term rewriting applied to cryptographic protocol analysis
play

Term Rewriting applied to Cryptographic Protocol Analysis: the - PowerPoint PPT Presentation

Nov 15, 2022 •210 likes •892 views

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Inform aticos y Computaci on Universitat Polit` ecnica de Val` encia sescobar@dsic.upv.es Santiago Escobar (UPV)

  1. Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Inform´ aticos y Computaci´ on Universitat Polit` ecnica de Val` encia sescobar@dsic.upv.es Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 1 / 68

  2. Outline 1 Formal Analysis of Protocols The Needham-Schroeder Public Key Motivating Protocols Some Examples of Algebraic Identities 2 Introduction to Rewriting Logic 3 How Maude-NPA works 4 Examples of execution Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 2 / 68

  3. Formal Analysis of Protocols Outline 1 Formal Analysis of Protocols The Needham-Schroeder Public Key Motivating Protocols Some Examples of Algebraic Identities 2 Introduction to Rewriting Logic 3 How Maude-NPA works 4 Examples of execution Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 3 / 68

  4. Formal Analysis of Protocols Formal Analysis of Protocols • Crypto protocol analysis in the standard model is well understood. • Need to support algebraic properties of some protocols • Diffie-Hellman exponentiation, • exclusive-or, • homomorphism (one-sided distributivity) • These operations well understood in the bounded sessions case • Decidability results for exclusive-or, exponentiation, homomorphisms, etc. • What is lacking: (1) more general understanding, especially for unbounded sessions, (2) tool support. Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 4 / 68

  5. Formal Analysis of Protocols Our approach • Use rewriting logic as general theoretical framework • protocols and intruder rules specified as transition rewrite rules • crypto properties as oriented equational properties and axioms • Use narrowing modulo equational theories in two ways • as a symbolic reachability analysis method • as an extensible equational unification method • Combine with state reduction techniques (grammars, optimizations, etc.) • Implement in Maude programming environment • Rewriting logic gives us theoretical framework and understanding • Maude implementation gives us tool support Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 5 / 68

  6. Formal Analysis of Protocols Our Plans 1 Start by formalizing NPA techniques in rewriting logic (2005) 2 Extend model to different types of equational theories (2006) • Explicit Encryption and Decryption, AC-unification, Diffie-Hellman Exponentiation, Exclusive-or 3 Include state reduction techniques (2008, 2013) 4 Document and distribute the tool (v1.0 2007) 5 Sequential protocol composition: specification and analysis (2010) 6 Integrate dedicated unification algorithms (2011) • Homomorphism, Exclusive-or 7 Document and distribute the tool (v2.0 2012) 8 Extensive protocol analysis (2012-now) • Homomorphism, Exclusive-or, Abelian groups 9 Advanced properties: • Indistinguishability (2013-now), Conditional protocols (2016) 10 Standard APIs: IBM CCA, PKCS#11, Yubikey (2014-now) 11 Document and distribute the tool (v3.0 2016) Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 6 / 68

  7. Formal Analysis of Protocols The Needham-Schroeder Public Key Outline 1 Formal Analysis of Protocols The Needham-Schroeder Public Key Motivating Protocols Some Examples of Algebraic Identities Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 7 / 68

  8. Formal Analysis of Protocols The Needham-Schroeder Public Key Building Blocks for Security Protocols Cryptographic Procedures: encryption of messages. {{ M } K B } K − 1 = M B (Pseudo-)Random Number Generators: to generate “nonces”, e.g. for “challenge/response”. Protocols: recipe for exchanging messages. Steps like: A sends B her name together with the message M. The pair { A , M } is encrypted with B’s public key . A → B : { A , M } K B Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 8 / 68

  9. Formal Analysis of Protocols The Needham-Schroeder Public Key An authentication protocol The Needham-Schroeder Public Key protocol (NSPK) : 1 . A → B : { NA , A } K B 2 . B → A : { NA , NB } K A 3 . A → B : { NB } K B Goal: mutual authentication. Translation: “This is Alice and I have chosen a nonce NA .” “Here is your nonce NA . Since I could read it, I must be Bob. I also have a challenge NB for you.” “You sent me NB . Since only Alice can read this and I sent it back, you must be Alice.” NSPK proposed in 1970s and used for decades, until... Protocols are typically small and convincing... and often wrong! Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 9 / 68

  10. Formal Analysis of Protocols The Needham-Schroeder Public Key How to at least tie against a Chess Grandmaster Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 10 / 68 { } { }

  11. Formal Analysis of Protocols The Needham-Schroeder Public Key Man-in-the-middle attack on NSPK NSPK #1 NSPK #2 { } NA,A KC { } NA,A KB { } { } NA,NB NA,NB KA K A { } { } NB NB KB K C B believes he is speaking with A ! Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 11 / 68

