Satisfiability of Dolev-Yao Constraints Laurent Mazar e - - PowerPoint PPT Presentation

SLIDE 1

Satisfiability of Dolev-Yao Constraints

Laurent Mazar´ e

laurent.mazare@imag.fr

Laboratoire VERIMAG Grenoble, France

Satisfiability of Dolev-Yao Constraints – p.1/17

SLIDE 2

Motivation

Constraints are used to verify secrecy with a bounded number of sessions.

Satisfiability of Dolev-Yao Constraints – p.2/17

SLIDE 3

Motivation

Constraints are used to verify secrecy with a bounded number of sessions. Needham-Schroeder constraint:

NS

• E

✁ ✂

NC

✁

A

✄

KC

☎ ✂

x

✁

A

✄

KB

✆

E

✁ ✂

NC

✁

A

✄

KC

✁ ✂

x

✁

NB

✄

KA

☎ ✂

NC

✁

y

✄

KA

✆

E

✁ ✂

NC

✁

A

✄

KC

✁ ✂

x

✁

NB

✄

KA

✁ ✂

y

✄

KC

☎

NB

Satisfiability of Dolev-Yao Constraints – p.2/17

SLIDE 4

Motivation

Constraints are used to verify secrecy with a bounded number of sessions. Needham-Schroeder constraint:

NS

• E

✁ ✂

NC

✁

A

✄

KC

☎ ✂

x

✁

A

✄

KB

✆

E

✁ ✂

NC

✁

A

✄

KC

✁ ✂

x

✁

NB

✄

KA

☎ ✂

NC

✁

y

✄

KA

✆

E

✁ ✂

NC

✁

A

✄

KC

✁ ✂

x

✁

NB

✄

KA

✁ ✂

y

✄

KC

☎

NB

Extensions: Inequations, Multiple Intruders, Opacity (Strong Secrecy).

Satisfiability of Dolev-Yao Constraints – p.2/17

SLIDE 5

Messages and Constraints

Messages are defined by:

m ::

• a
• x
• f

✁

m1

✁ ✂ ✂ ✂ ✁

mn

✄

• ☎

m1

✁

m2

✆

• ✂

m1

✄

m2

a : atom, x: variable, f : first order symbol

Satisfiability of Dolev-Yao Constraints – p.3/17

SLIDE 6

Messages and Constraints

Messages are defined by:

m ::

• a
• x
• f

✁

m1

✁ ✂ ✂ ✂ ✁

mn

✄

• ☎

m1

✁

m2

✆

• ✂

m1

✄

m2

a : atom, x: variable, f : first order symbol Constraints are defined by:

C ::

• ✁
• C

✂

C

• C

✆

C

• CA

CA ::

• T

☎

m

✄

U

☎

• m

✆

• n

m, n: messages, T, U: finite sets of messages.

Satisfiability of Dolev-Yao Constraints – p.3/17

SLIDE 7

Models

A substitution σ is a model of constraint C iff σ

• C where
• is

the smallest relation defined by: Usual definitions for

✁

,

✆

,

✂

Satisfiability of Dolev-Yao Constraints – p.4/17

SLIDE 8

Models

A substitution σ is a model of constraint C iff σ

• C where
• is

the smallest relation defined by: Usual definitions for

✁

,

✆

,

✂

mσ

✆

• nσ

σ

• m

✆

• n

Satisfiability of Dolev-Yao Constraints – p.4/17

SLIDE 9

Models

A substitution σ is a model of constraint C iff σ

• C where
• is

the smallest relation defined by: Usual definitions for

✁

,

✆

,

✂

mσ

✆

• nσ

σ

• m

✆

• n

Tσ

• mσ

✄

Uσ

☎

σ

• T

☎

m

✄

U

☎

where T

• m

✄

U

☎

is defined as

• except the decode rule:

T

• ✂

m

✄

u

✄

U

☎

u

✁

U T

• m

✄

U

☎

Satisfiability of Dolev-Yao Constraints – p.4/17

SLIDE 10

Well-Formed Constraints

A constraint C is well-formed iff C

• Co and for each Co:

Satisfiability of Dolev-Yao Constraints – p.5/17

SLIDE 11

Well-Formed Constraints

A constraint C is well-formed iff C

• Co and for each Co:

If T

☎

m

✄

U

☎

and T

• ☎

m

• ✄

U

• ☎

are in Co, then T

✁

T

• r

T

• ✁

T (Environment Inclusion).

