Presentation is loading. Please wait.

Presentation is loading. Please wait.

Inductive Verification of Protocols Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Inductive Verification of Protocols Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy."— Presentation transcript:

1 Inductive Verification of Protocols Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy

2 Logistics  This Friday at 2PM (CIC 1301) Section on PRISM, a probabilistic model- checker Analysis of Crowds, a protocol for anonymous communication [Reiter, Rubin] Previous sections: Murphi, AVISPA Future: MOCHA, Theorem-proving  Sign up for project discussion slots

3 Protocol Analysis Techniques Crypto Protocol Analysis Formal ModelsComputational Models Protocol LogicsModel Checking Inductive Proofs Dolev-Yao (perfect cryptography) Random oracle Probabilistic process calculi Probabilistic I/O automata … Process Calculi … Applied  -calculus BAN, PCLMurphi, AVISPA

4 Recall: protocol state space  Participant + attacker actions define a state transition graph  A path in the graph is a trace of the protocol  Graph can be Finite if we limit number of agents, size of message, etc. Infinite otherwise...

5 Analysis using theorem proving  Correctness instead of bugs Use higher-order logic to reason about possible protocol executions  No finite bounds Any number of interleaved runs Algebraic theory of messages No restrictions on attacker  Mechanized proofs Automated tools can fill in parts of proofs Proof checking can prevent errors in reasoning [Paulson]

6 Inductive proofs  Define set of traces Given protocol, a trace is one possible sequence of events, including attacks  Prove correctness by induction For every state in every trace, no security condition fails  Works for safety properties only Proof by induction on the length of trace

7 Inductive Definitions  Example: The set of natural numbers, N 0  N If n  N then successor(n)  N Nothing else is in N, i.e. N is the least set closed under these operations  Inductive definitions are widely used in Computer Science, e.g. in defining syntax and semantics of programming languages See Chapter 1 of Harper’s “Practical Foundations for Programming Languages”

8 Two forms of induction  Usual form for  n  Nat. P(n) Base case: P(0) Induction step: P(x)  P(x+1) Conclusion:  n  Nat. P(n)  Minimial counterexample form Assume:  x [  P(x)   y<x. P(y) ] Prove: contradiction Conclusion:  n  Nat. P(n) Both equivalent to “the natural numbers are well-ordered”

9 Use second form  Given set of traces Choose shortest sequence to bad state Assume all steps before that OK Derive contradiction  Consider all possible steps All states are goodBad state

10 Sample Protocol Goals  Authenticity: who sent it? Fails if A receives message from B but thinks it is from C  Integrity: has it been altered? Fails if A receives message from B but message is not what B sent  Secrecy: who can receive it? Fails if attacker knows message that should be secret  Anonymity Fails if attacker or B knows action done by A These are all safety properties Safety = “Nothing bad happens”; violation observable in a finite trace

11 Inductive Method in a Nutshell Attacker inference rules Abstract trace model Informal Protocol Description Theorem is correct Try to prove the theorem Correctness theorem about traces same for all protocols!

12 Work by Larry Paulson  Isabelle theorem prover General tool; protocol work since 1997  Papers describing method  Many case studies Verification of SET protocol (6 papers) Kerberos (3 papers) TLS protocol Yahalom protocol, smart cards, etc http://www.cl.cam.ac.uk/users/lcp/papers/protocols.html

13 Agents and Messages agent A,B,…=Server | Friend i | Spy msg X,Y,…=Agent A |Nonce N |Key K |{ X, Y } |Crypt X K Typed, free term algebra, …

14 Agents & messages in Isabelle

15 Protocol semantics  Traces of events: A sends X to B A notes X  Operational model of agents  Algebraic theory of messages  A general attacker  Proofs mechanized using Isabelle/HOL

16 Define sets inductively  Traces Set of sequences of events Inductive definition involves implications if ev 1, …, ev n  evs, then add ev’ to evs  Information from a set of messages parts H : parts of messages in H analz H : information derivable from H synth H : msgs constructible from H

