Verification of Security Protocols Part I. Fosad 2010

Size: px

Start display at page:

Download "Verification of Security Protocols Part I. Fosad 2010"

Mildred Thomas
6 years ago
Views:

1 Verification of Security Protocols Part I Véronique Cortier 1 September, 2010 Fosad LORIA, CNRS 1/65 Véronique Cortier Verification of Security Protocols

2 Two parts : 1 Analysis of security protocols with symbolic models 2 More guarantees : Analysis of security protocols with computational models 2/65 Véronique Cortier Verification of Security Protocols

Context : cryptographic protocols Context Security

3 Context : cryptographic protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Cryptographic protocols are widely used in everyday life. They aim at securing communications over public or insecure networks. 3/65 Véronique Cortier Verification of Security Protocols

4 On the web Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example - HTTPS, i.e. the SSL protocol for ensuring confidentiality - password-based authentication 4/65 Véronique Cortier Verification of Security Protocols

5 Credit Card payment Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example It is a real card? Is the pin code protected? 5/65 Véronique Cortier Verification of Security Protocols

6 Pay-per-view devices Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Checks your identity You should be granted access to the movie only once You should not be able to broadcast the movie to other people 6/65 Véronique Cortier Verification of Security Protocols

7 Electronic voting Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example The result corresponds to the votes. Each vote is confidential. No partial result is leaked before the end of the election Only voters can vote and at most once Coercion resistance 7/65 Véronique Cortier Verification of Security Protocols

8 Electronic purse Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example It should not possible to add money without paying. It should not be possible to create fake electronic purse. 8/65 Véronique Cortier Verification of Security Protocols

9 Security goals Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Cryptographic protocols aim at preserving confidentiality of data (e.g. pin code, medical files,...) ensuring authenticity (Are you really talking to your bank??) ensuring anonymous communications (for e-voting protocols,...) protecting against repudiation (I never sent this message!!)... Cryptographic protocols vary depending on the application. 9/65 Véronique Cortier Verification of Security Protocols

10 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example How does this work? 10/65 Véronique Cortier Verification of Security Protocols

11 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example How does this work? A cryptographic protocol : Protocol describes how each participant should behave in order to get e.g. a common key. Cryptographic makes uses of cryptographic primitives (e.g. encryption, signatures, hashes,...) 10/65 Véronique Cortier Verification of Security Protocols

12 Credit Card payment Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example It is a real card? Is the pin code protected? 11/65 Véronique Cortier Verification of Security Protocols

13 Behavior in the usual case Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example The waiter introduces the credit card. The waiter enters the amount m of the transaction on the terminal. The terminal authenticates the card. The customer enters his secret code. If the amount m is greater than 100 euros (and in only 20% of the cases) The terminal asks the bank for authentication of the card. The bank provides authentication. 12/65 Véronique Cortier Verification of Security Protocols

14 More details Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example 4 actors : Bank, Customer, Card and Terminal. Bank owns a signing key K 1 B, secret, a verification key K B, public, a secret symmetric key for each credit card K CB, secret. Card owns Data : last name, first name, card s number, expiration date, Signature s Value VS = {hash(data)} K 1, B secret key K CB. Terminal owns the verification key K B for bank s signatures. 13/65 Véronique Cortier Verification of Security Protocols

15 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Credit card payment Protocol (in short) The terminal reads the card : 1. Ca T : Data, {hash(data)} K 1 B 14/65 Véronique Cortier Verification of Security Protocols

16 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Credit card payment Protocol (in short) The terminal reads the card : 1. Ca T : Data, {hash(data)} K 1 B The terminal asks for the secret code : 2. T Cu : secret code? 3. Cu Ca : Ca T : ok 14/65 Véronique Cortier Verification of Security Protocols

17 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Credit card payment Protocol (in short) The terminal reads the card : 1. Ca T : Data, {hash(data)} K 1 B The terminal asks for the secret code : 2. T Cu : secret code? 3. Cu Ca : Ca T : ok The terminal calls the bank : 5. T B : auth? 6. B T : N b 7. T Ca : N b 8. Ca T : {N b } KCB 9. T B : {N b } KCB 10. B T : ok 14/65 Véronique Cortier Verification of Security Protocols

18 Some flaws Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example The security was initially ensured by : But the cards were very difficult to reproduce, the protocol and the keys were secret. cryptographic flaw : 320 bits keys can be broken (1988), logical flaw : no link between the secret code and the authentication of the card, fake cards can be build. 15/65 Véronique Cortier Verification of Security Protocols

19 Some flaws Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example The security was initially ensured by : But the cards were very difficult to reproduce, the protocol and the keys were secret. cryptographic flaw : 320 bits keys can be broken (1988), logical flaw : no link between the secret code and the authentication of the card, fake cards can be build. YesCard build by Serge Humpich (1998 in France). 15/65 Véronique Cortier Verification of Security Protocols