Satisfiability of Dolev-Yao Constraints – p.5/17

SLIDE 12

Well-Formed Constraints

A constraint C is well-formed iff C

• Co and for each Co:

If T

☎

m

✄

U

☎

and T

• ☎

m

• ✄

U

• ☎

are in Co, then T

✁

T

• r

T

• ✁

T (Environment Inclusion).

If T

☎

m

✄

U

☎ ✁

Co and x

✁

var

✁

T

✄

, then there exists

T

• ☎

m

• ✄

U

• ☎

✁

Co such that x

✁

var

✁

m

• ✄

, U

• ✁

U and T

• T (Variable Introduction).

Satisfiability of Dolev-Yao Constraints – p.5/17

SLIDE 13

Well-Formed Constraints

A constraint C is well-formed iff C

• Co and for each Co:

If T

☎

m

✄

U

☎

and T

• ☎

m

• ✄

U

• ☎

are in Co, then T

✁

T

• r

T

• ✁

T (Environment Inclusion).

If T

☎

m

✄

U

☎ ✁

Co and x

✁

var

✁

T

✄

, then there exists

T

• ☎

m

• ✄

U

• ☎

✁

Co such that x

✁

var

✁

m

• ✄

, U

• ✁

U and T

• T (Variable Introduction).

A constraint C quasi-well-formed iff

Satisfiability of Dolev-Yao Constraints – p.5/17

SLIDE 14

Well-Formed Constraints

A constraint C is well-formed iff C

• Co and for each Co:

If T

☎

m

✄

U

☎

and T

• ☎

m

• ✄

U

• ☎

are in Co, then T

✁

T

• r

T

• ✁

T (Environment Inclusion).

If T

☎

m

✄

U

☎ ✁

Co and x

✁

var

✁

T

✄

, then there exists

T

• ☎

m

• ✄

U

• ☎

✁

Co such that x

✁

var

✁

m

• ✄

, U

• ✁

U and T

• T (Variable Introduction).

A constraint C quasi-well-formed iff Variable Introduction.

Satisfiability of Dolev-Yao Constraints – p.5/17

SLIDE 15

Well-Formed Constraints

A constraint C is well-formed iff C

• Co and for each Co:

If T

☎

m

✄

U

☎

and T

• ☎

m

• ✄

U

• ☎

are in Co, then T

✁

T

• r

T

• ✁

T (Environment Inclusion).

If T

☎

m

✄

U

☎ ✁

Co and x

✁

var

✁

T

✄

, then there exists

T

• ☎

m

• ✄

U

• ☎

✁

Co such that x

✁

var

✁

m

• ✄

, U

• ✁

U and T

• T (Variable Introduction).

A constraint C quasi-well-formed iff Variable Introduction. There exists a closed message m that occurs in any environment of Co.

Satisfiability of Dolev-Yao Constraints – p.5/17

SLIDE 16

Constraints

Reducing usual well-formed constraints to our constraints:

