Vitaly Shmatikov

1
Constraint-Based MethodsAdding Algebraic
Properties toSymbolic Models

• Vitaly Shmatikov
• SRI International

2
One-Slide Summary

• Constraint solving is a symbolic analysis
  method for cryptographic protocols
• Decidable without finite bounds on the attacker
• Big win over finite-state checking (FDR, Mur?,
  etc.)
• Only need to specify behavior of honest
  participants
• Can be extended with algebraic theories for XOR,
  modular multiplication, Diffie-Hellman
• Push-button procedure for finding both Dolev-Yao
  and algebraic attacks (e.g., Pereira-Quisquater)
• Works only for a finite number of sessions
• Attack template must be expressed as a symbolic
  execution trace

3
Dolev-Yao Model

• Inspired by a 1983 paper
• D. Dolev and A. Yao. On the security of public
  key protocols. IEEE Transactions on Information
  Theory, 29(2)198-208.
• Adversary is a nondeterministic process
• Can read any message, decompose it into parts and
  re-assemble
• Cannot gain partial knowledge, perform
  statistical tests,
• Black-box cryptography
• Adversary can decrypt if and only if he knows the
  correct key
• Assumes that cryptographic functions have no
  special properties
• Most mechanized formal methods for security
  analysis use some version of this model

4
Protocol Analysis Techniques
Protocol Analysis Techniques
Formal Models
Computational Models
(no probabilities)
Probabilistic poly-time Random oracle
Modal Logics
Decidable
Inductive Proofs
Process Calculi

Infinite message space, finite sessions
Finite-state
Attacker algebra with equational theory
Free attacker algebra
5
Protocol Analysis Meets Algebra

• Dolev-Yao model uses black-box cryptography
• Many crypto primitives are not black boxes
• XOR a?b b?a a?a 0
• Modular exponentiation ?xy ?yx (?xy)x-1 ?y
• Attacker can and will exploit algebraic
  properties
• Ryan-Schneider attack on Bulls recursive
  authentication protocol
• Pereira-Quisquater attack on A-GDH.2 protocol
• Goal fully automated analysis of protocols with
  relevant algebraic theories
• GDOI, group key management protocols,

6
A-GDH.2 Protocol
Ateniese, Steiner, Tsudik 00
p is prime q is prime divisor of p-1 ? is
generator of cyclic sub- group of Zp of
order q

• Parties start with pairwise keys Kaz,Kbz,Kcz
• The goal is to establish common session key
  ?rarbrcrz

A
C
B
Z
Computes session key ?rarbrcrz as
(?rarcrzKbz)Kbz-1rb
7
Is This Protocol Secure?

• Suppose two sessions are run concurrently, and
  malicious C wants to
• learn the session key of the session from which
  he is excluded

A
B
C
A
B
C
?ra,?rb, ?rarb
?qa, ?qb, ?qaqb
?,?ra
?,?qa
?rbrc, ?rarc, ?rarb, ?rarbrc
?rbrcrzKaz, ?rarcrzKbz, ?rarbrzKcz
?qbqzKaz, ?qaqzKbz
Z
Z
Can the attacker who controls the network and
participates in the 1st session learn the session
key of the 2nd session?
8
Model Checking Approach

• Two sources of infinite behavior
• Multiple protocol sessions, multiple participant
  roles
• Message space or data space may be infinite
• Finite approximation
• Assume finite number of participants
• Example 2 clients, 2 servers
• Assume finite message space
• Represent random numbers by r1, r2, r3,
• Do not allow encrypt(encrypt(encrypt()))

This restriction is necessary (or the problem is
undecidable)
This is restriction is not necessary for fully
automated analysis!
9
Infinite-State Protocol Model
Amadio and Lugiez 00
Rusinowitch and Turuani 01

• Finite number of processes
• Each process models a protocol role
• Messages modeled as terms with variables
• Variables represent data under attackers control
• Attacker capabilities modeled by a term algebra
• No artificial bounds on attacker computations
• Generates an infinite space of possible attacker
  messages
• Protocol analysis problem reduces to a decidable
  symbolic constraint solving problem
• Easy-to-use, practical software for protocol
  analysis

