verification of security protocols from confidentiality
play

Verification of security protocols: from confidentiality to privacy - PowerPoint PPT Presentation

Feb 15, 2024 •103 likes •1.78k views

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, Universit Paris Saclay, France Monday, June 26th, 2017 Research at IRISA (Rennes) 800 members (among which about 400

  1. Messages as terms Terms are built over a set of names N , and a signature F . t ::= name n n | application of symbol f ∈ F f ( t 1 , . . . , t k ) Example: representation of { a , n } k senc ◮ Names: n , k , a ◮ constructors: senc, pair, pair k a n

  2. Messages as terms Terms are built over a set of names N , and a signature F . t ::= name n n | application of symbol f ∈ F f ( t 1 , . . . , t k ) Example: representation of { a , n } k senc ◮ Names: n , k , a ◮ constructors: senc, pair, pair k ◮ destructors: sdec, proj 1 , proj 2 . a n The term algebra is equipped with an equational theory E. sdec ( senc ( x , y ) , y ) = x proj 1 ( pair ( x , y )) = x proj 2 ( pair ( x , y )) = y Example: sdec ( senc ( s , k ) , k ) = E s .

  3. Semantics Semantics → : Comm out ( c , u ) . P | in ( c , x ) . Q → P | Q { u / x } Then if u = v then P else Q → P when u = E v Else if u = v then P else Q → Q when u � = E v

  4. Semantics Semantics → : Comm out ( c , u ) . P | in ( c , x ) . Q → P | Q { u / x } Then if u = v then P else Q → P when u = E v Else if u = v then P else Q → Q when u � = E v closed by ◮ structural equivalence ( ≡ ): P | Q ≡ Q | P , P | 0 ≡ P , . . . ◮ application of evaluation contexts: P → P ′ P → P ′ P | Q → P ′ | Q new n . P → new n . P ′

  5. Going back to the Denning Sacco protocol (1/3) A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) What symbols and equations do we need to model this protocol?

  6. Going back to the Denning Sacco protocol (1/3) A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) What symbols and equations do we need to model this protocol? 1. symmetric encryption: senc and sdec sdec ( senc ( x , y ) , y ) = x

  7. Going back to the Denning Sacco protocol (1/3) A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) What symbols and equations do we need to model this protocol? 1. symmetric encryption: senc and sdec sdec ( senc ( x , y ) , y ) = x 2. asymmetric encryption: aenc, adec, and pk adec ( aenc ( x , pk ( y )) , y ) = x

  8. Going back to the Denning Sacco protocol (1/3) A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) What symbols and equations do we need to model this protocol? 1. symmetric encryption: senc and sdec sdec ( senc ( x , y ) , y ) = x 2. asymmetric encryption: aenc, adec, and pk adec ( aenc ( x , pk ( y )) , y ) = x 3. signature: ok, sign, check, getmsg, and pk check ( sign ( x , y ) , pk ( y )) = ok and getmsg ( sign ( x , y )) = x

  9. Going back to the Denning Sacco protocol (1/3) A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) What symbols and equations do we need to model this protocol? 1. symmetric encryption: senc and sdec sdec ( senc ( x , y ) , y ) = x 2. asymmetric encryption: aenc, adec, and pk adec ( aenc ( x , pk ( y )) , y ) = x 3. signature: ok, sign, check, getmsg, and pk check ( sign ( x , y ) , pk ( y )) = ok and getmsg ( sign ( x , y )) = x The two terms involved in a normal execution are: aenc ( sign ( k , ska ) , pk ( skb )) , and senc ( s , k )

  10. Going back to the Denning Sacco protocol (2/3) A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k )

  11. Going back to the Denning Sacco protocol (2/3) A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) Alice and Bob as processes: P A ( sk a , pk b ) = new k . out ( c , aenc ( sign ( k , sk a ) , pk b )) . in ( c , x a ) . . . .

