A Formal Theory of Key Conjuring eronique Cortier LORI - PDF document

AFormalTheoryofKeyConjuringV´eroniqueCortierLORIA,ProjetCassisCNRS&INRIAcortier@loria.frSt´ephanieDelauneLORIA,ProjetCassisCNRS&INRIAdelaune@lsv.ens-cachan.frGrahamSteelSchoolofInformaticsUniversityofEdinburghgraham.steel@ed.ac.ukAbstractKeyconjuringistheprocessbywhichanattackerob-tainsanunknown,encryptedkeybyrepeatedlycallingacryptographicAPIfunctionwithrandomvaluesinplaceofkeys.Weproposeaformalismfordetectingcomputation-allyfeasiblekeyconjuringoperations,incorporatedintoaDolev-YaostylemodelofthesecurityAPI.Weshowthatsecurityinthepresenceofkeyconjuringoperationsisde-cidableforaparticularclassofAPIs,whichincludesthekeymanagementAPIofIBM'sCommonCryptographicAr-chitecture(CCA).1IntroductionCryptographicsecurityAPIsaresetsoffunctionsde-signedtofacilitatethesecuregeneration,storage,useanddestructionofcryptographickeys.SecurityAPIsfortamper-resistanthardwaredevicestypicallymanagekeysbykeepingasecretmasterkeyinsidethedevice.Thisisusedtoencryptalltheworkingkeysusedforoperationalfunc-tions,sothattheycanbesecurelystoredoutsidethedevice.Onetechniqueusedbyattackersattemptingtobreachsecu-rityistotrycallingAPIfunctionswithrandomvaluesintheplaceofencryptedkeys,toseeiftheyareallowedtopass,orwhetherthedevicesignalsanerror.Thisprocessisknownaskeyconjuring[1].Learningtheencryptedvalueofakeymightnotseemuseful,butseveralattackshavebeenpre-sentedthatleveragethistrickinordertocompromisethesecurityofanAPI[1,4,3].ApromisingapproachtosecurityAPIanalysisinvolvesadaptingDolev-Yaostyleprotocolanalysistechniques[10],wheredetailsofcryptographicalgorithmsusedareab-stractedawayandalogicalmodelisconstructed,withrulesdescribingtheoperationsoftheintruderandprotocol.This ThisworkhasbeenpartlysupportedbytheRNTLprojectPOSE,theACIJeunesChercheursJC9005,andEPSRCprojectAutomatedAnalysisofSecurityCriticalSystems,grantnumberGR/S98139/01.canbeadaptedquitenaturallytoAPIanalysisbyconsider-ingtheAPItobeasetof2-partyprotocols,eachdescrib-inganexchangebetweenthesecurehardwaremoduleandthehostmachine[12,14,8].However,inpreviouswork,thekeyconjuringtrickwastreatedinanad-hocfashion,byaddinganumberofpre-chosenkeystotheintruder'sinitialknowledge[12,14,8],orbyaddingaruletoallowparticu-larkeystobeconjured[11].Thisraisesdoubtsaboutcom-pletenessofthesearchforattacks,andhencethestrengthofanyproofsofsecurity.Theaimoftheworkinthispaperistoaddressthisprob-lembyproposingaformalmodelthatidentiesallcom-putationallyfeasiblekeyconjuringoperations,andallowsthesetobeincorporatedintoaDolev-YaostylemodelforsecurityanalysisoftheAPI.Weproposeatransformationthatautomaticallycomputesallthepossiblewaysofper-formingkeyconjuringfromtheAPIrules.Ourtransforma-tiontakesasinputasetofformalrulesrepresentingthebe-haviourofanAPIandoutputsnewformalrulesrepresent-ingkeyconjuring.Inthismanner,weeliminatetheneedfortheusertogeneratekeyconjuringrulesbyhand.Asfarasweareaware,thispaperpresentstherstformaltreatmentthatallowsanexhaustivesetofkeyconjuringrulestobeobtained.OursecondmaincontributionistoshowdecidabilityofthesecurityofAPIs(expressedasareachabilityproperty),inthepresenceofkeyconjuring,foraclassofAPIsthatincludesforexamplethesymmetrickeymanagementAPIofIBM'sCommonCryptographicArchitecture(CCA).Inparticular,itrequiresconsiderationofthealgebraicprop-ertiesoftheExclusiveOroperation.Ourdecidabilityre-sultholdsforanunlimitednumberofsessions,thoughwedoboundthenumberoftimeskeyconjuringoperationsareused.Indeed,itwouldnotberealistictoallowtheintrudertoconjureasmanykeysashewishessinceitrequiresasig-nicantamountofaccesstotheAPI.Thisclassisrelatedtotheclassproposedin[8],withtwomaindifferences.First,weconsiderexplicitdecryption,sinceitwasmoreappro-priateformodellingkeyconjuring,anditreectsbettertheimplementation.Second,wehavetoconsiderkeyconjuring ruleswhichintroducefreshnonces.AprecisecomparisoncanbefoundinSection6.5.Intherestofthepaper,werstexplainthepurposeandoperationofsecurityAPIs,anddeneourformalismfordescribingthem(Section2).Wethenproposeatransfor-mationforkeyconjuringinSection3.InSection4,weex-plainthesecurityproblemweareinterestedin,anddenearestrictedclassofAPIs,arguingthattheserestrictionsarequitenatural.InSection5weshowthatcertainclassesofkeyconjuringoperationsareofnousetotheintruder,andneednotbeconsideredinaformalmodel.Wethenshow(Section6)thatsecurityforourclassofAPIsisdecidableinthepresenceofkeyconjuringoperations.Theclassin-cludesourmotivatingexample,thekeymanagementAPIoftheIBM4758HardwareSecurityModule,whichwasshowntobevulnerabletokeyconjuringattacksbyBondin[1].Weconclude,withadiscussionoffuturework,inSection7.Duetolackofspace,someproofsareomittedandcanbefoundin[7].2BackgroundInthissection,werstexplainwhatasecurityAPIis,beforegoingontodenetheconceptmoreformally.2.1SecurityAPIsThepurposeofasecurityapplicationprograminter-face(API)istoallowuntrustedcodetoaccesssensitiveresourcesinasecureway.Hardwaresecuritymodules(HSMs),forexample,havesecurityAPIswhichcontrolac-cesstothecryptoprocessorandmemoryinsidethemod-ule.ThisallowstheAPItomanageaccesstocryptographickeys.HSMsaredeployedinsecuritycriticalenvironmentssuchasthecashmachinenetwork,wheretheyareusedtoprotectcustomersPINsandothersensitivedata.Theytypicallyconsistofacryptoprocessorandasmallamountofmemoryinsideatamper-proofenclosure.Theyarede-signedsothatshouldanintruderopenthecasingorinsertprobes,thememorywillauto-eraseinamatterofnanosec-onds.InatypicalATMnetworkapplication,allencryp-tion,decryptionandvericationofPINstakesplaceinsidetheHSM.Manydifferentcryptographickeyswillbeusedfortheseoperations.IBM's4758CCA1API[2]partitionskeysintovarioustypes,suchasdatakeys,PINderivationkeys,importkeysandexportkeys.Eachtypehasanas-sociatedpubliccontrolvector.TheHSMstoresamasterkeyinitstamper-proofmemory.ThekeystheHSMusesforitsvariousoperations,calledworkingkeys,arestoredoutsidetheHSMencryptedunderthemasterkeyXORed 