Security Models Lecture 4 Active Intruder

(1)

Pascal Lafourcade

2020-2021

(2)

Outline of Today

1 Unification Notions Terms and Messages Unification

2 Active Intruder: Security Problem 3 Bounded Number of Sessions

4 NP-Hardness for Bounded Number of Sessions 5 Conclusion

(3)

Outline of Today

2 Active Intruder: Security Problem

3 Bounded Number of Sessions

(4)

Outline of Today

(5)

Outline of Today

4 NP-Hardness for Bounded Number of Sessions

5 Conclusion

(6)

Outline of Today

(7)

Security Models Lecture 4 Active Intruder Unification Notions

Outline

(8)

Terms and Messages

Arity

Definition

• F is a finite set

• Arity is a mapping fromF into N

• (F,Arity) is a ranked alphabet orsignature denoted Σ

• The arityof a symbolf ∈ F is Arity(f)

• The set of symbols of arity p is denoted byF_p.

• Elements of arity 0, 1, . . .p are respectively called constants, unary, . . .p-ary symbols.

(9)

Terms and Messages

Example

LetF ={enc,pair,k1,k2,0,1}

Arity(enc) =Arity(pair) = 2

Arity(k₁) =Arity(k₂) =Arity(0) =Arity(1) = 0

We also denoteF ={enc/2,pair/2,k1/0,k2/0,0/0,1/0}

(10)

Terms and Messages

Terms

LetX be a set of symbols calledvariables.

Definition

The setT(F,X) oftermsover the ranked alphabet F and the set of variablesX is the smallest set defined by:

- F₀ ⊆ T(F,X) - X ⊆ T(F,X)

- ifp ≥1,f ∈ F_pandt₁, . . . ,t_p ∈ T(F,X), thenf(t₁, . . . ,t_p)∈ T(F,X).

• IfX =∅ thenT(F,X) is also written T(F). Terms inT(F) are called ground terms.

• T(F,X

(11)

Terms and Messages

Example

LetF ={enc/2,pair/2,k₁/0,k₂/0,0/0,1/0}andX ={x,y,z} pair(x,1), enc(pair(y,z),k1) and enc(0,k1) are terms in T(F,X) pair(0,1), enc(0,k1) are terms in T(F), i.e., ground terms We also denote{ } for enc( , ) andh , ifor pair( , ).

(12)

Unification

Substitution

Definition

• A substitution(respectively a ground substitution) σ is a mapping fromX into T(F,X) (respectively intoT(F)) where there are only finitely many variables not mapped to themselves.

• Substitutions can be extended to T(F,X) in such a way that

∀f ∈ F_n,∀t₁, . . . ,tn∈ T(F,X):

σ(f(t1, . . . ,tn)) =f(σ(t1), . . . , σ(tn)).

Thedomain of a substitutionσ is the subset of variablesx∈ X

(13)

Unification

Example:

Letσ ={x ←N_A,y← {hN_A,N_Bi}_k_B} andt =hx,hy,hx,xiii.

Then,

σ(t) =hN_A,h{hN_A,N_Bi}_k_B,hN_A,N_Aiii

(14)

Unification

Definition

Twot ands are unifiable if there exists a substitutionσ such that σ(s) =σ(t)

Examples:

(15)

Unification

Definition

Examples:

s =a t =X

(16)

Unification

Definition

Examples:

s =a t =X σ ={X ←a}

(17)

Unification

Definition

Examples:

s =a t =X σ ={X ←a}

s =a t =p(X)

(18)

Unification

Definition

Examples:

s =a t =X σ ={X ←a}

s =a t =p(X) No unifier

(19)

Unification

Definition

Examples:

s =a t =X σ ={X ←a}

s =a t =p(X) No unifier s =p(a,X) t =p(Y,b)

(20)

Unification

Definition

Examples:

s =a t =X σ ={X ←a}

s =p(a,X) t =p(Y,b) σ ={X ←b;Y ←a}

(21)

Unification

Definition

Examples:

s =a t =X σ ={X ←a}

s =p(a,X) t =p(Y,b) σ ={X ←b;Y ←a}

s =p(f(X),g(Z)) t =p(f(a),Y)

(22)

