Correctness Proofs and Counter-model Generation with Authentication-Protocol Logic
Koji Hasebe, Mitsuhiro Okada (Department of Philosophy, Keio University)

Background
Security protocols: communication over an insecure network, with cryptography used for authentication, secrecy, etc.
Formal analysis of security protocols: assume perfect encryption, and assume the existence of an intruder who may see all exchanged messages; delete, alter, inject and redirect messages; initiate new communications; and reuse messages from past sessions.

An Example: A process of the Needham-Schroeder Protocol
Initiator, Responder. The protocol aims to provide sharing of secret data and . Messages (1), (2), (3).

An Example: A process of the Needham-Schroeder Protocol
Initiator, Responder. The protocol aims to provide sharing of secret data and . Messages (1), (2), (3).
Annotations: Alice's identity; fresh random value generated by Alice; encryption with Bob's public key.

The agreement property
Initiator / Responder: sends / receives; sends / receives; sends / receives.
Instantiation (here are constants.) and substitution .

The agreement property
Initiator's role / Responder's role (here are variables.)
Initiator / Responder: sends / receives; sends / receives; sends / receives.

The agreement property
Initiator / Responder: sends / receives; sends / receives; sends / receives.
Definition ( has the agreement property w.r.t. ): for any substitution and for any process , if contains an execution of the responder's role and an initiator's execution according to , then contains .

An attack on the NS protocol [Lowe, 1996]
From Bob's view, Bob believes that Alice communicates with Bob, but actually Alice communicates with the Intruder. This attack has nothing to do with cryptography.
Participants: Alice, Bob, Intruder. Messages (1), (1'), (2), (3), (3').

Proving vs Model Checking (two approaches to protocol verification)
Inference rule-based deductive approaches: BAN logics (Burrows-Abadi-Needham, 1989); protocol logics (or compositional logics); etc.
Trace-based semantic approaches: MSR (Cervesato-Durgin-Lincoln-Mitchell-Scedrov, 1999); strand spaces (Thayer Fabrega-Herzog-Guttman, 1998); etc.

Protocol Logics
Inference systems to prove protocols correct. Primitive actions ("sending", "receiving", "generating", etc.) are described as predicate symbols. Some properties of nonces and keys are formalized as non-logical axioms. Correctness is proved in the logical system.
Durgin-Mitchell-Pavlovic (2001), Datta-Derek-Mitchell-Pavlovic (2003-), Cervesato-Meadows-Pavlovic (2004-), Hasebe-Okada (2004)

Proving vs Model Checking

Proving = Model Checking, by a completeness proof based on the proof-search (i.e., bottom-up proof construction) method.

Proving = Model Checking, by a completeness proof based on the proof-search (i.e., bottom-up proof construction) method.
Proof search of a query (which represents a correctness property): if provable, obtain a formal proof of the query; if not provable, obtain a counter-example, i.e., concrete attacks on the protocol.

Provable case. Bottom-up proof search: agreement formula at the bottom, axioms at the top.

Unprovable case. Bottom-up proof search: agreement formula at the bottom, axioms at the top; counter-example.

Proof search outputs: provable, or counter-examples.

Proof search outputs: provable, or counter-examples. Among the counter-examples, the realizable counter-examples (= attacks) are identified using Comon-Treinen's algorithm for the intruder deduction problem (2003).

Main results for the agreement property with a bounded number of sessions
1. The basic part of Protocol Logic is describable in first-order predicate logic.
2. The first-order proof-search-based completeness proof is applicable to our Basic Protocol Logic, hence usable for proving correctness and detecting attacks at once.
3. Provability of the correctness property is decidable (by the finite domain property).

1. Basic Protocol Logic (or BPL, for short)
2. Proof-search-based completeness proof
3. Example of our proof construction / counter-example generation

Language of Basic Protocol Logic (1)
Sorts: name, nonce, message, (key).
Terms. Atomic terms: atomic terms of sort (principal) name; atomic terms of sort nonce; variables of sort message. All atomic terms of sort name and nonce are terms of sort message.
Compound terms of sort message:

Language of Basic Protocol Logic (2)
Formulas. Atomic formulas: a trace formula is a sequence of primitive actions (denoted by , or ). (Here we use sends, receives, generates as primitive actions.) E.g. (P generates before P sends before Q receives .) Equality and subterm relations ( ).
Compound formulas: made by first-order logical connectives.

Logical Axioms of BPL
Base: axioms of first-order predicate logic with equality.
Rules for trace formulas (for ), where are the list of order-preserving merges of and . Example: (the list of order-preserving merges) is an axiom.
Axioms of universal sentences over terms (known to be decidable [Venkataraman 87]): if is valid in the free term algebra.
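The rule for trace formulas ranges over the list of order-preserving merges of two traces. As an added example (not code from the slides), the following enumerates those merges and then filters them by a send-before-receive constraint; the role traces and the message labels m1..m3 are constructed for the Needham-Schroeder roles shown on the earlier slides.

```python
# Added example (not the slides' code): enumerating the order-preserving
# merges of two trace formulas, the lists that BPL's rules for trace formulas
# range over. A trace is a sequence of primitive actions; an order-preserving
# merge is an interleaving that keeps each trace's own order.
from math import comb

def merges(alpha, beta):
    """Return every order-preserving merge of traces alpha and beta."""
    if not alpha:
        return [list(beta)]
    if not beta:
        return [list(alpha)]
    with_a = [[alpha[0]] + m for m in merges(alpha[1:], beta)]
    with_b = [[beta[0]] + m for m in merges(alpha, beta[1:])]
    return with_a + with_b

def number_of_merges(alpha, beta):
    """There are binomial(|alpha|+|beta|, |alpha|) merges; used as a sanity check."""
    return comb(len(alpha) + len(beta), len(alpha))

def merges_satisfying(alpha, beta, before):
    """Keep only merges in which every (earlier, later) pair in `before` is
    ordered, e.g. a message must be sent before it is received."""
    kept = []
    for m in merges(alpha, beta):
        position = {action: i for i, action in enumerate(m)}
        if all(position[e] < position[l] for e, l in before):
            kept.append(m)
    return kept

# Constructed sample: the NS initiator's and responder's role traces as
# (principal, action, message label) tuples; the labels m1..m3 are our own.
INITIATOR = [("A", "generates", "Na"), ("A", "sends", "m1"),
             ("A", "receives", "m2"), ("A", "sends", "m3")]
RESPONDER = [("B", "receives", "m1"), ("B", "generates", "Nb"),
             ("B", "sends", "m2"), ("B", "receives", "m3")]
SEND_BEFORE_RECEIVE = [(("A", "sends", "m1"), ("B", "receives", "m1")),
                       (("B", "sends", "m2"), ("A", "receives", "m2")),
                       (("A", "sends", "m3"), ("B", "receives", "m3"))]
```

Of the 70 merges of the two role traces, only one respects send-before-receive for all three messages: the intended NS run, with the initiator's nonce generation first.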

An example of the non-logical axioms: Nonce Verification axiom (cf. authentication tests in strand spaces)
Intuitive meaning: does not include (i.e., is not a forwarded message); is the only message sent by P which includes .

An example of the non-logical axioms: Nonce Verification axiom (cf. authentication tests in strand spaces)
Intuitive meaning: does not include (i.e., is not a forwarded message); is the only message sent by P which includes . (Figure: decrypt, send back.)

An example of the non-logical axioms: Nonce Verification axiom (cf. authentication tests in strand spaces)
does not include (i.e., is not a forwarded message); is the only message sent by P which includes .
First-order formalization:

An example of Honesty (The Needham-Schroeder protocol)
A's run: (0) A performs no action; (1) ; (2) .
A's honesty: ((A performs no action); (A performs and A does not perform any other actions); (A performs and A does not perform any other actions)).

Formalization of Honesty (The Needham-Schroeder protocol)
A's honesty (described in BPL):

Main Results on BPL
Complete for a certain formal trace semantics.
Decidable for provability of the query (which represents an agreement property).
Applicable to counter-example generation (i.e., flaw detection).

Formal Trace-Based Semantics
A formal trace model: : name domain; : nonce domain; : free term algebra domain on and along with , , etc.; : a sequence of primitive actions; : valuation, which is extended to an interpretation.
Truth conditions:

Completeness Theorem. For any query (which represents an agreement property), the formula is provable in BPL iff it is true in every model.

Completeness Proof (1): Proof-Search Tree Construction
Proof search (i.e., bottom-up proof construction) is based on the sequent calculus of first-order predicate logic. The proof-search tree is constructed in rounds (each round decomposes the outermost logical symbols):
Round 0: put the query at the bottom of the tree.
Round i: apply the rules for the logical connectives (then go to Round i+1 unless the current topmost sequent is closed, i.e., matches an axiom).

Completeness Proof (1): Proof-Search Tree Construction. (Figure: bottom-up proof search from the agreement formula toward the axioms; counter-example.)

Completeness Proof (2): Main Lemma. For any given query (which represents an agreement property), if its proof-search tree includes a branch which is not closed at the end of Round 3, then there exists a counter-model for the query.

Completeness Proof (3): Construction of Counter-Models
A model obtained from a topmost non-closed sequent at the end of Round 3 (say, ) is as follows:
1. Take the set of literals from and , and solve the satisfaction problem of these literals.
2. Decompose each literal which consists of compound terms (e.g., and ).
3. Take representatives as and (where is the representative of the equivalence class of ).
Interpretations for compound terms and formulas are defined by induction.

Completeness Proof (4): Essential Idea
Let T be the set of terms in Round 3. For any variable (say, ) which appears above Round 3, an equation m = t with some t in T always appears on the left side. Hence the search domain does not increase above Round 3.
(Figure labels: Query: ; (in Honesty); (Axiom of formula); left ( : new variable); (closed).)

Decidability. From the Main Lemma and Soundness: if a query is provable in BPL, then the proof-construction procedure terminates by Round 3.

Counter-Example Generation (1): Realizable Traces
We cannot directly consider counter-models to be attacks on the protocol in question, because some of them are not realizable. We use Comon-Treinen's algorithm for the intruder deduction problem (2003). (An example of an unrealizable trace: )

Counter-Example Generation (2): Realizable Traces. Proof search outputs: provable, or counter-examples; among the counter-examples, the realizable ones (= attacks).

Proposition. For any given query, we can determine whether there exists a realizable counter-example (i.e., a concrete attack on the protocol in question) whenever we set an upper bound on the number of sessions.

Example: Proof construction and counter-example generation for the Needham-Schroeder protocol
The NS protocol:

The NS protocol
Query: if B (responder) executes a run of his role with (i.e., communicating with A using and ).

The NS protocol
Query: if B (responder) executes a run of his role with (i.e., communicating with A using and ).
"B behaves as responder." Intuitively, means that B performs only the responder's actions.

The NS protocol
Query: if B (responder) executes a run of his role with (i.e., communicating with A using and ), and A is honest (i.e., A always acts as initiator).

The NS protocol
Query: if B (responder) executes a run of his role with (i.e., communicating with A using and ), and A is honest (i.e., A always acts as initiator).
A's honesty:

The NS protocol
Query: if B (responder) executes a run of his role with (i.e., communicating with A using and ), and A is honest (i.e., A always acts as initiator), then A executes the run of her role, and A and B agree on the order of the messages exchanged.

The NS protocol

Then, by the Nonce Verification axiom:

The NS protocol. An order-preserving merge of (derived from ).

The NS protocol

Obtained by instantiation for , where is the list of terms such that: the length of each is less than or equal to the maximal length of terms appearing in the query, and each is constructed from atomic terms appearing in the lower sequent.

The NS protocol

The NS protocol (closed)

The NS protocol (closed). This branch is not closed: is not valid in the free term algebra, so is not an axiom.

The NS protocol (closed) (with ): countermodel

The NS protocol (closed) (with ): countermodel, which is Lowe's attack. Participants: A, B, Q. Messages (1), (1'), (2), (3), (3').

The NSL protocol: Lowe's modification of the NS protocol:

The NSL protocol: Lowe's modification of the NS protocol: insert the sender's name.
Insertion of the sender's name makes Lowe's attack impossible, because... (Alice, Bob, Intruder.) In this scenario, A believes that she communicates with I, but she can detect that the message was actually sent by B.
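The realizability test from the Counter-Example Generation slides and the NSL fix above can be checked mechanically. As an added example (not code from the slides, and a plain Dolev-Yao saturation rather than Comon-Treinen's algorithm), the block below builds perfect-encryption terms, lets the intruder learn every message an honest principal sends, and asks whether each message an honest principal receives is derivable: Lowe's interleaving is realizable against NS, while against NSL the message A would have to accept requires the nonce Nb that the intruder never learns. The term encoding, the intruder's initial knowledge (names, public keys, its own private key) and the two traces are our own constructions.

```python
# Added example (not the slides' code): Dolev-Yao style realizability check for a
# counter-model trace under perfect encryption. Terms are nested tuples.
def name(x): return ("name", x)
def nonce(x): return ("nonce", x)
def pk(x): return ("pk", x)
def sk(x): return ("sk", x)
def enc(t, key): return ("enc", t, key)
def pair(*ts):  # right-nested: pair(a, b, c) == ("pair", a, ("pair", b, c))
    return ts[0] if len(ts) == 1 else ("pair", ts[0], pair(*ts[1:]))
def analyse(known):
    """Decomposition closure: split pairs, open encryptions whose private key is known."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if t[0] == "pair":
                new = {t[1], t[2]}
            elif t[0] == "enc" and t[2][0] == "pk" and sk(t[2][1]) in known:
                new = {t[1]}
            else:
                continue
            if not new <= known:
                known |= new
                changed = True
    return known
def derivable(t, known):
    """Synthesis: build t from analysed knowledge by pairing and encrypting."""
    if t in known:
        return True
    if t[0] in ("pair", "enc"):
        return derivable(t[1], known) and derivable(t[2], known)
    return False
def realizable(trace, initial):
    """trace: list of ("send"|"recv", principal, term); returns (True, None) or
    (False, index of the first receive the intruder cannot produce)."""
    known = analyse(initial)  # the intruder sees every honest send
    for i, (act, _principal, t) in enumerate(trace):
        if act == "send":
            known = analyse(known | {t})
        elif not derivable(t, known):
            return False, i
    return True, None
A, B, I, Na, Nb = name("A"), name("B"), name("I"), nonce("Na"), nonce("Nb")
INTRUDER_KNOWS = {A, B, I, pk("A"), pk("B"), pk("I"), sk("I")}
# Lowe's interleaving of two NS sessions (constructed from the slides' figure).
NS_LOWE = [
    ("send", "A", enc(pair(Na, A), pk("I"))),   # (1)  A -> I
    ("recv", "B", enc(pair(Na, A), pk("B"))),   # (1') I(A) -> B
    ("send", "B", enc(pair(Na, Nb), pk("A"))),  # (2)  B -> I(A)
    ("recv", "A", enc(pair(Na, Nb), pk("A"))),  # (2') forwarded to A
    ("send", "A", enc(Nb, pk("I"))),            # (3)  A -> I
    ("recv", "B", enc(Nb, pk("B"))),            # (3') I(A) -> B
]
# Against NSL, (2) carries B's name and A, talking to I, only accepts {Na, Nb, I}_pk(A).
NSL_LOWE = NS_LOWE[:2] + [
    ("send", "B", enc(pair(Na, Nb, B), pk("A"))),
    ("recv", "A", enc(pair(Na, Nb, I), pk("A"))),  # needs Nb: unrealizable
]
```

`realizable(NS_LOWE, INTRUDER_KNOWS)` returns `(True, None)`, whereas `realizable(NSL_LOWE, INTRUDER_KNOWS)` returns `(False, 3)`: the branch that would deliver {Na, Nb, I}_pk(A) to A is closed in the sense of the NSL slides.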

The NSL protocol (closed)

The NSL protocol (closed). This branch is closed.

The NSL protocol (closed). This branch is closed: the set of literals is an axiom, since is valid in the free term algebra.

Realizable counter-examples of the NS protocol (1)
In the proof-search tree there are some open branches, and each topmost sequent is such that its left side includes an order-preserving merge of the following trace formulas (where ), and are satisfied.

Realizable counter-examples of the NS protocol (2)
Counter-model , where is an order-preserving merge of the following formulas:

Conclusions and Future Work
Gave an inference system for proving protocols correct, based on first-order predicate logic. Showed completeness and decidability. Presented how to construct proofs / generate counter-examples.
Future work: implementation for automation; the compositionality issue for automated protocol design.