Presentation is loading. Please wait.

Presentation is loading. Please wait.

Expressing Security Properties in CSP

Published byÍΘεριστής Χριστόπουλος Modified over 6 years ago

Similar presentations

Presentation on theme: "Expressing Security Properties in CSP"— Presentation transcript:

1 Expressing Security Properties in CSP
Security properties: the goals that a protocol is meant to satisfy, relatively to specific kinds and levels of threat – the intruders and their capabilities We will consider the following security properties: Secrecy No information leakage Authentication No falsification of identity Non-repudiation Evidence of the involvement of the other party Anonymity Protecting the identity of agents wrt particular events Lecture 5

2 Secrecy and authentication
They are both safety properties: a certain bad thing should not happen Explicit annotations: In the CSP approach, these properties are defined by “enhancing” the code of the processes with explicit signal claiming the success of the protocol wrt the intended property Secrecy: Claim_secret. m Information m has not become known to the intruder Authentication: Run with A , Commit with B The matching of these two events guarrantees the identities of A and B Lecture 5

3 Secrecy and authentication
Intr B A Intr B Protocol run Run with A Claim_Secret.m Commit with B Lecture 5

4 Example: The Yahalom Protocol
The protocol Message 1 a -> b : a.na Message 2 b -> s : b.{a.na.nb}ServerKey(b) Message 3 s -> a : {b.kab.na.nb}ServerKey(a) {a.kab}ServerKey(b) Message 4 a -> b : {a.kab}ServerKey(b) .{nb}kab Authentication of the participants Kab should remain secret We may require secrecy also on nb Lecture 5

5 Exm: Secrecy in the Yahalom protocol
CSP description of the two parties - Original Initiator(a,na ) = env?b: Agent g send.a.b.a.na g [] (receive.J.a{b. kab.na.nb}ServerKey(a) .m kab e Key g send.a.b.m.{nb}kab nb e Nonce g Session(a,b,kab,na,nb) ) m e T Responder(b,nb ) = [] (receive.a.b.a.na g send.b.J.b .{a.na.nb}ServerKey(b) kab e Key g receive.a.b.{a. kab}ServerKey(b) .{nb}kab nb e Nonce g Session(b,a,kab,na,nb) ) Lecture 5

6 Exm: Secrecy in the Yahalom protocol
CSP description of the two parties - Enhanced Initiator’(a,na ) = env?b: Agent g send.a.b.a.na g [] (receive.J.a{b. kab.na.nb}ServerKey(a) .m kab e Key g send.a.b.m.{nb}kab nb e Nonce g signal.Claim_Secret.a.b. kab m e T g Session(a,b,kab,na,nb) ) Responder’(b,nb ) = [] (receive.a.b.a.na g send.b.J.b .{a.na.nb}ServerKey(b) kab e Key g receive.a.b.{a. kab}ServerKey(b) .{nb}kab nb e Nonce g signal.Claim_Secret.a.b. kab m e T g Session(b,a,kab,na,nb) ) Lecture 5

7 Exm: Secrecy in the Yahalom protocol
CSP description of the server Server(J,kab ) = [] (receive.b.J.b .{a.na.nb}ServerKey(b) A,B e Agent g send.J.a. {b. kab.na.nb}ServerKey(a) .{a.kab}ServerKey(b) Nb ,nb e Nonce g Server(J,ks ) ) Server(J) = ||| Server(J,kab ) kab e KeysServer Lecture 5

8 Exm: Secrecy in the Yahalom protocol
CSP description of the intruder Intruder(X) = learn?m: messages gIntruder(close(X U {m}) [] say!m: X /\ messages gIntruder(X) Close(X) represents all the possible information that the attacker can infer from X. Typically we assume {k,m} |- encript(k,m) {encript(k,m), k-1} |- m {Sq<x1,…,xn>} |- xi {x1,…,xn} |- Sq<x1,…,xn>} Lecture 5

9 Exm: Secrecy in the Yahalom protocol
Initiator’(Anne,nA)S ||| Responder(Bob,nB)S ||| Server(Jeeves)S ||| Intruder’(f)S’ S = [fake,take/receive,send] S’ = [take.x.y/learn][fake.x.y, leak/say] Jeeves receive send Anne Bob receive send send receive fake.x.Bob take.Anne.y learn say Yves leak Lecture 5

