Untraceability in the applied pi calculus
Myrto Arapinis. Joint work with T. Chothia, E. Ritter, and M. Ryan
University of Birmingham
Outline
1. Context
2. The applied pi calculus
3. Formalising untraceability
4. Analysing the French e-passport
5. Ongoing and future work
Isn't 12 am a bit late to show up at work?
Identification protocol (parties: database, tag, reader):
  reader → tag: Welcome
  tag → reader: ID
  reader: if ID ∈ DB then open door
⇒ My bosses could track what time I come in the office in the morning...
Untraceability informally
Definition (ISO 15408). Untraceability ensures that a user may make multiple uses of a resource or service without other users being able to link these uses together.
Why use the applied pi calculus?
The applied pi calculus [Abadi & Fournet, 01] is a basic programming language with constructs for concurrency and communication:
- extends the π-calculus [Milner et al., 92]
- in some ways similar to the spi-calculus [Abadi & Gordon, 98]
Advantages
- allows modelling of less classical cryptographic primitives
- both reachability and equivalence-based specification of properties
- automated proofs using the ProVerif tool [Blanchet, 01]
- powerful proof techniques for hand proofs
- successfully used to analyse a variety of security protocols
Syntax: messages as terms
- A signature Σ: a finite set of function symbols, each with an arity. Example: Σ = {senc, sdec, aenc, adec, pk, pair, fst, snd}
- Given a signature Σ, the set of terms is defined as:
    L, M, N, K ::=                          terms
        a, b, c, ..., k, ..., m, n, ..., s   names
        x, y, z                              variables
        f(M1, ..., Mℓ)                       function application, where ℓ matches the arity of f ∈ Σ
Syntax: processes
The set of processes is defined by
    P, Q, R ::=                         processes
        0                               null process
        P | Q                           parallel composition
        !P                              replication
        νn. P                           name restriction
        if M = N then P else Q          conditional
        in(c, x). P                     message input
        out(c, M). P                    message output
Equations to define cryptographic primitives
- The calculus is parametrised by an equational theory E for terms
- Equational theories are typically (but not necessarily) specified by equational rules that are closed by variable substitutions
- Σ ⊢ M = N iff M is equal to N in the considered equational theory
Examples
    fst(pair(x, y)) = x
    snd(pair(x, y)) = y
    sdec(senc(x, y), y) = x
    adec(aenc(x, pk(y)), y) = x
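As an added example (not from the slides), the following Python code represents terms over the signature Σ above and decides Σ ⊢ M = N for the four example equations by rewriting both sides to normal form; this is exactly the test the conditional if M = N then P else Q performs on ground terms. Term constructors, the ARITY table and the function names are the example's own.

```python
# Added example (not from the slides): a small term rewriter for the
# signature Σ = {senc, sdec, aenc, adec, pk, pair, fst, snd} and the four
# equations on the slide.  Σ ⊢ M = N is decided by comparing normal forms,
# which is sound here because the four rules form a convergent rewrite system.
# Terms are tuples ("name", n), ("var", x) or (f, arg1, ..., argℓ).

ARITY = {"senc": 2, "sdec": 2, "aenc": 2, "adec": 2,
         "pk": 1, "pair": 2, "fst": 1, "snd": 1}

def name(n):
    return ("name", n)

def var(x):
    return ("var", x)

def app(f, *args):
    """Function application f(M1, ..., Mℓ); ℓ must match the arity of f."""
    if ARITY[f] != len(args):
        raise ValueError(f"{f} expects {ARITY[f]} argument(s)")
    return (f,) + args

def normal_form(t):
    """Normalise the subterms, then apply the one rule (if any) whose
    left-hand side matches at the root.  The result is already normal
    because every right-hand side is one of the (normalised) subterms."""
    if t[0] in ("name", "var"):
        return t
    f, args = t[0], tuple(normal_form(a) for a in t[1:])
    if f == "fst" and args[0][0] == "pair":             # fst(pair(x, y)) = x
        return args[0][1]
    if f == "snd" and args[0][0] == "pair":             # snd(pair(x, y)) = y
        return args[0][2]
    if f == "sdec" and args[0][0] == "senc" and args[0][2] == args[1]:
        return args[0][1]                               # sdec(senc(x, y), y) = x
    if f == "adec" and args[0][0] == "aenc" and args[0][2] == ("pk", args[1]):
        return args[0][1]                               # adec(aenc(x, pk(y)), y) = x
    return (f,) + args

def equal(m, n):
    """Σ ⊢ M = N, decided on normal forms (the test used by the conditional)."""
    return normal_form(m) == normal_form(n)
```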
Example
Identification protocol (parties: database, tag, reader):
  reader → tag: Welcome
  tag → reader: ID
  reader: if ID ∈ DB then open door
Modelled in the applied pi calculus:
  reader ::= !(out(c, Welcome). in(c, x))
  tag    ::= νnid. !(in(c, x). (if x = Welcome then out(c, nid)))
  system ::= !tag | !reader
Operational semantics
The operational semantics is defined in terms of structural equivalence and reduction.
- The structural equivalence ≡ is an equivalence relation defined much as usual:
    P | Q ≡ Q | P                      νn. νm. P ≡ νm. νn. P
    P | (Q | R) ≡ (P | Q) | R          0 ≡ νn. 0
    !P ≡ !P | P                        P | νn. Q ≡ νn. (P | Q)   if n ∉ fn(P)
    ...
- The reduction → is the smallest relation on closed processes that is closed by structural equivalence and application of evaluation contexts such that:
    out(a, M). P | in(a, x). Q   →   P | Q{M/x}
    if M = M then P else Q       →   P
    if M = N then P else Q       →   Q     for all ground terms M and N such that Σ ⊬ M = N
Observational equivalence
We write P ⇓ a when P can send a message on channel a, i.e. P →* C[out(a, M). Q] for some evaluation context C[•] that does not bind a.
Definition (Observational equivalence). Observational equivalence (≈) is the largest symmetric relation R between closed processes such that P R Q implies
1. if P ⇓ a then Q ⇓ a;
2. if P →* P', then Q →* Q' and P' R Q' for some Q';
3. C[P] R C[Q] for all evaluation contexts C[•].
Example
    out(c, n). out(c, m) ≉ out(c, n) | out(c, m)
    νn. out(c, n) ≈ νn. out(c, h(n))
Untraceability informally
ISO 15408 definition: Untraceability ensures that a user may make multiple uses of a resource or service without other users being able to link these uses together.
Intuitively: each session of a protocol should look to the intruder as initiated by a different user. In other words, an ideal system, w.r.t. untraceability, would allow users to execute themselves at most once.
Untraceability formally
An RFID party protocol P is a closed plain process such that
    P ≡ νñ. (DB | !R | !T)    s.t.    T ≡ νm̃. init. !main
for some processes init and main.
Definition. Let P be an RFID protocol. Let
    P' ≡ νñ. (DB | !R | !T')    s.t.    T' ≡ νm̃. init. main
P preserves untraceability of tags iff P ≈ P'.
Example
Our protocol
    reader ::= !(out(c, Welcome). in(c, x))
    tag    ::= νnid. !(in(c, x). (if x = Welcome then out(c, nid)))
    system ::= (!tag | !reader)
Ideal protocol
    reader  ::= !(out(c, Welcome). in(c, x))
    tag'    ::= νnid. (in(c, x). (if x = Welcome then out(c, nid)))
    system' ::= (!tag' | !reader)
Obviously system ≉ system'
−→ tags are traceable in this protocol.
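The following Python simulation is an added example, not part of the slides: it models system (tag = νnid. !main) and system' (tag' = νnid. main) and runs the distinguishing test behind system ≉ system', namely an intruder playing the reader in two sessions and checking whether they return the same identifier. The class and function names, and the use of a counter for fresh names, are the example's own choices.

```python
# Added example (not from the slides): a toy simulation of the slide's
# tag/reader protocol and of its ideal variant, together with the test an
# intruder can run to tell them apart.  Fresh names come from a counter,
# standing in for the restriction νnid.
import itertools

WELCOME = "Welcome"
_fresh = itertools.count(1)

class Tag:
    """νnid. main, where main is in(c, x). if x = Welcome then out(c, nid)."""
    def __init__(self):
        self.nid = next(_fresh)

    def main(self, x):
        return self.nid if x == WELCOME else None

def real_system():
    """system = !tag | !reader with tag = νnid. !main: the same tag (hence
    the same nid) runs main in every session the reader starts."""
    tag = Tag()
    return tag.main

def ideal_system():
    """system' = !tag' | !reader with tag' = νnid. main: a tag answers at
    most once, so every session is served by a fresh tag with a fresh nid."""
    return lambda x: Tag().main(x)

def probe(session, rounds=2):
    """The intruder's test (an evaluation context): play the reader in several
    sessions and report whether two of them returned the same identifier."""
    ids = [session(WELCOME) for _ in range(rounds)]
    return len(set(ids)) < len(ids)

def traceable(real_factory, ideal_factory, trials=5):
    """Bounded check of system ≈ system': the protocol is traceable when the
    probe distinguishes the real system from the ideal one."""
    return any(probe(real_factory()) != probe(ideal_factory())
               for _ in range(trials))
```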
Basic Access Control (BAC)
Passport and Reader share (KE, KM).
    Passport: NT, KT ∈R {0,1}^64
    Reader:   NR, KR ∈R {0,1}^64
    Reader   → Passport:  get challenge
    Passport → Reader:    NT
    Reader   → Passport:  {NR, NT, KR}_KE, MAC_KM({NR, NT, KR}_KE)
    Passport → Reader:    {NT, NR, KT}_KE, MAC_KM({NT, NR, KT}_KE)
    Both compute Kseed = KT ⊕ KR
The French implementation of BAC
Passport and Reader share (KE, KM).
    Passport: NT, KT ∈R {0,1}^64
    Reader:   NR, KR ∈R {0,1}^64
    Reader   → Passport:  get challenge
    Passport → Reader:    NT
    Reader   → Passport:  {NR, NT, KR}_KE, MAC_KM({NR, NT, KR}_KE)
    The passport then checks the message:
      if the MAC check fails:     Passport → Reader:  mac_err
      if the nonce check fails:   Passport → Reader:  nce_err
      else:                       Passport → Reader:  {NT, NR, KT}_KE, MAC_KM({NT, NR, KT}_KE), and both compute Kseed = KT ⊕ KR
An attack on the French e-passport (part 1)
The attacker eavesdrops on Alice using her passport (Passport and Reader share (KE, KM); Passport picks NT, KT; Reader picks NR, KR):
    Reader   → Passport:  get challenge
    Passport → Reader:    NT
    Reader   → Passport:  M = {NR, NT, KR}_KE, MAC_KM({NR, NT, KR}_KE)
and records message M.
An attack on the French e-passport (part 2)
The attacker, playing the reader, later runs the protocol with an unknown passport ???? holding keys (KE', KM'):
    ????:     NT', KT' ∈R {0,1}^64
    Attacker → ????:  get challenge
    ???? → Attacker:  NT'
    Attacker → ????:  M = {NR, NT, KR}_KE, MAC_KM({NR, NT, KR}_KE)   (the recorded message)
Case 1: the MAC check fails, ???? → Attacker: mac_err.
    MAC check failed ⇒ KM ≠ KM' ⇒ KM is not ????'s key ⇒ ???? is not Alice
Case 2: the MAC check passes but the nonce check fails, ???? → Attacker: nce_err.
    MAC check passed ⇒ KM = KM' ⇒ KM is ????'s key ⇒ ???? is Alice
In the ideal version of the protocol, message nce_err is never output.
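The following Python model is an added example, not from the slides or the e-passport implementation: it shows the passport's handling of the reader's third message in the French variant (distinct mac_err / nce_err answers) beside the ideal variant, in which both failures yield one answer so the recorded message M draws the same reply from any passport. The cipher is a constructed stand-in (XOR with a SHA-256 keystream), the MAC is HMAC-SHA256, and all names are the example's own.

```python
# Added example (not from the slides): a toy model of how the passport handles
# the reader's message {NR, NT, KR}_KE, MAC_KM(...).  Encryption is a
# constructed stand-in (XOR with a SHA-256 keystream); only the error
# handling matters here, not the cipher.
import hashlib
import hmac
import os
from collections import namedtuple

Keys = namedtuple("Keys", "ke km")     # (KE, KM) shared by passport and reader

def enc(ke, plain):                     # toy {.}_KE for inputs up to 32 bytes
    stream = hashlib.sha256(ke).digest()
    return bytes(p ^ s for p, s in zip(plain, stream))

dec = enc                               # XOR is its own inverse

def mac(km, data):                      # MAC_KM(.)
    return hmac.new(km, data, hashlib.sha256).digest()

def reader_message(keys, nt, nr, kr):
    """The reader's message: {NR, NT, KR}_KE together with its MAC."""
    c = enc(keys.ke, nr + nt + kr)
    return c, mac(keys.km, c)

def passport_french(keys, nt, msg):
    """French implementation: separate errors for MAC and nonce failures."""
    c, m = msg
    if not hmac.compare_digest(mac(keys.km, c), m):
        return "mac_err"
    nr, nt_recv, kr = (dec(keys.ke, c)[i:i + 8] for i in (0, 8, 16))
    if nt_recv != nt:
        return "nce_err"
    return "ok"

def passport_uniform(keys, nt, msg):
    """Ideal version: one error for every failure, so a wrong key and a
    stale nonce are indistinguishable to the sender of the message."""
    return "ok" if passport_french(keys, nt, msg) == "ok" else "err"

def replay_responses(passport):
    """Replies of Alice's passport and of a stranger's passport when the
    message M recorded in Alice's session is replayed under a fresh
    challenge NT'.  Two different replies mean the sessions are linkable."""
    alice = Keys(os.urandom(16), os.urandom(16))
    other = Keys(os.urandom(16), os.urandom(16))
    nt = os.urandom(8)
    recorded = reader_message(alice, nt, os.urandom(8), os.urandom(8))
    nt_fresh = bytes(b ^ 0xFF for b in nt)          # guaranteed to differ from NT
    return passport(alice, nt_fresh, recorded), passport(other, nt_fresh, recorded)
```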
Ongoing and future work
1. Weak untraceability? −→ Strong untraceability ⇒ Weak untraceability
2. Anonymity? −→ untraceability ⇒ anonymity
3. Case studies
   −→ The British e-passport is expected to satisfy untraceability
   −→ Attack and fix of the DAA protocol