A Linear Framework for Protocol Analysis - PowerPoint PPT Presentation

1 / 28

About This Presentation

Title:

A Linear Framework for Protocol Analysis

Description:

Illiano Cervesato, Nancy Durgin, John Mitchell, Mark Mitchell, ... (Horn clause) Multiset. rewriting. Protocol Notation. Non-deterministic infinite-state systems ... – PowerPoint PPT presentation

Number of Views:23

Avg rating:3.0/5.0

Slides: 29

Provided by: patri190

Category:

more less

Transcript and Presenter's Notes

Title: A Linear Framework for Protocol Analysis

1
A Linear Framework for Protocol Analysis

Patrick Lincoln
Illiano Cervesato, Nancy Durgin, John Mitchell,
Mark Mitchell, Andre Scedrov
SRI, Stanford, UPenn

2
Outline The Nonce is the thing

Multiset rewriting model
Undecidability
Previous results, folklore, easy preliminaries
Main result security in restricted fragment
No-nonces
Exponential tight bound on steps
PSPACE-hardness of security decision problem

3
A notation for inf-state systems

Define protocol, intruder in minimal framework
Disadvantage need to introduce new notation

4
Protocol Notation

Non-deterministic infinite-state systems
Facts
F P(t1, , tn)
t x c f(t1, , tn)
States F1, ..., Fn
Multiset of facts
Includes network messages, private state
Intruder will see messages, not private state

Multi-sorted first-order atomic formulas
5
State Transitions

Transition
F1, , Fk ?? ?x1 ?xm. G1, , Gn
What this means
If F1, , Fk in state ?, then a next state ? has
Facts F1, , Fk removed
G1, , Gn added, with x1 xm replaced by new
symbols
Other facts in state ? carry over to ?
Free variables in rule universally quantified
Pattern matching in F1, , Fk can invert
functions
Linear Logic

6
Finite-State Example
a
q1
a
a
b
q0
q3
b
b
a
b
q2

Predicates State, Input
Function ?
Constants q0, q1, q2, q3, a, b, nil
Transitions State(q0), Input(a ? x) ?
State(q1), Input(x)
State(q0), Input(b ? x) ?
State(q2), Input(x)
...

b
7
Simplified Needham-Schroeder

Predicates
Ai, Bi, Ni
-- Alice, Bob, Network in state i
Transitions
?x. A1(x)
A1(x) ?? N1(x), A2(x)
N1(x) ?? ?y. B1(x,y)
B1(x,y) ?? N2(x,y), B2(x,y)
A2(x), N2(x,y) ?? A3(x,y)
A3(x,y) ?? N3(y), A4(x,y)
B2(x,y), N3(y) ?? B3(x,y)
picture next slide

A ? B na, AKb
B ? A na, nbKa
A ? B nbKb
Authentication
A4(x,y) ? B3(x,y) ? yy

8
Sample Trace

?x. A1(x)
A1(x) ? A2(x), N1(x)
N1(x) ? ?y. B1(x,y)
B1(x,y) ? N2(x,y), B2(x,y)
A2(x), N2(x,y) ? A3(x,y)
A3(x,y) ? N3(y), A4(x,y)
B2(x,y), N3(y) ? B3(x,y)

A1(na)
N1(na)
A2(na)
B1(na, nb)
A2(na)
N2(na, nb)
B2(na, nb)
A2(na)
B2(na, nb)
A3(na, nb)
N3( nb)
B2(na, nb)
A4(na, nb)
B3(na, nb)
A4(na, nb)
9
Common Intruder Model

Derived from Dolev-Yao model 1989
Adversary is nondeterministic process
Adversary can
Block network traffic
Read any message, decompose into parts
Decrypt if key is known to adversary
Insert new message from data it has observed
Adversary cannot
Gain partial knowledge
Guess part of a key
Perform statistical tests,

