Multiset Rewriting and Security
Protocol Analysis
John Mitchell
Stanford University
I. Cervesato, N. Durgin, P. Lincoln, A. Scedrov
Outline
Protocol security
Analysis methods
Multiset rewriting with 
• Rewrite formalism with “choose new value”
• Protocol modeling within this framework
Decision problems
Applications of the MSR framework
Protocol Security
Cryptographic Protocol
• Program distributed over network
• Use cryptography to achieve goal
Attacker
• Read, intercept, replace messages, and
remember their contents
Correctness
• Attacker cannot learn protected secret
or cause incorrect protocol completion
Needham-Schroeder Protocol
{ A, Noncea }
A
Kb
{ Noncea, Nonceb }
{ Nonceb}
Ka
B
Kb
Result: A and B share two private numbers
not known to any observer without Ka-1, Kb -1
Run of protocol
Initiate
A
Respond
B
Attacker
C
D
Correct if no security violation in any run
Anomaly in N-S Protocol
[Lowe]
{A, Na}
A
E
{Na, Nb} Ka
{Nb}
Evil agent E tricks
honest A into revealing
private key Nb from B.
Evil E can then fool B.
Ke
Ke
{Na, Nb}
{A, Na}
Ka
B
Kb
Contract Signing (Fair Exchange)
Immunity
deal
Both parties want to sign a contract
Neither wants to commit first
General protocol outline
I am going to sign the contract
I am going to sign the contract
A
Here is my signature
B
Here is my signature
Trusted third party can force contract
• Third party can declare contract binding if
presented with first two messages.
Asokan-Shoup-Waidner protocol
Agree
Abort
m1= sign(A, c, hash(r_A) )
A
sign(B, m1, hash(r_B) )
r_A
???
sigT (a1,abort)
T
Attack?
m1
m2
A Net
a1
B
r_B
Resolve
B
A
B
A
???
T
sigT (m1, m2)
T
Network
If not already
resolved
Secure Sockets Layer
http
telnet
ftp
Application
nntp
SSL
Transport
Internet
(TCP)
(IP)
Network interface
Physical layer
Common use: https
= http over SSL
Handshake Protocol
Signature: signCA{ … }
Encryption: { … }K
Hash: Hash( … )
ClientHello
CS
C, VerC, SuiteC, NC
ServerHello
SC
VerS, SuiteS, NS, signCA{ S, KS }
ClientVerify
CS
signCA{ C, VC }
{ VerC, SecretC } K
S
signC { Hash( Master(NC, NS, SecretC) + Pad2 +
Hash(Msgs + C + Master(NC, NS, SecretC) + Pad1)) }
(Change to negotiated cipher)
ServerFinished S  C { Hash( Master(NC, NS, SecretC) + Pad2 +
Hash( Msgs + S + Master(NC, NS, SecretC) + Pad1))
} Master(NC, NS, SecretC)
ClientFinished C  S
{ Hash( Master(NC, NS, SecretC) + Pad2 +
Hash( Msgs + C + Master(NC, NS, SecretC) + Pad1))
} Master(NC, NS, SecretC)
II.
Analysis Methods
Protocol Analysis Methods
Non-formal approaches
(useful, but no tools…)
• Some crypto-based proofs [Bellare, Rogaway]
• Communicating Turing Machines
[Canetti]
 BAN and related logics
• Axiomatic semantics of protocol steps
 Methods based on operational semantics
• Intruder model derived from Dolev-Yao
• Protocol gives rise to set of traces
– Denotation of protocol = set of runs involving arbitrary
number of principals plus intruder
Example projects and tools
Prove protocol correct
• Paulson’s “Inductive method”, others in HOL, PVS,
• MITRE - Strand spaces
• Process calculus: Abadi-Gordon, Gordon-Jeffrey
Search using symbolic representation of states
• Meadows: NRL Analyzer, Millen: CAPSL
Exhaustive finite-state analysis
• FDR, based on CSP
[Lowe, Roscoe, Schneider, …]
• Murphi, CASPER, CAPSL, …
All depend on behavior of protocol in presence of attack
III. Multiset Rewriting Method
•
A form of rewriting with
–
–
•
One associative, commutative operator
(Banatre, LeMetayer; Chem Abs Machine)
 to generate fresh data
Conventions for modeling protocols,
adversary using rewriting
A notation for inf-state systems
Linear Logic
()
Proof search
(Horn clause)
Multiset
rewriting
Finite Automata
Process
Calculus
• Many previous models are buried in tools
• Define common model in tool-independent formalism
Modeling Requirements
Express properties of protocols
• Initialization
– Principals and their private/shared data
• Nonces
– Generate fresh random data
Model attacker
• Characterize possible messages by attacker
• Cryptography
Set of runs of protocol under attack
Notation commonly found in literature
A  B : { A, Noncea }Kb
B  A : { Noncea, Nonceb }Ka
A  B : { Nonceb }Kb
• The notation describes protocol traces
• Does not
– specify initial conditions
– define response to arbitrary messages
– characterize possible behaviors of attacker
Rewriting Notation
Non-deterministic infinite-state systems
Facts
F ::= P(t1, …, tn)
t ::= x | c | f(t1, …, tn)
Multi-sorted
first-order
atomic formulas
States { F1, ..., Fn }
• Multiset of facts
– Includes network messages, private state
– Intruder will see messages, not private state
Rewrite rules
Transition
• F1, …, Fk  x1 … xm. G1, … , Gn
What this means
• If F1, …, Fk in state , then a next state ’ has
– Facts F1, …, Fk removed
– G1, … , Gn added, with x1 … xm replaced by new symbols
– Other facts in state  carry over to ’
• Free variables in rule universally quantified
Note
• Pattern matching in F1, …, Fk can invert functions
• Linear Logic: F1…Fk  x1 … xm(G1…Gn)
Finite-State Example
a
q1
a
b
q0
a
q3
b
b
• Predicates: State, Input
• Function:

