Security proofs in the symbolic model web services security, manual - - PowerPoint PPT Presentation
Security proofs in the symbolic model web services security, manual and automated proofs Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA)
Security proofs in the symbolic model
web services security, manual and automated proofs Karthikeyan Bhargavan
INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik
September 2013
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 1 / 30
Recap: Applied Pi Calculus
A language for specifying cryptographic protocols [Abadi, Fournet ’00]
Builds on pi calculus [Milner ’92], spi calculus [Abadi, Gordon ’99]
Protocol roles encoded as concurrent processes that communicate by sending messages over public and private channels
Names represent channels, keys, nonces
Equational theories on messages specify cryptographic functions
Term rewriting systems are a way of specifying equational theories Convergent term rewriting systems provide algorithms for equality
Structural congruence defines behaviorally identical processes Internal reduction enables interaction between protocol processes Labeled reduction enables interaction with the attacker environment
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 2 / 30
Recap: Term Syntax
N: an infinite (countable) set of names a, b, c, . . . X: an infinite (countable) set of variables x, y, z, . . . F: a finite signature of function symbols f , g, h, . . .
Includes constructors and destructors F = FC [ FD
Terms represent messages that may be sent between processes M, N, O, . . . ::= Terms a name x variable f (M1, . . . , Mn) function application T (Σ): terms constructed from the symbols in Σ
Σ contains names, variables, and functions
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 3 / 30
Recap: Process Syntax
Processes: P, Q, R, . . . P, Q, R ::= Processes null process new a.P fresh name generation in(c, x).P message input (continue as P)
message output (continue as P) if M = N then P else Q conditional P k Q parallel composition !P replication Extended Processes : A, B, C, . . . A, B, C ::= Extended processes P process new a.A fresh name generation A k B parallel composition {M/x} active substitution
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 4 / 30
Recap: Security Goals
Notation:
Structural congruence P ⌘ Q, A ⌘ B Internal reduction P
⌧
! Q, transitive closure P
⌧ ∗
Labeled reduction A
l
! B, transitive closure A
~ l
Frames represent attacker knowledge
= new ~
= {M1/x1, M2/x2, . . . , Mn/xn} (A): the frame of A, replace every plain process P in A by 0 Example: (new a.(P k {M/x} k Q)) ⌘ new a.{M/x}
Deduction ` M enables an attacker to derive terms from a frame Secrecy goals in terms of what the attacker can deduce
a is secret in A if for all A
~ l
A syntactic notion of secrecy, weaker than indistinguishability and computational secrecy.
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 5 / 30
Recap: Finding Invariants
A method to prove syntactic secrecy Find an invariant on the shape of the extended process as it evolves
For all B such that A
~ l
Example: B ⌘ new ~ a.{senc(M, ai)/x} k P for some M, i, P such that M, P do not mention ai
Show that the frame of this invariant establishes your secrecy goal
The attacker cannot deduce a secret from the frame of I (I) = new ~ a.{senc(M, ai)/x} The attacker cannot deduce the secrets ak or M from this frame
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 6 / 30
Today
Case study: Web Services Security
Introduction and motivation Writing a WS-Security protocol in the applied pi calculus Proving its security by demonstrating invariants
Towards automated proof of protocol models
