Protocols are Programs Too: Using GAs to Evolve Secure Protocols. John A Clark, Dept. of Computer Science, University of York, UK, jac@cs.york.ac.uk. Seminal Presentation 2.03.00

Post on 21-Dec-2015


TRANSCRIPT

Page 1:

Protocols are Programs Too: Using GAs to Evolve Secure Protocols
John A Clark
Dept. of Computer Science, University of York, UK
jac@cs.york.ac.uk
Seminal Presentation 2.03.00

Page 2:

Overview
- Motivation
- Introduction to heuristic optimisation techniques
- Creating security protocols

Page 3:

Motivation
- Search techniques such as simulated annealing and genetic algorithms have proved hugely successful across many domains
  - a major success story of computer science
- They have seen little application to cryptology
  - most work has been concerned with breaking classical permutation and substitution ciphers (easy)
  - very little application to modern-day cryptology (hard)
- I want to attack this lack of interest systematically.
- Aim: to show the possibilities at a very high level of abstraction

Page 4:

Heuristic Optimisation
(Local search via simulated annealing as an example)

Page 5:

Local Optimisation - Hill Climbing

[Figure: a plot of $z(x)$ against $x$, marking the points $x_0$, $x_1$, $x_2$, $x_3$ and $x_{opt}$]

The neighbourhood of a point $x$ might be $N(x) = \{x+1, x-1\}$. The hill-climb goes $x_0 \to x_1 \to x_2$ since $f(x_0) < f(x_1) < f(x_2) > f(x_3)$, and gets stuck at $x_2$ (a local optimum). We really want to obtain $x_{opt}$.

Page 6:

Simulated Annealing

[Figure: the same plot of $z(x)$ with a search trajectory $x_0, x_1, \ldots, x_{13}$ that descends into a valley and climbs out again]

Allows non-improving moves, so that it is possible to go down in order to rise again and reach the global optimum.

In practice the neighbourhood may be very large and the trial neighbour is chosen randomly. It is possible to accept a worsening move when improving ones exist.

Page 7:

Simulated Annealing
- Improving moves always accepted
- Non-improving moves may be accepted probabilistically and in a manner depending on the temperature parameter T. Loosely:
  - the worse the move, the less likely it is to be accepted
  - a worsening move is less likely to be accepted the cooler the temperature
- The temperature T starts high and is gradually cooled as the search progresses.
- Initially virtually anything is accepted; at the end only improving moves are allowed (and the search effectively reduces to hill-climbing)

Page 8:

Simulated Annealing
Current candidate x. Minimisation formulation.

    x_current = x_0
    Temp = T_0
    Until frozen do
        Do 400 times
            y = generateNeighbour(x_current)
            delta = f(y) - f(x_current)
            if delta < 0 then accept: x_current = y
            else if U(0,1) < exp(-delta / Temp) then accept: x_current = y
            else reject
        Temp = 0.95 * Temp
    Solution is best so far

- At each temperature consider 400 moves
- Always accept improving moves
- Accept worsening moves probabilistically. Gets harder to do this the worse the move. Gets harder as Temp decreases.

Temperature cycle

Page 9:

Simulated Annealing

[Figure: the temperature cycle]
T = 100
Do 400 trial moves; T = 0.95 T
Do 400 trial moves; T = 0.95 T
Do 400 trial moves; T = 0.95 T
...
Do 400 trial moves; T = 0.95 T
until T = 0.00001 (frozen)
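The hill-climber of Page 5 and the annealing schedule of Pages 8 and 9 (400 trial moves per temperature, Temp := 0.95 Temp, starting at 100 and frozen at 0.00001) in Python, as an added example that is not part of the original slides. The landscape f over the integers 0..31, with its local minimum at 6 and global minimum at 24, is constructed for the illustration, so that hill-climbing gets stuck where annealing escapes.

```python
import math
import random

# Constructed toy landscape: minimise f over the integers 0..31.  It has a local
# minimum at x=6 (f=10) and the global minimum at x=24 (f=0), with a ridge at x=15.
LOW, HIGH = 0, 31

def f(x: int) -> int:
    return min((x - 6) ** 2 + 10, (x - 24) ** 2)

def neighbours(x: int) -> list:
    """Neighbourhood N(x) = {x+1, x-1}, clipped to the search range."""
    return [n for n in (x - 1, x + 1) if LOW <= n <= HIGH]

def hill_climb(x: int) -> int:
    """Page 5: move to a better neighbour while one exists; stops at the first local minimum."""
    while True:
        better = [n for n in neighbours(x) if f(n) < f(x)]
        if not better:
            return x
        x = min(better, key=f)

def anneal(x0: int, seed: int = 1, t0: float = 100.0, alpha: float = 0.95,
           moves: int = 400, t_frozen: float = 0.00001) -> int:
    """Pages 8-9: simulated annealing, minimisation formulation.  400 trial moves per
    temperature, Temp := 0.95 Temp, frozen once Temp falls below 0.00001."""
    rng = random.Random(seed)   # fixed seed so that a run is reproducible
    x, best, temp = x0, x0, t0
    while temp > t_frozen:
        for _ in range(moves):
            y = rng.choice(neighbours(x))       # trial neighbour chosen randomly
            delta = f(y) - f(x)                 # delta < 0 means y is an improvement
            # improving moves always accepted; worsening ones with prob exp(-delta/Temp),
            # which shrinks both as the move gets worse and as Temp cools
            if delta < 0 or rng.random() < math.exp(-delta / temp):
                x = y
                if f(x) < f(best):
                    best = x                    # the solution is the best seen so far
        temp *= alpha
    return best
```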

Page 10:

Genetic Algorithms: Simple Example

The problem is: maximise the function g(x) = x over the integers 0..15.

We shall now show how genetic algorithms might find this solution.

Let's choose the obvious binary encoding of the integer solution space:
x=0 has encoding 0000; x=5 has encoding 0101; x=15 has encoding 1111

Choose the obvious fitness function, fitness(x) = g(x) = x

Page 11:

Genetic Algorithms: Simple Example

Randomly generate initial population:
  a  0100  4
  b  0011  3
  c  0011  3
  d  0010  2
  total fitness 12

Randomly select 4 of these solutions according to fitness, e.g. b, a, a, c:
  a  0011  3
  b  0100  4
  c  0100  4
  d  0011  3
  total fitness 14

Randomly choose pairs to mate, e.g. (a,b) and (c,d), with random cross-over points and swap right parts of genes:
  a  0000  0
  b  0111  7
  c  0101  5
  d  0010  2
  total fitness 14

Also allow bits to 'flip' occasionally, e.g. first bit of d. This allows a 1 to appear in the first column:
  a  0000  0
  b  0111  7
  c  0101  5
  d  1010  10
  total fitness 22

Now have a radically fitter population, so continue to cycle.

Page 12:

General Iteration

We now have our new generation, which is subject to selection, mating and mutation again ... until some convergence criterion is met.

In practice it's a bit more sophisticated, but the preceding slide gives the gist.

Genetic algorithms have been found to be very versatile. One of the most important heuristic techniques of the past 30 years.
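The four-bit example of Pages 10 and 11 as a small Python GA, added here and not the author's code: fitness-proportionate (roulette) selection, one-point cross-over that swaps the right-hand parts of the genes, and occasional bit flips. The population size of 4 is the slide's; the per-bit mutation rate of 0.1, the 500-generation limit and the fixed seed are assumptions.

```python
import random

BITS = 4  # search space: the integers 0..15, maximise g(x) = x

def encode(x: int) -> str:
    return format(x, f"0{BITS}b")          # e.g. 5 -> "0101"

def fitness(chrom: str) -> int:
    return int(chrom, 2)                    # fitness(x) = g(x) = x

def select(pop, rng, k):
    """Roulette-wheel selection of k chromosomes according to fitness, with replacement."""
    weights = [fitness(c) for c in pop]
    if sum(weights) == 0:                   # all-zero population: nothing to weight by
        return [rng.choice(pop) for _ in range(k)]
    return rng.choices(pop, weights=weights, k=k)

def crossover(p1: str, p2: str, point: int):
    """One-point cross-over: swap the right-hand parts of the two parents after `point`."""
    return p1[:point] + p2[point:], p2[:point] + p1[point:]

def mutate(chrom: str, rng, rate: float) -> str:
    """Flip each bit independently with probability `rate`."""
    return "".join(b if rng.random() >= rate else "10"[int(b)] for b in chrom)

def evolve(pop, seed=1, max_gens=500, rate=0.1):
    """Cycle selection, mating and mutation until 1111 appears or max_gens is reached.
    Assumes an even population size; returns the best fitness seen."""
    rng = random.Random(seed)
    best = max(fitness(c) for c in pop)
    for _ in range(max_gens):
        if best == 2 ** BITS - 1:
            break                           # convergence criterion: optimum found
        mates = select(pop, rng, len(pop))
        children = []
        for a, b in zip(mates[0::2], mates[1::2]):
            children.extend(crossover(a, b, rng.randrange(1, BITS)))
        pop = [mutate(c, rng, rate) for c in children]
        best = max(best, max(fitness(c) for c in pop))
    return best
```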

Page 13:

Making Protocols with Heuristic Optimisation

Page 14:

Security Protocols
- Examples: secure session key exchange, "I am alive" protocols, various electronic transaction protocols.
- Probably the highest profile area of academic security research.
- Problems: rather hard to get right. "We cannot even get three-line programs right"
- Major impetus given to the area by Burrows, Abadi and Needham's belief logic, "BAN logic".

Page 15:

BAN Logic
- Allows the assumptions and goals of a protocol to be stated abstractly in a belief logic.
- Messages contain beliefs actually held by the sender.
- Rules govern how the receiver may legitimately update his belief state when he receives a message.
- Protocols are series of messages. At the end of the protocol the belief states of the principals should contain the goals.

Page 16:

BAN Logic
Basic elements
- $P \stackrel{K}{\leftrightarrow} Q$: K is a good key for communicating between P and Q
- $N_P$: $N_P$ is a well-typed 'nonce', a number to be used only once in the current protocol run, e.g. a randomly generated number used as a challenge.
- $\#(N_P)$: $N_P$ is 'fresh' (#), meaning that it really is a valid 'nonce'
- P, Q stand for arbitrary protocol principals

Page 17:

BAN Logic
- $P \mid\equiv X$: P believes X. The general idea is that principals should only issue statements they actually believe. Thus, P might have believed that the number $N_a$ was fresh yesterday and said so, but it would be wrong to conclude that he believes it now. If the message is recent (see later) then we might conclude he believes it.
- $P \mid\sim X$: P once said X, i.e. has issued a message containing X at some point
- $P \Rightarrow X$: P has jurisdiction over X. This captures the notion that P is an authority about the statement X. If you believe P believes X and you trust him on the matter, then you should believe X too (see later)

Page 18:

BAN Logic - Assumptions and Goals

Assumptions:
$A \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S$, $S \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S$, $S \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B$
$A \mid\equiv \#(N_a)$, $A \mid\equiv S \Rightarrow A \stackrel{K_{ab}}{\leftrightarrow} B$

Goal: $A \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B$

- A and S share common belief in the goodness of the key Kas and so they can use it to communicate. S also believes that the key Kab is a good session key for A and B.
- A has a number Na that he also believes is fresh, and believes that S is the authority on statements about the goodness of key Kab.
- The goal of the protocol is to get A to believe the key Kab is good for communication with B.

Page 19:

BAN Logic – Message Meaning Rule

$$\frac{P \mid\equiv Q \stackrel{K}{\leftrightarrow} P, \quad P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$$

If P sees X encrypted using key K, and P believes that key K is shared securely only with principal Q, then P should believe that Q once uttered or 'once said' X.

[Figure: Q's belief state contains X; Q sends $\{X\}_K$ to P; P's belief state, containing $Q \stackrel{K}{\leftrightarrow} P$, gains $Q \mid\sim X$]

Page 20:

BAN Logic – Nonce Verification Rule

$$\frac{P \mid\equiv \#(X), \quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$$

If P believes that Q once said X, and P believes that X is 'fresh', then P should believe that Q currently believes X.

This rule promotes 'once saids' to actual beliefs.

[Figure: P's belief state, containing $\#(X)$ and $Q \mid\sim X$, gains $Q \mid\equiv X$]

Page 21:

BAN Logic – Jurisdiction Rule

$$\frac{P \mid\equiv Q \Rightarrow X, \quad P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$$

If P believes that Q has jurisdiction over X, and P believes Q believes X, then P should believe X too.

[Figure: P's belief state, containing $Q \Rightarrow X$ and $Q \mid\equiv X$, gains X]

- Jurisdiction captures the notion of being an authority.
- A typical use would be to give a key server authority over statements of belief about keys.
- If I believe that a key is good and you reckon I am an authority on such matters, then you should believe the key is good too.

Page 22:

Messages as Integer Sequences

A message is encoded as the integer sequence: sender, Belief_1, receiver, Belief_2.

Say 3 principals P, Q and S: P=0, Q=1, S=2.

Message components are beliefs in the sender's current belief state (and so if P has 5 beliefs, integers are interpreted modulo 5).

P's belief state, indexed:
  0: $P \stackrel{K}{\leftrightarrow} Q$
  1: $\#(N_P)$
  2: $N_P$
  3: $Q \mid\sim X$
  4: null

Example: the sequence 21 8 19 12 decodes as sender = 21 mod 3 = 0 (P), Belief_1 = 8 mod 5 = 3 ($Q \mid\sim X$), receiver = 19 mod 3 = 1 (Q), Belief_2 = 12 mod 5 = 2 ($N_P$), i.e. the message P → Q: $Q \mid\sim X$, $N_P$.

Page 23:

Search Strategy
- We can now interpret sequences of integers as valid protocols.
- Interpret each message in turn, updating belief states after each message. This is the execution of the abstract protocol.
- Every protocol achieves something! The issue is whether it is something we want!
- We also have a move strategy for the search, e.g. just randomly change an integer element. This can change the sender, receiver or specific belief of a message (and indeed of subsequent ones).

Page 24:

Fitness Function
- We need a fitness function to capture the attainment of goals.
- Could simply count the number of goals attained at the end of the protocol.
- In practice this is awful. A protocol that achieves a goal after 6 messages would be 'as good as' one that achieved a goal after 1 message.
- Much better to reward the early attainment of goals in some way.
- Have investigated a variety of strategies.

Page 25:

Fitness Functions

$\mathrm{Fitness}(protocol)$ is given by

$$\mathrm{Fitness}(protocol) = \sum_{mess=1}^{m} w_{mess} \times \mathrm{GoalsAchievedAfter}(mess)$$

One strategy (uniform credit) would be to make all the weights the same. Note that credit is cumulative: a goal achieved after the first message is also achieved after the second and third and so on.
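Pages 22 to 25 combined in one added Python example, constructed for this transcript and not the paper's implementation: messages are integer tuples decoded modulo the number of principals and the sender's belief count, each message is executed with the message meaning, nonce verification and jurisdiction rules, and the weighted cumulative fitness is computed over the resulting belief states. The tuple encoding of beliefs, the assumption that every message travels under a key both ends believe they share, and the extra B-S key Kbs are assumptions; the A/S assumptions and the goal are those of Page 18.

```python
# Constructed example (not the paper's code): abstract BAN execution of integer-encoded protocols.
PRINCIPALS = ["A", "B", "S"]  # integer 0 = A, 1 = B, 2 = S, as on the slide
# Belief terms: ('good_key',K,P,Q) ('fresh',N) ('said',Q,X) ('believes',Q,X) ('jurisdiction',Q,X)
def mentions(term, nonce):
    """True if the nonce name occurs anywhere inside a (nested) belief term."""
    return term == nonce or (isinstance(term, tuple) and any(mentions(t, nonce) for t in term))

def shared_key(state, p, q):
    """Is there a key p believes good for p<->q that q believes good as well?"""
    return any(b[0] == "good_key" and {b[2], b[3]} == {p, q} and b in state[q] for b in state[p])

def add(beliefs, b):
    if b not in beliefs:  # ordered list: integer indices into it stay meaningful
        beliefs.append(b)

def step(state, message):
    """Interpret one message (sender, receiver, component indices...): sender and receiver modulo
    the number of principals, components modulo the sender's belief count, so any integers are valid."""
    snd = PRINCIPALS[message[0] % len(PRINCIPALS)]
    rcv = PRINCIPALS[message[1] % len(PRINCIPALS)]
    comps = [state[snd][i % len(state[snd])] for i in message[2:]] if state[snd] else []
    # Assumed: the message is sent under a key both ends believe they share; else message meaning fails.
    if snd == rcv or not shared_key(state, snd, rcv):
        return
    rb = state[rcv]
    fresh = any(mentions(c, b[1]) for b in rb if b[0] == "fresh" for c in comps)
    for c in comps:
        add(rb, ("said", snd, c))                # message meaning:     rcv |≡ snd |~ c
        if fresh:                                # nonce verification:  rcv |≡ snd |≡ c
            add(rb, ("believes", snd, c))
            if ("jurisdiction", snd, c) in rb:   # jurisdiction:        rcv |≡ c
                add(rb, c)

def fitness(protocol, initial, goals, weights=None):
    """Sum over messages m of w_m * (goals achieved after m); credit is cumulative."""
    state = {p: list(bs) for p, bs in initial.items()}
    total = 0
    for m, msg in enumerate(protocol):
        step(state, msg)
        total += (weights[m] if weights else 1) * sum(g in state[p] for p, g in goals)
    return total

# Slide 18 assumptions, plus a B<->S key so that B can take part (constructed).
KAB = ("good_key", "Kab", "A", "B")
INITIAL = {"A": [("good_key", "Kas", "A", "S"), ("fresh", "Na"), ("jurisdiction", "S", KAB)],
           "S": [("good_key", "Kas", "A", "S"), ("good_key", "Kbs", "B", "S"), KAB],
           "B": [("good_key", "Kbs", "B", "S")]}
GOAL = ("A", KAB)
KEY_EXCHANGE = [(0, 2, 1), (2, 0, 2, 3)]  # A->S: {Na}; S->A: {Kab good for A,B ; A once said Na}
```

The last three assertions in the usage below matter most: dropping the first message leaves A without a fresh nonce, so nothing is promoted beyond 'once said'; changing one integer of the second message turns the receiver into B and the goal is lost; and a protocol that reaches the goal one message earlier scores more under uniform credit.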

Page 26:

Examples

1. $A \rightarrow S$: $\{N_a\}_{K_{as}}$
2. $S \rightarrow A$: $\{A \mid\sim N_a,\ A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{as}}$
3. $B \rightarrow S$: $\{N_b\}_{K_{bs}}$
4. $S \rightarrow B$: $\{A \mid\sim N_a,\ B \mid\sim N_b,\ A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$
5. $B \rightarrow A$: $\{A \mid\sim N_a,\ N_b,\ A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{ab}}$
6. $A \rightarrow B$: $\{B \mid\sim N_b,\ A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{ab}}$

One of the assumptions made was that B would take S's word on whether $A \mid\sim N_a$.

Page 27:

Examples

1. $A \rightarrow S$: $\{N_a\}_{K_{as}}$
2. $B \rightarrow S$: $\{N_b\}_{K_{bs}}$
3. $S \rightarrow A$: $\{A \mid\sim N_a,\ B \mid\sim N_b,\ A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{as}}$
4. $S \rightarrow B$: $\{B \mid\sim N_b,\ A \mid\sim N_a,\ A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$
5. $A \rightarrow B$: $\{B \mid\sim N_b,\ N_a,\ A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{ab}}$
6. $B \rightarrow A$: $\{A \mid\sim N_a,\ A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{ab}}$

Page 28:

General Observations
- Able to generate protocols whose abstract executions are proofs of their own correctness.
- Have done so for protocols requiring up to 9 messages to achieve the required goals.
- Another method for protocol synthesis is search via model checking. Exhaustive, but limited to short protocols.
- Limited by the power of the logic used.
- Can generalise the notion of fitness function to include aspects other than correctness (e.g. amount of encryption).

Page 29:

General Observations
- In a sense there is a notion of progress implicit in the idea of a protocol. Gradually a protocol moves towards its eventual goals. Seems sensible to adopt a guided search rather than an enumerative type of search.
- Nothing to stop you using model checking as an analysis technique after generating examples using guided search.
- Generally capable of generating example protocols in under a minute (1.8 GHz PC).
- Real need to increase the power of the logic.
- Believe that this is the most abstract application of heuristic search in cryptology.

Page 30:

Conclusions
- A highly novel application. Well received: paper accepted to IEEE Symposium on Security and Privacy 2000. Journal paper in preparation.
- Extensible. Very easy to incorporate additional criteria.
- Shows that in a subject that is right at the heart of formal methods research, heuristic search can make a real contribution.