
Extending ProVerif's Resolution Algorithm for Verifying Group Protocols - PowerPoint PPT Presentation



  1. Extending ProVerif's Resolution Algorithm for Verifying Group Protocols. Miriam Paiola, miriam.paiola@ens.fr, Ecole Normale Supérieure, June 25, 2010. Sections: Introduction; Group Protocols; Generalized Horn Clauses; Resolution algorithm; Conclusions and Further works. Slide 1 / 24.

  2. Contents.
     1 Introduction: Representation with Horn clauses; Resolution
     2 Group Protocols
     3 Generalized Horn Clauses: Syntax
     4 Resolution algorithm: Extension of the definition of Resolution; Relation with Horn clauses; The Algorithm
     5 Conclusions and Further works

  3. Cryptographic protocols and their Verification. Cryptographic protocols are protocols that perform a security-related function and apply cryptographic methods. Confidence in these protocols can be increased by a formal analysis that verifies security properties while treating cryptographic primitives as black boxes. For an unbounded number of sessions ⇒ undecidability. Group protocols are protocols that involve an unbounded number of participants ⇒ the number of steps and the form of messages depend on the number of participants.

  4. Overview of ProVerif.
     Inputs: Protocol (Pi calculus + cryptography); Properties to prove (secrecy, authentication, ...)
     Automatic translator → Horn clauses; Derivability queries
     Resolution with selection → "The property is true" or "Potential attack"

  5. Representation with Horn clauses. Example: Denning-Sacco.
     Message 1  A → B : pencrypt(sign(k, sk_A[]), pk(sk_B[]))
     Message 2  B → A : sencrypt(s, k)


  7. Representation with Horn clauses. Example: Denning-Sacco.
     Message 1  A → B : pencrypt(sign(k, sk_A[]), pk(x))
     Message 2  B → A : sencrypt(s, k)


  9. Representation with Horn clauses. Example: Denning-Sacco.
     Message 1  A → B : pencrypt(sign(k[pk(x)], sk_A[]), pk(x))
     Message 2  B → A : sencrypt(s, k)

  10. Representation with Horn clauses. Example: Denning-Sacco.
      Message 1  A → B : pencrypt(sign(k[pk(x)], sk_A[]), pk(x))
      Message 2  B → A : sencrypt(s, k)
      attacker(pk(x)) ⇒ attacker(pencrypt(sign(k[pk(x)], sk_A[]), pk(x)))

  11. Representation with Horn clauses. Example: Denning-Sacco.
      Message 1  A → B : pencrypt(sign(k[pk(x)], sk_A[]), pk(x))
      Message 2  B → A : sencrypt(s, k)
      attacker(pk(x)) ⇒ attacker(pencrypt(sign(k[pk(x)], sk_A[]), pk(x)))
      Message 1  A → B : pencrypt(sign(k, sk_A[]), pk(sk_B[]))
      Message 2  B → A : sencrypt(s, k)


  13. Representation with Horn clauses. Example: Denning-Sacco.
      Message 1  A → B : pencrypt(sign(k[pk(x)], sk_A[]), pk(x))
      Message 2  B → A : sencrypt(s, k)
      attacker(pk(x)) ⇒ attacker(pencrypt(sign(k[pk(x)], sk_A[]), pk(x)))
      Message 1  A → B : pencrypt(sign(y, sk_A[]), pk(sk_B[]))
      Message 2  B → A : sencrypt(s, y)

  14. Representation with Horn clauses. Example: Denning-Sacco.
      Message 1  A → B : pencrypt(sign(k[pk(x)], sk_A[]), pk(x))
      Message 2  B → A : sencrypt(s, k)
      attacker(pk(x)) ⇒ attacker(pencrypt(sign(k[pk(x)], sk_A[]), pk(x)))
      Message 1  A → B : pencrypt(sign(y, sk_A[]), pk(sk_B[]))
      Message 2  B → A : sencrypt(s, y)
      attacker(pencrypt(sign(y, sk_A[]), pk(sk_B[]))) ⇒ attacker(sencrypt(s, y))

  15. Representation with Horn clauses. Representation of a protocol.
      Messages are represented by patterns: p ::= x | a[p_1, ..., p_n] | f(p_1, ..., p_n), e.g. ⟨a, b⟩, sencrypt(s, pk)
      Properties are represented by facts: F ::= attacker(p)
      The protocol and the abilities of the attacker are represented by Horn clauses: F_1 ∧ ··· ∧ F_n ⇒ F, e.g. attacker(s) ∧ attacker(pk) ⇒ attacker(sencrypt(s, pk))

  16. Resolution.
      Definition (Resolution): from H_1 ⇒ C_1 and F ∧ H_2 ⇒ C_2, infer σ(H_1 ∧ H_2) ⇒ σC_2, where σ is the most general unifier of C_1 and F.
      The selection function selects: a hypothesis not of the form attacker(x) if possible; the conclusion otherwise.
      Resolve until a fixpoint is reached. Keep clauses whose conclusion is selected.
      Theorem: The obtained clauses derive the same facts as the initial clauses.

  17. Example: Asokan-Ginzboorg protocol. Let the set of players be {a_i, i = 1, ..., n+1} for n ≥ 1, and let a_{n+1} be the leader. The protocol describes the establishment of a session key between the leader and the other n participants.
      (1) a_{n+1} → ALL : ⟨a_{n+1}, sencrypt(e, p)⟩
      (2) a_i → a_{n+1} : ⟨a_i, sencrypt(⟨r_i, s_i⟩, e)⟩
      (3) a_{n+1} → a_i : sencrypt(⟨s_1, ..., s_n, s_{n+1}⟩, r_i)
      (4) a_i → a_{n+1} : ⟨a_i, sencrypt(⟨s_i, h(s_1, ..., s_{n+1})⟩, K)⟩, for some i
      where K = f(s_1, ..., s_{n+1})

  18. Generalized Horn Clauses. Syntax 1
      p^G, s, t ::=                            patterns
          x_(ι_1,...,ι_h) where 0 ≤ h          variable
          f(p^G_1, ..., p^G_l)                 function application
          a_ι[p^G_1, ..., p^G_l]               indexed names
          mpair(i, p^G)                        list constructor
      F^G ::=                                  facts
          attacker(p^G)                        fact
          ⋀_{(i_1,...,i_h) ∈ I} F^G            conjunction fact
      R^G ::= F^G_1 ∧ ··· ∧ F^G_n ∧ δ ⇒ F^G    generalized Horn clause
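
The resolution rule and selection function from the Resolution slide, applied to the two Denning-Sacco clauses from the slides. This is an added Python example, not ProVerif's code or the author's. The tuple encoding, the function names, the clause `PUB` (the attacker knows B's public key) and the choice to resolve only a clause whose conclusion is selected against the selected hypothesis of another are assumptions of this example.

```python
# Added example. Encoding (an assumption): a variable is a str; f(p1..pn) and
# names a[p1..pn] are tuples (symbol, p1, ..., pn); a fact is ("attacker", p);
# a clause is (hypotheses, conclusion). Clauses must not share variable names.
def subst(t, s):
    """Apply substitution s (dict: variable -> term) to term t."""
    if isinstance(t, str):
        return subst(s[t], s) if t in s else t
    return (t[0],) + tuple(subst(a, s) for a in t[1:])

def occurs(v, t):
    return t == v if isinstance(t, str) else any(occurs(v, a) for a in t[1:])

def unify(a, b, s):
    """Most general unifier of a and b extending s, or None if there is none."""
    a, b = subst(a, s), subst(b, s)
    if a == b:
        return s
    if isinstance(b, str) and not isinstance(a, str):
        a, b = b, a
    if isinstance(a, str):
        return None if occurs(a, b) else {**s, a: b}  # occurs check
    if a[0] != b[0] or len(a) != len(b):
        return None
    for x, y in zip(a[1:], b[1:]):
        if (s := unify(x, y, s)) is None:
            return None
    return s

def select(clause):
    """Index of a hypothesis not of the form attacker(x); None = the conclusion."""
    return next((i for i, (_, p) in enumerate(clause[0]) if not isinstance(p, str)), None)

def resolve(c1, c2):
    """Resolve c1 (conclusion selected) on the selected hypothesis F of c2."""
    (h1, concl1), (h2, concl2) = c1, c2
    i = select(c2)
    if select(c1) is not None or i is None or (s := unify(concl1, h2[i], {})) is None:
        return None
    return ([subst(h, s) for h in h1 + h2[:i] + h2[i + 1:]], subst(concl2, s))

att = lambda p: ("attacker", p)
skA, skB, sec = ("skA",), ("skB",), ("s",)
# A and B are the two clauses from the slides; PUB is a constructed clause.
A = ([att(("pk", "x"))], att(("pencrypt", ("sign", ("k", ("pk", "x")), skA), ("pk", "x"))))
B = ([att(("pencrypt", ("sign", "y", skA), ("pk", skB)))], att(("sencrypt", sec, "y")))
PUB = ([], att(("pk", skB)))

def demo():  # PUB into A (x := skB[]), then the result into B (y := k[pk(skB[])])
    return resolve(resolve(PUB, A), B)
```

`demo()` returns the clause with no hypotheses and conclusion attacker(sencrypt(s, k[pk(sk_B[])])); `resolve(A, B)` returns `None` because the hypothesis attacker(pk(x)) of the first clause is selected, not its conclusion.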