1CCAstandsfor`CommonCryptographicArchitecture',while4758isthemodelnumberoftheHSM.Seehttp://www-3.ibm.com/security/cryptocards/pcicc.shtmlagainsttheappropriatecontrolvectorforthekeytype.Forexample,adatakeywouldbeencryptedunderkmdata.2WorkingkeyscanthenonlybeusedbysendingthembackintotheHSMunderanappropriateAPIcommand.OnlyparticulartypesofkeyswillbeacceptedbytheHSMforparticularoperations.Forexample,datakeyscanbeusedtoencryptarbitrarymessages,butso-calledPINDerivationKeys(PDKs,withcontrolvectorpin)cannot.Thisiscriti-calforsecurity:acustomer'sPINisjusthisaccountnumberencryptedunderaPINderivationkey.In2001,Bonddis-coveredattacksinwhichtheintruderusesAPIcommandstochangethetypeofakey,exploitingthealgebraicproper-tiesofXOR[1].TheattackallowsaPINderivationkeytobeconvertedintoadatakey,whichcanthenbeusedtoen-cryptdata.HencetheattackallowstheintrudertogenerateaPINforanyaccountnumber.FormalworkontheCCArstconcentratedonrediscov-eringtheattacksontheoriginalversionoftheAPI[12,14],andthenonprovingbothBond'sproposedxes[9],andthexesIBMactuallyimplemented[8],tobesecure.However,theseworksmadeaninformalapproximationoftheabilityoftheintruderto`conjure'keys,atrickusedseveraltimesinBond'sattacks.Toexplainpreciselywhatkeyconjuringis,werstneedtodenesomenotation.2.2DenitionsWenowdeneour(mostlystandard)notationforreason-ingaboutAPIs,andthendenetheclassofAPIsconsideredinthispaper.Cryptographicprimitivesarerepresentedbyfunctionalsymbols.Morespecically,weconsiderasignaturewhichconsistsofaninnitenumberofconstantsincludingaspecialconstant0andthreenonconstantsymbolsf g (encryption),dec(decryption)and(XORing)ofarity2.WealsoassumeaninnitesetofvariablesX.Thesetofterms,denotedbyT(;X),isdenedinductivelybyT::=termsxvariablexjf(T1;:::;Tn)functionapplicationwherefrangesoverthefunctionsofandnmatchesthearityoff.Forinstance,thetermfmgkisintendedtorep-resentthemessagemencryptedwiththekeyk(usingsym-metricencryption)whereasthetermm1m2representsthemessagem1XORedwiththemessagem2.Thecon-stantsmayrepresentcontrolvectorsorkeysforexample.Werelyonasortsystemforterms.Termswhichrespectthissort-systemaresaidtobewell-typed.ItincludesasetofbasetypeBaseandasetofciphertexttypeCipher.Wehavevariablesandconstantsofbothtypes.Moreoverwe 2representsbitwiseXOR. assumethatourfunctionsymbolshavethefollowingtype::BaseBase!Basef g :BaseBase!Cipherdec:CipherBase!BaseApuretermtisawell-typedtermwhoseonlyencryptionsymbol(whensuchasymbolexists)isatitsrootposition.Wesaythatatermtisheadedwithfifitsrootsymbolisf.Thesetofvariablesoccurringintisdenotedvars(t).Wedenotebyst(t)thesetofsubtermsoft.Thisnotationisextendedasexpectedtosetofterms.Atermisgroundifithasnovariable.Substitutionsarewritten=fx17!t1;:::;xn7!tngwithdom()=fx1;:::;xng.Asubsti-tutionisgroundifallofthetiareground.Theapplicationofasubstitutiontoatermtiswrittent.WeequipthesignaturewithanequationaltheoryEAPIthatmodelsthealgebraicpropertiesofouroperators:EAPI:=8:fdec(x;y)gy=xx0=xdec(fxgy;y)=xxx=0x(yz)=(xy)zxy=yxItdenesanequivalencerelationthatisclosedundersubstitutionsoftermsforvariablesandunderapplicationofcontexts.Inparticular,wesaythattwotermst1andt2areequal,denotedbyt1=EAPIt2iftheyareequalmod-ulotheequationaltheoryEAPI.Iftwotermsareequalusingonlytheequationsofthelastline(resp.involving),wesaythattheyareequalmoduloAssociativityandCommu-tativity(AC)(resp.moduloXor).IntheCCAAPI,asinmanyothers,symmetrickeysaresubjecttoparitychecking.The4758usestheDES(and3DES)algorithmforsymmetrickeyencryption.A(singlelength)DESkeyconsistsof64bitsintotal,whichisdividedintoeightgroups,eachconsistingofsevenkeybitsandoneassociatedparitybit.Foranoddparitykey,eachparitybitmustbesetsothattheoverallparityofitsgroupisodd.Foranevenparitykey,theparitybitsmustbesetsothatallgroupsareofevenparity.Ifthegroupshavemixedparities,thenthekeyisofundenedparityandconsideredinvalid.TheCCAAPIchecksthatallDESkeysareofoddparity,andallcontrolvectorsareeven,sothatakeyXORedagainstacontrolvectorwillgiveanotheroddparitykey.Thesepar-ityconsiderationsareimportantforouranalysisofkeycon-juring,andarerepresentedinourformalismbyoccurrencesofthepredicatesymbolschkEvenandchkOdd,eachhavingatermasargument.Intuitively,chkOdd(t)meansthatthasanoddparity.Amongtheconstantsin,somehaveapar-ity.Bydefault(noexplicitparitygiventoaconstant),wewillassumethatsuchaconstanthasnoparity.Moreover,wehavesomerulestoinferparityfromknownfacts,whichare:chkEven(x1);chkEven(x2)!chkEven(x1x2)chkOdd(x1);chkOdd(x2)!chkEven(x1x2)chkEven(x1);chkOdd(x2)!chkOdd(x1x2)Intrudercapabilitiesandtheprotocolbehaviourarede-scribedusingrulesasdenedbelow.Denition1(APIrule)AnAPIruleisaruleoftheformchk1(u1);:::;chkk(uk);x1;:::;xn!t,wherex1;:::;xnarevariables,tisatermsuchthatvars(t)fx1;:::;xng,u1;:::;ukaretermsofBasetypenotheadedwith,chki2fchkOdd;chkEveng,1ik.Wealsoassumethattheruleonlyinvolvespureterms.Thethirdconditionmightseemrestrictive.However,itmerelyrequiresthatwecheckeachcomponentofasumratherthantheentiresum.Forexample,ifthesumv1


vkhassomeexpectedparity,eachvishouldalsohavesomeexpectedparity,andweaskthattheirparityischeckedseparately.Example1TheintrudercapabilitiesarerepresentedbythefollowingsetofthreeAPIrules:x;y!fxgyencryptionx;y!dec(x;y)decryptionx;y!xyxoringExample2Commandsmayincludeseveralparitychecks.InFigure1,wegivethesymmetrickeymanagementsubsetoftheIBM4758API,writteninournotation.Thetermskm,imp,exp,kp,dataandpindenoteconstantofBasetypewhereasxtype,xk1,...denotevariables.NotethatalltherulessatisesconditionsstatedinDenition1.Forin-stance,KeyImportisusedtomakeanewworkingkeyforanHSM.ThenewkeyissenttothetargetHSMencryptedunderatransportkey.Thecommanddecryptstheimportedpackage,andreturnsthekeyencryptedunderthelocalmas-terkeyXORtheappropriatecontrolvector.3AFormalTheoryofKeyConjuringWerstintroducekeyconjuringinformally,givinganexampleofakeyconjuringattack.Thiswillhelptoexplainourtransformation.Wethenformallydeneourtransfor-mationthattakesasetofAPIrules,andextendsitwithrulesthatpermitkeyconjuring. KeyPartImp.1:xk1;xtype!fxk1gkmkpxtypechkOdd(xk1);chkEven(xtype)KeyPartImp.2:chkEven(xtype);y;xk2;xtype!fdec(y;kmkpxtype)xk2gkmkpxtypechkOdd(dec(y;kmkpxtype))chkEven(xk2)KeyPartImp.3:chkEven(xtype);y;xk3;xtype!fdec(y;kmkpxtype)xk3gkmxtypechkOdd(dec(y;kmkpxtype))chkEven(xk3)KeyImport:chkEven(xtype);y;xtype;z!fdec(y;dec(z;kmimp)xtype)gkmxtypechkOdd(dec(z;kmimp))chkOdd(dec(y;dec(z;kmimp)xtype))KeyExport:chkOdd(dec(z;kmexp));y;xtype;z!fdec(y;kmxtype)gdec(z;kmexp)xtypechkOdd(dec(y;kmxtype))chkEven(xtype)EncryptData:chkOdd(dec(y;kmdata));x;y!fxgdec(y;kmdata)DecryptData:chkOdd(dec(y;kmdata));x;y!dec(x;dec(y;kmdata))TranslateKey:chkEven(xtype);x;xtype;y1;y2!fdec(x;dec(y1;kmimp)xtype)gdec(y2;kmexp)xtypechkOdd(dec(y1;kmimp))chkOdd(dec(y2;kmexp))chkOdd(dec(x;dec(y1;kmimp)xtype))Figure1.IBMCCASymmetricKeyManagementTransactionSet3.1KeyConjuringAswehaveseen,keymanagementAPIsliketheCCAkeepworkingkeysoutsidetheHSM,safelyencrypted,sothattheycanonlybeusedbysendingthembackintotheHSMunderthetermsoftheAPI.Whathappenswhenanintruderwantstouseaparticularcommandinanattack,butdoesnothaveaccesstoanappropriatekey?Forex-ample,supposehehasnodatakeys(termsoftheformfd1gkmdata),butwantstousetheEnciphercommand.Inanimplicitdecryptionformalism,thecommandisdenedlikethisx;fxkeygkmdata!fxgxkeyThissuggeststhatthecommandcannotbeusediftheintruderdoesnothaveadatakey.However,inreality,anintrudercouldjustguessa64bitvalueandusethatinplaceofthedatakey.TheHSMwilldecrypttheguessedvalueunderkmdata,andchecktheparityoftheresulting64bittermtoseeifitisavalidkeybefore,encipheringthedata.Usually,thecheckwillfailandtheHSMwillrefusetoprocessthecommand,butiftheintruderguessesrandomly,hecanexpectthat1inevery256guessedvalueswillresultinavalidkey.Thisnotioniscapturedbyourformalism,inwhichwewritetheEnciphercommandlikethis:chkOdd(dec(y;kmdata));x;y!fxgdec(y;kmdata)Itmayseemuselessfortheintrudertosimplyguessval-ues,sincetheresultisatermheknowsencipheredun-deranunknownkey,butusedcleverly,thistechniquecanresultinseriousattacks.Forexample,Bond'ssocalledimport-exportattack[1],useskeyconjuringtoconvertaPINderivationkeyintoanencryptionkey,allowinganin-trudertogeneratethePINforanygivenaccountnumber.DescriptionofBond'sattack.WegiveBond'sattackinFigure2,writteninourformalism,withexplicitdecryp-tionandparitychecking.Weassumethattheattackerinitialknowledgecontainsfpdkgkmpin(aPINkeyencryptedfortransfer),thecontrolvectorspin,data,imp,exp,kp,andtheconstant0.Moreover,wemodelthefactthatcontrolvectorsareofevenparityandsecretkeyskmandpdkareofoddparitybyconsideringthecorrespondingfacts(e.g.chkEven(pin)).WewillshowhowthePINderivationkeypdkcanbeconvertedintoadatakey,whichthencanbeusedtoencryptdata.HencetheattackallowsacriminaltogenerateaPINforanyaccountnumber.Forthis,weshowthattheattackerisabletoderivefpdkgkmdata.Step1isakeyconjuringstep.TheattackerisusingtheKeyPartImport3command,usingthecontrolvec-torimp(forxtype)andthekeypart0(forxk3)butwith-outatermoftheformfmgkmkpimp.Instead,here-peatedlytriesrandomvaluesuntilsomevaluen1decryptsunderkmkpimptogiveavalidkey,i.e.atermof 1.KeyPartImp.3?;0;impnewn1!fdec(n1;kmkpimp)gkmimp;n1chkEven(0);chkEven(imp)chkOdd(dec(n1;kmkpimp))Letr=dec(n1;kmkpimp)2.KeyPartImp.3n1;impexp;imp!frimpexpgkmimpchkEven(imp);chkEven(impexp)chkOdd(dec(n1;kmkpimp))3.KeyImport?;impkp;frgkmimpnewn2!fdec(n2;rimpkp))gkmimpkp;n2chkOdd(r);chkEven(impkp)chkOdd(dec(n2;rimpkp))Letr0=dec(n2;rimpkp)4.KeyImportn2;expkp;frimpexpgkmimp!fr0gkmexpkpchkEven(expkp);chkOdd(rimpexp)chkOdd(dec(n2;rimpkp))5.KeyPartImp.3fr0gkmexpkp;0;exp!fr0gkmexpchkEven(0);chkEven(exp);chkOdd(r0)6.KeyPartImp.3fr0gkmimpkp;pindata;imp!fr0datapingkmimpchkEven(datapin);chkEven(imp);chkOdd(r0)7.KeyExportfpdkgkmpin;pin;fr0gkmexp;!fpdkgr0pinchkOdd(pdk);chkEven(pin)8.KeyImportfpdkgr0imp;data;fr0datapingkmimp!fpdkgkmdatachkOdd(pdk);chkOdd(r0datapin);chkEven(data)“?”representsinputsthatarereplacedbyrandomvaluesbytheattacker.Figure2.Bond'sImport/ExportAttackinourformalismoddparity.Notethatwehavewrittenthisbylabellingthearrowtoshowtheconjuringofanewtermn1,andtheoddparitycheckisnowontherighthandsideoftherule,indicatingthattheintruderhaslearntthefactchkOdd(dec(n1;kmkpimp)).Intherestoftheattackwewriterinplaceofdec(n1;kmkpimp).Havingsucceededinndingasuitablevaluen1,heusesthecommandagainwithimpexpasthekeyparttobeaddedtothekey,inStep2.Thisyieldstwounknownkeyencryptingkeys,randrimpexp,withaknowndiffer-ence.InStep3,theintruderuseskeyconjuringagain,thistimewiththeKeyImportcommand,usingrandomvaluesinplaceoffxkeygxkekxtype,andusingfrgkmimpasthekeyencryptingkey.Again,wewritethisasthegener-ationofanewtermn2,andtheintruderlearnsthefactchkOdd(dec(n2;rimp)).Intherestoftheattackwewriter0inplaceofdec(n2;rimp).InStep4,theintruderusestheconjuredvalueagaintoobtainanexportversionofthekey.ThepartialkeysobtainedbythesetwooperationscanthenbecompletedusingKeyPartImport3.Theexporteriscompletedtogivefr0gkmexp,inStep5,whilsttheimporterissettochangethetypeofakeyfrompintodata,inStep6.APINderivationkeyfpdkgkmpincanthenbeturnedintoadatakeybyrstexportingitunderfr0gkmexpusingKeyEx-portinStep7,andthenchangingthetypebyre-importingitusingfr0datapingkmimpastheimporter,inStep8.HavingobtainedaPINderivationkeyasadatakey,thein-trudercannowencryptaccountnumberstoobtaincustomerPINs.In2003,asaresultofworkbyYounet.al[14],itcametolightthatthisattackwasimpossibleinpractice,asanundocumentedcheckintheCCA'simplementationpreventskeypartsbeingpassedtoKeyImport.Thiswouldmeansteps3and4oftheattackcouldn'tbeexecuted.However,furtherattacksusingkeyconjuringhadbeendiscoveredbythen,[3,4],onboththeCCAAPIandotherAPIs.Clulownotesin[4]thatkeyconjuringcanbepreventedbyusingahashorMACtotesttheauthenticityofkeys,butmanydesignsdonotincludesuchmeasures,whichincreasethekeymanagementoverhead.Ourexampleattackshowsthepotentialofkeyconjur-ingtomountattacks.Italsodemonstratesthefeaturesofourformalismwhichallowustodetectrealistickeycon-juringoperations.Astraightforward`explicitdecryption'modelisnotsufcientforakeyconjuringanalysis,sincethoughthisallowsanattacklikeBond'sbediscovered,itdoesn'ttakeintoaccountparitychecks.Thismeansthatthemodelcannotdistinguishbetweenfeasibleandnon-feasible keyconjuringsteps,leadingtofalseattacks.Forexample,foracommandlikeKeyImport(seeExample2),anexplicitdecryptionmodelwithoutparitycheckingwouldallowanintrudertoconjurevaluesforbothyandz,whichinprac-ticeishighlyunlikely:only1inevery216pairsofvalueswillpass.Ourtransformensuresthattheintruderhastoguessvaluesforatmostoneparitycheck.3.2TransformationontheAPIrulesWeproposeatransformationallowingustomodelkeyconjuring.ThistransformationisgenericenoughtodealwithanyAPImadeupofrulessatisfyingtheconditionsgiveninDenition1.Werstintroduceasetofnonces,denotedbyN,asub-setofthesetofconstantsthatdoesnotcontainthespecialconstant0.Weassumeaninnitenumberofnoncesofbothtypes.Anoncerepresentsafreshvaluethathasbeenneverusedbefore.Rulesobtainedaftertransformationarecalledkeyconjuringrulesandhavethefollowingform:x1;:::;xnnewn!t;nchk1(u1);:::;chkk(uk)chk01(v1);[chk02(n)]Thenotation[chk02(n)]isusedtoexpressthefactthatchk02(n)isoptional.LetRl!Rr=chk1(u1);:::;chkk(uk);x1;:::;xn!tbeanAPIrule.Foreachisuchthat1ik,sinceuiisatermofBasetypenotheadedwithandwhichcontainsnoencryptionsymbol,wehavethatuiiseitheraconstant,avariableoratermoftheformdec(z;t).Inthislastcase,wecomputethekeyconjuringrulesassociatedtoRl!Rrasfollows:1.Let=fz7!ng,weconsiderthenewrule(Rlrfz;chkj(uj)gnewn!Rr[fz;chkj(uj)g)2.Moreover,wehavethatt=pMi=1yi`Mi=1ciqMi=1dec(zi;ti):forsomevariablesyi;zi,someconstantsciandsometermsti.Foreachjsuchthat1jp,welet=fyj7!ngandweconsiderthenewrule(Rlrfyj;chkj(uj)gnewn!Rr[fyj;chkj(uj)g)Moreover,wepushalsoontherighthand-sidethecheckperformedonyjifsuchacheckexists.GivenanAPIruleR,wedenotebyKeyCj(R)thesetofrulesobtainedafterapplyingthetransformationdescribedabove.ThisnotationisextendedasexpectedtosetsofAPIrules.Example3ConsidertheruleR,namelyKeyPartImport3describedbelow.y;xk3;xtype!fdec(y;kmkpxtype)xk3gkmxtypechkEven(xtype)chkEven(xk3)chkOdd(dec(y;kmkpxtype))Thepurposeofthisruleistoallowausertoaddanalkeypartxk3toapartialkeyywithcontrolvectorxtype.Af-terapplyingourtransformation,thesetKeyCj(R)containsthetworulesdescribedbelow:xk3;xtypenewn!fdec(n;kmkpxtype)xk3gkmxtypechkEven(xtype)chkOdd(dec(n;kmkpxtype))chkEven(xk3)y;xk3newn!fdec(y;kmkpn)xk3gkmnchkEven(xk3)chkOdd(dec(y;kmkpn))chkEven(n)Thisrepresentsthetwowaystheintrudercanusetheruleforkeyconjuring.Intherst,heconjuresapartiallycompletedkey(thisistheruleusedinstep1oftheBondattackinFigure2).Inthesecond,foraxedconstanty,heconjuresacontrolvectorthatwillallowytobedecryptedtoformavalidpartialkey.Notethattheconjuredcontrolvectorisofevenparity,sotheintruderlearnstwoparityfactsinthiscase.Ourtransformallowsthiskindofconjur-ingbecauseitisassumedtheintrudercansettheparityofthetermsheusesasguesses.Thevaluethatischeckedforevenparityisunderhiscontrol.Hencetheprobabilityofsuccessisthesameasfortherstconjuringvariant.Therulesobtainedbyapplyingourkeyconjuringtrans-formationontheIBMCCASymmetricKeyManagementTransactionSetisfullydescribedinAppendix(Figure3).Notethatourtransformationwillsometimesproduceruleswhichtheintrudercannotuse.Thishappenswhenthefreshnonceappearsinaparitycheckontheleft,asintherstruleforKeyImportinFigure3.Theintrudercannotusethisrule,sincehedoesnotknowanyparityinformationaboutthenewnoncebeforethecommandisused.Thiscor-respondstoacasewheretheintruderwouldhavetoguessavaluethatdecryptstogiveavalidkey,k,suchthatkalsodecryptssomeothervaluetogiveavalidkey.ForsinglelengthDESkeys,thisgivestheintrudera1in216chanceofsuccess,whichweconsiderunrealistic.However,ifthein-truderhasextendedaccesstoaliveHSMrunningtheAPI,webelieveourtransformationcouldbequitenaturallyex-tendedtothesemorecostlyoperations(seeSection7).3.3IntruderrulesWedenotebyIthethreeAPIrulesrepresentingtheca-pabilitiesoftheintruder(seeExample1).Weobservethat theintruderdoesnothavetofollowanyparitycheckswhenencryptingordecrypting,butthathecanalsocheckthepar-ityoftermsheproduces.RecallthatparityisdenedonlyontermsofBasetype.IfanintrudermakesanewtermbyXORing,hecanalreadypredicttheparityoftheout-comefollowingtherulesinSection2.2.However,whendecrypting,theintrudermaylearnnewparityinformationbydecryptingaknownconstantwitharandomkey,orbydecryptingarandomconstantwithaknownkey.Werefertothisasofinekeyconjuring.Therulescorrespondingtothisaredescribedbelow:bydecryptingarandomconstantwithaknownkeyynewn!dec(n;y);nwithX2fOdd;EvengchkX(dec(n;y))LetI+1bethesetofthesetworules.decryptingaknownconstantwitharandomkeyxnewn!dec(x;n);n;chkX(n)withX;Y2fOdd;EvengchkY(dec(x;n))LetI+2bethesetofthesefourrules.InSection5,wewillseethatforacertainclassofAPIs,theclassconsideredinthispaper,theofinekeyconjuringrulescanbesafelyignored.Ournalsetofintruderrules,includingofinekeyconjuring,isdenotedbyI+=I[I+1[I+2.4ANewDecidableClassInthissection,wedenethesemanticsofourAPI-rulesandweintroducetheclassofrulesforwhichweproveourdecidabilityresult.4.1SecurityProblemTheproblemweconsideristheproblemofdecidingwhetheraparticularterm,forexampleaPINderivationkey,canbelearntbyanattacker.Theintruderstartswithaxedsetoftermsthatconstitutehisinitialknowledge.HecanthenusetherulesoftheAPIandalsothekeyconjuringvariantsoftherulesinanyordertoextendhisknowledge.Werstneedtomakesurethatparitychecksareper-formedconsistently.Denition2(consistent)LetS=fchk1(u1);:::;chki(ui)g[Twhereu1;:::;uiaregroundtermsofBasetypeandTisasetofterms.WedenotebySatChk(S)thesmallestsetwhichcontainsSandthatisclosedbyapplicationofthefollowingrulesmoduloXor.chkEven(x1);chkEven(x2)!chkEven(x1x2)chkOdd(x1);chkOdd(x2)!chkEven(x1x2)chkEven(x1);chkOdd(x2)!chkOdd(x1x2)WesaythatSisconsistentifforanytermt,chkOdd(t)andchkEven(t)arenotbothinSatChk(S).Afactiseitheratermtoraparitycheck,i.e.chkX(t).AfactisgroundifthetermtisgroundanditissaidpureifthetermtispureandofBasetypeinsideaparitycheck.Example4LetSbethefollowingset:S=fchkEven(ab);chkEven(bc);chkOdd(ac)gSisnotconsistent.Indeed,since(ab)(bc)=Xorac,wehavethatchkEven(ac)2SatChk(S)andalsothatchkOdd(ac)2SatChk(S).Denition3(one-stepdeducible,deducible)LetAbeasetofrulesoftheformRl[newn]!RrandEbeanequationaltheory.LetSbeasetofpuregroundfactsthatisconsis-tent.ThesetoffactsFisone-stepdeduciblefromSifthereexistsaruleRl[newn]!Rr2AandagroundsubstitutionsuchthatRlSatChk(S)(moduloE),F=Rr(moduloE),andnisfresh,i.e.ndoesnotoccurinS.AtermuisdeduciblefromSbyusingthesetofrulesAmodulotheequationaltheoryE,denotedbyS`A;Euifu2S(moduloE)orthereexistssomesetsoffactsF1;:::;Fnsuchthatu2FnandFiisone-stepdeduciblefromS[F1[:::[Fi1.ThesequenceF1;:::;FnisaproofthatS`A;Eu.Ofcourse,ateachstepoftheproofthesetofgroundfactsobtainedhastobeconsistentwithrespecttothepar-itycheckingpredicates.However,thiswillbethecasebyconstruction,sincetheonlyruleswhichaddparityfactsarethekeyconjuringones,whichalwaysintroducesomethingfreshintheparityfacts.Example5LetS=ffsga;ab;bg.WehavethatsisdeduciblefromSbyusingtherulesImoduloEAPI.Indeed,wehavethatS;fag;fsgisaproofofS`I;EAPIs.Example6(Bond'sImport/Exportattack)LetAbetherulesdescribedinFigure1,V=fpin;data;exp;imp;kpg.LetSbeasetwhichcontains:fpdkgkmpin,chkOdd(pdk),chkOdd(km),tandchkEven(t)foranyt2V.WehavethatfpdkgkmdataisdeduciblefromSbyusingtherulesinA[KeyCj(A)[ImoduloEAPI.TheproofwitnessingthisfactcanbeeasilyextractedfromFigure2. Notethatthisattackinvolvestwoonlinekeyconjuringsteps.Eachkeyconjuringattempthasa1in256chanceofsuccess,duetotheparitychecks.Eachtimetheadversarywantstoconjureakey,itrequiresasignicantamountofac-cesstotheAPI.Weassumeinwhatfollowsthattheuseoftheserulesbytheadversaryislimited.Thisismodelledbyintroducingaparameterkthatboundsthemaximumnum-berofapplicationsofthekeyconjuringrulesinducedbytheprotocol.ThevalueofkcouldbesetbasedontheamountoftimeanattackermayhaveaccesstoaliveHSM,basedonphysicalsecuritymeasures,auditingproceduresinplace,etc.Notehoweverthatwedonotboundthenumberofof-inekeyconjuringsinceitismucheasierforanadversarytotrynumerousvaluesoff-line.Formally,wewriteS`A2kA1;EAPIuifuisdeduciblefromSbyusingtherulesinA1andatmostkinstancesoftheruleinA2(moduloEAPI).Inthispaperwerelyonaxedequa-tionaltheory,denotedbyEAPI(seeSection2.2)andaxedsetofintruderrulesdenotedbyI+.Henceourproblemisthefollowingone:SecurityProblemEntries:AnitesetAofAPIrules,asetSofpuregroundfactsthatisconsistent(theinitialknowledgeoftheat-tacker),apuregroundterms(thesecret)andaboundk2N(numberofkeyconjuringsteps).Question:IsthesecretsdeduciblefromSbyusingtherulesinA[I+andatmostkinstancesofrulesinKeyCj(A)(moduloEAPI),i.e.doesS`KeyCj(A)kA[I+;EAPIs?4.2Well-formedAPIAPI-rulesasdenedinDenition1areslightlytoogen-eralforourdecidabilityresult.Henceweintroducefurtherassumptions,thatwebelieveareveryreasonableinprac-tice.NotethatthesehypothesesarecheckedontheAPIrulesbeforeperformingthekeyconjuringtransformation.Denition4LetS0beasetofpuregroundfactthatiscon-sistent.LetR=Rlnewn!RrbearuleandtbeatermofBasetype.WesaythattischeckedinRw.r.t.S0ifchkX(t)2SatChk(S0[Rl[Rr).Denition5LetRbearule.KeyTerm(R)arethesub-termsofRwhichappearatakeyposition.Moreformally,KeyTerm(R)=fKeyTerm(t)jt2RorchkX(t)2RgwhereKeyTerm(t)isdenedasfollows:KeyTerm(t)=fu2jdec(u1;u2)2st(t)forsomeu1g[fu2jfu1gu22st(t)forsomeu1g:WewillrestrictourattentiontoAPIssuchthatatermwhichappearsatakeypositionhastobeparitychecked.Thishypothesisisnatural,sinceitcorrespondstotheAPIdesignerbeingconsistentaboutcheckingtheparityofkeysbeforetheyareused.Example7LetV=fimp;kp;exp;pin;datag.andS0beasetthatisconsistentandwhichcontainsatleastchkEven(t)foranyt2VandchkOdd(km).TherulesgiveninFigure1aresuchthateachtermwhichappearsatakeypositionischeckedw.r.t.S0.Denition6(dec-property)LetTbeasetofterms.WesaythatThasthedec-propertyifdec(x;v1);dec(x;v2)2st(T))v1=v2:WesaythataruleRhasthedec-propertyifthesetoftermsT=ftjt2RorchkX(t)2Rgsatisesthedec-property.IntheAPIweconsider,wewillassumethatalltherulessatisfythedec-property.Thishypothesisisnatural,sinceitonlyforbidstheAPIfromdecryptingthesameinputun-dertwodifferentkeys.Notethatthedec-propertyisclearlysatisedbytherulesgiveninFigure1.Denition7(well-formedAPIrule)LetS0beasetofpuregroundfactthatisconsistent.LetRbeanAPIrule.chk1(u1);:::;chkk(uk);x1;:::;xn!tWesaythatRiswell-formedw.r.t.S0if:forallisuchthat1ik,wehavethatui2st(t),Rsatisesthedec-property,forallv2KeyTerm(R),vischeckedinRw.r.t.S0.AnAPIrulesatisfyingonlythetworstpointsissaidtobeweaklywell-formed.TherstpointrequiresthattheAPIonlychecksthepar-ityofobjectsthataretobeusedingeneratingtheoutput.Sincetheformofourruleshasonlyvariablesontheleft,andalldecryptionexplicitlystatedontheright,thisisquitenatural.WewouldnotexpectanAPItochecktheparityofatermthatissubsequentlydiscarded.Forinstance,theAPIrulesgiveninFigure1arewell-formed.However,therulesdescribingthecapabilitiesoftheattacker(seeExample1)arenotwell-formed,butonlyweaklywell-formed.4.3DecidabilityTheorem1(Mainresult)LetPbeaninstanceofthese-curityproblem(asstatedattheendofSection4.1)wherethesetAofAPIrulesiswell-formedw.r.t.thesetS 02S,thetermsinS[fsgdonotcontainanysymboldec.WecandecidewhetherPisapositiveoranegativeinstanceofthesecurityproblem.Theremainderofthepaperisdevotedtotheproofofthisresult.Weproceedinseveralsteps:1.FromI+toI.InSection5,weestablishsomere-ductionresultsallowingustogetridoftheofinekeyconjuringrules.TheseresultsareobtainedforanysetofAPIrulesasdenedinDenition1,andnotonlythewell-formedonesintroducedinDenition7.2.FromEAPItoAC.InSection6.1,weshowthatwecangetridofsomeaxiomsoftheequationaltheorybyusingthefactthatEAPIsatisesthenitevariantpropertyintroducedin[6].Thiscanbedonesafelybyconsideringsomenewrules,namelythevariantsdenotedVar(A),whichareobtainedfromtherulesAwehaveatthebeginningbyinstantiatingthem.3.Controllingtheformoftherules.InSection6.2,weshowthatthevariantscomputedattheprevi-ousstepsatisfysomeproperties.GivenasetAof(weakly)well-formedAPIrules,wehavethatVar(A[KeyCj(A)),rulesobtainedafterourbothtransforma-tions,are(weakly)well-adapted(seeDenition9).4.Existenceofapureattack.InSection6.3,weshowthatforasetofweaklywell-adaptedrules,ifthereexistsanattackthenthereisonewhichonlyinvolvespureterms(seeProposition5).5.Boundedthenumberofsubtermsheadedwithdec.Now,toobtainourdecidabilityresultitissufcienttoboundthenumberoftermsheadedwithdecinanat-tack(seeSection6.4).Thisallowsustoconsideronlyanitenumberofterms.5Off-linekeyconjuringisuselessTheadversarycanperformasmanyoff-linekeyconjur-ingashewishes,sinceitisveryeasyforhimtotrynumer-ousvaluesoff-line,untilthedecryptionalgorithmyieldsabitstringofthedesiredparity.Weshownowthatinfact,off-linekeyconjuringdoesnotprovideanyextrapossibili-tiesfortheadversarytomountanattack.Thusthereisnoneedtoconsidertheserules.WerstshowthattherulesofI+1areuselessassoonastheadversaryknowsaxedconstantofeachparity.Proposition1LetAbeasetofAPIrulesandSbeasetofpuregroundfacts.WehavethatS`KeyCj(A)kA[I+;EAPIu,S0`KeyCj(A)kA[I[I+2;EAPIuwhereS0=S[fc1;c2;chkOdd(c1);chkEven(c2)gandc1,c2areconstantsofBasetypethatdonotappearinA,Sandu.Then,weshowthatthereisnoneedtoconsiderrulesofI+2iftheintruderalreadyknowstermsoftheformdec(1;ci)ofeachparity.Intuitively,theintruderknowsaninstanceofeachofthefourrules.Proposition2LetAbeasetofAPIrulesandSbeasetofpuregroundfacts.WehavethatS`KeyCj(A)kA[I[I+2;EAPIu,S0`KeyCj(A)kA[I;EAPIuwhereS0isthesetobtainedfromSbyaddingtheconstants1(Cipher)andc1;c2;c3;c4(Base),chkOdd(dec(1;c1));chkOdd(c1)chkOdd(dec(1;c2));chkEven(c2)chkEven(dec(1;c3));chkOdd(c3)chkEven(dec(1;c4));chkEven(c4)andc1;c2;c3;c4donotappearinA,Sandu.Theideaoftheproofistoreplaceeachapplicationofarulexnewn!dec(n;x);chkX(dec(x;n));chkY(n)inI+2byitscorrespondinginstance.Inparticular,xisal-waysreplacedbythesameconstant1.Wecanshowthatwestillobtainaproof.Intuitively,ifitwasnotthecase,itwouldmeanthatitwasimportantforxtobeanencryptionoradecryption.Thiswouldbethecaseonlyiftherewasnestedencryptionontherighthandsideoftherule,whichisnotthecaseforAPIrules.6DecidabilityforWell-FormedAPIsIntheremainderofthissectionwedescribeadecisionproceduretodealwithanysetofwell-formedAPIrules.6.1GettingridofsomeequationsThegoalofthissectionistogetridofalltheaxiomsoftheequationaltheorybutassociativityandcommutativity,decomposingthetheoryintoaconvergentrewritingsystem