  12. Going back to the Denning Sacco protocol (2/3) A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) Alice and Bob as processes: P A ( sk a , pk b ) = new k . out ( c , aenc ( sign ( k , sk a ) , pk b )) . in ( c , x a ) . . . . P B ( sk b , pk a ) = in ( c , x b ) . if check ( adec ( x b , sk b ) , pk a ) = ok then new s . out ( c , senc ( s , getmsg ( adec ( x b , sk b ))))

  13. Going back to the Denning Sacco protocol (3/3) P A ( sk a , pk b ) = P B ( sk b , pk a ) = new k . in ( c , x b ) . out ( c , aenc ( sign ( k , sk a ) , pk b )) . if check ( adec ( x b , sk b ) , pk a ) = ok then in ( c , x a ) . . . . new s . out ( c , senc ( s , getmsg ( adec ( x b , sk b ))))

  14. Going back to the Denning Sacco protocol (3/3) P A ( sk a , pk b ) = P B ( sk b , pk a ) = new k . in ( c , x b ) . out ( c , aenc ( sign ( k , sk a ) , pk b )) . if check ( adec ( x b , sk b ) , pk a ) = ok then in ( c , x a ) . . . . new s . out ( c , senc ( s , getmsg ( adec ( x b , sk b )))) We consider the following scenario: � � P DS = new sk a , sk b . P A ( sk a , pk ( sk b )) | P B ( sk b , pk ( sk a ) � → new sk a , sk b , k . in ( c , x a ) . . . . | if check ( adec ( aenc ( sign ( k , sk a ) , pk b ) , sk b ) , pk a ) = ok then � new s . out ( c , senc ( s , getmsg ( adec ( aenc ( sign ( k , sk a ) , pk b ) , sk b ))))

  15. Going back to the Denning Sacco protocol (3/3) P A ( sk a , pk b ) = P B ( sk b , pk a ) = new k . in ( c , x b ) . out ( c , aenc ( sign ( k , sk a ) , pk b )) . if check ( adec ( x b , sk b ) , pk a ) = ok then in ( c , x a ) . . . . new s . out ( c , senc ( s , getmsg ( adec ( x b , sk b )))) We consider the following scenario: � � P DS = new sk a , sk b . P A ( sk a , pk ( sk b )) | P B ( sk b , pk ( sk a ) � → new sk a , sk b , k . in ( c , x a ) . . . . | if check ( adec ( aenc ( sign ( k , sk a ) , pk b ) , sk b ) , pk a ) = ok then � new s . out ( c , senc ( s , getmsg ( adec ( aenc ( sign ( k , sk a ) , pk b ) , sk b )))) → new sk a , sk b , k . � in ( c , x a ) . . . . � new s . out ( c , senc ( s , getmsg ( adec ( aenc ( sign ( k , sk a ) , pk b ) , sk b ))))

  16. Going back to the Denning Sacco protocol (3/3) P A ( sk a , pk b ) = P B ( sk b , pk a ) = new k . in ( c , x b ) . out ( c , aenc ( sign ( k , sk a ) , pk b )) . if check ( adec ( x b , sk b ) , pk a ) = ok then in ( c , x a ) . . . . new s . out ( c , senc ( s , getmsg ( adec ( x b , sk b )))) We consider the following scenario: � � P DS = new sk a , sk b . P A ( sk a , pk ( sk b )) | P B ( sk b , pk ( sk a ) � → new sk a , sk b , k . in ( c , x a ) . . . . | if check ( adec ( aenc ( sign ( k , sk a ) , pk b ) , sk b ) , pk a ) = ok then � new s . out ( c , senc ( s , getmsg ( adec ( aenc ( sign ( k , sk a ) , pk b ) , sk b )))) → new sk a , sk b , k . � in ( c , x a ) . . . . � new s . out ( c , senc ( s , getmsg ( adec ( aenc ( sign ( k , sk a ) , pk b ) , sk b )))) − → this derivation represents a normal execution between two honest participants

  17. Security properties - confidentiality Confidentiality for process P w.r.t. secret s For all processes A such that A | P → ∗ Q , we have that Q is not of the form C [ out ( c , s ) . Q ′ ] with c public.

