Upload
kimmiahuja
View
220
Download
0
Embed Size (px)
Citation preview
8/20/2019 04-Inductive Method.ppt
1/24
Protocol Verification bythe Inductive Method
John Mitchell
Stanford
TECS Week 2005
8/20/2019 04-Inductive Method.ppt
2/24
8/20/2019 04-Inductive Method.ppt
3/24
Analysis Techniques
Crypto Protocol Analysis
Formal Models Computational Models
Modal Logics Model Checking Inductive Proofs
Dolev-Yao
(perfect crpto!rap"#
$ando% oracle
Pro&a&ilistic process calculi
Pro&a&ilistic I' auto%ata
)
Finite processes,
finite attacker
Process Calculi )
Finite processes,
infinite attacker
Spi-calculus*+, lo!ic
8/20/2019 04-Inductive Method.ppt
4/24
Recall: protocol state space
Participant + attackeractions define a statetransition graph
A path in the graph is atrace of the protocol
Graph can be
!inite if "e li#it nu#ber ofagents$ si%e of #essage$ etc&
'nfinite other"ise
8/20/2019 04-Inductive Method.ppt
5/24
Analysis using theore# pro(ing
)orrectness instead of bugs *se higherorder logic to reason about possible
protocol e,ecutions
-o finite bounds Any nu#ber of interlea(ed runs
Algebraic theory of #essages
-o restrictions on attacker
Mechani%ed proofs Auto#ated tools can fill in parts of proofs
Proof checking can pre(ent errors in reasoning
[Paulson]
8/20/2019 04-Inductive Method.ppt
6/24
'nducti(e proofs
.efine set of traces Gi(en protocol$ a trace is one possible
sequence of e(ents$ including attacks
Pro(e correctness by induction !or e(ery state in e(ery trace$ no
security condition fails
/ 0orks for safety properties only Proof by induction on the length of trace
8/20/2019 04-Inductive Method.ppt
7/24
T"o for#s of induction
*sual for# for ∀n∈-at& P1n2 3ase case: P142
'nduction step: P1,2 ⇒ P1,+52
)onclusion: ∀n∈-at& P1n2
Mini#ial countere,a#ple for#
Assu#e:∃, 6
¬P1,2
∧ ∀ y7,& P1y2 8 Pro(e: contraction
)onclusion: ∀n∈-at& P1n2
oth equivalent to “the natural numbers are well-ordered”
8/20/2019 04-Inductive Method.ppt
8/24
*se second for#
Gi(en set of traces )hoose shortest sequence to bad state Assu#e all steps before that 9
.eri(e contradiction/ )onsider all possible steps
All states are good Bad state
8/20/2019 04-Inductive Method.ppt
9/24
Sa#ple Protocol Goals
Authenticity: "ho sent it; !ails if A recei(es #essage fro# 3 but thinks it
is fro# ) 'ntegrity: has it been altered;
!ails if A recei(es #essage fro# 3 but #essageis not "hat 3 sent
Secrecy: "ho can recei(e it; !ails if attacker kno"s #essage that should be
secret Anony#ity
!ails if attacker or 3 kno"s action done by A
These are all safety properties
8/20/2019 04-Inductive Method.ppt
10/24
'nducti(e Method in a -utshell
+ttacker
inference
rules
+&stract
trace %odel
Infor%al
Protocol
Description
T"eore%
is correct Tr to prove
t"e t"eore%
Correctness
t"eore%
a&out tracessame forall protocols!
