How to prevent type-flaw attacks on security protocols under algebraic properties
aa r X i v : . [ c s . CR ] M a r How to prevent type-flaw attacks on securityprotocols under algebraic properties
Sreekanth Malladi ⋆ and Pascal Lafourcade ⋆⋆ Dakota State UniversityMadison, SD 57042, USA
[email protected] Universit´e Grenoble 1, CNRS,
Verimag ,2 avenue de Vignate 38000 Gi`eres France [email protected]
July 8, 2018
Abstract.
Type-flaw attacks upon security protocols wherein agents areled to misinterpret message types have been reported frequently in theliterature. Preventing them is crucial for protocol security and verifica-tion. Heather et al. proved that tagging every message field with it’s typeprevents all type-flaw attacks under a free message algebra and perfectencryption system.In this paper, we prove that type-flaw attacks can be preventedwith the same technique even under the
ACUN algebraic properties of
XOR which is commonly used in “real-world” protocols such as
SSL 3.0 . Ourproof method is general and can be easily extended to other monoidaloperators that possess properties such as Inverse and Idempotence aswell. We also discuss how tagging could be used to prevent type-flawattacks under other properties such as associativity of pairing, commu-tative encryption, prefix property and homomorphic encryption.
Key words:
Cryptographic protocols, Type-flaw attacks, Tagging, Algebraicproperties, Equational theories, Constraint solving, Decidability. A type-flaw attack on a protocol is an attack where a message variable of onetype is essentially substituted with a message of a different type, to cause aviolation of a security property.In their pioneer work, Heather et al. proved that pairing constants called“tags” with each message prevents type-flaw attacks [1].Does preventing type-flaw attacks have advantages? ⋆ Supported by a doctoral SEED grant from the graduate school at DSU in 2007. ⋆⋆ Supported by ANR SeSur SCALP, SFINCS, AVOTE projects. Malladi, Lafourcade – As Heather et al. pointed out, besides the obvious advantage to securityin preventing these commonly and frequently reported attacks, preventingthem also allows many unbounded verification approaches (e.g. [2–4]) to bemeaningful, since they assume the absence of type-flaw attacks; – Further, Ramanujam-Suresh found that the absence of any type-flaw attacksallows us to restrict analysis to well-typed runs only [5], which is a decidableproblem; i.e., security can be decided with analyzing just a single session.Thus, prevention of type-flaw attacks is a crucial and significant result towardprotocol analysis and verification.However, Heather et al.’s work only considered a basic protocol model witha free message algebra and perfect encryption. Operators such as Exclusive-ORand ciphers such as CBC possess algebraic properties that violate these assump-tions. Recent focus in research projects world-wide has been to extend protocolanalysis with algebraic properties to accommodate “real-world” protocols (e.g.[6, 7]). Naturally, a corresponding study into type-flaw attacks would be bothcrucial and interesting.With this motivation, we examined several algebraic properties described inthe survey by Cortier et al. [8] such as: – Associative pairing, Commutative encryption, and Monoidal theories thatviolate the free algebra assumption; – the Prefix property, Homomorphic encryption, and Low-exponent RSA weak-ness that violate the perfect encryption assumption.We report our observations in this paper. As our main contribution, we provethat type-tagging prevents all type-flaw attacks under XOR that possesses
ACUN properties (Associativity, Commutativity, existence of Unity and Nilpotence).The proof approach is quite general and can be easily extended to other monoidaltheories such as Inverse and Idempotence as well. We also advocate some pru-dent tagging practices to prevent type-flaw attacks under the other algebraicproperties mentioned above.
Organization.
In Section 2, we show how type-tagging can prevent type-flawattacks under
XOR using an example. In Section 3, we give a formal treatment oftype-flaw attacks in a symbolic model and provide a simpler proof compared to[1] that tagging prevents type-flaw attacks under
XOR . In Section 4, we examinehow the result withstands each algebraic property and suggest remedies in theform of prudent engineering principles. We sum up with a Conclusion.