  18. Security properties - confidentiality Confidentiality for process P w.r.t. secret s For all processes A such that A | P → ∗ Q , we have that Q is not of the form C [ out ( c , s ) . Q ′ ] with c public. Some difficulties: ◮ we have to consider all the possible executions in presence of an arbitrary adversary (modelled as a process) ◮ we have to consider realistic initial configurations ◮ an unbounded number of agents, ◮ replications to model an unbounded number of sessions, ◮ reveal public keys and private keys to model dishonest agents, ◮ honest agents may initiate a session with a dishonest agent, . . .

  19. Going back to the Denning Sacco protocol A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) The aforementioned attack 1 . A → C : aenc ( sign ( k , priv ( A )) , pub ( C )) 2 . C ( A ) → B : aenc ( sign ( k , priv ( A )) , pub ( B )) 3 . B → A : senc ( s , k ) The “minimal” initial configuration to retrieve the attack is: � � new sk a , sk b . P A ( sk a , pk ( sk c )) | P B ( sk b , pk ( sk a ) | out ( c , pk ( skb ))

  20. Going back to the Denning Sacco protocol A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) The aforementioned attack 1 . A → C : aenc ( sign ( k , priv ( A )) , pub ( C )) 2 . C ( A ) → B : aenc ( sign ( k , priv ( A )) , pub ( B )) 3 . B → A : senc ( s , k ) The “minimal” initial configuration to retrieve the attack is: � � new sk a , sk b . P A ( sk a , pk ( sk c )) | P B ( sk b , pk ( sk a ) | out ( c , pk ( skb )) Exercise: Exhibit the process A (the behaviour of the attacker) that witnesses the aforementioned attack, i.e. such that: A | P DS → ∗ C [ out ( c , s ) . Q ′ ]

  21. Part II Designing verification algorithms ( confidentiality )

  22. Warm-up

  23. The deduction problem: is u deducible from φ ? We consider a signature F and an equational theory E. Input: A sequence φ of ground terms ( i.e. messages) and a term s (the secret) φ = { w 1 ⊲ m 1 , . . . , w n ⊲ m n } Output: Can the attacker learn s from φ ? In other words, does there exist a term (called recipe) R built using public symbols and w 1 , . . . , w n such that R φ = E s ?

  24. The deduction problem: is u deducible from φ ? We consider a signature F and an equational theory E. Input: A sequence φ of ground terms ( i.e. messages) and a term s (the secret) φ = { w 1 ⊲ m 1 , . . . , w n ⊲ m n } Output: Can the attacker learn s from φ ? In other words, does there exist a term (called recipe) R built using public symbols and w 1 , . . . , w n such that R φ = E s ? Exercise: Let φ = { w 1 ⊲ pk ( ska ); w 2 ⊲ pk ( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )); w 5 ⊲ senc ( s , k ) } . 1. Is k deducible from φ ? 2. What about s ?

  25. The deduction problem: is u deducible from φ ? We consider a signature F and an equational theory E. Input: A sequence φ of ground terms ( i.e. messages) and a term s (the secret) φ = { w 1 ⊲ m 1 , . . . , w n ⊲ m n } Output: Can the attacker learn s from φ ? In other words, does there exist a term (called recipe) R built using public symbols and w 1 , . . . , w n such that R φ = E s ? Exercise: Let φ = { w 1 ⊲ pk ( ska ); w 2 ⊲ pk ( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )); w 5 ⊲ senc ( s , k ) } . 1. Is k deducible from φ ? Yes, using R 1 = getmsg ( adec ( w 4 , w 3 )) 2. What about s ?

