The Nance is the Thing Iliano Cervesato, Nancy Durgin, Patrick Lincoln, John Mitchell, Andre Scedrov.


Goals
- State and prove general properties of security protocols, e.g.:
  - A corrupt principal can be simulated by the intruder
  - An error can be found with fewer than k honest principals
  - No need for a buffered network
  - Secrecy is decidable for protocols that are …
- Understand basic problems in the simplest possible formal setting
- Study nonces: "choose a new value"

Outline
- Multiset rewriting model
  - "choose new nonce" => existential quantification
- Linear logic
  - Proof search
  - Protocol equivalence, other properties
- Decision problems
  - Undecidability
    - Previous results: folklore, general protocols
    - Main result: security in a restricted fragment
  - Bounded case
    - Exponential attack; security DEXP-time complete

A notation for infinite-state systems
- Define protocol and intruder in a minimal framework
- Translations to other formalisms: logical proof, process calculus, finite automata, proof search (Horn clauses), multiset rewriting

Protocol notation
- Non-deterministic infinite-state systems
- Facts: multi-sorted first-order atomic formulas
    F ::= P(t1, …, tn)
    t ::= x | c | f(t1, …, tn)
- States { F1, …, Fn }: a multiset of facts
  - Includes network messages and private state
  - The intruder will see messages, not private state
  - A multiset allows duplicated messages and states

State transitions
- Transition rule
    F1, …, Fk → ∃x1 … ∃xm. G1, …, Gn
- What this means: if F1, …, Fk are in state S, then a next state S' has
  - facts F1, …, Fk removed
  - G1, …, Gn added, with x1 … xm replaced by new symbols
  - the other facts of state S carried over to S'
- Free variables in a rule are universally quantified
- Pattern matching in F1, …, Fk can invert functions
- Linear logic: F1 ⊗ … ⊗ Fk ⊸ ∃x1 … ∃xm (G1 ⊗ … ⊗ Gn)

Simplified Needham-Schroeder
- Protocol
    A → B: {na, A}Kb
    B → A: {na, nb}Ka
    A → B: {nb}Kb
- Predicates
    A1(na)     -- Alice in state 1 with nonce na
    B1(na, nb) -- Bob in state 1 with na, nb
    N1(na)     -- Network contains message 1 with data na
- Transitions
    ∃x. A1(x)
    A1(x) → N1(x), A2(x)
    N1(x) → ∃y. B1(x, y)
    …
- Authentication
    A4(x, y) ∧ B3(x, y') ⇒ y = y'

Sample trace
- Protocol
    A → B: {na, A}Kb
    B → A: {na, nb}Ka
    A → B: {nb}Kb
- Rules applied, in order
    ∃x. A1(x)
    A1(x) → A2(x), N1(x)
    N1(x) → ∃y. B1(x, y)
    B1(x, y) → N2(x, y), B2(x, y)
    A2(x), N2(x, y) → A3(x, y)
    A3(x, y) → N3(y), A4(x, y)
    B2(x, y), N3(y) → B3(x, y)
- Resulting states (Alice / Bob / Network)
    A1(na)        --            --
    A2(na)        --            N1(na)
    A2(na)        B1(na, nb)    --
    A2(na)        B2(na, nb)    N2(na, nb)
    A3(na, nb)    B2(na, nb)    --
    A4(na, nb)    B2(na, nb)    N3(nb)
    A4(na, nb)    B3(na, nb)    --

Common intruder model
- Derived from the Dolev-Yao model [1989]
- Adversary is a nondeterministic process
- Adversary can
  - block network traffic
  - read any message and decompose it into parts
  - decrypt if the key is known to the adversary
  - insert a new message built from data it has observed
- Adversary cannot
  - gain partial knowledge
  - guess part of a key
  - perform statistical tests …

Formalize intruder model
- Intercept, decompose and remember messages
    N1(x) → M(x)
    N2(x, y) → M(x), M(y)
    N3(x) → M(x)
- Compose and send messages from "known" data
    M(x) → N1(x), M(x)
    M(x), M(y) → N2(x, y), M(x), M(y)
    M(x) → N3(x), M(x)
- Generate new data as needed
    ∃x. M(x)
- Highly nondeterministic; the same for any protocol

Attack on simplified protocol
- Rules applied, in order
    ∃x. A1(x)
    A1(x) → A2(x), N1(x)
    N1(x) → M(x)
    ∃x. M(x)
    M(x) → N1(x), M(x)
    N1(x) → ∃y. B1(x, y)
- Resulting states (Alice / Intruder / Bob / Network)
    A1(na)    --               --             --
    A2(na)    --               --             N1(na)
    A2(na)    M(na)            --             --
    A2(na)    M(na), M(na')    --             --
    A2(na)    M(na), M(na')    --             N1(na')
    A2(na)    M(na), M(na')    B1(na', nb)    --
- Continue the "man-in-the-middle" to violate the specification
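The rewriting semantics of the "State transitions", "Simplified Needham-Schroeder", "Formalize intruder model" and "Attack on simplified protocol" slides, as an added Python example (this is not code from the authors or from the paper). It runs the honest trace of the "Sample trace" slide and then continues the slide's man-in-the-middle until the authentication specification A4(x, y) ∧ B3(x, y') ⇒ y = y' is violated. The tuple encoding of facts, the `?x` convention for variables and the way fresh symbols are named are assumptions of the example.

```python
from itertools import count

# Encoding used by this example: a fact is a tuple ("Pred", arg1, ...); strings
# beginning with "?" are variables, all other strings are constants. A rule is
# (lhs_facts, fresh_vars, rhs_facts), i.e. the slides' F1,...,Fk -> Ex1...xm. G1,...,Gn.
FRESH = count(1)  # never-before-used symbols: the existential quantifier

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def match(pattern, fact, env):
    """Return env extended so that pattern equals fact, or None if impossible."""
    if len(pattern) != len(fact) or pattern[0] != fact[0]:
        return None
    env = dict(env)
    for p, f in zip(pattern[1:], fact[1:]):
        if is_var(p):
            if env.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return env

def match_lhs(lhs, state, env, used):
    """Bind every lhs pattern to a distinct fact of the multiset `state` (a list)."""
    if not lhs:
        yield env, used
        return
    for i, fact in enumerate(state):
        if i not in used:
            e = match(lhs[0], fact, env)
            if e is not None:
                yield from match_lhs(lhs[1:], state, e, used | {i})

def instantiate(pattern, env):
    return tuple(env[t] if is_var(t) else t for t in pattern)

def apply_rule(rule, state, env=None):
    """One transition: matched lhs facts are removed, rhs facts added, and each
    fresh variable is bound to a new symbol. `env` may pin a variable in advance."""
    lhs, fresh, rhs = rule
    for e, used in match_lhs(lhs, state, dict(env or {}), frozenset()):
        for v in fresh:
            e[v] = f"{v[1:]}{next(FRESH)}"  # e.g. "na1": a nonce nobody has seen
        kept = [f for i, f in enumerate(state) if i not in used]
        return kept + [instantiate(r, e) for r in rhs]
    raise ValueError("rule not applicable")

# Honest roles of the simplified Needham-Schroeder protocol.
A_START = ([], ["?na"], [("A1", "?na")])
A_SEND1 = ([("A1", "?x")], [], [("A2", "?x"), ("N1", "?x")])
B_RECV1 = ([("N1", "?x")], ["?nb"], [("B1", "?x", "?nb")])
B_SEND2 = ([("B1", "?x", "?y")], [], [("B2", "?x", "?y"), ("N2", "?x", "?y")])
A_RECV2 = ([("A2", "?x"), ("N2", "?x", "?y")], [], [("A3", "?x", "?y")])
A_SEND3 = ([("A3", "?x", "?y")], [], [("A4", "?x", "?y"), ("N3", "?y")])
B_RECV3 = ([("B2", "?x", "?y"), ("N3", "?y")], [], [("B3", "?x", "?y")])

# Dolev-Yao intruder: intercept and remember, compose and send from known data.
I_READ1 = ([("N1", "?x")], [], [("M", "?x")])
I_READ2 = ([("N2", "?x", "?y")], [], [("M", "?x"), ("M", "?y")])
I_SEND1 = ([("M", "?x")], [], [("N1", "?x"), ("M", "?x")])
I_SEND3 = ([("M", "?x")], [], [("N3", "?x"), ("M", "?x")])

def authentication_violated(state):
    """A4(x, y) together with B3(x, y') and y != y' breaks the slides' spec."""
    a4 = [f[1:] for f in state if f[0] == "A4"]
    b3 = [f[1:] for f in state if f[0] == "B3"]
    return any(x == x2 and y != y2 for x, y in a4 for x2, y2 in b3)

def run_honest():
    """The 'Sample trace' slide: ends in A4(na, nb), B3(na, nb)."""
    s = []
    for rule in (A_START, A_SEND1, B_RECV1, B_SEND2, A_RECV2, A_SEND3, B_RECV3):
        s = apply_rule(rule, s)
    return s

def run_attack():
    """Continue the slide's man-in-the-middle: replay N1(na) to two Bob sessions,
    let Alice finish with the first one and feed the second a composed N3."""
    s = []
    for rule in (A_START, A_SEND1, I_READ1, I_SEND1, B_RECV1, I_SEND1, B_RECV1):
        s = apply_rule(rule, s)  # A2(na), M(na), B1(na, nb), B1(na, nb')
    for rule in (B_SEND2, A_RECV2, A_SEND3, B_SEND2, I_READ2):
        s = apply_rule(rule, s)  # A4(na, nb), N3(nb), B2(na, nb'), M(nb'), ...
    nb2 = s[-1][1]                           # the M(nb') fact just learned
    s = apply_rule(I_SEND3, s, {"?x": nb2})  # intruder composes N3(nb')
    s = apply_rule(B_RECV3, s)               # first Bob session: B3(na, nb)
    s = apply_rule(B_RECV3, s)               # second Bob session: B3(na, nb')
    return s
```

`apply_rule` is the whole semantics of a transition: the matched facts are consumed (the linear-logic reading), everything else carries over, and each existential variable becomes a symbol drawn from `FRESH`, so two applications of `A_START` never produce the same nonce. The intruder needs no `∃x. M(x)` here; replaying Alice's nonce and recombining Bob's reply is enough, which is exactly what the unencrypted simplification of the protocol permits.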

Protocols vs rewrite rules
- Can axiomatize any computational system
- But protocols are not arbitrary programs
(Figure: initial data, then select roles: Client, TGS, Server)

Protocol theory
- Initialization theory
  - Bounded theory that "precedes" the agent theories
  - Example: ∃key. Principal(key)
- Role generation theory
    Principal(key) → A0(key), Principal(key)
    Principal(key) → B0(key), Principal(key)
- Agent theory
  - Rules of the form Ai(…), Nj(…) → ∃… Ak(…), Nl(x) where i < k and j < l
  - Can also have persistent predicates on the left/right

Two-phase intruder theory
- Avoid pointless looping by the intruder:
    M(x), M(y) → N(x, y), M(x), M(y)
    N(x, y) → M(x), M(y)
- Phase 1: decomposition
- Phase 2: composition

Connections with logic and tools
- Search can find protocol errors
  - Backward search: Interrogator [Millen], NRL Analyzer [Meadows]
  - Forward search (model checking): FDR [Roscoe], Casper [Lowe], Murphi [Mitchell² & Stern], SMV [Marrero, Clarke & Jha], Athena [Song], TIPE [Denker, Meseguer, Talcott & Millen]
- Prove protocol properties
  - Inductive proof: InaJo [Kemmerer], Coq [Bolignano], Isabelle [Paulson], PVS [Dutertre, Schneider, Millen]
  - Prove correctness of optimizations (example in paper)

Conventional wisdom
- Find protocol errors: model checking, exhaustive search of a finite-state system
- Prove a protocol correct: use a theorem-proving system, exhausting development of a formal proof
- Are there decidable protocol cases?
  - Many are short programs with simple data
  - Ping-pong protocols (D&Y: PTIME) are too restrictive
  - What causes intractability for interesting protocols?

General protocols are undecidable
- Even and Goldreich 1983, Heintze and Tygar 1996, …
- Idea: Post Correspondence Problem
  - Good guy adds a domino (Z1, Z2) to the end of the sequence
  - If top and bottom read the same, spill the secret
      A -> B: {empty, empty}k
      B -> A: {X, Y}k → {(X Z1), (Y Z2)}k
      A -> B: {X, X}k → if X != empty, send SECRET
- But this requires unbounded message length

What about a "realistic" restricted class of protocols?
- Finite number of principals
- Each role has a finite number of steps, but a principal may repeat any number of roles
- Bounded message size: fixed number of fields in a message, fixed set of message constants, fixed depth of encryption
- Allow nonces (but only "create new nonce" and =)
- Everything constant, except the number of roles and the number of new nonces?

Still undecidable

Turing machine
- Main idea: Cook's theorem, but use nonces instead of propositional variables
- Tableau rows (one tape configuration per time step; [q2 0] is the head in state q2 reading 0):
    Start | 0 | 0 | 1 | [q2 0] | 0 | 1 | 1 | 0 | End
    Start | 0 | 0 | [q5 0] | 1 | 0 | 1 | 1 | 0 | End
    Start | 0 | 0 | 0 | [q6 0] | 0 | 1 | 1 | 0 | End
- A constant-size (3-cell) piece of the state at time N determines the state of a cell at time N+1, e.g. the window 1 | [q 0] | 0 determines the cell below its middle: 1

Turing machine
- Predicates
    Cell(name, symbol, right) -- contents of a tape cell
    Below(cell, cell)         -- next row of the tableau
- Rules
    Cell(a, 0, b), Cell(b, [q2 0], c), Cell(c, 1, …) → ∃d. Below(b, d), Cell(d, 1, …), …
(Figure: cells a, b, c in one row, with d in the row below b)

Turing machine
- Turing machine move:
    Cell(a, da, b), Cell(b, db, c), Cell(c, dc, d), Below(b, b') → ∃c'. Below(c, c'), Cell(b', F(da, db, dc), c')
- Copy Start to the next time step:
    Below(a, a'), Cell(a, Start, b) → ∃a'', b'. Below(a', a''), Cell(a', Start, b')
- Copy End to the next time step and extend the tape:
    Below(a, a'), Cell(a, End, b) → ∃b', c'. Cell(a', 0, b'), Cell(b', End, c')
- Initial tableau row:
    → ∃a, a', b, c, d, e. Cell(a, Start, b), Cell(b, Qinit, c), Cell(c, 0, d), Cell(d, End, e), Below(a, a')
- Reaching the final state reveals the secret:
    Cell(a, Qfinal, b) → Broadcast(Secret)

Turing machine discussion
- Each move is a protocol role; the protocol has finite length
- The attacker replays and routes messages
  - To prevent malicious alteration, encrypt all messages with a shared private key: {Cell(a, da, b)}k
- Machine steps are in standard protocol form: ∃… Ai(…), Nj(…) → Ak(…), Nl(…)
  - A role reads its hypotheses one at a time, saving data in its internal state

Undecidability
- Finite-length protocols with a bounded number of principals and bounded message size have undecidable behavior if
  - principals can repeat roles arbitrarily many times
  - runs can generate new atomic data
- What happens if we
  - bound the ability to generate new data?
  - restrict the number of roles?

Attack requires exponential run
- Sender role broadcasts the initial message
    A: Broadcast {0, 0, 0, 0}k
- n responder roles modify secret messages
    B1: {x, y, z, 0}k → {x, y, z, 1}k
    B2: {x, y, 0, 1}k → {x, y, 1, 0}k
    B3: {x, 0, 1, 1}k → {x, 1, 0, 0}k
    B4: {0, 1, 1, 1}k → {1, 0, 0, 0}k
- Server broadcasts the key on a specific message
    C: {1, 1, 1, 1, 1}k → Broadcast(k)
- Attack requires 2^n steps and 2^n messages
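The exponential-run attack of this slide replayed in Python, generalized from the four-field messages shown to n fields (an added example, not code from the authors). It assumes that role Bi rewrites a message whose low i fields read 0,1,…,1 into 1,0,…,0 (which is B1..B4 for n = 4), that the server role C fires on the all-ones n-field message, and it stands in for the encrypted message {x, y, z, 0}k with a plain bit string, since the intruder only ever replays what a role emitted.

```python
def responder_roles(n):
    """Roles B1..Bn of the slide, generalized to n fields (assumption of this
    example): Bi rewrites a message ending in 0,1,...,1 (i-1 ones) into 1,0,...,0."""
    roles = []
    for i in range(1, n + 1):
        before, after = "0" + "1" * (i - 1), "1" + "0" * (i - 1)

        def role(msg, before=before, after=after):
            # the x, y, z fields of the slide are the untouched prefix
            if msg.endswith(before):
                return msg[:len(msg) - len(before)] + after
            return None

        roles.append((f"B{i}", role))
    return roles


def attack_run(n):
    """Replay every message a role emits back onto the network until the server
    role C sees the all-ones message. Returns the encrypted messages that crossed
    the network, in order, starting with A's initial broadcast {0,...,0}k."""
    msg = "0" * n
    trace = [msg]
    roles = responder_roles(n)
    while msg != "1" * n:
        # exactly one Bi applies: the one whose i is the lowest 0 field
        for _name, role in roles:
            out = role(msg)
            if out is not None:
                msg = out
                trace.append(msg)
                break
    return trace


def attack_steps(n):
    """Rule applications in the run: 2^n - 1 responder steps plus the server step."""
    responder_steps = len(attack_run(n)) - 1
    return responder_steps + 1  # C: {1,...,1}k -> Broadcast(k)
```

The roles together implement a binary increment, so the messages on the network are the counter values 0, 1, …, 2^n - 1 in order and the key is released only after 2^n rule applications. Every role and every message is of constant size, which is why a search that bounds the run length polynomially in the protocol description never reaches the step that leaks k.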

Security DEXP-time complete
- No new data, but roles may be repeated arbitrarily
- Essentially the same proof as for undecidability: axiomatize a bounded Turing machine tableau
- Use counters instead of nonces to name cells
  - Cell(name, data, neighbor) as before
  - Represent the name by a pair of n-bit numbers:
      Cell(0,1,0,…,0, 0,0,1,…,1, data, neighbor)
  - 2^n × 2^n tableau using messages of size 4n

Conclusions
- Symbolic notation for unrestricted protocols
  - A nonce becomes an existentially quantified variable
  - Translations to process calculus, strands, HOL, …
  - Fragment of linear logic
    - Protocol search is proof search
    - Formal proofs using linear-logic proof theory and tools
- Study decision problems (secrecy, authenticity)
  - Undecidable if protocols generate new data
  - DEXP-time complete with bounded new data
  - NP-complete if the number of roles is bounded (discuss over bocce)

Bounded message size
- Prohibit arithmetic
  - Some protocols use successor:
      A -> B: {Nonce}k
      B -> A: {Nonce + 1}k
  - Successor and an equality test lead to undecidability
- Prohibit nested encryption
  - Some protocols use nested encryption:
      A -> B: {{m}k, Nonce}k'
  - Arbitrary-depth encryption allows undecidability:
      A -> B: {{m}k, {{{m}k}k}k, Q}k
    The state is Q, the two counters are 1 and 3.

Bounded protocols
- Let T be a protocol theory, m and n nonnegative integers
- Then the set of derivations from T ∪ Intruder that
  - instantiate at most m existential quantifiers
  - use only terms of length n
  is finite. Each run has exponential length.
- If we bound data complexity and limit nonces, then protocol properties are decidable.

Turing Machine (the tableau slides again, with a different example tape)
- Main idea: Cook's theorem, but use nonces instead of propositions
- Tableau rows:
    Start | 0 | 0 | 1 | q4 | 0 | 1 | 1 | End
    Start | 0 | 0 | q5 | 0 | 0 | 1 | 1 | 0 | End
    Start | 0 | 0 | 0 | q6 | 0 | 1 | 1 | 0 | 0 | End
- A constant-size (3-cell) piece of the state at time N determines the state of a cell at time N+1; the windows highlighted on the successive slides and the cell each determines:
    0 | 0 | 1   → 0
    0 | 1 | q4  → q5
    1 | q4 | 0  → 0
    q4 | 0 | 1  → 0
    0 | 1 | 1   → 1

Still undecidable