  12. Formal Analysis of Protocols The Needham-Schroeder Public Key What went wrong? • Problem in step 2: B � → A : { N A , N B } K A • Agent B should also give his name: NA, NB, BKA . • The improved version is called NSL protocol by Gavin Lowe. • Is the protocol now correct? Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 12 / 68 { } NA,A { } NA,NB,B

  13. Formal Analysis of Protocols The Needham-Schroeder Public Key Needham-Schroeder-Lowe Public Key Exchange Protocol NSL #1 NSL #2 { } NA,A KC { } NA,A KB { } { } NA,NB,B NA,NB,B KA KA A aborts the protocol execution! (or ignores the message) Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 13 / 68

  14. Formal Analysis of Protocols Motivating Protocols Outline 1 Formal Analysis of Protocols The Needham-Schroeder Public Key Motivating Protocols Some Examples of Algebraic Identities Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 14 / 68

  15. Formal Analysis of Protocols Motivating Protocols Example: Needham-Schroeder Public Key Protocol Protocol (text-book) A − → B : pk ( B , A ; N A ) B − → A : pk ( A , N A ; N B ) A − → B : pk ( B , N B ) Attack sequence 1. ( pk ( i , a ; n ( a , r 1 ))) + 8. ( pk ( a , n ( a , r 1 ) ; n ( b , r 2 ))) − 2. ( pk ( i , n ( b , r 2 ))) − 9. ( pk ( i , n ( b , r 2 ))) + 3. ( a ; n ( a , r 1 )) + 10. ( pk ( i , n ( b , r 2 ))) − 4. ( a ; n ( a , r 1 )) − 11. ( n ( b , r 2 )) + 5. ( pk ( b , a ; n ( a , r 1 ))) + 12. ( n ( b , r 2 )) − 6. ( pk ( b , a ; n ( a , r 1 ))) − 13. ( pk ( b , n ( b , r 2 ))) + 7. ( pk ( a , n ( a , r 1 ) ; n ( b , r 2 ))) + 14. ( pk ( b , n ( b , r 2 ))) − Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 15 / 68

  16. Formal Analysis of Protocols Motivating Protocols Example: Needham-Schroeder-Lowe Protocol Protocol (text-book) A − → B : pk ( B , A ; N A ) B − → A : pk ( A , N A ; N B ; B ) A − → B : pk ( B , N B ) Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 16 / 68

  17. Formal Analysis of Protocols Motivating Protocols Example: NSL-xor Protocol Protocol (text-book) A − → B : pk ( B , A ; N A ) B − → A : pk ( A , N A ; N B ⊕ B ) A − → B : pk ( B , N B ) Attack sequence 1. ( pk ( i , a ; n ( a , r 1 ))) + 10. ( pk ( i , n ( b , r 2 ) ⊕ b ⊕ i )) + 2. ( pk ( i , n ( b , r 2 ))) − 11. ( pk ( i , n ( b , r 2 ) ⊕ b ⊕ i )) − 3. ( a ; n ( a , r 1 )) + 12. ( n ( b , r 2 ) ⊕ b ⊕ i ) + 4. ( a ; n ( a , r 1 )) − 13. ( b ⊕ i ) − 5. ( pk ( b , a ; n ( a , r 1 ))) + 14. ( n ( b , r 2 ) ⊕ b ⊕ i ) + 15. ( n ( b , r 2 ))) + 6. generatedByIntruder ( b ⊕ i ) 7. ( pk ( b , a ; n ( a , r 1 ))) − 16. ( n ( b , r 2 ))) − 8. ( pk ( a , n ( a , r 1 ) ; n ( b , r 2 ) ; b )) + 17. ( pk ( b , n ( b , r 2 ))) + 9. ( pk ( a , n ( a , r 1 ) ; n ( b , r 2 ) ; b )) − 18. ( pk ( b , n ( b , r 2 ))) − Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 17 / 68

