Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protocol Verification by the Inductive Method

Published byNoreen Allison Modified over 5 years ago

Similar presentations

Presentation on theme: "Protocol Verification by the Inductive Method"— Presentation transcript:

1 Protocol Verification by the Inductive Method
CS 259 Protocol Verification by the Inductive Method John Mitchell I’m going to talk about work we’ve been doing on designing a compositional logic for protocol correctness. This is joint work with John Mitchell and Dusko Pavlovic

2 Course schedule Begin final presentations next week?
Two weeks after presentation 2 Final slides, tool input, and 1-3 page summary of results due last day of class (Mar13) I will need to miss at least one class meeting in the last 2 weeks of quarter

3 Crypto Protocol Analysis
Analysis Techniques Crypto Protocol Analysis Formal Models Dolev-Yao (perfect cryptography) Computational Models Random oracle Probabilistic process calculi Probabilistic I/O automata Modal Logics Model Checking Process Calculi Inductive Proofs BAN logic Spi-calculus Finite processes, finite attacker Finite processes, infinite attacker

4 Recall: protocol state space
Participant + attacker actions define a state transition graph A path in the graph is a trace of the protocol Graph can be Finite if we limit number of agents, size of message, etc. Infinite otherwise ... ...

5 Analysis using theorem proving
[Paulson] Analysis using theorem proving Correctness instead of bugs Use higher-order logic to reason about possible protocol executions No finite bounds Any number of interleaved runs Algebraic theory of messages No restrictions on attacker Mechanized proofs Automated tools can fill in parts of proofs Proof checking can prevent errors in reasoning

6 Inductive proofs Define set of traces Prove correctness by induction
Given protocol, a trace is one possible sequence of events, including attacks Prove correctness by induction For every state in every trace, no security condition fails Works for safety properties only Proof by induction on the length of trace

7 Both equivalent to “the natural numbers are well-ordered”
Two forms of induction Usual form for nNat. P(n) Base case: P(0) Induction step: P(x)  P(x+1) Conclusion: nNat. P(n) Minimial counterexample form Assume: x [ P(x)  y<x. P(y) ] Prove: contraction Both equivalent to “the natural numbers are well-ordered”

8 Use second form Given set of traces
Choose shortest sequence to bad state Assume all steps before that OK Derive contradiction Consider all possible steps All states are good Bad state

9 Sample Protocol Goals Authenticity: who sent it?
Fails if A receives message from B but thinks it is from C Integrity: has it been altered? Fails if A receives message from B but message is not what B sent Secrecy: who can receive it? Fails if attacker knows message that should be secret Anonymity Fails if attacker or B knows action done by A These are all safety properties

10 Inductive Method in a Nutshell
Informal Protocol Description Abstract trace model Correctness theorem about traces Attacker inference rules same for all protocols! Try to prove the theorem Theorem is correct

11 Work by Larry Paulson Isabelle theorem prover Papers describing method
Stanford Phd 1981 Work by Larry Paulson Isabelle theorem prover General tool; protocol work since 1997 Papers describing method Many case studies Verification of SET protocol (6 papers) Kerberos (3 papers) TLS protocol Yahalom protocol, smart cards, etc

12

13 Isabelle Automated support for proof development
Higher-order logic Serves as a logical framework Supports ZF set theory & HOL Generic treatment of inference rules Powerful simplifier & classical reasoner Strong support for inductive definitions

14 Agents and Messages agent A,B,… = Server | Friend i | Spy
msg X,Y,… = Agent A | Nonce N | Key K | { X, Y } | Crypt X K Typed, free term algebra, …

15 Protocol semantics Traces of events: Operational model of agents
A sends X to B Operational model of agents Algebraic theory of messages (derived) A general attacker Proofs mechanized using Isabelle/HOL

16 Define sets inductively
Traces Set of sequences of events Inductive definition involves implications if ev1, …, evn  evs, then add ev’ to evs Information from a set of messages parts H : parts of messages in H analz H : information derivable from H synth H : msgs constructible from H