Deducibility constraint systems for bounded protocol sessions Decision procedure for secrecy Undecidability result for unbounded protocol sessions (Next lecture and later in the course: tackling undecidability)
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 7 / 30
APIs for Cloud-based Web Services APIs
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 8 / 30
APIs for Cloud-based Web Services APIs
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 9 / 30
– Timestamp
– Tokens identifying principals and keys
– Signatures
security token
– Encrypted Keys
At S, only accepts an accountC after checking pwdC
<Envelope> <Header> <Security> <UsernameToken Id=1> <Username>“C" <Nonce>"mTbzQM84RkFqza+lIes/xw==" <Created>"2004-09-01T13:31:50Z" <Signature> <SignedInfo> <SignatureMethod Algorithm=hmac-sha1> <Reference URI=#2> <DigestValue>"U9sBHidIkVvKA4vZo0gGKxMhA1g=“ <SignatureValue>"8/ohMBZ5JwzYyu+POU/v879R01s=" <KeyInfo> <SecurityTokenReference> <Reference URI=#1 ValueType=UsernameToken> <Body Id=2> <BalanceRequest> <AccountNumber> accountC </>
UsernameToken assumes both ¡parties ¡know ¡adg’s ¡ secret password p Each DigestValue is the sha1 hash of the URI target hmacsha1(key, SignedInfo) where keypsha1(p+nonce+created)
<Envelope> <Header> <Action Id=1> "http://stockservice.contoso.com/wse/samples/2003/06/StockQuoteRequest" <MessageID Id=2> "uuid:abc4946b-112f-4a26-b923-4ffc948c15ef" <ReplyTo Id=3> <Address> "http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous" <To Id=4> "http://localhost/UsernameSignCodeService/UsernameSigningService.asmx" <Security mustUnderstand="1"> <Timestamp Id=5> <Created> "2004-09-01T13:31:50Z" <Expires> "2004-09-01T13:32:50Z" <UsernameToken Id=7> <Username> "adg" <Nonce> "mTbzQM84RkFqza+lIes/xw==" <Created> "2004-09-01T13:31:50Z" <Signature> <SignedInfo> <CanonicalizationMethod Algorithm=exc-c14n> <SignatureMethod Algorithm=hmac-sha1> <Reference URI=#1> ... <Reference URI=#2> ... <Reference URI=#3> ... <Reference URI=#4> ... <Reference URI=#5> ... <Reference URI=#6> ... <SignatureValue> "8/ohMBZ5JwzYyu+POU/v879R01s=" <KeyInfo> <SecurityTokenReference> <Reference URI=#7 ValueType=UsernameToken> <Body Id=6> <BalanceRequest> <AccountNumber> accountC </>
To prevent replays, need to sign Timestamp and MessageId To prevent redirections, need to sign To and Action
Actually, to prevent various XML ¡rewriting ¡attacks, ¡it’s ¡ necessary to co-sign other message parts with the body
(Assume they have exchanged X.509 public-key certificates)
– freshly encrypted under pkS and pkC
– signature of request counter-signed in response
Response signature includes request signature Two-step encryption
A symbolic representation of an X.509 cert issued by “Root” ¡to ¡“C” Encrypting fresh symmetric ¡“key” ¡ ¡ Encrypting symbol under ¡“key” ¡ ¡
Web services vulnerable to same sorts of attacks as websites
Buffer overruns, denial of service, SQL injection, etc
New concerns: flexible, XML-based protocols
Web services developers can design and deploy
their own application-specific security protocols
XML message format open to rewriting attacks
Much like classic active attackers (Needham-Schroeder’78) Attacker can redirect, replay, modify, impersonate New: message processing is driven by a flexible,
semi-structured message format
This flexibility is bad news for security
We found a range of problems in specs & code,
thus motivating research on theory and tools
<Envelope> <Header> <Security> <UsernameToken Id=2> <Username>Alice</> <Nonce>cGxr8w2AnBUzuhLzDYDoVw==</> <Created>2003-02-04T16:49:45Z</> <Signature> <SignedInfo> <Reference URI= #1><DigestValue>Ego0...</> <SignatureValue>vSB9JU/Wr8ykpAlaxCx2KdvjZcc=</> <KeyInfo> <SecurityTokenReference><Reference URI=#2/> <Body Id=1> <TransferFunds> <beneficiary>Bob</> <amount>1000</>