  18. Formal Analysis of Protocols Motivating Protocols Example: NSL-homomorphism Protocol Protocol (text-book) A − → B : pk ( B , A ; N A ) B − → A : pk ( A , N A ; N B ; B ) A − → B : pk ( B , N B ) Attack sequence 11. ( pk ( i , a ) ; pk ( a , n ( b , r 2 ))) + 1. generatedByIntruder ( pk ( a , i )) 12. pk ( a , i ; n ( b , r 2 )) − 2. generatedByIntruder ( pk ( b , a ; NI )) 3. ( pk ( b , a ; NI )) − 13. ( pk ( i , n ( b , r 1 ) ; n ( a , r 1 ) ; a )) + 4. ( pk ( a , NI ; n ( b , r 2 ) ; b )) + 14. ( pk ( i , n ( b , r 2 )) ; pk ( i , n ( a , r 1 )) ; pk ( i , a )) − 5. ( pk ( a , NI ) ; pk ( a , n ( b , r 2 )) ; pk ( a , b )) − 15. ( pk ( i , n ( b , r 2 ))) + 6. ( pk ( a , n ( b , r 2 )) ; pk ( a , b )) + 16. ( pk ( i , n ( b , r 2 ))) − 7. ( pk ( a , n ( b , r 2 )) ; pk ( a , b )) − 17. ( n ( b , r 2 )) + 8. ( pk ( a , n ( b , r 2 ))) + 18. ( n ( b , r 2 )) − 9. ( pk ( a , i ) − 19. ( pk ( b , n ( b , r 2 ))) + 10. ( pk ( a , n ( b , r 2 ))) − 20. ( pk ( b , n ( b , r 2 ))) − Santiago Escobar (UPV) Universidad Complutense de Madrid - March 14th 18 / 68

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday, June 29th, 2020 1/23 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure communication ( e.g.

900 views • 58 slides
Verifpal Cryptographic protocol analysis for students and engineers Nadim Kobeissi FOSDEM

Verifpal Cryptographic protocol analysis for students and engineers Nadim Kobeissi FOSDEM

Verifpal Cryptographic protocol analysis for students and engineers Nadim Kobeissi FOSDEM Brussels, February 2020 What is Formal Verification? Using software tools in order to obtain guarantees on the security of cryptographic components.

319 views • 21 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA IIT Delhi, Fall 2010 Lecture 1: WriCng Secure Web ApplicaCons

472 views • 25 slides
Relating Strands and Multiset Rewriting For Security Protocol Analysis Iliano Cervesato Nancy

Relating Strands and Multiset Rewriting For Security Protocol Analysis Iliano Cervesato Nancy

Relating Strands and Multiset Rewriting For Security Protocol Analysis Iliano Cervesato Nancy Durgin, Patrick Lincoln John Mitchell, Andre Scedrov July 3 rd , 2000 CSFW-13 Cambridge, UK Representing Security Protocols Several recent

632 views • 38 slides
Term rewriting Equational logic Term rewriting systems Termination Confluence

Term rewriting Equational logic Term rewriting systems Termination Confluence

Term rewriting Equational logic Term rewriting systems Termination Confluence Rapid prototyping Summary and Exercises Equational logic Reflexivity t = t t 1 = t 2 Symmetry t 2 = t 1 t 1 = t 2 t 2 = t 3 Transitivity t 1 =

769 views • 52 slides
Term rewriting in partial algebras Norbert Dojer 20.06.2014 Term rewriting motivating

Term rewriting in partial algebras Norbert Dojer 20.06.2014 Term rewriting motivating

Term rewriting in partial algebras Norbert Dojer 20.06.2014 Term rewriting motivating example How to check whether two polynomial expressions are equal? ? ( x + 1) 2 x ( x + 2)( x 1) + 3 = = x 2 + 2 x

308 views • 16 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 3: Coding

527 views • 36 slides
Cryptographic Analysis of TLS Kenny Paterson FOSAD 2013 Information Security Group 1 Outline

Cryptographic Analysis of TLS Kenny Paterson FOSAD 2013 Information Security Group 1 Outline

Cryptographic Analysis of TLS Kenny Paterson FOSAD 2013 Information Security Group 1 Outline TLS overview TLS Record Protocol Theory Attacks Security analysis TLS Handshake Protocol Security analysis Discussion 2

1.78k views • 173 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 7: Using

393 views • 38 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 2: A

530 views • 41 slides
Soundness and Completeness of Infinitary Term Graph Rewriting Patrick Bahr paba@diku.dk

Soundness and Completeness of Infinitary Term Graph Rewriting Patrick Bahr paba@diku.dk

Soundness and Completeness of Infinitary Term Graph Rewriting Patrick Bahr paba@diku.dk University of Copenhagen Department of Computer Science 17th Informal Workshop on Term Rewriting, Aachen, March 28, 2012 From Terms to Term Graphs f f

426 views • 19 slides
Rewriting Part 4. Termination of Term Rewriting Systems Temur Kutsia RISC, JKU Linz Termination

Rewriting Part 4. Termination of Term Rewriting Systems Temur Kutsia RISC, JKU Linz Termination

Rewriting Part 4. Termination of Term Rewriting Systems Temur Kutsia RISC, JKU Linz Termination Definition 4.1 A term rewriting system R is terminating iff R is terminating, i.e., there is no infinite reduction chain t 0 R t 1 R t

