Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Control Flow Analysis
of Security Protocols (I)
Mikael Buchholtz
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
History of Protocol Analysis
Needham-Schroeder ’78 Dolev-Yao ’81
Algebraic view
of cryptography
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
History of Protocol Analysis
Needham-Schroeder ’78 Dolev-Yao ’81
Algebraic view of cryptography
Millen ’84, Meadows ’89, ...
State/transition model
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
History of Protocol Analysis
Needham-Schroeder ’78 Dolev-Yao ’81
Algebraic view of cryptography
Millen ’84, Meadows ’89, ...
State/transition model
Burrows-Abadi-Needham ’89, ...
Modal logics
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
History of Protocol Analysis
Needham-Schroeder ’78 Dolev-Yao ’81
Algebraic view of cryptography
Millen ’84, Meadows ’89, ...
State/transition model
Burrows-Abadi-Needham ’89, ...
Modal logics
Woo-Lam ’93
Lowe ’95
Language-based
Model checking of CSP
. . . LySa
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
History of Protocol Analysis
Needham-Schroeder ’78 Dolev-Yao ’81
Algebraic view of cryptography
Millen ’84, Meadows ’89, ...
State/transition model
Burrows-Abadi-Needham ’89, ...
Modal logics
Woo-Lam ’93
Lowe ’95
Language-based
Model checking of CSP
. . . LySa
Thayer-Herzog- Guttman ’98, ...
Strand Spaces
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
History of Protocol Analysis
Needham-Schroeder ’78 Dolev-Yao ’81
Algebraic view of cryptography
Millen ’84, Meadows ’89, ...
State/transition model
Burrows-Abadi-Needham ’89, ...
Modal logics
Woo-Lam ’93
Lowe ’95
Language-based
Model checking of CSP
. . . LySa
Thayer-Herzog- Guttman ’98, ...
Strand Spaces Probabalistic/complexity
theoretic view
of cryptography Herzog ’03,
Zunino-Degano ’04
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Analysing a Protocol
[Bodei-Buchholtz-Degano-Nielson-Nielson ’04]
1. Write the protocol in the process calculus L Y S A
2. Specify an attacker
3. Analyse the protocol and the attacker using control flow analysis
4. Inspect the analysis result to determine
(security) properties of the protocol.
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
L Y S A for Symmetric Cryptography
E ::= n name ( n ∈ N )
x variable (x ∈ X )
{E 1 , · · · , E k } E
0encryption P ::= hE 1 , · · · , E k i. P output
(E 1 , · · · , E j ; x j +1 , · · · , x k ). P input (with matching)
decrypt E as {E 1 , · · · , E j ; x j +1 , · · · , x k } E
0in P
decryption (with matching)
P 1 | P 2 parallel composition
(ν n)P introduce new name n
! P replication
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
The Wide-mouthed-frog Protocol
(without timestamps) [Burrows-Abadi-Needham ’89]
1. A → S : A, {B, K AB } K A
2. S → B : {A, K AB } K B
3. A → B : { mess } K AB
A
S Network
K A
K
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
The Wide-mouthed-frog Protocol
(without timestamps) [Burrows-Abadi-Needham ’89]
1. A → S : A, {B, K AB } K A
2. S → B : {A, K AB } K B
3. A → B : { mess } K AB
A
S Network
A, {B, K AB } K A
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
The Wide-mouthed-frog Protocol
(without timestamps) [Burrows-Abadi-Needham ’89]
1. A → S : A, {B, K AB } K A
2. S → B : {A, K AB } K B
3. A → B : { mess } K AB
A
S Network
{A, K AB } K B
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
The Wide-mouthed-frog Protocol
(without timestamps) [Burrows-Abadi-Needham ’89]
1. A → S : A, {B, K AB } K A
2. S → B : {A, K AB } K B
3. A → B : { mess } K AB
A
S Network { mess } K AB
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Semantics
L Y S A has a reduction semantics defined by two relations
P → P 0 the reduction relation
P ≡ P 0 the structural congruence
