Automata-based analysis of recursive cryptographic protocols Thomas - PowerPoint PPT Presentation

Automata-based analysis of recursive cryptographic protocols Thomas Wilke Joint work with Ralf K¨ usters Christian-Albrechts-Universit¨ at zu Kiel June 13, 2004 1

Un-/Decidability of security in the DY model Undecidable • protocols with an unbounded number of rewriting receive-send actions (Amadio et al., Mitchell et al., . . . ) Decidable • protocols with a bounded number of rewriting receive-send actions (Turuani, Rusinowitch) • extension by XOR and Diffie–Hellman exponentiation (Chevalier, K¨ usters et al., Shmatikov et al.) 2

Un-/Decidability of security in the DY model Undecidable • protocols with an unbounded number of rewriting receive-send actions (Amadio et al., Mitchell et al., . . . ) Decidable • protocols with a bounded number of rewriting receive-send actions (Turuani, Rusinowitch) • extension by XOR and Diffie–Hellman exponentiation (Chevalier, K¨ usters et al., Shmatikov et al.) protocols with a bounded number of recursive • receive-send actions 3

Recursive Authentication Protocol K 0 , 1 K 1 , 2 K 2 , 3 K n − 2 ,n − 1 K n − 1 ,n ← → P 1 ← → P 2 ← → . . . ← → ← → S = P n P 0 P n − 1 Phase 1 hash ( k, m ) = � m, keyed-hash k ( m ) � P 0 → P 1 : hash ( K P 0 , � P 0 , P 1 , N 0 , init � ) P 1 → P 2 : hash ( K P 1 , � P 1 , P 2 , N 1 , hash ( K P 0 , � P 0 , P 1 , N 0 , init � ) � ) P 2 → S : hash ( K P 2 , � P 2 , S, N 2 , hash ( K P 1 , � P 1 , P 2 , N 1 , hash ( K P 0 , � P 0 , P 1 , N 0 , init � ) � ) � ) Phase 2 S → P 2 : enc ( K P 2 , � K 2 , 3 , S, N 2 � ) enc ( K P 2 , � K 1 , 2 , P 1 , N 2 � ) enc ( K P 1 , � K 1 , 2 , P 2 , N 1 � ) enc ( K P 1 , � K 0 , 1 , P 0 , N 1 � ) enc ( K P 0 , � K 0 , 1 , P 1 , N 0 � ) P 2 → P 1 : enc ( K P 1 , � K 1 , 2 , P 2 , N 1 � ) enc ( K P 1 , � K 0 , 1 , P 0 , N 1 � ) enc ( K P 0 , � K 0 , 1 , P 1 , N 0 � ) P 1 → P 0 : enc ( K P 0 , � K 0 , 1 , P 1 , N 0 � ) 4

Recursive Authentication Protocol Phase 1 P 0 → P 1 : hash ( K P 0 , � P 0 , P 1 , N 0 , init � ) =: M 0 P 1 → P 2 : hash ( K P 1 , � P 1 , P 2 , N 1 , M 0 � ) =: M 1 P 2 → P 3 : hash ( K P 2 , � P 2 , P 3 , N 2 , M 1 � ) =: M 2 . . . P n − 1 → S : hash ( K P n − 1 , � P n − 1 , S, N n − 1 , M n − 2 � ) Phase 2 S → P n − 1 : � R n − 1 , L n − 1 , R n − 2 , L n − 2 , . . . , R 0 � where R i = enc ( K P i , � K i,i +1 , P i +1 , N i � ) L i = enc ( K P i , � K i − 1 ,i , P i − 1 , N i � ) P n − 1 → P n − 2 : � R n − 2 , L n − 2 , . . . , R 0 � . . . P 1 → P 0 : R 0 5