moduloACequations.Theideaistopre-computevariantsoftherulessothatthereisnoneedtoapplythefullequa-tionaltheoryanymore.LetRbeatermrewritingsystem(TRS)andE0beanequationaltheory,wewriteu!R;E0vwhenvcanbewrit-tenintovmoduloE0.AdecompositionofanequationaltheoryEisapair(R;E0)suchthatRisanE0-convergentsystemforE,i.e.u=EAPIvifandonlyifu#=v#whereu#denotesthenormalisedformofuw.r.t.!R;E0.Forinstance,fortheequationaltheoryEAPI,wecanshowthat(R;AC)isadecompositionofEAPIwhereR=8:dec(fxgy;y)!xxx!0fdec(x;y)gy!xx0!0x(xy)!yDenition8(nitevariantproperty)Adecomposition(R;E0)ofagiventheoryEhasthenitevariantpropertyifforeverytermt,thereisanitesetofsubstitutions(t)suchthat892(t);9suchthat#=E0^(t)#=E0(t)#:Inotherwords,allpossiblereductionsinanin-stanceoftcanbecomputedinadvance.Givenatermt,wedenotebyVar(t)thesetofitsvariants,i.e.Var(t)=f(t)#j2(t)g.In[6],theauthorsgivesuf-cientconditiontoestablishthatagivenpresentationsat-isesthenitevariantproperty.Moreovertheygiveanal-gorithmallowingustocomputethevariantsassociatedtoagiventerm.Byusingtheirresult,itiseasytoestablishthat(R;AC)isadecompositionofEAPIwhichsatisesthe-nitevariantproperty.Theso-calledvariantsofaruleRareobtainedbyperformingnarrowingwithRmoduloAC.Narrowing.Thesubtermoftatpositionp2O(t)iswrit-tentjp.Thetermobtainedbyreplacingtjpwithuisdenotedt[u]p.WedenotebyO(t)thesetofnon-variablepositionoft.GivenaTRSR,wesaythatatermtnarrowstot0withthesubstitution,atp2O(t),byl!r2Rifthereexistsarenamingl0!r0ofl!r2Rsuchthatisaunieroftjpandl0andt0=(t[r]p).Inthiscase,wewritet t0.Wewritet t0ifthereexistsanarrow-ingderivationt=t1 1t2::: n1tn=t0suchthat=1:::n1.IfE0isasetofequationssuchthatanE0-unicationalgorithmexists,wedeneE0-narrowingasexpected(isanE0-unieroftjpandl).Inparticular,thisallowsustodeneAC-narrowing.Computationofthevariants.LetRbeanAPIruleandkbethenumberofoccurrencesoff g ,decand.Accordingto[6],wehavethatVar(R)=fR0jR R0byaderivationoflengthatmostkgNowthepropositionbelowisaneasyconsequenceofthefactthatEAPIsatisesthenitevariantproperty.Proposition3LetA1,A2betwosetsofrules,Sbeasetofgroundfactsandsbeagroundterm(innormalform).S`KeyCj(A1)kA1[A2;EAPIuifandonlyifS`Var(KeyCj(A1))kVar(A1[A2);ACuMoreover,weonlyneedtoconsiderinstancesoftheruleswhichinvolvetermsinnormalform.Example8Forinstance,considerthefollowingruleR=x;y!dec(x;y).WehavethatVar(R)=fR;R0gwhereR0=fzgy;y!z.NotethatR0isanormalisedinstanceofR.IndeedR0=R#where=fx7!fzgyg.6.2ControllingtheformoftherulesWeneedtocontroltheformoftherulesaftercomputa-tionofthekeyconjuringtransformationandcomputationofthevariants.WeshowthatthesetVar(A[KeyCj(A))obtainedfromasetAwhichonlycontains(weakly)well-formedrulesw.r.t.Sis(weakly)well-adaptedw.r.t.S.Denition9(well-adapted)LetS0beasetofpuregroundfactthatisconsistent.LetR=Rl[newn]!Rr.WesaythatRiswell-adaptedw.r.t.S0if1.Riswell-typedandvars(Rr)vars(Rl),2.atermoftypeCipherappearingasastrictsubtermpositioninRiseitheranonceoravariable,3.forallt2KeyTerm(R),tischeckedinRw.r.t.S0,4.thereisatmostonetermuinacheckinRrnotequaltonandweareinoneofthefollowingcases:u=dec(y;nu0),u=dec(n;u0),ornoccursinRlandhencetheruleRisuseless.Asetofruleswhichsatisesthetworstpointsissaidtobeweaklywell-adapted.Proposition4LetS0beasetofpuregroundfactthatisconsistent.LetAbeasetof(weakly)well-formedAPIrulesw.r.t.S0.LetA0=Var(A[KeyCj(A)).WehavethatA0isasetof(weakly)well-adaptedrulesw.r.t.S0.Thenotionofwell-adaptedreliesonfourconditions(seeDenition9).Theconditions1,3and4areestablishedbyusingthefactthatavariantR0isjustanormalisedinstanceofwell-formedAPIruleR,thatisR0=R#forsome. Provingcondition2ismoreinvolved.Asshownintheex-amplebelow,Condition2isnotstablebyAC-narrowing,i.e.bycomputationofthevariants,thuswehadtorsten-forceit.Example9LetR=x!fdec(x;k1)gdec(x;k2).Thecon-dition2issatisedbyR.Now,considertheruleR0=fygk1!fygdec(fygk1;k2)WehavethatR02Var(R).However,R0doesnotsatisfythecondition.ThisproblemcomesfromthefactthatthereisavariableoftypeCipherwhichinvolvedintwodifferentsubtermsheadedwithdec.Herewehavethatxisinvolvedindec(x;k1)andalsoindec(x;k2).Sincek1=k2,theruleRdoesnotsatisfythedec-propertyandhenceisnotawell-formedrule.6.3ExistenceofapureattackWeshowinthissectionthatwecanrestrictourattentiontoproofswhichonlyinvolvepureterms.Thefollowingre-sultholdsforanysetofweaklywell-adaptedrules.Theconditions3and4ofDenition9areonlyusedforthelastpartofourdecisionprocedure(seeSection6.4).Apositioninatermisimpureifthesubtermatthatpo-sitionisnotoftheexpectedtypeandform.Byconventiontherootpositionisalwaysanimpureposition.Notethatinapuretermttheonlyimpurepositionis.Example10Lett=dec(ab;c)wherea;bandcarecon-stantofBasetype.Thepositionpintsuchthattjp=abisimpure.Lett=dec(fagb;c)wherea;bandcarecon-stantofBasetype.Thepositionpintsuchthattjp=fagbisimpure.Werstprovethatwheneveranimpuretermoccursinadeducibletermtatapositionp,thetermtjpisitselfde-ducible.Lemma1LetAbeasetofweaklywell-adaptedrulesandSbeasetofpuregroundfactsthatisconsistentandwhichcontains0.LetubeagroundtermdeduciblefromSandF1;:::;FnbeaproofthatS`A;ACu.Letpbeanim-purepositionofu.Wehavethatujp2S[F1[:::[Fn.Wearenowreadytostateourresultwhichsaysthatonlypuretermsneedtobeconsideredwhencheckingforde-ducibility.Proposition5LetAbeasetofweaklywell-adaptedrulesandSbeasetofpuregroundfactsthatisconsistentandwhichcontains0.Letubeapuregroundterm.IfS`A;ACuthenthereisaproofofS`A;ACuwhichonlyinvolvepureterms.Toestablishthisresult,weassumewearegivenaproofPofS`A;ACu,andweshowhowtocomputeaproofP0fromPwhichonlyinvolvespureterms.TheproofP0usesexactlythesameruleateachstepbutnotthesameinstance.Inparticularanytermappearingatanimpurepo-sitionwillbereplacedtoobtainapureterm.Fromthis,weeasilydeducethefollowingcorollary.Corollary1LetA1,A2betwosetofweaklywell-adaptedrulesandSbeasetofpuregroundfactsthatisconsistentandwhichcontains0.Letubeapuregroundterm.IfS`A1kA2;ACuthenthereisaproofwitnessingthisfactwhichonlyinvolvespureterms.6.4AboundonthenumberofdectermsFromCorollary1weknowthatifthereisanattack,thereisanattackthatinvolvesonlypureterms.Puretermsarewell-typedandcontainatmostoneencryptionsymbol.However,thedecsymbolsmightbearbitrarilynested.Ourgoalistoboundthesizeofanattackbylimitingtheuseofdecsymbols.Adec-termisatermoftheformdec(u;v).GivenaproofF1;:::;FnofsomedeductionfactS`R;ACw,wesaythatadec-termtislegalifitischeckedinS,thatischkX(t)2SatChk(S)orithasbeenproducedbyakey-conjuringrule,thatischkX(t)2Fjforsome1jn.Thetermtissaidtobeillegalotherwise.Letk0bethenumberoflegaldec-termsoccurringinS.Sincethereareatmostkapplicationsofthekey-conjuringrulesandsinceeachkey-conjuringruleintroducesatmostonetermthatisnotaname,thereareatmostk+k0legaldec-termsoccur-ringassubterminaproofF1;:::;Fn.Wewishtoshowthat,besidesthelegaldec-terms,nodecryptionsymbolcanoccurunderakeyposition.Thisensuresthatillegaldec-termscanonlyoccurasplaintextthuscannotbenested.Werstshowthatillegaldec-termcannotoccurinchecks.Lemma2(Noillegaldec-terminchecks)LetAbeasetofwell-adaptedrulesandSbeasetofpuregroundfactssuchthatnodectermsoccursinKeyTerm(S).LetwbeapuregroundtermdeduciblefromSandF1;:::;FnbeaproofthatS`A[Var(I);ACwthatinvolvesonlypurefacts.Weassumethatthereisnodec-termsubtermofw.Foranytermtsuchthatchk(t)2SatChk(S[F1[:::[Fn),foranydec(u;v)subtermoft,thedec-termdec(u;v)islegal.Theintuitiveideaforprovingthislemmaisthatnewcheckscanonlybeintroducedbythekey-conjuringrules,whicharelimited.Inaddition,whenachkX(t)isintroduced,ille-galdec-termscannotoccursincetherulesarewell-adapted.Wethenprovethatillegaldec-termscannotoccurinkeypositionortheycanbereplacedby0.LetNandN0betwoterms.ForanytermM,wedenotebyMN;N0the