Exploiting symmetries when proving equivalence properties for security protocols (PowerPoint PPT Presentation, 24 pages)


Slide 1: Exploiting symmetries when proving equivalence properties for security protocols

Vincent Cheval, Steve Kremer, Itsaka Rakotonirina

Inria Nancy Grand-Est

Slides 2-3 (2/24): Security protocols

Examples of deployed protocols, each with a year:
  • TLS: 2016 (early version of 1.3)
  • Wifi: 2017 (WPA2)
  • E-voting: 2010 (Helios)
  • E-passport: 2013 (BAC)

Slides 4-5 (3/24): Symbolic attacker model

= the protocol's logic in an adversarial environment, with perfect cryptography.

Dishonest parties can, e.g., perform DoS, and read / overwrite messages.

Crypto = equations, with no other behaviours, e.g. for symmetric encryption:
  dec(enc(m, k), k) = m

Slides 6-8 (4/24): Privacy as indistinguishability

Anonymity (figure: two scenarios in which Alice's and Bob's yes/no choices are swapped).

Behavioural indistinguishability for all potential attackers.

Vote privacy, …

Slides 9-11 (5/24): Privacy as indistinguishability

(Figure: the two scenarios again, with the yes/no choices swapped.)

Equivalence is coNEXP-complete, for a fixed number of participants.

[S&P18] S. Kremer, V. Cheval, I. Rakotonirina. DEEPSEC: Deciding equivalence properties in security protocols — theory and practice

Observation! Each time, the two processes share a common structure.

Slide 12 (6/24): Contributions

  • A refinement of trace equivalence, for processes with structural similarities
  • Partial-order reductions for this new equivalence, for any process
  • Integration into the DeepSec prover

Section: Trace equivalence

Slides 14-19 (8/24): Modelling indistinguishability, a simple example

Two processes, each outputting an encryption on channel c and, in parallel, the key k on channel d:
  • P0 = out(c, enc(0,k)) | out(d, k)
  • P1 = out(c, enc(1,k)) | out(d, k)

Distinguishing execution: the attacker receives m1 (the encryption) and m2 (the key), then applies the test
  dec(m1, m2) = 0 ?
which succeeds for P0 and fails for P1.
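The distinguishing test of this example replayed in a toy term model (an added example, not code from the slides or from DeepSec; the tuple encoding of terms, the normalize/evaluate helpers and the handle names m1, m2 are assumptions made here):

```python
# Added example (not from the slides): a toy term algebra with the single
# equation dec(enc(m, k), k) = m, used to replay the distinguishing test
# of the "simple example". Terms are nested tuples; attacker recipes refer
# to received messages by handle name ("m1", "m2").

def normalize(term):
    """Rewrite a term to normal form using dec(enc(m, k), k) -> m."""
    if isinstance(term, str):
        return term                       # name, constant or handle
    head, *args = term
    args = [normalize(a) for a in args]
    if head == "dec" and isinstance(args[0], tuple) \
            and args[0][0] == "enc" and args[0][2] == args[1]:
        return args[0][1]                 # dec(enc(m, k), k) = m
    return (head, *args)

def evaluate(recipe, frame):
    """Instantiate the handles of a recipe with the frame's messages."""
    if isinstance(recipe, str):
        return frame.get(recipe, recipe)
    head, *args = recipe
    return normalize((head, *[evaluate(a, frame) for a in args]))

def satisfied(frame, test):
    """Does the equality test (lhs, rhs) hold in this frame?"""
    lhs, rhs = test
    return evaluate(lhs, frame) == evaluate(rhs, frame)

def distinguishes(frame0, frame1, test):
    """A test separates two frames if it holds in exactly one of them."""
    return satisfied(frame0, test) != satisfied(frame1, test)

# Frames (attacker knowledge) after out(c, m1) then out(d, m2) of each
# process: P0 outputs enc(0, k) then k, P1 outputs enc(1, k) then k.
K = "k"                                   # private name, constructed here
FRAME_P0 = {"m1": ("enc", "0", K), "m2": K}
FRAME_P1 = {"m1": ("enc", "1", K), "m2": K}

# The attacker's test from the slides: dec(m1, m2) = 0 ?
TEST_DEC = (("dec", "m1", "m2"), "0")

# Before k is output the attacker only holds m1; a test built from m1
# alone gives the same verdict on both sides, so nothing is learnt yet.
FRAME_P0_SHORT = {"m1": FRAME_P0["m1"]}
FRAME_P1_SHORT = {"m1": FRAME_P1["m1"]}
TEST_NO_KEY = (("dec", "m1", "m1"), "0")

if __name__ == "__main__":
    print("dec(m1,m2)=0 distinguishes:", distinguishes(FRAME_P0, FRAME_P1, TEST_DEC))
    print("before k is revealed:", distinguishes(FRAME_P0_SHORT, FRAME_P1_SHORT, TEST_NO_KEY))
```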

Slides 20-25 (9/24): Modelling indistinguishability, formalism

P0 ≈ P1 iff ∀ t ∈ Traces(Pi), ∃ t' ∈ Traces(P1-i), t ~ t'

  • P0, P1: algebra of finite concurrent processes
      in(c,x). P              ⇒ receives a term from the attacker
      out(c,u). P             ⇒ adds u to the attacker's knowledge
      P | Q
      if u = v then P else Q
  • Traces(P): sequences of inputs/outputs in an active adversarial environment
  • ~: static indistinguishability of sequences of inputs/outputs

Section: Trace equivalence… in practice

Slides 27-31 (11/24): A combinatorial fact

(Figure: the actions of P, action_{i,j} for i = 1..n and j = 1..p, facing the actions of Q, action'_{i,j}: n sessions, p actions per session.)

Goal: ∀ seq. of actions a1 a2 … anp, ∃ equivalent seq. of actions a'1 a'2 … a'np

  • Matching actions: ~(np)! matchings
  • Matching sessions: ~n! matchings

Slides 32-34 (12/24): Why matching sessions instead of individual actions?

  • Reduces combinatorial explosion
  • Sound, and often sufficient to prove trace equivalence
  • Actually a realistic attacker model, e.g. for an adversary observing ports dynamically allocated to each session

(Figure: the same n × p grids of actions of P and Q.)

Slides 35-39 (13/24): Formally: process pairing

(MATCH)  (P1 | … | Pn, Q1 | … | Qn) → (P1, Qσ(1)), …, (Pn, Qσ(n))
         with σ a permutation of {1,…,n}

(EXEC)   (P,Q) →α (P',Q')
         if P →α P' and Q →α Q' (in the single-process semantics)

Trace equivalence:      ∀ t ∈ Traces(P), ∃ t' ∈ Traces(Q), t ~ t'
Equivalence by session: ∀ t ∈ Traces(P), ∃ t' ∈ Traces(Q), t ~ t', where t' = snd(t2) for some t2 ∈ Traces(P,Q), a trace of the paired semantics
Section: Optimisations

Slides 41-45 (15/24): For trace equivalence

[CONCUR15] D. Baelde, S. Delaune, L. Hirschi. Partial-order reductions for security protocols

∀ t ∈ Traces(P), ∃ t' ∈ Traces(Q), t ~ t'

Reduce the number of traces to check?

Main theorem: if P, Q are determinate, it is sufficient to consider traces up to permutation of adjacent independent actions.
Independent actions = concurrent actions with no data flow.

Slides 46-47 (16/24): For equivalence by session

∀ t ∈ Traces(P), ∃ t' ∈ Traces(Q), t ~ t', with t' = snd(t2) for some t2 ∈ Traces(P,Q)

Reduce the number of traces to check?

Main theorem: it is sufficient to consider traces up to permutation of adjacent independent actions, and this holds for any process (cf. Contributions).
Independent actions = concurrent actions with no data flow.
Slides 48-52 (17/24): In practice

Main theorem: it is sufficient to consider traces up to permutation of adjacent independent actions.
Independent actions = concurrent actions with no explicit data flow.

Only consider traces that:
  • Execute outputs in priority
    (because an input followed by a concurrent output are independent)
  • Execute outputs in a deterministic order
    (because two concurrent outputs are always independent)
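The two trace-selection rules above applied to a constructed set of concurrent sessions (an added example, not code from the slides or from the DeepSec implementation; the session encoding and the function names are assumptions, and the sessions carry no data flow, so every pair of actions from different sessions counts as independent):

```python
# Added example (not from the slides or DeepSec): enumerate the
# interleavings of n concurrent sessions and keep only those allowed by
# the two "in practice" rules: outputs are executed in priority, and
# concurrent outputs are executed in a fixed deterministic order
# (here: lowest session index first).

def interleavings(sessions):
    """All interleavings of the sessions' action lists.
    Each trace element is (session index, action)."""
    def go(positions, prefix):
        if all(positions[i] == len(s) for i, s in enumerate(sessions)):
            yield tuple(prefix)
            return
        for i, s in enumerate(sessions):
            if positions[i] < len(s):
                positions[i] += 1
                yield from go(positions, prefix + [(i, s[positions[i] - 1])])
                positions[i] -= 1
    return list(go([0] * len(sessions), []))

def por_allowed(trace, sessions):
    """Check a trace against both reduction rules at every step."""
    positions = [0] * len(sessions)
    for (i, action) in trace:
        ready_outputs = [j for j, s in enumerate(sessions)
                         if positions[j] < len(s) and s[positions[j]][0] == "out"]
        if ready_outputs:
            # Rule 1: an output is available, so an input must not be chosen.
            # Rule 2: among available outputs, only the lowest session index.
            if action[0] != "out" or i != min(ready_outputs):
                return False
        positions[i] += 1
    return True

def reduced(sessions):
    """The representative traces kept after partial-order reduction."""
    return [t for t in interleavings(sessions) if por_allowed(t, sessions)]

# Constructed sample: three sessions of one role, each doing one input
# followed by one output (n = 3 sessions, p = 2 actions per session).
SESSIONS = [[("in", "c"), ("out", "c")] for _ in range(3)]

if __name__ == "__main__":
    full, kept = interleavings(SESSIONS), reduced(SESSIONS)
    print(len(full), "interleavings,", len(kept), "kept after reduction")
```

With three in/out sessions the 90 interleavings collapse to 6 representatives, one per order in which the sessions complete.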

Section: Implementation

Slides 54-58 (19/24): DeepSec prover

A tool proving trace equivalence of finite processes.

[CAV18] S. Kremer, V. Cheval, I. Rakotonirina. The DeepSec prover

(Figure: a tree rooted at the pair (P, Q); each node holds a set of processes derived from P and Q, e.g. {P1, P2, Q1}, {P3, P4}, {Q2}, {P5, P6}, {P7}, {Q3, Q4}, {P8, P9}, {Q5, Q6}.)

  • Branch ≈ set of equivalent traces
  • Attack ≈ node not containing any process originated from P, or any from Q
  • Partial-order reductions ≈ not generating some branches

Slides 59-63 (20/24): Approaches to prove trace equivalence

Baseline:
  P and Q trace equivalent?
    yes  → P ≈ Q
    no   → P ≉ Q
    >12h → ?

Structure-guided:
  P and Q equivalent by session?
    yes  → P ≈ Q
    no   → Does the attack trace violate trace equivalence?
             yes → P ≉ Q
             no  → ?  (Future work: conclude in this case; currently a heuristic)
    >12h → ?

Slides 64-66 (21/24): Experimental results (1)

Unlinkability in the electronic passport.

(Figure: two scenarios, 2 identical passports and readers vs 2 different passports and readers.)

  Scenario               | baseline | structure-guided
  2 identical            | <1s      | <1s
  2 identical + 1 fresh  | >12h     | 2s
  3 identical + 1 fresh  | >12h     | 3s
  2 identical + 2 fresh  | >12h     | 1min20
  2 identical + 3 fresh  | >12h     | 11h06

Legend: property disproved / property proved.

Slide 67 (22/24): Experimental results (2)

Vote privacy in Helios (vote swap).

  Scenario       | baseline | structure-guided
  no revote      | <1s      | <1s
  A x 2 + B x 1  | 2h41     | 1min2
  A x 3 + B x 2  | >12h     | 7min40
  A x 4 + B x 2  | >12h     | 16min36
  A x 7 + B x 3  | >12h     | 3h53

Legend: property disproved / property proved.

Section: Conclusion

Slide 69 (24/24): Conclusion

  • A new equivalence exploiting the structure of practical privacy statements
  • Decision of trace equivalence improved by orders of magnitude on concrete examples
  • Future work: a complete procedure for trace equivalence guided by equivalence by session