XOR -Example
Consider the adapted Needham-Schroeder-Lowe protocol (
NSL ⊕ ) by Cheva-lier et al. [9]: reventing type-flaw attacks under algebraic properties 3 Msg 1. A → B : [1 , N A , A ] → pk ( B ) Msg 2. B → A : [2 , N A ⊕ B, N B ] → pk ( A ) Msg 3. A → B : [3 , N B ] → pk ( B ) ( A and B are agent variables; N A , N B are nonce variables; [ X ] → Y represents X encrypted with Y using an asymmetric encryption algorithm.).A type-flaw attack is possible on this protocol even in the presence of com-ponent numbering (recently presented in [10]): Msg α. . a → i : [1 , n a , a ] pk ( i ) Msg β .1. i ( a ) → b : [1 , n a ⊕ b ⊕ i, a ] pk ( b ) Msg β .2. b → i ( a ) : [2 , n a ⊕ b ⊕ i ⊕ b, n b ] pk ( a ) Msg α. . i → a : [2 , n a ⊕ i, n b ] pk ( a ) (replaying Msg β .2) Msg α. . a → i : [3 , n b ] pk ( i ) Msg β .3. i ( a ) → b : [3 , n b ] pk ( b ) Notice the type-flaw in the first message ( n a ⊕ b ⊕ i substituted for theclaimed N A ) that induces a type-flaw in the second message as well. This isstrictly a type-flaw attack since without the type-flaw and consequently withoutexploiting the algebraic properties, the same attack is not possible.Component numbering cannot also prevent type-flaw attacks under the In-verse property that allows cancellation much like
Nilpotence . Consider opera-tors { + , −} , where + is binary addition, − a unary operator, and 0a constant. Then, if we change the ⊕ operator in the NSL ⊕ protocol to+, variable N A could be substituted with n a + i − b to form the sameattack as with ⊕ .The above attack can be avoided if type-tagging were to be adopted for theelements of the XOR operator:
Msg 1. A → B : [1 , N A , A ] → pk ( B ) Msg 2. B → A : [2 , [ nonce , N A ] ⊕ [ agent , B ] , N B ] → pk ( A ) Msg 3. A → B : [3 , N B ] → pk ( B ) Msg β .2 is then not replayable as Msg α .2 even when i ( a ) sends Msg β .1 as i ( a ) → b : [1 , [ nonce , n a ] ⊕ [ agent , b ] ⊕ [ agent , i ] , a ] → pk ( b ) , Malladi, Lafourcade since
Msg β .2 then becomes b → i ( a ) : [2 , [ nonce , [ nonce , n a ] ⊕ [ agent , b ] ⊕ [ agent , i ]] ⊕ [ agent , b ] , n b ] → pk ( a ) .This is not replayable as the required Msg α .2 : i → a : [2 , [ nonce , n a ] ⊕ [ agent , i ] , n b ] → pk ( a ) because, inside Msg β .2 , one occurence of [ agent , b ]is in [ nonce , [ nonce , n a ] ⊕ [ agent , b ] ⊕ [ agent , i ]] and the other is outside.Hence, they cannot be canceled.A similar reasoning applies to Inverse property for ⊕ instead of Nilpotence . We leave this for the reader to verify.In the next subsection, we will prove these claims formally.
In this section, we present a formal proof extending an approach presented in[11] that non-unifiability of encryptions (which can be ensured by tagging withcomponent numbers) prevents type-flaw attacks with free operators and a moredetailed type-tagging will prevent them under the monoidal
XOR operator. Ourproof is much simpler than [1], and more importantly, allows us to easily studyextrapolating the result to operators with algebraic properties. Furthermore,being a symbolic protocol model, the framework is quite flexible to include themuch needed equational unification for additional equational theories.
We start off with a term algebra with mostly free operators except for the
XOR operator.
Definition 1. [Terms] A term is one of the following: Variable (can be an Agent, Nonce etc., that are all subsets of Var );
Con-stant (numbers 1,2, . . . ; name of the attacker ǫ etc.); Atom (split into setsagents, nonces etc.);
Concatenation denoted [ t , . . . , t n ] if t , . . . , t n areterms; Public-Key denoted pk ( A ) with A of type Agent; Shared-Key denoted sh ( A, B ) with A and B of type Agent; Asymmetricencryption denoted [ t ] → k where t and k are terms; Symmetric encryp-tion denoted [ t ] ↔ k where t and k are terms; Hash denoted h ( t ) where t isa term; Signature denoted Sig k ( t ) where t is a term to be validated usingthe key k ; XOR denoted t ⊕ . . . ⊕ t n where t , . . . , t n are terms. We will drop the superscript → and ↔ if the mode of encryption isirrelevant.We will call terms with no atoms (but only constants and variables) as para-metric terms . We will call a parametric term in which the variables were substi-tuted with variables and/or atoms as a semi-term .We will assume that the reader is familiar with the standard definitions ofsyntactic unification, and the most general unifier (mgu). We will write t ≈ t ′ if t and t ′ are unifiable.As usual, subterms are defined to capture parts of messages: reventing type-flaw attacks under algebraic properties 5 Definition 2. [Subterm]
Term t is a subterm of t ′ (denoted t ⊏ t ′ ) if – t = t ′ , or – t ′ = [ t , . . . , t n ] with t ⊏ t ′′ , where t ′′ ∈ { t , . . . , t n } or – t ′ = [ t ′′ ] k ′ with t ⊏ t ′′ , or – t ′ = h ( t ′′ ) with t ⊏ t ′′ , or – t ′ = Sig k ( t ′′ ) with t ⊏ t ′′ ; or – t ′ = t ⊕ . . . ⊕ t n with t ⊏ t ′′ where t ′′ ∈ { t , . . . , t n } . We will call encrypted subterms, hashes and signatures as
Compound Terms ;we will denote them as CT ( T ) for a set of terms, T .We will denote the type of a variable or atom t as type ( t ). We over-load this to give the type of other terms. For instance, type ([ t , . . . , t n ]) =[ type ( t ) , . . . , type ( t n )] and type ([ t ] k ) = [ type ( t )] type ( k ) .We will call a substitution of a term t to a variable V a “well-typed” substitution, if type ( t ) = type ( V ). We will call a set of substitutions σ well-typed and write well-typed ( σ ) if all its members are well-typed;otherwise, we call σ ill-typed.We will assume that all operators in the term algebra except the XOR operator are free of equations of the form t = t ′ where t and t ′ are two different terms. Thus, every equation between two terms that were notconstructed with the XOR operator is of the form t = t . We will denotethis theory, E STD .On the other hand, we will assume that terms created with the
XOR operatorto contain the following equational theory denoted E ACUN corresponding toit’s
ACUN algebraic properties: t ⊕ ( t ⊕ t ) = ( t ⊕ t ) ⊕ t ( A ssociativity ); t ⊕ t = t ⊕ t ( C ommutativity ); t ⊕ t ( existence of U nity ); t ⊕ t = 0 ( N ilpotence ).We will denote the unification algorithms for terms constructed purely withthe standard operators and purely with the XOR operator as A STD and A ACUN respectively.Terms constructed using both the standard operators and the
XOR operatorcan be unified using A STD , A ACUN and the combination algorithm of Baader& Schulz [12] resulting in a finite number of most general unifiers.