termMwhereanyoccurrenceofNinkeypositionisre-placedbyN0.Lemma3(Replacementofdec-termsinkeyposition)LetAbeasetofwell-adaptedrulesandSbeasetofpuregroundfactssuchthatnodectermsoccursinKeyTerm(S).LetwbeapuregroundtermdeduciblefromSandF1;:::;FnbeaproofthatS`A[Var(I);ACwthatinvolvesonlypurefacts.Weassumethatthereisnodec-termsubtermofw.Lettbeatermsuchthatt2Fjforsome1jnandletpbesomekeypositionoftsuchthattjp=dec(u;v)t0(t0beingpossiblyemptyinwhichcasebyconvention,tjp=dec(u;v)).Eitherthetermdec(u;v)islegal.OrF1(dec(u;v)t0;0);:::;Fj(dec(u;v)t0;0)isapureproofofS`R[Var(I);ACt(dec(u;v)t0;0).Thelemmaisprovedbyinduction.Now,weareabletoproveourmainresult(Theorem1).Proof.LetPbeaninstanceofthesecurityproblemwherethesetAofAPIrulesiswell-formedw.r.t.Sand02S.LetS0bethesetoffactsobtainedfromSbyadding1(constantoftypeCipher),c1,c2,c01,c02,c03,c04constantsofBasetype,chkOdd(c1),chkOdd(c01),chkOdd(c03),chkEven(c2),chkEven(c02),chkEven(c04),chkOdd(dec(1;c01)),chkOdd(dec(1;c02)),chkOdd(dec(1;c03)),chkOdd(dec(1;c04)).NotethatnodectermsoccursinKeyTerm(S0).ThankstoPropositions1and2,weeasilydeducethatS`KeyCj(A)kA[I+;EAPIu,S0`KeyCj(A)kA[I;EAPIuProposition3givesusS0`KeyCj(A)kA[I;EAPIu,S0`Var(KeyCj(A))kVar(A[I);ACuThankstothewell-formednessoftherulesinA,wede-duce(Proposition4)thattherulesinVar(KeyCj(A))arewell-adapted,therulesinVar(A)arewell-adapted,therulesinVar(I)areweaklywell-adapted.NotealsothatVar(A[I)=Var(A)[Var(I).Now,weapplyCorollary1andwededucethatifS0`Var(KeyCj(A))kVar(A[I);ACuthenthereexistsaproofwitnessingthisfactwhichinvolvesonlypureterms.Lastly,Lemmas2and3allowustoboundthenumberofdec-termswhichcanappearinsuchaproof.Thisallowsustoconsideronlya-nitenumberofterms:wehaveanitenumberofconstantsandnonceswhichcanonlybecombinedtoproducepuretermsinvolvingsomeprecisedec-terms.Complexity.Ourdecisionprocedureworksasfollows.WerstguesstheklegaltermsthatareproducedbykeyconjuringrulesandthensaturatethesetS0withallde-ducibletermsthatarepuretermswithnoillegaldectermsunderkeyposition.Letnbythenumberofconstantsoc-curringinS0plusk.Illegaldectermscannotoccurnestedthusitiseasytoseethatthereareatmostn2nillegaldecterms.ThesedectermscanbearbitrarilyXORedinplain-textpositionbutcannotoccurunderkeyposition.Thuswehavetoconsideratmost22O(n)terms.Thusourprocedureterminatesafteratmost22O(n)steps.Altogether,wecanshowthatouralgorithmisnon-deterministic2-EXPTIME.6.5RelatedworkTheclassofwell-formedAPIrulesisrelatedtotheclassproposedin[8].Thereitisshownthatsecrecypreserva-tionofprotocolsisdecidableforanunboundednumberofsessionsforprotocolswithXOR,providedtheycanbeex-pressedwithrulesintheWFX-class,thatis,asetofrulesoftheformt1;:::;tn!tn+1whereeachtjiseitheraxortermthatistj=Lni=1ui,n1whereeachuiisavariableoraconstant.ortj=fugvwhereuandvarexorterms.Thisisintuitivelyrelatedtoournotionofwell-typedtermsthatensuresinparticularthatatmostoneencryptionsym-bolcanappearinaterm.However,therearetwomaindif-ferencesbetweentheclassofwell-formedAPIrulesintro-ducedinthispaperandtheWFX-class.1.Weconsiderhereanequationaltheorywithexplicitdecryption.Thisisnecessaryformodellingkey-conjuring.Addingthetwoequationsforencryptionanddecryptionrequiresamuchmorecarefultreatmentwhenprovingthatwheneverthereisanattack,thereisanattackthatinvolvesonlypureterms.2.Intheworkpresentedhere,itisnotsufcienttoboundthenumberofencryptionsymbols,asin[8].In-deed,thereareaninnitenumberofwell-typedtermssincethenumberofnesteddecryptionsymbolsisnot boundedbytyping.Thuswehadtoshowthatitisnotnecessarytoconsidernesteddecryptionsymbolsex-ceptforanitenumberofterms,comingfromtheap-plicationofkey-conjuringrules(thelegaldecterms).Toconclude,thetwoclassesareformallyincomparable.Whilewell-formedAPIrulesenableexplicitdecryption,thuspotentiallymoreattacks,therearenoequalitychecksbetweencomponentsofthereceivedmessages.Forexam-ple,thefollowingrulefxgk1;fxgk2!k3belongstotheWFX-classbutcannotbeexpressedasawell-formedAPIrule.WewouldneedtoextendAPIruleswithequalitychecks.Tothebestofourknowledge,thereexistonlytwootherdecidableclasses[5,13]forsecrecypreservationforproto-colswithXOR,foranunboundednumberofsessions.Inbothcases,themaindifferencewithourclassisthatwemakerestrictionsonthecombinationoffunctionalsymbolsratherthanontheoccurrencesofvariables.Asaconse-quence,ourclassisincomparabletothetwoexistingones.Inparticular,theIBMCCAprotocolcannotbemodelledineitherofthesetwootherclasses.7ConclusionWehavepresentedaformalismforkeyconjuring,ob-tainedbyapplyingatransformationtoamodelofasecurityAPIwithexplicitparitychecks.WehaveshownthatthesecurityproblemisdecidableforageneralclassofAPIs(well-formed).Inthispaper,wehaveconcentratedontheexampleoftheIBMCCAAPI,whichusesparitycheckstovalidateDESkeys.However,webelieveourapproachcanbeappliedingeneraltosecurityAPIanalysis,whereotherfunctionsmaybeusedtocheckvalidityofkeys.Inparticular,ourlanguagefordeningAPIcommands,withvariablesonthelefthandsideandalldecryptionmadeexplicitontheright,seemsmorenaturalthantheuseofanAlice-Bobstyleimplicitde-cryptionformalism.Itwouldenablethedetectionoftheso-called`trojankey'attacksofthetypedescribedbyClu-low,[4].Wecouldalsoextendourtransformationtoallowmorecomputationallyexpensivekeyconjuringoperations,byallowingmultiplefreshtermstobegeneratedinasinglerule.WeplantoextendourresultstoalargerclassofAPIs,incorporatingpairingandfurthercryptographicprimitives,andtoimplementourmodelinananalysistool.Therere-mainsasignicantclassofknownAPIattacksthathasnotbeendealtwithformally:so-calledparallelkeysearchat-tacks.Formalisingkeyconjuringisanimportantrststeptowardsthis,sincemanyoftheseattacksrelyonbuildingupasetofconjuredkeys.References[1]M.Bond.Attacksoncryptoprocessortransactionsets.InProceedingsofthe3rdInternationalWorkshoponCrypto-graphicHardwareandEmbeddedSystems(CHES'01),vol-ume2162ofLNCS,pages220–234,Paris(France),2001.Springer-Verlag.[2]CCABasicServicesReferenceandGuide,Oct.2006.Avail-ableonline.[3]R.ClaytonandM.Bond.Experienceusingalow-costFPGAdesigntocrackDESkeys.InProceedingsofthe4thIn-ternationalWorkshoponCryptographicHardwareandEm-beddedSystem(CHES'02),volume2523ofLNCS,pages579–592,RedwoodShores(CA,USA),2003.Springer.[4]J.Clulow.OnthesecurityofPKCS#11.InProceedingsofthe5thInternationalWorshoponCryptographicHardwareandEmbeddedSystems(CHES'03),volume2779ofLNCS,pages411–425,Cologne(Germany),2003.Springer-Verlag.