17 Protocol events in trace
Several forms of events A sends B message X A receives X A stores X AB {A,NA}pk(B) If ev is a trace and Na is unused, add Says A B Crypt(pk B){A,Na} If Says A’ B Crypt(pk B){A,X}  ev and Nb is unused, add Says B A Crypt(pk A){Nb,X} BA {NB,NA}pk(A) AB {NB}pk(B) If Says ...{X,Na}...  ev , add Says A B Crypt(pk B){X}

18 Dolev-Yao Attacker Model
Attacker is a nondeterministic process Attacker can Intercept any message, decompose into parts Decrypt if it knows the correct key Create new message from data it has observed Attacker cannot Gain partial knowledge Perform statistical tests Stage timing attacks, …

19 Attacker Capabilities: Analysis
analz H is what attacker can learn from H X  H  X  analz H {X ,Y}  analz H  X  analz H {X ,Y}  analz H  Y  analz H Crypt X K  analz H & K-1  analz H  X  analz H

20 Attacker Capabilities: Synthesis
synth H is what attacker can create from H infinite set! X  H  X  synth H X  synth H & Y  synth H  {X ,Y}  synth H X  synth H & K  synth H  Crypt X K  synth H

21 Equations and implications
analz(analz H) = analz H synth(synth H) = synth H analz(synth H) = analz H  synth H synth(analz H) = ??? Nonce N  synth H  Nonce N  H Crypt K X  synth H  Crypt K X  H or X  synth H & K  H

22 Attacker and correctness conditions
If X  synth(analz(spies evs)), add Says Spy B X X is not secret because attacker can construct it from the parts it learned from events If Says B A {Nb,X}pk(A)  evs & Says A’ B {Nb}pk(B)  evs, Then Says A B {Nb}pk(B)  evs If B thinks he’s talking to A, then A must think she’s talking to B

23 Inductive Method: Pros & Cons
Advantages Reason about infinite runs, message spaces Trace model close to protocol specification Can “prove” protocol correct Disadvantages Does not always give an answer Failure does not always yield an attack Still trace-based properties only Labor intensive Must be comfortable with higher-order logic

24 Caveat Quote from Paulson (J Computer Security, 2000) Reference
The Inductive Approach to Verifying Cryptographic Protocols The attack on the recursive protocol [40] is a sobering reminder of the limitations of formal methods… Making the model more detailed makes reasoning harder and, eventually, infeasible. A compositional approach seems necessary Reference [40] P.Y.A. Ryan and S.A. Schneider, An attack on a recursive authentication protocol: A cautionary tale. Information Processing Letters 65,  1  (January 1998) pp 7 – 10.

25

Download ppt "Protocol Verification by the Inductive Method"

Similar presentations

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Timed Automata.

Timed Automata.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.

Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.
Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.

Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.

Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.
Protocol Verification by the Inductive Method John Mitchell Stanford TECS Week2005.

Protocol Verification by the Inductive Method John Mitchell Stanford TECS Week2005.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.
Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,

Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,
Theory of Computing Lecture 22 MAS 714 Hartmut Klauck.

Theory of Computing Lecture 22 MAS 714 Hartmut Klauck.
Formal verification Marco A. Peña Universitat Politècnica de Catalunya.

Formal verification Marco A. Peña Universitat Politècnica de Catalunya.
Inductive Verification of Protocols Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Inductive Verification of Protocols Anupam Datta CMU Fall A: Foundations of Security and Privacy.
Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.

Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.
Cheng/Dillon-Software Engineering: Formal Methods Model Checking.

Cheng/Dillon-Software Engineering: Formal Methods Model Checking.
Analyzing SET with Inductive Method CS 395T. Theorem Proving for Protocol Analysis uProve correctness instead of looking for bugs Use higher-order logic.

Analyzing SET with Inductive Method CS 395T. Theorem Proving for Protocol Analysis uProve correctness instead of looking for bugs Use higher-order logic.

Similar presentations

Ads by Google