
Verification of security protocols: from confidentiality to privacy
Stéphanie Delaune, LSV, CNRS & ENS Cachan, Université Paris-Saclay, France
Monday, June 27th, 2016
S. Delaune (LSV) Verification of security protocols 27th June 2016 1


  3. BAC protocol
Passport holds (K_E, K_M)                                Reader holds (K_E, K_M)
  Reader   → Passport : get_challenge
  Passport : fresh N_P, K_P
  Passport → Reader   : N_P
  Reader   : fresh N_R, K_R
  Reader   → Passport : {N_R, N_P, K_R}_KE, MAC_KM({N_R, N_P, K_R}_KE)
  Passport → Reader   : {N_P, N_R, K_P}_KE, MAC_KM({N_P, N_R, K_P}_KE)
  Both sides compute K_seed = f(K_P, K_R)

  6. This talk: formal methods for protocol verification
Does the protocol satisfy a security property?   Modelling: protocol ⊨ ϕ ?
E-passport application: what about unlinkability of the ePassport holders?
Outline of this talk
  1. Modelling cryptographic protocols and their security properties
  2. Designing verification algorithms

  7. Part I: Modelling cryptographic protocols and their security properties

  9. Two major families of models ... with some advantages and some drawbacks.
Computational model
  + messages are bitstrings, a general and powerful adversary
  – manual proofs, tedious and error-prone
Symbolic model
  – abstract model, e.g. messages are terms
  + automatic proofs
Some results link these two very different models.
  → Abadi & Rogaway 2000

  11. Protocols as processes
Applied pi calculus [Abadi & Fournet, 01]: a basic programming language with constructs for concurrency and communication
  → based on the π-calculus [Milner et al., 92]
  P, Q ::= 0                         null process
         | in(c, x).P                input
         | out(c, u).P               output
         | if u = v then P else Q    conditional
         | P | Q                     parallel composition
         | !P                        replication
         | new n.P                   fresh name generation
... but the messages that are exchanged are not necessarily atomic!

  14. Messages as terms
Terms are built over a set of names N and a signature F:
  t ::= n                   name n ∈ N
      | f(t1, ..., tk)      application of symbol f ∈ F
Example: representation of {a, n}_k, i.e. the tree senc(pair(a, n), k)
  Names: n, k, a
  Constructors: senc, pair
  Destructors: sdec, proj1, proj2
The term algebra is equipped with an equational theory E:
  sdec(senc(x, y), y) = x
  proj1(pair(x, y)) = x
  proj2(pair(x, y)) = y
Example: sdec(senc(s, k), k) =E s.

  16. Semantics
Reduction relation →:
  Comm   out(c, u).P | in(c, x).Q  →  P | Q{u/x}
  Then   if u = v then P else Q    →  P    when u =E v
  Else   if u = v then P else Q    →  Q    when u ≠E v
closed by structural equivalence (≡): P | Q ≡ Q | P,  P | 0 ≡ P,  ...
and by application of evaluation contexts:
  if P → P' then P | Q → P' | Q,  and  if P → P' then new n.P → new n.P'

  21. Going back to the Denning Sacco protocol (1/2)
  A → B : aenc(sign(k, priv(A)), pub(B))
  B → A : senc(s, k)
What function symbols and equations do we need to model this protocol?
  1. symmetric encryption: senc(·, ·), sdec(·, ·)
     → sdec(senc(x, y), y) = x
  2. asymmetric encryption: aenc(·, ·), adec(·, ·), pk(·)
     → adec(aenc(x, pk(y)), y) = x
  3. signature: ok, sign(·, ·), check(·, ·), getmsg(·)
     → check(sign(x, y), pk(y)) = ok
     → getmsg(sign(x, y)) = x
The two terms involved in a normal execution are aenc(sign(k, ska), pk(skb)) and senc(s, k).
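The function symbols and equations just listed can be turned into a small executable model, which makes the equational reasoning of the following slides concrete. The Python below is an added example, not code from the talk: it orients each equation left-to-right into a rewrite rule, normalizes terms by innermost rewriting, and decides u =E v by comparing normal forms; on top of that it runs Bob's acceptance test check(adec(xb, skb), pka) = ok from the process P_B shown later in the deck. The tuple encoding of terms, the function names, and the sample messages (a message signed under a third key skc, and C's re-encryption of A's signed key under pk(skb) as in the attack recalled later in the talk) are this example's own choices.

```python
# Added example (not from the talk): the Denning-Sacco equational theory as a
# convergent rewrite system.  Each equation is oriented left-to-right, terms are
# nested tuples (symbol, arg1, ..., argn), names and constants are plain strings,
# and rule variables start with '?'.  u =E v holds iff the normal forms coincide.
RULES = [
    (('sdec', ('senc', '?x', '?y'), '?y'), '?x'),            # sdec(senc(x, y), y) = x
    (('adec', ('aenc', '?x', ('pk', '?y')), '?y'), '?x'),    # adec(aenc(x, pk(y)), y) = x
    (('check', ('sign', '?x', '?y'), ('pk', '?y')), 'ok'),   # check(sign(x, y), pk(y)) = ok
    (('getmsg', ('sign', '?x', '?y')), '?x'),                # getmsg(sign(x, y)) = x
    (('proj1', ('pair', '?x', '?y')), '?x'),                 # proj1(pair(x, y)) = x
    (('proj2', ('pair', '?x', '?y')), '?y'),                 # proj2(pair(x, y)) = y
]

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def match_pattern(pat, term, env):
    """One-way matching: extend env so that pat[env] == term, or return None."""
    if is_var(pat):
        if pat in env:
            return env if env[pat] == term else None
        return {**env, pat: term}
    if isinstance(pat, tuple):
        if not (isinstance(term, tuple) and term[0] == pat[0] and len(term) == len(pat)):
            return None
        for p, t in zip(pat[1:], term[1:]):
            env = match_pattern(p, t, env)
            if env is None:
                return None
        return env
    return env if pat == term else None

def subst(env, t):
    if is_var(t):
        return env.get(t, t)
    return (t[0], *(subst(env, a) for a in t[1:])) if isinstance(t, tuple) else t

def normalize(t):
    """Innermost rewriting: normalize the arguments first, then rewrite at the root."""
    if not isinstance(t, tuple):
        return t
    t = (t[0], *(normalize(a) for a in t[1:]))
    for lhs, rhs in RULES:
        env = match_pattern(lhs, t, {})
        if env is not None:
            return normalize(subst(env, rhs))
    return t

def equal_E(u, v):
    """Equality modulo E, decided syntactically on normal forms."""
    return normalize(u) == normalize(v)

def bob_accepts(xb, skb, pka):
    """Bob's process P_B as a function: the key he derives from the received message
    xb if check(adec(xb, skb), pka) =E ok, otherwise None."""
    inner = ('adec', xb, skb)
    if not equal_E(('check', inner, pka), 'ok'):
        return None
    return normalize(('getmsg', inner))

# Constructed sample messages (all names symbolic): A's honest message to B, a message
# signed under a third key skc, and the re-encryption C performs in the attack recalled
# later in the talk (A sends to C, C forwards A's signed key to B under pk(skb)).
HONEST = ('aenc', ('sign', 'k', 'ska'), ('pk', 'skb'))
WRONG_SIGNER = ('aenc', ('sign', 'k', 'skc'), ('pk', 'skb'))
TO_C = ('aenc', ('sign', 'k', 'ska'), ('pk', 'skc'))
REPLAYED = ('aenc', normalize(('adec', TO_C, 'skc')), ('pk', 'skb'))

if __name__ == '__main__':
    print(normalize(('sdec', ('senc', 's', 'k'), 'k')))     # s
    print(bob_accepts(HONEST, 'skb', ('pk', 'ska')))         # k
    print(bob_accepts(WRONG_SIGNER, 'skb', ('pk', 'ska')))   # None
    print(bob_accepts(REPLAYED, 'skb', ('pk', 'ska')))       # k
```

Running the block prints s, k, None and k. The last line is the symbolic reason the attack works: nothing inside sign(k, ska) names the intended recipient, so Bob's check accepts A's signature whichever public key C re-encrypts it under, and REPLAYED is syntactically the same term as HONEST.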

  28. Going back to the Denning Sacco protocol (2/2)
  A → B : aenc(sign(k, priv(A)), pub(B))
  B → A : senc(s, k)
Alice and Bob as processes:
  P_A(ska, pkb) = new k. out(c, aenc(sign(k, ska), pkb)). in(c, xa). ...
  P_B(skb, pka) = in(c, xb). if check(adec(xb, skb), pka) = ok then new s. out(c, senc(s, getmsg(adec(xb, skb))))
One possible scenario:
  P_DS = new ska, skb. ( P_A(ska, pk(skb)) | P_B(skb, pk(ska)) )
  → new ska, skb, k. ( in(c, xa). ... | if check(adec(aenc(sign(k, ska), pkb), skb), pka) = ok then new s. out(c, senc(s, getmsg(adec(aenc(sign(k, ska), pkb), skb)))) )
  → new ska, skb, k. ( in(c, xa). ... | new s. out(c, senc(s, getmsg(adec(aenc(sign(k, ska), pkb), skb)))) )
  → this simply models a normal execution between two honest participants

  30. Security properties - confidentiality
Confidentiality for process P w.r.t. secret s:
  for all processes A such that A | P →* Q, we have that Q is not of the form C[out(c, s).Q'] with c public.
Some difficulties:
  we have to consider all the possible executions in presence of an arbitrary adversary (modelled as a process)
  we have to consider realistic initial configurations
    → an unbounded number of agents,
    → replications to model an unbounded number of sessions,
    → reveal public keys and private keys to model dishonest agents,
    → honest agents may initiate a session with a dishonest agent, ...

  32. Going back to the Denning Sacco protocol
  A → B : aenc(sign(k, priv(A)), pub(B))
  B → A : senc(s, k)
The aforementioned attack:
  1. A    → C : aenc(sign(k, priv(A)), pub(C))
  2. C(A) → B : aenc(sign(k, priv(A)), pub(B))
  3. B    → A : senc(s, k)
The "minimal" initial configuration to retrieve the attack is:
  P_DS = new ska, skb. ( P_A(ska, pk(skc)) | P_B(skb, pk(ska)) | out(c, pk(skb)) )
Exercise: exhibit the process A (the behaviour of the attacker) that witnesses the aforementioned attack, i.e. such that A | P_DS →* C[out(c, s).Q'].

  38. Security properties - privacy
Privacy-type properties are modelled as equivalence-based properties.
Testing equivalence between P and Q, denoted P ≈ Q:
  for all processes A, we have that (A | P) ⇓ c if, and only if, (A | Q) ⇓ c
  where R ⇓ c means that R can evolve and emit on public channel c.
Exercise 1: out(a, yes) ≈ out(a, no) ?
  No: out(a, yes) ≉ out(a, no)
  → A = in(a, x). if x = yes then out(c, ok)
Exercise 2: k and k' are known to the attacker.
  new s. out(a, senc(s, k)). out(a, senc(s, k'))  ≈  new s, s'. out(a, senc(s, k)). out(a, senc(s', k')) ?
  No, the two processes are not in testing equivalence.
  → A = in(a, x). in(a, y). if sdec(x, k) = sdec(y, k') then out(c, ok)
Exercise 3: are the two following processes in testing equivalence?
  new s. out(a, s)  ≈  new s. new k. out(a, senc(s, k)) ?

  40. Some privacy-type properties
Unlinkability [Arapinis et al, 2010]
  ! new ke. new km. (! P_BAC | ! R_BAC)  ≈  ! new ke. new km. (P_BAC | ! R_BAC)
  (left: many sessions for each passport; right: only one session for each passport)
Vote privacy [Kremer and Ryan, 2005]
  S[V_A(yes) | V_B(no)]  ≈  S[V_A(no) | V_B(yes)]
  (left: A votes yes, B votes no; right: A votes no, B votes yes)

  41. Part II: Designing verification algorithms (from confidentiality to privacy)

  43. State of the art in a nutshell for analysing confidentiality properties
Unbounded number of sessions
  undecidable in general [Even & Goldreich, 83; Durgin et al., 99]
  decidable for restricted classes [Lowe, 99; Ramanujam & Suresh, 03]
  → ProVerif: a tool that does not correspond to any decidability result but works well in practice. [Blanchet, 01]
Bounded number of sessions
  a decidability result (NP-complete) [Rusinowitch & Turuani, 01; Millen & Shmatikov, 01]
  result extended to deal with various cryptographic primitives.
  → various automatic tools, e.g. the AVISPA platform [Armando et al., 05]

  47. The deduction problem: is u deducible from T?
We consider a signature F and an equational theory E.
The deduction problem
  input: a sequence φ of ground terms (i.e. messages) and a term s (the secret)
    φ = { w1 ⊲ v1, ..., wn ⊲ vn }
  output: can the attacker learn s from φ, i.e. does there exist a term R (called a recipe) built using public symbols and w1, ..., wn such that Rφ =E s?
Exercise: let φ = { w1 ⊲ pk(ska); w2 ⊲ pk(skb); w3 ⊲ skc; w4 ⊲ aenc(sign(k, ska), pk(skc)); w5 ⊲ senc(s, k) }.
  1. Is k deducible from φ? Yes, using R1 = getmsg(adec(w4, w3)).
  2. What about s? Yes, using R2 = sdec(w5, R1).

  49. The deduction problem
Proposition: the deduction problem is decidable in PTIME for the equational theory modelling the DS protocol (and for many others).
Algorithm
  1. saturation of φ with its subterms deducible in one step: φ+
  2. does there exist R such that Rφ+ = s (syntactic equality)?
Going back to the previous example:
  φ = { w1 ⊲ pk(ska); w2 ⊲ pk(skb); w3 ⊲ skc; w4 ⊲ aenc(sign(k, ska), pk(skc)); w5 ⊲ senc(s, k) }
  φ+ = φ ⊎ { w6 ⊲ sign(k, ska); w7 ⊲ k; w8 ⊲ s }

  53. Soundness, completeness, and termination
Soundness: if the algorithm returns Yes then u is indeed deducible from φ.
  → easy to prove
Termination: the set of subterms is finite and polynomial, and one-step deducibility can be checked in polynomial time.
  → easy to prove for the deduction rules under study
Completeness: if u is deducible from φ, then the algorithm returns Yes.
  → this relies on a locality property
Locality lemma: let φ be a frame and u be a deducible subterm of φ. There exists a recipe R witnessing this fact which satisfies the locality property: for any subterm R' of R, R'φ↓ is a subterm of φ.

  54. Caution! One should never underestimate the attacker!
The attacker can listen to the communication but also:
  intercept the messages that are sent by the participants,
  build new messages according to his deduction capabilities, and
  send messages on the communication network.
  → this is the so-called active attacker

  56. Confidentiality using the constraint solving approach
  → active attacker, only for a bounded number of sessions
Two main steps:
  1. A symbolic exploration of all the possible traces: the infinite number of possible traces (i.e. experiments) is represented by a finite set of constraint systems
     → this set can be huge (exponential in the number of sessions) ... but some optimizations are used to reduce this number
  2. A decision procedure for deciding whether a constraint system has a solution or not.
     → this algorithm works quite well

  58. Step 1: confidentiality via constraint solving
We consider a finite sequence of actions: in(u1); out(v1); in(u2); ... out(vn)
  → the ui and vi may contain variables
We build the following constraint system:
  C = {  T0 ⊢? u1
         T0, v1 ⊢? u2
         ...
         T0, v1, .., vn ⊢? s  }
Solution of a constraint system C? A substitution σ such that for every T ⊢? u ∈ C, uσ is deducible from Tσ.

  62. Going back to the Denning Sacco protocol
  A → B : aenc(sign(k, priv(A)), pub(B))
  B → A : senc(s, k)
One possible interleaving:
  out(aenc(sign(k, ska), pk(skc))); in(aenc(sign(x, ska), pk(skb))); out(senc(s, x))
The associated constraint system is:
  T0; aenc(sign(k, ska), pk(skc)) ⊢? aenc(sign(x, ska), pk(skb))
  T0; aenc(sign(k, ska), pk(skc)); senc(s, x) ⊢? s
with T0 = { pk(ska), pk(skb); skc }.
Question: does C admit a solution? Yes: x ↦ k.

  64. The general case: is the constraint system C satisfiable?
Main idea: simplify them until reaching ⊥ or solved forms.
Constraint system in solved form:
  C = {  T0 ⊢? x0
         T0 ∪ T1 ⊢? x1
         ...
         T0 ∪ T1 ... ∪ Tn ⊢? xn  }
Question: is there a solution to such a system? Of course, yes! Choose u0 ∈ T0, and consider the substitution σ = { x0 ↦ u0, ..., xn ↦ u0 }.

  65. Step 2: simplification rules
  → these rules deal with pairs and symmetric encryption only
  R_ax :    C ∧ T ⊢? u   ⇝    C                   if u is deducible from T ∪ { x | T' ⊢? x ∈ C, T' ⊊ T }
  R_unif :  C ∧ T ⊢? u   ⇝σ   Cσ ∧ Tσ ⊢? uσ       if σ = mgu(t1, t2) where t1, t2 ∈ st(T) ∪ {u}
  R_fail :  C ∧ T ⊢? u   ⇝    ⊥                   if vars(T ∪ {u}) = ∅ and T ⊬ u
  R_f :     C ∧ T ⊢? f(u1, u2)   ⇝   C ∧ T ⊢? u1 ∧ T ⊢? u2      for f ∈ {⟨·, ·⟩, senc}

  67. Applying rule R_f
  R_f :  C ∧ T ⊢? f(u1, u2)  ⇝  C ∧ T ⊢? u1 ∧ T ⊢? u2
Example:
  T0; aenc(sign(k, ska), pk(skc)) ⊢? aenc(sign(x, ska), pk(skb))
  ⇝  T0; aenc(sign(k, ska), pk(skc)) ⊢? sign(x, ska)
      T0; aenc(sign(k, ska), pk(skc)) ⊢? pk(skb)

  69. Applying rule R_unif
  R_unif :  C ∧ T ⊢? u  ⇝σ  Cσ ∧ Tσ ⊢? uσ    if σ = mgu(t1, t2) where t1, t2 ∈ st(T) ∪ {u}
Example:
  T0; aenc(sign(k, ska), pk(skc)) ⊢? sign(x, ska)
  T0; aenc(sign(k, ska), pk(skc)) ⊢? pk(skb)
  ⇝σ  with σ = { x ↦ k }
  T0; aenc(sign(k, ska), pk(skc)) ⊢? sign(k, ska)
  T0; aenc(sign(k, ska), pk(skc)) ⊢? pk(skb)
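The saturation algorithm for the deduction problem and the simplification rules R_ax, R_f, R_unif and R_fail can both be exercised on the Denning Sacco terms of these slides. The Python below is an added example, not code from the talk or from any verification tool: saturate computes φ+ together with a recipe for every deduced term, deduce performs the second step of the algorithm (composition with public symbols on top of φ+), and solve applies the rules by depth-first search, with R_unif simplified to unifying the right-hand side u with the subterms of T. FRAME is the exercise frame φ with handles w1 to w5, and DS_SYSTEM is the constraint system of the interleaving above with x as Bob's input variable; the tuple encoding of terms and the function names are this example's own choices.

```python
# Added example (not from the talk): the subterm-saturation deduction procedure
# and the constraint simplification rules R_ax, R_f, R_unif, R_fail, run on the
# Denning-Sacco terms.  Names are strings, variables start with '?', and an
# application is a tuple (symbol, arg1, ..., argn).
PUBLIC = {'senc', 'aenc', 'sign', 'pk'}   # symbols the attacker may apply himself

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def subterms(t):
    yield t
    for a in (t[1:] if isinstance(t, tuple) else ()):
        yield from subterms(a)

def decompose(t, known):
    """One-step destructor applications on a known term t, with their recipes."""
    if not isinstance(t, tuple):
        return []
    f, a, r = t[0], t[1:], known[t]
    if f == 'sign':                                      # getmsg needs no key
        return [(a[0], ('getmsg', r))]
    if f == 'senc' and a[1] in known:
        return [(a[0], ('sdec', r, known[a[1]]))]
    if f == 'aenc' and isinstance(a[1], tuple) and a[1][0] == 'pk' and a[1][1] in known:
        return [(a[0], ('adec', r, known[a[1][1]]))]
    return []

def saturate(frame):
    """phi^+ as a dict term -> recipe; handles are w1, w2, ... in frame order."""
    known = {}
    for i, t in enumerate(frame):
        known.setdefault(t, f'w{i + 1}')
    changed = True
    while changed:
        changed = False
        for t in list(known):
            for u, ru in decompose(t, known):
                if u not in known:
                    known[u], changed = ru, True
    return known

def deduce(frame, u, free=frozenset()):
    """Step 2 of the algorithm: a recipe building u over phi^+ with public symbols,
    or None.  Variables in `free` (solved by an earlier constraint) count as known."""
    known = saturate(frame)
    def build(t):
        if t in known or t in free or t == 'ok':         # ok is a public constant
            return known.get(t, t)
        if isinstance(t, tuple) and t[0] in PUBLIC:
            args = [build(a) for a in t[1:]]
            return None if None in args else (t[0], *args)
        return None
    return build(u)

def apply(sigma, t):
    if is_var(t):
        return apply(sigma, sigma[t]) if t in sigma else t
    return (t[0], *(apply(sigma, a) for a in t[1:])) if isinstance(t, tuple) else t

def unify(s, t, sigma):
    """Syntactic unification with occurs check: the extended mgu, or None."""
    s, t = apply(sigma, s), apply(sigma, t)
    if s == t:
        return sigma
    if is_var(t):
        s, t = t, s
    if is_var(s):
        return None if s in subterms(t) else {**sigma, s: t}
    if not (isinstance(s, tuple) and isinstance(t, tuple) and s[0] == t[0] and len(s) == len(t)):
        return None
    for a, b in zip(s[1:], t[1:]):
        sigma = unify(a, b, sigma)
        if sigma is None:
            return None
    return sigma

def solve(system, sigma=None):
    """Depth-first search over R_ax, R_f, R_unif and R_fail; a constraint is a pair
    (T, u) read as T |-? u.  R_unif is simplified to unifying u with st(T)."""
    sigma = sigma or {}
    system = [(tuple(apply(sigma, t) for t in T), apply(sigma, u)) for T, u in system]
    for i, (T, u) in enumerate(system):
        if is_var(u):
            continue                                     # already in solved form
        rest = system[:i] + system[i + 1:]
        free = {v for T2, v in system if is_var(v) and set(T2) <= set(T)}
        if deduce(T, u, free) is not None:               # R_ax
            return solve(rest, sigma)
        if isinstance(u, tuple) and u[0] in PUBLIC:      # R_f
            sol = solve([(T, a) for a in u[1:]] + rest, sigma)
            if sol is not None:
                return sol
        for t in {st for x in T for st in subterms(x)}:  # R_unif
            sigma2 = unify(u, t, sigma)
            if sigma2 not in (None, sigma) and (sol := solve(system, sigma2)) is not None:
                return sol
        if not any(is_var(v) for x in (*T, u) for v in subterms(x)):
            return None                                  # R_fail: ground and stuck
    return sigma if all(is_var(u) for _, u in system) else None

# Constructed inputs: the exercise frame phi and the constraint system of the interleaving.
T0 = (('pk', 'ska'), ('pk', 'skb'), 'skc')
MSG_TO_C = ('aenc', ('sign', 'k', 'ska'), ('pk', 'skc'))
FRAME = T0 + (MSG_TO_C, ('senc', 's', 'k'))
DS_SYSTEM = [
    (T0 + (MSG_TO_C,), ('aenc', ('sign', '?x', 'ska'), ('pk', 'skb'))),   # Bob's input
    (T0 + (MSG_TO_C, ('senc', 's', '?x')), 's'),                           # then the secret
]
```

deduce(FRAME, 'k') returns getmsg(adec(w4, w3)) and deduce(FRAME, 's') returns sdec(w5, getmsg(adec(w4, w3))), the recipes R1 and R2 of the exercise, and solve(DS_SYSTEM) returns the substitution x ↦ k. Removing skc from T0, so that the attacker no longer owns a key pair A is willing to talk to, makes the same system unsatisfiable, which is exactly the per-interleaving check a bounded-session tool performs.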
