Formal Verification of e-Reputation Protocols 1 Ali Kassem 2 , Pascal Lafourcade 1 , Yassine Lakhnech 2 1 University d’Auvergne, LIMOS 2 Université Grenoble Alpes, CNRS, VERIMAG The 7th International Symposium on Foundations & Practice of Security FPS’2014, Montréal November 4, 2014 1 This research was conducted with the support of the "Digital trust" Chair from the Foundation of the University of Auvergne. 1/32
Reputation Systems Reputation systems: quantify the trust between different users. Application: ◮ Electronic commerce ◮ Social news ◮ Peer-to-peer routing ◮ etc. Goal: act in truthfulness way. 2/32
E-Reputation Players Three Players: different interest. Target User Authority 3/32
How they work? Interaction ( , ) Feedback ( , ) Computation 4/32
Requirements To be beneficial: users have to provide fedbacks �→ preserve their privacy and anonymity To rely on them: compute the score correctly �→ score verifiability 5/32
Related Work Related Work: ◮ Several secure e-reputation protocols: ◮ Supporting Privacy in Decentralized Additive Reputation Systems [ ? ] ◮ Signatures of Reputation [ ? ] ◮ Extending Signatures of Reputation [ ? ] ◮ etc. ◮ Definitions of the security properties are only informal . ◮ No tool to check whether a reputation protocol satisfies the security properties. 6/32
Contributions Contributions: ◮ Formalize e-reputation protocols in the applied π -calculus. ◮ Formal definitions of Privacy , Authentication and Verifiability properties. ◮ Automated verification in ProVerif of Pavlov et al. reputation protocol [ ? ] 7/32
Plan Introduction Model and Properties Authentication Properties Privacy Properties Verifiability Properties Case Study: Pavlov et al. Protocol Conclusion 8/32
Plan Introduction Model and Properties Authentication Properties Privacy Properties Verifiability Properties Case Study: Pavlov et al. Protocol Conclusion 9/32
Attacker Dolev-Yao [ ? ] attacker: ◮ controls the public channels ◮ read, block, modify and send messages ◮ under perfect cryptographic assumption K M 10/32
Processes Players as processes in the applied π -calculus [ ? ] P , Q ::= Processes 0 null process in ( u , x ) . P message input out ( u , m ) . P message output ν n . P name restriction if m = m ′ then P else Q conditional P | Q parallel composition ! P replication Annotated using events 11/32
Events Authority Target User Interaction Interaction eligible ( )
Events Authority Target User Interaction Interaction eligible ( ) Rate sent ( ) record ( ) , , , , 12/32
Plan Introduction Model and Properties Authentication Properties Privacy Properties Verifiability Properties Case Study: Pavlov et al. Protocol Conclusion 13/32
User Eligibility All recorded rates are casted by eligible users, and only one rate per user. On every trace: Interaction Interaction eligible ( ) preceeded by distinct occurence Rate sent ( ) record ( ) , , , , 14/32
Rate Integrity Rates are recorded as casted without modification. On every trace: Interaction Interaction eligible ( ) Rate sent ( ) record ( ) , , , , preceeded by distinct occurence 15/32
Plan Introduction Model and Properties Authentication Properties Privacy Properties Verifiability Properties Case Study: Pavlov et al. Protocol Conclusion 16/32
Rate Privacy No information about the rates is leaked. Observational equivalence of two instances Instance 1 Instance 2 Rate 1 ≈ l Rate 2 Can be considered with or without dishonest users. 17/32
Rate Anonymity An attacker cannot link a rate to a user. Observational equivalence of two instances Instance 1 Instance 2 Rate 1 Rate 2 ≈ l Rate 2 Rate 1 Can be considered with or without dishonest users and target. 18/32
Receipt-Freeness A user cannot prove to an attacker that he provided a certain rate s t e Instance 1 Instance 2 r c e s Rate Rate ≈ l Rate Rate The coerced user cooperates with the attacker by leaking secrets . 19/32
Coercion-Resistance Even when interacting with a coercer, the user can still provide a rate of his choice . s t Instance 1 Instance 2 e r c e s r s e d r o Rate Rate ≈ l Rate Rate The coerced user is forced by the attacker to provide Rate . 20/32
Relations Rate Privacy Rate Anonymity Receipt-Freeness Coercion-Resistance 21/32
Plan Introduction Model and Properties Authentication Properties Privacy Properties Verifiability Properties Case Study: Pavlov et al. Protocol Conclusion 22/32
Verifiability for Reputation Protocols Definition (Verifiability): A reputation protocol ensures Verifiability if there are Verification tests UEV, RSV respecting the following conditions: 1. User Eligibility Verifiability (UEV): ◮ UEV = true ⇒ all rates are casted by eligible users 2. Reputation Score Verifiability (RSV): ◮ RSV = true ⇒ the reputation score is computed correctly from the casted rates 3. Completeness: if all participants follow the protocol honestly, the above tests succeed. 23/32
Plan Introduction Model and Properties Authentication Properties Privacy Properties Verifiability Properties Case Study: Pavlov et al. Protocol Conclusion 24/32
Application: Pavlov et al. Protocol [ ? ] r pre . + r n A q rand . r q � = 0 U n r pre . U 1 U 3 r q + r 1 U 2 r q + r 1 + r 2 Score: A q subtracts r q from the summation. Assumption: secure authenticated channels between users. Goal: ensure rate privacy if all users act honestly 25/32
Modeling in ProVerif We model the protocol in ProVerif for two users in addition to A q . Addition and Subtraction: sub ( sum ( x , y ) , x ) = y sub ( sum ( x , y ) , y ) = x sub ( sum ( sum ( x , y ) , z ) , x ) = sum ( y , z ) sub ( sum ( sum ( x , y ) , z ) , y ) = sum ( x , z ) Secure Authenticated Channels: ◮ encrypt the exchanged messages ◮ include the unique identities of the sender and the receiver in the messages 26/32
Results Formal Verification with ProVerif [ ? ]: Property Result Rate Privacy � Rate Anonymity � Receipt-Freeness × Coercion-Resistance × � 2 Rate Integrity User Eligibility � � 3 Reputation Score Verifiability User Eligibility Verifiability × Time: less than one second with standard PC. 2 without injectivity 3 if the rates are published in a Bulletin Board 27/32
Attacks Receipt-Freeness: the shared symmetric key k can act as a recipet . r i = decrypt ( r p + r i , k ) − decrypt ( r p , k ) ⇒ Coercion-Resistance is not ensured also. User Eligibility Verifiability: users do not provide any proof ( e.g., certificate) of their eligibility. 28/32
Plan Introduction Model and Properties Authentication Properties Privacy Properties Verifiability Properties Case Study: Pavlov et al. Protocol Conclusion 29/32
Conclusion Conclusion: ◮ E-reputation protocols have many applications ◮ Secure reputation protocols exist ◮ Lack of formal verification ◮ First formal framework for analysis of e-reputation: ◮ Formal model in the applied π -calculus ◮ Definitions for privacy, authentication, verifiability properties ◮ Automated verification in ProVerif of one case study. 30/32
Future Work Future work: ◮ Analyze more reputation protocols ◮ Study properties such as : correctness, accountability, . . . ◮ Verify other protocols such as: e-cash, . . . 31/32
Thank you for your attention! Questions? ali.kassem@imag.fr pascal.lafourcade@udamail.fr 32/32
Recommend
More recommend