a
b
b
q2
• Constants: q0, q1, q2, q3, a, b, nil
• Transitions: State(q0), Input(a  x)  State(q1), Input(x)
State(q0), Input(b  x)  State(q2), Input(x)
...
Set of rewrite transition sequences = set of runs of automaton
Simplified Needham-Schroeder
 Predicates
Ai, Bi, Ni
-- Alice, Bob, Network in state i
 Transitions
x. A1(x)
A  B: {na, A}Kb
B  A: {na, nb}Ka
A  B: {nb}Kb
A1(x)  N1(x), A2(x)
N1(x)  y. B1(x,y)
B1(x,y)  N2(x,y), B2(x,y)
A2(x), N2(x,y)  A3(x,y)
A3(x,y)  N3(y), A4(x,y)
B2(x,y), N3(y)  B3(x,y)
picture next slide
 Authentication
A4(x,y)  B3(x,y’)  y=y’
A  B: {na, A}Kb
B  A: {na, nb}Ka
A  B: {nb}Kb
Sample Trace
x. A1(x)
A1(na)
A1(x)  A2(x), N1(x)
A2(na)
N1(x)  y. B1(x,y)
A2(na)
B1(x,y)  N2(x,y), B2(x,y)
A2(na)
A2(x), N2(x,y)  A3(x,y)
A3(na, nb)
A3(x,y)  N3(y), A4(x,y)
A4(na, nb)
B2(x,y), N3(y)  B3(x,y)
A4(na, nb)
N1(na)
B1(na, nb)
N2(na, nb)
B2(na, nb)
B2(na, nb)
N3( nb)
B2(na, nb)
B3(na, nb)
Adversary and Cryptography
How powerful is the adversary?
•
•
•
•
Simple replay of previous messages
Block messages; Decompose, reassemble, resend
Statistical analysis, traffic analysis
Timing attacks
How much detail in underlying data types?
• Plaintext, ciphertext and keys
– atomic data or bit sequences
• Encryption and hash functions
– “perfect” cryptography
– algebraic properties: encr(x*y) = encr(x) * encr(y) for
RSA encrypt(k,msg) = msgk mod N
Common Intruder Model
Derived from Dolev-Yao model
• Adversary is nondeterministic process
• Adversary can
–
–
–
–
Block network traffic
Read any message, decompose into parts
Decrypt if key is known to adversary
Insert new message from data it has observed
• Adversary cannot
– Gain partial knowledge
– Guess part of a key
– Perform statistical tests, …
Formalize Intruder Model
 Intercept, decompose and remember messages
N1(x)  M(x)
N3(x)  M(x)
N2(x,y)  M(x), M(y)
 Decrypt if key is known
M(enc(k,x)), M(k)  M(x)
 Compose and send messages from “known” data
M(x)  N1(x), M(x)
M(x), M(y)  N2(x,y), M(x), M(y)
M(x)  N3(x), M(x)
 Generate new data as needed
x. M(x)
Highly nondeterministic, same for any protocol
Attack on Simplified Protocol
x. A1(x)
A1(na)
N1(na)
A1(x)  A2(x), N1(x)
A2(na)
N1(x)  M(x)
A2(na)
M(na)
x. M(x)
A2(na)
M(na), M(na’)
M(x)  N1(x), M(x)
N1(x)  y. B1(x,y)
A2(na)
M(na), M(na’)
A2(na)
M(na), M(na’)
N1(na’)
B1(na’, nb)
Continue “man-in-the-middle” to violate specification
Protocols vs Rewrite rules
Can axiomatize any computational system
But -- protocols are not arbitrary programs
Choose principals
Select roles
Client
Client
TGS
Server
Protocol theory
Initialization theory
• Bounded theory that “precedes” protocol run
• Example:  key. Principal(key)
Role generation theory
• Principal(key)  A0(key), Principal(key)
• Principal(key)  B0(key), Principal(key)
Role theory
• Finite ordered list of rules
Ai(…), Nj(…)  … Ak(…), Nl(x)
where i<k, j<l
• Can also have persistent predicates on left/right
Two-phase intruder theory
Avoid pointless looping by intruder
• M(x), M(y)  N(x,y), M(x), M(y)
• N (x,y)  M(x), M(y)
Phase 1: Decomposition
Phase 2: Composition
Thesis: MSR Model is accurate
Captures
“Dolev-Yao-Needham-Millen-Meadows- …”
model
• MSR defines set of traces protocol and attacker
• Connections with approach in other formalisms
Useful for protocol analysis
• Errors shown by model are errors in protocol
• If no error appears, then no attack can be carried
out using only the actions allowed by the model
IV. Decision Problems
Complexity results using MSR
Bounded #
of roles
Intruder , 
with 
 only
Intruder , 
w/o 
 only
Bounded
use of 
Unbounded
use of 
??
NP –
complete
DExp –
time
Undecidable
All: Finite number of different roles, each role of finite length, bounded message size
Key insight: existential quantification () captures cryptographic
nonce; main source of complexity
[Durgin, Lincoln, Mitchell, Scedrov]
[Durgin, Lincoln, Mitchell, Scedrov]
Corresponding rewrite systems
Bounded #
of subsets
Transfer , 
rules
 only
with 
Transfer , 
rules w/o