10 Exm: Secrecy in the Yahalom protocol
The property to be verified: Signal.Claim_Secret.a.b.m e Traces(System) a not(leak.m e Traces(System) ) As usual, this property can be verified automatically by checking the traces Lecture 5

11 Authentication The CSP approach is based on inserting signals:
Running.a.b (in a’s protocol) Agent a is executing a protocol run apparently with b Commit.b.a (in b’s protocol) Agent b has completed a protocol run apparently with a Authentication is achieved if Running.a.b always precedes Commit.b.a in the traces of the system Weaker or stronger forms of authentication can be achieved by variations of the parameters of these signals and the constraints on them Lecture 5

12 Authentication in the Yahalom Pr.
The Yahalom Protocol aims at providing authentication of both parties : authentication of the initiator to the responder, and viceversa We will analyze the two authentication properties separately This requires two separate enhancements of the protocol Lecture 5

13 Yahalom: authentication of initiator
CSP description of the two parties - Enhanced Initiator’(a,na ) = env?b: Agent g send.a.b.a.na g [] (receive.J.a{b. kab.na.nb}ServerKey(a) .m kab e Key g signal.Running_Initiator.a.b.na.nb.kab nb e Nonce g send.a.b.m.{nb}kab m e T g Session(a,b,kab,na,nb) ) Responder’(b,nb ) = [] (receive.a.b.a.na g send.b.J.b .{a.na.nb}ServerKey(b) kab e Key g receive.a.b.{a. kab}ServerKey(b) .{nb}kab nb e Nonce g signal. Commit_Responder.b.a.na.nb.kab m e T g Session(b,a,kab,na,nb) ) Lecture 5

14 Yahalom: authentication of initiator
Initiatora Responderb Server a.na b.{a.na.nb}ServerKey(b) {b.kab.na.nb}ServerKey(a) {a.kab}ServerKey(b) Run_Init.a.b.na.nb.kab {a.kab}ServerKey(b) .{nb}kab Com_Resp.b.a.na.nb.kab Lecture 5

15 Yahalom: authentication of initiator
The property to be verified: signal. Running_Initiator.a.b.na.nb.kab precedes signal.Commit_Responder.b.a.na.nb.kab in all the Traces(System) Again, this property can be verified automatically by checking the traces Lecture 5

16 Yahalom: authentication of responder
CSP description of the two parties - Enhanced Initiator’(a,na ) = env?b: Agent g send.a.b.a.na g [] (receive.J.a{b. kab.na.nb}ServerKey(a) .m kab e Key g send.a.b.m.{nb}kab nb e Nonce g signal.Commit_Initiator.a.b.na.nb.kab m e T g Session(a,b,kab,na,nb) ) Responder’(b,nb ) = [] (receive.a.b.a.na g send.b.J.b .{a.na.nb}ServerKey(b) kab e Key g signal. Running_Responder.b.a.na.nb nb e Nonce g receive.a.b.{a. kab}ServerKey(b) .{nb}kab m e T g Session(b,a,kab,na,nb) ) Lecture 5

17 Yahalom: authentication of responder
Initiatora Responderb Server a.na Run_Resp.b.a.na.nb. b.{a.na.nb}ServerKey(b) {b.kab.na.nb}ServerKey(a) {a.kab}ServerKey(b) {a.kab}ServerKey(b) .{nb}kab Run_Init.a.b.na.nb.kab Lecture 5

18 Yahalom: authentication of responder
The property to be verified: signal. Running_Responder.b.a.na.nb precedes signal.Commit_Initiator.a.b.na.nb.kab in all the Traces(System) Again, this property can be verified automatically by checking the traces Lecture 5

