Download presentation
Presentation is loading. Please wait.
1
Protocol Composition Logic John Mitchell Stanford TECS Week2005
2
Five-Minute University uEverything you could remember, five years after graduating from University … ? Father Guido Sarducci
3
TECS Week Lectures Summary uModel checking This is a method you can use –Murphi, Prism, Mocha, … can be downloaded –The lecture and handouts explain the method uProtocol Examples SSS, key management, contract signing uOther methods and tools Isabelle (or PVS) theorem proving A specialized protocol logic –Put theorem-proving method in systematic form Connections with cryptography –Equational specifications, process calculus, probability
4
Intuition for protocol logic uReason about local information I chose a new number I sent it out encrypted I received it decrypted Therefore: someone decrypted it uIncorporate knowledge about protocol Protocol: Server only answers if sent a request If server not corrupt and –I receive an answer from the server, then –the server must have received a request
5
Intuition: Picture uAlice’s information Protocol Private data Sends and receives Honest Principals, Attacker Protocol Private Data
6
Example: Challenge-Response AB m, A n, sig B {m, n, A} sig A {m, n, B} uAlice reasons: if Bob is honest, then: only Bob can generate his signature. [protocol independent] if Bob generates a signature of the form sig B {m, n, A}, –he sends it as part of msg2 of the protocol and –he must have received msg1 from Alice [protocol dependent] Alice deduces: Received (B, msg1) Λ Sent (B, msg2)
7
Formalizing the Approach uLanguage for protocol description Write program for each role of protocol uProtocol logic State security properties Specialized form of temporal logic uProof system Formally prove security properties Supports modular proofs
8
Cords u Protocol programming language –Server = [receive x; new n; send {x, n}] uBuilding blocks Terms –names, nonces, keys, encryption, … Actions –send, receive, pattern match, …
![Cords u Protocol programming language –Server = [receive x; new n; send {x, n}] uBuilding blocks Terms –names, nonces, keys, encryption, … Actions –send, receive, pattern match, …](http://images.slideplayer.com./17/5218990/slides/slide_8.jpg "Cords u Protocol programming language –Server = [receive x; new n; send {x, n}] uBuilding blocks Terms –names, nonces, keys, encryption, … Actions –send, receive, pattern match, …")
9
Terms t ::=cconstant term xvariable Nname Kkey t, ttupling sig K {t}signature enc K {t}encryption Example: x, sig B {m, x, A} is a term
10
Actions and Cords u Actions send t; send a term t receive x; receive a term into variable x match t/p(x); match term t against p(x) uCord Sequence of actions uNotation Some match actions are omitted in slides receive sigB{A, n} means receive x; match x/sigB{A, n}
11
Challenge-Response as Cords AB m, A n, sig B {m, n, A} sig A {m, n, B} InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]
![Challenge-Response as Cords AB m, A n, sig B {m, n, A} sig A {m, n, B} InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]](http://images.slideplayer.com./17/5218990/slides/slide_11.jpg "Challenge-Response as Cords AB m, A n, sig B {m, n, A} sig A {m, n, B} InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]")
12
Execution Model uProtocol Cord gives program for each protocol role uInitial configuration Set of principals and keys Assignment of 1 role to each principal uRun new x send {x} B receive {x} B A B C Position in run receive {z} B new z send {z} B
13
Formulas true at a position in run uAction formulas a ::= Send(P,m) | Receive (P,m) | New(P,t) | Decrypt (P,t) | Verify (P,t) uFormulas ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t 1, t 2 ) | | 1 2 | x | | uExample After(a,b) = (b a)
14
Modal Formulas uAfter actions, postcondition [ actions ] P where P = princ, role id uBefore/after assertions [ actions ] P uComposition rule [ S ] P [ T ] P [ ST ] P Note: same P in all formulas
![Modal Formulas uAfter actions, postcondition [ actions ] P where P = princ, role id uBefore/after assertions [ actions ] P uComposition rule [ S ] P [ T ] P [ ST ] P Note: same P in all formulas](http://images.slideplayer.com./17/5218990/slides/slide_14.jpg "Modal Formulas uAfter actions, postcondition [ actions ] P where P = princ, role id uBefore/after assertions [ actions ] P uComposition rule [ S ] P [ T ] P [ ST ] P Note: same P in all formulas")
15