Unification

Definition

Examples:

s =a t =X σ ={X ←a}

s =p(a,X) t =p(Y,b) σ ={X ←b;Y ←a}

s =p(f(X),g(Z)) t =p(f(a),Y) σ={X ←a;Y ←g(Z)}

(23)

Unification

Definition

Examples:

s =a t =X σ ={X ←a}

s =p(a,X) t =p(Y,b) σ ={X ←b;Y ←a}

s =p(f(X),g(Z)) t =p(f(a),Y)

σ={X ←a;Y ←g(Z)} or σ={X ←a;Y ←g(b);Z ←b}

(24)

Unification

Most General Unifier

Definition

The most general unification between two termss and t, denoted bymgu(s,t) if: ∀σ such that sσ =tσ,∃θ such that

σ=mgu(s,t)θ

Example:

s =p(f(X),g(Z)) t=p(f(a),Y)

σ1 ={X ←a;Y ←g(Z)}σ2={X ←a;Y ←g(b);Z ←b} θ={z 7→b},σ₂ =σ₁θ

(25)

Unification

Most General Unifier

Definition

σ=mgu(s,t)θ Example:

σ1 ={X ←a;Y ←g(Z)}σ2={X ←a;Y ←g(b);Z ←b} θ={z 7→b},σ₂ =σ₁θ

(26)

Unification

Most General Unifier

Definition

σ1 ={X ←a;Y ←g(Z)}σ2={X ←a;Y ←g(b);Z ←b}

θ={z 7→b},σ₂ =σ₁θ

(27)

Unification

Most General Unifier

Definition

σ1 ={X ←a;Y ←g(Z)}σ2={X ←a;Y ←g(b);Z ←b}

θ={z 7→b},σ₂ =σ₁θ

(28)

Unification

Goal

Design an algorithm that for a given unification problems =^? t

• returns an mgu of s andt if they are unifiable.

• reports failure otherwise.

(29)

Unification

Naive Algorithm

Write down two terms and set markers at the beginning of the terms. Then:

1 Move the markers simultaneously, one symbol at a time, until both move off the end of the term (success), or until they point to two different symbols;

2 If the two symbols are both non-variables, then fail;

otherwise, one is a variable (call it x) and the other one is the first symbol of a subterm (call it t):

• Ifx occurs int, then fail;

• Otherwise, replacex everywhere by t (including in the solution), write down ”x←t” as a part of the solution, and return to 1.

(30)

Unification

Example: f (x , g (a), g (z )) =

^?

f (g (y ), g (y ), g (g (x)))

f(x,g(a),g(z)) f(g(y),g(y),g(g(x)))

(31)

Unification

Example: f (x , g (a), g (z )) =

^?

f (g (y ), g (y ), g (g (x)))

f(x,g(a),g(z))

f(g(y),g(y),g(g(x)))

(32)

Unification

Example: f (x , g (a), g (z )) =

^?

f (g (y ), g (y ), g (g (x)))

f(x,g(a),g(z))

f(g(y),g(y),g(g(x)))

σ={x ←g(y)}

(33)

Unification

Example: f (x , g (a), g (z )) =

^?

f (g (y ), g (y ), g (g (x)))

f(g(y),g(a),g(z))

f(g(y),g(y),g(g(g(y))))

σ={x ←g(y)}

(34)

Unification

Example: f (x , g (a), g (z )) =

^?

f (g (y ), g (y ), g (g (x)))

f(g(y),g(a),g(z))

f(g(y),g(y),g(g(g(y))))

σ={x ←g(y)}

(35)

Unification

Example: f (x , g (a), g (z )) =

^?

f (g (y ), g (y ), g (g (x)))

f(g(a),g(a),g(z))

f(g(a),g(a),g(g(g(a))))

σ={x ←g(a),y ←a}

(36)

Unification

Example: f (x , g (a), g (z )) =

^?

f (g (y ), g (y ), g (g (x)))

f(g(a),g(a),g(z))

f(g(a),g(a),g(g(g(a))))

σ={x ←g(a),y ←a}

(37)

Unification

Example: f (x , g (a), g (z )) =

^?

f (g (y ), g (y ), g (g (x)))

f(g(a),g(a),g(g(g(a))))

σ={x ←g(a),y ←a,z ←g(g(a))}

(38)

Unification

Questions

1 Correctness:

• Does the algorithm always terminate?

