Title: Correctness Proofs and Counter-model Generation with Authentication-Protocol Logic
1 Correctness Proofs and Counter-model Generation with Authentication-Protocol Logic
- Koji Hasebe
- Mitsuhiro Okada
- Department of Philosophy, Keio University
2 Background
- Security protocols
- Communication over insecure network
- Cryptography used for authentication, secrecy, etc.
- Formal analysis of security protocols
- Assume perfect encryption
- Assume existence of intruder who may ...
- See all exchanged messages
- Delete, alter, inject and redirect messages
- Initiate new communications
- Reuse messages from past sessions
4 An Example: A process of the Needham-Schroeder Protocol
Alice's identity
Fresh random value generated by Alice
Initiator
Responder
(1)
Encryption with Bob's public key
(2)
(3)
The protocol aims to provide sharing secret data
and .
5 The agreement property
Initiator
Responder
sends
receives
sends
receives
sends
receives
Instantiation
Instantiation
(Here
are constants,
.)
and substitution
7 The agreement property
Initiator
Responder
sends
receives
sends
receives
sends
receives
Definition: has agreement property w.r.t.
For any substitution and for any process , if contains execution of responder's role and an initiator's execution according to , then contains .
8 An attack on the NS protocol (Lowe, 1996)
Alice
Bob
Intruder
(1)
(1)
(2)
(3)
(3)
- From Bob's view, Bob believes that Alice communicates with Bob, but actually Alice communicates with Intruder.
- This attack has nothing to do with cryptography.
9 Proving vs Model Checking (Two approaches for protocol verifications)
- Inference rule-based deductive approaches
- BAN logics (Burrows-Abadi-Needham, 1989)
- Protocol logics (or Compositional logics)
- etc.
- Trace-based semantic approaches
- MSR (Cervesato-Durgin-Lincoln-Mitchell-Scedrov, 1999)
- Strand space (Thayer Fabrega-Herzog-Guttman, 1998)
- etc.
10 Protocol Logics
Durgin-Mitchell-Pavlovic (2001), Datta-Derek-Mitchell-Pavlovic (2003-), Cervesato-Meadows-Pavlovic (2004-), Hasebe-Okada (2004)
- Inference systems to prove protocols correct
- Primitive actions (sending, receiving, generating, etc.) are described as predicate symbols
- Some properties about nonces and keys are formalized as non-logical axioms
- Prove correctness in the logical system
11 Proving vs Model Checking
13 Proving / Model Checking
By completeness proof based on the proof-search (i.e., bottom-up proof construction) method
Proof-search of a query (which represents a correctness property)
- If provable: obtain a formal proof of the query
- If not provable, then counter-example: obtain concrete attacks on the protocol
14 Provable case
Axioms
Agreement formula
15 Unprovable case
Counter-example
Axioms
Agreement formula
17 Proof search outputs
Provable
Counter-examples
Realizable counter-examples (attacks)
Use Comon-Treinen's algorithm for the intruder deduction problem (2003)
18 Main results for agreement property with a bounded number of sessions
- Basic part of Protocol Logic is describable in first-order predicate logic.
- First-order proof search-based completeness proof is applicable to our Basic Protocol Logic,
- hence, usable for proving correctness and detecting attacks at once.
- Provability of correctness property is decidable (by finite domain property).
19
- Basic Protocol Logic (or BPL, for short)
- Proof search-based completeness proof
- Example of our proof construction / counter-example generation
20 Language of Basic Protocol Logic (1)
- Sorts: name, nonce, message, (key)
- Terms
- Atomic terms
- atomic terms of sort (principal) name
- atomic terms of sort nonce
- variables of sort message
- All atomic terms of sort name and nonce are terms of sort message.
- Compound terms of sort message
21 Language of Basic Protocol Logic (2)
- Formulas
- Atomic formulas
- Trace formula: a sequence of primitive actions
- (denoted by , or )
- (Here we use sends, receives, generates as primitive actions.)
- Equality and subterm relations ( )
- Compound formulas
- Made by first-order logical connectives
e.g.
(P generates before P sends before Q receives .)
22 Logical Axioms of BPL
- Base Axioms of first-order predicate logic with equality
- Rules for trace formulas
-
-
(for )
(where are the list of order-preserving merges of and )
example
(the list of order-preserving merges)
- Axioms of universal sentences over terms
- (known as decidable; Venkataraman 87)
is axiom if is valid in free term algebra.
24 An example of the non-logical axioms: Nonce Verification axiom (Cf. Authentication tests based strand space)
does not include (i.e., is not a forwarded message).
is the only message sent by P which includes .
Intuitive meaning
decrypt
send back
25 An example of the non-logical axioms: Nonce Verification axiom (Cf. Authentication tests based strand space)
does not include (i.e., is not a forwarded message).
is the only message sent by P which includes .
First order formalization
26 An example of Honesty (The Needham-Schroeder protocol)
((A performs no action)
(A performs and A does not perform any other actions)
(A performs and A does not perform any other actions))
A's run
(A performs no action)
(2)
(0)
(1)
27 Formalization of Honesty (The Needham-Schroeder protocol)
- A's honesty (described in BPL)
28 Main Results on BPL
- Complete for a certain formal trace semantics.
- Decidable for Provability of the query (which represents an agreement property).
- Applicable to counter-example generations (i.e., flaw detections)
29 Formal Trace-Based Semantics
A formal trace model
- name domain
- nonce domain
- free term algebra domain on and along with , ,
- a sequence of primitive actions
- valuation
-
- is extended to interpretation
-
-
- Truth conditions
-
-
-
etc.
30 Completeness Theorem
For any query (which represents an agreement property), the formula is provable in BPL iff it is true for any model
31 Completeness Proof (1): Proof-Search Tree Construction
- Proof-search (i.e., bottom-up proof construction) is based on the sequent calculus of first-order predicate logic
- Proof-search tree is constructed in Rounds
- (Each round decomposes the outermost logical symbols.)
- Round 0: put the query at the bottom of the tree
- Round i: apply the rules for logical connectives (then go to Round i+1 unless the current topmost sequent is closed, i.e., matches an axiom.)
32 Completeness Proof (1): Proof-Search Tree Construction
Agreement formula
33 Completeness Proof (2): Main Lemma
- For any given query (which represents an agreement property), if its proof-search tree includes a branch which is not closed at the end of Round 3, then there exists a counter-model for the query.
34 Completeness Proof (3): Construction of Counter-Models
- A model which is obtained from a topmost non-closed sequent at the end of Round 3 (say, ) is as follows
- Take the set of literals from and , and solve the satisfaction problem of these literals.
- Decompose each literal which consists of compound terms.
- (e.g., and )
- Take representatives as and .
-
- , .
- , .
- .
- Interpretations for compound terms and formulas are defined by inductions.
(where is the representative of the equivalence class of )
35 Completeness Proof (4): Essential Idea
Let T be the set of terms in Round 3. For any variable (say, m) which appears above Round 3, an equation m = t with some t ∈ T always appears in the left side.
Search domain does not increase above Round 3.
(Proof-search tree figure not preserved. Surviving labels, bottom to top: Query; (Axiom of formula); (in Honesty); ( new variable); left; (closed).)
36 Decidability
- From Main Lemma and Soundness
- If a query is provable in BPL, then the proof-construction procedure terminates by Round 3.
37 Counter-Example Generations (1): Realizable Traces
- We cannot directly consider counter-models to be an attack on the protocol in question, because some of them cannot be realizable.
(An example of the unrealizable trace)
Use Comon-Treinen's algorithm for the intruder deduction problem (2003).
38 Counter-Example Generations (2): Realizable Traces
Provable
Counter-examples
Realizable counter-examples (attacks)
39 Proposition
- For any given query, we can determine whether there exists a realizable counter-example (i.e., a concrete attack on the protocol in question) whenever we set any upper-bound on the number of sessions.
40 Example: Proof construction and counter-example generation of the Needham-Schroeder
The NS protocol
45 The NS protocol
Query
- If
- B (responder) executes a run of his role with
- (i.e., communicating with A using and ).
- A is honest (i.e., A always acts as initiator).
- then
- A executes the run of her role,
- and A and B agree on the order of the messages exchanged.
46-55 The NS protocol
(Proof-search tree figures not preserved. Surviving branch labels: "closed" on slides 52-55, and "This branch is not closed." on slide 53.)
56 The NSL protocol
Lowe's modification of the NS protocol
57 The NSL protocol
Insert the sender's name
Lowe's modification of the NS protocol
Insertion of the sender's name makes Lowe's attack impossible, because...
In this scenario, A believes that she communicates with I, but she can detect that the message is actually sent by B.
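The scenario from slides 8 and 57, replayed symbolically as an added example (not part of the original slides): it checks the agreement property on the interleaved run for NS and for NSL. The message formats are the standard textbook ones and are assumed here, since the slides' own formulas did not survive extraction; all function names are hypothetical.

```python
# Added example: symbolic replay under the slides' perfect-encryption assumption.
# Message formats are the textbook NS/NSL ones (assumed); all names are hypothetical.

def enc(owner, *fields):
    """Ciphertext under owner's public key, modelled as an opaque tagged tuple."""
    return ("enc", owner, fields)

def dec(agent, msg):
    """Perfect encryption: only the key owner recovers the fields."""
    _, owner, fields = msg
    if owner != agent:
        raise PermissionError(f"{agent} cannot open a message for {owner}")
    return fields

def replay(nsl):
    """Replay the interleaved run; return (B finished a run 'with A', A's real peer)."""
    a_peer = "I"                                     # A honestly opens a session with I
    na, claimed = dec("I", enc("I", "Na", "A"))      # (1)  A -> I
    nonce, sender = dec("B", enc("B", na, claimed))  # (1') I(A) -> B
    # (2') B answers the claimed sender; NSL adds B's own name
    m2 = enc(sender, nonce, "Nb", "B") if nsl else enc(sender, nonce, "Nb")
    reply = dec("A", m2)                             # (2) I cannot open m2, forwards it as is
    if reply[0] != "Na" or (nsl and reply[2] != a_peer):
        return False, a_peer                         # A aborts: wrong nonce or wrong name
    (nb,) = dec(a_peer, enc(a_peer, reply[1]))       # (3)  A -> I
    return dec("B", enc("B", nb)) == ("Nb",), a_peer  # (3') I(A) -> B

def agreement_holds(nsl):
    """Agreement: if B completed his role with A, then A ran her role with B."""
    b_done, a_peer = replay(nsl)
    return (not b_done) or a_peer == "B"

if __name__ == "__main__":
    print("NS :", replay(False), "agreement:", agreement_holds(False))
    print("NSL:", replay(True), "agreement:", agreement_holds(True))
```

No ciphertext is ever opened by a non-owner in this run, which is the sense in which the flaw "has nothing to do with cryptography": the NS run violates agreement purely through message routing, and the name check in NSL is what stops it.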
58-60 The NSL protocol
(Proof-search tree figures not preserved. Surviving branch labels: "closed" on slides 58-60, and "This branch is closed." on slides 59-60.)
61 Realizable counter-examples of the NS protocol (1)
- In the proof-search tree, there are some open branches, and each topmost sequent is
- Left side includes an order-preserving merge of the following trace formulas
- (where )
-
- are satisfied.
62 Realizable counter-examples of the NS protocol (2)
- Counter-model
-
- where
- an order-preserving merge of the following formulas
63 Conclusions and Future Work
- Gave an inference system for proving protocols correct based on first-order predicate logic
- Showed completeness and decidability
- Presented how to construct proofs / generate counter-examples
- Implementation for automation
- Compositionality issue for automated protocol design