Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001
Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction Imposed strong assumptions Showed that flaws can exist independent of u cryptography Discussed one approach to analysis (model ch 3This talk: Strand Spaces Pencil & paper proof technique Joint work with Guttman, Thayer
Overview of talk 3Brief review of problem Running example: Otway-Rees protocols 3Strand Space formalization Standard assumptions Regular participants, penetrator (adversary) Model protocol executions Global view from local views Definitions and machinery Proofs of security conditions Discovery of previously unpublished flaw
Protocols 3Sequence of messages between small number (2 o cipals No conditionals (except to abort) 3Abstract cryptographic primitives (encryption, sign 3Achieve authentication and/or key transmission
Otway-Rees Protocol 1.A B: M A B { N a M A B } Kas 2.B S: M A B { N a M A B } Kas { N b M A B } Kbs 3.S B: { N a K ab } Kas { N b K ab } Kbs 4.B A: { N a K ab } Kas 3 M: Public, unique session ID 3 N a, N b : fresh nonces 3 K as, K bs : secret keys shared with distinguished se 3 K ab : fresh session key 3Designed to provide mutual authentication and s K ab Formalized later in terms of strands
Message Algebra 3Messages are elements of an algebra A 32 disjoint sets of atomic messages: Texts (T ) Keys (K) 3 2 operators: enc : K A A (Range: E) pair : A A A (Range: C) 3 Often distinguish T Names T, T Nonces T T Names T Nonces =
Message Algebra (continued) 3Message algebra is free Unique representation of terms Exactly one way to build elements from atom ations Formulas, rather than bit-strings 3 K, T, E, C mutually disjoint 3 For all M 1, M 2, M 3, M 4 A, k 1, k 2 K, T T M 1 M 2 M 3 M 4, unless M 1 = M 3, M 2 = M 4 { M 1 } k1 { M 2 } k2 unless M 1 = M 2, k 1 = k 2
Message Algebra Structure 3 3 There is structure in the message algebra to explo Define the subterm relation as the smallest rela that for all a, g and h: a a, a g a { g } k a g a g h a h g
Strands 3Two types of actions: transmissions and receptio Written M and M (sign omitted when irre Assumed to have unsecured sender, recipient Ignored in this framework 3 Trace: sequence of actions 3 Strand: trace unique identifier Particular execution of a trace Two different strands may have the same trac Represent two different executions Actions on strands called nodes A, B, C, D
Regular Participants 3 Regular participants: All non-adversary agents 3Protocol defines all possible regular traces 3Regular participants represented by strands conta sible traces 3Internal actions, knowledge not modeled
Regular Participants (continued) 3Strand patterns for regular participants (Otway-Re Initiator (A) Responder: (B) M A C { N a M A C } Kas { N a K ac } Kas M D B { g } k M D B { g } k { N b M D B } Kbs { h } k { N b K db } Kbs { h } k Server: (S) M A B { N a M A B } Kbs { N b M A B { N a K ab } Kas { N b K ab } Kbs
Regular Participants (continued) 3Strands refuse to receive any messages other expected ones Implicit abort/fail operation in such cases 3Regular strands completely defined by values No variables These are different strands: M A B { Na M A B } Kas, { N a K ab } K M A B { Na M A B } Kas, { N a K ab } K
Regular Participants (continued) 3Often convenient to define sets of strands with sim Init-Strands[A, B, M, N a, k ab ] = { s : s has trace M A B { Na M A B } Kas, { N a K (Empty if parameters of wrong types) 3Build larger sets from these: Init-Strands[, B, M,, k ab ] = A T Names, N a T Nonces Init-Strands[A, B, M, N a, k
Penetrator (Adversary) 3Represented in terms of atomic (abstract) actions More complex actions can be built from these 3Unbounded number of strands of the forms: [C]: g, h, gh [S]: gh, g, h [E]: g, k, { g } k [D]: { g } k, k 1, g 3 3 [M]: g, if g T P T [K]: k, if k K P K (Often assume limits on T P, K P ) Communication channels double as penetrator wo Model penetrator control over network later
Bundles 3Consider graphs where Nodes are actions on regular, penetrator stran Two types of edges: We write g g (transmission/receptio We write g h if (g, h) are consecutive s strand 3A bundle is such a graph C (finite) where If n is a node of C, then there exists a un n of C such that n n is an edge of C If n 1 is a node of C, and n 0 n 1, then n 0 is C and n 0 n 1 is an edge of C C is acyclic 3Models concepts of causality
Example Bundle A B S M A B M 1 M A B M 1 M A B M 1 M 2 M A B M 1 M M 3 M 4 M 3 M 4 M 4 M 4
Example Bundle M M M A B K K A B { M } K B M A B M A B { M } K M M A B { M } K N (Where N = { N b M A B } Kbs )
Bundle Properties 3Bundles are partial orders Any non-empty set has minimal elements 3Important Definition 1: A value v originates on a node n if n is a positive node (transmission) v n, If n... n, then v n Origination points are where values spontane pear Minimal elements of {n v n} are origination We model the freshness of a value by saying t a unique origination point in the bundle
Bundle Properties (continued) 3Important Definition 2: A set H A is honest, with respect to a set trator strands, if For all bundles C, minimal elements of {n nodes(c) term(n) H} are not on penetrator nodes. Important tool for proving security conditions Example of honest set will come later