• Does it always produce an mgu for two unifiable terms, and fail for non-unifiable terms?

• Do these answers depend on the order of operations?

2 Complexity:

• How much space does this take, and how much time?

3 Extension with equational theory, e.g., ab=ba.

(39)

Unification

Syntactic Unification is Unitary

Theorem (Robinson)

Without equational theory there exists an unique mgu for syntactic unification (modulo renaming). Unification is called unitary.

Herbrand, Martelli, Montanari, Plotkin, Robinson, Huet, Knuth, Bendix, Siekman, Baader.

(40)

Security Models Lecture 4 Active Intruder Active Intruder: Security Problem

Outline

(41)

Active Intruder with bounded number of sessions

• Theoriticaly: decidable

• Interestingpractically:

• Find flaws

• Usually attacks usefew sessions!

(42)

Dolev-Yao Deduction System

Deduction System : T0 `^?s

(A) u∈T0

T0`u (UL) T0` hu,vi

T0`u

(P) T0`u T0`v

T0` hu,vi (UR) T0` hu,vi T0`v

(C) T0`u T0`v T0` {u}v

(D) T0` {u}v T0`v T0`u

(43)

Model: actions, roles and protocol

Definition (Action)

Anactionis a couple (recv(u),send(v))such that

u∈ T(F,X)∪ {init},v ∈ T(F,X)∪ {stop}. Denoted (u →v).

Example

First and last actions of Needham Schroeder

• (init,Xb→ {N_a,A}_pk(X_b₎)

• ({N_b}_pk(B) →stop)

(44)

Model: actions, roles and protocol

Definition (Action)

Anactionis a couple (recv(u),send(v))such that

u∈ T(F,X)∪ {init},v ∈ T(F,X)∪ {stop}. Denoted (u →v).

Example

First and last actions of Needham Schroeder

• (init,Xb→ {N_a,A}_pk(X_b₎)

• ({N_b}_pk(B) →stop)

(45)

Model: actions, roles and protocol

Definition (Role)

Aroleis a finite sequence of actions:

(u₁ →v₁), . . . ,(u_n→v_n) such thatvars(vi)⊆ [

1≤j≤i

vars(uj).

Definition (Protocol)

AprotocolP is a finite set of roles: P ={R₁, . . . ,Rk}

(46)

Model: actions, roles and protocol

Definition (Role)

Aroleis a finite sequence of actions:

(u₁ →v₁), . . . ,(u_n→v_n) such thatvars(vi)⊆ [

1≤j≤i

vars(uj).

Definition (Protocol)

AprotocolP is a finite set of roles: P ={R₁, . . . ,R_k}

(47)

1st Example:

Example (Needham-schroeder)

1. A → B :{N_a,A}_pk(B) 2. B → A :{N_a,N_b}_pk(A) 3. A → B :{N_b}_pk(B)

Write down each agent’s role description, thisA talks with anybody.

R_A = (init,X_b→ {N_a,A}_pk(X_b₎), ({N_a,x_N_b}_pk(A)→ {x_Nb}_pk(X_b₎), R_B = ({x_N_a,x_A}_pk(B)→ {x_N_a,N_b}_pk(x

A)) ({N } →stop)

(48)

Scyther Notation

A: const Na: Nonce;

var Nb: Nonce;

send(A,B, {Na,A}pk(B));

recv(B,A, {Na,Nb}pk(A));

send(A,B, {Nb}pk(B));

B: const Nb: Nonce;

var Na: Nonce;

recv(A,B,{Na,A}pk(B));

send(B,A,{Na,Nb}pk(A));

(49)

Exercise

Denning-Sacco Protocol

1. A→S : hA,Bi

2. S →A: {hhB,NABi,hN_s,{hN_AB,hA,Nsii}_K_BSii}_K_AS 3. A→B : {hN_AB,hA,Nsii}_K_BS

4. B→A: {S_AB}_N_AB

PDS ={R_A,RB,RS}models one session ofA,B andS.

