Vitaly Shmatikov - PowerPoint PPT Presentation

1
Constraint-Based Methods: Adding Algebraic Properties to Symbolic Models
  • Vitaly Shmatikov
  • SRI International

2
One-Slide Summary
  • Constraint solving is a symbolic analysis
    method for cryptographic protocols
  • Decidable without finite bounds on the attacker
  • Big win over finite-state checking (FDR, Murφ,
    etc.)
  • Only need to specify behavior of honest
    participants
  • Can be extended with algebraic theories for XOR,
    modular multiplication, Diffie-Hellman
  • Push-button procedure for finding both Dolev-Yao
    and algebraic attacks (e.g., Pereira-Quisquater)
  • Works only for a finite number of sessions
  • Attack template must be expressed as a symbolic
    execution trace

3
Dolev-Yao Model
  • Inspired by a 1983 paper
  • D. Dolev and A. Yao. On the security of public
    key protocols. IEEE Transactions on Information
    Theory, 29(2):198–208.
  • Adversary is a nondeterministic process
  • Can read any message, decompose it into parts and
    re-assemble
  • Cannot gain partial knowledge, perform
    statistical tests, ...
  • Black-box cryptography
  • Adversary can decrypt if and only if he knows the
    correct key
  • Assumes that cryptographic functions have no
    special properties
  • Most mechanized formal methods for security
    analysis use some version of this model

4
Protocol Analysis Techniques
(Figure: taxonomy of protocol analysis techniques)
  • Formal models (no probabilities): modal logics, decidable methods, inductive proofs, process calculi
  • Decidable methods: finite-state, or infinite message space with finite sessions
  • Infinite message space, finite sessions: free attacker algebra, or attacker algebra with equational theory
  • Computational models: probabilistic poly-time, random oracle
5
Protocol Analysis Meets Algebra
  • Dolev-Yao model uses black-box cryptography
  • Many crypto primitives are not black boxes
  • XOR: $a \oplus b = b \oplus a$, $a \oplus a = 0$
  • Modular exponentiation: $(\alpha^x)^y = (\alpha^y)^x$, $(\alpha^{xy})^{x^{-1}} = \alpha^y$
  • Attacker can and will exploit algebraic
    properties
  • Ryan-Schneider attack on Bull's recursive
    authentication protocol
  • Pereira-Quisquater attack on A-GDH.2 protocol
  • Goal: fully automated analysis of protocols with
    relevant algebraic theories
  • GDOI, group key management protocols, ...

6
A-GDH.2 Protocol
[Ateniese, Steiner, Tsudik '00]
$p$ is prime, $q$ is a prime divisor of $p-1$, $\alpha$ is a generator of the cyclic subgroup of $Z_p$ of order $q$
  • Parties start with pairwise keys $K_{az}, K_{bz}, K_{cz}$
  • The goal is to establish common session key $\alpha^{r_a r_b r_c r_z}$

(Figure: A-GDH.2 message flow among A, B, C and the controller Z.)
A → B: $\alpha, \alpha^{r_a}$; B → C: $\alpha^{r_a}, \alpha^{r_b}, \alpha^{r_a r_b}$; C → Z: $\alpha^{r_b r_c}, \alpha^{r_a r_c}, \alpha^{r_a r_b}, \alpha^{r_a r_b r_c}$; Z → A, B, C: $\alpha^{r_b r_c r_z K_{az}}, \alpha^{r_a r_c r_z K_{bz}}, \alpha^{r_a r_b r_z K_{cz}}$
B computes session key $\alpha^{r_a r_b r_c r_z}$ as $(\alpha^{r_a r_c r_z K_{bz}})^{K_{bz}^{-1} r_b}$
7
Is This Protocol Secure?
  • Suppose two sessions are run concurrently, and malicious C wants to learn the session key of the session from which he is excluded

(Figure: two concurrent sessions.)
Session 1 (A, B, C, Z): A → B: $\alpha, \alpha^{r_a}$; B → C: $\alpha^{r_a}, \alpha^{r_b}, \alpha^{r_a r_b}$; C → Z: $\alpha^{r_b r_c}, \alpha^{r_a r_c}, \alpha^{r_a r_b}, \alpha^{r_a r_b r_c}$; Z → A, B, C: $\alpha^{r_b r_c r_z K_{az}}, \alpha^{r_a r_c r_z K_{bz}}, \alpha^{r_a r_b r_z K_{cz}}$
Session 2 (A, B, Z; C excluded): A → B: $\alpha, \alpha^{q_a}$; B → Z: $\alpha^{q_a}, \alpha^{q_b}, \alpha^{q_a q_b}$; Z → A, B: $\alpha^{q_b q_z K_{az}}, \alpha^{q_a q_z K_{bz}}$
Can the attacker who controls the network and participates in the 1st session learn the session key of the 2nd session?
8
Model Checking Approach
  • Two sources of infinite behavior
  • Multiple protocol sessions, multiple participant
    roles
  • Message space or data space may be infinite
  • Finite approximation
  • Assume finite number of participants
  • Example: 2 clients, 2 servers
  • Assume finite message space
  • Represent random numbers by r1, r2, r3, ...
  • Do not allow encrypt(encrypt(encrypt(...)))

This restriction is necessary (or the problem is
undecidable)
This restriction is not necessary for fully
automated analysis!
9
Infinite-State Protocol Model
[Amadio and Lugiez '00]
[Rusinowitch and Turuani '01]
  • Finite number of processes
  • Each process models a protocol role
  • Messages modeled as terms with variables
  • Variables represent data under attacker's control
  • Attacker capabilities modeled by a term algebra
  • No artificial bounds on attacker computations
  • Generates an infinite space of possible attacker
    messages
  • Protocol analysis problem reduces to a decidable
    symbolic constraint solving problem
  • Easy-to-use, practical software for protocol
    analysis

[Boreale '01]
[Millen and Shmatikov '01]
10
Roles in A-GDH.2 Protocol
(Figure: session 1 of A-GDH.2 as on slide 7; the B and Z roles are extracted below.)
B role: receives $\alpha, \alpha^{X_1}$; sends $\alpha^{X_1}, \alpha^{r_b}, \alpha^{X_1 r_b}$; receives $Y_1, \alpha^{Y_2 K_{bz}}, Y_3$
Z role: receives $\alpha^{Z_1}, \alpha^{Z_2}, \alpha^{Z_3}, \alpha^{Z_4}$; sends $\alpha^{Z_1 r_z K_{az}}, \alpha^{Z_2 r_z K_{bz}}, \alpha^{Z_3 r_z K_{cz}}$
  • Variables represent terms unknown to the party
    who plays the role
  • Attacker can instantiate a variable with any
    value, but instantiation must be consistent in
    all terms where it occurs

11
Symbolic Execution Trace
  • Suppose two sessions are run concurrently, and malicious C wants to learn the session key of the session from which he is excluded

(Figure: the two sessions of slide 7 with the symbolic trace overlaid.)
Symbolic trace: B receives $\alpha, \alpha^{X_1}$; B sends $\alpha^{X_1}, \alpha^{r_b}, \alpha^{X_1 r_b}$; Z receives $\alpha^{Z_1}, \alpha^{Z_2}, \alpha^{Z_3}, \alpha^{Z_4}$; Z sends $\alpha^{Z_1 r_z K_{az}}, \alpha^{Z_2 r_z K_{bz}}, \alpha^{Z_3 r_z K_{cz}}$; B receives $\alpha, \alpha^{V_1}$; B sends $\alpha^{V_1}, \alpha^{q_b}, \alpha^{V_1 q_b}$; B receives $W_1, \alpha^{W_2 K_{bz}}, W_3$
12
Is There A Feasible Attack?
Symbolic trace: B receives $\alpha, \alpha^{X_1}$; B sends $\alpha^{X_1}, \alpha^{r_b}, \alpha^{X_1 r_b}$; Z receives $\alpha^{Z_1}, \alpha^{Z_2}, \alpha^{Z_3}, \alpha^{Z_4}$; Z sends $\alpha^{Z_1 r_z K_{az}}, \alpha^{Z_2 r_z K_{bz}}, \alpha^{Z_3 r_z K_{cz}}$; B receives $\alpha, \alpha^{V_1}$; B sends $\alpha^{V_1}, \alpha^{q_b}, \alpha^{V_1 q_b}$; B receives $W_1, \alpha^{W_2 K_{bz}}, W_3$; finally the attacker must produce $\alpha^{W_2 q_b}$
B will use this value as session key. If attacker can learn (and announce) it, the protocol is broken.
  • This attack is feasible if and only if the attacker can consistently instantiate all variables in the trace so that he can produce every message received by B and Z

13
Symbolic Attack Traces
  • Attack is modeled as a symbolic execution trace
  • A trace is a sequence of message send and receive
    events
  • Attack trace ends in a violation (e.g., attacker
    learns the secret)
  • Messages contain variables, modeling data
    controlled by attacker
  • Adequate for trace-based security properties
  • Secrecy, authentication, some forms of fairness
  • A symbolic trace may or may not have a feasible
    concrete instantiation
  • Finding whether such an instantiation exists is
    the main goal of symbolic (infinite-state)
    protocol analysis

14
From Attack Traces to Constraints
  • For each message sent by the attacker in the attack trace, create a symbolic constraint: $m_i$ from $t_1, \ldots, t_n$
  • $m_i$ is the message attacker needs to send
  • $t_1, \ldots, t_n$ are the messages observed by attacker up to this point
  • Attack is feasible if and only if all constraints are satisfiable simultaneously
  • There exists an instantiation $\sigma$ such that $\forall i$, $m_i\sigma$ can be derived from $t_1\sigma, \ldots, t_n\sigma$ in attacker's term algebra

15
Constraint Generation for A-GDH.2
Symbolic trace: B receives $\alpha, \alpha^{X_1}$; B sends $\alpha^{X_1}, \alpha^{r_b}, \alpha^{X_1 r_b}$; Z receives $\alpha^{Z_1}, \alpha^{Z_2}, \alpha^{Z_3}, \alpha^{Z_4}$; Z sends $\alpha^{Z_1 r_z K_{az}}, \alpha^{Z_2 r_z K_{bz}}, \alpha^{Z_3 r_z K_{cz}}$; B receives $\alpha, \alpha^{V_1}$; B sends $\alpha^{V_1}, \alpha^{q_b}, \alpha^{V_1 q_b}$; B receives $W_1, \alpha^{W_2 K_{bz}}, W_3$; finally the attacker must produce $\alpha^{W_2 q_b}$
Constraints, one per message the attacker must produce:
  $\alpha^{X_1}$ from $\alpha, k_{cz}$ (attacker's initial knowledge)
  $\alpha^{Z_1}, \alpha^{Z_2}, \alpha^{Z_3}, \alpha^{Z_4}$ from $\alpha, k_{cz}, \alpha^{X_1}, \alpha^{r_b}, \alpha^{X_1 r_b}$
  $\alpha^{V_1}$ from $\alpha, k_{cz}, \alpha^{X_1}, \alpha^{r_b}, \alpha^{X_1 r_b}, \alpha^{Z_1 r_z K_{az}}, \alpha^{Z_2 r_z K_{bz}}, \alpha^{Z_3 r_z K_{cz}}$
16
Dolev-Yao Term Algebra
  • Attacker's term algebra is a set of derivation rules (here $[u,v]$ is a pair and $crypt(u,v)$ is $v$ encrypted under key $u$)

  $T \vdash u,\ T \vdash v \Rightarrow T \vdash [u,v]$
  $T \vdash u,\ T \vdash v \Rightarrow T \vdash crypt(u,v)$
  $v \in T \Rightarrow T \vdash u$ if $u = v\sigma$ for some $\sigma$
  $T \vdash [u,v] \Rightarrow T \vdash v$
  $T \vdash [u,v] \Rightarrow T \vdash u$
  $T \vdash crypt(u,v),\ T \vdash u \Rightarrow T \vdash v$
Symbolic constraint $m$ from $t_1, \ldots, t_n$ is satisfiable if and only if there is a substitution $\sigma$ such that $t_1\sigma, \ldots, t_n\sigma \vdash m\sigma$ is derivable using these rules
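As an added example that is not part of the slides, the derivation rules above restricted to ground terms, i.e. the Dolev-Yao derivability check $T \vdash m$ when no variables are left: first close the observed set under the decomposition rules, then check whether $m$ can be composed. The term encoding (string atoms, `('pair', u, v)`, `('crypt', k, m)` with $k$ the key) and the sample knowledge set are this example's own assumptions.

```python
# Added example (not from the slides): Dolev-Yao derivability T |- m on ground
# terms (no variables) with the rules above. Term encoding is an assumption:
#   atom: a string such as 'kab'; pair [u,v]: ('pair', u, v);
#   crypt(k, m): ('crypt', k, m), m encrypted under key k (the slide's cryptkm).

def synthesize(m, known):
    """Composition: m is derivable if it is in known (axiom) or is a pair or
    crypt both of whose components are derivable (pair, enc rules)."""
    if m in known:
        return True
    if isinstance(m, tuple):
        return synthesize(m[1], known) and synthesize(m[2], known)
    return False                          # an atom never seen cannot be guessed

def analyze(T):
    """Decomposition to a fixpoint: split every pair; decrypt crypt(k, m) once
    k is derivable (keys may be non-atomic, so k is checked with synthesize)."""
    known = set(T)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if isinstance(t, tuple) and t[0] == 'pair':
                parts = {t[1], t[2]}
            elif isinstance(t, tuple) and t[0] == 'crypt' and synthesize(t[1], known):
                parts = {t[2]}
            else:
                continue
            if not parts <= known:
                known |= parts
                changed = True
    return known

def derives(T, m):
    """T |- m: decompose everything observed, then try to compose m."""
    return synthesize(m, analyze(T))

# Constructed sample: the attacker observed a secret s sent with nonce na under
# kab, and kab was then sent to him encrypted under his own key kc.
OBSERVED = {
    ('crypt', 'kab', ('pair', 'na', 's')),
    ('crypt', 'kc', 'kab'),
    'kc',
}
```

With `kc` in the set the attacker decrypts `kab`, then the pair, and reaches `s`; remove `kc` and neither `kab` nor `s` is derivable, which is exactly the black-box assumption of slide 3.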
17
Properties of Term Algebra
  • No restriction on structural size of terms
  • The closure of any term set under derivation
    rules is infinite
  • There is no a priori bound on attacker
    computations
  • Untyped
  • Attacker doesn't have to comply with the protocol
    specification
  • Attacker may substitute a ciphertext for a random
    number, a key for an output of a hash function,
    etc.
  • Symmetric encryption with non-atomic keys
  • Can add an equational theory to model algebraic
    properties of cryptographic functions
  • XOR, modular exponentiation, blinded signatures, ...

18
Solving Symbolic Constraints
[Millen and Shmatikov, CCS '01]
  • Constraint reduction rules
  • Replace each $m_i$ from $T_i$ with one or more simpler
    constraints
  • Preserve essential properties of the constraint
    sequence
  • Nondeterministic reduction procedure
  • Structure-driven, but several rules may apply in
    any state
  • Exponential in the worst case (the problem is
    NP-complete)
  • The procedure is terminating and complete
  • If $T\sigma \vdash m\sigma$ is derivable in attacker's term algebra, there exists a reduction rule $r$ (depending on $\sigma$) which is applicable to $m$ from $T$ and produces some $m'$ from $T'$ such that $T'\sigma \vdash m'\sigma$ is derivable in attacker's term algebra

19
Reduction Rules
(pair): $[m_1, m_2]$ from $T$ reduces to $m_1$ from $T$; $m_2$ from $T$
(enc): $crypt(k, m)$ from $T$ reduces to $m$ from $T$; $k$ from $T$
(un): $m$ from $t, T$ reduces to adding $mgu(t, m)$ to $\sigma$
(elim): $m$ from $T, v$ reduces to $m$ from $T$ ($v$ a variable)
(dec): $m$ from $crypt(u, v), T$ reduces to $u$ from $crypt(u, v), T$; $m$ from $crypt(u, v), v, T$
(split): $m$ from $[u, v], T$ reduces to $m$ from $u, v, T$
20
Reduction Procedure
Initial constraint sequence: apply every possible reduction rule to the first $m$ from $T$ where $m$ is not a variable, and repeat on each resulting sequence
Each branch of the reduction tree ends in a leaf where either no rule is applicable, or the sequence has the form $v_1$ from $T_1, \ldots, v_N$ from $T_N$
If the reduction tree has at least one such sequence as a leaf, there is a solution, and the attack trace is feasible
21
Symbolic Analysis Summary
(Figure: the symbolic analysis pipeline.)
1. Formal specification of protocol roles, specified by the analyst; the attacker is implicit! Variables model attacker's input.
2. Attack (violating execution trace); may not have a feasible instantiation.
3. Sequence of symbolic constraints; satisfiable if and only if there exists a feasible instantiation of the attack trace.
4. Decidable constraint solving procedure.
Everything after step 1 is fully automated.
22
Let's Add Algebraic Properties
  • Verification of trace-based security properties
  • is decidable for protocols with XOR: Comon-Lundh and Shmatikov (LICS '03); Chevalier, Küsters, Rusinowitch, Turuani (LICS '03)
  • reduces to a system of quadratic Diophantine equations for protocols with Abelian groups: Millen and Shmatikov (CSFW '03)
  • is decidable for a restricted class of protocols with modular exponentiation: Chevalier, Küsters, Rusinowitch, Turuani (FST/TCS '03)
  • is decidable for any well-defined protocol with products and modular exponentiation: Shmatikov (ESOP '04)

23
Attacker Term Algebra
Dolev-Yao rules:
  $v \in T \Rightarrow T \vdash u$ if $u = v\sigma$ for some $\sigma$
  $T \vdash [u,v] \Rightarrow T \vdash u$
  $T \vdash [u,v] \Rightarrow T \vdash v$
  $T \vdash crypt(u,v),\ T \vdash u \Rightarrow T \vdash v$
  $T \vdash u,\ T \vdash v \Rightarrow T \vdash crypt(u,v)$
  $T \vdash u,\ T \vdash v \Rightarrow T \vdash [u,v]$
Algebraic extension:
  $T \vdash u,\ T \vdash v \Rightarrow T \vdash u^v$
  $T \vdash u,\ T \vdash v \Rightarrow T \vdash u \cdot v$
  $T \vdash u \Rightarrow T \vdash u^{-1}$
Associative: $(x \cdot y) \cdot z = x \cdot (y \cdot z)$; Commutative: $x \cdot y = y \cdot x$
Normalization rules: $x \cdot x^{-1} \to 1$, $x \cdot 1 \to x$, $(x^{-1})^{-1} \to x$, $(x \cdot y)^{-1} \to y^{-1} \cdot x^{-1}$, $x^1 \to x$, $(x^y)^z \to x^{y \cdot z}$
24
Key Insights For Decidability
  • In a well-defined protocol, honest participants
    don't need to guess values of attacker inputs
  • Leads to a syntactic condition on usage of
    variables
  • If attacker can derive u from T, then there is a
    derivation which uses only subterms of T and u
  • If constraints are satisfiable, then there is an
    attack in which every variable is instantiated by
    a product of subterms drawn from a finite set

25
Origination Stability
  • Variable origination condition: if $C$ is a constraint sequence generated from an execution trace, then there exists a linear ordering $<$ on $Vars(C)$ such that if $x$ appears for the first time in ($m_i$ from $T_i$) $\in C$, then $x \in Vars(m_i)$ and $\forall y \in Vars(T_i).\ y < x$
  • This condition must be satisfied by $C\sigma$ after any partial substitution $\sigma$
  • Rules out only ill-defined protocols
  • A → B: $X \cdot Y$
  • B → A: $X$

Requires B to split a product of two unknown values
26
Normal Derivations
(Figure: shape of a normal derivation. Leaves $t_1 \in T \Rightarrow T \vdash t_1$, $t_2 \in T \Rightarrow T \vdash t_2$, ..., $t_n \in T \Rightarrow T \vdash t_n$; intermediate conclusions $T \vdash v_1, \ldots, T \vdash v_k$ and $T \vdash v$; root $T \vdash u$.)
Lemma: if $T \vdash u$ is derivable, then there is a normal derivation
27
Conservative Solutions
  • Conservative solution only uses subterms from the original, uninstantiated constraint sequence
  • $\forall x.\ Subterms(x\sigma) \subseteq Subterms(C)\sigma$ closed under $\cdot$, inverse and exponentiation
  • All subterms used in the conservative solution are drawn from a finite set which is known before any variables are instantiated
  • Lemma: if $C$ has a solution, then $C$ has a conservative solution
  • This lemma allows us to derive a bound on the size of the attack

28
Symbolic Decision Procedure
  • Symbolic constraints generated from protocol: $u_1$ from $T_1, \ldots, u_n$ from $T_n$
  • Monotonic: $T_1 \subseteq \ldots \subseteq T_n$
  • Satisfy the variable stability condition
  • Guess all equalities between subterms
  • Finite number of possible unifiers modulo AG
  • Guess the order in which subterms are derived
  • Replace exponentiation by $\cdot$ and inverse
  • Reduce to a decidable system of quadratic Diophantine equations
  • Solvable iff a linear subsystem is solvable
29
Back to A-GDH.2
(Figure: each constraint from the A-GDH.2 trace rewritten as a constraint on exponents; "--" stands for the knowledge already listed in the preceding constraints.)
  $\alpha^{X_1}$ from $\alpha, k_{cz}$ becomes $X_1$ from $k_{cz}$
  $\alpha^{Z_1}$ from --, $\alpha^{X_1}, \alpha^{r_b}, \alpha^{X_1 r_b}$ becomes $r_b^{-1} Z_1$ from $k_{cz}$
  $\alpha^{Z_2}$ from -- becomes $r_b^{-1} Z_2$ from $k_{cz}$
  $\alpha^{Z_3}$ from -- becomes $r_b^{-1} Z_3$ from $k_{cz}$
  $\alpha^{Z_4}$ from -- becomes $r_b^{-1} Z_4$ from $k_{cz}$
  $\alpha^{V_1}$ from --, $\alpha^{Z_1 r_z K_{az}}, \alpha^{Z_2 r_z K_{bz}}, \alpha^{Z_3 r_z K_{cz}}$ becomes $Z_3^{-1} r_z^{-1} k_{cz}^{-1} V_1$ from $k_{cz}$
  $\alpha^{W_2 K_{bz}}$ from --, $\alpha^{V_1}, \alpha^{q_b}, \alpha^{V_1 q_b}$ becomes $Z_2^{-1} r_z^{-1} W_2$ from $k_{cz}$
  $\alpha^{W_2 q_b}$ from -- becomes $V_1^{-1} W_2$ from $k_{cz}$
Only $\cdot$ and inverse used in derivation. Reduces to system of Diophantine equations.
Key insight: under the Diffie-Hellman assumption, attacker can produce $\alpha^x$ from $\alpha^y$ if and only if he can produce $y^{-1}x$ (since $\alpha^x = (\alpha^y)^{y^{-1}x}$)
30
Decidable Quadratic Equations
Only $\cdot$ and inverse used in each derivation
  • $u_1 X_{11} \cdots X_{1k_1}$ from $t_{11}, \ldots, t_{m1}$
  • $u_2 X_{21} \cdots X_{2k_2}$ from $t_{21}, \ldots, t_{m2}$
  • $u_n X_{n1} \cdots X_{nk_n}$ from $t_{n1}, \ldots, t_{mn}$
  • Convert each constraint into a Diophantine equation
  • $u_i X_{i1} \cdots X_{ik}$ from $t_{i1}, \ldots, t_{im}$ becomes $u_i X_{i1} \cdots X_{ik} = t_{i1}^{z_1} \cdots t_{im}^{z_m}$ for integer $z_j$
  • If some $t_{ij}$ is a variable, equation becomes quadratic, for example
  • $a^2 \cdot X = (a \cdot b)^{z_1}$
  • $a^6 = (a \cdot b)^{z_2} \cdot (b \cdot X)^{z_3}$
  • Equations associated with execution traces have special structure
  • If a variable occurs on the right, it must previously occur on the left
  • All terms used to construct the variable where it first occurred are available in every subsequent constraint

31
Intuition Behind Decidability
$a^2 \cdot X = (a \cdot b)^{z_1}$, $a^6 = (a \cdot b)^{z_2} \cdot (b \cdot X)^{z_3}$
  • substitute $X$:

$a^6 = (a \cdot b)^{z_2} \cdot (b \cdot a^{-2} \cdot (a \cdot b)^{z_1})^{z_3}$
  • group $(a \cdot b)$ terms together:
$a^6 = (a \cdot b)^{z} \cdot (b \cdot a^{-2})^{z_3}$, where $z = z_2 + z_1 \cdot z_3$
Quadratic part always has a solution because $z_2$ is unconstrained
32
Is There A Feasible Attack? Yes!
Symbolic trace: B receives $\alpha, \alpha^{X_1}$; B sends $\alpha^{X_1}, \alpha^{r_b}, \alpha^{X_1 r_b}$; Z receives $\alpha^{Z_1}, \alpha^{Z_2}, \alpha^{Z_3}, \alpha^{Z_4}$; Z sends $\alpha^{Z_1 r_z K_{az}}, \alpha^{Z_2 r_z K_{bz}}, \alpha^{Z_3 r_z K_{cz}}$; B receives $\alpha, \alpha^{V_1}$; B sends $\alpha^{V_1}, \alpha^{q_b}, \alpha^{V_1 q_b}$; B receives $W_1, \alpha^{W_2 K_{bz}}, W_3$; finally the attacker must produce $\alpha^{W_2 q_b}$
Attacker can learn this value by clever variable instantiation
33
Attack on A-GDH.2
  • Suppose two sessions are run concurrently, and malicious C wants to learn the session key of the session from which he is excluded

(Figure: the two sessions of slide 7 with the attacker's replacements marked.)
1. Replace $\alpha^{X_1}$ with $\alpha^1$
2. Replace $\alpha^{Z_1}, \alpha^{Z_2}, \alpha^{Z_3}, \alpha^{Z_4}$ with $\alpha^{r_b}, \alpha^{r_b}, \alpha^{r_b}, \alpha^{r_b}$
3. Replace $\alpha^{V_1}$ with $\alpha^{r_b r_z k_{cz}}$
4. Replace $\alpha^{W_2 K_{bz}}$ with $\alpha^{r_b r_z k_{bz}}$
Attacks of this type can be found automatically from protocol specification
Attack: B will use $\alpha^{r_b r_z q_b}$ as session key, which attacker can compute as $(\alpha^{r_b r_z k_{cz} q_b})^{k_{cz}^{-1}}$
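The attack above replayed in code, as an added example that is not part of the slides: A-GDH.2 exponents are modelled as an Abelian group (a dict from exponent atom to integer power), the B and Z roles compute exactly the messages of slide 10, and the slide 29 criterion decides whether C can turn some $\alpha^y$ he holds into $\alpha^x$ (iff $y^{-1}x$ uses only exponents he knows). The encoding and the assumption that C's only usable exponent is $k_{cz}$ are this example's own; an undisturbed session 2 is included as a baseline.

```python
# Added example (not from the slides): the slide-33 attack on A-GDH.2 replayed with
# exponents as an Abelian group: alpha^e is a dict {atom: integer power}, product =
# exponent addition, inverse = negation. Encoding and C's knowledge set are assumed.
def exp(*atoms):
    """Exponent with each named atom to the power 1; exp() is alpha itself."""
    e = {}
    for a in atoms:
        e[a] = e.get(a, 0) + 1
    return e

def mul(*es):
    """alpha^x * alpha^y * ... = alpha^(x + y + ...); zero powers are dropped."""
    out = {}
    for e in es:
        for a, n in e.items():
            out[a] = out.get(a, 0) + n
    return {a: n for a, n in out.items() if n}

def inv(e):
    return {a: -n for a, n in e.items()}

KNOWN = {'kcz'}   # exponents C can use freely: his long-term key shared with Z

def derivable(x, held):
    """Slide-29 criterion: C obtains alpha^x from some held alpha^y iff the
    exponent y^-1 x is built only from exponents he knows."""
    return any(all(a in KNOWN for a in mul(x, inv(y))) for y in held)

def b_upflow(x1, rb):           # B gets <alpha, alpha^X1>, sends <alpha^X1, alpha^rb, alpha^(X1 rb)>
    return [x1, rb, mul(x1, rb)]

def z_downflow(z1, z2, z3, rz): # Z sends <alpha^(Z1 rz Kaz), alpha^(Z2 rz Kbz), alpha^(Z3 rz Kcz)>
    return [mul(z1, rz, exp('kaz')), mul(z2, rz, exp('kbz')), mul(z3, rz, exp('kcz'))]

def b_session_key(w2kbz, rb):   # B computes (alpha^(W2 Kbz))^(Kbz^-1 rb)
    return mul(w2kbz, inv(exp('kbz')), rb)

def agdh2_attack():
    """Steps 1-4 of slide 33; returns B's session key and whether C derives it."""
    rb, rz, qb = exp('rb'), exp('rz'), exp('qb')
    held = [exp()] + b_upflow(exp(), rb)        # 1: alpha^X1 := alpha^1, B reveals alpha^rb
    down = z_downflow(rb, rb, rb, rz)           # 2: alpha^Z1..Z4 := alpha^rb
    held += down + b_upflow(down[2], qb)        # 3: alpha^V1 := alpha^(rb rz kcz)
    key = b_session_key(down[1], qb)            # 4: alpha^(W2 Kbz) := alpha^(rb rz kbz)
    return key, derivable(key, held)            # key alpha^(rb rz qb); C holds alpha^(rb rz kcz qb)

def honest_session():
    """Undisturbed session 2 (A, B, Z only): C must not derive alpha^(qa qb qz)."""
    qa, qb, qz = exp('qa'), exp('qb'), exp('qz')
    held = [exp()] + b_upflow(qa, qb) + [mul(qb, qz, exp('kaz')), mul(qa, qz, exp('kbz'))]
    key = mul(qa, qb, qz)
    return key, derivable(key, held)
```

The attack run returns B's key $\alpha^{r_b r_z q_b}$ together with `True`, because the held $\alpha^{r_b r_z k_{cz} q_b}$ differs from it by $k_{cz}^{-1}$ alone; the honest run returns `False` for every held element, which is the Diffie-Hellman assumption at work.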
34
Decision Procedures
  • Free (black-box) algebra: decidable
  • Implemented as an easy-to-use analysis tool
  • XOR: decidable
  • All integer variables are equal to 0 or 1
  • (Group) Diffie-Hellman: decidable
  • System of quadratic Diophantine equations, which
    is solvable if and only if a linear subsystem is
    solvable
  • Some restrictions (no products in exponentiation
    base)
  • Blind signatures, super-exponentiation, ...: current research
  • Axiomatic models of various cryptographic
    primitives: current research
35
Example Secure Teleconferencing