Boreale 01
Millen and Shmatikov 01
10
Roles in A-GDH.2 Protocol
A
C
B
?,?ra
?ra,?rb,?rarb
?rbrc,?rarc,?rarb,?rarbrc
Z
?rbrcrzKaz, ?rarcrzKbz, ?rarbrzKcz
B role
Z role
B ? ?,?X1 B ? ?X1,?rb,?X1rb B ? Y1,?Y2Kbz,Y3
Z ? ?Z1,?Z2,?Z3,?Z4 Z ? ?Z1rzKaz,?Z2rzKbz,?Z3rzKcz

• Variables represent terms unknown to the party
  who plays the role
• Attacker can instantiate a variable with any
  value, but instantiation must be consistent in
  all terms where it occurs

11
Symbolic Execution Trace

• Suppose two sessions are run concurrently, and
  malicious C wants to
• learn the session key of the session from which
  he is excluded

A
B
C
A
B
C
?ra,?rb, ?rarb
?qa, ?qb, ?qaqb
?,?ra
?,?qa
B ? ?,?X1 B ? ?X1,?rb,?X1rb Z ? ?Z1,?Z2,?Z3,?Z4 Z
? ?Z1rzKaz,?Z2rzKbz,?Z3rzKcz B ? ?,?V1 B ?
?V1,?qb,?V1qb B ? W1,?W2Kbz,W3
?rbrc, ?rarc, ?rarb, ?rarbrc
?rbrcrzKaz, ?rarcrzKbz, ?rarbrzKcz
?qbqzKaz, ?qaqzKbz
Z
Z
12
Is There A Feasible Attack?
B ? ?,?X1 B ? ?X1,?rb,?X1rb Z ? ?Z1,?Z2,?Z3,?Z4 Z
? ?Z1rzKaz,?Z2rzKbz,?Z3rzKcz B ? ?,?V1 B ?
?V1,?qb,?V1qb B ? W1,?W2Kbz,W3 ? ?W2qb
B will use this value as session key. If
attacker can learn (and announce) it, the
protocol is broken.

• This attack is feasible if and only if
• the attacker can consistently instantiate all
  variables in the trace so
• that he can produce every message received by
  B and Z

13
Symbolic Attack Traces

• Attack is modeled as a symbolic execution trace
• A trace is a sequence of message send and receive
  events
• Attack trace ends in a violation (e.g., attacker
  learns the secret)
• Messages contain variables, modeling data
  controlled by attacker
• Adequate for trace-based security properties
• Secrecy, authentication, some forms of fairness
• A symbolic trace may or may not have a feasible
  concrete instantiation
• Finding whether such an instantiation exists is
  the main goal of symbolic (infinite-state)
  protocol analysis

14
From Attack Traces to Constraints

• For each message sent by the attacker in the
  attack trace, create a symbolic constraint
• mi is the message attacker needs to send
• t1,,tn are the messages observed by attacker up
  to this point
• Attack is feasible if and only if
• all constraints are satisfiable simultaneously
• There exists an instantiation ? such that ?i mi?
  can be derived
• from t1?, , tn? in attackers term algebra

mi from t1, , tn
15
Constraint Generation for A-GDH.2
B ? ?,?X1 B ? ?X1,?rb,?X1rb Z ?
?Z1,?Z2,?Z3,?Z4 Z ? ?Z1rzKaz,?Z2rzKbz,?Z3rzKcz
B ? ?,?V1 B ? ?V1,?qb,?V1qb B ? W1,?W2Kbz,W3
? ?W2qb
from ?,kcz (attackers initial knowledge)
from ?,kcz,?X1,?rb,?X1rb
from ?,kcz,?X1,?rb,?X1rb,
?Z1rzKaz,?Z2rzKbz,?Z3rzKcz
16
Dolev-Yao Term Algebra

• Attackers term algebra is a set of derivation
  rules

T?u T?v T?u,v
T?u T?v T?cryptuv
v?T T?u
if uv? for some ?
T?u,v T?v
T?u,v T?u
T?cryptuv T?u T?v
Symbolic constraint m from t1, , tn is
satisfiable if and only if there is a
substitution ? such that t1?, , tn? ? m? is
derivable using these rules
17
Properties of Term Algebra

• No restriction on structural size of terms
• The closure of any term set under derivation
  rules is infinite
• There is no a priori bound on attacker
  computations
• Untyped
• Attacker doesnt have to comply with the protocol
  specification
• Attacker may substitute a ciphertext for a random
  number, a key for an output of a hash function,
  etc.
• Symmetric encryption with non-atomic keys
• Can add an equational theory to model algebraic
  properties of cryptographic functions
• XOR, modular exponentiation, blinded signatures,