20 How does the YesCard work? Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Logical flaw 1. Ca T : Data, {hash(data)} K 1 B 2. T Ca : secret code? 3. Cu Ca : Ca T : ok 16/65 Véronique Cortier Verification of Security Protocols

21 How does the YesCard work? Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Logical flaw 1. Ca T : Data, {hash(data)} K 1 B 2. T Ca : secret code? 3. Cu Ca : Ca T : ok 16/65 Véronique Cortier Verification of Security Protocols

22 How does the YesCard work? Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Logical flaw 1. Ca T : Data, {hash(data)} K 1 B 2. T Ca : secret code? 3. Cu Ca : Ca T : ok Remark : there is always somebody to debit. creation of a fake card 16/65 Véronique Cortier Verification of Security Protocols

23 How does the YesCard work? Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Logical flaw 1. Ca T : Data, {hash(data)} K 1 B 2. T Ca : secret code? 3. Cu Ca : Ca T : ok Remark : there is always somebody to debit. creation of a fake card 1. Ca T : XXX, {hash(xxx)} K 1 B 2. T Cu : secret code? 3. Cu Ca : Ca T : ok 16/65 Véronique Cortier Verification of Security Protocols

24 Commutative Symmetric encryption Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Symmetric encryption, denoted by {m} k Hello Alice clef Encryption Obawbhe Nyvpr clef Decryption Hello Alice The same key is used for encrypting and decrypting. Commutative (symmetric) encryption (e.g. RSA) {{m} k1 } k2 = {{m} k2 } k1 17/65 Véronique Cortier Verification of Security Protocols

25 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) {pin : 3443} kalice 18/65 Véronique Cortier Verification of Security Protocols

26 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) {pin : 3443} kalice j{pin : 3443} kalice ff k bob 18/65 Véronique Cortier Verification of Security Protocols

27 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) {pin : 3443} kalice j{pin : 3443} kalice ff k bob {pin : 3443} kbob } } Since {{pin : 3443} kalice {{pin : 3443} kbob k bob = k alice 18/65 Véronique Cortier Verification of Security Protocols

28 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) {pin : 3443} kalice j{pin : 3443} kalice ff k bob {pin : 3443} kbob It does not work! (Authentication problem) 18/65 Véronique Cortier Verification of Security Protocols

29 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) {pin : 3443} kalice j{pin : 3443} kalice ff k bob {pin : 3443} kbob It does not work! (Authentication problem) {pin : 3443} kalice j{pin : 3443} kalice ff k intruder {pin : 3443} kintruder 18/65 Véronique Cortier Verification of Security Protocols

30 Another example Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example The famous Needham-Schroeder public key protocol (and its associated Man-In-The-Middle Attack) 19/65 Véronique Cortier Verification of Security Protocols

31 Public key encryption Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Public key : pk(a) Encryption : {m} pk(a) Hello Alice public key Encryption Obawbhe Nyvpr private key Decryption Hello Alice Encryption with the public key and decryption with the private key. Invented only in the late 70 s! 20/65 Véronique Cortier Verification of Security Protocols

32 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A. N b Random number (called nonce) generated by B. A B : {A,N a } pub(b) B A : {N a,n b } pub(a) A B : {N b } pub(b) 21/65 Véronique Cortier Verification of Security Protocols

33 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A. N b Random number (called nonce) generated by B. A B : {A,N a } pub(b) B A : {N a,n b } pub(a) A B : {N b } pub(b) 21/65 Véronique Cortier Verification of Security Protocols

34 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A. N b Random number (called nonce) generated by B. A B : {A,N a } pub(b) B A : {N a,n b } pub(a) A B : {N b } pub(b) 21/65 Véronique Cortier Verification of Security Protocols

35 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A. N b Random number (called nonce) generated by B. A B : {A,N a } pub(b) B A : {N a,n b } pub(a) A B : {N b } pub(b) Questions : Is N b secret between A and B? When B receives {N b } pub(b), does this message really come from A? 21/65 Véronique Cortier Verification of Security Protocols

36 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A. N b Random number (called nonce) generated by B. A B : {A,N a } pub(b) B A : {N a,n b } pub(a) A B : {N b } pub(b) Questions : Is N b secret between A and B? When B receives {N b } pub(b), does this message really come from A? An attack was discovered in 1994, 15 years after the publication of the protocol! 21/65 Véronique Cortier Verification of Security Protocols

37 Man in the middle attack Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example {A,N a} pub(p) {A,N a} pub(b) 22/65 Véronique Cortier Verification of Security Protocols

38 Man in the middle attack Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example {A,N a} pub(p) {A,N a} pub(b) { N a,n b } pub(a) { N a,n b } pub(a) 22/65 Véronique Cortier Verification of Security Protocols