The protocol model is based on the strand space framework of [2].
Definition 3. [Node, Strand, Protocol] A node is a tuple h Sign , Term i denoted + m when it sends a term m , or − m when it receives m . The sign of a node n is denoted sign( n ) that can be ‘ + ’ or ‘ − ’ and its term as term( n ) derivedfrom the term algebra. A strand is a sequence of nodes denoted h n , . . . , n k i if it has k nodes. Nodes in a strand are related by the edge ⇒ defined such Malladi, Lafourcade that if n i and n i +1 belong to the same strand, then we write n i ⇒ n i +1 .A parametric strand is a strand with all parametric terms on its nodes. A protocol is a set of parametric strands. Protocol roles (or parametric strands) can be partially instantiated to pro-duce semi-strands containing semi-terms on nodes obtained instantiating theirparametric terms, depending on the knowledge of agents concerning the variablesbeing instantiated: A variable is instantiated to an atom if the agent to whichthe strand corresponds to, either creates the atom according to the protocol orknows the value ( e.g. being public such as an agent name). Variables may alsobe replaced with new variable substitutions in order for different semi-strandsof the same parametric strand to be distinguishable. This is done if more thanone instance of a role is visualized in an execution scenario.We will denote the substitution to a parametric strand ‘ p ’ by an honestagent leading to a semi-strand ‘ s ’ as σ hs p .For instance, role ‘ A ’ in the NSL ⊕ protocol is the parametric strand role A = h + [1 , N A , A ] → pk ( B ) , − [2 , [ nonce , N A ] ⊕ [ agent , A ] , N B ] → pk ( A ) , + [3 , N B ] → pk ( B ) i and an agent ‘ a ’ that plays the role could be the semi-strand σ hs role A = h + [1 , n a , a ] → pk ( B ) , − [2 , [ nonce , n a ] ⊕ [ agent , a ] , N B ] → pk ( a ) , + [3 , N B ] → pk ( B ) i where σ hs = { a/A, n a /N A } .A set of semi-strands is a semi-bundle . We will denote the set of allsubstitutions to a protocol by honest agents leading to a semi-bundle S as σ HS .We will assume that honest agent substitutions leading to semi-strands arealways well-typed: Assumption 1
Let P be a protocol and S be a semi-bundle such that S = σ HS P . Then, ( ∀ σ ∈ σ HS )( well-typed ( σ )) . We will use the relation ‘ precedes ’ ( (cid:22) ) on stand-alone strands in semi-bundles: Let s be a strand in a semi-bundle S . Then,( ∀ n i , n j ∈ s )( i ≤ j ⇒ n i (cid:22) n j ).We will abuse the notation of CT () on strands, protocols and semi-bundlesas well. We will write t ∈ S even if t is a term on some node of somestrand of a semi-bundle S . reventing type-flaw attacks under algebraic properties 7 We use the constraint solving model of Millen-Shmatikov [13] that was latermodified by Chevalier [14] to model the penetrator .The main constraint satisfaction procedure, denoted P ⊕ first forms aconstraint sequence from an interleaving of nodes belonging to strands in asemi-bundle: Definition 4. [Constraint sequence] A constraint sequence C = h term ( n ) : T , . . . , term ( n k ) : T k i is from a semi-bundle S with k ‘ − ’ nodes if ( ∀ n )( ∀ n ′ )(( term ( n ′ ) : T ∈ C ) ∧ ( term ( n ) ∈ T ) ⇒ ( n (cid:22) n ′ )) . Further, if i < j and n i , n j belong tothe same strand, then n i (cid:22) n j and ( ∀ i = 1 to k )( T i ⊆ T i +1 ) . A symbolic reduction rule applied to a constraint m : T is said to“reduce” it to another constraint m : T ′ or m ′ : T . P ⊕ applies a setof such rules R ⊕ (Table 1) in any order to the first constraint in a sequencethat does not have a variable as it’s target, called the “ active constraint ”. Itis worth mentioning that P ⊕ eliminates any stand-alone or free variables inthe term set of a constraint before applying any rule. concat [ t , . . . , t n ] : T t : T ,. . . , t n : T split t : T ∪ [ t , . . . , t n ] t : T ∪ t ∪ . . . ∪ t n penc [ m ] → k : T k : T, m : T pdec m : [ t ] → pk ( ǫ ) ∪ T m : t ∪ T senc [ m ] ↔ k : T k : T, m : T sdec m : [ t ] ↔ k ∪ T k : T, m : T ∪ { t, k } XOR R m : T ∪ { t , . . . , t n } m : T ∪ t ⊕ . . . ⊕ t n XOR L t ⊕ . . . ⊕ t n : T t : T, t ⊕ . . . ⊕ t n : T Sig
Sig k ( f ( t )) : T t : T Hash h ( t ) : T t : T Table 1.