18
Solving Symbolic Constraints
Millen and Shmatikov CCS 01

• Constraint reduction rules
• Replace each mi from Ti with one or more simpler
  constraints
• Preserve essential properties of the constraint
  sequence
• Nondeterministic reduction procedure
• Structure-driven, but several rules may apply in
  any state
• Exponential in the worst case (the problem is
  NP-complete)
• The procedure is terminating and complete
• If T? ? m? is derivable in attackers term
  algebra,
• There exists reduction rule rr(?) which is
  applicable to m from T and produces some m from
  T such that
• T? ? m? is derivable in attackers term algebra

19
Reduction Rules
m1,m2 from T m1 from T m2 from T
cryptkm from T m from T k
from T
(pair)
(enc)
m from T, v m from T
m from t, T ___ add mgu(t,m) to ?
(un)
(elim)
m from cryptuv, T u from cryptu?v?, T m from
cryptuv, v, T
m from u,v, T m from u, v, T
(dec)
(split)
20
Reduction Procedure
Initial constraint sequence
apply every possible reduction rule to first m
from T where m is not a variable


No rule is applicable
v1 from T1 vN from TN
or
If reduction tree has at least one such sequence
as a leaf, there is a solution, and attack trace
is feasible
21
Symbolic Analysis Summary
specified by the analyst
Formal specification of protocol roles
attacker is implicit! variables model attackers
input
fully automated
Attack (violating execution trace)
may not have a feasible instantiation
Sequence of symbolic constraints
satisfiable if and only if there exists a
feasible instantiation of attack trace
Decidable constraint solving procedure
22
Lets Add Algebraic Properties

• Verification of trace-based security properties
• is decidable for protocols with XOR
• Comon-Lundh and Shmatikov (LICS 03)
• Chevalier, K?sters, Rusinowitch, Turuani (LICS
  03)
• reduces to a system of quadratic Diophantine
  equations for protocols with Abelian groups
• Millen and Shmatikov (CSFW 03)
• is decidable for a restricted class of
  protocols with modular exponentiation
• Chevalier, K?sters, Rusinowitch, Turuani (FST/TCS
  03)
• is decidable for any well-defined protocol with
  products and modular exponentiation
• Shmatikov (ESOP 04)

23
Attacker Term Algebra
Dolev-Yao
v?T T?u
T?u,v T?u
T?u,v T?v
T?cryptuv T?u T?v
T?u T?v T?cryptuv
T?u T?v T?uv
T?u T?v T?u,v
T?u T?v T?u?v
T?u T?u-1
Associative (x ? y) ? z x ? (y ?
z) Commutative x ? y y ? x Normalization
x?x-1 ? 1 x?1 ? x rules
(x-1)-1 ? x (x?y)-1 ? y-1?x-1
x1 ? x (xy)z ? xy?z
24
Key Insights For Decidability

• In a well-defined protocol, honest participants
  dont need to guess values of attacker inputs
• Leads to a syntactic condition on usage of
  variables
• If attacker can derive u from T, then there is a
  derivation which uses only subterms of T and u
• If constraints are satisfiable, then there is an
  attack in which every variable is instantiated by
  a product of subterms drawn from a finite set

25
Origination Stability

• Variable origination condition
• If C is a constraint sequence generated from an
  execution trace,
• then there exists a linear ordering lt on
  Vars(C) such that
• if x appears for the first time in mi from Ti
  ? C,
• then x ? Vars(mi) and ? y ? Vars(Ti) y lt x
• This condition must be satisfied by C? after any
  partial substitution ?
• Rules out only ill-defined protocols
• A?B X?Y
• B?A X

Requires B to split a product of two unknown
values
26
Normal Derivations
tn?T T?tn
t1?T T?t1
t2?T T?t2



T?v
T?v1
T?vk

T?u
Lemma if T?u is derivable, then there is a
normal derivation
27
Conservative Solutions

• Conservative solution only uses subterms from the
  original, uninstantiated constraint sequence
• ?x Subterms(x?) ? Subterms(C)? closed under ?,
  inverse and
• exponentiation
• All subterms used in the conservative solution
  are drawn from a finite set which is known before
  any variables are instantiated
• Lemma if C has a solution,
• then C has a conservative
  solution
• This lemma allows to derive a bound on the size
  of the attack

