Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing SET with Inductive Method CS 395T. Theorem Proving for Protocol Analysis uProve correctness instead of looking for bugs Use higher-order logic.

Published byBritton Lester Modified over 9 years ago

Similar presentations

Presentation on theme: "Analyzing SET with Inductive Method CS 395T. Theorem Proving for Protocol Analysis uProve correctness instead of looking for bugs Use higher-order logic."— Presentation transcript:

1 Analyzing SET with Inductive Method CS 395T

2 Theorem Proving for Protocol Analysis uProve correctness instead of looking for bugs Use higher-order logic to reason about all possible protocol executions uNo finite bounds Any number of interleaved runs Algebraic theory of messages No finite bounds on the attacker uMechanized proofs Automated tools can fill in parts of proofs [Paulson]

3 Inductive Method uDefine the set of protocol traces Given a protocol, a trace is one possible sequence of events, including attacker actions uProve correctness by induction For every state in every trace, prove that no security condition fails –Works for safety properties only Induction is on the length of the trace

4 Two Forms of Induction uUsual form for  n  Nat. P(n) Base case: P(0) Induction step: P(x)  P(x+1) Conclusion:  n  Nat. P(n) uMinimal counterexample form Assume:  x [  P(x)   y<x. P(y) ] Prove contradiction Conclusion:  n  Nat. P(n) Both equivalent to “the natural numbers are well-ordered”

5 Induction for Protocol Analysis uGiven a set of traces, choose shortest sequence to a bad state Bad state = state in which an invariant is violated Assume all steps before that are OK Derive contradiction –Consider all possible actions taken at this step All states are goodBad state

6 Work by Larry Paulson uIsabelle theorem prover General tool; security protocols work since 1997 uMany case studies of security protocols Verification of SET protocol (6 papers) Kerberos (3 papers) TLS protocol Yahalom protocol, smart cards, etc http://www.cl.cam.ac.uk/users/lcp/papers/protocols.html

7 Isabelle uAutomated support for proof development Higher-order logic Serves as a logical framework Supports ZF set theory & HOL Generic treatment of inference rules uPowerful simplifier & classical reasoner uStrong support for inductive definitions

8 Agents and Messages agent A,B,… =Server | Friend i | Spy msg X,Y,… =Agent A| Nonce N| Key K| { X, Y }| Crypt (K) X Typed, free term algebra, …

9 Protocol Semantics u“Set of event traces” semantics for protocols uOperational model for honest agents Similar to pi calculus or protocol composition logic uAlgebraic theory of messages defines attacker Primitive operations: encrypt, decrypt, … Inductive closure of the intercepted messages under primitive operations defines the set of all messages available to the attacker uProofs mechanized using Isabelle/HOL

10 A Few Definitions uTraces A protocol is a set of traces A trace is a sequence of events Inductive definition involves implications if ev 1, …, ev n  evs, then add ev’ to evs uInformation from a set of messages parts H : parts of messages in H analz H : parts of messages in H that can be learned by attacker –Not every message part can be learned by attacker! synth H : messages that can be constructed from H

11 Protocol Events uSeveral types of events A sends B message X A receives X A stores X If ev is a trace and Na is unused, add Says A B Crypt(pk B){A,Na} AB {A,N A } pk(B) BA {N B,N A } pk(A) If Says A’ B Crypt(pk B){A,X}  ev and Nb is unused, add Says B A Crypt(pk A){Nb,X} AB {N B } pk(B) If Says...{X,Na}...  ev, add Says A B Crypt(pk B){X}

12 Attacker Capabilities: Analysis X  H  X  analz H {X,Y}  analz H  X  analz H {X,Y}  analz H  Y  analz H Crypt X K  analz H & K -1  analz H  X  analz H analz H is what attacker can learn from H

13 Attacker Capabilities: Synthesis X  H  X  synth H X  synth H & Y  synth H  {X,Y}  synth H X  synth H & K  synth H  Crypt (K) X  synth H synth H is what attacker can create from H infinite set!

14 Equations and Implications analz(analz H) = analz H synth(synth H) = synth H analz(synth H) = analz H  synth H synth(analz H) = ??? Nonce N  synth H  Nonce N  H Crypt (K) X  synth H  Crypt (K) X  H or X  synth H & K  H But only if keys are atomic

15 Attacker Events If X  synth(analz(spies evs)), add Says Spy B X X is not secret because attacker can construct it from the parts he learned from events evs (attacker announces all secrets he learns)

16 Correctness Conditions If Says B A {N b,X} pk(A)  evs & Says A’ B {N b } pk(B)  evs, Then Says A B {N b } pk(B)  evs If B thinks he’s talking to A, then A must think she’s talking to B

17 Secure Electronic Transactions (SET) uGoal: privacy of online credit card transactions Merchant doesn’t learn credit card details Bank (credit card issuer) doesn’t learn what you buy uCardholders and merchants must register and receive electronic credentials Proof of identity Evidence of trustworthiness uExpensive development effort, little deployment Isabelle verification by Larry Paulson, Giampaolo Bella, and Fabio Massacci

18 SET Documentation uBusiness Description General overview 72 pages uProgrammer’s Guide Message formats & English description of actions 619 pages uFormal Protocol Definition Message formats & the equivalent ASN.1 definitions 254 pages Total: 945 pages

19 Dual Signatures uLink two messages sent to different receivers uEach receiver can only read one message Alice checks (message1, digest2, dual sig) Bob checks (message2, digest1, dual sig) MESSAGE 1 DIGEST 1 NEW DIGEST HASH 1 & 2 WITH SHA MESSAGE 2 DIGEST 2 CONCATENATE DIGESTS TOGETHER HASH WITH SHA TO CREATE NEW DIGEST DUAL SIGNATURE PRIVATE KEY SIGN NEW DIGEST WITH SIGNER’S PRIVATE KEY

