The Inductive Approach to Verifying Cryptographic Protocols Shaohui Wang (aka Vincent) shaohui@seas.upenn.edu Computer and Information Science University of Pennsylvania November 17, 2018
Outline
- An Example: A Variant of the Otway-Rees Protocol
- Formal Modeling of Cryptographic Protocols
- Properties of the Otway-Rees Protocol Variant
- Proofs in Detail (Optional)
- Conclusions
The (Modified) Otway-Rees Protocol
A Variant of the Otway-Rees Protocol
Goal: establish a session key Kab between A and B, with the help of a server S that shares a long-term key with each agent (Ka with A, Kb with B).
The four steps, with Na and Nb fresh nonces and {| X |}K denoting X encrypted under K:
1. A → B : Na, A, B, {| Na, A, B |}Ka
2. B → S : Na, A, B, {| Na, A, B |}Ka, Nb, {| Na, A, B |}Kb
3. S → B : Na, {| Na, Kab |}Ka, {| Nb, Kab |}Kb
4. B → A : Na, {| Na, Kab |}Ka
The Dolev-Yao Adversary Model
A spy acts according to the protocol rules, but can also
- overhear all traffic in the protocol
- intercept protocol events (a message is not guaranteed to reach its intended recipient)
- forge new messages from her existing knowledge
- send fraudulent messages to other agents
Forging of new messages: the spy analyzes her set of known messages, decrypting any message whose key she knows, and builds fraudulent messages out of the result. Formally, she may send any message in the set synth(analz H), where H is the set of messages she has seen so far.
Assumptions
- The spy can also act as an honest agent: she is a legitimate participant with her own long-term key.
- Cryptography is perfect: the spy cannot decrypt without the key and cannot guess nonces or keys.
- Should the spy hold some agent's key, communication between other agents should not suffer.
Attacking the Otway-Rees Protocol
Formal Modeling of Cryptographic Protocols
Proving Cryptographic Protocols: Idea
Model the components of a cryptographic protocol
- Messages, as terms built from uninterpreted identities, e.g. {| A, B, Na |} or {| A, Na, Crypt K Na |}
- Operations on messages, as inductively defined operators: analz, parts, synth
- Events, as logical formulas built from primitives, e.g. Says A B {| Na, A, B, Crypt Ka {| Na, A, B |} |}
Describe the behaviour of the components with traces and rules
- A communication session is a trace of events
- The behaviour of each component is a rule under which an existing trace can be extended
State and prove properties
- E.g., the same nonce is never generated by two different agents
- Caution: stating the correct theorems is crucial!
Messages and Events
A message is one of
- Agent: A, B, Spy, S, etc.
- Number: 1, 2, 3, etc. (guessable)
- Nonce: Na, Nb, Na', etc. (non-guessable)
- Key: Ka, Kb, Kab, etc.
- Compound message (tuple): {| Na, A, B |}
- Hash: Hash X, where X is a message
- Encryption: Crypt K X, also written {| X |}K
An event is one of
- Says A B X, where A and B are agents and X is a message: A sends X, intended for B
- Notes A X, where A is an agent and X is a message: A records X internally
Traces and Protocol Behaviours
A trace is a sequence of events, e.g.
- the empty sequence [] is a trace
- [Says A B X, Notes Spy X, Says B S {| Nb, A, B, X |}] is a trace
Protocol behaviours are described by the rules under which a trace may be extended:
- protocol-specific rules, one per protocol step
- standard rules:
  - Nil rule: [] is a trace
  - Fake rule: the spy can send a fraudulent message (defining "fraudulent" needs the parts, analz and synth operators, next slides)
  - Oops rule: a session key may be compromised, which is modeled by the spy taking note of it
Describing Protocols as Rules (I)
If evs is a trace, Na is a fresh nonce and B is an agent distinct from A and S, then evs may be extended with the event
Says A B {| Na, A, B, {| Na, A, B |}Ka |}
Describing Protocols as Rules (II)
If evs is a trace containing an event of the form Says A' B {| Na, A, B, X |} (A' need not be A: B cannot tell who really sent the message, and cannot decrypt X), Nb is a fresh nonce and B ≠ S, then evs may be extended with the event
Says B S {| Na, A, B, X, Nb, {| Na, A, B |}Kb |}
Describing Protocols as Rules (III)
If evs is a trace containing an event of the form Says B' S {| Na, A, B, {| Na, A, B |}Ka, Nb, {| Na, A, B |}Kb |} (the server can check both certificates, since it knows Ka and Kb), Kab is a fresh key and B ≠ S, then evs may be extended with the event
Says S B {| Na, {| Na, Kab |}Ka, {| Nb, Kab |}Kb |}
Describing Protocols as Rules (IV)
If evs contains the two events
Says B S {| Na, A, B, X', Nb, {| Na, A, B |}Kb |}
Says S' B {| Na, X, {| Nb, K |}Kb |}
and A ≠ B, then evs may be extended with the event
Says B A {| Na, X |}
(B checks that the nonce Nb under Kb is the one it sent in step 2, then forwards X, which it cannot read, to A.)