39 Man in the middle attack Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example {A,N a} pub(p) {A,N a} pub(b) { N a,n b } pub(a) { N a,n b } pub(a) {N b } pub(p) {N b } pub(b) 22/65 Véronique Cortier Verification of Security Protocols

40 Man in the middle attack Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example {A,N a} pub(p) {A,N a} pub(b) {B,N a,n b } pub(a) {B,N a,n b } pub(a) {N b } pub(p) {N b } pub(b) Fixing the flaw : add the identity of B. 22/65 Véronique Cortier Verification of Security Protocols

41 Outline of the talk Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example 1 Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example 2 Messages Intruder Protocol Solving constraint systems 3 Undecidability Horn clauses 23/65 Véronique Cortier Verification of Security Protocols

Difficulty Introduction on security protocols Messages Intruder Protocol Solving constraint systems Presence of an attacker may read every message

42 Difficulty Introduction on security protocols Messages Intruder Protocol Solving constraint systems Presence of an attacker may read every message sent on the net, may intercept and send new messages. The system is infinitely branching 24/65 Véronique Cortier Verification of Security Protocols

43 A first approach Introduction on security protocols Messages Intruder Protocol Solving constraint systems Why not modeling security protocol using a (possibly extended) automata? login name pw correct START VALIDATE CONNECTED restart restart pw wrong DELAY log pw wrong LOG ERROR 25/65 Véronique Cortier Verification of Security Protocols

44 How to model a security protocol? Messages Intruder Protocol Solving constraint systems login name pw correct START VALIDATE CONNECTED restart restart pw wrong DELAY LOG ERROR log pw wrong The output of each participants strongly depends on the data received inside the message. At each step, a malicious user (called the adversary) may create arbitrary messages. The output of the adversary strongly depends on the messages sent on the network. It is important to have a tight modeling of the messages. 26/65 Véronique Cortier Verification of Security Protocols

45 Messages Intruder Protocol Solving constraint systems An appropriate datastructure : Terms Given a signature F of symbols with an arity e.g. {enc, pair, a, b, c, n a, n b } and a set X of variables, the set of terms T(F, X) is inductively defined as follows : constants terms (e.g. a, b, c, n a, n b ) are terms variables are terms f (t 1,...,t n ) is a term whenever t 1,...,t n are terms. Intuition : from words to trees. There exists automata on trees instead of (classical) automata on words, see e.g. TATA http ://tata.gforge.inria.fr/ 27/65 Véronique Cortier Verification of Security Protocols

46 Messages Introduction on security protocols Messages Intruder Protocol Solving constraint systems Messages are abstracted by terms. Agents : a, b,... Nonces : n 1, n 2,... Keys : k 1, k 2,.. Cyphertext : enc(m, k) Concatenation : pair(m 1, m 2 ) Example : The message {A, N a } K is represented by : {} enc(pair(a, N a ), K) K A N a Intuition : only the structure of the message is kept. 28/65 Véronique Cortier Verification of Security Protocols

47 Intruder abilities Composition rules T u Introduction on security protocols T v T u, v T u T v T enc(u, v) Messages Intruder Protocol Solving constraint systems T u T v T enca(u, v) 29/65 Véronique Cortier Verification of Security Protocols

48 Intruder abilities Composition rules T u Introduction on security protocols T v T u, v T u T v T enc(u, v) Messages Intruder Protocol Solving constraint systems T u T v T enca(u, v) Decomposition rules u T T u T u, v T u T u, v T v T enc(u, v) T v T enca(u, pub(v)) T priv(v) T u T u 9/65 Véronique Cortier Verification of Security Protocols

49 Intruder abilities Introduction on security protocols Messages Intruder Protocol Solving constraint systems Composition rules T u T v T u T v T u T v T u, v T enc(u, v) T enca(u, v) Decomposition rules u T T u T u, v T u T u, v T v T enc(u, v) T v T enca(u, pub(v)) T priv(v) T u T u Deducibility relation A term u is deducible from a set of terms T, denoted by T u, if there exists a prooftree witnessing this fact. 9/65 Véronique Cortier Verification of Security Protocols

50 A simple protocol Introduction on security protocols Messages Intruder Protocol Solving constraint systems Bob, k Alice, enc(s, k) 30/65 Véronique Cortier Verification of Security Protocols

51 A simple protocol Introduction on security protocols Messages Intruder Protocol Solving constraint systems Bob, k Alice, enc(s, k) Question? Can the attacker learn the secret s? 30/65 Véronique Cortier Verification of Security Protocols

52 A simple protocol Introduction on security protocols Messages Intruder Protocol Solving constraint systems Bob, k Alice, enc(s, k) Answer : Of course, Yes! Alice, enc(s, k) enc(s, k) s Bob, k k 30/65 Véronique Cortier Verification of Security Protocols