(P → R P 0 parameterised reduction relation used in
the paper )
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Reduction Relation P → P 0
◦ ◦
◦
◦
◦
◦
◦ ◦
◦
· · ·
· · ·
· · ·
· · ·
· · ·
Executions with the attacker
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Reduction Relation P → P 0
◦ ◦
◦
◦
◦
◦ ◦
◦
◦
· · ·
· · ·
· · ·
· · ·
· · ·
Executions
Executions with the attacker
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Reduction Relation
P → P 0
(ν n)P → (ν n)P 0
∧ j i =1 E i = E i 0
hE 1 , · · · , E k i. P | (E 1 0 , · · · , E j 0 ; x j +1 , · · · , x k ). Q →
P | Q[E j +1 /x j +1 , · · · , E k /x k ]
P → P 0
P | Q → P 0 | Q
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Structural Congruence
The structural congruence, P ≡ Q , brings processes
“on the right form” for the reduction relation
P ≡ Q ∧ Q → Q 0 ∧ Q 0 ≡ P 0
P → P 0
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Structural Congruence
P ≡ P
P 1 ≡ P 2 ⇒ P 2 ≡ P 1
P 1 ≡ P 2 ∧ P 2 ≡ P 3 ⇒ P 1 ≡ P 3
P 1 ≡ P 2 ⇒ hE 1 , · · · , E k i. P 1 ≡ hE 1 , · · · , E k i. P 2 P 1 ≡ P 2 ⇒ (E 1 , · · · , E j ; x j +1 , · · · , x k ). P 1 ≡
(E 1 , · · · , E j ; x j +1 , · · · , x k ). P 2
P 1 ≡ P 2 ∧ P 3 ≡ P 4 ⇒ P 1 | P 3 ≡ P 2 | P 4
P 1 ≡ P 2 ⇒ (ν n)P 1 ≡ (ν n)P 2
P 1 ≡ P 2 ⇒ !P 1 ≡ !P 2
P ≡ P ⇒ E {E , · · · , E ; x , · · · , x } P ≡
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Structural Congruence
P 1 ≡ P 2 if P 1 and P 2 are disciplined α -equivalent
P 1 | P 2 ≡ P 2 | P 1
(P 1 | P 2 ) | P 3 ≡ P 1 | (P 2 | P 3 ) P | 0 ≡ P
(ν n) 0 ≡ 0
(ν n)(ν n 0 )P ≡ (ν n 0 )(ν n)P
(ν n)(P 1 | P 2 ) ≡ P 1 | (ν n)P 2 if n 6∈ fn(P 1 )
!P ≡ P | !P
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
The Semantics at Work
((ν n)hni. 0 ) | (; x). hn, xi. 0
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
The Semantics at Work
((ν n)hni. 0 ) | (; x). hn, xi. 0
≡ ((ν m)hmi. 0 ) | (; x). hn, xi. 0
≡ (ν m)(hmi. 0 | (; x). hn, xi. 0 )
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
The Semantics at Work
((ν n)hni. 0 ) | (; x). hn, xi. 0
≡ ((ν m)hmi. 0 ) | (; x). hn, xi. 0
≡ (ν m)(hmi. 0 | (; x). hn, xi. 0 )
→ (ν m)( 0 | hn, mi. 0 )
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
The Semantics at Work
((ν n)hni. 0 ) | (; x). hn, xi. 0
≡ ((ν m)hmi. 0 ) | (; x). hn, xi. 0
≡ (ν m)(hmi. 0 | (; x). hn, xi. 0 )
→ (ν m)( 0 | hn, mi. 0 )
≡ 0 | (ν m)hn, mi. 0
≡ (ν m)hn, mi. 0
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Algebraic View of Cryptography
[Dolev-Yao ’81]
For example, to model
encrypt as E K (P ) and decrypt as D K (C ) such
that D K (E K (m)) = m and nothing else
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Symmetric Cryptography in L Y S A
Encryption:
{E 1 , · · · , E k } E 0
Decryption:
decrypt E as {E 1 , · · · , E j ; x j +1 , · · · , x k } E 0 in P Semantics models perfect cryptography:
∧ j i =0 E i = E i 0
decrypt {E 1 , · · · , E k } E
0as {E 1 0 , · · · , E j 0 ; x j +1 , · · · , x k } E
00
in P
→ P [E j +1 /x j +1 , · · · , E k /x k ]
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Asymmetric Cryptography in L Y S A
Keys:
(ν ± m)P introduces two keys m + , m − in P
Encryption:
{|E 1 , · · · , E k |} E 0
Decryption:
decrypt E as {|E 1 , · · · , E j ; x j +1 , · · · , x k |} E 0 in P
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Asymmetric Cryptography in L Y S A
Decryption with private key:
∧ j i =1 E i = E i 0
decrypt {|E 1 , · · · , E k |} m
+as {|E 1 0 , · · · , E j 0 ; x j +1 , · · · , x k |} m
−in P
→ P [E j +1 /x j +1 , · · · , E k /x k ] Signature validation public key:
∧ j i =1 E i = E i 0
decrypt {|E 1 , · · · , E k |} m
−as {|E 1 0 , · · · , E j 0 ; x j +1 , · · · , x k |} m
+in P
→ P [E j +1 /x j +1 , · · · , E k /x k ]
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Asymmetric Cryptography in L Y S A
E ::= . . . . . .