Security Properties uAuthentication for Initiator CR | [ InitCR(A, B) ] A Honest(B) ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig B {m, n, A}}}), Receive(A, {B,A,{n, sig B {m, n, A}}}) ) uShared secret NS | [ InitNS(A, B) ] A Honest(B) ( Has(X, m) X=A X=B )
![Security Properties uAuthentication for Initiator CR | [ InitCR(A, B) ] A Honest(B) ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig B {m, n, A}}}), Receive(A, {B,A,{n, sig B {m, n, A}}}) ) uShared secret NS | [ InitNS(A, B) ] A Honest(B) ( Has(X, m) X=A X=B )](http://images.slideplayer.com./17/5218990/slides/slide_15.jpg "Security Properties uAuthentication for Initiator CR | [ InitCR(A, B) ] A Honest(B) ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig B {m, n, A}}}), Receive(A, {B,A,{n, sig B {m, n, A}}}) ) uShared secret NS | [ InitNS(A, B) ] A Honest(B) ( Has(X, m) X=A X=B )")
16
Semantics uProtocol Q Defines set of roles (e.g, initiator, responder) Run R of Q is sequence of actions by principals following roles, plus attacker uSatisfaction Q, R | [ actions ] P Some role of P in R does exactly actions and is true in state after actions completed Q | [ actions ] P Q, R | [ actions ] P for all runs R of Q
![Semantics uProtocol Q Defines set of roles (e.g, initiator, responder) Run R of Q is sequence of actions by principals following roles, plus attacker uSatisfaction Q, R | [ actions ] P Some role of P in R does exactly actions and is true in state after actions completed Q | [ actions ] P Q, R | [ actions ] P for all runs R of Q](http://images.slideplayer.com./17/5218990/slides/slide_16.jpg "Semantics uProtocol Q Defines set of roles (e.g, initiator, responder) Run R of Q is sequence of actions by principals following roles, plus attacker uSatisfaction Q, R | [ actions ] P Some role of P in R does exactly actions and is true in state after actions completed Q | [ actions ] P Q, R | [ actions ] P for all runs R of Q")
17
Proof System uGoal: prove properties formally uAxioms Simple formulas provable by hand uInference rules Proof steps uTheorem Formula obtained from axioms by application of inference rules
18
Sample axioms about actions uNew data [ new x ] P Has(P,x) [ new x ] P Has(Y,x) Y=P uActions [ send m ] P Send(P,m) uKnowledge [receive m ] P Has(P,m) uVerify [ match x/sig X {m} ] P Verify(P,m)
![Sample axioms about actions uNew data [ new x ] P Has(P,x) [ new x ] P Has(Y,x) Y=P uActions [ send m ] P Send(P,m) uKnowledge [receive m ] P Has(P,m) uVerify [ match x/sig X {m} ] P Verify(P,m)](http://images.slideplayer.com./17/5218990/slides/slide_18.jpg "Sample axioms about actions uNew data [ new x ] P Has(P,x) [ new x ] P Has(Y,x) Y=P uActions [ send m ] P Send(P,m) uKnowledge [receive m ] P Has(P,m) uVerify [ match x/sig X {m} ] P Verify(P,m)")
19
Reasoning about knowledge uPairing Has(X, {m,n}) Has(X, m) Has(X, n) uEncryption Has(X, enc K (m)) Has(X, K -1 ) Has(X, m)
20
Encryption and signature uPublic key encryption Honest(X) Decrypt(Y, enc X {m}) X=Y uSignature Honest(X) Verify(Y, sig X {m}) m’ ( Send(X, m’) Contains(m’, sig X {m})
21
Sample inference rules uPreservation rules [ actions ] P Has(X, t) [ actions; action ] P Has(X, t) uGeneric rules [ actions ] P [ actions ] P [ actions ] P
![Sample inference rules uPreservation rules [ actions ] P Has(X, t) [ actions; action ] P Has(X, t) uGeneric rules [ actions ] P [ actions ] P [ actions ] P ](http://images.slideplayer.com./17/5218990/slides/slide_21.jpg "Sample inference rules uPreservation rules [ actions ] P Has(X, t) [ actions; action ] P Has(X, t) uGeneric rules [ actions ] P [ actions ] P [ actions ] P ")
22
Bidding conventions (motivation) uBlackwood response to 4NT –5 : 0 or 4 aces –5 : 1 ace –5 : 2 aces –5 : 3 aces uReasoning If my partner is following Blackwood, then if she bid 5, she must have 2 aces
23
Honesty rule (rule scheme) roles R of Q. initial segments A R. Q |- [ A ] X Q |- Honest(X) This is a finitary rule: –Typical protocol has 2-3 roles –Typical role has 1-3 receives –Only need to consider A waiting to receive
24
Honesty rule (example use) roles R of Q. initial segments A R. Q |- [ A ] X Q |- Honest(X) Example use: –If Y receives a message from X, and Honest(X) (Sent(X,m) Received(X,m’)) then Y can conclude Honest(X) Received(X,m’))
25
Correctness of CR CR |- [ InitCR(A, B) ] A Honest(B) ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig B {m, n, A}}}), Receive(A, {B,A,{n, sig B {m, n, A}}}) ) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]