1.22k views • 94 slides
B ohm Reduction for Terms and Term Graphs Confluence in Infinitary Rewriting Patrick Bahr IT

B ohm Reduction for Terms and Term Graphs Confluence in Infinitary Rewriting Patrick Bahr IT

B ohm Reduction for Terms and Term Graphs Confluence in Infinitary Rewriting Patrick Bahr IT University of Copenhagen Infinitary Term Rewriting Assign outcome to (well-formed) infinite reductions. 1 / 32 Infinitary Term Rewriting Assign

1.8k views • 151 slides
stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication to be nobody-but-yourselfin a world which is doing its best to make you everybody else - e e cummings authentication: verifying the

490 views • 15 slides
Search algorithms Algorithms are a constrained form of rewriting systems. You may remember that,

Search algorithms Algorithms are a constrained form of rewriting systems. You may remember that,

Search algorithms Algorithms are a constrained form of rewriting systems. You may remember that, sometimes, several rewriting rules can be applied to the same term. This is a kind of non-determinism , i.e., the process requires an arbitrary

309 views • 26 slides
Paraconsistent Modular Answer Set Programming Thomas Eiter joint with M. Dao-Tran, M. Fink, T.

Paraconsistent Modular Answer Set Programming Thomas Eiter joint with M. Dao-Tran, M. Fink, T.

Paraconsistent Modular ASP Paraconsistent Modular Answer Set Programming Thomas Eiter joint with M. Dao-Tran, M. Fink, T. Krennwallner Institut fr Informationsysteme, TU Wien 2nd Datalog 2.0 Workshop, Vienna, September 13, 2012 Austrian

736 views • 69 slides
bZkksifu"kn ~ a Upaniad Za (This whole universe is pervaded by supreme.) By Dr.

bZkksifu"kn ~ a Upaniad Za (This whole universe is pervaded by supreme.) By Dr.

bZkksifu"kn ~ a Upaniad Za (This whole universe is pervaded by supreme.) By Dr. Suryanarayna Nanda 2019-06-30 for Arya Samaj Greater Houston 1 vXu Xus u; u; lqi qiFk Fkk jk;sLeku ~ ~ fookfu ns nso o;quk qukfu fu fo

300 views • 16 slides
Thank you for joining us. The program will commence momentarily. Optimizing the Selection and

Thank you for joining us. The program will commence momentarily. Optimizing the Selection and

Thank you for joining us. The program will commence momentarily. Optimizing the Selection and Sequencing of Therapy for Patients with Chronic Lymphocytic Leukemia A Meet The Professor Series Kerry Rogers, MD Assistant Professor in the

1.4k views • 97 slides
MySQL Developments Narayan Newton Lead Sysadmin Drupal.org Performance Engineer Tag1 Consulting

MySQL Developments Narayan Newton Lead Sysadmin Drupal.org Performance Engineer Tag1 Consulting

3 March 2012 MySQL Developments Narayan Newton Lead Sysadmin Drupal.org Performance Engineer Tag1 Consulting Wednesday, August 22, 12 01 MySQL Fragmentation MySQL used to be just MySQL, there might have been a discussion between 5.0 vs

518 views • 22 slides
Ernesto U. Savona Direttore e Professore di Criminologia Universit Cattolica del S. Cuore

Ernesto U. Savona Direttore e Professore di Criminologia Universit Cattolica del S. Cuore

24 gennaio 2017 Modulo Jean Monnet III ed. Universit di Catania conferenza su Nuove Competenze per Nuove Sfide: politiche nazionali ed europee per la lotta alla Criminalit Organizzata MAFIE IN EUROPA E NON SOLO: LE INFILTRAZIONI DELLA

283 views • 27 slides
BI NARY HEAPS Binary Trees in Contiguous Storage

BI NARY HEAPS Binary Trees in Contiguous Storage

BI NARY HEAPS Binary Trees in Contiguous Storage 1 array 2 3 4 5 6 7 9 10 8 11 15 12 13 14 23 16 18 21 22 25 26 27 30 17 19 20 24

697 views • 17 slides
Geometry of null hypersurfaces Jacek Jezierski, Uniwersytet Warszawski e-mail:

Geometry of null hypersurfaces Jacek Jezierski, Uniwersytet Warszawski e-mail:

Geometry of null hypersurfaces Jacek Jezierski, Uniwersytet Warszawski e-mail: Jacek.Jezierski@fuw.edu.pl Jurekfest, Warszawa Abstract: We discuss geometry of null surfaces (and its possible applications to the horizons, null shells, near

566 views • 39 slides
Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows An integer overflow occurs

639 views • 52 slides

More recommend