Constraint Logic Programming for Verifying Security Protocols a gzipped tutorial

1
Constraint Logic Programming for Verifying
Security Protocolsa gzipped tutorial
Sandro Etalle Ricardo Corin University of Twente
2
Why another talk

• Addressing the (old) problem of verifying
  security protocols.
• Against e.g., man-in-the-middle attacks.
• use constraint solving to model efficiently the
  intruder.
• It works lazily.
• We have a very fast tool.
• Based on Millen Shmatikov.

3
Index

• How to specify a protocol.
• The intruder model.
• The constraint-solving algorithm.
• Conclusions.

4
Preliminaries Prologs notation

• variables begin with uppercase or with _
• Complex terms can be built using predicate
  (function) symbols
• pk(b)
• Nbpk(B) is the same as (Nb,pk(B)) is an
  infix-operator.
• send(Nbpk(B))
• Lists t1,,tn

5
The same, old example Needham-Schroeder

• A-gtB A,Napk(B)
• B-gtA Na,Nbpk(A)
• A-gtB Nbpk(B)
• Notation
• msgk asymmetric encryption
• Na, Nb nonces
• A, B Agents (Alice and Bob)
• pk(A) public key of A
• First, we want to model it.

6
Roles

• Here we have 2 roles initiator responder.
• A role is specified as a sequence of events
• send(t)
• recv(t)
• t is a term (a message)
• initiator(A,B,Na,Nb) send(A,Napk(B)),
• recv(Na,Nbpk(A)),
• send(Nbpk(B)).

7
The Responder

• Just exchange send and recv
• responder(A,B,Na,Nb) recv(A,Napk(B)),
  send(Na,Nbpk(A)), recv(Nbpk(B))).
• Notice the variables.
• names nonces are not fixed
• roles are parametric
• We still need to
• fix some parameters
• determine how many agents are there, what they
  know etc.
• We do this by specifying a session.

8
Session (scenario)

• session set of (instantiated) roles
• initiator(a,B,na,Nb), responder(A,b,Na,nb)
• Notice the variables
• Freshness nonces new terms (ground terms that
  dont occur elsewhere ).
• We can add more agents etc.
• next network model constraint-solving

9
The network model
Scenario
Agent
Role
Role
Role
Role
Role
send(t)
recv(t)
Network/Intruder

• Dolev-Yao
• Constraint Solving to see what the intruder can
  generate.

10
Constraints

• A constraint is a pair
• mT
• m is a message term, T is a list of terms.
• is called simple if m is a variable.
• intuitive meaning m is generable from T
• The Constraint Store (CS) is a set of
  constraints.

11
the Verification Algorithm

• S scenario
• CS constraint store (initially empty)
• K intruders knowledge (K0 is provided by the
  user)
• A step of the verification algorithm
• choose the first event e from a non-empty role of
  S
• case 1) e send(t)
• K K U t proceed
• case 2) e recv(t)
• CS CS U tK
• if CS can be solved to CS with solution ?,
• S S? K K? CS CS
• proceed
• otherwise, stop

12
What is solvable?

• CS can be solved to CS with solution ? if we can
  apply reduction rules to CS until we obtain CS,
  where
• CS is empty or
• CS contains only simple constraints.
• Two kind of rules
• synthesis.
• analysis.

13
Synthesis reduction rules

• ??rewriting step yielding substitution ?
• ? is the empty substitution
• Local rules
• Pair m1,m2T ?? m1T , m2T
• hash h(m)T ?? mT
• penc mpk(a) T ?? mT, aT
• senc mk T ?? mT, kT
• sig msk(e) ?? mT
• Global rule
• unify mT,C1,,Cn ?? C1?,,Cn?
• provided that ?mgu(m,t), t?T

14
Analysis reduction rules (2)

• Affect the other side of the constraint.
• Local rules
• split mt1,t2 ?T ?? mt1,t2 ?T
• pdec mtpk(e) ? T ?? mt ? T
• sdec mT?tk ?? kT?t-k, mT?t,k
• forget about this one
• used only for constructed symmetric keys
• Global rule
• ksub mtk?T, C1, , Cn ??
• m?(tk?T)?, C1?, , Cn?
• where ?mgu(k,pk(e)), k?pk(e)

15
the Result

• CS0 ??1 CS1 ??2 ??n CSn
• each time a constraint in CS is selected and a
  rule is applied to it
• The rewriting stops when
• CSn is empty or made of simple constraints
• CS is solved
• the composition of the substitutions is the
  result of the simplification ? ?1 ?2 ?n
• a constraint is selected that cannot be
  simplified
• CS is unsolvable
• there is no result (failure)

16
Properties

• Is it Confluent?
• No.
• Different reduction sequences are possible
• in total 4 sources of nondeterminism
• choice of the event in the algorithm.
• choice of the constraint to be reduced.
• choice of the rule to be applied.
• in the the analysis rules and in the unify rule
  there is the additional choice of the term in T
  to which the rule is applied.
• Full backtracking to preserve completeness.
• Local analysis reduction rules preserve
  confluence, and this can be used for optimization.

17
Finding Secrecy flaws

• What is a secrecy flaw?
• To check if na remains secret, one just has to
  add to the scenario the singleton role recv(na)
• na remains secret ltgt the intruder cannot output
  it!
• in practice we define a special role
• secrecy(X) recv(X).

18
Finding Authentication Flaws

• More complex than checking secrecy.
• What is an authentication flaw?
• Various definitions.
• Basically an input event recv(t) without
  corresponding preceding output event send(t).
• Can be checked by e.g., running the responder
  strand without an initiator role.
• Presently a pain in the neck.
• We are working on it.

