Symbolic Protocol Analysis With an Abelian Group Operator or Diffie-Hellman Exponentiation

44 pages · 2004 · 0.3 MB · English

Jonathan Millen and Vitaly Shmatikov
Computer Science Laboratory, SRI International
{millen,shmat}@csl.sri.com

(Partially supported by ONR Grants N00014-01-1-0837 and N00014-03-1-0961, and by DARPA contract N66001-00-C-8014.)

Abstract

We demonstrate that for any well-defined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully automated formal analysis of protocols that employ primitives such as Diffie-Hellman exponentiation, multiplication, and xor, with a bounded number of role instances, but without imposing any bounds on the size of terms created by the attacker.

1 Introduction

Conventional formal analysis of cryptographic protocols relies on the so-called “Dolev-Yao” attacker model, which assumes that the attacker can intercept any message and construct or modify messages using a given set of computational and cryptographic primitives. Cryptographic operations are treated abstractly as black boxes, in the sense that they are assumed to have no computational features other than those associated with encryption and decryption. Black-box cryptographic primitives are characterized using simple axioms such as dec enc , where is the inverse key to , which might be either itself for symmetric encryption, or the corresponding private key for public-key encryption. Sometimes even less is assumed: for example, in the free algebra model dec is not used explicitly (the consequences of this restriction are discussed in [Mil03]).

This rudimentary treatment of encryption is not adequate to deal with primitives such as xor (exclusive or), multiplication, and Diffie-Hellman exponentiation, which are widely used in security protocols. The attacker can and will exploit associativity, commutativity, cancellation, and other properties of these operations. For example, Bull’s recursive authentication protocol was formally proved correct in a model that treated xor as an abstract encryption, and then found to be vulnerable once self-cancellation properties of xor are taken into account [Pau97, RS98].

We use symbolic trace reachability as the standard representation of the protocol analysis problem for trace-based security properties, which include secrecy and most authentication properties. This problem has been shown to be undecidable in several general settings (for example, see [DLMS99]). Our approach follows the line of research that makes the reachability problem decidable by bounding the number of sessions, but allowing an unbounded attacker who may create messages of arbitrary depth [AL00, FA01, Bor01, MS01]. Other model checking approaches require a priori bounds on message complexity or may fail to terminate. Inductive proof approaches have no finiteness limitations, but require substantially more human effort per protocol, and are still subject to undecidability results.

In symbolic approaches, messages are represented as terms in an algebra generated by abstract computational primitives. Messages may contain variables, representing data fields whose value is not known in advance to the recipient. A variable can be viewed as the attacker’s input to the protocol execution since the attacker can instantiate it with any term available to him as long as the instantiation is consistent in every term where the variable appears.

A trace is a sequence of messages sent and received. A trace is reachable if there is a substitution that instantiates all variables with ground terms such that all messages sent by the honest parties are consistent with the protocol specification, and all messages received by the honest parties from the network could have been constructed by the attacker from the previously sent messages and the attacker’s initial knowledge. A trace is an attack if it violates the security condition – in the case of secrecy, if a value that is supposed to remain secret appears in the trace as an unencrypted received message (i.e., is announced by the attacker). For a bounded number of sessions, the symbolic trace reachability problem has been shown to be NP-complete [RT01], assuming a free term algebra.

Our main contribution is to extend the constraint solving approach, first proposed in [MS01], to handle the algebraic properties of Abelian group operators. For any well-defined cryptographic protocol, we show that symbolic trace reachability is equivalent to solvability in integers of a certain system of quadratic equations. We then prove that this system is decidable. Decidability of the bounded-session protocol insecurity problem for xor (first shown in [CLS03, CKRT03b]) and for the free attacker algebra without equational properties (previously proved in [RT01, CCM01, MS01]) follow as special cases.

1.1 Overview

In Section 2, we introduce our formal model and describe how to reduce the protocol analysis problem to a sequence of symbolic constraints. In Section 3, we posit the origination stability condition, which is a necessary property of any well-defined protocol. In Section 4, we summarize the theory of ground term derivability in the presence of an Abelian group operator, due to Comon-Lundh and Shmatikov [CLS03].

The main technical result of the paper appears in Section 5. If the constraint sequence has a solution, we prove that it has a conservative solution. Intuitively, the conservative solution uses only the structure that is already present in the original sequence. We show that the substitution for any variable is a product of terms (and their inverses) drawn from a finite set: the non-variable subterms of the original constraint sequence. The resulting set of product derivation problems is naturally reduced to a system of quadratic Diophantine equations, as shown in Section 6. One of the steps along the way is Abelian group unification, which is known to be decidable [BS01]. We then proceed to demonstrate that the quadratic system has a solution if and only if a particular linear subsystem has a solution. Since linear Diophantine equations are decidable (e.g., [CD94]), this establishes decidability of the protocol analysis problem in the presence of an Abelian group operator.

In Section 7, we extend our approach to protocols with Diffie-Hellman exponentiation, under the restriction that multiplication may appear only in exponents. We replace exponentials by a combination of products and uninterpreted functions, which reduces the symbolic analysis problem for such protocols to the solvability of a symbolic constraint sequence with an Abelian group operator. Conclusions are in Section 8.

1.2 Related work

Boreale and Buscemi [BB03] and Chevalier et al. [CKRT03a] recently developed decision procedures for protocol analysis in the presence of Diffie-Hellman exponentiation. Neither addresses decidability in the presence of an Abelian group operator. The decision procedure of [BB03] requires an a priori upper bound on the number of factors in each product, but the paper does not indicate how to compute this bound for a given symbolic trace. In general, establishing upper bounds on the size of variable instantiations needed for a feasible attack on a protocol is a highly non-trivial problem and one of the main challenges in proving decidability. Therefore, the technique of [BB03] cannot be considered a complete decision procedure even for protocols with Diffie-Hellman exponentiation.

Chevalier et al. [CKRT03a] proved that the insecurity problem for a restricted class of protocols is NP-complete in the presence of Diffie-Hellman exponentiation. They do not consider Abelian group operators outside exponents, and their result only applies to protocols in which no more than one new variable is introduced in each protocol message. Also, they do not permit variables to be instantiated with products. These restrictions are quite strong, ruling out some well-defined protocols. For example, a protocol in which an honest participant receives , then receives , and then sends is not permitted by the syntactic restrictions of [CKRT03a] (this protocol may be rewritten so as to satisfy the restrictions, but it is not clear whether there exists a general-purpose syntactic transformation that converts any protocol into one satisfying the restrictions of [CKRT03a]). In contrast, the results of this paper are directly applicable to any protocol which is well-defined in the following sense: an honest participant is not required to output the value of an attacker’s variable before he has received any message containing that variable.

The technique of [CKRT03a] is more general in its treatment of Diffie-Hellman exponentiation since it allows exponentiation from an arbitrary base, while only constant-base exponentiation is considered in this paper. See [Shm04] for an extension of our constraint solving technique to modular exponentiation from an arbitrary base.

Pereira and Quisquater [PQ01] discovered an attack on a group Diffie-Hellman (GDH) protocol that exploits algebraic properties of Diffie-Hellman exponents. Their approach is specific to GDH-based protocols, and the attacker model is restricted correspondingly (e.g., the attacker is not even equipped with the ability to perform standard symmetric encryption). They do not attempt to address the general problem of deciding whether a term is derivable in an attacker algebra with the equational theory of multiplication, or whether a particular symbolic attack trace has a feasible instantiation. Since they only consider the problem in the ground case, the resulting system of equations is linear, whereas the system we obtain in the general case with variables is quadratic (see Section 6). An application of our approach to one of the Pereira-Quisquater examples is summarized in Section 7.

Recent research by Narendran et al. focuses on decidability of unification modulo the equational theory of multiplication and exponentiation [MN02, KNW02, KNW03]. While equational unification is an important subproblem in symbolic protocol analysis, unification alone is insufficient to decide whether a particular symbolic attack trace is feasible.

Decidability of symbolic protocol analysis in the presence of xor has been proved in [CKRT03b, CLS03]. Chevalier et al. [CKRT03b] showed that the problem is NP-complete in a restricted protocol model which is very similar to the one proposed in this paper. Independently, Comon-Lundh and Shmatikov [CLS03] demonstrated decidability of symbolic protocol analysis with xor in the unrestricted model. This paper lifts the results of [CLS03] by considering the symbolic analysis problem in the presence of an arbitrary Abelian group operator, resulting in a substantially more complicated theory than in the xor case. In contrast, [CLS03] only considers Abelian group operators in the ground case, and obtains symbolic decidability results for xor only.

Bertolotti et al. [BDSV03] investigated cryptographic protocol analysis in the presence of associative and commutative operators. The algebraic theory considered in this paper is significantly more complicated. In protocols such as group Diffie-Hellman [STW96], the exponents form an Abelian group. In particular, the attacker can easily compute multiplicative inverses. To discover attacks such as that found by Pereira and Quisquater [PQ01], the algebraic theory must include inverses and cancellative reductions such as . Demonstrating decidability in the presence of an Abelian group operator (rather than mere associativity and commutativity) is the main technical contribution of this paper.

2 Model

We begin with the strand space model of [THG99]. A strand is a sequence of nodes representing the activity of one party executing the protocol. Strands are finite and do not have branching or loops. Associated with each node is a message term with a sign, + or −, indicating that the message is sent or received, respectively. Messages in a strand are ground terms in a suitable algebra.

A protocol specification is a set of roles for legitimate parties in the protocol. A role can be instantiated with different data in different protocol sessions. Hence, roles in a protocol are specified as strand schemas, in which message terms may contain variables. A role strand is a partially (or fully or un-) instantiated strand schema that is a role; a role instance is a fully instantiated (ground) role strand.

In the usual strand space model, there is a standard set of penetrator roles representing primitive computations that an attacker can perform. An attack on a protocol may involve many concurrent sessions or role instances woven together with penetrator strands. A bundle is a collection of (protocol and penetrator) role instances in which the source of each received message is identified. Thus, nodes in a bundle are partially ordered by their strand sequence and also by the connection of a send node to a receive node for the same message. Bundles are backward complete in the sense that the strand predecessor of each (non-initial) node must be present, and the send node for each receive node must be present. A bundle is essentially a Lamport diagram [Lam78] in which the processes are strands. (Lamport called this a space-time diagram, but others renamed it in the context of distributed systems.)

2.1 Overview of constraint solving

It is shown in [THG99] and elsewhere how security questions can be reduced to questions about the existence of a bundle that exhibits a security violation. In our constraint solving approach begun in [MS01], bundle existence is determined by starting with a semibundle consisting of partially instantiated role instances, in which the sources of received messages are not necessarily determined. (The term “semibundle” comes from the Athena paper [Son99].) In a semibundle to be analyzed, the number of instances of each role has been chosen, and variables representing nonces (or session keys) have been instantiated to symbolic constants in the roles that generate them. The remaining variables are, for purposes of analysis, viewed as chosen or constructed by the attacker.

As in Athena, search for a solution begins with a semibundle that has no penetrator strands. Athena adds penetrator strands and role strands as necessary to extend the semibundle until it is a complete bundle. We never add role strands, because we bound the number of roles to begin with to achieve decidability. We never add penetrator strands, because their purpose is modeled implicitly by derivation constraints. We solve the constraints to see if the original semibundle can be instantiated to the role strands of a bundle. Unlike Athena, we solve the problem in an infinite state space that includes all possible combinations of penetrator strands.

A different sequence of derivation constraints is generated for each possible trace. Derivation constraints assert that each received message is derivable, using attacker term-generation rules, from messages that were previously sent in the trace. A solution instantiates variables in the semibundle so that ground terms representing received messages are all derivable. If the constraint sequence is not solvable for any of the possible traces, then an attack bundle does not exist for the given set of role strands (though one might exist for a larger set).

An efficient method for generating traces and solving a set of derivation constraints by applying rules for successive transformations of the constraint sequence is given in [MS01]. One important advance in that paper is the ability to handle non-atomic or constructed symmetric keys, that is, keys that may be the result of a combination of operations such as concatenation, encryption, and hashing. Some work was done subsequently to improve the efficiency of constraint generation and solving. Corin and Etalle devised an incremental approach [CE02] that has been adopted and incorporated into our own software tool. Recently, the AVISPA project made further improvements with a “constraint differentiation” approach [BMV03].

This paper focuses on the decidability of constraint solving in the extended model with Abelian group operations. The constraint solving step is different from that of [MS01], and consists mainly in reducing the constraint solving problem to a choice among a finite selection of substitutions, followed by solving a system of simultaneous linear Diophantine equations.

The solution approach presented here is aimed only at establishing decidability. Analyzing complexity and finding an efficient way to carry out protocol analysis are left to future work. A practical algorithm similar to that of [MS01] may work by gradual discovery of the right set of substitutions by successive unifications, but unification would have to be performed modulo the equational theory of Abelian groups, followed by solving a system of linear Diophantine equations. Practical techniques for solving linear Diophantine equations have already been developed in the context of associative-commutative unification [LC89].

2.2 Term algebra

To focus on decidability in the presence of an Abelian group operator, we use a simplified term algebra that includes only pairing, symmetric encryption (but not decryption), a one-argument function modeling a one-way hash function, and an Abelian group operator written as multiplication. There are also assumed to be an unlimited number of variables and free constants (zero-argument functions). This is almost a free algebra, that is, one with no valid equations between terms (other than identities). But our term algebra is not free because multiplication forms an Abelian group, with unit and a multiplicative inverse. The notation for these operations is shown in Fig. 1.

As in prior work with free algebras, there is no explicit decryption operator. Decryption is performed implicitly by protocol participants. The attacker’s ability to extract components of a pair, or to decrypt an encrypted term when he knows the decryption key, is modeled by separate attacker inference rules, which are discussed in Section 2.4.

The overall algebraic structure is described as the disjoint combination of a free theory and the Abelian group theory, following [SS89]. In this context, “disjoint” means that each relation involves only functions (and constants) from one theory at a time, in this case the group theory. However, any term is acceptable as an argument to any function. One way of viewing this is that all terms are untyped (or share a common base type, or sort). In particular, we do not distinguish between keys and other kinds of messages.

Actual cryptographic operators do have requirements on their arguments, at least on their size in bits, and in many cases more subtle restrictions. Protocol implementations depend on observing these restrictions. For example, our algebra would allow a term like , but a protocol would normally have to apply a type coercion operator (a hash or truncation, perhaps) to before it could be used as a key. Moreover, when the Abelian group operator is applied to a compound term (e.g., a pair), in the actual implementation the corresponding bit string must be interpreted as an element of the right group, which may or may not be possible. We trust the protocol specification in this respect. If terms appearing in the abstract protocol specification involve application of the Abelian group operator to compound terms, we assume that such terms can be mapped into the group. Nevertheless, due to our abstract treatment of cryptographic functions, our analysis may generate unimplementable attacks, e.g., those involving application of the Abelian group operator to ciphertexts encrypted with a symmetric key, etc. These spurious attacks can be recognized by static inspection and discarded.

It is natural to ask here about the relationship between ground terms in our term algebra and the bit strings they are mapped to in the protocol implementation. This is not an easy question to answer because of the level of abstraction of our model (and all Dolev-Yao-style [DY83] models in general). For example, regarding encryption as a free operator means that the infinite sequence of terms are all distinct, whereas in practice the bit string values would all have the same length and could not all be distinct. Thus, there are additional relations in reality, and this implies that there may be more attacks on the real protocol than on the abstract version. Such concerns are addressed in work on computationally sound formal models, which is beyond the scope of this paper. The Abadi-Rogaway paper [AR02] is a good introduction to this issue.

Additional relations may also come about because of particular ways that encryption is performed. Encryption can be accomplished using exponentiation or multiplication, for example, and some interaction with the multiplicative Abelian group operator could occur, especially if they both use modular arithmetic. Such design choices might lead to attacks that would not be discovered in the present model. However, our decision procedure will determine the existence of any attack strategies that work uniformly, that is, for all possible cryptographic implementations that satisfy the abstract axioms.

We describe a specific extension with exponentials in Section 7, for application to protocols using Diffie-Hellman key agreement, while still allowing ordinary symmetric encryption in the protocol. The idea is to transform constraints with exponential terms into constraints with products of exponents. Other extensions are possible with no conceptual difficulty. Abstract public key encryption can be handled in a way similar to symmetric encryption, using a pair of functions and to generate a pair of keys for a principal . Variations and extensions of pairing could also be added without affecting decidability, such as -tuples for some or all , or associative concatenation.

Figure 1: Message term constructors (the symbols were lost in extraction; the rows are: pairing of two terms; a term encrypted with another term using a symmetric algorithm; product of terms (associative and commutative); multiplicative inverse of a term; any free function).

Figure 2: Normalization rules for products and inverses (rules lost in extraction).

The associative and commutative properties of our multiplicative group allow us to regard the product as an operator on a set of any number of terms, as suggested by the extended product notation . Terms can be put in normal form by applying the reduction rules given in Fig. 2. A term is in normal form if no further reductions are possible, even after rearranging products using associativity and commutativity. Normalization also includes “flattening” products, so that will be normalized to . The normal form is unique up to permutations of the extended product. Thus, for example, reduces to either or , and these two products are regarded as equal. We assume that terms are always normalized.

A term with a positive integer exponent is defined in the expected way; for example, . A term with a negative exponent, like , is an abbreviation for an inverse with a positive exponent, like .

2.3 Unification

There is a unification algorithm that can be applied to any two terms and constructed using the syntax of Fig. 1, by combining conventional structural unification on the free operators and Abelian Group (AG-)unification modulo associativity and commutativity of the operator and the normalization rules of Fig. 2. If both terms to be unified are not products, we use conventional unification by structural recursion, treating all constructors of Fig. 1 as free functions. If at least one of the terms is a product, unification is performed modulo AG, which is known to be decidable [BS01] and which produces a finite number of most general unifiers. In the rest of the paper, we use notation for the finite set of most general unifiers of and . Note that because a non-product term may contain products as inner subterms, and may have more than one most general unifier even if neither is a product.

Figure 3: Attacker’s capabilities (the sequents were lost in extraction; the rules are Unpairing (UL, UR), Decryption (D), Pairing (P), Encryption (E), Function (F), Inversion (I), and Multiplication (M)).

2.4 Attacker model

We use the standard attacker model augmented with rules concerning products and inverses (an extension to exponentials can be found in Section 7). The attacker’s ability to derive terms is characterized as a term closure under the inference rules of Fig. 3. The sequent means that is derivable (computable) from the terms in the set . The term closure of is the set of all terms derivable from (including members of ).

2.5 Constraint generation

Suppose we are given a protocol specified as a set of roles (strand schemas). We first choose a finite set of role strands for the semibundle. (There is no algorithm to determine how many of each are needed.) Each role may be instantiated zero or more times. In each role strand, any nonce variable generated by that role is instantiated with a distinct symbolic constant.

As an example, consider the protocol with two roles and , where and are nonces, and the security policy is to keep secret. In the semibundle pictured below, has been instantiated with in the first role strand, which generates it, and has been instantiated with . The third strand (node 4) is an artificial “test” strand introduced to detect compromise of . If can be received (in the clear) by the test party, then has been compromised.

[Semibundle diagram lost in extraction.]

No variables remaining in a semibundle should occur in more than one strand. Even though role specifications may use the same variable like or in different roles because the value is expected to be the same, there is no guarantee that corresponding variables will be instantiated with the same value during execution.

We generate all possible node orderings, or traces, that are consistent with the given strands. This is a finite set that grows exponentially with the number of strands. (Some traces can be discarded safely, but for proving decidability we may as well assume that we have all of them.) Each trace yields a sequence of derivation constraints. In general, if is the sequence of receive-node messages, and is the set of messages sent in nodes prior to the node in which is received, then the constraints are just the sequence . Each individual constraint can be interpreted as “at step , the attacker knows messages in and needs to generate message .” We will refer to as the target term of the constraint, and as the source set of the constraint. Both and messages in may contain variables. We assume that contains terms that are initially known to the attacker, such as constants specific to the protocol and the attacker’s own long-term keys. It is usually not necessary to include the constant , since if contains any term , the attacker can derive as . The properties of protocol-generated sequences are discussed in Section 3.

Our example semibundle has traces corresponding to all node orderings that respect the ordering of nodes 2 and 3. Note also that the only traces of interest are attacks, which end with node 4. Thus, the complete set of orderings to examine is 1234, 124, 14, 2134, 2314, 214, 24, 4. (One can show that it is sufficient to examine 1234 and 14, since any attack possible with a different ordering is possible with one of these.) The ordering 1234 generates the constraint sequence . For convenience, we simplify the notation for source sets by regarding a list as a union. Thus, may be written and may be written .

We say that is a solution of (written ) if is a ground substitution such that either , or is derivable using the inference rules of Fig. 3. Given a constraint sequence , is a solution of the constraint sequence ( ) if simultaneously solves every constraint . The constraint sequence arising from the trace 1234 in the example can be satisfied with the substitution , since the attacker’s Decryption rule (D) can be applied to satisfy the second constraint.

2.6 Subterms and product closures

We introduce a few definitions for convenience. If is a finite set of terms, let be the set of subterms of , which is the least set of terms such that: [five closure clauses, for members of the set, pairs, encryptions, function applications, and products; symbols lost in extraction]. Note that is not considered a subterm of . For an individual term , . We say that is a superterm of if .

[Definitions of the subterm, non-variable subterm, and product-closure sets lost in extraction.]

Thus, is the set of all non-variable subterms of , and is the closure of this set under product and inverse.

3 Well-Defined Protocols and Constraint Sequences

We start by defining two properties of constraint sequences that are essential for establishing decidability: monotonicity and origination. Conceptually, these properties are similar to those defined for the constraint solving method of [MS01]. Informally, monotonicity means that the attacker’s knowledge never decreases as the protocol progresses: all messages intercepted by the attacker are simply added to the set of terms available to him. Origination means that each variable appears for the first time in some message generated by the attacker (recall that in the symbolic analysis approach, variables model the attacker’s input to the protocol execution).

Our proof of decidability requires that monotonicity and origination be preserved by any partial substitution (this is a technical difference from [MS01]). In this section, we argue that this is true for any symbolic constraint sequence associated with a well-defined
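The ground case of the attacker model in Sections 2.2 to 2.5 (Fig. 2 normalization of products and inverses, and the inference rules of Fig. 3 applied to a source set and a target term) as an added, self-contained example; this is not the authors' tool, the protocol terms and the attacker's initial knowledge are constructed here, and the bounded exponent search in product_of_known is a simplification of the paper's Diophantine reduction.

```python
"""Ground-term derivability with an Abelian group product (constructed example).
Terms are nested tuples kept in the normal form of Fig. 2; build them bottom-up:
  ('c', name)        free constant           ('f', t)        one-way hash f(t)
  ('pair', a, b)     pairing <a, b>          ('enc', m, k)   {m}_k, symmetric
  ('prod', factors)  product; factors is a sorted tuple of (base, nonzero int),
                     a negative exponent is an inverse, ('prod', ()) is the unit.
"""
import itertools
from collections import Counter

def const(name):
    return ('c', name)

def pair(a, b):
    return ('pair', a, b)

def enc(m, k):
    return ('enc', m, k)

def hashf(t):
    return ('f', t)

def _factors(t):
    """Exponent map of t viewed as a product (flattens a nested product)."""
    return Counter(dict(t[1])) if t[0] == 'prod' else Counter({t: 1})

def mul(*terms):
    """Normalized product: flatten, merge exponents, cancel x*x^-1, drop the unit."""
    exps = Counter()
    for t in terms:
        exps.update(_factors(t))
    factors = tuple(sorted((b, e) for b, e in exps.items() if e != 0))
    if len(factors) == 1 and factors[0][1] == 1:
        return factors[0][0]  # a one-factor product with exponent 1 is that term
    return ('prod', factors)

def power(t, e):
    """t^e for an integer e; power(t, -1) is the multiplicative inverse of t."""
    return mul(('prod', tuple((b, e * c) for b, c in _factors(t).items())))

def inv(t):
    return power(t, -1)

def product_of_known(known, target, bound=2):
    """Rules M and I: is target a product of known terms with integer exponents?
    Brute force over exponents in [-bound, bound]; the paper instead reduces this
    to linear Diophantine equations, so the bound is a simplification here."""
    ks = list(known)
    for exps in itertools.product(range(-bound, bound + 1), repeat=len(ks)):
        if any(exps) and mul(*[power(k, e) for k, e in zip(ks, exps) if e]) == target:
            return True
    return False

def synth(known, t):
    """Composition rules P, E, F, M, I: can the attacker build t from known terms?"""
    if t in known or product_of_known(known, t):
        return True
    if t[0] in ('pair', 'enc'):
        return synth(known, t[1]) and synth(known, t[2])
    if t[0] == 'f':
        return synth(known, t[1])
    if t[0] == 'prod':  # every base derivable, then M (and I for negative exponents)
        return all(synth(known, b) for b, _ in t[1])
    return False

def analyse(known):
    """Decomposition rules UL, UR, D, iterated to a fixpoint; D fires only when
    the key is derivable from what is known so far."""
    known = set(known)
    while True:
        new = set()
        for t in known:
            if t[0] == 'pair':
                new.update((t[1], t[2]))
            elif t[0] == 'enc' and synth(known, t[2]):
                new.add(t[1])
        if new <= known:
            return frozenset(known)
        known |= new

def derivable(known, target):
    """The ground sequent 'known |- target' under the rules of Fig. 3."""
    return synth(analyse(known), target)

if __name__ == '__main__':
    s, k, n = const('s'), const('k'), const('n')
    # Constructed scenario: the secret s travels under key k, and k is exposed
    # only inside the product k*n; whether n^-1 is also known decides the outcome.
    print('k*n * n^-1 normalizes to k:', mul(mul(k, n), inv(n)) == k)
    print('s derivable with n^-1:', derivable({enc(s, k), mul(k, n), inv(n)}, s))
    print('s derivable without it:', derivable({enc(s, k), mul(k, n)}, s))
```

The second and third checks are the two outcomes of one constraint with target s: in the first the cancellation k·n·n⁻¹ = k is what lets rule D fire, which a free-algebra model (no M or I rules) would miss.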
