A Rewriting-Based Inference System for the NRL Protocol Analyzer

(1)

A Rewriting-Based Inference System

for the NRL Protocol Analyzer

Santiago Escobar

Cathy Meadows

Jos ´e Meseguer

UIUC NRL UIUC

(UPV, Valencia, Spain)

(2)

NRL & UIUC

Outline

➀ Motivation

➁ Inference System through the NSPK Example

• Top Level

• Grammar Generation Level

• Reachability Analysis Level

(3)

MOTIVATION NRL & UIUC

Motivation

The NRL Protocol Analyzer (NPA) have been used with great effect on a number of complex real-life protocols

NPA successful because of its ability to use inductive techniques (formal languages) to drastically limit the infinite search space

However, lack of an independent formal specification and model of NPA. Basic techniques are closely intertwined with other features.

⇓ ⇓ Main Contribution ⇓ ⇓

Give a precise formal specification within the rewriting framework: 1. its backwards reachability analysis

(4)

Motivation

The NRL Protocol Analyzer (NPA) have been used with great effect on a number of complex real-life protocols

NPA successful because of its ability to use inductive techniques (formal languages) to drastically limit the infinite search space

However, lack of an independent formal specification and model of NPA. Basic techniques are closely intertwined with other features.

⇓ ⇓ Main Contribution ⇓ ⇓

Give a precise formal specification within the rewriting framework: 1. its backwards reachability analysis

(5)

Benefits

Formal specification in a system accessible to a large community of researchers

Inference system specified as a set of rewrite rules modulo an equational theory describing the behavior of the cryptographic al-gorithms involved

Extension of the equational theory with other algebraic properties of the underlying cryptographic functions

Allows us to make use of theorems from rewriting logic to prove open conjectures about properties of the NPA inference system.

(6)

INFERENCE SYSTEM NRL & UIUC

Inference System

Parametric on (Σ, RP, E)

• Σ is a protocol-specific signature (with type information)

• RP is the rewrite rules describing the protocol

• E is the equational theory describing the underlying algebraic prop-erties (encryption/decryption)

Two things:

1. Protocols (Notation, Semantics, Role in NPA) 2. Grammars (Notation, Semantics, Role in NPA)

(7)

The NSPK Example

Signature Σ :

pk : N ame × _{M sg} → _Enc

sk : N ame × _{M sg} → _Enc

n : N ame × _Integer → _{N once}

r, r0 : → _Integer ; : M sg × _{M sg} → _{M sg} Equational Theory E : pk(Y, sk(Y, Z)) = Z sk(Y, pk(Y, Z)) = Z Protocol rules RP : (p1) ∅ → _pk₍_{B, A}_;_n₍_{A, r}₎₎ (p2) pk(A, n(A, r);Z) → _pk₍_{B, Z}₎_{, f inal}₍_{A, B}_;_n₍_{A, r}₎₎ (p3) pk(B, A;Z) → _pk₍_{A, Z}_;_n₍_{B, r}₎₎ (p4) pk(B, A;Z), pk(B, n(B, r0)) → _{f inal}₍_{B, A}_;_n₍_{B, r}0₎₎ (p5) M1, M2 → M1;M2 (p7) M → sk(Y, M) (p6a) M1;M2 → M1 (p8) M → pk(Y, M) (p6b) M1;M2 → M2

(8)

Grammars

Used by the NPA to reduce the search space obtained by narrowing when performing backwards reachability analysis

Each grammar starts with a seed term and is generated by back-wards narrowing via the protocol rules

Grammars are described in terms of constraints:

1. Terms that the intruder is not expected to know (such as secret keys) (Y /∈I)

2. Instances of the seed term that the intruder may be able to learn

(Y t)

3. Recursive calls to know whether some subterm is in the lan-guage of the grammar (Y ∈L)

(9)