![Correctness of CR CR |- [ InitCR(A, B) ] A Honest(B) ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig B {m, n, A}}}), Receive(A, {B,A,{n, sig B {m, n, A}}}) ) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]](http://images.slideplayer.com./17/5218990/slides/slide_25.jpg "Correctness of CR CR |- [ InitCR(A, B) ] A Honest(B) ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig B {m, n, A}}}), Receive(A, {B,A,{n, sig B {m, n, A}}}) ) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]")
26
Correctness of CR – step 1 1. A reasons about it’s own actions CR |- [ InitCR(A, B) ] A Verify(A, sig B {m, n, A}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]
27
Correctness of CR – step 2 2. Properties of signatures CR |- [ InitCR(A, B) ] A Honest(B) m’ ( Send(B, m’) Contains(m’, sig B {m, n, A}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]
28
Correctness of CR – Honesty Honesty invariant CR |- Honest(X) Send(X, m’) Contains(m’, sig x {y, x, Y}) New(X, y) m= X, Y, {x, sig B {y, x, Y}} Receive(X, {Y, X, {y, Y}}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]
![Correctness of CR – Honesty Honesty invariant CR |- Honest(X) Send(X, m’) Contains(m’, sig x {y, x, Y}) New(X, y) m= X, Y, {x, sig B {y, x, Y}} Receive(X, {Y, X, {y, Y}}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]](http://images.slideplayer.com./17/5218990/slides/slide_28.jpg "Correctness of CR – Honesty Honesty invariant CR |- Honest(X) Send(X, m’) Contains(m’, sig x {y, x, Y}) New(X, y) m= X, Y, {x, sig B {y, x, Y}} Receive(X, {Y, X, {y, Y}}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]")
29
Correctness of CR – step 3 3. Use Honesty rule CR |- [ InitCR(A, B) ] A Honest(B) Receive(B, {A,B,m}), InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]
30
Correctness of CR – step 4 4. Use properties of nonces for temporal ordering CR |- [ InitCR(A, B) ] A Honest(B) Auth InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]
31
Complete proof
32
What does proof tell us? u Soundness Theorem: If Q |- then Q |= If is provable about protocol Q, then is true about protocol Q. u true in every run of Q Dolev-Yao intruder Unbounded number of participants
33
Weak Challenge-Response AB m n, sig B {m, n} sig A {m, n} InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]
![Weak Challenge-Response AB m n, sig B {m, n} sig A {m, n} InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]](http://images.slideplayer.com./17/5218990/slides/slide_33.jpg "Weak Challenge-Response AB m n, sig B {m, n} sig A {m, n} InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]")
34
Correctness of WCR – step 1 1. A reasons about it’s own actions WCR |- [ InitWCR(A, B) ] A Verify(A, sig B {m, n}) InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]
35
Correctness of WCR – step 2 2. Properties of signatures CR |- [ InitCR(A, B) ] A Honest(B) m’ ( Send(B, m’) Contains(m’, sig B {m, n, A}) InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]
36
Correctness of WCR – Honesty Honesty invariant CR |- Honest(X) Send(X, m’) Contains(m’, sig x {y, x}) New(X, y) m= X, Z, {x, sig B {y, x}} Receive(X, {Z, X, {y, Z}}) InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]
![Correctness of WCR – Honesty Honesty invariant CR |- Honest(X) Send(X, m’) Contains(m’, sig x {y, x}) New(X, y) m= X, Z, {x, sig B {y, x}} Receive(X, {Z, X, {y, Z}}) InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]](http://images.slideplayer.com./17/5218990/slides/slide_36.jpg "Correctness of WCR – Honesty Honesty invariant CR |- Honest(X) Send(X, m’) Contains(m’, sig x {y, x}) New(X, y) m= X, Z, {x, sig B {y, x}} Receive(X, {Z, X, {y, Z}}) InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]")
37
Correctness of WCR – step 3 3. Use Honesty rule WCR |- [ InitWCR(A, B) ] A Honest(B) Receive(B, {Z,B,m}), InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]
38
Result uWCR does not have the strong authentication property for the initiator uCounterexample Intruder can forge senders and receivers identity in first two messages –A -> X(B)m –X(C) -> Bm –B -> X(C) n, sig B (m, n) –X(B) ->An, sig B (m, n)
39
Extensions uAdd Diffie-Hellman primitive Can prove authentication and secrecy for key exchange protocols (STS, ISO- 97898-3) uAdd symmetric encryption, hashing Can prove authentication for ISO-9798- 2, SKID3
40
Composition Rules uProve assertions from invariants |- […]P uInvariant weakening rule |- […]P ’ |- […]P uProve invariants from protocol Q Q’ Q Q’ If combining protocols, extend assertions to combined invariants Use honesty (invariant) rule to show that both protocols preserve assumed invariants