 only
Bounded
use of 
Unbounded
use of 
??
NP –
complete
DExp –
time
Undecidable
• Standard set of rules, standard rewrite sequence
–
–
–
–
Partition into disjoint subsets
Each subset progresses finitely
Fixed set of rules move terms from one subset to another
Bounded number of function symbols in any term
Lower bounds from Horn clauses
Bounded #
of roles
Intruder , 
with 
 only
Intruder , 
w/o 
 only
Bounded
# of 
Unbounded
# of 
??
NP-complete:
Provable by Dexptime:
boundedDatalog
length proof
Undecidable:
Datalog + 
All: Finite number of different roles, each role of finite length, bounded message size
Need to show that hard instances of Horn clause inference can be
be represented in the restricted form of a security protocol
[Durgin, Lincoln, Mitchell, Scedrov]
Additional decidable cases
Bounded role instances, unbounded msg size
•
•
•
•
Huima 99: decidable
Amadio, Lugiez: NP w/ atomic keys
Rusinowitch, Turuani: NP-complete, composite keys
Other studies, e.g., Kusters: unbounded # data fields
Constraint systems
• Cortier, Comon: Limited equality test
• Millen, Shmatikov: Finite-length runs
All: bound number of role instances
IV. Refinement and applications of
multiset rewriting framework
Using MSR for protocol analysis
Extensions and general properties
• Add dependent types and subsorting [C]
• DY intruder is most powerful attacker [C]
Relate to other models
• Strand space model [CDLMS]
• Linear logic provability [CDKS]
Prove protocols correct
• Contract signing [Chadha, Kanovich, Scedrov]
• Kerberos 5 [Butler, Cervesato, Jaggard, Scedrov]
[Chadha, Kanovich, Scedrov]
A glimpse of contract signing
Each party enters contract with goal
• Party who wants contract acts to
complete the contract
Correctness is relative to goal
• Do not want well-intentioned party to
suffer
Leads to game-theoretic notions
• If A follows strategy S, then B cannot
achieve win over A
• Or, A follows strategy from some class …
Strategy: example
S
S1
S3
S2
S4
S5
S8
S6
S
• Define execution tree using MSR
• Prune tree according to assumed strategy
• Determine correctness
7
Honest participant
Principle A is said to be honest if
• A moves only according to protocol
Equivalent: A’s key not known to adversary
Interested participant
Honest A is said to be interested if
• Whenever A can choose between
– waiting for a message from B
– asking TTP for an abort
A waits and allows B to move next
[Chadha, Mitchell, Scedrov, Shmatikov]
Optimistic participant
Honest A is said to be optimistic if
• Whenever A can choose between
– waiting for a message from B
– contacting TTP for any purpose
A waits and allows B to move next
Hierarchy
Advantage against honest A
H-adv

