The Journey towards a Reference Implementation of IPSec: Automatic Security Analysis with Tamarin-Prover

Eike Stadtländer, July 12, 2018

Slide 2/25: Outline

• Motivation
• Tamarin-Prover Overview
• Multiset Rewriting
• Tamarin-Prover in Practice


Slide 7/25: Term Algebras and Cryptographic Messages I

Definition. An order-sorted signature is a triple $(S, \le, \Sigma)$ where $(S, \le)$ is a partially ordered set of sorts and $\Sigma$ is a set of function symbols associated with the sorts such that
1. For every $s \in S$ the connected component $C$ of $s$ contains a top sort $\mathrm{top}(s)$ satisfying $\forall c \in C : c \le \mathrm{top}(s)$.
2. For every $k$-ary function symbol $f : s_1 \times \cdots \times s_k \to s \in \Sigma$, we also have $f : \mathrm{top}(s_1) \times \cdots \times \mathrm{top}(s_k) \to \mathrm{top}(s) \in \Sigma$.

Example (Cryptographic messages). $S = \{\mathit{msg}, \mathit{fresh}, \mathit{pub}\}$, $\mathit{fresh} \le \mathit{msg}$, $\mathit{pub} \le \mathit{msg}$,
$\Sigma_{PHS} = \{\langle \cdot, \cdot \rangle,\ \mathit{fst}(\cdot),\ \mathit{snd}(\cdot),\ h(\cdot),\ \mathit{senc}(\cdot, \cdot),\ \mathit{sdec}(\cdot, \cdot)\}$

Slide 8/25: Term Algebras and Cryptographic Messages II

Definition. Given an order-sorted signature $\Sigma = (S, \le, \Sigma)$. For every sort $s \in S$ we assume there are countably infinite sets of variables $V_s$ and constants $C_s$ where $C_s \cap V_s = \emptyset$ and $V_s \cap V_t = \emptyset = C_s \cap C_t$ if $s, t \in S$, $s \neq t$. Then given $A \subseteq \bigcup_{s \in S} C_s \cup \bigcup_{s \in S} V_s$, $T_\Sigma(A)$ denotes the set of all well-sorted terms constructed over $\Sigma \cup A$.

Example (Cryptographic messages). Given $\Sigma_{PHS} = (\{\mathit{msg}, \mathit{fresh}, \mathit{pub}\}, \le, \Sigma_{PHS})$ we have, for instance, the following well-sorted terms:
$m \in V_{\mathit{msg}}$, $\mathit{fst}(\langle m, n \rangle)$, $\mathit{senc}(m, k)$, $\mathit{sdec}(k_2, \mathit{senc}(k_1, m))$

Slide 9/25: Equational Theories and Cryptographic Primitives

Definition. Let $\Sigma$ be an order-sorted signature. A pair $\{s, t\}$ of terms $s, t \in T_\Sigma(V)$ is called an equation; we write $s = t$. The equational theory defined by $E$ is the smallest congruence relation $=_E$ containing all instances of equations in $E$.

Example (Cryptographic primitives). Given $\Sigma_{PHS}$ as before, we define
$E_{PHS} = \{\mathit{fst}(\langle x, y \rangle) = x,\ \mathit{snd}(\langle x, y \rangle) = y,\ \mathit{sdec}(k, \mathit{senc}(k, m)) = m\}$

Slide 10/25: Labeled Multiset Rewriting and Protocol Specification I

Definition. Let $\Sigma_{Fact}$ be an unsorted signature partitioned into linear and persistent fact symbols. Furthermore, assume there is a designated fact symbol $\mathit{Fr} \in \Sigma_{Fact}$ modelling freshness. Given an order-sorted term algebra $T$, we define the set of all facts by
$\mathcal{F} = \{F(t_1, \ldots, t_k) \mid t_1, \ldots, t_k \in T,\ F \in \Sigma_{Fact},\ \mathrm{arity}(F) = k\}$
A (labeled) multiset rewriting rule is a triple $(p, a, c)$ of finite sequences $p, a, c \in \mathcal{F}^*$, written $p \xrightarrow{a} c$.

Example. In our example from before:
$[\mathit{Secret}(m, k)] \xrightarrow{\mathit{Encrypted}(m)} [\mathit{Out}(\mathit{senc}(k, m))]$

Slide 11/25: Labeled Multiset Rewriting and Protocol Specification II

Definition. Let $E$ define an equational theory $=_E$. Let $R$ be a finite set of multiset rewriting rules. Then we call $R$ a (labeled) multiset rewriting system if it satisfies the following properties:
1. No rule in $R$ contains a fresh name ($V_{\mathit{fresh}}$).
2. No conclusion of a rule in $R$ contains a $\mathit{Fr}$ fact.
3. No conclusion of a rule instance in $R$ contains a fresh name which does not occur in one of its premises (modulo $E$).

Example. Message deduction rules (means of the attacker):
$\mathit{MD}_\Sigma := \{\ \mathit{Out}(x) \to K(x),\ \ K(x) \xrightarrow{K(x)} \mathit{In}(x),\ \ \mathit{Fr}(x{:}\mathit{fresh}) \to K(x{:}\mathit{fresh}),\ \ [\,] \to K(x{:}\mathit{pub})\ \}$
$\qquad \cup\ \{\ K(x_1), \ldots, K(x_k) \to K(f(x_1, \ldots, x_k)) \mid f \in \Sigma,\ \mathrm{arity}(f) = k\ \}$

Slide 12/25: Traces and Security Properties

Given a multiset rewriting system $R$ and an equational theory defined by $E$, this yields a transition relation $\Rightarrow_{R,E}$ modelling the application of rewriting rules to multisets of facts:
$\mathit{traces}_E(R) = \{[A_1, A_2, \ldots, A_n] \mid \exists S_1, \ldots, S_n : \emptyset \xRightarrow[R,E]{A_1} S_1 \xRightarrow[R,E]{A_2} \cdots \xRightarrow[R,E]{A_n} S_n\ \wedge\ \text{uniqueness condition for freshness}\}$

Security properties can then be formulated as first-order formulas on traces, e.g. secrecy properties:
$\forall I, x : K(x) \wedge \mathit{Id}(I, x) \Rightarrow \mathit{Corrupt}(I, x)$

  46. • at a trivially unsolvable constraint and the claim is falsifjed or • at a constraint system for which a trivial solution can be easily found and the claim is verifjed. • Trace formulas • Every R E -validity claim can be converted into a R E -satisfjability claim. • Security protocol verifjcation boils down to searching R E -satisfying traces. • Constraint systems are used to incrementally construct a satisfying trace by • The constraint reduction rules are a heuristic giving rise to a verifjcation • The underlying satisfjability problem is undecidable, the solver does not always algorithm. When the algorithm terminates it arrived either 13/25 solving constraints. Theoretical Outlook is not R E -satisfjable. is R E -valid ifg. • can be R E -valid or R E -satisfjable (or neither). terminate. Let R be a multiset rewriting system (with conditions) and = E an equational theory.

  47. • at a trivially unsolvable constraint and the claim is falsifjed or • at a constraint system for which a trivial solution can be easily found and the claim is verifjed. • Every R E -validity claim can be converted into a R E -satisfjability claim. • Security protocol verifjcation boils down to searching R E -satisfying traces. • Constraint systems are used to incrementally construct a satisfying trace by • The constraint reduction rules are a heuristic giving rise to a verifjcation • The underlying satisfjability problem is undecidable, the solver does not always algorithm. When the algorithm terminates it arrived either 13/25 solving constraints. Theoretical Outlook is not R E -satisfjable. is R E -valid ifg. • terminate. Let R be a multiset rewriting system (with conditions) and = E an equational theory. • Trace formulas ϕ can be R , E -valid or R , E -satisfjable (or neither).

  48. • at a trivially unsolvable constraint and the claim is falsifjed or • at a constraint system for which a trivial solution can be easily found and the claim is verifjed. • Security protocol verifjcation boils down to searching R E -satisfying traces. • Constraint systems are used to incrementally construct a satisfying trace by • The constraint reduction rules are a heuristic giving rise to a verifjcation • The underlying satisfjability problem is undecidable, the solver does not always solving constraints. algorithm. When the algorithm terminates it arrived either 13/25 Theoretical Outlook is not R E -satisfjable. is R E -valid ifg. • terminate. Let R be a multiset rewriting system (with conditions) and = E an equational theory. • Trace formulas ϕ can be R , E -valid or R , E -satisfjable (or neither). • Every R , E -validity claim can be converted into a R , E -satisfjability claim.

  49. • at a trivially unsolvable constraint and the claim is falsifjed or • at a constraint system for which a trivial solution can be easily found and the claim is verifjed. • Security protocol verifjcation boils down to searching R E -satisfying traces. • Constraint systems are used to incrementally construct a satisfying trace by • The constraint reduction rules are a heuristic giving rise to a verifjcation • The underlying satisfjability problem is undecidable, the solver does not always 13/25 Theoretical Outlook solving constraints. algorithm. When the algorithm terminates it arrived either terminate. Let R be a multiset rewriting system (with conditions) and = E an equational theory. • Trace formulas ϕ can be R , E -valid or R , E -satisfjable (or neither). • Every R , E -validity claim can be converted into a R , E -satisfjability claim. • ϕ is R , E -valid ifg. ¬ ϕ is not R , E -satisfjable.

50. 13/25 Theoretical Outlook

Let R be a multiset rewriting system (with conditions) and =_E an equational theory.
• Trace formulas ϕ can be R,E-valid or R,E-satisfiable (or neither).
• Every R,E-validity claim can be converted into an R,E-satisfiability claim.
• ϕ is R,E-valid iff ¬ϕ is not R,E-satisfiable.
• Security protocol verification boils down to searching for R,E-satisfying traces.
• Constraint systems are used to incrementally construct a satisfying trace by solving constraints.
• The constraint reduction rules are a heuristic giving rise to a verification algorithm. When the algorithm terminates it has arrived either
  • at a trivially unsolvable constraint, and the claim is falsified, or
  • at a constraint system for which a trivial solution can be easily found, and the claim is verified.
• The underlying satisfiability problem is undecidable, so the solver does not always terminate.
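Worked illustration of the validity-to-satisfiability conversion on the slide, added here and not part of the talk: take a secrecy property for a value k that a protocol rule records with an (assumed) action fact Secret(k), and let K(k)@j denote that the adversary knows k at timepoint j.

```latex
\varphi \;=\; \forall k\,\#i.\; \mathrm{Secret}(k)@\#i \;\Rightarrow\; \neg\bigl(\exists \#j.\; K(k)@\#j\bigr)

\neg\varphi \;=\; \exists k\,\#i\,\#j.\; \mathrm{Secret}(k)@\#i \;\wedge\; K(k)@\#j

\varphi \text{ is } R,E\text{-valid}
\iff \forall\, tr \in \mathit{traces}(R).\; tr \models_E \varphi
\iff \neg\exists\, tr \in \mathit{traces}(R).\; tr \models_E \neg\varphi
\iff \neg\varphi \text{ is not } R,E\text{-satisfiable}
```

The solver therefore never searches for all traces of ϕ; it starts from the single constraint system {¬ϕ} and reduces it. A trace that solves it is a concrete counterexample (the attack Tamarin displays), while a contradiction in every branch of the reduction means no such trace exists and ϕ is valid.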

54. 14/25 Overview of the Theoretical Part

  Model                 Notion
  ------------------    ---------------------------------------------------------------
  Terms                 Cryptographic messages
  Equational Theories   Semantics of cryptographic primitives
  Rules                 State transitions of protocol instances, Oracles
  Rewriting Systems     Protocol Specification, Means of the Attacker
  Traces                Parallel executions of the protocol
  Action facts          Protocol transcript
  Trace Formulas        Security properties (e.g. executability, secrecy, authenticity)

  60. 15/25 Tamarin-Prover in Practice

  61. 16/25 (Short) Demo ⌣

  62. 17/25 Reference Implementation of IPSec

63. 18/25 Building Blocks for IPSec

• Random choices ✓

      // a fresh name ~n from the Fr fact models a uniformly random nonce
      rule gen_nonce:
        [ Fr(~n) ] --> [ State(~n) ]

• Cryptographic primitives (✓)
  • Diffie-Hellman exponentiation (built-in)

      // requires `builtins: diffie-hellman`; the rule only illustrates the
      // exponentiation (the peer's half ga is read from the network, $B is a public name)
      rule dh_calc:
        let gab = ga ^ ~b
        in
        [ Fr(~b), In(<A, ga>) ] --> [ Out(<$B, gab>) ]

  • Pseudo-random functions (function symbols, no collisions)

      // an uninterpreted function symbol: no equations, hence no collisions
      functions: prf/1

      rule use_prf:
        let SKEYSEED = prf(<Ni, Nr, DH>)
        in
        [ State(Ni, Nr, DH) ] --> [ State(Ni, Nr, DH, SKEYSEED) ]

  • Signature schemes (cf. demo)
  • Authenticated encryption schemes (use EtA, encrypt-then-authenticate, for now)

      // requires `builtins: symmetric-encryption` for senc/sdec and a declared
      // `functions: mac/2`; the remaining header fields are elided on the slide
      rule use_aeenc:
        let ct  = senc(~secret, key_e)
            tag = mac(ct, key_a)
            hdr = < '120', ... >
        in
        [ Fr(~secret), State(key_e, key_a) ] --> [ Out(<hdr, ct, tag>) ]

• Certificates (use identifier and signature(s) for now ✓)

78. 19/25 Finite State Machine, Init Phase

(State diagram; only the recoverable states and transitions are listed.)
  Initiator: ∅ --init_send--> I1, emitting m1 = ⟨Hdr, SAi1, KEi, Ni⟩
  Responder: ∅ --resp_accept--> R1 (on receiving m1) --resp_send--> R2
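Putting the building blocks of slide 18/25 together along the Init Phase state machine of slide 19/25, the following is a complete Tamarin theory of an IKE_SA_INIT-like exchange. It is an added example, not the talk's reference implementation: the payload constants 'hdr', 'SAi1' and 'SAr1', the state-fact names, the action facts InitDone/RespDone and the two lemmas are assumptions made for this example; the derivation SKEYSEED = prf(<Ni, Nr, DH>) follows the use_prf rule on the slide, and the file is assumed to be saved as ike_sa_init.spthy.

```tamarin
theory IKE_SA_INIT_sketch
begin

// DH exponentiation is built in; prf is an uninterpreted function symbol
// (no equations, hence no collisions), as on slide 18/25.
builtins: diffie-hellman
functions: prf/1

// ∅ --init_send--> I1: fresh exponent ~i and nonce ~Ni, emit m1.
// 'hdr' and 'SAi1' are assumed public constants standing in for Hdr / SAi1.
rule init_send:
  let KEi = 'g' ^ ~i
  in
  [ Fr(~i), Fr(~Ni) ]
  -->
  [ Out(<'hdr', 'SAi1', KEi, ~Ni>)
  , InitState_1(~i, ~Ni) ]

// ∅ --resp_accept--> R1: the responder accepts m1 from the network.
// Because the exchange is unauthenticated, KEi and Ni may come from anyone.
rule resp_accept:
  [ In(<'hdr', 'SAi1', KEi, Ni>) ]
  -->
  [ RespState_1(KEi, Ni) ]

// R1 --resp_send--> R2: fresh ~r and ~Nr, compute the shared DH value and
// SKEYSEED = prf(<Ni, Nr, DH>) exactly as in use_prf, then emit m2.
rule resp_send:
  let KEr      = 'g' ^ ~r
      DH       = KEi ^ ~r
      SKEYSEED = prf(<Ni, ~Nr, DH>)
  in
  [ RespState_1(KEi, Ni), Fr(~r), Fr(~Nr) ]
  --[ RespDone(Ni, ~Nr, SKEYSEED) ]->
  [ Out(<'hdr', 'SAr1', KEr, ~Nr>)
  , RespState_2(~r, Ni, ~Nr, SKEYSEED) ]

// I1 --init_accept--> I2 (assumed name): the initiator derives the same
// SKEYSEED from the responder's KEr and nonce.
rule init_accept:
  let DH       = KEr ^ ~i
      SKEYSEED = prf(<~Ni, Nr, DH>)
  in
  [ InitState_1(~i, ~Ni), In(<'hdr', 'SAr1', KEr, Nr>) ]
  --[ InitDone(~Ni, Nr, SKEYSEED) ]->
  [ InitState_2(~i, ~Ni, Nr, SKEYSEED) ]

// Satisfiability claim (exists-trace): both sides can complete the exchange
// and agree on SKEYSEED. Expected: verified via the honest run.
lemma executable:
  exists-trace
  " Ex Ni Nr k #i #j.
      InitDone(Ni, Nr, k) @ #i & RespDone(Ni, Nr, k) @ #j "

// Validity claim: SKEYSEED never becomes known to the adversary. Tamarin
// negates it and searches for a trace with InitDone(..., k) and K(k).
lemma skeyseed_secret:
  " All Ni Nr k #i.
      InitDone(Ni, Nr, k) @ #i ==> not (Ex #j. K(k) @ #j) "

end
```

Run it with `tamarin-prover --prove ike_sa_init.spthy`. The `executable` lemma is the satisfiability side of slide 13/25 and should be verified by the honest trace. `skeyseed_secret` is a validity claim; since IKE_SA_INIT authenticates neither KEi nor KEr, the expected outcome is a counterexample in which the adversary answers m1 with its own DH value and nonce, so the claim is falsified. That is the correct result for this phase: the derived keys are only bound to the peers' identities once IKE_AUTH signs the exchange, which is where the signature and certificate building blocks come in.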