m + , m − public and private keys {|E 1 , · · · , E k |} E
0asymmetric encryption
P ::= . . . . . .
(ν ± m)P key pair creation
decrypt E as {|E 1 , · · · , E j ; x j +1 , · · · , x k |} E
0in
asymmetric decryption
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
The Analysis
◦ ◦
◦
◦
◦
◦ ◦
◦
◦
· · ·
· · ·
· · ·
· · ·
· · ·
Executions
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
The Analysis
◦ ◦
◦
◦
◦
◦ ◦
◦
◦
· · ·
· · ·
· · ·
· · ·
Executions
Analysis
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
The Analysis
◦ ◦
◦
◦
◦
◦ ◦
◦
◦
· · ·
· · ·
· · ·
· · ·
· · ·
Executions
Analysis
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Analysis Components
Network messages: Variable bindings:
κ ∈ P (V ∗ ) ρ : X → P (V )
where values from V are variable-free terms i.e.
V ::= n | {V 1 , · · · , V k } V 0 | {|V 1 , · · · , V k |} V 0
Example
hA, B, { mess } K i. 0 | (A, B ; x). 0
hA, B, { } i ∈ κ
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Analysis Judgements
ρ, κ | = P
reads: “ ρ and κ are valid analysis estimates for P ”
Example
P 1 def = hAi. 0 | (; x). 0 P 2 def = hA, B i. 0 | (B ; x). 0 κ a = {hA, B i}
ρ a = [x 7→ ∅]
κ b = {hAi}
ρ b = [x 7→ {A}]
κ c = {hAi, hB i}
ρ c = [x 7→ {A, B }]
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Analysing Restriction
!(ν n)hni. 0
≡ (ν m)hmi. 0 | (ν o)hoi. 0 | (ν p)hpi. 0 | (ν q )hq i. 0 | (ν r)hri. 0 | . . . |
!(ν n)hni. 0
Each name, n , is assigned a canonical name bnc The semantics uses disciplined α -equivalence:
(ν n)P is α -equivalent to (ν n 0 )P 0 and bnc = bn 0 c
For example
bmc = boc = bpc = bq c = brc = . . . = bnc
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Analysing Restriction
!(ν n)hni. 0 ≡ (ν m)hmi. 0 | (ν o)hoi. 0 | (ν p)hpi. 0 | (ν q )hq i. 0 | (ν r )hri. 0 | . . . |
!(ν n)hni. 0 Each name, n , is assigned a canonical name bnc
The semantics uses disciplined α -equivalence:
(ν n)P is α -equivalent to (ν n 0 )P 0 and bnc = bn 0 c
For example
bmc = boc = bpc = bq c = brc = . . . = bnc
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Analysing Restriction
!(ν n)hni. 0 ≡ (ν m)hmi. 0 | (ν o)hoi. 0 | (ν p)hpi. 0 | (ν q )hq i. 0 | (ν r )hri. 0 | . . . |
!(ν n)hni. 0
Each name, n , is assigned a canonical name bnc The semantics uses disciplined α -equivalence:
(ν n)P is α -equivalent to (ν n 0 )P 0 and bnc = bn 0 c
For example
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Canonical Names and Variables
Network messages: Variable bindings:
κ ∈ P (bVc ∗ ) ρ : bX c → P (bVc)
Example
(!(ν n)hn, ni. 0 ) | (!(; x, y). 0 )
≡
(!(ν n)hn, ni. 0 ) | (!(; x, y). 0 ) | (ν n 1 )hn 1 , n 1 i. 0 | (; x 1 , y 1 ). 0 → (!(ν n)hn, ni. 0 ) | (!(; x, y). 0 )≡
(!(ν n)hn, ni. 0 ) | (!(; x, y). 0 ) | (ν n 2 )hn 2 , n 2 i. 0 | (; x 2 , y 2 ). 0 → . . .
but bnc = bn 1 c = bn 2 c = . . .