  26. The deduction problem: is u deducible from φ ? We consider a signature F and an equational theory E. Input: A sequence φ of ground terms ( i.e. messages) and a term s (the secret) φ = { w 1 ⊲ m 1 , . . . , w n ⊲ m n } Output: Can the attacker learn s from φ ? In other words, does there exist a term (called recipe) R built using public symbols and w 1 , . . . , w n such that R φ = E s ? Exercise: Let φ = { w 1 ⊲ pk ( ska ); w 2 ⊲ pk ( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )); w 5 ⊲ senc ( s , k ) } . 1. Is k deducible from φ ? Yes, using R 1 = getmsg ( adec ( w 4 , w 3 )) 2. What about s ? Yes, using R 2 = sdec ( w 5 , R 1 ) .

  27. The deduction problem Proposition The deduction problem is decidable in PTIME for the equational theory modelling the DS protocol (and for many others) Algorithm 1. saturation of φ with its deducible subterms in one-step: φ + 2. does there exist R such that R φ + = s (syntaxic equality)

  28. The deduction problem Proposition The deduction problem is decidable in PTIME for the equational theory modelling the DS protocol (and for many others) Algorithm 1. saturation of φ with its deducible subterms in one-step: φ + 2. does there exist R such that R φ + = s (syntaxic equality) Going back to the previous example: ◮ φ = { w 1 ⊲ pk ( ska ); w 2 ⊲ pk ( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )); w 5 ⊲ senc ( s , k ) } . ◮ φ + = φ ⊎ { w 6 ⊲ sign ( k , ska ); w 7 ⊲ k ; w 8 ⊲ s } .

  29. The deduction problem Proposition The deduction problem is decidable in PTIME for the equational theory modelling the DS protocol (and for many others) Algorithm 1. saturation of φ with its deducible subterms in one-step: φ + 2. does there exist R such that R φ + = s (syntaxic equality) Going back to the previous example: ◮ φ = { w 1 ⊲ pk ( ska ); w 2 ⊲ pk ( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )); w 5 ⊲ senc ( s , k ) } . ◮ φ + = φ ⊎ { w 6 ⊲ sign ( k , ska ); w 7 ⊲ k ; w 8 ⊲ s } . − → Therefore k and s are deducible from φ !

  30. Soundness, completeness, and termination Soundness If the algorithm returns Yes then u is indeed deducible from φ . − → easy to prove

  31. Soundness, completeness, and termination Soundness If the algorithm returns Yes then u is indeed deducible from φ . − → easy to prove Termination The set of subterms is finite and polynomial, and one-step deducibility can be checked in polynomial time. − → easy to prove for the deduction rules under study

  32. Soundness, completeness, and termination Soundness If the algorithm returns Yes then u is indeed deducible from φ . − → easy to prove Termination The set of subterms is finite and polynomial, and one-step deducibility can be checked in polynomial time. − → easy to prove for the deduction rules under study Completeness If u is deducible from φ , then the algorithm returns Yes. − → this relies on a locality property Locality lemma Let φ be a frame and u be a deducible subterm of φ . There exists a recipe R witnessing this fact which satisfies the locality property: for any R ′ subterm of R , we have that R ′ φ ↓ is a subterm of φ .

  33. Caution ! One should never underestimate the attacker ! The attacker can listen to the communication but also: ◮ intercept the messages that are sent by the participants, ◮ build new messages according to his deduction capabilities, and ◮ send messages on the communication network. − → this is the co-called active attacker

  34. State of the art in a nutshell (active attacker) for analysing confidentiality properties Unbounded number of sessions ◮ undecidable in general [Even & Goldreich, 83; Durgin et al , 99] ◮ decidable for restricted classes [Lowe, 99; Rammanujam & Suresh, 03; . . . ] − → ProVerif: A tool that does not correspond to any decidability result but works well in practice. [Blanchet, 01]