19 {fNRR .a.l.c}Skb and {fCON .a.b.l.k}Skj
Non-repudiation Goal: provide the parties of an interaction with evidence so that later they cannot deny having participated Example: The Zhou-Gollmann protocol Message 1 a -> b : {fNRO .b.l.c}Ska Message 2 b -> a : {fNRR .a.l.c}Skb Message 3 a -> j : {fSUB .b.l.k}Ska Message 4 b <-> j : {fCON .a.b.l.k}Skj Message 5 a <-> j : {fCON .a.b.l.k}Skj c = k(m) where m is the message to be transmitted a and b are the parties, j is the trusted server fNRO , fNRR, etc. are flags identifying the steps. l is a nonce Ska, Skb, etc. are signature keys known only to their owners a can prove that b has got the message by presenting {fNRR .a.l.c}Skb and {fCON .a.b.l.k}Skj Lecture 5

20 The Zhou-Gollmann protocol
Non-Repudiation of Recipient: a can prove that b has got the message by presenting {fNRR .a.l.c}Skb and {fCON .a.b.l.k}Skj Non-Repudiation of Origin: b can prove that a has sent the message by presenting {fNRO .b.l.c}Ska and {fCON .a.b.l.k}Skj Lecture 5

21 CSP analysis of Non-Repudiation
Specification of the Zhou-Gollmann protocol in CSP Agenta(S) = [] b e Agent, m e S send.a.b.m -> Agenti(S) [] receive.a.b?m -> Agenta(close(S U {m})) [] ftp.a.Jeeves?m -> Agenta(close(S U {m})) [] m e S evidence.a.m -> Agenti(S) Close(S) represent the capability of inferring new information Server(S) = receive.a.Jeeves?. {fSUB .b.l.k}Ska -> Server(S U {fCON .a.b.l.k}Skj) [] b e Agent, m e S ftp.a.Jeeves.m -> Server(S) Lecture 5

22 The Zhou-Gollmann protocol in CSP
evidence.a evidence.b a b ftp.a ftp.b send.*.b send.*.a J receive.*.b receive.*.a receive.*.J send.*.J medium Lecture 5

23 Analysis of the Zhou-Gollmann protocol
Non-Repudiation of Recipient: evidence.a.{fNRR .a.l.c}Skb in Tr a b sent (fNRR .a.l.c) evidence.a.{fCON.a.b.l.k}Skj in Tr a receive.a.j. {fCON .a.b.l.k}Skj in Tr Non-Repudiation of Origin: evidence.b.{fNRO .b.l.c}Ska in Tr a a sent (fNRO.b.l.c) evidence.b.{fCON.a.b.l.k}Skj in Tr a a sent (fSUB.b.l.k) Again, these properties on traces can be proven automatically Lecture 5

Download ppt "Expressing Security Properties in CSP"

Similar presentations

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
University of Twente The Netherlands Centre for Telematics and Information Technology Verification of Security Protocols Sandro Etalle

University of Twente The Netherlands Centre for Telematics and Information Technology Verification of Security Protocols Sandro Etalle
University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.

University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.
5 June 2002 - Lecture 1 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,

5 June Lecture 1 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Lecture 4 1 Expressing Security Properties in CSP Security properties: the goals that a protocol is meant to satisfy, relatively to specific kinds and.

Lecture 4 1 Expressing Security Properties in CSP Security properties: the goals that a protocol is meant to satisfy, relatively to specific kinds and.
1 Lecture 3 The CSP approach to the specification and analysis of Security protocols Communicating Sequential Processes [Hoare 78] Mathematical framework.

1 Lecture 3 The CSP approach to the specification and analysis of Security protocols Communicating Sequential Processes [Hoare 78] Mathematical framework.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,

Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,
© 2005 The MITRE Corporation. All rights reserved For Internal MITRE Use Alice & Bob Specifications Jon Millen June 2005.

© 2005 The MITRE Corporation. All rights reserved For Internal MITRE Use Alice & Bob Specifications Jon Millen June 2005.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
IT 221: Introduction to Information Security Principles Lecture 6:Digital Signatures and Authentication Protocols For Educational Purposes Only Revised:

IT 221: Introduction to Information Security Principles Lecture 6:Digital Signatures and Authentication Protocols For Educational Purposes Only Revised:
Chapter 21 Distributed System Security Copyright © 2008.

Chapter 21 Distributed System Security Copyright © 2008.
Network Security Lecture 23 Presented by: Dr. Munam Ali Shah.

Network Security Lecture 23 Presented by: Dr. Munam Ali Shah.
Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.

Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.
11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.

11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.

Similar presentations

Ads by Google