[5]H.Comon-LundhandV.Cortier.Newdecidabilityresultsforfragmentsofrst-orderlogicandapplicationtocryp-tographicprotocols.InProceedingsofthe14thInterna-tionalConferenceonRewritingTechniquesandApplica-tions(RTA'2003),volume2706ofLNCS,pages148–164,Valencia,Spain,2003.Springer-Verlag.[6]H.Comon-LundhandS.Delaune.Thenitevariantprop-erty:Howtogetridofsomealgebraicproperties.InPro-ceedingsofthe16thInternationalConferenceonRewrit-ingTechniquesandApplications(RTA'05),volume3467ofLNCS,pages294–307,Nara(Japan),2005.Springer.[7]V.Cortier,S.Delaune,andG.Steel.Aformaltheoryofkeyconjuring.ResearchReport6134,INRIA,Feb.2007.41pages.[8]V.Cortier,G.Keighren,andG.Steel.Automaticanalysisofthesecurityofxor-basedkeymanagementschemes.InProceedingsofthe13thInternationalConferenceonToolsandAlgorithmsfortheConstructionandAnalysisofSys-tems(TACAS'07),LNCS,pages538–552,Braga(Portugal),2007.Springer-Verlag.[9]J.CourantandJ.-F.Monin.Defendingthebankwithaproofassistant.InProceedingsofWorkshoponIssuesintheThe-oryofSecurity(WITS'06),Vienna(Austria),March2006.[10]D.DolevandA.Yao.Onthesecurityofpublickeyproto-cols.IEEETransactionsinInformationTheory,2(29):198–208,March1983.[11]G.Keighren.ModelcheckingIBM'scommoncryptographicarchitectureAPI.InformaticsResearchReportEDI-INF-RR-0862,UniversityofEdinburgh,2006.[12]G.Steel.DeductionwithXORconstraintsinsecurityAPImodelling.InProceedingsofthe20thInternationalCon-ferenceonAutomatedDeduction(CADE'05),volume3632ofLNCS,pages322–336,Tallinn(Estonia),2005.Springer-Verlag.[13]K.N.Verma,H.Seidl,andT.Schwentick.Onthecom-plexityofequationalHornclauses.InProceedingsofthe20thInternationalConferenceonAutomatedDeduction(CADE'05),volume3632ofLNCS,pages337–352,Tallinn(Estonia),2005.Springer-Verlag. [14]P.Youn,B.Adida,M.Bond,J.Clulow,J.Herzog,A.Lin,R.Rivest,andR.Anderson.Robbingthebankwithatheo-remprover.TechnicalReportUCAM-CL-TR-644,Univer-sityofCambridge,August2005.AExistenceofapureattackLemma1LetAbeasetofweaklywell-adaptedrulesandSbeasetofpuregroundfactsthatisconsistentandwhichcontains0.LetubeagroundtermdeduciblefromSandF1;:::;FnbeaproofthatS`A;ACu.Letpbeanim-purepositionofu.Wehavethatujp2S[F1[:::[Fn.Proof.Theproofisbyinductiononthenumberofstepsneededtoobtainu.Thebasecase,i.e.u2S,istriv-ial.Fortheinductionstep,wehavethatthereexistsaweaklywell-adaptedruleRlnewn!Rrandagroundsub-stitutionsuchthatRlSatChk(S[F1[:::[Fn1)andu2Fn=Rr(moduloAC).Letpbeanimpureposi-tioninu.eitherp=andinsuchacasewehavethatujp2S[F1[:::[Fn,orujpisastrictsubtermofu.SinceRlnewn!Rrisaweaklywell-adaptedrule,ujpmustbeasub-termofxforsomevariablex2Rr.Sincevars(Rr)vars(Rl),wehavethatthereexistst2Rlsuchthatt2S[F1[:::[Fn1andujp2st(t).Moreover,wecaneasilycheckthatujpappearsatanimpurepositionint.Byinductionhypothesis,wededucethatujp2S[F1[:::[Fn1andthusujp2S[F1[:::[Fn.Proposition5LetAbeasetofweaklywell-adaptedrulesandSbeasetofpuregroundfactsthatisconsistentandwhichcontains0.Letubeapuregroundterm.IfS`A;ACuthenthereisaproofofS`A;ACuwhichonlyinvolvepureterms.Wedenethefunction
overgroundtermsthatre-placesanytermatanimpurepositionby0(neutralelementof)or1(constantoftypeCipher).Moreformally
isinductivelydenedasfollows: u=uifuisavariableoraconstant u1u2= u10 u20 dec(u1;u2)=dec(u1; u20)ifu12NoftypeCipher dec(u1;u2)=dec(1; u20)otherwise fu1gu2=f u10g u20where
0aredenedby: u0=uifuisavariableoraconstantofbasetype u1u20= u10 u20 dec(u1;u2)0=dec(u1; u20)ifu12NoftypeCipher dec(u1;u2)0=dec(1; u20)otherwise u0=0otherwiseThefunctions
0and
areextendedtosetsoffactsasex-pected.Moreover,thefunction
0isalsodenedonchecksasfollows: chkX(t)0=chkX( t0):Proof.ConsideraproofF1;:::;FnofS`u.WeshowbyinductiononnthatwecanconstructsetsG1;:::;GpwhichonlyinvolvepurefactssuchthatG1;:::;GpisaproofofS` tforanyt2S[F1[:::[Fn, chkX(t)02SatChk(S[G1:::[Gp)foranychkX(t)2SatChk(S[F1[:::[Fn).Thiswouldconcludetheproofsinceu2Fnand u=u.Thebasecaseu2Sistrivial.Fortheinductionstep,weassumethattherearesetsofpuregroundfactsG1;:::GpsuchthatG1;:::;GpisaproofofS` tforanyt2S[F1[:::[Fi, chkX(t)02SatChk(S[G1[:::[Gp)foranycheckchkX(t)2SatChk(S[F1[:::[Fi).andweshowthatwecanconstructasetofpuregroundfactsGp+1suchthatG1;:::;Gp+1isaproofofS` tforanyt2S[F1[:::[Fi+1, chkX(t)02SatChk(S[G1[:::[Gp+1)foranychkX(t)2SatChk(S[F1[:::[Fi+1).ThesetofgroundfactsFi+1isone-stepdeduciblefromS[F1[:::Fi,thusthereexistsaweaklywell-adaptedruleRlnewn!Rr2AandagroundsubstitutionsuchthatRlSatChk(S[F1[:::[Fi)andFi+1=Rr(mod-uloAC).Let0bethesubstitutiondenedbyx0= x0foranyx2dom()oftypeBase,x0=xwhenxisaconstantoranonceoftypeCipherand1otherwise.WecanshowthatGp+1=Rr0satisestherequiredconditions. KeyPartImport2:xk2;xtypenewn!fdec(n;kmkpxtype)xk2gkmkpxtype;nchkEven(xk2);chkEven(xtype)chkOdd(dec(n;kmkpxtype))y;xk2newn!fdec(y;kmkpn)xk2gkmkpn;nchkEven(xk2)chkEven(n);chkOdd(dec(y;kmkpn))KeyPartImport3:xk3;xtypenewn!fdec(n;kmkpxtype)xk3gkmxtype;nchkEven(xk3);chkEven(xtype)chkOdd(dec(n;kmkpxtype))y;xk3newn!fdec(y;kmkpn)xk3gkmn;nchkEven(xk3)chkEven(n);chkOdd(dec(y;kmkpn))KeyImport:y;xtypenewn!fdec(y;dec(n;kmimp)xtype)gkmxtype;nchkEven(xtype)chkOdd(dec(n;kmimp))chkOdd(dec(y;dec(n;kmimp)xtype))xtype;znewn!fdec(n;dec(z;kmimp)xtype)gkmxtype;nchkEven(xtype);chkOdd(dec(z;kmimp))chkOdd(dec(n;dec(z;kmimp)xtype))y;znewn!fdec(y;dec(z;kmimp)n)gkmn;nchkOdd(dec(z;kmimp))chkOdd(dec(y;dec(z;kmimp)n))chkEven(n)KeyExport:y;xtypenewn!fdec(y;kmxtype)gdec(n;kmexp)xtype;nchkEven(xtype)chkOdd(dec(n;kmexp))chkOdd(dec(y;kmxtype))xtype;znewn!fdec(n;kmxtype)gdec(z;kmexp)xtype;nchkEven(xtype);chkOdd(dec(z;kmexp))chkOdd(dec(n;kmxtype))y;znewn!fdec(y;kmn)gdec(z;kmexp)n;nchkOdd(dec(z;kmexp))chkEven(n)chkOdd(dec(y;kmn))EncryptData:xnewn!fxgdec(n;kmdata);n;chkOdd(dec(n;kmdata))DecryptData:xnewn!dec(x;dec(n;kmdata));nchkOdd(dec(n;kmdata))TranslateKey:x;xtype;y2newn!fdec(x;dec(n;kmimp)xtype)gdec(y2;kmexp)xtype;nchkOdd(dec(y2;kmexp));chkEven(xtype)chkOdd(dec(n;kmimp))chkOdd(dec(x;dec(n;kmimp)xtype))x;xtype;y1newn!fdec(x;dec(y1;kmimp)xtype)gdec(n;kmexp)xtype;nchkEven(xtype);chkOdd(dec(y1;kmimp))chkOdd(dec(n;kmexp))chkOdd(dec(x;dec(y1;kmimp)xtype))chkOdd(dec(y2;kmexp));xtype;y1;y2newn!fdec(n;dec(y1;kmimp)xtype)gdec(y2;kmexp)xtype;nchkEven(xtype);chkOdd(dec(y1;kmimp))chkOdd(dec(n;dec(y1;kmimp)xtype))x;y1;y2newn!fdec(x;dec(y1;kmimp)n)gdec(y2;kmexp)n;nchkOdd(dec(y2;kmexp))chkEven(n);chkOdd(dec(x;dec(y1;kmimp)n))chkOdd(dec(y1;kmimp))NotethatnokeyconjuringvariantcanbeobtainedfromtheKeyPartImport1rule.Figure3.KeyConjuringvariantsoftherulesoftheIBMCCAKeyManagementTransactionSet