53 Decision of the intruder problem Messages Intruder Protocol Solving constraint systems Given A set of messages S and a message m Question Can the intruder learn m from S that is S m? This problem is decidable in polynomial time. Exercise : (medium) Prove it. 31/65 Véronique Cortier Verification of Security Protocols

54 Decision of the intruder problem Messages Intruder Protocol Solving constraint systems Given A set of messages S and a message m Question Can the intruder learn m from S that is S m? This problem is decidable in polynomial time. Exercise : (medium) Prove it. Lemma (Locality) If there is a proof of S m then there is a proof that only uses the subterms of S and m. 31/65 Véronique Cortier Verification of Security Protocols

55 Protocol description Messages Intruder Protocol Solving constraint systems Protocol : A B : {pin} ka B A : {{pin} ka } kb A B : {pin} kb A protocol is a finite set of roles : role Π(1) corresponding to the 1 st participant played by a talking to b : k init a enc(pin, ka ) enc(x, k a ) x. 32/65 Véronique Cortier Verification of Security Protocols

56 Protocol description Messages Intruder Protocol Solving constraint systems Protocol : A B : {pin} ka B A : {{pin} ka } kb A B : {pin} kb A protocol is a finite set of roles : role Π(1) corresponding to the 1 st participant played by a talking to b : k init a enc(pin, ka ) enc(x, k a ) x. role Π(2) corresponding to the 2 nd participant played by b with a : k x b enc(x, kb ) enc(y, k b ) stop. 32/65 Véronique Cortier Verification of Security Protocols

57 Secrecy via constraint solving Messages Intruder Protocol Solving constraint systems [Millen et al] Constraint systems are used to specify secrecy preservation under a particular, finite scenario. Scenario rcv(u 1 ) N 1 snd(v 1 ) rcv(u 2 ) N 2 snd(v 2 )... rcv(u n ) Nn snd(v n ) Constraint System T 0 u 1 T C = 0, v 1 u 2... T 0, v 1,..,v n s where T 0 is the initial knowledge of the attacker. Remark : Constraint Systems may be used more generally for trace-based properties, e.g. authentication. 33/65 Véronique Cortier Verification of Security Protocols

58 Secrecy via constraint solving Messages Intruder Protocol Solving constraint systems [Millen et al] Constraint systems are used to specify secrecy preservation under a particular, finite scenario. Scenario rcv(u 1 ) N 1 snd(v 1 ) rcv(u 2 ) N 2 snd(v 2 )... rcv(u n ) Nn snd(v n ) Constraint System T 0 u 1 T C = 0, v 1 u 2... T 0, v 1,..,v n s where T 0 is the initial knowledge of the attacker. Solution of a constraint system A substitution σ such that for every T u C, uσ is deducible from Tσ, that is uσ Tσ. 33/65 Véronique Cortier Verification of Security Protocols

59 Example of a system constraint Messages Intruder Protocol Solving constraint systems A B : {pin} ka B A : {{pin} ka } kb A B : {pin} kb and the attacker initially knows T 0 = {init}. One possible associated constraint system is : {init} init C = {init, {pin} ka } {x} ka {init, {pin} ka, x} pin Is there a solution? 34/65 Véronique Cortier Verification of Security Protocols

60 Example of a system constraint Messages Intruder Protocol Solving constraint systems A B : {pin} ka B A : {{pin} ka } kb A B : {pin} kb and the attacker initially knows T 0 = {init}. One possible associated constraint system is : {init} init C = {init, {pin} ka } {x} ka {init, {pin} ka, x} pin Is there a solution? Of course yes, simply consider x = pin! 34/65 Véronique Cortier Verification of Security Protocols

61 Example of a system constraint Messages Intruder Protocol Solving constraint systems A B : {pin} ka B A : {{pin} ka } kb A B : {pin} kb and the attacker initially knows T 0 = {init}. One possible associated constraint system is : {init} init C = {init, {pin} ka } {x} ka {init, {pin} ka, x} pin Is there a solution? Of course yes, simply consider x = pin! Exercise : (easy) Propose the constraint system associated to the (non-corrected) Needham-Schroeder protocol (for a reasonable choice of sessions) and exhibit a solution. 4/65 Véronique Cortier Verification of Security Protocols

62 How to solve constraint system? Messages Intruder Protocol Solving constraint systems T 0 u 1 T Given C = 0, v 1 u 2... T 0, v 1,..,v n u n+1 Question Is there a solution σ of C? 5/65 Véronique Cortier Verification of Security Protocols