The NSPK Example – Grammars

Seed term sd1 = Y /∈I 7→ X;Y ∈L

(g1.0) Y /∈I_{, Y} _A_;_n₍_{A, r}₎ 7→ _X_;_Y ∈_L

(g1.1) W∈_L 7→ _pk₍_{A, n}₍_{A, r}_);_sk₍_{B, W}₎₎∈_L

(g1.2) W∈_L 7→ _W_;_M2∈L (g1.4) W∈L 7→ pk(Y, W)∈L

(g1.3) W∈_L 7→ _M1;W∈L (g1.5) W∈L 7→ sk(Y, W)∈L

Seed term sd2 = Y /∈I 7→ pk(X, Y )∈L

(g2.0) Z /∈I_{, Z}_Z0_;_n₍_{B, r}₎ 7→ _pk₍_{R, Z}₎∈_L (g2.1) Y /∈I_{, Y} _Z0_;_n₍_{B, r}₎ 7→ _pk₍_{A, n}₍_{A, r}_);_Y ₎∈_L (g2.2a) Y ∈_L 7→ ₍_Y _;_M2)∈L (g2.3) Y ∈L 7→ pk(Y 0 , Y )∈_L (g2.2b) Y ∈_L 7→ ₍_M1;Y )∈L (g2.4) Y ∈L 7→ sk(Y 0, Y )∈L

(10)

INFERENCE SYSTEM – TOP LEVEL NRL & UIUC

Top Level - NSPK

(1) Grammar Generation: where G0_sd₁ = {sd1} and G0_sd₂ = {sd2}

G0 = hG0_sd₁, G0_sd₂i VP_,G₀ G₁ = hG_sd1 ₁, G0_sd₂i VP_,G₁ G₂ = hG!_sd₁, G0_sd₂i

V_P_,_G₂ G₃ = hG!

sd1, G

!

sd2i

(2) Reachability Analysis: Useless backwards narrowing derivations are cut by grammars:

h pk(B, n(B, r)), . . . i

∗ P_,G

h M1;pk(B, n(B, r)), . . . i

using protocol rule p6b ≡ (M₁;M₂) → M₂, but

h G!_sd₁, (pk(B, n(B, r))∈I/ ) i ` (M1;pk(B, n(B, r)))∈L

(11)

INFERENCE SYSTEM – GRAMMAR GENERATION NRL & UIUC

Grammar Generation - NSPK

Consider G2 = hG!_sd₁, G0_sd₂i VP_,G₂ G₃ = hG!_sd₁, G!_sd₂i with

G0_sd₂ = {sd₂ = Y /∈I 7→ pk(X, Y )∈L}

For each backwards narrowing step sd₂ _σ,P_,G₂_,G0

sd₂ g

0_{, apply some}

heuristics and generate a new grammar rule or constraint to be included in G!_sd₂. For example, Z /∈ I 7→ pk(R, Z)∈L _σ,P_,G₂_,G0 sd₂ Z /∈ I 7→ pk(A, n(A, r);Z)∈L ≡ g 0 ⇓⇓ heuristics_G0 sd₂,S1(sd2, id_{, g}0_{) =} h∅_,{ _{Y /}∈I 7→ _pk₍_{A, n}₍_{A, r}_);_Y )∈_L }i ⇓⇓

(12)

Dependencies in Grammar Generation

G_i V_P_,_G i Gi+1 z z L%% L L L L L L L L L L L L L L s s ggggg newGrammars(G,C,H) t t hhhh h + + X X X X X X X X X α(G,C) β(G,C) Gb optimize(G) t t iiii iiii hC,H, Gi ⇒ P,G_{i ,G}k_j,s hC0,H0, G0 i removeContrainsts(G) removeRules(G) heuristics Gk j,s (g, σ, g0) s s gggg ggg hG_{i ,}Di ` C t t jjjj jjjj j g σ,P,G_{i ,G}k j g0 o o s s hhhh hhhh h c v c0 →R−_G1 R −1 Gk j • σ,R−1 P ,EP

(13)

The relation

_G

_i

V

_P_,_G i

G

i+1 Gi VP_,G_i G_i₊₁ if Gi = hG!₁, . . . , G!_j−₁, Gk_j, . . . , Gk_nni, Gi+1 = hG!₁, . . . , G!_j−₁, Gk_j+1, . . . , Gk_nni, and Gk_j+1 6≡ Gk_j ; where h∅,∅, Gk_j i ⇒!_P_,_G i,Gk_j,s hC,H,∅i and Gk_j+1 = optimize(newGrammar_s(Gk_j ,C,H))

(14)

The Backwards Narrowing Relation

g

_σ,_P_,_G

i,Gk_j

g

0 g _σ,P_,G_i_,Gk j g 00 if g • σ,R−_P1,EP g 0_, _g0 _! R−1 Gk j g00, and g00 is Gi-expandable g00 ≡ c1, . . . , ck 7→ (t1, . . . , tn)∈L is Gi-expandable iff

(i) there is no c_i and t_j such that c_i ≡ (t_j 6∈ I),

(ii) for each c_i of the form (ut), ∃θ : θ(u) ≡ θ(t), and (iii) for each t_j, hGi,(c1, . . . , ck)i 6` (ti∈L).

