Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols •...
Transcript of Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols •...
![Page 1: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/1.jpg)
Methods for Automated Protocol Analysis
Sebastian Modersheim
03.04.2005
AVASP
![Page 2: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/2.jpg)
Sebastian A. Modersheim 1
Example: H.530 Protocol
ZZ
ZZ_VA
Home DomainVisited Domain
Negotiated DH−key
VGKMT AuF
AuFReqMT
RespMT
AckMT ChalVGK
MT VGK
ChalMT RespVGK
ReqMT ReqVGK
AckMT AckVGK
1. MT -> VGK : MT,VGK,NIL,CH1,{G}DHX,F(ZZ,MT,VGK,NIL,CH1,{G}DHX)
2. VGK -> AuF : MT,VGK,NIL,CH1,{G}DHX,F(ZZ,MT,VGK,NIL,CH1,{G}DHX),VGK,{G}DHX XOR {G}DHY,F(ZZ_VA,MT,VGK,NIL,CH1,{G}DHX,
F(ZZ,MT,VGK,NIL,CH1,{G}DHX),VGK,{G}DHX XOR {G}DHY)
3. AuF -> VGK : VGK,MT,F(ZZ,VGK),F(ZZ,{G}DHX XOR {G}DHY),F(ZZ_VA,VGK,MT,F(ZZ,VGK),
F(ZZ,{G}DHX XOR {G}DHY))4. VGK -> MT : VGK,MT,CH1,CH2,{G}DHY,
F(ZZ,{G}DHX XOR {G}DHY),F(ZZ,VGK),F({{G}DHX}DHY,VGK,MT,CH1,CH2,{G}DHY,
F(ZZ,{G}DHX XOR {G}DHY),F(ZZ,VGK))5. MT -> VGK : MT,VGK,CH2,CH3,
F({{G}DHX}DHY,MT,VGK,CH2,CH3)6. VGK -> MT : VGK,MT,CH3,CH4,
F({{G}DHX}DHY,VGK,MT,CH3,CH4)
AVASP April 3rd, 2005
![Page 3: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/3.jpg)
Sebastian A. Modersheim 2
Automated Analysis of Security Protocols
• Several sources of infinity in protocol analysis:
� Unbounded message depth.� Unbounded number of agents.� Unbounded number of sessions or protocol steps.
• Possible approaches:
� Falsification identifies attack traces but does not guarantee correctness.� Verification proves correctness but is difficult to automate.
AVASP April 3rd, 2005
![Page 4: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/4.jpg)
Sebastian A. Modersheim 2
Automated Analysis of Security Protocols
• Several sources of infinity in protocol analysis:
� Unbounded message depth.� Unbounded number of agents.� Unbounded number of sessions or protocol steps.
• Possible approaches:
� Falsification identifies attack traces but does not guarantee correctness.� Verification proves correctness but is difficult to automate.
• Today’s focus: falsification and verification for a bounded number of sessions.
• Still challenging model-checking problem due to state explosions:
� The prolific Dolev-Yao intruder model� Concurrency: number of parallel sessions executed by honest agents.
AVASP April 3rd, 2005
![Page 5: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/5.jpg)
Sebastian A. Modersheim 2
Automated Analysis of Security Protocols
• Several sources of infinity in protocol analysis:
� Unbounded message depth.� Unbounded number of agents.� Unbounded number of sessions or protocol steps.
• Possible approaches:
� Falsification identifies attack traces but does not guarantee correctness.� Verification proves correctness but is difficult to automate.
• Today’s focus: falsification and verification for a bounded number of sessions.
• Still challenging model-checking problem due to state explosions:
� The prolific Dolev-Yao intruder model� Concurrency: number of parallel sessions executed by honest agents.
• Methods to reduce the search-space without excluding or introducing attacks.
AVASP April 3rd, 2005
![Page 6: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/6.jpg)
Sebastian A. Modersheim 3
Overview
• Introduction: IF
TranslatorHLPSL2IF
On−the−fly Model−Checker CL−based Model−Checker SAT−based Model−Checker
High−Level Protocol Specification Language (HLPSL)
Intermediate Format (IF)
Translator Translator TranslatorIF2OFMC IF2CL IF2SAT
AVASP April 3rd, 2005
![Page 7: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/7.jpg)
Sebastian A. Modersheim 3
Overview
• Introduction: IF
TranslatorHLPSL2IF
On−the−fly Model−Checker CL−based Model−Checker SAT−based Model−Checker
High−Level Protocol Specification Language (HLPSL)
Intermediate Format (IF)
Translator Translator TranslatorIF2OFMC IF2CL IF2SAT
• Compressions
Honest Agents state(b,...)state(a, ...)
Network=Intruder iknows(...)
synthesis & analysis
insert &receive & send
& intercept
AVASP April 3rd, 2005
![Page 8: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/8.jpg)
Sebastian A. Modersheim 3
Overview
• Introduction: IF
TranslatorHLPSL2IF
On−the−fly Model−Checker CL−based Model−Checker SAT−based Model−Checker
High−Level Protocol Specification Language (HLPSL)
Intermediate Format (IF)
Translator Translator TranslatorIF2OFMC IF2CL IF2SAT
• Compressions
Honest Agents state(b,...)state(a, ...)
Network=Intruder iknows(...)
synthesis & analysis
insert &receive & send
& intercept
• The Lazy Intruder
AVASP April 3rd, 2005
![Page 9: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/9.jpg)
Sebastian A. Modersheim 3
Overview
• Introduction: IF
TranslatorHLPSL2IF
On−the−fly Model−Checker CL−based Model−Checker SAT−based Model−Checker
High−Level Protocol Specification Language (HLPSL)
Intermediate Format (IF)
Translator Translator TranslatorIF2OFMC IF2CL IF2SAT
• Compressions
Honest Agents state(b,...)state(a, ...)
Network=Intruder iknows(...)
synthesis & analysis
insert &receive & send
& intercept
• The Lazy Intruder
• Symbolic SessionsSession Instances
Tool invocationsa=I a#I
AVASP April 3rd, 2005
![Page 10: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/10.jpg)
Sebastian A. Modersheim 3
Overview
• Introduction: IF
TranslatorHLPSL2IF
On−the−fly Model−Checker CL−based Model−Checker SAT−based Model−Checker
High−Level Protocol Specification Language (HLPSL)
Intermediate Format (IF)
Translator Translator TranslatorIF2OFMC IF2CL IF2SAT
• Compressions
Honest Agents state(b,...)state(a, ...)