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Canonical Names and Variables
Network messages: Variable bindings:
κ ∈ P (bVc ∗ ) ρ : bX c → P (bVc)
Example
(!(ν n)hn, ni. 0 ) | (!(; x, y). 0 ) ≡
(!(ν n)hn, ni. 0 ) | (!(; x, y). 0 ) | (ν n 1 )hn 1 , n 1 i. 0 | (; x 1 , y 1 ). 0
→ (!(ν n)hn, ni. 0 ) | (!(; x, y). 0 )≡
(!(ν n)hn, ni. 0 ) | (!(; x, y). 0 ) | (ν n 2 )hn 2 , n 2 i. 0 | (; x 2 , y 2 ). 0 → . . .
but bnc = bn 1 c = bn 2 c = . . .
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Canonical Names and Variables
Network messages: Variable bindings:
κ ∈ P (bVc ∗ ) ρ : bX c → P (bVc)
Example
(!(ν n)hn, ni. 0 ) | (!(; x, y). 0 ) ≡
(!(ν n)hn, ni. 0 ) | (!(; x, y). 0 ) | (ν n 1 )hn 1 , n 1 i. 0 | (; x 1 , y 1 ). 0 → (!(ν n)hn, ni. 0 ) | (!(; x, y). 0 )
≡
(!(ν n)hn, ni. 0 ) | (!(; x, y). 0 ) | (ν n 2 )hn 2 , n 2 i. 0 | (; x 2 , y 2 ). 0 → . . .
but bnc = bn 1 c = bn 2 c = . . .
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Canonical Names and Variables
Network messages: Variable bindings:
κ ∈ P (bVc ∗ ) ρ : bX c → P (bVc)
Example
(!(ν n)hn, ni. 0 ) | (!(; x, y). 0 ) ≡
(!(ν n)hn, ni. 0 ) | (!(; x, y). 0 ) | (ν n 1 )hn 1 , n 1 i. 0 | (; x 1 , y 1 ). 0 → (!(ν n)hn, ni. 0 ) | (!(; x, y). 0 ) ≡
(!(ν n)hn, ni. 0 ) | (!(; x, y). 0 ) | (ν n 2 )hn 2 , n 2 i. 0 | (; x 2 , y 2 ). 0 →
. . .
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
The Analysis of the Attacker
◦ ◦
◦
◦
◦
◦ ◦
◦
◦
· · ·
· · ·
· · ·
· · ·
· · ·
Executions Analysis
n 1
n 2 n 3
bn i c
Executions with the attacker
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
The Analysis of the Attacker
◦ ◦
◦
◦
◦
◦ ◦
◦
◦
· · ·
· · ·
· · ·
· · ·
Executions Analysis
n 1
n 2 n 3
bn i c
Executions with the attacker
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Protocol Scenarios
Network
S
A
B
In LySa: A | B | S
|
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Protocol Scenarios
Network
S
A
B
M
In LySa: A | B | S | M
legitimate part of system the attacker
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Protocol Scenarios
Network
S
A
B
M
In LySa: A | B | S | M
legitimate part of system the attacker
We write the legitimate part of the system
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Protocols Scenarios
Network
S M
A
B K A
K B
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Protocols Scenarios
Network
S M
A i A 3 A 2 A 1
B i
B 3
B 2
B 1
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Protocols Scenarios
Network
S M
A i A 3 A 2 A 1
B i B 3 B 2 B 1 K A 1
K A i
K B 1 K B i
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Meta Level
E ::= n i 1 ···i k Indexed names x i 1 ···i k Indexed variables . . .
P ::= . . .
| i∈S Indexed parallel
(ν i∈S n i )P Indexed restriction
(ν ± i ∈ S n i )P Indexed key pair restriction
let X ⊆ S in P Declare set
Example
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems
Analysing a Protocol
1. Write the protocol in the process calculus L Y S A 2. Specify an attacker
3. Analyse the protocol and the attacker using control flow analysis
4. Inspect the analysis result to determine
(security) properties of the protocol.
Technical University of Denmark / Informatics and Mathematical Modelling / Safe and Secure IT-Systems