  35. State of the art in a nutshell (active attacker) for analysing confidentiality properties Unbounded number of sessions ◮ undecidable in general [Even & Goldreich, 83; Durgin et al , 99] ◮ decidable for restricted classes [Lowe, 99; Rammanujam & Suresh, 03; . . . ] − → ProVerif: A tool that does not correspond to any decidability result but works well in practice. [Blanchet, 01] Bounded number of sessions ◮ a decidability result (NP-complete) [Rusinowitch & Turuani, 01; Millen & Shmatikov, 01] − → Avantssar: a platform that implements two such decision procedures [Armando et al. , 05]

  36. Confidentiality using the constraint solving approach − → active attacker, only for a bounded number of sessions [Comon, Cortier & Zalinescu, 10]

  37. Confidentiality using the constraint solving approach − → active attacker, only for a bounded number of sessions [Comon, Cortier & Zalinescu, 10] Two main steps: 1. A symbolic exploration of all the possible traces The infinite number of possible execution traces are represented by a finite set of constraint systems 2. A decision procedure for deciding whether a constraint system has a solution or not.

  38. Step 1: confidentiality via constraint solving We consider a finite sequence of actions: in ( u 1 ); out ( v 1 ); in ( u 2 ); . . . out ( v n ) − → u i and v i may contain variables We build the following constraint system C :  ? φ 0 ⊢ u 1     ?   φ 0 , w 1 ⊲ v 1 ⊢ u 2 C = ...    ?    φ 0 , w 1 ⊲ v 1 , . . . , w n ⊲ v n ⊢ s

  39. Step 1: confidentiality via constraint solving We consider a finite sequence of actions: in ( u 1 ); out ( v 1 ); in ( u 2 ); . . . out ( v n ) − → u i and v i may contain variables We build the following constraint system C :  ? φ 0 ⊢ u 1     ?   φ 0 , w 1 ⊲ v 1 ⊢ u 2 C = ...    ?    φ 0 , w 1 ⊲ v 1 , . . . , w n ⊲ v n ⊢ s A solution of a constraint system C is a substitution σ such that for ? ⊢ u ∈ C , we have that: every constraint w 1 ⊲ v 1 , . . . , w n ⊲ v n u σ is deducible from w 1 ⊲ v 1 σ, . . . , w n ⊲ v n σ .

  40. Going back to the Denning Sacco protocol A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A senc ( s , k ) : One possible interleaving: out ( aenc ( sign ( k , ska ) , pk ( skc ))) in ( aenc ( sign ( x , ska ) , pk ( skb ))); out ( senc ( s , x ))

  41. Going back to the Denning Sacco protocol A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A senc ( s , k ) : One possible interleaving: out ( aenc ( sign ( k , ska ) , pk ( skc ))) in ( aenc ( sign ( x , ska ) , pk ( skb ))); out ( senc ( s , x )) The associated constraint system is: ? ⊢ aenc ( sign ( x , ska ) , pk ( skb )) φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )); w 5 ⊲ senc ( s , x ) ⊢ s with φ 0 = { w 1 ⊲ pk ( ska ) , w 2 ⊲ pk ( skb ); w 3 ⊲ skc } .

  42. Going back to the Denning Sacco protocol A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A senc ( s , k ) : One possible interleaving: out ( aenc ( sign ( k , ska ) , pk ( skc ))) in ( aenc ( sign ( x , ska ) , pk ( skb ))); out ( senc ( s , x )) The associated constraint system is: ? ⊢ aenc ( sign ( x , ska ) , pk ( skb )) φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )); w 5 ⊲ senc ( s , x ) ⊢ s with φ 0 = { w 1 ⊲ pk ( ska ) , w 2 ⊲ pk ( skb ); w 3 ⊲ skc } . Question: Does C admit a solution?

