Presentation of the ProVerif tool
Stéphanie Delaune
January 2018
ProVerif [Blanchet, 01]
ProVerif is a verifier for cryptographic protocols that may prove that a protocol is secure or exhibit attacks.
http://proverif.inria.fr
Advantages
◮ fully automatic, and quite efficient
◮ a rich process algebra: replication, else branches, ...
◮ handles many cryptographic primitives
◮ various security properties: secrecy, correspondences, equivalences
No miracle
◮ the tool can say “can not be proved”;
◮ termination is not guaranteed
How does ProVerif work?
Some vocabulary
First order logic
Atoms: P(t_1, ..., t_n) where the t_i are terms and P is a predicate
Literals: P(t_1, ..., t_n) or ¬P(t_1, ..., t_n)
Formulas: built from literals, closed under ∨, ∧, ¬, ∃, ∀
Clauses: only universal quantifiers
Horn clauses: at most one positive literal, i.e. ∀x̃. A_1, ..., A_n ⇒ B (where the A_i and B are atoms)
Modelling using Horn clauses
Modelling the attacker
The Horn clauses C_att reflect the capabilities of the attacker.
att(x), att(y) ⇒ att(⟨x, y⟩)      pairing
att(⟨x, y⟩) ⇒ att(x)             projection
att(⟨x, y⟩) ⇒ att(y)             projection
att(x), att(y) ⇒ att({x}_y)      encryption
att({x}_y), att(y) ⇒ att(x)      decryption
Modelling the protocol (on an example)
A → B : {pin}_K_a
B → A : {{pin}_K_a}_K_b
A → B : {pin}_K_b
→ relies on {{pin}_K_a}_K_b = {{pin}_K_b}_K_a (the two encryption layers commute).
This protocol does not work! (authentication problem)
Attack, with the intruder I in B's role:
A → I : {pin}_K_a
I → A : {{pin}_K_a}_K_i
A → I : {pin}_K_i
Modelling the protocol (using Horn clauses)
Protocol:                    Horn clauses C_P:
A → B : {pin}_K_a            ⇒ att({pin}_K_a)
B → A : {{pin}_K_a}_K_b      att(x) ⇒ att({x}_K_b)
A → B : {pin}_K_b            att({x}_K_a) ⇒ att(x)
→ These clauses model an arbitrary number of executions of the protocol between the two honest participants A and B.
Modelling the security property
We consider secrecy as a reachability (accessibility) property, and we consider the Horn clause ¬att(pin).
There exists an attack (in this model) iff C_att + C_prot + ¬att(pin) is NOT satisfiable.
Exercise
Do you think that C_prot + C_att + ¬att(pin) is satisfiable or not? Justify your answer.
What about C_prot + C_att? And C_prot?
How to decide satisfiability? → using resolution techniques
Binary resolution
    ¬A ∨ C        B ∨ D
    ---------------------    θ = mgu(A, B)
          Cθ ∨ Dθ
Theorem (Soundness and Completeness)
Binary resolution is sound and refutationally complete for Horn clauses, i.e. a set of Horn clauses C is not satisfiable if and only if □ (the empty clause) can be obtained from C by binary resolution.
Example
C = { ¬att(s),  att(k_1),  att({s}_⟨k_1, k_1⟩),  att({x}_y), att(y) ⇒ att(x),  att(x), att(y) ⇒ att(⟨x, y⟩) }
Refutation by binary resolution:
att(k_1)  with  att(x), att(y) ⇒ att(⟨x, y⟩)          gives  att(y) ⇒ att(⟨k_1, y⟩)
att({s}_⟨k_1, k_1⟩)  with  att({x}_y), att(y) ⇒ att(x)   gives  att(⟨k_1, k_1⟩) ⇒ att(s)
att(k_1)  with  att(y) ⇒ att(⟨k_1, y⟩)                 gives  att(⟨k_1, k_1⟩)
att(⟨k_1, k_1⟩)  with  att(⟨k_1, k_1⟩) ⇒ att(s)          gives  att(s)
att(s)  with  ¬att(s)                                  gives  □
But it is not terminating!
att(s)  with  att(x), att(y) ⇒ att(⟨x, y⟩)      gives  att(y) ⇒ att(⟨s, y⟩)
att(s)  with  att(y) ⇒ att(⟨s, y⟩)             gives  att(⟨s, s⟩)
att(⟨s, s⟩)  with  att(y) ⇒ att(⟨s, y⟩)        gives  att(⟨s, ⟨s, s⟩⟩)
att(⟨s, ⟨s, s⟩⟩)  with  att(y) ⇒ att(⟨s, y⟩)   gives  att(⟨s, ⟨s, ⟨s, s⟩⟩⟩)
...
→ This does not yield any decidability result.
How does ProVerif work?
ProVerif in a nutshell
Two main ideas (extending [Weidenbach, CADE’99]):
1. a simple abstract representation of these protocols, by a set of Horn clauses;
   → relying on parametrized terms (called patterns)
2. an efficient solving algorithm based on resolution to find which facts can be derived from these clauses.
   → ordered resolution with selection
Using this, ProVerif can prove secrecy properties of protocols, or exhibit attacks showing why a message is not secret.
Modelling the attacker using Horn clauses
Public key encryption
att(x) ⇒ att(pk(x))
att(x), att(pk(y)) ⇒ att(aenc(x, pk(y)))
att(aenc(x, pk(y))), att(y) ⇒ att(x)
Signature
att(x), att(y) ⇒ att(sign(x, y))
att(sign(x, y)) ⇒ att(x)
Symmetric encryption
att(x), att(y) ⇒ att(senc(x, y))
att(senc(x, y)), att(y) ⇒ att(x)
Initial knowledge
⇒ att(pk(sk_A))
⇒ att(sk_I)
⇒ att(pk(sk_B))
Modelling the protocol using Horn clauses
Denning-Sacco protocol
...
A → B : aenc(sign(k, priv(A)), pub(B))
B → A : senc(s, k)
...
using Horn clauses
◮ A talks with any principal represented by its public key pk(x).
  att(pk(x)) ⇒ att(aenc(sign(k[x], sk_A), pk(x)))
◮ When B receives a message of the expected form, he replies accordingly.
  att(aenc(sign(y, sk_A), pk(sk_B))) ⇒ att(senc(s, y))
→ names are parametrized (k[x]) to partially model their freshness
Modelling the security property using Horn clauses
We consider secrecy as a reachability (accessibility) property.
Is C_att + C_prot + ¬att(s) satisfiable or not?
Denning-Sacco protocol
1. att(sk_I)                                    initial knowledge
2. att(pk(sk_I))                                using attacker rules on 1
3. att(aenc(sign(k[sk_I], sk_A), pk(sk_I)))     using protocol (rule 1) on 2
4. att(pk(sk_B))                                initial knowledge
5. att(aenc(sign(k[sk_I], sk_A), pk(sk_B)))     using attacker rules on 3 with 1/4
6. att(senc(s, k[sk_I]))                        using protocol (rule 2) on 5
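The following toy engine is an added example written for these notes; it is not ProVerif's code and not part of the slides. It implements the "resolution with selection" idea of the nutshell slide on the clause sets that appear in the deck: the attacker clauses C_att, the pin protocol of the exercise, the small refutation example, the non-terminating pairing example, and the Denning-Sacco derivation. Assumptions made here: every atom is att(t), so a clause is just a pair (hypotheses, conclusion) of terms; {x}_y is encoded as senc(x, y), ⟨x, y⟩ as pair(x, y) and the parametrized name k[x] as ("k", x); the selection function picks the first hypothesis that is not of the form att(variable), which is a simplification of ProVerif's actual strategy; and saturation stops after a fixed number of clauses as a safety net, because termination is not guaranteed in general.

```python
"""Horn-clause saturation with a ProVerif-style selection function (added toy example).

Terms: constants are plain strings, variables are strings starting with '?',
compound terms are tuples (symbol, arg1, ..., argn).  A clause is (hyps, concl)
where every element stands for an att(...) atom.
"""
import itertools


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def walk(t, s):
    """Follow variable bindings of substitution s."""
    while is_var(t) and t in s:
        t = s[t]
    return t


def occurs(v, t, s):
    t = walk(t, s)
    return t == v or (isinstance(t, tuple) and any(occurs(v, a, s) for a in t[1:]))


def unify(a, b, s=None):
    """Most general unifier of a and b extending s, or None if there is none."""
    s = {} if s is None else s
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a):
        return None if occurs(a, b, s) else {**s, a: b}
    if is_var(b):
        return None if occurs(b, a, s) else {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b):
        for u, v in zip(a[1:], b[1:]):
            s = unify(u, v, s)
            if s is None:
                return None
        return s
    return None


def subst(t, s):
    t = walk(t, s)
    return (t[0],) + tuple(subst(a, s) for a in t[1:]) if isinstance(t, tuple) else t


def rename(clause, prefix):
    """Rename variables to prefix0, prefix1, ... in order of appearance; dedupe hypotheses."""
    names = {}

    def ren(t):
        if is_var(t):
            return names.setdefault(t, "%s%d" % (prefix, len(names)))
        return (t[0],) + tuple(ren(a) for a in t[1:]) if isinstance(t, tuple) else t

    hyps, concl = clause
    return tuple(dict.fromkeys(ren(h) for h in hyps)), ren(concl)


def selected(hyps):
    """Selection function: index of the first hypothesis that is not att(var), else None."""
    return next((i for i, h in enumerate(hyps) if not is_var(h)), None)


def resolve(solved, other):
    """Resolve the conclusion of `solved` (all hypotheses att(var)) against the
    selected hypothesis of `other`.  Returns the resolvent, or None."""
    hr, cr = rename(solved, "?a")   # rename apart so the two clauses share no variable
    ho, co = rename(other, "?b")
    i = selected(ho)
    s = unify(cr, ho[i])
    if s is None:
        return None
    hyps = [subst(h, s) for h in hr] + [subst(h, s) for j, h in enumerate(ho) if j != i]
    concl = subst(co, s)
    if concl in hyps:               # tautology: useless for a refutation
        return None
    return rename((tuple(hyps), concl), "?")


def saturate(clauses, limit=5000):
    """Resolution with selection: only solved x unsolved pairs are resolved, until no
    new clause appears.  `limit` is a safety net since termination is not guaranteed."""
    cs = {rename(c, "?") for c in clauses}
    changed = True
    while changed and len(cs) < limit:
        changed = False
        solved = [c for c in cs if selected(c[0]) is None]
        unsolved = [c for c in cs if selected(c[0]) is not None]
        for r, o in itertools.product(solved, unsolved):
            new = resolve(r, o)
            if new is not None and new not in cs:
                cs.add(new)
                changed = True
    return cs


def derivable(clauses, goal):
    """True iff clauses + ¬att(goal) is unsatisfiable, i.e. some solved clause of the
    saturated set concludes an instance of att(goal)."""
    return any(selected(h) is None and unify(c, goal) is not None for h, c in saturate(clauses))


X, Y = "?x", "?y"
C_ATT = [                                          # attacker capabilities (C_att)
    ((X, Y), ("pair", X, Y)), ((("pair", X, Y),), X), ((("pair", X, Y),), Y),
    ((X, Y), ("senc", X, Y)), ((("senc", X, Y), Y), X),
    ((X,), ("pk", X)), ((X, ("pk", Y)), ("aenc", X, ("pk", Y))), ((("aenc", X, ("pk", Y)), Y), X),
    ((X, Y), ("sign", X, Y)), ((("sign", X, Y),), X),
]
PIN_PROT = [                                       # the pin protocol of the exercise
    ((), ("senc", "pin", "Ka")),                   # A -> B : {pin}_Ka
    ((X,), ("senc", X, "Kb")),                     # B adds a Kb layer to whatever it receives
    ((("senc", X, "Ka"),), X),                     # A strips its Ka layer from whatever it receives
]
DS_PROT = [                                        # Denning-Sacco with parametrized name k[x]
    ((), ("pk", "skA")), ((), "skI"), ((), ("pk", "skB")),                 # initial knowledge
    ((("pk", X),), ("aenc", ("sign", ("k", X), "skA"), ("pk", X))),       # A -> x
    ((("aenc", ("sign", Y, "skA"), ("pk", "skB")),), ("senc", "s", Y)),   # B -> A
]

if __name__ == "__main__":
    print("pin protocol, att(pin) derivable:", derivable(C_ATT + PIN_PROT, "pin"))
    print("Denning-Sacco, att(s) derivable:", derivable(C_ATT + DS_PROT, "s"))
```

Two points worth checking against the slides: on the set {att(s), att(x), att(y) ⇒ att(⟨x, y⟩)} plain binary resolution loops forever, but saturate returns after zero resolution steps, since both clauses are "solved" and the strategy never resolves two solved clauses together; and on C_att + DS_PROT the engine produces a solved clause att(x) ⇒ att(s), which is exactly the derivation numbered 1 to 6 above once the remaining att(x) hypothesis is instantiated with sk_I.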