Towards more secure networks using formal approaches
Dr. Jayaraj Poroor
DependSoft Consulting
jayaraj@dependsoft.com
http://dependsoft.com
Presented at Dr. C. R. Rao Institute of Advanced Studies
Jan 22, 2013
DependSoft 
Roadmap for the talk
• Formal Methods
• Cryptographic Protocols
• Formal Modeling
• Modeling Language
• A Cryptographic handshake Protocol
• The ProVerif Tool
✓ Motivate
✓ Key Ideas
✗ All details
Formal Methods
Formal methods
• The art and science of describing and reasoning about computing systems using rigorous mathematical techniques that have a well-developed theoretical basis.
[Pictured: Alan Turing (Turing Machine, Bombe machine), John von Neumann (Automata Theory, Stored Program Computer), John McCarthy (Artificial Intelligence, LISP)]
The bridge
[Figure: formal methods as the bridge between THEORY and PRACTICE]
Theory: Computability, Complexity, Expressivity, Automata, Logics, Calculi, Semantics
Practice: Specification, Design & Development, Software & Hardware Systems, Tools
Why do we need it?
• Gain precise understanding of computing systems
▫ Ideas are developed with mathematical rigor
• Rigor pays off
▫ Strong guarantees
▫ Mechanization of synthesis and analysis
• Theory informs
▫ Establishes the limits
▫ Provides efficient algorithms
Reasoning about programs
• What is a correctness property?
▫ Safety + Liveness
• Safety
▫ Something bad will never happen.
• Liveness
▫ Something good will eventually happen.
• Can be expressed mathematically.
Recognizing Safety and Liveness, Alpern and Schneider, Distributed Computing, 1986
Coffee/tea machine as a finite-state automaton
[Figure: state diagram of the coffee/tea machine]
Now we can reason about safety and liveness!
“Reasoning … is nothing but reckoning”, Thomas Hobbes, English Philosopher
Cryptographic Protocols
What are they?
• Concurrent programs that interact via public channels to achieve security objectives.
• “Three-line programs that people still manage to get wrong,” Roger Needham.
• A critical component for ensuring security in today’s distributed systems.
▫ e.g., SSL/TLS, SSH, IPSec, SRTP.
Gavin Lowe. 1995. An attack on the Needham-Schroeder public-key authentication protocol. Inf. Process. Lett. 56, 3 (November 1995), 131-133.
Narrating a simple cryptographic protocol
[Figure: message sequence between A and B]
1. A → B: request, A’s public key
2. B prepares the response
3. B → A: response encrypted with A’s public key
4. A decrypts the response with A’s private key
Many concurrent instances of A’s and B’s are possible.
No guarantee that the response came from B!
Security objectives
• Secrecy
• Strong secrecy
• Origin Authentication
• Integrity
• Authenticated key exchange
• Non-repudiation
• Fairness
• Anonymity
• Availability [1]
[1] Jayaraj Poroor and Bharat Jayaraman, Denial of service attacks on Real-time media through Indirect Contention-in-Hosts, IEEE Internet Computing, 2009.
The fruit flies of formal methods research!
[Figure: visual analogy: cryptographic protocols are to formal methods research as fruit flies are to biology]
Formal reasoning
[Figure: finite-state representation of a cryptographic protocol, with start state S and a state A labelled “Attacker gets the secret!”]
Will attacker get the secret?
Is state A reachable from state S?
Formal Modeling of Cryptographic Protocols
Modeling assumptions
• What are the capabilities of the attacker?
• What are the assumptions behind modeling cryptographic functions?
▫ e.g., AES is cryptanalytically stronger than DES
Be specific!
The Dolev-Yao model
[Figure: Alice, Intruder, Bob]
• All-powerful Intruder
▫ Channel is the Intruder
▫ Intruder can read, modify, fabricate, replay, analyze messages
• Perfect cryptography
▫ Computational complexity abstracted out
Dolev, D.; Yao, A. C. (1983), "On the security of public key protocols", IEEE Trans. on Information Theory IT-29: 198–208
Modeling perfect cryptography
• Functions as symbolic terms
▫ senc(m,k) may be applied to any message m and key k
• Properties of functions as equations
▫ sdec(senc(m,k),k) = m
Equational reasoning 
• Equations: 
▫ mix(salt, water) may be applied to any salt 
▫ mix(salt, empty) = salt 
▫ heat(water) = empty 
▫ heat(salt) = salt 
▫ heat(mix(a,b)) = mix(heat(a),heat(b)) 
• What happens if we: heat(mix(salt,water))?
Equational reasoning
heat(mix(salt,water)) = mix(heat(salt), heat(water))
mix(heat(salt), heat(water)) = mix(heat(salt), empty)
mix(heat(salt), empty) = mix(salt, empty)
mix(salt, empty) = salt
Equational theory
• The set of equalities derivable under
▫ A set of equational axioms +
▫ Rules of equational reasoning (e.g., reflexivity, commutativity)
▫ Proof technique: Matching & rewriting
[Pictured: Don Knuth]
Klop, Term rewriting systems from Church-Rosser to Knuth-Bendix and beyond, LNCS, 90.
Try out
• What do we get?
▫ sdec(sdec(senc(senc(m,k2),k1),k1),k2)
• Remember:
▫ sdec(senc(m,k),k) = m
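As an added example (not from the slides), a small matching-and-rewriting engine in Python that applies the salt/water equations and the sdec(senc(m,k),k) = m equation exactly as the slides describe, and works the “Try out” exercise; the tuple encoding of terms and the function names are this example's own choices.

```python
"""Matching-and-rewriting engine for the equational theories on these slides.

A term is a constant (plain string) or ("f", arg, ...); rule variables are
strings beginning with "?".  Equations are oriented left-to-right and applied
innermost-first until no rule matches: the "matching & rewriting" technique.
"""

def match(pattern, term, binding=None):
    """Return the variable binding that makes `pattern` equal `term`, or None."""
    binding = {} if binding is None else binding
    if isinstance(pattern, str) and pattern.startswith("?"):
        if pattern in binding and binding[pattern] != term:
            return None               # repeated variable, e.g. ?k twice in sdec(senc(?m,?k),?k)
        binding[pattern] = term
        return binding
    if isinstance(pattern, str) or isinstance(term, str):
        return binding if pattern == term else None
    if pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, binding) is None:
            return None
    return binding

def subst(term, binding):
    """Replace the rule variables in `term` according to `binding`."""
    if isinstance(term, str):
        return binding.get(term, term)
    return (term[0],) + tuple(subst(a, binding) for a in term[1:])

def normalize(term, rules, trace=None):
    """Rewrite `term` to normal form; `trace` collects each (before, after) step."""
    if isinstance(term, str):
        return term
    term = (term[0],) + tuple(normalize(a, rules, trace) for a in term[1:])
    for lhs, rhs in rules:
        binding = match(lhs, term)
        if binding is not None:
            result = subst(rhs, binding)
            if trace is not None:
                trace.append((term, result))
            return normalize(result, rules, trace)
    return term

# The salt-and-water equations from the slide, read left to right.
KITCHEN = [
    (("mix", "salt", "empty"), "salt"),
    (("heat", "water"), "empty"),
    (("heat", "salt"), "salt"),
    (("heat", ("mix", "?a", "?b")), ("mix", ("heat", "?a"), ("heat", "?b"))),
]
# Perfect symmetric encryption: sdec(senc(m,k),k) = m and nothing else.
CRYPTO = [(("sdec", ("senc", "?m", "?k"), "?k"), "?m")]

def heat_salt_water():
    """heat(mix(salt,water)) from the slide; normalizes to salt."""
    return normalize(("heat", ("mix", "salt", "water")), KITCHEN)

def try_out():
    """The 'Try out' exercise: sdec(sdec(senc(senc(m,k2),k1),k1),k2)."""
    return normalize(("sdec", ("sdec", ("senc", ("senc", "m", "k2"), "k1"), "k1"), "k2"), CRYPTO)

def wrong_key():
    """Decrypting under the wrong key matches no equation, so the term stays opaque."""
    return normalize(("sdec", ("senc", "m", "k1"), "k2"), CRYPTO)
```

Passing a list as `trace` to `normalize` records the rewriting steps, which for heat(mix(salt,water)) are the four equalities of the next slide in innermost-first order.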
Soundness & Completeness
• Tells us how a model and the reality (model’s intended meaning) are related.
[Figure: MODEL and REALITY connected by Soundness and Completeness; “The Map is not the Territory!”]
Unsoundness
[Figure: a map on which a route exists]
“A route exists from B to A” is a theorem provable in our model; however, the route from B to A does not exist in reality.
Incompleteness
[Figure: a road that exists in reality]
No route exists in our map; however, the road does exist in reality.
Limits of Dolev-Yao models
• Could be computationally unsound
▫ A provably secure protocol could be computationally breakable (e.g., use of DES)
• Incomplete
▫ A secure protocol need not be provable in the model
▫ Undecidable in general for unbounded sessions
Soundness Limits of Dolev-Yao Models, Backes, Pfitzmann, Waidner, FCC, 2006
Modeling Language
Modeling requirements
• Modeling the domain
▫ Unforgeable fresh secrets, nonces
▫ Symbolic encoding of cryptographic functions
⚫ enc(M,k), dec(M, pk(k))
⚫ dec(enc(m,k),k) = m
⚫ xor(xor(m,k),k) = m
• Concurrency and communication
▫ Client parallel with Server
▫ out(channel, encrypted msg), in(channel, msg)
Computational calculus
• Succinct language for studying a particular class of computation
• Results in well-developed theory
▫ Can prove properties of programs
• e.g., λ-calculus: sequential functional-style computation
▫ Influenced functional language development over the last 5 decades
[Pictured: Alonzo Church]
π-calculus
• Communication & concurrency are primitive operations
• Milner, Parrow, Walker, 89
• Numerous extensions, applications
▫ Distributed systems
▫ Programming languages
▫ Biomolecular systems
▫ Cryptographic protocols
[Pictured: Robin Milner]
A multithreaded echo server in Java
[Figure: Java source listing, continued on the next slide; source: http://www.javareference.com/jrexamples/viewexample.jsp?id=47]
Multithreaded echo server in π-calculus
let Echo = in(echo, (client,msg));out(client,msg);0
Two threads: Echo | Echo
Three threads: Echo | Echo | Echo
Unbounded threads: !Echo, i.e., !in(echo, (client,msg));out(client,msg);0
Sending a fresh name
• Java:
▫ Read from random sources
▫ Write to socket, etc.
• π-calculus:
▫ new n; out(channel,n)
The complete π-calculus language
• A process P, Q is one of:
▫ 0
▫ in(c, x); P
▫ out(c, v); P
▫ P | Q
▫ new n; P
▫ if u = v then P else Q
▫ !P
Execution: Informal vs Formal
[Pictured: Gordon Plotkin] G. Plotkin, A Structural Approach to Operational Semantics (1981)
[Figure: Java Program → Compiler → Byte code → JVM → Executions; π-calculus Program → Operational Semantics Rules → Transition Graph]
Sample execution steps
in(echo, (c,x));out(c,x);0 | out(echo, (ret,3));in(ret,y);out(prn,y);0
→ (reduction)
out(ret,3);0 | in(ret,y);out(prn,y);0
→ (reduction)
0 | out(prn,3);0
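An added Python example (not from the talk) that implements the communication rule of the operational semantics for the process language of the previous slides and replays the two reductions above, plus the replicated !Echo server from the echo server slide; the tuple encoding of processes and the helper names are this example's own assumptions.

```python
"""Reduction engine for the π-calculus fragment on these slides.
A sequential process is a list of actions ("in", chan, pattern) / ("out", chan, value)
and the empty list is 0; a replicated process !P is ("!", actions); a system is a
list of processes in parallel.  Assumption (as on the slides): bound variables are
distinct from the free names, so substitution never needs renaming.
"""
def bind(pattern, value, binding=None):
    """Match an input pattern (a variable or a tuple of patterns) against a value."""
    binding = {} if binding is None else binding
    if isinstance(pattern, str):
        binding[pattern] = value
        return binding
    if not isinstance(value, tuple) or len(pattern) != len(value):
        return None
    for p, v in zip(pattern, value):
        if bind(p, v, binding) is None:
            return None
    return binding

def subst(value, binding):
    """Apply the substitution {v/x} to a name, a tuple of values, or a whole action."""
    if isinstance(value, tuple):
        return tuple(subst(v, binding) for v in value)
    return binding.get(value, value) if isinstance(value, str) else value

def step(system):
    """One communication step: out(c,v);P | in(c,x);Q --> P | Q{v/x}; None if stuck."""
    for i, p in enumerate(system):
        if not isinstance(p, list) or not p or p[0][0] != "out":
            continue
        _, chan, value = p[0]
        for j, q in enumerate(system):
            replicated = isinstance(q, tuple)         # ("!", actions)
            actions = q[1] if replicated else q
            if i == j or not actions or actions[0][:2] != ("in", chan):
                continue
            binding = bind(actions[0][2], value)
            if binding is None:
                continue
            new = list(system)
            new[i] = p[1:]
            rest = [subst(a, binding) for a in actions[1:]]
            if replicated:                            # !P stays; a fresh copy runs
                new.append(rest)
            else:
                new[j] = rest
            return new
    return None

def run(system, limit=50):
    """Reduce until stuck; returns the sequence of states (a path in the transition graph)."""
    states = [system]
    while len(states) <= limit and (nxt := step(states[-1])) is not None:
        states.append(nxt)
    return states

ECHO = [("in", "echo", ("c", "x")), ("out", "c", "x")]
CLIENT = [("out", "echo", ("ret", 3)), ("in", "ret", "y"), ("out", "prn", "y")]

def slide_execution():
    return run([ECHO, CLIENT])        # the two reduction steps shown on the slide

def unbounded_server():
    """!Echo serving two clients at once, as in the multithreaded echo server slide."""
    clients = [[("out", "echo", ("r1", "a"))], [("out", "echo", ("r2", "b"))]]
    return run([("!", ECHO)] + clients)
```

The final state of `slide_execution()` is stuck on out(prn,3) because nothing listens on prn, just as on the slide.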
A Cryptographic Handshake protocol
A naïve handshake protocol
(pk(skB) known)
[Figure: message sequence between A and B]
1. A → B: pk(skA)
2. B generates key k
3. B → A: aenc(sign((pk(skB),k),skB), pk(skA))
4. A → B: senc(s,k)
Bruno Blanchet and Ben Smyth, ProVerif 1.86pl3: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial, Dec 2011
Handshake protocol properties
• Secrecy
▫ Secret s is known only to A and B
• Authentication of A to B
▫ If B believes he has shared key k with A, then B was indeed communicating with A, and A has the shared key k.
• Authentication of B to A
Murphy’s law!
Murphy’s law in cyber security!
[Figure: Center for Cyber Security logo]
If an attack can happen, it will.
Man-in-the-middle attack
[Figure: message sequence among A, the intruder I, and B]
1. I → B: pk(skI)
2. B → I: aenc(sign((pk(skB),k),skB), pk(skI))
3. A → I (which A takes to be B): pk(skA)
4. I → A: aenc(sign((pk(skB),k),skB), pk(skA))
5. A → B: senc(s,k)
I decrypts message 2 with skI, so it learns B’s signed key k and can re-encrypt it for A in message 4; nothing in B’s signature ties k to A, so A accepts it, and I can decrypt senc(s,k).
The fix
[Figure: message sequence between A and B]
1. A → B: pk(skA)
2. B → A: aenc(sign((pk(skA),pk(skB),k),skB), pk(skA))
3. A → B: senc(s,k)
B now signs the requester’s public key together with its own, so A can check that the signed key k was issued for pk(skA).
The ProVerif tool
Short bio
• Follows Dolev-Yao model
▫ CryptoVerif: Computational Model
• Input language: Applied π-calculus
• Reconstructs attacks
▫ Sound when trace is given
• Successfully verified complex protocols/systems
▫ TPM, TLS, JFK, Plutus, electronic voting
Bruno Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. CSFW-14, June 2001.
ProVerif: attack types
• Reachability properties
▫ Secrecy
• Correspondence assertions
▫ Authentication
• Observational equivalence
▫ Non-interference
Symmetric encryption
[Figure: ProVerif declaration of symmetric encryption, annotated with: constructor name, argument types, result type, destructor name, typed variables]
Horn clause representation 
• P(x) if Q1(x) and Q2(x) … and Qn(x) 
• grandparent(x,z) if parent(x,y) and parent(y,z) 
• attacker(m) if attacker(senc(m,k)) and attacker(k) 
• Horn clause logic 
▫ Basis for logic programming 
▫ Resolution Proof: Unification & Search
Model components 
• Constructors & Destructors for: 
▫ Symmetric encryption 
▫ Asymmetric encryption 
▫ Digital signature 
• Process definitions for: 
▫ clientA 
▫ serverB
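An added Python example (not the talk's ProVerif model) that writes clientA and serverB down symbolically, closes the attacker's knowledge under the decomposition Horn clauses from the “Horn clause representation” slide, and replays the man-in-the-middle run from the handshake slides: the naive protocol leaks s, the fixed one rejects the forwarded message. The term encoding and function names are this example's own.

```python
"""Symbolic (Dolev-Yao) model of the handshake protocol on these slides.
Terms are nested tuples: ("pk", sk), ("aenc", m, pk), ("sign", m, sk),
("senc", m, k), ("tuple", ...); names such as "skA", "k" or "s" are strings.
fixed=False is the naive protocol; fixed=True the repaired one (B also signs
the requester's public key).
"""

def saturate(known):
    """Close a knowledge set under the decomposition Horn clauses, e.g.
    attacker(m) if attacker(senc(m,k)) and attacker(k)."""
    known = set(known)
    while True:
        new = set()
        for t in known:
            if isinstance(t, str):
                continue
            if t[0] == "tuple":
                new.update(t[1:])
            elif t[0] == "sign":          # getmess: a signature does not hide its message
                new.add(t[1])
            elif t[0] == "senc" and t[2] in known:
                new.add(t[1])
            elif t[0] == "aenc" and t[2][0] == "pk" and t[2][1] in known:
                new.add(t[1])
        if new <= known:
            return known
        known |= new

def serverB(skB, request_pk, k, fixed):
    """B's reply to a handshake request carrying request_pk, with fresh key k."""
    body = ("tuple", request_pk, ("pk", skB), k) if fixed else ("tuple", ("pk", skB), k)
    return ("aenc", ("sign", body, skB), request_pk)

def clientA(skA, pkB, msg, fixed):
    """A decrypts, checks B's signature and returns the accepted key, or None."""
    if msg[0] != "aenc" or msg[2] != ("pk", skA):
        return None                       # adec(aenc(m, pk(skA)), skA) = m
    sig = msg[1]
    if sig[0] != "sign" or ("pk", sig[2]) != pkB:
        return None                       # checksign succeeds only with B's key
    body = sig[1]
    if fixed:                             # A also checks the message was meant for A
        ok = len(body) == 4 and body[1:3] == (("pk", skA), pkB)
        return body[3] if ok else None
    return body[2] if len(body) == 3 and body[1] == pkB else None

def honest_run(fixed):
    """A talks directly to B; both protocol variants complete with key k."""
    return clientA("skA", ("pk", "skB"), serverB("skB", ("pk", "skA"), "k", fixed), fixed)

def mitm_trace(fixed):
    """Replay the man-in-the-middle run from the slides.
    Returns (A accepted k, attacker learned s)."""
    pkA, pkB, pkI = ("pk", "skA"), ("pk", "skB"), ("pk", "skI")
    known = {pkA, pkB, pkI, "skI"}        # public keys plus the intruder's own key pair
    # 1. I starts a handshake with B under its own key; B answers with fresh key k
    known = saturate(known | {serverB("skB", pkI, "k", fixed)})
    # 2. I recovers B's signed message (it holds skI) and re-encrypts it for A
    signed = next(t for t in known if isinstance(t, tuple) and t[0] == "sign")
    k = clientA("skA", pkB, ("aenc", signed, pkA), fixed)
    if k is None:                         # the fixed check sees pk(skI), not pk(skA)
        return (False, "s" in known)
    # 3. A believes it shares k with B and sends the secret on the public channel
    known = saturate(known | {("senc", "s", k)})
    return (True, "s" in known)
```

`saturate` only decomposes; the intruder's one constructive step (re-encrypting the signed message under pk(skA)) is written out explicitly in `mitm_trace`, which is the reachability question “is s derivable?” from the Formal reasoning slide.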
The system
[Figure: the ProVerif model of the whole system]
Conclusion
• Formal Methods
▫ Rigorous Methods = Theory + Practice
• Cryptographic Protocols
▫ Fruit-flies of formal methods research
• Formal Modeling
▫ The Dolev-Yao model
• Modeling Language
▫ Applied Pi-calculus
• A Cryptographic handshake Protocol
▫ Man-in-the-middle vulnerability
• The ProVerif Tool
▫ Uses Horn-clause logic, sound if trace is given
Thank You. Questions?
jayaraj@am.amrita.edu
Asymmetric encryption
[Figure: ProVerif declaration of asymmetric encryption]
Digital Signature
[Figure: ProVerif declaration of digital signatures]
The client
[Figure: ProVerif process for the client]
The server
[Figure: ProVerif process for the server]
Other Modeling languages/tools 
• Murphi 
• FDR/CSP 
• BAN Logic 
• AVISPA 
• CryptoVerif

Formal analysis-crypto-proto