10
Formalize Intruder Model

Intercept and remember messages
N1(x) ?? M(x) N2(x,y) ??
M(x), M(y)
N3(x) ?? M(x)
Send messages from known data
M(x) ?? N1(x), M(x)
M(x), M(y) ?? N2(x,y), M(x), M(y)
M(x) ?? N3(x), M(x)
Generate new data as needed
?x. M(x)
Highly nondeterministic, same for any
protocol

11
Attack on Simplified Protocol

?x. A1(x)
A1(x) ? A2(x), N1(x)
N1(x) ? M(x)
?x. M(x)
M(x) ? N1(x), M(x)
N1(x) ? ?y. B1(x,y)

A1(na)
N1(na)
A2(na)
A2(na)
M(na)
A2(na)
M(na), M(na)
N1(na)
A2(na)
M(na), M(na)
B1(na, nb)
A2(na)
M(na), M(na)
Continue man-in-the-middle to violate
specification
12
Protocol Analysis is Undecidable

Even and Goldreich 1983
Heintze and Tygar 1996 (weaker result)
Millens clarification
Post Correspondence Problem
Good guy adds domino to end of sequence
If top and bottom read the same, spill secret
A -gt B empty, emptyk
B -gt A X,Yk -gt (X Z11), (Y Z12)k
A -gt B X,Xk -gt if X!empty, send SECRET

13
But what if we disallow cons?

Without cons ( ), cannot directly encode post
problems or Turing machine state
But arbitrary numbers can also be used to encode
undecidable problems, such as 2
Counter machines
C1, C2, Qk Encodes that state C1, C2, Q is
reachable
A-gtB 0,0,Qinitk
B-gtA C1,C2,Qk -gt C11,C2,Q2k
A-gtB C1,C2,Qfinalk -gt SECRET

14
But what if we disallow ints?

Some protocols use successor
A -gt B Noncek
B -gt B Nonce 1k
Successor (and implicit matching) is enough, so
this is still undecidable

15
But what if we disallow that too?

Some protocols use nested encryption
A -gt B mk, Noncek
Arbitrary depth encryption allows undecidability
2 counter machines
A -gt B mk, mkkk, Qk
State is Q, counters are 1 and 3.

16
So what is left?

Fixed set of constants
Nonces (but no succ, API is Gensym, ?)
Fixed depth encryption (1 or 2 enough)
Fixed number of arguments of message
Everything fixed or constant, except nonces
Nonces
Implicit unboundedness (Gensym is fresh)
But no obvious way to exploit this

17
Still undecidable
18
Turing Machine

Main Idea Cooks Theorem
but use nonces instead of propositions

Start 0 0 1 q4 0 1 1 End
Start 0 0 q5 0 0 1 1 0 End
Start 0 0 0 q6 0 1 1 0 0 End
19
Turing Machine
Constant (3) piece o f state at time N determines
state of cell at time N1
1 q4 0
0
Start 0 0 1 q4 0 1 1 End
Start 0 0 q5 0 0 1 1 0 End
Start 0 0 0 q6 0 1 1 0 0 End
20
Turing Machine

Predicates
Cell(neighbor, symbol, neighbor) -- contents of
tape cell
Next(cell, cell) --
keep cells in order
Constants
q0, q1, q2, --
finite set of states
c0, ceot
-- initial tape cells
0, 1, b
-- tape symbols

21
Turing Machine
Turing machine move

Cell(a,da, b), Cell(b,db, c), Cell(c,dc, d),
Next(b,b) ?? ?c. Next(c,c),
Cell(b,F(da,db,dc),c)
Next(a,a), Cell(a,Start,b)
??
?a,b Next(a,a), Cell(a,Start, b)
Next(a,a), Cell(a,End,b)
?? ?b, c
Cell(a,0, b), Cell(b, End, c)
?? ?a,a,b,c,d,e Cell(a,Start,b),
Cell(b,Qinit,c), Cell(c, 0, d),
Cell(d,End,e), Next(a,a)
Cell(a,Qfinal,b) ?? Broadcast(Secret)