17 Protocol events in trace  Several forms of events A sends B message X A receives X A stores X If ev is a trace and Na is unused and B is an agent distinct from A, add event Says A B Crypt(pk B){A,Na} AB {A,N A } pk(B) BA {N B,N A } pk(A) If Says A’ B Crypt(pk B){A,X}  ev and Nb is unused, add event Says B A Crypt(pk A){Nb,X} AB {N B } pk(B) If Says A B Crypt(pk B){A,Na} …  ev, add Says A B Crypt(pk B){Nb} “Fresh” nonce is a new symbol

18 NS in Isabelle

19 Dolev-Yao Attacker Model  Attacker is a nondeterministic process  Attacker can Intercept any message, decompose into parts Decrypt if it knows the correct key Create new message from data it has observed  Attacker cannot Gain partial knowledge Perform statistical tests Stage timing attacks, …

20 Attacker in Isabelle spies evs: set of messages (terms) that attacker observes from trace evs analz (H): set of terms that attacker can learn from set H synth (H): set of terms that attacker can create from H All 3 sets are defined inductively

21 Attacker’s view of trace

22 Attacker Capabilities: Analysis X  H  X  analz H {X,Y}  analz H  X  analz H {X,Y}  analz H  Y  analz H Crypt X K  analz H & K -1  analz H  X  analz H analz H is what attacker can learn from H

23 Attacker Capabilities: Synthesis X  H  X  synth H X  synth H & Y  synth H  {X,Y}  synth H X  synth H & K  synth H  Crypt X K  synth H synth H is what attacker can create from H infinite set!

24 Attacker and correctness conditions If Says A B {N b } pk(B)  evs Then Nb  synth(analz(spies evs)), Nb is secret because attacker cannot construct it from the parts it learned from events If Says B A {N b,X} pk(A)  evs & Says A’ B {N b } pk(B)  evs, Then Says A B {N b } pk(B)  evs If B thinks he’s talking to A, then A must think she’s talking to B

25 Inductive Method: Pros & Cons  Advantages Reason about infinite runs, message spaces Trace model close to protocol specification Can “prove” protocol correct  Disadvantages Does not always give an answer Failure does not always yield an attack Still trace-based properties only Labor intensive  Must be comfortable with higher-order logic Proofs are very long  4000 steps for Otway-Rees session key secrecy

26 Caveat  Quote from Paulson (J Computer Security, 2000) The Inductive Approach to Verifying Cryptographic Protocols The attack on the recursive protocol [40] is a sobering reminder of the limitations of formal methods… Making the model more detailed makes reasoning harder and, eventually, infeasible. A compositional approach seems necessary  Reference [40] P.Y.A. Ryan and S.A. Schneider, An attack on a recursive authentication protocol: A cautionary tale. Information Processing Letters 65, 1 (January 1998) pp 7 – 10.

27 Questions?

28 Isabelle  Automated support for proof development Higher-order logic Serves as a logical framework Supports ZF set theory & HOL Generic treatment of inference rules  Powerful simplifier & classical reasoner  Strong support for inductive definitions

29 Equations and implications analz(analz H) = analz H synth(synth H) = synth H analz(synth H) = analz H  synth H Nonce N  synth H  Nonce N  H Crypt K X  synth H  Crypt K X  H or X  synth H & K  H

Download ppt "Inductive Verification of Protocols Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy."

Similar presentations

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI.
Part 3: Safety and liveness

Part 3: Safety and liveness
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Timed Automata.

Timed Automata.
Security Definitions in Computational Cryptography

Security Definitions in Computational Cryptography
Chen Advisor: Limin Jia.  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion.

Chen Advisor: Limin Jia.  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Induction and recursion

Induction and recursion
Case Study: Using PVS to Analyze Security Protocols Kyle Taylor.

Case Study: Using PVS to Analyze Security Protocols Kyle Taylor.
Induction Sections 41. and 4.2 of Rosen Fall 2008 CSCE 235 Introduction to Discrete Structures Course web-page: cse.unl.edu/~cse235 Questions:

Induction Sections 41. and 4.2 of Rosen Fall 2008 CSCE 235 Introduction to Discrete Structures Course web-page: cse.unl.edu/~cse235 Questions:
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005.

Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005.

Similar presentations

Ads by Google