A Linear Framework for Protocol Analysis - PowerPoint PPT Presentation


About This Presentation
Title: A Linear Framework for Protocol Analysis
Description: (Horn clause) Multiset rewriting. Key Insights. Existential quantification model of nonces ... Horn fragment of multiplicative-exponential linear logic ...
Slides: 31
Provided by: patri190

Transcript and Presenter's Notes

1
A Linear Framework for Protocol Analysis
  • Patrick Lincoln
  • Illiano Cervesato, Nancy Durgin, John Mitchell,
    Mark Mitchell, Andre Scedrov
  • Supported by ONR MURI

2
Outline: The Nonce is the thing
  • Multiset rewriting model
  • Strand spaces
  • Complexity analysis
  • Previous results, folklore, easy preliminaries
  • Main result: security in restricted fragment undecidable
  • Exponential tight bound on steps
  • EXPTIME-completeness of fragment

3
A notation for infinite-state systems
  • Define protocol, intruder in minimal framework
  • Disadvantage: need to introduce new notation

4
Key Insights
  • Existential quantification model of nonces
  • Protocol model
  • Initialization
  • Replication
  • Roles
  • Intruder model

5
Protocol Notation
  • Non-deterministic infinite-state systems
  • Facts: multi-sorted first-order atomic formulas
  • F ::= P(t1, ..., tn)
  • t ::= x | c | f(t1, ..., tn)
  • States: F1, ..., Fn
  • Multiset of facts
  • Includes network messages, private state
  • Intruder will see messages, not private state

6
State Transitions
  • Transition
  • F1, ..., Fk → ∃x1 ... ∃xm. G1, ..., Gn
  • What this means
  • If F1, ..., Fk in state σ, then a next state σ′ has
  • Facts F1, ..., Fk removed
  • G1, ..., Gn added, with x1 ... xm replaced by new symbols
  • Other facts in state σ carry over to σ′
  • Free variables in rule universally quantified
  • Pattern matching in F1, ..., Fk can invert functions
  • Linear Logic

7
Finite-State Example
[Figure: automaton with states q0, q1, q2, q3 and transitions labelled a and b]
  • Predicates: State, Input
  • Function: · (cons)
  • Constants: q0, q1, q2, q3, a, b, nil
  • Transitions: State(q0), Input(a · x) → State(q1), Input(x)
  • State(q0), Input(b · x) → State(q2), Input(x)
  • ...

8
Simplified Needham-Schroeder
  • Predicates
  • Ai, Bi, Ni -- Alice, Bob, Network in state i
  • Transitions
  • ∃x. A1(x)
  • A1(x) → N1(x), A2(x)
  • N1(x) → ∃y. B1(x,y)
  • B1(x,y) → N2(x,y), B2(x,y)
  • A2(x), N2(x,y) → A3(x,y)
  • A3(x,y) → N3(y), A4(x,y)
  • B2(x,y), N3(y) → B3(x,y)
  • A → B: {na, A}Kb
  • B → A: {na, nb}Ka
  • A → B: {nb}Kb
  • Authentication
  • A4(x,y) ∧ B3(x,y′) ⊃ y = y′
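The transition semantics of slide 6 and the rules above, as an added example that is not part of the slides: a minimal multiset-rewriting interpreter in Python that matches a rule's left-hand side against the state, removes those facts, adds the right-hand side with gensym'd names for the existentials and carries every other fact over; it then runs the simplified Needham-Schroeder roles without an intruder and checks the authentication condition. The `$`-prefixed variable convention, the `name#n` shape of fresh symbols and the omission of function symbols (so the a · x matching of slide 7 is not covered) are choices of this example.

```python
import itertools
from collections import Counter

# Added example, not code from the slides: a small multiset-rewriting
# interpreter for the transition semantics of slide 6, exercised on the
# simplified Needham-Schroeder rules of slide 8. Facts are tuples
# (predicate, arg1, ...). Arguments that start with "$" are rule variables
# (universally quantified over the rule); every other string is a constant.
# A state is a multiset of facts, represented as a Counter.

_gensym = itertools.count()

def fresh(name):
    """Existential quantification: a symbol that never occurred before."""
    return f"{name}#{next(_gensym)}"

def is_var(t):
    return isinstance(t, str) and t.startswith("$")

def match_fact(pattern, fact, subst):
    """Extend subst so that pattern instantiates to fact, or return None."""
    if len(pattern) != len(fact) or pattern[0] != fact[0]:
        return None
    subst = dict(subst)
    for p, f in zip(pattern[1:], fact[1:]):
        if is_var(p):
            if subst.setdefault(p, f) != f:   # same variable, same value
                return None
        elif p != f:
            return None
    return subst

def match_lhs(lhs, state, subst=None):
    """Pick facts F1..Fk of the state matching the rule's left-hand side.
    Returns (substitution, consumed facts) or None."""
    subst = {} if subst is None else subst
    if not lhs:
        return subst, []
    for fact in list(state):
        s = match_fact(lhs[0], fact, subst)
        if s is None:
            continue
        rest = state - Counter([fact])        # one copy of the fact is used up
        found = match_lhs(lhs[1:], rest, s)
        if found is not None:
            return found[0], [fact] + found[1]
    return None

def apply_rule(rule, state):
    """One transition: F1..Fk removed, G1..Gn added with fresh names for the
    existentials, every other fact carried over. None if the rule is blocked."""
    lhs, exist, rhs = rule
    found = match_lhs(lhs, state)
    if found is None:
        return None
    subst, consumed = found
    for v in exist:
        subst[v] = fresh(v[1:])
    added = [tuple(subst.get(a, a) for a in g) for g in rhs]
    return (state - Counter(consumed)) + Counter(added)

# Slide 8, with x the nonce of A and y the nonce of B.
INIT = ([], ["$x"], [("A1", "$x")])
NS_ROLES = [
    ([("A1", "$x")], [], [("N1", "$x"), ("A2", "$x")]),
    ([("N1", "$x")], ["$y"], [("B1", "$x", "$y")]),
    ([("B1", "$x", "$y")], [], [("N2", "$x", "$y"), ("B2", "$x", "$y")]),
    ([("A2", "$x"), ("N2", "$x", "$y")], [], [("A3", "$x", "$y")]),
    ([("A3", "$x", "$y")], [], [("N3", "$y"), ("A4", "$x", "$y")]),
    ([("B2", "$x", "$y"), ("N3", "$y")], [], [("B3", "$x", "$y")]),
]

def honest_run():
    """Fire INIT once, then the role rules until none applies (no intruder)."""
    state = apply_rule(INIT, Counter())
    while True:
        for rule in NS_ROLES:
            nxt = apply_rule(rule, state)
            if nxt is not None:
                state = nxt
                break
        else:
            return state

def authenticated(state):
    """Slide 8's property: A4(x,y) and B3(x,y') together imply y = y'."""
    a4 = {(f[1], f[2]) for f in state if f[0] == "A4"}
    b3 = {(f[1], f[2]) for f in state if f[0] == "B3"}
    return all(y == y2 for (x, y) in a4 for (x2, y2) in b3 if x == x2)

if __name__ == "__main__":
    final = honest_run()
    print(sorted(final.elements()), authenticated(final))
```

Because the matcher backtracks over the multiset, a rule with two left-hand facts sharing a variable (A2(x), N2(x,y)) only fires when both facts carry the same x, which is the universal quantification of free variables that slide 6 describes.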

9
Common Intruder Model
  • Derived from Dolev-Yao model 1989
  • Adversary is nondeterministic process
  • Adversary can
  • Block network traffic
  • Read any message, decompose into parts
  • Decrypt if key is known to adversary
  • Insert new message from data it has observed
  • Adversary cannot
  • Gain partial knowledge
  • Guess part of a key
  • Perform statistical tests, ...
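The read and write halves of this adversary, as an added example that is not part of the slides: a fixpoint closure of what the intruder can learn from observed traffic (split pairs, decrypt only under keys it already holds) and a check of what it can then build from that knowledge. Messages are nested Python tuples, keys are treated as symmetric for simplicity, and the sample traffic and key names (`Kb`, `Ki`) are constructed for this example.

```python
# Added example, not from the slides: the read/write halves of the
# Dolev-Yao adversary of slide 9 over a small message algebra.
# A message is a constant (str), a pair ("pair", m1, m2) or an
# encryption ("enc", m, k). Keys are modelled as symmetric: ("enc", m, k)
# opens exactly when k itself is known (a simplification of this example).

def close(known):
    """Everything the adversary can read: the least set containing `known`
    that is closed under splitting pairs and decrypting with known keys.
    No partial knowledge and no key guessing, as the slide requires."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for m in list(known):
            if isinstance(m, tuple) and m[0] == "pair":
                parts = {m[1], m[2]}
            elif isinstance(m, tuple) and m[0] == "enc" and m[2] in known:
                parts = {m[1]}
            else:
                continue
            if not parts <= known:
                known |= parts
                changed = True
    return known

def can_build(known, goal):
    """Everything the adversary can write: `goal` is buildable if it is
    known, or is a pair/encryption whose components are both buildable."""
    known = close(known)

    def build(t):
        if t in known:
            return True
        if isinstance(t, tuple) and t[0] in ("pair", "enc"):
            return build(t[1]) and build(t[2])
        return False

    return build(goal)

# Constructed traffic: the first Needham-Schroeder message {na, A}Kb as
# seen on the wire, plus a message sent under the intruder's own key Ki.
OBSERVED = {
    ("enc", ("pair", "na", "A"), "Kb"),
    ("enc", "hello", "Ki"),
    "Ki",
}

if __name__ == "__main__":
    print("na" in close(OBSERVED))                            # Kb unknown: na hidden
    print("na" in close(OBSERVED | {("enc", "Kb", "Ki")}))     # Kb leaked under Ki: na exposed
```

The closure only grows through keys already in the set, so a single leaked key (the constructed `("enc", "Kb", "Ki")` message) cascades through every message encrypted under it, while nothing short of that reveals any part of `na`.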

10
Formalize Intruder Model
  • Intercept and remember messages
  • N1(x) → M(x)
  • N2(x,y) → M(x), M(y)
  • N3(x) → M(x)
  • Send messages from known data
  • M(x) → N1(x), M(x)
  • M(x), M(y) → N2(x,y), M(x), M(y)
  • M(x) → N3(x), M(x)
  • Generate new data as needed
  • ∃x. M(x)
  • Highly nondeterministic, same for any
    protocol

11
Other Formalism: Strand Spaces
  • Snapshot of protocol execution
  • Very economical and intuitive notation
  • Multiset rewriting and strand spaces are very
    closely related
  • Have described mapping between the two formalisms

12
Multiset Rewriting and Strand Spaces
  • Use linear logic as a common basis
  • Makes definitions and manipulations precise
  • Horn fragment of multiplicative-exponential
    linear logic
  • Future: complete the connection and directly
    infer graph of execution from linear logic
    formulas

13
Multiset rewriting and complexity
  • Use Multiset model for analysis
  • Complexity results map to other frameworks
  • Example: simple binary counter coded in protocol
    shows exponential lower bound

14
Protocol Analysis is Undecidable
  • Full language can encode data structures
  • Even and Goldreich 1983, Heintze and Tygar 1996
  • Post Correspondence Problem
  • Good guy adds domino to end of sequence
  • If top and bottom read the same, spill secret
  • A → B: {empty, empty}k
  • B → A: {X, Y}k → {(X Z11), (Y Z12)}k
  • A → B: {X, X}k → if X != empty, send SECRET

15
So disallow data structures
  • Without cons, cannot directly encode lists
  • Arbitrary numbers can also be used
  • 2 Counter machine halting problem
  • {C1, C2, Q}k encodes that state C1, C2, Q is reachable
  • A → B: {0, 0, Qinit}k
  • B → A: {C1, C2, Q}k → {C1+1, C2, Q2}k
  • A → B: {C1, C2, Qfinal}k → SECRET

16

So disallow ints and successor
  • Some protocols use nested encryption
  • A → B: {{m}k, Nonce}k
  • Arbitrary depth encryption allows undecidability
  • 2 counter machines
  • A → B: {{m}k, {{{m}k}k}k, Q}k
  • State is Q, counters are 1 and 3.

17
What is left?
  • Fixed set of constants
  • Nonces (but no succ; API is Gensym, ∃)
  • Fixed depth encryption (1 or 2 enough)
  • Fixed number of arguments of message
  • Everything fixed or constant, except nonces
  • Nonces
  • Implicit unboundedness (Gensym is fresh)
  • But no obvious way to exploit this

18
Still undecidable: Encode Turing Machines
  • Main Idea: Cook's Theorem
  • but use nonces instead of propositions

Start 0 0 1 q4 0 1 1 End
Start 0 0 q5 0 0 1 1 0 End
Start 0 0 0 q6 0 1 1 0 0 End
19
Turing Machine
Constant size (3) piece of state at time N determines state of cell at time N+1
Window 0 0 1 determines 0
Start 0 0 1 q4 0 1 1 End
Start 0 0 q5 0 0 1 1 0 End
Start 0 0 0 q6 0 1 1 0 0 End
20
Turing Machine
Constant size (3) piece of state at time N determines state of cell at time N+1
Window 0 1 q4 determines q5 (tableau as on slide 19)
21
Turing Machine
Constant size (3) piece of state at time N determines state of cell at time N+1
Window 1 q4 0 determines 0 (tableau as on slide 19)
22
Turing Machine
Constant size (3) piece of state at time N determines state of cell at time N+1
Window q4 0 1 determines 0 (tableau as on slide 19)
23
Turing machine
  • Predicates
  • Cell(name, symbol, right) -- contents of tape cell
  • Below(cell, cell) -- next row of tableau
  • Rules
  • Cell(a,0,b), Cell(b,q2,c), Cell(c,1,_) → ∃d. Below(b,d), Cell(d,1,_), ...

24
Turing machine
Turing machine move
  • Copy to next time:
    Cell(a,da,b), Cell(b,db,c), Cell(c,dc,d), Below(b,b′) → ∃c′. Below(c,c′), Cell(b′,F(da,db,dc),c′)
  • Start and End, extend tape:
    Below(a,a′), Cell(a,Start,b) → ∃a″,b′. Below(a′,a″), Cell(a′,Start,b′)
    Below(a,a′), Cell(a,End,b) → ∃b′,c′. Cell(a′,0,b′), Cell(b′,End,c′)
  • → ∃a,a′,b,c,d,e. Cell(a,Start,b), Cell(b,Qinit,c), Cell(c,0,d), Cell(d,End,e), Below(a,a′)
  • Cell(a,Qfinal,b) → Broadcast(Secret)

25
Turing machine discussion
  • Each move is a protocol role
  • Finite length protocol
  • Attacker replays and routes messages
  • To prevent malicious alteration, encrypt all
    messages with shared private key
  • {Cell(a,da,b)}k
  • Machine steps in standard protocol form
  • Ai(...), Nj(...) → Ak(...), Nl(...)
  • Role reads hypotheses one at a time, saving data
    in internal state.

26
Undecidability
  • Finite length protocols with
  • bounded number of principals
  • bounded message size
  • have undecidable behavior if
  • principals can repeat roles arbitrarily many
    times
  • runs can generate new atomic data
  • What happens if we
  • Bound ability to generate new data?
  • Restrict number of roles?

27
Some attacks need lots of roles
  • Sender role broadcasts initial message
  • A: Broadcast {0, 0, 0, 0}k
  • n responder roles modify secret messages
  • B1: {x, y, z, 0}k → {x, y, z, 1}k
  • B2: {x, y, 0, 1}k → {x, y, 1, 0}k
  • B3: {x, 0, 1, 1}k → {x, 1, 0, 0}k
  • B4: {0, 1, 1, 1}k → {1, 0, 0, 0}k
  • Server broadcasts key on specific message
  • C: {1, 1, 1, 1}k → Broadcast(k)
  • Attack requires 2^n steps and 2^n messages.
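The 2^n bound, checked by an added example that is not the slides' own code: a breadth-first search over the bit-tuple messages of the protocol above, generalised from the four responder roles shown to n of them. The shared key k is left implicit because every role already holds it, so a message {b1, ..., bn}k is just the tuple (b1, ..., bn); that representation is an assumption of this reconstruction.

```python
from collections import deque

# Added example, not from the slides: the n-responder counter protocol of
# slide 27, searched breadth-first to measure how much work reaching the
# server's key release takes. A message {b1,...,bn}k is modelled as the bit
# tuple (b1,...,bn); the shared key k is implicit because every role holds
# it (an assumption of this reconstruction, not something the slide states).

def responder_rules(n):
    """B_i: a suffix (0, 1, ..., 1) with i-1 ones becomes (1, 0, ..., 0).
    For n = 4 this is exactly B1..B4 on the slide: increment with carry."""
    return [((0,) + (1,) * (i - 1), (1,) + (0,) * (i - 1)) for i in range(1, n + 1)]

def successors(msg, rules):
    """Every message some responder role can produce from msg."""
    for lhs, rhs in rules:
        k = len(lhs)
        if msg[-k:] == lhs:
            yield msg[:-k] + rhs

def search(n):
    """Breadth-first search from A's initial {0,...,0}k to the message that
    lets C fire. Returns (role executions including C's own, distinct
    messages seen on the network), or None if C can never fire."""
    rules = responder_rules(n)
    start, goal = (0,) * n, (1,) * n
    dist = {start: 0}
    queue = deque([start])
    while queue:
        msg = queue.popleft()
        if msg == goal:
            return dist[msg] + 1, len(dist)   # +1 for C: {1,...,1}k -> Broadcast(k)
        for nxt in successors(msg, rules):
            if nxt not in dist:
                dist[nxt] = dist[msg] + 1
                queue.append(nxt)
    return None

if __name__ == "__main__":
    for n in range(1, 7):
        print(n, search(n))   # both numbers grow as 2**n
```

Exactly one responder pattern matches any message other than the all-ones one, so the search is a single chain of 2^n - 1 increments followed by C's step: the protocol itself is tiny and fixed, and the exponential cost comes entirely from how many role executions the message counter forces.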

28
Security: DEXP-time complete
  • No new data, but repeat roles arbitrarily
  • Essentially same proof as undecidability
  • Axiomatize bounded Turing machine tableau
  • Use counters instead of nonces to name cells
  • Cell(name, data, neighbor) as before
  • Represent name by pair of numbers, n bits each
  • Cell(⟨0,1,0,...,0⟩, ⟨0,0,1,...,1⟩, data, neighbor)
  • 2^n × 2^n tableau using messages of size 4n

29
Conclusions
  • Symbolic notation for unrestricted protocols
  • Nonce becomes existentially quantified variable
  • Translations to process calculus, strands, HOL,
    ...
  • Fragment of linear logic
  • Protocol search is proof search
  • Formal proofs using linear-logic proof theory,
    tools
  • Study decision problems (secrecy, authenticity)
  • Undecidable if protocols generate new data
  • DEXP-time complete with bounded new data
  • NP-complete if bounded number of roles


30
Present and future impact
  • Basis for protocol analysis tools
  • Optimizations based on model
  • CAPSL intermediate language
  • Connections between models
  • Linear logic
  • Strand spaces
  • Upper bounds and lower bounds
  • Future: synthesis, compositional proofs, PVS