Recursive definition of server P 2 → S : hash ( K P 2 , � P 2 , S, N 2 , hash ( K P 1 , � P 1 , P 2 , N 1 , hash ( K P 0 , � P 0 , P 1 , N 0 , init � ) � ) � ) S → P 2 : enc ( K P 2 , � K 2 , 3 , S, N 2 � ) enc ( K P 2 , � K 1 , 2 , P 1 , N 2 � ) enc ( K P 1 , � K 1 , 2 , P 2 , N 1 � ) enc ( K P 1 , � K 0 , 1 , P 0 , N 1 � ) enc ( K P 0 , � K 0 , 1 , P 1 , N 0 � ) OUT ( hash ( K ( X ) , � X, S, N, M � ) = HELP ( hash ( K ( X ) , � X, S, N, M � ) , new ()) HELP ( hash ( K ( X ) , � X, X ′ , N, init � , K ) = enc ( K ( X ) , � K, X ′ , N � ) HELP ( hash ( K ( X ) , � X, X ′ , N, hash ( K ( X ′′ ) , � X ′′ , X, N ′ , M � ) � , K ) = � enc ( K ( X ) , � K, X ′ , N � ) , enc ( K ( X ) , � K ′ , X ′′ , N � ) , HELP ( hash ( K ( X ′′ ) , � X ′′ , X, N ′ , M � ) , K ′ ) � where K ′ = new () 6

Related examples IKE (Internet Key Exchange protocol) The responder chooses an item from an unbounded list of security associations. Web service protocols Messages can have multiple (an unbounded number of) security tokens. Main issue Open-endedness of message structure, which requires iterative or recursive actions. 7

The message model Terms built using: • atoms from a finite set A , including principal names, symmetric and asymmetric keys, • enc k ( · ) for k ∈ A a key, • hash k ( · ) for k ∈ A a key, • �· , ·� , • anonymous constants from an infinite set C . 8

The message model Terms built using: • atoms from a finite set A , including principal names, symmetric and asymmetric keys, • enc k ( · ) for k ∈ A a key, • hash k ( · ) for k ∈ A a key, • �· , ·� , • anonymous constants from an infinite set C . Notice Atomic keys only! 9

The action model: tree transducer receive/send action = sequence of recursive definitions of the form F ( t ) = t ′ ( F 0 ( t 0 ) , F 1 ( t 1 ) , . . . , F r − 1 ( t r − 1 )) where • all variables from the RHS occur on the LHS, • t is a linear term, • all terms are without anonymous constants, • each t i ist a subterm of t , • one function symbol marked which is initially called. 10

Use of anonymous constants Functions may have additional parameters for anonymous constants: F ( t ; c 0 , . . . , c r − 1 ) , where the formal parameter may only be • a variable for an anonymous constanst or • the term new () . Examples OUT ( hash k i ( � i, n, N, M � ) = HELP ( hash k i ( � i, n, N, M � ); new ()) HELP ( hash k i ( � i, j, N, init � ; K ) = enc i ( � K, j, N � ) 11

The server definition revisited 0 , . . . , n for principals, k 0 , . . . , k n − 1 for symmetric keys. For i, j, k < n , OUT ( hash k i ( � i, n, N, M � ) = HELP ( hash k i ( � i, n, N, M � ); new ()) HELP ( hash k i ( � i, j, N, init � ; K ) = enc i ( � K, j, N � ) HELP ( hash k i ( � i, j, N, hash k k ( � k, i, N ′ , M � ); K � ) = � enc k i ( � K, j, N � ) , HELP2 ( � N, hash k k ( � k, i, N ′ , M � ) � ; new ()) � HELP2 ( � N, hash k k ( � k, i, N ′ , M � ) � ; K ′ ) = � enc i ( � K ′ , k, N � ) , HELP ( hash k k ( � k, i, N ′ , M � ); K ′ ) � 12

