Towards a Logic for Verification of Security Protocols

  1. Towards a Logic for Verification of Security Protocols. Work in progress, comments welcome. Vincent Bernat, Laboratoire Spécification et Vérification, CNRS & ENS Cachan. SPV’03 - Marseille – p.1/17

  2. Plan
     1. Intro: existing models, caveats, reactive systems, properties
     2. Transition system: states, constraints, inference rules
     3. Logics: temporal logics, expressiveness, decidability
     4. Applications

  11. Existing models
      Verification of cryptographic protocols is a model checking problem: does a protocol P satisfy a property φ?
      To prove protocols, you may use:
      - Process algebra: CSP [Schneider 96], Spi-calculus [Abadi Gordon 97]
      - Trace models: [Paulson 98], [Millen Rueß 2000]
      - Rewriting rules: [Rusinowitch Turuani 2001]
      - Horn clauses: [Comon-Lundh Cortier 2003], [Blanchet 2002]
      - Others...

  17. Caveats of spi-calculus
      Introduced in [Abadi Gordon 97]. Properties are based on observational equivalence.
      - Secrecy: Inst(M) ≃ Inst(M′) if M ≃ M′, for all M, M′.
      - Authentication: Inst(M) ≃ Inst_spec(M) for all M.

      Many problems:
      - Secrecy is tightly linked to observational equivalence: how can another kind of secrecy property be expressed?
      - To express an authentication property, one has to build an ad hoc process, which makes it difficult to compare authentication properties between two different protocols.

  22. Caveats for other models
      Most of these models are primarily targeted at expressing protocols. Questions you may ask:
      - Given two properties, one expressed with [Comon-Lundh Cortier 2003] and one with [Paulson 98], how could you compare them, since they do not work on the same abstraction?
      - Given one protocol P in [Schneider 96] and one property φ expressed with [Comon-Lundh Cortier 2003], how can you check whether P satisfies φ?
      - Given a set of properties and a protocol P expressed with [Blanchet 2002], how could you check them without altering P?

  26. Reactive systems
      - Abstraction: Petri nets, automata networks, process algebra, ...
      - Transition system
      - Temporal logic: LTL, CTL, PLTL, ...

      The transition system is the semantic glue between the abstraction and the temporal logic.

  31. Reactive systems (2)
      Transposing the approach of reactive systems to cryptographic protocols has the following advantages:
      - Changing the abstraction layer while keeping the logic is allowed, and vice versa;
      - Easy comparison of different protocols for a given property;
      - Easy comparison of different properties for a given protocol;
      - No new model needed, current models are fine if the transition system is general enough.

  32. Goals
      Design of a logic for security properties covering at least:
      - secrecy
        - from the intruder point of view
        - temporary secrecy
        - partial secrecy

  33. Goals
      Design of a logic for security properties covering at least:
      - secrecy
      - authentication
        - vivacity
        - weak agreement
        - non-injective agreement
        - agreement
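
The approach on the Reactive systems slides, applied to two of the secrecy goals from the Goals slide, as an added example that is not taken from the presentation: protocols are compiled to one transition system, and properties are state predicates checked over it. The message encoding, the passive (eavesdropping-only) intruder, the role scripts and the names `GOOD` and `LEAKY` are assumptions constructed for illustration.

```python
from collections import deque

def analyze(known):
    """Intruder analysis closure: split pairs, decrypt with known keys."""
    known, changed = set(known), True
    while changed:
        changed = False
        for m in list(known):
            parts = set()
            if isinstance(m, tuple) and m[0] == "pair":
                parts = {m[1], m[2]}
            elif isinstance(m, tuple) and m[0] == "enc" and m[2] in known:
                parts = {m[1]}  # ("enc", plaintext, key) opens once the key is known
            if not parts <= known:
                known |= parts
                changed = True
    return frozenset(known)

def transition_system(roles):
    """Abstraction -> transition system: interleave role steps, intruder sees every message."""
    init = ((0,) * len(roles), frozenset(), frozenset())
    def step(state):
        pcs, known, events = state
        for i, role in enumerate(roles):
            if pcs[i] < len(role):
                label, msg = role[pcs[i]]
                pcs2 = pcs[:i] + (pcs[i] + 1,) + pcs[i + 1:]
                yield label, (pcs2, analyze(known | {msg}), events | {label})
    return init, step

def always(ts, pred):
    """Check that pred holds in every reachable state; return None or a counterexample trace."""
    init, step = ts
    seen, queue = {init}, deque([(init, [])])
    while queue:
        state, trace = queue.popleft()
        if not pred(state):
            return trace
        for label, nxt in step(state):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
    return None

# Properties read only the state, not the way the protocol was written down.
def secrecy(s): return "secret" not in s[1]
def temporary_secrecy(s): return "release" in s[2] or "secret" not in s[1]
# Constructed toy protocols: A commits to a secret and later releases the key; B only acks.
CT = ("enc", "secret", "k")
GOOD = [[("commit", CT), ("release", "k")], [("ack", "ok")]]
LEAKY = [[("commit", CT), ("hello", ("pair", "n", "k")), ("release", "k")], [("ack", "ok")]]
```

On `GOOD`, plain `secrecy` fails with the trace `['commit', 'release']` while `temporary_secrecy` holds; on `LEAKY`, `temporary_secrecy` fails as soon as the key leaks inside the `hello` pair.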