28
Symbolic Decision Procedure

• u1 from T1 , , un from Tn
• Monotonic T1 ? ? Tn
• Satisfy the variable stability condition
• Guess all equalities between subterms
• Finite number of possible unifiers modulo AG
• Guess the order in which subterms are derived
• Replace exponentiation by ? and inverse
• Reduce to a decidable system of
• quadratic Diophantine equations

symbolic constraints generated from protocol
Solvable iff a linear subsystem is solvable
29
Back to A-GDH.2
?X1
from ?,kcz
X1
from kcz
from --,?X1,?rb,?X1rb
?Z1
rb-1Z1
from kcz
from --
?Z2
Only ? and inverse used in derivation. Reduces to
system of Diophantine equations.
rb-1Z2
from kcz
from --
?Z3
rb-1Z3
from kcz
from --
?Z4
rb-1Z4
from kcz
?V1
from --, ?Z1rzKaz,?Z2rzKbz,
?Z3rzKcz
Z3-1rz-1kcz-1V1
from kcz
?W2Kbz
Z2-1rz-1W2
from kcz
from --, ?V1,?qb,?V1qb
V1-1W2
from kcz
?W2qb
from --
Key insight under the Diffie-Hellman assumption,
attacker can produce ?x from ?y
if and only if he can produce y-1x (?x(?y)y-1x)
30
Decidable Quadratic Equations
Only ? and inverse used in each derivation

• u1X11X1k1 from t11, , tm1
• u2X21X2k2 from t21, , tm2
• unXn1Xnkn from tn1, , tmn

• Convert each constraint into a Diophantine
  equation
• uiXi1Xik from ti1, , tim becomes uiXi1Xik
  ti1z1 timzm for integer zj
• If some tij is a variable, equation becomes
  quadratic, for example
• a2?X (a?b)z1
• a6 (a?b)z2?(b?X)z3
• Equations associated with execution traces have
  special structure
• If a variable occurs on the right, it must
  previously occur on the left
• All terms used to construct the variable where it
  first occurred are available in every subsequent
  constraint

31
Intuition Behind Decidability
a2?X (a?b)z1 a6 (a?b)z2?(b?X)z3

• substitute X

a6 (a?b)z2?(b?a-2?(a?b)z1)z3
group (a?b) terms together
a6 (a?b)z?(b?a-2)z3 z z2 z1?z3
Quadratic part always has a solution because z2
is unconstrained
32
Is There A Feasible Attack? Yes!
B ? ?,?X1 B ? ?X1,?rb,?X1rb Z ? ?Z1,?Z2,?Z3,?Z4 Z
? ?Z1rzKaz,?Z2rzKbz,?Z3rzKcz B ? ?,?V1 B ?
?V1,?qb,?V1qb B ? W1,?W2Kbz,W3 ? ?W2qb
Attacker can learn this value by clever variable
instantiation
33
Attack on A-GDH.2

• Suppose two sessions are run concurrently, and
  malicious C wants to
• learn the session key of the session from which
  he is excluded

1. Replace with ?1
3. Replace with ?rbrzkcz
A
B
A
B
?ra,?rb, ?rarb
?qb, ?qb, ?qaqb
?,?ra
?,?qb
Attacks of this type can be found automatically
from protocol specification
?rbrc, ?rarc, ?rarb, ?rarbrc
?rbrcrzKaz, ?rarcrzKbz, ?rarbrzKcz
?qbqzKaz, ?qaqzKbz
Z
Z
4. Replace with ?rbrzkbz
2. Replace with ?rb,?rb,?rb,?rb
Attack B will use ?rbrzqb as session key,
which attacker can compute as
(?rbrzkczqb)kcz-1
34
Decision Procedures
?

• Free (black-box) algebra decidable
• Implemented as an easy-to-use analysis tool
• XOR decidable
• All integer variables are equal to 0 or 1
• (Group) Diffie-Hellman decidable
• System of quadratic Diophantine equations, which
  is solvable if and only if a linear subsystem is
  solvable
• Some restrictions (no products in exponentiation
  base)
• Blind signatures, super-exponentiation, ...
• Axiomatic models of various cryptographic
  primitives

?
?
Current research
35
Example Secure Teleconferencing