Standard Rules
- Nil: the empty list [] is a trace.
- Fake: if evs is a trace, X ∈ synth(analz(spies evs)) is a fraudulent message (one the spy can build from what she has seen so far) and B ≠ Spy, then evs may be extended with the event Says Spy B X.
- Oops: if evs is a trace and S distributed the session key K in a run involving the nonces Na and Nb, then evs may be extended with the event Notes Spy {| Na, Nb, K |}. This models the accidental loss of a session key; the theorems then state what still holds for the other keys.
The Operator parts
Definition: the set parts H is obtained from H by repeatedly adding the components of compound messages and the bodies of encrypted messages. The key K of Crypt K X is not included unless K occurs inside X. parts H is the set of all components of H that could potentially be recovered, given every key.
Example: parts { {| A, Na, Crypt K X |} } = { {| A, Na, Crypt K X |}, A, Na, Crypt K X, X } (together with the components of X)
Properties: summarised together with analz and synth on a later slide.
The Operator analz
Definition: the set analz H is obtained from H by repeatedly adding the components of compound messages and the bodies of those encrypted messages whose (inverse) keys are themselves in analz H. analz H is the most that could be gleaned from H without breaking ciphers.
Examples
- analz { {| Na |}Ka } = { {| Na |}Ka } (the key is missing, so nothing is learnt)
- analz { {| {| Na |}Ka, Ka⁻¹ |} } = { {| {| Na |}Ka, Ka⁻¹ |}, {| Na |}Ka, Ka⁻¹, Na } (for a shared key, Ka⁻¹ = Ka)
Properties: summarised together with parts and synth on a later slide.
The Operator synth
Definition: the set synth H models the messages a spy could build up from elements of H by repeatedly adding agent names (and other guessable values, such as numbers), forming compound messages, hashing, and encrypting with keys contained in H. Nonces and keys cannot be invented: they must already be in H.
Example: synth { K } = { K, A, {| A, K |}, Crypt K A, {| A, Crypt K (Crypt K A) |}, ... } (an infinite set)
Properties: summarised together with parts and analz on the next slide.
The Operators parts, analz, synth
- Monotonic: if G ⊆ H then parts G ⊆ parts H, and likewise for analz and synth
- Idempotent: parts (parts H) = parts H, and likewise for analz and synth
- Equations relating the operators, e.g. parts (analz H) = parts H and analz (parts H) = parts H
- Equivalences used to rewrite the spy's knowledge in proofs, e.g. analz (synth H) = analz H ∪ synth H
Computing parts and analz
- keysFor H: the set of keys that can decrypt messages in H, i.e. the inverses of the keys used for encryption in H
- analz is defined inductively; the case for Crypt reads: if Crypt K X ∈ analz H and Key K⁻¹ ∈ analz H, then X ∈ analz H
- The point is the inductive definition: every element of parts H or analz H has a finite derivation, and that is what the proofs do induction on
Modeling the Spy
Initial knowledge of each agent
- The server S knows the long-term (shared) key of every agent
- Each agent knows its own shared key
- The Spy knows the shared keys of a set bad of compromised agents
The spy's knowledge, spies evs, is updated as the trace grows
- Initially it is just her initial knowledge
- For every event Says A B X in evs she learns X (she sees all traffic, whoever the intended recipient)
- For every event Notes A X in evs with A ∈ bad she learns X
What's Next?
What we have now
- The behaviours of the agents, the server and the spy are described by rules
- An interaction is modeled as a trace of events
What to do next
- State properties of every trace that can be constructed according to the protocol rules; e.g. secret keys remain secret: A's key is known to the Spy if and only if A is a bad agent, formally Key Ka ∈ parts(spies evs) ⟷ A ∈ bad
- Prove them, most of the time by induction over the trace!
The Major Proof Technique: Induction
The set of natural numbers is inductively defined: 0 ∈ ℕ, and n ∈ ℕ ⟹ Suc n ∈ ℕ.
To prove a property P of all natural numbers: prove P(0), and P(n) ⟹ P(Suc n).
The set of traces of a protocol is inductively defined in the same way: [] is a trace, and ev # evs is a trace if evs is a trace and ev is an event allowed by one of the protocol rules (protocol-specific or standard) given evs.
To prove a property P of all traces: prove P([]), and P(evs) ⟹ P(ev # evs) for every allowed ev, i.e. one case per rule.
