6 research outputs found
Analysis of the IBM CCA Security API Protocols in Maude-NPA
Standards for cryptographic protocols have long been attractive
candidates for formal verification. It is important that such standards
be correct, and cryptographic protocols are tricky to design and subject
to non-intuitive attacks even when the underlying cryptosystems are secure.
Thus a number of general-purpose cryptographic protocol analysis
tools have been developed and applied to protocol standards. However,
there is one class of standards, security application programming interfaces
(security APIs), to which few of these tools have been applied.
Instead, most work has concentrated on developing special-purpose tools
and algorithms for specific classes of security APIs. However, there can
be much advantage gained from having general-purpose tools that could
be applied to a wide class of problems, including security APIs.
One particular class of APIs that has proven difficult to analyze using
general-purpose tools is that involving exclusive-or. In this paper
we analyze the IBM 4758 Common Cryptographic Architecture (CCA)
protocol using an advanced automated protocol verification tool with
full exclusive-or capabilities, the Maude-NPA tool. This is the first time
that API protocols have been satisfactorily specified and analyzed in the
Maude-NPA, and the first time XOR-based APIs have been specified
and analyzed using a general-purpose unbounded session cryptographic
protocol verification tool that provides direct support for AC theories.
We describe our results and indicate what further research needs to be
done to make such protocol analysis generally effective.Antonio González-Burgueño, Sonia Santiago and Santiago Escobar have been partially supported by the EU (FEDER) and the Spanish MINECO under grants TIN 2010-21062-C02-02 and TIN 2013-45732-C4-1-P, and by Generalitat Valenciana PROMETEO2011/052. José Meseguer has been partially supported by NSF Grant CNS 13-10109.González Burgueño, A.; Santiago Pinazo, S.; Escobar Román, S.; Meadows, C.; Meseguer, J. (2014). Analysis of the IBM CCA Security API Protocols in Maude-NPA. En Security Standardisation Research. Springer International Publishing. 111-130. https://doi.org/10.1007/978-3-319-14054-4_8S111130Abadi, M., Blanchet, B., Fournet, C.: Just fast keying in the pi calculus. ACM Trans. Inf. Syst. Secur. 10(3) (2007)Blanchet, B.: An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW 2014), Cape Breton, Nova Scotia, Canada, June 2001, pp. 82–96. IEEE Computer Society (2014)Bond, M.: Attacks on cryptoprocessor transaction sets. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 220–234. Springer, Heidelberg (2001)Butler, F., Cervesato, I., Jaggard, A.D., Scedrov, A.: A formal analysis of some properties of kerberos 5 using msr. In: CSFW, pp. 175–1790. IEEE Computer Society (2002)Cachin, C., Chandran, N.: A secure cryptographic token interface. In: Proceedings of the 22nd IEEE Computer Security Foundations Symposium, CSF 2009, Port Jefferson, New York, USA, July 8-10, pp. 141–153 (2009)Chevalier, Y., Küsters, R., Rusinowitch, M., Turuani, M.: An NP decision procedure for protocol insecurity with XOR. In: 18th Annual IEEE Symposium on Logic in Computer Science, LICS 2003 (2003)Comon-Lundh, H., Shmatikov, V.: Intruder deductions, constraint solving and insecurity decision in presence of exclusive-or. In: 18th Annual IEEE Symposium on Logic in Computer Science (LICS 2003), pp. 271–280 (2003)Comon-Lundh, H., Cortier, V.: New decidability results for fragments of first-order logic and application to cryptographic protocols. In: Nieuwenhuis, R. (ed.) RTA 2003. LNCS, vol. 2706, pp. 148–164. Springer, Heidelberg (2003)Cortier, V., Keighren, G., Steel, G.: Automatic analysis of the aecurity of XOR-based key management schemes. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 538–552. Springer, Heidelberg (2007)Cortier, V., Steel, G.: A generic security API for symmetric key management on cryptographic devices. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 605–620. Springer, Heidelberg (2009)Erbatur, S., et al.: Effective Symbolic Protocol Analysis via Equational Irreducibility Conditions. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 73–90. Springer, Heidelberg (2012)Escobar, S., Meadows, C., Meseguer, J.: Maude-NPA: Cryptographic Protocol Analysis Modulo Equational Properties. In: Aldini, A., Barthe, G., Gorrieri, R. (eds.) FOSAD 2007/2008/2009. LNCS, vol. 5705, pp. 1–50. Springer, Heidelberg (2007)Escobar, S., Meadows, C., Meseguer, J., Santiago, S.: Sequential Protocol Composition in Maude-NPA. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 303–318. Springer, Heidelberg (2010)Thayer Fabrega, F.J., Herzog, J., Guttman, J.: Strand Spaces: What Makes a Security Protocol Correct? Journal of Computer Security 7, 191–230 (1999)González-Burgueño, A.: Protocol Analysis Modulo Exclusive-Or Theories: A Case study in Maude-NPA. Master’s thesis, Universitat Politècnica de València (March 2014), https://angonbur.webs.upv.es/Previous_work/Master_Thesis.pdfIBM. Comment on Mike’s Bond paper A Chosen Key Difference Attack on Control Vectors (2001), http://www.cl.cam.ac.uk/~mkb23/research/CVDif-Response.pdfIBM. CCA basic services reference and guide: CCA basic services reference and guide for the IBM 4758 PCI and IBM 4764 (2001), http://www-03.ibm.com/security/cryptocards/pdfs/bs327.pdf.2008Keighren, G.: Model Checking IBM’s Common Cryptographic Architecture API. Technical Report 862, University of Edinburgh (October 2006)Kemmerer, R.A.: Using formal verification techniques to analyze encryption protocols. In: IEEE Symposium on Security and Privacy, pp. 134–139. IEEE Computer Society (1987)Küsters, R., Truderung, T.: Reducing protocol analysis with xor to the xor-free case in the horn theory based approach. J. Autom. Reasoning 46(3-4), 325–352 (2011)Linn, J.: Generic security service application program interface version 2, update 1. IETF RFC 2743 (2000), https://datatracker.ietf.org/doc/rfc2743Longley, D., Rigby, S.: An automatic search for security flaws in key management schemes. Computers & Security 11(1), 75–89 (1992)Meadows, C.: Applying formal methods to the analysis of a key management protocol. Journal of Computer Security 1(1) (1992)Meadows, C.: The NRL protocol analyzer: An overview. Journal of Logic Programming 26(2), 113–131 (1996)Meadows, C., Cervesato, I., Syverson, P.: Specification and Analysis of the Group Domain of Interpretation Protocol using NPATRL and the NRL Protocol Analyzer. Journal of Computer Security 12(6), 893–932 (2004)Meadows, C.: Analysis of the internet key exchange protocol using the nrl protocol analyzer. In: IEEE Symposium on Security and Privacy, pp. 216–231. IEEE Computer Society (1999)Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic snalysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013)Mukhamedov, A., Gordon, A.D., Ryan, M.: Towards a verified reference implementation of a trusted platform module. In: Christianson, B., Malcolm, J.A., Matyáš, V., Roe, M. (eds.) Security Protocols 2009. LNCS, vol. 7028, pp. 69–81. Springer, Heidelberg (2013)National Institute of Standards and Technology. FIPS PUB 46-3: Data Encryption Standard (DES), supersedes FIPS 46-2 (October 1999)Nieuwenhuis, R. (ed.): CADE 2005. LNCS (LNAI), vol. 3632. Springer, Heidelberg (2005)Steel, G.: Deduction with xor constraints in security api modelling. In: Nieuwenhuis (ed.) [30], pp. 322–336Verma, K.N., Seidl, H., Schwentick, T.: On the complexity of equational horn clauses. In: Nieuwenhuis (ed.) [30], pp. 337–35
Protocol analysis modulo exclusive-or theories: a case study in Maude-MPA
[EN] Escobar of the Universitat Politècnica de València in collaboration with José Meseguer (University of
Illinois at Urbana-Champaign, USA) and Catherine Meadows (Naval Research Lab, Washington, DC,
USA). We focus on protocols using exclusive-or as the only cryptographic properties of symbols, apart
of the standard cancellation of encryption and decryption. The protocols analyzed in this document are
borrowed from the paper ”Reducing Protocol Analysis with XOR to the XOR- Free Case in the Horn
Theory Based Approach” by Ralf Küesters and Tomasz Truderung published in Journal of Automated
Reasoning, volume 46, pages 325-352, Springer 2011. These protocols are divided into two groups,
those that can be specified in the Alice-Bob notation and those corresponding to an Application
Programming Interface (API). We have proved the same security properties described in KĂĽesters and
Truderung paper, but we go beyond that paper in the sense that we have provided protocol
specifications that meet all the requirements of the original protocols, whereas KĂĽesters and Truderung
paper use simplified versions of these protocols.
