04-Inductive Method.ppt

8/20/2019 04-Inductive Method.ppt

1/24

Protocol Verification bythe Inductive Method

John Mitchell

Stanford

TECS Week 2005


2/24


3/24

Analysis Techniques

Crypto Protocol Analysis

Formal Models Computational Models

Modal Logics Model Checking Inductive Proofs

Dolev-Yao

(perfect crpto!rap"#

$ando% oracle

Pro&a&ilistic process calculi

Pro&a&ilistic I' auto%ata

)

Finite processes,

finite attacker

Process Calculi )

Finite processes,

infinite attacker

Spi-calculus*+, lo!ic


4/24

Recall: protocol state space

Participant + attackeractions define a statetransition graph

A path in the graph is atrace of the protocol

Graph can be

!inite if "e li#it nu#ber ofagents$ si%e of #essage$ etc&

'nfinite other"ise


5/24

Analysis using theore# pro(ing

)orrectness instead of bugs *se higherorder logic to reason about possible

protocol e,ecutions

-o finite bounds Any nu#ber of interlea(ed runs

Algebraic theory of #essages

-o restrictions on attacker

Mechani%ed proofs Auto#ated tools can fill in parts of proofs

Proof checking can pre(ent errors in reasoning

[Paulson]


6/24

'nducti(e proofs

.efine set of traces Gi(en protocol$ a trace is one possible

sequence of e(ents$ including attacks

Pro(e correctness by induction !or e(ery state in e(ery trace$ no

security condition fails

/ 0orks for safety properties only Proof by induction on the length of trace


7/24

T"o for#s of induction

*sual for# for ∀n∈-at& P1n2 3ase case: P142

'nduction step: P1,2 ⇒ P1,+52

)onclusion: ∀n∈-at& P1n2

Mini#ial countere,a#ple for#

Assu#e:∃, 6

¬P1,2

∧ ∀ y7,& P1y2 8 Pro(e: contraction

)onclusion: ∀n∈-at& P1n2

oth equivalent to “the natural numbers are well-ordered”


8/24

*se second for#

Gi(en set of traces )hoose shortest sequence to bad state Assu#e all steps before that 9

.eri(e contradiction/ )onsider all possible steps

All states are good Bad state


9/24

Sa#ple Protocol Goals

Authenticity: "ho sent it; !ails if A recei(es #essage fro# 3 but thinks it

is fro# ) 'ntegrity: has it been altered;

!ails if A recei(es #essage fro# 3 but #essageis not "hat 3 sent

Secrecy: "ho can recei(e it; !ails if attacker kno"s #essage that should be

secret Anony#ity

!ails if attacker or 3 kno"s action done by A

These are all safety properties


10/24

'nducti(e Method in a -utshell

+ttacker

inference

rules

+&stract

trace %odel

Infor%al

Protocol

Description

T"eore%

is correct Tr to prove

t"e t"eore%

Correctness

t"eore%

a&out tracessame forall protocols!


11/24

0ork by


12/24


13/24

'sabelle

Auto#ated support for proof de(elop#ent Eigherorder logic

Ser(es as a logical fra#e"ork

Supports F! set theory E9< Generic treat#ent of inference rules

Po"erful si#plifier classical reasoner

Strong support for inducti(e definitions


14/24

Agents and Messages

agent A$3 $H I Ser(er !riend i Spy

#sg K $D $H I Agent A

-once - ey :

L K $ D

)rypt K :

Typed, free term algebra, …


15/24

Protocol se#antics

Traces of e(ents: A sends K to 3

9perational #odel of agentsAlgebraic theory of #essages 1deri(ed2A general attacker

Proofs #echani%ed using 'sabelleNE9<


16/24

.efine sets inducti(ely

Traces Set of sequences of e(ents

'nducti(e definition in(ol(es i#plications

if e(5$ H$ e(n ∈ e(s$ then add e(O to e(s

'nfor#ation fro# a set of #essages

parts E : parts of #essages in E anal% E : infor#ation deri(able fro# E

synth E : #sgs constructible fro# E


17/24

Protocol e(ents in trace

Se(eral for#s of e(ents A sends 3 #essage K

A recei(es K

A stores K

I ev is a trace and Na is unused! add Says A B Crypt(pk B){A,Na}

A→B {A,NA}pkB

B→A {NB,NA}pkAI Says A’ B Crypt(pk B){A,X} ev and Nb is unused! add Says B A Crypt(pk A){Nb,X}

A→B {NB}pkB I Says ...{X,Na}... ev ! add

Says A B Crypt(pk B){X}


18/24

.ole(Dao Attacker Model

Attacker is a nondeter#inistic processAttacker can

'ntercept any #essage$ deco#pose into parts

.ecrypt if it kno"s the correct key )reate ne" #essage fro# data it has obser(ed

Attacker cannot

Gain partial kno"ledge Perfor# statistical tests

Stage ti#ing attacks$ H


19/24

Attacker )apabilities: Analysis

K ∈ E ⇒ K ∈ anal% E

LK $D ∈ anal% E ⇒ K ∈ anal% E

LK $D ∈ anal% E ⇒ D ∈ anal% E

)rypt K :∈

anal% E : +5 ∈ anal% E ⇒ K ∈ anal% E

anal" H is what attacker can learnrom H


20/24


21/24

quations and i#plications

anal%1anal% E 2 I anal% E synth1synth E 2 I synth E anal%1synth E 2 I anal% E ∪ synth E synth1anal% E 2 I ;;;

-once - ∈ synth E ⇒ -once - ∈ E )rypt : K ∈ synth E ⇒ )rypt : K ∈ E or K ∈ synth E : ∈ E


22/24

Attacker and correctness conditions

'f K ∈ synth1anal%1spies e(s 22$ add Says Spy 3 K # "s not secret because attacker can construct "t

from t$e parts "t learned from events

'f Says 3 A L- b $KM pk1A2 ∈ e(s Says AO 3 L- b M pk132 ∈ e(s $Then Says A 3 L- b M pk132 ∈ e(s

%f B t$"nks $e&s talk"ng to A,

t$en A must t$"nk s$e&s talk"ng to B


23/24

'nducti(e Method: Pros )ons

Ad(antages Reason about infinite runs$ #essage spaces Trace #odel close to protocol specification

)an pro(eQ protocol correct.isad(antages

.oes not al"ays gi(e an ans"er !ailure does not al"ays yield an attack

Still tracebased properties only


24/24

)a(eat

uote fro# Paulson 1J )o#puter Security$ 4442The Inductive Approach to Verifying Cryptographic Protocols

The attack on the recursi(e protocol 648 is a soberingre#inder of the li#itations of for#al #ethodsH Making

the #odel #ore detailed #akes reasoning harder and$e(entually$ infeasible& A co#positional approach see#snecessary

Reference 648 P&D&A& Ryan and S&A& Schneider$ An attack on a

recursi(e authentication protocol: A cautionary tale&'nfor#ation Processing >W2 pp? / 54&

Documents

04-Inductive Method.ppt