63 Messages Intruder Protocol Solving constraint systems An easy case : solved constraint systems General case T 0 u 1 T Given C = 0, v 1 u 2... T 0, v 1,..,v n u n+1 Question Is there a solution σ of C? 6/65 Véronique Cortier Verification of Security Protocols

64 Messages Intruder Protocol Solving constraint systems An easy case : solved constraint systems General case T 0 u 1 T Given C = 0, v 1 u 2... T 0, v 1,..,v n u n+1 Question Is there a solution σ of C? Solved constraint systems T 0 x 1 T Given C = 0, v 1 x 2... T 0, v 1,..,v n x n+1 Question Is there a solution σ of C? 6/65 Véronique Cortier Verification of Security Protocols

65 Messages Intruder Protocol Solving constraint systems An easy case : solved constraint systems General case T 0 u 1 T Given C = 0, v 1 u 2... T 0, v 1,..,v n u n+1 Question Is there a solution σ of C? Solved constraint systems T 0 x 1 T Given C = 0, v 1 x 2... T 0, v 1,..,v n x n+1 Question Is there a solution σ of C? Of course yes! 36/65 Consider e.g. σ(x ) = Véronique = σ(x Cortier) = Verification t T of. Security Protocols

66 Messages Intruder Protocol Solving constraint systems Decision procedure [Millen / Comon-Lundh] Goal : Transformation of the constraints in order to obtain a solved constraint system. 8 T >< 0 u 1 T C = 0, v 1 u 2... >: T 0, v 1,.., v n u n+1 C 1 C 2 C 3 C 4 SOLVED C has a solution iff C C with C in solved form. 37/65 Véronique Cortier Verification of Security Protocols

67 Transformation rules Messages Intruder Protocol Solving constraint systems R 1 : C T u C if T {x T x C, T T } u R 2 : C T u σ Cσ Tσ uσ u st(t) if σ = mgu(u, u ) R 3 : C T v σ Cσ Tσ vσ u, u st(t) if σ = mgu(u, u ) R 4 : C T u if var(t, u) = and T u R 5 : C T f (u, v) C T u T v for f {, enc} 38/65 Véronique Cortier Verification of Security Protocols

68 Intruder step Introduction on security protocols Messages Intruder Protocol Solving constraint systems The intruder can built messages R 5 : C T f (u, v) C T u T v for f {, enc} 39/65 Véronique Cortier Verification of Security Protocols

69 Intruder step Introduction on security protocols Messages Intruder Protocol Solving constraint systems The intruder can built messages R 5 : C T f (u, v) C T u T v for f {, enc} Example : a, k enc( x, y, k) a, k k a, k x, y 39/65 Véronique Cortier Verification of Security Protocols

70 Unsolvable constraints Messages Intruder Protocol Solving constraint systems R 4 : C T u if var(t, u) = and T u Example :... a, enc(s, k) s... 0/65 Véronique Cortier Verification of Security Protocols

71 Guessing equalities Introduction on security protocols Messages Intruder Protocol Solving constraint systems 1 Example : k, enc(enc(x, k ), k) enc(a, k ) R 2 : C T u σ Cσ Tσ uσ u st(t) if σ = mgu(u, u ), u, u X, u u 41/65 Véronique Cortier Verification of Security Protocols

72 Guessing equalities Introduction on security protocols Messages Intruder Protocol Solving constraint systems 1 Example : k, enc(enc(x, k ), k) enc(a, k ) R 2 : C T u σ Cσ Tσ uσ u st(t) if σ = mgu(u, u ), u, u X, u u 2 Example : enc(s, a, x ), enc( y, b, k), k s R 3 : C T v σ Cσ Tσ vσ u, u st(t) if σ = mgu(u, u ), u, u X, u u 41/65 Véronique Cortier Verification of Security Protocols

73 Eliminating redundancies Messages Intruder Protocol Solving constraint systems k x k, enc(s, x) s The constraint enc(s, x) s will be satisfied as soon as k x is satisfied. 42/65 Véronique Cortier Verification of Security Protocols

74 Eliminating redundancies Messages Intruder Protocol Solving constraint systems k x k, enc(s, x) s The constraint enc(s, x) s will be satisfied as soon as k x is satisfied. R 1 : C T u C if T {x T x C, T T } u 42/65 Véronique Cortier Verification of Security Protocols

75 Soundness and completeness Messages Intruder Protocol Solving constraint systems Theorem Soundness If C σ C and θ solution of C then σθ is a solution of C. Completeness If θ solution of C then there exists C, σ, θ such that C σ C, θ = σθ and θ is a solution of C. Termination is terminating in polynomial time in the size of C. 3/65 Véronique Cortier Verification of Security Protocols