1

• i
• n Tiσ
• miσ

✁

σ

• k1

✂✄ ✄ ✄ ✂

kα

☎

keys

✆

T

✂

m

✝

1

✞

i1

✞

i2

✞ ✄ ✄ ✄ ✞

in

✞

n

✟

T1

☎

k1

✄ ☎ ✆ ✂ ✂ ✂ ✆

T1

☎

m1

✄

k1

✁ ✂ ✂ ✂ ✁

ki1

☎ ✠ ✆ ✟

T2

☎

ki1

✡

1

✄

k1

✁ ✂ ✂ ✂ ✁

ki1

☎ ✆ ✂ ✂ ✂ ✆

T2

☎

m2

✄

k1

✁ ✂ ✂ ✂ ✁

ki2

☎ ✠ ✆ ✂ ✂ ✂ ✆ ✟

Tn

☎

kin

☛

1

✡

1

✄

k1

✁ ✂ ✂ ✂ ✁

kin

☛

1

☎ ✆ ✂ ✂ ✂ ✆

Tn

☎

mn

✄

k1

✁ ✂ ✂ ✂ ✁

kin

☎ ✠

Satisfiability of Dolev-Yao Constraints – p.6/17

SLIDE 17

Satisfiability 1 : Rewriting

T

☎

a

✄

U

☎

• ✁

T

☎

a

✄

U

☎

• T

☎

f

✁

m1

✁ ✂ ✂ ✂ ✁

mn

✄ ✄

U

☎

• ✁

T

☎

f

✁

m1

✁ ✂ ✂ ✂ ✁

mn

✄ ✄

U

☎

• T

☎ ☎

m

✁

n

✆ ✄

U

☎

• T

☎

m

✄

U

☎ ✆

T

☎

n

✄

U

☎

T

☎ ✂

m

✄

n

✄

U

☎

• ✁

T

☎ ✂

m

✄

n

✄

U

☎

• T

☎

m

✄

U

☎ ✆

T

☎

n

✄

U

☎

Satisfiability of Dolev-Yao Constraints – p.7/17

SLIDE 18

Satisfiability 2 : Properties

C1

• C2, if C1 is well-formed, then C2 is well-formed too.

Satisfiability of Dolev-Yao Constraints – p.8/17

SLIDE 19

Satisfiability 2 : Properties

C1

• C2, if C1 is well-formed, then C2 is well-formed too.

Correctness and Completness

Satisfiability of Dolev-Yao Constraints – p.8/17

SLIDE 20

Satisfiability 2 : Properties

C1

• C2, if C1 is well-formed, then C2 is well-formed too.

Correctness and Completness Termination

Satisfiability of Dolev-Yao Constraints – p.8/17

SLIDE 21

Satisfiability 2 : Properties

C1

• C2, if C1 is well-formed, then C2 is well-formed too.

Correctness and Completness Termination Normal Forms:

✟

T

☎

x

✄

U

☎ ✠ ✆ ✟

m

✆

• n

✠

Satisfiability of Dolev-Yao Constraints – p.8/17

SLIDE 22

Satisfiability 3 : Inequations

Let P be the constraint

m1

✆

• n1

✆ ✂ ✂ ✂ ✆

mj

✆

• nj

If P is satisfiable, then for any substitution σ such that Pσ is closed and xσ

• yσ
• x
• y,

There exists an integer k such that k

✁

j

✂

1 and σk is a

model of P.

Satisfiability of Dolev-Yao Constraints – p.9/17

SLIDE 23

Satisfiability 3 : Inequations

Let P be the constraint

m1

✆

• n1

✆ ✂ ✂ ✂ ✆

mj

✆

• nj

If P is satisfiable, then for any substitution σ such that Pσ is closed and xσ

• yσ
• x
• y,

There exists an integer k such that k

✁

j

✂

1 and σk is a

model of P. Application:

xσ

• ☎

m

✁ ✂ ✂ ✂ ✁

m

✆

Satisfiability of Dolev-Yao Constraints – p.9/17

SLIDE 24

Satisfiability 4 : Results

Satisfiability for well-formed constraints is decidable (and NP-complete).

Satisfiability of Dolev-Yao Constraints – p.10/17

SLIDE 25

Satisfiability 4 : Results

Satisfiability for well-formed constraints is decidable (and NP-complete). Same thing for quasi-well-formed constraints.

Satisfiability of Dolev-Yao Constraints – p.10/17

SLIDE 26

Satisfiability 4 : Results

Satisfiability for well-formed constraints is decidable (and NP-complete). Same thing for quasi-well-formed constraints. Security for protocols with inequations (bounded number of sessions).

