Title: Vitaly Shmatikov
Slide 1: Constraint-Based Methods: Adding Algebraic Properties to Symbolic Models
- Vitaly Shmatikov
- SRI International
Slide 2: One-Slide Summary
- Constraint solving is a symbolic analysis method for cryptographic protocols
  - Decidable without finite bounds on the attacker
  - Big win over finite-state checking (FDR, Murφ, etc.)
  - Only need to specify behavior of honest participants
  - Can be extended with algebraic theories for XOR, modular multiplication, Diffie-Hellman
  - Push-button procedure for finding both Dolev-Yao and algebraic attacks (e.g., Pereira-Quisquater)
  - Works only for a finite number of sessions
  - Attack template must be expressed as a symbolic execution trace
Slide 3: Dolev-Yao Model
- Inspired by a 1983 paper
  - D. Dolev and A. Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 29(2):198-208.
- Adversary is a nondeterministic process
  - Can read any message, decompose it into parts and re-assemble
  - Cannot gain partial knowledge, perform statistical tests, ...
- Black-box cryptography
  - Adversary can decrypt if and only if he knows the correct key
  - Assumes that cryptographic functions have no special properties
- Most mechanized formal methods for security analysis use some version of this model
Slide 4: Protocol Analysis Techniques
Figure (reconstructed outline of the taxonomy shown on the slide):
- Formal models (no probabilities)
  - Modal logics
  - Inductive proofs
  - Process calculi
  - Decidable
    - Finite-state
    - Infinite message space, finite sessions
      - Free attacker algebra
      - Attacker algebra with equational theory
- Computational models
  - Probabilistic poly-time
  - Random oracle
Slide 5: Protocol Analysis Meets Algebra
- Dolev-Yao model uses black-box cryptography
- Many crypto primitives are not black boxes
  - XOR: $a \oplus b = b \oplus a$, $a \oplus a = 0$
  - Modular exponentiation: $(\alpha^x)^y = (\alpha^y)^x$, $((\alpha^x)^y)^{x^{-1}} = \alpha^y$
- Attacker can and will exploit algebraic properties
  - Ryan-Schneider attack on Bull's recursive authentication protocol
  - Pereira-Quisquater attack on the A-GDH.2 protocol
- Goal: fully automated analysis of protocols with relevant algebraic theories
  - GDOI, group key management protocols, ...
Slide 6: A-GDH.2 Protocol
[Ateniese, Steiner, Tsudik '00]
$p$ is prime, $q$ is a prime divisor of $p-1$, $\alpha$ is a generator of the cyclic subgroup of $\mathbb{Z}_p$ of order $q$.
- Parties start with pairwise keys $K_{az}, K_{bz}, K_{cz}$ (each of A, B, C shares a key with the group controller Z)
- The goal is to establish the common session key $\alpha^{r_a r_b r_c r_z}$
Figure: message flow among A, B, C and Z (the messages are listed on slide 10):
  A → B: $\alpha,\ \alpha^{r_a}$
  B → C: $\alpha^{r_a},\ \alpha^{r_b},\ \alpha^{r_a r_b}$
  C → Z: $\alpha^{r_b r_c},\ \alpha^{r_a r_c},\ \alpha^{r_a r_b},\ \alpha^{r_a r_b r_c}$
  Z → A, B, C: $\alpha^{r_b r_c r_z K_{az}},\ \alpha^{r_a r_c r_z K_{bz}},\ \alpha^{r_a r_b r_z K_{cz}}$
B computes the session key $\alpha^{r_a r_b r_c r_z}$ as $(\alpha^{r_a r_c r_z K_{bz}})^{K_{bz}^{-1} r_b}$.
Slide 7: Is This Protocol Secure?
- Suppose two sessions are run concurrently, and malicious C wants to learn the session key of the session from which he is excluded
Figure: the two concurrent sessions.
Session 1 (members A, B, C; controller Z):
  A → B: $\alpha,\ \alpha^{r_a}$
  B → C: $\alpha^{r_a},\ \alpha^{r_b},\ \alpha^{r_a r_b}$
  C → Z: $\alpha^{r_b r_c},\ \alpha^{r_a r_c},\ \alpha^{r_a r_b},\ \alpha^{r_a r_b r_c}$
  Z broadcasts: $\alpha^{r_b r_c r_z K_{az}},\ \alpha^{r_a r_c r_z K_{bz}},\ \alpha^{r_a r_b r_z K_{cz}}$
Session 2 (members A, B; controller Z; C is not a member):
  A → B: $\alpha,\ \alpha^{q_a}$
  B sends: $\alpha^{q_a},\ \alpha^{q_b},\ \alpha^{q_a q_b}$
  Z broadcasts: $\alpha^{q_b q_z K_{az}},\ \alpha^{q_a q_z K_{bz}}$
Can the attacker who controls the network and participates in the 1st session learn the session key of the 2nd session?
Slide 8: Model Checking Approach
- Two sources of infinite behavior
  - Multiple protocol sessions, multiple participant roles
  - Message space or data space may be infinite
- Finite approximation
  - Assume a finite number of participants
    - Example: 2 clients, 2 servers
    - This restriction is necessary (or the problem is undecidable)
  - Assume a finite message space
    - Represent random numbers by $r_1, r_2, r_3, \ldots$
    - Do not allow encrypt(encrypt(encrypt(...)))
    - This restriction is not necessary for fully automated analysis!
Slide 9: Infinite-State Protocol Model
[Amadio and Lugiez '00], [Rusinowitch and Turuani '01], [Boreale '01], [Millen and Shmatikov '01]
- Finite number of processes
  - Each process models a protocol role
- Messages modeled as terms with variables
  - Variables represent data under the attacker's control
- Attacker capabilities modeled by a term algebra
  - No artificial bounds on attacker computations
  - Generates an infinite space of possible attacker messages
- Protocol analysis problem reduces to a decidable symbolic constraint solving problem
  - Easy-to-use, practical software for protocol analysis
Slide 10: Roles in A-GDH.2 Protocol
Figure: the honest run.
  A → B: $\alpha,\ \alpha^{r_a}$
  B → C: $\alpha^{r_a},\ \alpha^{r_b},\ \alpha^{r_a r_b}$
  C → Z: $\alpha^{r_b r_c},\ \alpha^{r_a r_c},\ \alpha^{r_a r_b},\ \alpha^{r_a r_b r_c}$
  Z broadcasts: $\alpha^{r_b r_c r_z K_{az}},\ \alpha^{r_a r_c r_z K_{bz}},\ \alpha^{r_a r_b r_z K_{cz}}$
B role:
  B ← $\alpha,\ \alpha^{X_1}$
  B → $\alpha^{X_1},\ \alpha^{r_b},\ \alpha^{X_1 r_b}$
  B ← $Y_1,\ \alpha^{Y_2 K_{bz}},\ Y_3$
Z role:
  Z ← $\alpha^{Z_1},\ \alpha^{Z_2},\ \alpha^{Z_3},\ \alpha^{Z_4}$
  Z → $\alpha^{Z_1 r_z K_{az}},\ \alpha^{Z_2 r_z K_{bz}},\ \alpha^{Z_3 r_z K_{cz}}$
- Variables represent terms unknown to the party who plays the role
- Attacker can instantiate a variable with any value, but the instantiation must be consistent in all terms where it occurs
Slide 11: Symbolic Execution Trace
- Suppose two sessions are run concurrently, and malicious C wants to learn the session key of the session from which he is excluded
Figure: the two concurrent sessions of slide 7, with the roles of session-1 B, session-1 Z and session-2 B written symbolically (variables $X, Z$ for session 1, $V, W$ for session 2):
  B ← $\alpha,\ \alpha^{X_1}$
  B → $\alpha^{X_1},\ \alpha^{r_b},\ \alpha^{X_1 r_b}$
  Z ← $\alpha^{Z_1},\ \alpha^{Z_2},\ \alpha^{Z_3},\ \alpha^{Z_4}$
  Z → $\alpha^{Z_1 r_z K_{az}},\ \alpha^{Z_2 r_z K_{bz}},\ \alpha^{Z_3 r_z K_{cz}}$
  B (session 2) ← $\alpha,\ \alpha^{V_1}$
  B (session 2) → $\alpha^{V_1},\ \alpha^{q_b},\ \alpha^{V_1 q_b}$
  B (session 2) ← $W_1,\ \alpha^{W_2 K_{bz}},\ W_3$
Slide 12: Is There A Feasible Attack?
  B ← $\alpha,\ \alpha^{X_1}$
  B → $\alpha^{X_1},\ \alpha^{r_b},\ \alpha^{X_1 r_b}$
  Z ← $\alpha^{Z_1},\ \alpha^{Z_2},\ \alpha^{Z_3},\ \alpha^{Z_4}$
  Z → $\alpha^{Z_1 r_z K_{az}},\ \alpha^{Z_2 r_z K_{bz}},\ \alpha^{Z_3 r_z K_{cz}}$
  B (session 2) ← $\alpha,\ \alpha^{V_1}$
  B (session 2) → $\alpha^{V_1},\ \alpha^{q_b},\ \alpha^{V_1 q_b}$
  B (session 2) ← $W_1,\ \alpha^{W_2 K_{bz}},\ W_3$, and computes $\alpha^{W_2 q_b}$
B will use this value as the session key. If the attacker can learn (and announce) it, the protocol is broken.
- This attack is feasible if and only if
  - the attacker can consistently instantiate all variables in the trace so that he can produce every message received by B and Z
Slide 13: Symbolic Attack Traces
- Attack is modeled as a symbolic execution trace
  - A trace is a sequence of message send and receive events
  - Attack trace ends in a violation (e.g., attacker learns the secret)
  - Messages contain variables, modeling data controlled by the attacker
- Adequate for trace-based security properties
  - Secrecy, authentication, some forms of fairness
- A symbolic trace may or may not have a feasible concrete instantiation
  - Finding whether such an instantiation exists is the main goal of symbolic (infinite-state) protocol analysis
Slide 14: From Attack Traces to Constraints
- For each message sent by the attacker in the attack trace, create a symbolic constraint
    $m_i$ from $t_1, \ldots, t_n$
  - $m_i$ is the message the attacker needs to send
  - $t_1, \ldots, t_n$ are the messages observed by the attacker up to this point
- Attack is feasible if and only if all constraints are satisfiable simultaneously
  - There exists an instantiation $\sigma$ such that for all $i$, $m_i\sigma$ can be derived from $t_1\sigma, \ldots, t_n\sigma$ in the attacker's term algebra
Slide 15: Constraint Generation for A-GDH.2
  B ← $\alpha,\ \alpha^{X_1}$:  $\alpha^{X_1}$ from $\alpha, K_{cz}$ (attacker's initial knowledge)
  B → $\alpha^{X_1},\ \alpha^{r_b},\ \alpha^{X_1 r_b}$
  Z ← $\alpha^{Z_1},\ \alpha^{Z_2},\ \alpha^{Z_3},\ \alpha^{Z_4}$:  each $\alpha^{Z_i}$ from $\alpha, K_{cz}, \alpha^{X_1}, \alpha^{r_b}, \alpha^{X_1 r_b}$
  Z → $\alpha^{Z_1 r_z K_{az}},\ \alpha^{Z_2 r_z K_{bz}},\ \alpha^{Z_3 r_z K_{cz}}$
  B (session 2) ← $\alpha,\ \alpha^{V_1}$:  $\alpha^{V_1}$ from $\alpha, K_{cz}, \alpha^{X_1}, \alpha^{r_b}, \alpha^{X_1 r_b}, \alpha^{Z_1 r_z K_{az}}, \alpha^{Z_2 r_z K_{bz}}, \alpha^{Z_3 r_z K_{cz}}$
  B (session 2) → $\alpha^{V_1},\ \alpha^{q_b},\ \alpha^{V_1 q_b}$
  B (session 2) ← $W_1,\ \alpha^{W_2 K_{bz}},\ W_3$, and computes $\alpha^{W_2 q_b}$:  $W_1, \alpha^{W_2 K_{bz}}, W_3$ from the terms above plus $\alpha^{V_1}, \alpha^{q_b}, \alpha^{V_1 q_b}$
Slide 16: Dolev-Yao Term Algebra
- Attacker's term algebra is a set of derivation rules ($crypt_u(v)$ denotes $v$ encrypted under key $u$):
  - (axiom) $v \in T \ \Rightarrow\ T \vdash u$, if $u = v\sigma$ for some substitution $\sigma$
  - (pairing) $T \vdash u,\ T \vdash v \ \Rightarrow\ T \vdash \langle u, v \rangle$
  - (projection) $T \vdash \langle u, v \rangle \ \Rightarrow\ T \vdash u$ and $T \vdash \langle u, v \rangle \ \Rightarrow\ T \vdash v$
  - (encryption) $T \vdash u,\ T \vdash v \ \Rightarrow\ T \vdash crypt_u(v)$
  - (decryption) $T \vdash crypt_u(v),\ T \vdash u \ \Rightarrow\ T \vdash v$
A symbolic constraint "$m$ from $t_1, \ldots, t_n$" is satisfiable if and only if there is a substitution $\sigma$ such that $t_1\sigma, \ldots, t_n\sigma \vdash m\sigma$ is derivable using these rules.
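Added example (not from the slides): a small Python checker for the ground, variable-free case of the term algebra above, applied as slide 14 prescribes to one concrete instantiation σ of a constraint sequence. Terms, the constructors `pair`/`crypt`, the two-constraint sequence and the substitutions are constructed for this example; the symbolic reduction rules of slide 19, which search for σ, are not implemented here. The check only decides whether a given σ makes every `m_i σ` derivable from `t_1 σ, ..., t_n σ`, which is exactly what a leaf of the reduction tree certifies. Keys may be composite terms, matching the "non-atomic keys" remark on slide 17.

```python
# Ground Dolev-Yao derivability and constraint-sequence check (added example,
# not the tool described in the slides).  Atoms and variables are strings
# (a substitution decides which strings are variables); ("pair", u, v) is the
# pair <u, v>; ("crypt", k, m) is m encrypted under key k, i.e. crypt_k(m).

def pair(u, v):
    return ("pair", u, v)


def crypt(k, m):
    return ("crypt", k, m)


def synthesize(m, known):
    """Composition rules: m is derivable if it is known outright, or it is a
    pair or ciphertext whose components (and key) are themselves derivable."""
    if m in known:
        return True
    if isinstance(m, tuple) and m[0] in ("pair", "crypt"):
        return synthesize(m[1], known) and synthesize(m[2], known)
    return False


def analyze(T):
    """Close T under the decomposition rules: project pairs and decrypt any
    ciphertext whose key can already be synthesized.  Iterate to a fixpoint,
    because a decryption may release a key that unlocks an earlier ciphertext."""
    known = set(T)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if isinstance(t, tuple) and t[0] == "pair":
                for part in t[1:]:
                    if part not in known:
                        known.add(part)
                        changed = True
            elif isinstance(t, tuple) and t[0] == "crypt":
                key, body = t[1], t[2]
                if body not in known and synthesize(key, known):
                    known.add(body)
                    changed = True
    return frozenset(known)


def derivable(m, T):
    """T |- m in the Dolev-Yao algebra: analyze T, then synthesize m."""
    return synthesize(m, analyze(T))


def instantiate(term, sigma):
    """Apply substitution sigma (variable name -> ground term) to a term."""
    if isinstance(term, str):
        return sigma.get(term, term)
    return (term[0],) + tuple(instantiate(x, sigma) for x in term[1:])


def feasible(constraints, sigma):
    """Slide 14: the attack trace is feasible under sigma iff every m_i*sigma is
    derivable from t_1*sigma, ..., t_n*sigma.  constraints is a list of
    (m_i, [t_1, ..., t_n]) pairs."""
    return all(
        derivable(instantiate(m, sigma), [instantiate(t, sigma) for t in T])
        for m, T in constraints
    )


# Constructed two-step trace (hypothetical, for illustration only): the attacker
# knows an atom a and the key kc.  First he must send some X encrypted under kc;
# the honest party then answers with the secret encrypted under whatever X was,
# and the attacker must recover the secret.  Solutions: X = kc, X = a, or any
# term the attacker can build, but not a fresh value he has never seen.
EXAMPLE_CONSTRAINTS = [
    (crypt("kc", "X"), ["a", "kc"]),
    ("secret", ["a", "kc", crypt("X", "secret")]),
]

if __name__ == "__main__":
    for sigma in ({"X": "kc"}, {"X": "a"}, {"X": pair("a", "kc")}, {"X": "n"}):
        print(sigma, "->", feasible(EXAMPLE_CONSTRAINTS, sigma))
```

The analysis-then-synthesis split is what makes the ground check terminate: decomposition can only produce subterms of `T`, so `analyze` reaches a fixpoint, and `synthesize` only recurses on subterms of the goal.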
Slide 17: Properties of Term Algebra
- No restriction on the structural size of terms
  - The closure of any term set under the derivation rules is infinite
  - There is no a priori bound on attacker computations
- Untyped
  - Attacker doesn't have to comply with the protocol specification
  - Attacker may substitute a ciphertext for a random number, a key for an output of a hash function, etc.
- Symmetric encryption with non-atomic keys
- Can add an equational theory to model algebraic properties of cryptographic functions
  - XOR, modular exponentiation, blinded signatures, ...
Slide 18: Solving Symbolic Constraints
[Millen and Shmatikov, CCS '01]
- Constraint reduction rules
  - Replace each "$m_i$ from $T_i$" with one or more simpler constraints
  - Preserve essential properties of the constraint sequence
- Nondeterministic reduction procedure
  - Structure-driven, but several rules may apply in any state
  - Exponential in the worst case (the problem is NP-complete)
- The procedure is terminating and complete
  - If $T\sigma \vdash m\sigma$ is derivable in the attacker's term algebra, then there exists a reduction rule $r$, applicable to "$m$ from $T$", which produces some "$m'$ from $T'$" such that $T'\sigma' \vdash m'\sigma'$ is derivable in the attacker's term algebra (for the substitution $\sigma'$ obtained from $\sigma$ by that rule)
Slide 19: Reduction Rules
  (pair)  $\langle m_1, m_2 \rangle$ from $T$  ⟹  $m_1$ from $T$;  $m_2$ from $T$
  (enc)  $crypt_k(m)$ from $T$  ⟹  $m$ from $T$;  $k$ from $T$
  (un)  $m$ from $t, T$  ⟹  add $mgu(t, m)$ to $\sigma$
  (elim)  $m$ from $T, v$  ⟹  $m$ from $T$  (a variable $v$ in the attacker's knowledge contributes nothing)
  (dec)  $m$ from $crypt_u(v), T$  ⟹  $u$ from $crypt_u(v), T$;  $m$ from $crypt_u(v), v, T$
  (split)  $m$ from $\langle u, v \rangle, T$  ⟹  $m$ from $u, v, T$
Slide 20: Reduction Procedure
Figure: the reduction tree.
  Start from the initial constraint sequence.
  Apply every possible reduction rule to the first "$m$ from $T$" where $m$ is not a variable (one branch per applicable rule).
  Each branch ends either with no rule applicable (dead end), or with a sequence $v_1$ from $T_1, \ldots, v_N$ from $T_N$ in which every left-hand side is a variable.
If the reduction tree has at least one such sequence as a leaf, there is a solution, and the attack trace is feasible.
Slide 21: Symbolic Analysis Summary
Figure: the analysis pipeline.
  Formal specification of protocol roles (specified by the analyst; the attacker is implicit: variables model the attacker's input)
  → Attack (violating execution trace) (specified by the analyst; may not have a feasible instantiation)
  → Sequence of symbolic constraints (fully automated; satisfiable if and only if there exists a feasible instantiation of the attack trace)
  → Decidable constraint solving procedure (fully automated)
Slide 22: Let's Add Algebraic Properties
- Verification of trace-based security properties
  - is decidable for protocols with XOR
    - Comon-Lundh and Shmatikov (LICS '03)
    - Chevalier, Küsters, Rusinowitch, Turuani (LICS '03)
  - reduces to a system of quadratic Diophantine equations for protocols with Abelian groups
    - Millen and Shmatikov (CSFW '03)
  - is decidable for a restricted class of protocols with modular exponentiation
    - Chevalier, Küsters, Rusinowitch, Turuani (FST/TCS '03)
  - is decidable for any well-defined protocol with products and modular exponentiation
    - Shmatikov (ESOP '04)
Slide 23: Attacker Term Algebra
Dolev-Yao rules:
  $v \in T \ \Rightarrow\ T \vdash u$ (if $u = v\sigma$)
  $T \vdash \langle u, v \rangle \ \Rightarrow\ T \vdash u$
  $T \vdash \langle u, v \rangle \ \Rightarrow\ T \vdash v$
  $T \vdash crypt_u(v),\ T \vdash u \ \Rightarrow\ T \vdash v$
  $T \vdash u,\ T \vdash v \ \Rightarrow\ T \vdash crypt_u(v)$
  $T \vdash u,\ T \vdash v \ \Rightarrow\ T \vdash \langle u, v \rangle$
Abelian group and exponentiation rules:
  $T \vdash u,\ T \vdash v \ \Rightarrow\ T \vdash u \cdot v$
  $T \vdash u,\ T \vdash v \ \Rightarrow\ T \vdash u^v$
  $T \vdash u \ \Rightarrow\ T \vdash u^{-1}$
Equational theory:
  Associative: $(x \cdot y) \cdot z = x \cdot (y \cdot z)$
  Commutative: $x \cdot y = y \cdot x$
Normalization rules:
  $x \cdot x^{-1} \to 1$,  $x \cdot 1 \to x$,  $(x^{-1})^{-1} \to x$,  $(x \cdot y)^{-1} \to y^{-1} \cdot x^{-1}$,  $x^1 \to x$,  $(x^y)^z \to x^{y \cdot z}$
Slide 24: Key Insights For Decidability
- In a well-defined protocol, honest participants don't need to guess values of attacker inputs
  - Leads to a syntactic condition on the usage of variables
- If the attacker can derive $u$ from $T$, then there is a derivation which uses only subterms of $T$ and $u$
- If the constraints are satisfiable, then there is an attack in which every variable is instantiated by a product of subterms drawn from a finite set
Slide 25: Origination Stability
- Variable origination condition
  - If $C$ is a constraint sequence generated from an execution trace, then there exists a linear ordering $<$ on $Vars(C)$ such that if $x$ appears for the first time in "$m_i$ from $T_i$" $\in C$, then $x \in Vars(m_i)$ and $\forall y \in Vars(T_i):\ y < x$
  - This condition must be satisfied by $C\sigma$ after any partial substitution $\sigma$
- Rules out only ill-defined protocols
  - A → B: $X \cdot Y$
  - B → A: $X$
  Requires B to split a product of two unknown values.
Slide 26: Normal Derivations
Figure: a normal derivation of $T \vdash u$, built from the axioms $t_1 \in T \Rightarrow T \vdash t_1$, $t_2 \in T \Rightarrow T \vdash t_2$, ..., $t_n \in T \Rightarrow T \vdash t_n$ through intermediate judgments $T \vdash v$, $T \vdash v_1$, ..., $T \vdash v_k$.
Lemma: if $T \vdash u$ is derivable, then there is a normal derivation.
Slide 27: Conservative Solutions
- A conservative solution only uses subterms from the original, uninstantiated constraint sequence
  - $\forall x:\ Subterms(x\sigma) \subseteq Subterms(C)\sigma$, closed under $\cdot$, inverse and exponentiation
- All subterms used in the conservative solution are drawn from a finite set which is known before any variables are instantiated
- Lemma: if $C$ has a solution, then $C$ has a conservative solution
  - This lemma allows us to derive a bound on the size of the attack
Slide 28: Symbolic Decision Procedure
- Input: $u_1$ from $T_1$, ..., $u_n$ from $T_n$ (symbolic constraints generated from the protocol)
  - Monotonic: $T_1 \subseteq \ldots \subseteq T_n$
  - Satisfy the variable stability (origination) condition
- Guess all equalities between subterms
  - Finite number of possible unifiers modulo AG
- Guess the order in which subterms are derived
- Replace exponentiation by $\cdot$ and inverse
- Reduce to a decidable system of quadratic Diophantine equations
  - Solvable iff a linear subsystem is solvable
Slide 29: Back to A-GDH.2
Each constraint on group elements reduces to a constraint on exponents (left: original constraint; right: reduced constraint, after choosing the element it is derived from):
  $\alpha^{X_1}$ from $\alpha, K_{cz}$  ⟹  $X_1$ from $K_{cz}$
  $\alpha^{Z_1}$ from $\alpha, \alpha^{X_1}, \alpha^{r_b}, \alpha^{X_1 r_b}$  ⟹  $r_b^{-1} Z_1$ from $K_{cz}$
  $\alpha^{Z_2}$ from $\alpha, \alpha^{X_1}, \alpha^{r_b}, \alpha^{X_1 r_b}$  ⟹  $r_b^{-1} Z_2$ from $K_{cz}$
  $\alpha^{Z_3}$ from $\alpha, \alpha^{X_1}, \alpha^{r_b}, \alpha^{X_1 r_b}$  ⟹  $r_b^{-1} Z_3$ from $K_{cz}$
  $\alpha^{Z_4}$ from $\alpha, \alpha^{X_1}, \alpha^{r_b}, \alpha^{X_1 r_b}$  ⟹  $r_b^{-1} Z_4$ from $K_{cz}$
  $\alpha^{V_1}$ from $\ldots, \alpha^{Z_1 r_z K_{az}}, \alpha^{Z_2 r_z K_{bz}}, \alpha^{Z_3 r_z K_{cz}}$  ⟹  $Z_3^{-1} r_z^{-1} K_{cz}^{-1} V_1$ from $K_{cz}$
  $\alpha^{W_2 K_{bz}}$ from $\ldots, \alpha^{V_1}, \alpha^{q_b}, \alpha^{V_1 q_b}$  ⟹  $Z_2^{-1} r_z^{-1} W_2$ from $K_{cz}$
  $\alpha^{W_2 q_b}$ from $\ldots, \alpha^{V_1}, \alpha^{q_b}, \alpha^{V_1 q_b}$  ⟹  $V_1^{-1} W_2$ from $K_{cz}$
Only $\cdot$ and inverse are used in the reduced derivations. This reduces to a system of Diophantine equations.
Key insight: under the Diffie-Hellman assumption, the attacker can produce $\alpha^x$ from $\alpha^y$ if and only if he can produce $y^{-1} x$ (since $\alpha^x = (\alpha^y)^{y^{-1} x}$).
Slide 30: Decidable Quadratic Equations
Only $\cdot$ and inverse are used in each derivation:
  $u_1 X_{11} \cdots X_{1k_1}$ from $t_{11}, \ldots, t_{1m_1}$
  $u_2 X_{21} \cdots X_{2k_2}$ from $t_{21}, \ldots, t_{2m_2}$
  ...
  $u_n X_{n1} \cdots X_{nk_n}$ from $t_{n1}, \ldots, t_{nm_n}$
- Convert each constraint into a Diophantine equation
  - "$u_i X_{i1} \cdots X_{ik}$ from $t_{i1}, \ldots, t_{im}$" becomes $u_i X_{i1} \cdots X_{ik} = t_{i1}^{z_1} \cdots t_{im}^{z_m}$ for integers $z_j$
  - If some $t_{ij}$ is a variable, the equation becomes quadratic, for example
    - $a^2 \cdot X = (a \cdot b)^{z_1}$
    - $a^6 = (a \cdot b)^{z_2} \cdot (b \cdot X)^{z_3}$
- Equations associated with execution traces have a special structure
  - If a variable occurs on the right, it must previously occur on the left
  - All terms used to construct the variable where it first occurred are available in every subsequent constraint
Slide 31: Intuition Behind Decidability
  $a^2 \cdot X = (a \cdot b)^{z_1}$,  $a^6 = (a \cdot b)^{z_2} \cdot (b \cdot X)^{z_3}$
Substitute $X = a^{-2} \cdot (a \cdot b)^{z_1}$ from the first equation into the second:
  $a^6 = (a \cdot b)^{z_2} \cdot (b \cdot a^{-2} \cdot (a \cdot b)^{z_1})^{z_3}$
Group the $(a \cdot b)$ terms together:
  $a^6 = (a \cdot b)^{z} \cdot (b \cdot a^{-2})^{z_3}$,  where $z = z_2 + z_1 \cdot z_3$
The quadratic part always has a solution because $z_2$ is unconstrained.
Slide 32: Is There A Feasible Attack? Yes!
  B ← $\alpha,\ \alpha^{X_1}$
  B → $\alpha^{X_1},\ \alpha^{r_b},\ \alpha^{X_1 r_b}$
  Z ← $\alpha^{Z_1},\ \alpha^{Z_2},\ \alpha^{Z_3},\ \alpha^{Z_4}$
  Z → $\alpha^{Z_1 r_z K_{az}},\ \alpha^{Z_2 r_z K_{bz}},\ \alpha^{Z_3 r_z K_{cz}}$
  B (session 2) ← $\alpha,\ \alpha^{V_1}$
  B (session 2) → $\alpha^{V_1},\ \alpha^{q_b},\ \alpha^{V_1 q_b}$
  B (session 2) ← $W_1,\ \alpha^{W_2 K_{bz}},\ W_3$, and computes $\alpha^{W_2 q_b}$
The attacker can learn this value by clever variable instantiation.
Slide 33: Attack on A-GDH.2
- Suppose two sessions are run concurrently, and malicious C wants to learn the session key of the session from which he is excluded
Figure: the two sessions of slide 7 with the attacker's replacements.
Session 1:
  A → B: $\alpha,\ \alpha^{r_a}$
    1. Replace $\alpha^{r_a}$ with $\alpha^1 = \alpha$ (so $X_1 = 1$)
  B sends: $\alpha,\ \alpha^{r_b},\ \alpha^{r_b}$ (in the honest run $\alpha^{r_a},\ \alpha^{r_b},\ \alpha^{r_a r_b}$)
    2. Replace the message to Z ($\alpha^{r_b r_c}, \alpha^{r_a r_c}, \alpha^{r_a r_b}, \alpha^{r_a r_b r_c}$ in the honest run) with $\alpha^{r_b},\ \alpha^{r_b},\ \alpha^{r_b},\ \alpha^{r_b}$ (so $Z_1 = Z_2 = Z_3 = Z_4 = r_b$)
  Z broadcasts: $\alpha^{r_b r_z K_{az}},\ \alpha^{r_b r_z K_{bz}},\ \alpha^{r_b r_z K_{cz}}$ (in the honest run $\alpha^{r_b r_c r_z K_{az}},\ \alpha^{r_a r_c r_z K_{bz}},\ \alpha^{r_a r_b r_z K_{cz}}$)
Session 2:
  A → B: $\alpha,\ \alpha^{q_a}$
    3. Replace $\alpha^{q_a}$ with $\alpha^{r_b r_z K_{cz}}$ (so $V_1 = r_b r_z K_{cz}$)
  B sends: $\alpha^{r_b r_z K_{cz}},\ \alpha^{q_b},\ \alpha^{r_b r_z K_{cz} q_b}$ (in the honest run $\alpha^{q_a},\ \alpha^{q_b},\ \alpha^{q_a q_b}$)
  Z would broadcast: $\alpha^{q_b q_z K_{az}},\ \alpha^{q_a q_z K_{bz}}$
    4. Replace the share delivered to B with $\alpha^{r_b r_z K_{bz}}$ from session 1 (so $W_2 = r_b r_z$)
Attack: B will use $(\alpha^{r_b r_z K_{bz}})^{K_{bz}^{-1} q_b} = \alpha^{r_b r_z q_b}$ as the session key, which the attacker can compute as $(\alpha^{r_b r_z K_{cz} q_b})^{K_{cz}^{-1}}$.
Attacks of this type can be found automatically from the protocol specification.
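Added example (not from the slides, and not the analysis tool they describe): a Python check of the attack above at the exponent level, using the slide-29 key insight directly. A group element $\alpha^e$ is represented by its exponent $e$, a product of atoms with integer exponents stored as a dict; $\alpha^t$ counts as derivable from a seen $\alpha^e$ exactly when $e^{-1} t$ is a product of integer powers of the exponents the attacker knows (initially only $K_{cz}$). This is the restricted derivation of slides 28-29, where only $\cdot$ and inverse remain after exponentiation is eliminated; products of group elements are not modelled. The trace follows slide 12, with the attacker's messages to B and Z as the constraints; `ATTACK` is the instantiation of slide 33, and `REPLAY` is a constructed comparison in which the attacker plays C honestly (with $r_c = 1$) and merely replays a session-1 share, which satisfies every constraint but does not yield B's key. The names `mono`, `exp_derivable`, `run_trace` are this example's own.

```python
# Exponent-level check of the A-GDH.2 attack (added example; not from the deck).
# A monomial is a dict atom -> integer exponent; mono() is the exponent 1,
# i.e. the element alpha itself.

def mono(*atoms):
    """Build a monomial from atom names; repeated names multiply."""
    m = {}
    for a in atoms:
        m[a] = m.get(a, 0) + 1
    return m


def mul(x, y):
    """Product of two monomials, dropping atoms whose exponent cancels to 0."""
    r = dict(x)
    for a, n in y.items():
        r[a] = r.get(a, 0) + n
    return {a: n for a, n in r.items() if n != 0}


def inv(x):
    return {a: -n for a, n in x.items()}


def exp_derivable(target, known_elems, known_atoms):
    """Slide 29: alpha^target is derivable from some seen alpha^e iff the
    quotient e^-1 * target is a product of integer powers of known exponents."""
    for e in known_elems:
        quotient = mul(inv(e), target)
        if all(a in known_atoms for a in quotient):
            return True
    return False


def run_trace(X1, Z, V1, W2):
    """Replay the symbolic trace of slide 12 under an instantiation of
    X1, Z = (Z1..Z4), V1, W2.  Returns (all attacker messages derivable?,
    B's session-2 key alpha^{W2 q_b} derivable?).  W1 and W3 are
    unconstrained and omitted."""
    K = {"K_cz"}                       # exponents the attacker knows (slide 15)
    seen = [mono()]                    # alpha itself
    ok = True
    seen.append(mono("r_a"))                               # A -> B, observed
    ok = ok and exp_derivable(X1, seen, K)                 # alpha^{X1} to B
    seen += [X1, mono("r_b"), mul(X1, mono("r_b"))]        # B's reply
    ok = ok and all(exp_derivable(Zi, seen, K) for Zi in Z)  # alpha^{Z1..Z4} to Z
    seen += [mul(Z[0], mono("r_z", "K_az")),               # Z's broadcast
             mul(Z[1], mono("r_z", "K_bz")),
             mul(Z[2], mono("r_z", "K_cz"))]
    seen.append(mono("q_a"))                               # session 2: A -> B, observed
    ok = ok and exp_derivable(V1, seen, K)                 # alpha^{V1} to B
    seen += [V1, mono("q_b"), mul(V1, mono("q_b"))]        # B's session-2 reply
    ok = ok and exp_derivable(mul(W2, mono("K_bz")), seen, K)  # alpha^{W2 K_bz} to B
    key = mul(W2, mono("q_b"))                             # B computes alpha^{W2 q_b}
    return ok, exp_derivable(key, seen, K)


# Slide 33's instantiation: X1 = 1, Z_i = r_b, V1 = r_b r_z K_cz, W2 = r_b r_z.
ATTACK = dict(X1=mono(), Z=(mono("r_b"),) * 4,
              V1=mono("r_b", "r_z", "K_cz"), W2=mono("r_b", "r_z"))

# Constructed comparison: honest C with r_c = 1, then replay Z's K_bz share.
REPLAY = dict(X1=mono("r_a"),
              Z=(mono("r_b"), mono("r_a"), mono("r_a", "r_b"), mono("r_a", "r_b")),
              V1=mono("q_a"), W2=mono("r_a", "r_z"))

if __name__ == "__main__":
    print("attack:", run_trace(**ATTACK))   # (True, True)
    print("replay:", run_trace(**REPLAY))   # (True, False)
```

The two runs differ only in the instantiation, which is the point of slide 21: the trace and the constraints are fixed, and the solver's job is to find an instantiation such as `ATTACK`. What makes the attack work is choosing $Z_2 = Z_3$, so that Z's $K_{bz}$-blinded and $K_{cz}$-blinded shares carry the same exponent, and feeding the $K_{cz}$-blinded share to session-2 B so that B multiplies its own $q_b$ onto a value the attacker can unblind.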
Slide 34: Decision Procedures
- Free (black-box) algebra: decidable ✓
  - Implemented as an easy-to-use analysis tool
- XOR: decidable ✓
  - All integer variables are equal to 0 or 1
- (Group) Diffie-Hellman: decidable ✓
  - System of quadratic Diophantine equations, which is solvable if and only if a linear subsystem is solvable
  - Some restrictions (no products in the exponentiation base)
- Blind signatures, super-exponentiation, ...: current research
- Axiomatic models of various cryptographic primitives: current research
Slide 35: Example: Secure Teleconferencing