Network=Intruder iknows(...)
synthesis & analysis
insert &receive & send
& intercept
• The Lazy Intruder
• Symbolic SessionsSession Instances
Tool invocationsa=I a#I
• Constraint Differentiation
symbolic
ground state space
CIKs t
from(m3, IK ∪m2)from(m1, IK )m2
m4
IK Ct2s2
IK
m4 from(m3, IK )Ct3s3
i sends m3 to b and
receives m4 from b
i sends m1 to a and
receives m2 from a
from(m1, IK ∪m4)from(m3, IK )
IK
m4
m2
Cs4
t4
receives m2 from a
i sends m1 to a and
IK
m2 from(m1, IK )Ct1s1
i sends m3 to b and
receives m4 from b
AVASP April 3rd, 2005
![Page 11: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/11.jpg)
Sebastian A. Modersheim 4
IF: Protocol Model
• Protocol modeled as an transition system.
� States: local states of honest agents and current knowledge of the intruder.� Transitions: actions of the honest agents and the intruder.
• The Dolev-Yao intruder:
� Controls the entire network.� Perfect cryptography.� Unbounded composition of messages.
• Security properties: attack predicate on states.
• Prelude.if file: protocol-independent declarations (operator symbols,algebraic properties, intruder model)
AVASP April 3rd, 2005
![Page 12: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/12.jpg)
Sebastian A. Modersheim 5
IF: Messages
• Messages are represented by terms:
� Countable set of constants, a, b, c, . . .� Countable set of variables, A,B,C, . . .� Function symbols for (cryptographic) operators:
{m}k asymmetric encryption crypt/2{|m|}k symmetric encryption scrypt/2<m1,m2> concatenation pair/2m−1 the inverse of a public/private key inv/1also: hash functions, key tables, exponentiation, xor,. . .
• Here: Free algebra assumption:
f(t1, . . . , tn) = g(s1, . . . , sm) iff f = g ∧ n = m ∧ t1 = s1 ∧ . . . ∧ tn = sm
• In general not valid, e.g. m−1−1= m
<<m1, m2>, m3> = <m1, <m2, m3>>
AVASP April 3rd, 2005
![Page 13: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/13.jpg)
Sebastian A. Modersheim 6
IF: Facts & States
• A fact is one of the following:msg(m) there is a (not yet delivered) message m on the
networkstate(m) the local state of an agent, described by the term
mi knows(m) the intruder has learned message m
• A state is a set of facts, separated by dots. E.g. initial state for NSPK, for onesession between a and b:
state(roleA, 0, a, b, session1, pk(a), pk(a)−1, pk(b)).
state(roleB, 0, b, a, session1, pk(b), pk(b)−1, pk(a)).
AVASP April 3rd, 2005
![Page 14: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/14.jpg)
Sebastian A. Modersheim 6
IF: Facts & States
• A fact is one of the following:msg(m) there is a (not yet delivered) message m on the
networkstate(m) the local state of an agent, described by the term
mi knows(m) the intruder has learned message m
• A state is a set of facts, separated by dots. E.g. initial state for NSPK, for onesession between a and b:
state(roleA, 0, a, b, session1, pk).state(roleB, 0, b, a, session1, pk).i knows(i).i knows(a).i knows(b).i knows(pk).i knows(pk(i)−1)
AVASP April 3rd, 2005
![Page 15: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/15.jpg)
Sebastian A. Modersheim 6
IF: Facts & States
• A fact is one of the following:msg(m) there is a (not yet delivered) message m on the
networkstate(m) the local state of an agent, described by the term
mi knows(m) the intruder has learned message m
• A state is a set of facts, separated by dots. E.g. initial state for NSPK, for onesession between a and b:
state(roleA, 0, a, b, session1, pk).state(roleB, 0, b, a, session1, pk).i knows(i).i knows(a).i knows(b).i knows(pk).i knows(pk(i)−1)
• The dot is associative, commutative, and idempotent:f1.(f2.f3) = (f1.f2).f3 f1.f2 = f2.f1 f.f = f
AVASP April 3rd, 2005
![Page 16: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/16.jpg)
Sebastian A. Modersheim 7
IF: Rules
• Example: NSPK/Role Alice:
(step 1) state(roleA, 0,A,B,SID,K)∃NA ⇒ state(roleA, 1,A,B,SID,K,NA). msg({NA,A}K(B))
(step 2) state(roleA, 1,A,B,SID,K,NA). msg({NA,NB}K(A))⇒ state(roleA, 2,A,B,SID,K,NA,NB)
(step 3) state(roleA, 2,A,B,SID,K,NA,NB)⇒ state(roleA, 3,A,B,SID,K,NA,NB). msg({NB}K(B))
• Asynchronous Communication: sending and receiving messages are atomicevents.
AVASP April 3rd, 2005
![Page 17: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/17.jpg)
Sebastian A. Modersheim 8
IF: Dolev-Yao intruder
(intercept) msg(M) ⇒ i knows(M)
AVASP April 3rd, 2005
![Page 18: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/18.jpg)
Sebastian A. Modersheim 8
IF: Dolev-Yao intruder
(intercept) msg(M) ⇒ i knows(M)(insert) i knows(M) ⇒ msg(M).i knows(M)
AVASP April 3rd, 2005
![Page 19: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/19.jpg)
Sebastian A. Modersheim 8
IF: Dolev-Yao intruder
(intercept) msg(M) ⇒ i knows(M)(insert) i knows(M) ⇒ msg(M).i knows(M)
(synthesis) i knows(M1).i knows(M2) ⇒ i knows(<M1,M2>)i knows(M1).i knows(M2) ⇒ i knows({M2}M1)i knows(M1).i knows(M2) ⇒ i knows({|M2|}M1)
AVASP April 3rd, 2005
![Page 20: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/20.jpg)
Sebastian A. Modersheim 8
IF: Dolev-Yao intruder
(intercept) msg(M) ⇒ i knows(M)(insert) i knows(M) ⇒ msg(M).i knows(M)
(synthesis) i knows(M1).i knows(M2) ⇒ i knows(<M1,M2>)i knows(M1).i knows(M2) ⇒ i knows({M2}M1)i knows(M1).i knows(M2) ⇒ i knows({|M2|}M1)
(analysis) i knows(<M1,M2>) ⇒ i knows(M1).i knows(M2)i knows({M2}M1).i knows(M1
−1) ⇒ i knows(M2)i knows({M2}M1
−1).i knows(M1) ⇒ i knows(M2)i knows({|M2|}M1).i knows(M1) ⇒ i knows(M2)
m1 ∈ DY(M) m2 ∈ DY(M){|m2|}m1 ∈ DY(M)
Gscrypt ,
{|m2|}m1 ∈ DY(M) m1 ∈ DY(M)m2 ∈ DY(M)
Ascrypt ,
AVASP April 3rd, 2005
![Page 21: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/21.jpg)
Sebastian A. Modersheim 9
IF: As Search Tree
IF Search Treestate nodeinitial state root nodetransition relation descendants of a nodeattack state attack node
• States are always ground terms.