76 Soundness and completeness Messages Intruder Protocol Solving constraint systems Theorem Soundness If C σ C and θ solution of C then σθ is a solution of C. Completeness If θ solution of C then there exists C, σ, θ such that C σ C, θ = σθ and θ is a solution of C. Termination is terminating in polynomial time in the size of C. Exercise (easy) : show correctness Exercise (easy) : show termination using the lexicographic order (number of var, size of C). What complexity do you get? (More involved) : show termination in polynomial time Full proofs in [TOCL 2010] 43/65 Véronique Cortier Verification of Security Protocols

77 Messages Intruder Protocol Solving constraint systems NP-procedure for solving constraint systems 8 T >< 0 u 1 T C = 0, v 1 u 2... >: T 0, v 1,.., v n u n+1 C 1 C 2 C 3 C 4 SOLVED Corollary Checking secrecy for a bounded number of sessions is NP. NP-hardness can be shown by encoding 3-SAT. 44/65 Véronique Cortier Verification of Security Protocols

78 Example of tool : Avispa Platform Messages Intruder Protocol Solving constraint systems Collaborators LORIA, France DIST, Italy ETHZ, Switzerland Siemens, Germany 5/65 Véronique Cortier Verification of Security Protocols

79 Undecidability Horn clauses Limitations of this approach? Are you ready to use any protocol verified with this technique? 46/65 Véronique Cortier Verification of Security Protocols

80 Undecidability Horn clauses Limitations of this approach? Are you ready to use any protocol verified with this technique? Only a finite scenario is checked. What happens if the protocol is used one more time? The underlying mathematical properties of the primitives are abstracted away. The specification of the protocol is analysed, but not its implementation. 46/65 Véronique Cortier Verification of Security Protocols

81 Undecidability Horn clauses How to decide security for unlimited sessions? In general, it is undecidable! (i.e. there exists no algorithm for checking e.g. secrecy) How to prove undecidability? 47/65 Véronique Cortier Verification of Security Protocols

82 Undecidability Horn clauses How to decide security for unlimited sessions? In general, it is undecidable! (i.e. there exists no algorithm for checking e.g. secrecy) How to prove undecidability? Post correspondence problem (PCP) input {(u i, v i )} 1 i n, u i, v i Σ output n, i 1,...,i n u i1 u in = v i1 v in Example : {(bab, b), (ab, aba), (a, baba)} Solution? 7/65 Véronique Cortier Verification of Security Protocols

83 Undecidability Horn clauses How to decide security for unlimited sessions? In general, it is undecidable! (i.e. there exists no algorithm for checking e.g. secrecy) How to prove undecidability? Post correspondence problem (PCP) input {(u i, v i )} 1 i n, u i, v i Σ output n, i 1,...,i n u i1 u in = v i1 v in Example : {(bab, b), (ab, aba), (a, baba)} Solution? Yes, 1,2,3,1. babababab babababab 47/65 Véronique Cortier Verification of Security Protocols

84 Undecidability Horn clauses How to encode PCP in protocols? Given {(u i, v i )} 1 i n, we construct the following protocol P : A B : { u 1, v 1 } Kab,...,{ u k, v k } Kab B : { x, y } Kab A : { x, u 1, y, v 1 } Kab, {s} { x,u1,x,u 1 } Kab,...,{ x, u k, y, v k } Kab, {s} { x,uk,x,u k } Kab where a 1 a 2 a n denotes the term a 1, a 2, a 3,...a n. 8/65 Véronique Cortier Verification of Security Protocols

85 Undecidability Horn clauses How to encode PCP in protocols? Given {(u i, v i )} 1 i n, we construct the following protocol P : A B : { u 1, v 1 } Kab,...,{ u k, v k } Kab B : { x, y } Kab A : { x, u 1, y, v 1 } Kab, {s} { x,u1,x,u 1 } Kab,...,{ x, u k, y, v k } Kab, {s} { x,uk,x,u k } Kab where a 1 a 2 a n denotes the term a 1, a 2, a 3,...a n. Then there is an attack on P iff there is a solution to the Post Correspondence Problem with entry {(u i, v i )} 1 i n. 48/65 Véronique Cortier Verification of Security Protocols

86 Undecidability Horn clauses How to circumvent undecidability? Find decidable subclasses of protocols. Design semi-decision procedure, that works in practice... 49/65 Véronique Cortier Verification of Security Protocols

87 Undecidability Horn clauses How to model an unbounded number of sessions? For any x, if the agent A receives enc(x, k a ) then A responds with x. Use of first-order logic. 50/65 Véronique Cortier Verification of Security Protocols

Intruder Introduction on security protocols Undecidability Horn clauses Horn clauses perfectly reflects the attacker symbolic manipulations on terms.