The (Modified) Otway-Rees Protocol Revisited: Properties
Overall Idea
For a given protocol we need to establish a few properties that together express its correctness. To do so, several kinds of supporting lemmas are needed:
- Possibility properties
- Forwarding lemmas
- Regularity lemmas
- Unicity theorems
- Secrecy theorems
- Authenticity theorems
We prove families of these lemmas and draw a conclusion
- If the key correctness theorems can be proved, the protocol is safe with respect to those properties within the model (a Dolev-Yao spy and perfect cryptography); attacks outside the model, e.g. on the cipher itself, are not excluded
- When a proof cannot be obtained, the failed proof attempt often points to a possible attack on the protocol
Possibility Properties
Synopsis: if A tries to establish a session with B, the final message B → A : Na, {| Na, Kab |}Ka can actually be sent, i.e. the rules are not so restrictive that no run ever completes.
English description: for all agents A and B, distinct from each other and from the server, there is a key Kab, a nonce Na, and a trace in which the final message B → A : Na, {| Na, Kab |}Ka is sent.
Proof idea: apply the protocol rules one after another, checking that all preconditions of each rule are satisfied.
Forwarding Lemmas
Synopsis: an agent that has received a message can forward an item in it even if he cannot read it; the lemma shows that the item is then in the spy's knowledge too.
Example: if the spy sees the step-1 message Says A' B {| Na, A, B, X |}, she learns X, i.e. X ∈ analz(spies evs). This is what lets B forward X, which he cannot decrypt, to the server in step 2.
Regularity Lemmas
Synopsis: once a message is known to the spy, something must have happened. These lemmas have the form "X ∈ parts(spies evs) ⟹ ...".
Example: long-term keys remain secret, i.e. if A's shared key Ka is in parts(spies evs), then A is a bad agent. (Stated with parts rather than analz, which makes the lemma stronger, since analz H ⊆ parts H.)
Unicity Theorems
Synopsis: uniqueness of session keys and nonces.
Example: if the server ever distributes a session key K, it does so in exactly one message, so K uniquely determines the agent B, the nonces Na and Nb, and the component X of that message. Formally, if both
Says S B {| Na, X, {| Nb, K |}Kb |}
Says S B' {| Na', X', {| Nb', K |}Kb' |}
occur in evs, then B = B', Na = Na', Nb = Nb' and X = X'.
Secrecy Theorems
Synopsis: the spy cannot obtain further keys by combining a key she knows with the existing traffic.
E.g., the Session Key Compromise Theorem: if K can be obtained with the help of a session key K' and the previous traffic, then either K = K' or K can be obtained from the traffic alone. Formally, for an arbitrary trace evs,
Key K ∈ analz ({Key K'} ∪ spies evs) ⟷ K = K' ∨ Key K ∈ analz (spies evs)
The theorem is proved for an arbitrary set KK of session keys in place of the single key K'; the keys in KK need not occur in evs at all. It is the main lemma behind the next slide: if the server distributes a session key Kab to A and B, then the spy (and hence any other agent) never gets it.
The Session Key Secrecy Theorem Synopsis The protocol is correct from the server’s viewpoint. English Description If the server distributes a session key to agents A and B, and the key is not lost in an Oops event, then the key is unavailable to the spy. Formally, and implies 11/17/201811/17/2018 The Inductive Approach to Verifying Cryptographic Protocols
Authenticity Theorems
Synopsis: if a message appears to come from an agent A, then it was indeed A who sent it; each agent obtains a guarantee that the certificate it receives is authentic.
In the correct version of the Otway-Rees protocol: if a trace contains an event of the form
Says B' A {| Na, {| Na, K |}Ka |}
(A receives step 4), A is uncompromised and has previously sent the step-1 message
Says A B {| Na, A, B, {| Na, A, B |}Ka |},
then the server has sent a correct instance of step 3, Says S B {| Na, {| Na, K |}Ka, {| Nb, K |}Kb |}, for some nonce Nb.
Authenticity Theorems (continued)
In the modified version of the Otway-Rees protocol, the authenticity property above cannot be proved, which indicates a possible attack: although A has sent a correct step-1 message and received a correct step-4 message, the event trace need not show that the server has sent a correctly formed step-3 message to B.
Proof of the Session Key Compromise Theorem
Conclusions
The inductive approach to cryptographic protocol verification:
- First, formally model the protocol: its components (messages, events, operators) and its behaviours (rules for extending traces).
- Then state the properties of the protocol in terms of event traces. Pitfall: stating the correct theorems is a challenge; e.g. for the Otway-Rees protocol the secrecy theorems alone are not enough, the authenticity theorems are needed as well.
- Prove the theorems, with the help of a family of supporting lemmas (possibility, forwarding, regularity, unicity, secrecy, authenticity); the proofs rely heavily on induction over traces.
- Draw a conclusion: if the key correctness theorems can be proved, the protocol is safe with respect to those properties within the model; when a proof cannot be obtained, the failed attempt often reveals a possible attack.
Q & A
Thank you!