• The search tree is, in general, infinitely deep.
• Also the tree might have infinite branching.
⇒ Semi-decision procedure for insecurity.
⇒ Use lazy data-structures, e.g. in Haskell: formulate infinite tree; heuristics andattack search as tree-transformers.
AVASP April 3rd, 2005
![Page 22: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/22.jpg)
Sebastian A. Modersheim 10
Overview
• Introduction: IF
• Compressions
Honest Agents state(b,...)state(a, ...)
Network=Intruder iknows(...)
synthesis & analysis
insert &receive & send
& intercept
• The Lazy Intruder
• Symbolic SessionsSession Instances
Tool invocationsa=I a#I
• Constraint Differentiation
symbolic
ground state space
CIKs t
from(m3, IK ∪m2)from(m1, IK )m2
m4
IK Ct2s2
IK
m4 from(m3, IK )Ct3s3
i sends m3 to b and
receives m4 from b
i sends m1 to a and
receives m2 from a
from(m1, IK ∪m4)from(m3, IK )
IK
m4
m2
Cs4
t4
receives m2 from a
i sends m1 to a and
IK
m2 from(m1, IK )Ct1s1
i sends m3 to b and
receives m4 from b
AVASP April 3rd, 2005
![Page 23: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/23.jpg)
Sebastian A. Modersheim 11
Compression: Immediate Reaction
• Idea [Denker, Millen, Grau, and Kuester Filipe]: combine rules for receivingmessages and for sending the reply, e.g. NSPK/Role Alice:
(step 2) state(roleA, 1,A,B,SID,K,NA). msg({NA,NB}K(A))⇒ state(roleA, 2,A,B,SID,K,NA,NB)
(step 3) state(roleA, 2,A,B,SID,K,NA,NB)⇒ state(roleA, 3,A,B,SID,K,NA,NB). msg({NB}K(B))
↓(step 2/3) state(roleA, 1,A,B,SID,K,NA). msg({NA,NB}K(A))
⇒ state(roleA, 3,A,B,SID,K,NA,NB). msg({NB}K(B))
• Correct: composed rule can be simulated using the uncomposed rules.
• Complete: (for standard security properties) this does not exclude any attacks.
• The compression drastically reduces the search space.
AVASP April 3rd, 2005
![Page 24: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/24.jpg)
Sebastian A. Modersheim 12
Immediate Reaction: Effects
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
m2’m2
Agents Network
a: 0b: 0
m2’m1’
Agents Network
a: 0b: 0
m2
Agents Network
a: 0b: 0
m1’
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
m1m2
Agents Network
a: 0b: 0
m1m1’
Agents Network
a: 0b: 0
m1
Agents Network
a: 0b: 0
m2
Agents Network
a: 0b: 0
m1’
Agents Network
a: 0b: 0
......
... ... ...
Agents Network
a: 0b: 0
m2’
... ...a/step 1insert m2divert
b/step 2 insert m2a/step 1
b/step 1 divert insert m2 a/step 1
insert m1 insert m2a/step 1
AVASP April 3rd, 2005
![Page 25: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/25.jpg)
Sebastian A. Modersheim 12
Immediate Reaction: Effects
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
m2’m2
Agents Network
a: 0b: 0
m2’m1’
Agents Network
a: 0b: 0
m2
Agents Network
a: 0b: 0
m1’
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
m1m2
Agents Network
a: 0b: 0
m1m1’
Agents Network
a: 0b: 0
m1
Agents Network
a: 0b: 0
m2
Agents Network
a: 0b: 0
m1’
Agents Network
a: 0b: 0
......
... ... ...
Agents Network
a: 0b: 0
m2’
... ...divert insert m2 a/step 1
insert m2b/step 2a/step 1
a/step 1insert m2divertb/step 1
insert m1 insert m2a/step 1
AVASP April 3rd, 2005
![Page 26: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/26.jpg)
Sebastian A. Modersheim 12
Immediate Reaction: Effects
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
m2’m2
Agents Network
a: 0b: 0
m2’m1’
Agents Network
a: 0b: 0
m2
Agents Network
a: 0b: 0
m1’
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
m1m2
Agents Network
a: 0b: 0
m1m1’
Agents Network
a: 0b: 0
m1
Agents Network
a: 0b: 0
m2
Agents Network
a: 0b: 0
m1’
Agents Network
a: 0b: 0
......
... ... ...
Agents Network
a: 0b: 0
m2’
... ...divert insert m2 a/step 1
insert m2b/step 2a/step 1
insert m2 a/step 1divertb/step 1
insert m1 insert m2a/step 1
AVASP April 3rd, 2005
![Page 27: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/27.jpg)
Sebastian A. Modersheim 13
Compressing Further
Honest Agents state(b,...)state(a, ...)
Network message(...)
Intruder iknows(...)
receive & send
insert intercept
synthesis & analysis
AVASP April 3rd, 2005
![Page 28: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/28.jpg)
Sebastian A. Modersheim 13
Compressing Further
Honest Agents state(b,...)state(a, ...)
Network message(...)
Intruder iknows(...)
receive & send
insert intercept
synthesis & analysis
Idea: the intruder is the network.