Advantage against interested A
I-adv

Advantage against optimistic A
O-adv
MSR model lets us define execution tree
Define strategies, correctness over execution model
(End glimpse of contract signing)
Sophistication of attacks
Low
High
Protocol analysis spectrum
Hand proofs


Poly-time calculus
Multiset rewriting with 
Spi-calculus 
Strands Paulson
 NRL
Bolignano
BAN logic


Protocol logic
Model checking

FDR
Low
High
Protocol complexity

Murj
What’s missing?
(Future directions)
Specification language
• MSR defines traces, execution tree
• Need to specify correctness formally
Programming language?
• Separate commands done from those that remain
• Distinguish local knowledge from global state
Quantification over protocols
• Every protocol satisfying j also satisfies .
• Composition: Properties of Compose(P, Q) from
properties of P and Q
Conclusions
Thesis
• Protocol analysis requires precise
definition of possible runs under attack
• Multiset rewriting with 
–
–
–
–
Provides natural, usable formalism
Captures set of runs
Exhibits uniformity of DY attacker
Related to linear logic, other protocol notations
• Can use proof-theoretic results from LL
• Can approximate MSR model by finite-state analysis
Conclusions
Results
• Decision problems
– NP-complete with bounded role instances
– Dexp-time complete with bounded nonces ()
– Undecidable even if everything else bounded
• Applications
– Metatheory
• Two attackers no better than one
• Correctness of model checking optimizations
– Protocol analysis
• Contract signing, Kerberos v5