  43. Going back to the Denning Sacco protocol A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A senc ( s , k ) : One possible interleaving: out ( aenc ( sign ( k , ska ) , pk ( skc ))) in ( aenc ( sign ( x , ska ) , pk ( skb ))); out ( senc ( s , x )) The associated constraint system is: ? ⊢ aenc ( sign ( x , ska ) , pk ( skb )) φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )); w 5 ⊲ senc ( s , x ) ⊢ s with φ 0 = { w 1 ⊲ pk ( ska ) , w 2 ⊲ pk ( skb ); w 3 ⊲ skc } . Question: Does C admit a solution? Yes: x → k . ◮ R 1 = aenc ( adec ( w 4 , w 3 ) , w 2 ) solve the first constraint, ◮ R 2 = sdec ( w 5 , getmsg ( adec ( w 4 , w 3 ) , w 1 )) solve the second constraint

  44. The general case: is the constraint system C satisfiable? Main idea: simplify them until reaching ⊥ or solved forms Constraint system in solved form ?  ⊢ x 0 φ 0     ?   φ 0 ; φ 1 ⊢ x 1 C = ...    ?   φ 0 ; φ 1 ; . . . ; φ n ⊢ x n  Question: Is there a solution to such a system ?

  45. The general case: is the constraint system C satisfiable? Main idea: simplify them until reaching ⊥ or solved forms Constraint system in solved form ?  ⊢ x 0 φ 0     ?   φ 0 ; φ 1 ⊢ x 1 C = ...    ?   φ 0 ; φ 1 ; . . . ; φ n ⊢ x n  Question: Is there a solution to such a system ? Of course, yes ! The substitution σ = { x 0 �→ u 0 , . . . , x n �→ u 0 } with u 0 in φ 0 is such a solution.

  46. Step 2: simplification rules − → these rules deal with pairs and symmetric encryption only

  47. Step 2: simplification rules − → these rules deal with pairs and symmetric encryption only ? ? ? R f : C ∧ φ ⊢ f ( u 1 , u 2 ) � C ∧ φ ⊢ u 1 ∧ φ ⊢ u 2 f ∈ {�� , senc }

  48. Step 2: simplification rules − → these rules deal with pairs and symmetric encryption only ? ? ? R f : C ∧ φ ⊢ f ( u 1 , u 2 ) � C ∧ φ ⊢ u 1 ∧ φ ⊢ u 2 f ∈ {�� , senc } ? C ∧ φ ⊢ u ⊥ if vars ( φ ∪ { u } ) = ∅ and φ �⊢ u R fail : �

  49. Step 2: simplification rules − → these rules deal with pairs and symmetric encryption only ? ? ? R f : C ∧ φ ⊢ f ( u 1 , u 2 ) � C ∧ φ ⊢ u 1 ∧ φ ⊢ u 2 f ∈ {�� , senc } ? C ∧ φ ⊢ u ⊥ if vars ( φ ∪ { u } ) = ∅ and φ �⊢ u R fail : � ? ? R unif : C ∧ φ ⊢ u C σ ∧ φσ ⊢ u σ � σ if σ = mgu ( t 1 , t 2 ) where t 1 , t 2 ∈ st ( φ ) ∪ { u }

  50. Step 2: simplification rules − → these rules deal with pairs and symmetric encryption only ? ? ? R f : C ∧ φ ⊢ f ( u 1 , u 2 ) � C ∧ φ ⊢ u 1 ∧ φ ⊢ u 2 f ∈ {�� , senc } ? C ∧ φ ⊢ u ⊥ if vars ( φ ∪ { u } ) = ∅ and φ �⊢ u R fail : � ? ? R unif : C ∧ φ ⊢ u C σ ∧ φσ ⊢ u σ � σ if σ = mgu ( t 1 , t 2 ) where t 1 , t 2 ∈ st ( φ ) ∪ { u } ? C ∧ φ ⊢ u C R ax : � if u is deducible from φ ∪ { x | φ ′ ? ⊢ x ∈ C , φ ′ � φ }

