A Rewriting-Based Inference System for the NRL Protocol Analyzer

Size: px

Start display at page:

Download "A Rewriting-Based Inference System for the NRL Protocol Analyzer"

Henry White
8 years ago
Views:

1 A Rewriting-Based Inference System for the NRL Protocol Analyzer Santiago Escobar Cathy Meadows José Meseguer UIUC NRL UIUC (UPV, Valencia, Spain) PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE 9-10

2 Outline ➀ Motivation ➁ Inference System through the NSPK Example Top Level Grammar Generation Level Reachability Analysis Level ➂ Conclusions & long-term goals PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

Reachability Analysis Level ➂ Conclusions & long-term

3 MOTIVATION Motivation The NRL Protocol Analyzer (NPA) have been used with great effect on a number of complex real-life protocols NPA successful because of its ability to use inductive techniques (formal languages) to drastically limit the infinite search space However, lack of an independent formal specification and model of NPA. Basic techniques are closely intertwined with other features. PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

drastically limit the infinite search space However, lack of an independent formal specification and model of

4 MOTIVATION Motivation The NRL Protocol Analyzer (NPA) have been used with great effect on a number of complex real-life protocols NPA successful because of its ability to use inductive techniques (formal languages) to drastically limit the infinite search space However, lack of an independent formal specification and model of NPA. Basic techniques are closely intertwined with other features. Main Contribution Give a precise formal specification within the rewriting framework: 1. its backwards reachability analysis 2. its grammar-based techniques for invariant generation PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE a

and model of NPA. Basic techniques are closely intertwined with other features.

5 MOTIVATION Benefits Formal specification in a system accessible to a large community of researchers Inference system specified as a set of rewrite rules modulo an equational theory describing the behavior of the cryptographic algorithms involved Extension of the equational theory with other algebraic properties of the underlying cryptographic functions Allows us to make use of theorems from rewriting logic to prove open conjectures about properties of the NPA inference system. Comparison with other narrowing-based tools and techniques PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

algebraic properties of the underlying cryptographic functions Allows us to make use of theorems from rewriting logic to prove open conjectures

6 INFERENCE SYSTEM Inference System Parametric on (Σ, R P, E) Σ is a protocol-specific signature (with type information) R P is the rewrite rules describing the protocol E is the equational theory describing the underlying algebraic properties (encryption/decryption) Two things: 1. Protocols (Notation, Semantics, Role in NPA) 2. Grammars (Notation, Semantics, Role in NPA) PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

underlying algebraic properties (encryption/decryption) Two things: 1.

7 INFERENCE SYSTEM The NSPK Example Signature Σ : pk : Name Msg Enc sk : Name Msg Enc n : Name Integer Nonce r, r : Integer ; : Msg Msg Msg Equational Theory E : pk(y, sk(y, Z)) = Z sk(y, pk(y, Z)) = Z Protocol rules R P : (p1) pk(b, A; n(a, r)) (p2) pk(a, n(a, r); Z) pk(b, Z), final(a, B; n(a, r)) (p3) pk(b, A; Z) pk(a, Z; n(b, r)) (p4) pk(b, A; Z), pk(b, n(b, r )) final(b, A; n(b, r )) (p5) M 1, M 2 M 1 ; M 2 (p7) M sk(y, M) (p6a) M 1 ; M 2 M 1 (p8) M pk(y, M) (p6b) M 1 ; M 2 M 2 PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

pk(b, Z), final(a, B; n(a, r)) (p3) pk(b, A; Z) pk(a, Z; n(b, r)) (p4) pk(b, A; Z), pk(b, n(b, r )) final(b, A; n(b, r )) (p5) M 1, M

8 INFERENCE SYSTEM Grammars Used by the NPA to reduce the search space obtained by narrowing when performing backwards reachability analysis Each grammar starts with a seed term and is generated by backwards narrowing via the protocol rules Grammars are described in terms of constraints: 1. Terms that the intruder is not expected to know (such as secret keys) (Y / I) 2. Instances of the seed term that the intruder may be able to learn (Y t) 3. Recursive calls to know whether some subterm is in the language of the grammar (Y L) PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

Terms that the intruder is not expected to know (such as secret keys) (Y / I) 2.