Message ¡to ¡bank’s ¡web ¡ service ¡says: ¡“Transfer ¡$1000 ¡ to ¡Bob, ¡signed ¡Alice” Bank can verify the signature has been computed using key derived ¡from ¡Alice’s ¡ secret password
<Envelope> <Header> <Security> <UsernameToken Id=2> <Username>Alice</> <Nonce>cGxr8w2AnBUzuhLzDYDoVw==</> <Created>2003-02-04T16:49:45Z</> <Signature> <SignedInfo> <Reference URI= #1><DigestValue>Ego0...</> <SignatureValue>vSB9JU/Wr8ykpAlaxCx2KdvjZcc=</> <KeyInfo> <SecurityTokenReference><Reference URI=#2/> <BogusHeader> <Body Id=1> <TransferFunds> <beneficiary>Bob</> <amount>1000</> <Body> <TransferFunds> <beneficiary>Charlie</> <amount>5000</>
Although ¡Alice’s ¡password ¡ has not been broken, the message now reads “Transfer ¡$5000 ¡to ¡Charlie, ¡ signed ¡Alice” Charlie has intercepted and rewritten this message The indirect signature of the body, now hidden in BogusHeader, may still appear valid
From: Alice From: Alice To: Bookshop To: Bookshop Action: “Buy Charlie’s Action: “Buy Charlie’s book” book” (signed by Alice) (signed by Alice)
Alice’s laptop Alice’s bookshop (Web Service) Someone
(Charlie?) Sent: Monday Sent: Monday From: Alice From: Alice To: Bank To: Bank Action: “Pay Charlie $ Action: “Pay Charlie $20 20” (signed by Alice) (signed by Alice) Sent: Tuesday Sent: Tuesday From: Alice From: Alice To: Bank To: Bank Action: “Buy Charlie’s Action: “Buy Charlie’s book” book” (signed by Alice) (signed by Alice) Sent: Wednesday Sent: Wednesday
From: Alice From: Alice To: Bookshop To: Bookshop Action: “Buy Charlie’s Action: “Buy Charlie’s book” book” (signed by Alice) (signed by Alice)
Alter and replay envelopes to confuse participants
Alice’s ¡ laptop
Alice’s ¡bookshop (Web Service) Someone
(Charlie?) From: Alice From: Alice To: Bookshop To: Bookshop “Publish this paper” “Publish this paper” (encrypted for bookshop) (encrypted for bookshop) (signed by Alice) (signed by Alice) From: Charlie From: Charlie To: Bookshop To: Bookshop “Publish this paper” “Publish this paper” (encrypted for bookshop) (encrypted for bookshop) (signed by Charlie) (signed by Charlie)
Take credit for someone ¡else’s ¡data
Should the client sign before encrypting or encrypt before signing? Both are allowed by the specifications. Both can be incorrect depending on the rest of the protocol.
Alice’s laptop Alice’s bookshop (Web Service) Someone
(Charlie?)
<Envelope> <Header>… <Id> aabbcczTy…</> <Security> <UsernameToken> <User>Alice</> <Password> <EncryptedData> <CipherValue>uVx..</> <Body>... <Envelope> <Header>… <Id> aabbcczTy…</> <Security> <UsernameToken> <User>Alice</> <Password> <EncryptedData> <CipherValue>uVx..</> <Body>... <Envelope> <Header>… <Id> <EncryptedData> <CipherValue>uVx..</> <Security> <UsernameToken> <User>Alice</> <Password> <EncryptedData> <CipherValue>uVx..</> <Body> ... <Envelope> <Header>… <Id> <EncryptedData> <CipherValue>uVx..</> <Security> <UsernameToken> <User>Alice</> <Password> <EncryptedData> <CipherValue>uVx..</> <Body> ... <Envelope> <Header> <RelatesTo> Alice’s Password </> … <Envelope> <Header> <RelatesTo> Alice’s Password </> …
Models and Proofs of WS-Security Protocols
A semantics for web services authentication, K Bhargavan, C Fournet, AD Gordon, Theoretical Computer Science, 2005. (POPL’04) Verifying policy-based security for web services, K Bhargavan, C Fournet, AD Gordon, TOPLAS, 2008. (CCS’04)
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 10 / 30
Password-based signature protocol
Simple one-message authentication protocol: A ! B : ⌦ b, hmac(b)pwd ↵
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 11 / 30
Password-based signature protocol
Simple one-message authentication protocol: A ! B : ⌦ b, hmac(b)pwd ↵
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 11 / 30
