secure protocols for secrecy
play

Secure Protocols for Secrecy Hanane Houmani and Mohamed Mejri LSFM - PowerPoint PPT Presentation

Secure Protocols for Secrecy Hanane Houmani and Mohamed Mejri LSFM Research Group Computer Science Department LAVAL University Quebec, Canada Houmani, 2003 p. 1/25 c Outline Motivations Related works Overview Protocol Modelling


  1. Secure Protocols for Secrecy Hanane Houmani and Mohamed Mejri LSFM Research Group Computer Science Department LAVAL University Quebec, Canada � Houmani, 2003 – p. 1/25 c

  2. Outline Motivations Related works Overview Protocol Modelling Secrecy property Correctness conditions Correctness theorem Example Conclusion and future works � Houmani, 2003 – p. 2/25 c

  3. Motivations Problems: ➪ Urgent need of security to develop Internet, www, electronic trade, etc. confidence between the electronic market actors Analysis of security protocols ➪ subtle and complex Need of guarantee that the protocols, used to make our transactions secure, don’t have any flaw ➪ Need of methods to verify the correctness of cryptographic protocols � Houmani, 2003 – p. 3/25 c

  4. Motivations Problems: ➪ Urgent need of security to develop Internet, www, electronic trade, etc. confidence between the electronic market actors Analysis of security protocols ➪ subtle and complex Need of guarantee that the protocols, used to make our transactions secure, don’t have any flaw ➪ Need of methods to verify the correctness of cryptographic protocols Objectives: Establish some sufficient conditions under which the correctness of a given protocol is guaranteed Conditions must be verified easily on a protocol � Houmani, 2003 – p. 3/25 c

  5. Related works Logical methods: based on multi-modal logics (temporal, epistemic and doxatic logics). BAN, CKT5, GNY, etc. General purpose formal methods: based on the use of traditional formal specification and verification methods. Z, VDM, B, RSL, Coq, Isabelle, HOL, etc. Process algebra methods: based on the use of process algebra for the protocol description and for verification. CSP , CCS, LOTOS, SPI, etc. Search oriented methods: based on the intruder abilities modeling and the search of insecure states. Interrogator, NRL, etc. Correctness oriented methods : based on proving correctness of protocols Methods based on model-checking, Typing system of Abadi, Inductive method of Paulson, method proving of Guttman, etc. � Houmani, 2003 – p. 4/25 c

  6. Overview Result: Any protocol that satisfies correctness conditions, is correct with respect to the secrecy property � Houmani, 2003 – p. 5/25 c

  7. Overview Result: Any protocol that satisfies correctness conditions, is correct with respect to the secrecy property Correctness verification: The verification of the correctness condition on a given protocol consists of a verification on the whole of messages sent in roles-based specification of this protocol. The verification of the correctness condition on protocols can be automatized. This result involves the protocols that use symmetric and atomic keys � Houmani, 2003 – p. 5/25 c

  8. Outline Motivations Related works Overview Protocol Modelling Basics Protocol & Generalized roles Reduction Example Secrecy property Correctness conditions Correctness theorem Example Conclusion and future works � Houmani, 2003 – p. 6/25 c

  9. Basics Message : A, B, C, S and I. : principal identities N a : nonce chosen by A k ab : shared key between A and B k a (resp k − 1 a ): A’s public key (resp A’s private key.) { m } k : message encrypted by public key of A m.m : composed message Communication step: → B : m i A � Houmani, 2003 – p. 7/25 c

  10. Protocol Modelling A Protocol is defined by a pair � P, K � , where: P has to respect the following BNF grammar: ::= � i, A → B : m � | P.P P K is a set of triples like ( X, K X , F X ) Role-based specification : is a set of generalized roles extracted from the analyzed protocol. Generalized roles are extracted from the protocol according to the following steps Extracting the roles: A role is a protocol abstraction where the emphasis is put on a particular principal. Extracting the generalized roles: A generalized role is an abstraction of a role where some messages are replaced by variables � Houmani, 2003 – p. 8/25 c

  11. Protocol Modelling Reduction ( ↓ ): Let M be a set of messages. The reduction of M , denoted by M ↓ , is defined as the normal form of M obtained from the following rewriting rules: ( M ∪ { m 1 .m 2 } ) ↓ → c ( M ∪ { m 1 , m 2 } ) ↓ ( M ∪ {{ m } k , k } ) ↓ → e ( M ∪ { m, k } ) ↓ Extended Reduction ( ↓ x ): Let M be a set of messages. The extended reduction of M , denoted by M ↓ x , is defined as the normal form of M obtained using the following rewriting rules: M ∪ { m 1 .m 2 } → c x M ∪ { m 1 , m 2 } M ∪ {{ m } α , β } → e x M ∪ {{ m } α , β } ∪ { mσ, βσ | σ = mgu ( α, β ) } � Houmani, 2003 – p. 9/25 c