9 INFERENCE SYSTEM The NSPK Example Grammars Seed term sd 1 = Y / I X; Y L (g1.0) Y / I, Y A; n(a, r) X; Y L (g1.1) W L pk(a, n(a, r); sk(b, W )) L (g1.2) W L W ; M 2 L (g1.4) W L pk(y, W ) L (g1.3) W L M 1 ; W L (g1.5) W L sk(y, W ) L Seed term sd 2 = Y / I pk(x, Y ) L (g2.0) Z / I, ZZ ; n(b, r) pk(r, Z) L (g2.1) Y / I, Y Z ; n(b, r) pk(a, n(a, r); Y ) L (g2.2a) Y L (Y ; M 2 ) L (g2.3) Y L pk(y, Y ) L (g2.2b) Y L (M 1 ; Y ) L (g2.4) Y L sk(y, Y ) L PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

5) W L sk(y, W ) L Seed term sd 2 = Y / I pk(x, Y ) L (g2.0) Z / I, ZZ ; n(b, r) pk(r, Z) L (g2.

10 INFERENCE SYSTEM TOP LEVEL Top Level - NSPK (1) Grammar Generation: where G 0 sd 1 = {sd 1 } and G 0 sd 2 = {sd 2 } G 0 = G 0 sd 1, G 0 sd 2 P,G0 G 1 = G 1 sd 1, G 0 sd 2 P,G1 G 2 = G! sd 1, G 0 sd 2 P,G2 G 3 = G! sd 1, G! sd 2 (2) Reachability Analysis: Useless backwards narrowing derivations are cut by grammars: pk(b, n(b, r)),... M 1 ; pk(b, n(b, r)),... P,G using protocol rule p6b (M 1 ; M 2 ) M 2, but G! sd 1, (pk(b, n(b, r))/ I) (M 1 ; pk(b, n(b, r))) L using g1.0 (Y / I, Y A; n(a, r) X; Y L) PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

.. M 1 ; pk(b, n(b, r)),... P,G using protocol rule p6b (M 1 ; M 2 ) M 2, but G!

11 INFERENCE SYSTEM GRAMMAR GENERATION Grammar Generation - NSPK Consider G 2 = G! sd 1, G 0 sd 2 P,G2 G 3 = G! sd 1, G! sd 2 with G 0 sd 2 = {sd 2 = Y / I pk(x, Y ) L} For each backwards narrowing step sd 2 σ,p,g2,g 0 sd 2 g, apply some heuristics and generate a new grammar rule or constraint to be included in G! sd 2. For example, Z / I pk(r, Z) L σ,p,g2,g 0 Z / I pk(a, n(a, r); Z) L g sd 2 heuristics G 0 sd2,s1(sd 2, id, g ) =, { Y / I pk(a, n(a, r); Y ) L } G! sd 2 = optimize(newgrammar S1 (G 0 sd 2,..., Y / I pk(a, n(a, r); Y ) L,...})) PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

sd 2 with G 0 sd 2 = {sd 2 = Y / I pk(x, Y ) L} For each backwards narrowing step sd 2 σ,p,g2,g 0 sd 2 g, apply some heuristics and generate a new

12 INFERENCE SYSTEM GRAMMAR GENERATION Dependencies in Grammar Generation newgrammars(g, C, H) G i P,Gi G i+1 α(g, C) β(g, C) b G removecontrainsts(g) c c optimize(g) removerules(g) G i, D C R 1 G C, H, G P,Gi,G k j,s C, H, G heuristics G k j,s (g, σ, g ) R 1 G k j g σ,p,gi,g k j σ,r 1 P,E P g PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

removerules(g) G i, D C R 1 G C, H, G P,Gi,G k j,s C, H, G heuristics G k j,s (g, σ, g

13 INFERENCE SYSTEM GRAMMAR GENERATION The relation G i P,Gi G i+1 G i P,Gi G i+1 if G i = G! 1,..., G! j 1, Gk j,..., Gk n n, G i+1 = G! 1,..., G! j 1, Gk+1 j,..., G k n n, and G k+1 j G k j ; where,, G k j! P,G i C, H, and,g k j,s = optimize(newgrammar s (G k j, C, H)) G k+1 j PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