19
An Example for Laziness

• send(napk(b)), recv(X), recv(Xpk(b))
• two constraints are generated
• X a,b,e
• Xpk(b) a,b,e,napk(b)
• by rule (unify)
• na a,b,e
• not solvable!
• we did not know this after the first step.

20
Bibliography Remark

• The system is strongly based on that of Millen
  and Shmatikov MS01
• Various differences
• Constraints checked on the fly
• Consider run also with unfinished roles (very
  important in practice)
• Few other minor things.

21
Part 3

• Example

22
Example

• Consider the scenario for NS with OA
• initiator(a,B,na,Nb), responder(A,b,Na,nb),
• recv(nb)
• A possible interleaving
• recv(A,B), send(a,napk(B))
• recv(A,Napk(b)), send(Na,nbpk(A))
• recv( na,Nbpk(a)), send(Nbpk(B)),
• recv(nb) ...
• We omit the events after recv(nb)

23
Example (cont)

• recv(A,B), send(a,napk(B))
• recv(A,Napk(b)), send(Na,nbpk(A))
• recv( na,Nbpk(a)), send(Nbpk(B)),
• recv(nb) ...
• find out what happens to the CS
• T a,b,e (intruder knowledge)
• CS

24
The run (1)

• recv(A,B), send(a,napk(B)),
  recv(A,Napk(b)), send(Na,nbpk(A)), recv(
  na,Nbpk(a)), send(Nbpk(B)),
• recv(nb) ...
• Before the step
• T a,b,e
• CS
• After (T does not change)
• CS A,Ba,b,e
• By applying pair
• CS Aa,b,e, Ba,b,e

25
The run (2)

• send(a,napk(B)), recv(A,Napk(b)),
  send(Na,nbpk(A)), recv( na,Nbpk(a)),
  send(Nbpk(B)), recv(nb) ...
• Before the step
• T T0 a,b,e
• CS Aa,b,e, Ba,b,e
• After
• T T1 a,b,e,a,napk(B)

26
The run (3)

• recv(A,Napk(b)), send(Na,nbpk(A)),
  recv( na,Nbpk(a)), send(Nbpk(B)), recv(nb)
  ...
• Before the step
• T T1 a,b,e,a,napk(B) (T0 a,b,e)
• CS Aa,b,e, Ba,b,e
• After
• CS AT0, BT0, A,Napk(b)T1
• by penc pair
• CS AT0, BT0, AT1, NaT1, bT1
• by nif
• CS AT0, BT0, AT1, NaT1

27
The run (4)

• send(Na,nbpk(A)), recv( na,Nbpk(a)),
  send(Nbpk(B)), recv(nb) ...
• Before the step
• T T1 a,b,e,a,napk(B)
• T0 a,b,e
• CS AT0, BT0, AT1, NaT1
• After
• T T2 T1 U Na,nbpk(A)
• T1 a,b,e,a,napk(B)
• T0 a,b,e
• CS is unchanged

28
The run (5)

• recv( na,Nbpk(a)), send(Nbpk(B)), recv(nb)
  ...
• Before
• T T2 T1 U Na,nbpk(A)
• T1 a,b,e,a,napk(B)
• T0 a,b,e
• CS AT0, BT0, AT1, NaT1
• After
• CS AT0, BT0, AT1, NaT1,na,Nbpk(a)T2
• unify! (Na-gt na , Nb -gt nb and A-gt a)
• The unification has to be applied to the rest

29
The run (5.1)

• recv(na,bpk(a)), send(nbpk(B)), recv(nb)
  ...
• After the unification
• T T2 T1 U na,nbpk(a)
• T1 a,b,e,a,napk(B)
• T0 a,b,e
• CS aT0, BT0, aT1, naT1
• Unify
• CS Ba,b,e, na a,b,e,a,napk(B)

30
The run (5.2)

• recv(na,bpk(a)), send(nbpk(e)), recv(nb)
  ...
• After the unification
• CS Ba,b,e, na a,b,e,a,napk(B)
• ksub (unification B -gt e) split
• CS ea,b,e, na a,b,e,a,na
• unify twice, with empty answer
• CS
• T na,nbpk(a), a,b,e,a,napk(e)

31
The run (5.3)

• send(nbpk(e)), recv(nb) ...
• Before
• CS
• T na,nbpk(a), a,b,e,a,napk(e)
• After
• CS
• T na,nbpk(a), a,b,e,a,napk(e),
  nbpk(e)

32
The run (5.4)

• recv(nb) ...
• Before
• CS
• T na,nbpk(a), a,b,e,a,napk(e),
  nbpk(e)
• After
• CS nbna,nbpk(a), a,b,e,a,napk(e),
  nbpk(e)
• pdec
• CS nbna,nbpk(a), a,b,e,a,napk(e),nb
• unify (empty substitution)
• CS !!!

33
The solution substitution

• We ended up with an empty CS
• gt the system has a solution
• in the process, reduction rules gave us the
  solution substitution
• ? A-gta,Na-gtna,Nb-gtb, B-gte

34
Part 3

• Considerations

35
Laziness

• We stop simplifying a constraint when the lhs is
  a variable.
• This enforces a call-by-need mechanism.
• As long as the lhs is a variable the constraint
  is trivially solvable.
• If subsequent unification step instantiate the
  lhs of a constraint, then I check further if it
  can be solved.
• It would be silly to guess.

36
An Example for Laziness

• Consider two roles
• roleA(X,A) recv(X), recv(Xpk(A))
• roleB(Na,A) send(Napk(A))
• and this scenarioroleA(X, b), roleB(na,b)
• initial intruder knowledge a,b,e
• theres only one possible order
• send(napk(b)), recv(X), recv(Xpk(b))