacker, finite instances
      - Free attacker algebra
      - Attacker algebra with equational theories: LICS '03 (Comon-Lundh and Shmatikov), CSFW '03 (Millen and Shmatikov)
  - Process calculi
  - Inductive proofs
  - …
• Computational models
  - Probabilistic poly-time
  - Random oracle
  - …
Decidability of Protocol Analysis
• Undecidable: infinite freshness
• ???: finite freshness, infinite attacker, equational theories
• Decidable: finite freshness, infinite attacker, free term algebra (Rusinowitch-Turuani, CSFW '01; Boreale, CONCUR '01; Comon-Cortier-Mitchell, ICALP '01; Millen-Shmatikov, CCS '01)
• Decidable: finite freshness, finite attacker (model checking: FDR, Murφ, Brutus, …)
Other results cited on the slide: Lincoln et al.; Amadio-Lugiez; …
Constraint Solving Approach
• A security violation is modeled as an attack trace
  - A sequence of protocol messages leading to an attack
  - Adequate for secrecy, authentication, fairness
• The attack trace is converted into a symbolic constraint
  - Can the attacker construct message m from terms t1, …, tn? Written: m from t1, …, tn
• Unbounded attacker model
  - Untyped
  - No bounds on the depth of messages
  - Arbitrary terms may be used as encryption keys
From Protocols to Constraints
• Formal specification of protocol roles
• → All possible attack traces (they contain variables and may not have a feasible instantiation)
• → A symbolic constraint for each trace (satisfiable ⇔ there is a feasible instantiation)
• → Decidable constraint solving procedure
Constraint Generation: Example
Attack trace (left) and the symbolic constraint each attacker-supplied message generates (right); T0 is the attacker's initial knowledge.

  A starts a session with X        | X from T0
  A sends      {A, nA}pk(X)        |
  B receives   {A, Y}pk(B)         | {A, Y}pk(B) from T0, {A, nA}pk(X)
  B sends      {nB, Y}pk(A)        |
  A receives   {Z, nA}pk(A)        | {Z, nA}pk(A) from T0, {A, nA}pk(X), {nB, Y}pk(A)
  A sends      {Z}pk(X)            |
  attacker learns nB               | nB from T0, {A, nA}pk(X), {nB, Y}pk(A), {Z}pk(X)

Monotonicity: the term sets on the right are non-decreasing along the trace.
Attacker Model
• The attacker is a nondeterministic process
• Attacker abilities are modeled by the term algebra
  - Decompose and assemble terms; decrypt if the key can be computed
• AG theory models any Abelian group operator ·
  - Associative: (x · y) · z = x · (y · z)
  - Commutative: x · y = y · x
  - Cancellative, with unity: x · x^(-1) = 1; x · 1 = x
• Can model XOR, products, and Diffie-Hellman exponentials (with some restrictions)
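The slides state the question "can the attacker build m from t1, …, tn?", show how a trace turns into a sequence of such constraints, and argue that XOR's equations must be part of the attacker's algebra. The script below is an added worked example, not code from the slides or from the authors: it decides that question for ground terms (Dolev-Yao pairing and public-key encryption, plus XOR handled as linear algebra over GF(2)), generates the constraints for the Needham-Schroeder trace of the "Constraint Generation" slide, and checks candidate instantiations of its variables. Everything about the encoding is an assumption made here: atoms are strings, variables start with "?", the attacker is named I and its initial knowledge T0 (names, public keys, its own private key) is constructed for the example; the instantiation X = I, Y = nA, Z = nB is the well-known man-in-the-middle on that protocol.

```python
"""Added worked example (not code from the slides): ground-term derivability
"m from T" under Dolev-Yao rules plus XOR, and constraint generation from an
attack trace.  Atoms are str, variables start with "?", compound terms are
tuples; XOR terms are normalised to a frozenset of summands, so a^b = b^a
and a^a = 0 hold by construction."""
from functools import reduce
ZERO = "0"
def pair(a, b): return ("pair", a, b)
def enc(m, k): return ("enc", m, k)           # {m}k
def pk(x): return ("pk", x)
def sk(x): return ("sk", x)
def is_xor(t): return isinstance(t, tuple) and t[0] == "xor"
def vec(t): return t[1] if is_xor(t) else frozenset({t})   # term as GF(2) vector

def xor(*terms):
    """Normalise modulo AC and nilpotence: x^x cancels, 0 is the identity."""
    s = set()
    for t in terms:
        s ^= set(t[1]) if is_xor(t) else {t} - {ZERO}
    return next(iter(s), ZERO) if len(s) <= 1 else ("xor", frozenset(s))

def reduce_by(v, basis):                      # eliminate every pivot present in v
    return reduce(lambda w, pb: w ^ pb[1] if pb[0] in w else w, basis, v)

def in_gf2_span(target, vectors):
    """Is target the XOR of a subset of vectors?  GF(2) elimination, basis kept
    fully reduced (each pivot occurs in exactly one basis vector)."""
    basis = []                                # [(pivot, vector)]
    for v in vectors:
        v = reduce_by(v, basis)
        if v:
            p = min(v, key=repr)
            basis = [(q, b ^ v if p in b else b) for q, b in basis] + [(p, v)]
    return not reduce_by(target, basis)

def synth(target, known, with_xor=True):
    """Assemble target from the (already decomposed) set known."""
    if target in known or target == ZERO:
        return True
    if isinstance(target, tuple) and target[0] in ("pair", "enc"):
        return synth(target[1], known, with_xor) and synth(target[2], known, with_xor)
    if not with_xor:                          # free algebra: XOR is just a constructor
        return is_xor(target) and all(synth(s, known, False) for s in target[1])
    # atom or XOR term: known terms are vectors; summands the attacker can build
    # some other way (e.g. an encryption) join the basis as unit vectors
    vectors = [vec(t) for t in known] + [frozenset({s}) for s in vec(target)
               if isinstance(s, tuple) and s[0] in ("pair", "enc") and synth(s, known)]
    return in_gf2_span(vec(target), vectors)

def derivable(target, knowledge, with_xor=True):
    """target from knowledge: split pairs and open {m}pk(X) whenever sk(X) is
    derivable (possibly only modulo XOR) up to a fixpoint, then synthesise."""
    known, grew = set(knowledge), True
    while grew:
        grew = False
        for t in list(known):
            if isinstance(t, tuple) and t[0] == "pair":
                parts = {t[1], t[2]}
            elif (isinstance(t, tuple) and t[0] == "enc" and isinstance(t[2], tuple)
                  and t[2][0] == "pk" and synth(sk(t[2][1]), known, with_xor)):
                parts = {t[1]}
            else:
                continue
            grew, known = grew or not parts <= known, known | parts
    return synth(target, known, with_xor)

def subst(t, sigma):                          # apply a ground substitution
    if isinstance(t, str):
        return sigma.get(t, t)
    if is_xor(t):
        return xor(*(subst(s, sigma) for s in t[1]))
    return (t[0],) + tuple(subst(s, sigma) for s in t[1:])

def constraints(trace, t0):
    """Each message an honest role receives must come from the attacker, so it
    becomes `m from T` with T = T0 plus everything sent so far (monotone)."""
    cons, known = [], list(t0)
    for event, m in trace:
        if event == "recv":
            cons.append((m, tuple(known)))
        else:
            known.append(m)
    return cons

def satisfied_by(cons, sigma):                # check one candidate instantiation
    return all(derivable(subst(m, sigma), [subst(t, sigma) for t in T]) for m, T in cons)

# Constructed input: the slide's trace (Needham-Schroeder public key); T0 is the
# attacker's initial knowledge, including its own key pair (assumed here).
T0 = ["A", "B", "I", pk("A"), pk("B"), pk("I"), sk("I")]
NS_TRACE = [("recv", "?X"),                            # A's peer is attacker-chosen
            ("send", enc(pair("A", "nA"), pk("?X"))),  # A sends
            ("recv", enc(pair("A", "?Y"), pk("B"))),   # B receives
            ("send", enc(pair("nB", "?Y"), pk("A"))),  # B sends
            ("recv", enc(pair("?Z", "nA"), pk("A"))),  # A receives
            ("send", enc("?Z", pk("?X"))),             # A sends
            ("recv", "nB")]                            # goal: attacker learns nB
NS_CONSTRAINTS = constraints(NS_TRACE, T0)

def ns_attack_works():
    """X = I, Y = nA, Z = nB (the man in the middle) satisfies all four
    constraints; with the honest peer choice X = B, nB stays underivable."""
    mitm, honest = {"?X": "I", "?Y": "nA", "?Z": "nB"}, {"?X": "B", "?Y": "nA", "?Z": "nB"}
    return satisfied_by(NS_CONSTRAINTS, mitm), satisfied_by(NS_CONSTRAINTS, honest)

def xor_matters():
    """n from {n^k, k} holds modulo XOR but not in the free algebra; the same
    cancellation can recover a private key and open a ciphertext."""
    masked, keyed = [xor("n", "k"), "k"], [enc("s", pk("I")), xor(sk("I"), "k"), "k"]
    return derivable("n", masked), derivable("n", masked, False), derivable("s", keyed)
```

`ns_attack_works()` returns `(True, False)` and `xor_matters()` returns `(True, False, True)`. Two design points matter for the slides' argument. First, the ground XOR case really is linear algebra: once the knowledge set is closed under decomposition, "is m derivable?" for an atom or XOR term is a GF(2) span question, which is why the ground procedure stays cheap; the free-algebra flag shows what a Dolev-Yao attacker without the equational theory misses (it cannot recover n from n ⊕ k and k, nor a private key masked the same way). Second, `constraints` only builds the symbolic constraint and `satisfied_by` checks a guessed instantiation; the symbolic decision procedure on the next slides (guessing subterm equalities and AG unifiers so that no instantiation has to be guessed) is not implemented here.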
Symbolic Decision Procedure
• C = { u1 from T1, …, un from Tn }: the symbolic constraint generated from the protocol
• C has a solution ⇔ C has a conservative solution (a solution that does not introduce new term structure)
• Guess equalities between all subterms of C
  - Finite number of possible AG unifiers
  - C is solvable ⇔ C instantiated with one of those unifiers is solvable
• Guess which subterms are derivable, and in which order
• Reduce to a system of quadratic Diophantine equations
Overview of Decidability Results
• Ground terms: NP-complete decision procedure
• Symbolic terms with XOR: NP-complete decision procedure; simple constraint rewriting rules (LICS 2003, with H. Comon-Lundh)
• Symbolic terms with Abelian groups: reduction to quadratic Diophantine equations; decidability in general is still open, but the equations are solvable for practical protocols (CSFW 2003, with J. Millen)