R_A= (init,X_B → hA,X_Bi),

({hhX_B,x_N_ABi,hx_N_S,z_Aii}_K_AS →z_A), ({w_A}_x_NAB →stop)

RB = ({y_N_AB,hX_A,yN_Sii}_K_BS → {S_AB}_y_NAB)

R_S = (hX_A,X_Bi → {hX_B,N_AB,hN_S,{hN_AB,hX_A,N_Sii}_K_BSii}_K_AS)

(50)

Exercise

Denning-Sacco Protocol

1. A→S : hA,Bi

2. S →A: {hhB,NABi,hN_s,{hN_AB,hA,Nsii}_K_BSii}_K_AS 3. A→B : {hN_AB,hA,Nsii}_K_BS

4. B→A: {S_AB}_N_AB

PDS ={R_A,RB,RS}models one session ofA,B andS. R_A= (init,X_B → hA,X_Bi),

({hhX_B,x_N_ABi,hx_N_S,z_Aii}_K_AS →z_A), ({w_A}_x_NAB →stop)

(51)

Semantics

Definition (States)

• T is a set of ground terms (intruder knowledge)

• P a protocol

Astate is a couple (T,P) Definition (Transtion)

Is arelation between states(T,P)→^σ (T⁰,P⁰)

• P =Sk

i Ri, take an i : Ri = (ui →vi)

• Possible σ:T `u_iσ (dom(σ) =vars(u_i))

• Update intruder knowledge : T⁰=T∪ {v_iσ}

• Update Protocol ∀j 6=i,R ∈P⁰,P⁰ = (P\ {R})∪Rσ

(52)

Example

Simple LetT ={a,b,k_I}and P ={R} where R= (hx,yi → h{y}_k,xi),(z → hx,hy,zii).

• (T,P)→^σ (T ∪ {h{b}_k,ai},{(z → ha,hb,zii)}) σ ={x ←a,y ←b}

• (T,P)→^σ (T ∪ {h{{a}_k_I}_k,ai},{(z → ha,h{a}_k_I,zii)} σ ={x ←a,y ← {a}_k_I}

• (T,P)6→^σ (T ∪ {h{{a}_k}_k,ai},{(z → ha,h{a}_k,zii)}) σ ={x ←a,y ← {a}_k}

Each branch has afinite depth (protocol are finite),

butpossibly a infinite branching(infinite number of terms).

(53)

Example

• (T,P)→^σ (T ∪ {h{{a}_k_I}_k,ai},{(z → ha,h{a}_k_I,zii)}

σ ={x ←a,y ← {a}_k_I}

(54)

Example

σ ={x ←a,y ← {a}_k_I}

(55)

Example

σ ={x ←a,y ← {a}_k_I}

(56)

Example

σ ={x ←a,y ← {a}_k_I}

(57)

Preservation of the secrecy

Definition (Secrecy)

LetT₁ be a ground set of terms (Initial knowledge of the intruder).

A protocolP does not preserve the secrecy of a ground terms for T1 if there exists a state (T⁰,P⁰), such that

• T⁰`s

• (T₁,P)→^∗ (T⁰,P⁰)

where→^∗ is the reflexive and transitive closure of→.

If there does not exist a such state(T⁰,P⁰) we say that P preserves the secrecy ofs for the initial intruder knowledgeT1.

(58)

Interleaving

Definition (Partial Order<_p)

A protocolP define apartial order <_P on actions ofP, s.t (ui →vi)<P (uj →vj)

ifR ∈P,R = (u₁→v₁). . .(u_i →v_i). . .(u_j →v_j). . .(u_n→ vn) (1≤i ≤j ≤n).

Definition (Execution Order<_E)

An execution order<E of P is a total order on the subset Aof actions of P, compatible with <_P and stable by predecessor, i.e.

ifb∈Aet a<P b then a∈Aanda<E b

It corresponds to an interleaving of roles.

(59)

Interleaving

Definition (Partial Order<_p)

A protocolP define apartial order <_P on actions ofP, s.t (ui →vi)<P (uj →vj)

ifR ∈P,R = (u₁→v₁). . .(u_i →v_i). . .(u_j →v_j). . .(u_n→ vn) (1≤i ≤j ≤n).