Plan: Proving password-based signature in applied pi
We define F to code XML messages with crypto We define a term rewriting system !R We write processes for A and B We specify the authentication goal using security events We prove the goals using invariants
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 12 / 30
Representing XML messages
F = {pair/2, proj1, proj2, hmac/2, hash/1, . . .} Add constructors for string encodings: base64, utf8 Add XML constructors: elem/3, att/2
XML tags and string constants encoded as 0-ary constructors e.g. <X id=“1”>t</X> is written as elem(X(), att(id(), one()), t)
Add lists: cons/2, nil/0
can appear both in attributes and element bodies e.g. <X a=s1 b=s2>e1 e2</X> is written as elem(X(), cons(att(a, s1), cons(att(a, s2), nil)), cons(e1, cons(e2, nil)))
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 13 / 30
Parsing XML messages
Add inverses for string encodings: ibase64, iutf8 Add XML destructors: attributes/2, body/2, attval/2
take both expected tag and element/attribute as parameter e.g. attributes(X(), elem(X(), as, b)) e.g. body(X(), elem(X(), as, b)) e.g. attval(id(), att(id(), one()))
Add list destructors: hd/1, tl/1
e.g. hd(cons(a, b)), tl(cons(a, b))
No destructors for hash or hmac
reflects symbolic crypto assumption on one-way functions
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 14 / 30
Term rewriting system
Rewrite rules for destructors: proj1(pair(x, y)) ! x proj2(pair(x, y)) ! y ibase64(base64(x)) ! x iutf8(utf8(x)) ! x attributes(x, elem(x, y, z)) ! y body(x, elem(x, y, z)) ! z attval(x, att(x, y)) ! y hd(cons(x, y)) ! a tl(cons(x, y)) ! y Assume all constructors and destructors are public Fpub = F
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 15 / 30
Processes for password-based signature
A − → B :
A(u, p, n, t, b) = let k = hash(hp, hn, tii) in let si = elem(SignedInfo(), · · · elem(DigestValue(), nil, cons(base64(hash(b)), nil))) in let sv = hmac(utf8(si))k in let ut = elem(UsernameToken(), nil, cons(elem(Username(), nil, cons(u, nil)), cons(elem(Nonce(), nil, cons(base64(n), nil)), cons(elem(Created(), nil, cons(t, nil)), nil)))) let sig = elem(Signature(), nil, cons(si, cons(elem(SignatureValue, nil, cons(base64(sv), nil)), . . .))) in
cons(elem(Header(), nil, cons(ut, cons(sig, . . .))), cons(b, nil)))).0
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 16 / 30
Processes for password-based signature
A − → B :
B(u, p) = in(net, e). let hdrs = body(Header(), hd(body(Envelope(), e))) in let b = tl(body(Envelope(), e)) in let si = hd(body(Signature(), hd(hdrs))) in let sv = ibase64(body(SignatureValue, hd(tl(body(Signature(), hd(hdrs)))))) in let n, t = . . . in let k = hash(hp, hn, tii) in if sv = hmac(utf8(si))k then out(app, b).0 else 0
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 17 / 30
Embedding Authentication Goals
System, with (public) free names: net, app, u, n, t, b S = new p.(A(u, p, n, t, b) k B(u, p)) Authentication goal: If B sends x on the channel app then x must be the message b sent by A Informally, only A could have sent the message since it is the only one that uses p to sign messages and nobody else knows p Formally, we code the authentication goal as a correspondence assertion between security events [Woo, Lam ’93]
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 18 / 30
Embedding Authentication Goals
We extend the syntax of processes with events: P, Q, R ::= Processes begin(M) begin event end(M) end event Events are inert, they have no reductions A begin event specifies a sender’s intention; an end event specifies a receiver’s decision. A(u, p, n, t, b) = begin(Send(u, b)) k let k = . . . B(u, p) = in(net, e). . . . if sv = hmac(utf8(si))k then (end(Send(u, b)) k out(app, b).0) else 0