14 INFERENCE SYSTEM GRAMMAR GENERATION The Backwards Narrowing Relation g σ,p,gi,g k j g g σ,p,gi,g k j g if g σ,r 1 P,E P g, g! R 1 G k j g, and g is G i -expandable g c 1,..., c k (t 1,..., t n ) L is G i -expandable iff (i) there is no c i and t j such that c i (t j I), (ii) for each c i of the form (ut), θ : θ(u) θ(t), and (iii) for each t j, G i, (c 1,..., c k ) (t i L). PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

.., t n ) L is G i -expandable iff (i) there is no c i and t j such that c i (t j I), (ii) for each c i of

15 INFERENCE SYSTEM GRAMMAR GENERATION The Operator heuristics G k j,s(g, σ, g ) H1 s i, p Pos(s i ) : G k j, D (s i p L) heuristics G k j,s(g, σ, g ) =, {Y L s i [Y ] p L} H2a H2b d i D : d i (u / I) u X heuristics G k j,s(g, σ, g ) = {Xu}, σ(t) t c i C : c i (X L) heuristics G k j,s(g, σ, g ) = {tσ(t)}, H3 d i D, s j, p Pos(s j ) : d i (s j p I) heuristics G k j,s(g, σ, g ) =, {Y I s j [Y ] p L} PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

g ) = {Xu}, σ(t) t c i C : c i (X L) heuristics G k j,s(g, σ, g ) = {tσ(t)}, H3 d i D, s j, p Pos(s j ) : d i (s

16 INFERENCE SYSTEM GRAMMAR GENERATION Grammar Generation (More Examples) - NSPK For example, sd 2 Z / I pk(r, Z) L id,p,gi,g g Z / I pk(r, Z); M k j 2 L heuristics G0,S1(g, id, g ) =, {Y L Y ; M 2 L} G! sd 2 = optimize(newgrammar S1 (G 0 sd 2,..., Y L Y ; M 2 L,...})) For example, sd 2 Z / I pk(r, Z) L [Z/A;n(A,r)],P,Gi,G g A; n(a, r) / I k j heuristics G0,S1(g, id, g ) = {ZA; n(a, r)}, G! sd 2 = optimize(newgrammar S1 (G 0 sd 2,..., ZA; n(a, r),...})) PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

17 INFERENCE SYSTEM REACHABILITY ANALYSIS Reachability Analysis - NSPK final(b, A; n(b, r)), ɛ P,G (pk(b, A; Z), pk(b, n(b, r))), w 1 P,G pk(b, n(b, r))), w 2 n(b, r), w 3 P,G pk(y, n(b, r)), w 4 P,G pk(a, n(a, P,G r ); n(b, r)), w 5 pk(b, A; n(a, P,G r )), w 6 A; n(a, P,G r ), w 7 1. A I : {N A, A} KI 2. I A B : {K A, A} KB 3. B A : {N A, N B } KA 4. A I : {N B } KI 5. I B : {N B } KB P,G pk(y, A; n(a, r )), w 8 P,G, w 9 PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

pk(b, A; n(a, P,G r )), w 6 A; n(a, P,G r ), w 7 1. A I : {N A, A} KI 2. I A B : {K A, A} KB 3. B A : {N A, N B } KA 4.

18 INFERENCE SYSTEM REACHABILITY ANALYSIS Reachability Analysis t, w P,G t, σ(t p.w) if t p σ,r 1 P,E P t and for each s i t, G, ctr(w) (s i / I) and G, ctr(w) (s i L); where ctr(u 1..u n ) = (u 1 / I,..., u n / I). PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

19 INFERENCE SYSTEM REACHABILITY ANALYSIS Conclusions & long-term goals Precise rewriting-based formalization of the NPA inference system: grammar generation mechanisms and narrowing-based backwards reachability analysis. 1. Implementation of our rewrite-rule based inference system in Maude 2. Experimentation with such an implementation, and comparison with the original NPA tool. 3. Generalization of our inference system to handle equational theories for the underlying cryptography 4. Development of a next-generation NPA-like tool based on such a generalized inference system 5. The meta-logical properties of the current inference system PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE

Experimentation with such an implementation, and comparison with the original NPA tool. 3.

STATUS REPORT ON MAUDE-NPA TOOL

STATUS REPORT ON MAUDE-NPA TOOL Catherine Meadows Santiago Escobar Jose Meseguer September 28, 2006 1 GOAL Extend standard free algebra model of crypto protocol analysis to deal with algebraic properties