Definition (Execution Order<E)

An execution order<E of P is a total order on the subset Aof actions ofP, compatible with <_P and stable by predecessor, i.e.

ifb∈Aet a<P b then a∈Aanda<E b

(60)

Secrecy

Definition (Secrecy over<_E)

Let an execution order<E ofP. We assume that (u₁ →v₁)<_E . . . <_E (u_n→v_n)

<_E does not preserve the secrecy ofs, givenT₁ if there exists σ₁, . . . , σ_n such that

(T₁,P)→(T₁∪ {v₁σ₁},P₁)→. . .→(T₁∪ {v₁σ₁, . . . ,v_nσ_n},P_n) andT1∪ {v₁σ1, . . . ,vnσn} `s.

(61)

Security Models Lecture 4 Active Intruder Bounded Number of Sessions

Outline

(62)

Constraints System

Symbolic representation of execution tree by constraints system.

Definition (Constraints System) Aconstraintis an expression T u whereT is a set of terms andu a term.

Aconstraints systemC is a finite set of constraints ∪_1≤i≤nT_i u_i such that

• T_i ⊆T_i₊₁ (1≤i ≤n)

• if T_i u_i ∈C andx ∈vars(T_i) then

Tj =min{T⁰|T⁰v ∈C,x∈vars(v)} exists and j <i A substitutionσ is a solution ofC ifTσ`uσ for all T u ∈C.

(63)

From Protocols to Constraints system

LetP a protocol,<_E an execution order ofP ands a secret term.

(u1 →v1)<_E (u2 →v2)<_E . . . <_E (un→vn)

We associateC:

T1 u1

T₂=T₁∪ {v₁} u₂ ... Tn=Tn−1∪ {v_n−1} un

T_n+1=T_n∪ {v_n} s

We show thatC has a solution iff<_E does not preserve the secret

(64)

Exercises

Exercise 1

A→B: hA,N_Ai B →A: {hN_A,N_Bi}_K_ab A→B: N_B

B →A: {hK,N_Bi}_K_ab A→B: {s}_K

Intruder knows only identities of AandB.

• Give role specification of this protocol of an instance of execution between AandB.

• Give a constraint system associated to this protocol between A andB.

(65)

Solution

A→B: hA,N_Ai B →A: {hN_A,N_Bi}_K_ab A→B: NB

T1=

{A,B,hA,N_Ai,{hN_A,N_Bi}_K_ab,N_B,{hK,N_Bi}_K_ab,{s}_K,init,stop}

Roles

R_A = (init → hA,N_Ai), ({hN_A,XN_Bi}_K_(A,

XB) →XN_B), ({hX_K,X_N_Bi}_K

(A,XB) → {s}_X_K) R_B = (hX_A,X_N_Ai → {hX_N_A,N_Bi}_K

(XA,B))

(66)

Solution

A→B: hA,N_Ai B →A: {hN_A,N_Bi}_K_ab A→B: NB

T1=

{A,B,hA,N_Ai,{hN_A,N_Bi}_K_ab,N_B,{hK,N_Bi}_K_ab,{s}_K,init,stop}

Constraint System

T₁ init

T2 =T1∪ {hA,NAi} hX_A,XN_Ai T₃ =T₂∪ {{hX_N_A,N_Bi}_K₍

XA,B)} {hN_A,X_N_Bi}_K_(A,

XB)

T4 =T3∪ {X_N_B} NB

(67)

Resolution of Constraints systems

Definition (Rules of simplification: C σ C⁰)

R1 C∪ {Tu} C ifT∪ {x|

T⁰x∈C,T⁰⊂T} `u R2 C∪ {Tu} σ Cσ∪ {Tσuσ} σ=mgu(t,u),t∈st(T),

t,uno variables

R3 C∪ {Tu} σ Cσ∪ {Tσuσ} σ=mgu(t1,t2),t1,t2∈st(T), t1,t2no variables

R4 C∪ {T{u}v} C∪ {Tu,Tv}

R5 C∪ {Thu,vi} C∪ {Tu,Tv}

R6 C∪ {Tu} ⊥ ifT=∅or

var(T) =var(u) =∅andT6`u

(68)

Properties of simplification rules

Lemma (Preservation)

Simplification rules transform a constraints system into a constraints system.

