Deduction with XOR Constraints in Security API Modelling

Abstract: We introduce XOR constraints, and show how they enable a theorem prover to reason effectively about security critical subsystems which employ bitwise XOR. Our primary case study is the API of the IBM 4758 hardware security module. We also show how our technique can be applied to standard security protocols.

“…His proof used normalisation functions to deal with XOR, and most of the proof effort was in showing these functions to be sound. Other work has looked at rediscovering Bond's attacks on the old API, [12,15], the latter work using (without proof) a heuristic that splits intruder knowledge into an encrypted and unencrypted part. We believe that our theoretical results show that their heuristic preserves attack-completeness.…”

“…Following previous work [15,12], our experiments consider a number of key management commands from the CCA API. We ignore commands which do not generate key material and commands that are subsumed by more general ones.…”

“…IBM made changes of their own in version 2.41 of the API, and provided several procedural recommendations to prevent the attack. Though previous formal work has been able to rediscover the flaws in the old version [12,15], the new version of the API had not been formally analysed before.…”

Automatic Analysis of the Security of XOR-Based Key Management Schemes

“…His proof used normalisation functions to deal with XOR, and most of the proof effort was in showing these functions to be sound. Other work has looked at rediscovering Bond's attacks on the old API, [12,15], the latter work using (without proof) a heuristic that splits intruder knowledge into an encrypted and unencrypted part. We believe that our theoretical results show that their heuristic preserves attack-completeness.…”

“…Following previous work [15,12], our experiments consider a number of key management commands from the CCA API. We ignore commands which do not generate key material and commands that are subsumed by more general ones.…”

“…IBM made changes of their own in version 2.41 of the API, and provided several procedural recommendations to prevent the attack. Though previous formal work has been able to rediscover the flaws in the old version [12,15], the new version of the API had not been formally analysed before.…”

Automatic Analysis of the Security of XOR-Based Key Management Schemes

“…Formal work on the CCA first concentrated on rediscovering the attacks on the original version of the API [12,14], and then on proving both Bond's proposed fixes [9], and the fixes IBM actually implemented [8], to be secure. However, these works made an informal approximation of the ability of the intruder to 'conjure' keys, a trick used several times in Bond's attacks.…”

“…This can be adapted quite naturally to API analysis by considering the API to be a set of 2-party protocols, each describing an exchange between the secure hardware module and the host machine [12,14,8]. However, in previous work, the key conjuring trick was treated in an ad-hoc fashion, by adding a number of pre-chosen keys to the intruder's initial knowledge [12,14,8], or by adding a rule to allow particular keys to be conjured [11]. This raises doubts about completeness of the search for attacks, and hence the strength of any proofs of security.…”

A Formal Theory of Key Conjuring

Combining ProVerif and Automated Theorem Provers for Security Protocol Verification