![Composition Rules uProve assertions from invariants |- […]P uInvariant weakening rule |- […]P ’ |- […]P uProve invariants from protocol Q Q’ Q Q’ If combining protocols, extend assertions to combined invariants Use honesty (invariant) rule to show that both protocols preserve assumed invariants](http://images.slideplayer.com./17/5218990/slides/slide_40.jpg "Composition Rules uProve assertions from invariants |- […]P uInvariant weakening rule |- […]P ’ |- […]P uProve invariants from protocol Q Q’ Q Q’ If combining protocols, extend assertions to combined invariants Use honesty (invariant) rule to show that both protocols preserve assumed invariants")
41
Combining protocols DH Honest(X) …CR Honest(X) … ’’ |- Secrecy ’ |- Authentication ’ |- Secrecy ’ |- Authentication ’ |- Secrecy Authentication DH CR ’ ISO Secrecy Authentication =
42
Protocol Templates uProtocols with function variables instead of specific operations One template can be instantiated to many protocols uAdvantages: proof reuse design principles/patterns
43
Extending Formalism uLanguage Extension Add function variables to term language for cords and logic (HOL) uSemantics Q |= φ σQ |= σφ, for all substitutions σ eliminating all function variables uSoundness Theorem Every provable formula is valid
44
Example A B: m B A: n, F(B,A,n,m) A B: G(A,B,n,m) A B: m B A: n,E KAB (n,m,B) A B: E KAB (n,m) A B: m B A: n,H KAB (n,m,B) A B: H KAB (n,m,A) A B: m B A: n, sig B (n,m,A) A B: sig A (n,m,B) Challenge-Response Template ISO-9798-2ISO-9798-3SKID3 Abstraction Instantiation
45
Proof Structure Template axiomhypothesis Instance Discharge hypothesis
46
Modular proof techniques (2) uCombining protocol templates If protocol P is a hypotheses-respecting instance of two different templates, then it has the properties of both. uBenefits: Modular proofs of properties Formalization of protocol refinements
47
Refinement Example Revisited uTwo templates: Template 1: authentication + shared secret –(Preserves existing properties; proof reused) Template 2: identity protection (encryption) –(Adds new property) A B: g a, A B A: g b, E K { sig B {g a, g b, A} } A B: E K { sig A {g a, g b, B} } Encrypt Signatures
48
A B: g a, A B A: g b, F(B,A,g b,g a ) A B: G(A,B,g a,g b ) A B: g a B A: g b, F(B,g b,g a ), F’(B,g ab ) A B: G(A,g a, g b ), G’(A,g ab ) AKE1AKE2 Shared secret Stronger authentication Identity protection for B Non-repudiation Shared secret Weaker authentication Identity protection for A Repudiability H. Krawczyk: The Cryptography of the IPSec and IKE Protocols [CRYPTO’03] ISO-9798-3, JFKi STS, JFKr, IKEv2, SIGMA Authenticated key exchange
49
Sample projects using this method uKey exchange STS family, JFK, IKEv2 Diffie-Hellman -> MQV GDOI [Meadows, Pavlovic] uWork in progress, mostly done SSL verification Wireless 802.11i uImplementation of logic Student project, using Isabelle
![Sample projects using this method uKey exchange STS family, JFK, IKEv2 Diffie-Hellman -> MQV GDOI [Meadows, Pavlovic] uWork in progress, mostly done SSL verification Wireless i uImplementation of logic Student project, using Isabelle](http://images.slideplayer.com./17/5218990/slides/slide_49.jpg "Sample projects using this method uKey exchange STS family, JFK, IKEv2 Diffie-Hellman -> MQV GDOI [Meadows, Pavlovic] uWork in progress, mostly done SSL verification Wireless i uImplementation of logic Student project, using Isabelle")
50
Symbolic vs Computational model uSuppose |- [actions] X If a protocol P satisfies invariants , then if X does actions, will be true uSymbolic soundness No idealized adversary acting against “perfect” cryptography can make fail uComputational soundness No probabilistic polytime adversary can make fail with nonnegligible probability
![Symbolic vs Computational model uSuppose |- [actions] X If a protocol P satisfies invariants , then if X does actions, will be true uSymbolic soundness No idealized adversary acting against perfect cryptography can make fail uComputational soundness No probabilistic polytime adversary can make fail with nonnegligible probability](http://images.slideplayer.com./17/5218990/slides/slide_50.jpg "Symbolic vs Computational model uSuppose |- [actions] X If a protocol P satisfies invariants , then if X does actions, will be true uSymbolic soundness No idealized adversary acting against perfect cryptography can make fail uComputational soundness No probabilistic polytime adversary can make fail with nonnegligible probability")
Similar presentations