  51. Applying rule R f ? ? ? C ∧ φ ⊢ f ( u 1 , u 2 ) � C ∧ φ ⊢ u 1 ∧ φ ⊢ u 2 R f : Example: ? ⊢ aenc ( sign ( x , ska ) , pk ( skb )) φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc ))

  52. Applying rule R f ? ? ? C ∧ φ ⊢ f ( u 1 , u 2 ) � C ∧ φ ⊢ u 1 ∧ φ ⊢ u 2 R f : Example: ? ⊢ aenc ( sign ( x , ska ) , pk ( skb )) φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc ))  ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ⊢ sign ( x , ska )  � ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ⊢ pk ( skb ) 

  53. Applying rule R unif ? ? R unif : C ∧ φ ⊢ u C σ ∧ φσ ⊢ u σ � σ if σ = mgu ( t 1 , t 2 ) where t 1 , t 2 ∈ st ( φ ) ∪ { u } Example:  ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ⊢ sign ( x , ska )  ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ⊢ pk ( skb ) 

  54. Applying rule R unif ? ? R unif : C ∧ φ ⊢ u C σ ∧ φσ ⊢ u σ � σ if σ = mgu ( t 1 , t 2 ) where t 1 , t 2 ∈ st ( φ ) ∪ { u } Example:  ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ⊢ sign ( x , ska )  ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ⊢ pk ( skb )   ? ⊢ φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) sign ( k , ska )  � ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ⊢ pk ( skb ) 

  55. Applying rule R ax ? R ax : C ∧ φ ⊢ u C if u deducible from � φ ∪ { x | φ ′ ? ⊢ x ∈ C , φ ′ � φ } Example: (assuming that skc and pk ( skb ) are in φ 0 )  ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ⊢ sign ( k , ska )  ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ⊢ pk ( skb ) 

  56. Applying rule R ax ? R ax : C ∧ φ ⊢ u C if u deducible from � φ ∪ { x | φ ′ ? ⊢ x ∈ C , φ ′ � φ } Example: (assuming that skc and pk ( skb ) are in φ 0 )  ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ⊢ sign ( k , ska )  ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ⊢ pk ( skb )  � ? � ⊢ φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) sign ( k , ska )

  57. Applying rule R ax ? R ax : C ∧ φ ⊢ u C if u deducible from � φ ∪ { x | φ ′ ? ⊢ x ∈ C , φ ′ � φ } Example: (assuming that skc and pk ( skb ) are in φ 0 )  ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ⊢ sign ( k , ska )  ? φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) ⊢ pk ( skb )  � ? � ⊢ φ 0 ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )) sign ( k , ska ) ∅ � (empty constraint system)

  58. Results on the simplification rules ? ? ? C ∧ φ ⊢ f ( u 1 , u 2 ) � C ∧ φ ⊢ u 1 ∧ φ ⊢ u 2 f ∈ {�� , senc } R f : ? C ∧ φ ⊢ u ⊥ if vars ( φ ∪ { u } ) = ∅ and φ �⊢ u R fail : � ? ? R unif : C ∧ φ ⊢ u � σ C σ ∧ φσ ⊢ u σ if σ = mgu ( t 1 , t 2 ) where t 1 , t 2 ∈ st ( φ ) ∪ { u } ? C ∧ φ ⊢ u C R ax : � if u is deducible from φ ∪ { x | φ ′ ? ⊢ x ∈ C , φ ′ � φ } Given a (well-formed) constraint system C :