AVASP April 3rd, 2005
![Page 29: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/29.jpg)
Sebastian A. Modersheim 13
Compressing Further
Honest Agents state(b,...)state(a, ...)
Network message(...)
Intruder iknows(...)
receive & send
insert intercept
synthesis & analysis
Idea: the intruder is the network.
Honest Agents state(b,...)state(a, ...)
Network=Intruder iknows(...)
synthesis & analysis
insert &receive & send
& intercept
AVASP April 3rd, 2005
![Page 30: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/30.jpg)
Sebastian A. Modersheim 14
Step-Compression
• Idea: since we do not distinguish intruder and network
� every message that an honest agent sends to the network is automaticallydiverted; and
� every message that an honest agent reveices from the network was earlierinserted by the intruder.
• ⇒ Compression of 3 rules:
=>state(...)msg(...)
state(...)msg(...)
=>iknows(...)
msg(...)
=>iknows(...)
msg(...)
step
intercept
insert
AVASP April 3rd, 2005
![Page 31: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/31.jpg)
Sebastian A. Modersheim 14
Step-Compression
• Idea: since we do not distinguish intruder and network
� every message that an honest agent sends to the network is automaticallydiverted; and
� every message that an honest agent reveices from the network was earlierinserted by the intruder.
• ⇒ Compression of 3 rules:
=>state(...)msg(...)
state(...)msg(...)
=>iknows(...)
msg(...)
=>iknows(...)
msg(...)
step
intercept
insert
AVASP April 3rd, 2005
![Page 32: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/32.jpg)
Sebastian A. Modersheim 14
Step-Compression
• Idea: since we do not distinguish intruder and network
� every message that an honest agent sends to the network is automaticallydiverted; and
� every message that an honest agent reveices from the network was earlierinserted by the intruder.
• ⇒ Compression of 3 rules:
=>iknows(...)
step
insert
interceptstate(...)iknows(...)
state(...)
• Correctness & completeness similar as for the immediate reaction.AVASP April 3rd, 2005
![Page 33: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/33.jpg)
Sebastian A. Modersheim 15
Example NSPK, role Alice
(insert) i knows(M)⇒ msg(M)
(step 2/3) state(roleA, 1,A,B,SID,K,NA). msg({NA,NB}K(A))⇒ state(roleA, 3,A,B,SID,K,NA,NB). msg({NB}K(B))
(intercept) msg(M)⇒ i knows(M)
↓
(compressed step 2/3)state(roleA, 1,A,B,SID,K,NA). i knows({NA,NB}K(A))
⇒ state(roleA, 3,A,B,SID,K,NA,NB). i knows({NB}K(B))
AVASP April 3rd, 2005
![Page 34: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/34.jpg)
Sebastian A. Modersheim 16
Step-Compression: Effects
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
m2’m2
Agents Network
a: 0b: 0
m2’m1’
Agents Network
a: 0b: 0
m2
Agents Network
a: 0b: 0
m1’
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
m1m2
Agents Network
a: 0b: 0
m1m1’
Agents Network
a: 0b: 0
m1
Agents Network
a: 0b: 0
m2
Agents Network
a: 0b: 0
m1’
Agents Network
a: 0b: 0
......
... ... ...
Agents Network
a: 0b: 0
m2’
... ...divert insert m2 a/step 1
insert m2b/step 2a/step 1
a/step 1insert m2divertb/step 1
insert m1 insert m2a/step 1
AVASP April 3rd, 2005
![Page 35: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/35.jpg)
Sebastian A. Modersheim 16
Step-Compression: Effects
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
m2’m2
Agents Network
a: 0b: 0
m2’m1’
Agents Network
a: 0b: 0
m2
Agents Network
a: 0b: 0
m1’
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
m1m2
Agents Network
a: 0b: 0
m1m1’
Agents Network
a: 0b: 0
m1
Agents Network
a: 0b: 0
m2
Agents Network
a: 0b: 0
m1’
Agents Network
a: 0b: 0
......
... ... ...
Agents Network
a: 0b: 0
m2’
... ...divert insert m2 a/step 1
insert m2b/step 2a/step 1
insert m2 a/step 1divertb/step 1
insert m1 insert m2a/step 1
AVASP April 3rd, 2005
![Page 36: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/36.jpg)
Sebastian A. Modersheim 16
Step-Compression: Effects
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
m2’m2
Agents Network
a: 0b: 0
m2’m1’
Agents Network
a: 0b: 0
m2
Agents Network
a: 0b: 0
m1’
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
Agents Network
a: 0b: 0
m1m2
Agents Network
a: 0b: 0
m1m1’
Agents Network
a: 0b: 0
m1
Agents Network
a: 0b: 0
m2
Agents Network
a: 0b: 0
m1’
Agents Network
a: 0b: 0
......
... ... ...
Agents Network
a: 0b: 0
m2’
... ...divert insert m2 a/step 1
insert m2a/step 1
b/step 1 divert insert m2 a/step 1
insert m1 insert m2a/step 1
b/step 2
AVASP April 3rd, 2005
![Page 37: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/37.jpg)
Sebastian A. Modersheim 17
Overview
• Introduction: IF
• Compressions
• The Lazy Intruder
• Symbolic SessionsSession Instances
Tool invocationsa=I a#I
• Constraint Differentiation
symbolic
ground state space
CIKs t
from(m3, IK ∪m2)from(m1, IK )m2
m4
IK Ct2s2
IK
m4 from(m3, IK )Ct3s3
i sends m3 to b and
receives m4 from b
i sends m1 to a and
receives m2 from a
from(m1, IK ∪m4)from(m3, IK )
IK
m4
m2
Cs4
t4
receives m2 from a
i sends m1 to a and
IK
m2 from(m1, IK )Ct1s1
i sends m3 to b and
receives m4 from b
AVASP April 3rd, 2005
![Page 38: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/38.jpg)
Sebastian A. Modersheim 18
The Lazy Intruder: Idea
1. A → B : M,A,B, {|NA,M,A,B|}KAS
Which concrete value is chosen for these parts makes a difference only later.
AVASP April 3rd, 2005
![Page 39: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/39.jpg)
Sebastian A. Modersheim 18
The Lazy Intruder: Idea
1. A → B : M,A,B, {|NA,M,A,B|}KAS
Which concrete value is chosen for these parts makes a difference only later.