Satisfiability of Dolev-Yao Constraints – p.10/17

SLIDE 27

Opacity: Definitions

An intruder C observes a protocol session between A and B. Could he deduce any property on the parameters of this protocol ?

Satisfiability of Dolev-Yao Constraints – p.11/17

SLIDE 28

Opacity: Definitions

An intruder C observes a protocol session between A and B. Could he deduce any property on the parameters of this protocol ? Example : electronic vote.

A

• B :

✂

vote

✄

k

If vote

✁ ✂

yes

✁

no

✄

, the intruder could infer yes or no using Dolev-Yao, could he guess the value of vote ?

Satisfiability of Dolev-Yao Constraints – p.11/17

SLIDE 29

Opacity: Definitions

An intruder C observes a protocol session between A and B. Could he deduce any property on the parameters of this protocol ? Example : electronic vote.

A

• B :

✂

vote

✄

k

If vote

✁ ✂

yes

✁

no

✄

, the intruder could infer yes or no using Dolev-Yao, could he guess the value of vote ? Intuitive definition of opacity of property φ.

Satisfiability of Dolev-Yao Constraints – p.11/17

SLIDE 30

Similarity

Simultaneous Deductions: E

✁

E

• m

✁

m

• n1

✁✂ ✂ ✂ ✁

nk

✄

j

✁

• n

☎

1

✁✂ ✂ ✂ ✁

n

☎

k

✄

j

✆

ni

✁

n

☎

i

E

✁

E

☎ ✆

n1

✁

n

☎

1

E

✁

E

☎ ✆

n2

✁

n

☎

2

E

✁

E

☎ ✆ ✝

n1

✁

n2

✞ ✁ ✝

n

☎

1

✁

n

☎

2

✞

E

✁

E

☎ ✆ ✝

n1

✁

n2

✞ ✁ ✝

n

☎

1

✁

n

☎

2

✞

E

✁

E

☎ ✆

n1

✁

n

☎

1

E

✁

E

☎ ✆ ✝

n1

✁

n2

✞ ✁ ✝

n

☎

1

✁

n

☎

2

✞

E

✁

E

☎ ✆

n2

✁

n

☎

2

E

✁

E

☎ ✆

• n1

✄

n2

✁

• n

☎

1

✄

n

☎

2

E

✁

E

☎ ✆

n2

✁

n

☎

2

E

✁

E

☎ ✆

n1

✁

n

☎

1

E

✁

E

☎ ✆

n1

✁

n

☎

1

E

✁

E

☎ ✆

n2

✁

n

☎

2

E

✁

E

☎ ✆

• n1

✄

n2

✁

• n

☎

1

✄

n

☎

2

Satisfiability of Dolev-Yao Constraints – p.12/17

SLIDE 31

Similarity

Simultaneous Deductions: E

✁

E

• m

✁

m

• n1

✁✂ ✂ ✂ ✁

nk

✄

j

✁

• n

☎

1

✁✂ ✂ ✂ ✁

n

☎

k

✄

j

✆

ni

✁

n

☎

i

E

✁

E

☎ ✆

n1

✁

n

☎

1

E

✁

E

☎ ✆

n2

✁

n

☎

2

E

✁

E

☎ ✆ ✝

n1

✁

n2

✞ ✁ ✝

n

☎

1

✁

n

☎

2

✞

E

✁

E

☎ ✆ ✝

n1

✁

n2

✞ ✁ ✝

n

☎

1

✁

n

☎

2

✞

E

✁

E

☎ ✆

n1

✁

n

☎

1

E

✁

E

☎ ✆ ✝

n1

✁

n2

✞ ✁ ✝

n

☎

1

✁

n

☎

2

✞

E

✁

E

☎ ✆

n2

✁

n

☎

2

E

✁

E

☎ ✆

• n1

✄

n2

✁

• n

☎

1

✄

n

☎

2

E

✁

E

☎ ✆

n2

✁

n

☎

2

E

✁

E

☎ ✆

n1

✁

n

☎

1

E

✁

E

☎ ✆

n1

✁

n

☎

1

E

✁

E

☎ ✆

n2

✁

n

☎

2

E

✁

E

☎ ✆

• n1

✄

n2

✁

• n

☎

1

✄

n

☎

2

Similarity:

a

• Atomes

a

✁

a u1

✁

u2 v1

✁

v2

✝

u1

✁

v1

✞ ✁ ✝

u2

✁

v2

✞

env1

✁

env2

✆

k

✁

k u

✁

v

• u

✄

k

✁

• v

✄

k

✂

env1

✆

k

✂

env2

✆

k

☎

• u

✄

k

✁

• v

✄

k

☎

Satisfiability of Dolev-Yao Constraints – p.12/17

SLIDE 32

Hypothesis

The intruder C follows Dolev-Yao model against a protocol implying A and B (Active Intruder).

Satisfiability of Dolev-Yao Constraints – p.13/17

SLIDE 33

Hypothesis

The intruder C follows Dolev-Yao model against a protocol implying A and B (Active Intruder). The intruder knows the protocol used and the trace of the protocol followed during this session.

Satisfiability of Dolev-Yao Constraints – p.13/17

SLIDE 34

Hypothesis

The intruder C follows Dolev-Yao model against a protocol implying A and B (Active Intruder). The intruder knows the protocol used and the trace of the protocol followed during this session. The intruder has an initial knowledge c0. For example :

c0

• ✁

k1

✆

• k2

✄

Satisfiability of Dolev-Yao Constraints – p.13/17

SLIDE 35

Hypothesis

The intruder C follows Dolev-Yao model against a protocol implying A and B (Active Intruder). The intruder knows the protocol used and the trace of the protocol followed during this session. The intruder has an initial knowledge c0. For example :

c0

• ✁

k1

✆

• k2

✄

Protocols without branching (if).

Satisfiability of Dolev-Yao Constraints – p.13/17

SLIDE 36

Opacity Constraints

Two sessions are not similar iff C is satisfiable.

Satisfiability of Dolev-Yao Constraints – p.14/17

SLIDE 37

Opacity Constraints

Two sessions are not similar iff C is satisfiable. Constraint related to the active intruder is:

CAI

• T1

✁

T

• 1

☎

m1

✁

m

• 1

✆

T2

✁

T

• 2

☎

m2

✁

m

• 2

✆ ✂ ✂ ✂ ☎

mα

Satisfiability of Dolev-Yao Constraints – p.14/17

SLIDE 38

Opacity Constraints

Two sessions are not similar iff C is satisfiable. Constraint related to the active intruder is:

CAI

• T1

✁

T

• 1

☎

m1

✁

m

• 1

✆

T2

✁

T

• 2

☎

m2

✁

m

• 2

✆ ✂ ✂ ✂ ☎

mα

Sessions are not similar:

CS

• ✟

i

Tα

✁

T

• α

☎

ni

• n
• i

✠

Satisfiability of Dolev-Yao Constraints – p.14/17

SLIDE 39

Opacity Constraints

Two sessions are not similar iff C is satisfiable. Constraint related to the active intruder is:

CAI

• T1

✁

T

• 1

☎

m1

✁

m

• 1

✆

T2

✁

T

• 2

☎

m2

✁

m

• 2

✆ ✂ ✂ ✂ ☎

mα

Sessions are not similar:

CS

• ✟

i

Tα

✁

T

• α

☎

ni

• n
• i

✠

Eventually,

C

• CAI

✆

CS

Satisfiability of Dolev-Yao Constraints – p.14/17

SLIDE 40

Restricted Version: Vote Protocol

Only two possible sessions: v

• y (for T) and v
• n (for T
• ).

Satisfiability of Dolev-Yao Constraints – p.15/17

SLIDE 41

Restricted Version: Vote Protocol

Only two possible sessions: v

• y (for T) and v
• n (for T
• ).

New constraint:

CS

• Tα

✁

T

• α

☎

y

✁

n

✂

Tα

✁

T

• α

☎

n

✁

y

Satisfiability of Dolev-Yao Constraints – p.15/17

SLIDE 42

Restricted Version: Vote Protocol

Only two possible sessions: v

• y (for T) and v
• n (for T
• ).