88 Intruder Introduction on security protocols Undecidability Horn clauses Horn clauses perfectly reflects the attacker symbolic manipulations on terms. I(x), I(y) I(< x, y >) pairing I(x), I(y) I({x} y ) encryption I({x} y ), I(y) I(x) decryption I(< x, y >) I(x) projection I(< x, y >) I(y) projection 51/65 Véronique Cortier Verification of Security Protocols

89 Protocol Introduction on security protocols Undecidability Horn clauses Protocol : A B : {pin} ka B A : {{pin} ka } kb A B : {pin} kb Horn clauses : I({pin} ka ) I(x) I({x} kb ) I({x} ka ) I(x) 52/65 Véronique Cortier Verification of Security Protocols

90 Protocol Introduction on security protocols Undecidability Horn clauses Protocol : A B : {pin} ka B A : {{pin} ka } kb A B : {pin} kb Horn clauses : I({pin} ka ) I(x) I({x} kb ) I({x} ka ) I(x) Secrecy property is a reachability (accessibility) property I(pin) Then there exists an attack iff the set of formula corresponding to Intruder manipulations + protocol + property is NOT satisfiable. 52/65 Véronique Cortier Verification of Security Protocols

91 Undecidability Horn clauses How to decide satisfiability? Resolution techniques 53/65 Véronique Cortier Verification of Security Protocols

92 Undecidability Horn clauses Some vocabulary First order logic Atoms P(t 1,...,t n ) where t i are terms, P is a predicate Literals P(t 1,...,t n ) or P(t 1,...,t n ) closed under,,,, Clauses : Only universal quantifiers Horn Clauses : at most one positive literal where A i, B are atoms. A 1,...,A n B 54/65 Véronique Cortier Verification of Security Protocols

93 Binary resolution Introduction on security protocols Undecidability Horn clauses A, B are atoms and C, D are clauses. An intuitive rule A C A C In other words A C A C 55/65 Véronique Cortier Verification of Security Protocols

94 Undecidability Horn clauses Binary resolution A, B are atoms and C, D are clauses. An intuitive rule A C A C In other words A C A C Generalizing A C B Cθ θ = mgu(a, B) (i.e. Aθ = Bθ) 5/65 Véronique Cortier Verification of Security Protocols

95 Undecidability Horn clauses Binary resolution A, B are atoms and C, D are clauses. An intuitive rule A C A C In other words A C A C Generalizing A C B Cθ Generalizing a bit more A C B D Cθ Dθ θ = mgu(a, B) θ = mgu(a, B) (i.e. Aθ = Bθ) Binary resolution 55/65 Véronique Cortier Verification of Security Protocols

96 Undecidability Horn clauses Binary resolution and Factorization A C B D θ = mgu(a, B) Cθ Dθ A B C θ = mgu(a, B) Aθ Cθ Binary resolution Factorisation Theorem (Soundness and Completeness) Binary resolution and factorisation are sound and refutationally complete, i.e. a set of clauses C is not satisfiable if and only if (the empty clause) can be obtained from C by binary resolution and factorisation. Exercise : Why do we need the factorisation rule? 56/65 Véronique Cortier Verification of Security Protocols

97 Example Introduction on security protocols Undecidability Horn clauses C = { I(s), I(k 1 ), I({s} k1,k 1 ), I({x} y ), I(y) I(x), I(x), I(y) I( x, y ) I(k 1) I(x), I(y) I( x, y ) I({s} k1,k 1 ) I({x} y), I(y) I(x) I(k 1) I(y) I( k 1, y ) I( k 1, k 1 ) s I( k 1, k 1 ) I(s) I(s) 57/65 Véronique Cortier Verification of Security Protocols

98 But it is not terminating! Undecidability Horn clauses I(s) I(x), I(y) I( x, y ) I(s) I(y) I( s, y ) I(y) I( s, y ) I( s, s ) I(y) I( s, y ) I( s, s, s ) I( s, s, s, s ) This does not yield any decidability result. 58/65 Véronique Cortier Verification of Security Protocols

99 Undecidability Horn clauses Ordered Binary resolution and Factorization Let < be any order on clauses. A C B D θ = mgu(a, B) Aθ Cθ Dθ Cθ Dθ A B C θ = mgu(a, B) Aθ Cθ Aθ Cθ Ordered binary resolution Ordered factorisation 59/65 Véronique Cortier Verification of Security Protocols

100 Undecidability Horn clauses Ordered Binary resolution and Factorization Let < be any order on clauses. A C B D θ = mgu(a, B) Aθ Cθ Dθ Cθ Dθ A B C θ = mgu(a, B) Aθ Cθ Aθ Cθ Ordered binary resolution Ordered factorisation Theorem (Soundness and Completeness) Ordered binary resolution and factorisation are sound and refutationally complete provided that < is liftable A, B, θ A < B Aθ < Bθ 59/65 Véronique Cortier Verification of Security Protocols