The main problem that we have encountered is to specify API protocols in Maude-NPA, since this was
the first time that this kind of protocols were specified in the tool. Another contribution of this thesis is
to confirm that protocols with exclusive-or can be verified in Maude-NPA[ES] El desarrollo de esta tesis final de máster tiene como objetivo verificar diversos protocolos de
seguridad existentes utilizando una herramienta de verificaciĂłn automatizada de protocolos, Maude-
NPA, desarrollada por Santiago Escobar, de la Universitat Politècnica de València , en colaboración con
José Meseguer (Universidad de Illinois en Urbana- Champaign, EE.UU.) y Catherine Meadows (Naval
Research Lab , Washington , DC, EE.UU.). Nos centramos en el uso de protocolos con el operador orexclusivo
como propiedad principal criptográfica de sĂmbolos, asĂ como la cancelaciĂłn estándar de
cifrado y descifrado. Los protocolos analizados en esta tesis los tomamos del artĂculo ”Reducing
Protocol Analysis with XOR to the XOR- Free Case in the Horn Theory Based Approach” de Ralf
Küesters y Tomasz Truderung publicado en el “Journal of Automated Reasoning”, volumen 46, páginas
325-352 en el 2011 en Springer. Estos protocolos se dividen en dos grupos, los que se pueden
especificar en la notaciĂłn Alice-Bob y los correspondientes a una interfaz de programaciĂłn de
aplicaciones (API) . Hemos probado las mismas propiedades de seguridad descritas en el artĂculo de
Ralf Küesters y Tomasz Truderung , pero yendo más allá, en el sentido de que hemos proporcionado
las especificaciones de los protocolos que cumplen con todos los requisitos de los protocolos originales
, mientras que en el artĂculo de Ralf KĂĽesters y Tomasz Truderung utilizan versiones simplificadas de
estos protocolos.
El principal problema que nos hemos encontrado al especificar los protocolos API, es que esta fue la
primera vez que este tipo de protocolos se especificĂł en Maude-NPA. Otra aportaciĂłn de esta tesis es
la confirmación de que los “protocolos or-exclusivos” pueden ser verificados en Maude-NPA .González Burgueño, A. (2014). Protocol analysis modulo exclusive-or theories: a case study in Maude-MPA. http://hdl.handle.net/10251/51784Archivo delegad
Modeling and Analysis of Advanced Cryptographic Primitives and Security Protocols in Maude-NPA
Tesis por compendio[ES] La herramienta criptográfica Maude-NPA es un verificador de modelos especializado para protocolos de seguridad criptográficos que tienen en cuenta las propiedades algebraicas de un sistema criptográfico. En la literatura, las propiedades criptográficas adicionales han descubierto debilidades de los protocolos de seguridad y, en otros casos, son parte de los supuestos de seguridad del protocolo para funcionar correctamente. Maude-NPA tiene una base teórica en la rewriting logic, la unificación ecuacional y el narrowing para realizar una búsqueda hacia atrás desde un patrón de estado inseguro para determinar si es alcanzable o no. Maude-NPA se puede utilizar para razonar sobre una amplia gama de propiedades criptográficas, incluida la cancelación del cifrado y descifrado, la exponenciación de Diffie-Hellman, el exclusive-or y algunas aproximaciones del cifrado homomórfico.
En esta tesis consideramos nuevas propiedades criptográficas, ya sea como parte de protocolos de seguridad o para descubrir nuevos ataques. También hemos modelado diferentes familias de protocolos de seguridad, incluidos los Distance Bounding Protocols or Multi-party key agreement protocolos. Y hemos desarrollado nuevas técnicas de modelado para reducir el coste del análisis en protocolos con tiempo y espacio. Esta tesis contribuye de varias maneras al área de análisis de protocolos criptográficos y muchas de las contribuciones de esta tesis pueden ser útiles para otras herramientas de análisis criptográfico.[CAT] L'eina criptografica Maude-NPA es un verificador de models especialitzats per a protocols de seguretat criptogrà fics que tenen en compte les propietats algebraiques d'un sistema criptogrà fic. A la literatura, les propietats criptogrà fiques addicionals han descobert debilitats dels protocols de seguretat i, en altres casos, formen part dels supòsits de seguretat del protocol per funcionar correctament. Maude-NPA te' una base teòrica a la rewriting lògic, la unificació' equacional i narrowing per realitzar una cerca cap enrere des d'un patró' d'estat insegur per determinar si es accessible o no. Maude-NPA es pot utilitzar per raonar sobre una amplia gamma de propietats criptogrà fiques, inclosa la cancel·lació' del xifratge i desxifrat, l'exponenciacio' de Diffie-Hellman, el exclusive-or i algunes aproximacions del xifratge homomòrfic.