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 19 / 30
Embedding Authentication Goals
Authentication goal: If S
~ l
top-level process for some u, x, then B also has begin(Send(u, x)) as a top-level process. 8 ~ l, B such that S
~ l
B ⌘ (new ~ a.end(M) k A) ) B ⌘ (new ~ a.begin(M) k A0) This goal must be preserved as an invariant in all runs of S
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 20 / 30
Proof by Invariant Preservation
Invariant: All extended processes obtained from S can be deterministically reduced to a process of the form new p.begin(Send(u, b)) k {hmac(utf8(si))hash(hp,nti)/sv} k (B(u, p) + 0 + (end(Send(u, b)) k {b/x})) Exercise: Show that this is indeed an invariant of S
Hint: There is a bug in the definition of B which causes this invariant to fail, you need to fix the bug to make the invariant succeed Hint: You will need to prove a lemma from the invariant that the only message of the form hmac(utf8(X))hash(hp,NTi) that the attacker can deduce must have X = si, where si is as computed by A.
Exercise: Show that this invariant guarantees our authentication goal
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 21 / 30
Proofs for more advanced protocols
What if A and B are replicated processes?
The invariant must account for N active sessions of the protocol, each with its own message bi We can make the authentication goal more precise by including n, t in the events.
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 22 / 30
Proofs for more advanced protocols
What if A and B are replicated processes?
The invariant must account for N active sessions of the protocol, each with its own message bi We can make the authentication goal more precise by including n, t in the events.
What if there are many users and passwords accepted by B, some of which may be controlled by the attacker?
We refine the authentication goal: if end(Send(u, b)) then either begin(Send(u, b)) or else u is compromised
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 22 / 30
Proofs for more advanced protocols
What if A and B are replicated processes?
The invariant must account for N active sessions of the protocol, each with its own message bi We can make the authentication goal more precise by including n, t in the events.
What if there are many users and passwords accepted by B, some of which may be controlled by the attacker?
We refine the authentication goal: if end(Send(u, b)) then either begin(Send(u, b)) or else u is compromised
What if b is encrypted?
We add a secrecy goal for b We enrich our invariant to account for the attacker’s knowledge of b
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 22 / 30
Proofs for more advanced protocols
What if A and B are replicated processes?
The invariant must account for N active sessions of the protocol, each with its own message bi We can make the authentication goal more precise by including n, t in the events.
What if there are many users and passwords accepted by B, some of which may be controlled by the attacker?
We refine the authentication goal: if end(Send(u, b)) then either begin(Send(u, b)) or else u is compromised
What if b is encrypted?
We add a secrecy goal for b We enrich our invariant to account for the attacker’s knowledge of b
As we increase the complexity, establishing the invariant becomes more difficult and eventually infeasible
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 22 / 30
74
XML-Encryption WS-Security Platform (CLR/Windows) Crypto Net Prins Client Code Server Code SOAP WS-Addressing XML-DSIG
Pi Calculus Symbolic Crypto Channel Comm Abstract Principals
Security goals Applied pi-calculus script Proverif
Provably satisfies security goals Fails security goals, here’s ¡an ¡attack!