Lemma (Correctness)

IfC σ C⁰ then if θis a solution of C⁰,σθ is also a solution of C .

Lemma (Termination)

Simplification rules always terminate: There does not exist infinite chainC σ1C1 σ2 C2 σ3. . ..

(69)

Properties of simplification rules

Lemma (Correctness)

Lemma (Termination)

(70)

Properties of simplification rules

Lemma (Correctness)

Lemma (Termination)

(71)

Properties

Definition (Solved Form)

A constraints systemC is insolved form if C =⊥or if each constraint is of the following formT x wherex is a variable T 6=∅.

Lemma

All constraints systems in solved form different of⊥ has at least one solution.

Lemma (Completeness)

IfC is a constraint system not in solved form and if σ is a solution ofC then there existsθ, τ such that C _θC⁰,σ =θτ and τ is a solution ofC⁰.

(72)

Properties

Definition (Solved Form)

A constraints systemC is insolved form if C =⊥or if each constraint is of the following formT x wherex is a variable T 6=∅.

Lemma

All constraints systems in solved form different of⊥ has at least one solution.

Lemma (Completeness)

IfC is a constraint system not in solved form and if σ is a solution ofC then there existsθ, τ such that C C⁰,σ =θτ and τ is a

(73)

Decidability

Theorem

Preservation of the secrecy for protocol with bounded number of sessions is decidable.

• Guess an interleaving and build constraints system associated.

• Using previous lemma C has a solution iff there existsC⁰ in solved form such that C⁰ 6=⊥andC τ C⁰

• Using termination lemma to conclude.

We also can show that the problem is in co-NP.

(74)

Exercises

Exercise 1

A→B: hA,NAi B →A: {hN_A,N_Bi}_K_ab A→B: N_B

B →A: {hK,NBi}_K_ab A→B: {s}_K

Intruder knows only identities ofA andB.

• Use simplification rules to transform the system in solved form.

• There exists an easy attack, can you find it ?

(75)

Solution

T₁={A,B,hA,N_Ai,{hNA,N_Bi}Kab,N_B,{hK,N_Bi}Kab,{s}K,init,stop}

C1 T1 init

C2 T2=T1∪ {hA,NAi} hXA,XN_Ai C3 T3=T2∪ {{hXN_A,NBi}K₍_XA_,B)} {hNA,XN_Bi}K_(A,_XB₎

C4 T4=T3∪ {XN_B} NB

C5 T5=T4∪ {{hK,NBi}K₍_XA_,B)} {hXK,XN_Bi}K_(A,_XB₎

C₆ T₆=T₅∪ {{s}XK} {Xs}K

C₇ T₇=T₆∪ {stop} s

Road book

Interleaving: (u₁Â,v₁Â)(u₁^B,v₁^B)(u₂Â,v₂Â)(u₂^B,v₂^B)(u₃Â,v₃Â)(u₃^B,v₃^B)

R2 C∪ {T u} σ Cσ∪ {Tσuσ} σ=mgu(t,u),t ∈st(T), t,uno variables

• Apply nothing onC , already in resolved form.

(76)

Solution

T1={A,B,hA,NAi,{hNA,NBi}K_ab,NB,{hK,NBi}K_ab,{s}K,init,stop}

C3σ1 T3=T2∪ {{hNA,NBi}K_(A,B)} {hNA,XN_Bi}K_(A,_XB₎

C₄σ₁ T₄=T₃∪ {X_N_B} N_B

C5σ1 T5=T4∪ {{hK,NBi}K_(A,B)} {hXK,XN_Bi}K_(A,_XB₎

C6σ1 T6=T5∪ {{s}X_K} {Xs}K

C₇σ₁ T₇=T₆∪ {stop} s

Road bookσ1={XN_A ←NA,XA←A}

• ApplyR₂onC₃givesσ₂={XNB ←N_B,X_B ←B}(orN_A) andR₁

(77)

Solution

T₁={A,B,hA,N_Ai,{hNA,N_Bi}Kab,N_B,{hK,N_Bi}Kab,{s}K,init,stop}

C₅σ₁σ₂ T₅=T₄∪ {{hK,N_Bi}_K_(A,B)} {hX_K,N_Bi}_K_(A,B) C6σ1σ2 T6=T5∪ {{s}X_K} {Xs}K