Set of reduction rules, R ⊕ = R ∪ { XOR L , XOR R } The rules in Table 1 do not affect the attacker substitution. There are twoother rules that involve unification, and generate a new substitution that is tobe applied to the whole sequence before applying the next rule. It is worthgiving a more detailed account of those rules including the transformation tothe constraints before the active constraint ( C < ) and the ones after ( C > ): C < , m : T ∪ t, C > ; στ C < , τ C > ; τ ∪ σ where τ = mgu( m, t ) ( un ) C < , m : [ t ] → k ∪ T, C > ; στ C < , τ m : τ [ t ] → k ∪ τ T, τ C > ; τ ∪ σ , where τ = mgu( k, pk ( ǫ )) , k = pk ( ǫ ) ( ksub )A sequence of applications of reduction rules on a constraint sequence cantransform it into a “simple” constraint sequence: Heather et al. [1] used classical penetrator strands of [2], but the basic penetratorcapabilities are equal in both models. Malladi, Lafourcade
Definition 5. [Simple constraint sequence]
A constraint m : T is a simple constraint if m is a variable.A constraint sequence C is a simple constraint sequence if everyconstraint in C is a simple constraint. The possibility of forming bundles from a given semi-bundle can be deter-mined by testing if constraint sequences from it are satisfiable. Satisfiability isusually defined in terms of attacker operations on ground terms; however, Cheva-lier [14] proved that P ⊕ is terminating, sound and complete with respect tothe attacker capabilities. Hence, we define satisfiability directly in terms of thedecision procedure: Definition 6. [Satisfiability]
A constraint is satisfiable if a sequence of reduction rule application from R result in a simple constraint. A constraint sequence C is satisfiable if every constraint in the sequence is satisfiable. Further, the initially emptysubstitution σ is said to satisfy C , denoted σ ⊢ C . It is useful to characterize “normal” constraint sequences which are thosethat do not contain pairs on the left and right sides of any constraint:
Definition 7. [Normal Constraint Sequence]
A constraint sequence C is normal iff for every constraint m : T ∈ C , m is not a pair and for every t ∈ T , t is not a pair. It has been proven in [14] that any constraint sequence can be “normalized”such that if a substitution satisfies the original sequence, it can also satisfy thenormalized sequence.Violations of trace properties such as secrecy and authentication can be em-bedded in a semi-bundle so that a satisfiable constraint sequence from the semi-bundle points to an attack. Using this concept, we define a type-flaw attack:
Definition 8. [Type-flaw attacks] A type-flaw attack exists on a semi-bundle S if a constraint sequence C from S is satisfiable with an ill-typed substitution, but not with a well-typedsubstitution. i.e. ( ∃ σ )( σ ⊢ C ) ∧ ( ∄ σ ′ )(( σ ′ ⊢ C ) ∧ ( well-typed ( σ ′ ))) . We will now state our main requirement on protocol messages which states thattextually distinct compound terms should be non-unifiable and that all XORedterms must be type-tagged:
Definition 9. [NUT]
Let P be a protocol. Then P is NUT -Satisfying iff – ( ∀ t ∈ CT ( P ))( ∀ t ∈ CT ( P ))( t = t ⇒ t t ) . ; reventing type-flaw attacks under algebraic properties 9 – ( ∀ t )( ∀ t ′ )(( t ∈ P ) ∧ ( t = t ⊕ . . . ⊕ t n ) ∧ ( t ′ ∈ { t , . . . , t n } ) ⇒ ( ∃ t ′′ )( t ′ =[ type ( t ′′ ) , t ′′ ])) . It can be easily seen that
NUT for terms constructed with standard operatorsis achieved by placing component numbers as the beginning element of concate-nations inside all distinct compound terms in a protocol. E.g. [1 , N A , A ] → pk ( B ) ,[2 , N A , [3 , N B , A ] ↔ sh ( A,B ) ] ↔ sh ( B,S ) , etc. Further, for terms that are XORed to-gether, type tags must be included. For instance, N A ⊕ B ⊕ [1 , N A , A ] K shouldbe transformed into [ nonce , N A ] ⊕ [ agent , B ] ⊕ [[ nonce , agent ] → key , [1 , N A , A ] → K ].The tagged NSL ⊕ protocol in Section 2 clearly conforms to these stipulationsand hence is a NUT -Satisfying protocol.
