
1 The Nance is the Thing Iliano Cervesato, Nancy Durgin, Patrick Lincoln, John Mitchell, Andre Scedrov

2 Goals
- State and prove general properties of security protocols, e.g.,
  - Corrupt principal can be simulated by intruder
  - Error can be found with < k honest principals
  - No need for buffered network
  - Secrecy decidable for protocols that are …
- Understand basic problems in simplest possible formal setting
- Study nances: “choose a new value”

3 Outline
- Multiset rewriting model
  - “choose new nonce” => existential quantification
- Linear logic
  - Proof search
  - Protocol equivalence, other properties
- Decision problems
  - Undecidability
    - Previous results: folklore, general protocols
    - Main result: security in restricted fragment
  - Bounded case
    - Exponential attack; security DEXP-time complete

4 A notation for inf-state systems
- Define protocol, intruder in minimal framework
- Translations to other formalisms: Logical Proof, Process Calculus, Finite Automata, Proof search (Horn clause), Multiset rewriting

5 Protocol Notation
- Non-deterministic infinite-state systems
- Facts: multi-sorted first-order atomic formulas
  - F ::= P(t1, …, tn)
  - t ::= x | c | f(t1, …, tn)
- States { F1, ..., Fn }: multiset of facts
  - Includes network messages, private state
  - Intruder will see messages, not private state
  - Multiset allows duplicated messages, states

6 State Transitions
- Transition rule: F1, …, Fk -> exists x1 … xm. G1, …, Gn
- What this means: if F1, …, Fk are in state S, then a next state S’ has
  - Facts F1, …, Fk removed
  - G1, …, Gn added, with x1 … xm replaced by new symbols
  - Other facts in state S carry over to S’
  - Free variables in rule universally quantified
  - Pattern matching in F1, …, Fk can invert functions
- Linear logic: F1 ⊗ … ⊗ Fk ⊸ ∃x1 … ∃xm (G1 ⊗ … ⊗ Gn)

7 Simplified Needham-Schroeder
- Predicates
  - A1(na) -- Alice in state 1 with nonce na
  - B1(na, nb) -- Bob in state 1 with na, nb
  - N1(na) -- Network contains message 1 with data na
- Transitions
  - exists x. A1(x)
  - A1(x) -> N1(x), A2(x)
  - N1(x) -> exists y. B1(x,y)
  - …
- Protocol
  - A -> B: {na, A}Kb
  - B -> A: {na, nb}Ka
  - A -> B: {nb}Kb
- Authentication: A4(x,y) and B3(x,y’) implies y = y’

8 Sample Trace
Protocol: A -> B: {na, A}Kb; B -> A: {na, nb}Ka; A -> B: {nb}Kb
Rules fired, in order, with the resulting state (Alice | Bob | Network):
  exists x. A1(x)                  A1(na) | – | –
  A1(x) -> A2(x), N1(x)            A2(na) | – | N1(na)
  N1(x) -> exists y. B1(x,y)       A2(na) | B1(na,nb) | –
  B1(x,y) -> N2(x,y), B2(x,y)      A2(na) | B2(na,nb) | N2(na,nb)
  A2(x), N2(x,y) -> A3(x,y)        A3(na,nb) | B2(na,nb) | –
  A3(x,y) -> N3(y), A4(x,y)        A4(na,nb) | B2(na,nb) | N3(nb)
  B2(x,y), N3(y) -> B3(x,y)        A4(na,nb) | B3(na,nb) | –

9 Common Intruder Model
- Derived from Dolev-Yao model [1989]
  - Adversary is nondeterministic process
  - Adversary can
    - Block network traffic
    - Read any message, decompose into parts
    - Decrypt if key is known to adversary
    - Insert new message from data it has observed
  - Adversary cannot
    - Gain partial knowledge
    - Guess part of a key
    - Perform statistical tests…

10 Formalize Intruder Model
- Intercept, decompose and remember messages
  - N1(x) -> M(x)
  - N2(x,y) -> M(x), M(y)
  - N3(x) -> M(x)
- Compose and send messages from “known” data
  - M(x) -> N1(x), M(x)
  - M(x), M(y) -> N2(x,y), M(x), M(y)
  - M(x) -> N3(x), M(x)
- Generate new data as needed
  - exists x. M(x)
- Highly nondeterministic, same for any protocol

11 Attack on Simplified Protocol
Rules fired, in order, with the resulting state (Alice | Bob | Network | Intruder):
  exists x. A1(x)                  A1(na) | – | – | –
  A1(x) -> A2(x), N1(x)            A2(na) | – | N1(na) | –
  N1(x) -> M(x)                    A2(na) | – | – | M(na)
  exists x. M(x)                   A2(na) | – | – | M(na), M(na’)
  M(x) -> N1(x), M(x)              A2(na) | – | N1(na’) | M(na), M(na’)
  N1(x) -> exists y. B1(x,y)       A2(na) | B1(na’, nb) | – | M(na), M(na’)
Continue “man-in-the-middle” to violate specification

12 Protocols vs Rewrite rules
- Can axiomatize any computational system
- But -- protocols are not arbitrary programs
[Figure: initial data; select roles; Client, TGS, Server]

13 Protocol theory
- Initialization theory: bounded theory that “precedes” agent theories
  - Example: exists key. Principal(key)
- Role generation theory
  - Principal(key) -> A0(key), Principal(key)
  - Principal(key) -> B0(key), Principal(key)
- Agent theory
  - Rules of form Ai(…), Nj(…) -> exists … Ak(…), Nl(x) where i<k and j<l
  - Can also have persistent predicates on left/right

14 Two-phase intruder theory
- Avoid pointless looping by intruder:
  - M(x), M(y) -> N(x,y), M(x), M(y)
  - N(x,y) -> M(x), M(y)
- Phase 1: Decomposition
- Phase 2: Composition
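The rewriting model of slides 7, 10, 11 and 14 can be executed directly. The Python program below is an added example written for this page, not code from the slides or from the authors' tools. It encodes the simplified Needham-Schroeder rules of slide 7 as multiset rewrite rules with existential (fresh-nonce) variables, folds in the Dolev-Yao intruder of slide 10 using the two-phase idea of slide 14 (every network message is decomposed into intruder knowledge M(.) the moment it is sent, and a message is composed from that knowledge only when an honest role is about to consume it), bounds the number of fresh values as slide 32 does, and runs a breadth-first search for a state violating the authentication specification A4(x,y), B3(x,y') with y != y'. The tuple encoding of facts, the fresh-constant names n0, n1, ... and the search bound are this example's own choices.

```python
from collections import deque
from itertools import product

# A fact is a tuple (predicate, arg, ...).  Names starting with '?' are rule
# variables; existentially quantified variables are bound to fresh constants
# n0, n1, ... when the rule fires.  A rule is (left side, existentials, right side).
PROTOCOL = [
    ((), ('?x',), (('A1', '?x'),)),                                  # exists x. A1(x)
    ((('A1', '?x'),), (), (('A2', '?x'), ('N1', '?x'))),              # A1(x) -> A2(x), N1(x)
    ((('N1', '?x'),), ('?y',), (('B1', '?x', '?y'),)),               # N1(x) -> exists y. B1(x,y)
    ((('B1', '?x', '?y'),), (), (('N2', '?x', '?y'), ('B2', '?x', '?y'))),
    ((('A2', '?x'), ('N2', '?x', '?y')), (), (('A3', '?x', '?y'),)),
    ((('A3', '?x', '?y'),), (), (('N3', '?y'), ('A4', '?x', '?y'))),
    ((('B2', '?x', '?y'), ('N3', '?y')), (), (('B3', '?x', '?y'),)),
]

def unify(pattern, fact, binding):
    """Extend binding so that pattern matches fact; None if impossible."""
    if len(pattern) != len(fact) or pattern[0] != fact[0]:
        return None
    b = dict(binding)
    for p, v in zip(pattern[1:], fact[1:]):
        if (b.setdefault(p, v) if p.startswith('?') else p) != v:
            return None
    return b

def matches(lhs, facts, known, binding=None):
    """Yield (binding, consumed facts) for every way of matching lhs against the
    state.  When known is a set, network facts N_j(...) are composed from intruder
    knowledge instead of taken from the state (two-phase intruder, phase 2)."""
    binding = {} if binding is None else binding
    if not lhs:
        yield binding, ()
        return
    pat, rest = lhs[0], lhs[1:]
    if known is not None and pat[0].startswith('N'):
        for args in product(sorted(known), repeat=len(pat) - 1):
            b = unify(pat, (pat[0],) + args, binding)
            if b is not None:
                yield from matches(rest, facts, known, b)
        return
    for i, fact in enumerate(facts):
        b = unify(pat, fact, binding)
        if b is not None:
            for b2, used in matches(rest, facts[:i] + facts[i + 1:], known, b):
                yield b2, (fact,) + used

def show(pat, b):
    """Render a pattern under a binding, e.g. ('A1', '?x') -> 'A1(n0)'."""
    return pat[0] + '(' + ','.join(b.get(a, a) for a in pat[1:]) + ')'

def successors(state, intruder, fresh_budget):
    """One-step transitions from state = (facts, intruder knowledge, fresh count)."""
    facts, known, fresh = state
    for lhs, exists, rhs in PROTOCOL:
        if fresh + len(exists) > fresh_budget:      # slide 32: bound the existentials
            continue
        for binding, used in matches(lhs, facts, known if intruder else None):
            b = {**binding, **{v: f'n{fresh + k}' for k, v in enumerate(exists)}}
            new_facts, new_known = list(facts), set(known)
            for f in used:
                new_facts.remove(f)
            for pat in rhs:
                fact = (pat[0],) + tuple(b.get(a, a) for a in pat[1:])
                if intruder and fact[0].startswith('N'):
                    new_known.update(fact[1:])      # phase 1: intercept and decompose
                else:
                    new_facts.append(fact)
            step = (', '.join(show(p, b) for p in lhs) or 'fresh') + ' -> ' + ', '.join(show(p, b) for p in rhs)
            yield (tuple(sorted(new_facts)), frozenset(new_known), fresh + len(exists)), step
    if intruder and fresh < fresh_budget:           # exists x. M(x): intruder invents data
        yield (facts, known | {f'n{fresh}'}, fresh + 1), f'intruder: exists x. M(n{fresh})'

def violates_authentication(facts):
    """A4(x,y) and B3(x,y') with y != y': Alice and Bob disagree on Bob's nonce."""
    a4 = {f[1:] for f in facts if f[0] == 'A4'}
    b3 = {f[1:] for f in facts if f[0] == 'B3'}
    return any(x == x2 and y != y2 for x, y in a4 for x2, y2 in b3)

def search(intruder, fresh_budget=3):
    """Breadth-first search; returns the shortest violating trace, or None."""
    start = ((), frozenset(), 0)
    parent, queue = {start: None}, deque([start])
    while queue:
        state = queue.popleft()
        if violates_authentication(state[0]):
            trace = []
            while parent[state] is not None:
                state, step = parent[state]
                trace.append(step)
            return trace[::-1]
        for nxt, step in successors(state, intruder, fresh_budget):
            if nxt not in parent:
                parent[nxt] = (state, step)
                queue.append(nxt)
    return None

if __name__ == '__main__':
    print('honest principals only:', search(intruder=False))
    print('\n'.join(search(intruder=True)))
```

With honest principals only, the search exhausts the bounded state space without finding a violation. With the intruder it returns the shortest violating run, seven rule firings, in which the value Alice accepts as Bob's nonce is one the intruder composed from data it had already seen, the man-in-the-middle of slide 11 carried through to the specification. Because network facts never accumulate in the state, the search space stays finite for a fixed fresh-value budget, which is the point of the two-phase normalisation.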

15 Connections with logic and tools
- Search can find protocol errors
  - Backward search:
    - Interrogator [Millen]
    - NRL analyzer [Meadows]
  - Forward search (model checking):
    - FDR [Roscoe], Casper [Lowe], Murphi [Mitchell² & Stern]
    - SMV [Marrero, Clarke, & Jha]
    - Athena [Song], TIPE [Denker, Meseguer, Talcott & Millen]
- Prove protocol properties
  - Inductive proof:
    - InaJo [Kemmerer], Coq [Bolignano]
    - Isabelle [Paulson], PVS [Dutertre, Schneider, Millen]
  - Prove correctness of optimizations (example in paper)

16 Conventional wisdom
- Find protocol errors
  - Model checking
  - Exhaustive search of finite-state system
- Prove protocol correct
  - Use theorem-proving system
  - Exhausting development of formal proof
- Are there decidable protocol cases?
  - Many are short programs with simple data
  - Ping-Pong protocols (D&Y: Ptime) too restrictive
  - What causes intractability for interesting protocols?

17 General protocols are undecidable
- Even and Goldreich 1983, Heintze and Tygar 1996, …
- Idea: Post Correspondence Problem
  - Good guy adds domino (Z1, Z2) to end of sequence
  - If top and bottom read the same, spill secret
    - A -> B: {empty, empty}k
    - B -> A: {X,Y}k -> {(X Z1), (Y Z2)}k
    - A -> B: {X,X}k -> if X != empty, send SECRET
- But -- requires unbounded message length

18 What about a “realistic” restricted class of protocols?
- Finite number of principals
- Each role has finite number of steps
  - But a principal may repeat any number of roles
- Bounded message size
  - Fixed number of fields in message
  - Fixed set of message constants
  - Fixed depth encryption
  - Allow nonces (but only “create new nonce”, and =)
- Everything constant, except number of roles and number of new nonces?

19 Still undecidable

20 Turing machine
- Main Idea: Cook’s Theorem, but use nances instead of propositional variables
Tableau (one row per time step; q2, q5, q6 mark the head's state at the cell it scans):
  Start | 0 | 0 | 1 | q2 0 | 0 | 1 | 1 | 0 | End
  Start | 0 | 0 | q5 0 | 1 | 0 | 1 | 1 | 0 | End
  Start | 0 | 0 | 0 | q6 0 | 0 | 1 | 1 | 0 | End

21 Turing machine
  Start | 0 | 0 | q5 0 | 1 | 0 | 1 | 1 | 0 | End
  Start | 0 | 0 | 1 | q2 0 | 0 | 1 | 1 | 0 | End
  Start | 0 | 0 | 0 | q6 0 | 0 | 1 | 1 | 0 | End
- Highlighted window: 1 | q 0 | 0 at time N determines 1 at time N+1 (figure)
- Constant (3) piece of state at time N determines state of cell at time N+1


24 Turing machine
- Predicates
  - Cell(name, symbol, right) -- contents of tape cell
  - Below(cell, cell) -- next row of tableau
- Rules
  - Cell(a,0,b), Cell(b, q2 0, c), Cell(c,1,…) -> exists d. Below(b,d), Cell(d,1,…), ...
[Figure: cells a, b, c in one row holding 0, q2 0, 1; cell d below b holding 1]

25 Turing machine
- Cell(a,da,b), Cell(b,db,c), Cell(c,dc,d), Below(b,b’) -> exists c’. Below(c,c’), Cell(b’,F(da,db,dc),c’)
- Below(a,a’), Cell(a,Start,b) -> exists a’’,b’. Below(a’,a’’), Cell(a’,Start,b’)
- Below(a,a’), Cell(a,End,b) -> exists b’,c’. Cell(a’,0,b’), Cell(b’,End,c’)
- exists a,a’,b,c,d,e. Cell(a,Start,b), Cell(b,Qinit,c), Cell(c,0,d), Cell(d,End,e), Below(a,a’)
- Cell(a,Qfinal,b) -> Broadcast(Secret)
[Labels on the slide: Turing machine move; Start and End; Copy to Next Time; Extend Tape]

26 Turing machine discussion
- Each move is a protocol role
  - Finite length protocol
- Attacker replays and routes messages
  - To prevent malicious alteration, encrypt all messages with shared private key: { Cell(a,da,b) }k
- Machine steps in standard protocol form
  - Ai(…), Nj(…) -> exists … Ak(…), Nl(…)
  - Role reads hypotheses one at a time, saving data in internal state.

27 Undecidability
- Finite length protocols with
  - bounded number of principals
  - bounded message size
  have undecidable behavior if
  - principals can repeat roles arbitrarily many times
  - runs can generate new atomic data
- What happens if we
  - Bound ability to generate new data?
  - Restrict number of roles?

28 Attack requires exponential run
- Sender role broadcasts initial message
  - A: Broadcast {0, 0, 0, 0}k
- n responder roles modify secret messages
  - B1: {x, y, z, 0}k -> {x, y, z, 1}k
  - B2: {x, y, 0, 1}k -> {x, y, 1, 0}k
  - B3: {x, 0, 1, 1}k -> {x, 1, 0, 0}k
  - B4: {0, 1, 1, 1}k -> {1, 0, 0, 0}k
- Server broadcasts key on specific message
  - C: {1, 1, 1, 1, 1}k -> Broadcast(k)
- Attack requires 2^n steps and 2^n messages.
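Added example, not code from the slides: the responder roles of slide 28 written as rewrite rules over the message fields and driven from the sender's initial all-zero message until the server's rule applies. It generalises the slide's four roles to n (Bi rewrites a trailing block 0 1…1 of i fields into 1 0…0, exactly the B1–B4 patterns when n = 4) and reads rule C as firing on the all-ones message; the rule names, the tuple encoding of a message and the run driver are this example's own.

```python
# Responder rules B1..Bn of slide 28, generalised from n = 4 to any n.  A rule is
# (name, pattern, result); None in a pattern copies the field (the x, y, z of the slide).
def responder_rules(n):
    """Bi rewrites the trailing block 0 1...1 (i fields) into 1 0...0."""
    rules = []
    for i in range(1, n + 1):
        pattern = tuple([None] * (n - i) + [0] + [1] * (i - 1))
        result = tuple([None] * (n - i) + [1] + [0] * (i - 1))
        rules.append((f'B{i}', pattern, result))
    return rules

def apply_rule(rule, msg):
    """Return the rewritten message, or None if the rule's pattern does not match."""
    _, pattern, result = rule
    if any(p is not None and p != m for p, m in zip(pattern, msg)):
        return None
    return tuple(m if r is None else r for r, m in zip(result, msg))

def enabled(rules, msg):
    """The responder roles whose pattern matches msg."""
    return [r for r in rules if apply_rule(r, msg) is not None]

def run(n):
    """Drive the message from the sender's {0,...,0}k to the all-ones message on
    which the server releases the key (rule C of the slide, read as n ones).
    Returns (number of responder firings, list of messages seen in order)."""
    rules = responder_rules(n)
    msg, trace = (0,) * n, [(0,) * n]
    while msg != (1,) * n:
        fireable = enabled(rules, msg)
        if len(fireable) != 1:          # the rules are disjoint: exactly one matches
            raise RuntimeError(f'{len(fireable)} roles enabled on {msg}')
        msg = apply_rule(fireable[0], msg)
        trace.append(msg)
    return len(trace) - 1, trace

if __name__ == '__main__':
    for n in (4, 6, 8):
        steps, trace = run(n)
        print(f'n={n}: {steps} steps, {len(set(trace))} distinct messages')
```

run(4) takes 15 steps through 16 distinct messages, and run(n) in general takes 2^n - 1 steps through 2^n messages: each role is a constant-size rewrite that touches at most n fields, yet together they implement a binary counter, so the server's message is reachable only after every intermediate value has been produced, which is the exponential run the slide refers to.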

29 Security DEXP-time complete
- No new data, but repeat roles arbitrarily
- Essentially same proof as undecidability
  - Axiomatize bounded Turing machine tableau
- Use counters instead of nonces to name cells
  - Cell(name, data, neighbor) as before
  - Represent name by pair of numbers
    - Cell(0,1,0,...,0, 0,0,1,…,1, data, neighbor): 2^n × 2^n tableau using messages of size 4n; n bits

30 Conclusions
- Symbolic notation for unrestricted protocols
  - Nonce becomes existentially quantified variable
  - Translations to process calculus, strands, HOL, ...
  - Fragment of linear logic
    - Protocol search is proof search
    - Formal proofs using linear-logic proof theory, tools
- Study decision problems (secrecy, authenticity)
  - Undecidable if protocols generate new data
  - DEXP-time complete with bounded new data
  - NP-complete if bounded number of roles (discuss over bocce)

31 Bounded message size
- Prohibit arithmetic
  - Some protocols use successor:
    - A -> B: {Nonce}k
    - B -> A: {Nonce + 1}k
  - Successor and equality test lead to undecidability
- Prohibit nested encryption
  - Some protocols use nested encryption:
    - A -> B: {{m}k, Nonce}k’
  - Arbitrary depth encryption allows undecidability
    - A -> B: {{m}k, {{{m}k}k}k, Q}k
    - State is Q, two counters are 1 and 3.

32 Bounded protocols
- Let T be a protocol theory, m and n nonnegative integers
- Then the set of derivations from T together with the intruder theory that
  - instantiate at most m existential quantifiers
  - use only terms of length n
  is finite. Each run has exponential length.
- If we bound data complexity and limit nonces, then protocol properties are decidable.

33 Turing Machine
- Main Idea: Cook’s Theorem, but use nonces instead of propositions
  Start | 0 | 0 | 1 | q4 | 0 | 1 | 1 | End
  Start | 0 | 0 | q5 | 0 | 0 | 1 | 1 | 0 | End
  Start | 0 | 0 | 0 | q6 | 0 | 1 | 1 | 0 | 0 | End

34–38 Turing Machine (five animation steps over the same tableau as slide 33)
- Constant size (3) piece of state at time N determines state of cell at time N+1
- Windows highlighted in turn (three cells at time N -> cell at time N+1):
  - 0 | 0 | 1 -> 0
  - 0 | 1 | q4 -> q5
  - 1 | q4 | 0 -> 0
  - q4 | 0 | 1 -> 0
  - 0 | 1 | 1 -> 1

39 Still undecidable