20 Verifying the SET Protocols uSeveral sub-protocols uComplex cryptographic primitives Dual signatures for partial sharing of secrets uMany types of principals Cardholder, Merchant, Payment Gateway, CAs u1000 pages of specification and description uSET is probably the upper limit of realistic verification

21 SET Terminology uIssuer Cardholder’s bank uAcquirer Merchant’s bank uPayment gateway Pays the merchant uCertificate authority (CA) Issues electronic credentials uTrust hierarchy Top CAs certify other CAs in the chain

22 Root CA (SET Co) Geo-political CA (optional) (only for VISA) Brand CA (MasterCard, Visa) Merchant CA (Banesto) Cardholder CA (Banesto) Cardholder Payment Gateway CA ( MasterCard, Banesto in VISA) Merchant Payment Gateway SET Certificate Hierarchy SOURCE: INZA.COMINZA.COM

23 Players Issuing Bank Issues card Extends credit Assumes risk of card Cardholder reporting Card associations Merchant Merchant Bank (Acquirer) Sets up merchant Extends credit Assumes risk of merchant Consumer Processor SOURCE: Michael I Shamos

24 1. Customer pays with card card swiped for mag data read (get signature) 5. Merchant stores authorizations and sales conducted captures sales (at end of day) submits batch for funding 2.Card Authorization via dial, lease line, satellite 3. Acquiring Bank’s Processor directs connections to MC /VI obtains authorization from Issuer returns response to merchant five digit number that must be stored Authorizations Batch settlement 6. Acquiring Bank / Processor scans settlement file verifies authorizations match captured data prepares file for MC/VI prepares funding file records txs for reporting 4. Issuing Bank / Processor receives authoriz’n request verifies available funds places hold on funds 7. Issuing Bank / Processor receives settlement file from MC / VI funds MC / VI matches txs to auths post txs to cardholder records transactions for reporting 8. MC / VI debit issuers / credit acquirers 9. Acquiring Bank funds merchant SOURCE: Michael I Shamos

25 SET Consists in 5 Subprotocols uCardholder registration uMerchant registration uPurchase request uPayment authorization uPayment capture Will look at these two briefly

26 Cardholder Registration uTwo parties Cardholder Certificate authority CA uCardholder sends credit card number to CA uCardholder completes registration form Inserts security details Discloses his public signature key uOutcomes Cardholder’s bank can vet the registration CA associates cardholder’s signing key with card details

27 SET Registration Subprotocol

28 Certificate Request in Isabelle Key dependency: KC3 protects KC2, EKi protects KC3 Public signing key Encrypted, signed request to register account number (PAN) and to encrypt reply with key KC2 The symmetric key KC3 for decrypting the request is encrypted under CA’s key EKi

29 Secrecy of Session Keys and Nonces uSecrecy is modeled as dependency Session keys: EKi protects KC3, KC3 protects cardholder’s request (which includes symmetric key KC2 and public key cardSK), KC2 protects CA’s reply Nonces: KC3 protects NC3, EKi protects CardSecret uDependency theorem To learn KC2, need to know KC3; to learn KC3, need to know private key corresponding to EKi, etc. u“Base case” lemmas Session keys never encrypt PANs Session keys never encrypt private keys

30 SET Purchase Subprotocol

31 SET Messages (Purchase Phase)

32 Dual Signatures for Privacy u3-way agreement with partial knowledge Cardholder shares Order Information (OI) only with Merchant Cardholder shares Payment Information (PI) only with Payment Gateway uCardholder signs hashes of OI, PI Merchant can verify signature on hashed OI because he knows order description Bank learns purchase amount from merchant and verifies its consistency with signed hash of PI uSignatures guarantee non-repudiation

33 Purchase Request in Isabelle PIdata includes only amount. It is hashed and signed to prevent merchant from cheating. Account data is encrypted with session key to hide it from merchant.

34 SET Proofs are Complicated uMassive redundancy caused by hashing and dual signatures 9 copies of “purchase amount” in one message! uMany nested digital envelopes for key dependency Results in multi-page subgoals for proving key dependency theorems uYet insufficient redundancy leads to failure of one agreement property Insufficient redundancy = lack of explicit information

35 Inductive Method: Pros & Cons uAdvantages Reason about arbitrarily large runs, message spaces Trace model close to protocol specification Can “prove” protocol correct uDisadvantages Does not always give an answer Failure of proof does not always yield an attack Trace-based properties only Labor intensive –Must be comfortable with higher-order logic

Download ppt "Analyzing SET with Inductive Method CS 395T. Theorem Proving for Protocol Analysis uProve correctness instead of looking for bugs Use higher-order logic."

Similar presentations

CP3397 ECommerce.

CP3397 ECommerce.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Cryptography and Network Security

Cryptography and Network Security
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.

Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.

Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Electronic Transaction Security (E-Commerce)

Electronic Transaction Security (E-Commerce)
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
Protocol Verification by the Inductive Method John Mitchell Stanford TECS Week2005.

Protocol Verification by the Inductive Method John Mitchell Stanford TECS Week2005.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Chapter 8 Web Security.

Chapter 8 Web Security.
Inductive Verification of Protocols Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Inductive Verification of Protocols Anupam Datta CMU Fall A: Foundations of Security and Privacy.
Electronic Payment Systems In any commercial transaction payment is an integral part for goods supplied. Four types of payments may be made in e-commerce.

Electronic Payment Systems In any commercial transaction payment is an integral part for goods supplied. Four types of payments may be made in e-commerce.
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part II.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part II.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/

Similar presentations

Ads by Google