Idea: postpone this decision.
1. i(X2) → b : X1,X2, b,X3 from({X1,X2,X3}; IK )
IK : current Intruder Knowledge
AVASP April 3rd, 2005
![Page 40: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/40.jpg)
Sebastian A. Modersheim 18
The Lazy Intruder: Idea
1. A → B : M,A,B, {|NA,M,A,B|}KAS
Which concrete value is chosen for these parts makes a difference only later.
Idea: postpone this decision.
1. i(X2) → b : X1,X2, b,X3 from({X1,X2,X3}; IK )
IK : current Intruder Knowledge
from-constraints are evaluated in a demand-driven way,hence lazy intruder.
AVASP April 3rd, 2005
![Page 41: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/41.jpg)
Sebastian A. Modersheim 19
Lazy Intruder: Formally• Constraints of the lazy intruder: from(T ; IK )
• [[from(T ; IK )]] = {σ | ground(Tσ ∪ IKσ) ∧ (Tσ ⊆ DY(IKσ))}
where DY(IK ) is the closure of IK under Dolev-Yao rules.
• Semantics hence relates from-constraints to the Dolev-Yao model.
AVASP April 3rd, 2005
![Page 42: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/42.jpg)
Sebastian A. Modersheim 19
Lazy Intruder: Formally• Constraints of the lazy intruder: from(T ; IK )
• [[from(T ; IK )]] = {σ | ground(Tσ ∪ IKσ) ∧ (Tσ ⊆ DY(IKσ))}
where DY(IK ) is the closure of IK under Dolev-Yao rules.
• Semantics hence relates from-constraints to the Dolev-Yao model.
• Simple constraints: the T -part contains only variables⇒ simple constraints are always satisfiable⇒ solved form for constraints.
• Calculus of reduction rules for constraints to obtain simple constraints.⇒ simple constraints are not reduced — lazy.
• Adding Inequalities
from(X1, . . . ,Xn; IK ) ∧ t1 6= t2 ∧ t3 6= t4 . . .
If the inequalities are satisfiable then the entire constraint set is satisfiable.
AVASP April 3rd, 2005
![Page 43: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/43.jpg)
Sebastian A. Modersheim 19
Lazy Intruder: Formally• Constraints of the lazy intruder: from(T ; IK )
• [[from(T ; IK )]] = {σ | ground(Tσ ∪ IKσ) ∧ (Tσ ⊆ DY(IKσ))}
where DY(IK ) is the closure of IK under Dolev-Yao rules.
• Semantics hence relates from-constraints to the Dolev-Yao model.
• Simple constraints: the T -part contains only variables⇒ simple constraints are always satisfiable⇒ solved form for constraints.
• Calculus of reduction rules for constraints to obtain simple constraints.⇒ simple constraints are not reduced — lazy.
• Adding Inequalities
from(X1, . . . ,Xn; IK ) ∧ t1 6= t2 ∧ t3 6= t4 . . .
If the inequalities are satisfiable then the entire constraint set is satisfiable.Justchoose different messages for each Xi!
AVASP April 3rd, 2005
![Page 44: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/44.jpg)
Sebastian A. Modersheim 20
Lazy Intruder: Reduction Rules
from(m1 ∪ m2 ∪ T ; IK ) ∪ C, σfrom({|m2|}m1 ∪ T ; IK ) ∪ C, σ
Glscrypt ,
(from(T ;m2 ∪ IK ) ∪ C)τ, στfrom(m1 ∪ T ;m2 ∪ IK ) ∪ C, σ
Glunif (τ = mgu(m1,m2), m1 /∈ V) ,
from(m1; IK ) ∪ from(T ;m2 ∪ {|m2|}m1 ∪ IK ) ∪ C, σfrom(T ; {|m2|}m1 ∪ IK ) ∪ C, σ
Alscrypt (m2 /∈ IK ) ,
AVASP April 3rd, 2005
![Page 45: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/45.jpg)
Sebastian A. Modersheim 21
Lazy Intruder: An Example
The intruder knows an old message {|a, b, n1, n2|}k(b,s) ∈ IK , as well as thecontained nonces n1, n2 ∈ IK .
Agent b expects to receive the final message of the protocol:
{|a, b,KAB|}k(b,s), {|n2|}KAB
from(∅; IK ) ; [KAB 7→<n1, n2>]
from(n1 ∪ n2; IK ) ; [KAB 7→<n1, n2>]Gl
unif
from({|n2|}<n1,n2>; IK ) ; [KAB 7→<n1, n2>]
Glpair, G
lscrypt
from({|a, b,KAB|}k(b,s) ∪ {|n2|}KAB; IK ) ; idGl
unif
AVASP April 3rd, 2005
![Page 46: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/46.jpg)
Sebastian A. Modersheim 22
Lazy Intruder: Completeness
• Theorem. Satisfiability of (well-formed) from-constraints is decidable.
from(
T1....t1τ
T2....t2τ
{|t2|}t1τ`
{|t2|}t1 ∪T0....E0; IK )
↓Glscrypt
from(
T1....t1τ
t1 ∪
T2....t2τ
t2 ∪T0....
E0σ; IKσ) .
AVASP April 3rd, 2005
![Page 47: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/47.jpg)
Sebastian A. Modersheim 23
Integration: Symbolic Transition System
• Symbolic state = term with variables + constraint set
• [[(t, C)]] = {tσ | σ ∈ [[C]]} (a set of ground states).
• Two layers of search:
Layer 1: search in the symbolic state spaceLayer 2: constraint reduction
AVASP April 3rd, 2005
![Page 48: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/48.jpg)
Sebastian A. Modersheim 24
Lazy Intruder: History
[Huima 1999] First paper with the idea. Formalization extremely complex.
[Amadio & Lugiez 2001] Much simpler presentation of the idea and proofs.
[Rusinowitch & Turuani 2001] The insecurity problem for a bounded number ofsessions is NP-complete, even without restriction to atomic keys.
[Chevalier & Vigneron 2001] First lazy intruder without the restriction toatomic keys.
[Millen & Shmatikov 2001] Similar (independent) approach with non-atomickeys, including formal proofs.
. . .
The approaches get more powerful and at the same time simpler, for instance . . .