We will now prove that
NUT -Satisfying protocols are not vulnerable to type-flawattacks.The main idea is to show that every unification when applying P ⊕ to a con-straint sequence from a NUT -Satisfying protocol results in a well-typed unifier.The intuition behind showing that unifiers are necessarily well-typed is asfollows: informally, the problem of unification of two terms under the combinedtheory of ( E STD ∪ E ACUN ) must first result in subproblems that are purely in E STD or purely in E ACUN according to Baader-Schulz algorithm.Now E ACUN problems will have a unifier only if the
XOR terms contain vari-ables. However, according to our extended requirement of
NUT above, no pro-tocol term has an
XOR term with an untagged variable. Further, the
XOR termsproduced by P ⊕ in the term set of a constraint cannot contain variables eithersince like in P , the rule ( elim ) eliminates any stand-alone variables in a term setbefore applying any other rule. Thus, algorithm A ACUN returns an empty unifier.Unification of E ACUN problems only happens when two standard terms that werereplaced by variables belong to the same equivalence class, can be unified with A STD and could thus be canceled.In summary, the unifier for a problem in ( E STD ∪ E ACUN ) under the extendedrequirement on
NUT is only from applying A STD . We show that these problemsalways produce well-typed unifiers.For instance, consider the unification problem[1 , n a ] pk ( B ) ? ≈ E [1 , N B ] pk ( a ) ⊕ [2 , A ] ⊕ [2 , b ]Following Baader & Schulz method, we first purify this to sub-problems: W ? ≈ E STD [1 , n a ] pk ( B ) , X ? ≈ E STD [1 , N B ] pk ( a ) , Y ? ≈ E STD [2 , A ] , Z ? ≈ E STD [2 , b ] , and W ? ≈ E ACUN X ⊕ Y ⊕ Z. Now, the new variables W , X , Y , and Z are treated as constantsduring A ACUN . In that case, the problem W = X ⊕ Y ⊕ Z isnot unifiable. However, there is a step we missed: we need to form equivalenceclasses from the variables W , X , Y , and Z such that variables fromone class can be replaced with just one representative element. In this case, if wepartition the variables into { { W } , { X } , { Y, Z } } , then we can changethe problem W ? ≈ E ACUN X ⊕ Y ⊕ Z into W ? ≈ E ACUN X ⊕ Y ⊕ Y with an additional problem of Y ? ≈ E STD Z . This is obviously equivalent to W ? ≈ E STD X since the Y ’s cancel out leading to another sub-problem.Now all the sub-problems are purely in the STD theory (terms on eithersides do not involve the ⊕ operator):[1 , n a ] pk ( B ) ? ≈ E STD [1 , N B ] pk ( a ) , [2 , A ] ? ≈ E STD [2 , b ] . It can be easily seen that A STD outputs a well-typed unifier ( { n a /N B , b/A } )for these problems resulting in a well-typed unifier for a combination of A STD and A ACUN , since A ACUN outputs an empty unifier.
