TECS Week 2005 Intuition � Reason about local information Protocol Composition Logic • I chose a new number • I sent it out encrypted • I received it decrypted • Therefore: someone decrypted it John Mitchell � Incorporate knowledge about protocol • Protocol: Server only answers if sent a request Stanford • If server not corrupt and – I receive an answer from the server, then – the server must have received a request Intuition: Picture Example: Challenge-Response m, A Honest Principals, n, sig B {m, n, A} A B Protocol Attacker sig A {m, n, B} Private Data � Alice reasons: if Bob is honest, then: • only Bob can generate his signature. [protocol independent] � Alice’s information • if Bob generates a signature of the form sig B {m, n, A}, • Protocol – he sends it as part of msg2 of the protocol and • Private data – he must have received msg1 from Alice [protocol dependent] • Sends and receives • Alice deduces: Received (B, msg1) Λ Sent (B, msg2) Formalizing the Approach Cords � Language for protocol description � Protocol programming language • Write program for each role of protocol – Server = [receive x; new n; send {x, n}] � Building blocks � Protocol logic • Terms • State security properties – names, nonces, keys, encryption, … • Specialized form of temporal logic • Actions � Proof system – send, receive, pattern match, … • Formally prove security properties • Supports modular proofs 1
Terms Actions and Cords � Actions t ::= c constant term • send t; send a term t x variable • receive x; receive a term into variable x N name • match t/p(x); match term t against p(x) K key � Cord t, t tupling • Sequence of actions sig K {t} signature � Notation enc K {t} encryption • Some match actions are omitted in slides receive sigB{A, n} means Example: x, sig B {m, x, A} is a term receive x; match x/sigB{A, n} Challenge-Response as Cords Execution Model m, A � Protocol • Cord gives program for each protocol role n, sig B {m, n, A} A B � Initial configuration sig A {m, n, B} • Set of principals and keys • Assignment of ≥ 1 role to each principal � Run InitCR(A, X) = [ RespCR(B) = [ new m; receive Y, B, {y, Y}; Position in run new x send {x} B send A, X, {m, A}; new n; A receive X, A, {x, sig X {m, x, A}}; send B, Y, {n, sig B {y, n, Y}}; receive {x} B receive {z} B send A, X, sig A {m, x, X}}; receive Y, B, sig Y {y, n, B}}; B ] ] send {z} B new z C Modal Formulas Formulas true at a position in run � Action formulas � After actions, postcondition a ::= Send(P,m) | Receive (P,m) | New(P,t) [ actions ] P ϕ where P = 〈 princ, role id 〉 | Decrypt (P,t) | Verify (P,t) � Before/after assertions � Formulas ϕ [ actions ] P ψ ϕ ::= a | Has(P,t) | Fresh(P,t) | Honest(N) � Composition rule | Contains(t 1 , t 2 ) | ¬ϕ | ϕ 1 ∧ ϕ 2 | ∃ x ϕ ϕ [ S ] P ψ ψ [ T ] P θ | � ϕ | � ϕ Note: same P � Example in all formulas ϕ [ ST ] P θ After(a,b) = � (b ∧ �� a) 2
Security Properties Semantics � Authentication for Initiator � Protocol Q CR | = [ InitCR(A, B) ] A Honest(B) ⊃ • Defines set of roles (e.g, initiator, responder) ActionsInOrder( • Run R of Q is sequence of actions by principals Send(A, {A,B,m}), following roles, plus attacker Receive(B, {A,B,m}), � Satisfaction Send(B, {B,A,{n, sig B {m, n, A}}}), • Q, R | = [ actions ] P φ Receive(A, {B,A,{n, sig B {m, n, A}}}) Some role of P in R does exactly actions and φ is ) true in state after actions completed � Shared secret • Q | = [ actions ] P φ NS | = [ InitNS(A, B) ] A Honest(B) ⊃ Q, R | = [ actions ] P φ for all runs R of Q ( Has(X, m) ⊃ X=A ∧ X=B ) Proof System Sample axioms about actions � Goal: prove properties formally � New data � Axioms • [ new x ] P Has(P,x) • [ new x ] P Has(Y,x) ⊃ Y=P • Simple formulas provable by hand � Actions � Inference rules • [ send m ] P � Send(P,m) • Proof steps � Knowledge � Theorem • [receive m ] P Has(P,m) • Formula obtained from axioms by application of inference rules � Verify • [ match x/sig X {m} ] P � Verify(P,m) Reasoning about knowledge Encryption and signature � Pairing � Public key encryption • Has(X, {m,n}) ⊃ Has(X, m) ∧ Has(X, n) Honest(X) ∧ � Decrypt(Y, enc X {m}) ⊃ X=Y � Encryption � Signature • Has(X, enc K (m)) ∧ Has(X, K -1 ) ⊃ Has(X, m) Honest(X) ∧ � Verify(Y, sig X {m}) ⊃ ∃ m’ ( � Send(X, m’) ∧ Contains(m’, sig X {m}) 3