Tree transducer: the picture F ( t ) = t ′ ( F ( t 0 ) , F ( t 1 ) , G ( t 0 )) ✑◗◗◗◗◗◗ ✑◗◗◗◗◗◗ ✑✑✑✑✑✑ ✑✑✑✑✑✑ − → ◗ ◗ F G F F G ✁ ❆ ✂ ❇ � ❅ ✁ ❆ ✂ ❇ ✁ ❆  � ❅ ✂ ❇ ✁ ❆❆ ✂ ❇ ✁ ❆❆ ✂ ❇ ✁ ❆  ✁ ❆   ✁ ✁ ❆ ✁ t 0 ✂ ❇ ✂ ❇ ✂ ❇ ✁ t ′ ❆ t ✂ ❇ ✂ ❇ ✂ ❇ ✁ ❆ t 1 ✂ ❇ ✂ ❇   ✁ ❆ F F G  ✂ ❇ ✂ ❇ ✁ ❆ ✂ ❇ ✁ ❆ ✁ ❆ ✁ ❆ t 0 t 0 ✂ ❇ t 1 ✂ ❇ ✂ ❇ ✂ ❇ 13

The intruder model Dolev–Yao intruder! • controls entire network • has initial knowledge u • can derive information according to the following rules: – u ∈ der ( u ) , – if � t, t ′ � ∈ der ( u ) , then t, t ′ ∈ der ( u ) , – if k ∈ K s and k, enc k ( t ) ∈ der ( u ) , then t ∈ der ( u ) , – if k ∈ K a and k − 1 , enc k ( t ) ∈ der ( u ) , then t ∈ der ( u ) , – if hash k ( t ) ∈ der ( u ) , then t ∈ der ( u ) , – if t, t ′ ∈ der ( u ) , then � t, t ′ � ∈ der ( u ) , – if k, t ∈ der ( u ) , then hash k ( t ) , enc k ( t ) ∈ der ( u ) . 14

The protocol model principal = finite sequence of receive-send actions protocol = finite set of principals protocol run = interleaving of the receive-send actions of the principals with intruder inbetween protocol is insecure (the intruder is successful) iff in some run the intruder can derive an atom or an anonymous constant output in the last step of the protocol Example OUT ( enc K 0 ( � K 0 , 1 , P 1 , N � )) = K 0 , 1 15

Main result Theorem It is decidable whether a protocol is secure. 16

Main result Theorem It is decidable whether a protocol is secure. Remark No elementary upper bound for computational complexity known. 17

First steps in the proof τ 0 , τ 1 receive-send actions, u initial knowledge of intruder. δ non-deterministic function (relation) for intruder (output can be derived from input). ✲ ✲ ✲ ✲ ? go τ 0 τ 1 δ = ✯ ✟ ✟✟✟✟ ✲ u ✲ δ ✲ 18

First steps in the proof τ 0 , τ 1 receive-send actions, u initial knowledge of intruder. δ non-deterministic function (relation) for intruder (output can be derived from input). ✲ ✲ ✲ ✲ ? go τ 0 τ 1 δ = ✯ ✟ ✟✟✟✟ ✲ u ✲ δ ✲ ✲ fst ✲ ✲ ✲ ✲ ✲ fst ✲ ✲ ✲ ∈ T ? � go , u � τ 0 τ 1 δ � , � � , � � , � ✲ ✲ ✲ ✲ ✲ snd snd T := {� a, t � | a ∈ δ ( t ) } τ ′ δ ′ τ ′ 0 1 19

First steps in the proof τ 0 , τ 1 receive-send actions, u initial knowledge of intruder. δ non-deterministic function (relation) for intruder (output can be derived from input). ✲ ✲ ✲ ✲ ? go τ 0 τ 1 δ = ✟ ✯ ✟✟✟✟ ✲ u ✲ δ ✲ ✲ fst ✲ ✲ ✲ ✲ ✲ fst ✲ ✲ ✲ ∈ T ? � go , u � τ 0 τ 1 δ � , � � , � � , � ✲ ✲ ✲ ✲ ✲ snd snd T := {� a, t � | a ∈ δ ( t ) } τ ′ δ ′ τ ′ 0 1 General condition − 1 ( . . . ( τ ′ − 1 ( δ ′− 1 ( τ ′ − 1 ( T )))) . . . ) . � go , u � ∈ τ ′ 0 n − 2 n − 1 20