Theorem 1. [
NUT prevents type-flaw attacks]
Let P be a NUT -Satisfying protocol and S = σ HS P . Let C be a normal con-straint sequence from S . Then, ( σ ⊢ C ) ⇒ ( ∃ σ ′ )(( σ ′ ⊢ C ) ∧ ( well-typed ( σ ′ ))) .Proof. If σ satisfies C , then from Def. 6, rules from R ⊕ have been used to reduceit to a simple constraint sequence. The only rules that can change σ are ( un )and ( ksub ). ( ksub ) makes a well-typed substitution since it unifies a term withthe attacker’s public-key which is of the same type.We prove below that if m : T ∪ t ∈ C , and m ≈ t then for each mgu( m, t ) = τ , well-typed ( τ ). Since initially σ is empty, using induction on each constraint ofthe sequence, we can then conclude that σ is well-typed.Following the combination algorithm of [12] described in [15], let the initialproblem of Γ = { m ? ≈ E t } be reduced to ( Γ ′ , <, p ) where – Γ ′ is a set of unification problems { m ≈ t , . . . , m n ? ≈ t n } ; – Let Γ ′ be pure with every m ≈ E t ∈ Γ ′ have m , t formed purely fromoperator ⊕ on 0, constants and variables or from the standard theory in theterm algebra defined in Def. 1; – < is a linear ordering on variables such that if X < Y then Y does not occuras a subterm of the instantiation of X ; – p is a partition { V , V } on the set of all variables V such that V are treatedas constants when A STD is applied and V are constants when A ACUN isapplied; – Let another partition p ′ of variables identifies equivalence classes of V whereevery class in a partition is replaced with a representative and where mem-bers of the class are unifiable; reventing type-flaw attacks under algebraic properties 11 Let the combined unifier of σ STD and σ ACUN denoted σ ST D ⊙ σ ACUN = σ which is obtained by applying [15, Def. 9]; i.e., by induction on < . Our aim is toprove that every σ obtained for different combinations of <, p, p ′ is well-typed.Let us examine the possible forms of problem elements in Γ ′ : ACUN theory: m ? ≈ ACUN t exist where m = a ⊕ a ⊕ . . . ⊕ a i and b = b ⊕ b ⊕ . . . ⊕ b j where each of a ∈ { a , . . . , a i } and b ∈ { b , . . . , b j } is a constant or a newvariable in V for some positive i and j . The reason is as follows: according tothe requirement on protocol messages for a NUT -Satisfying protocol, noneof { a , . . . , a i } can be an untagged variable. Also, none of { b , . . . , b j } is avariable, since P ⊕ applies rule ( elim ) eliminating all stand-alone variablesbefore applying any other rule. Lastly, the new variables in m and t would beother problems in Γ ′ of the form X = [ tag , x ] where X is the new variable, tag is a constant and x is any term. These new variables have to be treated asconstants when applying A ACUN (they cannot be substituted with 0’s whichis the only substitution that A ACUN can return). With all constants in m and t , A ACUN that would normally return a set of ‘0’ substitutions for somevariables, returns an empty set of substitutions answering that m and t areequivalent (if they are); STD theory: m ≈ STD t where1. either m or t is a new variable belonging to V ; there is no unifier toexisting variables here;2. m, t are tagged terms of the form, [ tag , x ] and [ tag , x ′ ] where tag is aconstant. In this case, m unifies with t only if x unifies with x ′ and theproof can be applied recursively;3. m, t ∈ CT ( S ); In this case, again the proof applies recursively. For in-stance, if m = h ( m ′ ) and t = h ( t ′ ) then we need to unify m ′ and t ′ ;Suppose m ′ = [ tag , x , . . . , x n ] and t ′ = [ tag , y , . . . , y n ]. The constant tag guarantees that m ′ and t ′ have the same number of elements ( n ).Now we need to unify every x i with y i for i = 1 to n . Firstly, if one of x i and y i is a variable, then: – If x i or y i is a new variable, there is no substitution to existingvariables; – If both are existing variables, then they are both of the same typeby Def. 9 and Assumption 1; similarly if one of them is an atom;If x i , y i ∈ CT ( S ), then the proof proceeds recursively to each subtermin turn.4. m and t are two new variables in a subset of the variable identificationpartition p ′ . However, since both are problems in Γ ′ are such that theymap to a tagged pair or compound term in the standard theory, theirunifier is once again well-typed from above. Note that m and t cannotbe existing variables since these variables are from ACUN problems and
ACUN problems contain necessarily new variables as explained previouslyin the case for
ACUN theory.
We now consider some more algebraic properties of message operators. The firstset breaks the free algebra assumption for protocol messages like
XOR . The secondset breaks the perfect encryption assumption.
Following the definition of monoidal theories from [16],we can determine that – the theory ACU over { + , } where A stands for associativity, C for commu-tativity and U for the existence of Unity is a monoidal theory; – the theories ACUIdem and
ACUN where
Idem stands for Idempotence and N for Nilpotence are also monoidal theories over { + , } and {⊕ , } respectively; – the theory of Abelian Groups ( AG or ACUInv ) over { + , − , } where Inv standsfor Inverse is also monoidal where − is a unary operator.If we replace or overload the ⊕ operator in Section 3 with Idem or Inv , wecan make a similar reasoning as made for
ACUN properties in Theorem 1:When the combination algorithm of Baader & Schulz is applied for E STD ∪ E T where T is a theory with any, some or all of A, C, U, N, Idem, Inv , the algorithmfor T , say A T will return an empty substitution when the operator with theoryis so used in the protocol such that every term is type-tagged. Consequently, theunifier for the combined unification problem will only have substitutions from A STD which will be well-typed as explained in Theorem 1.However, we must note that the procedure P ⊕ in [14] that we followed onlyconsidered ACUN properties. We conjecture that if a suitable constraint solvingalgorithm is developed for other monoidal theories as well, then the above con-cept of necessarily well-typed unifiers could be used to extend Theorem 1 underthose theories.
Associativity of Pairing.
