Verification of Security Protocols
Author
Abstract
ing nonces by constants, an unbounded execution of the Needham-Schroeder protocol can be represented by the following set CNS of clauses:

⇒ I(enca(〈na, a〉, pub(i)))
I(enca(〈x, a〉, pub(b))) ⇒ I(enca(〈x, nb〉, pub(a)))
I(enca(〈na, y〉, pub(a))) ⇒ I(enca(y, pub(i)))

For simplicity, we have only described the clauses corresponding to the case where A starts sessions with a corrupted agent I and B is willing to answer A. To have a complete description of the protocol, one should also consider the case where A is willing to talk to B, B is willing to talk to I and, symmetrically, all cases where A plays the role of B and B plays the role of A.

The ability of the intruder to analyze and forge new messages can be represented by the following set of clauses CI. It is the simple translation of the deduction system of Figure 1.

I(x), I(y) ⇒ I(〈x, y〉)
I(x), I(y) ⇒ I(sign(x, y))
I(x), I(y) ⇒ I(enc(x, y))
I(x), I(y) ⇒ I(enca(x, y))
I(〈x, y〉) ⇒ I(x)
I(〈x, y〉) ⇒ I(y)
I(enc(x, y)), I(y) ⇒ I(x)
I(enc(x, pub(y))), I(priv(y)) ⇒ I(x)
I(enc(x, priv(y))) ⇒ I(x)

Then the security of a protocol is reduced to checking satisfiability of a set of clauses. For example, the confidentiality of the nonce Nb can be expressed by the satisfiability of the set of clauses CNS ∪ CI ∪ {¬I(nb)}. This modeling of protocols is the approach used by the ProVerif tool [8, 10], which has been successfully used for analyzing many security protocols (see e.g. [1, 11]). Some decidable fragments of Horn clauses, well suited for protocols, have been proposed in [13, 25].

3 Computational Approach

The abstraction of messages by terms and the limited adversary raise some questions regarding the security guarantees offered by such proofs, especially from the perspective of the computational model.

3.1 Brief Presentation of Computational Models

In computational models, messages that are exchanged are bit-strings and depend on a security parameter η which is used, for example, to determine the length of random nonces.
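Returning to the Horn-clause encoding of Section 2 above, the following is an added example (not code from the paper): a small Python checker that closes the intruder's knowledge under the analysis rules of CI, applies the protocol clauses CNS for a bounded number of rounds, and reports whether I(nb) becomes derivable, i.e. whether CNS ∪ CI ∪ {¬I(nb)} is unsatisfiable; it goes beyond the text in also checking Lowe's repaired variant of the protocol, in which B's reply names B. Assumptions: the intruder's initial knowledge (agent names, public keys, priv(i)), which the excerpt does not list; the asymmetric decryption rule is applied to enca, matching the encryption rule (the excerpt prints enc there); the sign and enc(x, priv(y)) rules are omitted because no clause of CNS uses them; and the number of rounds is a bound, unlike ProVerif's unbounded resolution.

```python
COMPOSABLE = {"pair", "enc", "enca", "sign"}  # constructors the intruder may apply (CI)
def is_var(t): return isinstance(t, str) and t.isupper()  # clause variables: uppercase strings
def match(pat, term, s):  # one-way match of a clause pattern against a ground term; None on failure
    if is_var(pat):
        return {**s, pat: term} if pat not in s else (s if s[pat] == term else None)
    if isinstance(pat, str) or isinstance(term, str) or pat[0] != term[0]:
        return s if pat == term else None
    for p, t in zip(pat[1:], term[1:]):
        if (s := match(p, t, s)) is None: return None
    return s
def subst(t, s): return s[t] if is_var(t) else t if isinstance(t, str) else (t[0],) + tuple(subst(a, s) for a in t[1:])
def analyse(K):  # close K under CI's decomposition rules: projection and decryption with a known key
    grow = True
    while grow:
        grow = False
        for t in [t for t in K if isinstance(t, tuple)]:
            if t[0] == "pair": new = {t[1], t[2]}
            elif t[0] == "enc" and t[2] in K: new = {t[1]}                              # symmetric key known
            elif t[0] == "enca" and t[2][0] == "pub" and ("priv", t[2][1]) in K: new = {t[1]}  # priv(y) known
            else: continue
            if not new <= K: K |= new; grow = True
    return K
def solve(pat, K, s):  # yield substitutions under which pat is deducible from K (Figure 1):
    for t in K:        # either pat matches a message already known ...
        if (s2 := match(pat, t, s)) is not None: yield s2
    if isinstance(pat, tuple) and pat[0] in COMPOSABLE:  # ... or the intruder composes it
        for s2 in solve(pat[1], K, s): yield from solve(pat[2], K, s2)
def saturate(clauses, K, rounds):  # apply the protocol clauses for a bounded number of rounds
    K = analyse(set(K))
    for _ in range(rounds):
        for premises, concl in clauses:
            subs = [{}]
            for p in premises: subs = [s2 for s in subs for s2 in solve(p, K, s)]
            K |= {subst(concl, s) for s in subs}
        K = analyse(K)
    return K

enca, pair, pub = (lambda *a: ("enca", *a)), (lambda *a: ("pair", *a)), (lambda *a: ("pub", *a))
# CNS from the text: A starts a session with the corrupt agent I, B answers A; I(t) means t in K.
CNS = [([], enca(pair("na", "a"), pub("i"))),
       ([enca(pair("X", "a"), pub("b"))], enca(pair("X", "nb"), pub("a"))),
       ([enca(pair("na", "Y"), pub("a"))], enca("Y", pub("i")))]
# Lowe's repaired variant, added for contrast: B's reply also names B, and A checks that name.
CNS_LOWE = [CNS[0],
            ([enca(pair("X", "a"), pub("b"))], enca(pair("X", pair("nb", "b")), pub("a"))),
            ([enca(pair("na", pair("Y", "i")), pub("a"))], enca("Y", pub("i")))]
K0 = {"a", "b", "i", pub("a"), pub("b"), pub("i"), ("priv", "i")}  # assumed initial knowledge (not in the excerpt)
def nb_secret(clauses, rounds=3):  # True iff I(nb) is never derived within the bound (clause set satisfiable)
    return "nb" not in saturate(clauses, K0, rounds)
```

nb_secret(CNS) returns False, since I(nb) is derived within two rounds, while nb_secret(CNS_LOWE) returns True within the bound.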
In contrast to symbolic models, the attacker does not perform predetermined actions for analyzing messages, but is modeled by any probabilistic Turing machine running in polynomial time w.r.t. the security parameter. Security properties are also stated in a stronger way than in symbolic models. For example, the confidentiality of a nonce does not only say that an attacker should not be able to output the nonce but also requires that the attacker should not be able to get any partial information about the nonce.

Formally, confidentiality is expressed through a game. The game is parametrized by a bit b and involves an adversary A. The input to the game is the security parameter η. It starts by generating two random nonces n0 and n1. Then the adversary A starts interacting with the protocol Π. It generates new sessions, sends messages to and receives messages from these sessions (as prescribed by the protocol). At some point in the execution the adversary initiates a session and declares this session under attack. Then, in this session, the confidential nonce is instantiated with nb (i.e. one of the two nonces chosen in the beginning of the experiment, the selection being made according to the bit b) and the adversary continues its interaction with the protocol. In the end, the adversary is given n0 and n1 and outputs a guess d. The nonce is computationally secret in Π if the probability that d = b is the same as the probability that d ≠ b, up to some negligible function¹ in the security parameter.

Under the computational approach, the security of protocols is based on the security of the underlying primitives, which in turn is proved assuming the hardness of solving various computational tasks such as factoring or taking discrete logarithms.
The main tools used for proofs are reductions: to prove a protocol secure one shows that a successful adversary against the protocol can be efficiently transformed into an adversary against some primitive used in its construction. Here, quantification is universal over all possible probabilistic polynomial-time adversaries and the execution model that is analyzed is specified down to the bit-string level. Two important implications stem from these features: proofs in the computational model imply strong guarantees (security holds in the presence of an arbitrary probabilistic polynomial-time adversary). At the same time, however, security reductions for even moderately-sized protocols become extremely long, difficult, and tedious.

¹ A function f is said to be negligible if it grows slower than the inverse of any polynomial, that is, for any polynomial P, there exists n0 such that for any n ≥ n0, |f(n)| ≤ 1/P(n).

3.2 Bridging the Gap Between Symbolic and Computational
Similar resources
A short introduction to two approaches in formal verification of security protocols: model checking and theorem proving
In this paper, we briefly review two formal approaches to the verification of security protocols: model checking and theorem proving. Model checking is based on studying the behavior of protocols via generating all different behaviors of a protocol and checking whether the desired goals are satisfied in all instances or not. We investigate Scyther operational semantics as an example of this...
GSLHA: Group-based Secure Lightweight Handover Authentication Protocol for M2M Communication
Machine to machine (M2M) communication, which is also known as machine type communication (MTC), is one of the most fascinating parts of mobile communication technology and also an important practical application of the Internet of Things. The main objective of this type of communication is handling massive heterogeneous devices with low network overheads and high security guarantees. Hence, v...
A Formal Verification Centred Development Process for Security Protocols
This chapter concerns the correct and reliable design of modern security protocols. It discusses the importance of formal verification of security protocols prior to their release by publication or implementation. A discussion on logic-based verification of security protocols and its automation provides the reader with an overview of the current state-of-the-art of formal verification of securi...
An ECC-Based Mutual Authentication Scheme with One Time Signature (OTS) in Advanced Metering Infrastructure
Advanced metering infrastructure (AMI) is a key part of the smart grid; thus, one of the most important concerns is to offer a secure mutual authentication. This study focuses on communication between a smart meter and a server on the utility side. Hence, a mutual authentication mechanism in AMI is presented based on elliptic curve cryptography (ECC) and a one time signature (OTS), consisting o...
Fast and Automatic Verification of Authentication and Key Exchange Protocols
Preliminary versions of this paper appeared in [1, 2]. Summary: It is preferable for authentication and key exchange protocols to be verified automatically and rapidly in accordance with security requirements. In order to meet these requirements, we proposed the security verification method (OKT method) for the aforementioned protocols based on Bellare et al.'s model (BPR model) and showed the...
Approaches to Formal Verification of Security Protocols
In recent times, many protocols have been proposed to provide security for various information and communication systems. Such protocols must be tested for their functional correctness before they are used in practice. Application of formal methods to the verification of security protocols would enhance their reliability, thereby increasing the usability of the systems that employ them. Thus, formal...
Publication date: 2009