8/20/2019 04-Inductive Method.ppt
11/24
0ork by
8/20/2019 04-Inductive Method.ppt
12/24
8/20/2019 04-Inductive Method.ppt
13/24
'sabelle
Auto#ated support for proof de(elop#ent Eigherorder logic
Ser(es as a logical fra#e"ork
Supports F! set theory E9< Generic treat#ent of inference rules
Po"erful si#plifier classical reasoner
Strong support for inducti(e definitions
8/20/2019 04-Inductive Method.ppt
14/24
Agents and Messages
agent A$3 $H I Ser(er !riend i Spy
#sg K $D $H I Agent A
-once - ey :
L K $ D
)rypt K :
Typed, free term algebra, …
8/20/2019 04-Inductive Method.ppt
15/24
Protocol se#antics
Traces of e(ents: A sends K to 3
9perational #odel of agentsAlgebraic theory of #essages 1deri(ed2A general attacker
Proofs #echani%ed using 'sabelleNE9<
8/20/2019 04-Inductive Method.ppt
16/24
.efine sets inducti(ely
Traces Set of sequences of e(ents
'nducti(e definition in(ol(es i#plications
if e(5$ H$ e(n ∈ e(s$ then add e(O to e(s
'nfor#ation fro# a set of #essages
parts E : parts of #essages in E anal% E : infor#ation deri(able fro# E
synth E : #sgs constructible fro# E
8/20/2019 04-Inductive Method.ppt
17/24
Protocol e(ents in trace
Se(eral for#s of e(ents A sends 3 #essage K
A recei(es K
A stores K
I ev is a trace and Na is unused! add Says A B Crypt(pk B){A,Na}
A→B {A,NA}pkB
B→A {NB,NA}pkAI Says A’ B Crypt(pk B){A,X} ev and Nb is unused! add Says B A Crypt(pk A){Nb,X}
A→B {NB}pkB I Says ...{X,Na}... ev ! add
Says A B Crypt(pk B){X}
8/20/2019 04-Inductive Method.ppt
18/24
.ole(Dao Attacker Model
Attacker is a nondeter#inistic processAttacker can
'ntercept any #essage$ deco#pose into parts
.ecrypt if it kno"s the correct key )reate ne" #essage fro# data it has obser(ed
Attacker cannot
Gain partial kno"ledge Perfor# statistical tests
Stage ti#ing attacks$ H
8/20/2019 04-Inductive Method.ppt
19/24
Attacker )apabilities: Analysis
K ∈ E ⇒ K ∈ anal% E
LK $D ∈ anal% E ⇒ K ∈ anal% E
LK $D ∈ anal% E ⇒ D ∈ anal% E
)rypt K :∈
anal% E : +5 ∈ anal% E ⇒ K ∈ anal% E
anal" H is what attacker can learnrom H
8/20/2019 04-Inductive Method.ppt
20/24
8/20/2019 04-Inductive Method.ppt
21/24
quations and i#plications
anal%1anal% E 2 I anal% E synth1synth E 2 I synth E anal%1synth E 2 I anal% E ∪ synth E synth1anal% E 2 I ;;;
-once - ∈ synth E ⇒ -once - ∈ E )rypt : K ∈ synth E ⇒ )rypt : K ∈ E or K ∈ synth E : ∈ E
8/20/2019 04-Inductive Method.ppt
22/24
Attacker and correctness conditions
'f K ∈ synth1anal%1spies e(s 22$ add Says Spy 3 K # "s not secret because attacker can construct "t
from t$e parts "t learned from events
'f Says 3 A L- b $KM pk1A2 ∈ e(s Says AO 3 L- b M pk132 ∈ e(s $Then Says A 3 L- b M pk132 ∈ e(s
%f B t$"nks $e&s talk"ng to A,
t$en A must t$"nk s$e&s talk"ng to B
8/20/2019 04-Inductive Method.ppt
23/24
'nducti(e Method: Pros )ons
Ad(antages Reason about infinite runs$ #essage spaces Trace #odel close to protocol specification
)an pro(eQ protocol correct.isad(antages
.oes not al"ays gi(e an ans"er !ailure does not al"ays yield an attack
Still tracebased properties only
8/20/2019 04-Inductive Method.ppt
24/24
)a(eat
uote fro# Paulson 1J )o#puter Security$ 4442The Inductive Approach to Verifying Cryptographic Protocols
The attack on the recursi(e protocol 648 is a soberingre#inder of the li#itations of for#al #ethodsH Making
the #odel #ore detailed #akes reasoning harder and$e(entually$ infeasible& A co#positional approach see#snecessary
Reference 648 P&D&A& Ryan and S&A& Schneider$ An attack on a
recursi(e authentication protocol: A cautionary tale&'nfor#ation Processing >W2 pp? / 54&