This property allows the equation [ a, [ b, c ]] = [[ a, b ] , c ].Denote this as the theory Assoc .Component numbering cannot prevents ill-typed unifiers. A simple exam-ple can prove this: [1 , A, [ b, c ] , d ] can be unified using [1 , [ a, B ] , C, d ], with σ = { [ a, B ] /A, [ b, c ] /C, d/D } . Obviously, σ is ill-typed.However, type-tagging prevent ill-typed unifiers. If we consider the sameexample,[[ agent , A ] , [ pair , [[ nonce , b ] , [ agent , c ]]] , [ key , d ]] cannot be unified with[[ pair , [[ agent , a ] , [ nonce , B ]]] , [ agent , C ] , [ key , D ]] even under associativity, due tothe “ pair ” tag for pairs.It would be straightforward to prove this claim formally: – Following Baader-Schulz algorithm again, we can first purify the main uni-fication problem into sub problems that are either purely in the
STD theory reventing type-flaw attacks under algebraic properties 13 and through the introduction of new variables, to those that resemble m ≈ t where all subterms of m and t are variables, atoms or pairs for the Assoc theory; – The
STD theory returns well-typed unifiers as described in the proof ofTheorem 1; – The unifiable problems in the
Assoc theory will resemble [[ tag , x ] , . . . , [ tag n , x n ]] ≈ [[ tag , y ] , . . . , [ tag n , y n ]]. This returns a well-typed unifier if all x i ≈ y i ( i = 1to n ) return well-typed unifiers which they do if at least one of x i or y i arevariables from Def. 9 and Assumption 1. If they are both compound terms,the proof proceeds recursively. Associativity and Commutativity of a general operator
The conceptsabove can easily be extrapolated to associativity of a general operator, say ‘ . ’as well. For instance, [1 , [ a.b ] .C ] and [2 , A. [ b.c ]] return an ill-typed unifier, but[[ pair , [ agent , a ] . [ nonce , b ]] . [ key , C ]] and [[ agent , A ] . [ pair , [ nonce , b ] . [ key , c ]]] do not.These concepts can be extrapolated to commutativity as well: Consider [1 , n a .B.a ]unified with [1 , A.b.N A ] that results in an ill-typed unifier { n a /A, b/B, a/N A } buttype-tagging does not allow such a unification and ensures well-typed unification.Consider the same example: [ nonce . agent . agent , [ nonce , n a ] . [ agent , B ] . [ agent , a ]]cannot be unified with [ nonce . agent . agent , [ agent , A ] . [ agent , b ] . [ nonce , N A ]].It should be straightforward to extend the formal proof that we outlinedfor associativity of pairing to the cases of associativity and commutativity of ageneral operator. Some algebraic properties violate the perfect encryption assumption, withoutaltering the freeness of the message algebra. If they produce subterms, like thefollowing inference rule due to Coppersmith [17], the main theorem still standstall since unification in the
STD theory will still be well-typed (recall the stepsof
STD theory unification in the proof of Theorem 1 that handles the case of m ≈ STD t – they consider m and t being subterms of the semi-bundle): { [ a, x, b ] → k , [ c, x, d ] → k , a, b, c, d } ⊢ x, where a = c ∨ b = d .Clearly, since this inference produces a subterm (‘ x ’), the main result standstall in its presence and no type-flaw attacks can be possible if the protocol obeys NUT .Some others produce non-subterms such as the Prefix property and homo-morphic encryption discussed in [8]. Let us examine if and how prudent taggingcould be adopted to prevent type-flaw attacks under these properties:
Prefix property.
The Prefix property is obeyed by block ciphering techniquessuch as CBC and ECB. This property leads the attacker to infer [ m ] ↔ k (a non-subterm) from [ m, n ] ↔ k thereby invalidating Theorem 1. Consider the Woo and Lam π protocol modified by inserting componentnumbers inside each encrypted component :Msg 1. a → b : a Msg 2. b → a : n b Msg 3. a → b : [ a, b, n b , ↔ sh ( a,s ) Msg 4. b → s : [ a, b, [ a, b, n b , ↔ sh ( a,s ) , ↔ sh ( b,s ) Msg 5. s → b : [ a, b, n b , ↔ sh ( b,s ) sh ( x, y ) represents a shared-key between agents x and y . We presented a type-flaw attack on this protocol in [18] even when it uses component numbering ifthe Prefix property is exploited, and if pairing is associative:Msg 1. a → b : a Msg 2. b → a : n b Msg 3. I ( a ) → b : [ n b ,
3] /* In place of [ a, b, n b , sh ( a,s ) */Msg 4. b → I ( s ) : [ a, b, [ n b , , ↔ sh ( b,s ) Msg 5. I ( s ) → b : [ a, b, n b , ↔ sh ( b,s ) /* using Prefix property on Msg 4. */This attack works because, an attacker can infer [ a, b, n b , ↔ sh ( b,s ) from Msg 4([ a, b, [ n b , , ↔ sh ( b,s ) ) exploiting the Prefix property and associativity of pairing.This attack can be easily prevented by adopting type-tagging since it elim-inates associativity of pairing as explained previously. It can also be preventedby simply inserting component numbers at the beginning of encryptions, insteadof at the end. Homomorphism of Encryptions.
