Correctness Proofs and Counter-model Generation with Authentication-Protocol Logic


1
Correctness Proofs and Counter-model Generation
with Authentication-Protocol Logic
  • Koji Hasebe
  • Mitsuhiro Okada
  • Department of Philosophy, Keio University

2
Background
  • Security protocols
  • Communication over insecure network
  • Cryptography used for authentication, secrecy,
    etc.
  • Formal analysis of security protocols
  • Assume perfect encryption
  • Assume existence of intruder who may ...
  • See all exchanged messages
  • Delete, alter, inject and redirect messages
  • Initiate new communications
  • Reuse messages from past sessions

3
An Example: A process of the Needham-Schroeder
Protocol
Initiator
Responder
(1)
(2)
(3)
The protocol aims to provide sharing secret data
and .
4
An Example: A process of the Needham-Schroeder
Protocol
Alice's identity
Fresh random value generated by Alice
Initiator
Responder
(1)
Encryption with Bob's public key
(2)
(3)
The protocol aims to provide sharing secret data
and .
5
The agreement property
Initiator
Responder
sends
receives
sends
receives
sends
receives
Instantiation
Instantiation
(Here
are constants,
.)
and substitution
6
The agreement property
Initiator
Responder
sends
receives
sends
receives
sends
receives
7
The agreement property
Initiator
Responder
sends
receives
sends
receives
sends
receives
Definition has agreement property w.r.t.
For any substitution and for any process ,
if contains execution of responder's
role and an initiator's execution according to
, then contains .
8
An attack on the NS protocol (Lowe, 1996)
Alice
Bob
Intruder
(1)
(1)
(2)
(3)
(3)
  • From Bob's view, Bob believes that Alice
    communicates with Bob, but actually Alice
    communicates with Intruder.
  • This attack has nothing to do with cryptography.

9
Proving vs Model Checking (Two approaches for
protocol verifications)
  • Inference rule-based deductive approaches
  • BAN logics (Burrows-Abadi-Needham, 1989)
  • Protocol logics (or Compositional logics)
  • etc.
  • Trace-based semantic approaches
  • MSR (Cervesato-Durgin-Lincoln-Mitchell-Scedrov,
    1999)
  • Strand space (Thayer Fabrega-Herzog-Guttman,
    1998)
  • etc.

10
Protocol Logics
Durgin-Mitchell-Pavlovic (2001),
Datta-Derek-Mitchell-Pavlovic (2003-),
Cervesato-Meadows-Pavlovic (2004-), Hasebe-Okada (2004)
  • Inference systems to prove protocols correct
  • Primitive actions (sending, receiving,
    generating, etc.) are described as predicate
    symbols
  • Some properties about nonces and keys are
    formalized as non-logical axioms
  • Prove correctness in the logical system

11
Proving
vs
Model Checking
12
Proving

Model Checking
By completeness proof based on the proof-search
(i.e., bottom-up proof construction) method
13
Proving

Model Checking
By completeness proof based on the proof-search
(i.e., bottom-up proof construction) method
Proof-search of a query (which represents a
correctness property)
If not provable, then counter-example
If provable
Obtain a formal proof of the query
Obtain concrete attacks on the protocol
14
Provable case
  • Bottom-up proof search

Axioms
Agreement formula
15
Unprovable case
  • Bottom-up proof search

Counter-example
Axioms
Agreement formula
16
Proof search outputs
Provable
Counter-examples
17
Proof search outputs
Provable
Counter-examples
Realizable counter-examples (attacks)
Use Comon-Treinen's algorithm for the intruder
deduction problem (2003)
18
Main results for agreement property with a
bounded number of sessions
  • Basic part of Protocol Logic is describable in
    first-order predicate logic.
  • First-order proof search-based completeness
    proof is applicable to our Basic Protocol Logic,
  • hence, usable for proving correctness and
    detecting attacks at once.
  • Provability of correctness property is decidable
    (by finite domain property).

19
  1. Basic Protocol Logic (or BPL, for short)
  2. Proof search-based completeness proof
  3. Example of our proof construction /
    counter-example generation

20
Language of Basic Protocol Logic (1)
  • Sorts: name, nonce, message, (key)
  • Terms
  • Atomic terms
  • atomic terms of sort
    (principal) name
  • atomic terms of
    sort nonce
  • variables of sort
    message
  • All atomic terms of sort name and nonce are terms
    of sort message.
  • Compound terms of sort message

21
Language of Basic Protocol Logic (2)
  • Formulas
  • Atomic formulas
  • Trace formula: a sequence of primitive actions
  • (denoted by , or )
  • (Here we use sends, receives, generates as
    primitive actions.)
  • Equality and subterm relations (
    )
  • Compound formulas
  • Made by first-order logical connectives

e.g.
(P generates before P sends before Q
receives .)
22
Logical Axioms of BPL
  • Base Axioms of first-order predicate logic with
    equality
  • Rules for trace formulas

(for )
(where are the list of
order-preserving merges of and )
example
(the list of order-preserving merges)
  • Axioms of universal sentences over terms
  • (known to be decidable: Venkataraman 87)

is axiom
if
is valid in free term algebra.
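
The order-preserving merge used in the trace-formula rule, as an added example (not the authors' code): it enumerates every interleaving of an initiator run and a responder run and keeps those in which each receive follows the matching send. The message placeholders `m1`..`m3`, the function names and the send-before-receive side condition are assumptions made for the illustration.

```python
# Added example: order-preserving merges of two role traces (constructed runs).
def merges(xs, ys):
    """Yield every interleaving of xs and ys that keeps each list's own order."""
    if not xs or not ys:
        yield list(xs) + list(ys)
        return
    for rest in merges(xs[1:], ys):
        yield [xs[0]] + rest
    for rest in merges(xs, ys[1:]):
        yield [ys[0]] + rest

def causal(trace):
    """Assumed side condition: a message is received only after it was sent."""
    sent = set()
    for action, _agent, msg in trace:
        if action == "sends":
            sent.add(msg)
        elif msg not in sent:
            return False
    return True

# m1..m3 are placeholders for the three protocol messages (constructed).
INITIATOR = [("sends", "A", "m1"), ("receives", "A", "m2"), ("sends", "A", "m3")]
RESPONDER = [("receives", "B", "m1"), ("sends", "B", "m2"), ("receives", "B", "m3")]

def agreement_orders():
    """Return all merges of the two runs and the causally ordered ones."""
    all_merges = list(merges(INITIATOR, RESPONDER))
    return all_merges, [t for t in all_merges if causal(t)]

if __name__ == "__main__":
    every, ordered = agreement_orders()
    print(len(every), "merges,", len(ordered), "with each receive after its send")
    for step in ordered[0]:
        print(*step)
```

Of the 20 merges only one survives the filter: the alternating sends/receives sequence that the agreement property requires the trace to contain.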
23
An example of the non-logical axioms: Nonce
Verification axiom (Cf. Authentication-tests
based Strand space)
does not include (i.e., is not a
forwarded message).
is the only message sent by P which includes
.
Intuitive meaning
24
An example of the non-logical axioms: Nonce
Verification axiom (Cf. Authentication tests
based strand space)
does not include (i.e., is not a
forwarded message).
is the only message sent by P which includes
.
Intuitive meaning
decrypt
send back
25
An example of the non-logical axioms: Nonce
Verification axiom (Cf. Authentication tests
based strand space)
does not include (i.e., is not a
forwarded message).
is the only message sent by P which includes
.
First order formalization
26
An example of Honesty (The Needham-Schroeder
protocol)
  • A's honesty

(( A performs no action )
( A performs and A does not perform any other
actions)
( A performs and A does not perform any
other actions))
A's run
(A performs no action)
(2)
(0)
(1)
27
Formalization of Honesty (The Needham-Schroeder
protocol)
  • A's honesty (described in BPL)

28
Main Results on BPL
  • Complete for a certain formal trace semantics.
  • Decidable for Provability of the query (which
    represents an agreement property).
  • Applicable to counter-example generations (i.e.,
    flaw detections)

29
Formal Trace-Based Semantics
A formal trace model
  • name domain
  • nonce domain
  • free term algebra domain on and
    along with , ,
  • a sequence of primitive actions
  • valuation
  • is extended to interpretation
  • Truth conditions

etc.
30
Completeness Theorem
For any query (which represents an agreement
property), the formula is provable in BPL iff it
is true for any model
31
Completeness Proof (1) Proof-Search Tree
Construction
  • Proof-search (i.e., bottom-up proof construction)
    is based on the sequent calculus of first-order
    predicate logic
  • Proof-search tree is constructed in Rounds
  • (Each round decomposes the outermost logical
    symbols.)
  • Round 0: put the query at the bottom of the tree
  • Round i: apply the rules for logical connectives
    (then go to Round i+1 unless the current topmost
    sequent is closed, i.e., matches an
    axiom.)

32
Completeness Proof (1) Proof-Search Tree
Construction
  • Bottom-up proof search

Agreement formula
33
Completeness Proof (2) Main Lemma
  • For any given query (which represents an
    agreement property), if its proof-search tree
    includes a branch which is not closed at the end
    of Round 3, then there exists a counter-model
    for the query.

34
Completeness Proof (3) Construction of
Counter-Models
  • A model which is obtained
    from a topmost non-closed sequent at the end of
    Round 3 (say, ) is as follows
  • Take the set of literals from and , and
    solve the satisfaction problem of these literals.
  • Decompose each literal which consists of compound
    terms.
  • (e.g.,
    and )
  • Take representatives as and .
  • ,
    .
  • ,
    .
  • .
  • Interpretations for compound terms and formulas
    are defined by inductions.

(where is the representative of the
equivalence class of )

35
Completeness Proof (4) Essential Idea
Let T be the set of terms in Round 3. For any
variable (say, ) which appears above Round 3,
an equation m = t with some t ∈ T always appears
in the left side.
Search domain does not increase above Round 3.
(closed)
left
left
left
( new variable)
(in Honesty)
(Axiom of formula)
,
,
Query
36
Decidability
  • From Main Lemma and Soundness
  • If a query is provable in BPL, then the
    proof-construction procedure terminates by Round
    3.

37
Counter-Example Generations (1) Realizable
Traces
  • We cannot directly consider counter-models to be
    an attack on the protocol in question, because
    some of them are not realizable.

(An example of the unrealizable trace)
Use Comon-Treinen's algorithm for the intruder
deduction problem (2003).
38
Counter-Example Generations (2) Realizable
Traces
Provable
Counter-examples
Realizable counter-examples (attacks)
39
Proposition
  • For any given query, we can determine whether
    there exists a realizable counter-example (i.e.,
    a concrete attack on the protocol in question)
    whenever we set any upper-bound on the number of
    sessions.

40
Example: Proof construction and
counter-example generation of the
Needham-Schroeder
The NS protocol
41
The NS protocol
Query
  • If
  • B (responder) executes a run of his role
    with
  • (i.e., communicating with A using and
    ).

42
The NS protocol
Query
  • If
  • B (responder) executes a run of his role
    with
  • (i.e., communicating with A using and
    ).

43
The NS protocol
Query
  • If
  • B (responder) executes a run of his role
    with
  • (i.e., communicating with A using and
    ).
  • A is honest (i.e., A always acts as initiator).

44
The NS protocol
Query
  • If
  • B (responder) executes a run of his role
    with
  • (i.e., communicating with A using and
    ).
  • A is honest (i.e., A always acts as initiator).

45
The NS protocol
Query
  • If
  • B (responder) executes a run of his role
    with
  • (i.e., communicating with A using and
    ).
  • A is honest (i.e., A always acts as initiator).
  • then
  • A executes the run of her role,
  • and A and B agree on the order of the messages
    exchanged.

46
The NS protocol
47
The NS protocol
48
The NS protocol
49
The NS protocol
50
The NS protocol
51
The NS protocol
52
The NS protocol
closed
53
The NS protocol
This branch is not closed.
closed
54
The NS protocol
closed
55
The NS protocol
closed
56
The NSL protocol
Lowe's modification of the NS protocol
57
The NSL protocol
Insert the sender's name
Lowe's modification of the NS protocol
Insertion of the sender's name makes Lowe's
attack impossible, because...
In this scenario, A believes that she
communicates with I, but she can detect that the
message is actually sent by B.
58
The NSL protocol
closed
59
The NSL protocol
This branch is closed.
closed
60
The NSL protocol
This branch is closed.
closed
61
Realizable counter-examples of the NS protocol
(1)
  • In the proof-search tree, there are some open
    branches, and each topmost sequent is
  • Left side includes an order-preserving merge of
    the following trace formulas
  • (where )
  • are satisfied.

62
Realizable counter-examples of the NS protocol
(2)
  • Counter-model
  • where
  • an order-preserving merge of the following
    formulas

63
Conclusions and Future Work
  • Gave an inference system for proving protocols
    correct based on first-order predicate logic
  • Showed completeness and decidability
  • Presented how to construct proofs / generate
    counter-examples
  • Implementation for automation
  • Compositionality issue for automated protocol
    design