AVASP April 3rd, 2005
![Page 49: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/49.jpg)
Sebastian A. Modersheim 25
Overview
• Introduction: IF
• Compressions
• The Lazy Intruder
• Symbolic SessionsSession Instances
Tool invocationsa=I a#I
• Constraint Differentiation
symbolic
ground state space
CIKs t
from(m3, IK ∪m2)from(m1, IK )m2
m4
IK Ct2s2
IK
m4 from(m3, IK )Ct3s3
i sends m3 to b and
receives m4 from b
i sends m1 to a and
receives m2 from a
from(m1, IK ∪m4)from(m3, IK )
IK
m4
m2
Cs4
t4
receives m2 from a
i sends m1 to a and
IK
m2 from(m1, IK )Ct1s1
i sends m3 to b and
receives m4 from b
AVASP April 3rd, 2005
![Page 50: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/50.jpg)
Sebastian A. Modersheim 26
Session Instances — The Model
• Session: instantiation of all roles with an agent name.
• Example:[A : a,B : b][A : a,B : i]
means that the initial state contains
state(roleA, 0, a, b)state(roleB, 0, b, a)state(roleA, 0, a, i)state(roleB, 0, i, a)
• We also call this a scenario.
AVASP April 3rd, 2005
![Page 51: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/51.jpg)
Sebastian A. Modersheim 27
Automated Session Generation
• What scenarios to examime?
• Bouallagui et al, 2002 : given a bound n, generate all instances of n parallelsessions avoiding redundancies like isomorph instances.
• E.g. n = 2:
[A : a,B : b][A : a,B : b]
[A : a,B : b][A : a,B : i]
[A : a,B : b][A : b,B : a] . . .
• Parameter Search:
Session Instances
Tool invocations
AVASP April 3rd, 2005
![Page 52: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/52.jpg)
Sebastian A. Modersheim 28
Symbolic Sessions
• Let the lazy intruder take care of the instantiation problem.
• Ag is the set of agent names.
• Initial state containts variables ranging over Ag, e.g.:
state(roleA, 0,A1,B1) A1 6= istate(roleB, 0,B′1,A
′1) B′1 6= i
• Constraint sets must be well-formed, in particular, all variables must be boundby a constraint.
• {from(Ai; IK 0)} where Ai are the variables occuring in the initial state.
• We therefore assume the intruder initially knows all agent names: Ag ⊆ IK 0.
⇒ The agent names are chosen by the intruder as well.
AVASP April 3rd, 2005
![Page 53: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/53.jpg)
Sebastian A. Modersheim 28
Symbolic Sessions
• Let the lazy intruder take care of the instantiation problem.
• Ag is the set of agent names.
• Initial state containts variables ranging over Ag, e.g.:
state(roleA, 0,A1,B1) A1 6= istate(roleB, 0,B′1,A
′1) B′1 6= i
• Constraint sets must be well-formed, in particular, all variables must be boundby a constraint.
• {from(Ai; IK 0)} where Ai are the variables occuring in the initial state.
• We therefore assume the intruder initially knows all agent names: Ag ⊆ IK 0.
⇒ The agent names are chosen by the intruder as well. Lazily.
AVASP April 3rd, 2005
![Page 54: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/54.jpg)
Sebastian A. Modersheim 29
Symbolic Sessions: Example
1. A -> B: {NA,A}KB2. B -> A: {NA,NB}KA3. A -> B: {NB}KB
A : A1 → B : B1
A : A2 → B : B2
A1 6= i B2 6= i
IK 0
Trace:1. A1 → i(B1) : {n1,A1}k(B1)
⇒ The intruder can read n1 iff B1 = i.⇒ Case split B1 = i and B1 6= i.Let’s follow the case B1 = i.
AVASP April 3rd, 2005
![Page 55: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/55.jpg)
Sebastian A. Modersheim 30
Symbolic Sessions: Example
1. A -> B: {NA,A}KB2. B -> A: {NA,NB}KA3. A -> B: {NB}KB
A : A1 → B : i
A : A2 → B : B2
A1 6= i B2 6= i
IK 0
{n1, A1}k(i) n1 IK 1
Trace:1. A1 → i(i) : {n1,A1}k(i)
AVASP April 3rd, 2005
![Page 56: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/56.jpg)
Sebastian A. Modersheim 31
Symbolic Sessions: Example
1. A -> B: {NA,A}KB2. B -> A: {NA,NB}KA3. A -> B: {NB}KB
A : A1 → B : i
A : A2 → B : B2
A1 6= i B2 6= i
IK 0
{n1, A1}k(i) n1 IK 1
Trace:1. A1 → i : {n1,A1}k(i)
1.′ i(A2) → B2 : {NA,A2}k(B2)
with the new constraint store
from(A1,A2,B2; IK 0)from({NA,A2}k(B2); IK 1)
Solutions: either replay old messages or generate the new message from subterms:
from(k ∪ B2 ∪ A2∪NA; IK 1)
AVASP April 3rd, 2005
![Page 57: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/57.jpg)
Sebastian A. Modersheim 32
Symbolic Sessions: Example
1. A -> B: {NA,A}KB2. B -> A: {NA,NB}KA3. A -> B: {NB}KB
A : A1 → B : i
A : A2 → B : B2
A1 6= i B2 6= i
IK 0
{n1, A1}k(i) n1 IK 1
{NA, n2}k(A2)IK 2
Trace:1. A1 → i : {n1,A1}k(i)
1.′ i(A2) → B2 : {NA,A2}k(B2)
2.′ B2 → i(A2) : {NA, n2}k(A2)
Again, the intruder can decrypt this message iff he is the intended recipient, i.e. iffA2 = i.
Let’s follow the case A2 6= i here.