New constraint:

CS

• Tα

✁

T

• α

☎

y

✁

n

✂

Tα

✁

T

• α

☎

n

✁

y

The vote value is opaque (φ

• ✁

v

• y

✄

) iff C is not satisfiable.

Satisfiability of Dolev-Yao Constraints – p.15/17

SLIDE 43

Restricted Version: Vote Protocol

Only two possible sessions: v

• y (for T) and v
• n (for T
• ).

New constraint:

CS

• Tα

✁

T

• α

☎

y

✁

n

✂

Tα

✁

T

• α

☎

n

✁

y

The vote value is opaque (φ

• ✁

v

• y

✄

) iff C is not satisfiable. Constraint C only uses

☎

so satisfiability is decidable.

Satisfiability of Dolev-Yao Constraints – p.15/17

SLIDE 44

Dumb Vote Protocol

S is the authority collecting votes, A is a voter. S

• A :

k A

• S :

✂

v

✄

k

And T

• T
• ✂

y

✁

n

✁

kC

✁

k

• 1

C

✄

.

Satisfiability of Dolev-Yao Constraints – p.16/17

SLIDE 45

Dumb Vote Protocol

S is the authority collecting votes, A is a voter. S

• A :

k A

• S :

✂

v

✄

k

And T

• T
• ✂

y

✁

n

✁

kC

✁

k

• 1

C

✄

. Constraint C is:

T

✁

T

• ☎

x

✁

x

• ✆

T;

✂

y

✄

x

✁

T

• ;

✂

n

✄

x

☎ ☎

y

✁

n

Satisfiability of Dolev-Yao Constraints – p.16/17

SLIDE 46

Dumb Vote Protocol

S is the authority collecting votes, A is a voter. S

• A :

k A

• S :

✂

v

✄

k

And T

• T
• ✂

y

✁

n

✁

kC

✁

k

• 1

C

✄

. Constraint C is:

T

✁

T

• ☎

x

✁

x

• ✆

T;

✂

y

✄

x

✁

T

• ;

✂

n

✄

x

☎ ☎

y

✁

n C is satisfiable (x

• x
• kC). Immediate attack.

Satisfiability of Dolev-Yao Constraints – p.16/17

SLIDE 47

Conclusion

Decision procedure for constraint with inequations, first order symbols, multiple "knowledges".

Satisfiability of Dolev-Yao Constraints – p.17/17

SLIDE 48

Conclusion

Decision procedure for constraint with inequations, first order symbols, multiple "knowledges". Decision procedure for opacity with an active (Dolev-Yao) intruder.

Satisfiability of Dolev-Yao Constraints – p.17/17

SLIDE 49

Conclusion

Decision procedure for constraint with inequations, first order symbols, multiple "knowledges". Decision procedure for opacity with an active (Dolev-Yao) intruder. Future Works:

Satisfiability of Dolev-Yao Constraints – p.17/17

SLIDE 50

Conclusion

Decision procedure for constraint with inequations, first order symbols, multiple "knowledges". Decision procedure for opacity with an active (Dolev-Yao) intruder. Future Works: General opacity problem.

Satisfiability of Dolev-Yao Constraints – p.17/17

SLIDE 51

Conclusion

Decision procedure for constraint with inequations, first order symbols, multiple "knowledges". Decision procedure for opacity with an active (Dolev-Yao) intruder. Future Works: General opacity problem. General constraints (allow to modelize Fairness/Protocol Composition...).

Satisfiability of Dolev-Yao Constraints – p.17/17

SLIDE 52

Conclusion

Decision procedure for constraint with inequations, first order symbols, multiple "knowledges". Decision procedure for opacity with an active (Dolev-Yao) intruder. Future Works: General opacity problem. General constraints (allow to modelize Fairness/Protocol Composition...). Add equational theories.

Satisfiability of Dolev-Yao Constraints – p.17/17