The Inductive Approach to Verifying Cryptographic Protocols


1 The Inductive Approach to Verifying Cryptographic Protocols
Shaohui Wang (aka Vincent), Computer and Information Science, University of Pennsylvania, November 17, 2018

2 The Inductive Approach to Verifying Cryptographic Protocols
Outline
  An Example: A Variant of the Otway-Rees Protocol
  Formal Modeling of Cryptographic Protocols
  Properties of the Otway-Rees Protocol Variant
  Proofs in Detail (Optional)
  Conclusions
11/17/2018 The Inductive Approach to Verifying Cryptographic Protocols

3 The (Modified) Otway-Rees Protocol

4 A Variant of the Otway-Rees Protocol
Goal: to establish a session key Kab between A and B for their communication, mediated by a trusted server S with which A and B share the long-term keys Ka and Kb. The four messages of the variant, as fixed by the rules on slides 11 to 14:
  1. A → B: Na, A, B, {| Na, A, B |}Ka
  2. B → S: Na, A, B, {| Na, A, B |}Ka, Nb, {| Na, A, B |}Kb
  3. S → B: Na, {| Na, Kab |}Ka, {| Nb, Kab |}Kb
  4. B → A: Na, {| Na, Kab |}Ka
Note: before going into the steps, explain the notation here. Identify the first message with the example on the previous slide.

5 The Dolev-Yao Adversary Model
A Spy acts according to the protocol rules, but can also
  overhear all traffic in the protocol,
  intercept events in the protocol,
  forge new messages from her existing knowledge,
  send fraudulent messages to other agents.
Forging of new messages
  The Spy can analyze her known set of messages, including decrypting messages whose key she knows, and form fraudulent messages out of this analysis.
  Formally, if H is her knowledge, she sends messages from the set synth(analz H).
Assumptions
  The Spy can act as an honest agent, and can also send fraudulent messages.
  Should the Spy hold somebody's key, communications between other agents should not suffer.

6 Attacking the Otway-Rees Protocol

7 Formal Modeling of Cryptographic Protocols

8 Proving Cryptographic Protocols: Idea
Model components of a cryptographic protocol
  Messages, as terms built from (uninterpreted) atoms, e.g. {| A, B, Na |}, {| A, Na, Crypt K Na |}
  Operations on messages, as inductively defined operators: analz, parts, synth
  Events, as logical formulas built from primitives, e.g. Says A B {| Na, A, B, Crypt Ka {| Na, A, B |} |}
Describe the behaviors of components with traces and rules
  A communication session is a trace of events
  The behavior of each component is a set of rules under which an existing trace may be extended
State and prove properties
  E.g., a nonce can never be generated by two different agents
  Caution: stating the correct theorems is crucial!

9 The Inductive Approach to Verifying Cryptographic Protocols
Messages and Events
A message is one of
  Agent: A, B, Spy, S, etc.
  Number: 1, 2, 3, etc. (guessable)
  Nonce: Na, Nb, Na', etc. (not guessable)
  Key: Ka, Kb, Kab, etc.
  Tuple / compound message: {| Na, A, B |}
  Hash: Hash X, where X is a message
  Encryption: Crypt K X, also written {| X |}K
An event is one of
  Says A B X, where A and B are agents and X is a message
  Notes A X, where A is an agent and X is a message

10 Trace and Protocol Behaviors
A trace is a sequence of events
  The empty sequence [] of events is a trace
  [Says A B X, Notes Spy X, Says B S {| Nb, A, B, X |}] is a trace
Protocol behaviors are described by the rules allowed for trace construction
  Protocol-specific rules (next slides)
  Standard rules
    Nil rule: [] is a trace
    Fake rule: the Spy can send a fraudulent message; the parts, analz and synth operators are needed to define "fraudulent message" (later slides)
    Oops rule: the Spy can take note of a compromised session key

11 Describing Protocols as Rules (I)
If evs is a trace, Na is a fresh nonce and B is an agent distinct from A and from S, then evs may be extended with the event
  Says A B {| Na, A, B, {| Na, A, B |}Ka |}

12 Describing Protocols as Rules (II)
If evs is a trace containing an event of the form Says A' B {| Na, A, B, X |} (B cannot tell who the true sender A' is, only what the message says), Nb is a fresh nonce and B ≠ S, then evs may be extended with the event
  Says B S {| Na, A, B, X, Nb, {| Na, A, B |}Kb |}

13 Describing Protocols as Rules (III)
If evs is a trace containing an event of the form Says B' S {| Na, A, B, {| Na, A, B |}Ka, Nb, {| Na, A, B |}Kb |} (the sender B' is unknown to S; what S checks is that both certificates agree on Na, A, B), Kab is a fresh key and B ≠ S, then evs may be extended with the event
  Says S B {| Na, {| Na, Kab |}Ka, {| Nb, Kab |}Kb |}

14 Describing Protocols as Rules (IV)
If evs contains the two events
  Says B S {| Na, A, B, X', Nb, {| Na, A, B |}Kb |}
  Says S' B {| Na, X, {| Nb, K |}Kb |}
(B pairs the reply with its own request through Na and Nb; the sender S' is unknown) and A ≠ B, then evs may be extended with the event
  Says B A {| Na, X |}

15 The Inductive Approach to Verifying Cryptographic Protocols
Standard Rules
  Nil: the empty list [] is a trace
  Fake: if evs is a trace, H is the Spy's knowledge of evs, X ∈ synth(analz H) is a fraudulent message and B ≠ Spy, then evs may be extended with the event Says Spy B X
  Oops: if evs is a trace and S distributed the session key K in a run involving the nonces Na and Nb, then evs may be extended with the event Notes Spy {| Na, Nb, K |}

16 The Inductive Approach to Verifying Cryptographic Protocols
The Operator parts
Definition
  The set parts H is obtained from H by repeatedly adding the components of compound messages and the bodies of encrypted messages.
  The key K in Crypt K X is not added unless K occurs inside X.
  parts H is the set of all components of H that are potentially recoverable, i.e. everything that could be learnt if every cipher were broken.
Example
  parts{ {| A, Na, Crypt K X |} } = { {| A, Na, Crypt K X |}, A, Na, Crypt K X, X } (together with the nested sub-tuple {| Na, Crypt K X |}, since compound messages nest to the right)
Properties

17 The Inductive Approach to Verifying Cryptographic Protocols
The Operator analz
Definition
  The set analz H is obtained from H by repeatedly adding the components of compound messages and by decrypting messages whose (inverse) keys are in analz H.
  analz H is the most that could be gleaned from H without breaking any cipher.
Example
  analz{ {| Na |}Ka } = { {| Na |}Ka }
  analz{ {| {| Na |}Ka, Ka⁻¹ |} } = { {| {| Na |}Ka, Ka⁻¹ |}, {| Na |}Ka, Ka⁻¹, Na }
Properties

18 The Inductive Approach to Verifying Cryptographic Protocols
The Operator synth
Definition
  The set synth H models the messages a spy could build up from elements of H by repeatedly adding agent names (and numbers), forming compound messages and encrypting with keys contained in H. Nonces and keys cannot be guessed: they must already be in H.
Example
  synth{ K } = { A, {| A, K |}, Crypt K A, {| A, Crypt K (Crypt K A) |}, … } (essentially unbounded)
Properties

19 The Operators parts, analz, synth
Monotonic
Idempotent
Equations
Equivalences

20 Computing parts and analz
The set of keys that can decrypt messages in H
Defining analz (the case for Crypt)
Note: not going through these one by one, but emphasize the inductive definition.

21 The Inductive Approach to Verifying Cryptographic Protocols
Modeling the Spy
She has some initial knowledge
  The server S knows the shared keys of everyone
  Each agent knows his own key
  The Spy knows the keys of a set of bad (compromised) agents
She updates her knowledge on the fly
  Initially she has only her initial knowledge
  If she overhears an event Says A B X, she learns X
  If she overhears an event Notes A X and knows the key of A (A is bad), she learns X
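The three operators of slides 16 to 18 and the Spy's knowledge of slide 21, as an added, runnable Python example (this is not Paulson's Isabelle code and not part of the presentation). Messages are tagged tuples that nest to the right like Isabelle's {| ... |}; keys are symmetric unless a table of inverses is passed to analz; the set BAD of compromised agents, the key names in SHRK, and the nonces and keys in the sample run are all assumed values constructed for the example. synth H is infinite, so the code decides membership in it instead of enumerating it.

```python
# Added example, not Paulson's Isabelle code: parts, analz and synth over a set
# H of messages, and the Spy's knowledge `spies evs` computed from a trace.
# Messages are tagged tuples; {| x1, ..., xn |} nests to the right, as in Isabelle.
def Agent(a):    return ("Agent", a)
def Number(n):   return ("Number", n)
def Nonce(n):    return ("Nonce", n)
def Key(k):      return ("Key", k)
def Hash(x):     return ("Hash", x)
def Crypt(k, x): return ("Crypt", k, x)          # {| x |}k, k is a key name
def MPair(*xs):
    return xs[0] if len(xs) == 1 else ("MPair", xs[0], MPair(*xs[1:]))

def parts(H):
    """Close H under components of pairs and bodies of ciphertexts.
    The key of Crypt K X is not added, and Hash X is never opened."""
    result, stack = set(H), list(H)
    while stack:
        m = stack.pop()
        inner = m[1:] if m[0] == "MPair" else (m[2],) if m[0] == "Crypt" else ()
        for c in inner:
            if c not in result:
                result.add(c)
                stack.append(c)
    return frozenset(result)

def analz(H, inv=None):
    """Close H under splitting pairs and decrypting with keys already in analz H.
    inv maps a key name to its inverse; keys absent from inv are symmetric."""
    inv = inv or {}
    result, changed = set(H), True
    while changed:
        changed = False
        keys = {m[1] for m in result if m[0] == "Key"}
        for m in list(result):
            if m[0] == "MPair":
                new = set(m[1:])
            elif m[0] == "Crypt" and inv.get(m[1], m[1]) in keys:
                new = {m[2]}
            else:
                continue
            if not new <= result:
                result |= new
                changed = True
    return frozenset(result)

def in_synth(x, H):
    """Decide x in synth H (the set itself is infinite): agents and numbers are
    guessable, pairs and hashes are built from buildable parts, and encrypting
    under K needs Key K itself to be in H."""
    if x in H:
        return True
    tag = x[0]
    if tag in ("Agent", "Number"):
        return True
    if tag == "Hash":
        return in_synth(x[1], H)
    if tag == "MPair":
        return in_synth(x[1], H) and in_synth(x[2], H)
    if tag == "Crypt":
        return Key(x[1]) in H and in_synth(x[2], H)
    return False                                 # a Nonce or Key not in H cannot be guessed

BAD  = {"Spy"}                                   # compromised agents (assumed: only the Spy)
SHRK = {"A": "Ka", "B": "Kb", "Spy": "Kspy"}     # long-term keys shared with S (assumed names)

def spies(evs):
    """Spy's knowledge: keys of bad agents, every message sent, and notes of bad agents."""
    known = {Key(SHRK[a]) for a in BAD}
    for ev in evs:
        if ev[0] == "Says":
            known.add(ev[3])
        elif ev[0] == "Notes" and ev[1] in BAD:
            known.add(ev[2])
    return frozenset(known)

def otway_rees_demo():
    """One honest run of the variant; Na, Nb, Kab are constructed sample values."""
    A, B = Agent("A"), Agent("B")
    Na, Nb, Kab = Nonce("Na"), Nonce("Nb"), Key("Kab")
    certA, certB = Crypt("Ka", MPair(Na, A, B)), Crypt("Kb", MPair(Na, A, B))
    evs = [("Says", "A", "B", MPair(Na, A, B, certA)),
           ("Says", "B", "S", MPair(Na, A, B, certA, Nb, certB)),
           ("Says", "S", "B", MPair(Na, Crypt("Ka", MPair(Na, Kab)), Crypt("Kb", MPair(Nb, Kab)))),
           ("Says", "B", "A", MPair(Na, Crypt("Ka", MPair(Na, Kab))))]
    seen = analz(spies(evs))
    oops = ("Notes", "Spy", MPair(Na, Nb, Kab))             # the Oops rule fires
    return {
        "Kab in parts(spies evs)": Kab in parts(spies(evs)),  # the key did travel ...
        "Kab in analz(spies evs)": Kab in seen,               # ... but only under Ka and Kb
        "Kab in analz after Oops": Kab in analz(spies(evs + [oops])),
        "spy can forge {|Na, A, Spy|}Ka": in_synth(Crypt("Ka", MPair(Na, A, Agent("Spy"))), seen),
        "spy can replay certA under a new name": in_synth(MPair(Na, A, Agent("Spy"), certA), seen),
    }
```

The demo shows the distinction the three operators are built for: after the honest run Kab is in parts(spies evs) but not in analz(spies evs), so the session key travels through the Spy's hands yet is unavailable to her until an Oops event hands it over. The last two entries show the Fake rule's reach: she cannot produce a new certificate under Ka, but she can resend the certificate she saw inside a message of her own choosing.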

22 The Inductive Approach to Verifying Cryptographic Protocols
What's Next?
What we have now
  The behaviors of the agents, the server and the Spy are described by rules
  The interaction is modeled as a trace of events
What to do next
  State properties of any trace that can be constructed according to the protocol rules
  E.g., long-term keys remain secret, i.e., A's key is known to the Spy if and only if A is a bad agent
  Formal description:
  Prove them! Most of the time by induction!

23 The Major Proof Technique: Induction
The set of natural numbers ℕ is inductively defined: 0 ∈ ℕ, and n ∈ ℕ ⇒ Suc n ∈ ℕ.
To prove a property P on all natural numbers: prove P(0), and P(n) ⇒ P(Suc n).
A cryptographic session trace is inductively defined: [] is a trace, and ev # evs is a trace if evs is a trace and ev is a new event allowed by the protocol rules.
To prove a property P on all traces: prove P([]), and P(evs) ⇒ P(ev # evs) for every allowed ev.

24 The (Modified) Otway-Rees Protocol Revisited: Properties

25 The Inductive Approach to Verifying Cryptographic Protocols
Overall Idea
For a given protocol, we need to establish a few properties that together make up the correctness of the protocol.
To do so, several kinds of supporting lemmas are needed:
  Possibility Properties
  Forwarding Lemmas
  Regularity Lemmas
  Unicity Theorems
  Secrecy Theorems
  Authenticity Theorems
We prove families of these lemmas and draw a conclusion:
  If the key correctness theorems can be proved, the protocol is safe with respect to the modeled adversary.
  When a proof of a theorem cannot be obtained, the failed proof often points to a possible attack on the protocol.

26 The Possibility Properties
Synopsis
  If A tries to establish a session with B, the final message B → A: Na, {| Na, Kab |}Ka can eventually be sent.
English description
  For all agents A and B, distinct from each other and from the server, there is a key Kab, a nonce Na and a trace such that the final message B → A: Na, {| Na, Kab |}Ka is sent.
Proof idea
  Successively apply the protocol rules, checking that all the preconditions of each rule are satisfied. (This only shows the protocol can run to completion; it says nothing about security.)
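The protocol rules of slides 11 to 15 and the possibility property of this slide, as an added, runnable Python example (not Paulson's Isabelle theory, and not from the presentation). Each rule is a function that lists the events an existing trace may be extended with; traces are plain Python lists, oldest event first (Paulson writes ev # evs with the newest event first). The server name, the key names in SHRK and the generated nonce and key names are assumed for the example.

```python
# Added example, not Paulson's Isabelle theory: rules I-IV of the Otway-Rees
# variant and the Oops rule as functions listing the events a trace may be
# extended with.  Traces are Python lists, oldest event first; agent and key
# names are assumed.  Messages are tagged tuples, {| ... |} nesting to the right.
from itertools import count

def Agent(a):    return ("Agent", a)
def Nonce(n):    return ("Nonce", n)
def Crypt(k, x): return ("Crypt", k, x)          # {| x |}k, k is a key name
def MPair(*xs):
    return xs[0] if len(xs) == 1 else ("MPair", xs[0], MPair(*xs[1:]))
def Says(a, b, x): return ("Says", a, b, x)
def Notes(a, x):   return ("Notes", a, x)

SERVER = "S"
SHRK = {"A": "Ka", "B": "Kb", "C": "Kc", "Spy": "Kspy"}   # long-term keys known to S

def split(m, n):
    """Match m against {| x1, ..., xn |}; return the n components or None."""
    xs = []
    while len(xs) < n - 1 and m[0] == "MPair":
        xs.append(m[1]); m = m[2]
    return xs + [m] if len(xs) == n - 1 else None

def used(evs):
    """Nonces and keys occurring anywhere in the trace (Paulson's `used evs`)."""
    seen, stack = set(), [ev[-1] for ev in evs]
    while stack:
        m = stack.pop()
        if m[0] in ("Nonce", "Key"): seen.add(m)
        elif m[0] in ("MPair", "Crypt"): stack.extend(m[1:] if m[0] == "MPair" else [m[2]])
    return seen

def fresh(kind, evs):
    """First Nonce/Key of the given kind that does not occur in evs."""
    return next((kind, f"{kind}{i}") for i in count() if (kind, f"{kind}{i}") not in used(evs))

def OR1(evs, A, B):
    """Rule I: A opens a run with B; B must differ from A and from the server."""
    if B in (A, SERVER): return []
    Na = fresh("Nonce", evs)
    cert = Crypt(SHRK[A], MPair(Na, Agent(A), Agent(B)))
    return [Says(A, B, MPair(Na, Agent(A), Agent(B), cert))]

def OR2(evs, B):
    """Rule II: B relays any step-1 message addressed to it (true sender A' unknown)."""
    out = []
    for ev in evs:
        p = split(ev[3], 4) if ev[0] == "Says" and ev[2] == B and B != SERVER else None
        if p and p[0][0] == "Nonce" and p[1][0] == "Agent" and p[2] == Agent(B):
            Na, A, _, X = p
            Nb = fresh("Nonce", evs)
            cert = Crypt(SHRK[B], MPair(Na, A, Agent(B)))
            out.append(Says(B, SERVER, MPair(Na, A, Agent(B), X, Nb, cert)))
    return out

def OR3(evs):
    """Rule III: S needs both certificates (sender B' unknown) to agree on Na, A, B."""
    out = []
    for ev in evs:
        p = split(ev[3], 6) if ev[0] == "Says" and ev[2] == SERVER else None
        if not p or p[1][0] != "Agent" or p[2][0] != "Agent" or p[2][1] == SERVER: continue
        Na, A, B, certA, Nb, certB = p
        ka, kb = SHRK.get(A[1]), SHRK.get(B[1])
        if certA != Crypt(ka, MPair(Na, A, B)) or certB != Crypt(kb, MPair(Na, A, B)): continue
        Kab = fresh("Key", evs)
        out.append(Says(SERVER, B[1], MPair(Na, Crypt(ka, MPair(Na, Kab)), Crypt(kb, MPair(Nb, Kab)))))
    return out

def OR4(evs, B):
    """Rule IV: B matches its own step-2 message with a reply of the right shape (sender S' unknown) via Nb."""
    out = []
    for e2 in evs:
        p = split(e2[3], 6) if e2[:3] == ("Says", B, SERVER) else None
        if not p or p[1][0] != "Agent" or p[1][1] == B or p[2] != Agent(B): continue
        Na, A, _, _, Nb, certB = p
        if certB != Crypt(SHRK[B], MPair(Na, A, Agent(B))): continue
        for e3 in evs:
            q = split(e3[3], 3) if e3[0] == "Says" and e3[2] == B else None
            if not q or q[0] != Na or q[2][:2] != ("Crypt", SHRK[B]): continue
            r = split(q[2][2], 2)
            if r and r[0] == Nb and r[1][0] == "Key":
                out.append(Says(B, A[1], MPair(Na, q[1])))
    return out

def Oops(evs):
    """Oops: a session key S distributed, with the nonces of its run, leaks to the Spy."""
    out = []
    for ev in evs:
        q = split(ev[3], 3) if ev[:2] == ("Says", SERVER) else None
        if q and q[2][0] == "Crypt":
            r = split(q[2][2], 2)
            if r and r[1][0] == "Key":
                out.append(Notes("Spy", MPair(q[0], r[0], r[1])))
    return out

def possibility(A, B):
    """Possibility property: chain rules I-IV and check the final B -> A message."""
    evs = OR1([], A, B)
    for rule in (lambda t: OR2(t, B), OR3, lambda t: OR4(t, B)):
        evs = evs + rule(evs)[:1]                # each rule permits exactly one event here
    if len(evs) != 4: return False
    Na = split(evs[0][3], 4)[0]
    Kab = split(Oops(evs)[0][2], 3)[2]
    return evs[-1] == Says(B, A, MPair(Na, Crypt(SHRK[A], MPair(Na, Kab))))

def server_ignores_sender(A, B):
    """Rule III matches on message shape only: a Spy-sent copy of step 2 is accepted too."""
    evs = OR1([], A, B)
    step2 = OR2(evs, B)[0]
    return len(OR3(evs + [Says("Spy", SERVER, step2[3])])) == 1
```

possibility("A", "B") reproduces the proof idea above: apply the four rules in order, each time checking the preconditions against the trace built so far, and compare the last event with the claimed final message. server_ignores_sender makes the primed senders (A', B', S') in the rules concrete: a rule only inspects message contents, so any agent, the Spy included, can trigger it with a message of the right shape. That is exactly why the later authenticity theorems, not the possibility property, carry the security argument.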

27 The Inductive Approach to Verifying Cryptographic Protocols
Forwarding Lemmas
Synopsis
  Once an agent has seen a message, it can forward an item inside that message without understanding it.
Example
  If the Spy sees the message shown on the slide, she learns its component X.

28 The Inductive Approach to Verifying Cryptographic Protocols
Regularity Lemmas
Synopsis
  Once a message is known to the Spy, something must have happened. Stated in the form "X ∈ parts(spies evs) ⇒ …"
Example
  Long-term keys remain secret: if A's key is known to the Spy, then A is a bad agent.

29 The Inductive Approach to Verifying Cryptographic Protocols
Unicity Theorems
Synopsis
  Uniqueness of session keys and nonces.
Example
  If the server ever distributes a session key K to an agent B, then K identifies that run: the values B, Na, Nb, X of the message in which it was issued are uniquely determined by K. Formally, it is shown on the slide.

30 The Inductive Approach to Verifying Cryptographic Protocols
Secrecy Theorems
Synopsis
  The Spy cannot obtain further keys from a known key and the existing trace.
  E.g., the Session Key Compromise Theorem: if K can be obtained with the help of a session key K' and the previous traffic, then either K = K' or K can be obtained from the traffic alone. Hence, if the server distributes a session key Kab to A and B, neither the Spy nor any other agent gets this key.
Formal description
  For an arbitrary trace evs, where the set quantified over is an arbitrary set of session keys, not necessarily occurring in the trace evs.

31 The Session Key Secrecy Theorem
Synopsis
  The protocol is correct from the server's viewpoint.
English description
  If the server distributes a session key to agents A and B, and the key is not lost in an Oops event, then the key is unavailable to the Spy.
Formally, the two hypotheses on the slide imply the conclusion shown.

32 Authenticity Theorems
Synopsis
  If a message appears to be from an agent A, then it was precisely A who sent this message; an agent must be able to rely on its certificate being authentic.
In the correct version of the Otway-Rees protocol
  If a trace contains the event shown on the slide, A is uncompromised and A has previously sent the step-1 message shown, then the server must have sent a correct instance of step 3 with some nonce Nb.

33 Authenticity Theorems
In the modified version of the Otway-Rees protocol
  The authenticity property cannot be proved, which indicates a possible attack.
  Although A has sent and received correctly formed messages in step 1 and step 4, the event trace does not show that the server has sent a correctly formed message back to B.

34 Proof of the Session Key Compromise Theorem

35 The Inductive Approach to Verifying Cryptographic Protocols
Conclusions

36 The Inductive Approach to Verifying Cryptographic Protocols
Conclusions
The Inductive Approach to Cryptographic Protocol Verification
  We first formally model the cryptographic protocol: its components and their behaviors.
  We then describe the properties of the protocol in terms of event traces.
    Pitfall: it is a challenge to state the correct theorems. E.g., for the Otway-Rees protocol the secrecy theorems alone are not enough; the authenticity theorems are needed as well.
  We prove the theorems, with the help of a family of supporting theorems. The proofs are heavily based on proof by induction.
  And we draw a conclusion:
    If the key correctness theorems can be proved, the protocol is safe with respect to the modeled adversary.
    When a proof of a theorem cannot be obtained, the failed proof often points to a possible attack on the protocol.

37 The Inductive Approach to Verifying Cryptographic Protocols
Q &amp; A
Thank you!