Secrecy Conditions 3Intuitively, a value v is secret if no penetrator can v from the messages of regular participants 3A value v is secret, with respect to a set of assum if no bundle that satisfies A contains a node of the 3One proof technique: Show that v is in an honest set H Fix an arbitrary bundle that satisfies A. Through case analysis, show that H has no m ements on regular strands Because H is honest, no minimal elements on p strands Hence, no nodes in bundle in H
Authentication Conditions 3Example: If a bundle contains all of a given initiat then it must also contain a given responder strand 3Formalized as inference: If a bundle contains a str α, then the bundle also contains a strand from a s β 3One proof technique: Suppose the bundle contains a strand s α Find a honest set H s so that s contains a nod Since the bundle has a node in H s, it must ha imal element Minimal elements must be on regular strands Show that those strands must be in β
Ideals 3 3 3 Honest sets only useful if they exist Let k K. Then a k-ideal I is a set such that g I g h I, h g I g I, k k { g } k I Let S be a set of messages. Then I k [S] is the smallest k-ideal that contain 3Big theorem: If S T K, S (T P K P ) =, k = (K \ S) 1, and Then I k [S] is honest
Ideals Intuition 3 Typically, S is a set of secrets Since k = (K \ S) 1, k contains (inverse of) e key 3 I k [S] contains every term in which a secret is encry with non-secret keys 3Theorem: penetrator can only produce one of thes ing one first
Otway-Rees Secrecy 3 Wish to show secrecy of K ab: Suppose K ab is uniquely originating Suppose K as, K bs K P Suppose the bundle C contains a strand in Serv-Strands[A, B, M, N a, N b, K ab ] Let S = {K as, K bs, K ab }, k = K \ S Then no node in C is in I k [S] 3 Proof: S, k meet criteria of big theorem Case analysis: no regular node are minimal el I k [S] Hence, no nodes in bundle in I k [S]
Corollary to Big Theorem 3 Suppose S T K, (K \ S) 1 = k, and S (T P K P ) No regular node is a minimal element of I k [S Then any message of the form { g } k for k S m originated on a regular node.
Otway-Rees Authentication 3Suppose C contains a strand in Init-Strands[A, B, M 3 If: A B, N a is uniquely originating, All keys that originate on server strands uniqu nate on server strands K as, K bs K P, 3 Then for some N b, C contains strands in Serv-Strands[A, B, M, N a, N b, K ab ], and Resp-Strands[A, B, M, N b, ]
Otway-Rees Authentication: Proof 3Proof: Messy 3 Let S = {K as}, k = K \ S. 3 Show no regular nodes are minimal elements I k [S 3 Apply Corollary: Any term of the form { g } K as orig regular node 3 Hence, { N a K ab } Kas originates on regular node Case analysis: strand in Serv-Strands[A, B, M, N a, N b, K ab ] (for some 3 Apply previous result: No minimal elements of I k [ S = {K as, K bs, K ab }, k = K \ S 3 Hence { M N b A B } Kbs originates on regular strand Case analysis: Resp-Strands[A, B, M, N b, ]
Otway-Rees Authentication (continued) 3Similar result for Responder: suppose C contains a strand in 3 3 Resp-Strands[A, B, M, N a, K ab ] A B, N b is uniquely originating, All keys that originate on server strands uniqu nate on server strands K as, K bs K P, Then C contains strands in Serv-Strands[A, B, M, and Init-Strands[A, B, M,, ] Note: Cannot show that initiator, responder agree key
Closing Remarks 3Further developments: Protocol composition Automated protocol analysis Athena (Song) Simpler results Authentication tests 3Open questions Non-free algebras (Xor, Diffie Hellman) Reconciliation with computational viewpoint
What Good are Proofs? 3Strands: proof technique Uses (standard) strong assumptions Proves (at present) protocol-specific statemen 3Proof fails: Find cryptography-independent flaw 3Proof works: What have you shown? Strong motivation for justifying assumptions Goal for further work on cryptographic primiti
Formalization of Security Conditions 3In practice, two types of security conditions to pro Secrecy of values (keys, nonces) Authentication 3State of the art: Competing models, formalizations, intuitions Most methods prove protocol-specific condi pressed in model Why? Still debate over right definitions Protocols seem to satisfy points on cont conditions 3No reason Strand Space reasoning would be inva universal definitions
Origination Vs. Minimality g g h h g h g h g g h h g h a a b b a b a b a
Subterm relation 3 Note that k { g } k k g Intuition: a b means that a can be learned To say that k { g } k (unless k g) prohibits attacks Other definitions of subterm possible Lead to similar results
Ideals (continued) 3Proof of big theorem case analysis 3 Example: [D] strand ( { g } k, k 1, g ) If g is a minimal element, then k 1 I k [S k 1 S Since (K \ S) 1 = k, k 1 k 1. Hence, k But since g I k [S], { g } k I k [S]
Ideals (continued) 3More complex example: [E] strand ( g, k, { g Suppose { g } k I k [S], but g I k [S] Let I = I k [S] \ {{ g } k }. I still contains S S T K I still closed under join operator I still closed under encryption with keys in k If not, because g Ik [S] and k k Hence, I a smaller k-ideal containing S, a con