AVASP April 3rd, 2005
![Page 58: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/58.jpg)
Sebastian A. Modersheim 33
Symbolic Sessions: Example
1. A -> B: {NA,A}KB2. B -> A: {NA,NB}KA3. A -> B: {NB}KB
A : A1 → B : i
A : A2 → B : B2
A1 6= i B2 6= i A2 6= i
IK 0
{n1, A1}k(i) n1 IK 1
{NA, n2}k(A2)IK 2
Trace:1. A1 → i : {n1,A1}k(i)
1.′ i(A2) → B2 : {NA,A2}k(B2)
2.′ B2 → iA2 : {NA, n2}k(A2)
2. i → A1 : {n1,NB}k(A1)
with the new constraint storefrom(A1,A2,B2; IK 0)from(NA; IK 1)from({n1,NB}k(A1); IK 2)
Solutions: generate the new message from its subterms, or replay an old one:{n1,NB}k(A1) = {NA, n2}k(A2)
⇒ A1 = A2, n1 = NA, NB = n2
AVASP April 3rd, 2005
![Page 59: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/59.jpg)
Sebastian A. Modersheim 34
Symbolic Sessions: Example
1. A -> B: {NA,A}KB2. B -> A: {NA,NB}KA3. A -> B: {NB}KB
A : A1 → B : i
A : A1 → B : B2
A1 6= i B2 6= i
IK 0
{n1, A1}k(i) n1 IK 1
{n1, n2}k(A1)IK 2
Trace:1. A1 → i : {n1,A1}k(i)
1.′ i(A1) → B2 : {n1,A1}k(B2)
2.′ B2 → i(A1) : {n1, n2}k(A1)
2. i → A1 : {n1, n2}k(A1)
with the new constraint store
from(A1,B2; IK 0)from(n1; IK 1)from(n1; IK 2)
The answer from A1 is {n2}k(i), so the intruder now knows n2 and can finish theprotocol with B2.
AVASP April 3rd, 2005
![Page 60: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/60.jpg)
Sebastian A. Modersheim 35
Symbolic Sessions: Example
1. A -> B: {NA,A}KB2. B -> A: {NA,NB}KA3. A -> B: {NB}KB
A : A1 → B : i
A : A1 → B : B2
A1 6= i B2 6= i
IK 0
{n1, A1}k(i) n1 IK 1
{n1, n2}k(A1)IK 2
{n2}k(i) n2 IK 3
Trace:1. A1 → i : {n1,A1}k(i)
1.′ i(A1) → B2 : {n1,A1}k(B2)
2.′ B2 → i(A1) : {n1, n2}k(A1)
2. i → A1 : {n1, n2}k(A1)
3. A1 → i : {n2}k(i)
3.′ i(A1) → B2 : {n2}k(b)
where A1 and B2 are arbitrary honest agents.
AVASP April 3rd, 2005
![Page 61: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/61.jpg)
Sebastian A. Modersheim 36
Two agents are sufficient
All substitutions for the variables for agent names are substituted either
• with each other (e.g. A1 = A2)
• or with the intruder (e.g. B1 = i).
Thus: isn’t it sufficient to have only two agents, alice and intruder?
AVASP April 3rd, 2005
![Page 62: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/62.jpg)
Sebastian A. Modersheim 37
Intuition
Session Instances
Tool invocations
a=I a#I
AVASP April 3rd, 2005
![Page 63: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/63.jpg)
Sebastian A. Modersheim 38
Overview
• Introduction: IF
• Compressions
• The Lazy Intruder
• Symbolic Sessions
• Constraint Differentiation
symbolic
ground state space
CIKs t
from(m3, IK ∪m2)from(m1, IK )m2
m4
IK Ct2s2
IK
m4 from(m3, IK )Ct3s3
i sends m3 to b and
receives m4 from b
i sends m1 to a and
receives m2 from a
from(m1, IK ∪m4)from(m3, IK )
IK
m4
m2
Cs4
t4
receives m2 from a
i sends m1 to a and
IK
m2 from(m1, IK )Ct1s1
i sends m3 to b and
receives m4 from b
AVASP April 3rd, 2005
![Page 64: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/64.jpg)
Sebastian A. Modersheim 39
Two Key Challenges and their Solutions
Two key challenges of model-checking security protocols:
1. The prolific Dolev-Yao intruder model.
2. Concurrency: number of parallel sessions executed by honest agents.
AVASP April 3rd, 2005
![Page 65: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/65.jpg)
Sebastian A. Modersheim 39
Two Key Challenges and their Solutions
Two key challenges of model-checking security protocols:
1. The prolific Dolev-Yao intruder model.
• No bound on the messages the intruder can compose.• Lazy Intruder: symbolic representation of intruder.
“Often just as if there were no intruder!”
2. Concurrency: number of parallel sessions executed by honest agents.
AVASP April 3rd, 2005
![Page 66: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/66.jpg)
Sebastian A. Modersheim 39
Two Key Challenges and their Solutions
Two key challenges of model-checking security protocols:
1. The prolific Dolev-Yao intruder model.
• No bound on the messages the intruder can compose.• Lazy Intruder: symbolic representation of intruder.
“Often just as if there were no intruder!”
2. Concurrency: number of parallel sessions executed by honest agents.
• Often addressed using Partial-Order Reduction (POR).• POR is limited when using the lazy intruder technique.• Constraint Differentiation: general, POR-inspired reduction technique
extending the lazy intruder.
AVASP April 3rd, 2005
![Page 67: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/67.jpg)
Sebastian A. Modersheim 40
Constraint Differentiation: IdeaTypical situation: 2 independent actions executable in either order:
CIKs t
AVASP April 3rd, 2005
![Page 68: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/68.jpg)
Sebastian A. Modersheim 40
Constraint Differentiation: IdeaTypical situation: 2 independent actions executable in either order:
CIKs t
receives m2 from a
i sends m1 to a and
IK
m2 from(m1, IK )Ct1s1
AVASP April 3rd, 2005
![Page 69: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/69.jpg)
Sebastian A. Modersheim 40
Constraint Differentiation: IdeaTypical situation: 2 independent actions executable in either order:
CIKs t
from(m3, IK ∪m2)from(m1, IK )m2
m4
IK Ct2s2
receives m2 from a
i sends m1 to a and
IK
m2 from(m1, IK )Ct1s1
i sends m3 to b and
receives m4 from b
AVASP April 3rd, 2005
![Page 70: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/70.jpg)
Sebastian A. Modersheim 40
Constraint Differentiation: IdeaTypical situation: 2 independent actions executable in either order:
CIKs t
from(m3, IK ∪m2)from(m1, IK )m2
m4
IK Ct2s2
IK
m4 from(m3, IK )Ct3s3
i sends m3 to b and
receives m4 from b
i sends m1 to a and
receives m2 from a
from(m1, IK ∪m4)from(m3, IK )
IK
m4
m2
Cs4
t4
receives m2 from a
i sends m1 to a and
IK
m2 from(m1, IK )Ct1s1
i sends m3 to b and
receives m4 from b
(where t2 = t4)
AVASP April 3rd, 2005
![Page 71: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/71.jpg)
Sebastian A. Modersheim 40
Constraint Differentiation: IdeaTypical situation: 2 independent actions executable in either order:
CIKs t
from(m3, IK ∪m2)from(m1, IK )m2
m4
IK Ct2s2
IK
m4 from(m3, IK )Ct3s3
i sends m3 to b and
receives m4 from b
i sends m1 to a and
receives m2 from a
from(m1, IK ∪m4)from(m3, IK )
IK
m4
m2
Cs4
t4
receives m2 from a
i sends m1 to a and
IK
m2 from(m1, IK )Ct1s1
i sends m3 to b and
receives m4 from b
(where t2 = t4)
Idea: exploit redundancies in the symbolic states, i.e. reduction exploitsoverlapping of the sets of ground states.
