1 / 10

Symbolic Protocol Analysis with Algebraic Theories

Symbolic Protocol Analysis with Algebraic Theories. Vitaly Shmatikov (SRI International) Hubert Comon-Lundh (ENS Cachan) Jonathan Millen (SRI International). joint research with. Formal Methods Meet XOR. Formal methods rely on an idealized model Protocol: finite-state machine

briana
Download Presentation

Symbolic Protocol Analysis with Algebraic Theories

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Symbolic Protocol Analysiswith Algebraic Theories Vitaly Shmatikov (SRI International) Hubert Comon-Lundh (ENS Cachan) Jonathan Millen (SRI International) joint research with

  2. Formal Methods Meet XOR • Formal methods rely on an idealized model • Protocol: finite-state machine • Cryptography: abstract data types (“black boxes”) • Attacker: Dolev-Yao rules for manipulating crypto types • Many crypto primitives are not black boxes • XOR: ab = ba; aa = 0 • Diffie-Hellman: exy = eyx; (exy)x-1 = ey • These properties can be exploited by the attacker! • Term algebra must include an equational theory, or the protocol cannot be modeled

  3. Protocol Analysis Techniques Protocol Analysis Techniques Formal Models Computational Models (no probabilities) Probabilistic poly-time Random oracle … Modal Logics Decidable Process Calculi Inductive Proofs … Finite-state Infinite attacker, finite instances Free attacker algebra Attacker algebra with equational theories LICS ‘03 (Comon-Lundh and Shmatikov) CSFW ‘03 (Millen and Shmatikov)

  4. Decidability of Protocol Analysis Undecidable ??? Decidable Infinite freshness Finite freshness, infinite attacker, equational theories Finite freshness, infinite attacker, free term algebra Finite freshness, finite attacker Rusinowitch-Turuani (CSFW ’01) Boreale (CONCUR ’01) Comon-Cortier-Mitchell (ICALP ’01) Millen-Shmatikov (CCS ’01) Model checking FDR, Mur, Brutus, … Lincoln et al. Amadio-Lugiez …

  5. Constraint Solving Approach • Security violation modeled as an attack trace • Sequence of protocol messages leading to an attack • Adequate for secrecy, authentication, fairness • Attack trace converted into a symbolic constraint • Unbounded attacker model Can attacker construct message m from terms t1, …, tn? m from t1, …, tn • - Untyped • - No bounds on depth of messages • - Arbitrary terms may be used as encryption keys

  6. From Protocols to Constraints Formal Specification of Protocol Roles All Possible Attack Traces contain variables &may not have a feasible instantiation Symbolic Constraint For Each Trace satisfiable  there is a feasible instantiation Decidable Constraint Solving Procedure

  7. Constraint Generation: Example Attack Trace Symbolic Constraint AX A {A,nA}pk(X) B {A,Y}pk(B) B {nB,Y}pk(A) A {Z,nA}pk(A) A {Z}pk(X)  nB X fromT0 (attacker’s initial knowledge) {A,Y}pk(B) from T0, {A,nA}pk(X) {Z,nA}pk(A) fromT0, {A,nA}pk(X), {nB,Y}pk(A) nB from T0, {A,nA}pk(X), {nB,Y}pk(A), {Z}pk(X) monotonicity (term sets on the right are non-decreasing)

  8. Attacker Model • Attacker is a nondeterministic process • Attacker abilities modeled by term algebra • Decompose and assemble, decrypt if can compute key • AG theory to model any Abelian group operator • Associative: (x  y)  z = x  (y  z) • Commutative: x  y = y  x • Cancellative, with unity: x  x-1 = 1; x  1 = x • Can model XOR, products, • Diffie-Hellman exponentials • (with some restrictions)

  9. Symbolic Decision Procedure • C = { u1fromT1 … unfromTn } • Symbolic constraint generated from the protocol • C has a solution  C has a conservative solution (solution that does not introduce new term structure) • Guess equalities between all subterms of C • Finite number of possible AG unifiers  • C is solvable  C is solvable • Guess which subterms are derivable & the order • Reduce to system of quadratic Diophantine eqs

  10. Overview of Decidability Results • Ground terms • NP-complete decision procedure • Symbolic terms with XOR • NP-complete decision procedure • Simple constraint rewriting rules • Symbolic terms with Abelian groups • Reduction to quadratic Diophantine equations • Decidability in general is still open, but equations are solvable for practical protocols LICS 2003 (with H. Comon-Lundh) CSFW 2003 (with J. Millen)

More Related