(15)

The Operator

heuristics

_Gk

j,s

(

g, σ, g

0

₎

H1 ∃si, p ∈ Pos(si) : hG k j,Di ` (si|p ∈ L) heuristics_Gk j,s(g, σ, g 0_{) =} _h∅_,_{_Y _∈ _L _7→ _s i[Y ]p∈L}i H2a ∃di ∈ D : di ≡ (u /∈ I) ∧ u 6∈ X heuristics_Gk j,s(g, σ, g 0_{) =} h{Xu},∅i H2b σ(t) 6≡ t ∀ci ∈ C : ci 6≡ (X ∈ L) heuristics_Gk j,s(g, σ, g 0_{) =} _h{_t σ(t)},∅i H3 ∃di ∈ D, sj, p ∈ Pos(sj) : di ≡ (sj|p 6∈ I) heuristics_Gk j,s(g, σ, g 0_{) =} _h∅_,_{_Y _{6∈ I 7→} _s j[Y ]p∈L}i

(16)

Grammar Generation (More Examples) - NSPK

For example, sd2 ≡ Z /∈ I 7→ pk(R, Z)∈L _id,P_,G_i_,Gk_j g 0 ≡ Z /∈ I 7→ pk(R, Z);M2∈L ⇓⇓ heuristics_G₀_,S₁(g,id_{, g}0_{) =} _h∅_,_{_Y _∈_L _7→ _Y _;_M₂_∈_L_}i ⇓⇓ G!_sd₂ = optimize(newGrammarS1(G_sd0 ₂, . . . , Y ∈L 7→ Y ;M2∈L, . . .})) For example, sd2 ≡ Z /∈ I 7→ pk(R, Z)∈L _[_Z/A_;_n₍_A,r_)]_,P_,G_i_,Gk j g 0 _≡ _A_;_n₍_{A, r}₎ _{∈ I 7→ ∅}_/ ⇓⇓ heuristicsG0,S1(g,id, g 0 ) = h{ZA;n(A, r)},∅i ⇓⇓ G! = optimize(newGrammar (G0 , . . . , ZA;n(A, r), . . .}))

(17)

INFERENCE SYSTEM – REACHABILITY ANALYSIS NRL & UIUC

Reachability Analysis - NSPK

hf inal(B, A;n(B, r)), i ∗ P,Gh(pk(B, A;Z), pk(B, n(B, r))), w1i ∗ P,Ghpk(B, n(B, r))), w2i ∗ P,Ghn(B, r), w3i ∗ P,Ghpk(Y 0_{, n(B, r)), w4}_i ∗ P,Ghpk(A, n(A, r 0_);_{n(B, r)), w5}_i ∗ P,Ghpk(B, A;n(A, r 0_{)), w} 6i ∗ P,GhA;n(A, r 0 ), w7i ∗ P,Ghpk(Y 0_{, A;}_{n(A, r}0_{)), w8}_i ∗ P,Gh∅, w9i 1. A ,→ I : {NA, A}K_I 2. IA ,→ B : {KA, A}K_B 3. B ,→ A : {NA, NB}K_A 4. A ,→ I : {NB}K_I 5. I ,→ B : {NB}K_B

(18)

Reachability Analysis

ht, wi P_,G ht0, σ(t|_p.w)i if t p • σ,R_P−1,EP t

0 _{and for each} _s

i ∈ t0,

hG, ctr(w)i 6` (s_i∈I)/ and hG, ctr(w)i 6` (s_i∈L); where ctr(u1.· · · .un) = (u1∈I/ , . . . , un∈I/ ).

(19)

Conclusions & long-term goals

Precise rewriting-based formalization of the NPA inference system: grammar generation mechanisms and narrowing-based backwards reachability analysis.

1. Implementation of our rewrite-rule based inference system in Maude

2. Experimentation with such an implementation, and comparison with the original NPA tool.

3. Generalization of our inference system to handle equational theo-ries for the underlying cryptography

4. Development of a next-generation NPA-like tool based on such a generalized inference system