with modules implementing a symbolic Dolev-Yao Abstraction
76
– An implementation of Otway-Rees – Libraries for principals + realistic attacker models – Libraries for Web Services Security standards – A series of Web Services sample protocols
– We can use our command-line client + client application code in C# + an IIS/WSE web server – We can register an IIS/F# SOAP filter for our server + client application code in C# using WSE
77
Protocol Narration for Protocol Narration for Managed Card Protocol Implemented Protocol Implemented by MSN Live Labs
Towards Automated Symbolic Security Proofs
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 23 / 30
Recall: Attacker knowledge by deduction
Assume that the functions in F are divided into private and public functions: F = Fpub [ Fpriv The attacker can use public function symbols and fresh names to deduce terms from a frame ` M: M can be deduced from
new ~ a.{ ~ M/~ x} ` Mi new ~ a.{ ~ M/~ x} ` b, if b 2 N \~ a new ~ a.{ ~ M/~ x} ` f (M1, . . . , Mn) if ` Mi for each i 2 [1..n] new ~ a.{ ~ M/~ x} ` N if new ~ a.{ ~ M/~ x} ` N and M =R N Exercise: Show how to deduce a from new a, k.{senc(a, k)/x1, k/x2}
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 24 / 30
Decidability of attacker deduction
Can we write an algorithm to decide whether ` M? Exercise: Prove that 6` p when = new p.{n/y, t/z, si/w, hmac(utf8(si))hash(hp,hn,tii)/s}
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 25 / 30
Decidability of attacker deduction
Can we write an algorithm to decide whether ` M? Exercise: Prove that 6` p when = new p.{n/y, t/z, si/w, hmac(utf8(si))hash(hp,hn,tii)/s}
easy if did not mention p
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 25 / 30
Decidability of attacker deduction
Can we write an algorithm to decide whether ` M? Exercise: Prove that 6` p when = new p.{n/y, t/z, si/w, hmac(utf8(si))hash(hp,hn,tii)/s}
easy if did not mention p easy if we could show that the attacker can deduce only a fixed number
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 25 / 30
Decidability of attacker deduction
Can we write an algorithm to decide whether ` M? Exercise: Prove that 6` p when = new p.{n/y, t/z, si/w, hmac(utf8(si))hash(hp,hn,tii)/s}
easy if did not mention p easy if we could show that the attacker can deduce only a fixed number
How would you automate the proof?
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 25 / 30
Towards automated security proofs
A decidability result (and algorithm) for attacker deduction
Deduction is PTIME complete
A decidability result (and algorithm scheme) for protocol security for bounded number of sessions
Bounded protocol seciurity is NP complete
An undecidability result for unbounded number of sessions
Proof techniques that require user input or allow non-termination
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 26 / 30
Inference systems
An inference rule is of the form M1, . . . , Mn ` M An inference system is a set of rules We rewrite the attacker’s deduction rules eliminating destructors: x, y ` hx, yi x, y ` hash(x) x, y ` aenc(x)y x, y ` senc(x)y x, y ` sig{x}y x, y ` hmac(x)y hx, yi ` x hx, yi ` y aenc(x)y, sk(y) ` x senc(x)y, y ` x
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 27 / 30
Proofs
Assume an inference system I and a set of terms T A proof Π of T ` M in I is a tree such that
the root is labeled M every leaf is a term in T every node has a result (label) N and hypotheses N1, . . . , Nn, such that N1, . . . , Nn ` N is an instance of an inference rule in I
Example: A proof that ⌦ senc(s)ha,bi, a ↵ , senc(b)a ` s is
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 28 / 30
Locality
Inference system I is local if whenever T ` M, there exists a proof Π such that every conclusion in Π is a subterm of a term in T [ {M}
Hence, in searching for a proof, one never need look outside the subterms of the known T or the target M There is only a polynomial number of such subterms
One-step deducibility: can we test whether T ` M in one inference step? Given locality and one-step deducibility, we obtain decidability in PTIME
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 29 / 30
Proving Locality
Exercise: Prove that our attacker deduction system is local x, y ` hx, yi x, y ` hash(x) x, y ` aenc(x)y x, y ` senc(x)y x, y ` sig{x}y x, y ` hmac(x)y hx, yi ` x hx, yi ` y aenc(x)y, sk(y) ` x senc(x)y, y ` x Hint: only consider minimal proofs Hint: we will need a stronger invariant
Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 30 / 30