C7σ1σ2 T7=T6∪ {stop} s

Road bookσ₁={X_N_A ←N_A,X_A←A} σ₂={X_N_B ←N_B,X_B ←B}

• ApplyR2onC5σ1σ2 giveσ3={XK ←NA}

• ApplyR2, onσ1σ2σ3C6 giveσ4={XS ←s}

(78)

Solution

1 A→B : hA,N_Ai 2 B →A: {hN_A,N_Bi}_K_ab 3 A→B : N_B

4 B →A: {hK,N_Bi}_K_ab 5 A→B : {s}_K

The resolution of constraint system gives the following attack:

Send 2nd message{hN_A,NBi}_K_ab instead of the 4th message {hK,N_Bi}_K_ab. HenceA will replay{s}_N_A because intruder knows N_A

(79)

Exercises

Exercise 2

A→B : {hA,Ki}_K_ab B →A: {s}_K_ab

Intruder knows only identities ofA andB. Show that the secret datas is preserved by one single session betweenA andB.

(80)

Solution

A→B : {hA,Ki}_K_ab B →A: {s}_K_ab

T₁={A,B,{hA,Ki}_K_ab,{s}_K_ab} Constraint System

C₁ T₁ init

C₂ T₂ =T₁∪ {{hA,X_Ki}_K_ab} {hA,X_Ki}_K_ab C3 T3 =T2∪ {{s}_X

Kab} {s}_X

Kab

C4 T4 =T3∪ {stop} s

(81)

Solution

C₁ T₁ init

C2 T2 =T1∪ {{hA,XKi}_K_ab} {hA,XKi}_K_ab C₃ T₃ =T₂∪ {{s}_X

Kab} {s}_X

Kab

C₄ T₄ =T₃∪ {stop} s

T1={A,B,{hA,Ki}_K_ab,{s}_K_ab} Road book

• Apply nothing or R₄ or R₅ andR₂ onC₁ give σ0={X_K ←K,XK_ab ←Kab}

Each time you meet a solved form of the form⊥with R6.

(82)

Security Models Lecture 4 Active Intruder NP-Hardness for Bounded Number of Sessions

Outline

(83)

NP-hardness

Theorem

Decide if a protocolP does not preserve the secrecy of a ground terms from an initial knowledgeT₁ is NP-difficult.

(84)

Recall 3-SAT Problem

Definition

Input: set of propositional variables {x₁, . . . ,x_n} and a conjunction of clauses with 3 literals.

f(~x) = ^

1≤i≤I

(x_i,1ⁱ^,1∨x_i,2^i,2∨x_i,3^i,3)

where_i_,j ∈ {+,−}andx⁺=x,x⁻=¬x.

Question : Does exist a valuation V of {x₁, . . . ,xn}, such that V(f(~x)) =>.

Theorem

(85)

NP-difficulty

We build a protocol such that an intruder can deduces iff f(~x) is satisfaisable.

g(x_i,j^i,j) =

xi,j if i,j = + {x_i,j}_K if _i_,j =−

∀1≤i ≤I : fi(~x) =hg(x_i,1ⁱ^,1),hg(x_i,2^i,2),g(x_i,3^i,3)ii We suppose Initial intruder knowledge is {⊥,>}.

A: hx₁,h. . . ,xnii → {hf₁(~x),hf₂(~x),h. . . ,hf_n(~x),endi. . .ii}_p

∀1≤i ≤I :

B_i : {hh>,hx,yii,zi}_p → {z}_p B_i : {hh{⊥}_K,hx,yii,zi}_p→ {z}_p

C_i : {hhx,h>,yii,zi}_p → {z}_p C_i : {hhx,h{⊥}_K,yii,zi}_p→ {z}_p Di : {hhx,hy,>ii,zi}_p → {z}_p

(86)

Security Models Lecture 4 Active Intruder Conclusion

Outline

(87)

Summary

Today

• Active Intruder

• Bounded Number of Sessions

• NP-Hardness

• Tools

(88)

Next Time

• Playing with Tools:

• Scyther

• Avispa: OFMC, Cl-Atse, SATMC, TA4SP

• Proverif

(89)

Thank you for your attention

Questions ?