With this property, it would be possibleto infer the non-subterms [ m ] k , and [ n ] k from [ m, n ] k . Obviously, this is strongerthan the Prefix property.The “ pair ” tag assumed to contain within parentheses cannot void this infer-ence. For instance, a term [[ type , t ] , [ type , t ]] k can still yield the non-subterms[ type , t ] k , and [ type , t ] k . Even with component numbering, a term such as[1 , [ t , t ]] k can be broken down into [1] k , and [ t , t ] k .With a range of such non-subterm encryptions to infer, it can be easily seenthat neither component numbers, nor type-tags, no matter how they are placed,can prevent the attack on the Woo and Lam protocol above under this inference.In particular, if the plaintext block length equals the length of a nonce oragent, then the attacker can infer [ a ] sh ( b,s ) , [ b ] sh ( b,s ) , [ n b ] sh ( b,s ) easily from Msg 4under any tagging. He can then replay Msg 5 by stitching these together.However, this inference is only possible under an extremely weak system suchas ECB, so a realistic threat in real-world situations is unlikely. Heather et al. [1] do not specify the exact position where component numbers needto be inserted, although they inserted numbers at the beginning of encryptions intheir examples.reventing type-flaw attacks under algebraic properties 15
In this paper, we provided a proof that adopting type-tagging for message fieldsin a protocol prevents type-flaw attacks under the
ACUN properties induced bythe most popular Exclusive-OR operator. We also extrapolated those results tomany other interesting and commonly encountered theories.We did not find a single property under which component numbering pre-vents type-flaw attacks that type-tagging cannot, although we presented severalexamples where the opposite could be true. However, we advocate the use ofcomponent numbering in addition to type-tagging, since they prevent the replayof different terms with the same type as well.The most significant advantage of being able to prevent type-flaw attacks isthat analysis could be restricted to well-typed runs only. This has been shownto be a decidable problem in the standard, free theory but not for monoidaltheories. We are currently in this pursuit . Acknowledgments.
We benefited greatly from the following people’s help andguidance: Gavin Lowe (OUCL) provided many useful explanations and insight-ful observations into type-flaw attacks during 2003-2005. Cathy Meadows (NRL)gave useful guidance and suggested adopting of Baader & Schulz algorithmwhen dealing with
XOR unification. Jon Millen (MITRE) clarified numerous con-cepts about constraint solving and some crucial aspects of
XOR unification. Yan-nick Chevalier (IRIT) explained some concepts about his extensions to Millen-Shmatikov model with
XOR . References
1. Heather, J., Lowe, G., Schneider, S.: How to prevent type flaw attacks on securityprotocols. Journal of Computer Security (2) (2003) 217–2442. Thayer, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: Why is a security pro-tocol correct? In: Proc. IEEE Symposium on Research in Security and Privacy,IEEE Computer Society Press (1998) 160–1713. Cohen, E.: Taps: A first-order verifier for cryptographic protocols. In: ComputerSecurity Foundations Workshop (CSFW). (2000) 144–1584. Heather, J., Schneider, S.: Towards automatic verification of security protocols onan unbounded network. In: Proc. 13th Computer Security Foundations Workshop,IEEE Computer Society Press (2000) 132–1435. Ramanujam, R., Suresh, S.P.: Tagging makes secrecy decidable for unboundednonces as well. In: 23rd FST&TCS, Lecture Notes in Computer Science. Volume2914. (2003) 323–3746. K¨usters, R., Truderung, T.: Reducing protocol analysis with xor to the xor-freecase in the horn theory based approach. In: ACM Conference on Computer andCommunications Security. (2008) 129–138 We previously made an attempt at this under the belief that tagging might notprevent type-flaw attacks [19]. We intend to reattempt it by taking advantage of theresults in this paper.6 Malladi, Lafourcade7. Escobar, S., Meadows, C., Meseguer, J.: Equational cryptographic reasoning inthe maude-nrl protocol analyzer. Electr. Notes Theor. Comput. Sci. (4) (2007)23–368. Cortier, V., Delaune, S., Lafourcade, P.: A survey of algebraic properties used incryptographic protocols. Journal of Computer Security (1) (2006) 1–439. Chevalier, Y., K¨usters, R., Rusinowitch, M., Turuani, M.: An NP decision proce-dure for protocol insecurity with XOR. In: Proc. 18 th Annual IEEE Symposiumon Logic in Computer Science (LICS’03), IEEE Computer Society Press (2003)261–27010. Malladi, S., Hura, G.S.: What is the best way to prove a cryptographic protocolcorrect? (position paper). In: Workshop on Security in Systems and Networks(SSN 2008), IEEE International Symposium on Parallel and Distributed Processing(IPDPS 2008). (2008) 1–711. Malladi, S.: Phd dissertation - formal analysis and verification of password proto-cols. ACM Portal, University of Idaho (2004)12. Baader, F., Schulz, K.U.: Unification in the union of disjoint equational theories:Combining decision procedures. J. of Symbolic Computation1070