A Formal Approach for Automated Reasoning about Off-Line and Undetectable On-Line Guessing

Authors

  • Bogdan Groza
  • Marius Minea
Abstract

Starting from algebraic properties that enable guessing low-entropy secrets, we formalize guessing rules for symbolic verification. The rules are suited for both off-line and on-line guessing and can distinguish between them. We add our guessing rules as state transitions to protocol models that are input to model checking tools. With our proof-of-concept implementation we have automatically detected guessing attacks in several protocols. Some attacks are especially significant since they are undetectable by protocol participants, as they cause no abnormal protocol behavior, a case not previously addressed by automated techniques.

1 Motivation and Related Work

As password-based authentication continues to be used in practice and weak passwords are still chosen by users, detecting protocols subject to guessing attacks is a topic of high interest in security. In this paper we address the problem of formalizing a previously introduced approach to detect guessing attacks in a manner suitable for implementation in an automated verification toolset. We use IF (Intermediate Format), a specification language that can be handled by model checkers such as OFMC (Open Source Fixedpoint Model-Checker) [3] and SATMC (SAT-based Model Checker) [2] from the AVISPA toolset. A previous intention of integrating guessing rules in OFMC exists in [9], which gives a formalization for off-line guessing attacks. In comparison, our contribution proposes a different formalism (with guessing rules based on a different reasoning), which allows us to handle both on-line and off-line attacks. Our guessing rules are implemented at the level of the protocol description language, without requiring the modification of the back-end model checkers. Other concrete implementations of guessing detection rules are by Corin et al. [7], Lowe [13], who used Casper/FDR, and Blanchet [5] in ProVerif, a verifier based on Prolog rules.

Our implementation is based on IF, a specification language which can be handled by several back-end model checkers, notably OFMC and SATMC, which thus gain the ability of detecting guessing attacks. Other theoretical foundations for reasoning about guessing attacks exist. Abadi et al. [1] use indistinguishability of two terms, deduced by static equivalence, to formalize guessing. Equational theories for the applied pi-calculus are used by Corin et al. in [6], while Baudet [4] uses a constraint solving algorithm for an equational theory. Our guessing rules are based on the pseudo-randomness properties of one-way functions. We consider two cases of guessing: first, when the adversary knows the image of a one-way function computed on the secret and other known input; second, when the adversary knows the image of a trapdoor function (encryption) with a key that depends on the secret, and can establish relations on its input. As one-way functions are pseudo-random, the output for a wrong secret cannot match any previously known value, thus a correct guess can be verified. Most prior work addresses only off-line guessing, considering the low-entropy secret large enough to prevent guessing, or that unsuccessful attempts can be blocked. However, in some on-line attacks the protocol behavior is indistinguishable from normal. These attacks are undetectable by participants and especially dangerous. They are also realistic, as one of our case studies, a Norwegian ATM system, illustrates. Undetectable on-line attacks have also been the focus of Ding and Horster [8], but without a formalization or automated detection.

This work is supported in part by FP7-ICT-2007-1 project 216471, AVANTSSAR: Automated Validation of Trust and Security of Service-oriented Architectures. R. Sion (Ed.): FC 2010, LNCS 6052, pp. 391–399, 2010. © IFCA/Springer-Verlag Berlin Heidelberg 2010.

2 Formalization of Guessing Rules

To express the feasibility of guessing, we use, as in [10], the concept of strongly distinguishing functions, which cannot give the same output for two different secrets when these are paired with sufficiently many input choices.

Definition 1. Given $\sigma \in \{0,1\}^k$, we call a function $f(\sigma, x)$ strongly distinguishing in the first argument after $q$ queries if, given any $q$ distinct values $\{x_1, x_2, \ldots, x_q\}$, for all $s_1 \neq s_2$ the probability that $f(s_1, x_i) = f(s_2, x_i)$ for all $i = 1..q$ is at most $2^{-k}$, i.e.,
$$\forall s_1 \neq s_2 .\ \Pr[f(s_1, x_i) = f(s_2, x_i),\ i = 1..q] \le 2^{-k}.$$

Using strongly distinguishing functions, we have characterized the conditions for an intruder's guess in a guessing lemma [10]. However, due to its algebraic rather than symbolic formulation, it cannot be directly implemented in a formal verification tool. Therefore, we will link the concept of strongly distinguishing function (in one query) with a symbolic protocol description.

Protocol descriptions contain terms, which are either atomic or composed. Atomic terms are variables, constants or numbers; composed terms are formed by applying pair, crypt, inv and other predefined operators on atomic terms. Facts are predicates defined over terms, such as iknows, state, contains, etc.

Definition 2. We call a symbolic protocol description P a triple composed of an initial state, a set of transition rules and a set of attack states, i.e., P = (InitialState, TransitionRule*, AttackState*), where: i) the initial state is a conjunction of ground facts, ii) a transition rule has the form LHS ⇒ RHS where LHS and RHS are conjunctions of facts, and LHS may also contain a negated fact and a condition (a conjunction of term equalities and inequalities), iii) an attack state is a conjunction of facts with a condition (like a LHS).

To reason about guessing, we define derivation rules $P \vdash_r T$, denoting that term T can be derived from term set P using rule r. Rule $ihears\ T$ denotes that a term T has been overheard by the intruder during protocol execution. Denote the set of symbols (constants or variables) appearing in term T by S(T). If s ∈ S(T) is such a symbol, we also write $T\ part\ s$. Let $T \xrightarrow{s \leftarrow gen(s')} T'$ denote that term T′ is obtained by substituting any occurrence of the symbol s in T with a fresh symbol $s' \notin S(T)$. For instance, $crypt(s, m) \xrightarrow{s \leftarrow gen(s')} crypt(s', m)$. As a special case, we write $T \xrightarrow{s \leftarrow igen(s')} T'$ if s is substituted by a fresh value chosen by the intruder.

Consider a valuation function v defined on atomic terms with algebraic values, and extended to composed terms through function and operator application. We now relate our symbolic reasoning to the algebraic properties of the protocol.

Definition 3. A symbolic protocol description P is called algebraically dependent on symbol s, denoted $P\ dep\ s$, if for any term T such that $ihears\ T$ and $T\ part\ s$, and considering T′ such that $T \xrightarrow{s \leftarrow gen(s')} T'$, for any valuation v with $v(s) \neq v(s')$ we have $v(T) \neq v(T')$.

Given s ∈ S(T), denote by $O^T_s(\cdot)$ the oracle corresponding to the function obtained by making s a variable in T and keeping other parts of it constant, e.g., $O^{crypt(s,m)}_s(\cdot)$ is the oracle corresponding to f(s) = crypt(s, m).

Lemma 1. The symbolic protocol description P is algebraically dependent on s, i.e., $P\ dep\ s$, if and only if any function f obtained as $O^T_s(\cdot)$, where s ∈ S(T) and $ihears\ T$, is strongly distinguishing in one query.

Lemma 1 relates a symbolic protocol description with the algebraic notion of strongly distinguishing function. Since injective functions are strongly distinguishing in one query, any symbolic protocol description in which a symbol s occurs only in the body of an injective (bijective) function is algebraically dependent on s. In practice, this covers a large class of protocols, since most cryptographic functions are bijective (as are hash functions, if assumed collision-free).

Definition 4. An adversary observes an oracle for a secret s if it hears a term that contains s. The adversary controls an oracle for secret s if by replacing s in a term with a fresh s′ (rule s←igen(s′)) the adversary knows the new term.
$$ihears\ T \wedge T\ part\ s \Rightarrow observes(O^T_s(\cdot)) \quad (1)$$
$$ihears\ T \wedge T \xrightarrow{s \leftarrow igen(s')} T' \wedge iknows\ T' \Rightarrow controls(O^T_s(\cdot)) \quad (2)$$

Lemma 2. Consider a symbolic protocol description P such that $P\ dep\ s$. If an adversary observes and controls an oracle for a low-entropy secret s then the adversary can guess the secret s, i.e.,
$$observes(O^T_s(\cdot)) \wedge controls(O^T_s(\cdot)) \Rightarrow guess(s) \quad (3)$$

This first guessing case involves observing and controlling a one-way function (oracle) that is strongly distinguishing in the secret. A second case uses invertible functions. The adversary can also guess if he or she observes messages encrypted with a key computed as a strongly distinguishing function on the secret, controls the corresponding decryption oracle, and can establish a relation to one or several parts of the encrypted messages. We formalize this case as follows:

Definition 5. We call s-dependent an encryption or decryption oracle that uses a key containing s. An adversary that hears the encryption of some message with a key that contains s is said to observe an s-dependent encryption oracle. Moreover, we say that he controls the corresponding s-dependent decryption oracle if by replacing s in the encryption key with a fresh s′ known to him the adversary can decrypt arbitrary messages encrypted with the new key, i.e.,
$$ihears\ \{M\}_K \wedge K\ part\ s \Rightarrow observes(O^{\{M\}_K}_s(\cdot)) \quad (4)$$
$$\{M\}_K \xrightarrow{s \leftarrow igen(s'),\ M \leftarrow gen(M')} \{M'\}_{K'} \wedge iknows\ M' \Rightarrow controls(O^{\{M\}_{K^{-1}}}_s(\cdot)) \quad (5)$$
Here, {M}_K is the encryption of message M with key K. To keep relation (5) simple, we have left implicit that the adversary must overhear the term {M}_K and the encryption key must contain s, i.e., $ihears\ \{M\}_K \wedge K\ part\ s$ as a premise. This is of course needed for the question of controlling the oracle to make sense.

To express a relation between encrypted inputs we employ a derivation rule $Fact\ concat\ T$ to produce all distinct messages M that satisfy a property Fact(M), by concatenating them into term T. For example, $(ihears\ M)\ concat\ T$ yields a term T that is the concatenation of all distinct terms for which ihears M holds. Similarly, $(ihears\ \{M\}_K \wedge K\ part\ s)\ concat\ T$ produces the concatenation of all distinct messages that are encrypted with a key that contains s. Also, let $T\ split\ \langle T'.T''\rangle$ denote that T′ and T′′ are derived by splitting T into disjoint subsets of terms (at least one of them non-empty).

The second guessing rule provides powerful capabilities: to find a relation between two terms (the relates fact) the adversary can use any available operators: pair, crypt, etc., as well as his Dolev-Yao abilities: fake, overhear, etc. Thus, for deciding relates the adversary can perform any transition allowed by the symbolic protocol description P. The following definition models this intuition.

Definition 6. An adversary can relate two terms T′ and T′′ of a symbolic protocol description P if by adding T′ to the adversary knowledge he can derive T′′ (denoted $T' \vdash_{DY(P)} T''$) using all his abilities over P.
$$T' \vdash_{DY(P)} T'' \Rightarrow relates(T', T'') \quad (6)$$

Lemma 3. Let P be a symbolic protocol description such that $P\ dep\ s$. If the adversary observes one or more s-dependent encryption oracles for which he or she controls the corresponding decryption oracles and can relate parts of the encrypted messages, then the adversary can guess the secret, i.e.,
$$\big(observes(O^{\{M\}_K}_s(\cdot)) \wedge controls(O^{\{M\}_{K^{-1}}}_s(\cdot))\big)\ concat\ T \wedge T\ split\ \langle T'.T''\rangle \wedge relates(T', T'') \Rightarrow guess(s) \quad (7)$$

3 Implementation and Experimental Results

Our formalization of the guessing calculus makes it amenable to an implementation where states are sets of terms, and transitions are given as rewrite rules, as in the IF protocol specification language. Derivations such as ihears, part, s←gen(s′) and split yield corresponding IF facts. These are combined into rules to establish the relations observes and controls, and ultimately, guessing.

We use an adversary model with standard Dolev-Yao abilities: the adversary can fake new messages, intercept sent messages or overhear them. Moreover, the adversary has the standard computational abilities: he can encrypt and decrypt if he knows the corresponding key, and he can pair and decompose messages. Based on this model we want to express rules for the adversary's ability to observe and control oracles.

To decide whether a composed term represents an oracle, we need to determine if it contains the secret to be guessed. By overhearing such a term, the adversary observes the oracle. Further, to decide controls, we start from terms containing the secret, construct new terms in which the secret is replaced by a different value and test if the adversary knows them, and thus controls the oracle for the function derived from the term.

For secret containment (the derivation part in our theory) we define the containsSec fact, which is true for all terms containing the secret. For secret replacement (derivation s←gen(s′)), we define the replaceSec fact, which replaces any secret from the guessableSecrets set with a replacement secret. With these helper facts defined, the observes and controls abilities are easily derived. Observing an oracle is modeled as ihears(T).containsSec(T, SList), where SList is the list of guessable secrets, while controlling an oracle is specified as replaceSec(T, TNew).iknows(TNew) (where pairing with . means fact conjunction in IF). Explicit observes and controls predicates are not necessary; for efficiency, the above expressions are directly embedded into the guessing rules.

Guessing multiple secrets. To enable guessing in such scenarios, secrets already guessed must be used in subsequent guesses. However, this cannot be expressed by a simple chaining of the guesses, since adding new knowledge to the intruder cannot be done dynamically in the attack condition. Our simple and effective solution expresses the guessing rule (based on the observes and controls abilities) as a transition of the protocol itself. As a result, any guessed value is added to iknows. Being protocol-independent, this rule can be inserted in any protocol specification and enables chaining multiple guesses.

Distinguishing detectable from undetectable on-line attacks. As a first intuition, if guessing takes place after a participant has reached a final state, then guessing goes undetected for that participant. This intuition is wrong, as the same participant may have another instance still running. To distinguish undetectable from detectable on-line guessing attacks, we need to express that all participant instances have successfully completed. We can do this by adding the PIDs of all started instances to a set, adding their termination to the intruder knowledge and checking the match in the attack condition. Alternatively, simply matching the count of started and finished instances suffices.
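The first guessing case (rules (1) to (3)) together with the chaining of guesses through iknows described in Section 3, as an added example written here in Python; it is not the paper's IF implementation, and the toy term algebra, the Dolev-Yao closure and the sample messages are constructed assumptions (the description is assumed algebraically dependent on every secret, as Lemma 2 requires).

```python
# Terms: an atom is a str; composed terms are ('pair', a, b), ('crypt', key, msg), ('hash', x)

def part(term, s: str) -> bool:
    """T part s: the symbol s occurs somewhere in T."""
    return term == s if isinstance(term, str) else any(part(u, s) for u in term[1:])

def gen(term, s: str, fresh: str):
    """T s<-gen(s') T': replace every occurrence of s by the fresh symbol s'."""
    if isinstance(term, str):
        return fresh if term == s else term
    return (term[0],) + tuple(gen(u, s, fresh) for u in term[1:])

def derivable(term, known: set) -> bool:
    """iknows T: T is already known, or it can be built because every component is."""
    if term in known:
        return True
    return not isinstance(term, str) and all(derivable(u, known) for u in term[1:])

def analyze(known: set) -> set:
    """Dolev-Yao decomposition: split pairs, decrypt with a derivable (symmetric) key."""
    known, changed = set(known), True
    while changed:
        changed = False
        for t in list(known):
            new = set()
            if isinstance(t, tuple) and t[0] == 'pair':
                new = {t[1], t[2]}
            elif isinstance(t, tuple) and t[0] == 'crypt' and derivable(t[1], known):
                new = {t[2]}
            if not new <= known:
                known |= new
                changed = True
    return known

def guess_secrets(heard: list, secrets: list) -> list:
    """Rule (3) as a transition: a guessed secret joins iknows, so later guesses can chain."""
    known, guessed, progress = analyze(set(heard)), [], True
    while progress:
        progress = False
        for s in [x for x in secrets if x not in guessed]:
            fresh = s + "'"                                   # s' chosen by the intruder (igen)
            observes = any(part(t, s) for t in heard)                              # rule (1)
            controls = any(part(t, s) and derivable(gen(t, s, fresh), known | {fresh})
                           for t in heard)                                         # rule (2)
            if observes and controls:
                guessed.append(s)
                known = analyze(known | {s})
                progress = True
    return guessed

# Constructed sample (not from the paper): nA is sent in clear, pw is hashed with nA,
# pw2 appears only encrypted under pw, pw3 only encrypted together with an unseen nonce.
HEARD = ['nA', ('hash', ('pair', 'pw', 'nA')),
         ('crypt', 'pw', ('hash', 'pw2')), ('crypt', 'pw3', 'nB')]
```

Running `guess_secrets(HEARD, ['pw3', 'pw2', 'pw'])` yields `['pw', 'pw2']`: pw is guessed through the hash oracle, which unlocks the decryption under pw and hence the guess of pw2, while pw3 is observed but never controlled.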

Publication date: 2010