  12. Protocol Modelling Example: Let p = � P, K � be the following protocol :  P = � 1 , A → S : { A.B.N a } k as � .      � 2 , S → A : {{ A } N a .B.k ab } k as � .   � α. 1 , A → I ( S ) : { A.B.N α A = a } k as � .    � 3 , S → B : { A.B.k ab } k bs �    a .B.k α � α. 2 , I ( S ) → A : {{ A } N α ab } k as �         { ( A, K A , F A ) , ( B, K B , F B ) , ( S, K S , F S ) }  K =   � α. 3 , I ( S ) → B : { A.B.k α B = ab } k bs �  ➪  K A = { A, B, S, k as }   K B = { A, B, S, k bs }   � α. 1 , I ( A ) → S : { A.B.N α  S = a } k as � .    K S = { A, B, S, k ab , k bs , k as }   a .B.k α � α. 2 , S → I ( A ) : {{ A } N α ab } k as � .    F A = { N a }    � α. 3 , S → I ( B ) : { A.B.k α ab } k bs �    F B = ∅       F S = { k ab }  � Houmani, 2003 – p. 10/25 c

  13. Protocol Modelling Example: � α. 1 , A → I ( S ) : { A.B.N α � α. 1 , A → I ( S ) : { A.B.N α A = a } k as � . A G = a } k as � . a .B.k α � α. 2 , I ( S ) → A : {{ A } N α ab } k as � � α. 2 , I ( S ) → A : {{ A } N α a .B.X } k as � � α. 3 , I ( S ) → B : { A.B.k α B = ab } k bs � B G = � α. 3 , I ( S ) → B : { A.B.Y } k bs � ➪ � α. 1 , I ( A ) → S : { A.B.N α S = a } k as � . S G = � α. 1 , I ( A ) → S : { A.B.Z } k as � . a .B.k α � α. 2 , S → I ( A ) : {{ A } Z .B.k α � α. 2 , S → I ( A ) : {{ A } N α ab } k as � . ab } k as � . � α. 3 , S → I ( B ) : { A.B.k α � α. 3 , S → I ( B ) : { A.B.k α ab } k bs � ab } k bs � D ( p ) the set of all messages sent by the honest agents in all generalized roles of p and the initial knowledge of the intruder D ( p ) = K I ∪ {{ A.B.N α a } k as , {{ A } Z .B.k α ab } k as , { A.B.k α ab } k bs } � Houmani, 2003 – p. 11/25 c

  14. Outline Motivations Overview Protocol Modelling Secrecy property Trace Def/ Use Secrecy property Relationship between valid trace and generalized roles Correctness conditions Correctness theorem Example Conclusion and future works � Houmani, 2003 – p. 12/25 c

  15. Secrecy property Valid trace : Intuitively, a trace is an interleaving of many runs of the protocol in the presence of an active intruder. A trace is considered as valid when all the honest principals act according to the protocol specification and all the messages sent by the intruder are previously known by him � Houmani, 2003 – p. 13/25 c

  16. Secrecy property Valid trace : Intuitively, a trace is an interleaving of many runs of the protocol in the presence of an active intruder. A trace is considered as valid when all the honest principals act according to the protocol specification and all the messages sent by the intruder are previously known by him Def / Use : Def ( τ ) : The set of messages sent by the honest agent in τ Use ( τ ) : The set of messages received by the honest agent in τ � Houmani, 2003 – p. 13/25 c

  17. Secrecy property Valid trace : Intuitively, a trace is an interleaving of many runs of the protocol in the presence of an active intruder. A trace is considered as valid when all the honest principals act according to the protocol specification and all the messages sent by the intruder are previously known by him Def / Use : Def ( τ ) : The set of messages sent by the honest agent in τ Use ( τ ) : The set of messages received by the honest agent in τ Secret property: a protocol keeps a message m secret, if there is no valid trace that leaks this message to an intruder. Formally: ∀ τ, S ∩ Def ( τ ) ↓ = ∅ � Houmani, 2003 – p. 13/25 c

  18. Relationship between valid traces and generalized roles Valid trace : Intuitively, a trace is an interleaving of many runs of the protocol in the presence of an active intruder. A trace is considered as valid when all the honest principals act according to the protocol specification and all the messages sent by the intruder are previously known by him Honest agent acts according to the protocol specification if any given run in which he participates is an instance (variables are replaced by constant messages) of a prefix of his generalized role ➻ Let p be a protocol and τ a p -valid trace. There exist n communication steps, { e 1 , . . . , e n } ⊆ η R G ( p ) and a substitution σ such that: = { e 1 , . . . , e n } σ τ � Houmani, 2003 – p. 14/25 c

  19. Outline Motivations Overview Protocol Modelling Secrecy property Correctness conditions Correctness theorem Example Conclusion and future works � Houmani, 2003 – p. 15/25 c

Recommend


More recommend