  59. Results on the simplification rules ? ? ? C ∧ φ ⊢ f ( u 1 , u 2 ) � C ∧ φ ⊢ u 1 ∧ φ ⊢ u 2 f ∈ {�� , senc } R f : ? C ∧ φ ⊢ u ⊥ if vars ( φ ∪ { u } ) = ∅ and φ �⊢ u R fail : � ? ? R unif : C ∧ φ ⊢ u � σ C σ ∧ φσ ⊢ u σ if σ = mgu ( t 1 , t 2 ) where t 1 , t 2 ∈ st ( φ ) ∪ { u } ? C ∧ φ ⊢ u C R ax : � if u is deducible from φ ∪ { x | φ ′ ? ⊢ x ∈ C , φ ′ � φ } Given a (well-formed) constraint system C : Soundness σ C ′ and θ solution of C ′ then σθ is a solution of C . If C � ∗ − → easy to show

  60. Results on the simplification rules ? ? ? C ∧ φ ⊢ f ( u 1 , u 2 ) � C ∧ φ ⊢ u 1 ∧ φ ⊢ u 2 f ∈ {�� , senc } R f : ? C ∧ φ ⊢ u ⊥ if vars ( φ ∪ { u } ) = ∅ and φ �⊢ u R fail : � ? ? R unif : C ∧ φ ⊢ u � σ C σ ∧ φσ ⊢ u σ if σ = mgu ( t 1 , t 2 ) where t 1 , t 2 ∈ st ( φ ) ∪ { u } ? C ∧ φ ⊢ u C R ax : � if u is deducible from φ ∪ { x | φ ′ ? ⊢ x ∈ C , φ ′ � φ } Given a (well-formed) constraint system C : Termination There is no infinite chain C � σ 1 C 1 . . . � σ n C n .

Recommend

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, Universit Paris Saclay, France Monday, June 27th, 2016 S. Delaune (LSV) Verification of security protocols 27th June 2016 1

1.88k views • 175 slides
Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, August 26th, 2015 S. Delaune (LSV) Verification of security protocols 26th August 2015 1 / 54 This talk:

1.49k views • 124 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ

Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ

Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, June 28th, 2018 Research at IRISA (Rennes) 800 members (among which about 400 reasearchers) EMSEC team

1.05k views • 86 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, France Tuesday, August 25th, 2015 S. Delaune (LSV) Verification of security protocols 25th August 2015 1 / 60 ENS Cachan 12

1.42k views • 127 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018

1.23k views • 78 slides
Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Introduction on security protocols Formal models Unbounded number of sessions Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/65 V eronique Cortier Verification of Security

1.29k views • 111 slides
Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to security protocols Dresden University of Technology Martin Pitt martin@piware.de Paper and slides available at http://www.piware.de/docs.shtml

549 views • 33 slides
Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Introduction on security protocols Formal models Going further Towards more guarantees Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/102 V

2.12k views • 160 slides
Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

1.92k views • 139 slides
Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin Song Dong Motivation Since clock synchronization is so important in the security of the Kerberos protocol, if clocks are not synchronized within a

493 views • 23 slides
Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome Vincent Bernat Laboratoire Spcification et Vrification CNRS & ENS Cachan SPV03 - Marseille p.1/17 Plan 1. Intro Existing models,

920 views • 63 slides
Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science, University of Bristol Finse Winter School, 7 May 2015 Security protocols: roles and goals Roles: P 1 , . . . , P n (e.g. clients, servers, devices,

1.43k views • 127 slides
Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola Bruno Blanchet {

1.02k views • 44 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of

605 views • 46 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography and system mechanisms meet They allow trust to be taken from where it exists to where it s needed But they are

941 views • 67 slides
First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols Peeter Laud peeter l@ut.ee Tartu Ulikool Cybernetica AS Teooriap aevad Arulas, 3.-5.02.2003 p.1/27 Overview Cryptographic protocols.

570 views • 27 slides
TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication Confidentiality by applying block & stream ciphers - Integrity with MACs - Authenticity with certificates - Predecessor: SSL (secure

557 views • 13 slides
Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols 01 Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief introduction to security protocols; Model checking of security protocols, particularly using the process

1.28k views • 110 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH Zurich Road map Motivation Basic notions Problems Symbolic models 1 Security protocols Omnipresent Authentication:

827 views • 37 slides

More recommend