Sample inference rules Bidding conventions (motivation) � Preservation rules � Blackwood response to 4NT ψ [ actions ] P Has(X, t) – 5 ♣ : 0 or 4 aces ψ [ actions; action ] P Has(X, t) – 5 ♦ : 1 ace – 5 ♥ : 2 aces � Generic rules – 5 ♠ : 3 aces � Reasoning ψ [ actions ] P φ ψ [ actions ] P ϕ ψ [ actions ] P φ ∧ ϕ • If my partner is following Blackwood, then if she bid 5 ♥ , she must have 2 aces Honesty rule (rule scheme) Honesty rule (example use) ∀ roles R of Q. ∀ initial segments A ⊆ R. ∀ roles R of Q. ∀ initial segments A ⊆ R. Q |- [ A ] X φ Q |- [ A ] X φ Q |- Honest(X) ⊃ φ Q |- Honest(X) ⊃ φ • This is a finitary rule: • Example use: – Typical protocol has 2-3 roles – If Y receives a message from X, and – Typical role has 1-3 receives Honest(X) ⊃ (Sent(X,m) ⊃ Received(X,m’)) then Y can conclude – Only need to consider A waiting to receive Honest(X) ⊃ Received(X,m’)) Correctness of CR Correctness of CR – step 1 InitCR(A, X) = [ RespCR(B) = [ InitCR(A, X) = [ RespCR(B) = [ new m; receive Y, B, {y, Y}; new m; receive Y, B, {y, Y}; send A, X, {m, A}; new n; send A, X, {m, A}; new n; receive X, A, {x, sig X {m, x, A}}; send B, Y, {n, sig B {y, n, Y}}; receive X, A, {x, sig X {m, x, A}}; send B, Y, {n, sig B {y, n, Y}}; send A, X, sig A {m, x, X}}; receive Y, B, sig Y {y, n, B}}; send A, X, sig A {m, x, X}}; receive Y, B, sig Y {y, n, B}}; ] ] ] ] CR |- [ InitCR(A, B) ] A Honest(B) ⊃ 1. A reasons about it’s own actions ActionsInOrder( CR |- [ InitCR(A, B) ] A Send(A, {A,B,m}), � Verify(A, sig B {m, n, A}) Receive(B, {A,B,m}), Send(B, {B,A,{n, sig B {m, n, A}}}), Receive(A, {B,A,{n, sig B {m, n, A}}}) ) 4
Correctness of CR – step 2 Correctness of CR – Honesty InitCR(A, X) = [ RespCR(B) = [ InitCR(A, X) = [ RespCR(B) = [ new m; receive Y, B, {y, Y}; new m; receive Y, B, {y, Y}; send A, X, {m, A}; new n; send A, X, {m, A}; new n; receive X, A, {x, sig X {m, x, A}}; send B, Y, {n, sig B {y, n, Y}}; receive X, A, {x, sig X {m, x, A}}; send B, Y, {n, sig B {y, n, Y}}; send A, X, sig A {m, x, X}}; receive Y, B, sig Y {y, n, B}}; send A, X, sig A {m, x, X}}; receive Y, B, sig Y {y, n, B}}; ] ] ] ] 2. Properties of signatures Honesty invariant CR |- Honest(X) ∧ CR |- [ InitCR(A, B) ] A Honest(B) ⊃ � Send(X, m’) ∧ Contains(m’, sig x {y, x, Y}) ∧ ¬ � New(X, y) ⊃ ∃ m’ ( � Send(B, m’) ∧ Contains(m’, sig B {m, n, A}) m= X, Y, {x, sig B {y, x, Y}} ∧ � Receive(X, {Y, X, {y, Y}}) Correctness of CR – step 3 Correctness of CR – step 4 InitCR(A, X) = [ RespCR(B) = [ InitCR(A, X) = [ RespCR(B) = [ new m; receive Y, B, {y, Y}; new m; receive Y, B, {y, Y}; send A, X, {m, A}; new n; send A, X, {m, A}; new n; receive X, A, {x, sig X {m, x, A}}; send B, Y, {n, sig B {y, n, Y}}; receive X, A, {x, sig X {m, x, A}}; send B, Y, {n, sig B {y, n, Y}}; send A, X, sig A {m, x, X}}; receive Y, B, sig Y {y, n, B}}; send A, X, sig A {m, x, X}}; receive Y, B, sig Y {y, n, B}}; ] ] ] ] 3. Use Honesty rule 4. Use properties of nonces for temporal ordering CR |- [ InitCR(A, B) ] A Honest(B) ⊃ CR |- [ InitCR(A, B) ] A Honest(B) ⊃ Auth � Receive(B, {A,B,m}), Complete proof What does proof tell us? � Soundness Theorem: • If Q |- φ then Q |= φ • If φ is provable about protocol Q, then φ is true about protocol Q. � φ true in every run of Q • Dolev-Yao intruder • Unbounded number of participants 5
Recommend
More recommend