En aquesta tesi, considerem noves propietats criptogrĂ fiques, ja sigui com a part de protocols de seguretat o per descobrir nous atacs. Tambe' hem modelat diferents famĂlies de protocols de seguretat, inclosos els Distance Bounding Protocols o Multi-party key agreement protocols. I hem desenvolupat noves tècniques de modelitzaciĂł' de protocols per reduir el cost de l'analisi en protocols amb temps i espai. Aquesta tesi contribueix de diverses maneres a l’à rea de l’anĂ lisi de protocols criptogrĂ fics i moltes de les contribucions d’aquesta tesi poden ser Ăştils per a altres eines d’anĂ lisi criptogrĂ fic.[EN] The Maude-NPA crypto tool is a specialized model checker for cryptographic security protocols that take into account the algebraic properties of the cryptosystem. In the literature, additional crypto properties have uncovered weaknesses of security protocols and, in other cases, they are part of the protocol security assumptions in order to function properly. Maude-NPA has a theoretical basis on rewriting logic, equational unification, and narrowing to perform a backwards search from an insecure state pattern to determine whether or not it is reachable. Maude-NPA can be used to reason about a wide range of cryptographic properties, including cancellation of encryption and decryption, Diffie-Hellman exponentiation, exclusive-or, and some approximations of homomorphic encryption.
In this thesis, we consider new cryptographic properties, either as part of security protocols or to discover new attacks. We have also modeled different families of security protocols, including Distance Bounding Protocols or Multi-party key agreement protocols. And we have developed new protocol modeling techniques to reduce the time and space analysis effort. This thesis contributes in several ways to the area of cryptographic protocol analysis and many of the contributions of this thesis can be useful for other crypto analysis tools.This thesis would not have been possible without the funding of a set of research projects. The main contributions and derivative works of this thesis
have been made in the context of the following projects:
- Ministry of Economy and Business of Spain : Project LoBaSS Effective Solutions Based on Logic, Scientific Research under award number TIN2015-69175-C4-1-R, this project was focused on using powerful logic-based technologies to analyze safety-critical systems.
- Air Force Office of Scientific Research of United States of America : Project Advanced symbolic methods for the cryptographic protocol analyzer Maude-NPA Scientific Research under award number FA9550-17-1-0286
- State Investigation Agency of Spain : Project FREETech: Formal Reasoning for Enabling and Emerging Technologies Scientific I+D-i Research under award number RTI2018-094403-B-C32Aparicio Sánchez, D. (2022). Modeling and Analysis of Advanced Cryptographic Primitives and Security Protocols in Maude-NPA [Tesis doctoral]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/190915Compendi
Variant-Based Satisfiability
Although different satisfiability decision procedures
can be combined by algorithms such as those of Nelson-Oppen or
Shostak, current tools typically can only support a finite number of
theories to use in such combinations. To make SMT solving more
widely applicable, generic satisfiability algorithms that can
allow a potentially infinite number of decidable theories to be
user-definable, instead of needing to be built in by the
implementers, are highly desirable. This work studies how
folding variant narrowing, a generic
unification algorithm that offers
good extensibility in unification theory, can be extended to
a generic variant-based satisfiability algorithm for the initial
algebras of its user-specified input theories when such theories
satisfy Comon-Delaune's finite variant property (FVP) and some
extra conditions. Several, increasingly larger infinite classes of
theories whose initial algebras enjoy decidable variant-based satisfiability
are identified, and a method based on descent maps to bring other theories
into these classes and to improve the generic
algorithm's efficiency is proposed and illustrated with examples.Partially supported by NSF Grant CNS 13-19109.Ope