AVASP April 3rd, 2005
![Page 72: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/72.jpg)
Sebastian A. Modersheim 41
Constraint Differentiation: IdeaTypical situation: 2 independent actions executable in either order:
symbolic
ground state space
Idea: exploit redundancies in the symbolic states, i.e. reduction exploitsoverlapping of the sets of ground states.
AVASP April 3rd, 2005
![Page 73: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/73.jpg)
Sebastian A. Modersheim 42
Constraint Differentiation (1)
statespace
ground
symbolicfrom(m1, IK ∪ m4)from(m3, IK )
from(m3, IK ∪ m2)from(m1, IK )
from(m3, IK ∪ m2)from(m1, IK )s2
Cs4
C t2s2
Ct2 Ct2
D-from(m1, IK , m4)from(m3, IK )
t2s′4
• New kind of constraints: D-from(T ; IK ;NIK ).
• Intuition:
� Intruder has just learned some new intruder knowledge NIK .
AVASP April 3rd, 2005
![Page 74: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/74.jpg)
Sebastian A. Modersheim 42
Constraint Differentiation (1)
statespace
ground
symbolicfrom(m1, IK ∪ m4)from(m3, IK )
from(m3, IK ∪ m2)from(m1, IK )
from(m3, IK ∪ m2)from(m1, IK )s2
Cs4
C t2s2
Ct2 Ct2
D-from(m1, IK , m4)from(m3, IK )
t2s′4
• New kind of constraints: D-from(T ; IK ;NIK ).
• Intuition:
� Intruder has just learned some new intruder knowledge NIK .
� All solutions [[from(T ; IK ∪NIK )]] are “correct”
AVASP April 3rd, 2005
![Page 75: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/75.jpg)
Sebastian A. Modersheim 42
Constraint Differentiation (1)
statespace
ground
symbolicfrom(m1, IK ∪ m4)from(m3, IK )
from(m3, IK ∪ m2)from(m1, IK )
from(m3, IK ∪ m2)from(m1, IK )s2
Cs4
C t2s2
Ct2 Ct2
D-from(m1, IK , m4)from(m3, IK )
t2s′4
• New kind of constraints: D-from(T ; IK ;NIK ).
• Intuition:
� Intruder has just learned some new intruder knowledge NIK .
� All solutions [[from(T ; IK ∪NIK )]] are “correct” but a solution is interestingonly if it requires NIK .
[[D-from(T ; IK ;NIK )]] = [[from(T ; IK ∪NIK )]] \ [[from(T ; IK )]].
AVASP April 3rd, 2005
![Page 76: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/76.jpg)
Sebastian A. Modersheim 43
Constraint Differentiation (2)
statespace
ground
symbolicfrom(m1, IK ∪ m4)from(m3, IK )
from(m3, IK ∪ m2)from(m1, IK )
from(m3, IK ∪ m2)from(m1, IK )s2
Cs4
C t2s2
Ct2 Ct2
D-from(m1, IK , m4)from(m3, IK )
t2s′4
• [[D-from(T ; IK ;NIK )]] = [[from(T ; IK ∪NIK )]] \ [[from(T ; IK )]]
• Theorem. Satisfiability of (well-formed) D-from constraints is decidable.
• Theorem. [[s2]] ∪ [[s4]] = [[s2]] ∪ [[s′4]]
AVASP April 3rd, 2005
![Page 77: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/77.jpg)
Sebastian A. Modersheim 44
Constraint Differentiation: Reduction Rules
D-from(m1 ∪ m2 ∪ M ; IK ;NIK ) ∪ C, σD-from({|m1|}m2 ∪ M ; IK ;NIK ) ∪ C, σ
GLDscrypt ,
(D-from(M ;m2 ∪ IK ;NIK ) ∪ C)τ, στD-from(m1 ∪ M ;m2 ∪ IK ;NIK ) ∪ C, σ
GLDunif1 (τ = mgu(m1,m2),m1 /∈ V) ,
(from(M ;m2 ∪ IK ∪NIK ) ∪ C)τ, στD-from(m1 ∪ M ; IK ;m2 ∪ NIK ) ∪ C, σ
GLDunif2 (τ = mgu(m1,m2),m1 /∈ V) ,
Analysis: either specialized rules,
. . . or by normalization:
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
analysis of IK and new message
NIK
IKanalyzed
messagenew
AVASP April 3rd, 2005
![Page 78: Sebastian M¨odersheimSebastian A. M¨odersheim 2 Automated Analysis of Security Protocols • Several sources of infinity in protocol analysis: Unbounded message depth. Unbounded](https://reader031.fdocument.pub/reader031/viewer/2022011914/5fc4589ffd69ae2e355cdd18/html5/thumbnails/78.jpg)
Sebastian A. Modersheim 45
Conclusions
• Introduction: IFSimple, powerful formalism to describe protocols and intruder.
• CompressionsWe can optimize specifications by compressing rules.
• The Lazy IntruderEfficient representation of the prolific Dolev-Yao intruder.
• Symbolic SessionsLeaving the instantiation problem to the intruder.
• Constraint DifferentiationRemoving redundancies by “POR for the lazy intruder”.
AVASP April 3rd, 2005