101 Examples of liftable orders Undecidability Horn clauses A, B, θ A < B Aθ < Bθ First example : subterm order P(t 1,...,t n ) < Q(u 1,...,u k ) iff any t i is a subterm of u 1,...,u k extended to clauses as follows : C 1 < C 2 iff any literal of C 1 is smaller than some literal of C 2. Exercise : Show that C is not satisfiable by ordered resolution (and factorisation). 60/65 Véronique Cortier Verification of Security Protocols

102 Undecidability Horn clauses Examples of liftable orders - continued Second example : P(t 1,...,t n ) Q(u 1,...,u k ) iff 1 depth(p(t 1,...,t n )) depth(q(u 1,...,u k )) 2 For any variable x, depth x (P(t 1,...,t n )) depth x (Q(u 1,...,u k )) f? f x f x h x f h y a h y 61/65 Véronique Cortier Verification of Security Protocols

103 Undecidability Horn clauses Examples of liftable orders - continued Second example : P(t 1,...,t n ) Q(u 1,...,u k ) iff 1 depth(p(t 1,...,t n )) depth(q(u 1,...,u k )) 2 For any variable x, depth x (P(t 1,...,t n )) depth x (Q(u 1,...,u k )) f f x f x h x f h y a h y 61/65 Véronique Cortier Verification of Security Protocols

104 Undecidability Horn clauses Examples of liftable orders - continued Second example : P(t 1,...,t n ) Q(u 1,...,u k ) iff 1 depth(p(t 1,...,t n )) depth(q(u 1,...,u k )) 2 For any variable x, depth x (P(t 1,...,t n )) depth x (Q(u 1,...,u k )) f f x f x h x f h y a h y Exercise : Show that A, B, θ A B Aθ Bθ 61/65 Véronique Cortier Verification of Security Protocols

105 Undecidability Horn clauses Back to protocols Intruder clauses are of the form ±I(f (x 1,...,x n )), ±I(x i ), ±I(x j ) Protocol clauses I({pin} ka ) I(x) I({x} kb ) I({x} ka ) I(x) At most one variable per clause! 62/65 Véronique Cortier Verification of Security Protocols

106 Undecidability Horn clauses Back to protocols Intruder clauses are of the form Protocol clauses ±I(f (x 1,...,x n )), ±I(x i ), ±I(x j ) I({pin} ka ) I(x) I({x} kb ) I({x} ka ) At most one variable per clause! I(x) Theorem Given a set C of clauses such that each clause of C either contains at most one variable or is of the form ±I(f (x 1,...,x n )), ±I(x i ), ±I(x j ) Then ordered ( ) binary resolution and factorisation is terminating. 62/65 Véronique Cortier Verification of Security Protocols

107 Undecidability Horn clauses Decidability for an unbounded number of sessions Corollary For any protocol that can be encoded with clauses of the previous form, then checking secrecy is decidable. But how to deal with protocols that need more than one variable per clause? 63/65 Véronique Cortier Verification of Security Protocols

108 ProVerif Introduction on security protocols Undecidability Horn clauses Developed by Bruno Blanchet, Paris, France. No restriction on the clauses Implements a sound semi-decision procedure (that may not terminate). Based on a resolution strategy well adapted to protocols. performs very well in practice! Works on most of existing protocols in the literature Is also used on industrial protocols (e.g. certified protocol, JFK, Plutus filesystem) 64/65 Véronique Cortier Verification of Security Protocols

109 Undecidability Horn clauses What formal methods allow to do? In general, secrecy preservation is undecidable. 65/65 Véronique Cortier Verification of Security Protocols

110 Undecidability Horn clauses What formal methods allow to do? In general, secrecy preservation is undecidable. For a bounded number of sessions, secrecy is co-np-complete [RusinowitchTuruani CSFW01] several tools for detecting attacks (Casper, Avispa platform... ) 65/65 Véronique Cortier Verification of Security Protocols

111 Undecidability Horn clauses What formal methods allow to do? In general, secrecy preservation is undecidable. For a bounded number of sessions, secrecy is co-np-complete [RusinowitchTuruani CSFW01] several tools for detecting attacks (Casper, Avispa platform... ) For an unbounded number of sessions for one-copy protocols, secrecy is DEXPTIME-complete [CortierComon RTA03] [SeildVerma LPAR04] for message-length bounded protocols, secrecy is DEXPTIME-complete [Durgin et al FMSP99] [Chevalier et al CSL03] some tools for proving security (ProVerif, EVA Platform) 65/65 Véronique Cortier Verification of Security Protocols

Verification of security protocols introduction

Verification of security protocols introduction Stéphanie Delaune CNRS & IRISA, Rennes, France Tuesday, November 14th, 2017 Cryptographic protocols everywhere! they aim at securing communications over